# Emerging Threats 
#
# This distribution may contain rules under two different licenses. 
#
#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
#  as follows:
#
#*************************************************************
#  Copyright (c) 2003-2017, Emerging Threats
#  All rights reserved.
#  
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
#  following conditions are met:
#  
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
#    from this software without specific prior written permission.
#  
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#*************************************************************
#
#
#
#

# This Ruleset is EmergingThreats Open optimized for snort-2.9.0-enhanced.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible NOS Microsystems Adobe Reader/Acrobat getPlus Get_atlcomHelper ActiveX Control Multiple Stack Overflows Remote Code Execution Attempt"; flow:established,to_client; file_data; content:"E2883E8F-472F-4fb0-9522-AC9BF37916A7"; nocase; distance:0; content:"offer-"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E2883E8F-472F-4fb0-9522-AC9BF37916A7.+offer-(ineligible|preinstalled|declined|accepted)/si"; reference:url,www.securityfocus.com/bid/37759; reference:url,www.kb.cert.org/vuls/id/773545; reference:url,www.adobe.com/support/security/bulletins/apsb10-02.html; reference:url,www.exploit-db.com/exploits/11172/; reference:cve,2009-3958; reference:url,doc.emergingthreats.net/2010665; classtype:attempted-user; sid:2010665; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible NOS Microsystems Adobe Reader/Acrobat getPlus Get_atlcom Helper ActiveX Control Multiple Stack Overflows Remote Code Execution Attempt"; flow:established,to_client; file_data; content:"clsid"; nocase; distance:0; content:"E2883E8F-472F-4fb0-9522-AC9BF37916A7"; nocase; distance:0; content:!"offer-"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E2883E8F-472F-4fb0-9522-AC9BF37916A7.+(service-url|banner|noexec|OS|Lang|return-page|core-product|userid|itemid|_c[xy]|sec-param|secparam)/si"; reference:url,www.securityfocus.com/bid/37759; reference:url,www.kb.cert.org/vuls/id/773545; reference:url,www.exploit-db.com/exploits/11172/; reference:url,www.adobe.com/support/security/bulletins/apsb10-02.html; reference:cve,2009-3958; reference:url,doc.emergingthreats.net/2011675; classtype:attempted-user; sid:2011675; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Java Deployment Toolkit CSLID Command Execution Attempt"; flow:to_client,established; file_data; content:"CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"; nocase; distance:0; content:"launch"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA/si"; reference:url,seclists.org/fulldisclosure/2010/Apr/119; reference:url,doc.emergingthreats.net/2011010; classtype:attempted-user; sid:2011010; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Internet Explorer Tabular DataURL ActiveX Control Memory Corruption Attempt"; flow:established,to_client; file_data; content:"333C7BC4-460F-11D0-BC04-0080C7055A83"; nocase; distance:0; content:"DataURL"; nocase; distance:0; content:"value=|22|"; nocase; distance:0; isdataat:100,relative; content:!"|0A|"; within:100; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*333C7BC4-460F-11D0-BC04-0080C7055A83/si"; reference:url,securitytracker.com/alerts/2010/Mar/1023773.html; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20202; reference:url,www.metasploit.com/redmine/projects/framework/repository/revisions/9018/entry/modules/exploits/windows/browser/ms10_018_ie_tabular_activex.rb; reference:url,www.microsoft.com/technet/security/bulletin/ms10-018.mspx; reference:url,www.vupen.com/english/advisories/2010/0744; reference:url,www.kb.cert.org/vuls/id/744549; reference:cve,2010-0805; reference:url,doc.emergingthreats.net/2011007; classtype:attempted-user; sid:2011007; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (29)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2E30750-6C3D-11D3-B653-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009598; classtype:web-application-attack; sid:2009598; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (30)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"AD8E510D-217F-409B-8076-29C5E73B98E8"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AD8E510D-217F-409B-8076-29C5E73B98E8/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009599; classtype:web-application-attack; sid:2009599; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (31)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"B0EDF163-910A-11D2-B632-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B0EDF163-910A-11D2-B632-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009600; classtype:web-application-attack; sid:2009600; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (32)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"B64016F3-C9A2-4066-96F0-BD9563314726"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B64016F3-C9A2-4066-96F0-BD9563314726/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009601; classtype:web-application-attack; sid:2009601; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (33)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"BB530C63-D9DF-4B49-9439-63453962E598"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BB530C63-D9DF-4B49-9439-63453962E598/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009602; classtype:web-application-attack; sid:2009602; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (34)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"C531D9FD-9685-4028-8B68-6E1232079F1E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C531D9FD-9685-4028-8B68-6E1232079F1E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009603; classtype:web-application-attack; sid:2009603; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (35)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"C5702CCC-9B79-11D3-B654-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C5702CCC-9B79-11D3-B654-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009604; classtype:web-application-attack; sid:2009604; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (37)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"C5702CCE-9B79-11D3-B654-00C04F79498E"; nocase; distance:0;  pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C5702CCE-9B79-11D3-B654-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009606; classtype:web-application-attack; sid:2009606; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (38)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"C5702CCF-9B79-11D3-B654-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C5702CCF-9B79-11D3-B654-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009607; classtype:web-application-attack; sid:2009607; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (40)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009609; classtype:web-application-attack; sid:2009609; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (41)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"CAAFDD83-CEFC-4E3D-BA03-175F17A24F91"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CAAFDD83-CEFC-4E3D-BA03-175F17A24F91/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009610; classtype:web-application-attack; sid:2009610; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (42)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"D02AAC50-027E-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D02AAC50-027E-11D3-9D8E-00C04F72D980/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009611; classtype:web-application-attack; sid:2009611; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (44)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"FA7C375B-66A7-4280-879D-FD459C84BB02"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FA7C375B-66A7-4280-879D-FD459C84BB02/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009613; classtype:web-application-attack; sid:2009613; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (1)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"011B3619-FE63-4814-8A84-15A194CE9CE3"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*011B3619-FE63-4814-8A84-15A194CE9CE3/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009614; classtype:web-application-attack; sid:2009614; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (2)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"0149EEDF-D08F-4142-8D73-D23903D21E90"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0149EEDF-D08F-4142-8D73-D23903D21E90/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009615; classtype:web-application-attack; sid:2009615; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (3)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"0369B4E5-45B6-11D3-B650-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0369B4E5-45B6-11D3-B650-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009616; classtype:web-application-attack; sid:2009616; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (4)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"0369B4E6-45B6-11D3-B650-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0369B4E6-45B6-11D3-B650-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009617; classtype:web-application-attack; sid:2009617; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (5)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"055CB2D7-2969-45CD-914B-76890722F112"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*055CB2D7-2969-45CD-914B-76890722F112/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009618; classtype:web-application-attack; sid:2009618; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (6)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"15D6504A-5494-499C-886C-973C9E53B9F1"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*15D6504A-5494-499C-886C-973C9E53B9F1/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009619; classtype:web-application-attack; sid:2009619; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (7)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"1BE49F30-0E1B-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1BE49F30-0E1B-11D3-9D8E-00C04F72D980/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009620; classtype:web-application-attack; sid:2009620; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (8)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"1C15D484-911D-11D2-B632-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1C15D484-911D-11D2-B632-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009621; classtype:web-application-attack; sid:2009621; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (9)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"1DF7D126-4050-47F0-A7CF-4C4CA9241333"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1DF7D126-4050-47F0-A7CF-4C4CA9241333/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009622; classtype:web-application-attack; sid:2009622; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (10)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"2C63E4EB-4CEA-41B8-919C-E947EA19A77C"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2C63E4EB-4CEA-41B8-919C-E947EA19A77C/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009623; classtype:web-application-attack; sid:2009623; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (11)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"334125C0-77E5-11D3-B653-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*334125C0-77E5-11D3-B653-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009624; classtype:web-application-attack; sid:2009624; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (12)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"37B0353C-A4C8-11D2-B634-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*37B0353C-A4C8-11D2-B634-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009625; classtype:web-application-attack; sid:2009625; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (13)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"37B03543-A4C8-11D2-B634-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*37B03543-A4C8-11D2-B634-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009626; classtype:web-application-attack; sid:2009626; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (14)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"37B03544-A4C8-11D2-B634-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*37B03544-A4C8-11D2-B634-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009627; classtype:web-application-attack; sid:2009627; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (15)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"418008F3-CF67-4668-9628-10DC52BE1D08"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*418008F3-CF67-4668-9628-10DC52BE1D08/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009628; classtype:web-application-attack; sid:2009628; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (16)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"4A5869CF-929D-4040-AE03-FCAFC5B9CD42"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4A5869CF-929D-4040-AE03-FCAFC5B9CD42/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009629; classtype:web-application-attack; sid:2009629; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (17)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"577FAA18-4518-445E-8F70-1473F8CF4BA4"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*577FAA18-4518-445E-8F70-1473F8CF4BA4/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009630; classtype:web-application-attack; sid:2009630; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (18)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"59DC47A8-116C-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*59DC47A8-116C-11D3-9D8E-00C04F72D980/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009631; classtype:web-application-attack; sid:2009631; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (19)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"7F9CB14D-48E4-43B6-9346-1AEBC39C64D3"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7F9CB14D-48E4-43B6-9346-1AEBC39C64D3/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009632; classtype:web-application-attack; sid:2009632; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (20)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"823535A0-0318-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*823535A0-0318-11D3-9D8E-00C04F72D980/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009633; classtype:web-application-attack; sid:2009633; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (21)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"8872FF1B-98FA-4D7A-8D93-C9F1055F85BB"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8872FF1B-98FA-4D7A-8D93-C9F1055F85BB/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009634; classtype:web-application-attack; sid:2009634; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (22)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"8A674B4C-1F63-11D3-B64C-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8A674B4C-1F63-11D3-B64C-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009635; classtype:web-application-attack; sid:2009635; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (23)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"8A674B4D-1F63-11D3-B64C-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8A674B4D-1F63-11D3-B64C-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009636; classtype:web-application-attack; sid:2009636; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (24)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"9CD64701-BDF3-4D14-8E03-F12983D86664"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9CD64701-BDF3-4D14-8E03-F12983D86664/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009638; classtype:web-application-attack; sid:2009638; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (25)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"9E77AAC4-35E5-42A1-BDC2-8F3FF399847C"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9E77AAC4-35E5-42A1-BDC2-8F3FF399847C/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009639; classtype:web-application-attack; sid:2009639; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (26)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009640; classtype:web-application-attack; sid:2009640; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (27)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"A2E3074E-6C3D-11D3-B653-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2E3074E-6C3D-11D3-B653-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009641; classtype:web-application-attack; sid:2009641; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (28)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"A2E30750-6C3D-11D3-B653-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2E30750-6C3D-11D3-B653-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009642; classtype:web-application-attack; sid:2009642; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (1)"; flow:to_client,established; file_data; content:"F0E42D50-368C-11D0-AD81-00A0C90DC8D9"; nocase; distance:0; pcre:"/(SnapshotPath|CompressedPath|PrintSnapshot)/i"; pcre:"/(exe|bat|com|dll|ini)/i"; reference:bugtraq,30114; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html; reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008407; classtype:web-application-attack; sid:2008407; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (2)"; flow:to_client,established; file_data; content:"F0E42D60-368C-11D0-AD81-00A0C90DC8D9"; nocase; distance:0; pcre:"/(SnapshotPath|CompressedPath|PrintSnapshot)/i"; pcre:"/(exe|bat|com|dll|ini)/i"; reference:bugtraq,30114; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html; reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008408; classtype:web-application-attack; sid:2008408; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (3)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"F2175210-368C-11D0-AD81-00A0C90DC8D9"; nocase; distance:0; pcre:"/(SnapshotPath|CompressedPath|PrintSnapshot)/i"; pcre:"/(exe|bat|com|dll|ini)/i"; reference:bugtraq,30114; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html; reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008409; classtype:web-application-attack; sid:2008409; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Windows Help Center Arbitrary Command Execution Exploit Attempt"; flow:established,from_server; file_data; content:"hcp|3a|//"; fast_pattern; nocase; distance:0; content:"script"; nocase; distance:0; content:"defer"; nocase; distance:0; content:"unescape"; nocase; distance:0; pcre:"/src\s*=\s*[\x22\x27]?hcp\x3a\x2f\x2F[^\n]*?(%3c|<)script[^\n]*?defer[^\n]*?unescape/i"; reference:url,www.exploit-db.com/exploits/13808/; reference:url,doc.emergingthreats.net/2011173; reference:cve,2010-1885; classtype:misc-attack; sid:2011173; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Sony ImageStation (SonyISUpload.cab 1.0.0.38) ActiveX Buffer Overflow Exploit"; flow:to_client,established; content:"0x40000"; nocase; content:"E9A7F56F-C40F-4928-8C6F-7A72F2A25222"; nocase; content:"SetLogging"; nocase; reference:url,www.milw0rm.com/exploits/5086; reference:url,www.milw0rm.com/exploits/5100; reference:url,doc.emergingthreats.net/bin/view/Main/2007847; classtype:web-application-attack; sid:2007847; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX 4XEM VatDecoder VatCtrl Class ActiveX Control Url Property Buffer Overflow Vulnerability"; flow:to_client,established; file_data; content:"210D0CBC-8B17-48D1-B294-1A338DD2EB3A"; nocase; distance:0; content:"0x40000"; distance:0; content:"Url"; nocase; distance:0; reference:bugtraq,28010; reference:url,www.milw0rm.com/exploits/5193; reference:url,doc.emergingthreats.net/2007903; classtype:web-application-attack; sid:2007903; rev:19; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AOL Radio AmpX ActiveX Control ConvertFile Method Buffer Overflow"; flow:to_client,established; file_data; content:"FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6"; nocase; content:"ConvertFile"; nocase; distance:0; reference:url,milw0rm.com/exploits/8733; reference:bugtraq,35028; reference:url,doc.emergingthreats.net/2009469; classtype:web-application-attack; sid:2009469; rev:17; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL SuperBuddy ActiveX Control Remote Code Execution Attempt"; flow:from_server,established; file_data; content:"189504B8-50D1-4AA8-B4D6-95C8F58A6414"; nocase; distance:0; content:"SetSuperBuddy"; nocase; distance:0; content:"//"; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*189504B8-50D1-4AA8-B4D6-95C8F58A6414/si"; reference:url,www.securityfocus.com/bid/36580/info; reference:url,www.securityfocus.com/archive/1/506889; reference:url,doc.emergingthreats.net/2010039; classtype:attempted-user; sid:2010039; rev:13; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL IWinAmp ActiveX ConvertFile Buffer Overflow Attempt"; flow:from_server,established; file_data; content:"FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6"; nocase; distance:0; content:"ConvertFile"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6/si"; reference:url,www.milw0rm.org/exploits/8733; reference:url,www.securityfocus.com/bid/35028; reference:url,doc.emergingthreats.net/2010160; classtype:attempted-user; sid:2010160; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL 9.5 BindToFile Heap Overflow Attempt"; flow:established,to_client; file_data; content:"BC8A96C6-3909-11D5-9001-00C04F4C3B9F"; nocase; distance:0; content:"BindToFile"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BC8A96C6-3909-11D5-9001-00C04F4C3B9F/si"; reference:url,tcc.hellcode.net/advisories/hellcode-adv008.txt; reference:url,doc.emergingthreats.net/2010814; classtype:attempted-user; sid:2010814; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AOL 9.5 Phobos.Playlist Import ActiveX Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"A105BD70-BF56-4D10-BC91-41C88321F47C"; nocase; distance:0; content:".Import"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A105BD70-BF56-4D10-BC91-41C88321F47C/si"; reference:url,www.rec-sec.com/2010/01/25/aol-playlist-class-buffer-overflow/; reference:url,doc.emergingthreats.net/2010962; classtype:attempted-user; sid:2010962; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Acer LunchApp Arbitrary Code Exucution Attempt"; flow:established,from_server; file_data; content:"3895DD35-7573-11D2-8FED-00606730D3AA"; nocase; distance:0; content:"RUN"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3895DD35-7573-11D2-8FED-00606730D3AA/si"; reference:url,securitytracker.com/alerts/2009/Aug/1022752.html; reference:url,www.kb.cert.org/vuls/id/485961; reference:url,www.securityfocus.com/bid/21207/info; reference:url,doc.emergingthreats.net/2009868; classtype:attempted-user; sid:2009868; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Adobe Shockwave Player ActiveX Control Buffer Overflow clsid access"; flow:established,to_client; file_data; content:"233C1507-6A77-46A4-9443-F871F945D258"; nocase; distance:0; content:"PlayerVersion"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*233C1507-6A77-46A4-9443-F871F945D258/si"; reference:url,www.milw0rm.com/exploits/9682; reference:url,doc.emergingthreats.net/2010256; classtype:web-application-attack; sid:2010256; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Akamai Download Manager Stack Buffer Overflow CLSID Access 1"; flow:to_client,established; file_data; content:"4871A87A-BFDD-4106-8153-FFDE2BAC2967"; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4871A87A-BFDD-4106-8153-FFDE2BAC2967/si"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=813; reference:url,doc.emergingthreats.net/2009687; classtype:web-application-attack; sid:2009687; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Akamai Download Manager Stack Buffer Overflow CLSID Access 2"; flow:to_client,established; file_data; content:"2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B/si"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=813; reference:url,doc.emergingthreats.net/2009688; classtype:web-application-attack; sid:2009688; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Akamai Download Manager Stack Buffer Overflow CLSID Access 3"; flow:to_client,established; file_data; content:"FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1/si"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=813; reference:url,doc.emergingthreats.net/2009689; classtype:web-application-attack; sid:2009689; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Symantec Altiris Deployment Solution AeXNSPkgDLLib.dll ActiveX Control DownloadAndInstall Method Arbitrary Code Execution Attempt"; flow:from_server,established; file_data; content:"63716E93-033D-48B0-8A2F-8E8473FD7AC7"; nocase; distance:0; content:"DownloadAndInstall"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*63716E93-033D-48B0-8A2F-8E8473FD7AC7/si"; reference:url,securitytracker.com/alerts/2009/Sep/1022928.html; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090922_00; reference:url,trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/browser/symantec_altirisdeployment_downloadandinstall.rb?rev=7023; reference:url,doc.emergingthreats.net/2010011; classtype:attempted-user; sid:2010011; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"Altiris.AeXNSConsoleUtilities"; nocase; distance:0; content:"BrowseAndSaveFile"; nocase; distance:0;  reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00; reference:url,www.securityfocus.com/bid/36698/info; reference:url,sotiriu.de/adv/NSOADV-2009-001.txt; reference:url,securitytracker.com/alerts/2009/Nov/1023122.html; reference:cve,2009-3031; reference:url,doc.emergingthreats.net/2010245; classtype:attempted-user; sid:2010245; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Altirix eXpress NS SC ActiveX Arbitrary Code Execution Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"Altiris.AeXNSPkgDL.1"; nocase; distance:0; content:"DownloadAndInstall"; nocase; distance:0; reference:url,trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/browser/symantec_altirisdeployment_downloadandinstall.rb?rev=7023; reference:url,secunia.com/advisories/36679; reference:url,doc.emergingthreats.net/2010190; classtype:attempted-user; sid:2010190; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AOLShare ActiveX AppString method denial of service Attempt"; flow:established,to_client; file_data; content:"18477169-4752-41DC-AB0F-C50EBA75641D"; nocase; distance:0; content:"Appstring"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*18477169-4752-41DC-AB0F-C50EBA75641D/si"; reference:url,packetstorm.foofus.com/1001-exploits/aolactivex-dos.txt; reference:url,doc.emergingthreats.net/2010986; classtype:attempted-user; sid:2010986; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AOLShare ActiveX AppString method denial of service Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"YGPWz.CAOLMemExpWz"; nocase; distance:0; content:"AppString"; nocase; distance:0; reference:url,packetstorm.foofus.com/1001-exploits/aolactivex-dos.txt; reference:url,doc.emergingthreats.net/2010987; classtype:attempted-user; sid:2010987; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AOL 9.5 ActiveX control Import method Heap Overflow Attempt"; flow:established,to_client; file_data; content:"A105BD70-BF56-4D10-BC91-41C88321F47C"; nocase; distance:0; content:"Import"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A105BD70-BF56-4D10-BC91-41C88321F47C/si"; reference:url,www.exploit-db.com/exploits/11204; reference:url,doc.emergingthreats.net/2010977; classtype:attempted-user; sid:2010977; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Apple QuickTime <= 7.4.1 QTPlugin.ocx Multiple Remote Stack Overflow"; flow:to_client,established; file_data; content:"02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"; nocase; distance:0; content:"String("; nocase; distance:0; pcre:"/^\s*?[0-9]{4}/R"; pcre:"/(SetBgColor|SetMovieName|SetTarget|SetMatrix|SetHREF)/Ri"; reference:bugtraq,27769; reference:cve,CVE-2008-0778; reference:url,www.milw0rm.com/exploits/5110; reference:url,doc.emergingthreats.net/2007878; classtype:web-application-attack; sid:2007878; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AtHocGov IWSAlerts ActiveX Control Buffer Overflow Function Call Attempt"; flow:established,to_client; file_data; content:"ActiveXObject"; nocase; distance:0; content:"AtHocGovGSTlBar.GSHelper.1"; nocase; distance:0; content:"CompleteInstallation"; nocase; distance:0; reference:url,metasploit.com/modules/exploit/windows/browser/athocgov_completeinstallation; reference:url,athoc.com/products/IWSAlerts_overview.aspx; reference:url,doc.emergingthreats.net/2011211; classtype:attempted-user; sid:2011211; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Attachmate Reflection X ActiveX Control 'ControlID' Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"15B168B2-AD3C-11D1-A8D8-00A0C9200E61"; nocase; distance:0; content:"ControlID"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*15B168B2-AD3C-11D1-A8D8-00A0C9200E61/si"; reference:url,doc.emergingthreats.net/2011129; classtype:attempted-user; sid:2011129; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Attachmate Reflection X ActiveX Control 'ControlID' Buffer Overflow Function Call Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"R2AXCTRLLib.R2winCtrl"; nocase; distance:0; content:"ControlID"; nocase; distance:0; reference:url,doc.emergingthreats.net/2011130; classtype:attempted-user; sid:2011130; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Autodesk Design Review DWF Viewer ActiveX Control SaveAs Insecure Method"; flow:to_client,established; file_data; content:"A662DA7E-CCB7-4743-B71A-D817F6D575DF"; nocase; distance:0; content:"SaveAS"; nocase; distance:0; reference:url,retrogod.altervista.org/9sg_autodesk_revit_arch_2009_exploit.html; reference:url,secunia.com/Advisories/31989/; reference:url,doc.emergingthreats.net/2008612; classtype:web-application-attack; sid:2008612; rev:13; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Autodesk IDrop Indicator ActiveX Control Memory Corruption"; flow:to_client,established; file_data; content:"21E0CB95-1198-4945-A3D2-4BF804295F78"; nocase; distance:0; pcre:"/(Src|Background|PackageXml)/i"; reference:url,secunia.com/advisories/34563/; reference:url,archives.neohapsis.com/archives/fulldisclosure/2009-04/0020.html; reference:url,vupen.com/english/advisories/2009/0942; reference:url,milw0rm.com/exploits/8560; reference:url,doc.emergingthreats.net/2009399; classtype:web-application-attack; sid:2009399; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Avax Vector avPreview.ocx ActiveX Control Buffer Overflow"; flow:to_client,established; file_data; content:"9589AEC9-1C2D-4428-B7E8-63B39D356F9C"; nocase; distance:0; content:"PrinterName"; nocase; distance:0; reference:url,packetstormsecurity.nl/0907-exploits/avax13-dos.txt; reference:bugtraq,35582; reference:url,juniper.net/security/auto/vulnerabilities/vuln35583.html; reference:url,doc.emergingthreats.net/2009792; classtype:web-application-attack; sid:2009792; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Awingsoft Web3D Player Remote Buffer Overflow"; flow:to_client,established; file_data; content:"17A54E7D-A9D4-11D8-9552-00E04CB09903"; nocase; distance:0; content:"SceneURL"; nocase; distance:0; reference:url,secunia.com/advisories/35764/; reference:url,milw0rm.com/exploits/9116; reference:url,shinnai.net/xplits/TXT_nsGUdeley3EHfKEV690p.html; reference:url,doc.emergingthreats.net/2009857; classtype:web-application-attack; sid:2009857; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX BaoFeng Storm ActiveX Control OnBeforeVideoDownload Method Buffer Overflow"; flow:to_client,established; file_data; content:"6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB"; nocase; distance:0; content:"OnBeforeVideoDownload"; nocase; distance:0; reference:bugtraq,34789; reference:url,milw0rm.com/exploits/8579; reference:url,doc.emergingthreats.net/2009425; classtype:web-application-attack; sid:2009425; rev:14; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX BaoFeng Storm ActiveX Control SetAttributeValue Method Buffer Overflow"; flow:to_client,established; file_data; content:"BD103B2B-30FB-4F1E-8C17-D8F6AADBCC05"; nocase; distance:0; content:"SetAttributeValue"; nocase; distance:0; reference:bugtraq,34869; reference:url,juniper.net/security/auto/vulnerabilities/vuln34869.html; reference:url,vupen.com/english/advisories/2009/1392; reference:url,milw0rm.com/exploits/8757; reference:url,doc.emergingthreats.net/2009657; classtype:web-application-attack; sid:2009657; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX BaoFeng Storm mps.dll ActiveX OnBeforeVideoDownload Buffer Overflow Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"MPS.StormPlayer.1"; nocase; distance:0; content:"OnBeforeVideoDownload"; nocase; distance:0; reference:bugtraq,34789; reference:url,doc.emergingthreats.net/2010995; classtype:attempted-user; sid:2010995; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control EnableStartApplication/EnableStartBeforePrint/EnableKeepExistingFiles/EnablePassParameters Buffer Overflow Attempt"; flow:from_server,established; file_data; content:"1503569A-0AE2-4333-B6E6-466AB0BC73E5"; nocase; distance:0; content:"Enable"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1503569A-0AE2-4333-B6E6-466AB0BC73E5\s*(EnableKeepExistingFiles|EnableStartApplication|EnableStartBeforePrint|EnablePassParameters)/si"; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010203; classtype:attempted-user; sid:2010203; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SetApplicationPath/SetStartApplicationParamCode/SetCustomStartAppParameter Buffer Overflow Attempt"; flow:from_server,established; file_data; content:"1503569A-0AE2-4333-B6E6-466AB0BC73E5"; nocase; distance:0; content:"Set"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1503569A-0AE2-4333-B6E6-466AB0BC73E5\s*(SetApplicationPath|SetStartApplicationParamCode|SetCustomStartAppParameter)/si"; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010204; classtype:attempted-user; sid:2010204; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SaveBlackIceDEVMODE Buffer Overflow Attempt"; flow:from_server,established; file_data; content:"1503569A-0AE2-4333-B6E6-466AB0BC73E5"; nocase; distance:0; content:"SaveBlackIceDEVMODE"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1503569A-0AE2-4333-B6E6-466AB0BC73E5/si"; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010205; classtype:attempted-user; sid:2010205; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ClearUserSettings Buffer Overflow Attempt"; flow:from_server,established; file_data; content:"1503569A-0AE2-4333-B6E6-466AB0BC73E5"; nocase; distance:0; content:"ClearUserSettings"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1503569A-0AE2-4333-B6E6-466AB0BC73E5/si"; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010206; classtype:attempted-user; sid:2010206; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ControlJob Buffer Overflow Attempt"; flow:from_server,established; file_data; content:"1503569A-0AE2-4333-B6E6-466AB0BC73E5"; nocase; distance:0; content:"ControlJob"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1503569A-0AE2-4333-B6E6-466AB0BC73E5/si"; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010207; classtype:attempted-user; sid:2010207; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control EnableStartApplication/EnableStartBeforePrint/EnableKeepExistingFiles/EnablePassParameters Function Call Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"BlackIceDEVMODECtrl.1"; nocase; distance:0; pcre:"/(EnableStartApplication|EnableStartBeforePrint|EnableKeepExistingFiles|EnablePassParameters)/i"; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010208; classtype:attempted-user; sid:2010208; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SetApplicationPath/SetStartApplicationParamCode/SetCustomStartAppParameter Function Call Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"BlackIceDEVMODECtrl.1"; nocase; distance:0; pcre:"/(SetApplicationPath|SetStartApplicationParamCode|SetCustomStartAppParameter)/i"; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010209; classtype:attempted-user; sid:2010209; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SaveBlackIceDEVMODE Function Call Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"BlackIceDEVMODECtrl.1"; nocase; distance:0; content:"SaveBlackIceDEVMODE"; nocase; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010210; classtype:attempted-user; sid:2010210; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ClearUserSettings Function Call Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"BlackIceDEVMODECtrl.1"; nocase; distance:0; content:"ClearUserSettings"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010211; classtype:attempted-user; sid:2010211; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ControlJob Function Call Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"BlackIceDEVMODECtrl.1"; nocase; distance:0; content:"ControlJob"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010212; classtype:attempted-user; sid:2010212; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Charm Real Converter pro 6.6 Activex Control DOS clsid access attempt"; flow:established,to_client; file_data; content:"F4F647AD-B160-11D2-A3EF-00104BDF4755"; nocase; distance:0; content:"GetCodecModulus"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F4F647AD-B160-11D2-A3EF-00104BDF4755/si"; reference:url,www.packetstormsecurity.org/0909-exploits/charmrc-dos.txt; reference:url,doc.emergingthreats.net/2010280; classtype:web-application-attack; sid:2010280; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ChilkatHttp ActiveX 2.3 Arbitrary Files Overwrite"; flow:to_client,established; file_data; content:"B973393F-27C7-4781-877D-8626AAEDF119"; nocase; distance:0; pcre:"/.*\.(ini|exe|dll|bat|com|cab|txt)/Ri"; content:"SaveLastError"; nocase; reference:bugtraq,28546; reference:url,www.milw0rm.com/exploits/5338; reference:url,doc.emergingthreats.net/2008099; classtype:web-application-attack; sid:2008099; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Chilkat IMAP ActiveX File Execution and IE DoS"; flow:to_client,established; file_data; content:"126FB030-1E9E-4517-A254-430616582C50"; nocase; distance:0; content:"LoadXmlEmail"; nocase; distance:0; reference:url,www.milw0rm.com/exploits/6600; reference:url,doc.emergingthreats.net/2008607; classtype:web-application-attack; sid:2008607; rev:14; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Chilkat Crypt ActiveX Component WriteFile Insecure Method"; flow:to_client,established; file_data; content:"3352B5B9-82E8-4FFD-9EB1-1A3E60056904"; nocase; distance:0; content:"WriteFile"; nocase; distance:0; reference:url,secunia.com/Advisories/32513/; reference:url,milw0rm.com/exploits/6963; reference:url,doc.emergingthreats.net/2008814; classtype:web-application-attack; sid:2008814; rev:13; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Chilkat Socket ACTIVEX Remote Arbitrary File Creation"; flow:to_client,established; file_data; content:"474FCCCD-1B89-4D34-9E09-45807F23289C"; nocase; distance:0; content:"SaveLastError"; nocase; distance:0; reference:bugtraq,32333; reference:url,milw0rm.com/exploits/7142; reference:url,doc.emergingthreats.net/2008870; classtype:web-application-attack; sid:2008870; rev:13; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Chilkat Socket Activex Remote Arbitrary File Overwrite 1"; flow:to_client,established; file_data; content:"3B598BD0-AF50-48C6-B6A5-63261A48B054"; nocase; distance:0; content:"SaveLastError"; nocase; distance:0; reference:bugtraq,32333; reference:url,milw0rm.com/exploits/7594; reference:url,doc.emergingthreats.net/2009046; classtype:web-application-attack; sid:2009046; rev:51; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Chinagames ActiveX Control CreateChinagames Method Buffer Overflow"; flow:to_client,established; file_data; content:"75108B29-202F-493C-86C5-1C182A485C4C"; nocase; distance:0; content:"CreateChinagames"; nocase; distance:0; reference:bugtraq,34871; reference:url,milw0rm.com/exploits/8758; reference:url,doc.emergingthreats.net/2009500; classtype:web-application-attack; sid:2009500; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Ciansoft PDFBuilderX Control ActiveX Arbitrary File Overwrite"; flow:to_client,established; file_data; content:"00E7C7F8-71E2-498A-AB28-A3D72FC74485"; nocase; distance:0; content:"SaveToFile"; nocase; distance:0; reference:bugtraq,33233; reference:url,milw0rm.com/exploits/7794; reference:url,doc.emergingthreats.net/2009064; classtype:web-application-attack; sid:2009064; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Citrix Presentation Server Client WFICA.OCX ActiveX Component Heap Buffer Overflow Exploit"; flow:established,to_client; file_data; content:"0x40000"; distance:0; content:"SendChannelData"; nocase; distance:0; content:"238F6F83-B8B4-11CF-8771-00A024541EE3"; nocase; distance:0; reference:url,www.milw0rm.com/exploits/5106; reference:bugtraq,21458; reference:cve,CVE-2006-6334; reference:url,doc.emergingthreats.net/bin/view/Main/2007851; classtype:web-application-attack; sid:2007851; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ComponentOne VSFlexGrid ActiveX Control Archive Method Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"C945E31A-102E-4A0D-8854-D599D7AED5FA"; nocase; distance:0; content:"Archive"; nocase; distance:0; reference:url,exploit-db.com/exploits/12673; reference:url,doc.emergingthreats.net/2011210; classtype:attempted-user; sid:2011210; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Consona Products SdcUser.TgConCtl ActiveX Control Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"01113300-3E00-11D2-8470-0060089874ED"; nocase; distance:0; content:"RunCMD"; nocase; distance:0; reference:url,www.kb.cert.org/vuls/id/602801; reference:bugtraq,40006; reference:url,juniper.net/security/auto/vulnerabilities/vuln40006.html; reference:url,doc.emergingthreats.net/2011212; classtype:attempted-user; sid:2011212; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Consona Products SdcUser.TgConCtl ActiveX Control BOF Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"SdcUser.TgConCtl"; nocase; distance:0; fast_pattern; content:"RunCMD"; nocase; distance:0; reference:url,www.kb.cert.org/vuls/id/602801; reference:bugtraq,40006; reference:url,juniper.net/security/auto/vulnerabilities/vuln40006.html; reference:url,doc.emergingthreats.net/2011213; classtype:attempted-user; sid:2011213; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Data Dynamics ActiveBar ActiveX Control (Actbar3.ocx 3.2) Multiple Insecure Methods"; flow:to_client,established; file_data; content:"5407153D-022F-4CD2-8BFF-465569BC5DB8"; distance:0; content:"Save"; distance:0; nocase; pcre:"/.*\.(ini|exe|dll|bat|com|cab|txt)/i"; pcre:"/(Save|SaveLayoutChanges|SaveMenuUsageData)/i"; reference:bugtraq,24959; reference:cve,CVE-2007-3883; reference:url,www.exploit-db.com/exploits/5395/; reference:url,doc.emergingthreats.net/2008127; classtype:web-application-attack; sid:2008127; rev:15; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX D-Link MPEG4 SHM (Audio) Control ActiveX Control Url Property Buffer Overflow Vulnerability"; flow:to_client,established; file_data; content:"A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C"; nocase; distance:0; content:"0x40000"; distance:0; content:"Url"; nocase; distance:0; reference:bugtraq,28010; reference:url,www.milw0rm.com/exploits/5193; reference:url,doc.emergingthreats.net/2007905; classtype:web-application-attack; sid:2007905; rev:51; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible EDraw Flowchart ActiveX Control OpenDocument Method Remote Code Execution Attempt"; flow:to_client,established; file_data; content:"F685AFD8-A5CC-410E-98E4-BAA1C559BA61"; nocase; distance:0; content:"OpenDocument"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F685AFD8-A5CC-410E-98E4-BAA1C559BA61/si"; reference:url,doc.emergingthreats.net/2011055; classtype:attempted-user; sid:2011055; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible EMC Captiva PixTools Distributed Imaging ActiveX Control Vulnerable WriteToLog Method Arbitrary File Creation/Overwrite Attempt"; flow:established,from_server; file_data; content:"00200338-3D33-4FFC-AC20-67AA234325F3"; nocase; distance:0; content:"WriteToLog"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00200338-3D33-4FFC-AC20-67AA234325F3/si"; reference:url,www.securityfocus.com/bid/36566/info; reference:url,www.shinnai.net/xplits/TXT_17zVMhRhsRE6qC6DAj52.html; reference:url,doc.emergingthreats.net/2010035; classtype:attempted-user; sid:2010035; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible EMC Captiva PixTools Distributed Imaging ActiveX Control Vulnerable SetLogLevel/SetLogFileName Method Arbitrary File Creation/Overwrite Attempt"; flow:established,from_server; file_data; content:"00200338-3D33-4FFC-AC20-67AA234325F3"; nocase; distance:0; content:"SetLog"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00200338-3D33-4FFC-AC20-67AA234325F3/si"; reference:url,www.securityfocus.com/bid/36566/info; reference:url,www.shinnai.net/xplits/TXT_17zVMhRhsRE6qC6DAj52.html; reference:url,doc.emergingthreats.net/2010036; classtype:attempted-user; sid:2010036; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EMC Captiva PixTools ActiveX Arbitrary File Creation/Overwrite function call Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"PDIControl.PDI.1"; nocase; distance:0; content:"WriteToLog"; distance:0; reference:url,www.securityfocus.com/bid/36566/info; reference:url,www.shinnai.net/xplits/TXT_17zVMhRhsRE6qC6DAj52.html; reference:url,doc.emergingthreats.net/2010154; classtype:web-application-attack; sid:2010154; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EMC Captiva PixTools ActiveX Arbitrary File Creation/Overwrite function call Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"PDIControl.PDI.1"; nocase; distance:0; content:"SetLog"; distance:0; reference:url,www.securityfocus.com/bid/36566/info; reference:url,www.shinnai.net/xplits/TXT_17zVMhRhsRE6qC6DAj52.html; reference:url,doc.emergingthreats.net/2010155; classtype:web-application-attack; sid:2010155; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EasyMail Objects emmailstore.dll ActiveX Control Remote Buffer Overflow"; flow:to_client,established; file_data; content:"5B8BE023-76A2-4F6D-8993-F7E588D79D98"; nocase; distance:0; content:"0x400000"; nocase; distance:0; content:"CreateStore"; nocase; distance:0; reference:bugtraq,32722; reference:url,milw0rm.com/exploits/7402; reference:url,doc.emergingthreats.net/2008963; classtype:web-application-attack; sid:2008963; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Quiksoft EasyMail imap connect() ActiveX stack overflow vulnerability"; flow:from_server,established; file_data; content:"<script"; nocase; distance:0; content:"unescape|28|"; nocase; distance:0; content:"|2e|connect"; nocase; distance:0; content:"0CEA3FB1-7F88-4803-AA8E-AD021566955D"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0CEA3FB1-7F88-4803-AA8E-AD021566955D/si"; reference:url,www.milw0rm.com/exploits/9704; reference:url,www.securityfocus.com/bid/22583; reference:url,doc.emergingthreats.net/2009948; classtype:attempted-user; sid:2009948; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EasyMail Quicksoft ActiveX Control Remote code excution clsid access attempt"; flow:to_client,established; file_data; content:"0CEA3FB1-7F88-4803-AA8E-AD021566955D"; nocase; distance:0; content:"LicenseKey"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0CEA3FB1-7F88-4803-AA8E-AD021566955D/si"; reference:url,milw0rm.com/exploits/9684; reference:url,doc.emergingthreats.net/2010253; classtype:web-application-attack; sid:2010253; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EasyMail Quicksoft ActiveX CreateStore method Remote code excution clsid access"; flow:established,to_client; file_data; content:"18A76B9A-45C1-11D3-80DC-00C04F6B92D0"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*18A76B9A-45C1-11D3-80DC-00C04F6B92D0/si"; content:"CreateStore"; nocase; reference:url,www.milw0rm.com/exploits/9685; reference:url,doc.emergingthreats.net/2010277; classtype:web-application-attack; sid:2010277; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EasyMail ActiveX AddAttachment method Remote code excution clsid access attempt"; flow:established,to_client; file_data; content:"68AC0D5F-0424-11D5-822F-00C04F6BA8D9"; nocase; distance:0; content:"AddAttachment"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*68AC0D5F-0424-11D5-822F-00C04F6BA8D9/si"; reference:url,www.milw0rm.com/exploits/9705; reference:url,doc.emergingthreats.net/2010278; classtype:web-application-attack; sid:2010278; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Easy Grid ActiveX Multiple Arbitrary File Overwrite"; flow:to_client,established; file_data; content:"DD44C0EA-B2CF-31D1-8DD3-444553540000"; nocase; distance:0; content:"DoSaveFile"; nocase; distance:0; reference:bugtraq,33272; reference:url,doc.emergingthreats.net/2009102; classtype:web-application-attack; sid:2009102; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Easy Grid ActiveX Multiple Arbitrary File Overwrite"; flow:to_client,established; file_data; content:"DD44C0EA-B2CF-31D1-8DD3-444553540000"; nocase; distance:0; content:"DoSaveFile"; nocase; distance:0; reference:bugtraq,33272; reference:url,doc.emergingthreats.net/2009063; classtype:web-application-attack; sid:2009063; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX eBay Enhanced Picture Services Control Clsid Access (1)"; flow:from_server,established; file_data; content:"4C39376E-FA9D-4349-BACC-D305C1750EF3"; nocase; distance:0; content:"PictureUrls"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4C39376E-FA9D-4349-BACC-D305C1750EF3/si"; reference:url,www.kb.cert.org/vuls/id/983731; reference:url,www.microsoft.com/technet/security/advisory/969898.mspx; reference:url,pages.ebay.com/securitycenter/activex/index.html; reference:url,doc.emergingthreats.net/2009402; classtype:attempted-user; sid:2009402; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX eBay Enhanced Picture Services Control Clsid Access (2)"; flow:from_server,established; file_data; content:"C3EB1670-84E0-4EDA-B570-0B51AAE81679"; nocase; distance:0; content:"PictureUrls"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C3EB1670-84E0-4EDA-B570-0B51AAE81679/si"; reference:url,www.kb.cert.org/vuls/id/983731; reference:url,www.microsoft.com/technet/security/advisory/969898.mspx; reference:url,pages.ebay.com/securitycenter/activex/index.html; reference:url,doc.emergingthreats.net/2009403; classtype:attempted-user; sid:2009403; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EvansFTP EvansFTP.ocx Remote Buffer Overflow"; flow:to_client,established; file_data; content:"7E864D3E-3E6A-48F0-88AF-CEAEE322F9FD"; nocase; distance:0; content:"RemoteAddress"; nocase; distance:0; reference:bugtraq,32814; reference:url,www.milw0rm.com/exploits/7460; reference:url,doc.emergingthreats.net/2008999; classtype:web-application-attack; sid:2008999; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX FathFTP ActiveX DeleteFile Arbitrary File Deletion"; flow:to_client,established; file_data; content:"62A989CE-D39A-11D5-86F0-B9C370762176"; nocase; distance:0; content:"DeleteFile"; nocase; distance:0; reference:bugtraq,33842; reference:url,xforce.iss.net/xforce/xfdb/48837; reference:url,doc.emergingthreats.net/2009184; classtype:web-application-attack; sid:2009184; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX FathFTP ActiveX Control GetFromURL Method Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"62A989CE-D39A-11D5-86F0-B9C370762176"; nocase; distance:0; content:"GetFromURL"; nocase; distance:0; reference:url,exploit-db.com/exploits/14269/; reference:url,doc.emergingthreats.net/2011251; classtype:web-application-attack; sid:2011251; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX FlexCell Grid ActiveX Multiple Arbitrary File Overwrite"; flow:to_client,established; file_data; content:"2A7D9CCE-211A-4654-9449-718F71ED9644"; nocase; distance:0; pcre:"/(SaveFile|ExportToXML)/i"; reference:url,www.milw0rm.com/exploits/7868; reference:bugtraq,33453; reference:url,doc.emergingthreats.net/2009120; classtype:web-application-attack; sid:2009120; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Foxit Reader ActiveX control OpenFile method Heap Overflow Attempt"; flow:established,to_client; file_data; content:"05563215-225C-45EB-BB34-AFA47217B1DE"; nocase; distance:0; content:"OpenFile"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*05563215-225C-45EB-BB34-AFA47217B1DE/si"; reference:url,www.exploit-db.com/exploits/11196; reference:url,doc.emergingthreats.net/2010929; classtype:attempted-user; sid:2010929; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Foxit Reader ActiveX OpenFile method Remote Code Execution Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"FOXITREADEROCXLib.FoxitReaderOCX"; nocase; distance:0; content:"OpenFile "; nocase; distance:0; reference:url,www.exploit-db.com/exploits/11196; reference:url,doc.emergingthreats.net/2010930; classtype:attempted-user; sid:2010930; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Gateway Weblaunch2.ocx ActiveX Control Insecure Method Exploit"; flow:to_client,established; file_data; content:"0x40000"; distance:0; content:"DoWebLaunch"; distance:0; content:"97BB6657-DC7F-4489-9067-51FAB9D8857E"; nocase; distance:0; reference:url,www.milw0rm.com/exploits/4982; reference:bugtraq,27193; reference:url,doc.emergingthreats.net/2007852; classtype:web-application-attack; sid:2007852; rev:13; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX GdPicture Pro ActiveX control SaveAsPDF Insecure Method"; flow:to_client,established; file_data; content:"E8512363-3581-42EF-A43D-990E7935C8BE"; nocase; distance:0; content:"SaveAsPDF"; nocase; distance:0; reference:url,secunia.com/Advisories/31966/; reference:url,milw0rm.com/exploits/6638; reference:url,doc.emergingthreats.net/2008613; classtype:web-application-attack; sid:2008613; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX GeoVision LiveAudio ActiveX Control Remote Code Execution"; flow:to_client,established; file_data; content:"814A3C52-B6F7-4AEA-A9BC-7849B9B0ECA8"; nocase; distance:0; content:"GetAudioPlayingTime"; nocase; distance:0; reference:bugtraq,34115; reference:url,milw0rm.com/exploits/8206; reference:url,doc.emergingthreats.net/2009328; classtype:web-application-attack; sid:2009328; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX GeoVision LiveX_v8200 ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; file_data; content:"8D58D690-6B71-4ee8-85AD-006DB0287BF1"; nocase; distance:0; pcre:"/(SnapShotToFile|SnapShotX)/i"; reference:url,milw0rm.com/exploits/8059; reference:url,doc.emergingthreats.net/2009160; classtype:web-application-attack; sid:2009160; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX GeoVision LiveX_v7000 ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; file_data; content:"DA8484DE-52DB-4860-A986-61A8682E298A"; nocase; distance:0; pcre:"/(SnapShotToFile|SnapShotX)/i"; reference:url,xforce.iss.net/xforce/xfdb/48773; reference:url,milw0rm.com/exploits/8059; reference:url,doc.emergingthreats.net/2009161; classtype:web-application-attack; sid:2009161; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX GeoVision LiveX_v8120 ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; file_data; content:"F4421170-DB22-4551-BBFB-FFCFFB419F6F"; nocase; distance:0; pcre:"/(SnapShotToFile|SnapShotX)/i"; reference:url,xforce.iss.net/xforce/xfdb/48773; reference:url,milw0rm.com/exploits/8059; reference:url,doc.emergingthreats.net/2009162; classtype:web-application-attack; sid:2009162; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Gom Player V 2.1.16 Activex Command Execution clsid access attempt"; flow:established,to_client; file_data; content:"7606693A-C18D-4567-AF85-6194FF70761E"; nocase; distance:0; content:"Command"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7606693A-C18D-4567-AF85-6194FF70761E/si"; reference:url,www.packetstormsecurity.org/0909-exploits/gomplayer-exec.txt; reference:url,doc.emergingthreats.net/2010367; classtype:web-application-attack; sid:2010367; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Gom Player V 2.1.16 ActiveX Command Execution Function call attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"GOMWEBCTRLLib.GomWeb"; nocase; distance:0; content:"Command"; nocase; reference:url,www.packetstormsecurity.org/0909-exploits/gomplayer-exec.txt; reference:url,doc.emergingthreats.net/2010368; classtype:web-application-attack; sid:2010368; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Gracenote CDDBControl ActiveX Control ViewProfile Method Heap Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"B69003B3-C55E-4B48-836C-BC5946FC3B28"; nocase; distance:0; content:"ViewProfile"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B69003B3-C55E-4B48-836C-BC5946FC3B28/si"; reference:url,www.securityfocus.com/bid/37834; reference:url,doc.emergingthreats.net/2010760; classtype:attempted-user; sid:2010760; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible HP LoadRunner XUpload.ocx ActiveX Control MakeHttpRequest Arbitrary File Download Attempt"; flow:from_server,established; file_data; content:"E87F6C8E-16C0-11D3-BEF7-009027438003"; nocase; distance:0; content:"XUPLOAD"; nocase; distance:0; content:"MakeHttpRequest"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E87F6C8E-16C0-11D3-BEF7-009027438003/si"; reference:url,www.securityfocus.com/bid/36550/info; reference:url,doc.emergingthreats.net/2010010; classtype:attempted-user; sid:2010010; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Openview NNM ActiveX DisplayName method Memory corruption Attempt"; flow:established,to_client; file_data; content:"A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE"; nocase; distance:0; content:"DisplayName"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE/si"; reference:url,www.securityfocus.com/archive/1/507948; reference:url,doc.emergingthreats.net/2010611; classtype:web-application-attack; sid:2010611; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Openview NNM ActiveX AddGroup method Memory corruption Attempt"; flow:established,to_client; file_data; content:"A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE"; nocase; distance:0; content:"AddGroup"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE/si"; reference:url,www.securityfocus.com/archive/1/507948; reference:url,doc.emergingthreats.net/2010612; classtype:web-application-attack; sid:2010612; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Openview NNM ActiveX InstallComponent method Memory corruption Attempt"; flow:established,to_client; file_data; content:"A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE"; nocase; distance:0; content:"InstallComponent"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE/si"; reference:url,www.securityfocus.com/archive/1/507948; reference:url,doc.emergingthreats.net/2010613; classtype:web-application-attack; sid:2010613; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Openview NNM ActiveX Subscribe method Memory corruption Attempt"; flow:established,to_client; file_data; content:"A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE"; nocase; distance:0; content:"Subscribe"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE/si"; reference:url,www.securityfocus.com/archive/1/507948; reference:url,doc.emergingthreats.net/2010614; classtype:web-application-attack; sid:2010614; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Mercury Quality Center ActiveX ProgColor Buffer Overflow Attempt -1"; flow:established,to_client; file_data; content:"98C53984-8BF8-4D11-9B1C-C324FCA9CADE"; nocase; distance:0; content:"ProgColor"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*98C53984-8BF8-4D11-9B1C-C324FCA9CADE/si"; reference:url,secunia.com/advisories/24692/; reference:url,www.packetstormsecurity.nl/0911-exploits/hpmqc_progcolor.rb.txt; reference:url,www.kb.cert.org/vuls/id/589097; reference:url,doc.emergingthreats.net/2010778; classtype:attempted-user; sid:2010778; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Mercury Quality Center ActiveX ProgColor Buffer Overflow Attempt -2"; flow:established,to_client; file_data; content:"CDBD9968-7BF1-11D4-9D36-0001029DEBEB"; nocase; distance:0; content:"ProgColor"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CDBD9968-7BF1-11D4-9D36-0001029DEBEB/si"; reference:url,secunia.com/advisories/24692/; reference:url,www.packetstormsecurity.nl/0911-exploits/hpmqc_progcolor.rb.txt; reference:url,www.kb.cert.org/vuls/id/589097; reference:url,doc.emergingthreats.net/2010779; classtype:attempted-user; sid:2010779; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Operations Manager SourceView ActiveX LoadFile/SaveFile Method Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"366C9C52-C402-416B-862D-1464F629CA59"; nocase; distance:0; content:"File"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*366C9C52-C402-416B-862D-1464F629CA59.+(LoadFile|SaveFile)/si"; reference:url,packetstormsecurity.org/1004-exploits/CORELAN-10-027.txt; reference:url,secunia.com/advisories/39538/; reference:url,doc.emergingthreats.net/2011075; classtype:attempted-user; sid:2011075; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Virtual Rooms Control Clsid Access"; flow:from_server,established; file_data; content:"00000032-9593-4264-8B29-930B3E4EDCCD"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00000032-9593-4264-8B29-930B3E4EDCCD/si"; reference:url,www.microsoft.com/technet/security/advisory/969898.mspx; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01678405; reference:url,doc.emergingthreats.net/2009404; classtype:attempted-user; sid:2009404; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Haihaisoft Universal Player ActiveX Control URL Property Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"1A01FF01-EA62-4702-B837-1E07158145FA"; nocase; distance:0; content:"URL"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1A01FF01-EA62-4702-B837-1E07158145FA/si"; reference:url,www.shinnai.net/exploits/ZzLsi6TIfSuVPh1kPHmP.txt; reference:url,www.securityfocus.com/bid/37151/info; reference:url,doc.emergingthreats.net/2010373; classtype:attempted-user; sid:2010373; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Haihaisoft Universal Player ActiveX Control URL Property Buffer Overflow Function Call Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"MYACTIVEX|2E|MyActiveXCtrl|2E|1"; nocase; distance:0; content:"URL"; nocase; distance:0; reference:url,www.shinnai.net/exploits/ZzLsi6TIfSuVPh1kPHmP.txt; reference:url,www.securityfocus.com/bid/37151/info; reference:url,doc.emergingthreats.net/2010374; classtype:attempted-user; sid:2010374; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Hummingbird Deployment Wizard 2008 ActiveX Insecure Methods"; flow:to_client,established; file_data; content:"7F9B30F1-5129-4F5C-A76C-CE264A6C7D10"; nocase; distance:0; pcre:"/(Run|SetRegistryValueAsString|PerformUpdateAsync)/i"; reference:url,secunia.com/Advisories/32337/; reference:url,doc.emergingthreats.net/2008678; classtype:web-application-attack; sid:2008678; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Hyleos ChemView ActiveX Control SaveasMolFile Method Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"C372350A-1D5A-44DC-A759-767FC553D96C"; nocase; distance:0; content:"SaveasMolFile"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C372350A-1D5A-44DC-A759-767FC553D96C/si"; reference:url,www.security-assessment.com/files/advisories/2010-02-11_ChemviewX_Activex.pdf; reference:url,secunia.com/advisories/38523/; reference:url,doc.emergingthreats.net/2010997; classtype:attempted-user; sid:2010997; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Hyleos ChemView ActiveX Control ReadMolFile Method Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"C372350A-1D5A-44DC-A759-767FC553D96C"; nocase; distance:0; content:"ReadMolFile"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C372350A-1D5A-44DC-A759-767FC553D96C/si"; reference:url,www.security-assessment.com/files/advisories/2010-02-11_ChemviewX_Activex.pdf; reference:url,secunia.com/advisories/38523/; reference:url,doc.emergingthreats.net/2010998; classtype:attempted-user; sid:2010998; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Hyleos ChemView ActiveX Buffer Overflow Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"HyleosChemView.HLChemView"; nocase; distance:0; pcre:"/(ReadMolFile|SaveasMolFile)/i"; reference:url,www.security-assessment.com/files/advisories/2010-02-11_ChemviewX_Activex.pdf; reference:url,secunia.com/advisories/38523/; reference:url,doc.emergingthreats.net/2010999; classtype:attempted-user; sid:2010999; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX IAS Helper COM Component iashlpr.dll activex remote DOS"; flow:to_client,established; file_data; content:"6BC096BC-0CE6-11D1-BAAE-00C04FC2E20D"; nocase; distance:0; content:"PutProperty"; nocase; distance:0; reference:url,www.securityfocus.com/archive/1/archive/1/496695/100/0/threaded; reference:cve,2008-2639; reference:url,securityreason.com/securityalert/4323; reference:url,doc.emergingthreats.net/2008618; classtype:web-application-attack; sid:2008618; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX IBM Access Support ActiveX GetXMLValue Stack Overflow Attempt"; flow:from_server,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"IbmEgath.IbmEgathCtl.1"; distance:0; nocase; content:"GetXMLValue"; nocase; distance:0; reference:url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ibmegath_getxmlvalue.rb; reference:url,www.kb.cert.org/vuls/id/340420; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=17871; reference:cve,2009-0215; reference:url,doc.emergingthreats.net/2010482; classtype:attempted-user; sid:2010482; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX IBM Access Support ActiveX GetXMLValue Stack Overflow Attempt"; flow:established,to_client; file_data; content:"74FFE28D-2378-11D5-990C-006094235084"; nocase; distance:0; content:"GetXMLValue"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*74FFE28D-2378-11D5-990C-006094235084/si"; reference:url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ibmegath_getxmlvalue.rb; reference:url,www.kb.cert.org/vuls/id/340420; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=17871; reference:cve,2009-0215; reference:url,doc.emergingthreats.net/2010483; classtype:attempted-user; sid:2010483; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Multimedia Controls - ActiveX control's spline function call CLSID"; flow:from_server,established; file_data; content:"D7A7D7C3-D47F-11D0-89D3-00A0C90833E6"; nocase; distance:0; content:".Spline|28|"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D7A7D7C3-D47F-11D0-89D3-00A0C90833E6/si"; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=28841; reference:cve,2006-4446; reference:url,doc.emergingthreats.net/2003102; classtype:attempted-user; sid:2003102; rev:14; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Multimedia Controls - ActiveX control's spline function call Object"; flow:from_server,established; file_data; content:" DirectAnimation.PathControl"; distance:0; content:".Spline|28|"; nocase; distance:0; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.PathControl\x22|\x27DirectAnimation\.PathControl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.PathControl\x22|\x27DirectAnimation\.PathControl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; reference:url, www.osvdb.org/displayvuln.php?osvdb_id=28841; reference:cve,2006-4446; reference:url,doc.emergingthreats.net/2003103; classtype:attempted-user; sid:2003103; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Multimedia Controls - ActiveX control's KeyFrame function call Object"; flow:from_server,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"DirectAnimation.PathControl"; nocase; distance:0; content:".KeyFrame|28|"; nocase; distance:0; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.PathControl\x22|\x27DirectAnimation\.PathControl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.PathControl\x22|\x27DirectAnimation\.PathControl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=28842; reference:cve,2006-4777; reference:url,doc.emergingthreats.net/2003105; classtype:attempted-user; sid:2003105; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft WMIScriptUtils.WMIObjectBroker object call CSLID"; flow:from_server,established; file_data; content:"7F5B7F63-F06F-4331-8A26-339E03C0AE3D"; nocase; distance:0; reference:url,www.securityfocus.com/bid/20843; reference:url,secunia.com/advisories/22603; reference:cve,2006-4704; reference:url,www.microsoft.com/technet/security/bulletin/ms06-073.mspx; reference:url,doc.emergingthreats.net/2003158; classtype:attempted-user; sid:2003158; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft VsmIDE.DTE object call CSLID"; flow:from_server,established; file_data; content:"06723E09-F4C2-43c8-8358-09FCD1DB0766"; nocase; distance:0; reference:url,doc.emergingthreats.net/2003159; classtype:attempted-user; sid:2003159; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft DExplore.AppObj.8.0 object call CSLID"; flow:from_server,established; file_data; content:"639F725F-1B2D-4831-A9FD-874847682010"; nocase; distance:0; reference:url,doc.emergingthreats.net/2003160; classtype:attempted-user; sid:2003160; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft VisualStudio.DTE.8.0 object call CSLID"; flow:from_server,established; file_data; content:"CLSID"; nocase; distance:0; content:"BA018599-1DB3-44f9-83B4-461454C84BF8"; nocase; distance:0; reference:url,doc.emergingthreats.net/2003161; classtype:attempted-user; sid:2003161; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Microsoft.DbgClr.DTE.8.0 object call CSLID"; flow:from_server,established; file_data; content:"CLSID"; nocase; distance:0; content:"D0C07D56-7C69-43F1-B4A0-25F5A11FAB19"; nocase; distance:0; reference:url,doc.emergingthreats.net/2003162; classtype:attempted-user; sid:2003162; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft VsaIDE.DTE object call CSLID"; flow:from_server,established; file_data; content:"CLSID"; nocase; distance:0; content:"E8CCCDDF-CA28-496b-B050-6C07C962476B"; nocase; distance:0; reference:url,doc.emergingthreats.net/2003163; classtype:attempted-user; sid:2003163; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Business Object Factory object call CSLID"; flow:from_server,established; file_data; content:"CLSID"; nocase; distance:0; content:"AB9BCEDD-EC7E-47E1-9322-D4A210617116"; nocase; distance:0; reference:url,doc.emergingthreats.net/2003164; classtype:attempted-user; sid:2003164; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Outlook Data Object object call CSLID"; flow:from_server,established; file_data; content:"CLSID"; nocase; distance:0; content:"0006F033-0000-0000-C000-000000000046"; nocase; distance:0; reference:url,doc.emergingthreats.net/2003165; classtype:attempted-user; sid:2003165; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Outlook.Application object call CSLID"; flow:from_server,established; file_data; content:"CLSID"; nocase; distance:0; content:"0006F03A-0000-0000-C000-000000000046"; nocase; distance:0; reference:url,doc.emergingthreats.net/2003166; classtype:attempted-user; sid:2003166; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Microsoft Internet Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009"; flow:from_server,established; file_data; content:"CLSID"; nocase; distance:0; content:"00000535-0000-0010-8000-00AA006D2EA4"; nocase; distance:0; reference:url,www.milw0rm.com/exploits/3577; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-009.mspx; reference:url,doc.emergingthreats.net/2003514; classtype:attempted-user; sid:2003514; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution"; flow:from_server,established; file_data; content:"6E449683-C509-11CF-AAFA-00AA00B6015C"; nocase; distance:0; content:"BaseUrl"; nocase; distance:0; content:"SetCifFile"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E449683-C509-11CF-AAFA-00AA00B6015C/si"; reference:url, osvdb.org/10705; reference:cve,2004-0216; reference:url,doc.emergingthreats.net/2003231; classtype:attempted-user; sid:2003231; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (2)"; flow:from_server,established; file_data; content:" ASControls.InstallEngineCtl"; distance:0; content:"BaseUrl"; nocase; distance:0; content:"SetCifFile"; nocase; distance:0; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22ASControls\.InstallEngineCtl\x22|\x27ASControls\.InstallEngineCtl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22ASControls\.InstallEngineCtl\x22|\x27ASControls\.InstallEngineCtl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; reference:url, osvdb.org/10705; reference:cve,2004-0216; reference:url,doc.emergingthreats.net/2003232; classtype:attempted-user; sid:2003232; rev:60; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution"; flow:from_server,established; file_data; content:" Shell.Application"; distance:0; content:"GetLink"; nocase; distance:0; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22Shell\.Application\x22|\x27Shell\.Application\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22Shell\.Application\x22|\x27Shell\.Application\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; reference:url, osvdb.org/7913; reference:cve,2004-2291; reference:url,doc.emergingthreats.net/2003233; classtype:attempted-user; sid:2003233; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ACTIVEX Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (2)"; flow:from_server,established; file_data; content:"13709620-C279-11CE-A49E-444553540000"; nocase; distance:0; content:"GetLink"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*13709620-C279-11CE-A49E-444553540000/si"; reference:url, osvdb.org/7913; reference:cve,2004-2291; reference:url,doc.emergingthreats.net/2003234; classtype:attempted-user; sid:2003234; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Internet Explorer Plugin.ocx Heap Overflow"; flow: from_server,established; file_data; content:"06DD38D0-D187-11CF-A80D-00C04FD74AD8"; nocase; distance:0; content:".load("; nocase; distance:0; reference:url,www.hnc3k.com/ievulnerabil.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2001181; classtype:misc-attack; sid:2001181; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX IE ActiveX control Exec method Remote code execution Attempt"; flow:established,to_client; file_data; content:"clsid"; nocase; distance:0; content:"72C24DD5-D70A-438B-8A42-98424B88AFB8"; nocase; distance:0; content:"Exec"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*72C24DD5-D70A-438B-8A42-98424B88AFB8/si"; reference:url,www.packetstormsecurity.org/1001-exploits/wshomocx-activex.txt; reference:url,doc.emergingthreats.net/2010978; classtype:attempted-user; sid:2010978; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Internet Information Service iisext.dll activex setpassword Insecure Method"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"C3B32488-AFEC-11D1-9868-00A0C922E703"; distance:0; nocase; content:"SetPassword"; nocase; distance:0; reference:cve,2008-4301; reference:url,www.securityfocus.com/archive/1/archive/1/496694/100/0/threaded; reference:url,doc.emergingthreats.net/2008620; classtype:web-application-attack; sid:2008620; rev:40; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Internet Information Service adsiis.dll activex remote DOS"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"D6BFA35E-89F2-11D0-8527-00C04FD8D503"; distance:0; nocase; content:"GetObject"; nocase; distance:0; reference:cve,2008-4300; reference:url,securityreason.com/securityalert/4325; reference:url,doc.emergingthreats.net/2008621; classtype:web-application-attack; sid:2008621; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Image22 ActiveX DrawIcon Method Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"1DC09FDF-2EF8-4CE9-ADEA-4D6A98A2F779"; nocase; distance:0; content:"DrawIcon"; nocase; distance:0; reference:url,exploit-db.com/exploits/14321/; reference:url,doc.emergingthreats.net/2011250; classtype:web-application-attack; sid:2011250; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ImageShack Toolbar ImageShackToolbar.dll ActiveX Control Insecure Method Vulnerability"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"BDF9442E-9B03-42C2-87BA-2A459B0A5317"; nocase; distance:0; pcre:"/file\:.*\.(jpg|ini|exe|dll|bat|com|cab|txt)/i"; content:"BuildSlideShow"; reference:url,www.milw0rm.com/exploits/4981; reference:bugtraq,27439; reference:url,doc.emergingthreats.net/2007853; classtype:web-application-attack; sid:2007853; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ACTIVEX IncrediMail IMMenuShellExt ActiveX Control Buffer Overflow Vulnerability"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"F8984111-38B6-11D5-8725-0050DA2761C4"; nocase; distance:0; content:"ImShExt.dll"; nocase; distance:0; content:"DoWebMenuAction"; nocase; distance:0; content:"INCREDISHELLEXTLib.IMMenuShellExt"; nocase; distance:0; content:"String"; nocase; distance:0; pcre:"/[0-9]{3,}/"; reference:url,www.milw0rm.com/exploits/3877; reference:bugtraq,23674; reference:cve,CVE-2007-1683; reference:url,doc.emergingthreats.net/2007931; classtype:web-application-attack; sid:2007931; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX IncrediMail 2.0 Authenticate Method Remote Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"clsid"; nocase; distance:0; content:"032038A5-B655-11D3-BB7D-0050DA276194"; nocase; distance:0; content:"Authenticate"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*032038A5-B655-11D3-BB7D-0050DA276194/si"; reference:url,packetstormsecurity.org/1004-exploits/incredimail20-overflow.txt; reference:url,exploit-db.com/exploits/12030; reference:url,doc.emergingthreats.net/2011048; classtype:attempted-user; sid:2011048; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX IncrediMail 2.0 Authenticate Method Remote Buffer Overflow Function Call Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0;  content:"INCREDISPOOLERLib.Pop"; nocase; distance:0; content:"Authenticate"; nocase; distance:0; reference:url,packetstormsecurity.org/1004-exploits/incredimail20-overflow.txt; reference:url,exploit-db.com/exploits/12030; reference:url,doc.emergingthreats.net/2011049; classtype:attempted-user; sid:2011049; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Installshiled 2009 premier ActiveX File Overwrite Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"ISWiAuto15.ISWiSequence"; nocase; distance:0; content:"SaveToFile"; nocase; distance:0; reference:url,packetstormsecurity.com/0909-exploits/installshield-overwrite.txt; reference:url,doc.emergingthreats.net/2010257; classtype:attempted-user; sid:2010257; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Installshiled 2009 premier ActiveX File Overwrite clsid Access"; flow:established,to_client; file_data; content:"34E7A6F9-F260-46BD-AAC8-1E70E22139D2"; nocase; distance:0; content:"SaveToFile"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*34E7A6F9-F260-46BD-AAC8-1E70E22139D2/si"; reference:url,packetstormsecurity.com/0909-exploits/installshield-overwrite.txt; reference:url,doc.emergingthreats.net/2010258; classtype:web-application-attack; sid:2010258; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX InstanGet v2.08 Activex Control DOS clsid access attempt"; flow:established,to_client; file_data; content:"clsid"; nocase; distance:0; content:"98C92840-EB1C-40BD-B6A5-395EC9CD6510D"; nocase; distance:0; content:"ShowBar"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*98C92840-EB1C-40BD-B6A5-395EC9CD6510/si"; reference:url,www.packetstormsecurity.org/0909-exploits/instantget-dos.txt; reference:url,doc.emergingthreats.net/2010279; classtype:web-application-attack; sid:2010279; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX JamDTA ActiveX Control SaveToFile Arbitrary File Overwrite"; flow:to_client,established; file_data; content:"clsid"; nocase; content:"0B8F9DC9-A99C-40AD-BE40-88DDE92BAC41"; nocase; distance:0; content:"SaveToFile"; nocase; distance:0; reference:bugtraq,33345; reference:url,doc.emergingthreats.net/2009115; classtype:web-application-attack; sid:2009115; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Sun Java Runtime Environment ActiveX Control Multiple Remote Buffer Overflow"; flow:to_client,established; file_data; content:"clsid"; nocase; content:"CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"; nocase; distance:0; pcre:"/(setInstallerType|setAdditionalPackages|installLatestJRE|compareVersion|installJRE|getStaticCLSID|launch)/i"; reference:url,xforce.iss.net/xforce/xfdb/50508; reference:bugtraq,34931; reference:url,milw0rm.com/exploits/8665; reference:url,doc.emergingthreats.net/2009434; classtype:web-application-attack; sid:2009434; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX JuniperSetup Control Buffer Overflow"; flow:established,from_server; file_data; content:"E5F5D008-DD2C-4D32-977D-1A0ADF03058B"; nocase; distance:0; pcre:"/param[^>]*name\s*=\s*["']?productname["']?[^>]*\s+value\s*=\s*(['"])((?!\1).|\\['"]){200}/Ri"; reference:url,www.eeye.com/html/research/advisories/AD20060424.html; reference:url,doc.emergingthreats.net/2002889; classtype:attempted-user; sid:2002889; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible EMC Captiva QuickScan Pro KeyWorks KeyHelp Module keyhelp.ocx ActiveX Control Remote Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"clsid"; nocase; content:"B7ECFD41-BE62-11D2-B9A8-00104B138C8C"; nocase; distance:0; content:"KEYHELP"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B7ECFD41-BE62-11D2-B9A8-00104B138C8C/si"; reference:url,www.securityfocus.com/bid/36546/info; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19135; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/36546.html; reference:url,doc.emergingthreats.net/2010012; classtype:attempted-user; sid:2010012; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX LEADTOOLS Multimedia Toolkit 15 Arbitrary Files Overwrite"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"00150B1A-B1BA-11CE-ABC6-F5B2E79D9E3F"; nocase; distance:0; pcre:"/.*\.(ini|exe|dll|bat|com|cab|txt)/iR"; content:"SaveSettingsToFile"; distance:0; nocase; reference:url,www.shinnai.altervista.org/xplits/TXT_lyyELAFI8pOPu2p7N6cq.html; reference:bugtraq,28442; reference:cve,CVE-2008-1605; reference:url,doc.emergingthreats.net/2008129; classtype:web-application-attack; sid:2008129; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Liquid XML Studio 2010 OpenFile Method Remote Heap Overflow Attempt"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"E68E401C-7DB0-4F3A-88E1-159882468A79"; nocase; distance:0; content:"OpenFile"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E68E401C-7DB0-4F3A-88E1-159882468A79/si"; reference:url,exploit-db.com/exploits/11750; reference:url,doc.emergingthreats.net/2011050; classtype:attempted-user; sid:2011050; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Logitech VideoCall ActiveX Start method buffer overflow Attempt"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"BF4C7B03-F381-4544-9A33-CB6DAD2A87CD"; nocase; distance:0; content:"Start"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BF4C7B03-F381-4544-9A33-CB6DAD2A87CD/si"; reference:url,osvdb.org/36820; reference:url,www.packetstormsecurity.nl/0911-exploits/logitechvideocall_start.rb.txt; reference:url,www.kb.cert.org/vuls/id/330289; reference:url,doc.emergingthreats.net/2010851; classtype:web-application-attack; sid:2010851; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX MciWndx ActiveX Control"; flow:from_server,established; file_data; content:"288F1523-FAC4-11CE-B16F-00AA0060D93D"; nocase; reference:url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx; reference:url,doc.emergingthreats.net/2002724; classtype:web-application-attack; sid:2002724; rev:14; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object Instantiation Memory Corruption Vulnerability MS05-054"; flow:established,from_server; pcre:"/000(2(042[1-5]|1401|000D)|6F071)-0000-0000-C000-000000000046|6E2271(FB|0[9A-F])-F799-11CF-9227-00AA00A1EB95|ECAB(AFC0|B0AB)-7F19-11D2-978E-0000F8757E2A|3050F4F5-98B5-11CF-BB82-00AA00BDCE0B|DF0B3D60-548F-101B-8E65-08002B2BD119|2D2E24CB-0CD5-458F-86EA-3E6FA22C8E64|51B4ABF3-748F-4E3B-A276-C828330E926A|E4979309-7A32-495E-8A92-7B014AAD4961|62EC9F22-5E30-11D2-97A1-00C04FB6DD9A|B1D4ED44-EE64-11D0-97E6-00C04FC30B4A|D675E22B-CAE9-11D2-AF7B-00C04F99179F/i"; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx; reference:url,doc.emergingthreats.net/2002725; classtype:web-application-attack; sid:2002725; rev:14; metadata:created_at 2010_07_30, updated_at 2016_04_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Danim.dll and Dxtmsft.dll COM Objects"; flow:established,from_server; pcre:"/42B07B28-2280-4937-B035-0293FB812781|542FB453-5003-11CF-92A2-00AA00B8A733/i"; reference:cve,2006-1186; reference:url,www.microsoft.com/technet/security/bulletin/ms06-013.mspx; reference:url,doc.emergingthreats.net/2002861; classtype:web-application-attack; sid:2002861; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 1 Access Attempt"; flow:established,to_client; file_data; content:"B4DC8DD9-2CC1-4081-9B2B-20D7030234EF"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B4DC8DD9-2CC1-4081-9B2B-20D7030234EF/si"; reference:cve,2006-1303; reference:bugtraq,18328; reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; reference:url,doc.emergingthreats.net/2002971; classtype:attempted-user; sid:2002971; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 2 Access Attempt"; flow:established,to_client; file_data; content:"C63344D8-70D3-4032-9B32-7A3CAD5091A5"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C63344D8-70D3-4032-9B32-7A3CAD5091A5/si"; reference:cve,2006-1303; reference:bugtraq,18328; reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; reference:url,doc.emergingthreats.net/2010263; classtype:attempted-user; sid:2010263; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 3 Access Attempt"; flow:established,to_client; file_data; content:"353359C1-39E1-491b-9951-464FD8AB071C"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*353359C1-39E1-491b-9951-464FD8AB071C/si"; reference:cve,2006-1303; reference:bugtraq,18328; reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; reference:url,doc.emergingthreats.net/2010264; classtype:attempted-user; sid:2010264; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 1 Access Attempt"; flow:established,to_client; file_data; content:"5DFB2651-9668-11D0-B17B-00C04FC2A0CA"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5DFB2651-9668-11D0-B17B-00C04FC2A0CA/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010292; classtype:attempted-user; sid:2010292; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 2 Access Attempt"; flow:established,to_client; file_data; content:"39A2C2A6-4778-11D2-9BDB-204C4F4F5020"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*39A2C2A6-4778-11D2-9BDB-204C4F4F5020/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010293; classtype:attempted-user; sid:2010293; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 3 Access Attempt"; flow:established,to_client; file_data; content:"3DA2AA3E-3D96-11D2-9BD2-204C4F4F5020"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3DA2AA3E-3D96-11D2-9BD2-204C4F4F5020/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010294; classtype:attempted-user; sid:2010294; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 4 Access Attempt"; flow:established,to_client; file_data; content:"E8C31D11-6FD2-4659-AD75-155FA143F42B"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E8C31D11-6FD2-4659-AD75-155FA143F42B/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010295; classtype:attempted-user; sid:2010295; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 5 Access Attempt"; flow:established,to_client; file_data; content:"44C79591-D0DE-49C4-BA3C-A45AB7003356"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*44C79591-D0DE-49C4-BA3C-A45AB7003356/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010296; classtype:attempted-user; sid:2010296; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 6 Access Attempt"; flow:established,to_client; file_data; content:"1B544C24-FD0B-11CE-8C63-00AA0044B520"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1B544C24-FD0B-11CE-8C63-00AA0044B520/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010297; classtype:attempted-user; sid:2010297; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 7 Access Attempt"; flow:established,to_client; file_data; content:"1CB1623E-BBEC-4E8D-B2DF-DC08C6F4627C"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1CB1623E-BBEC-4E8D-B2DF-DC08C6F4627C/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010298; classtype:attempted-user; sid:2010298; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 8 Access Attempt"; flow:established,to_client; file_data; content:"2D20D4BB-B47E-4FB7-83BD-E3C2EE250D26"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2D20D4BB-B47E-4FB7-83BD-E3C2EE250D26/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010299; classtype:attempted-user; sid:2010299; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 9 Access Attempt"; flow:established,to_client; file_data; content:"31087270-D348-432C-899E-2D2F38FF29A0"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*31087270-D348-432C-899E-2D2F38FF29A0/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010300; classtype:attempted-user; sid:2010300; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 10 Access Attempt"; flow:established,to_client; file_data; content:"41D2B841-7692-4C83-AFD3-F60E845341AF"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*41D2B841-7692-4C83-AFD3-F60E845341AF/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010301; classtype:attempted-user; sid:2010301; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 11 Access Attempt"; flow:established,to_client; file_data; content:"2EA10031-0033-450E-8072-E27D9E768142"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2EA10031-0033-450E-8072-E27D9E768142/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010302; classtype:attempted-user; sid:2010302; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 12 Access Attempt"; flow:established,to_client; file_data; content:"4D4C9FEF-ED80-47EA-A3FA-3215FDBB33AB"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4D4C9FEF-ED80-47EA-A3FA-3215FDBB33AB/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010303; classtype:attempted-user; sid:2010303; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 13 Access Attempt"; flow:established,to_client; file_data; content:"C0D076C5-E4C6-4561-8BF4-80DA8DB819D7"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0D076C5-E4C6-4561-8BF4-80DA8DB819D7/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010304; classtype:attempted-user; sid:2010304; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 14 Access Attempt"; flow:established,to_client; file_data; content:"4F3E50BD-A9D7-4721-B0E1-00CB42A0A747"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4F3E50BD-A9D7-4721-B0E1-00CB42A0A747/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010305; classtype:attempted-user; sid:2010305; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 15 Access Attempt"; flow:established,to_client; file_data; content:"586FB486-5560-4FF3-96DF-1118C96AF456"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*586FB486-5560-4FF3-96DF-1118C96AF456/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010306; classtype:attempted-user; sid:2010306; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 16 Access Attempt"; flow:established,to_client; file_data; content:"5B4B05EB-1F63-446B-AAD1-E10A34D650E0"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5B4B05EB-1F63-446B-AAD1-E10A34D650E0/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010307; classtype:attempted-user; sid:2010307; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 17 Access Attempt"; flow:established,to_client; file_data; content:"679E132F-561B-42F8-846C-A70DBDC62999"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*679E132F-561B-42F8-846C-A70DBDC62999/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010308; classtype:attempted-user; sid:2010308; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 18 Access Attempt"; flow:established,to_client; file_data; content:"6C68955E-F965-4249-8E18-F0977B1D2899"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6C68955E-F965-4249-8E18-F0977B1D2899/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010309; classtype:attempted-user; sid:2010309; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 19 Access Attempt"; flow:established,to_client; file_data; content:"7F1232EE-44D7-4494-AB8B-CC61B10E21A5"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7F1232EE-44D7-4494-AB8B-CC61B10E21A5/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010310; classtype:attempted-user; sid:2010310; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 20 Access Attempt"; flow:established,to_client; file_data; content:"92883667-E95C-443D-AC96-4CACA27BEB6E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*92883667-E95C-443D-AC96-4CACA27BEB6E/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010311; classtype:attempted-user; sid:2010311; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 21 Access Attempt"; flow:established,to_client; file_data; content:"930FD02C-BBE7-4EB9-91CF-FC45CC91E3E6"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*930FD02C-BBE7-4EB9-91CF-FC45CC91E3E6/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010312; classtype:attempted-user; sid:2010312; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 22 Access Attempt"; flow:established,to_client; file_data; content:"A2EDA89A-0966-4B91-9C18-AB69F098187F"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2EDA89A-0966-4B91-9C18-AB69F098187F/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010313; classtype:attempted-user; sid:2010313; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 23 Access Attempt"; flow:established,to_client; file_data; content:"C44C65C7-FDF1-453D-89A5-BCC28F5D69F9"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C44C65C7-FDF1-453D-89A5-BCC28F5D69F9/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010314; classtype:attempted-user; sid:2010314; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 24 Access Attempt"; flow:established,to_client; file_data; content:"C6CB1FE3-B05E-4F0E-818F-C83ED5A0332F"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C6CB1FE3-B05E-4F0E-818F-C83ED5A0332F/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010315; classtype:attempted-user; sid:2010315; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 25 Access Attempt"; flow:established,to_client; file_data; content:"AECF5D2E-7A18-4DD2-BDCD-29B6F615B448"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AECF5D2E-7A18-4DD2-BDCD-29B6F615B448/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010316; classtype:attempted-user; sid:2010316; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 26 Access Attempt"; flow:established,to_client; file_data; content:"BC0D69A8-0923-4EEE-9375-9239F5A38B92"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BC0D69A8-0923-4EEE-9375-9239F5A38B92/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010317; classtype:attempted-user; sid:2010317; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 27 Access Attempt"; flow:established,to_client; file_data; content:"C8F209F8-480E-454C-94A4-5392D88EBA0F"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C8F209F8-480E-454C-94A4-5392D88EBA0F/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010318; classtype:attempted-user; sid:2010318; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 28 Access Attempt"; flow:established,to_client; file_data; content:"CC45B0B0-72D8-4652-AE5F-5E3E266BE7ED"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CC45B0B0-72D8-4652-AE5F-5E3E266BE7ED/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010319; classtype:attempted-user; sid:2010319; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 29 Access Attempt"; flow:established,to_client; file_data; content:"CFFB1FC7-270D-4986-B299-FECF3F0E42DB"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CFFB1FC7-270D-4986-B299-FECF3F0E42DB/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010320; classtype:attempted-user; sid:2010320; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 30 Access Attempt"; flow:established,to_client; file_data; content:"E188F7A3-A04E-413E-99D1-D79A45F70305"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E188F7A3-A04E-413E-99D1-D79A45F70305/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010321; classtype:attempted-user; sid:2010321; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 31 Access Attempt"; flow:established,to_client; file_data; content:"E476CBFF-E229-4524-B6B7-228A3129D1C7"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E476CBFF-E229-4524-B6B7-228A3129D1C7/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010322; classtype:attempted-user; sid:2010322; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 32 Access Attempt"; flow:established,to_client; file_data; content:"EF105BC3-C064-45F1-AD53-6D8A8578D01B"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EF105BC3-C064-45F1-AD53-6D8A8578D01B/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010323; classtype:attempted-user; sid:2010323; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 33 Access Attempt"; flow:established,to_client; file_data; content:"EFEE43D6-BFE5-44B0-8063-AC3B2966AB2C"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EFEE43D6-BFE5-44B0-8063-AC3B2966AB2C/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010324; classtype:attempted-user; sid:2010324; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 34 Access Attempt"; flow:established,to_client; file_data; content:"F44BB2D0-F070-463E-9433-B0CCF3CFD627"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F44BB2D0-F070-463E-9433-B0CCF3CFD627/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010325; classtype:attempted-user; sid:2010325; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 35 Access Attempt"; flow:established,to_client; file_data; content:"5A20FD6F-F8FE-4a22-9EE7-307D72D09E6E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5A20FD6F-F8FE-4a22-9EE7-307D72D09E6E/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010326; classtype:attempted-user; sid:2010326; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 36 Access Attempt"; flow:established,to_client; file_data; content:"ADEADEB8-E54B-11d1-9A72-0000F875EADE"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*ADEADEB8-E54B-11d1-9A72-0000F875EADE/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010327; classtype:attempted-user; sid:2010327; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 37 Access Attempt"; flow:established,to_client; file_data; content:"EC85D8F1-1C4E-46e4-A748-7AA04E7C0496"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EC85D8F1-1C4E-46e4-A748-7AA04E7C0496/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010328; classtype:attempted-user; sid:2010328; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 38 Access Attempt"; flow:established,to_client; file_data; content:"A2D4529E-84E0-4550-A2E0-C25D7C5CC0D0"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2D4529E-84E0-4550-A2E0-C25D7C5CC0D0/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010329; classtype:attempted-user; sid:2010329; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 39 Access Attempt"; flow:established,to_client; file_data; content:"E673DCF2-C316-4c6f-AA96-4E4DC6DC291E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E673DCF2-C316-4c6f-AA96-4E4DC6DC291E/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010330; classtype:attempted-user; sid:2010330; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 40 Access Attempt"; flow:established,to_client; file_data; content:"D74CA70F-2236-4BA8-A297-4B2A28C2363C"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D74CA70F-2236-4BA8-A297-4B2A28C2363C/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010331; classtype:attempted-user; sid:2010331; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 41 Access Attempt"; flow:established,to_client; file_data; content:"01002B17-5D93-4551-81E4-831FEF780A53"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*01002B17-5D93-4551-81E4-831FEF780A53/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010332; classtype:attempted-user; sid:2010332; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Communications Control Clsid Access"; flow:from_server,established; file_data; content:"648A5600-2C6E-101B-82B6-000000000014"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*648A5600-2C6E-101B-82B6-000000000014/si"; reference:url,www.microsoft.com/technet/security/advisory/969898.mspx; reference:url,doc.emergingthreats.net/2009400; classtype:attempted-user; sid:2009400; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft DebugDiag CrashHangExt.dll ActiveX Control Remote Denial of Service"; flow:to_client,established; file_data; content:"7233D6F8-AD31-440F-BAF0-9E7A292A53DA"; nocase; distance:0; content:"GetEntryPointForThread"; nocase; distance:0; reference:bugtraq,31996; reference:url,doc.emergingthreats.net/2008792; classtype:web-application-attack; sid:2008792; rev:51; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Visual Basic Common AVI ActiveX Control File Parsing Buffer Overflow"; flow:to_client,established; file_data; content:"B09DE715-87C1-11D1-8BE3-0000F8754DA1"; nocase; distance:0; content:"Open"; nocase; distance:0; content:".avi"; nocase; distance:0; reference:url,www.milw0rm.com/exploits/7431; reference:bugtraq,32613; reference:url,doc.emergingthreats.net/2008993; classtype:web-application-attack; sid:2008993; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft PicturePusher ActiveX Cross Site File Upload Attack"; flow:from_server,established; file_data; content:"507813C3-0B26-47AD-A8C0-D483C7A21FA7"; nocase; pcre:"/http\://.*?[\w]{4,}=1/i"; pcre:"/(PostURL|AddSeperator|AddString|Post)/i"; reference:url,milw0rm.com/exploits/6699; reference:url,doc.emergingthreats.net/2008673; classtype:web-application-attack; sid:2008673; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Whale Intelligent App Gateway ActiveX Buffer Overflow Function call-1"; flow:from_server,established; file_data; content:"ActiveXObject"; nocase; content:"ComponentManager.Installer.1"; distance:0; nocase; content:"CheckForUpdates"; nocase; distance:0; reference:url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb; reference:url,www.kb.cert.org/vuls/id/789121; reference:url,doc.emergingthreats.net/210560; classtype:web-application-attack; sid:2010560; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Whale Intelligent App Gateway ActiveX Buffer Overflow Function call-2"; flow:from_server,established; file_data; content:"ActiveXObject"; nocase; content:"ComponentManager.Installer.1"; distance:0; nocase; content:"UpdateComponents"; nocase; distance:0; reference:url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb; reference:url,www.kb.cert.org/vuls/id/789121; reference:url,doc.emergingthreats.net/2010561; classtype:web-application-attack; sid:2010561; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Whale Intelligent Application Gateway ActiveX Buffer Overflow-1"; flow:established,to_client; file_data; content:"8D9563A9-8D5F-459B-87F2-BA842255CB9A"; nocase; content:"CheckForUpdates"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8D9563A9-8D5F-459B-87F2-BA842255CB9A/si"; reference:url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb; reference:url,www.kb.cert.org/vuls/id/789121; reference:url,doc.emergingthreats.net/2010562; classtype:web-application-attack; sid:2010562; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Whale Intelligent Application Gateway ActiveX Buffer Overflow-2"; flow:established,to_client; file_data; content:"8D9563A9-8D5F-459B-87F2-BA842255CB9A"; nocase; content:"UpdateComponents"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8D9563A9-8D5F-459B-87F2-BA842255CB9A/si"; reference:url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb; reference:url,www.kb.cert.org/vuls/id/789121; reference:url,doc.emergingthreats.net/2010563; classtype:web-application-attack; sid:2010563; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Windows Media Services nskey.dll ActiveX Control Possible Remote Buffer Overflow"; flow:to_client,established; file_data; content:"2646205B-878C-11D1-B07C-0000C040BCDB"; nocase; distance:0; content:"CallHTMLHelp"; nocase; distance:0; reference:bugtraq,30814; reference:cve,2008-5232; reference:url,doc.emergingthreats.net/2008925; classtype:web-application-attack; sid:2008925; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Works 7 WkImgSrv.dll ActiveX Remote BOF Exploit"; flow:to_client,established; file_data; content:"0x40000"; distance:0; content:"WksPictureInterface"; nocase; distance:0; content:"00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6"; nocase; distance:0; reference:bugtraq,28820; reference:url,www.milw0rm.com/exploits/5460; reference:url,www.milw0rm.com/exploits/5530; reference:url,doc.emergingthreats.net/2008226; classtype:web-application-attack; sid:2008226; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft XML Core Services DTD Cross Domain Information Disclosure clsid"; flow:to_client,established; file_data; content:"f5078f32-c551-11d3-89b9-0000f81fe221"; nocase; distance:0; content:"loadXML"; nocase; distance:0; content:"parseError.srcText"; nocase; distance:0; reference:bugtraq,32155; reference:url,milw0rm.com/exploits/7196; reference:url,doc.emergingthreats.net/2008887; classtype:web-application-attack; sid:2008887; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX MW6 Technologies Barcode ActiveX Barcode.dll Multiple Arbitrary File Overwrite"; flow:to_client,established; file_data; content:"14D09688-CFA7-11D5-995A-005004CE563B"; nocase; distance:0; pcre:"/(SaveAsBMP|SaveAsWMF)/i"; reference:bugtraq,31979; reference:url,milw0rm.com/exploits/6871; reference:url,doc.emergingthreats.net/2008809; classtype:web-application-attack; sid:2008809; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX MW6 PDF417 MW6PDF417.dll ActiveX Control Multiple Arbitrary File Overwrite"; flow:to_client,established; file_data; content:"90D2A875-5024-4CCD-80AA-C8A353DB2B45"; nocase; distance:0; pcre:"/(SaveAsBMP|SaveAsWMF)/i"; reference:bugtraq,31983; reference:url,milw0rm.com/exploits/6873; reference:url,doc.emergingthreats.net/2008810; classtype:web-application-attack; sid:2008810; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX MW6 DataMatrix DataMatrix.dll ActiveX Control Multiple Arbitrary File Overwrite"; flow:to_client,established; file_data; content:"DE7DA0B5-7D7B-4CEA-8739-65CF600D511E"; nocase; distance:0; pcre:"/(SaveAsBMP|SaveAsWMF)/i"; reference:bugtraq,31980; reference:url,milw0rm.com/exploits/6872; reference:url,doc.emergingthreats.net/2008811; classtype:web-application-attack; sid:2008811; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX MW6 Aztec ActiveX Aztec.dll ActiveX Control Multiple Arbitrary File Overwrite"; flow:to_client,established; file_data; content:"F359732D-D020-40ED-83FF-F381EFE36B54"; nocase; pcre:"/(SaveAsBMP|SaveAsWMF)/i"; reference:bugtraq,31974; reference:url,milw0rm.com/exploits/6870; reference:url,doc.emergingthreats.net/2008812; classtype:web-application-attack; sid:2008812; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Macrovision FLEXnet Connect ActiveX Control Arbitrary File Download"; flow:to_client, established; file_data; content:"DownloadAndExecute"; nocase; distance:0; content:"1DF951B1-8D40-4894-A04C-66AD824A0EEF"; nocase; distance:0; reference:bugtraq,27279; reference:url,www.milw0rm.com/exploits/4913; reference:url,doc.emergingthreats.net/2010358; classtype:successful-user; sid:2010358; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee Remediation Client Enginecom.Dll ActiveX Code Execution Function Call Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"Enginecom.imagineLANEngine.1"; nocase; distance:0; content:"DeleteSnapshot"; nocase; distance:0; reference:url,fgc.fortinet.com/encyclopedia/vulnerability/mcafee.remediation.client.enginecom.dll.activex.access.html; reference:url,doc.emergingthreats.net/2010692; classtype:attempted-user; sid:2010692; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX McAfee ePolicy Orchestrator naPolicyManager.dll Arbitrary Data Write Attempt"; flow:from_server,established; file_data; content:"04D18721-749F-4140-AEB0-CAC099CA4741"; nocase; distance:0; content:"WriteTaskDataToIniFile"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*04D18721-749F-4140-AEB0-CAC099CA4741/si"; reference:url,www.securitytracker.com/alerts/2009/Jun/1022413.html; reference:url,www.packetstormsecurity.com/0906-exploits/mcafee-activex.txt; reference:url,doc.emergingthreats.net/2009411; classtype:attempted-user; sid:2009411; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX MetaProducts MetaTreeX ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; file_data; content:"67E66985-F81A-11D6-BC0F-F7B40157DC26"; nocase; distance:0; pcre:"/(SaveToBMP|SaveToFile)/i"; reference:bugtraq,33318; reference:url,milw0rm.com/exploits/7804; reference:url,doc.emergingthreats.net/2009104; classtype:web-application-attack; sid:2009104; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microgaming FlashXControl Control Clsid Access"; flow:from_server,established; file_data; content:"D8089245-3211-40F6-819B-9E5E92CD61A2"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D8089245-3211-40F6-819B-9E5E92CD61A2/si"; reference:url,www.microsoft.com/technet/security/advisory/969898.mspx; reference:url,www.microgaming.co.uk/news_flashxcontrol.php; reference:url,doc.emergingthreats.net/2009401; classtype:attempted-user; sid:2009401; rev:27; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Morovia Barcode ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; file_data; content:"18B409DA-241A-4BD8-AC69-B5D547D5B141"; nocase; pcre:"/(Save|ExportImage)/i"; reference:url,milw0rm.com/exploits/8208; reference:bugtraq,23934; reference:url,doc.emergingthreats.net/2009334; classtype:web-application-attack; sid:2009334; rev:31; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX NCTAudioFile2 ActiveX SetFormatLikeSample() Buffer Overflow"; flow:established,from_server; file_data; content:"77829F14-D911-40FF-A2F0-D11DB8D6D0BC"; distance:0; content:"SetFormatLikeSample("; isdataat:500,relative; content:!")"; within:500; reference:cve,2007-0018; reference:url,secunia.com/advisories/23475/; reference:url,doc.emergingthreats.net/2003328; classtype:web-application-attack; sid:2003328; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX NCTAVIFile V 1.6.2 Activex File Creation clsid access attempt"; flow:established,to_client; file_data; content:"6B1E11AC-BF5C-4CF5-9DC9-F81F715EB790"; nocase; distance:0; content:"OpenFile"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6B1E11AC-BF5C-4CF5-9DC9-F81F715EB790/si"; reference:url,www.packetstatic.com/0909-exploits/nctavi-exec.txt; reference:url,doc.emergingthreats.net/2010356; classtype:web-application-attack; sid:2010356; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX NCTAVIFile V 1.6.2 ActiveX File Creation Function call attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"NCTAVIFileLib.AVIFileM"; nocase; distance:0; content:"OpenFile"; nocase; distance:0; reference:url,www.packetstatic.com/0909-exploits/nctavi-exec.txt; reference:url,doc.emergingthreats.net/2010357; classtype:web-application-attack; sid:2010357; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX NCTsoft NCTAudioFile2 ActiveX Control NCTWMAFILE2.DLL Arbitrary File Overwrite"; flow:to_client,established; file_data; content:"6ED74AE3-8066-4385-AABA-243E033F75A3"; nocase; distance:0; content:"CreateFile"; nocase; distance:0; reference:url,www.milw0rm.com/exploits/7871; reference:bugtraq,24613; reference:url,doc.emergingthreats.net/2009121; classtype:web-application-attack; sid:2009121; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Nokia Phoenix Service Software ActiveX Control Buffer Overflow"; flow:to_client,established; file_data; content:"F85B4A10-B530-4D68-A714-7415838FD174"; nocase; distance:0; content:"SelectDevice"; nocase; distance:0; reference:bugtraq,33726; reference:url,doc.emergingthreats.net/2009178; classtype:web-application-attack; sid:2009178; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Novell GroupWise Client 'gxmim1.dll' ActiveX Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"9796BED2-C1CF-11D2-9384-0008C7396667"; nocase; distance:0; content:"SetFontFace"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9796BED2-C1CF-11D2-9384-0008C7396667/si"; reference:url,www.securityfocus.com/bid/36398; reference:url,doc.emergingthreats.net/2009923; classtype:attempted-user; sid:2009923; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Novell iPrint Client ExecuteRequest ActiveX Control Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"36723F97-7AA0-11D4-8919-FF2D71D0D32C"; nocase; distance:0; content:"ExecuteRequest"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*36723F97-7AA0-11D4-8919-FF2D71D0D32C/si"; reference:cve,2008-0935; reference:url,doc.emergingthreats.net/2010693; classtype:attempted-user; sid:2010693; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Novell iPrint Client GetDriverSettings ActiveX Control Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"336723F97-7AA0-11D4-8919-FF2D71D0D32C"; nocase; distance:0; content:"GetDriverSettings"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*36723F97-7AA0-11D4-8919-FF2D71D0D32C/si"; reference:cve,2008-2908; reference:url,doc.emergingthreats.net/2010694; classtype:attempted-user; sid:2010694; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Orbit Downloader ActiveX Control Arbitrary File Delete"; flow:to_client,established; file_data; content:"3F1D494B-0CEF-4468-96C9-386E2E4DEC90"; nocase; distance:0; content:"download"; nocase; distance:0; reference:bugtraq,34200; reference:url,milw0rm.com/exploits/8257; reference:url,doc.emergingthreats.net/2009314; classtype:web-application-attack; sid:2009314; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Orca Browser 1.1 Activex Command Execution clsid access attempt"; flow:established,to_client; file_data; content:"7606693A-C18D-4567-AF85-6194FF70761E"; nocase; distance:0; content:"ExecCommand"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7606693A-C18D-4567-AF85-6194FF70761E/si"; reference:url,www.packetstormsecurity.org/0909-exploits/orca-exec.txt; reference:url,doc.emergingthreats.net/2010363; classtype:web-application-attack; sid:2010363; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Orca Browser 1.1 ActiveX Command Execution Function call attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"MOZXLib.EmbeddedMoz"; nocase; distance:0; content:"ExecCommand"; nocase; distance:0; reference:url,www.packetstormsecurity.org/0909-exploits/orca-exec.txt; reference:url,doc.emergingthreats.net/2010364; classtype:web-application-attack; sid:2010364; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX PDFZilla 1.0.8 ActiveX DebugMsgLog method DOS CLSid Access"; flow:established,to_client; file_data; content:"59DBDDA6-9A80-42A4-B824-9BC50CC172F5"; nocase; distance:0; content:"DebugMsgLog"; nocase; distance:0; reference:url,packetstormsecurity.org/0908-exploits/pdfzilla-overflow.txt; reference:url,doc.emergingthreats.net/9130; classtype:web-application-attack; sid:2010029; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ACTIVEX PPMate PPMedia Class ActiveX Control Buffer Overflow"; flow:to_client,established; file_data; content:"72B15B25-2EC8-4CDD-B284-C89A5F8E8D5F"; nocase; content:"StartURL"; nocase; distance:0; reference:cve,2008-3242; reference:url,secunia.com/advisories/30952; reference:url,milw0rm.com/exploits/6090; reference:url,doc.emergingthreats.net/2009143; classtype:web-application-attack; sid:2009143; rev:39; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX PPStream PowerPlayer.DLL ActiveX Control BoF Vulnerability"; flow:to_client,established; file_data; content:"5EC7C511-CD0F-42E6-830C-1BD9882F3458"; nocase; distance:0; content:"0x40000"; distance:0; content:"Logo"; nocase; distance:0; reference:bugtraq,25502; reference:url,doc.emergingthreats.net/2008173; classtype:web-application-attack; sid:2008173; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible PPStream MList.ocx Buffer Overflow Attempt"; flow:from_server,established; file_data; content:"D22DE742-04CD-4B5C-A8A3-82AB3DAEC43D"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D22DE742-04CD-4B5C-A8A3-82AB3DAEC43D/si"; reference:url,www.securityfocus.com/bid/36234/info; reference:url,doc.emergingthreats.net/2009858; classtype:attempted-user; sid:2009858; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Phoenician Casino FlashAX ActiveX Control Remote Buffer Overflow"; flow:to_client,established; file_data; content:"D8089245-3211-40F6-819B-9E5E92CD61A2"; nocase; distance:0; content:"SetID"; nocase; distance:0; reference:bugtraq,32901; reference:url,www.milw0rm.com/exploits/7505; reference:url,doc.emergingthreats.net/2009002; classtype:web-application-attack; sid:2009002; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Dart Communications PowerTCP FTP for ActiveX DartFtp.dll Control Buffer Overflow"; flow:to_client,established; file_data; content:"39FDA070-61BA-11D2-AD84-00105A17B608"; nocase; distance:0; content:"%5F%DC%02%10%cc"; nocase; distance:0; content:"SecretKey"; nocase; distance:0; reference:bugtraq,31814; reference:url,www.milw0rm.com/exploits/6793; reference:url,doc.emergingthreats.net/2008683; classtype:web-application-attack; sid:2008683; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX PrecisionID Datamatrix ActiveX control Arbitrary File Overwrite"; flow:to_client,established; file_data; content:"6C951D10-B07F-11DB-A6ED-0050C2490048"; nocase; distance:0; pcre:"/(SaveBarCode|SaveEnhWMF)/i"; reference:url,milw0rm.com/exploits/8332; reference:url,securityfocus.com/archive/1/502319; reference:url,doc.emergingthreats.net/2009315; classtype:web-application-attack; sid:2009315; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ProgramChecker 1.5 Activex Command Execution clsid access attempt"; flow:established,to_client; file_data; content:"DD50A655-10FB-11D2-A22B-00104B27F81B"; nocase; distance:0; content:"Run"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*DD50A655-10FB-11D2-A22B-00104B27F81B/si"; reference:url,www.packetstormsecurity.org/0909-exploits/programchecker-exec.txt; reference:url,doc.emergingthreats.net/2010365; classtype:web-application-attack; sid:2010365; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ProgramChecker 1.5 ActiveX Command Execution Function call attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"TRATLLib.Options"; nocase; distance:0; content:"Run"; nocase; distance:0; reference:url,www.packetstormsecurity.org/0909-exploits/programchecker-exec.txt; reference:url,doc.emergingthreats.net/2010366; classtype:web-application-attack; sid:2010366; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Remote Desktop Connection ActiveX Control Heap Overflow clsid access"; flow:established,to_client; file_data; content:"7390f3d8-0439-4c05-91e3-cf5cb290c3d0"; nocase; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(.+<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7390f3d8-0439-4c05-91e3-cf5cb290c3d0\s*}?\s*(\?P=q1)(\s|>)/si"; reference:cve,2009-1929; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-044.mspx; reference:url,doc.emergingthreats.net/2009907; classtype:attempted-user; sid:2009907; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX RKD Software ActiveX Control SaveasMolFile Method Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"C26D9CA8-6747-11D5-AD4B-C01857C10000"; nocase; distance:0; content:"SaveasMolFile"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C26D9CA8-6747-11D5-AD4B-C01857C10000/si"; reference:url,packetstorm.foofus.com/1002-exploits/barcode_ax49.rb.txt; reference:bugtraq,24596; reference:url,doc.emergingthreats.net/2011020; classtype:attempted-user; sid:2011020; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX RSP MP3 Player OCX ActiveX OpenFile Method Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"3C88113F-8CEC-48DC-A0E5-983EF9458687"; nocase; content:"OpenFile"; nocase; distance:0; reference:url,exploit-db.com/exploits/14309/; reference:url,packetstormsecurity.org/1007-exploits/rspmp3-overflow.txt; reference:url,doc.emergingthreats.net/2011249; classtype:web-application-attack; sid:2011249; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX RTSP MPEG4 SP Control ActiveX Control Url Property Buffer Overflow Vulnerability"; flow:to_client,established; file_data; content:"45830FF9-D9E6-4F41-86ED-B266933D8E90"; nocase; distance:0; content:"0x40000"; nocase; distance:0; content:"Url"; nocase; distance:0; reference:bugtraq,28010; reference:url,www.milw0rm.com/exploits/5193; reference:url,doc.emergingthreats.net/2007904; classtype:web-application-attack; sid:2007904; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Rediff Bol Downloader ActiveX Control Remote Code Execution"; flow:to_client,established; file_data; content:"BADA82CB-BF48-4D76-9611-78E2C6F49F03"; nocase; distance:0; content:"url"; nocase; distance:0; pcre:"/(exe|bat|com|dll|ini)/i"; content:"start"; nocase; reference:cve,CVE-2006-6838; reference:bugtraq,21831; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/21831.html; reference:url,doc.emergingthreats.net/2007998; classtype:web-application-attack; sid:2007998; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Registry OCX ActiveX FullPath Method Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"6D5B4E71-625F-11D2-B3AE-00A0C932C7DF"; nocase; distance:0; content:"FullPath"; nocase; distance:0; reference:url,exploit-db.com/exploits/14200/; reference:url,doc.emergingthreats.net/2011253; classtype:attempted-user; sid:2011253; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Rising Online Virus Scanner ActiveX Control Scan() Method Stack Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"9FAFB576-6933-4CCC-AB3D-B988EC43D04E"; nocase; distance:0; content:"Scan"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9FAFB576-6933-4CCC-AB3D-B988EC43D04E/si"; reference:url,www.securityfocus.com/bid/38282; reference:url,doc.emergingthreats.net/2010839; classtype:attempted-user; sid:2010839; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Rising Online Virus Scanner ActiveX Scan Method stack Overflow Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"RavOLCtlLib.RavOnline"; nocase; distance:0; content:"Scan"; nocase; distance:0; reference:url,packetstorm.foofus.com/1002-exploits/risingonline-dos.txt; reference:bugtraq,38282; reference:url,doc.emergingthreats.net/2011021; classtype:attempted-user; sid:2011021; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Roxio CinePlayer SonicDVDDashVRNav.DLL ActiveX Control Remote Buffer Overflow"; flow:to_client,established; file_data; content:"9F1363DA-0220-462E-B923-9E3C9038896F"; nocase; distance:0; content:"DiskType"; nocase; distance:0; reference:url,milw0rm.com/exploits/8824; reference:bugtraq,23412; reference:url,doc.emergingthreats.net/2009725; classtype:web-application-attack; sid:2009725; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Roxio CinePlayer IAManager.dll ActiveX Control Buffer Overflow"; flow:to_client,established; file_data; content:"EE1BBA18-F0C8-477E-8AC8-C28B94F1B7DC"; nocase; distance:0; content:"SetIAPlayerName"; nocase; distance:0; reference:url,xforce.iss.net/xforce/xfdb/50868; reference:url,milw0rm.com/exploits/8835; reference:url,doc.emergingthreats.net/2009735; classtype:web-application-attack; sid:2009735; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible SAP GUI ActiveX Control Insecure Method File Overwrite Attempt"; flow:from_server,established; file_data; content:"AFBBE070-7340-11d2-AA6B-00E02924C34E"; nocase; distance:0; content:"Save"; nocase; distance:0; content:"ToSessionFile"; within:17; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AFBBE070-7340-11d2-AA6B-00E02924C34E/si"; reference:url,www.securitytracker.com/alerts/2009/Sep/1022953.html; reference:url,doc.emergingthreats.net/2010013; classtype:attempted-user; sid:2010013; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ACTIVEX SAP AG SAPgui sapirrfc.dll ActiveX Control Buffer Overflow Attempt"; flow:from_server,established; file_data; content:"77F12F8A-F117-11D0-8CF1-00A0C91D9D87"; nocase; distance:0; content:"Accept"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*77F12F8A-F117-11D0-8CF1-00A0C91D9D87/si"; reference:url,www.securityfocus.com/bid/35256/info; reference:url,doc.emergingthreats.net/2010219; classtype:attempted-user; sid:2010219; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SAP GUI vsflexGrid ActiveX Buffer Overflow Function call Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"VSFlexGrid.VSFlexGridL"; nocase; distance:0; pcre:"/(Text|EditSelText|EditText|CellFontName|Archive)/i"; reference:url,dsecrg.com/pages/vul/show.php?id=117; reference:url,osvdb.org/show/osvdb/41939; reference:url,doc.emergingthreats.net/2010467; classtype:web-application-attack; sid:2010467; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SAP GUI vsflexGrid ActiveX Archive method Buffer Overflow CLSID Attempt"; flow:established,to_client; file_data; content:"C0A63B86-4B21-11D3-BD95-D426EF2C7949"; nocase; distance:0; content:"Archive"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0A63B86-4B21-11D3-BD95-D426EF2C7949/si"; reference:url,dsecrg.com/pages/vul/show.php?id=117; reference:url,osvdb.org/show/osvdb/41939; reference:url,doc.emergingthreats.net/2010468; classtype:web-application-attack; sid:2010468; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SAP GUI vsflexGrid ActiveX Text method Buffer Overflow CLSID Attempt"; flow:established,to_client; file_data; content:"C0A63B86-4B21-11D3-BD95-D426EF2C7949"; nocase; distance:0; content:"Text"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0A63B86-4B21-11D3-BD95-D426EF2C7949/si"; reference:url,dsecrg.com/pages/vul/show.php?id=117; reference:url,osvdb.org/show/osvdb/41939; reference:url,doc.emergingthreats.net/2010469; classtype:web-application-attack; sid:2010469; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SAP GUI vsflexGrid ActiveX EditSelText method Buffer Overflow CLSID Attempt"; flow:established,to_client; file_data; content:"C0A63B86-4B21-11D3-BD95-D426EF2C7949"; nocase; distance:0; content:"EditSelText"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0A63B86-4B21-11D3-BD95-D426EF2C7949/si"; reference:url,dsecrg.com/pages/vul/show.php?id=117; reference:url,osvdb.org/show/osvdb/41939; reference:url,doc.emergingthreats.net/2010470; classtype:web-application-attack; sid:2010470; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SAP GUI vsflexGrid ActiveX EditText method Buffer Overflow CLSID Attempt"; flow:established,to_client; file_data; content:"C0A63B86-4B21-11D3-BD95-D426EF2C7949"; nocase; distance:0; content:"EditText"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0A63B86-4B21-11D3-BD95-D426EF2C7949/si"; reference:url,dsecrg.com/pages/vul/show.php?id=117; reference:url,osvdb.org/show/osvdb/41939; reference:url,doc.emergingthreats.net/2010471; classtype:web-application-attack; sid:2010471; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SAP GUI vsflexGrid ActiveX CellFontName method Buffer Overflow CLSID Attempt"; flow:established,to_client; file_data; content:"C0A63B86-4B21-11D3-BD95-D426EF2C7949"; nocase; distance:0; content:"CellFontName"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0A63B86-4B21-11D3-BD95-D426EF2C7949/si"; reference:url,dsecrg.com/pages/vul/show.php?id=117; reference:url,osvdb.org/show/osvdb/41939; reference:url,doc.emergingthreats.net/2010472; classtype:web-application-attack; sid:2010472; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SAP AG SAPgui EAI WebViewer2D ActiveX stack buffer overflow CLSid Access"; flow:established,to_client; file_data; content:"A76CEBEE-7364-11D2-AA6B-00E02924C34E"; nocase; distance:0; content:"SaveToSessionFile"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A76CEBEE-7364-11D2-AA6B-00E02924C34E/si"; reference:url,dsecrg.com/pages/vul/show.php?id=143; reference:url,doc.emergingthreats.net/2010481; classtype:attempted-user; sid:2010481; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SAP GUI SAPBExCommonResources ActiveX Insecure Method Code Execution Attempt"; flow:established,to_client; file_data; content:"A009C90D-814B-11D3-BA3E-080009D22344"; nocase; distance:0; content:"Execute"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A009C90D-814B-11D3-BA3E-080009D22344/si"; reference:url,dsecrg.com/pages/vul/show.php?id=164; reference:url,doc.emergingthreats.net/2010957; classtype:attempted-user; sid:2010957; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SaschArt SasCam Webcam Server ActiveX Control Get Method Buffer Overflow"; flow:to_client,established; file_data; content:"0297D24A-F425-47EE-9F3B-A459BCE593E3"; nocase; distance:0; content:"Get"; nocase; distance:0; reference:bugtraq,33053; reference:url,milw0rm.com/exploits/7617; reference:url,doc.emergingthreats.net/2009047; classtype:web-application-attack; sid:2009047; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible SmartVMD VideoMovement.dll Buffer Overflow Attempt"; flow:established,from_server; file_data; content:"E3462D53-47A6-11D8-8EF6-DAE89272743C"; nocase; distance:0; content:"StartVideoSaving"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E3462D53-47A6-11D8-8EF6-DAE89272743C/si"; reference:url,www.securityfocus.com/bid/36217/info; reference:url,doc.emergingthreats.net/2009869; classtype:attempted-user; sid:2009869; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SonicWALL SSL VPN Client Remote ActiveX AddRouteEntry Attempt"; flow:to_client,established; file_data; content:"6EEFD7B1-B26C-440D-B55A-1EC677189F30"; nocase; distance:0; content:"AddRouteEntry"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6EEFD7B1-B26C-440D-B55A-1EC677189F30/si"; reference:url,www.securityfocus.com/bid/26288/info; reference:cve,2007-5603; reference:url,doc.emergingthreats.net/2010456; classtype:attempted-user; sid:2010456; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Sopcast SopCore ActiveX Control Remote Code Execution"; flow:to_client,established; file_data; content:"8FEFF364-6A5F-4966-A917-A3AC28411659"; nocase; distance:0; content:"SetExternalPlayer"; nocase; distance:0; reference:bugtraq,33920; reference:url,packetstorm.linuxsecurity.com/0902-exploits/9sg_sopcastia.txt; reference:url,doc.emergingthreats.net/2009226; classtype:web-application-attack; sid:2009226; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SupportSoft DNA Editor Module ActiveX Control Insecure Method Remote Code Execution"; flow:to_client,established; file_data; content:"01110800-3E00-11D2-8470-0060089874ED"; nocase; distance:0; pcre:"/(Packagefiles|SaveDna|SetIdentity|AddFile)/i"; reference:bugtraq,34004; reference:url,milw0rm.com/exploits/8160; reference:url,doc.emergingthreats.net/2009322; classtype:web-application-attack; sid:2009322; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Sygate Personal Firewall ActiveX SetRegString Method Stack Overflow Attempt"; flow:established,to_client; file_data; content:"D59EBAD7-AF87-4A5C-8459-D3F6B918E7C9"; nocase; distance:0; content:"SetRegString"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D59EBAD7-AF87-4A5C-8459-D3F6B918E7C9/si"; reference:url,www.exploit-db.com/exploits/13834/; reference:url,www.corelan.be#=#=8800/index.php/forum/security-advisories/10-050-sygate-personal-firewall-5-6-build-2808-activex/; reference:url,doc.emergingthreats.net/2011690; classtype:attempted-user; sid:2011690; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Symantec BackupExec Calendar Control (PVCalendar.ocx) BoF Vulnerability"; flow:to_client,established; file_data; content:"22ACD16F-99EB-11D2-9BB3-00400561D975"; nocase; distance:0; content:"0x40000"; distance:0; pcre:"/(_DOWText)|(_MonthText)/i"; content:"Save"; nocase; reference:url,www.milw0rm.com/exploits/5205; reference:cve,CVE-2007-6017; reference:bugtraq,28008; reference:url,doc.emergingthreats.net/2007932; classtype:web-application-attack; sid:2007932; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Symantec Norton Ghost EasySetupInt.dll ActiveX Multiple Remote Denial of Service"; flow:to_client,established; file_data; content:"7972D5BE-2213-4B28-884C-F8F82432EAA5"; nocase; distance:0; pcre:"/(SetupDeleteVolume|GetBackupLocationPath|CallUninstall|CanUseEasySetup|CallAddInitialProtection|CallTour)/i"; reference:url,milw0rm.com/exploits/8523; reference:bugtraq,34696; reference:url,doc.emergingthreats.net/2009373; classtype:web-application-attack; sid:2009373; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Symantec WinFax Pro DCCFAXVW.DLL Heap Buffer Overflow"; flow:to_client,established; file_data; content:"C05A1FBC-1413-11D1-B05F-00805F4945F6"; nocase; distance:0; content:"AppendFax"; nocase; distance:0; reference:bugtraq,34766; reference:url,milw0rm.com/exploits/8562; reference:url,doc.emergingthreats.net/2009385; classtype:web-application-attack; sid:2009385; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Symantec Security Check RuFSI ActiveX Control Buffer Overflow"; flow:to_client,established; file_data; content:"69DEAF94-AF66-11D3-BEC0-00105AA9B6AE"; nocase; distance:0; pcre:"/classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*69DEAF94-AF66-11D3-BEC0-00105AA9B6AE/si"; reference:bugtraq,8008; reference:url,xforce.iss.net/xforce/xfdb/12423; reference:url,juniper.net/security/auto/vulnerabilities/vuln8008.html; reference:url,doc.emergingthreats.net/2009847; classtype:web-application-attack; sid:2009847; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Symantec Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt"; flow:established,from_server; file_data; content:"B44D252D-98FC-4D5C-948C-BE868392A004"; nocase; distance:0; content:"BrowseAndSaveFile"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B44D252D-98FC-4D5C-948C-BE868392A004/si"; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00; reference:url,www.securityfocus.com/bid/36698/info; reference:url,sotiriu.de/adv/NSOADV-2009-001.txt; reference:cve,2009-3031; reference:url,doc.emergingthreats.net/2010227; classtype:attempted-user; sid:2010227; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Symantec Altiris Deployment Solution and Notification Server ActiveX Control RunCmd Arbitrary Code Execution Attempt"; flow:established,to_client; file_data; content:"B44D252D-98FC-4D5C-948C-BE868392A004"; nocase; distance:0; content:"RunCmd"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B44D252D-98FC-4D5C-948C-BE868392A004/si"; reference:url,securitytracker.com/alerts/2009/Nov/1023238.html; reference:url,www.securityfocus.com/bid/37092; reference:cve,2009-3033; reference:url,doc.emergingthreats.net/2010369; classtype:attempted-user; sid:2010369; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ACTIVEX Possible Symantec Altiris Deployment Solution and Notification Server ActiveX Control RunCmd Arbitrary Code Execution Function Call Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"Altiris.AeXNSConsoleUtilities"; nocase; distance:0; content:"RunCmd"; nocase; distance:0; reference:url,securitytracker.com/alerts/2009/Nov/1023238.html; reference:url,www.securityfocus.com/bid/37092; reference:cve,2009-3033; reference:url,doc.emergingthreats.net/2010370; classtype:attempted-user; sid:2010370; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Symantec Antivirus 10.0 Client Proxy ActiveX Control Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"E381F1C0-910E-11D1-AB1E-00A0C90F8F6F"; nocase; distance:0; content:"SetRemoteComputerName"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E381F1C0-910E-11D1-AB1E-00A0C90F8F6F/si"; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100217_02; reference:url,dsecrg.com/pages/vul/show.php?id=139; reference:cve,2010-0108; reference:url,doc.emergingthreats.net/2010958; classtype:attempted-user; sid:2010958; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Symantec Antivirus 10.0 Client Proxy ActiveX Control Buffer Overflow Function Call Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"cliproxy.objects.1"; nocase; distance:0; content:"SetRemoteComputerName"; nocase; distance:0; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100217_02; reference:url,dsecrg.com/pages/vul/show.php?id=139; reference:cve,2010-0108; reference:url,doc.emergingthreats.net/2010959; classtype:attempted-user; sid:2010959; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Tumbleweed SecureTransport FileTransfer ActiveX BOF Exploit"; flow:to_client,established; file_data; content:"38681fbd-d4cc-4a59-a527-b3136db711d3"; nocase; distance:0; content:"TransferFile"; nocase; distance:0; pcre:"/[\w\W]{2500,}/i"; reference:bugtraq,28662; reference:url,www.milw0rm.com/exploits/5398; reference:url,doc.emergingthreats.net/2008128; classtype:web-application-attack; sid:2008128; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Universal HTTP File Upload Remote File Deletetion"; flow:to_client,established; file_data; content:"4FD48E6-0712-4937-B09E-F3D285B11D82"; nocase; distance:0; content:"RemoveFileOrDir"; nocase; distance:0; pcre:"/(txt|ini|com|exe|bat|dll|dat)/i"; reference:url,www.milw0rm.com/exploits/5272; reference:url,doc.emergingthreats.net/2008062; classtype:web-application-attack; sid:2008062; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Universal HTTP Image/File Upload ActiveX Remote File Deletion Exploit"; flow:to_client,established; file_data; content:"04FD48E6-0712-4937-B09E-F3D285B11D82"; nocase; distance:0; content:"RemoveFileOrDir"; nocase; distance:0; reference:url,www.milw0rm.com/exploits/5569; reference:url,doc.emergingthreats.net/2008225; classtype:web-application-attack; sid:2008225; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX VeryDOC PDF Viewer ActiveX Control OpenPDF Buffer Overflow"; flow:to_client,established; file_data; content:"433268D7-2CD4-43E6-AA24-2188672E7252"; nocase; distance:0; content:"OpenPDF"; nocase; distance:0; reference:bugtraq,32313; reference:url,milw0rm.com/exploits/7126; reference:url,doc.emergingthreats.net/2008869; classtype:web-application-attack; sid:2008869; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Visagesoft eXPert PDF EditorX ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; file_data; content:"89F968A1-DBAC-4807-9B3C-405A55E4A279"; nocase; distance:0; content:"extractPagesToFile"; nocase; distance:0; reference:bugtraq,32664; reference:url,milw0rm.com/exploits/7358; reference:url,doc.emergingthreats.net/2008895; classtype:web-application-attack; sid:2008895; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Viscom Software Movie Player Pro SDK ActiveX 6.8 Remote Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"F4A32EAF-F30D-466D-BEC8-F4ED86CAF84E"; nocase; distance:0; content:"DrawText"; nocase; distance:0; content:!"|0A|"; within:25; isdataat:25,relative; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F4A32EAF-F30D-466D-BEC8-F4ED86CAF84E/si"; reference:url,en.securitylab.ru/poc/extra/389924.php; reference:url,doc.emergingthreats.net/2010840; classtype:attempted-user; sid:2010840; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible VMware Console ActiveX Format String Remote Code Execution Attempt"; flow:established,to_client; file_data; content:"B94C2238-346E-4C5E-9B36-8CC627F35574"; nocase; distance:0; content:"connect"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B94C2238-346E-4C5E-9B36-8CC627F35574/si"; reference:url,dsecrg.com/pages/vul/show.php?id=153; reference:url,lists.vmware.com/pipermail/security-announce/2010/000090.html; reference:cve,2009-3732; reference:url,doc.emergingthreats.net/2011126; classtype:attempted-user; sid:2011126; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Web on Windows ActiveX Insecure Methods"; flow:to_client,established; file_data; content:"441E9D47-9F52-11D6-9672-0080C88B3613"; nocase; distance:0; pcre:"/(WriteIniFileString|ShellExecute)/i"; reference:bugtraq,33515; reference:url,xforce.iss.net/xforce/xfdb/48337; reference:url,doc.emergingthreats.net/2009136; classtype:web-application-attack; sid:2009136; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX WinDVD7 IASystemInfo.DLL ActiveX ApplicationType method buffer overflow Attempt"; flow:established,to_client; file_data; content:"B727C217-2022-11D4-B2C6-0050DA1BD906"; nocase; distance:0; content:"ApplicationType"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B727C217-2022-11D4-B2C6-0050DA1BD906/si"; reference:url,www.packetstormsecurity.nl/0911-exploits/windvd7_applicationtype.rb.txt; reference:url,secunia.com/advisories/24556/; reference:url,doc.emergingthreats.net/2010852; classtype:web-application-attack; sid:2010852; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Windows Defender ActiveX DeleteValue/WriteValue method Heap Overflow Attempt"; flow:established,to_client; file_data; content:"07DD3249-A591-4949-8F20-09CD347C69DC"; nocase; distance:0; content:"Value"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*07DD3249-A591-4949-8F20-09CD347C69DC.+(DeleteValue|WriteValue)/si"; reference:url,www.packetstormsecurity.org/1001-exploits/msdef1-overflow.txt; reference:url,doc.emergingthreats.net/2010834; classtype:attempted-user; sid:2010834; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Windows Defender ActiveX DeleteValue method Remote Code Execution Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"MpComExportsLib.MsMpSimpleConfig"; nocase; distance:0; content:"DeleteValue"; nocase; distance:0; reference:url,www.packetstormsecurity.org/1001-exploits/msdef1-overflow.txt; reference:url,doc.emergingthreats.net/2010835; classtype:attempted-user; sid:2010835; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Windows Defender ActiveX WriteValue method Remote Code Execution Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"MpComExportsLib.MsMpSimpleConfig"; nocase; distance:0; content:"WriteValue"; nocase; distance:0; reference:url,www.packetstormsecurity.org/1001-exploits/msdef2-overflow.txt; reference:url,doc.emergingthreats.net/2010837; classtype:attempted-user; sid:2010837; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Windows Live Messenger ActiveX Control RichUploadControlContextData Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"C2828995-4A83-4100-A212-3024BA117356"; nocase; distance:0; content:"RichUploadControlContextData"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C2828995-4A83-4100-A212-3024BA117356/si"; reference:url,www.securityfocus.com/bid/37908/info; reference:url,doc.emergingthreats.net/2010702; classtype:attempted-user; sid:2010702; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Windows Live Messenger ActiveX Control RichUploadControlContextData Buffer Overflow Function Call Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"RichUploadLib.UploadControl"; nocase; distance:0; content:"RichUploadControlContextData"; nocase; distance:0; reference:url,www.securityfocus.com/bid/37908/info; reference:url,doc.emergingthreats.net/2010703; classtype:attempted-user; sid:2010703; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX winhlp32 ActiveX control attack - phase 1"; flowbits:noalert; flow: to_client,established; file_data; content:"|3C|OBJECT"; nocase; distance:0; content:"application/x-oleobject"; nocase; within: 64; content:"codebase="; nocase; distance:0; content:"hhctrl.ocx"; nocase; within:15; flowbits:set,winhlp32; metadata: former_category ACTIVEX; reference:url,doc.emergingthreats.net/bin/view/Main/2001622; classtype:web-application-attack; sid:2001622; rev:15; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2017_05_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX winhlp32 ActiveX control attack - phase 2"; flow:to_client,established; flowbits:isset,winhlp32; file_data; content:"|3C|PARAM"; nocase; distance:0; content:"value="; nocase; distance:0; content:"command|3B|"; nocase; distance:0; pcre:"/(javascript|http|ftp|vbscript)/iR"; metadata: former_category ACTIVEX; reference:url,doc.emergingthreats.net/bin/view/Main/2001623; classtype:web-application-attack; sid:2001623; rev:15; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2017_05_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX winhlp32 ActiveX control attack - phase 3"; flow:to_client, established; flowbits:isset,winhlp32; content:".HHClick|2829|"; nocase; metadata: former_category ACTIVEX; reference:url,doc.emergingthreats.net/bin/view/Main/2001624; classtype:web-application-attack; sid:2001624; rev:13; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2017_05_08;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Novell ZENWorks for Desktops Remote Heap-Based Buffer Overflow"; flow:to_client,established; file_data; content:"0F517994-A6FA-4F39-BD4B-EC2DF00AEEF1"; nocase; distance:0; content:"CanUninstall"; nocase; distance:0; reference:bugtraq,31435; reference:url,securitytracker.com/alerts/2008/Sep/1020951.html; reference:url,doc.emergingthreats.net/2008619; classtype:web-application-attack; sid:2008619; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible HTTP ACTi SetText() nvUnifiedControl.dll Buffer Overflow Attempt"; flow:established,from_server; file_data; content:"A6F36F3F-3AE0-458B-AFC4-AA82565E0BF8"; nocase; distance:0; content:"SetText"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s* \x7B?\s*A6F36F3F-3AE0-458B-AFC4-AA82565E0BF8/si"; reference:url,tools.cisco.com/security/center/viewIpsSignature.x?signatureId=18237&signatureSubId=1&softwareVersion=6.0&releaseVersion=S429; reference:url,www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=22546; reference:url,www.securityfocus.com/bid/25465; reference:url,doc.emergingthreats.net/2009893; classtype:attempted-user; sid:2009893; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible HTTP ACTi SaveXMLFile()/DeleteXMLFile() nvUnifiedControl.dll Arbitrary File Overwrite/Deletion Attempt"; flow:established,from_server; file_data; content:"A0D43FB0-116B-47AB-80FB-6DCFA92A03E3"; nocase; distance:0; content:"eXMLFile"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A0D43FB0-116B-47AB-80FB-6DCFA92A03E3/si"; reference:url,tools.cisco.com/security/center/viewIpsSignature.x?signatureId=18237&signatureSubId=1&softwareVersion=6.0&releaseVersion=S429; reference:url,www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=22546; reference:url,www.securityfocus.com/bid/25465; reference:url,doc.emergingthreats.net/2009894; classtype:attempted-user; sid:2009894; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible activePDF WebGrabber ActiveX Control Buffer Overflow Function Call Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"APWebGrabber.Object"; nocase; distance:0; content:"GetStatus"; nocase; distance:0; reference:url,www.fortiguard.com/encyclopedia/vulnerability/activepdf.webgrabber.apwebgrb.ocx.activex.access.html; reference:url,packetstormsecurity.org/0911-exploits/activepdf_webgrabber.rb.txt; reference:url,doc.emergingthreats.net/2010690; classtype:attempted-user; sid:2010690; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible activePDF WebGrabber ActiveX Control Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"02C2DD87-2E67-11D2-96EF-0000861852D5"; nocase; distance:0; content:"GetStatus"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*02C2DD87-2E67-11D2-96EF-0000861852D5/si"; reference:url,www.fortiguard.com/encyclopedia/vulnerability/activepdf.webgrabber.apwebgrb.ocx.activex.access.html; reference:url,packetstormsecurity.org/0911-exploits/activepdf_webgrabber.rb.txt; reference:url,doc.emergingthreats.net/2010691; classtype:attempted-user; sid:2010691; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Edraw PDF Viewer FtpConnect Component ActiveX Remote code execution Attempt"; flow:from_server,established; file_data; content:"44A8091F-8F01-43B7-8CF7-4BBA71E61E04"; nocase; distance:0; content:"FtpConnect"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*44A8091F-8F01-43B7-8CF7-4BBA71E61E04/si"; reference:url,www.milw0rm.org/exploits/8986; reference:url,doc.emergingthreats.net/2010161; classtype:attempted-user; sid:2010161; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX iDefense COMRaider ActiveX Control Arbitrary File Deletion"; flow:to_client,established; file_data; content:"9A077D0D-B4A6-4EC0-B6CF-98526DF589E4"; nocase; distance:0; pcre:"/(DeleteFile|write)/i"; reference:bugtraq,33867; reference:bugtraq,33942; reference:url,doc.emergingthreats.net/2009187; classtype:web-application-attack; sid:2009187; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX SendCommand Method Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"SendCommand"; nocase; distance:0; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011200; classtype:attempted-user; sid:2011200; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX Login Method Buffer Oveflow Attempt"; flow:established,to_client; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"Login"; nocase; distance:0; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011201; classtype:attempted-user; sid:2011201; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX Snapshot Method Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"Snapshot"; nocase; distance:0; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011202; classtype:attempted-user; sid:2011202; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX _DownloadPBOpen Method Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"_DownloadPBOpen"; nocase; distance:0; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011203; classtype:attempted-user; sid:2011203; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX _DownloadPBClose Method Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"_DownloadPBClose"; nocase; distance:0; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011204; classtype:attempted-user; sid:2011204; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX _DownloadPBControl Method Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"_DownloadPBControl"; nocase; distance:0; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011205; classtype:attempted-user; sid:2011205; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX Buffer Overflow Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"AVC781Viewer.CV781Object"; nocase; distance:0; pcre:"/(SendCommand|Login|Snapshot|_DownloadPBControl|_DownloadPBClose|_DownloadPBOpen)/iR"; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011206; classtype:attempted-user; sid:2011206; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Adobe browser document ActiveX DoS Function call Attempt"; flow:from_server,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"AcroPDFLib.AcroPDF"; distance:0; nocase; content:"src"; nocase; distance:0; reference:url,www.packetstormsecurity.nl/0911-exploits/acropdf-dos.txt; reference:url,doc.emergingthreats.net/2010705; classtype:attempted-user; sid:2010705; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Adobe browser document ActiveX DoS Attempt"; flow:established,to_client; file_data; content:"clsid"; nocase; distance:0; content:"CA8A9780-280D-11CF-A24D-444553540000"; nocase; distance:0; content:"src"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CA8A9780-280D-11CF-A24D-444553540000/si"; reference:url,www.packetstormsecurity.nl/0911-exploits/acropdf-dos.txt; reference:url,doc.emergingthreats.net/2010726; classtype:attempted-user; sid:2010726; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Ask.com Toolbar askBar.dll ActiveX ShortFormat Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"clsid"; nocase; distance:0; content:"5A074B2B-F830-49DE-A31B-5BB9D7F6B407"; nocase; distance:0; content:"ShortFormat"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5A074B2B-F830-49DE-A31B-5BB9D7F6B407/si"; reference:url,www.packetstormsecurity.nl/0911-exploits/ask_shortformat.rb.txt; reference:url,secunia.com/advisories/26960/; reference:url,doc.emergingthreats.net/2010921; classtype:web-application-attack; sid:2010921; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Avaya CallPilot Unified Messaging ActiveX InstallFrom Method Access Attempt"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"7F14A9EE-6989-11D5-8152-00C04F191FCA"; nocase; distance:0; content:"InstallFrom"; nocase; distance:0; reference:url,secunia.com/advisories/40184/; reference:bugtraq,40535; reference:url,doc.emergingthreats.net/10767; classtype:attempted-user; sid:2011692; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Avaya CallPilot Unified Messaging ActiveX Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"NMWEBINST.NMWebInstCtrl.1"; nocase; distance:0; content:"InstallFrom"; nocase; distance:0; reference:url,secunia.com/advisories/40184/; reference:bugtraq,40535; reference:url,doc.emergingthreats.net/2011681; classtype:attempted-user; sid:2011681; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Axis Media Controller ActiveX SetImage Method Remote Code Execution Attempt"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"DE625294-70E6-45ED-B895-CFFA13AEB044"; nocase; distance:0; content:"SetImage"; nocase; distance:0; reference:bugtraq,41078; reference:url,doc.emergingthreats.net/2011722; classtype:attempted-user; sid:2011722; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX DB Software Laboratory VImpX.ocx ActiveX Control Multiple Insecure Methods"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"7600707B-9F47-416D-8AB5-6FD96EA37968"; fast_pattern:16,20; nocase;  pcre:"/(LogFile|ClearLogFile|SaveToFile)/i"; reference:bugtraq,31907; reference:url,milw0rm.com/exploits/6828; reference:url,doc.emergingthreats.net/2008789; classtype:web-application-attack; sid:2008789; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX DjVu DjVu_ActiveX_MSOffice.dll ActiveX Component Heap Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"4A46B8CD-F7BD-11D4-B1D8-000102290E7C"; nocase; distance:0; content:"0x400000"; distance:0; content:"ImageURL"; nocase; reference:bugtraq,31987; reference:url,milw0rm.com/exploits/6878; reference:url,doc.emergingthreats.net/2008790; classtype:web-application-attack; sid:2008790; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EasyMail Object SMTP Component Buffer Overflow Function call Attempt"; flow:from_server,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"EasyMail.SMTP.6"; distance:0; nocase; pcre:"/(AddAttachment|SubmitToExpress)/i"; reference:url,secunia.com/advisories/24199/; reference:url,www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/oracle_dc_submittoexpress.rb; reference:url,doc.emergingthreats.net/2010657; classtype:web-application-attack; sid:2010657; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EasyMail Object IMAP4 Component Buffer Overflow Function call Attempt"; flow:from_server,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"EasyMail.IMAP4.6"; distance:0; nocase; content:"LicenseKey"; nocase; reference:url,secunia.com/advisories/24199/; reference:url,doc.emergingthreats.net/2010658; classtype:web-application-attack; sid:2010658; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SaschArt SasCam Webcam Server ActiveX Control Head Method Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"0297D24A-F425-47EE-9F3B-A459BCE593E3"; nocase; distance:0; content:"Head"; nocase; distance:0; reference:url,exploit-db.com/exploits/14215/; reference:bugtraq,41343; reference:url,doc.emergingthreats.net/2011207; classtype:web-application-attack; sid:2011207; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX stack overfow Function call Attempt"; flow:from_server,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"SoftArtisans.FileManager.1"; distance:0; nocase; pcre:"/(Buildpath|GetDriveName|DriveExists|DeleteFile)/i"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010745; classtype:attempted-user; sid:2010745; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX Buildpath method stack overflow Attempt"; flow:established,to_client; file_data; content:"clsid"; nocase; distance:0; content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; nocase; distance:0; content:"BuildPath"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89/si"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010746; classtype:attempted-user; sid:2010746; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX GetDriveName method stack overflow Attempt"; flow:established,to_client; file_data; content:"clsid"; nocase; distance:0; content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; nocase; distance:0; content:"GetDriveName"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89/si"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010747; classtype:attempted-user; sid:2010747; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX DriveExists method stack overflow Attempt"; flow:established,to_client; file_data; content:"clsid"; nocase; distance:0; content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; nocase; distance:0; content:"DriveExists"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89/si"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010748; classtype:attempted-user; sid:2010748; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX DeleteFile method stack overflow Attempt"; flow:established,to_client; file_data; content:"clsid"; nocase; distance:0; content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; nocase; distance:0; content:"DeleteFile"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89/si"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010749; classtype:attempted-user; sid:2010749; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SoftCab Sound Converter ActiveX SaveFormat File overwrite Attempt"; flow:established,to_client; file_data; content:"66757BFC-DA0C-41E6-B3FE-B6D461223FF5"; nocase; distance:0; content:"SaveFormat"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*66757BFC-DA0C-41E6-B3FE-B6D461223FF5/si"; reference:url,secunia.com/advisories/37967/; reference:url,doc.emergingthreats.net/2010943; classtype:web-application-attack; sid:2010943; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Visagesoft eXPert PDF Viewer ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"BDF3E9D2-5F7A-4F4A-A914-7498C862EA6A"; nocase; distance:0; content:"savePageAsBitmap"; nocase; distance:0; reference:bugtraq,31984; reference:url,milw0rm.com/exploits/6875; reference:url,doc.emergingthreats.net/2008791; classtype:web-application-attack; sid:2008791; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Viscom Movie Player Pro SDK ActiveX DrawText method Buffer Overflow Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"MOVIEPLAYER.MoviePlayerCtrl.1"; nocase; distance:0; content:"DrawText"; nocase; distance:0; reference:url,www.shinnai.net/exploits/X6hU4E0E7P5H3qH5yXrn.txt; reference:url,secunia.com/advisories/38156/; reference:url,doc.emergingthreats.net/2010944; classtype:attempted-user; sid:2010944; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL ACTIVEX Norton antivirus sysmspam.dll load attempt"; flow:to_client,established; file_data; content:"clsid|3A|"; nocase; distance:0; content:"0534CF61-83C5-4765-B19B-45F7A4E135D0"; nocase; distance:0; reference:bugtraq,9916; reference:cve,2004-0363; classtype:attempted-admin; sid:2102485; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL ACTIVEX winhelp clsid attempt"; flow:from_server,established; file_data; content:"adb880a6-d8ff-11cf-9377-00aa003b7a11"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*adb880a6-d8ff-11cf-9377-00aa003b7a11/si"; reference:bugtraq,4857; reference:cve,2002-0823; reference:url,www.ngssoftware.com/advisories/ms-winhlp.txt; classtype:attempted-user; sid:2103148; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Apple QuickTime _Marshaled_pUnk Backdoor Param Arbitrary Code Execution Attempt"; flow:established,from_server; content:"clsid"; nocase; content:"02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"; nocase; distance:0; content:"_Marshaled_pUnk"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*02BF25D5-8C17-4B23-BC80-D3488ABDDC6B/si"; reference:url,www.exploit-db.com/exploits/14843/; classtype:attempted-user; sid:2011412; rev:1; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Novell iPrint Client Browser Plugin ExecuteRequest debug Parameter Stack Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"36723f97-7aa0-11d4-8919-ff2d71d0d32c"; nocase; distance:0; content:"ExecuteRequest"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*36723f97-7aa0-11d4-8919-ff2d71d0d32c/si"; reference:url,www.exploit-db.com/moaub-14-novell-iprint-client-browser-plugin-executerequest-debug-parameter-stack-overflow/; reference:bid,42100; reference:url,doc.emergingthreats.net/2011509; classtype:attempted-user; sid:2011509; rev:1; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft DirectX 9 msvidctl.dll ActiveX Control Code Execution Attempt"; flow:to_client,established; file_data; content:"24DC3975-09BF-4231-8655-3EE71F43837D"; nocase; content:".CustomCompositorClass"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*24DC3975-09BF-4231-8655-3EE71F43837D/si"; reference:url,packetstorm.linuxsecurity.com/1009-exploits/msvidctl-activex.txt; classtype:web-application-attack; sid:2011589; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_10_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft DirectX 9 ActiveX Control Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MSVidCtlLib.MSVidVMR9"; nocase; distance:0; content:".CustomCompositorClass"; nocase; reference:url,packetstorm.linuxsecurity.com/1009-exploits/msvidctl-activex.txt; classtype:attempted-user; sid:2011590; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_10_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AoA Audio Extractor ActiveX Control Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"125C3F0B-1073-4783-9A7B-D33E54269CA5"; nocase; distance:0; content:"InitLicenKeys"; nocase; reference:url,exploit-db.com/exploits/14599/; reference:url,packetstormsecurity.org/1010-exploits/aoaae-rop.txt; classtype:web-application-attack; sid:2011801; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_10_12, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Trend Micro Internet Security Pro 2010 ActiveX extSetOwner Remote Code Execution Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"15DBC3F9-9F0A-472E-8061-043D9CEC52F0"; nocase; distance:0; content:"extSetOwner"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*15DBC3F9-9F0A-472E-8061-043D9CEC52F0/si"; reference:url,www.exploit-db.com/trend-micro-internet-security-pro-2010-activex-extsetowner-remote-code-execution/; classtype:attempted-user; sid:2011867; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_10_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Softek Barcode Reader Toolkit ActiveX Control Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"11E7DA45-B56D-4078-89F6-D3D651EC4CD6"; nocase; distance:0; content:".DebugTraceFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*11E7DA45-B56D-4078-89F6-D3D651EC4CD6/si"; reference:url,exploit-db.com/exploits/15071; classtype:web-application-attack; sid:2011869; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_10_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Softek Barcode Reader Toolkit ActiveX Control Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"SoftekATL.CBarcode"; nocase; distance:0; content:".DebugTraceFile"; nocase; reference:url,exploit-db.com/exploits/15071/; classtype:attempted-user; sid:2011870; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_10_29, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX J-Integra Remote Code Execution"; flow:established,to_client; content:"clsid"; nocase; content:"F21507A7-530F-4A89-8FE4-9D989670FD2C"; nocase; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(\x22|\x27)\s*clsid\s*\x3a\s*{?\s*F21507A7-530F-4A89-8FE4-9D989670FD2C\s*}?\s*(.*)(\s|)/si"; pcre:"/\x2e[RemoveAccessPermission|AddLaunchPermission|AddAccessPermission|RemoveLaunchPermission]/"; reference:url,www.exploit-db.com/exploits/15648; classtype:attempted-user; sid:2012095; rev:3; metadata:created_at 2010_12_23, updated_at 2010_12_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX WMITools ActiveX Remote Code Execution"; flow:established,to_client; content:"clsid"; nocase; content:"2745E5F5-D234-11D0-847A-00C04FD7BB08"; nocase; distance:0; content:"|2e|AddContextRef"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22|\x27]\s*clsid\s*\x3a\s*{?\s*2745E5F5-D234-11D0-847A-00C04FD7BB08\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15809/; classtype:attempted-user; sid:2012097; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_12_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX J-Integra ActiveX SetIdentity Buffer Overflow"; flow:established,to_client; content:"clsid"; nocase; content:"8234E54E-20CB-4A88-9AB6-7986F99BE243"; nocase; content:"|2e|SetIdentity"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22|\x27]\s*clsid\s*\x3a\s*{?\s*8234E54E-20CB-4A88-9AB6-7986F99BE243\s*}?\s*(.*)(\s|>)/si"; reference:url,www.exploit-db.com/exploits/15655; classtype:attempted-user; sid:2012098; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_12_23, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Image Viewer CP Gold Image2PDF Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"E589DA78-AD4C-4FC5-B6B9-9E47B110679E"; nocase; content:"|2e|Image2PDF"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*E589DA78-AD4C-4FC5-B6B9-9E47B110679E\s*}?\s*(.*)(\s|>)/si"; reference:url,www.exploit-db.com/exploits/15658/; classtype:attempted-user; sid:2012102; rev:3; metadata:created_at 2011_12_27, updated_at 2011_12_27;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Netcraft Toolbar Remote Code Execution"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"73F57628-B458-11D4-9673-00A0D212FC63"; nocase; distance:0; content:"document|2e|getElementById|28|"; distance:0; content:"|2e|MapZone|28|"; distance:0; within:20; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*73F57628-B458-11D4-9673-00A0D212FC63\s*}?\s*(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15600; classtype:attempted-user; sid:2012145; rev:3; metadata:created_at 2011_01_05, updated_at 2011_01_05;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ImageShack Toolbar Remote Code Execution"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"DC922B67-FF61-455E-9D79-959925B6695C"; nocase; distance:0; content:"javascript|3a|document|2e|getElementById|28 27|"; content:"|2e|strategy"; distance:0; within:20; content:"javascript|3a|document.getElementById|28 27|"; distance:0; content:"|2e|target"; distance:0; within:20; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*DC922B67-FF61-455E-9D79-959925B6695C\s*}?\s*(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15601; classtype:attempted-user; sid:2012146; rev:7; metadata:created_at 2011_01_05, updated_at 2011_01_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Advanced File Vault Activex Heap Spray Attempt"; flow:established,to_client; file_data; content:"|2e|GetWebStoreURL"; content:"clsid"; nocase; content:"25982EAA-87CC-4747-BE09-9913CF7DD2F1"; nocase; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*25982EAA-87CC-4747-BE09-9913CF7DD2F1\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/14580/; classtype:attempted-user; sid:2012147; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_01_05, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX dBpowerAMP Audio Player 2 FileExists Method ActiveX Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"BECB8EE1-6BBB-4A85-8DFD-099B7A60903A"; nocase; distance:0; content:"|2e|Enque"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*BECB8EE1-6BBB-4A85-8DFD-099B7A60903A\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/14586/; classtype:attempted-user; sid:2012148; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_01_05, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX FathFTP 1.8 EnumFiles Method ActiveX Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"62A989CE-D39A-11D5-86F0-B9C370762176"; nocase; distance:0; content:"|2e|EnumFiles"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*62A989CE-D39A-11D5-86F0-B9C370762176\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/14552/; classtype:attempted-user; sid:2012133; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_01_05, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SigPlus Pro 3.74 ActiveX LCDWriteString Method Remote Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"69A40DA3-4D42-11D0-86B0-0000C025864A"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; distance:0; content:"|2e|LCDWriteString"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22|\x27]\s*clsid\s*\x3a\s*{?\s*69A40DA3-4D42-11D0-86B0-0000C025864A\s*}?(.*)\>/si"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*D27CDB6E-AE6D-11cf-96B8-444553540000\s*}?(.*)\>/si"; reference:cve,2010-2931; reference:url,www.exploit-db.com/exploits/14514/; classtype:attempted-user; sid:2012134; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_01_05, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Microsoft WMI Administration Tools WEBSingleView.ocx ActiveX Buffer Overflow Attempt Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"WBEM.SingleViewCtrl.1"; nocase; distance:0; pcre:"/WBEM\x2ESingleViewCtrl\x2E1.+(AddContextRef|ReleaseContext)/smi"; reference:url,xcon.xfocus.net/XCon2010_ChenXie_EN.pdf; reference:url,wooyun.org/bug.php?action=view&id=1006; classtype:attempted-user; sid:2012157; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_01_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Microsoft WMI Administration Tools WEBSingleView.ocx ActiveX Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"2745E5F5-D234-11D0-847A-00C04FD7BB08"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2745E5F5-D234-11D0-847A-00C04FD7BB08.+(AddContextRef|ReleaseContext)/smi"; reference:url,xcon.xfocus.net/XCon2010_ChenXie_EN.pdf; reference:url,wooyun.org/bug.php?action=view&id=1006; reference:bid,45546; reference:cve,CVE-2010-3973; classtype:attempted-user; sid:2012158; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_01_06, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX NewV SmartClient NewvCommon.ocx DelFile Method Arbitrary File Deletion Attempt"; flow:established,to_client; file_data; content:"0B68B7EB-02FF-4A41-BC14-3C303BB853F9"; nocase; distance:0; content:"DelFile"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0B68B7EB-02FF-4A41-BC14-3C303BB853F9/si"; reference:url,packetstormsecurity.org/files/view/97394/newvcommon-insecure.txt; classtype:attempted-user; sid:2012192; rev:1; metadata:created_at 2011_01_15, updated_at 2011_01_15;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Real Networks RealPlayer SP RecordClip Method Remote Code Execution Attempt"; flow:established,to_client; file_data; content:"FDC7A535-4070-4B92-A0EA-D9994BCC0DC5"; nocase; distance:0; content:"RecordClip"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FDC7A535-4070-4B92-A0EA-D9994BCC0DC5/si"; reference:bid,44443; reference:cve,2010-3749; classtype:attempted-user; sid:2012194; rev:1; metadata:created_at 2011_01_15, updated_at 2011_01_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Novell iPrint ActiveX GetDriverSettings Remote Code Execution Attempt"; flow:established,to_client; file_data; content:"36723F97-7AA0-11D4-8919-FF2D71D0D32C"; nocase; distance:0; content:"GetDriverSettings2"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*36723F97-7AA0-11D4-8919-FF2D71D0D32C/si"; reference:url,www.zerodayinitiative.com/advisories/ZDI-10-256/; reference:url,www.vupen.com/english/advisories/2010/3023; reference:bid,44966; reference:cve,2010-4321; classtype:attempted-user; sid:2012206; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_01_20, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible UserManager SelectServer method Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"<OBJECT"; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"E5D2CE27-5FA0-11D2-A666-204C4F4F5020"; nocase; distance:0; content:"SelectServer"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E5D2CE27-5FA0-11D2-A666-204C4F4F5020/si"; reference:url,exploit-db.com/exploits/16002/; classtype:web-application-attack; sid:2012218; rev:3; metadata:created_at 2011_01_21, updated_at 2011_01_21;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Oracle Document Capture Insecure Read Method File Access Attempt"; flow:established,to_client; file_data; content:"68AC0D5F-0424-11D5-822F-00C04F6BA8D9"; nocase; distance:0; content:"ImportBodyText"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*68AC0D5F-0424-11D5-822F-00C04F6BA8D9/si"; reference:cve,2010-3595; classtype:attempted-user; sid:2012231; rev:1; metadata:created_at 2011_01_27, updated_at 2011_01_27;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Oracle Document Capture File Deletion Attempt"; flow:established,to_client; file_data; content:"F647CBE5-3C01-402A-B3F0-502A77054A24"; nocase; distance:0; content:"DownloadSingleMessageToFile"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F647CBE5-3C01-402A-B3F0-502A77054A24/si"; reference:cve,2010-3591; classtype:attempted-user; sid:2012232; rev:1; metadata:created_at 2011_01_27, updated_at 2011_01_27;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Oracle Document Capture File Overwrite Attempt"; flow:established,to_client; file_data; content:"4932CEF4-2CAA-11D2-A165-0060081C43D9"; nocase; distance:0; content:"SaveLayoutChanges"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4932CEF4-2CAA-11D2-A165-0060081C43D9/si"; reference:cve,2010-3591; classtype:attempted-user; sid:2012233; rev:1; metadata:created_at 2011_01_27, updated_at 2011_01_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Oracle Document Capture File Overwrite or Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"NCSECWLib.NCSRenderer"; nocase; distance:0; content:"WriteJPG"; nocase; distance:0; reference:cve,2010-3599; classtype:attempted-user; sid:2012234; rev:1; metadata:created_at 2011_01_27, updated_at 2011_01_27;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX RealPlayer CDDA URI Overflow Uninitialized Pointer Attempt"; flow:established,to_client; file_data; content:"CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA"; nocase; distance:0; content:"cdda|3A|//"; nocase; distance:0; isdataat:100,relative; content:!"|0A|"; within:100; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA/si"; reference:bid,44450; reference:cve,2010-3747; classtype:attempted-user; sid:2012543; rev:2; metadata:created_at 2011_03_24, updated_at 2011_03_24;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX RealNetworks RealGames StubbyUtil.ProcessMgr.1 InstallerDlg.dll Remote Command Execution Attempt"; flow:established,to_client; file_data; content:"5818813E-D53D-47A5-ABBB-37E2A07056B5"; nocase; distance:0; content:"Exec"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5818813E-D53D-47A5-ABBB-37E2A07056B5.+(Exec|ExecLow|ShellExec)/smi"; reference:url,www.exploit-db.com/exploits/17105/; reference:bid,47133; classtype:attempted-user; sid:2012636; rev:1; metadata:created_at 2011_04_05, updated_at 2011_04_05;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX RealNetworks RealGames StubbyUtil.ProcessMgr.1 InstallerDlg.dll Remote Command Execution Attempt"; flow:established,to_client; file_data; content:"5818813E-D53D-47A5-ABBB-37E2A07056B5"; nocase; distance:0; content:"CreateVistaTaskLow"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5818813E-D53D-47A5-ABBB-37E2A07056B5/si"; reference:url,www.exploit-db.com/exploits/17105/; reference:bid,47133; classtype:attempted-user; sid:2012637; rev:2; metadata:created_at 2011_04_05, updated_at 2011_04_05;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX RealNetworks RealGames StubbyUtil.ShellCtl.1 InstallerDlg.dll Remote Command Execution Attempt"; flow:established,to_client; file_data; content:"80AB3FB6-9660-416C-BE8D-0E2E8AC3138B"; nocase; distance:0; content:"ShellExec"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*80AB3FB6-9660-416C-BE8D-0E2E8AC3138B/si"; reference:url,www.exploit-db.com/exploits/17105/; reference:bid,47133; classtype:attempted-user; sid:2012638; rev:2; metadata:created_at 2011_04_05, updated_at 2011_04_05;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX RealNetworks RealGames StubbyUtil.ShellCtl.1 InstallerDlg.dll Remote Command Execution Attempt"; flow:established,to_client; file_data; content:"80AB3FB6-9660-416C-BE8D-0E2E8AC3138B"; nocase; distance:0; content:"CreateShortcut"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*80AB3FB6-9660-416C-BE8D-0E2E8AC3138B/si"; reference:url,www.exploit-db.com/exploits/17105/; reference:bid,47133; classtype:attempted-user; sid:2012639; rev:2; metadata:created_at 2011_04_05, updated_at 2011_04_05;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX RealNetworks RealGames StubbyUtil.ShellCtl.1 InstallerDlg.dll Remote Command Execution Attempt"; flow:established,to_client; file_data; content:"80AB3FB6-9660-416C-BE8D-0E2E8AC3138B"; nocase; distance:0; content:"CopyDocument"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*80AB3FB6-9660-416C-BE8D-0E2E8AC3138B/si"; reference:url,www.exploit-db.com/exploits/17105/; reference:bid,47133; classtype:attempted-user; sid:2012640; rev:2; metadata:created_at 2011_04_05, updated_at 2011_04_05;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Sun Java Runtime New Plugin Docbase Buffer Overflow Attempt"; flow:established,to_client; content:"CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"; nocase; content:"launchjnlp"; fast_pattern; nocase; distance:0; content:"docbase"; nocase; distance:0; content:"value=|22|"; nocase; distance:0; isdataat:257,relative; content:!"|0A|"; within:257; reference:bid,44023; reference:cve,2010-3552; classtype:attempted-user; sid:2012641; rev:2; metadata:created_at 2011_04_06, updated_at 2011_04_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Gesytec ElonFmt ActiveX Component GetItem1 member Buffer Overflow Attempt";  flow:to_client,established; file_data; content:"<OBJECT"; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"824C4DC5-8DA4-11D6-A01F-00E098177CDC"; nocase; distance:0; content:".GetItem1"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*824C4DC5-8DA4-11D6-A01F-00E098177CDC/si"; reference:url,exploit-db.com/exploits/17196; classtype:web-application-attack; sid:2012741; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_04_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Gesytec ElonFmt ActiveX Component Format String Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"ELONFMTLib.ElonFmt"; nocase; distance:0; content:".GetItem1"; nocase; reference:url,exploit-db.com/exploits/17196; classtype:attempted-user; sid:2012742; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_04_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Magneto ICMP ActiveX ICMPSendEchoRequest Remote Code Execution Attempt"; flow:established,to_client; file_data; content:"3A86F1F2-4921-4C75-AF2C-A1AA241E12BA"; nocase; distance:0; content:"ICMPSendEchoRequest"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3A86F1F2-4921-4C75-AF2C-A1AA241E12BA/si"; reference:url,www.exploit-db.com/exploits/17328/; classtype:attempted-user; sid:2012905; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_05_31, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Cisco AnyConnect VPN Secure Mobility Client Arbitrary Program Execution Attempt"; flow:established,to_client; file_data; content:"55963676-2F5E-4BAF-AC28-CF26AA587566"; nocase; distance:0; content:"url"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*55963676-2F5E-4BAF-AC28-CF26AA587566/si"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=909; reference:bid,48081; reference:cve,2011-2039; reference:cve,2011-2040; classtype:attempted-user; sid:2012929; rev:1; metadata:created_at 2011_06_03, updated_at 2011_06_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Cisco AnyConnect VPN Secure Mobility Client Cisco.AnyConnect.VPNWeb.1 Arbitrary Program Execution Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"Cisco.AnyConnect.VPNWeb.1"; nocase; distance:0; content:"url"; nocase; distance:0; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=909; reference:bid,48081; reference:cve,2011-2039; reference:cve,2011-2040; classtype:attempted-user; sid:2012930; rev:2; metadata:created_at 2011_06_03, updated_at 2011_06_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Easewe FTP OCX ActiveX Control EaseWeFtp.ocx Remote Code Execution Attempt"; flow:established,to_client; content:"31AE647D-11D1-4E6A-BE2D-90157640019A"; nocase; fast_pattern:only; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*31AE647D-11D1-4E6A-BE2D-90157640019A.+(Execute|Run|CreateLocalFile|CreateLocalFolder|DeleteLocalFile)/smi"; reference:bid,48393; classtype:attempted-user; sid:2013119; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_06_24, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Black Ice Cover Page SDK DownloadImageFileURL Method Exploit"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"79956462-F148-497F-B247-DF35A095F80B"; nocase; distance:0; content:".DownloadImageFileURL"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*79956462-F148-497F-B247-DF35A095F80B/si"; reference:url,exploit-db.com/exploits/17415/; reference:cve,2008-2683; classtype:attempted-user; sid:2013130; rev:2; metadata:created_at 2011_06_29, updated_at 2011_06_29;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Black Ice Fax Voice SDK GetItemQueue Method Remote Code Execution Exploit"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"2E980303-C865-11CF-BA24-444553540000"; nocase; distance:0; content:".GetItemQueue"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2E980303-C865-11CF-BA24-444553540000/si"; reference:url,exploit-db.com/exploits/17416; classtype:attempted-user; sid:2013131; rev:2; metadata:created_at 2011_06_29, updated_at 2011_06_29;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Black Ice Fax Voice SDK GetFirstItem Method Remote Code Execution Exploit"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"2E980303-C865-11CF-BA24-444553540000"; nocase; distance:0; content:".GetFirstItem"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2E980303-C865-11CF-BA24-444553540000/si"; reference:url,exploit-db.com/exploits/17416; classtype:attempted-user; sid:2013132; rev:2; metadata:created_at 2011_06_29, updated_at 2011_06_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX CygniCon CyViewer ActiveX Control SaveData Insecure Method Vulnerability"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"A6FC2988-16BE-4053-BE89-F562431FD6ED"; nocase; distance:0; content:".SaveData"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A6FC2988-16BE-4053-BE89-F562431FD6ED/si"; reference:bugtraq,48483; classtype:attempted-user; sid:2013160; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_07_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Ubisoft CoGSManager ActiveX Initialize method Buffer Overflow Vulnerability"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"27527D31-447B-11D5-A46E-0001023B4289"; nocase; distance:0; content:".Initialize"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*27527D31-447B-11D5-A46E-0001023B4289/si"; reference:url,secunia.com/advisories/45044; classtype:attempted-user; sid:2013161; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_07_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Ubisoft CoGSManager ActiveX RunCore method Buffer Overflow Vulnerability"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"27527D31-447B-11D5-A46E-0001023B4289"; nocase; distance:0; content:".RunCore"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*27527D31-447B-11D5-A46E-0001023B4289/si"; reference:url,secunia.com/advisories/45044; classtype:attempted-user; sid:2013162; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_07_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX LEADTOOLS Imaging LEADSmtp ActiveX SaveMessage Method Vulnerability"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"0014085F-B1BA-11CE-ABC6-F5B2E79D9E3F"; nocase; distance:0; content:".SaveMessage"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0014085F-B1BA-11CE-ABC6-F5B2E79D9E3F/si"; reference:bugtraq,48408; classtype:attempted-user; sid:2013163; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_07_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX IDrive Online Backup ActiveX control SaveToFile Insecure Method"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"979AE8AA-C206-40EC-ACA7-EC6B6BD7BE5E"; nocase; distance:0; content:".SaveToFIle"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*979AE8AA-C206-40EC-ACA7-EC6B6BD7BE5E/si"; reference:url,htbridge.ch/advisory/idrive_online_backup_activex_control_insecure_method.html; classtype:attempted-user; sid:2013232; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_07_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Chilkat Crypt ActiveX Control SaveDecrypted Insecure Method Vulnerability"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"0B70AB61-5C95-4126-9985-A32531CA8619"; nocase; distance:0; content:".SaveDecrypted"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0B70AB61-5C95-4126-9985-A32531CA8619/si"; reference:bugtraq,48585; classtype:attempted-user; sid:2013233; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_07_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX TeeChart Professional ActiveX Control integer overflow Vulnerability 1"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"B6C10489-FB89-11D4-93C9-006008A7EED4"; nocase; distance:0; content:".AddSeries"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B6C10489-FB89-11D4-93C9-006008A7EED4/si"; reference:url,packetstormsecurity.org/files/view/103964/teechart_pro.rb.txt; classtype:attempted-user; sid:2013428; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_08_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX TeeChart Professional ActiveX Control integer overflow Vulnerability 2"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"536600D3-70FE-4C50-92FB-640F6BFC49AD"; nocase; distance:0; content:".AddSeries"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*536600D3-70FE-4C50-92FB-640F6BFC49AD/si"; reference:url,packetstormsecurity.org/files/view/103964/teechart_pro.rb.txt; classtype:attempted-user; sid:2013429; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_08_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX TeeChart Professional ActiveX Control integer overflow Vulnerability 3"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"FAB9B41C-87D6-474D-AB7E-F07D78F2422E"; nocase; distance:0; content:".AddSeries"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FAB9B41C-87D6-474D-AB7E-F07D78F2422E/si"; reference:url,packetstormsecurity.org/files/view/103964/teechart_pro.rb.txt; classtype:attempted-user; sid:2013430; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_08_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX TeeChart Professional ActiveX Control integer overflow Vulnerability 4"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196"; nocase; distance:0; content:".AddSeries"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196/si"; reference:url,packetstormsecurity.org/files/view/103964/teechart_pro.rb.txt; classtype:attempted-user; sid:2013431; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_08_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX TeeChart Professional ActiveX Control integer overflow Vulnerability 5"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"FCB4B50A-E3F1-4174-BD18-54C3B3287258"; nocase; distance:0; content:".AddSeries"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FCB4B50A-E3F1-4174-BD18-54C3B3287258/si"; reference:url,packetstormsecurity.org/files/view/103964/teechart_pro.rb.txt; classtype:attempted-user; sid:2013432; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_08_19, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Tom Sawyer Software Possible Memory Corruption Attempt"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"658ED6E7-0DA1-4ADD-B2FB-095F08091118"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*658ED6E7-0DA1-4ADD-B2FB-095F08091118/si"; classtype:web-application-attack; sid:2013565; rev:2; metadata:created_at 2011_09_12, updated_at 2011_09_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Tom Sawyer Possible Memory Corruption Attempt Format String Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"TomSawyer.DefaultExtFactory.5.5.3.238.VS7.1"; nocase; distance:0; classtype:attempted-user; sid:2013566; rev:2; metadata:created_at 2011_09_12, updated_at 2011_09_12;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX DivX Plus Web Player DivXPlaybackModule File URL Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"67DABFBF-D0AB-41fa-9C46-CC0F21721616"; nocase; distance:0; content:"file|3A 2F 2F|"; nocase; distance:0; isdataat:200,relative; content:!"|0A|"; within:200; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*67DABFBF-D0AB-41fa-9C46-CC0F21721616/smi"; reference:url,www.dl.packetstormsecurity.net/1109-advisories/sa45550.txt; classtype:attempted-user; sid:2013750; rev:3; metadata:created_at 2011_10_11, updated_at 2011_10_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Oracle AutoVue Activex Insecure method (SaveViewStateToFile)"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"B6FCC215-D303-11D1-BC6C-0000C078797F"; nocase; distance:0; content:".SaveViewStateToFile"; nocase; content:"|2E 2E 2F|"; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B6FCC215-D303-11D1-BC6C-0000C078797F/si"; reference:url,exploit-db.com/exploits/18016; classtype:attempted-user; sid:2013809; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_10_31, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Oracle AutoVue Activex Insecure method (SaveViewStateToFile) Format String Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"AUTOVUEX.AutoVueXCtrl.1"; nocase; distance:0; content:".SaveViewStateToFile"; nocase; content:"|2E 2E 2F|"; reference:url,exploit-db.com/exploits/18016; classtype:attempted-user; sid:2013810; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_10_31, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Oracle AutoVue Activex Insecure method (Export3DBom)"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"B6FCC215-D303-11D1-BC6C-0000C078797F"; nocase; distance:0; content:".Export3DBom"; content:"|2E 2E 2F|"; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B6FCC215-D303-11D1-BC6C-0000C078797F/si"; reference:url,packetstormsecurity.org/files/106064/9sg_autovueii.tgz; classtype:attempted-user; sid:2013811; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_10_31, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Oracle AutoVue Activex Insecure method (Export3DBom) Format String Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"AUTOVUEX.AutoVueXCtrl.1"; nocase; distance:0; content:".Export3DBom"; content:"|2E 2E 2F|"; reference:url,packetstormsecurity.org/files/106064/9sg_autovueii.tgz; classtype:attempted-user; sid:2013812; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_10_31, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Oracle AutoVue Activex Insecure method (ExportEdaBom)"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"B6FCC215-D303-11D1-BC6C-0000C078797F"; nocase; distance:0; content:".ExportEdaBom"; content:"|2E 2E 2F|"; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B6FCC215-D303-11D1-BC6C-0000C078797F/si"; reference:url,packetstormsecurity.org/files/106065/9sg_autovueiii.tgz; classtype:attempted-user; sid:2013813; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_10_31, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Oracle AutoVue Activex Insecure method (ExportEdaBom) Format String Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"AUTOVUEX.AutoVueXCtrl.1"; nocase; distance:0; content:".ExportEdaBom"; content:"|2E 2E 2F|"; reference:url,packetstormsecurity.org/files/106065/9sg_autovueiii.tgz; classtype:attempted-user; sid:2013814; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_10_31, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Easy Printer Care Software XMLCacheMgr ActiveX Control Remote Code Execution Attempt"; flow:established,to_client; content:"ActiveXObject"; nocase; content:"HPESPRIT.XMLCacheMgr.1"; nocase; distance:0; content:"CacheDocumentXMLWithId"; nocase; distance:0; reference:bid,51396; reference:cve,2011-4786; classtype:attempted-user; sid:2014132; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_01_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ASUS Net4Switch ipswcom.dll ActiveX Stack Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"1B9E86D8-7CAF-46C8-9938-569B21E17A8E"; nocase; distance:0; content:"CxDbgPrint"; nocase; reference:url,packetstormsecurity.org/files/110296/ASUS-Net4Switch-ipswcom.dll-ActiveX-Stack-Buffer-Overflow.html; classtype:attempted-user; sid:2014325; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_03_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ASUS Net4Switch ActiveX CxDbgPrint Format String Function Call Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"ipswcom.IPSWComItf"; nocase; distance:0; content:"CxDbgPrint"; nocase; reference:url,packetstormsecurity.org/files/110296/ASUS-Net4Switch-ipswcom.dll-ActiveX-Stack-Buffer-Overflow.html; classtype:attempted-user; sid:2014326; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_03_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EdrawSoft Office Viewer Component ActiveX FtpUploadFile Stack Buffer Overflow"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"F6FE8878-54D2-4333-B9F0-FC543B1BE1ED"; nocase; distance:0; content:"FtpUploadFile"; nocase; reference:url,packetstormsecurity.org/files/109298/EdrawSoft-Office-Viewer-Component-ActiveX-5.6-Buffer-Overflow.html; classtype:attempted-user; sid:2014390; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_03_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EdrawSoft Office Viewer Component ActiveX FtpUploadFile Format String Function Call Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"OfficeViewer.OfficeViewer"; nocase; distance:0; content:"FtpUploadFile"; nocase; reference:url,packetstormsecurity.org/files/109298/EdrawSoft-Office-Viewer-Component-ActiveX-5.6-Buffer-Overflow.html; classtype:attempted-user; sid:2014391; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_03_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera PlayerPT ActiveX Control PlayerPT.ocx Access 2"; flow:from_server,established; file_data; content:"<object"; nocase; distance:0; content:"E065E4A-BD9D-4547-8F90-985DC62A5591"; nocase; distance:0; content:"|2e|SetSource("; distance:0; reference:url,retrogod.altervista.org/9sg_linksys_playerpt.htm; classtype:attempted-user; sid:2014417; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_03_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera PlayerPT ActiveX Control PlayerPT.ocx Access 1"; flow:from_server,established; file_data; content:"<script"; nocase; distance:0; content:"PLAYERPT.PlayerPTCtrl.1"; nocase; distance:0; content:"|2e|SetSource("; distance:0; pcre:"/(ActiveXObject|CreateObject)\s*\(\s*(\x22|\x27)PLAYERPT\.PlayerPTCtrl\.1/iG"; reference:url,retrogod.altervista.org/9sg_linksys_playerpt.htm; classtype:attempted-user; sid:2014416; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_03_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX 2X ApplicationServer TuxSystem Class ActiveX Control ImportSettings Remote File Overwrite Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"5BD64392-DA66-4852-9715-CFBA98D25296"; nocase; distance:0; content:"ImportSettings"; nocase; reference:url,www.exploit-db.com/exploits/18625/; classtype:attempted-user; sid:2014418; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_03_26, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX 2X ApplicationServer TuxSystem Class ActiveX Control ImportSettings Function Call Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; distance:0; nocase; content:"TuxScripting.TuxSystem.1"; nocase; distance:0; content:"ImportSettings"; nocase; reference:url,www.exploit-db.com/exploits/18625/; classtype:attempted-user; sid:2014419; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_03_26, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX 2X ApplicationServer TuxSystem Class ActiveX Control ExportSettings Remote File Overwrite Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"5BD64392-DA66-4852-9715-CFBA98D25296"; nocase; distance:0; content:"ExportSettings"; nocase; reference:url,www.exploit-db.com/exploits/18625/; classtype:attempted-user; sid:2014420; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_03_26, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX 2X ApplicationServer TuxSystem Class ActiveX Control ExportSettings Function Call Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"TuxScripting.TuxSystem.1"; nocase; distance:0; content:"ExportSettings"; nocase; reference:url,www.exploit-db.com/exploits/18625/; classtype:attempted-user; sid:2014421; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_03_26, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX 2X Client for RDP ClientSystem Class ActiveX Control InstallClient Download and Execute"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"F5DF8D65-559D-4b75-8562-5302BD2F5F20"; nocase; distance:0; content:"InstallClient"; nocase; reference:url,www.exploit-db.com/exploits/18624/; classtype:attempted-user; sid:2014422; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_03_26, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX 2X Client for RDP ClientSystem Class ActiveX Control InstallClient Function Call Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; distance:0; nocase; content:"TuxClientSystem.ClientSystem.1"; nocase; distance:0; content:"InstallClient"; nocase; reference:url,www.exploit-db.com/exploits/18624/; classtype:attempted-user; sid:2014423; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_03_26, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX  Dell Webcam CrazyTalk ActiveX Control BackImage Access Potential Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"13149882-F480-4F6B-8C6A-0764F75B99ED"; nocase; distance:0; content:"BackImage"; nocase; distance:0; reference:url,packetstormsecurity.org/files/111077/Dell-Webcam-CrazyTalk-ActiveX-BackImage-Vulnerability.html; classtype:attempted-user; sid:2014451; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_03_31, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Dell Webcam CrazyTalk ActiveX Control BackImage Access Potential  Buffer Overflow Attempt 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase;  content:"CRAZYTALK4Lib.CrazyTalk4"; nocase; distance:0; content:"BackImage"; nocase; distance:0; reference:url,packetstormsecurity.org/files/111077/Dell-Webcam-CrazyTalk-ActiveX-BackImage-Vulnerability.html; classtype:attempted-user; sid:2014452; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Quest InTrust Annotation Objects ActiveX Control Add Access Potential Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"EF600D71-358F-11D1-8FD4-00AA00BD091C"; nocase; distance:0; content:".Add("; nocase; distance:0; reference:url,www.exploit-db.com/exploits/18674/; classtype:attempted-user; sid:2014453; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Quest InTrust Annotation Objects ActiveX Control Add Access Potential Remote Code Execution 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"AnnotationX.AnnList.1"; nocase; distance:0; content:".Add("; nocase; distance:0; reference:url,www.exploit-db.com/exploits/18674/; classtype:attempted-user; sid:2014454; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX TRENDnet TV-IP121WN UltraMJCam ActiveX Control OpenFileDlg Access Potential Remote Stack Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"707ABFC2-1D27-4a10-A6E4-6BE6BDF9FB11"; nocase; distance:0; content:".OpenFileDlg"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/18675/; classtype:attempted-user; sid:2014455; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX TRENDnet TV-IP121WN UltraMJCam ActiveX Control OpenFileDlg Access Potential Remote Stack Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"UltraMJCam.UltraMJCam.1"; nocase; distance:0; content:".OpenFileDlg"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/18675/; classtype:attempted-user; sid:2014456; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Tivoli Provisioning Manager Express Isig.isigCtl.1 ActiveX RunAndUploadFile Method Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"84B74E82-3475-420E-9949-773B4FB91771"; nocase; distance:0; content:"RunAndUploadFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/111680/IBM-Tivoli-Provisioning-Manager-Express-Overflow.html; classtype:attempted-user; sid:2014550; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_13, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Tivoli Provisioning Manager Express Isig.isigCtl.1 ActiveX RunAndUploadFile Method Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"Isig.isigCtl.1"; nocase; distance:0; content:"RunAndUploadFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/111680/IBM-Tivoli-Provisioning-Manager-Express-Overflow.html; classtype:attempted-user; sid:2014551; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_13, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Dell IT Assistant detectIESettingsForITA.ocx ActiveX Control readRegVal Remote Registry Dump Vulnerability"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"6286EF1A-B56E-48EF-90C3-743410657F3C"; nocase; distance:0; content:"readRegVal"; nocase; distance:0; reference:url,exploit-db.com/exploits/17557/; classtype:attempted-user; sid:2014552; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_13, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Dell IT Assistant detectIESettingsForITA.ocx ActiveX Control readRegVal Remote Registry Dump Vulnerability 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"DETECTIESETTINGS.detectIESettingsCtrl.1"; nocase; distance:0; content:"readRegVal"; nocase; distance:0; reference:url,exploit-db.com/exploits/17557/; classtype:attempted-user; sid:2014553; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_13, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Edraw Diagram Component 5 ActiveX LicenseName Access Potential buffer overflow DOS"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"6116A7EC-B914-4CCE-B186-66E0EE7067CF"; nocase; distance:0; content:"LicenseName"; nocase; distance:0; reference:url,exploit-db.com/exploits/18461/; classtype:attempted-user; sid:2014585; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_16, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Edraw Diagram Component 5 ActiveX LicenseName Access Potential buffer overflow DOS 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"EDBoardLib.EDBoard"; nocase; distance:0; content:"LicenseName"; nocase; distance:0; reference:url,exploit-db.com/exploits/18461/; classtype:attempted-user; sid:2014586; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_16, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Quest vWorkspace Broker Client ActiveX Control SaveMiniLaunchFile Remote File Creation/Overwrite"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"D9397163-A2DB-4A4A-B2C9-34E876AF2DFC"; nocase; distance:0; content:"SaveMiniLaunchFile("; nocase; distance:0; reference:url,exploit-db.com/exploits/18704/; classtype:attempted-user; sid:2014587; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_16, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Quest vWorkspace Broker Client ActiveX Control SaveMiniLaunchFile Remote File Creation/Overwrite 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"PNLLM.Client.1"; nocase; distance:0; content:"SaveMiniLaunchFile("; nocase; distance:0; reference:url,exploit-db.com/exploits/18704/; classtype:attempted-user; sid:2014588; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_16, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Oracle Hyperion Financial Management TList6 ActiveX Control Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"65996200-3B87-11D4-A21F-00E029189826"; nocase; distance:0; content:".SaveData("; nocase; distance:0; reference:url,securityfocus.com/archive/1/520353; classtype:attempted-user; sid:2014593; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_16, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Oracle Hyperion Financial Management TList6 ActiveX Control Remote Code Execution 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"TList.TList.6"; fast_pattern; nocase; distance:0; content:".SaveData("; nocase; distance:0; reference:url,securityfocus.com/archive/1/520353; classtype:attempted-user; sid:2014594; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_16, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee SaaS MyCioScan ShowReport Method Call Remote Command Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"209EBDEE-065C-11D4-A6B8-00C04F0D38B7"; nocase; distance:0; content:"ShowReport"; nocase; distance:0; reference:url,packetstormsecurity.org/files/108767/McAfee-SaaS-MyCioScan-ShowReport-Remote-Command-Execution.html; classtype:attempted-user; sid:2014619; rev:2; metadata:created_at 2012_04_20, updated_at 2012_04_20;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee SaaS MyCioScan ShowReport Method Call Remote Command Execution 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"MYCIOSCNLib.Scan"; nocase; distance:0; content:"ShowReport"; nocase; distance:0; reference:url,packetstormsecurity.org/files/108767/McAfee-SaaS-MyCioScan-ShowReport-Remote-Command-Execution.html; classtype:attempted-user; sid:2014620; rev:2; metadata:created_at 2012_04_20, updated_at 2012_04_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX StoreInRegistry Method Access Potential Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"2EE01CFA-139F-431E-BB1D-5E56B4DCEC18"; nocase; distance:0; content:"StoreInRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014648; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX StoreInRegistry Method Access Potential Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"pdfxctrlLib.PdfPrinterPreferences"; nocase; distance:0; content:"StoreInRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014649; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX InitFromRegistry Method Access Potential Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"2EE01CFA-139F-431E-BB1D-5E56B4DCEC18"; nocase; distance:0; content:"InitFromRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014650; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX InitFromRegistry Method Access Potential Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"pdfxctrlLib.PdfPrinterPreferences"; nocase; distance:0; content:"InitFromRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014651; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Quest Explain Plan Display ActiveX Control SaveToFile Insecure Method Access"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"F7014877-6F5A-4019-A3B2-74077F2AE126"; nocase; distance:0; content:".SaveToFile|28|"; nocase; distance:0; reference:url,secunia.com/advisories/48681/; classtype:attempted-user; sid:2014652; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Quest Explain Plan Display ActiveX Control SaveToFile Insecure Method Access 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"QExplain2.ExplainPlanDisplayX"; nocase; distance:0; content:".SaveToFile|28|"; nocase; distance:0; reference:url,secunia.com/advisories/48681/; classtype:attempted-user; sid:2014653; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee Virtual Technician MVT.MVTControl.6300 ActiveX Control GetObject method Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"2EBE1406-BE0E-44E6-AE10-247A0C5AEDCF"; nocase; distance:0; content:".GetObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/18805/; classtype:attempted-user; sid:2014708; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee Virtual Technician MVT.MVTControl.6300 ActiveX Control GetObject method Remote Code Execution 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"MVT.MVTControl.6300"; nocase; distance:0; content:".GetObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/18805/; classtype:attempted-user; sid:2014709; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_04, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Samsung NET-i Viewer Active-X SEH Overwrite"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"FA6E2EA9-D816-4F00-940B-609C9E8847A4"; nocase; distance:0; content:"RequestScreenOptimization"; nocase; distance:0; reference:url,packetstormsecurity.org/files/112363/Samsung-NET-i Viewer-Active-X-SEH-Overwrite.html; classtype:attempted-user; sid:2014710; rev:3; metadata:created_at 2012_05_04, updated_at 2012_05_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"WebexUCFObject.WebexUCFObject"; nocase; distance:0; content:"NewObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/16604/; classtype:attempted-user; sid:2014713; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow 2"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"32E26FD9-F435-4A20-A561-35D4B987CFDC"; nocase; distance:0; content:"NewObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/16604/; classtype:attempted-user; sid:2014714; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdSave Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdSave"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014737; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdSave Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdSave"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014738; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdExport Method Access Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdExport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014739; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdExport Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdExport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014740; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdImport Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdImport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014741; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdImport Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdImport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014742; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdOpen Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdOpen"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014743; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdOpen Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdOpen"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014744; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Chilkat Software FTP2 ActiveX Component GetFile Access Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"302124C4-30A0-484A-9C7A-B51D5BA5306B"; nocase; distance:0; content:".GetFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/97160/Chilkat-Software-FTP2-ActiveX-Code-Execution.html; classtype:attempted-user; sid:2014763; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Chilkat Software FTP2 ActiveX Component GetFile Access Remote Code Execution 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"ChilkatFtp2.ChilkatFtp2.1"; nocase; distance:0; content:".GetFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/97160/Chilkat-Software-FTP2-ActiveX-Code-Execution.html; classtype:attempted-user; sid:2014764; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Windows Live Writer ActiveX BlogThisLink Method Access Denail of Service Attack"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"8F085BC0-363D-4219-95BA-DC8A5E06D295"; nocase; distance:0; content:"BlogThisLink"; nocase; distance:0; reference:url,1337day.com/exploits/17583; classtype:attempted-user; sid:2014765; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Windows Live Writer ActiveX BlogThisLink Method Access Denail of Service Attack 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"WindowsLiveWriterApplicationLib.WindowsLiveWriterApplication"; nocase; distance:0; content:"BlogThisLink"; nocase; distance:0; reference:url,1337day.com/exploits/17583; classtype:attempted-user; sid:2014766; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible SkinCrafter ActiveX Control InitLicenKeys Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"B9D38E99-5F6E-4C51-8CFD-507804387AE9"; nocase; distance:0; content:"InitLicenKeys"; nocase; distance:0; reference:url,exploit-db.com/exploits/18892/; classtype:attempted-user; sid:2014806; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible SkinCrafter ActiveX Control InitLicenKeys Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"SKINCRAFTERLib.SCSkin3"; nocase; distance:0; content:"InitLicenKeys"; nocase; distance:0; reference:url,exploit-db.com/exploits/18892/; classtype:attempted-user; sid:2014807; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Lotus Quickr for Domino ActiveX control Attachment_Times Method Access buffer overflow Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"05D96F71-87C6-11d3-9BE4-00902742D6E0"; nocase; distance:0; content:"Attachment_Times"; nocase; distance:0; reference:url,secunia.com/advisories/49285/; classtype:attempted-user; sid:2014808; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Lotus Quickr for Domino ActiveX control Import_Times Method Access buffer overflow Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"05D96F71-87C6-11d3-9BE4-00902742D6E0"; nocase; distance:0; content:"Import_Times"; nocase; distance:0; reference:url,secunia.com/advisories/49285/; classtype:attempted-user; sid:2014809; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_25, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Wireless Manager Sony VAIO SetTmpProfileOption Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"92E7DDED-BBFE-4DDF-B717-074E3B602D1B"; nocase; distance:0; content:"SetTmpProfileOption"; nocase; distance:0; reference:url,packetstormsecurity.org/files/113131/Wireless-Manager-Sony-VAIO-4.0.0.0-Buffer-Overflows.html; classtype:attempted-user; sid:2014831; rev:4; metadata:created_at 2012_06_01, updated_at 2012_06_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Wireless Manager Sony VAIO ConnectToNetwork Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"92E7DDED-BBFE-4DDF-B717-074E3B602D1B"; nocase; distance:0; content:"ConnectToNetwork"; nocase; distance:0; reference:url,packetstormsecurity.org/files/113131/Wireless-Manager-Sony-VAIO-4.0.0.0-Buffer-Overflows.html; classtype:attempted-user; sid:2014832; rev:3; metadata:created_at 2012_06_01, updated_at 2012_06_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible LEADTOOLS ActiveX Raster Twain AppName Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"00165752-B1BA-11CE-ABC6-F5B2E79D9E3F"; nocase; distance:0; content:".AppName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/93252/LEADTOOLS-ActiveX-Raster-Twain-16.5-Buffer-Overflow.html; classtype:attempted-user; sid:2014833; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_06_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible LEADTOOLS ActiveX Raster Twain AppName Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"LTRASTERTWAINLib_U.LEADRasterTwain_U"; nocase; distance:0; content:".AppName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/93252/LEADTOOLS-ActiveX-Raster-Twain-16.5-Buffer-Overflow.html; classtype:attempted-user; sid:2014834; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_06_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible SonicWALL SSL-VPN End-Point Interrogator/Installer ActiveX Control Install3rdPartyComponent Method Buffer Overflow"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"Aventail.EPInstaller"; nocase; distance:0; content:"Install3rdPartyComponent"; nocase; distance:0; reference:url,packetstormsecurity.org/files/95286/SonicWALL-SSL-VPN-End-Point-Interrogator-Installer-ActiveX-Control.html; classtype:attempted-user; sid:2014835; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_06_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control BackupToAvi Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"3D6F2DBA-F4E5-40A6-8725-E99BC96CC23A"; nocase; distance:0; content:"BackupToAvi"; nocase; distance:0; reference:url,secunia.com/advisories/48966/; classtype:attempted-user; sid:2014874; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_06_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control BackupToAvi Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"208650B1-3CA1-4406-926D-45F2DBB9C299"; nocase; distance:0; content:"BackupToAvi"; nocase; distance:0; reference:url,secunia.com/advisories/48966/; classtype:attempted-user; sid:2014875; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_06_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control ConnectDDNS Method Access Code Execution Vulnerability"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"EEDBA32E-5C2D-48f1-A58E-0AAB0BC230E3"; nocase; distance:0; content:"ConnectDDNS"; nocase; distance:0; reference:url,secunia.com/advisories/48965/; classtype:attempted-user; sid:2014876; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_06_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control ConnectDDNS Method Access Code Execution Vulnerability 2"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"17A7F731-C9EC-461C-B813-2F42A1BB58EB"; nocase; distance:0; content:"ConnectDDNS"; nocase; distance:0; reference:url,secunia.com/advisories/48965/; classtype:attempted-user; sid:2014877; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_06_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Lotus iNotes Upload Module possible ActiveX Control Attachment_Times Method Access Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"0F2AAAE3-7E9E-4b64-AB5D-1CA24C6ACB9C"; nocase; distance:0; content:"Attachment_Times"; nocase; distance:0; reference:url,secunia.com/advisories/49443/; classtype:attempted-user; sid:2014896; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_06_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Camera Stream Client Possible ActiveX Control SetDirectory Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"721700FE-7F0E-49C5-BDED-CA92B7CB1245"; nocase; distance:0; content:"SetDirectory"; nocase; distance:0; reference:url,secunia.com/advisories/48602/; classtype:attempted-user; sid:2014902; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_06_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Camera Stream Client Possible ActiveX Control SetDirectory Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"DcsCliCtrl.DCSStrmControl.1"; nocase; distance:0; content:"SetDirectory"; nocase; distance:0; reference:url,secunia.com/advisories/48602/; classtype:attempted-user; sid:2014903; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_06_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Autodesk MapGuide Viewer ActiveX LayersViewWidth Method Access Denial of Service"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"62789780-B744-11D0-986B-00609731A21D"; nocase; distance:0; content:"LayersViewWidth"; nocase; distance:0; reference:url,1337day.com/exploits/13938; classtype:attempted-user; sid:2014942; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_06_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Autodesk MapGuide Viewer ActiveX LayersViewWidth Method Access Denial of Service 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"MGMapControl.MGMap"; nocase; distance:0; content:"LayersViewWidth"; nocase; distance:0; reference:url,1337day.com/exploits/13938; classtype:attempted-user; sid:2014943; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_06_22, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible SonciWALL Aventail AuthCredential Format String Exploit 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"Aventail.EPInterrogator.10.0.4.018"; nocase; distance:0; content:"AuthCredential"; nocase; distance:0; reference:url,packetstormsecurity.org/files/92931/SonciWALL-Aventail-epi.dll-AuthCredential-Format-String-Exploit.html; classtype:attempted-user; sid:2014991; rev:3; metadata:created_at 2012_06_29, updated_at 2012_06_29;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible SonciWALL Aventail AuthCredential Format String Exploit"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"2A1BE1E7-C550-4D67-A553-7F2D3A39233D"; nocase; distance:0; content:"AuthCredential"; nocase; distance:0; reference:url,packetstormsecurity.org/files/92931/SonciWALL-Aventail-epi.dll-AuthCredential-Format-String-Exploit.html; classtype:attempted-user; sid:2014992; rev:3; metadata:created_at 2012_06_29, updated_at 2012_06_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Rational ClearQuest Activex Control RegisterSchemaRepoFromFileByDbSet Insecure Method Access"; flow:to_client,established; content:"CLSID"; nocase; content:"88DD90B6-C770-4CFF-B7A4-3AFD16BB8824"; nocase; distance:0; content:"RegisterSchemaRepoFromFileByDbSet"; nocase; distance:0; reference:url,11337day.com/exploits/18917; classtype:attempted-user; sid:2015032; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_07_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Crystal Reports Viewer Activex Control ServerResourceVersion Insecure Method Access"; flow:to_client,established; content:"CLSID"; nocase; content:"88DD90B6-C770-4CFF-B7A4-3AFD16BB8824"; nocase; distance:0; content:"ServerResourceVersion"; nocase; distance:0; reference:url,1337day.com/exploits/15098; classtype:attempted-user; sid:2015036; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_07_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Crystal Reports Viewer Activex Control ServerResourceVersion Insecure Method Access 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"CrystalPrintControlLib.CrystalPrintControl"; nocase; distance:0; content:"ServerResourceVersion"; nocase; distance:0; reference:url,1337day.com/exploits/15098; classtype:attempted-user; sid:2015037; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_07_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible AdminStudio Activex Control LaunchProcess Method Access Arbitrary Code Execution"; flow:to_client,established; file_data; content:"ActiveXObject"; distance:0; nocase; content:"LaunchHelp.HelpLauncher.1"; nocase; distance:0; content:"LaunchProcess"; nocase; distance:0; reference:url,packetstormsecurity.org/files/114564/AdminStudio-LaunchHelp.dll-ActiveX-Arbitrary-Code-Execution.html; classtype:attempted-user; sid:2015464; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_07_13, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Oracle AutoVue ActiveX SetMarkupMode Method Access Remote Code Execution"; flow:to_client,established; file_data; content:"ActiveXObject"; distance:0; nocase; content:"AutoVueX.ocx"; fast_pattern; nocase; distance:0; content:"SetMarkupMode"; nocase; distance:0; reference:url,packetstormsecurity.org/files/114364/Oracle-AutoVue-ActiveX-SetMarkupMode-Remote-Code-Execution.html; classtype:attempted-user; sid:2015465; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_07_13, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible beSTORM ActiveX (WinGraphviz.dll) Remote Heap Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"684811FB-0523-420F-9E8F-A5452C65A19C"; nocase; distance:0; content:"ToSvg"; nocase; distance:0; reference:url,exploit-db.com/exploits/19861/; classtype:attempted-user; sid:2015490; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_07_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible CA BrightStor ARCserve Backup ActiveX AddColumn Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3"; nocase; distance:0; content:"AddColumn"; nocase; distance:0; reference:url,packetstormsecurity.org/files/82950/CA-BrightStor-ARCserve-Backup-AddColumn-ActiveX-Buffer-Overflow.html; classtype:attempted-user; sid:2015491; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_07_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible CA BrightStor ARCserve Backup ActiveX AddColumn Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"ListCtrl.ocx"; fast_pattern; nocase; distance:0; content:"AddColumn"; nocase; distance:0; reference:url,packetstormsecurity.org/files/82950/CA-BrightStor-ARCserve-Backup-AddColumn-ActiveX-Buffer-Overflow.html; classtype:attempted-user; sid:2015492; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_07_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible CommuniCrypt Mail SMTP ActiveX AddAttachments Method Access Stack Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"F8D07B72-B4B4-46A0-ACC0-C771D4614B82"; nocase; distance:0; content:"AddAttachments"; nocase; distance:0; reference:url,packetstormsecurity.org/files/89856/CommuniCrypt-Mail-1.16-SMTP-ActiveX-Stack-Buffer-Overflow.html; classtype:attempted-user; sid:2015493; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_07_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Symantec AppStream LaunchObj ActiveX Control Arbitrary File Download and Execute"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"3356DB7C-58A7-11D4-AA5C-006097314BF8"; nocase; distance:0; content:"installAppMgr"; nocase; distance:0; reference:url,packetstormsecurity.org/files/82969/Symantec-AppStream-LaunchObj-ActiveX-Control-Arbitrary-File-Download-and-Execute..html; classtype:attempted-user; sid:2015537; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_07_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible WinZip FileView ActiveX CreateNewFolderFromName Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"A09AE68F-B14D-43ED-B713-BA413F034904"; nocase; distance:0; content:"CreateNewFolderFromName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/83024/WinZip-FileView-WZFILEVIEW.FileViewCtrl.61-ActiveX-Buffer-Overflow.html; classtype:attempted-user; sid:2015538; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_07_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible WinZip FileView (WZFILEVIEW.FileViewCtrl.61) ActiveX Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; distance:0; nocase; content:"WZFILEVIEW.FileViewCtrl.61"; nocase; distance:0; content:"CreateNewFolderFromName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/83024/WinZip-FileView-WZFILEVIEW.FileViewCtrl.61-ActiveX-Buffer-Overflow.html; classtype:attempted-user; sid:2015539; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_07_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible BarCodeWiz BarcodeWiz.dll ActiveX Control Barcode Method Remote Buffer Overflow Attempt"; flow:to_client,established; content:"CLSID"; nocase; content:"CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6"; nocase; distance:0; content:"Barcode"; nocase; distance:0; reference:url,securityfocus.com/bid/54701; classtype:attempted-user; sid:2015563; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_08_03, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible BarCodeWiz (BARCODEWIZLib.BarCodeWiz) ActiveX Control Buffer Overflow"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"BARCODEWIZLib.BarCodeWiz"; nocase; distance:0; content:"Barcode"; nocase; distance:0; reference:url,securityfocus.com/bid/54701; classtype:attempted-user; sid:2015564; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_08_03, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL ICQ ActiveX Control DownloadAgent Method Access Arbitrary File Download and Execute"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"54BDE6EC-F42F-4500-AC46-905177444300"; nocase; distance:0; content:"DownloadAgent"; nocase; distance:0; reference:url,packetstormsecurity.org/files/83020/America-Online-ICQ-ActiveX-Control-Arbitrary-File-Download-and-Execute..html; classtype:attempted-user; sid:2015566; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_08_03, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL ICQ ActiveX Control DownloadAgent Method Access Arbitrary File Download and Execute 2"; flow:to_client,established; file_data; content:"ActiveXObject"; distance:0; nocase; content:"ICQPhone.SipxPhoneManager.1"; nocase; distance:0; content:"DownloadAgent"; nocase; distance:0; reference:url,packetstormsecurity.org/files/83020/America-Online-ICQ-ActiveX-Control-Arbitrary-File-Download-and-Execute..html; classtype:attempted-user; sid:2015567; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_08_03, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"6F255F99-6961-48DC-B17E-6E1BCCBC0EE3"; nocase; distance:0; content:"CacheDocumentXMLWithId"; nocase; distance:0; reference:url,1337day.com/exploits/17395; classtype:attempted-user; sid:2015606; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_08_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"HPESPRIT.XMLCacheMgr.1"; nocase; distance:0; content:"CacheDocumentXMLWithId"; nocase; distance:0; reference:url,1337day.com/exploits/17395; classtype:attempted-user; sid:2015607; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_08_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Kazaa Altnet Download Manager ActiveX Control Install Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"DEF37997-D9C9-4A4B-BF3C-88F99EACEEC2"; nocase; distance:0; content:".Install("; nocase; distance:0; reference:url,packetstormsecurity.org/files/83086/Kazaa-Altnet-Download-Manager-ActiveX-Control-Buffer-Overflow.html; classtype:attempted-user; sid:2015608; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_08_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible CA eTrust PestPatrol ActiveX Control Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"5E644C49-F8B0-4E9A-A2ED-5F176BB18CE6"; nocase; distance:0; content:".Initialize("; nocase; distance:0; reference:url,exploit-db.com/exploits/16630/; classtype:attempted-user; sid:2015636; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_08_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"525A15D0-4938-11D4-94C7-0050DA20189B"; nocase; distance:0; content:"CheckRequirements("; nocase; distance:0; reference:url,exploit-db.com/exploits/16609/; reference:url,kb.cert.org/vuls/id/179281; classtype:attempted-user; sid:2015643; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_08_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"SnoopyX.SnoopyCtrl.1"; nocase; distance:0; content:"CheckRequirements("; nocase; distance:0; reference:url,exploit-db.com/exploits/16609/; classtype:attempted-user; sid:2015644; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_08_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible NVIDIA Install Application ActiveX Control AddPackages Unicode Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"A9C8F210-55EB-4849-8807-EC49C5389A79"; nocase; distance:0; content:".AddPackages"; nocase; distance:0; reference:url,packetstormsecurity.org/files/118648/NVIDIA-Install-Application-2.1002.85.551-Buffer-Overflow.html; classtype:attempted-user; sid:2016041; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_12_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible HP ALM XGO.ocx ActiveX Control SetShapeNodeType method Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"C3B92104-B5A7-11D0-A37F-00A0248F0AF1"; nocase; distance:0; content:".SetShapeNodeType("; nocase; distance:0; reference:url,packetstormsecurity.org/files/116848/HP-ALM-Remote-Code-Execution.html; classtype:attempted-user; sid:2016084; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_12_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Cyme ChartFX client server ActiveX Control ShowPropertiesDialog arbitrary code execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"E9DF30CA-4B30-4235-BF0C-7150F646606C"; nocase; distance:0; content:"ShowPropertiesDialog"; nocase; distance:0; reference:url,packetstormsecurity.org/files/117137/Cyme-ChartFX-Client-Server-Array-Indexing.html; classtype:attempted-user; sid:2016085; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_12_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Advantech Studio ISSymbol ActiveX Control Multiple Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"3c9dff6f-5cb0-422e-9978-d6405d10718f"; nocase; distance:0; content:"InternationalSeparator"; nocase; distance:0; reference:url,securityfocus.com/bid/47596; classtype:attempted-user; sid:2016118; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_12_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Sony PC Companion Load method Stack-based Unicode Buffer Overload SEH"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"EEA36793-F574-4CC1-8690-60E3511CFEAA"; nocase; distance:0; content:".Load"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119022/Sony-PC-Companion-2.1-Load-Unicode-Buffer-Overflow.html; classtype:attempted-user; sid:2016160; rev:2; metadata:created_at 2013_01_04, updated_at 2013_01_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Sony PC Companion CheckCompatibility method Stack-based Unicode Buffer Overload"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"A70D160E-E925-4207-803B-A0D702BEDF46"; nocase; distance:0; content:".CheckCompatibility"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119023/Sony-PC-Companion-2.1-CheckCompatibility-Unicode-Buffer-Overflow.html; classtype:attempted-user; sid:2016161; rev:2; metadata:created_at 2013_01_04, updated_at 2013_01_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Sony PC Companion Admin_RemoveDirectory Stack-based Unicode Buffer Overload SEH"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"BBB7AA7C-DCE4-4F85-AED3-72FE3BCA4141"; nocase; distance:0; content:".Admin_RemoveDirectory"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119024/Sony-PC-Companion-2.1-Admin_RemoveDirectory-Unicode-Buffer-Overflow.html; classtype:attempted-user; sid:2016162; rev:2; metadata:created_at 2013_01_04, updated_at 2013_01_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Honeywell Tema Remote Installer ActiveX DownloadFromURL method Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"E01DF79C-BE0C-4999-9B13-B5F7B2306E9B"; nocase; distance:0; content:".DownloadFromURL"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119427/Honeywell-Tema-Remote-Installer-ActiveX-Remote-Code-Execution.html; classtype:attempted-user; sid:2016197; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2013_01_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability"; flow:to_client,established; file_data; content:"45E66957-2932-432A-A156-31503DF0A681"; nocase; distance:0; content:".LaunchTriPane("; nocase; distance:0; reference:url,packetstormsecurity.com/files/117293/KeyHelp-ActiveX-LaunchTriPane-Remote-Code-Execution.html; classtype:attempted-user; sid:2016236; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2013_01_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Samsung Kies ActiveX PrepareSync method Buffer overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"EA8A3985-F9DF-4652-A255-E4E7772AFCA8"; nocase; distance:0; content:".PrepareSync"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119423/Samsung-Kies-2.5.0.12114_1-Buffer-Overflow.html; classtype:attempted-user; sid:2016237; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2013_01_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"KeyHelp.KeyScript"; nocase; distance:0; content:".LaunchTriPane("; nocase; distance:0; reference:url,packetstormsecurity.com/files/117293/KeyHelp-ActiveX-LaunchTriPane-Remote-Code-Execution.html; classtype:attempted-user; sid:2016235; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2013_01_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Aloaha PDF Crypter activex SaveToFile method arbitrary file overwrite"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"B1E7505E-BBFD-42BF-98C9-602205A1504C"; nocase; distance:0; content:".SaveToFile"; nocase; distance:0; reference:url,exploit-db.com/exploits/24319/; classtype:attempted-user; sid:2016286; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2013_01_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Ecava IntegraXor save method Remote ActiveX Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"520F4CFD-61C6-4EED-8004-C26D514D3D19"; nocase; distance:0; content:".save"; nocase; distance:0; reference:url,1337day.org/exploit/15398; classtype:attempted-user; sid:2016382; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2013_02_08, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE HTTP 401 Unauthorized"; flow:from_server,established; content:"401"; http_stat_code; threshold: type both, count 1, seconds 300, track by_dst; reference:url,doc.emergingthreats.net/2009345; classtype:attempted-recon; sid:2009345; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Frequent HTTP 401 Unauthorized - Possible Brute Force Attack"; flow:from_server,established; content:"401";  http_stat_code;  threshold:type both, track by_dst, count 30, seconds 60; reference:url,doc.emergingthreats.net/2009346; classtype:attempted-recon; sid:2009346; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible ASPXSpy Request"; flow:established,from_server; content:"Thanks Snailsor,FuYu,BloodSword"; fast_pattern:only; reference:url,doc.emergingthreats.net/2009146; classtype:web-application-activity; sid:2009146; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible ASPXSpy Related Activity"; flow:established,from_server; content:"public string Password|3D 22|21232f297a57a5a743894a0e4a801fc3|22 3B|"; fast_pattern:only; nocase; reference:url,doc.emergingthreats.net/2009147; classtype:web-application-activity; sid:2009147; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Possible ASPXSpy Upload Attempt"; flow:established,to_server; content:"public string Password|3D 22|21232f297a57a5a743894a0e4a801fc3|22 3B|"; fast_pattern:only; nocase; reference:url,doc.emergingthreats.net/2009149; classtype:web-application-activity; sid:2009149; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET ATTACK_RESPONSE Cisco TclShell TFTP Read Request"; content:"|00 01 74 63 6C 73 68 2E 74 63 6C|"; fast_pattern:only; reference:url,wwww.irmplc.com/downloads/whitepapers/Creating_Backdoors_in_Cisco_IOS_using_Tcl.pdf; reference:url,doc.emergingthreats.net/2009244; classtype:bad-unknown; sid:2009244; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $EXTERNAL_NET 69 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Cisco TclShell TFTP Download"; content:"|54 63 6C 53 68 65 6C 6C|"; fast_pattern:only; reference:url,wwww.irmplc.com/downloads/whitepapers/Creating_Backdoors_in_Cisco_IOS_using_Tcl.pdf; reference:url,doc.emergingthreats.net/2009245; classtype:bad-unknown; sid:2009245; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET ATTACK_RESPONSE FTP CWD to windows system32 - Suspicious"; flow:established,to_server; content:"CWD C|3a|\\WINDOWS\\system32\\"; fast_pattern:only; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008556; classtype:trojan-activity; sid:2008556; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access COM1"; flow: established; content:"/COM1/"; fast_pattern:only; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000499; classtype:string-detect; sid:2000499; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access COM2"; flow: established; content:"/COM2/"; fast_pattern:only; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000500; classtype:string-detect; sid:2000500; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access COM3"; flow: established; content:"/COM3/"; fast_pattern:only; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000501; classtype:string-detect; sid:2000501; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access COM4"; flow: established; content:"/COM4/"; fast_pattern:only; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000502; classtype:string-detect; sid:2000502; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access LPT1"; flow: established; content:"/LPT1/"; fast_pattern:only; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000503; classtype:string-detect; sid:2000503; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access LPT2"; flow: established; content:"/LPT2/"; fast_pattern:only; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000504; classtype:string-detect; sid:2000504; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access LPT3"; flow: established; content:"/LPT3/"; fast_pattern:only; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000505; classtype:string-detect; sid:2000505; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access LPT4"; flow: established; content:"/LPT4/"; fast_pattern:only; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000506; classtype:string-detect; sid:2000506; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access AUX"; flow: established; content:"/AUX/"; fast_pattern:only; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000507; classtype:string-detect; sid:2000507; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access NULL"; flow: established; content:"/NULL/"; fast_pattern:only; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000508; classtype:string-detect; sid:2000508; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> any 1024: (msg:"ET ATTACK_RESPONSE Off-Port FTP Without Banners - user"; flow:established,from_server; dsize:>7; content:"USER "; depth:5; offset:0; content:" |0d 0a|"; distance:1; flowbits:set,ET.strippedftpuser; reference:url,doc.emergingthreats.net/bin/view/Main/2007715; classtype:trojan-activity; sid:2007715; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> any 1024: (msg:"ET ATTACK_RESPONSE Off-Port FTP Without Banners - pass"; flowbits:isset,ET.strippedftpuser; flow:established,from_server; dsize:>7; content:"PASS "; depth:5; offset:0; content:" |0d 0a|"; distance:1; flowbits:set,ET.strippedftppass; reference:url,doc.emergingthreats.net/bin/view/Main/2007717; classtype:trojan-activity; sid:2007717; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> any 1024: (msg:"ET ATTACK_RESPONSE Off-Port FTP Without Banners - retr"; flowbits:isset,ET.strippedftppass; flow:established,from_server; dsize:>7; content:"RETR "; depth:5; offset:0; tag:session,300,seconds; reference:url,doc.emergingthreats.net/bin/view/Main/2007723; classtype:trojan-activity; sid:2007723; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection"; flow:established,to_client; content:"#|0d 0a|#|20|This|20|is|20|a|20|sample|20|HOSTS|20|file|20|used|20|by|20|Microsoft|20|TCP/IP|20|for|20|Windows.|0d 0a|#|0d 0a|#|20|This|20|file|20|contains|20|the|20|mappings|20|of|20|IP|20|addresses|20|to|20|host|20|names."; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2008559; classtype:trojan-activity; sid:2008559; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Hostile FTP Server Banner (StnyFtpd)"; flow:established,from_server; content:"220 StnyFtpd 0wns j0"; offset:0; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002809; classtype:trojan-activity; sid:2002809; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Hostile FTP Server Banner (Reptile)"; flow:established,from_server; content:"220 Reptile welcomes you"; offset:0; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002810; classtype:trojan-activity; sid:2002810; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Hostile FTP Server Banner (Bot Server)"; flow:established,from_server; content:"220 Bot Server (Win32)"; offset:0; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002811; classtype:trojan-activity; sid:2002811; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner (warFTPd)"; flow:established,from_server; content:"220 "; content:"--warFTPd "; depth:40; nocase; reference:url,www.warftp.org; reference:url,doc.emergingthreats.net/bin/view/Main/2003464; classtype:trojan-activity; sid:2003464; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner (freeFTPd)"; flow:established,from_server; content:"220 "; content:"--freeFTPd "; depth:40; nocase; reference:url,www.freeftp.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003465; classtype:trojan-activity; sid:2003465; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any 1024: -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner on High Port (WinFtpd)"; flow:established,from_server; dsize:<18; content:"220 WinFtpd"; depth:11; offset:0; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2007725; classtype:trojan-activity; sid:2007725; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any 1024: -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner on High Port (StnyFtpd)"; flow:established,from_server; dsize:<30; content:"220 StnyFtpd"; depth:12; offset:0; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2007726; classtype:trojan-activity; sid:2007726; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any [21,1024:] -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner (fuckFtpd)"; flow:established,from_server; dsize:<18; content:"220 fuckFtpd"; depth:12; offset:0; nocase; reference:url,doc.emergingthreats.net/2009210; classtype:trojan-activity; sid:2009210; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any [21,1024:] -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner (NzmxFtpd)"; flow:established,from_server; dsize:<18; content:"220 NzmxFtpd"; depth:12; offset:0; nocase; reference:url,doc.emergingthreats.net/2009211; classtype:trojan-activity; sid:2009211; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Matahari client"; flow:to_server,established; content:"Accept-Encoding|3a| identity"; http_header; content:"Next|2d|Polling"; http_header; fast_pattern:only; content:"Content|2d|Salt|3a| "; http_header; pcre:"/Content\x2dSalt\x3a\x20[0-9\.\-]+\x0d\x0a/Hi"; reference:url,doc.emergingthreats.net/2010795; classtype:trojan-activity; sid:2010795; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter File Download Detected"; flow:to_client,established; content:"stdapi_fs_stat"; depth:54; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009558; classtype:successful-user; sid:2009558; rev:5; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Process List (ps) Command Detected"; flow:to_client,established; content:"stdapi_sys_process_get_processes"; depth:65; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009559; classtype:successful-user; sid:2009559; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Getuid Command Detected"; flow:to_client,established; content:"stdapi_sys_config_getuid"; depth:65; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009560; classtype:successful-user; sid:2009560; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Process Migration Detected"; flow:to_client,established; content:"core_migrate"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009561; classtype:successful-user; sid:2009561; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter ipconfig Command Detected"; flow:to_client,established; content:"stdapi_net_config_get_interfaces"; depth:65; threshold: type threshold, track by_src, count 2, seconds 4; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009562; classtype:successful-user; sid:2009562; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Sysinfo Command Detected"; flow:to_client,established; content:"stdapi_sys_config_sysinfo"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009563; classtype:successful-user; sid:2009563; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Route Command Detected"; flow:to_client,established; content:"stdapi_net_config_get_route"; depth:62; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009564; classtype:successful-user; sid:2009564; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Kill Process Command Detected"; flow:to_client,established; content:"stdapi_sys_process_kill"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009565; classtype:successful-user; sid:2009565; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Print Working Directory Command Detected"; flow:to_client,established; content:"stdapi_fs_getwd"; depth:55; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009566; classtype:successful-user; sid:2009566; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter View Current Process ID Command Detected"; flow:to_client,established; content:"stdapi_sys_process_getpid"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009567; classtype:successful-user; sid:2009567; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Execute Command Detected"; flow:to_client,established; content:"stdapi_sys_process_execute"; depth:62; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009568; classtype:successful-user; sid:2009568; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter System Reboot/Shutdown Detected"; flow:to_client,established; content:"stdapi_sys_power_exitwindows"; depth:62; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009569; classtype:successful-user; sid:2009569; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter System Get Idle Time Command Detected"; flow:to_client,established; content:"stdapi_ui_get_idle_time"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009570; classtype:successful-user; sid:2009570; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Make Directory Command Detected"; flow:to_client,established; content:"stdapi_fs_mkdir"; depth:55; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009571; classtype:successful-user; sid:2009571; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Remove Directory Command Detected"; flow:to_client,established; content:"stdapi_fs_delete_dir"; depth:57; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009572; classtype:successful-user; sid:2009572; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Change Directory Command Detected"; flow:to_client,established; content:"stdapi_fs_chdir"; depth:57; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009573; classtype:successful-user; sid:2009573; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter List (ls) Command Detected"; flow:to_client,established; content:"stdapi_fs_ls"; depth:52; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009574; classtype:successful-user; sid:2009574; rev:5; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter rev2self Command Detected"; flow:to_client,established; content:"stdapi_sys_config_rev2self"; depth:52; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009575; classtype:successful-user; sid:2009575; rev:5; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Enabling/Disabling of Keyboard Detected"; flow:to_client,established; content:"stdapi_ui_enable_keyboard"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009576; classtype:successful-user; sid:2009576; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Enabling/Disabling of Mouse Detected"; flow:to_client,established; content:"stdapi_ui_enable_mouse"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009577; classtype:successful-user; sid:2009577; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter File/Memory Interaction Detected"; flow:to_client,established; content:"stdapi_fs_file_expand_path"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009578; classtype:successful-user; sid:2009578; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Registry Interation Detected"; flow:to_client,established; content:"stdapi_registry_create_key"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009579; classtype:successful-user; sid:2009579; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter File Upload Detected"; flow:to_client,established; content:"core_channel_write"; depth:50; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009580; classtype:successful-user; sid:2009580; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Channel Interaction Detected, Likely Interaction With Executable"; flow:to_client,established; content:"core_channel_interact"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009651; classtype:successful-user; sid:2009651; rev:5; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET ATTACK_RESPONSE Metasploit/Meterpreter - Sending metsrv.dll to Compromised Host"; flow:established; content:"metsrv.dll|00|MZ"; fast_pattern; depth:13; content:"!This program cannot be run in DOS mode."; distance:75; within:40; reference:url,doc.emergingthreats.net/2009581; classtype:successful-admin; sid:2009581; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET ATTACK_RESPONSE Metasploit/Meterpreter - Sending metsrv.dll to Compromised Host"; flow:established; content:"|40 00 41 00 42 0043 00 44 00 6d 65 74 73 72 76 2e 64 6c 6c 00 49 6e 69 74 00 5f 52 65 66 6c 65 63 74 69 76 65 4c 6f 61|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010454; classtype:successful-admin; sid:2010454; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Outbound PHP Connection"; flow: established,to_server; content:"From|3a| anon@anon.com"; nocase; offset: 0; depth: 19; content:"User-Agent|3a| PHP"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001628; classtype:web-application-activity; sid:2001628; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE r57 phpshell footer detected"; flow:established,from_server; file_data; content:"r57shell - http-shell by RST/GHC"; fast_pattern:only; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003535; classtype:web-application-activity; sid:2003535; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ATTACK_RESPONSE r57 phpshell source being uploaded"; flow:established,to_server; content:"/*  (c)oded by 1dt.w0lf"; content:"/*  RST/GHC http"; distance:0; fast_pattern; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003536; classtype:web-application-activity; sid:2003536; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE x2300 phpshell detected"; flow:established,from_server; content:"x2300 Locus7Shell"; fast_pattern:only; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007651; classtype:web-application-activity; sid:2007651; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE c99shell phpshell detected"; flow:established,from_server; content:"c99shell"; fast_pattern:only; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007652; classtype:web-application-activity; sid:2007652; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE RFI Scanner detected"; flow:established,from_server; content:"RFI Scanner"; fast_pattern:only; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007653; classtype:web-application-activity; sid:2007653; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE C99 Modified phpshell detected"; flow:established,from_server; content:"C99 Modified"; fast_pattern:only; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007654; classtype:web-application-activity; sid:2007654; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE lila.jpg phpshell detected"; flow:established,from_server; content:"CMD PHP"; fast_pattern:only; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007655; classtype:web-application-activity; sid:2007655; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE ALBANIA id.php detected"; flow:established,from_server; content:"UNITED ALBANIANS aka ALBOSS PARADISE"; fast_pattern:only; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007656; classtype:web-application-activity; sid:2007656; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Mic22 id.php detected"; flow:established,from_server; content:"Mic22"; fast_pattern:only; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007657; classtype:web-application-activity; sid:2007657; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Backdoor reDuh http initiate"; flow:to_server,established; content:"?action=checkPort&port="; http_uri; content:"Java/"; http_header; reference:url,www.sensepost.com/labs/tools/pentest/reduh; reference:url,doc.emergingthreats.net/2011667; classtype:trojan-activity; sid:2011667; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Backdoor reDuh http tunnel"; flow:to_server,established; content:"?action=getData&servicePort="; http_uri; content:"Java/"; http_header; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.sensepost.com/labs/tools/pentest/reduh; reference:url,doc.emergingthreats.net/2011668; classtype:trojan-activity; sid:2011668; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Weak Netbios Lanman Auth Challenge Detected"; flow:from_server; content:"|ff 53 4d 42|"; content:"|00 11 22 33 44 55 66 77 88|"; reference:url,doc.emergingthreats.net/bin/view/Main/2006417; classtype:policy-violation; sid:2006417; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE Possible MS CMD Shell opened on local system"; flow:established; dsize:<110; content:"Microsoft Windows "; depth:20; content:"Copyright 1985-20"; distance:0; content:"Microsoft Corp"; distance:0; content:"|0a 0a|"; distance:0; reference:url,doc.emergingthreats.net/bin/view/Main/2008953; classtype:successful-admin; sid:2008953; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible Ipconfig Information Detected in HTTP Response"; flow:from_server,established; content:"Windows IP Configuration"; content:"Ethernet adapter Local Area Connection"; distance:8; within:40; reference:url,en.wikipedia.org/wiki/Ipconfig; reference:url,doc.emergingthreats.net/2009675; classtype:successful-recon-limited; sid:2009675; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Ipconfig Response Detected"; flow:from_server,established; content:"Windows IP Configuration"; content:"Ethernet adapter Local Area Connection"; offset:35; depth:55; reference:url,en.wikipedia.org/wiki/Ipconfig; reference:url,doc.emergingthreats.net/2009676; classtype:successful-recon-limited; sid:2009676; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Zone-H.org defacement notification"; flow: established,to_server; content:"POST"; http_method; content:"/notify/"; http_uri; pcre:"/\/notify\/(single|mass)$/iU"; content:"defacer|3d|"; http_client_body; depth:8; fast_pattern; metadata: former_category ATTACK_RESPONSE; reference:url,doc.emergingthreats.net/bin/view/Main/2001616; classtype:trojan-activity; sid:2001616; rev:13; metadata:created_at 2010_07_30, updated_at 2017_12_20;)

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (linux style)"; flow:established,from_server; content:"root|3a|x|3a|0|3a|0|3a|root|3a|/root|3a|/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002034; classtype:successful-recon-limited; sid:2002034; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (BSD style)"; flow:established,from_server; content:"root|3a|*|3a|0|3a|0|3a|"; nocase; content:"|3a|/root|3a|/bin"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003071; classtype:successful-recon-limited; sid:2003071; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via SMTP (linux style)"; flow:established,to_server; content:"root|3a|x|3a|0|3a|0|3a|root|3a|/root|3a|/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003149; classtype:successful-recon-limited; sid:2003149; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via SMTP (BSD style)"; flow:established,to_server; content:"root|3a|*|3a|0|3a|0|3a|"; nocase; content:"|3a|/root|3a|/bin"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003150; classtype:successful-recon-limited; sid:2003150; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE id check returned userid"; content:"uid="; byte_test:5,<,65537,0,relative,string; content:" gid="; within:15; byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:2101882; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; fast_pattern:only; classtype:bad-unknown; sid:2100498; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL ATTACK_RESPONSE del attempt"; flow:to_server,established; content:"&del+/s+c|3A 5C|*.*"; fast_pattern:only; nocase; classtype:web-application-attack; sid:2101008; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL ATTACK_RESPONSE directory listing"; flow:to_server,established; content:"/ServerVariables_Jscript.asp"; http_uri; nocase; reference:nessus,10573; classtype:web-application-attack; sid:2101009; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE directory listing"; flow:established; content:"Volume Serial Number"; fast_pattern:only; classtype:bad-unknown; sid:2101292; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE Invalid URL"; flow:from_server,established; content:"Invalid URL"; fast_pattern:only; nocase; reference:url,www.microsoft.com/technet/security/bulletin/MS00-063.mspx; classtype:attempted-recon; sid:2101200; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE command completed"; flow:established; content:"Command completed"; fast_pattern:only; nocase; reference:bugtraq,1806; classtype:bad-unknown; sid:2100494; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE command error"; flow:established; content:"Bad command or filename"; fast_pattern:only; nocase; classtype:bad-unknown; sid:2100495; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE file copied ok"; flow:established; content:"1 file|28|s|29| copied"; fast_pattern:only; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:bad-unknown; sid:2100497; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE id check returned apache"; flow:from_server,established; content:"uid="; content:"|28|apache|29|"; fast_pattern:only; classtype:bad-unknown; sid:2101886; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE id check returned http"; flow:from_server,established; content:"uid="; content:"|28|http|29|"; fast_pattern:only; classtype:bad-unknown; sid:2101885; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE id check returned nobody"; flow:from_server,established; content:"uid="; content:"|28|nobody|29|"; fast_pattern:only; classtype:bad-unknown; sid:2101883; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE id check returned web"; flow:from_server,established; content:"uid="; content:"|28|web|29|"; within:25; classtype:bad-unknown; sid:2101884; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE index of /cgi-bin/ response"; flow:from_server,established; content:"Index of /cgi-bin/"; fast_pattern:only; nocase; reference:nessus,10039; classtype:bad-unknown; sid:2101666; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $HOME_NET 500 -> $EXTERNAL_NET 500 (msg:"GPL ATTACK_RESPONSE isakmp login failed"; content:"|10 05|"; depth:2; offset:17; content:"|00 00 00 01 01 00 00 18|"; within:8; distance:13; classtype:misc-activity; sid:2102043; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE Windows 7 CMD Shell from Local System"; flow:established; dsize:<160; content:"Microsoft Windows [Version "; depth:30; content:"Copyright (c)"; distance:0; content:"Microsoft Corp"; distance:0; classtype:successful-admin; sid:2012690; rev:1; metadata:created_at 2011_04_17, updated_at 2011_04_17;)

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE WSO - WebShell Activity - WSO Title"; flow:established,to_client; file_data; content:"<title>"; content:" - WSO "; fast_pattern; distance:0; content:"</title>"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:attempted-user; sid:2015905; rev:2; metadata:created_at 2012_11_21, updated_at 2018_01_08;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE WSO - WebShell Activity - POST structure"; flow:established,to_server; content:"POST"; http_method; content:"&c="; http_client_body; content:"&p1="; http_client_body; content:"&p2="; http_client_body; content:"&p3="; http_client_body; fast_pattern; pcre:"/a=(?:S(?:e(?:lfRemove|cInfo)|tringTools|afeMode|ql)|(?:Bruteforc|Consol)e|FilesMan|Network|Logout|Php)/P"; metadata: former_category CURRENT_EVENTS; classtype:attempted-user; sid:2015906; rev:2; metadata:created_at 2012_11_21, updated_at 2018_01_08;)

alert tcp $SQL_SERVERS 3306 -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL User Account Enumeration"; flow:from_server,established; content:"|02|"; offset:3; depth:4; content:"|15 04|Access denied for user"; fast_pattern:only; threshold:type both,track by_dst,count 10,seconds 1; reference:url,seclists.org/fulldisclosure/2012/Dec/att-9/; classtype:protocol-command-decode; sid:2015993; rev:2; metadata:created_at 2012_12_05, updated_at 2012_12_05;)

alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Net User Command Response"; flow:established; content:"User accounts for |5C 5C|"; fast_pattern; content:"-------------------------------------------------------------------------------"; distance:0; classtype:successful-user; sid:2017025; rev:3; metadata:created_at 2013_06_17, updated_at 2013_06_17;)

alert udp $HOME_NET 623 -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible IPMI 2.0 RAKP Remote SHA1 Password Hash Retreival RAKP message 2 status code Unauthorized Name"; content:"|06 13|"; offset:4; depth:2; content:"|0d|"; distance:11; within:1; classtype:protocol-command-decode; sid:2017121; rev:2; metadata:created_at 2013_07_09, updated_at 2013_07_09;)

alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Non-Local Burp Proxy Error"; flow:established,to_client; content:"502"; http_stat_code; content:"Bad gateway"; http_stat_msg; file_data; content:"Burp proxy error|3A 20|"; within:18; reference:url,portswigger.net/burp/proxy.html; classtype:successful-admin; sid:2017148; rev:1; metadata:created_at 2013_07_15, updated_at 2013_07_15;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE python shell spawn attempt"; flow:established,to_client; content:"pty|2e|spawn|2822|/bin/sh|2229|"; depth:64; classtype:trojan-activity; sid:2017317; rev:2; metadata:created_at 2013_08_12, updated_at 2013_08_12;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ATTACK_RESPONSE webr00t WebShell Access"; flow:established,to_server; content:"/?webr00t="; http_uri; metadata: former_category CURRENT_EVENTS; reference:url,blog.sucuri.net/2013/11/case-study-analyzing-a-wordpress-attack-dissecting-the-webr00t-cgi-shell-part-i.html; classtype:trojan-activity; sid:2017701; rev:4; metadata:created_at 2013_11_08, updated_at 2017_11_28;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ATTACK_RESPONSE PHP script in OptimizePress Upload Directory Possible WebShell Access"; flow:to_server,established; content:"/wp-content/uploads/optpress/images_"; http_uri; fast_pattern:16,20; content:".php"; http_uri; pcre:"/\/wp-content\/uploads\/optpress\/images\_(?:comingsoon|lncthumbs|optbuttons)\/.*?\.php/Ui"; metadata: former_category CURRENT_EVENTS; reference:url,blog.sucuri.net/2013/12/wordpress-optimizepress-theme-file-upload-vulnerability.html; classtype:attempted-admin; sid:2017854; rev:2; metadata:created_at 2013_12_13, updated_at 2017_11_28;)

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Linksys Router Returning Device Settings To External Source"; flow:established,from_server; file_data; content:"<GetDeviceSettingsResponse>"; content:"<GetDeviceSettingsResult>"; content:"<ModelName>"; metadata: former_category CURRENT_EVENTS; reference:url,isc.sans.edu/forums/diary/Linksys+Worm+TheMoon+Summary+What+we+know+so+far/17633; classtype:attempted-admin; sid:2018136; rev:2; metadata:created_at 2014_02_13, updated_at 2017_11_28;)

alert tcp $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE Possible  MS CMD Shell opened on local system 2"; dsize:<200; content:"Microsoft Windows "; depth:40; content:"[Version"; distance:0; within:10; content:"Copyright (c) 2009"; distance:0; content:"Microsoft Corp"; distance:0; reference:url,doc.emergingthreats.net/bin/view/Main/2008953; classtype:successful-admin; sid:2018392; rev:1; metadata:created_at 2014_04_15, updated_at 2014_04_15;)

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Output of id command from HTTP server"; flow:established; content:"uid="; pcre:"/^\d+[^\r\n\s]+/R"; content:" gid="; within:5; pcre:"/^\d+[^\r\n\s]+/R"; content:" groups="; within:8; classtype:bad-unknown; sid:2019284; rev:1; metadata:created_at 2014_09_26, updated_at 2014_09_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft Powershell Banner Outbound"; flow:established; content:"Windows PowerShell"; content:"Copyright |28|C|29| 20"; distance:0; content:"Microsoft Corp"; distance:0; classtype:successful-admin; sid:2020084; rev:1; metadata:created_at 2015_01_05, updated_at 2015_01_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft CScript Banner Outbound"; flow:established; content:"Windows Script Host Version"; content:"Copyright |28|C|29|"; distance:0; content:"Microsoft Corp"; distance:0; classtype:successful-admin; sid:2020085; rev:1; metadata:created_at 2015_01_05, updated_at 2015_01_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft WMIC Prompt Outbound"; flow:established; content:"wmic|3a|root|5c|cli>"; classtype:successful-admin; sid:2020086; rev:1; metadata:created_at 2015_01_05, updated_at 2015_01_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft Netsh Firewall Disable Output Outbound"; flow:established; content:"netsh firewall|22| is deprecated|3b|"; content:"use |22|netsh advfirewall"; distance:0; content:"Ok."; distance:0; classtype:successful-admin; sid:2020087; rev:1; metadata:created_at 2015_01_05, updated_at 2015_01_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SysInternals sc.exe Output Outbound"; flow:established; content:"SERVICE_NAME|3a|"; content:"TYPE"; distance:0; content:"SERVICE_EXIT_CODE"; distance:0; classtype:successful-admin; sid:2020088; rev:1; metadata:created_at 2015_01_05, updated_at 2015_01_05;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"SQL syntax"; fast_pattern; content:"MySQL"; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020506; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"mysql_"; fast_pattern; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020507; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"MySqlException (0x"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020508; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"valid MySQL result"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020509; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"MySqlClient."; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020510; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"com.mysql.jdbc.exceptions"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020511; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"PostgreSQL"; fast_pattern; content:"ERROR"; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020512; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"Wpg_"; fast_pattern; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020513; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"valid PostgreSQL result"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020514; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Npgsql."; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020515; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"org.postgresql.util.PSQLException"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020516; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"ERROR|3a 20 20|syntax error at or near"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020517; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Driver"; fast_pattern; pcre:"/^ SQL[-_ ]Server/R"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020518; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"OLEDB"; fast_pattern; content:"|20|SQL Server"; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020519; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"[Microsoft]"; content:"[ODBC SQL Server Driver]"; fast_pattern; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020520; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"mssql_"; fast_pattern; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020521; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; content:"500 Internal Server Error"; file_data; content:"OLE DB Provider for SQL Server"; fast_pattern:only; pcre:"/SQL Server.*?error \x27[0-9a-f]{8}/mi"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020522; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Exception"; fast_pattern; content:"System.Data.SqlClient."; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020523; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Exception"; fast_pattern; content:"Roadhouse.Cms"; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020524; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft Access error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Microsoft Access"; fast_pattern; pcre:"/^ \d+ Driver/R"; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020525; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft Access error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"JET Database Engine"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020526; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft Access error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Access Database Engine"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020527; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Oracle error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"ORA-"; fast_pattern:only; pcre:"/ORA-\d{4}/"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020528; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Oracle error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Oracle error"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020529; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Oracle error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Oracle"; fast_pattern; content:"Driver"; distance:0; within:12; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020530; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Oracle error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"oci_"; distance:0; fast_pattern; pcre:"/Warning.*\Woci_/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020531; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Oracle error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"ora_"; fast_pattern; distance:0; pcre:"/Warning.*\Wora_/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020532; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE DB2 error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"CLI Driver"; fast_pattern:only; pcre:"/CLI Driver.*DB2/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020533; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE DB2 error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"DB2 SQL error"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020534; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE DB2 error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"bdb2_"; fast_pattern:only; pcre:"/bdb2_\w+\(/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020535; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Informix error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Exception"; content:"Informix"; fast_pattern; pcre:"/Exception.*Informix/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020536; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Firebird error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Dynamic SQL Error"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020537; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Firebird error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Dynamic SQL Error"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020538; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"SQLite/JDBCDriver"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020539; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"SQLite.Exception"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020540; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"System.Data.SQLite.SQLiteException"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020541; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"sqlite_"; fast_pattern; distance:0; pcre:"/Warning.*sqlite_/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020542; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"SQLite3|3a 3a|"; fast_pattern; distance:0; pcre:"/Warning.*SQLite3::/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020543; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"[SQLITE_ERROR]"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020544; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SAP MaxDB error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"SQL error"; fast_pattern; content:"POS("; distance:0; pcre:"/SQL error.*POS\([0-9]+\)/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020545; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SAP MaxDB error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"maxdb"; fast_pattern; distance:0; pcre:"/Warning.*maxdb/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020546; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Sybase error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"sybase"; fast_pattern; distance:0; pcre:"/i?Warning.*sybase/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020547; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Sybase error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Sybase message"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020548; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Sybase error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Sybase Server message"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020549; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Ingres error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"ingres_"; fast_pattern; distance:0; pcre:"/Warning.*ingres_/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020550; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Ingres error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Ingres SQLSTATE"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020551; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Ingres error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Ingres"; fast_pattern; content:"Driver"; distance:0; pcre:"/Ingres\W.*Driver/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020552; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Frontbase error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Exception (condition )"; content:". Transaction rollback."; fast_pattern; distance:0; pcre:"/Exception (condition )\d+\. Transaction rollback\./m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020553; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE HSQLDB error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"org.hsqldb.jdbc"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020554; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Reverse HTTPS certificate"; flow:from_server,established; content:"|A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00|"; fast_pattern:only; content:"|16 03 03|"; pcre:"/^..\x0B.{9}\x30\x82..\x30\x82..\xA0\x03\x02\x01\x02\x02(?:\x09.{9}|\x08.{8})/Rs"; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30|"; within:16; pcre:"/^.\x31.\x30.\x06\x03\x55\x04\x03\x0C.([a-z]{2,9})\x30.\x17\x0D[0-9]{12}Z\x17\x0D[0-9]{12}Z\x30.\x31.\x30.\x06\x03\x55\x04\x03\x0C.\g{1}\x30\x82../Rs"; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82|"; within:17; pcre:"/^...\x30\x82..\x02\x82...{256,257}/Rs"; content:"|02 03 01 00 01 A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00|"; within:36; content:!"|06|ubuntu"; content:!"|04|mint"; reference:url,blog.didierstevens.com/2015/05/11/detecting-network-traffic-from-metasploits-meterpreter-reverse-http-module; classtype:trojan-activity; sid:2021178; rev:5; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2015_06_03, updated_at 2017_01_20;)

alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET ATTACK_RESPONSE Possible CVE-2016-1287 Inbound Reverse CLI Shellcode"; flow:to_server; content:"|ff ff ff|tcp/CONNECT/3/"; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}\/\d+\x00$/Ri"; reference:url,raw.githubusercontent.com/exodusintel/disclosures/master/CVE_2016_1287_PoC; classtype:attempted-admin; sid:2022819; rev:1; metadata:created_at 2016_05_18, updated_at 2016_05_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Possible BeEF HTTP Headers Inbound"; flow:established,from_server; content:"Content-Type|3a 20|text/javascript|0d 0a|Server|3a 20|Apache/2.2.3 (CentOS)|0d 0a|Pragma|3a|"; fast_pattern; offset:17; depth:69; content:"|0d 0a|Expires|3a 20|0|0d 0a|"; distance:0; content:!"Set-Cookie|3a 20|"; content:!"X-Powered-By|3a 20|"; metadata: former_category ATTACK_RESPONSE; classtype:attempted-user; sid:2024421; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_23, performance_impact Moderate, updated_at 2017_06_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET ATTACK_RESPONSE 401TRG Perl DDoS IRCBot File Download"; flow:established,from_server; content:"|6d 79 20 24 70 72 6f 63 65 73 73 20 3d 20 24 72 70 73 5b 72 61 6e 64 20 73 63 61 6c 61 72 20 40 72 70 73 5d 3b|"; metadata: former_category ATTACK_RESPONSE; classtype:trojan-activity; sid:2024977; rev:1; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2017_11_07, malware_family webshell, performance_impact Moderate, updated_at 2017_11_07;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE passwd file Outbound from WEB SERVER Linux"; flow:established,from_server; file_data; content:"root:x:0:0:root:/root:/bin/"; within:27; classtype:successful-recon-limited; sid:2025879; rev:2; metadata:created_at 2018_07_20, updated_at 2018_07_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Facebook Chat (send message)"; flow:established,to_server; content:"POST"; http_method; content:"/ajax/chat/send.php"; http_uri; content:"facebook.com"; http_header; reference:url,doc.emergingthreats.net/2010784; classtype:policy-violation; sid:2010784; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Facebook Chat (buddy list)"; flow:established,to_server; content:"POST"; http_method; content:"/ajax/chat/buddy_list.php"; http_uri; content:"facebook.com"; http_header; reference:url,doc.emergingthreats.net/2010785; classtype:policy-violation; sid:2010785; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Facebook Chat (settings)"; flow:established,to_server; content:"POST"; http_method; content:"/ajax/chat/settings.php"; http_uri; content:"facebook.com|0d 0a|"; http_header;  reference:url,doc.emergingthreats.net/2010786; classtype:policy-violation; sid:2010786; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET CHAT Facebook Chat using XMPP"; flow:to_server,established; content:"chat.facebook.com"; nocase; content:"jabber|3A|client"; nocase; distance:9; within:13; threshold: type limit, track by_src, count 1, seconds 60; reference:url,www.facebook.com/sitetour/chat.php; reference:url,doc.emergingthreats.net/2010819; classtype:policy-violation; sid:2010819; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Gadu-Gadu IM Login Server Request"; flow:established,to_server; content:"/appsvc/appmsg"; http_uri; nocase; content:".asp"; http_uri; nocase; content:"fmnumber="; http_uri; content:"&version="; http_uri; content:"&fmt="; http_uri; content:"Host|3a| appmsg.gadu-gadu."; http_header; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008295; classtype:policy-violation; sid:2008295; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat Server Welcome Packet"; flow:established,from_server; dsize:12; content:"|01 00 00 00|"; depth:4; flowbits:set,ET.gadu.welcome; metadata: former_category CHAT; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008297; classtype:policy-violation; sid:2008297; rev:5; metadata:created_at 2010_07_30, updated_at 2017_12_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET CHAT GaduGadu Chat Client Login Packet"; flowbits:isset,ET.gadu.welcome; flow:established,to_server; dsize:<50; content:"|15 00 00 00|"; depth:4; flowbits:set,ET.gadu.loginsent; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008298; classtype:policy-violation; sid:2008298; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat Server Login OK Packet"; flowbits:isset,ET.gadu.loginsent; flow:established,from_server; content:"|03 00 00 00|"; depth:4; byte_jump:4,0,relative,little,post_offset -1; isdataat:!2,relative; flowbits:set,ET.gadu.loggedin; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008299; classtype:policy-violation; sid:2008299; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat Server Login Failed Packet"; flowbits:isset,ET.gadu.loginsent; flow:established,from_server; dsize:8; content:"|09 00 00 00 00 00 00 00|"; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008300; classtype:policy-violation; sid:2008300; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET CHAT GaduGadu Chat Server Available Status Packet"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"|02 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008301; classtype:policy-violation; sid:2008301; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET CHAT GaduGadu Chat Send Message"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"|0b 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008302; classtype:policy-violation; sid:2008302; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat Receive Message"; flowbits:isset,ET.gadu.loggedin; flow:established,from_server; content:"|0a 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008303; classtype:policy-violation; sid:2008303; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET CHAT GaduGadu Chat Keepalive PING"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"|08 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008304; classtype:policy-violation; sid:2008304; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat Keepalive PONG"; flowbits:isset,ET.gadu.loggedin; flow:established,from_server; content:"|07 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008305; classtype:policy-violation; sid:2008305; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET CHAT GaduGadu Chat File Send Request"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"|01 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008306; classtype:policy-violation; sid:2008306; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET CHAT GaduGadu Chat File Send Details"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"|03 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008307; classtype:policy-violation; sid:2008307; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat File Send Accept"; flowbits:isset,ET.gadu.loggedin; flow:established,from_server; content:"|06 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008308; classtype:policy-violation; sid:2008308; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat File Send Begin"; flowbits:isset,ET.gadu.loggedin; flow:established,from_server; content:"|03 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008309; classtype:policy-violation; sid:2008309; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET CHAT ICQ Status Invisible"; flow: from_client,established; content:"|2A02|"; depth: 2; content:"|001900130005|"; offset: 4; depth: 6; reference:url,doc.emergingthreats.net/2001801; classtype:policy-violation; sid:2001801; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET CHAT ICQ Status Change (1)"; flow: from_client,established; content:"|2A02|"; depth: 2; content:"|000E00010011|"; offset: 4; depth: 6; reference:url,doc.emergingthreats.net/2001802; classtype:policy-violation; sid:2001802; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET CHAT ICQ Status Change (2)"; flow: from_client,established; content:"|2A02|"; depth: 2; content:"|00120001001E|"; offset: 4; depth: 6; reference:url,doc.emergingthreats.net/2001803; classtype:policy-violation; sid:2001803; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET CHAT ICQ Login"; flow: from_client,established; content:"|2A01|"; depth: 2; content:"|00010001|"; offset: 8; depth: 4; reference:url,doc.emergingthreats.net/2001804; classtype:policy-violation; sid:2001804; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT ICQ Message"; flow: established; content:"|2A02|"; depth: 2; content:"|000400060000|"; offset: 6; depth: 6; reference:url,doc.emergingthreats.net/2001805; classtype:policy-violation; sid:2001805; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET CHAT Google Talk (Jabber) Client Login"; flow:established,to_server; content:"gmail.com"; nocase; content:"jabber"; nocase; distance:9; within:6; reference:url,talk.google.com; reference:url,www.xmpp.org; reference:url,doc.emergingthreats.net/2002327; classtype:policy-violation; sid:2002327; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET CHAT Google IM traffic Jabber client sign-on"; flow:to_server; content:"gmail.com"; nocase; content:"jabber.org"; nocase; content:"version="; reference:url,www.google.com/talk; reference:url,doc.emergingthreats.net/2002334; classtype:policy-violation; sid:2002334; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT MSN file transfer request"; flow: established; content:"MSG "; depth: 4; content:"Content-Type|3A|"; nocase; distance: 0; content:"text/x-msmsgsinvite"; fast_pattern:only; content:"Application-Name|3A|"; content:"File Transfer"; nocase; distance: 0; reference:url,doc.emergingthreats.net/2001241; classtype:policy-violation; sid:2001241; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT MSN file transfer accept"; flow: established; content:"MSG "; depth: 4; content:"Content-Type|3A|"; nocase; content:"text/x-msmsgsinvite"; fast_pattern:only; content:"Invitation-Command|3A|"; content:"ACCEPT"; distance: 1; reference:url,doc.emergingthreats.net/2001242; classtype:policy-violation; sid:2001242; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT MSN file transfer reject"; flow: established; content:"MSG "; depth: 4; content:"Content-Type|3A|"; nocase; content:"text/x-msmsgsinvite"; fast_pattern:only; content:"Invitation-Command|3A|"; content:"CANCEL"; distance: 0; content:"Cancel-Code|3A|"; nocase; content:"REJECT"; nocase; distance: 0; reference:url,doc.emergingthreats.net/2001243; classtype:policy-violation; sid:2001243; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT MSN IM Poll via HTTP"; flow: established,to_server; content:"/gateway/gateway.dll?Action=poll&SessionID="; http_uri; nocase; threshold: type limit, track by_src, count 10, seconds 3600; reference:url,doc.emergingthreats.net/2001682; classtype:policy-violation; sid:2001682; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT MSN status change"; flow:established,to_server; content:"CHG "; depth:55; reference:url,doc.emergingthreats.net/2002192; classtype:policy-violation; sid:2002192; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"ET CHAT Possible MSN Messenger File Transfer"; flow:established,from_client; content:"x-msnmsgrp2p"; nocase; content:"appid|3a|"; nocase; pcre:"/appid\x3a\s+2/i"; reference:url,www.hypothetic.org/docs/msn/client/file_transfer.php; reference:url,doc.emergingthreats.net/2008289; classtype:policy-violation; sid:2008289; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT General MSN Chat Activity"; flow: established; content:"Content-Type|3A|"; http_header; content:"application/x-msn-messenger"; http_header; reference:url,www.hypothetic.org/docs/msn/general/http_examples.php; reference:url,doc.emergingthreats.net/2009375; classtype:policy-violation; sid:2009375; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CHAT Yahoo IM voicechat"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00|J"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001254; classtype:policy-violation; sid:2001254; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM ping"; flow: to_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 12|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001255; classtype:policy-violation; sid:2001255; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CHAT Yahoo IM conference invitation"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 18|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001256; classtype:policy-violation; sid:2001256; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CHAT Yahoo IM conference logon success"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 19|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001257; classtype:policy-violation; sid:2001257; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM conference message"; flow: to_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 1D|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001258; classtype:policy-violation; sid:2001258; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM Unavailable Status"; flow: to_server,established; content:"|59 47 00 0b 00 00 00 00 00 12 00 00 00 00|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2001427; classtype:policy-violation; sid:2001427; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM file transfer request"; flow: established; content:"YMSG"; nocase; depth: 4; content:"|00 dc|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001259; classtype:policy-violation; sid:2001259; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM message"; flow: established; content:"YMSG"; depth: 4; reference:url,doc.emergingthreats.net/2001260; classtype:policy-violation; sid:2001260; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM conference offer invitation"; flow: to_server,established; content:"YMSG"; nocase; depth: 4; content:"|00|P"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001262; classtype:policy-violation; sid:2001262; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM conference request"; flow: to_server,established; content:"<R"; depth: 2; pcre:"/^\x3c(REQIMG|RVWCFG)\x3e/ism"; reference:url,doc.emergingthreats.net/2001263; classtype:policy-violation; sid:2001263; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CHAT Yahoo IM conference watch"; flow: from_server,established; content:"|0D 00 05 00|"; depth: 4; fast_pattern; reference:url,doc.emergingthreats.net/2001264; classtype:policy-violation; sid:2001264; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Yahoo IM Client Install"; flow: to_server,established; content:"/ycontent/stats.php?version="; nocase; http_uri; content:"EVENT=InstallBegin"; nocase; http_uri; reference:url,doc.emergingthreats.net/2002659; classtype:policy-violation; sid:2002659; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CHAT IRC authorization message"; flow: established; content:"NOTICE AUTH"; content:"Looking up your hostname..."; nocase; reference:url,doc.emergingthreats.net/2000355; classtype:misc-activity; sid:2000355; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET CHAT Known SSL traffic on port 5222 (Jabber) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003031; classtype:not-suspicious; sid:2003031; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 5223 (msg:"ET CHAT Known SSL traffic on port 5223 (Jabber) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003032; classtype:not-suspicious; sid:2003032; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Skype VOIP Checking Version (Startup)"; flow: to_server,established; content:"/ui/"; http_uri; nocase; content:"/getlatestversion?ver="; http_uri; nocase; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; reference:url,doc.emergingthreats.net/2001595; classtype:policy-violation; sid:2001595; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Skype User-Agent detected"; flow:to_server,established; content:"Skype"; http_header;  pcre:"/User-Agent\x3a[^\n\r]+Skype/Hi"; reference:url,doc.emergingthreats.net/2002157; classtype:policy-violation; sid:2002157; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 33033 (msg:"ET CHAT Skype Bootstrap Node (udp)"; threshold: type both, count 5, track by_src, seconds 120; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; reference:url,doc.emergingthreats.net/2003022; classtype:policy-violation; sid:2003022; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Gadu-Gadu Chat Client Checkin via HTTP"; flow:established,to_server; content:"/appsvc/appmsg"; nocase; http_uri; content:"fmnumber="; nocase; http_uri; content:"&version="; nocase; http_uri; content:"&fmt="; nocase; http_uri; content:"&lastmsg="; http_uri; nocase; reference:url,doc.emergingthreats.net/2007866; classtype:trojan-activity; sid:2007866; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC USER command"; flow:to_server,established; content:"USER|20|"; nocase; depth:5; content:"|203a|"; within:40; content:"|0a|"; within:40; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002023; classtype:misc-activity; sid:2002023; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC NICK command"; flow:to_server,established; content:"NICK|20|"; nocase; depth:5; content:"|0a|"; within:40; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002024; classtype:misc-activity; sid:2002024; rev:18; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC JOIN command"; flow:to_server,established; content:"JOIN|2023|"; nocase; depth:50; content:"|0a|"; within:40; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002025; classtype:misc-activity; sid:2002025; rev:18; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC PRIVMSG command"; flow:established,to_server; content:"PRIVMSG|20|"; depth:8; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002026; classtype:misc-activity; sid:2002026; rev:20; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any 6666:7000 -> any any (msg:"ET CHAT IRC PING command"; flow:from_server,established; content:"PING|20|"; depth:5; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002027; classtype:misc-activity; sid:2002027; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC PONG response"; flow:from_client,established; content:"PONG|20|"; depth:5;  flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002028; classtype:misc-activity; sid:2002028; rev:18; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"GPL CHAT AIM receive message"; flow:to_client; content:"*|02|"; depth:2; content:"|00 04 00 07|"; depth:4; offset:6; classtype:policy-violation; sid:2101633; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"GPL CHAT MSN outbound file transfer accept"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 200 OK"; distance:0; nocase; classtype:policy-violation; sid:2101988; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"GPL CHAT MSN outbound file transfer rejected"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 603 Decline"; distance:0; nocase; classtype:policy-violation; sid:2101989; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM conference invitation"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 18|"; depth:2; offset:10; classtype:policy-violation; sid:2102453; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM conference logon success"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 19|"; depth:2; offset:10; classtype:policy-violation; sid:2102454; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM successful chat join"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 98|"; depth:2; offset:10; classtype:policy-violation; sid:2102458; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM voicechat"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00|J"; depth:2; offset:10; classtype:policy-violation; sid:2102451; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo Messenger File Transfer Receive Request"; flow:established; content:"YMSG"; depth:4; content:"|00|M"; depth:2; offset:10; classtype:policy-violation; sid:2102456; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET 5100 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM conference watch"; flow:from_server,established; content:"|0D 00 05 00|"; depth:4; classtype:policy-violation; sid:2102461; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET 5222 -> $HOME_NET any (msg:"GPL CHAT Jabber/Google Talk Incoming Message"; flow:to_client,established; content:"<message"; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:2100236; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET 5222 -> $HOME_NET any (msg:"GPL CHAT Jabber/Google Talk Logon Success"; flow:to_client,established; content:"<success"; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:2100235; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"GPL CHAT AIM login"; flow:to_server,established; content:"*|02|"; depth:2; content:"|00 17 00 06|"; within:8; distance:4; classtype:policy-violation; sid:2101631; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"GPL CHAT AIM send message"; flow:to_server,established; content:"*|02|"; depth:2; content:"|00 04 00 06|"; depth:4; offset:6; classtype:policy-violation; sid:2101632; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"GPL CHAT Google Talk Version Check"; flow: established,to_server; content:"/googletalk/google-talk-versioncheck.txt?"; http_uri; nocase; classtype:policy-violation; sid:2100876; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"GPL CHAT MSN login attempt"; flow:to_server,established; content:"USR "; depth:4; nocase; content:" TWN "; distance:1; nocase; threshold:type limit, track by_src, count 1, seconds 60; classtype:policy-violation; sid:2101991; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"GPL CHAT MSN outbound file transfer request"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; nocase; content:"INVITE"; distance:0; nocase; classtype:policy-violation; sid:2101986; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"GPL CHAT MSN user search"; flow:to_server,established; content:"CAL "; depth:4; nocase; classtype:policy-violation; sid:2101990; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"GPL CHAT Yahoo IM conference message"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 1D|"; depth:2; offset:10; classtype:policy-violation; sid:2102455; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"GPL CHAT Yahoo IM conference offer invitation"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00|P"; depth:2; offset:10; classtype:policy-violation; sid:2102459; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"GPL CHAT Yahoo IM ping"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 12|"; depth:2; offset:10; classtype:policy-violation; sid:2102452; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 5100 (msg:"GPL CHAT Yahoo IM conference request"; flow:to_server,established; content:"<R"; depth:2; pcre:"/^\x3c(REQIMG|RVWCFG)\x3e/ism"; classtype:policy-violation; sid:2102460; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"GPL CHAT Google Talk Logon"; flow:to_server,established; content:"<stream|3a|stream to=\"gmail.com\""; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:2100232; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"GPL CHAT Google Talk Startup"; flow: established,to_server; content:"google.com"; nocase; content:"jabber|3A|client"; nocase; threshold: type limit, track by_src, count 1, seconds 300; classtype:policy-violation; sid:2100877; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"GPL CHAT Jabber/Google Talk Log Out"; flow:to_server,established; content:"</stream"; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:2100234; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"GPL CHAT Jabber/Google Talk Outgoing Auth"; flow:to_server,established; content:"<auth"; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:2100231; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"GPL CHAT Jabber/Google Talk Outgoing Traffic"; flow:to_server,established; content:"<stream"; nocase; reference:url,www.google.com/talk/; classtype:not-suspicious; sid:2100230; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"GPL CHAT Jabber/Google Talk Outoing Message"; flow:to_server,established; content:"<message"; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:2100233; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"GPL CHAT IRC DCC chat request"; flow:to_server,established; content:"PRIVMSG "; depth:8; nocase; content:" |3A|.DCC CHAT chat"; nocase; flowbits:set,is_proto_irc; classtype:policy-violation; sid:2101640; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"GPL CHAT IRC DCC file transfer request"; flow:to_server,established; content:"PRIVMSG "; depth:8; nocase; content:" |3A|.DCC SEND"; nocase; flowbits:set,is_proto_irc; classtype:policy-violation; sid:2101639; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"GPL CHAT IRC Channel join"; flow:to_server,established; content:"JOIN |3A| |23|"; fast_pattern:only; nocase; flowbits:set,is_proto_irc; classtype:policy-violation; sid:2101729; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL CHAT ICQ access"; flow:to_server,established; content:"User-Agent|3A|ICQ"; classtype:policy-violation; sid:2100541; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"GPL CHAT MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/plain"; distance:1; classtype:policy-violation; sid:2100540; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC USER Likely bot with 0 0 colon checkin"; flow:to_server,established; content:"USER|20|"; nocase; content:" 0 0 |3a|"; within:40; content:"|0a|"; within:40; flowbits:set,is_proto_irc; metadata: former_category CHAT; classtype:misc-activity; sid:2025066; rev:1; metadata:created_at 2013_07_12, updated_at 2017_11_28;)

alert tcp any any -> any !6666:7000 (msg:"ET CHAT IRC USER Off-port Likely bot with 0 0 colon checkin"; flow:to_server,established; content:"USER|20|"; nocase; content:" 0 0 |3a|"; within:40; content:"|0a|"; within:40; flowbits:set,is_proto_irc; metadata: former_category CHAT; classtype:misc-activity; sid:2025067; rev:1; metadata:created_at 2013_07_12, updated_at 2017_11_28;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malvertising drive by kit encountered - Loading..."; flow:established,to_client; content:"HTTP/1"; depth:6; content:"<html><head></head><body>Loading...<div id=|22|page|22| style=|22|display|3a| none|22|>"; nocase; reference:url,doc.emergingthreats.net/2011223; classtype:bad-unknown; sid:2011223; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for PDF exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|np"; http_client_body; distance:32; within:5; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2011348; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for Java exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|j"; http_client_body; distance:32; within:4; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2011349; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for Java and PDF exploits"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|jp"; http_client_body; distance:5; within:5; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2011350; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Driveby bredolab hidden div served by nginx"; flow:established,to_client; content:"Server|3a| nginx"; http_header; file_data; content:"<div style=|22|visibility|3a| hidden|3b 22|><"; within:120; classtype:bad-unknown; sid:2011355; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Neosploit Exploit Pack Activity Observed"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"Referer|3a| "; nocase; http_header; content:"User-Agent|3a| "; nocase; http_header; pcre:"/\.(php|asp|py|exe|htm|html)\/[joewxy](U[0-9a-f]{8})?H[0-9a-f]{8}V[0-9a-f]{8}\d{3}R[0-9a-f]{8}\d{3}T[0-9a-f]{8,}/U"; reference:url,blog.fireeye.com/research/2010/01/pdf-obfuscation.html; reference:url,blog.fireeye.com/research/2010/06/neosploit_notes.html; reference:url,dxp2532.blogspot.com/2007/12/neosploit-exploit-toolkit.html; classtype:attempted-user; sid:2011583; rev:4; metadata:created_at 2010_10_01, updated_at 2010_10_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Driveby Bredolab - client exploited by acrobat"; flow:established,to_server; content:"?reader_version="; http_uri; content:"&exn=CVE-"; http_uri; classtype:trojan-activity; sid:2011797; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2010_10_09, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SEO Exploit Kit - Landing Page"; flow:established,to_client; content:"<div id=\"obj\"></div><div id=\"pdf\"></div><div id=\"hcp\">"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2011812; rev:4; metadata:created_at 2010_10_12, updated_at 2017_04_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SEO Exploit Kit - client exploited"; flow:established,to_server; content:"/exe.php?exp="; http_uri; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2011813; rev:5; metadata:created_at 2010_10_12, updated_at 2010_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS exploit kit x/load/svchost.exe"; flow:established,to_server; content:"GET"; http_method; content:"load/svchost.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011906; rev:2; metadata:created_at 2010_11_08, updated_at 2010_11_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SWF served from /tmp/ "; flow:established,to_server; content:"/tmp/"; http_uri; fast_pattern; content:".swf"; http_uri; pcre:"/\/tmp\/[^\/]+\.swf$/U"; classtype:bad-unknown; sid:2011970; rev:1; metadata:created_at 2010_11_23, updated_at 2010_11_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS PDF served from /tmp/ could be Phoenix Exploit Kit"; flow:established,to_server; content:"/tmp/"; http_uri; fast_pattern; content:".pdf"; http_uri; pcre:"/\/tmp\/[^\/]+\.pdf$/U"; classtype:bad-unknown; sid:2011972; rev:3; metadata:created_at 2010_11_23, updated_at 2010_11_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS JAR served from /tmp/ could be Phoenix Exploit Kit"; flow:established,to_server; content:"/tmp/"; http_uri; fast_pattern; content:".jar"; http_uri; pcre:"/\/tmp\/[^\/]+\.jar$/U"; classtype:bad-unknown; sid:2011973; rev:3; metadata:created_at 2010_11_23, updated_at 2010_11_23;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS MALVERTISING Alureon JavaScript IFRAME Redirect"; flow:established,to_client; file_data; content:"marginwidth=|5c 22|0|22 5c| marginheight=|5c 22|0|22 5c| hspace=|5c 22|0|22 5c| vspace=|5c 22|0|22 5c| frameborder=|5c 22|0|22 5c| scrolling=|5c 22|0|22 5c| bordercolor=|5c 22 23|000000|5c 22|></IFRAME>|22 29 3b 7d|"; classtype:bad-unknown; sid:2011978; rev:2; metadata:created_at 2010_11_24, updated_at 2010_11_24;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Phoenix-style Exploit Kit Java Request with semicolon in URI"; flow:established,to_server; content:"/?"; http_uri; content:"|3b| 1|3b| "; http_uri; content:"|29| Java/1."; http_header; pcre:"/\/\?[a-z0-9]{65,}\x3b \d\x3b \d/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2011988; rev:5; metadata:created_at 2010_12_01, updated_at 2017_04_13;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Neosploit Toolkit download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/GNH11.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=piadraspgdw.com; reference:url,labs.m86security.com/2011/01/shedding-light-on-the-neosploit-exploit-kit; classtype:trojan-activity; sid:2012333; rev:2; metadata:created_at 2011_02_22, updated_at 2011_02_22;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Compressed Adobe Flash File Embedded in XLS FILE Caution - Could be Exploit"; flow:established,from_server; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; content:"|45 57 73 09|"; distance:0; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; classtype:attempted-user; sid:2012503; rev:4; metadata:created_at 2011_03_15, updated_at 2011_03_15;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excel with Embedded .emf object downloaded"; flow:established,to_client; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; content:"| 50 4B 03 04 |"; content:"|2F 6D 65 64 69 61 2F 69 6D 61 67 65 |"; within:64; content:"| 2E 65 6D 66 |"; within:15; classtype:bad-unknown; sid:2012504; rev:7; metadata:created_at 2011_03_15, updated_at 2011_03_15;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RetroGuard Obfuscated JAR likely part of hostile exploit kit"; flow:established,from_server; content:"classPK"; content:"|20|by|20|RetroGuard|20|Lite|20|"; reference:url,www.retrologic.com; classtype:trojan-activity; sid:2012518; rev:1; metadata:created_at 2011_03_17, updated_at 2011_03_17;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of Microsft Office File From Russian Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| ru"; nocase; http_header; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; distance:0; classtype:trojan-activity; sid:2012525; rev:1; metadata:created_at 2011_03_21, updated_at 2011_03_21;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of Microsoft Office File From Chinese Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; http_header; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; distance:0; classtype:trojan-activity; sid:2012526; rev:1; metadata:created_at 2011_03_21, updated_at 2011_03_21;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of PDF File From Russian Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| ru"; nocase; http_header; file_data; content:"%PDF-"; distance:0; classtype:trojan-activity; sid:2012527; rev:1; metadata:created_at 2011_03_21, updated_at 2011_03_21;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of PDF File From Chinese Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; http_header; file_data; content:"%PDF-"; distance:0; classtype:trojan-activity; sid:2012528; rev:1; metadata:created_at 2011_03_21, updated_at 2011_03_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site WindowsLive.png"; flow:established,to_server; content:"/images/WindowsLive.png"; http_uri; depth:23; classtype:bad-unknown; sid:2012529; rev:2; metadata:created_at 2011_03_21, updated_at 2011_03_21;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site Landing Page"; flow:established,from_server; file_data; content:"<title>MWL</title>"; within:300; classtype:bad-unknown; sid:2012530; rev:2; metadata:created_at 2011_03_21, updated_at 2011_03_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site blt .png"; flow:established,to_server; content:"/images/blt"; http_uri; depth:11; content:".png"; http_uri; within:6; classtype:bad-unknown; sid:2012531; rev:1; metadata:created_at 2011_03_21, updated_at 2011_03_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site Payload Download"; flow:established,to_server; content:"/MRT/update/"; http_uri; depth:12; content:".exe"; http_uri; classtype:bad-unknown; sid:2012532; rev:1; metadata:created_at 2011_03_21, updated_at 2011_03_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Phoenix Java Exploit Attempt Request for .class from octal host"; flow:established,to_server; content:".class|20|HTTP/1.1|0d 0a|"; fast_pattern; content:"|20|Java/"; http_header; content:"Host|3a 20|"; pcre:"/Host\x3a \d{4,}[^A-Za-z\.]/D"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012609; rev:5; metadata:created_at 2011_03_30, updated_at 2011_03_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit io.exe download served"; flow:established,from_server; content:"|3b 20|filename=io.exe|0d 0a|"; fast_pattern; classtype:trojan-activity; sid:2012610; rev:1; metadata:created_at 2011_03_30, updated_at 2011_03_30;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Internal WebServer Compromised By Lizamoon Mass SQL-Injection Attacks"; flow:established,from_server; content:"</title><script src=http|3a|//"; nocase; content:"/ur.php></script>"; within:100; reference:url,malwaresurvival.net/tag/lizamoon-com/; classtype:web-application-attack; sid:2012614; rev:4; metadata:created_at 2011_03_31, updated_at 2011_03_31;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Flash SWF File Embedded in XLS FILE Caution - Could be Exploit"; flow:established,from_server; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; content:"SWF"; fast_pattern:only; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; classtype:attempted-user; sid:2012621; rev:4; metadata:created_at 2011_03_31, updated_at 2011_03_31;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Flash Unicode SWF File Embedded in Office File Caution - Could be Hostile"; flow:established,from_server; flowbits:isset,OLE.CompoundFile; content:"S|00|W|00|F|00|"; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; reference:cve,2011-0611; classtype:attempted-user; sid:2012622; rev:4; metadata:created_at 2011_03_31, updated_at 2011_03_31;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lizamoon Related Compromised site served to local client"; flow:established,from_server; content:"</title><script src=http|3a|//"; nocase; content:"/ur.php></script>"; within:100; classtype:attempted-user; sid:2012624; rev:4; metadata:created_at 2011_04_02, updated_at 2011_04_02;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Potential Lizamoon Client Request /ur.php"; flow:established,to_server; content:"GET"; http_method; content:"/ur.php"; http_uri; content:"GET /ur.php "; depth:12; classtype:trojan-activity; sid:2012625; rev:2; metadata:created_at 2011_04_04, updated_at 2011_04_04;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Java Exploit Attempt Request for .id from octal host"; flow:established,to_server; content:".id|20|HTTP/1.1|0d 0a|"; fast_pattern; content:"|20|Java/"; http_header; content:"Host|3a 20|"; pcre:"/Host\x3a \d{4,}[^A-Za-z\.]/D"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012628; rev:4; metadata:created_at 2011_04_04, updated_at 2011_04_04;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Potential Paypal Phishing Form Attachment"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"Restore Your Account"; distance:0; nocase; content:"paypal"; distance:0; nocase; content:"form.php|22| method=|22|post|22|"; nocase; distance:0; classtype:bad-unknown; sid:2012632; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2011_04_05, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Paypal Phishing victim POSTing data"; flow:established,to_server; content:"POST"; http_method; content:"usr="; content:"&pwd="; content:"&name-on="; content:"&cu-on="; content:"&how2-on="; fast_pattern; classtype:bad-unknown; sid:2012630; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2011_04_05, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Potential ACH Transaction Phishing Attachment"; flow:established,to_server; content:"ACH transaction"; nocase; content:".pdf.exe"; nocase; classtype:bad-unknown; sid:2012635; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2011_04_05, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Java Exploit Attempt Request for hostile binary"; flow:established,to_server; content:"&|20|HTTP/1.1|0d 0a|User-A"; fast_pattern:only; content:".php?height="; http_uri; content:"|20|Java/"; http_header; pcre:"/\/[a-z0-9]{30,}\.php\?height=\d+&sid=\d+&width=[a-z0-9]+&/U"; classtype:trojan-activity; sid:2012644; rev:2; metadata:created_at 2011_04_06, updated_at 2011_04_06;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious JAR olig"; flow:established,from_server; content:"|00 00|META-INF/PK|0a|"; fast_pattern:only; content:"|00|olig/"; classtype:trojan-activity; sid:2012646; rev:2; metadata:created_at 2011_04_06, updated_at 2011_04_06;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Pack Binary Load Request"; flow:established,to_server; content:".php?sex="; nocase; http_uri; content:"&children="; nocase; http_uri; content:"&userid="; nocase; http_uri; pcre:"/\.php\?sex=\d+&children=\d+&userid=/U"; classtype:trojan-activity; sid:2012687; rev:1; metadata:created_at 2011_04_13, updated_at 2011_04_13;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Likely Redirector to Exploit Page /in/rdrct/rckt/?"; flow:established,to_server; content:"/in/rdrct/rckt/?"; http_uri; classtype:attempted-user; sid:2012731; rev:1; metadata:created_at 2011_04_28, updated_at 2011_04_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown .ru Exploit Redirect Page"; flow:established,to_server; content:"people/?"; http_uri; content:"&top="; http_uri; content:".ru|0d 0a|"; http_header; classtype:bad-unknown; sid:2012732; rev:1; metadata:created_at 2011_04_28, updated_at 2011_04_28;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit Attempt applet via file URI param"; flow:established,from_server; content:"applet"; nocase; content:"file|3a|C|3a 5c|Progra"; fast_pattern; nocase; distance:0; content:"java"; nocase; distance:0; content:"jre6"; nocase; distance:0; content:"lib"; nocase; distance:0; content:"ext"; nocase; distance:0; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012884; rev:2; metadata:created_at 2011_05_27, updated_at 2011_05_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Eleonore Exploit Pack exemple.com Request"; flow:established,to_server; content:"/exemple.com/"; nocase; http_uri; classtype:trojan-activity; sid:2012940; rev:2; metadata:created_at 2011_06_07, updated_at 2011_06_07;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Phoenix Exploit Kit Newplayer.pdf"; flow:established,to_server; content:"/newplayer.pdf"; fast_pattern:only; http_uri; metadata: former_category CURRENT_EVENTS; reference:cve,2009-4324; reference:url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp; classtype:attempted-user; sid:2012941; rev:6; metadata:created_at 2011_06_07, updated_at 2017_04_10;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Phoenix Exploit Kit Printf.pdf"; flow:established,to_server; content:"/printf.pdf"; fast_pattern:only; http_uri; reference:cve,2008-2992; reference:url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp; classtype:attempted-user; sid:2012942; rev:6; metadata:created_at 2011_06_07, updated_at 2011_06_07;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Phoenix Exploit Kit Geticon.pdf"; flow:established,to_server; content:"/geticon.pdf"; fast_pattern:only; http_uri; reference:url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp; classtype:attempted-user; sid:2012943; rev:6; metadata:created_at 2011_06_07, updated_at 2011_06_07;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Phoenix Exploit Kit All.pdf"; flow:established,to_server; content:"/tmp/all.pdf"; fast_pattern:only; http_uri; reference:url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp; classtype:attempted-user; sid:2012944; rev:6; metadata:created_at 2011_06_07, updated_at 2011_06_07;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Request to malicious info.php drive-by landing"; flow:established,to_server; content:"/info.php?n="; http_uri; fast_pattern:only; content:!"&"; http_uri; content:!"|0d 0a|Referer|3a|"; pcre:"/\/info.php\?n=\d/U"; classtype:trojan-activity; sid:2013010; rev:2; metadata:created_at 2011_06_10, updated_at 2011_06_10;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious PHP 302 redirect response with avtor URI and cookie"; flow:established,from_server; content:"302"; http_stat_code; content:".php?avtor="; http_header; fast_pattern:only; content:"Set-Cookie|3a| "; http_header; content:"avtor="; http_header; within:40; classtype:trojan-activity; sid:2013011; rev:2; metadata:created_at 2011_06_10, updated_at 2011_06_10;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Exploit kit mario.jar"; flow:established,to_server; content:"pack200"; http_header; content:" Java/"; http_header; content:"/mario.jar"; http_uri; classtype:trojan-activity; sid:2013024; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Java/PDF Exploit kit from /Home/games/ initial landing"; flow:established,to_server; content:"/Home/games/2fdp.php?f="; http_uri; classtype:trojan-activity; sid:2013025; rev:1; metadata:created_at 2011_06_13, updated_at 2011_06_13;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Java/PDF Exploit kit initial landing"; flow:established,to_server; content:"/2fdp.php?f="; http_uri; classtype:trojan-activity; sid:2013027; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake Shipping Invoice Request to JPG.exe Executable"; flow:established,to_server; content:"/invoice"; nocase; http_uri; content:".JPG.exe"; nocase; fast_pattern; classtype:trojan-activity; sid:2013048; rev:4; metadata:created_at 2011_06_16, updated_at 2011_06_16;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sidename.js Injected Script Served by Local WebServer"; flow:established,from_server; content:"/sidename.js\"></script>"; nocase; fast_pattern:only; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:web-application-attack; sid:2013061; rev:2; metadata:created_at 2011_06_17, updated_at 2011_06_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible CVE-2011-2110 Flash Exploit Attempt"; flow:established,to_server; content:"GET /"; depth:5; content:".swf?info=02"; http_uri; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20110617; classtype:trojan-activity; sid:2013065; rev:4; metadata:created_at 2011_06_17, updated_at 2011_06_17;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit Attempt applet via file URI setAttribute"; flow:established,from_server; content:"setAttribute("; content:"C|3a 5c 5c|Progra"; fast_pattern; nocase; distance:0; content:"java"; nocase; distance:0; content:"jre6"; nocase; distance:0; content:"lib"; nocase; distance:0; content:"ext"; nocase; distance:0; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013066; rev:2; metadata:created_at 2011_06_17, updated_at 2011_06_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Clickfraud Framework Request"; flow:to_server,established; content:"/go.php?uid="; http_uri; fast_pattern; content:"&data="; http_uri; urilen:>500; classtype:bad-unknown; sid:2013093; rev:3; metadata:created_at 2011_06_22, updated_at 2011_06_22;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Phoenix/Fiesta URI Requested Contains /? and hex"; flow:established,to_server; content:"/?"; http_uri; fast_pattern; pcre:"/\/\?[0-9a-f]{60,66}[\;\d\x2c]*$/U"; classtype:bad-unknown; sid:2013094; rev:10; metadata:created_at 2011_06_22, updated_at 2011_06_22;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Driveby Exploit Kit Browser Progress Checkin - Binary Likely Previously Downloaded"; flow:established,to_server; content:"/?"; http_uri; content:!" Java/"; http_header; pcre:"/\/\?[a-f0-9]{64}\;\d\;\d/U"; classtype:trojan-activity; sid:2013098; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2011_06_22, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CVE-2011-2110 Flash Exploit Attempt Embedded in Web Page"; flow:established,to_client; content:"<param name="; nocase; content:"value="; nocase; distance:0; content:"|2E|swf?info="; fast_pattern; nocase; distance:0; pcre:"/value\x22[^\x22]*\x2Eswf\x3finfo\x3D/smi"; reference:url,stopmalvertising.com/malware-reports/all-ur-swf-bel0ng-2-us-analysis-of-cve-2011-2110.html; reference:bid,48268; reference:cve,2011-2110; classtype:attempted-user; sid:2013137; rev:2; metadata:created_at 2011_06_30, updated_at 2011_06_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely EgyPack Exploit kit landing page (EGYPACK_CRYPT)"; flow:established,from_server; content:"EGYPACK_CRYPT"; pcre:"/EGYPACK_CRYPT\d/"; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:trojan-activity; sid:2013175; rev:4; metadata:created_at 2011_07_04, updated_at 2011_07_04;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS cssminibar.js Injected Script Served by Local WebServer"; flow:established,from_server; content:"cssminibar.js|22|></script>"; nocase; fast_pattern:only; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:web-application-attack; sid:2013192; rev:1; metadata:created_at 2011_07_05, updated_at 2011_07_05;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript Often Used in Drivebys"; flow:established,from_server; content:"Content-Type|3a 20|text/html"; content:"|0d 0a|<html><body><div|20|"; fast_pattern; within:500; pcre:"/\x7b?(visibility\x3ahidden|display\x3anone)\x3b?\x7d?\x22><div>\d{16}/R"; classtype:trojan-activity; sid:2013237; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2011_07_08, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Known Injected Credit Card Fraud Malvertisement Script"; flow:established,to_client; content:"|3C|script|3E|ba|28 27|Windows.class|27 2C 27|Windows.jar|27 29 3B 3C 2F|script|3E|"; nocase; reference:url,blogs.paretologic.com/malwarediaries/index.php/2011/07/06/stolen-credit-cards-site-injected-with-malware/; classtype:misc-activity; sid:2013244; rev:1; metadata:created_at 2011_07_11, updated_at 2011_07_11;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query for Known Hostile Domain gooqlepics com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|gooqlepics|03|com|00|"; fast_pattern:only; reference:url,blog.armorize.com/2011/07/willysycom-mass-injection-ongoing.html; classtype:bad-unknown; sid:2013328; rev:3; metadata:created_at 2011_07_27, updated_at 2011_07_27;)

#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - flickr.com.* "; content:"|05|flickr|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013353; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_08_04, updated_at 2016_07_01;)

#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - picasa.com.* "; content:"|06|picasa|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013354; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_08_04, updated_at 2016_07_01;)

#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - blogger.com.* "; content:"|07|blogger|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013355; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_08_04, updated_at 2016_07_01;)

#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - wordpress.com.* "; content:"|09|wordpress|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013357; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_08_04, updated_at 2016_07_01;)

#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - img.youtube.com.* "; content:"|03|img|07|youtube|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013358; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_08_04, updated_at 2016_07_01;)

#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - upload.wikimedia.com.* "; content:"|06|upload|09|wikimedia|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013359; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_08_04, updated_at 2016_07_01;)

#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - photobucket.com.* "; content:"|0b|photobucket|03|com"; nocase; content:!"|00|"; within:1; content:!"|09|footprint|03|net|00|"; nocase; distance:0; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013360; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_08_04, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious 1px iframe related to Mass Wordpress Injections"; flow:established,from_server; content:"/?go=1|22 20|width=|22|1|22 20|height=|22|1|22|></iframe>"; fast_pattern; content:"<html"; nocase; distance:0; classtype:bad-unknown; sid:2013380; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_08_10, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY ACH - Redirection"; flow:from_server,established; file_data; content:"<title>NACHA</title>"; distance:0; classtype:bad-unknown; sid:2013474; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2011_08_26, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phoenix Java MIDI Exploit Received By Vulnerable Client"; flow:established,to_client; file_data; flowbits:isset,ET.http.javaclient.vulnerable; content:"META-INF/services/javax.sound.midi.spi.MidiDeviceProvider"; distance:0; classtype:bad-unknown; sid:2013484; rev:2; metadata:created_at 2011_08_29, updated_at 2011_08_29;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phoenix Java MIDI Exploit Received"; flow:established,to_client; file_data; flowbits:isset,ET.http.javaclient; content:"META-INF/services/javax.sound.midi.spi.MidiDeviceProvider"; distance:0; classtype:bad-unknown; sid:2013485; rev:2; metadata:created_at 2011_08_29, updated_at 2011_08_29;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phoenix landing page JAVASMB"; flow:established,to_client; file_data; content:"JAVASMB()"; distance:0; classtype:bad-unknown; sid:2013486; rev:1; metadata:created_at 2011_08_30, updated_at 2011_08_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Likely Generic Java Exploit Attempt Request for Java to decimal host"; flow:established,to_server; content:" Java/1"; http_header; pcre:"/Host\x3a \d{8,10}(\x0d\x0a|\x3a\d{1,5}\x0d\x0a)/H"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013487; rev:4; metadata:created_at 2011_08_30, updated_at 2011_08_30;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Known Fraudulent DigiNotar SSL Certificate for google.com"; flow:established,from_server; content:"|0C 76 DA 9C 91 0C 4E 2C 9E FE 15 D0 58 93 3C 4C|"; content:"google.com"; within:250; reference:url,www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx; classtype:misc-activity; sid:2013500; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2011_08_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Driveby Generic Java Exploit Attempt"; flow:established,to_client; content:" codebase=|22|C|3a 5c|Program Files|5c|java|5c|jre6|5c|lib|5c|ext|22| code="; nocase; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013551; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2011_09_09, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Driveby Generic Java Exploit Attempt 2"; flow:established,to_client; content:" codebase=|22|C|3a 5c|Program Files (x86)|5c|java|5c|jre6|5c|lib|5c|ext|22| code="; nocase; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013552; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2011_09_09, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Landing Response Malicious JavaScript"; flow:established,from_server; content:"<html><body><script>|0d 0a|"; fast_pattern; nocase; content:"document.createElement"; within:50; content:"|28|String["; distance:0; pcre:"/,[0-9\.]+\*\d,[a-z]\+\d+,[0-9\.]+\*\d,[a-z]\+\d+,[0-9\.]+\*\d,[a-z]\+\d+,/iR"; classtype:bad-unknown; sid:2013660; rev:3; metadata:created_at 2011_09_15, updated_at 2011_09_15;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Exploit kit worms.jar"; flow:established,to_server; content:"pack200"; http_header; content:" Java/"; http_header; content:"/worms.jar"; http_uri; classtype:trojan-activity; sid:2013661; rev:1; metadata:created_at 2011_09_15, updated_at 2011_09_15;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Crimepack Java exploit attempt(2)"; flow:from_server,established; file_data; content:"PK"; distance:0; content:"META-INF/MANIFEST"; within:50; content:"PK"; within:150; nocase; content:"Exploit|24 31 24 31 2E|class"; distance:0; fast_pattern; classtype:web-application-attack; sid:2013662; rev:2; metadata:created_at 2011_09_16, updated_at 2011_09_16;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit reporting Java and PDF state"; flow:established,to_server; content:"_js?java="; http_uri; fast_pattern; content:"&adobe_pdf="; http_uri; distance:0; pcre:"/\/[a-f0-9]{60,}_js\?/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013690; rev:2; metadata:created_at 2011_09_23, updated_at 2011_09_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Java requesting malicious JAR"; flow:established,to_server; content:"_jar"; http_uri; fast_pattern; content:"|20|Java/"; http_header; pcre:"/\/[a-f0-9]{60,}_jar$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013691; rev:2; metadata:created_at 2011_09_23, updated_at 2011_09_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit request for pdf_err__Error__Unspecified"; flow:established,to_server; content:"/pdf_err__Error__Unspecified error..gif"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013693; rev:6; metadata:created_at 2011_09_23, updated_at 2011_09_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Java requesting malicious EXE"; flow:established,to_server; content:"_exe"; http_uri; fast_pattern; content:"|20|Java/"; http_header; pcre:"/\/[a-f0-9]{60,}_exe$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013692; rev:2; metadata:created_at 2011_09_23, updated_at 2011_09_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit x.jar?o="; flow:established,to_server; content:"/x.jar?o="; http_uri; content:"|20|Java/"; http_header; classtype:trojan-activity; sid:2013696; rev:2; metadata:created_at 2011_09_27, updated_at 2011_09_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit lo.class"; flow:established,to_server; content:"/lo.class"; http_uri; content:"|20|Java/"; http_header; classtype:trojan-activity; sid:2013697; rev:2; metadata:created_at 2011_09_27, updated_at 2011_09_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit lo2.jar"; flow:established,to_server; content:"/lo2.jar"; http_uri; content:"|20|Java/"; http_header; classtype:trojan-activity; sid:2013698; rev:2; metadata:created_at 2011_09_27, updated_at 2011_09_27;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit applet landing"; flow:established,from_server; file_data; content:"<html>|0d 0a|<body>|0d 0a|<applet archive="; distance:0; content:"width=|22|0|22| height=|22|0|22|></applet>|0d 0a|</body>|0d 0a|</body></html>"; distance:0; classtype:trojan-activity; sid:2013699; rev:2; metadata:created_at 2011_09_27, updated_at 2011_09_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Saturn Exploit Kit binary download request"; flow:established,to_server; content:"/dl/"; depth:4; http_uri; fast_pattern; content:".php?"; http_uri; pcre:"/\/dl\/\w{1,4}\.php\?[0-9]$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013775; rev:3; metadata:created_at 2011_10_13, updated_at 2011_10_13;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Saturn Exploit Kit probable Java exploit request"; flow:established,to_server; content:"/dl/apache.php"; depth:14; http_uri; classtype:trojan-activity; sid:2013776; rev:5; metadata:created_at 2011_10_13, updated_at 2011_10_13;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Saturn Exploit Kit probable Java MIDI exploit request"; flow:established,to_server; content:"/dl/jsm.php"; depth:14; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013777; rev:3; metadata:created_at 2011_10_13, updated_at 2011_10_13;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Self Signed SSL Certificate CN of common Possible SSL CnC"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"common1|1b|0"; classtype:bad-unknown; sid:2013805; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2011_10_25, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Self Signed SSL Certificate with admin@common Possible SSL CnC"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"admin@common"; classtype:bad-unknown; sid:2013806; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2011_10_25, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito Exploit Kit Java request to showthread.php?t="; flow:established,to_server; content:"/showthread.php?t="; http_uri; content:"|29 20|Java/"; http_header; pcre:"/^\/showthread\.php\?t=\d+$/Ui"; reference:url,research.zscaler.com/2012/01/popularity-of-exploit-kits-leading-to.html; classtype:trojan-activity; sid:2013916; rev:4; metadata:created_at 2011_11_16, updated_at 2011_11_16;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Jupiter Exploit Kit Landing Page with Malicious Java Applets"; flow:established,from_server; content:"<applet"; content:"code="; content:".jar"; distance:0; content:"u//FCyy"; within:50; fast_pattern; content:"</applet>"; within:100; classtype:bad-unknown; sid:2013955; rev:4; metadata:created_at 2011_11_23, updated_at 2011_11_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Neosploit Java Exploit Kit request to /? plus hex 32"; flow:established,to_server; content:"/?"; http_uri; fast_pattern; content:" Java/"; http_header; pcre:"/^\/\?[a-f0-9]{32}$/U"; classtype:trojan-activity; sid:2013975; rev:2; metadata:created_at 2011_11_30, updated_at 2011_11_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lilupophilupop Injected Script Being Served to Client"; flow:established,to_client; content:"|3C|script src=|22|http|3A|//lilupophilupop.com/sl.php|22|>|3C 2F|script>"; nocase; classtype:bad-unknown; sid:2013978; rev:2; metadata:created_at 2011_12_02, updated_at 2011_12_02;)

#alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Lilupophilupop Injected Script Being Served from Local Server"; flow:established,from_server; content:"|3C|script src=|22|http|3A|//lilupophilupop.com/sl.php|22|>|3C 2F|script>"; nocase; classtype:bad-unknown; sid:2013979; rev:2; metadata:created_at 2011_12_02, updated_at 2011_12_02;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Universal 3D file corrupted download 1"; flow:established,from_server; file_data; content:"/Subtype /U3D"; distance:0; content:"<</Author (Fo) /email (fo@gmail.com) /web (fo.googlepages.com)"; distance:0; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; classtype:bad-unknown; sid:2013996; rev:1; metadata:created_at 2011_12_08, updated_at 2011_12_08;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Universal 3D file corrupted download 2"; flow:established,from_server; file_data; content:"/Subtype /U3D"; distance:0; content:"/Contents (a pwning u3d model) /3DI false > /3DA << /A /PO /DIS /I >> /Rect [0 0 640 480] /3DD 10 0 R /F 7 >>"; distance:0; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; classtype:bad-unknown; sid:2013997; rev:2; metadata:created_at 2011_12_08, updated_at 2011_12_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Probable Scalaxy exploit kit secondary request"; flow:established,to_server; content:"=1.6.0_"; http_uri; fast_pattern:only; pcre:"/^\/[a-z][0-9a-z_+=-]{10,30}\?\w=[0-9.]+\&\w=1.6.0_\d\d$/Ui"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014024; rev:5; metadata:created_at 2011_12_12, updated_at 2011_12_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Probable Scalaxy exploit kit Java or PDF exploit request"; flow:established,to_server; content:"/"; http_uri; offset:2; depth:3; urilen:35; pcre:"/\/[a-z]\/[0-9a-f]{32}$/U"; classtype:bad-unknown; sid:2014025; rev:2; metadata:created_at 2011_12_12, updated_at 2011_12_12;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Base64 in Javascript probably Scalaxy exploit kit"; flow:established,from_server; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; content:"|2b 2f 3d 22 3b|"; fast_pattern; content:"<<18|7c|"; within:500; content:"<<12|7c|"; within:13; content:"<<6|7c|"; within:13; classtype:bad-unknown; sid:2014027; rev:3; metadata:created_at 2011_12_12, updated_at 2011_12_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested com.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/com.class"; http_uri; classtype:trojan-activity; sid:2014031; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2011_12_19, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested org.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/org.class"; http_uri; classtype:trojan-activity; sid:2014032; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2011_12_19, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested edu.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/edu.class"; http_uri; classtype:trojan-activity; sid:2014033; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2011_12_19, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested net.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/net.class"; http_uri; classtype:trojan-activity; sid:2014034; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2011_12_19, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic Java Exploit Obfuscated With Allatori"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"Allatori"; nocase; fast_pattern:only; classtype:bad-unknown; sid:2014036; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2011_12_22, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS MALVERTISING OpenX BrowserDetect.init Download"; flow:established,to_client; content:"OAID="; http_cookie; depth:5; file_data; content:"BrowserDetect.init"; distance:0; classtype:bad-unknown; sid:2014038; rev:3; metadata:created_at 2011_12_22, updated_at 2011_12_22;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS MALVERTISING Alureon Malicious IFRAME"; flow:established,to_client; file_data; content:"name=\"Twitter\" scrolling=\"auto\" frameborder=\"no\" align=\"center\" height = \"1px\" width = \"1px\"></iframe>"; classtype:bad-unknown; sid:2014039; rev:1; metadata:created_at 2011_12_22, updated_at 2011_12_22;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS User-Agent used in Injection Attempts"; flow:established,to_server; content:"User-Agent|3a| MOT-MPx220/1.400 Mozilla/4.0"; http_header; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2011-December/016882.html; classtype:trojan-activity; sid:2014054; rev:1; metadata:created_at 2011_12_30, updated_at 2011_12_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Document.write Long Backslash UTF-16 Encoded Content - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; content:"document.write|28 22 5C|u"; nocase; isdataat:100,relative; content:!"|29|"; within:100; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:70; content:"|5C|u"; nocase; distance:4; within:2; flowbits:set,et.exploitkitlanding; flowbits:noalert; reference:url,www.kahusecurity.com/2011/elaborate-black-hole-infection/; classtype:bad-unknown; sid:2014096; rev:6; metadata:created_at 2012_01_04, updated_at 2012_01_04;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excessive new Array With Newline - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; content:" = new Array|28 29 3B|"; fast_pattern; nocase; content:" = new Array|28 29 3B|"; nocase; within:100; content:" = new Array|28 29 3B|"; nocase; content:" = new Array|28 29 3B|"; nocase; within:100; content:" = new Array|28 29 3B|"; nocase; content:" = new Array|28 29 3B|"; nocase; within:100; flowbits:set,et.exploitkitlanding; flowbits:noalert; reference:url,www.kahusecurity.com/2011/elaborate-black-hole-infection/; classtype:bad-unknown; sid:2014097; rev:3; metadata:created_at 2012_01_04, updated_at 2012_01_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Version Check with hidden applet"; flow:established,from_server; file_data; content:"deployJava.versionCheck|28|"; distance:0; content:"<applet"; nocase; distance:0; content:"hidden"; within:200; nocase; pcre:"/\x3capplet[^\x3e]+visibility[^\x3e]+hidden[^\x3e]/i"; classtype:trojan-activity; sid:2014136; rev:4; metadata:created_at 2012_01_18, updated_at 2012_01_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Driveby Delivered Malicious PDF"; flow:established,from_server; file_data; content:"%PDF"; within:4; content:"/Author (yvp devo)/Creator (bub lob)"; distance:0; classtype:trojan-activity; sid:2014142; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_01_23, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sakura Exploit Kit Landing Page Request"; flow:established,to_server; content:".php?s="; http_uri; pcre:"/\.php\?s=[0-9a-fA-F]{25}$/U"; flowbits:set,et.exploitkitlanding; reference:url,xylibox.blogspot.com/2012/01/sakura-exploit-pack-10.html; classtype:bad-unknown; sid:2014147; rev:1; metadata:created_at 2012_01_23, updated_at 2012_01_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sakura Exploit Kit Binary Load Request"; flow:established,to_server; content:"/load.php?spl="; http_uri; pcre:"/\/load\.php\?spl=[-_\w]+$/U"; classtype:attempted-user; sid:2014148; rev:1; metadata:created_at 2012_01_23, updated_at 2012_01_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Known Malicious Link Leading to Exploit Kits (t.php?id=is1)"; flow:established,to_server; content:"/t.php?id=is1"; http_uri; classtype:bad-unknown; sid:2014151; rev:1; metadata:created_at 2012_01_26, updated_at 2012_01_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY PDF Containing Subform with JavaScript"; flow:established,to_client; file_data; content:"%PDF"; within:4; content:"subform"; nocase; distance:0; fast_pattern; content:"script"; nocase; distance:0; reference:cve,2017-2962; classtype:attempted-user; sid:2014154; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_01_27, updated_at 2017_01_06;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS JavaScript Obfuscation JSXX Script"; flow:established,to_client; file_data; content:"Encrypt "; content:"JSXX"; fast_pattern; distance:0; content:"VIP"; within:100; reference:cve,2012-0003; reference:url,eromang.zataz.com/2012/10/22/gong-da-gondad-exploit-pack-evolutions/; classtype:attempted-user; sid:2014155; rev:4; metadata:created_at 2012_01_27, updated_at 2012_01_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Unknown Landing Page Received"; flow:established,from_server; file_data; content:"<applet code="; within:35; content:".class"; distance:0; content:".jar"; distance:0; content:".pdf"; distance:0; classtype:attempted-user; sid:2014168; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_01_27, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Yang Pack Exploit Kit Landing Page Known JavaScript Function Detected"; flow:established,to_client; content:"function booom"; nocase; fast_pattern:only; pcre:"/function\x20booom[1-3]{1}\x28\x29/smi"; reference:url,www.kahusecurity.com/2012/chinese-exploit-packs/; classtype:trojan-activity; sid:2014197; rev:1; metadata:created_at 2012_02_06, updated_at 2012_02_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Exploit Kit Exploiting IEPeers"; flow:established,to_client; content:"booom["; content:"booom["; distance:0; content:"booom["; distance:0; content:"booom["; distance:0; content:"booom["; distance:0; content:"booom["; distance:0; content:"booom["; distance:0; reference:url,www.kahusecurity.com/2011/cve-2011-2140-caught-in-the-wild/; reference:cve,2010-0806; classtype:trojan-activity; sid:2014199; rev:1; metadata:created_at 2012_02_07, updated_at 2016_11_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CUTE-IE.html CutePack Exploit Kit Landing Page Request"; flow:established,to_server; content:"/CUTE-IE.html"; nocase; http_uri; reference:url,www.kahusecurity.com/2012/chinese-exploit-packs/; classtype:trojan-activity; sid:2014203; rev:2; metadata:created_at 2012_02_07, updated_at 2012_02_07;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CutePack Exploit Kit JavaScript Variable Detected"; flow:established,to_client; content:"var Cute"; nocase; fast_pattern:only; pcre:"/var\x20Cute(Money|Power|Shine)/smi"; reference:url,www.kahusecurity.com/2012/chinese-exploit-packs/; classtype:trojan-activity; sid:2014204; rev:1; metadata:created_at 2012_02_07, updated_at 2012_02_07;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CUTE-IE.html CutePack Exploit Kit Iframe for Landing Page Detected"; flow:established,to_client; content:"/CUTE-IE.html"; nocase; fast_pattern:only; pcre:"/iframe[^\r\n]*\x2FCUTE-IE\x2Ehtml/smi"; reference:url,www.kahusecurity.com/2012/chinese-exploit-packs/; classtype:trojan-activity; sid:2014205; rev:1; metadata:created_at 2012_02_07, updated_at 2012_02_07;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CutePack Exploit Kit Landing Page Detected"; flow:established,to_client; content:"button id=|22|evilcute|22|"; nocase; fast_pattern:only; reference:url,www.kahusecurity.com/2012/chinese-exploit-packs/; classtype:trojan-activity; sid:2014206; rev:1; metadata:created_at 2012_02_07, updated_at 2012_02_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Java Rhino Scripting Engine Exploit Downloaded"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"com.class"; content:"edu.class"; content:"net.class"; content:"org.class"; classtype:bad-unknown; sid:2014243; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_02_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Java Atomic Exploit Downloaded"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:",CAFEBABE00000030007A0A002500300A003100320700"; classtype:bad-unknown; sid:2014295; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_02_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Dadong Exploit Kit Downloaded"; flow:established,from_server; flowbits:set,et.exploitkitlanding; content:"indexOf(|22|dadong=|22|)=="; fast_pattern:only; metadata: former_category CURRENT_EVENTS; reference:url,www.kahusecurity.com/2012/chinese-pack-using-dadongs-jsxx-vip-script/; classtype:trojan-activity; sid:2025037; rev:2; metadata:created_at 2012_03_01, updated_at 2017_11_27;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Content Using Dadongs JSXX 0.41 VIP Obfuscation Script"; flow:established,to_client; content:"document.cookie=|22|dadong"; fast_pattern:17,6; nocase; reference:url,www.kahusecurity.com/2012/chinese-pack-using-dadongs-jsxx-vip-script/; classtype:bad-unknown; sid:2014308; rev:1; metadata:created_at 2012_03_05, updated_at 2012_03_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Incognito Payload Download /load/*exe"; flow:established,from_server; content:"Content-Disposition|3a| inline"; nocase; http_header; content:".exe"; http_header; content:"load/"; http_header; fast_pattern; file_data; content:"MZ"; within:2; classtype:attempted-user; sid:2014314; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_03_05, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Incognito libtiff PDF Exploit Requested"; flow:established,to_server; content:"/lib.php"; http_uri; content:".php?showtopic="; http_header; classtype:trojan-activity; sid:2014315; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_03_05, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Incognito libtiff PDF Exploit Recieved"; flow:established,from_server; content:"Content-Disposition|3a| inline"; nocase; http_header; content:".pdf"; http_header; file_data; content:"%PDF-"; within:5; content:"<</Filter/FlateDecode /Length"; within:64; classtype:trojan-activity; sid:2014316; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_03_05, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Clickpayz redirection to *.clickpayz.com"; flow:established,from_server; content:"30"; http_stat_code; depth:2; content:"clickpayz.com/"; http_header; classtype:bad-unknown; sid:2014318; rev:2; metadata:created_at 2012_03_05, updated_at 2012_03_05;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Dadong Java Exploit Requested"; flow:established,to_server; content:"/Gondad.jpg"; nocase; http_uri; content:" Java/1"; http_header; classtype:bad-unknown; sid:2014319; rev:1; metadata:created_at 2012_03_05, updated_at 2012_03_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Compromised Wordpress Redirect"; flow:established,to_server; content:"GET"; http_method; content:"/mm.php?d=1"; http_uri; content:".rr.nu"; http_header; pcre:"/Host\x3A\x20[^\r\n]*.rr.nu/H"; reference:url,community.websense.com/blogs/securitylabs/archive/2012/03/02/mass-injection-of-wordpress-sites.aspx; classtype:attempted-user; sid:2014334; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_03_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RogueAV Wordpress Injection Campaign Compromised Page Served to Local Client"; flow:established,to_client; content:".rr.nu/mm.php?d=1|22|><|2F|script>"; nocase; fast_pattern:only; reference:url,community.websense.com/blogs/securitylabs/archive/2012/03/05/mass-injection-of-wordpress-sites.aspx; classtype:attempted-user; sid:2014337; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_03_08, updated_at 2016_07_01;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RougeAV Wordpress Injection Campaign Compromised Page Served From Local Compromised Server"; flow:established,from_server; content:".rr.nu/mm.php?d=1|22|><|2F|script>"; nocase; fast_pattern:only; reference:url,community.websense.com/blogs/securitylabs/archive/2012/03/05/mass-injection-of-wordpress-sites.aspx; classtype:successful-admin; sid:2014338; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_03_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Scalaxy Exploit Kit URL template download"; flow:established,from_server; content:"<script>a=|22|http|3a|//"; content:"/tttttt"; fast_pattern; within:50; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014362; rev:2; metadata:created_at 2012_03_09, updated_at 2012_03_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY EgyPack Exploit Kit Cookie Set"; flow:established,from_server; content:"visited=TRUE"; fast_pattern; content:"visited=TRUE"; http_cookie; content:"mutex="; http_cookie; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:bad-unknown; sid:2014407; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_03_21, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY EgyPack Exploit Kit Cookie Present"; flow:established,to_server; content:"ited=TRUE|3b| mutex="; fast_pattern:only; content:"visited=TRUE|3b| mutex="; http_cookie; depth:20; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:bad-unknown; sid:2014408; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_03_21, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Rhino Exploit Attempt - evilcode.class"; flow:established,to_client; content:"code=|22|evilcode.class|22|"; nocase; fast_pattern:only; reference:cve,2011-3544; classtype:attempted-user; sid:2014429; rev:5; metadata:created_at 2012_03_26, updated_at 2012_03_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Unknown - news=1 in http_cookie"; flow:established,to_client; content:" news=1"; content:"news=1"; http_cookie; within:6; classtype:bad-unknown; sid:2014438; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_03_28, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Dynamic DNS Exploit Pack Landing Page /de/sN"; flow:established,to_server; content:"/de/s"; http_uri; depth:5; urilen:6; flowbits:set,et.exploitkitlanding;  classtype:bad-unknown; sid:2014446; rev:2; metadata:created_at 2012_03_30, updated_at 2012_03_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Dynamic Dns Exploit Pack Java exploit"; flow:established,to_server; content:"/de/"; http_uri; depth:4; content:".jar"; http_uri;  distance:32;  within:4; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014447; rev:3; metadata:created_at 2012_03_30, updated_at 2012_03_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Italian Spam Campaign"; flow:established,to_server; content:"/Dettagli.zip"; http_uri; reference:md5,c64504b68d34b18a370f5e77bd0b0337; classtype:trojan-activity; sid:2014458; rev:2; metadata:created_at 2012_04_03, updated_at 2012_04_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Exploit Kit Delivering JAR Archive to Client"; flow:established,to_client; flowbits:isset,et.exploitkitlanding; file_data; content:"|50 4B 03 04 14 00 08 00 08 00|"; within:10; classtype:bad-unknown; sid:2014526; rev:1; metadata:created_at 2012_04_06, updated_at 2012_04_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Malicious TDS /indigo?"; flow:to_server,established; content:"/indigo?"; http_uri; pcre:"/\/indigo\?\d+/U"; classtype:bad-unknown; sid:2014539; rev:1; metadata:created_at 2012_04_11, updated_at 2012_04_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS TDS Sutra - redirect received"; flow:established,to_client; content:"302"; http_stat_code; content:" SL_"; content:"_0000="; within:8; classtype:bad-unknown; sid:2014542; rev:2; metadata:created_at 2012_04_12, updated_at 2012_04_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TDS Sutra - request in.cgi"; flow:to_server,established; content:"/in.cgi"; http_uri; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2014543; rev:1; metadata:created_at 2012_04_12, updated_at 2017_11_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS TDS Sutra - cookie set"; flow:established,to_client; content:!"302"; http_stat_code; content:"Set-Cookie|3a| SL_"; content:"_0000="; within:8; classtype:bad-unknown; sid:2014544; rev:3; metadata:created_at 2012_04_12, updated_at 2012_04_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS TDS Sutra - page redirecting to a SutraTDS"; flow:established,to_client; file_data; content:!"[Adblock Plus"; depth:13; content:"/in.cgi?"; distance:0; flowbits:isnotset,ET.opera.adblock; classtype:bad-unknown; sid:2014545; rev:4; metadata:created_at 2012_04_12, updated_at 2017_02_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS TDS Sutra - HTTP header redirecting to a SutraTDS"; flow:established,to_client; content:"/in.cgi"; http_header; classtype:bad-unknown; sid:2014546; rev:4; metadata:created_at 2012_04_12, updated_at 2012_04_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS TDS Sutra - redirect received"; flow:established,to_client; content:"302"; http_stat_code; content:"=_"; content:"_\; domain="; distance:1; within:10; pcre:"/^[a-z]{5}[0-9]{1,2}=_[0-9]{1,2}_/C"; classtype:bad-unknown; sid:2014547; rev:4; metadata:created_at 2012_04_12, updated_at 2012_04_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS TDS Sutra - cookie set"; flow:established,to_client; content:!"302"; http_stat_code; content:"=_"; content:"_\; domain="; distance:1; within:10; pcre:"/^[a-z]{5}[0-9]{1,2}=_[0-9]{1,2}_/C"; classtype:bad-unknown; sid:2014548; rev:2; metadata:created_at 2012_04_12, updated_at 2012_04_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS TDS Sutra - page redirecting to a SutraTDS"; flow:established,to_client; file_data; content:"?igc.ni/"; classtype:bad-unknown; sid:2014549; rev:1; metadata:created_at 2012_04_12, updated_at 2012_04_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Modified Metasploit Jar"; flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"msf|2f|x|2f|Payload"; distance:0; classtype:trojan-activity; sid:2014560; rev:5; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2012_04_13, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS landing page with malicious Java applet"; flow:established,from_server; file_data; content:"code="; distance:0; content:"xploit.class"; distance:2; within:18; classtype:bad-unknown; sid:2014561; rev:2; metadata:created_at 2012_04_13, updated_at 2012_04_13;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS JavaScript Determining OS MAC and Serving Java Archive File"; flow:established,to_client; file_data; content:"<script"; distance:0; content:"navigator.userAgent.indexOf|28 27|Mac|27 29|"; distance:0; nocase; content:"setAttribute|28 27|code|27|"; distance:0; nocase; content:".class"; nocase; distance:0; content:"setAttribute|28 27|archive|27|"; distance:0; nocase; content:".jar"; nocase; distance:0; reference:url,blog.trendmicro.com/another-tibetan-themed-malware-email-campaign-targeting-windows-and-macs/; reference:cve,2011-3544; classtype:bad-unknown; sid:2014565; rev:2; metadata:created_at 2012_04_16, updated_at 2012_04_16;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unkown exploit kit jar download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=MSIE"; http_uri; fast_pattern; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&file="; http_uri; content:".jar"; http_uri; classtype:trojan-activity; sid:2014568; rev:1; metadata:created_at 2012_04_16, updated_at 2012_04_16;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unkown exploit kit version check"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x="; http_uri; content:"&u="; http_uri; content:"&s="; http_uri; content:"&t="; http_uri; content:"&java"; http_uri; fast_pattern; content:"&pdf="; http_uri; content:"&flash="; content:"&qt="; http_uri; classtype:trojan-activity; sid:2014569; rev:3; metadata:created_at 2012_04_16, updated_at 2012_04_16;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS ET CURRENT_EVENTS Italian Spam Campaign ZIP with EXE Containing Many Underscores"; flow:from_server,established; file_data; content:"|50 4b 03 04|"; within:4; byte_test:2,>,50,22,relative; content:"|5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 2e|exe"; distance:22; within:150; classtype:trojan-activity; sid:2014577; rev:1; metadata:created_at 2012_04_16, updated_at 2012_04_16;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nikjju Mass Injection Compromised Site Served To Local Client"; flow:established,from_server; file_data; content:"</title><script src="; nocase; distance:0; content:"http|3a|//"; nocase; within:8; content:"/r.php"; fast_pattern; within:100; content:"></script>"; distance:1; within:10; classtype:attempted-user; sid:2014607; rev:5; metadata:created_at 2012_04_17, updated_at 2012_04_17;)

#alert tcp $HOME_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nikjju Mass Injection Internal WebServer Compromised"; flow:established,from_server; file_data; content:"</title><script src="; nocase; distance:0; content:"http|3a|//"; nocase; within:8; content:"/r.php"; fast_pattern; within:100; content:"></script>"; distance:1; within:10; classtype:attempted-user; sid:2014608; rev:5; metadata:created_at 2012_04_17, updated_at 2012_04_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito Exploit Kit Java request to images.php?t="; flow:established,to_server; content:"/images.php?t="; http_uri; content:"|29 20|Java/"; http_header; pcre:"/^\/images\.php\?t=\d+$/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014609; rev:1; metadata:created_at 2012_04_17, updated_at 2012_04_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS TDS Sutra - cookie set RULEZ"; flow:established,from_server; content:"sutraRULEZcookies"; fast_pattern:only; content:"sutraRULEZcookiessupport"; http_cookie; classtype:trojan-activity; sid:2014611; rev:1; metadata:created_at 2012_04_17, updated_at 2012_04_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TDS Sutra - cookie is set RULEZ"; flow:established,to_server; content:"sutraRULEZcookies"; fast_pattern:only; content:"sutraRULEZcookiessupport"; http_cookie; classtype:trojan-activity; sid:2014612; rev:1; metadata:created_at 2012_04_17, updated_at 2012_04_17;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Jembot PHP Webshell (file upload)"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; nocase; content:"jembot"; http_uri; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014613; rev:2; metadata:created_at 2012_04_17, updated_at 2012_04_17;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Jembot PHP Webshell (system command)"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; nocase;  content:"empix="; http_uri; fast_pattern:only; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014614; rev:2; metadata:created_at 2012_04_17, updated_at 2012_04_17;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Jembot PHP Webshell (hell.php)"; flow:established,to_server; content:"/hell.php"; http_uri; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014615; rev:6; metadata:created_at 2012_04_17, updated_at 2012_04_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito Exploit Kit PDF request to images.php?t=81118"; flow:established,to_server; content:"/images.php?t=81118"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014639; rev:3; metadata:created_at 2012_04_26, updated_at 2012_04_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito Exploit Kit payload request to images.php?t=N"; flow:established,to_server; content:"/images.php?t="; http_uri; urilen:15; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014640; rev:2; metadata:created_at 2012_04_26, updated_at 2012_04_26;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito Exploit Kit landing page request to images.php?t=4xxxxxxx"; flow:established,to_server; content:"/images.php?t="; http_uri; urilen:22; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014641; rev:3; metadata:created_at 2012_04_26, updated_at 2012_04_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unkown exploit kit pdf download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=x"; http_uri; fast_pattern; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&file="; http_uri; content:".pdf"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014657; rev:2; metadata:created_at 2012_04_30, updated_at 2012_04_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unkown exploit kit payload download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=x"; http_uri; fast_pattern; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&spl="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014658; rev:2; metadata:created_at 2012_04_30, updated_at 2012_04_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic - Redirection to Kit - BrowserDetect with var stopit"; flow:established,from_server; file_data; content:"var stopit = BrowserDetect.browser"; classtype:trojan-activity; sid:2014665; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_05_02, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Bleeding Life 2 GPLed Exploit Pack exploit request"; flow:to_server,established; content:"/load_module.php?e="; http_uri; classtype:trojan-activity; sid:2014705; rev:3; metadata:created_at 2012_05_03, updated_at 2012_05_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Bleeding Life 2 GPLed Exploit Pack payload request (exploit successful!)"; flow:established,to_server; content:"/download_file.php?e="; http_uri; classtype:trojan-activity; sid:2014706; rev:2; metadata:created_at 2012_05_03, updated_at 2012_05_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Bleeding Life 2 GPLed Exploit Pack payload download"; flow:established,from_server; content:"filename=payload.exe.exe|0d 0a|"; http_header; classtype:trojan-activity; sid:2014707; rev:3; metadata:created_at 2012_05_03, updated_at 2012_05_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FakeAV Landing Page - Viruses were found"; flow:established,from_server; file_data; content:">Viruses were found on your computer!</"; fast_pattern; content:"images/alert.png"; classtype:bad-unknown; sid:2014729; rev:1; metadata:created_at 2012_05_10, updated_at 2012_05_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Redkit Java Exploit request to /24842.jar"; flow:established,to_server; content:"/24842.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014749; rev:2; metadata:created_at 2012_05_14, updated_at 2012_05_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito/RedKit Exploit Kit vulnerable Java payload request to /1digit.html"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; urilen:7; content:".html"; http_uri; content:" Java/1"; http_header; pcre:"/\/[0-9]\.html$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014750; rev:3; metadata:created_at 2012_05_14, updated_at 2012_05_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Nuclear/Safe/CritX/FlashPack - Java Request - 32char hex-ascii"; flow:to_server,established; content:".jar"; offset:32; http_uri; fast_pattern; content:" Java/1"; http_header; pcre:"/\/[a-z0-9]{32}\.jar$/U"; classtype:bad-unknown; sid:2014751; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2012_05_17, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fragus Exploit jar Download"; flow:established,to_server; content:"_.jar?"; http_uri; pcre:"/\w_\.jar\?[a-f0-9]{8}$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014802; rev:2; metadata:created_at 2012_05_23, updated_at 2017_03_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown java_ara Bin Download"; flow:established,to_server; content:"java_ara&name="; http_uri; content:"/forum/"; http_uri; content:".php?"; http_uri; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2014805; rev:1; metadata:created_at 2012_05_23, updated_at 2012_05_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Wordpress timthumb look-alike domain list RFI"; flow:to_server,established; content:"/timthumb.php?"; http_uri; content:!"webshot=1"; http_uri; distance:0; content:"src="; http_uri; distance:0; content:"http"; http_uri; distance:0; pcre:"/src\s*=\s*https?\x3A\x2f+[^\x2f]*?(?:(?:(?:(?:static)?flick|blogge)r|p(?:hotobucket|icasa)|wordpress|tinypic)\.com|im(?:g(?:\.youtube|ur)\.com|ageshack\.us)|upload\.wikimedia\.org)[^\x2f]/Ui"; reference:url,code.google.com/p/timthumb/issues/detail?id=212; classtype:web-application-attack; sid:2014846; rev:10; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_05_29, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS FedEX Spam Inbound"; flow:established,to_server; content:"name=|22|FEDEX"; nocase; content:".zip|22|"; within:47; nocase; pcre:"/name=\x22FEDEX(\s|_|\-)?[a-z0-9\-_\.\s]{0,42}\.zip\x22/i"; classtype:trojan-activity; sid:2014827; rev:2; metadata:created_at 2012_05_30, updated_at 2012_05_30;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS UPS Spam Inbound"; flow:established,to_server; content:"name=|22|"; nocase; content:"UPS"; nocase; within:11; content:".zip|22|"; within:74; nocase; pcre:"/name=\x22([a-z_]{0,8})?UPS(\s|_|\-)?[a-z0-9\-_\.\s]{0,69}\.zip\x22/i"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014828; rev:2; metadata:created_at 2012_05_30, updated_at 2017_12_11;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Post Express Spam Inbound"; flow:established,to_server; content:"name=|22|Post_Express_Label_"; nocase; content:".zip|22|"; within:15; nocase; pcre:"/name=\x22Post_Express_Label_[a-z0-9\-_\.\s]{0,10}\.zip\x22/i"; classtype:trojan-activity; sid:2014829; rev:1; metadata:created_at 2012_05_30, updated_at 2012_05_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS php with eval/gzinflate/base64_decode possible webshell"; flow:to_client,established; file_data; content:"<?"; distance:0; content:"eval(gzinflate(base64_decode("; distance:0; reference:url,blog.sucuri.net/2012/05/list-of-domains-hosting-webshells-for-timthumb-attacks.html; classtype:web-application-attack; sid:2014847; rev:5; metadata:created_at 2012_05_30, updated_at 2012_05_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS webshell used In timthumb attacks GIF98a 16129xX with PHP"; flow:to_client,established; file_data; content:"GIF89a|01 3f|"; within:8; content:"<?"; within:720; reference:url,blog.sucuri.net/2012/05/list-of-domains-hosting-webshells-for-timthumb-attacks.html; classtype:web-application-attack; sid:2014848; rev:1; metadata:created_at 2012_06_01, updated_at 2012_06_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sakura Exploit Kit Version 1.1 Archive Request"; flow:established,to_server; content:"/getfile.php?i="; http_uri; content:"&key="; http_uri; pcre:"/\x2Fgetfile\x2Ephp\x3Fi\x3D[0-9]\x26key\x3D[a-f0-9]{32}$/Ui"; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:trojan-activity; sid:2014851; rev:1; metadata:created_at 2012_06_04, updated_at 2012_06_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Sakura Exploit Kit Version 1.1 document.write Fake 404 - Landing Page"; flow:established,to_client; content:"document.write(|22|404|22 3B|"; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:trojan-activity; sid:2014852; rev:2; metadata:created_at 2012_06_04, updated_at 2012_06_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura Exploit Kit Version 1.1 Applet Value lxxt"; flow:established,to_client; file_data; content:"value=|22|lxxt>33"; fast_pattern:only; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:trojan-activity; sid:2014853; rev:3; metadata:created_at 2012_06_04, updated_at 2012_06_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Likely TDS redirecting to exploit kit"; flow:established,to_server; content:".php?go="; http_uri; pcre:"/\.php\?go=\d$/U"; classtype:bad-unknown; sid:2014854; rev:3; metadata:created_at 2012_06_04, updated_at 2012_06_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Redirect to driveby sid=mix"; flow:to_server,established; content:"/go.php?sid=mix"; http_uri; classtype:bad-unknown; sid:2014866; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_06_07, updated_at 2016_07_01;)

alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SN and CN From MS TS Revoked Cert Chain Seen"; flow:established,from_server; content:"|c1 00 8b 3c 3c 88 11 d1 3e f6 63 ec df 40|"; content:"Microsoft Root Authority"; distance:105; within:24; content:"Microsoft Enforced Licensing Intermediate PCA"; distance:0; content:"|61 1a 02 b7 00 02 00 00 00 12|"; distance:0; content:"Microsoft Enforced Licensing Registration Authority CA"; distance:378; within:54; reference:url,blog.crysys.hu/2012/06/the-flame-malware-wusetupv-exe-certificate-chain/; reference:url,rmhrisk.wpengine.com/?p=52; reference:url,msdn.microsoft.com/en-us/library/aa448396.aspx; reference:md5,1f61d280067e2564999cac20e386041c; classtype:bad-unknown; sid:2014870; rev:3; metadata:created_at 2012_06_08, updated_at 2012_06_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Request to malicious SutraTDS - lonly= in cookie"; flow:established,to_server; content:" lonly="; fast_pattern:only; content:" lonly="; http_cookie; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2014884; rev:1; metadata:created_at 2012_06_08, updated_at 2017_03_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit - Java Exploit Requested - 5 digit jar"; flow:established,to_server; urilen:10; content:".jar"; http_uri; pcre:"/^\/[0-9]{5}\.jar$/U"; classtype:trojan-activity; sid:2014891; rev:2; metadata:created_at 2012_06_14, updated_at 2012_06_14;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit - Jar File Naming Algorithm"; flow:established,to_client; content:"Content-Disposition: inline"; http_header; nocase; content:".jar"; http_header; fast_pattern; content:"|0D 0A 0D 0A|PK"; pcre:"/=[0-9a-f]{8}\.jar/H"; classtype:trojan-activity; sid:2014892; rev:3; metadata:created_at 2012_06_14, updated_at 2012_06_14;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit - Landing Page Received - applet and code"; flow:established,to_client; content:"<applet"; content:"code="; pcre:"/code=\"[a-z]\.[a-z][\.\"][ c]/"; classtype:trojan-activity; sid:2014895; rev:5; metadata:created_at 2012_06_15, updated_at 2012_06_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown - Java Request  - gt 60char hex-ascii"; flow:established,to_server; urilen:>60; content:" Java/1."; http_header; fast_pattern; content:"User-Agent|3A| Mozilla"; http_header; pcre:"/[\/\?][a-z0-9]{60,66}[\;0-9]/Ui"; classtype:trojan-activity; sid:2014912; rev:6; metadata:created_at 2012_06_15, updated_at 2012_06_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - JAR Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".jar"; http_header; pcre:"/=[.\"]\w{8}\.jar/Hi"; content:"|0D 0A 0D 0A|PK"; fast_pattern; classtype:trojan-activity; sid:2014913; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2012_06_15, malware_family Nuclear, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - PDF Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".pdf"; http_header; pcre:"/=\w{8}\.pdf/Hi"; content:"|0D 0A 0D 0A|%PDF"; fast_pattern; content:"/Filter/FlateDecode"; classtype:trojan-activity; sid:2014914; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2012_06_15, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - Landing Page Received - applet archive=32CharHex"; flow:established,to_client; content:"<applet"; content:"archive=|22|"; pcre:"/^\?[a-f0-9]{32}\" /R"; classtype:trojan-activity; sid:2014915; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2012_06_15, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Incognito Landing Page Requested .php?showtopic=6digit"; flow:established,to_server; flowbits:noalert; flowbits:set,ET.http.driveby.incognito.uri; urilen:25<>45; content:".php?showtopic="; http_uri; pcre:"/\.php\?showtopic=[0-9]{6}$/U"; classtype:trojan-activity; sid:2014922; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_06_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Incognito Landing Page Received applet and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.incognito.uri; content:"<applet"; classtype:attempted-user; sid:2014923; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_06_19, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Incognito Payload Requested /getfile.php by Java Client"; flow:established,to_server; content:"/getfile.php?"; http_uri; content:"Java/1"; http_header; classtype:attempted-user; sid:2014924; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_06_19, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Java Malicious Jar /eeltff.jar"; flow:to_server,established; content:"/eeltff.jar"; nocase; http_uri; classtype:trojan-activity; sid:2014927; rev:1; metadata:created_at 2012_06_20, updated_at 2012_06_20;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown - Java Request .jar from dl.dropbox.com"; flow:established,to_server; content:"dl.dropbox.com|0D 0A|"; http_header; content:" Java/1"; http_header; content:".jar"; http_uri; classtype:bad-unknown; sid:2014928; rev:2; metadata:created_at 2012_06_20, updated_at 2012_06_20;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Request to .in FakeAV Campaign June 19 2012 exe or zip"; flow:established,to_server; content:"setup."; fast_pattern:only; http_uri; content:".in|0d 0a|"; http_header; pcre:"/\/[a-f0-9]{16}\/([a-z0-9]{1,3}\/)?setup\.(exe|zip)$/U"; pcre:"/^Host\x3a\s.+\.in\r?$/Hmi"; metadata: former_category CURRENT_EVENTS; reference:url,isc.sans.edu/diary/+Vulnerabilityqueerprocessbrittleness/13501; classtype:trojan-activity; sid:2014929; rev:2; metadata:created_at 2012_06_21, updated_at 2017_12_11;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript redirecting to badness 21 June 2012"; flow:established,from_server; file_data; content:"javascript'>var wow="; content:"Date&&"; distance:12; within:60; classtype:bad-unknown; sid:2014930; rev:1; metadata:created_at 2012_06_21, updated_at 2012_06_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Landing Page"; flow:established,to_client; content:"eval(function(p,a,c,"; content:"|7C|zzz|7C|"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014934; rev:3; metadata:created_at 2012_06_22, updated_at 2017_04_28;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Landing Page Received - foxxysoftware"; flow:established,to_client; content:"|7C|foxxysoftware|7C|"; classtype:trojan-activity; sid:2014935; rev:3; metadata:created_at 2012_06_22, updated_at 2012_06_22;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Landing Page Received - applet and 0px"; flow:established,to_client; content:"<applet"; content:"'0px'"; within:20; classtype:trojan-activity; sid:2014936; rev:3; metadata:created_at 2012_06_22, updated_at 2012_06_22;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Base64 - Java Exploit Requested - /1Digit"; flow:established,to_server; urilen:2; content:" Java/1"; http_header; pcre:"/^\/[0-9]$/U"; classtype:trojan-activity; sid:2014959; rev:1; metadata:created_at 2012_06_25, updated_at 2012_06_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Base64 - Landing Page Received - base64encode(GetOs()"; flow:established,to_client; content:"base64encode(GetOs()"; classtype:trojan-activity; sid:2014960; rev:1; metadata:created_at 2012_06_25, updated_at 2012_06_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic - PDF with NEW PDF EXPLOIT"; flow:established,to_client; file_data; content:"%PDF"; within:4; fast_pattern; content:"NEW PDF EXPLOIT"; classtype:trojan-activity; sid:2014966; rev:2; metadata:created_at 2012_06_26, updated_at 2012_06_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS - Landing Page Requested - 15Alpha1Digit.php"; flow:established,to_server; urilen:21; content:"GET"; http_method; content:".php"; http_uri; pcre:"/^\/[a-z]{15}[0-9]\.php$/U"; classtype:trojan-activity; sid:2014967; rev:2; metadata:created_at 2012_06_26, updated_at 2012_06_26;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown - Java Exploit Requested - 13-14Alpha.jar"; flow:established,to_server; urilen:16<>19; content:".jar"; http_uri; fast_pattern; content:" Java/1"; http_header; pcre:"/^\/[a-z]{13,14}\.jar$/U"; classtype:trojan-activity; sid:2014969; rev:1; metadata:created_at 2012_06_26, updated_at 2012_06_26;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Runforestrun Malware Campaign Infected Website"; flow:established,to_client; content:"setAttribute|28 22|src|22|, |22|http|3A|//|22| + "; nocase; content:"+ |22|/runforestrun?sid="; fast_pattern; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-062103-1655-99; reference:url,isc.sans.edu/diary/Run+Forest+/13540; reference:url,isc.sans.edu/diary/Run+Forest+Update+/13561; classtype:trojan-activity; sid:2014970; rev:2; metadata:created_at 2012_06_26, updated_at 2012_06_26;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS JS.Runfore Malware Campaign Request"; flow:established,to_server; content:"/runforestrun?"; http_uri; fast_pattern:only; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-062103-1655-99; reference:url,isc.sans.edu/diary/Run+Forest+/13540; reference:url,isc.sans.edu/diary/Run+Forest+Update+/13561; classtype:trojan-activity; sid:2014971; rev:2; metadata:created_at 2012_06_26, updated_at 2012_06_26;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HeapLib JS Library"; flow:established,to_client; file_data; content:"heapLib.ie|28|"; nocase; reference:url,www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf; classtype:bad-unknown; sid:2014972; rev:1; metadata:created_at 2012_06_26, updated_at 2012_06_26;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Googlebot UA POST to /uploadify.php"; flow:established,to_server; content:"POST"; http_method; content:"/uploadify.php"; http_uri; nocase; fast_pattern; content:"User-Agent|3a| Mozilla/5.0 (compatible|3b| Googlebot/2.1|3b|"; http_header; reference:url,blog.sucuri.net/2012/06/uploadify-uploadify-and-uploadify-the-new-timthumb.html; classtype:attempted-recon; sid:2014982; rev:1; metadata:created_at 2012_06_29, updated_at 2012_06_29;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Scalaxy Jar file"; flow:to_client,established; file_data; content:"PK"; within:2; content:"C1.class"; fast_pattern; distance:0; content:"C2.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2014983; rev:2; metadata:created_at 2012_06_29, updated_at 2012_06_29;)

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hacked Website Response /*km0ae9gr6m*/ Jun 25 2012"; flow:established,from_server; file_data; content:"/*km0ae9gr6m*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014984; rev:3; metadata:created_at 2012_06_29, updated_at 2012_06_29;)

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hacked Website Response /*qhk6sa6g1c*/ Jun 25 2012"; flow:established,from_server; file_data; content:"/*qhk6sa6g1c*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014985; rev:4; metadata:created_at 2012_06_29, updated_at 2012_06_29;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Runforestrun Malware Campaign Infected Website Landing Page Obfuscated String JavaScript DGA"; flow:established,to_client; file_data; content:"*/window.eval(String.fromCharCode("; distance:0; isdataat:80,relative; content:!")"; within:80; pcre:"/\x2A[a-z0-9]{10}\x2A\x2Fwindow\x2Eeval\x28String\x2EfromCharCode\x28[0-9]{1,3}\x2C[0-9]{1,3}\x2C/sm"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014998; rev:1; metadata:created_at 2012_07_02, updated_at 2012_07_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NuclearPack Java exploit binary get request"; flow:established,to_server; content:"GET"; http_method; nocase; content:"Java/1."; fast_pattern:only; http_header; pcre:"/[a-f0-9]{32,64}\/[a-f0-9]{32,64}/\w$/U"; classtype:trojan-activity; sid:2015000; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2012_07_02, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS g01pack exploit pack /mix/ Java exploit"; flow:established,to_server; content:"/mix/"; http_uri; depth:5; content:".jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015010; rev:2; metadata:created_at 2012_07_03, updated_at 2012_07_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito - Malicious PDF Requested - /getfile.php"; flow:established,to_server; content:"/getfile.php?i="; http_uri; content:"&key="; http_uri; content:!" Java/1"; http_header; classtype:trojan-activity; sid:2015024; rev:2; metadata:created_at 2012_07_04, updated_at 2012_07_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS g01pack exploit pack /mix/ payload"; flow:established,to_server; content:"/mix/"; http_uri; depth:5; content:".php"; http_uri; content:"fid="; http_uri; content:"quote="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015011; rev:1; metadata:created_at 2012_07_04, updated_at 2012_07_04;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito - Java Exploit Requested - /gotit.php by Java Client"; flow:established,to_server; content:"/gotit.php?"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2015030; rev:2; metadata:created_at 2012_07_06, updated_at 2012_07_06;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito - Payload Request - /load.php by Java Client"; flow:established,to_server; content:"/load.php?"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2015031; rev:2; metadata:created_at 2012_07_06, updated_at 2012_07_06;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS g01pack - 32Char.php by Java Client"; flow:established,to_server; urilen:52<>130; content:".php?"; http_uri; content:" Java/1"; http_header; pcre:"/^\/[a-z]{1,10}\/[a-z0-9]{32}\.php\?/U"; classtype:trojan-activity; sid:2015042; rev:1; metadata:created_at 2012_07_06, updated_at 2012_07_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS c3284d Malware Network Compromised Redirect (comments 1)"; flow:established,to_client; file_data; content:"#c3284d#"; distance:0; content:"#/c3284d#"; distance:0; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015051; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS c3284d Malware Network Compromised Redirect (comments 2)"; flow:established,to_client; file_data; content:"<!--c3284d-->"; distance:0; content:"<!--/c3284d-->"; distance:0; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015052; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_s=1 - Landing Page - 10HexChar Title and applet"; flow:established,to_client; file_data; content:"<applet"; pcre:"/<title>[a-f0-9]{10}<\/title>/"; classtype:trojan-activity; sid:2015053; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_s=1 - Landing Page - 100HexChar value and applet"; flow:established,to_client; file_data; content:"<applet"; content:"value=\""; pcre:"/value=.[a-f0-9]{100}/"; classtype:trojan-activity; sid:2015054; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_s=1 - Payload Requested - 32AlphaNum?s=1 Java Request"; flow:established,to_server; urilen:37; content:"?s=1"; http_uri; content:" Java/1"; http_header; pcre:"/^\/[a-z0-9]{32}\?s=1$/Ui"; classtype:trojan-activity; sid:2015055; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS c3284d malware network iframe"; flow:established,to_client; file_data; content:"|22| name=|22|Twitter|22| scrolling=|22|auto|22| frameborder=|22|no|22| align=|22|center|22| height=|22|2|22| width=|22|2|22|></iframe>"; distance:0; classtype:trojan-activity; sid:2015057; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Unknown TDS /top2.html"; flow:established,to_server; urilen:10; content:"/top2.html"; http_uri; fast_pattern:only; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015478; rev:2; metadata:created_at 2012_07_16, updated_at 2012_07_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Unknown TDS /rem2.html"; flow:established,to_server; urilen:10; content:"/rem2.html"; http_uri; fast_pattern:only; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015479; rev:2; metadata:created_at 2012_07_16, updated_at 2012_07_16;)

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Compromised WordPress Server pulling Malicious JS"; flow:established,to_server; content:"/net/?u="; http_uri; fast_pattern:only; content:"Host|3a| net"; http_header; content:"net.net"; http_header; distance:2; within:7; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.0)"; http_header; pcre:"/^Host\x3a\snet[0-4]{2}net\.net\r?\n$/Hmi"; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015480; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_07_16, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Compromised Wordpress Install Serving Malicious JS"; flow:established,to_client; file_data; content:"var wow"; fast_pattern; content:"Date"; distance:0; within:200; pcre:"/var wow\s*=\s*\x22[^\x22\n]+?\x22\x3b[^\x3b\n]*?Date[^\x3b\n]*?\x3b/"; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015481; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_07_16, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit PluginDetect Rename Saigon"; flow:established,from_server; content:"var Saigon={version|3a 22|"; fast_pattern:only; classtype:trojan-activity; sid:2015516; rev:1; metadata:created_at 2012_07_23, updated_at 2012_07_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS .HTM being served from WP 1-flash-gallery Upload DIR (likely malicious)"; flow:established,to_server; content:"/wp-content/uploads/fgallery/"; fast_pattern:11,18; nocase; http_uri; content:".htm"; nocase; distance:0; http_uri; classtype:bad-unknown; sid:2015517; rev:2; metadata:created_at 2012_07_23, updated_at 2012_07_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS .PHP being served from WP 1-flash-gallery Upload DIR (likely malicious)"; flow:established,to_server; content:"/wp-content/uploads/fgallery/"; fast_pattern:11,18; nocase; http_uri; content:".php"; distance:0; http_uri; classtype:bad-unknown; sid:2015518; rev:3; metadata:created_at 2012_07_23, updated_at 2012_07_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS c3284d Malware Network Compromised Redirect (comments 3)"; flow:established,from_server; file_data; content:"/*c3284d*/"; fast_pattern:only;  reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2015524; rev:2; metadata:created_at 2012_07_25, updated_at 2012_07_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake-AV Conditional Redirect (Blackmuscats)"; flow:established,to_server; content:"/blackmuscats?"; fast_pattern:only; http_uri; reference:url,blog.sucuri.net/2012/07/blackmuscats-conditional-redirections-to-faveav.html/; classtype:trojan-activity; sid:2015553; rev:2; metadata:created_at 2012_07_31, updated_at 2012_07_31;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cridex Self Signed SSL Certificate (TR Some-State Internet Widgits)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"|55 04 06 13 02|TR"; content:"|55 04 08 13 0a|Some-State"; distance:0; content:"|13 18|Internet Widgits Pty"; within:35; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015559; rev:5; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2012_08_01, updated_at 2017_05_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Yszz JS/Encryption (Used in KaiXin Exploit Kit)"; flow:to_client,established; file_data; content:"|2f 2a|Yszz 0.7 vip|2a 2f|"; fast_pattern:only; nocase; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2015573; rev:1; metadata:created_at 2012_08_03, updated_at 2012_08_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DoSWF Flash Encryption (Used in KaiXin Exploit Kit)"; flow:to_client,established; file_data; content:"CWS"; within:3; content:"<doswf version="; fast_pattern:only; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2015574; rev:1; metadata:created_at 2012_08_03, updated_at 2012_08_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Java Class"; flow:to_client,established; file_data; content:"Gond"; pcre:"/^(?:a(?:ttack|dEx[xp])|([a-z])\1)\.class/Ri"; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2015575; rev:7; metadata:created_at 2012_08_03, updated_at 2012_08_03;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript redirecting to badness August 6 2012"; flow:established,from_server; content:"text/javascript'>var wow="; content:"document.cookie.indexOf"; distance:0; within:70; classtype:bad-unknown; sid:2015578; rev:1; metadata:created_at 2012_08_06, updated_at 2012_08_06;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Comments"; flow:established,to_client; file_data; content:"FoxxySF Website Copier"; distance:0; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015583; rev:3; metadata:created_at 2012_08_07, updated_at 2012_08_07;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Comments(2)"; flow:established,to_client; content:"Added By FoxxySF"; fast_pattern:only; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015584; rev:3; metadata:created_at 2012_08_07, updated_at 2012_08_07;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FoxxySoftware - Hit Counter Access"; flow:to_server,established; content:"/wtf/callback=getip"; fast_pattern:only; http_uri; nocase; content:".php?username="; nocase; http_uri; content:"&website="; nocase; http_uri; content:"foxxysoftware.org"; http_header; nocase; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015585; rev:1; metadata:created_at 2012_08_07, updated_at 2012_08_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sutra TDS /simmetry"; flow:to_server,established; content:"/simmetry?"; fast_pattern:only; http_uri; reference:url,blog.sucuri.net/2012/08/very-good-malware-redirection.html; classtype:trojan-activity; sid:2015593; rev:1; metadata:created_at 2012_08_08, updated_at 2012_08_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Java Exploit Requested - /spl_data/"; flow:established,to_server; content:"/spl_data/"; http_uri; fast_pattern:only; content:" Java/"; http_header; classtype:trojan-activity; sid:2015603; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_08_10, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Java Exploit Requested .jar Naming Pattern"; flow:established,to_server; content:"-a."; http_uri; content:".jar"; http_uri; fast_pattern:only; content:" Java/"; http_header; pcre:"/\/[a-z]{4,20}-a\.[a-z]{4,20}\.jar$/U"; classtype:trojan-activity; sid:2015604; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_08_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Landing Page Received"; flow:established,to_client; file_data; content:"application/x-java-applet"; content:"width=|22|0|22| height=|22|0|22|>"; fast_pattern; within:100; classtype:trojan-activity; sid:2015605; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_08_10, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit seen with O1/O2.class /form"; flow:established,to_server; content:"/L"; http_uri; depth:2; content:"/search|0d 0a|"; http_header; fast_pattern:only; pcre:"/^\/L[a-zA-Z0-9]+\/[a-zA-Z0-9\x5f]+\?[a-z]+=[A-Za-z0-9\x2e]{10,}$/Um"; classtype:trojan-activity; sid:2015646; rev:4; metadata:created_at 2012_08_17, updated_at 2012_08_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit seen with O1/O2.class /search"; flow:established,to_server; content:"/L"; http_uri; depth:2; content:"/form|0d 0a|"; http_header; fast_pattern:only; pcre:"/^\/L[a-zA-Z0-9]+\/[a-zA-Z0-9\x5f]+\?[a-z]+=[A-Za-z0-9\x2e]{10,}$/Um"; classtype:trojan-activity; sid:2015647; rev:3; metadata:created_at 2012_08_17, updated_at 2012_08_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Malicious Redirect n.php h=*&s=*"; flow:to_server,established; content:"/n.php?h="; fast_pattern:only; http_uri; content:"&s="; http_uri; content:".rr.nu|0d 0a|"; http_header; pcre:"/\/n\.php\?h=\w*?&s=\w{1,5}$/Ui"; reference:url,0xicf.wordpress.com/category/security-updates/; reference:url,support.clean-mx.de/clean-mx viruses.php?domain=rr.nu&sort=first%20desc; reference:url,urlquery.net/report.php?id=111302; classtype:attempted-user; sid:2015669; rev:9; metadata:created_at 2012_08_22, updated_at 2012_08_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Metasploit Java Payload"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"Payload.class"; nocase; fast_pattern:only; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015657; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2012_08_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Metasploit Java Exploit"; flow:established,to_client; file_data; flowbits:isset,ET.http.javaclient; content:"xploit.class"; nocase; fast_pattern:only; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015658; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2012_08_28, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - Version Enumerated - Java"; flow:established,to_server; urilen:>85; content:"/1."; offset:75; depth:3; http_uri; content:"|2e|"; distance:1; within:1; http_uri; content:"|2e|"; distance:1; within:1; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/1\.[4-7]\.[0-2]\.[0-9]{1,2}\//U"; classtype:attempted-user; sid:2015666; rev:3; metadata:created_at 2012_08_28, updated_at 2012_08_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - Version Enumerated - null"; flow:established,to_server; urilen:85; content:"/null/null"; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/null\/null$/U"; classtype:attempted-user; sid:2015667; rev:1; metadata:created_at 2012_08_28, updated_at 2012_08_28;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit/Other - Landing Page - 100HexChar value and applet"; flow:established,to_client; file_data; content:"<applet"; nocase; content:"value"; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27]?[a-f0-9]{100}/R"; classtype:attempted-user; sid:2015668; rev:5; metadata:created_at 2012_08_28, updated_at 2012_08_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1342 (msg:"ET CURRENT_EVENTS Unknown Exploit Kit redirect"; flow:established,to_server;  content:"GET /t/"; depth:7; fast_pattern; pcre:"/^[a-f0-9]{32}\sHTTP\x2f1\./Ri"; content:"|0d 0a|Host|3a| "; distance:0; pcre:"/^[^\r\n]+\x3a1342\r\n/R"; classtype:bad-unknown; sid:2015672; rev:9; metadata:created_at 2012_08_29, updated_at 2012_08_29;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit Payload Download Request - Sep 04 2012"; flow:established,to_server; content:" Java/"; http_header; fast_pattern:only; urilen:>24; content:!".jar"; nocase; http_uri; content:"!.class"; nocase; http_uri; pcre:"/\/[A-Z]{20,}\?[A-Z]=\d$/Ui"; classtype:trojan-activity; sid:2015676; rev:2; metadata:created_at 2012_09_05, updated_at 2012_09_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sakura exploit kit exploit download request /view.php"; flow:established,to_server; content:"/view.php?i="; http_uri; fast_pattern:only; pcre:"/\/view.php\?i=\d&key=[0-9a-f]{32}$/U"; classtype:trojan-activity; sid:2015678; rev:2; metadata:created_at 2012_09_06, updated_at 2012_09_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Probable Sakura exploit kit landing page with obfuscated URLs"; flow:established,from_server; content:"applet"; content:"myyu?44"; fast_pattern; within:200; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015679; rev:1; metadata:created_at 2012_09_06, updated_at 2012_09_06;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit with fast-flux like behavior static initial landing - Sep 05 2012"; flow:established,to_server; content:"/PJeHubmUD"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015682; rev:1; metadata:created_at 2012_09_06, updated_at 2012_09_06;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit with fast-flux like behavior hostile java archive - Sep 05 2012"; flow:established,to_server; content:"pqvjdujfllkwl.jar"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015683; rev:1; metadata:created_at 2012_09_06, updated_at 2012_09_06;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Remote PHP Code Execution (php.pjpg)"; flow:established,to_server; content:"POST"; http_method; content:".php.pjpg"; fast_pattern:only; http_uri; nocase; reference:url,exploitsdownload.com/search/Arbitrary%20File%20Upload/27; classtype:web-application-attack; sid:2015688; rev:2; metadata:created_at 2012_09_07, updated_at 2012_09_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY NeoSploit - Java Exploit Requested"; flow:established,to_server; urilen:>89; content:".jar"; http_uri; fast_pattern:only; content:" Java/1"; http_header; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.jar$/U"; classtype:attempted-user; sid:2015689; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_09_11, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - Obfuscated Payload Requested"; flow:established,to_server; urilen:>89; content:" Java/1"; http_header; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/[0-9]{7}$/U"; classtype:attempted-user; sid:2015690; rev:1; metadata:created_at 2012_09_11, updated_at 2012_09_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS  NeoSploit - PDF Exploit Requested"; flow:established,to_server; urilen:>89; content:".pdf"; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.pdf$/U"; classtype:attempted-user; sid:2015691; rev:1; metadata:created_at 2012_09_11, updated_at 2016_09_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - Version Enumerated - Java"; flow:established,to_server; urilen:>85; content:"/1."; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/1\.[4-7]\.[0-2]\.[0-9]{1,2}\//U"; classtype:attempted-user; sid:2015693; rev:1; metadata:created_at 2012_09_11, updated_at 2012_09_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - Version Enumerated - null"; flow:established,to_server; urilen:85; content:"/null/null"; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/null\/null$/U"; classtype:attempted-user; sid:2015694; rev:1; metadata:created_at 2012_09_11, updated_at 2012_09_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic - 8Char.JAR Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".jar"; http_header; fast_pattern:only; pcre:"/[=\"]\w{8}\.jar/Hi"; file_data; content:"PK"; within:2; classtype:attempted-user; sid:2015695; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_09_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DoSWF Flash Encryption Banner"; flow:to_client,established; file_data; content:"FWS"; within:3; content:"DoSWF"; distance:0; classtype:attempted-user; sid:2015704; rev:5; metadata:created_at 2012_09_17, updated_at 2012_09_17;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql Exploit Kit 09/25/12 Sending Jar"; flow:established,from_server; content:"/x-java-archive|0d 0a|"; fast_pattern:only; content:"|0d 0a|Set-Cookie|3a 20|"; pcre:"/^[a-zA-Z]{5}=[a-z0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}\r\n/R"; content:"|0d 0a 0d 0a|PK"; distance:0; classtype:trojan-activity; sid:2015724; rev:11; metadata:created_at 2012_09_21, updated_at 2012_09_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Access To mm-forms-community upload dir (Outbound)"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; http_uri; fast_pattern:20,20; reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015726; rev:1; metadata:created_at 2012_09_21, updated_at 2012_09_21;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Access To mm-forms-community upload dir (Inbound)"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; http_uri; fast_pattern:20,20; reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015727; rev:1; metadata:created_at 2012_09_21, updated_at 2012_09_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sakura exploit kit exploit download request /sarah.php"; flow:established,to_server; content:"/sarah.php?s="; http_uri; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015733; rev:1; metadata:created_at 2012_09_24, updated_at 2012_09_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sakura exploit kit exploit download request /nano.php"; flow:established,to_server; content:"/nano.php?x="; fast_pattern:only; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015734; rev:1; metadata:created_at 2012_09_24, updated_at 2012_09_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probable Sakura Java applet with obfuscated URL Sep 21 2012"; flow:established,from_server; file_data; content:"applet"; content:"nzzv@55"; fast_pattern; within:200; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015735; rev:2; metadata:created_at 2012_09_24, updated_at 2012_09_24;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql obfuscated javascript --- padding"; flow:established,from_server; content:"|0d 0a 0d 0a|"; content:"d---o---c---u---m---"; within:500; classtype:bad-unknown; sid:2015738; rev:3; metadata:created_at 2012_09_25, updated_at 2012_09_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS g01pack Exploit Kit Landing Page (2)"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".mine.nu|0d 0a|"; http_header; nocase; fast_pattern:only; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015758; rev:2; metadata:created_at 2012_10_04, updated_at 2018_03_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit 32-32 byte hex initial landing"; flow:established,to_server; content:"/?"; http_uri; fast_pattern; isdataat:64,relative; content:"="; http_uri; distance:32; within:1; pcre:"/\/\?[a-f0-9]{32}=[^&]+&[a-f0-9]{32}=[^&]+$/U"; classtype:trojan-activity; sid:2015781; rev:1; metadata:created_at 2012_10_05, updated_at 2012_10_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Other Java Exploit Kit 32-32 byte hex hostile jar"; flow:established,to_server; content:".jar"; http_uri; fast_pattern:only; urilen:70; pcre:"/\/[a-f0-9]{32}\/[a-f0-9]{32}\.jar$/U"; classtype:trojan-activity; sid:2015782; rev:3; metadata:created_at 2012_10_05, updated_at 2012_10_05;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS BegOp Exploit Kit Payload"; flow:established,from_server; content:"Content-Type|3a| image/"; http_header; fast_pattern:only; file_data; content:"M"; within:1; content:!"Z"; within:1; content:"Z"; distance:1; within:1; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015783; rev:6; metadata:created_at 2012_10_06, updated_at 2017_09_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS BegOpEK - TDS - icon.php"; flow:established,to_server; content:"/icon.php"; urilen:9; classtype:trojan-activity; sid:2015789; rev:1; metadata:created_at 2012_10_09, updated_at 2012_10_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS BegOpEK - Landing Page"; flow:established,to_client; file_data; content:"<applet"; content:"Ini.class"; distance:0; within:50; classtype:trojan-activity; sid:2015788; rev:1; metadata:created_at 2012_10_09, updated_at 2012_10_09;)

alert tcp $HOME_NET any -> 209.139.208.0/23 $HTTP_PORTS (msg:"ET CURRENT_EVENTS Scalaxy Secondary Landing Page 10/11/12"; flow:to_server,established; content:"/q"; http_uri; depth:2; pcre:"/^\/q[a-zA-Z0-9+-]{3,14}\/[a-zA-Z0-9+-]{3,16}\?[a-z]{1,6}=[a-zA-Z0-9+-\._]{7,18}$/U"; classtype:trojan-activity; sid:2015792; rev:1; metadata:created_at 2012_10_11, updated_at 2012_10_11;)

#alert tcp $HOME_NET any -> 209.139.208.0/23 $HTTP_PORTS (msg:"ET CURRENT_EVENTS Scalaxy Java Exploit 10/11/12"; flow:to_server,established; content:"/m"; http_uri; depth:2; pcre:"/^\/m[a-zA-Z0-9-_]{3,14}\/[a-zA-Z0-9-_]{3,17}$/U"; classtype:trojan-activity; sid:2015793; rev:1; metadata:created_at 2012_10_11, updated_at 2012_10_11;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 10/17/12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"SecretKey.class"; fast_pattern; distance:0; content:"Mac.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015812; rev:2; metadata:created_at 2012_10_18, updated_at 2012_10_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS g01pack Exploit Kit .homeip. Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".homeip."; http_header; nocase; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015818; rev:2; metadata:created_at 2012_10_19, updated_at 2012_10_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS g01pack Exploit Kit .homelinux. Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".homelinux."; http_header; nocase; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015819; rev:2; metadata:created_at 2012_10_19, updated_at 2012_10_19;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Landing Page"; flow:established,to_server; content:"/beacon/"; http_uri; fast_pattern:only; pcre:"/\/beacon\/[a-f0-9]{8}\.htm$/U"; classtype:successful-user; sid:2015840; rev:2; metadata:created_at 2012_10_24, updated_at 2012_10_24;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Landing Page"; flow:established,to_server; content:"/Applet.jar"; http_uri; fast_pattern:only; pcre:"/^\/Applet\.jar$/U"; classtype:successful-user; sid:2015841; rev:2; metadata:created_at 2012_10_24, updated_at 2012_10_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NeoSploit Jar with three-letter class names"; flow:established,from_server; file_data; content:"PK"; depth:2; content:".classPK"; pcre:"/(\0[a-z]{3}\.classPK.{43}){4}/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015846; rev:2; metadata:created_at 2012_10_26, updated_at 2012_10_26;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SofosFO/NeoSploit possible second stage landing page"; flow:established,to_server; urilen:>25; content:"/50a"; http_uri; depth:4; pcre:"/^\/50a[a-f0-9]{21}\/(((\d+,)+\d+)|null)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015847; rev:6; metadata:created_at 2012_10_26, updated_at 2012_10_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Imposter USPS Domain"; flow:established,to_server; content:".usps.com."; http_header; nocase; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]\.usps\.com\./Hi"; classtype:trojan-activity; sid:2015848; rev:1; metadata:created_at 2012_10_26, updated_at 2012_10_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2012-1723 Path (Seen in Unknown EK) 10/29/12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"cve1723/"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015849; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2012_10_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura/RedKit obfuscated URL"; flow:established,from_server; file_data; content:"<applet"; pcre:"/^((?!<\/applet>).)+?\/.{1,12}\/.{1,12}\x3a.{1,12}p.{1,12}t.{1,12}t.{1,12}h/Rs"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015858; rev:2; metadata:created_at 2012_10_31, updated_at 2012_10_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2012-1723 Attacker.class (Seen in Unknown EK) 11/01/12"; flow:to_client,established; file_data; content:"<applet"; content:"Attacker.class"; distance:0; classtype:trojan-activity; sid:2015859; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2012_11_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Self-Singed SSL Cert Used in Conjunction with Neosploit"; flow:from_server,established; content:"|16 03 01|"; content:"|00 be d3 cf b1 fe a1 55 bf|"; distance:0; content:"webmaster@localhost"; distance:0; content:"|30 81 89 02 81 81 00 ac 12 38 fc 5c bf 7c 8c 18 e7 db 09 dc|"; distance:0; classtype:trojan-activity; sid:2015865; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2012_11_06, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sophos PDF Standard Encryption Key Length Buffer Overflow"; flow:from_server,established; file_data; flowbits:isset,ET.pdf.in.http; content:"/Standard"; content:"/Length"; within:200; pcre:"/^[\r\n\s]+(\d{4}|(?!(\d{1,2}[\r\n\s]|1[0-2][0-8][\r\n\s])))((?!>>).)+\/R\s+3[\r\n\s>]/Rs"; classtype:trojan-activity; sid:2015866; rev:3; metadata:created_at 2012_11_06, updated_at 2012_11_06;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sophos PDF Standard Encryption Key Length Buffer Overflow"; flow:from_server,established; file_data; flowbits:isset,ET.pdf.in.http; content:"/Standard"; content:"/R 3"; within:200; pcre:"/^[\r\n\s]+((?!>>).)+?\/Length[\r\n\s]+(\d{4}|(?!(\d{1,2}[\r\n\s]|1[0-2][0-8][\r\n\s])))/Rs"; classtype:trojan-activity; sid:2015867; rev:1; metadata:created_at 2012_11_06, updated_at 2012_11_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Cool Exploit Kit Requesting Payload"; flow:established,to_server; content:"/f.php?k="; http_uri; fast_pattern:only; pcre:"/^\/[a-z]\/f\.php\?k=\d(&e=\d&f=\d)?$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015873; rev:4; metadata:created_at 2012_11_08, updated_at 2012_11_08;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 09 Nov 12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"SecretKey.class"; fast_pattern:only; content:"Anony"; pcre:"/^(mous)?\.class/R"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015876; rev:2; metadata:created_at 2012_11_09, updated_at 2012_11_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Landing Page NOP String"; flow:established,to_client; file_data; content:" == -1 {|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0"; distance:0; reference:url,ondailybasis.com/blog/?p=1610; classtype:trojan-activity; sid:2015881; rev:2; metadata:created_at 2012_11_14, updated_at 2012_11_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Landing Page parseInt Javascript Replace"; flow:established,to_client; file_data; content:" = parseInt("; distance:0; content:".replace(|2F 5C 2E 7C 5C 5F 2F|g, ''))|3B|"; within:30; reference:url,ondailybasis.com/blog/?p=1610; classtype:trojan-activity; sid:2015882; rev:1; metadata:created_at 2012_11_14, updated_at 2012_11_14;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit Campaign SetAttribute Java Applet"; flow:established,to_client; file_data; content:"document.createElement(|22|applet|22|)|3B|"; fast_pattern:13,20; distance:0; nocase; content:".setAttribute(|22|code"; distance:0; nocase; content:".class|22 29 3B|"; nocase; within:50; content:".setAttribute(|22|archive"; nocase; distance:0; content:"document.createElement|22|param"; nocase; distance:0; reference:url,ondailybasis.com/blog/?p=1593; classtype:trojan-activity; sid:2015883; rev:1; metadata:created_at 2012_11_14, updated_at 2012_11_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritXPack Landing Page"; flow:established,to_client; file_data; content:"<applet"; content:"a.Test"; fast_pattern; classtype:trojan-activity; sid:2015884; rev:1; metadata:created_at 2012_11_14, updated_at 2012_11_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack - No Java URI - Dot.class"; flow:established,to_server; urilen:10; content:"/Dot.class"; http_uri; classtype:trojan-activity; sid:2015885; rev:1; metadata:created_at 2012_11_14, updated_at 2012_11_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CirtXPack - No Java URI - /a.Test"; flow:established,to_server; urilen:7; content:"/a.Test"; classtype:trojan-activity; sid:2015886; rev:1; metadata:created_at 2012_11_14, updated_at 2012_11_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java Exploit Kit 32 byte hex with trailing digit java payload request"; flow:established,to_server; urilen:>32; content:"Java/1."; http_header; pcre:"/^\/(?:[\/_]*?[a-f0-9][\/_]*?){32}\/\d+?$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015888; rev:6; metadata:created_at 2012_11_15, updated_at 2012_11_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK - Landing Page - FlashExploit"; flow:established,to_client; file_data; content:"FlashExploit()"; classtype:trojan-activity; sid:2015890; rev:2; metadata:created_at 2012_11_15, updated_at 2012_11_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible TDS Exploit Kit /flow redirect at .ru domain"; flow:established,to_server; urilen:<12; content:"/flow"; fast_pattern; depth:5; http_uri; content:".php"; distance:1; within:5; http_uri; content:"GET"; http_method; content:".ru|0d 0a|"; http_header; pcre:"/^\/flow\d{1,2}\.php$/U"; classtype:bad-unknown; sid:2015897; rev:2; metadata:created_at 2012_11_19, updated_at 2012_11_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) - Landing Page - Java ClassID and 32HexChar.jar"; flow:established,to_client; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; content:".jar"; pcre:"/[a-f0-9]{32}\.jar/"; classtype:trojan-activity; sid:2015901; rev:2; metadata:created_at 2012_11_20, updated_at 2012_11_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Credit Card Information Phish"; flow:established,to_server; content:"POST"; http_method; content:"creditcard="; http_client_body; fast_pattern; content:"expyear="; http_client_body; content:"ccv="; http_client_body; content:"pin="; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015907; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2012_11_21, updated_at 2017_08_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Generic PII Phish"; flow:established,to_server; content:"POST"; http_method; content:"&phone3="; http_client_body; content:"&ssn3="; http_client_body; fast_pattern; content:"&dob3="; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015908; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2012_11_21, updated_at 2017_08_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Bank of America Phish M1 Oct 01 2012"; flow:established,to_server; content:"POST"; http_method; content:"reason="; nocase; depth:7; fast_pattern; http_client_body; content:"Access_ID="; nocase; distance:0; http_client_body; content:"Current_Passcode="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2015909; rev:3; metadata:created_at 2012_11_21, updated_at 2017_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful AOL Phish Nov 21 2012"; flow:established,to_server; content:"POST"; http_method; content:"aoluser="; http_client_body; content:"aolpassword="; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2015910; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2012_11_21, updated_at 2017_08_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Yahoo Phish Nov 21 2012"; flow:established,to_server; content:"POST"; http_method; content:"yahoouser="; http_client_body; content:"yahoopassword="; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015911; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2012_11_21, updated_at 2017_08_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Gmail Phish Nov 21 2012"; flow:established,to_server; content:"POST"; http_method; content:"gmailuser="; http_client_body; content:"gmailpassword="; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015912; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2012_11_21, updated_at 2017_08_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Hotmail Phish Nov 21 2012"; flow:established,to_server; content:"POST"; http_method; content:"hotmailuser="; http_client_body; content:"hotmailpassword="; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015913; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2012_11_21, updated_at 2017_08_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Phish - Other Credentials Nov 21 2012"; flow:established,to_server; content:"POST"; http_method; content:"otheruser="; http_client_body; content:"otherpassword="; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015914; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2012_11_21, updated_at 2017_08_17;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Spam Campaign JPG CnC Link"; flow:established,to_client; file_data; content:"he1l0|3A|hxxp|3A|//"; distance:0; content:".jpg"; distance:0; reference:url,blog.fireeye.com/research/2012/11/more-phish.html; classtype:trojan-activity; sid:2015921; rev:1; metadata:created_at 2012_11_21, updated_at 2012_11_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Glazunov Java exploit request /9-10-/4-5-digit"; flow:established,to_server; content:"|29 20|Java/"; http_header; urilen:14<>18; pcre:"/^\/\d{9,10}\/\d{4,5}$/U";  flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015922; rev:4; metadata:created_at 2012_11_23, updated_at 2012_11_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Glazunov Java payload request /5-digit"; flow:established,to_server; content:"|29 20|Java/"; http_header; urilen:6; pcre:"/^\/\d{5}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015923; rev:1; metadata:created_at 2012_11_23, updated_at 2012_11_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit Exploit Kit Java Request to Recent jar (1)"; flow:established,to_server; content:"/332.jar"; fast_pattern:only; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015928; rev:2; metadata:created_at 2012_11_26, updated_at 2012_11_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit Exploit Kit Java Request to Recent jar (2)"; flow:established,to_server; content:"/887.jar"; fast_pattern:only; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015929; rev:2; metadata:created_at 2012_11_26, updated_at 2012_11_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit Exploit Kit Vulnerable Java Payload Request URI (1)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/33.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015930; rev:1; metadata:created_at 2012_11_26, updated_at 2012_11_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit Exploit Kit vulnerable Java Payload Request to URI (2)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/41.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015931; rev:1; metadata:created_at 2012_11_26, updated_at 2012_11_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET CURRENT_EVENTS Nuclear Exploit Kit HTTP Off-port Landing Page Request"; flow:established,to_server; content:"GET /t/"; depth:7; pcre:"/^[a-f0-9]{32}\s*HTTP\/1\.[0-1]\r\n/R"; classtype:trojan-activity; sid:2015936; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2012_11_26, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Chase/Bank of America Phishing Landing Uri Structure Nov 27 2012 "; flow:established,to_server; content:"/Logon.php?LOB=RBG"; http_uri; content:"&_pageLabel=page_"; http_uri; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015938; rev:2; metadata:created_at 2012_11_26, updated_at 2017_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS g01pack Exploit Kit .blogsite. Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".blogsite."; http_header; nocase; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015939; rev:2; metadata:created_at 2012_11_26, updated_at 2012_11_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Java Exploit - Recent Jar (1)"; flow:established,to_server; content:"/amor"; http_uri; content:".jar"; http_uri; within:6; content:" Java/"; http_header; fast_pattern:only; pcre:"/amor\d{0,2}\.jar/U"; classtype:trojan-activity; sid:2015941; rev:1; metadata:created_at 2012_11_27, updated_at 2012_11_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Java Exploit - Recent Jar (2)"; flow:established,to_server; content:"/java7.jar?r="; http_uri; content:" Java/"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015942; rev:1; metadata:created_at 2012_11_27, updated_at 2012_11_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Crimeboss - Java Exploit - Recent Jar (3)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"amor.class"; distance:0; classtype:trojan-activity; sid:2015943; rev:2; metadata:created_at 2012_11_27, updated_at 2012_11_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Stats Access"; flow:established,to_server; content:".php?action=stats_access"; http_uri; classtype:trojan-activity; sid:2015944; rev:1; metadata:created_at 2012_11_27, updated_at 2012_11_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Stats Java On"; flow:established,to_server; content:".php?action=stats_javaon"; http_uri; classtype:trojan-activity; sid:2015945; rev:1; metadata:created_at 2012_11_27, updated_at 2012_11_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Setup"; flow:established,to_server; content:".php?setup=d&s="; http_uri; content:"&r="; pcre:"/\.php\?setup=d&s=\d+&r=\d+$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015946; rev:2; metadata:created_at 2012_11_27, updated_at 2017_04_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Propack Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"propack/"; distance:0; classtype:trojan-activity; sid:2015949; rev:1; metadata:created_at 2012_11_27, updated_at 2012_11_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Propack Payload Request"; flow:established,to_server; content:".php?j=1&k="; http_uri; nocase; fast_pattern:only; content:" Java/1"; http_header; pcre:"/\.php\?j=1&k=[0-9](i=[0-9])?$/U"; classtype:trojan-activity; sid:2015950; rev:1; metadata:created_at 2012_11_27, updated_at 2012_11_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SibHost Jar Request"; flow:established,to_server; content:".jar?m="; http_uri; content:"|29 20|Java/1"; http_header; fast_pattern:only; pcre:"/\.jar\?m\=[1-2]$/U"; classtype:trojan-activity; sid:2015951; rev:15; metadata:created_at 2012_11_27, updated_at 2012_11_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic SSN Phish"; flow:established,to_server; content:"POST"; http_method; content:"ssn1="; http_client_body; fast_pattern; content:"ssn2="; http_client_body; content:"ssn3="; http_client_body; content:!"User-Agent|3a 20|LabTech Agent"; http_header; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015952; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2012_11_27, updated_at 2017_08_17;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS PDF /FlateDecode and PDF version 1.1 (seen in pamdql EK)"; flow:established,from_server; file_data; content:"%PDF-1.1"; fast_pattern; within:8; content:"/FlateDecode"; distance:0; classtype:trojan-activity; sid:2015955; rev:1; metadata:created_at 2012_11_28, updated_at 2012_11_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Serenity Exploit Kit Landing Page HTML Header"; flow:established,to_client; file_data; content:"<head><title>Loading... Please wait<|2F|title><meta name=|22|robots|22| content=|22|noindex|22|><|2F|head>"; distance:0; classtype:trojan-activity; sid:2015956; rev:1; metadata:created_at 2012_11_28, updated_at 2012_11_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack Jar Request"; flow:established,to_server; content:"/j.php?t=u00"; http_uri; fast_pattern:only; content:"Java/1."; http_header; classtype:trojan-activity; sid:2015960; rev:10; metadata:created_at 2012_11_28, updated_at 2012_11_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack PDF Request"; flow:established,to_server; content:"/p5.php?t=u00"; http_uri; fast_pattern:only; content:"&oh="; http_uri; classtype:trojan-activity; sid:2015961; rev:11; metadata:created_at 2012_11_28, updated_at 2012_11_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack Payload Request"; flow:established,to_server; content:"/load.php?e="; http_uri; fast_pattern:only; content:"&token="; http_uri; classtype:trojan-activity; sid:2015962; rev:10; metadata:created_at 2012_11_28, updated_at 2012_11_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Zuponcic EK Java Exploit Jar"; flow:established,from_server; file_data; content:"PK"; within:2; content:"FlashPlayer.class"; distance:0; content:".SF"; content:".RSA"; classtype:trojan-activity; sid:2015971; rev:8; metadata:created_at 2012_11_29, updated_at 2012_11_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zuponcic EK Payload Request"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"|29 20|Java/1"; http_header; content:"/"; http_uri; content:"i=2ZI"; fast_pattern; http_client_body; depth:5; classtype:trojan-activity; sid:2015970; rev:10; metadata:created_at 2012_11_29, updated_at 2012_11_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown EK Landing URL"; flow:established,to_server; content:".php?dentesus=208779"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015964; rev:10; metadata:created_at 2012_11_29, updated_at 2012_11_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful PayPal Phish Nov 30 2012"; flow:established,to_server; content:"POST"; http_method; content:"login_email="; http_client_body; content:"login_password="; http_client_body; content:"target_page="; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2015972; rev:3; metadata:created_at 2012_11_30, updated_at 2017_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sibhost Status Check"; flow:established,to_server; content:"POST"; http_method; content:"|29 20|Java/1"; http_header; fast_pattern:only; content:"text="; http_client_body; depth:5; pcre:"/\?(s|page|id)=\d+$/U"; classtype:trojan-activity; sid:2015974; rev:12; metadata:created_at 2012_11_30, updated_at 2012_11_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS probable malicious Glazunov Javascript injection"; flow:established,from_server; file_data; content:"(|22|"; distance:0; content:"|22|))|3b|"; distance:52; within:106; content:")|3b|</script></body>"; within:200; fast_pattern; pcre:"/\(\x22[0-9\x3a\x3b\x3c\x3d\x3e\x3fa-k]{50,100}\x22\).{0,200}\)\x3b<\/script><\/body>/s"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015977; rev:8; metadata:created_at 2012_12_03, updated_at 2012_12_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritXPack - Landing Page"; flow:established,from_server; file_data; content:"|7C|pdfver|7C|"; content:"|7C|applet|7C|"; classtype:bad-unknown; sid:2015979; rev:1; metadata:created_at 2012_12_03, updated_at 2012_12_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Google Account Phish Dec 04 2012"; flow:established,to_server; content:"POST"; http_method; content:"continue="; http_client_body; content:"followup="; http_client_body; content:"checkedDomains="; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2015980; rev:3; metadata:created_at 2012_12_03, updated_at 2017_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zuponcic Hostile Jar"; flow:established,to_server; content:"Host|3a 20|"; http_header; content:"."; http_header; distance:2; within:1; content:"Java/"; http_header; content:".jar"; http_uri; fast_pattern:only; pcre:"/^Host\x3a\x20[a-z]{2}\./Hm"; pcre:"/^\/[a-zA-Z]{7}\.jar$/U"; classtype:trojan-activity; sid:2015981; rev:1; metadata:created_at 2012_12_03, updated_at 2012_12_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zuponcic Hostile JavaScript"; flow:established,to_server; urilen:11; content:"Host|3a 20|"; http_header; content:"."; http_header; distance:2; within:1; content:"/js/java.js"; http_uri; fast_pattern:only; pcre:"/^Host\x3a\x20[a-z]{2}\./Hm"; classtype:trojan-activity; sid:2015982; rev:1; metadata:created_at 2012_12_03, updated_at 2012_12_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS PHISH Bank - York - Creds Phished"; flow:established,to_server; content:"POST"; http_method; content:"/secured/private/login.php"; http_uri; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2015983; rev:1; metadata:created_at 2012_12_04, updated_at 2017_06_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Stats Load Fail"; flow:established,to_server; content:"?action=stats_loadfail"; http_uri; classtype:bad-unknown; sid:2015988; rev:1; metadata:created_at 2012_12_05, updated_at 2012_12_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit - Potential Java Exploit Requested - 3 digit jar"; flow:established,to_server; urilen:6<>9; content:".jar"; http_uri; pcre:"/^\/[0-9]{3}\.jar$/U"; classtype:bad-unknown; sid:2015989; rev:1; metadata:created_at 2012_12_05, updated_at 2012_12_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit - Potential Payload Requested - /2Digit.html"; flow:established,to_server; urilen:8; content:".html"; http_uri; content:" Java/1"; http_header; pcre:"/\/[0-9]{2}\.html$/U"; classtype:bad-unknown; sid:2015990; rev:1; metadata:created_at 2012_12_05, updated_at 2012_12_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Robopak - Landing Page Received"; flow:established,to_client; file_data; content:"|22|ors.class|22|"; fast_pattern:only; content:"|22|bhjwfffiorjwe|22|"; classtype:bad-unknown; sid:2015991; rev:3; metadata:created_at 2012_12_05, updated_at 2012_12_05;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake Google Chrome Update/Install"; flow:established,to_server; content:"/chrome/google_chrome_"; http_uri; content:".exe"; http_uri; distance:0; pcre:"/\/chrome\/google_chrome_(update|installer)\.exe$/U"; reference:url,www.barracudanetworks.com/blogs/labsblog?bid=3108; reference:url,www.bluecoat.com/security-blog/2012-12-05/blackhole-kit-doesnt-chrome; classtype:trojan-activity; sid:2015997; rev:2; metadata:created_at 2012_12_06, updated_at 2012_12_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack Jar Request (2)"; flow:established,to_server; content:".php?i="; http_uri; pcre:"/\/j\d{2}\.php\?i=/U"; content:" Java/1"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2016013; rev:3; metadata:created_at 2012_12_07, updated_at 2012_12_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack PDF Request (2)"; flow:established,to_server; content:"/lpdf.php?i="; http_uri; fast_pattern:only; pcre:"/\/lpdf\.php\?i=[a-zA-Z0-9]+&?$/U"; classtype:trojan-activity; sid:2016012; rev:3; metadata:created_at 2012_12_07, updated_at 2012_12_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack Landing Pattern"; flow:established,to_server; content:"/i.php?token="; http_uri; nocase; fast_pattern:only; pcre:"/\/i.php?token=[a-z0-9]+$/Ui"; classtype:trojan-activity; sid:2015998; rev:2; metadata:created_at 2012_12_07, updated_at 2012_12_07;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS PDF /XFA and PDF-1.[0-4] Spec Violation (seen in pamdql and other EKs)"; flow:established,to_client; file_data; content:"%PDF-1."; within:7; pcre:"/^[0-4][^0-9]/R"; content:"/XFA"; distance:0; fast_pattern; pcre:"/^[\r\n\s]*[\d\x5b]/R"; classtype:trojan-activity; sid:2016001; rev:4; metadata:created_at 2012_12_07, updated_at 2012_12_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Embedded Open Type Font file .eot seeing at Cool Exploit Kit"; flow:established,to_client; file_data; content:"|02 00 02 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:8; depth:18; content:"|4c 50|"; distance:8; within:2; content:"|10 00 40 00|D|00|e|00|x|00|t|00|e|00|r|00 00|"; distance:0; content:"|00|R|00|e|00|g|00|u|00|l|00|a|00|r|00|"; distance:0; content:"V|00|e|00|r|00|s|00|i|00|o|00|n|00 20 00|1|00 2e 00|0"; reference:cve,2011-3402; classtype:attempted-user; sid:2016018; rev:1; metadata:created_at 2012_12_12, updated_at 2012_12_12;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS MALVERTISING FlashPost - Redirection IFRAME"; flow:established,to_client; file_data; content:"{|22|iframe|22 3a|true,|22|url|22|"; within:20; classtype:bad-unknown; sid:2016022; rev:2; metadata:created_at 2012_12_12, updated_at 2012_12_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALVERTISING FlashPost - POST to *.stats"; flow:established,to_server; content:"POST"; http_method; content:".stats"; http_uri; content:"pageURL="; http_client_body; classtype:bad-unknown; sid:2016023; rev:2; metadata:created_at 2012_12_12, updated_at 2012_12_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - Landing Page Received - applet and 32HexChar.jar"; flow:established,to_client; file_data; content:"<applet"; fast_pattern:only; content:".jar"; content:"param"; pcre:"/[a-f0-9]{32}\.jar/"; classtype:bad-unknown; sid:2016026; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2012_12_12, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS g01pack - Landing Page Received - applet and 32AlphaNum.jar"; flow:established,to_client; file_data; content:"<applet"; fast_pattern:only; content:".jar"; pcre:"/[a-z0-9]{32}\.jar/"; classtype:bad-unknown; sid:2016027; rev:4; metadata:created_at 2012_12_12, updated_at 2012_12_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible SibHost PDF Request"; flow:established,to_server; content:".pdf?p=1&s="; http_uri; fast_pattern:only; pcre:"/\.pdf\?p=1&s=[1-2]$/U"; classtype:trojan-activity; sid:2016035; rev:2; metadata:created_at 2012_12_14, updated_at 2012_12_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_gmf EK - Payload Download Requested"; flow:established,to_server; content:"/getmyfile.exe"; http_uri; content:" Java/"; http_header; classtype:trojan-activity; sid:2016052; rev:1; metadata:created_at 2012_12_17, updated_at 2012_12_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_gmf EK - Payload Download Received"; flow:established,to_client; content:".exe.crypted"; http_header; fast_pattern; content:"attachment"; http_header; classtype:trojan-activity; sid:2016053; rev:1; metadata:created_at 2012_12_17, updated_at 2012_12_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_gmf EK - Server Response - Application Error"; flow:established,to_client; content:"X-Powered-By|3a| Application Error...."; http_header; classtype:trojan-activity; sid:2016054; rev:2; metadata:created_at 2012_12_17, updated_at 2012_12_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_gmf EK - pdfx.html"; flow:established,to_server; content:"/pdfx.html"; http_uri; classtype:trojan-activity; sid:2016055; rev:2; metadata:created_at 2012_12_17, updated_at 2012_12_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_gmf EK - flsh.html"; flow:established,to_server; urilen:>80; content:"/flsh.html"; http_uri; classtype:trojan-activity; sid:2016056; rev:1; metadata:created_at 2012_12_17, updated_at 2012_12_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful PayPal Phish Dec 19 2012"; flow:established,to_server; content:"login_email="; http_client_body; content:"login_password="; http_client_body; content:"browser_version="; http_client_body; content:"operating_system="; fast_pattern; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2016063; rev:3; metadata:created_at 2012_12_19, updated_at 2017_10_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Embedded Open Type Font file .eot"; flow:established,to_client; file_data; content:"|02 00 02  00 04 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:8; depth:18; content:"|4c 50|"; distance:8; within:2; content:"|10 00 40  00|a|00|b|00|c|00|d|00|e|00|f|00 00|"; distance:0; content:"|00|R|00|e|00|g|00|u|00|l|00|a|00|r|00|"; distance:0; content:"V|00|e|00|r|00|s|00|i|00|o|00|n|00 20 00|1|00 2e 00|0"; reference:cve,2011-3402; classtype:attempted-user; sid:2016065; rev:3; metadata:created_at 2012_12_19, updated_at 2012_12_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO obfuscator string 19 Dec 12 - possible landing"; flow:from_server,established; file_data; content:"cRxmlqC14I8yhr92sovp"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016070; rev:4; metadata:created_at 2012_12_20, updated_at 2012_12_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SofosFO 20 Dec 12 - .jar file request"; flow:established,to_server; urilen:>44; content:".jar"; offset:38; http_uri; content:"Java/1."; http_header; pcre:"/^\/[a-zA-Z0-9]{25,35}\/\d{9,10}\/[a-z]{4,12}\.jar$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016071; rev:2; metadata:created_at 2012_12_20, updated_at 2012_12_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SofosFO 20 Dec 12 - .pdf file request"; flow:established,to_server; urilen:>44; content:".pdf"; offset:38; http_uri; pcre:"/^\/[a-zA-Z0-9]{25,35}\/\d{9,10}\/[a-z]{4,12}\.pdf$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016072; rev:2; metadata:created_at 2012_12_20, updated_at 2012_12_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SofosFO - possible second stage landing page"; flow:established,to_server; urilen:>40; content:".js"; offset:38; http_uri; pcre:"/^\/[a-z0-9A-Z]{25,35}\/(([tZFBeDauxR]+q){3}[tZFBeDauxR]+(_[tZFBeDauxR]+)?|O7dd)k(([tZFBeDauxR]+q){3}[tZFBeDauxR]+|O7dd)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016073; rev:6; metadata:created_at 2012_12_21, updated_at 2012_12_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Hostile Gate landing seen with pamdql/Sweet Orange /in.php?q="; flow:established,to_server; content:"/in.php?q="; http_uri; classtype:trojan-activity; sid:2016090; rev:2; metadata:created_at 2012_12_27, updated_at 2012_12_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Hostile Gate landing seen with pamdql/Sweet Orange base64"; flow:established,to_server; content:"KAhFXlx9"; http_uri; pcre:"/\.php\?[a-z]=.{2}KAhFXlx9.{2}Oj[^&]+$/U"; classtype:trojan-activity; sid:2016091; rev:1; metadata:created_at 2012_12_27, updated_at 2012_12_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS pamdql/Sweet Orange delivering exploit kit payload"; flow:established,to_server; content:"/command/"; http_uri; urilen:15; pcre:"/^\/command\/[a-zA-Z]{6}$/U"; classtype:trojan-activity; sid:2016093; rev:3; metadata:created_at 2012_12_27, updated_at 2012_12_27;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Drupal Mass Injection Campaign Inbound"; flow:established,from_server; file_data; content:"if (i5463 == null) { var i5463 = 1|3b|"; classtype:bad-unknown; sid:2016098; rev:1; metadata:created_at 2012_12_27, updated_at 2012_12_27;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Drupal Mass Injection Campaign Outbound"; flow:established,from_server; file_data; content:"if (i5463 == null) { var i5463 = 1|3b|"; classtype:bad-unknown; sid:2016099; rev:1; metadata:created_at 2012_12_27, updated_at 2012_12_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing Page"; flow:established,from_server; file_data; content:"<applet"; content:"site.A.class"; within:300; classtype:trojan-activity; sid:2016106; rev:1; metadata:created_at 2012_12_28, updated_at 2012_12_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Topic EK Requesting Jar"; flow:established,to_server; content:".php?exp="; http_uri; content:"&b="; http_uri; content:"&k="; http_uri; content:" Java/1";  http_header; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:trojan-activity; sid:2016107; rev:4; metadata:created_at 2012_12_28, updated_at 2012_12_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Topic EK Requesting PDF"; flow:established,to_server; content:".php?exp=lib"; http_uri; content:"&b="; http_uri; content:"&k="; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:trojan-activity; sid:2016108; rev:2; metadata:created_at 2012_12_28, updated_at 2012_12_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sweet Orange Java payload request (1)"; flow:established,to_server; content:"Java/1"; http_header; content:"openparadise1"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016111; rev:2; metadata:created_at 2012_12_28, updated_at 2012_12_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Redkit encrypted binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|fb 67 1f 49|"; within:4; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016113; rev:2; metadata:created_at 2012_12_28, updated_at 2012_12_28;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit - Landing Page"; flow:established,to_client; file_data; content:".jar"; nocase; fast_pattern; content:".pdf"; nocase; content:"Msxml2.XMLHTTP"; nocase; classtype:trojan-activity; sid:2016128; rev:1; metadata:created_at 2012_12_28, updated_at 2012_12_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_gmf/Styx EK - fnts.html "; flow:established,to_server; content:"/fnts.html"; http_uri; classtype:trojan-activity; sid:2016129; rev:3; metadata:created_at 2012_12_28, updated_at 2012_12_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Escaped Unicode Char in Window Location CVE-2012-4792 EIP"; flow:established,from_server; file_data; content:"<form"; nocase; content:"button"; nocase; content:"CollectGarbage("; nocase; fast_pattern:only; content:".location"; nocase; pcre:"/^[\r\n\s]*=[\r\n\s]*unescape\(\s*[\x22\x27][\\%]u/Ri"; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016132; rev:2; metadata:created_at 2013_12_30, updated_at 2013_12_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Escaped Unicode Char in Location CVE-2012-4792 EIP (Exploit Specific replace)"; flow:established,from_server; file_data; content:"jj2Ejj6Cjj6Fjj63jj61jj74jj69jj6Fjj6Ejj20jj3Djj20jj75jj6Ejj65jj73jj63jj61jj70jj65jj28jj22jj25jj75"; nocase; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016133; rev:2; metadata:created_at 2013_12_30, updated_at 2013_12_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Escaped Unicode Char in Location CVE-2012-4792 EIP % Hex Encode"; flow:established,from_server; file_data; content:"%2e%6c%6f%63%61%74%69%6f%6e%20%3d%20%75%6e%65%73%63%61%70%65%28%22%25%75"; nocase; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016134; rev:2; metadata:created_at 2013_12_30, updated_at 2013_12_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS CFR DRIVEBY CVE-2012-4792 DNS Query for C2 domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|provide|08|yourtrap|03|com|00|"; fast_pattern; nocase; distance:0; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016135; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2013_12_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Metasploit CVE-2012-4792 EIP in URI IE 8"; flow:established,to_server; content:"/%E0%AC%B0%E0%B0%8C"; fast_pattern:only; content:"/%E0%AC%B0%E0%B0%8C"; http_raw_uri; content:"MSIE 8.0|3b|"; http_header; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016136; rev:1; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_12_31, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CVE-2012-4792 EIP in URI (1)"; flow:established,to_server; content:"/%E0%B4%8C%E1%88%92"; fast_pattern:only; content:"/%E0%B4%8C%E1%88%92"; http_raw_uri; content:"MSIE 8.0|3b|"; http_header; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016137; rev:1; metadata:created_at 2013_12_31, updated_at 2013_12_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Exodus Intel IE HTML+TIME EIP Control Technique"; flow:established,from_server; file_data; content:"urn|3a|schemas-microsoft-com|3a|time"; nocase; content:"#default#time2"; content:"<t|3a|ANIMATECOLOR"; nocase; fast_pattern:only; content:"CollectGarbage"; nocase; content:"try"; nocase; distance:0; content:".values"; nocase; distance:0; pcre:"/^[\r\n\s\+]*?=.+?\}[\r\n\s]*?catch/Rsi"; reference:cve,2012-4792; reference:url,blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/; classtype:attempted-user; sid:2016138; rev:4; metadata:created_at 2013_01_03, updated_at 2013_01_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sweet Orange Java payload request (2)"; flow:established,to_server; content:"Java/1"; http_header; content:"&partners="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016142; rev:2; metadata:created_at 2013_01_03, updated_at 2013_01_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Injected iframe leading to Redkit Jan 02 2013"; flow:established,from_server; file_data; content:"iframe name="; pcre:"/^[\r\n\s]*[\w]+[\r\n\s]+/R"; content:"scrolling=auto frameborder=no align=center height=2 width=2 src=http|3a|//"; within:71; fast_pattern:48,20; pcre:"/^[^\r\n\s>]+\/[a-z]{4,5}\.html\>\<\/iframe\>/R"; classtype:trojan-activity; sid:2016144; rev:2; metadata:created_at 2013_01_03, updated_at 2013_01_03;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible TURKTRUST Spoofed Google Cert"; flow:established,from_server; content:"|16 03|"; depth:2; content:"*.EGO.GOV.TR"; nocase; fast_pattern:only; content:"*.google.com"; classtype:policy-violation; sid:2016154; rev:1; metadata:created_at 2013_01_04, updated_at 2013_01_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible CrimeBoss Generic URL Structure"; flow:established,to_server; content:"/cb.php?action="; http_uri; classtype:bad-unknown; sid:2016169; rev:2; metadata:created_at 2013_01_08, updated_at 2013_01_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CVE-2012-4792 EIP in URI (2)"; flow:established,to_server; content:"/%E0%B4%8C%E1%82%AB"; fast_pattern:only; content:"/%E0%B4%8C%E1%82%AB"; http_raw_uri; content:"MSIE 8.0|3b|"; http_header; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016170; rev:1; metadata:created_at 2013_01_08, updated_at 2013_01_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY RedKit - Landing Page"; flow:established,to_client; file_data; content:".jar"; nocase; fast_pattern; content:".pdf"; nocase; content:"Msxml2.XMLHTTP"; nocase; pcre:"/\/[0-9]{3}\.jar/"; pcre:"/\/[0-9]{3}\.pdf/"; classtype:trojan-activity; sid:2016174; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2013_01_09, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible CVE-2013-0156 Ruby On Rails XML POST to Disallowed Type YAML"; flow:established,to_server; content:"POST"; http_method; content:"|0d 0a|Content-Type|3a 20|"; pcre:"/^(?:application\/(?:x-)?|text\/)xml/R"; content:" type="; http_client_body; nocase; fast_pattern; content:"yaml"; distance:0; nocase; http_client_body; pcre:"/<[^>]*\stype\s*=\s*([\x22\x27])yaml\1/Pi"; reference:url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-attack; sid:2016175; rev:2; metadata:created_at 2013_01_09, updated_at 2013_01_09;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible CVE-2013-0156 Ruby On Rails XML POST to Disallowed Type SYMBOL"; flow:established,to_server; content:"POST"; http_method; content:"|0d 0a|Content-Type|3a 20|"; pcre:"/^(?:application\/(?:x-)?|text\/)xml/R"; content:" type="; http_client_body; nocase; fast_pattern; content:"symbol"; distance:0; nocase; http_client_body; pcre:"/<[^>]*\stype\s*=\s*([\x22\x27])symbol\1/Pi"; reference:url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-activity; sid:2016176; rev:2; metadata:created_at 2013_01_09, updated_at 2013_01_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Landing Page Received"; flow:established,to_client; file_data; content:"application/x-java-applet"; content:"width=|22|000"; content:"height=|22|000"; classtype:bad-unknown; sid:2016190; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2013_01_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK - Landing Page Received"; flow:established,to_client; file_data; content:"<div id=|22|heap_allign|22|></div>"; classtype:bad-unknown; sid:2016191; rev:5; metadata:created_at 2013_01_11, updated_at 2013_01_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Unknown - Please wait..."; flow:established,to_client; file_data; content:"<title>Please wait...</title>"; nocase; content:"<div id="; content:"></div><div id="; distance:5; within:16; classtype:bad-unknown; sid:2016192; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2013_01_11, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Redkit Exploit Kit Three Numerical Character Naming Convention PDF Request"; flow:established,to_server; urilen:8; content:".pdf"; http_uri; pcre:"/\x2F[0-9]{3}\.pdf$/U"; reference:url,blogs.mcafee.com/mcafee-labs/red-kit-an-emerging-exploit-pack; reference:cve,2010-0188; classtype:trojan-activity; sid:2016210; rev:1; metadata:created_at 2013_01_15, updated_at 2013_01_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2013-0422 Landing Page"; flow:established,from_server; file_data; content:"<title>Loading, Please Wait...</title>"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{7}\.class/"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{8}\.jar/"; classtype:attempted-user; sid:2016227; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_01_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2013-0422 Jar"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"B.class"; fast_pattern:only; pcre:"/[^a-zA-Z0-9_\-.]B\.class/"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{7}\.class/"; content:!"Browser.class"; classtype:attempted-user; sid:2016228; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_01_17, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Impact Exploit Kit Class Download"; flow:established,to_server; content:"/com/sun/org/glassfish/gmbal/util/GenericConstructor.class"; fast_pattern:13,20; content:" Java/1"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016240; rev:4; metadata:created_at 2013_01_18, updated_at 2013_01_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS StyX Landing Page"; flow:established,from_server; file_data; content:"|22|pdfx.ht|5C|x6dl|22|"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016247; rev:5; metadata:created_at 2013_01_21, updated_at 2013_01_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS StyX Landing Page"; flow:established,to_server; content:"/i.html?0x"; http_uri; depth:10; urilen:>100; pcre:"/\/i\.html\?0x\d{1,2}=[a-zA-Z0-9+=]{100}/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016248; rev:5; metadata:created_at 2013_01_21, updated_at 2013_01_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Redkit Class Request (1)"; flow:established,to_server; content:"/Gobon.class"; http_uri; content:" Java/"; http_header; classtype:bad-unknown; sid:2016249; rev:5; metadata:created_at 2013_01_21, updated_at 2013_01_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Redkit Class Request (2)"; flow:established,to_server; content:"/Runs.class"; http_uri; content:" Java/1"; http_header; classtype:bad-unknown; sid:2016250; rev:5; metadata:created_at 2013_01_21, updated_at 2013_01_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Red Dot Exploit Kit Single Character JAR Request"; flow:established,to_server; urilen:6; content:".jar"; http_uri; pcre:"/\x2F[a-z]\x2Ejar$/U"; reference:url,malware.dontneedcoffee.com/; classtype:trojan-activity; sid:2016254; rev:1; metadata:created_at 2013_01_23, updated_at 2013_01_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Red Dot Exploit Kit Binary Payload Request"; flow:established,to_server; content:"/load.php?guid="; http_uri; content:"&thread="; http_uri; content:"&exploit="; http_uri; content:"&version="; http_uri; content:"&rnd="; http_uri; reference:url,malware.dontneedcoffee.com/; classtype:trojan-activity; sid:2016255; rev:1; metadata:created_at 2013_01_23, updated_at 2013_01_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Gondad Exploit Kit Post Exploitation Request"; flow:established,to_server; content:"/cve2012xxxx/Gondvv.class"; http_uri; classtype:trojan-activity; sid:2016256; rev:1; metadata:created_at 2013_01_23, updated_at 2013_01_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TDS - in.php"; flow:established,to_server; content:"/in.php?s="; http_uri; classtype:trojan-activity; sid:2016272; rev:1; metadata:created_at 2013_01_24, updated_at 2013_01_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS MetaSploit CVE-2012-1723 Class File (seen in live EKs)"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"ConfusingClassLoader.class"; classtype:bad-unknown; sid:2016276; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_01_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS MetaSploit CVE-2012-1723 Class File (seen in live EKs)"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"Confuser.class"; classtype:bad-unknown; sid:2016277; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_01_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious iframe"; flow:established,from_server; file_data; content:"<iframe"; pcre:"/^((?!<\/iframe>).)*?[\r\n\s]+name[\r\n\s]*=[\r\n\s]*(?P<q>[\x22\x27])?(Twitter|Google\+)(?P=q)?[\r\n\s]+/R"; content:"scrolling=auto frameborder=no align=center height=2 width=2"; within:59; fast_pattern:39,20; classtype:trojan-activity; sid:2016297; rev:3; metadata:created_at 2013_01_28, updated_at 2013_01_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious iframe"; flow:established,from_server; file_data; content:"<iframe"; pcre:"/^((?!<\/iframe>).)*?[\r\n\s]+name[\r\n\s]*=[\r\n\s]*(?P<q>[\x22\x27])?(Twitter|Google\+)(?P=q)?[\r\n\s]+/R"; content:"scrolling=|22|auto|22| frameborder=|22|no|22| align=|22|center|22| height=|22|2|22| width=|22|2|22|"; within:69; fast_pattern:49,20; classtype:trojan-activity; sid:2016298; rev:3; metadata:created_at 2013_01_28, updated_at 2013_01_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Redkit Class Request (3)"; flow:established,to_server; content:"/Vlast.class"; http_uri; content:" Java/1"; http_header; fast_pattern:only; classtype:bad-unknown; sid:2016299; rev:7; metadata:created_at 2013_01_28, updated_at 2013_01_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS JDB Exploit Kit Landing URL structure"; flow:established,from_client; content:"/inf.php?id="; http_uri; nocase; fast_pattern:only; pcre:"/\/inf\.php\?id=[a-f0-9]{32}$/Ui"; classtype:trojan-activity; sid:2016306; rev:1; metadata:created_at 2013_01_29, updated_at 2013_01_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS JDB Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"Adobe Flash must be updated to view this"; content:"/lib/adobe.php?id="; distance:0; fast_pattern; pcre:"/^[a-f0-9]{32}/R"; classtype:trojan-activity; sid:2016307; rev:3; metadata:created_at 2013_01_29, updated_at 2013_01_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible JDB Exploit Kit Class Request"; flow:established,to_server; content:"/jdb/"; http_uri; nocase; content:".class"; http_uri; nocase; pcre:"/\/jdb\/[^\/]+\.class$/Ui"; content:" Java/1"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2016308; rev:5; metadata:created_at 2013_01_29, updated_at 2013_01_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS JDB Exploit Kit JAR Download"; flow:established,to_server; content:".php?id="; http_uri; nocase; content:" Java/1"; http_header; fast_pattern:only; pcre:"/\.php\?id=[a-f0-9]{32}$/Ui"; classtype:trojan-activity; sid:2016309; rev:4; metadata:created_at 2013_01_29, updated_at 2013_01_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS JDB Exploit Kit Fake Adobe Download"; flow:established,to_server; content:"/lib/adobe.php?id="; http_uri; nocase; fast_pattern:only; pcre:"/\/lib\/adobe\.php\?id=[a-f0-9]{32}$/Ui"; classtype:trojan-activity; sid:2016310; rev:4; metadata:created_at 2013_01_29, updated_at 2013_01_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Non-Standard HTML page in Joomla /com_content/ dir (Observed in Recent Pharma Spam)"; flow:established,to_server; content:"/components/com_content/"; http_uri; content:!"index.html"; nocase; within:10; http_uri; content:".html"; nocase; http_uri; distance:0; classtype:bad-unknown; sid:2016311; rev:6; metadata:created_at 2013_01_29, updated_at 2013_01_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Impact Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"<applet"; fast_pattern:only; content:"value"; pcre:"/^\s*=\s*[\x22\x27]/R"; content:"h"; distance:8; within:1; content:"t"; distance:8; within:1; content:"t"; distance:8; within:1; content:"p"; distance:8; within:1; content:"|3a|"; distance:8; within:1; content:"/"; distance:8; within:1; classtype:trojan-activity; sid:2016319; rev:1; metadata:created_at 2013_01_30, updated_at 2013_01_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Phish - Generic POST to myform.php Feb 01 2013"; flow:established,to_server; content:"POST"; http_method; content:"/myform.php"; http_uri; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2016327; rev:2; metadata:created_at 2013_01_31, updated_at 2017_10_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible g01pack Landing Page"; flow:established,to_client; file_data; content:"<applet"; nocase; content:"archive"; nocase; distance:0; pcre:"/^[\r\n\s]*=[\r\n\s]*(?P<q>[\x22\x27])((?!(?P=q)).)+?\.(gif|jpe?g|p(ng|sd))(?P=q)/Rsi"; classtype:trojan-activity; sid:2016333; rev:3; metadata:created_at 2013_01_31, updated_at 2013_01_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Styx Exploit Kit Secondary Landing"; flow:established,to_server; content:".js"; http_uri; content:"/i.html"; http_header; fast_pattern:only; pcre:"/^[a-z]+\.js$/U"; pcre:"/^Referer\x3a[^\r\n]+\/i.html(\?[^=]{1,10}=[^&\r\n]{100,})?\r?$/Hmi"; classtype:bad-unknown; sid:2016347; rev:5; metadata:created_at 2013_02_05, updated_at 2013_02_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS WhiteHole Exploit Landing Page"; flow:established,from_server; file_data; content:".jar?java="; nocase; fast_pattern:only; content:"<applet"; pcre:"/^((?!<\/applet>).)+?\.jar\?java=\d+/R"; content:" name=";  content:"http"; within:5; content:" name="; content:"ftp"; within:4; classtype:trojan-activity; sid:2016348; rev:6; metadata:created_at 2013_02_05, updated_at 2013_02_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS WhiteHole Exploit Kit Jar Request"; flow:to_server,established; content:".jar?java="; http_uri; fast_pattern:only; nocase; content:" Java/1."; http_header; pcre:"/\.jar\?java=\d+$/Ui"; classtype:trojan-activity; sid:2016349; rev:3; metadata:created_at 2013_02_05, updated_at 2013_02_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS WhiteHole Exploit Kit Payload Download"; flow:established,to_server; content:"/?whole="; nocase; http_uri; fast_pattern:only; content:" Java/1."; http_header; pcre:"/\/\?whole=\d+$/Ui"; classtype:trojan-activity; sid:2016350; rev:1; metadata:created_at 2013_02_05, updated_at 2013_02_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Styx Exploit Kit Jerk.cgi TDS"; flow:established,to_server; content:"/jerk.cgi?"; fast_pattern:only; http_uri; pcre:"/\x2Fjerk\x2Ecgi\x3F[0-9]$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:trojan-activity; sid:2016352; rev:1; metadata:created_at 2013_02_05, updated_at 2013_02_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Landing Applet With Getmyfile.exe Payload"; flow:established,to_client; file_data; content:"<applet"; distance:0; content:"value="; distance:0; content:"/getmyfile.exe?o="; distance:0; nocase; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:trojan-activity; sid:2016353; rev:1; metadata:created_at 2013_02_05, updated_at 2013_02_05;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS WSO WebShell Activity POST structure 2"; flow:established,to_server; content:"POST"; http_method; content:" name=|22|c|22|"; http_client_body; content:"name=|22|p1|22|"; http_client_body; fast_pattern; pcre:"/name=(?P<q>[\x22\x27])a(?P=q)[^\r\n]*\r\n[\r\n\s]+(?:S(?:e(?:lfRemove|cInfo)|tringTools|afeMode|ql)|(?:Bruteforc|Consol)e|FilesMan|Network|Logout|Php)/Pi"; classtype:attempted-user; sid:2016354; rev:2; metadata:created_at 2013_02_05, updated_at 2013_02_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritXPack - Landing Page - Received"; flow:established,to_client; file_data; content:"js.pd.js"; content:"|7C|applet|7C|"; classtype:trojan-activity; sid:2016356; rev:1; metadata:created_at 2013_02_06, updated_at 2013_02_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack - URI - jpfoff.php"; flow:established,to_server; content:"/jpfoff.php?token="; http_uri; classtype:trojan-activity; sid:2016357; rev:1; metadata:created_at 2013_02_06, updated_at 2013_02_06;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack Jar Request (3)"; flow:established,to_server; content:"/j17.php?i="; http_uri; content:"|29 20|Java/1"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2016365; rev:3; metadata:created_at 2013_02_06, updated_at 2013_02_06;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Exploit Kit Java jpg download"; flow:established,to_server; content:".jpg"; http_uri; pcre:"/\.jpg$/U"; content:" Java/1."; http_header; fast_pattern:only; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:trojan-activity; sid:2016371; rev:2; metadata:created_at 2013_02_08, updated_at 2013_02_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_MM EK - Landing Page"; flow:established,to_client; file_data; content:"<applet "; content:"new PDFObject"; classtype:trojan-activity; sid:2016373; rev:1; metadata:created_at 2013_02_08, updated_at 2013_02_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_MM - Java Exploit - jaxws.jar"; flow:established,to_server; content:"/jaxws.jar"; http_uri; content:" Java/"; http_header; classtype:trojan-activity; sid:2016374; rev:1; metadata:created_at 2013_02_08, updated_at 2013_02_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_MM - Java Exploit - jre.jar"; flow:established,to_server; content:"/jre.jar"; http_uri; content:" Java/"; http_header; classtype:trojan-activity; sid:2016375; rev:1; metadata:created_at 2013_02_08, updated_at 2013_02_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_MM - Payload Download"; flow:established,to_client; file_data; content:"PK"; within:2; content:"stealth.exe"; within:60; classtype:trojan-activity; sid:2016377; rev:1; metadata:created_at 2013_02_08, updated_at 2013_02_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_MM EK - Java Exploit - fbyte.jar"; flow:established,to_server; content:"/fbyte.jar"; http_uri; content:" Java/"; http_header; classtype:trojan-activity; sid:2016378; rev:1; metadata:created_at 2013_02_08, updated_at 2013_02_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic - JAR Containing Windows Executable"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:".exe"; fast_pattern; nocase; classtype:trojan-activity; sid:2016379; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2013_02_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura Exploit Kit Encrypted Binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|25 3e fc 75 7b|"; within:5; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016380; rev:3; metadata:created_at 2013_02_08, updated_at 2013_02_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Flash Zero Day LadyBoyle Infection Campaign"; flow:established,to_client; file_data; content:"FWS"; distance:0; content:"LadyBoyle"; distance:0; reference:md5,3de314089db35af9baaeefc598f09b23; reference:md5,2568615875525003688839cb8950aeae; reference:url,blog.fireeye.com/research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html; reference:url,www.adobe.com/go/apsb13-04; reference:cve,2013-0633; reference:cve,2013-0633; classtype:trojan-activity; sid:2016391; rev:1; metadata:created_at 2013_02_08, updated_at 2013_02_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Impact Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"value"; distance:0; pcre:"/^(\s*=\s*|[\x22\x27]\s*,\s*)[\x22\x27]/R"; content:"h"; distance:8; within:1; content:"t"; distance:8; within:1; content:"t"; distance:8; within:1; content:"p"; distance:8; within:1; content:"|3a|"; distance:8; within:1; content:"/"; distance:8; within:1; classtype:trojan-activity; sid:2016393; rev:3; metadata:created_at 2013_02_08, updated_at 2013_02_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Exploit Specific Uncompressed Flash CVE-2013-0634"; flow:established,to_client; flowbits:isset,HTTP.UncompressedFlash; file_data; content:"RegExp"; distance:0; content:"#(?i)()()(?-i)|7c 7c|"; distance:0; classtype:trojan-activity; sid:2016396; rev:4; metadata:created_at 2013_02_08, updated_at 2013_02_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Exploit Specific Uncompressed Flash Inside of OLE CVE-2013-0634"; flow:established,to_client; flowbits:isset,OLE.WithFlash; file_data; content:"RegExp"; distance:0; content:"#(?i)()()(?-i)|7c 7c|"; distance:0; classtype:trojan-activity; sid:2016397; rev:3; metadata:created_at 2013_02_08, updated_at 2013_02_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Flash Action Script Invalid Regex CVE-2013-0634"; flow:established,to_client; file_data; flowbits:isset,HTTP.UncompressedFlash; content:"RegExp"; distance:0; content:"#"; distance:0; pcre:"/^[\x20-\x7f]*\(\?[sxXmUJ]*i[sxXmUJ]*(\-[sxXmUJ]*)?\)[\x20-\x7f]*\(\?[sxXmUJ]*\-[sxXmUJ]*i[sxXmUJ]*\)[\x20-\x7f]*\|\|/R"; reference:cve,2013-0634; classtype:trojan-activity; sid:2016400; rev:3; metadata:created_at 2013_02_12, updated_at 2013_02_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Flash Action Script Invalid Regex CVE-2013-0634"; flow:established,to_client; file_data; flowbits:isset,OLE.WithFlash; content:"RegExp"; distance:0; content:"#"; distance:0; pcre:"/^[\x20-\x7f]*\(\?[sxXmUJ]*i[sxXmUJ]*(\-[sxXmUJ]*)?\)[\x20-\x7f]*\(\?[sxXmUJ]*\-[sxXmUJ]*i[sxXmUJ]*\)[\x20-\x7f]*\|\|/R"; reference:cve,2013-0364; classtype:trojan-activity; sid:2016401; rev:3; metadata:created_at 2013_02_12, updated_at 2013_02_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK Payload - obfuscated binary base 0"; flow:established,to_client; file_data; content:"|af 9e b6 98 09 fc ee d0|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016403; rev:1; metadata:created_at 2013_02_12, updated_at 2013_02_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool Java Exploit Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"SunJCE.class"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016407; rev:2; metadata:created_at 2013_02_12, updated_at 2013_02_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Adobe PDF Zero Day Trojan.666 Payload libarhlp32.dll Second Stage Download POST"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"lbarhlp32.blb"; http_client_body; reference:url,blog.fireeye.com/research/2013/02/the-number-of-the-beast.html; classtype:trojan-activity; sid:2016409; rev:2; metadata:created_at 2013_02_14, updated_at 2013_02_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Adobe PDF Zero Day Trojan.666 Payload libarext32.dll Second Stage Download POST"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"lbarext32.blb"; http_client_body; reference:url,blog.fireeye.com/research/2013/02/the-number-of-the-beast.html; classtype:trojan-activity; sid:2016410; rev:2; metadata:created_at 2013_02_14, updated_at 2013_02_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TDS Vdele"; flow:established,to_server; content:"GET"; nocase; http_method; urilen:>37; content:"/vd/"; http_uri; nocase; fast_pattern:only; pcre:"/\/vd\/\d+\x3b[a-f0-9]{32}/Ui"; classtype:trojan-activity; sid:2016412; rev:3; metadata:created_at 2013_02_14, updated_at 2013_02_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK Payload Download (5)"; flow:established,to_server; content:".txt?e="; http_uri; nocase; fast_pattern:only; content:!"Referer|3a| "; http_header; pcre:"/\.txt\?e=\d+(&[fh]=\d+)?$/U"; classtype:trojan-activity; sid:2016414; rev:7; metadata:created_at 2013_02_16, updated_at 2013_02_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK landing applet plus class Feb 18 2013"; flow:established,to_client; file_data; content:"<applet"; content:"code=|22|hw|22|"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016426; rev:2; metadata:created_at 2013_02_18, updated_at 2013_02_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK Possible Java Payload Download"; flow:to_server,established; content:".exe?"; http_uri; content:" Java/1"; http_header; fast_pattern:only; pcre:"/\.exe\?(e=)?\d+$/U"; classtype:trojan-activity; sid:2016427; rev:5; metadata:created_at 2013_02_18, updated_at 2013_02_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (1)"; flow:established,to_server; content:"/java/lang/ClassBeanInfo.class"; http_uri; fast_pattern:10,20; content:" Java/1.7"; http_header; classtype:trojan-activity; sid:2016490; rev:9; metadata:created_at 2013_02_22, updated_at 2013_02_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (2)"; flow:established,to_server; content:"/java/lang/ObjectBeanInfo.class"; http_uri; fast_pattern:11,20; content:" Java/1.7"; http_header; classtype:trojan-activity; sid:2016491; rev:9; metadata:created_at 2013_02_22, updated_at 2013_02_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (3)"; flow:established,to_server; content:"/java/lang/ObjectCustomizer.class"; http_uri; fast_pattern:13,20; content:" Java/1.7"; http_header; classtype:trojan-activity; sid:2016492; rev:9; metadata:created_at 2013_02_22, updated_at 2013_02_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (3)"; flow:established,to_server; content:"/java/lang/ClassCustomizer.class"; http_uri; fast_pattern:12,20; content:" Java/1.7"; http_header; classtype:trojan-activity; sid:2016493; rev:9; metadata:created_at 2013_02_22, updated_at 2013_02_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS StyX Landing Page (2)"; flow:established,from_server; file_data; content:"|22|pdf|5c|78.ht|5c|6dl|22|"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016497; rev:6; metadata:created_at 2013_02_25, updated_at 2013_02_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Landing Applet With Payload"; flow:established,to_client; file_data; content:".exe?"; fast_pattern:only; content:"<applet"; content:" value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?\/[a-zA-Z0-9\/\-\_]{60,}\/[a-zA-Z0-9]+\.exe\?[a-zA-Z0-9]+=[a-zA-Z0-9]+(&h=\d+)?[\x22\x27]/R"; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; reference:md5,9a17d72f6234a1dc930ffe6b1681504c; classtype:trojan-activity; sid:2016498; rev:7; metadata:created_at 2013_02_25, updated_at 2013_02_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Styx Exploit Kit Payload Download"; flow:established,to_server; content:".exe"; http_uri; nocase; fast_pattern:only; content:"&h="; http_uri; pcre:"/\.exe(?:\?[a-zA-Z0-9]+=[a-zA-Z0-9]+)?&h=\d+$/Ui"; content:!"Referer|3a|"; http_header; classtype:bad-unknown; sid:2016499; rev:13; metadata:created_at 2013_02_25, updated_at 2013_02_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Nicepack EK Landing (Anti-VM)"; flow:established,to_client; file_data; content:"if(document.body.onclick!=null)"; content:"if(document.styleSheets.length!=0)"; classtype:bad-unknown; sid:2016500; rev:7; metadata:created_at 2013_02_25, updated_at 2013_02_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Compromise svchost.jpg Beacon - Java  Zeroday"; flow:established,to_server; content:"/svchost.jpg"; fast_pattern:only; http_uri; content:" Java/1."; http_header; reference:url,blog.fireeye.com/research/2013/02/yaj0-yet-another- java-zero-day-2.html; classtype:trojan-activity; sid:2016511; rev:2; metadata:created_at 2013_03_01, updated_at 2013_03_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Java Exploit - jhan.jar"; flow:established,to_server; content:"/jhan.jar"; http_uri; content:" Java/"; http_header; classtype:trojan-activity; sid:2016514; rev:1; metadata:created_at 2013_03_04, updated_at 2013_03_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probable Sakura exploit kit landing page obfuscated applet tag Mar 1 2013"; flow:established,from_server; file_data; content:"<#a#p#p#l#e#t#"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016520; rev:4; metadata:created_at 2013_03_04, updated_at 2013_03_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Java Archive Request (Java-SPLOIT.jar)"; flow:established,to_server; content:"/Java-SPLOIT.jar"; http_uri; content:" Java/1"; http_header; fast_pattern:only; classtype:bad-unknown; sid:2016521; rev:1; metadata:created_at 2013_03_04, updated_at 2013_03_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Payload Request"; flow:established,to_server; content:"/download.php?e="; http_uri; fast_pattern:only; pcre:"/\.php\?e=[^&]+?$/U"; classtype:bad-unknown; sid:2016522; rev:1; metadata:created_at 2013_03_04, updated_at 2013_03_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Exploit Request"; flow:established,to_server; content:"/module.php?e="; http_uri; fast_pattern:only; pcre:"/\.php\?e=[^&]+?$/U"; classtype:bad-unknown; sid:2016523; rev:1; metadata:created_at 2013_03_04, updated_at 2013_03_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Java Download non Jar file"; flow:established,to_server; content:!".jar"; http_uri; nocase; content:!".jnlp"; http_uri; nocase; content:!".hpi"; http_uri; nocase; content:" Java/1."; http_header; fast_pattern:only; content:!"ArduinoIDE/"; http_header; flowbits:set,ET.JavaNotJar; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2016539; rev:5; metadata:created_at 2013_03_05, updated_at 2018_04_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs"; flow:established,from_server; content:!".jar"; http_header; nocase; file_data; content:"PK"; within:2; content:".class"; distance:0; fast_pattern; flowbits:isset,ET.JavaNotJar; flowbits:unset,ET.JavaNotJar; classtype:bad-unknown; sid:2016540; rev:2; metadata:created_at 2013_03_05, updated_at 2013_03_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO/GrandSoft landing applet plus class Mar 03 2013"; flow:established,to_client; file_data; content:"<applet"; content:"MyApplet"; within:200; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016541; rev:3; metadata:created_at 2013_03_05, updated_at 2013_03_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Portal TDS Kit GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?pprec"; nocase; fast_pattern:only; http_uri; pcre:"/\.php\?pprec$/Ui"; reference:url,ondailybasis.com/blog/?p=1867; classtype:trojan-activity; sid:2016542; rev:2; metadata:created_at 2013_03_05, updated_at 2013_03_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Portal TDS Kit GET (2)"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?c002"; nocase; fast_pattern:only; http_uri; pcre:"/\.php\?c002$/Ui"; reference:url,ondailybasis.com/blog/?p=1867; classtype:trojan-activity; sid:2016543; rev:1; metadata:created_at 2013_03_05, updated_at 2013_03_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Base64 http argument in applet (Neutrino/Angler)"; flow:established,from_server; file_data; content:"<applet "; pcre:"/^((?!<\/applet>).)+?[\x22\x27]aHR0cDov/Rs"; content:"aHR0cDov"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016549; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2013_03_07, malware_family Angler, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible CrimeBoss Generic URL Structure"; flow:established,to_server; content:".php?action=jv&h="; http_uri; classtype:bad-unknown; sid:2016558; rev:3; metadata:created_at 2013_03_08, updated_at 2013_03_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS GonDadEK Plugin Detect March 11 2013"; flow:to_client,established; file_data; content:"this.gondad = arrVersion"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016560; rev:9; metadata:created_at 2013_03_12, updated_at 2013_03_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SNET EK Downloading Payload"; flow:to_server,established; content:"/get?src="; http_uri; fast_pattern; content:"snet"; http_uri; distance:0; pcre:"/\/get\?src=[a-z]+snet$/U"; content:" WinHttp.WinHttpRequest"; http_header; classtype:trojan-activity; sid:2016566; rev:1; metadata:created_at 2013_03_13, updated_at 2013_03_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to DynDNS Pro Dynamic DNS Domain"; flow:to_server,established; content:" Java/1."; http_header; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:i(?:s(?:-(?:a(?:-(?:(?:(?:h(?:ard-work|unt)e|financialadviso)r|d(?:e(?:mocrat|signer)|octor)|t(?:e(?:acher|chie)|herapist)|r(?:epublican|ockstar)|n(?:ascarfan|urse)|anarchist|musician)\.com|c(?:(?:(?:ubicle-sla|onservati)ve|pa)\.com|a(?:ndidate\.org|terer\.com)|hef\.(?:com|net|org)|elticsfan\.org)|l(?:i(?:ber(?:tarian|al)\.com|nux-user\.org)|(?:a(?:ndscap|wy)er|lama)\.com)|p(?:(?:ersonaltrain|hotograph|lay)er\.com|a(?:inter\.com|tsfan\.org))|b(?:(?:(?:ookkeep|logg)er|ulls-fan)\.com|ruinsfan\.org)|s(?:o(?:cialist\.com|xfan\.org)|tudent\.com)|g(?:eek\.(?:com|net|org)|(?:reen|uru)\.com)|knight\.org)|n-(?:a(?:c(?:t(?:ress|or)|countant)|(?:narch|rt)ist)|en(?:tertain|gine)er)\.com)|(?:into-(?:(?:car(?:toon)?|game)s|anime)|(?:(?:not-)?certifie|with-theban)d|uberleet|gone)\.com|(?:very-(?:(?:goo|ba)d|sweet|evil|nice)|found)\.org|s(?:aved\.org|lick\.com)|l(?:eet\.com|ost\.org)|by\.us)|a-(?:geek\.(?:com|net|org)|hockeynut\.com)|t(?:eingeek|mein)\.de|smarterthanyou\.com)|n-the-band\.net|amallama\.com)|f(?:rom-(?:(?:i[adln]|w[aivy]|o[hkr]|[hr]i|d[ce]|k[sy]|p[ar]|s[cd]|t[nx]|v[at]|fl|ga|ut)\.com|m(?:[adinost]\.com|e\.org)|n(?:[cdehjmv]\.com|y\.net)|a(?:[klr]\.com|z\.net)|c(?:[at]\.com|o\.net)|la\.net)|or(?:-(?:(?:(?:mor|som|th)e|better)\.biz|our\.info)|got\.h(?:er|is)\.name)|uettertdasnetz\.de|tpaccess\.cc)|s(?:e(?:l(?:ls(?:-(?:for-(?:less|u)\.com|it\.net)|yourhome\.org)|fip\.(?:info|biz|com|net|org))|rve(?:bbs\.(?:com|net|org)|ftp\.(?:net|org)|game\.org))|(?:aves-the-whales|pace-to-rent|imple-url)\.com|crapp(?:er-site\.net|ing\.cc)|tuff-4-sale\.(?:org|us)|hacknet\.nu)|d(?:o(?:es(?:ntexist\.(?:com|org)|-it\.net)|ntexist\.(?:com|net|org)|omdns\.(?:com|org))|yn(?:a(?:lias\.(?:com|net|org)|thome\.net)|-o-saur\.com|dns\.ws)|ns(?:alias\.(?:com|net|org)|dojo\.(?:com|net|org))|vrdns\.org)|h(?:o(?:me(?:linux\.(?:com|net|org)|unix\.(?:com|net|org)|(?:\.dyn)?dns\.org|ftp\.(?:net|org)|ip\.net)|bby-site\.(?:com|org))|ere-for-more\.info|am-radio-op\.net)|b(?:log(?:dns\.(?:com|net|org)|site\.org)|(?:uyshouses|roke-it)\.net|arrel?l-of-knowledge\.info|oldlygoingnowhere\.org|etter-than\.tv)|g(?:o(?:tdns\.(?:com|org)|\.dyndns\.org)|ame-(?:server\.cc|host\.org)|et(?:myip\.com|s-it\.net)|roks-th(?:is|e)\.info)|e(?:st-(?:(?:a-la-ma(?:is|si)|le-patr)on|mon-blogueur)\.com|ndof(?:internet\.(?:net|org)|theinternet\.org))|l(?:e(?:btimnetz|itungsen)\.de|ikes(?:candy|-pie)\.com|and-4-sale\.us)|m(?:i(?:sconfused\.org|ne\.nu)|yp(?:hotos\.cc|ets\.ws)|erseine\.nu)|w(?:ebhop\.(?:info|biz|net|org)|ritesthisblog\.com|orse-than\.tv)|t(?:eaches-yoga\.com|raeumtgerade\.de|hruhere\.net)|k(?:icks-ass\.(?:net|org)|nowsitall\.info)|o(?:ffice-on-the\.net|n-the-web\.tv)|(?:neat-url|cechire)\.com|podzone\.(?:net|org)|at-band-camp\.net|readmyblog\.org)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016580; rev:1; metadata:created_at 2013_03_15, updated_at 2013_03_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to ChangeIP Dynamic DNS Domain"; flow:to_server,established; content:" Java/1."; http_header; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:m(?:y(?:p(?:op3\.(?:net|org)|icture\.info)|n(?:etav\.(?:net|org)|umber\.org)|(?:secondarydns|lftv|03)\.com|d(?:ad\.info|dns\.com)|ftp\.(?:info|name)|(?:mom|z)\.info|www\.biz)|(?:r(?:b(?:asic|onus)|(?:slov|fac)e)|efound)\.com|oneyhome\.biz)|d(?:yn(?:amicdns\.(?:(?:org|co|me)\.uk|biz)|dns\.pro|ssl\.com)|ns(?:(?:-(?:stuff|dns)|0[45]|et|rd)\.com|[12]\.us)|dns\.(?:m(?:e\.uk|obi|s)|info|name|us)|(?:smtp|umb1)\.com|hcp\.biz)|(?:j(?:u(?:ngleheart|stdied)|etos|kub)|y(?:ou(?:dontcare|rtrap)|gto)|4(?:mydomain|dq|pu)|q(?:high|poe)|2(?:waky|5u)|z(?:yns|zux)|vizvaz|1dumb)\.com|s(?:e(?:(?:llclassics|rveusers?|ndsmtp)\.com|x(?:idude\.com|xxy\.biz))|quirly\.info|sl443\.org|ixth\.biz)|o(?:n(?:mypc\.(?:info|biz|net|org|us)|edumb\.com)|(?:(?:urhobb|cr)y|rganiccrap|tzo)\.com)|f(?:ree(?:(?:ddns|tcp)\.com|www\.(?:info|biz))|a(?:qserv|rtit)\.com|tp(?:server|1)\.biz)|a(?:(?:(?:lmostm|cmeto)y|mericanunfinished)\.com|uthorizeddns\.(?:net|org|us))|n(?:s(?:0(?:1\.(?:info|biz|us)|2\.(?:info|biz|us))|[123]\.name)|inth\.biz)|c(?:hangeip\.(?:n(?:ame|et)|org)|leansite\.(?:info|biz|us)|ompress\.to)|i(?:(?:t(?:emdb|saol)|nstanthq|sasecret|kwb)\.com|ownyour\.(?:biz|org))|g(?:r8(?:domain|name)\.biz|ettrials\.com|ot-game\.org)|l(?:flink(?:up\.(?:com|net|org)|\.com)|ongmusic\.com)|t(?:o(?:ythieves\.com|h\.info)|rickip\.(?:net|org))|(?:undefineddynamic-dns|rebatesrule|3-a)\.net|x(?:x(?:xy\.(?:info|biz)|uz\.com)|24hr\.com)|p(?:canywhere\.net|roxydns\.com|ort25\.biz)|w(?:ww(?:host|1)\.biz|ikaba\.com|ha\.la)|e(?:(?:smtp|dns)\.biz|zua\.com|pac\.to)|https443\.(?:net|org)|bigmoney\.biz)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016581; rev:2; metadata:created_at 2013_03_15, updated_at 2013_03_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to NOIP Dynamic DNS Domain"; flow:to_server,established; content:"Java/1."; http_header; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:s(?:e(?:rve(?:(?:(?:(?:counterstri|qua)k|exchang|gam)e|h(?:alflife|umour|ttp)|p(?:ics|2p)|sarcasm|ftp)\.com|m(?:inecraft\.net|p3\.com)|b(?:eer\.com|log\.net))|curity(?:exploit|tactic)s\.com)|tufftoread\.com|ytes\.net)|m(?:y(?:(?:(?:dissen|effec)t|mediapc|psx)\.net|securitycamera\.(?:com|net|org)|(?:activedirectory|vnc)\.com|ftp\.(?:biz|org))|lbfan\.org|mafan\.biz)|d(?:(?:itchyourip|amnserver|ynns)\.com|dns(?:\.(?:net|me)|king\.com)|ns(?:iskinky\.com|for\.me)|vrcam\.info)|n(?:o(?:-ip\.(?:c(?:o\.uk|a)|info|biz|net|org)|ip\.(?:me|us))|et-freaks\.com|flfan\.org|hlfan\.net)|h(?:o(?:mesecurity(?:ma|p)c\.com|pto\.(?:org|me))|ealth-carereform\.com)|p(?:(?:rivatizehealthinsurance|gafan)\.net|oint(?:2this\.com|to\.us))|c(?:(?:o(?:uchpotatofries|llegefan)|able-modem)\.org|iscofreak\.com)|g(?:o(?:lffan\.us|tdns\.ch)|eekgalaxy\.com)|b(?:logsyte\.com|ounceme\.net|rasilia\.me)|re(?:ad-books\.org|directme\.net)|u(?:nusualperson\.com|fcfan\.org)|w(?:orkisboring\.com|ebhop\.me)|(?:3utiliti|quicksyt)es\.com|eating-organic\.net|ilovecollege\.info|fantasyleague\.cc|loginto\.me|zapto\.org)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016582; rev:3; metadata:created_at 2013_03_15, updated_at 2013_03_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to DNSDynamic Dynamic DNS Domain"; flow:to_server,established; content:" Java/1."; http_header; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:d(?:ns(?:d(?:ynamic\.(?:com|net)|\.(?:info|me))|api\.info|get\.org|53\.biz)|dns01\.com)|(?:f(?:lashserv|e100|tp21)|adultdns|mysq1|wow64)\.net|(?:(?:ima|voi)p01|(?:user|ole)32|kadm5)\.com|t(?:tl60\.(?:com|org)|empors\.com|ftpd\.net)|s(?:sh(?:01\.com|22\.net)|ql01\.com)|http(?:(?:s443|01)\.com|80\.info)|n(?:s360\.info|tdll\.net)|x(?:ns01\.com|64\.me)|craftx\.biz)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016583; rev:1; metadata:created_at 2013_03_15, updated_at 2013_03_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to DtDNS Dynamic DNS Domain"; flow:to_server,established; content:" Java/1."; http_header; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:(?:b(?:bsindex|0ne)|chatnook|gotgeeks|3d-game|4irc)\.com|s(?:(?:cieron|uroot)\.com|lyip\.(?:com|net))|d(?:arktech\.org|eaftone\.com|tdns\.net)|e(?:towns\.(?:net|org)|ffers\.com)|flnet\.org)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016584; rev:1; metadata:created_at 2013_03_15, updated_at 2013_03_15;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange applet with obfuscated URL March 03 2013"; flow:established,from_server; file_data; content:"applet"; content:"103sdj115sdj115sdj111sdj57sdj46sdj46sdj"; fast_pattern; within:250; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016585; rev:8; metadata:created_at 2013_03_15, updated_at 2013_03_15;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Query to a *.opengw.net Open VPN Relay Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|opengw|03|net|00|"; nocase; fast_pattern:only; reference:url,www.vpngate.net; classtype:bad-unknown; sid:2016586; rev:5; metadata:created_at 2013_03_15, updated_at 2013_03_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Redkit Landing Page URL March 03 2013"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"u33&299"; within:200; content:"u3v7"; within:50; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016587; rev:5; metadata:created_at 2013_03_15, updated_at 2013_03_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedDotv2 Java Check-in"; flow:established,to_server; content:"/search/"; http_uri; content:" Java/1."; http_header; fast_pattern:only; pcre:"/^\/search\/[0-9]{64}/U"; classtype:trojan-activity; sid:2016593; rev:5; metadata:created_at 2013_03_18, updated_at 2013_03_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedDotv2 Jar March 18 2013"; flow:established,to_server; content:"/sexy.jar"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2016594; rev:6; metadata:created_at 2013_03_18, updated_at 2013_03_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to cd.am Dynamic DNS Domain"; flow:to_server,established; content:" Java/1."; http_header; content:"cd.am"; http_header; nocase; pcre:"/^Host\x3a\x20[^\r\n]+\.cd\.am(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016595; rev:3; metadata:created_at 2013_03_19, updated_at 2013_03_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Java Exploit - jmx.jar"; flow:established,to_server; content:"/jmx.jar"; http_uri; content:" Java/"; http_header; content:!"hermesjms.com"; http_header; classtype:trojan-activity; sid:2016598; rev:2; metadata:created_at 2013_03_19, updated_at 2013_03_19;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain peocity.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|peocity|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016600; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain rusview.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|rusview|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016601; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain skyruss.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|skyruss|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016602; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain commanal.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|commanal|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016603; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain natareport.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|natareport|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016604; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain photogellrey.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|photogellrey|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016605; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain photogalaxyzone.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|photogalaxyzone|03|com|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016606; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain insdet.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|insdet|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016607; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain creditrept.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|creditrept|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016608; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain pollingvoter.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|pollingvoter|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016609; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain dfasonline.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|dfasonline|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016610; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain hudsoninst.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|hudsoninst|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016611; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain wsurveymaster.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|wsurveymaster|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016612; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain nhrasurvey.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|nhrasurvey|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016613; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain pdi2012.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|pdi2012|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016614; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain nceba.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|nceba|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016615; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain linkedin-blog.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|linkedin-blog|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016616; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain aafbonus.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|aafbonus|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016617; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain milstars.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|milstars|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016618; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain vatdex.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|vatdex|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016619; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain insightpublicaffairs.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|14|insightpublicaffairs|03|org|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016620; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain applesea.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|applesea|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016621; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain appledmg.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|appledmg|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016622; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain appleintouch.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|appleintouch|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016623; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain seyuieyahooapis.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|seyuieyahooapis|03|com|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016624; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain appledns.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|appledns|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016625; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain emailserverctr.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|emailserverctr|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016626; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain dailynewsjustin.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|dailynewsjustin|03|com|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016627; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain hi-tecsolutions.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|hi-tecsolutions|03|org|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016628; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain slashdoc.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|slashdoc|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016629; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain photosmagnum.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|photosmagnum|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016630; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain resume4jobs.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|resume4jobs|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016631; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain searching-job.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|searching-job|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016632; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain servagency.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|servagency|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016633; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain gsasmartpay.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|gsasmartpay|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016634; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain tech-att.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|tech-att|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016635; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Watering Hole applet name AppletHigh.jar"; flow:established,to_server; content:"/AppletHigh.jar"; http_uri; content:" Java/1."; http_header; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html; classtype:trojan-activity; sid:2016639; rev:1; metadata:created_at 2013_03_21, updated_at 2013_03_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Watering Hole applet name AppletLow.jar"; flow:established,to_server; content:"/AppletLow.jar"; http_uri; content:" Java/1."; http_header; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html; classtype:trojan-activity; sid:2016640; rev:1; metadata:created_at 2013_03_21, updated_at 2013_03_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible RedDotv2 applet with 32hex value Landing Page"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"value"; nocase; within:500; pcre:"/^[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])[a-f0-9]{32}(?P=q1)/Rsi"; classtype:trojan-activity; sid:2016643; rev:4; metadata:created_at 2013_03_21, updated_at 2013_03_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Postal Reciept EXE in Zip"; flow:from_server,established; file_data; content:"PK"; within:2; content:"Postal-Receipt.exe"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016654; rev:1; metadata:created_at 2013_03_22, updated_at 2013_03_22;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Java obfuscated binary (3)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|20 3b|"; within:2; content:"|3d 24 00 00|"; within:512; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016655; rev:4; metadata:created_at 2013_03_22, updated_at 2013_03_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Karagany encrypted binary (1)"; flow:established,to_client; file_data; content:"|81 f2 90 00 cf a8 00 00|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016663; rev:1; metadata:created_at 2013_03_25, updated_at 2013_03_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange applet with obfuscated URL April 01 2013"; flow:established,from_server; file_data; content:"<applet"; pcre:"/^((?!(?i:<\/applet>)).)+?[\r\n\s]value[\r\n\s]*?=[\r\n\s]*?[\x22\x27]?(\d{2,3})?(?P<sep>([^a-zA-Z0-9]{1,100}|[a-zA-Z0-9]{1,100}))\d{2,3}((?P=sep)\d{2,3}){20}/Rs"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016705; rev:17; metadata:created_at 2013_04_01, updated_at 2013_04_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS svchost.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/svchost.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/svchost\.exe$/Ui"; classtype:bad-unknown; sid:2016696; rev:12; metadata:created_at 2013_04_01, updated_at 2013_04_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS winlogon.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/winlogon.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/winlogon\.exe$/Ui"; reference:md5,fd95cc0bb7d3ea5a0c86d45570df5228; reference:md5,09330c596a33689a610a1b183a651118; classtype:bad-unknown; sid:2016697; rev:12; metadata:created_at 2013_04_01, updated_at 2013_04_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS services.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/services.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/services\.exe$/Ui"; reference:md5,145c06300d61b3a0ce2c944fe7cdcb96; classtype:bad-unknown; sid:2016698; rev:12; metadata:created_at 2013_04_01, updated_at 2013_04_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS lsass.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/lsass.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/lsass\.exe$/Ui"; reference:md5,d929747212309559cb702dd062fb3e5d; classtype:bad-unknown; sid:2016699; rev:11; metadata:created_at 2013_04_01, updated_at 2013_04_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS explorer.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/explorer.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/explorer\.exe$/Ui"; reference:md5,de1bc32ad135b14ad3a5cf72566a63ff; classtype:bad-unknown; sid:2016700; rev:12; metadata:created_at 2013_04_01, updated_at 2013_04_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS smss.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/smss.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/smss\.exe$/Ui"; reference:md5,450dbe96d7f4108474071aca5826fc43; classtype:bad-unknown; sid:2016701; rev:12; metadata:created_at 2013_04_01, updated_at 2013_04_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS csrss.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/csrss.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/csrss\.exe$/Ui"; reference:md5,21a069667a6dba38f06765e414e48824; classtype:bad-unknown; sid:2016702; rev:11; metadata:created_at 2013_04_01, updated_at 2013_04_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS rundll32.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/rundll32.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/rundll32\.exe$/Ui";  reference:md5,ea3dec87f79ff97512c637a5c8868a7e; classtype:bad-unknown; sid:2016703; rev:11; metadata:created_at 2013_04_01, updated_at 2013_04_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probable Sakura exploit kit landing page obfuscated applet tag Mar 28 2013"; flow:established,from_server; file_data; content:"<apABCplet"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016704; rev:2; metadata:created_at 2013_04_01, updated_at 2013_04_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss Recent Jar (3)"; flow:established,to_server; content:"/m1"; http_uri; nocase; content:".jar"; http_uri; content:" Java/1"; http_header; fast_pattern:only; pcre:"/\/m1[1-6]\.jar$/U"; classtype:trojan-activity; sid:2016708; rev:6; metadata:created_at 2013_04_02, updated_at 2013_04_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss Recent Jar (4)"; flow:established,to_server; content:"/cmm.jar"; http_uri; content:" Java/1"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2016709; rev:5; metadata:created_at 2013_04_02, updated_at 2013_04_02;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Targeted Tibetan Android Malware C2 Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|android|06|uyghur|04|dnsd|02|me|00|"; nocase; fast_pattern; distance:0; reference:url,citizenlab.org/2013/04/permission-to-spy-an-analysis-of-android-malware-targeting-tibetans/; classtype:trojan-activity; sid:2016711; rev:2; metadata:created_at 2013_04_03, updated_at 2013_04_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS W32/BaneChant.APT Winword.pkg Redirect"; flow:established,to_client; content:"301"; http_stat_code; content:"Moved Permanently"; http_stat_msg; content:"/update/winword.pkg"; http_header; pcre:"/Location\x3A[^\r\n]*\x2Fupdate\x2Fwinword\x2Epkg/H"; reference:url,www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html; classtype:trojan-activity; sid:2016713; rev:1; metadata:created_at 2013_04_03, updated_at 2013_04_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS BHEK q.php iframe inbound"; flow:established,to_client; file_data; content:"/q.php"; fast_pattern:only; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/q\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:trojan-activity; sid:2016716; rev:4; metadata:created_at 2013_04_03, updated_at 2013_04_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS BHEK ff.php iframe inbound"; flow:established,to_client; file_data; content:"/ff.php"; fast_pattern:only; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/ff\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:trojan-activity; sid:2016717; rev:3; metadata:created_at 2013_04_03, updated_at 2013_04_03;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BHEK q.php iframe outbound"; flow:established,to_client; file_data; content:"/q.php"; fast_pattern:only; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/q\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:trojan-activity; sid:2016718; rev:3; metadata:created_at 2013_04_03, updated_at 2013_04_03;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BHEK ff.php iframe outbound"; flow:established,to_client; file_data; content:"/ff.php"; fast_pattern:only; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/ff\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:trojan-activity; sid:2016719; rev:3; metadata:created_at 2013_04_03, updated_at 2013_04_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Sakura Jar Download"; flow:established,to_client; content:"Content-Type|3a| application/x-java-archive|0d 0a|"; http_header; fast_pattern:22,20; pcre:"/Last-Modified\x3a Mon, (?!(?:0[29]|16|23|30))\d{2} Jul 2001/H"; classtype:trojan-activity; sid:2016721; rev:3; metadata:created_at 2013_04_03, updated_at 2013_04_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Potential Fiesta Flash Exploit"; flow:established,to_server; content:"/?"; http_uri; content:"|3b|"; distance:60; within:7; http_uri; pcre:"/\/\?[0-9a-f]{60,66}\x3b(?:1(?:0[0-3]|1\d)|90)\d{1,3}\x3b\d{1,3}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016726; rev:5; metadata:created_at 2013_04_04, updated_at 2013_04_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura encrypted binary (2)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|74 3d c0 19|"; within:4; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016733; rev:3; metadata:created_at 2013_04_08, updated_at 2013_04_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit applet + obfuscated URL Apr 7 2013"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"8ss&299"; within:200; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016734; rev:1; metadata:created_at 2013_04_08, updated_at 2013_04_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS GonDadEK Java Exploit Requested"; flow:established,to_server; content:"/wmck.jpg"; nocase; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2016735; rev:2; metadata:created_at 2013_04_09, updated_at 2013_04_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS GonDadEK Java Exploit Requested"; flow:established,to_server; content:"/ckwm.jpg"; nocase; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2016736; rev:2; metadata:created_at 2013_04_09, updated_at 2013_04_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS GonDadEK Kit Jar"; flow:to_client,established; file_data; content:"ckwm"; pcre:"/^(ckwm)*?(Exp|cc)\.class/R"; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016737; rev:10; metadata:created_at 2013_04_09, updated_at 2013_04_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS W32/Citadel Infection or Config URL Request"; flow:established,to_server; content:"/file.php|7C|file="; http_uri; reference:url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html; reference:url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf; classtype:trojan-activity; sid:2016738; rev:1; metadata:created_at 2013_04_09, updated_at 2013_04_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit/Sakura/CritX/SafePack/FlashPack applet + obfuscated URL Apr 10 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; pcre:"/^((?!(?i:<\/applet>)).)+?(?i:value)[\r\n\s]*=[\r\n\s]*\x5c?[\x22\x27](?!http\x3a\/\/)(?P<h>[^\x22\x27])(?P<t>(?!(?P=h))[^\x22\x27])(?P=t)[^\x22\x27]{2}(?P<slash>(?!((?P=h)|(?P=t)))[^\x22\x27])(?P=slash)[^\x22\x27]+(?P=slash)/Rs"; classtype:trojan-activity; sid:2016751; rev:13; metadata:created_at 2013_04_11, updated_at 2013_04_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS GrandSoft PDF Payload Download"; flow:established,to_server; content:"User-Agent|3a 20|http|3a|//"; http_header; fast_pattern:only; pcre:"/^GET (?P<uri>(\/[A-Za-z0-9]+)?\/\d+\/\d+)\sHTTP\/1\.1\r\nUser-Agent\x3a\x20http\x3a\/\/(?P<host>[^\r\n]+)(?P=uri)\r\nHost\x3a\x20(?P=host)\r\n(\r\n)?$/"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016764; rev:15; metadata:created_at 2013_04_17, updated_at 2018_03_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake DHL Kuluoz.B URI"; flow:established,to_server; content:".php?get"; http_uri; fast_pattern:only; pcre:"/\.php\?get[^=]*=\d_\d{5,}$/U"; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2016779; rev:3; metadata:created_at 2013_04_22, updated_at 2013_04_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura obfuscated javascript Apr 21 2013"; flow:established,from_server; file_data; content:"OD&|3a|x9T6"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016781; rev:1; metadata:created_at 2013_04_22, updated_at 2013_04_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta - Payload - flashplayer11"; flow:established,to_client; content:"flashplayer11_"; http_header; file_data; content:"MZ"; within:2; classtype:trojan-activity; sid:2016784; rev:2; metadata:created_at 2013_04_26, updated_at 2013_04_26;)

alert tcp $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Java Exploit Recievied"; flow:established,to_client; flowbits:isset,ET.http.javaclient.SakuraPorts; content:"|0d 0a 0d 0a|PK"; content:"javax/crypto/spec/SecretKeySpec"; distance:0; classtype:trojan-activity; sid:2016785; rev:2; metadata:created_at 2013_04_26, updated_at 2013_04_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 81:90 (msg:"ET CURRENT_EVENTS Sakura - Payload Requested"; flow:established,to_server; content:" Java/1."; fast_pattern:only; content:"GET "; depth:4; pcre:"/^[^\r\n]*\/[0-9]{4}\.html HTTP\/1\./R"; content:".html HTTP/1."; classtype:trojan-activity; sid:2016786; rev:2; metadata:created_at 2013_04_26, updated_at 2013_04_26;)

alert tcp $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Payload Downloaded"; flow:established,to_client; flowbits:isset,ET.http.javaclient.SakuraPorts; content:"filename="; pcre:"/^[a-z]{4}\.txt\x0D\x0A/R"; classtype:trojan-activity; sid:2016787; rev:2; metadata:created_at 2013_04_26, updated_at 2013_04_26;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Wordpress Super Cache Plugin PHP Injection mfunc"; flow:established,to_server; content:"POST"; http_method; content:"comment"; http_client_body; nocase; content:"mfunc"; fast_pattern; http_client_body; nocase; distance:0; pcre:"/(?:%3C%21|\<\!)--[\r\n\s]*?mfunc/Pi"; classtype:attempted-user; sid:2016788; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2013_04_26, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Wordpress Super Cache Plugin PHP Injection mclude"; flow:established,to_server; content:"POST"; http_method; content:"comment"; http_client_body; nocase; content:"mclude"; fast_pattern; http_client_body; nocase; distance:0; pcre:"/(?:%3C%21|\<\!)--[\r\n\s]*?mclude/Pi"; classtype:attempted-user; sid:2016789; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2013_04_26, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Wordpress Super Cache Plugin PHP Injection dynamic-cached-content"; flow:established,to_server; content:"POST"; http_method; content:"comment"; http_client_body; nocase; content:"dynamic-cached-content"; fast_pattern; http_client_body; nocase; distance:0; pcre:"/(?:%3C%21|\<\!)--[\r\n\s]*?dynamic-cached-content/Pi"; classtype:attempted-user; sid:2016790; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2013_04_26, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Landing Page - Received"; flow:established,to_client; content:"value"; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?[\x22\x27]((?P<hex>%[A-Fa-f0-9]{2})|(?P<ascii>[a-zA-Z0-9]))((?P=hex){10}|(?P=ascii){10})/R"; content:"var PluginDetect"; distance:0; classtype:trojan-activity; sid:2016791; rev:3; metadata:created_at 2013_04_26, updated_at 2013_04_26;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Linux/Cdorked.A Incoming Command"; flow:established,to_server; content:"SECID="; fast_pattern:only; content:"SECID="; http_cookie; pcre:"/\?[0-9a-f]{6}$/U"; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:attempted-user; sid:2016794; rev:6; metadata:created_at 2013_04_26, updated_at 2013_04_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64"; flow:established,to_client; file_data; content:"X19hcHBsZXRfc3N2X3ZhbGlkYXRl"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2016796; rev:4; metadata:created_at 2013_04_28, updated_at 2013_04_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated Click To Run Bypass"; flow:established,to_client; file_data; content:"<jnlp "; nocase; content:"__applet_ssv_validated"; nocase; distance:0; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2016797; rev:1; metadata:created_at 2013_04_28, updated_at 2013_04_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java JNLP Requested"; flow:established,to_server; flowbits:isset,ET.http.javaclient; urilen:71; content:".jnlp"; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}\.jnlp$/Ui"; classtype:trojan-activity; sid:2016798; rev:3; metadata:created_at 2013_04_29, updated_at 2013_04_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Flash Exploit Requested"; flow:established,to_server; urilen:70; content:".swf"; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}\.swf$/Ui"; classtype:trojan-activity; sid:2016799; rev:2; metadata:created_at 2013_04_29, updated_at 2013_04_29;)

#alert tcp $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear landing with obfuscated plugindetect Apr 29 2013"; flow:established,from_server; content:"visibility|3a|hidden"; pcre:"/(?P<e>\d{2})(?P<t>(?!(?P=e))\d{2})(?P=e)\d{2}(?P=t)\d{6}(?P=e)\d{12}(?P<q>(?!((?P=e)|(?P=t)))\d{2})\d{2}(?P<dot>(?!((?P=e)|(?P=t)|(?P=q)))\d{2})\d{2}(?P=dot)\d{2}(?P=q)/R"; classtype:trojan-activity; sid:2016801; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2013_04_30, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_MM - Java Exploit - jreg.jar"; flow:established,to_server; content:"/jreg.jar"; http_uri; fast_pattern:only; content:" Java/1"; http_header; classtype:trojan-activity; sid:2016804; rev:1; metadata:created_at 2013_04_30, updated_at 2013_04_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK UAC Disable in Uncompressed JAR"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"UACDisableNotify"; fast_pattern:only; classtype:trojan-activity; sid:2016805; rev:2; metadata:created_at 2013_04_30, updated_at 2013_04_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Eval With Base64.decode seen in DOL Watering Hole Attack 05/01/13"; flow:established,from_server; file_data; content:"Base64.decode"; nocase; fast_pattern:only; content:"eval("; nocase; pcre:"/^[\r\n\s]*?Base64\.decode[\r\n\s]*?\x28[\r\n\s]*?[\x22\x27]/Ri"; content:!"|22|J0RVREFPTkUn|22|"; content:!"|22|J01PQklMRSc|3D 22|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016807; rev:5; metadata:created_at 2013_05_01, updated_at 2013_05_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (1)"; flow:established,from_server; content:"|55 04 03|"; content:"*.tor2web."; nocase; distance:2; within:10; reference:url,uscyberlabs.com/blog/2013/04/30/tor-exploit-pak/; classtype:trojan-activity; sid:2016806; rev:5; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2013_05_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (2)"; flow:established,from_server; content:"|55 04 03|"; content:"*.onion."; nocase; distance:2; within:8; pcre:"/^(?:sh|lu|to)/Rsi"; reference:url,uscyberlabs.com/blog/2013/04/30/tor-exploit-pak/; classtype:trojan-activity; sid:2016810; rev:6; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2013_05_01, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS - Possible Redkit 1-4 char JNLP request "; flow:established,to_server; urilen:<11; content:".jnlp"; http_uri; fast_pattern:only; pcre:"/^\/[a-z0-9]{1,4}\.jnlp$/U"; content:!"weather.aero"; http_header; classtype:trojan-activity; sid:2016811; rev:6; metadata:created_at 2013_05_02, updated_at 2013_05_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 2"; flow:established,to_client; file_data; content:"9fYXBwbGV0X3Nzdl92YWxpZGF0"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2016817; rev:3; metadata:created_at 2013_05_03, updated_at 2013_05_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 3"; flow:established,to_client; file_data; content:"fX2FwcGxldF9zc3ZfdmFsaWRhdGVk"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2016818; rev:3; metadata:created_at 2013_05_03, updated_at 2013_05_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown EK Requsting Payload"; flow:established,to_server; content:"/FlashPlayer.cpl"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2016828; rev:4; metadata:created_at 2013_05_07, updated_at 2013_05_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Injection - var j=0"; flow:established,to_client; file_data; content:"00|3a|00|3a|00|3b| path=/|22 3b|var j=0|3b| while(j"; classtype:trojan-activity; sid:2016830; rev:1; metadata:created_at 2013_05_07, updated_at 2013_05_07;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2013-2423 IVKM PoC Seen in Unknown EK"; flow:to_client,established; content:"Union1.class"; content:"Union2.class"; fast_pattern; content:"SystemClass.class"; content:"PoC.class"; flowbits:isset,ET.http.javaclient; reference:url,weblog.ikvm.net/CommentView.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0; classtype:trojan-activity; sid:2016831; rev:2; metadata:created_at 2013_05_07, updated_at 2013_05_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS HellSpawn EK Requesting Jar"; flow:established,to_server; content:"/j21.jar"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2016832; rev:4; metadata:created_at 2013_05_07, updated_at 2013_05_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS IE HTML+TIME ANIMATECOLOR with eval as seen in unknown EK"; flow:established,from_server; file_data; content:"urn|3a|schemas-microsoft-com|3a|time"; nocase; content:"#default#time2"; content:"<t|3a|ANIMATECOLOR"; nocase; fast_pattern:only; content:"eval("; nocase; reference:url,blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/; classtype:attempted-user; sid:2016833; rev:5; metadata:created_at 2013_05_08, updated_at 2013_05_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FlimKit hex.zip Java Downloading Jar"; flow:established,to_server; content:" Java/1."; http_header; content:".zip"; http_uri; pcre:"/\/[a-f0-9]+\.zip$/U"; classtype:trojan-activity; sid:2016839; rev:3; metadata:created_at 2013_05_09, updated_at 2013_05_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing"; flow:established,from_server; file_data; content:"jnlp_embedded"; nocase; fast_pattern:only; content:"</applet>"; content:"<applet"; within:20; content:"archive"; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(?P<q>[\x22\x27])[a-f0-9]{9,16}\.(jar|zip)(?P=q)/R"; classtype:trojan-activity; sid:2016840; rev:4; metadata:created_at 2013_05_09, updated_at 2013_05_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Winwebsec/Zbot/Luder Checkin Response"; flow:established,from_server; file_data; content:"ingdx.htmA{ip}"; nocase; classtype:trojan-activity; sid:2016851; rev:2; metadata:created_at 2013_05_15, updated_at 2013_05_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura obfuscated javascript May 10 2013"; flow:established,from_server; file_data; content:"qV7/|3b|pF"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016852; rev:2; metadata:created_at 2013_05_15, updated_at 2013_05_15;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing Page May 16 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"Seven guids Seven g"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016860; rev:16; metadata:created_at 2013_05_16, updated_at 2013_05_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_MM - Java Exploit - cee.jar"; flow:established,to_server; content:"/cee.jar"; http_uri; content:" Java/"; http_header; classtype:trojan-activity; sid:2016859; rev:1; metadata:created_at 2013_05_16, updated_at 2013_05_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FlimKit Post Exploit Payload Download"; flow:to_server,established; content:"POST"; http_method; urilen:17; pcre:"/^\/[a-f0-9]{16}$/U"; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; content:"HTTP/1.0|0d 0a|"; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\r\nContent-Length\x3a\s0\r\nConnection\x3a\sclose\r\n(\r\n)?$/H"; classtype:trojan-activity; sid:2016869; rev:2; metadata:created_at 2013_05_20, updated_at 2013_05_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown EK Requesting Payload"; flow:established,to_server; content:".php?ex="; http_uri; content:"&b="; http_uri; content:"&k="; http_uri; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:trojan-activity; sid:2016896; rev:3; metadata:created_at 2013_05_21, updated_at 2013_05_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Malicious Redirect URL"; flow:established,to_server; content:"/8gcf744Waxolp752.php"; http_uri; classtype:trojan-activity; sid:2016919; rev:7; metadata:created_at 2013_05_23, updated_at 2013_05_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Java Class 1 May 24 2013"; flow:to_client,established; file_data; content:"gonagExp.class"; fast_pattern:only; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016923; rev:11; metadata:created_at 2013_05_24, updated_at 2013_05_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Java Class 2 May 24 2013"; flow:to_client,established; file_data; content:"20130422.class"; fast_pattern:only; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016924; rev:10; metadata:created_at 2013_05_24, updated_at 2013_05_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Landing Page 1 May 24 2013"; flow:to_client,established; file_data; content:"AppletObject.code"; nocase; content:"Gond"; nocase; distance:0; pcre:"/^(?:a(?:ttack|dEx[xp])|([a-z])\1)\.class/Ri"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016925; rev:1; metadata:created_at 2013_05_24, updated_at 2013_05_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Landing Page 2 May 24 2013"; flow:to_client,established; file_data; content:"1337.exe"; nocase; fast_pattern:only; content:"<APPLET"; nocase; pcre:"/^((?!<\/applet>).)+?[\x22\x27]1337\.exe/Ri"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016926; rev:1; metadata:created_at 2013_05_24, updated_at 2013_05_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HellSpawn EK Landing 1 May 24 2013"; flow:to_client,established; file_data; content:"function weCameFromHell("; nocase; fast_pattern:4,20; content:"spawAnyone("; nocase; distance:0; classtype:trojan-activity; sid:2016927; rev:10; metadata:created_at 2013_05_24, updated_at 2013_05_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HellSpawn EK Landing 2 May 24 2013"; flow:to_client,established; file_data; content:"FlashPlayer.cpl"; nocase; fast_pattern:only; content:"window.location"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?(?P<func>[_a-zA-Z][a-zA-Z0-9_-]+)\([\r\n\s]*?[\x22\x27](?!http\x3a\/\/)(?P<h>[^\x22\x27])(?P<t>(?!(?P=h))[^\x22\x27])(?P=t)[^\x22\x27]{2}(?P<slash>(?!((?P=h)|(?P=t)))[^\x22\x27])(?P=slash)[^\x22\x27]*?[\x22\x27][\r\n\s]*?,[\r\n\s]*?[\x22\x27][^\x22\x27]+[\x22\x27][\r\n\s]*?\)\+(?P=func)/Rsi"; classtype:trojan-activity; sid:2016928; rev:1; metadata:created_at 2013_05_24, updated_at 2013_05_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible HellSpawn EK Fake Flash May 24 2013"; flow:to_server,established; content:"/FlashPlayer.cpl"; http_uri; nocase; fast_pattern:only; pcre:"/\/FlashPlayer\.cpl$/U"; classtype:trojan-activity; sid:2016929; rev:10; metadata:created_at 2013_05_24, updated_at 2013_05_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible HellSpawn EK Java Artifact May 24 2013"; flow:to_server,established; content:"/PoC.class"; http_uri; nocase; content:" Java/1"; http_header; classtype:trojan-activity; sid:2016930; rev:1; metadata:created_at 2013_05_24, updated_at 2013_05_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to Afraid.org Top 100 Dynamic DNS Domain May 28 2013"; flow:to_server,established; content:" Java/1."; http_header; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:s(?:tr(?:eetdirectory\.co\.id|angled\.net)|(?:at(?:dv\.net|-dv)|vlen)\.ru(?:pacetechnology\.ne|oon\.i)t|hop\.tm|uka\.se)|c(?:(?:hickenkiller|rabdance)\.com|o(?:ntinent\.kz|alnet\.ru)|sproject\.org|c\.st|f\.gs)|m(?:i(?:ne(?:craftn(?:ation\.net|oob\.com)|\.bz)|l\.nf)|ooo\.(?:info|com)|adhacker\.biz)|t(?:h(?:emafia\.info|cgirls\.com)|wilightparadox\.com|ime4film\.ru|ruecsi\.org|28\.net)|a(?:(?:(?:vangardkennel|gropeople)\.r|buser\.e)u|ntongorbunov\.com|llowed\.org|x\.lt)|h(?:a(?:ck(?:quest\.com|ed\.jp)|ppyforever\.com)|ome(?:net\.or|\.k)g|-o-s-t\.name)|p(?:(?:rivatedns|sybnc|ort0|wnz)\.org|(?:hoto-frame|irat3)\.com|unked\.us)|i(?:n(?:fo\.(?:gf|tm)|c\.gs)|gnorelist\.com|iiii\.info|z\.rs)|b(?:i(?:gbox\.info|z\.tm)|yte4byte\.com|ot\.nu|rb\.dj)|d(?:earabba\.org|-n-s\.name|alnet\.ca|ynet\.com)|(?:w(?:ith-linux|hynotad)|3dxtras|ohbah)\.com|u(?:n(?:do\.it|i\.cx)|k\.(?:is|to)|s\.to)|v(?:(?:erymad\.ne|r\.l)t|ietnam\.ro)|r(?:o(?:ot\.sx|\.lt)|-o-o-t\.net)|n(?:eon\.org|ow\.im|a\.tl|x\.tc)|j(?:umpingcrab\.com|avafaq\.nu)|f(?:(?:art|ram)ed\.net|tp\.sh)|(?:k(?:ir22\.r|\.v)|69\.m)u|l(?:inux[dx]\.org|eet\.la)|e(?:vils\.in|z\.lv)|(?:24-7\.r|qc\.t)o|(?:55|gw)\.lt|1337\.cx)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016933; rev:2; metadata:created_at 2013_05_28, updated_at 2013_05_28;)

alert tcp $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Landing Page - Received May 29 2013"; flow:established,to_client; content:"<div id"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?[\x22\x27][^\x22\x27]+?[\x22\x27][^>]*?>((?P<hex>%[A-Fa-f0-9]{2})|(?P<ascii>[a-zA-Z0-9]))((?P=hex){9,20}|(?P=ascii){9,20})%3C/R"; content:"{version|3a 22|0.8.0|22|"; distance:0; nocase; classtype:trojan-activity; sid:2016942; rev:5; metadata:created_at 2013_05_29, updated_at 2013_05_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [81:90,9090] (msg:"ET CURRENT_EVENTS Sakura - Payload Requested"; flow:established,to_server; content:" Java/1."; content:".pkg HTTP/1."; nocase; pcre:"/^[^\r\n]+?\/\d+\.pkg HTTP\/1\./i"; classtype:trojan-activity; sid:2016943; rev:6; metadata:created_at 2013_05_29, updated_at 2013_05_29;)

alert tcp $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura encrypted binary (2)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|58 23 3a d4|"; within:4;  classtype:trojan-activity; sid:2016945; rev:6; metadata:created_at 2013_05_29, updated_at 2013_05_29;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Probable Nuclear exploit kit landing page"; flow:established,to_server; content:".html HTTP/"; fast_pattern; offset:37; depth:11; content:"GET /"; depth:5; pcre:"/^[0-9a-f]{32}\.html HTTP\/1\./R"; content:"Referer|3a|"; classtype:bad-unknown; sid:2016952; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2013_05_31, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritX/SafePack Reporting Plugin Detect Data June 03 2013"; flow:established,to_server; content:"/gate.php?ver="; http_uri; nocase; fast_pattern:only; pcre:"/&p=\d+\.\d+\.\d+\.\d+&j=\d+\.\d+\.\d+\.\d+&f=\d+\.\d+\.\d+\.\d+$/U"; classtype:trojan-activity; sid:2016964; rev:1; metadata:created_at 2013_06_03, updated_at 2013_06_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Metasploit Based Unknown EK Jar Download June 03 2013"; flow:established,to_server; content:"/j_"; http_uri; pcre:"/\/j_[a-z0-9]+_(?:0422|1723|3544|5076)\.jar$/U"; content:" Java/1"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2016965; rev:5; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_06_03, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET [81:90,443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura obfuscated javascript Jun 1 2013"; flow:established,from_server; content:"a5chZev!"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016966; rev:7; metadata:created_at 2013_06_03, updated_at 2013_06_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Karagany encrypted binary (3)"; flow:established,to_client; file_data; content:"|f2 fd 90 00 bc a7 00 00|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016970; rev:3; metadata:created_at 2013_06_04, updated_at 2013_06_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK Payload Download (9)"; flow:established,to_server; content:".txt?f="; fast_pattern:only; content:!"Referer|3a| "; http_header; pcre:"/\.txt\?f=\d+$/U"; classtype:trojan-activity; sid:2016976; rev:8; metadata:created_at 2013_06_05, updated_at 2013_06_05;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Microsoft Office PNG overflow attempt invalid tEXt chunk length"; flow:established,to_client; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"IHDR"; distance:0; content:"tEXt"; distance:13; byte_test:4,>,2147483647,-8,relative; reference:cve,2013-1331; reference:url,blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx; classtype:attempted-user; sid:2017005; rev:5; metadata:created_at 2013_06_11, updated_at 2013_06_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Kuluoz.B Shipping Label Spam Campaign"; flow:established,to_server; content:".php?"; http_uri; content:"_info="; distance:1; within:6; http_uri; pcre:"/\.php\?[a-z]_info=[a-z0-9]{1,4}_\d+?$/Ui"; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2017002; rev:6; metadata:created_at 2013_06_12, updated_at 2013_06_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Kuluoz.B Spam Campaign Shipment_Label.exe in Zip"; flow:from_server,established; content:"Shipment_Label.zip"; nocase; fast_pattern:only; http_header; file_data; content:"PK"; within:2; content:".exe"; distance:0; classtype:trojan-activity; sid:2017003; rev:1; metadata:created_at 2013_06_12, updated_at 2013_06_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Glazunov EK Downloading Jar"; flow:established,to_server; content:" Java/1."; http_header; content:".zip"; http_uri; pcre:"/\/\d+\/\d\.zip$/U"; classtype:trojan-activity; sid:2017011; rev:4; metadata:created_at 2013_06_12, updated_at 2013_06_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible 2012-1533 altjvm (jvm.dll) Requested Over WeBDAV"; flow:established,to_server; content:"/jvm.dll"; http_uri; fast_pattern:only; pcre:"/\/jvm\.dll$/U"; reference:cve,2012-1533; classtype:trojan-activity; sid:2017012; rev:3; metadata:created_at 2013_06_13, updated_at 2013_06_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible 2012-1533 altjvm RCE via JNLP command injection"; flow:established,from_server; file_data; content:"<jnlp"; nocase; content:"initial-heap-size"; nocase; content:"max-heap-size"; content:"-XXaltjvm"; nocase; fast_pattern:only; reference:cve,2012-1533; classtype:trojan-activity; sid:2017013; rev:1; metadata:created_at 2013_06_13, updated_at 2013_06_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing (Payload Downloaded Via Dropbox)"; flow:established,from_server; file_data; content:"jnlp_embedded"; nocase; content:"6u27.jar"; content:"6u41.jar"; fast_pattern:only; classtype:trojan-activity; sid:2017014; rev:1; metadata:created_at 2013_06_13, updated_at 2013_06_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown EK Jar 1 June 12 2013"; flow:established,to_server; content:"/6u27.jar"; http_uri; content:" Java/1."; http_header; classtype:trojan-activity; sid:2017016; rev:4; metadata:created_at 2013_06_13, updated_at 2013_06_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown EK Jar 2 June 12 2013"; flow:established,to_server; content:"/6u41.jar"; http_uri; content:" Java/1."; http_header; classtype:trojan-activity; sid:2017017; rev:3; metadata:created_at 2013_06_13, updated_at 2013_06_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown EK Jar 3 June 12 2013"; flow:established,to_server; content:"/7u17.jar"; http_uri; content:" Java/1."; http_header; classtype:trojan-activity; sid:2017018; rev:3; metadata:created_at 2013_06_13, updated_at 2013_06_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Dotka Chef EK .cache request"; flow:established,to_server; content:"Java/1"; http_header; content:"/.cache/?f|3d|"; fast_pattern:only; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017019; rev:1; metadata:created_at 2013_06_14, updated_at 2013_06_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Dotka Chef EK exploit/payload URI request"; flow:to_server,established; content:"?f="; http_uri; content:"&k="; http_uri; pcre:"/&k=\d{16}(&|$)/U"; content:"Java/1"; http_header; classtype:trojan-activity; sid:2017020; rev:10; metadata:created_at 2013_06_14, updated_at 2013_06_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack URI Format June 17 2013 1"; flow:established,to_server; content:".php?"; http_uri; content:"3a313"; http_uri; fast_pattern:only; pcre:"/=(3[0-9a]|2e)+3a313[3-9](3[0-9]){8}$/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:trojan-activity; sid:2017022; rev:2; metadata:created_at 2013_06_17, updated_at 2013_06_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack URI Format June 17 2013 2"; flow:established,to_server; content:".php?hash=I3QxW"; http_uri; fast_pattern:only; pcre:"/\.php\?hash=I3QxW[A-Za-z0-9\+\/]+={0,2}$/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:trojan-activity; sid:2017023; rev:5; metadata:created_at 2013_06_17, updated_at 2013_06_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack URI Format June 17 2013 3"; flow:established,to_server; content:".php?hash="; http_uri; fast_pattern:only; pcre:"/\/(?:java(?:byte|db)|o(?:utput|ther)|r(?:hino|otat)|msie\d|load)\.php\?hash=/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:trojan-activity; sid:2017024; rev:3; metadata:created_at 2013_06_17, updated_at 2013_06_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALVERTISING Unknown_InIFRAME - RedTDS URI Structure"; flow:established,to_server; content:"/red"; depth:7; http_uri; content:".php"; distance:2; within:6; http_uri; pcre:"/^\/[0-9]{1,2}\/red[0-9]{1,4}\.php[0-9]{0,1}$/Ui"; classtype:trojan-activity; sid:2017028; rev:1; metadata:created_at 2013_06_18, updated_at 2013_06_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_InIFRAME - URI Structure"; flow:established,to_server; content:"/iniframe/"; depth:10; http_uri; content:"/"; distance:32; within:1; http_uri; content:"/"; distance:1; within:5; http_uri; content:"/"; distance:32; within:1; http_uri; classtype:trojan-activity; sid:2017029; rev:3; metadata:created_at 2013_06_18, updated_at 2013_06_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_InIFRAME - Redirect to /iniframe/ URI"; flow:established,to_client; content:"302"; http_stat_code; content:"/iniframe/"; http_header; classtype:trojan-activity; sid:2017030; rev:1; metadata:created_at 2013_06_18, updated_at 2013_06_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_InIFRAME - In Referer"; flow:established,to_server; content:"/iniframe/"; http_header; content:"/"; distance:32; within:1; http_header; content:"/"; distance:1; within:5; http_header; content:"/"; distance:32; within:1; http_header; classtype:trojan-activity; sid:2017031; rev:2; metadata:created_at 2013_06_18, updated_at 2013_06_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALVERTISING Flash - URI - /loading?vkn="; flow:established,to_server; content:"/loading?vkn="; http_uri; classtype:trojan-activity; sid:2017032; rev:1; metadata:created_at 2013_06_18, updated_at 2013_06_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious Redirect June 18 2013"; flow:established,to_client; file_data; content:",53,154,170,170,164,76,63,63,"; classtype:trojan-activity; sid:2017035; rev:2; metadata:created_at 2013_06_18, updated_at 2013_06_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NailedPack EK Landing June 18 2013"; flow:established,to_client; file_data; content:"report_and_get_exploits(_0x"; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:2017034; rev:1; metadata:created_at 2013_06_18, updated_at 2013_06_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Javadoc API Redirect CVE-2013-1571"; flow:established,to_server; content:"GET"; nocase; http_method; content:"?//"; http_header; fast_pattern:only; pcre:"/^Referer\x3a\x20[^\r\n]+\/((index|toc)\.html?)?\?\/\//Hmi"; reference:cve,2013-1571; classtype:bad-unknown; sid:2017037; rev:1; metadata:created_at 2013_06_20, updated_at 2013_06_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit Jar Download June 20 2013"; flow:established,to_server; content:"/contacts.asp"; http_uri; content:" Java/1."; http_header; fast_pattern:only; classtype:trojan-activity; sid:2017038; rev:1; metadata:created_at 2013_06_20, updated_at 2013_06_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS X20 EK Payload Download"; flow:established,to_server; content:"/download.asp?p=1"; http_uri; content:" Java/1."; http_header; fast_pattern:only; classtype:trojan-activity; sid:2017039; rev:2; metadata:created_at 2013_06_20, updated_at 2013_06_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Landing URI Struct"; flow:established,to_server; content:".php?"; http_uri; content:"v=1."; http_uri; fast_pattern; content:"."; http_uri; distance:1; within:1; pcre:"/\.php\?(b=[a-fA-F0-9]{6}&)?v=1\.(?:(?:4\.[0-2]\.[0-3]|5\.0\.[0-2]|6.0\.[0-4])\d?|[7-8]\.0\.\d{1,2})$/U"; classtype:trojan-activity; sid:2017040; rev:1; metadata:created_at 2013_06_21, updated_at 2013_06_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Jar 1.7.x"; flow:established,to_server; content:"/frozen.jar"; http_uri; fast_pattern:only; content:" Java/1.7"; http_header; classtype:trojan-activity; sid:2017041; rev:1; metadata:created_at 2013_06_21, updated_at 2013_06_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Jar 1.6 (Old)"; flow:established,to_server; content:"/arina.jar"; http_uri; fast_pattern:only; content:" Java/1.6"; http_header; classtype:trojan-activity; sid:2017042; rev:1; metadata:created_at 2013_06_21, updated_at 2013_06_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Jar 1.6 (New)"; flow:established,to_server; content:"/sigwer.jar"; http_uri; fast_pattern:only; content:" Java/1.6"; http_header; classtype:trojan-activity; sid:2017043; rev:1; metadata:created_at 2013_06_21, updated_at 2013_06_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Jar 1.6 (New)"; flow:established,to_server; content:"/dubstep.jar"; http_uri; fast_pattern:only; content:" Java/1.6"; http_header; classtype:trojan-activity; sid:2017044; rev:1; metadata:created_at 2013_06_21, updated_at 2013_06_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot CnC1"; flow:established,to_server; dsize:<256; content:"PRIVMSG "; depth:8; content:"|20 3a 03|10OK|3a 03 20|"; within:30; classtype:trojan-activity; sid:2017055; rev:1; metadata:created_at 2013_06_24, updated_at 2013_06_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot CnC2"; flow:established,to_server; dsize:<256; content:"PRIVMSG "; depth:8; content:" |3a|[AryaN]|3a| "; within:30; content: "download"; nocase; classtype:trojan-activity; sid:2017056; rev:1; metadata:created_at 2013_06_24, updated_at 2013_06_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot Download and Execute Scheduled file command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Download and Execute Scheduled [File|3a|"; classtype:trojan-activity; sid:2017057; rev:1; metadata:created_at 2013_06_24, updated_at 2013_06_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot Flood command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Flood|3a| Started [Type|3a|"; classtype:trojan-activity; sid:2017058; rev:1; metadata:created_at 2013_06_24, updated_at 2013_06_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot Botkill command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Botkill|3a| Cycled once"; classtype:trojan-activity; sid:2017059; rev:1; metadata:created_at 2013_06_24, updated_at 2013_06_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool/BHEK/Goon Applet with Alpha-Numeric Encoded HTML entity"; flow:established,from_server; file_data; content:"<applet"; nocase; pcre:"/^((?!<\/applet>).)+?&#(?:0*?(?:1(?:[0-1]\d|2[0-2])|[78][0-9]|9[07-9]|4[8-9]|5[0-7]|6[5-9])|x0*?(?:[46][1-9A-F]|[57][0-9A]|3[0-9]))(\x3b|&#)/Rsi"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017064; rev:18; metadata:created_at 2013_06_25, updated_at 2013_06_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Pony Loader default URI struct"; flow:to_server,established; content:"GET"; http_method; content:"/pony"; http_uri; fast_pattern:only; content:"/gate.php"; http_uri; nocase; classtype:trojan-activity; sid:2017065; rev:3; metadata:created_at 2013_06_25, updated_at 2013_06_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Neutrino Exploit Kit Redirector To Landing Page"; flow:established,to_server; content:"/?wps="; http_uri; fast_pattern:only; pcre:"/^\x2F\x3Fwps\x3D[0-9]$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/06/knockin-on-neutrino-exploit-kits-door.html; classtype:trojan-activity; sid:2017068; rev:1; metadata:created_at 2013_06_26, updated_at 2013_06_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Neutrino Exploit Kit Clicker.php TDS"; flow:established,to_server; content:"/clicker.php"; http_uri; fast_pattern:only; pcre:"/^\x2Fclicker\x2Ephp$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/06/knockin-on-neutrino-exploit-kits-door.html; classtype:trojan-activity; sid:2017069; rev:1; metadata:created_at 2013_06_26, updated_at 2013_06_26;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Neutrino Exploit Kit XOR decodeURIComponent"; flow:established,to_client; file_data; content:"xor(decodeURIComponent("; distance:0; classtype:trojan-activity; sid:2017071; rev:2; metadata:created_at 2013_06_26, updated_at 2013_06_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Applet tag in jjencode as (as seen in Dotka Chef EK)"; flow:established,from_server; file_data; content:",$$$$|3a|(![]+|22 22|)"; fast_pattern:only; content:"<|22|+"; pcre:"/^(?P<var>.{1,10})\.\$\_\$\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\$\$\_\+(?P=var)\.\_\_\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\$\$\_\+(?P=var)\.\_\_\_\+\(\!\[\]\+\x22\x22\)\[(?P=var)\.\_\$\_\]\+(?P=var)\.\$\$\$\_\+(?P=var)\.\_\_\+/R"; classtype:trojan-activity; sid:2017070; rev:1; metadata:created_at 2013_06_27, updated_at 2013_06_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool Exploit Kit iframe with obfuscated Java version check Jun 26 2013"; flow:established,from_server; file_data; content:"<textarea id|3d 22|"; content:"|22|>"; pcre:"/^(?P<v>[0-9a-z]{2})(?P<a>(?!(?P=v))[0-9a-z]{2})[0-9a-z]{2}(?P<space>[0-9a-z]{2})[0-9a-z]{2}(?P<J>[0-9a-z]{2})[0-9a-z]{4}(?P=v)[0-9a-z]{6}(?P=space)[0-9a-z]{2}(?P=space)[0-9a-z]{64}(?P=J)(?P=a)(?P=v)(?P=a)/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017073; rev:2; metadata:created_at 2013_06_27, updated_at 2013_06_27;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange applet structure June 27 2013"; flow:established,from_server; file_data; content:"<applet"; content:"<param value=|22|1|22| name=|22|WindowSize|22|>"; fast_pattern:15,20; distance:0; content:"value"; nocase;  distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]*?[a-f0-9]/R"; content:"value"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]*?[a-f0-9]/R"; content:"value"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]*?[a-f0-9]/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017075; rev:5; metadata:created_at 2013_06_27, updated_at 2013_06_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Redirect to DotkaChef EK Landing"; flow:established,from_server; content:".js?cp="; http_header; fast_pattern:only; content:"302"; http_stat_code; pcre:"/^Location\x3a[^\r\n]+\/[A-Fa-f0-9]+\.js\?cp=/Hmi"; classtype:trojan-activity; sid:2017077; rev:2; metadata:created_at 2013_06_28, updated_at 2013_06_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Lucky7 Java Exploit URI Struct June 28 2013"; flow:established,to_server; content:" Java/1."; http_header; fast_pattern:only; content:".php?"; http_uri; pcre:"/\/[a-z]+\.php\?[a-z]+?=\d{7}&[a-z]+?=\d{7,8}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017078; rev:2; metadata:created_at 2013_06_28, updated_at 2013_06_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sibhost Status Check GET Jul 01 2013"; flow:established,to_server; content:"GET"; http_method; content:"|29 20|Java/1"; http_header; fast_pattern:only; content:"text="; http_uri; pcre:"/\?(s|page|id)=\d+&text=\d+$/U"; classtype:trojan-activity; sid:2017079; rev:1; metadata:created_at 2013_07_01, updated_at 2013_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack Jar Download Jul 01 2013"; flow:established,to_client; content:"j51"; http_header; nocase; content:".jar"; http_header; fast_pattern:only; pcre:"/^Content-Disposition\x3a[^\r\n]+?=\s*?(?P<q>[\x22\x27]?)j51[a-f0-9]{21}\.jar(?P=q)\r?$/Hm"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:trojan-activity; sid:2017092; rev:1; metadata:created_at 2013_07_02, updated_at 2013_07_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack EXE Download Jul 01 2013"; flow:established,to_client; content:"e51"; http_header; nocase; content:".exe"; http_header; fast_pattern:only; pcre:"/^Content-Disposition\x3a[^\r\n]+?=\s*?(?P<q>[\x22\x27]?)e51[a-f0-9]{21}\.exe(?P=q)\r?$/Hm"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:trojan-activity; sid:2017093; rev:1; metadata:created_at 2013_07_03, updated_at 2013_07_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Malvertising Exploit Kit Hostile Jar pipe.class"; flow:established,from_server; file_data; content:"PK"; within:2; content:"|00|pipe.class"; fast_pattern; content:"|00|inc.class"; content:"|00|fdp.class"; classtype:trojan-activity; sid:2017095; rev:1; metadata:created_at 2013_07_03, updated_at 2013_07_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Malvertising Exploit Kit Hostile Jar app.jar"; flow:established,to_server; content:"/app.jar"; http_uri; content:" Java/1."; http_header; classtype:trojan-activity; sid:2017096; rev:3; metadata:created_at 2013_07_03, updated_at 2013_07_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Malvertising Exploit Kit Hostile Jar cm2.jar"; flow:established,to_server; content:"/cm2.jar"; http_uri; content:" Java/1."; http_header; classtype:trojan-activity; sid:2017097; rev:1; metadata:created_at 2013_07_03, updated_at 2013_07_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lucky7 EK Landing Encoded Plugin-Detect"; flow:established,from_server; file_data; content:"JTc1JTY3JTY5JTZlJTQ0JTY1JTc0JTY1JTYzJTc0JTJlJTY3JTY1JTc0JTU2JTY1JTcyJTcz"; classtype:trojan-activity; sid:2017098; rev:1; metadata:created_at 2013_07_03, updated_at 2013_07_03;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lucky7 EK IE Exploit"; flow:established,from_server; file_data; content:"<t|3a|ANIMATECOLOR"; nocase; fast_pattern:only; content:"JTQzJTZmJTZjJTZjJTY1JTYzJTc0JTQ3JTYxJTcyJTYyJTYxJTY3JTY1"; classtype:attempted-user; sid:2017099; rev:1; metadata:created_at 2013_07_03, updated_at 2013_07_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS /Styx EK - /jlnp.html"; flow:established,to_server; content:!"&"; http_uri; content:"/jlnp.html"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/styx-exploit-kit-takes-advantage-of-vulnerabilities; classtype:trojan-activity; sid:2017100; rev:3; metadata:created_at 2013_07_05, updated_at 2013_07_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS /Styx EK - /jovf.html"; flow:established,to_server; content:!"&"; http_uri; content:"/jovf.html"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/styx-exploit-kit-takes-advantage-of-vulnerabilities; classtype:trojan-activity; sid:2017101; rev:2; metadata:created_at 2013_07_05, updated_at 2013_07_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS /Styx EK - /jorg.html"; flow:established,to_server; content:!"&"; http_uri; content:"/jorg.html"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/styx-exploit-kit-takes-advantage-of-vulnerabilities; classtype:trojan-activity; sid:2017102; rev:2; metadata:created_at 2013_07_05, updated_at 2013_07_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing Applet Jul 05 2013"; flow:established,to_client; file_data; content:"<applet "; nocase; fast_pattern:only; content:"|3b|document.write("; nocase; pcre:"/^[^\x3b]+?\+[a-z]+?\.substring([^)]+?)[^\x3b]+?\+[a-z]+?\.substring([^)]+?)[^\x3b]+?\+[a-z]+?\.substring([^)]+?)/Rsi"; classtype:trojan-activity; sid:2017106; rev:2; metadata:created_at 2013_07_05, updated_at 2013_07_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FlashPlayerSetup.x86.exe pull"; flow:established,to_server; content:"GET"; http_method; content:"FlashPlayerSetup.x86.exe"; http_uri; content:".swf|0d 0a|"; http_header; reference:url,blog.avast.com/2013/07/03/fake-flash-player-installer; classtype:trojan-activity; sid:2017107; rev:2; metadata:created_at 2013_07_05, updated_at 2013_07_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FlashPlayerSetup.x86.exe checkin UA"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a| risp|0d 0a|"; http_header; flowbits:set,FlashPlayerSetupUA; reference:url,blog.avast.com/2013/07/03/fake-flash-player-installer; classtype:trojan-activity; sid:2017108; rev:2; metadata:created_at 2013_07_05, updated_at 2013_07_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlashPlayerSetup.x86.exe checkin response 2"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"var begenilecek_sayfalar"; depth:28; flowbits:isset,FlashPlayerSetupUA; reference:url,blog.avast.com/2013/07/03/fake-flash-player-installer; classtype:trojan-activity; sid:2017109; rev:1; metadata:created_at 2013_07_05, updated_at 2013_07_05;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange applet structure Jul 05 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; fast_pattern; content:"000000000000000000|22| name=|22|WindowSize"; distance:0; content:"000000000000000000|22| name=|22|WindowSize"; distance:0; content:"000000000000000000|22| name=|22|WindowSize"; distance:0; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017110; rev:6; metadata:created_at 2013_07_05, updated_at 2013_07_05;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS VBulletin Backdoor CMD inbound"; flow:established,to_server; content:"HTTP_ECMDE|3a|"; http_header; reference:url,blog.sucuri.net/2013/07/vbulletin-infections-from-adabeupdate.html; classtype:trojan-activity; sid:2017111; rev:3; metadata:created_at 2013_07_05, updated_at 2013_07_05;)

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS VBulletin Backdoor C2 URI Structure"; flow:established,to_server; content:"/ss?t=f&"; http_uri; depth:8; reference:url,blog.sucuri.net/2013/07/vbulletin-infections-from-adabeupdate.html; classtype:trojan-activity; sid:2017112; rev:3; metadata:created_at 2013_07_05, updated_at 2013_07_05;)

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS VBulletin Backdoor C2 Domain "; flow:established,to_server; content:"adabeupdate.com|0d 0a|"; http_header; reference:url,blog.sucuri.net/2013/07/vbulletin-infections-from-adabeupdate.html; classtype:trojan-activity; sid:2017113; rev:3; metadata:created_at 2013_07_05, updated_at 2013_07_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx iframe with obfuscated Java version check Jul 04 2013"; flow:established,from_server; file_data; content:"<html>|0d 0a|"; within:8; content:"<body"; within:100; content:"><h"; within:100; content:">|0d 0a|<h"; within:6; pcre:"/(?P<v>[0-9a-z]{2})(?P<a>(?!(?P=v))[0-9a-z]{2})[0-9a-z]{2}(?P<space>[0-9a-z]{2})[0-9a-z]{12,16}(?P=space)[0-9a-z]{2}(?P=space)(?P<w>[0-9a-z]{2})(?P<i>[0-9a-z]{2})(?P<n>[0-9a-z]{2})[0-9a-z]{4}(?P=w)[0-9a-z]{10}(?P=i)(?P=n)[0-9a-z]{28}(?P=i)[0-9a-z]{2}(?P=n)[0-9a-z]{6}(?P=a)(?P=v)(?P=a)/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017114; rev:4; metadata:created_at 2013_07_05, updated_at 2013_07_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange applet July 08 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?(?P<dot>[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P<p>(?!(?P=dot))[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P<h>(?!((?P=p)|(?P=dot)))[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P=p).+?value[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?(?P=dot)([^a-f0-9]{2}){1,20}(?P<e>[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P<x>(?!(?P=e))[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P=e)(([^a-f0-9]{2}){1,20})?[\x22\x27]/Rs"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017115; rev:8; metadata:created_at 2013_07_09, updated_at 2013_07_09;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing with Applet July 08 2013"; flow:established,from_server; file_data; content:" Passage to India "; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017116; rev:5; metadata:created_at 2013_07_09, updated_at 2013_07_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool Exploit Kit Plugin-Detect July 08 2013"; flow:established,from_server; file_data; content:"cGRwZD17dmVyc2lvbjoiMC4"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017117; rev:1; metadata:created_at 2013_07_09, updated_at 2013_07_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sibhost Zip as Applet Archive July 08 2013"; flow:established,from_server; file_data; content:"getVersion("; content:"<applet"; fast_pattern; distance:0; nocase; pcre:"/^((?!(?i:<\/applet>)).)+?[\r\n\s]archive[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?\.zip[\x22\x27]/Rsi"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017118; rev:1; metadata:created_at 2013_07_09, updated_at 2013_07_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritX/SafePack Java Exploit Payload June 03 2013"; flow:established,to_server; content:" Java/1."; nocase; http_header; content:".php?"; http_uri; nocase; fast_pattern:only; pcre:"/\/[a-z0-9]{3}\.php\?[a-z]=[a-zA-Z0-9]{10}$/U"; classtype:trojan-activity; sid:2017119; rev:1; metadata:created_at 2013_07_09, updated_at 2013_07_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Adobe Flash Player update warning enticing clicks to malware payload"; flow:established,from_server; file_data; content:"WARNING|21| You should update your Flash Player Immediately"; classtype:trojan-activity; sid:2017122; rev:2; metadata:created_at 2013_07_09, updated_at 2013_07_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake Adobe Flash Player malware binary requested"; flow:established,to_server; content:"&filename=Flash Player "; http_uri; content:".exe"; http_uri; classtype:trojan-activity; sid:2017123; rev:2; metadata:created_at 2013_07_09, updated_at 2013_07_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Redirection - Wordpress Injection"; flow:established,to_client; file_data; content:"15,15,155,152,44,54"; classtype:trojan-activity; sid:2017124; rev:1; metadata:affected_product Any, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Perimeter, deployment Datacenter, tag DriveBy, tag Wordpress, signature_severity Major, created_at 2013_07_09, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Probable FlimKit Redirect July 10 2013"; flow:established,to_server; content:"/b.swf|0d 0a|"; http_header; fast_pattern:only; content:!"revolvermaps.com"; http_header; pcre:"/^Referer\x3a[^\r\n]+\/b.swf\r$/Hm"; flowbits:set,FlimKit.SWF.Redirect; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017125; rev:4; metadata:created_at 2013_07_10, updated_at 2017_05_10;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing July 10 2013"; flow:established,from_server; file_data; flowbits:isset,FlimKit.SWF.Redirect; content:".substring("; fast_pattern:only; nocase; content:"document.write("; nocase; content:".substring("; distance:0; nocase; content:".substring("; distance:0; nocase; content:".substring("; distance:0; nocase; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017126; rev:1; metadata:created_at 2013_07_10, updated_at 2017_05_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Potential Internet Explorer Use After Free CVE-2013-3163 Exploit URI Struct 1"; flow:established,to_server; content:!"Cookie|3a|"; content:"/vid.aspx?id="; http_uri; nocase; fast_pattern:only; pcre:"/\/vid\.aspx\?id=[a-zA-Z0-9]+$/Ui"; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:2017131; rev:2; metadata:created_at 2013_07_11, updated_at 2013_07_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Generic Phishing Landing Jul 12 2013"; flow:established,to_client; file_data; content:"function ValidateFormAol()"; fast_pattern:6,20; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017135; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2013_07_11, updated_at 2017_08_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS g01pack - Java JNLP Requested"; flow:established,to_server; urilen:>70; content:".jnlp"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{32}\/[a-f0-9]{32}\.jnlp$/Ui"; classtype:trojan-activity; sid:2017138; rev:2; metadata:created_at 2013_07_12, updated_at 2013_07_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DotkaChef JJencode Script URI Struct"; flow:established,to_server; content:"voDc0RHa8NnZ"; http_uri; fast_pattern:only; pcre:"/\/\?={0,2}[A-Za-z0-9\+\/]+?voDc0RHa8NnZ$/U"; classtype:trojan-activity; sid:2017139; rev:1; metadata:created_at 2013_07_12, updated_at 2013_07_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Redirection - phpBB Injection"; flow:established,to_server; content:".js?"; http_uri; content:"&"; distance:6; within:1; http_uri; pcre:"/\/[0-9]{6}\.js\?[0-9]{6}&[0-9a-f]{16}$/Ui"; classtype:trojan-activity; sid:2017149; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2013_07_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx PDF July 15 2013"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:".exe?"; fast_pattern:only; nocase; content:"<script"; nocase; content:"http|3a 2f 2f|"; distance:0; pcre:"/^[^\x3b\r\n\x22\x27]+?[A-Za-z0-9\/\_\-]{60,}\.exe\?/R"; classtype:trojan-activity; sid:2017151; rev:11; metadata:created_at 2013_07_15, updated_at 2013_07_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool PDF July 15 2013"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:".txt?e="; fast_pattern:only; nocase; content:"<script"; nocase; content:"http|3a 2f 2f|"; distance:0; pcre:"/^[^\x3b\r\n\x22\x27]+?\.txt\?e=\d+(&[fh]=\d)?/R"; classtype:trojan-activity; sid:2017150; rev:11; metadata:created_at 2013_07_15, updated_at 2013_07_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FlimKit Jar URI Struct"; flow:established,to_server; content:" Java/1."; http_header; content:".jar"; http_uri; fast_pattern:only; pcre:"/^[^\/]*?\/[a-f0-9]{8}[a-z0-9]+\.jar$/U"; pcre:"/\d/U"; pcre:"/[a-f]/U"; classtype:trojan-activity; sid:2017152; rev:3; metadata:created_at 2013_07_16, updated_at 2013_07_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FlimKit JNLP URI Struct"; flow:established,to_server; content:".pl|0d 0a|"; http_header; content:" Java/1."; http_header; content:".jnlp"; http_uri; fast_pattern:only; pcre:"/^[^\/]*?\/[a-z0-9]{9,16}\.jnlp$/U"; pcre:"/\d/U"; pcre:"/[a-z]/U"; classtype:trojan-activity; sid:2017153; rev:1; metadata:created_at 2013_07_16, updated_at 2013_07_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS JS Browser Based Ransomware"; flow:established,from_server; file_data; content:"YOUR BROWSER HAS BEEN LOCKED.|5c|n|5c|nALL PC DATA WILL BE DETAINED"; reference:url,blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/; reference:url,www.f-secure.com/weblog/archives/00002577.html; classtype:trojan-activity; sid:2017165; rev:1; metadata:created_at 2013_07_18, updated_at 2013_07_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sibhost Zip as Applet Archive July 08 2013"; flow:established,from_server; file_data; content:"jquery.js"; content:"archive"; fast_pattern; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?\.zip[\x22\x27]/Rsi"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017166; rev:3; metadata:created_at 2013_07_22, updated_at 2013_07_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS X20 EK Landing July 22 2013"; flow:established,from_server; file_data; content:"&7&.y|22|></param></applet></table></body></html>"; nocase; classtype:trojan-activity; sid:2017167; rev:3; metadata:created_at 2013_07_22, updated_at 2013_07_22;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing 07/22/13"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:"applet"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P<var>[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017168; rev:4; metadata:created_at 2013_07_22, updated_at 2013_07_22;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing 07/22/13 2"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:"param"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P<var>[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017169; rev:4; metadata:created_at 2013_07_22, updated_at 2013_07_22;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing 07/22/13 3"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:"jnlp_"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P<var>[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017170; rev:4; metadata:created_at 2013_07_23, updated_at 2013_07_23;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing 07/22/13 4"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:".jar"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P<var>[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017171; rev:4; metadata:created_at 2013_07_23, updated_at 2013_07_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Rawin - Landing Page Received"; flow:established,to_client; file_data; content:"<body bgcolor=|22|"; pcre:"/^[0-9a-f]{6}/Ri";content:"|22 20|>|0a|<applet"; within:11; fast_pattern; classtype:trojan-activity; sid:2017177; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2013_07_23, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Rawin - Java Exploit -dubspace.jar"; flow:established,to_server; content:"/dubspace.jar"; http_uri; classtype:trojan-activity; sid:2017178; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2013_07_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sibhost/FlimKit/Glazunov Jar with lowercase class names"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:!"smartsvn.com"; http_header; file_data; content:"PK|01 02|"; pcre:"/PK\x01\x02.{42}(?P<dir>[a-z]{7,}\/)([a-z$]+\.class)?(\xfe\xca\x00\x00)?(PK\x01\x02.{42}(?P=dir)[a-z$]+\.class){6,}(PK\x01\x02.{42}[0-9a-z$]{5,}(\.[a-z]{3})?)?PK\x05\x06.{18}$/s"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017181; rev:6; metadata:created_at 2013_07_23, updated_at 2013_07_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Possible CritXPack - Landing Page - jnlp_embedded"; flow:established,to_client; file_data; content:"jnlp_embedded|3a 22|PD94b"; classtype:trojan-activity; sid:2017182; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2013_07_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Inbound) 1"; flow:established,to_client; file_data; content:"<!--0c0896-->"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017184; rev:1; metadata:created_at 2013_07_24, updated_at 2013_07_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Inbound) 2"; flow:established,to_client; file_data; content:"#0c0896#"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017185; rev:1; metadata:created_at 2013_07_24, updated_at 2013_07_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Inbound) 3"; flow:established,to_client; file_data; content:"/*0c0896*/"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017186; rev:1; metadata:created_at 2013_07_24, updated_at 2013_07_24;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 1"; flow:established,to_client; file_data; content:"<!--0c0896-->"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017187; rev:1; metadata:created_at 2013_07_24, updated_at 2013_07_24;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 2"; flow:established,to_client; file_data; content:"#0c0896#"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017188; rev:1; metadata:created_at 2013_07_24, updated_at 2013_07_24;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 3"; flow:established,to_client; file_data; content:"/*0c0896*/"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017189; rev:1; metadata:created_at 2013_07_24, updated_at 2013_07_24;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response Octal (Outbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[0-7]{1,3})(?P<sep>[^0-9a-f])(?P<f>[0-7]{1,3})(?P=sep)[0-7]{1,3}(?P=sep)(?P<n>(?!(?P=f))[0-7]{1,3})(?P=sep)([0-7]{1,3}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[0-7]{1,3})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017192; rev:2; metadata:created_at 2013_07_24, updated_at 2013_07_24;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response Hex (Outbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[a-f0-9]{2})(?P<sep>[^0-9a-f])(?P<f>[a-f0-9]{2})(?P=sep)[a-f0-9]{2}(?P=sep)(?P<n>(?!(?P=f))[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017193; rev:2; metadata:created_at 2013_07_24, updated_at 2013_07_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response Octal (Inbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[0-7]{1,3})(?P<sep>[^0-9a-f])(?P<f>[0-7]{1,3})(?P=sep)[0-7]{1,3}(?P=sep)(?P<n>(?!(?P=f))[0-7]{1,3})(?P=sep)([0-7]{1,3}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[0-7]{1,3})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017194; rev:2; metadata:created_at 2013_07_24, updated_at 2013_07_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response Hex (Inbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[a-f0-9]{2})(?P<sep>[^0-9a-f])(?P<f>[a-f0-9]{2})(?P=sep)[a-f0-9]{2}(?P=sep)(?P<n>(?!(?P=f))[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017195; rev:2; metadata:created_at 2013_07_24, updated_at 2013_07_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Java UA Requesting Numeric.ext From Base Dir (Observed in Redkit/Sakura)"; flow:established,to_server; content:!"/404."; http_uri; depth:5; content:"Java/1."; http_header; pcre:"/^\/\d{2,}\.[a-z0-9]+$/Ui"; classtype:trojan-activity; sid:2017199; rev:2; metadata:created_at 2013_07_25, updated_at 2013_07_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Sakura Jar Download"; flow:established,to_client; content:"Content-Type|3a| application/x-java-archive|0d 0a|"; http_header; content:"Sun, 28 Jul 2002 "; fast_pattern; classtype:trojan-activity; sid:2017200; rev:4; metadata:created_at 2013_07_25, updated_at 2013_07_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 (Reversed)"; flow:established,to_client; file_data; content:"lRXYklGbhZ3X2N3cfRXZsBHch91X"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2017201; rev:5; metadata:created_at 2013_07_25, updated_at 2013_07_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated Click To Run Bypass (Reversed)"; flow:established,to_client; file_data; content:"detadilav_vss_telppa__"; nocase; distance:0; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2017202; rev:3; metadata:created_at 2013_07_25, updated_at 2013_07_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 2 (Reversed)"; flow:established,to_client; file_data; content:"0FGZpxWY29ldzN3X0VGbwBXYf9"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2017203; rev:4; metadata:created_at 2013_07_25, updated_at 2013_07_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 3 (Reversed)"; flow:established,to_client; file_data; content:"kVGdhRWasFmdfZ3cz9FdlxGcwF2Xf"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2017204; rev:5; metadata:created_at 2013_07_25, updated_at 2013_07_25;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 4"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; flowbits:isset,ET.JS.Obfus.Func; classtype:trojan-activity; sid:2017246; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Inbound) 4"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; flowbits:isset,ET.JS.Obfus.Func; classtype:trojan-activity; sid:2017247; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS PluginDetect plus Java version check"; flow:established,from_server; file_data; content:"PluginDetect"; pcre:"/if.{1,10}[<>]=?\s*(?P<quot>[\x22\x27])1(?P<sep>[^0-9a-zA-Z])7((?P=sep)\d+)?(?P=quot).{1,10}[<>]=?\s*(?P=quot)1(?P=sep)7((?P=sep)\d+)?(?P=quot)/s"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017248; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS %Hex Encoded Applet (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|61|25|70|25|70|25|6c|25|65|25|74"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017249; rev:1; metadata:created_at 2013_07_29, updated_at 2016_10_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS %Hex Encoded jnlp_embedded (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|6a|25|6e|25|6c|25|70|25|5f|25|65|25|6d|25|62|25|65|25|64|25|64|25|65|25|64"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017250; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS %Hex Encoded applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|61|25|70|25|70|25|6c|25|65|25|74|25|5f|25|73|25|73|25|76|25|5f|25|76|25|61|25|6c|25|69|25|64|25|61|25|74|25|65|25|64"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017251; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS %Hex Encoded/base64 1 applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|58|25|31|25|39|25|68|25|63|25|48|25|42|25|73|25|5a|25|58|25|52|25|66|25|63|25|33|25|4e|25|32|25|58|25|33|25|5a|25|68|25|62|25|47|25|6c|25|6b|25|59|25|58|25|52|25|6c"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017252; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS %Hex Encoded/base64 2 applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|39|25|66|25|59|25|58|25|42|25|77|25|62|25|47|25|56|25|30|25|58|25|33|25|4e|25|7a|25|64|25|6c|25|39|25|32|25|59|25|57|25|78|25|70|25|5a|25|47|25|46|25|30"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017253; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS %Hex Encoded/base64 3 applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|66|25|58|25|32|25|46|25|77|25|63|25|47|25|78|25|6c|25|64|25|46|25|39|25|7a|25|63|25|33|25|5a|25|66|25|64|25|6d|25|46|25|73|25|61|25|57|25|52|25|68|25|64|25|47|25|56|25|6b"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017254; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake FedEX/Pony spam campaign URI Struct 2"; flow:established,to_server; content:"/img/info.php?info="; http_uri; nocase; classtype:trojan-activity; sid:2017257; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Landing Applet With Payload Aug 02 2013"; flow:established,to_client; file_data; content:"<applet"; content:" value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27]http\x3a\/\/[^\/]+?\/\?[A-Za-z0-9]+=[A-Za-z0-9%]{60,}[\x22\x27]/R"; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:trojan-activity; sid:2017270; rev:6; metadata:created_at 2013_08_02, updated_at 2013_08_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Plugin-Detect with global % replace on unescaped string (Sakura)"; flow:established,to_client; file_data; content:"PluginDetect.getVersion"; fast_pattern; content:"unescape("; nocase; pcre:"/^[\r\n\s]*?[\x22\x27][^\x22\x27]+?[\x22\x27]\.replace\([\r\n\s]*?(?P<q1>[\x22\x27]?)\/.+?\/g[\r\n\s]*?,[\r\n\s]*?(?P<q2>[\x22\x27]?)%(?P=q2)[\r\n\s]*?\)/R"; classtype:trojan-activity; sid:2017271; rev:2; metadata:created_at 2013_08_02, updated_at 2013_08_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rawin EK Java (Old) /golem.jar"; flow:established,to_server; content:"/golem.jar"; fast_pattern:only; http_uri; content:"Java/1."; http_header; classtype:trojan-activity; sid:2017272; rev:1; metadata:created_at 2013_08_02, updated_at 2013_08_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rawin EK Java 1.7 /caramel.jar"; flow:established,to_server; content:"/caramel.jar"; fast_pattern:only; http_uri; content:"Java/1."; http_header; classtype:trojan-activity; sid:2017273; rev:1; metadata:created_at 2013_08_02, updated_at 2013_08_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx iframe with obfuscated Java version check Jul 04 2013"; flow:established,from_server; file_data; content:"<html>|0d 0a|"; within:8; content:"<body"; within:100; content:"><h"; within:100; content:">|0d 0a|<div"; within:8; pcre:"/(?P<v>[0-9a-z]{2})(?P<a>(?!(?P=v))[0-9a-z]{2})[0-9a-z]{2}(?P<space>[0-9a-z]{2})[0-9a-z]{10,20}(?P=space)[0-9a-z]{2}(?P=space)(?P<w>[0-9a-z]{2})(?P<i>[0-9a-z]{2})(?P<n>[0-9a-z]{2})[0-9a-z]{4}(?P=w)[0-9a-z]{10}(?P=i)(?P=n)[0-9a-z]{28}(?P=i)[0-9a-z]{2}(?P=n)[0-9a-z]{6}(?P=a)(?P=v)(?P=a)/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017295; rev:5; metadata:created_at 2013_08_06, updated_at 2013_08_06;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CritX/SafePack/FlashPack Jar Download"; flow:established,from_server; content:"filename=j"; http_header; content:".jar"; distance:23; within:4; http_header; pcre:"/filename=j[a-f0-9]{23}\.jar/H"; classtype:trojan-activity; sid:2017296; rev:4; metadata:created_at 2013_08_08, updated_at 2013_08_08;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CritX/SafePack/FlashPack EXE Download"; flow:established,from_server; content:"filename=e"; http_header; content:".exe"; distance:23; within:4; http_header; pcre:"/filename=e[a-f0-9]{23}\.exe/H"; classtype:trojan-activity; sid:2017297; rev:5; metadata:created_at 2013_08_08, updated_at 2013_08_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS X20 EK Download Aug 07 2013"; flow:established,from_server; content:"filename=app.jar|0d 0a|"; http_header; fast_pattern:only; file_data; content:"PK"; within:2; content:"|CA FE BA BE|"; distance:0; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017299; rev:6; metadata:created_at 2013_08_08, updated_at 2013_08_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rawin -TDS - POST w/Java Version"; flow:established,to_server; content:"POST"; http_method; content:"&v="; http_client_body; depth:3; pcre:"/^&v=(null|(\d+\.)+?\d+)\x3b\d+\x3b\x3b\d{3,5}x\d{3,5}\x3b/P"; classtype:trojan-activity; sid:2017300; rev:1; metadata:created_at 2013_08_08, updated_at 2013_08_08;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Trojan Dropper purporting to be missing application page landing"; flow:established,from_server; content:"Unable to find |22|"; content:"|20|Please Click Here to install......"; distance:0; within:85; classtype:trojan-activity; sid:2017301; rev:1; metadata:created_at 2013_08_08, updated_at 2013_08_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake Trojan Dropper purporting to be missing application - findloader"; flow:established,to_server; content:"/findloader"; http_uri; pcre:"/findloader[^\x2f\.\?]*?\.php\?[a-z]=[^&]+$/U"; classtype:trojan-activity; sid:2017302; rev:1; metadata:created_at 2013_08_08, updated_at 2013_08_08;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS 0f2490 Hacked Site Response (Inbound)"; flow:established,from_server; file_data; content:"</script>"; content:"#/0f2490#"; fast_pattern; distance:0; classtype:trojan-activity; sid:2017306; rev:4; metadata:created_at 2013_08_12, updated_at 2013_08_12;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS 0f2490 Hacked Site Response (Outbound)"; flow:established,from_server; file_data; content:"</script>"; content:"#/0f2490#"; fast_pattern; distance:0; classtype:trojan-activity; sid:2017307; rev:4; metadata:created_at 2013_08_12, updated_at 2013_08_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible FortDisco Wordpress Brute-force Site list download 10+ wp-login.php"; flow:established,to_client; file_data; content:"/wp-login.php|0d 0a|"; nocase; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; reference:url,www.arbornetworks.com/asert/2013/08/fort-disco-bruteforce-campaign/; reference:md5,722a1809bd4fd75743083f3577e1e6a4; classtype:trojan-activity; sid:2017310; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2013_08_12, updated_at 2016_07_01;)

alert tcp any !80 -> any any (msg:"ET CURRENT_EVENTS SUSPICIOUS IRC - PRIVMSG *.(exe|tar|tgz|zip)  download command"; flow:established,to_client; content:"PRIVMSG"; pcre:"/^[^\r\n]+\.(?:t(?:ar|gz)|exe|zip)/Ri"; classtype:bad-unknown; sid:2017318; rev:4; metadata:created_at 2013_08_13, updated_at 2013_08_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS IRC - NICK and 3 Letter Country Code"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/^[^\r\n]*[\[\|\{][A-Z]{3}[\]\|\}]/R"; classtype:bad-unknown; sid:2017319; rev:6; metadata:created_at 2013_08_13, updated_at 2013_08_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS IRC - NICK and Possible Windows XP/7"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/^[^\r\n]*(?:W(?:in(?:dows)?)?[^a-z0-9]?(XP|[7-8])|Vista)/Ri"; content:!"|20|XP/7"; classtype:bad-unknown; sid:2017321; rev:8; metadata:created_at 2013_08_13, updated_at 2013_08_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS IRC - NICK and Win"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/^[^\r\n]*win/Ri"; classtype:bad-unknown; sid:2017322; rev:4; metadata:created_at 2013_08_13, updated_at 2013_08_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS IRC - NICK and -PC"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/^[^\r\n]*-PC/Ri"; classtype:bad-unknown; sid:2017323; rev:4; metadata:created_at 2013_08_13, updated_at 2013_08_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit obfuscated hex-encoded jnlp_embedded Aug 08 2013"; flow:established,from_server; file_data; content:"fromCh"; pcre:"/(?P<m>[0-9a-f]{2})(?P<sep>[^0-9a-f])(?P<e>(?!(?P=m))[0-9a-f]{2})(?P=sep)([0-9a-f]{2}(?P=sep)){7}(?P=e)(?P=sep)(?P=m)(?P=sep)[0-9a-f]{2}(?P=sep)(?P=e)(?P=sep)(?P<d>(?!(?P=e))[0-9a-f]{2})(?P=sep)(?P=d)(?P=sep)(?P=e)(?P=sep)(?P=d)/R"; content:"<applet"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017324; rev:1; metadata:created_at 2013_08_13, updated_at 2013_08_13;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK setSecurityManager hex August 14 2013"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"73657453656375726974794d616e6167657228"; nocase; reference:url,piratebrowser.com; classtype:trojan-activity; sid:2017328; rev:2; metadata:created_at 2013_08_14, updated_at 2013_08_14;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Styx EK - /jvvn.html"; flow:established,to_server; content:"/jvvn.html"; http_uri; classtype:trojan-activity; sid:2017333; rev:2; metadata:created_at 2013_08_15, updated_at 2013_08_15;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS AutoIT C&C Check-In 2013-08-23 URL"; flow:established,to_server; content:"GET"; http_method; content:"/panel/panel.bin"; http_uri; reference:url,malwr.com/analysis/MWM3NDA2NTdhM2U4NGE0NjgwY2IzN2Y3ZDk4ZTcyMmM/; classtype:trojan-activity; sid:2017370; rev:1; metadata:created_at 2013_08_23, updated_at 2013_08_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing with Applet Aug 26 2013"; flow:established,from_server; file_data; content:"Australian Holiday|22|"; fast_pattern:only; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017372; rev:4; metadata:created_at 2013_08_26, updated_at 2013_08_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CookieBomb Generic JavaScript Format"; flow:from_server,established; file_data; content:"/*/"; fast_pattern; pcre:"/^[a-f0-9]{6}\*\//R"; content:"="; pcre:"/^[\r\n\s]*?\x5c?[\x22\x27]/R"; content:!"|22|"; within:500; content:!"|27|"; within:500; pcre:"/^([a-f0-9]{2}[^\x22\x27a-f0-9]{0,10})?(?P<f>[a-f0-9]{2})(?P<sep>[^\x22\x27a-f0-9]{0,10})(?P<u>(?!(?P=f))[a-f0-9]{2})(?P=sep)(?P<n>(?!(?:(?P=f)|(?P=u)))[a-f0-9]{2})(?P=sep)(?P<c>(?!(?:(?P=f)|(?P=u)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P<t>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)))[a-f0-9]{2})(?P=sep)(?P<i>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)))[a-f0-9]{2})(?P=sep)(?P<o>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)|(?P=i)))[a-f0-9]{2})(?P=sep)(?P=n)(?P=sep)(?P<spc>[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){1,100}(?P=spc)/Ri"; classtype:trojan-activity; sid:2017373; rev:5; metadata:created_at 2013_08_26, updated_at 2013_08_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CookieBomb Generic PHP Format"; flow:from_server,established; file_data; content:"echo "; fast_pattern; content:"#/"; distance:0; pcre:"/^[a-f0-9]{6}#/R"; content:"="; pcre:"/^[\r\n\s]*?\x5c?[\x22\x27]/R"; content:!"|22|"; within:500; content:!"|27|"; within:500; pcre:"/^([a-f0-9]{2}[^\x22\x27a-f0-9]{0,10})?(?P<f>[a-f0-9]{2})(?P<sep>[^\x22\x27a-f0-9]{0,10})(?P<u>(?!(?P=f))[a-f0-9]{2})(?P=sep)(?P<n>(?!(?:(?P=f)|(?P=u)))[a-f0-9]{2})(?P=sep)(?P<c>(?!(?:(?P=f)|(?P=u)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P<t>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)))[a-f0-9]{2})(?P=sep)(?P<i>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)))[a-f0-9]{2})(?P=sep)(?P<o>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)|(?P=i)))[a-f0-9]{2})(?P=sep)(?P=n)(?P=sep)(?P<spc>[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){1,100}(?P=spc)/Ri"; classtype:trojan-activity; sid:2017374; rev:5; metadata:created_at 2013_08_26, updated_at 2013_08_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CookieBomb Generic HTML Format"; flow:from_server,established; file_data; content:"<!--/"; fast_pattern; pcre:"/^[a-f0-9]{6}\-\-\>/R"; content:"="; pcre:"/^[\r\n\s]*?\x5c?[\x22\x27]/R"; content:!"|22|"; within:500; content:!"|27|"; within:500; pcre:"/^([a-f0-9]{2}[^\x22\x27a-f0-9]{0,10})?(?P<f>[a-f0-9]{2})(?P<sep>[^\x22\x27a-f0-9]{0,10})(?P<u>(?!(?P=f))[a-f0-9]{2})(?P=sep)(?P<n>(?!(?:(?P=f)|(?P=u)))[a-f0-9]{2})(?P=sep)(?P<c>(?!(?:(?P=f)|(?P=u)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P<t>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)))[a-f0-9]{2})(?P=sep)(?P<i>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)))[a-f0-9]{2})(?P=sep)(?P<o>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)|(?P=i)))[a-f0-9]{2})(?P=sep)(?P=n)(?P=sep)(?P<spc>[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){1,100}(?P=spc)/Ri"; classtype:trojan-activity; sid:2017375; rev:5; metadata:created_at 2013_08_26, updated_at 2013_08_26;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible BHEK Landing URI Format"; flow:to_server,established; urilen:>41; content:".php"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{32}\/[a-z]+?\-[a-z]+?\.php/U"; classtype:trojan-activity; sid:2017376; rev:6; metadata:created_at 2013_08_27, updated_at 2013_08_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible APT-12 Related C2"; flow:to_server,established; content:"/url.asp?"; http_uri; content:"-ShowNewsID-"; http_uri; fast_pattern; distance:0; pcre:"/=[A-Za-z0-9\/\+]+={0,2}$/U"; reference:url,community.rapid7.com/community/infosec/blog/2013/08/26/upcoming-g20-summit-fuels-espionage-operations; classtype:trojan-activity; sid:2017386; rev:1; metadata:created_at 2013_08_27, updated_at 2013_08_27;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing Aug 27 2013"; flow:established,from_server; file_data; content:"base_decode("; nocase; fast_pattern:only; content:"decodeHex("; nocase; content:"<applet"; nocase; classtype:trojan-activity; sid:2017387; rev:4; metadata:created_at 2013_08_28, updated_at 2013_08_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Sweet Orange Payload Download Aug 28 2013"; flow:established,to_server; content:"=java.util.Random@"; http_uri; fast_pattern:only; content:" Java/1."; http_header; classtype:trojan-activity; sid:2017388; rev:1; metadata:created_at 2013_08_28, updated_at 2013_08_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing with Applet Aug 30 2013"; flow:established,from_server; file_data; content:"var pp100"; fast_pattern; content:"document.write("; distance:0; pcre:"/^[\r\n\s]*?[\x22\x27]<(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?a(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?p(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?p(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?l(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?e(?:[\x27\x22]\s*?\+\s*?[\x27\x22])?t/Ri"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017405; rev:5; metadata:created_at 2013_09_03, updated_at 2013_09_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rawin EK Java /victoria.jar"; flow:established,to_server; content:"/victoria.jar"; fast_pattern:only; http_uri; content:"Java/1."; http_header; classtype:trojan-activity; sid:2017406; rev:3; metadata:created_at 2013_09_03, updated_at 2013_09_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura Landing with Applet Aug 30 2013"; flow:established,from_server; file_data; content:".getVersion"; nocase; content:"|22|PGFwcGxld"; fast_pattern; content:"|22|PGFwcGxld"; distance:0; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017407; rev:1; metadata:created_at 2013_09_03, updated_at 2013_09_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS GondadEK Landing Sept 03 2013"; flow:established,from_server; file_data; content:"expires=|22|+expires.toGMTString()"; fast_pattern:3,20; nocase; content:"51yes.com/click.aspx?"; nocase; content:"|22|gb2312|22|"; nocase; content:"delete "; nocase; content:"eval"; nocase; pcre:"/^[^A-Za-z0-9]/R"; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2013/deobfuscating-the-ck-exploit-kit; classtype:trojan-activity; sid:2017408; rev:2; metadata:created_at 2013_09_03, updated_at 2013_09_03;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 1"; flow:established; file_data; content:"bdd1f04b-858b-11d1-b16a-00c0f0283628"; nocase; content:"0M8R4KGxGu"; reference:url,www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf; reference:url,contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017409; rev:1; metadata:created_at 2013_09_03, updated_at 2013_09_03;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 2"; flow:established; file_data; content:"996BF5E0-8044-4650-ADEB-0B013914E99C"; nocase; content:"0M8R4KGxGu"; reference:url,www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf; reference:url,contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017410; rev:1; metadata:created_at 2013_09_03, updated_at 2013_09_03;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 3"; flow:established; file_data; content:"C74190B6-8589-11d1-B16A-00C0F0283628"; nocase; content:"0M8R4KGxGu"; reference:url,www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf; reference:url,contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017411; rev:1; metadata:created_at 2013_09_03, updated_at 2013_09_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura EK Landing Sep 06 2013"; flow:established,from_server; file_data; content:"/deployJava.js"; fast_pattern:only; nocase; content:!"<applet"; nocase; content:" RegExp"; pcre:"/^[\r\n\s]*?\([\r\n\s]*?(?P<q>[\x22\x27])(?P<m>((?!(?P=q)).)+)(?P=q).+?<(?P=m)?a(?P=m)?p(?P=m)?p(?P=m)l(?P=m)?e(?P=m)?t/Rsi"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017433; rev:2; metadata:created_at 2013_09_06, updated_at 2013_09_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Bleeding EK Variant Landing Sep 06 2013"; flow:established,from_server; file_data; content:"DoCake()"; fast_pattern:only; nocase; content:"applet"; nocase; content:".php?e="; content:".php?e="; distance:0; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017434; rev:1; metadata:created_at 2013_09_06, updated_at 2013_09_06;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Bleeding EK Variant Landing JAR Sep 06 2013"; flow:established,to_server; content:"Java/1."; fast_pattern:only; http_header; content:".php?e="; nocase; http_uri; pcre:"/\.php\?e=\d+(&|$)/Ui"; classtype:trojan-activity; sid:2017435; rev:4; metadata:created_at 2013_09_06, updated_at 2013_09_06;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura Sep 10 2013"; flow:established,from_server; file_data; content:".getVersion("; nocase; content:!"PluginDetect"; nocase; distance:-24; within:12; pcre:"/^[\r\n\s]*?(?P<q>[\x22\x27])Java(?P=q)/Ri"; content:!"<applet"; nocase; content:"var"; pcre:"/^[^=]+?=[^\x22\x27\x3b]*?(?P<q>[\x22\x27])(?:(?!(?P=q)).)+?<[^\x22\x27]*?a[^\x22\x27]*?p[^\x22\x27]*?p[^\x22\x27]*?l[^\x22\x27]*?e[^\x22\x27]*?t[^\x22\x27](?:(?!(?P=q)).)+?<[^\x22\x27]*?p[^\x22\x27]*?a[^\x22\x27]*?r[^\x22\x27]*?a[^\x22\x27]*?m/Rs"; classtype:trojan-activity; sid:2017450; rev:4; metadata:created_at 2013_09_10, updated_at 2013_09_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing Page"; flow:established,from_server; file_data; content:"|22|0x|22 3b|"; content:"="; distance:0; pcre:"/^[\r\n\s]*?[\x22\x27][a-f0-9]{2}(?P<sep>[^a-f0-9]{1,10})(?P<a>[a-f0-9]{2})(?P=sep)(?P<p>[a-f0-9]{2})(?P=sep)(?P=p)(?P=sep)(?P<l>[a-f0-9]{2})(?P=sep)(?P<e>[a-f0-9]{2})[^\x22\x27]+?(?P=sep)(?P=p)(?P=sep)(?P=a)(?P=sep)[a-f0-9]{2}(?P=sep)(?P=a)(?P=sep)[^\x22\x27]+?(?P=sep)(?P=a)(?P=sep)(?P=l)(?P=sep)[a-f0-9]{2}(?P=sep)(?P=e)/Rsi"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017451; rev:5; metadata:created_at 2013_09_11, updated_at 2013_09_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Redirection - Forum Injection"; flow:established,to_server; urilen:27<>33; content:".js?"; http_uri; fast_pattern:only; pcre:"/^\/[a-z]{7,11}\.js\?[a-f0-9]{16}$/U"; classtype:trojan-activity; sid:2017453; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2013_09_11, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CottonCastle EK Java Jar "; flow:to_server,established; content:"Java/1."; http_header; fast_pattern:only; pcre:"/\/(?:M[ABCDFGHIJKMOPSTUZ]|E[ABDEGIJKMNPRSVY]|R[ABCEFGHIKLMNPST]|G[ABCEGKMNPSTUV]|A[BCGLMNPQSUVZ]|O[ABCDFIJMNRST]|S[ABEGILMPRSUW]|T[ABEGHILMPSTY]|N[BCGHIKMPSTV]|I[ABCFGKLNSV]|L[ABCGIMNPST]|W[ABCGKMPRTZ]|Z[ABCDKMNSTU]|F[ABCGMNPTW]|H[BCEGKMPST]|K[CDFHLMPST]|U[ACGHLMNRV]|Y[BCGKLMPSU]|C[CELMNSTV]|D[ABCGIMST]|V[BCLMST]|J[BDFST]|P[GJKMN]|Q[ABGIM]|B[BGLS]|X[ACMS])\/[a-f0-9]{32}(\.[^\x2f]+)?$/Ui"; classtype:trojan-activity; sid:2017467; rev:3; metadata:created_at 2013_09_16, updated_at 2013_09_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Fake Microsoft Security Update Applet Sep 16 2013"; flow:established,from_server; file_data; content:"JTNDJTNGeG1sJTIwdmVyc2lvbiUzRCUy"; content:"/microsoft.jnlp"; fast_pattern:only; nocase; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017468; rev:1; metadata:created_at 2013_09_16, updated_at 2013_09_16;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible SNET EK VBS Download"; flow:to_server,established; content:"/cod/"; fast_pattern; http_uri; content:".vbs"; http_uri; distance:0; pcre:"/\/cod\/[^\x2f]+\.vbs$/U"; classtype:trojan-activity; sid:2017469; rev:5; metadata:created_at 2013_09_16, updated_at 2013_09_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SNET EK Encoded VBS 1"; flow:established,from_server; file_data; content:"BDbGVhckludGVybmV0Q2FjaGUo"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017470; rev:1; metadata:created_at 2013_09_16, updated_at 2013_09_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SNET EK Encoded VBS 2"; flow:established,from_server; file_data; content:"IENsZWFySW50ZXJuZXRDYWNoZS"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017471; rev:1; metadata:created_at 2013_09_16, updated_at 2013_09_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SNET EK Encoded VBS 3"; flow:established,from_server; file_data; content:"Q2xlYXJJbnRlcm5ldENhY2hlK"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017472; rev:1; metadata:created_at 2013_09_16, updated_at 2013_09_16;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible CoolEK Variant Payload Download Sep 16 2013"; flow:to_server,established; content:" Java/1."; http_header; content:"&e="; http_uri; content:!"osk188.com"; http_header; pcre:"/=\d+&e=\d+$/U"; classtype:trojan-activity; sid:2017473; rev:5; metadata:created_at 2013_09_16, updated_at 2013_09_16;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK Variant Landing Page - Applet Sep 16 2013"; flow:established,to_client; file_data; content:".class"; nocase; fast_pattern:only; content:"<param"; nocase; content:"value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?[\?\&]e=\d+[\x22\x27]/R"; classtype:trojan-activity; sid:2017474; rev:3; metadata:created_at 2013_09_16, updated_at 2013_09_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SweetOrange - Java Exploit Downloaded"; flow:established,from_server; file_data; content:".classPK"; content:".mp4PK"; fast_pattern; within:80; classtype:trojan-activity; sid:2017476; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2013_09_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Styx - TDS - Redirect To Landing Page"; flow:established,to_client; file_data; content:"<body onLoad="; content:"Redirect..."; fast_pattern; classtype:trojan-activity; sid:2017482; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2013_09_18, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:" DropPayload("; fast_pattern:only; classtype:trojan-activity; sid:2017483; rev:3; metadata:created_at 2013_09_19, updated_at 2013_09_19;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"function Suck("; fast_pattern:only; classtype:trojan-activity; sid:2017484; rev:2; metadata:created_at 2013_09_19, updated_at 2013_09_19;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"function align_esp("; fast_pattern:only; classtype:trojan-activity; sid:2017485; rev:1; metadata:created_at 2013_09_19, updated_at 2013_09_19;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"CollectGarbage"; nocase; fast_pattern:only; content:"eval(|27|unescape|27|)"; nocase; content:"|27|%u|27|"; classtype:trojan-activity; sid:2017486; rev:1; metadata:created_at 2013_09_19, updated_at 2013_09_19;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"unescape"; nocase; fast_pattern:only; content:"[|22|replace|22|]("; nocase; content:"/g"; distance:0; pcre:"/^[\r\n\s]*?\,[\r\n\s]*?[\x22\x27][\%\\]u"/Rsi"; classtype:trojan-activity; sid:2017487; rev:4; metadata:created_at 2013_09_19, updated_at 2013_09_19;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"(|22|ms-help|3a|//|22|)|3b|"; nocase; content:"(|22|ms-help|3a|//|22|)|3b|"; distance:0; content:"(|22|ms-help|3a 22|)|3b|"; nocase; content:"(|22|ms-help|3a 22|)|3b|"; nocase; distance:0; classtype:trojan-activity; sid:2017488; rev:2; metadata:created_at 2013_09_19, updated_at 2013_09_19;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rawin EK - Java Exploit - bona.jar"; flow:established,to_server; content:"/bona.jar"; http_uri; classtype:trojan-activity; sid:2017497; rev:1; metadata:created_at 2013_09_19, updated_at 2013_09_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blatantly Evil JS Function"; flow:established,from_server; file_data; content:"function heap"; nocase; content:"spray"; nocase; within:6; classtype:trojan-activity; sid:2017498; rev:2; metadata:created_at 2013_09_20, updated_at 2013_09_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probably Evil Long Unicode string only string and unescape 1"; flow:established,from_server; file_data; content:"unescape"; content:"|22|%u"; content:!"|22|"; within:120; pcre:"/^[a-f0-9]{4}([\%\\]u[a-f0-9]{4}){20}/Ri"; classtype:trojan-activity; sid:2017499; rev:1; metadata:created_at 2013_09_20, updated_at 2013_09_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probably Evil Long Unicode string only string and unescape 2"; flow:established,from_server; file_data; content:"unescape"; content:"|27|%u"; nocase; content:!"|27|"; within:120; pcre:"/^[a-f0-9]{4}([\%\\]u[a-f0-9]{4}){20}/Ri"; classtype:trojan-activity; sid:2017500; rev:1; metadata:created_at 2013_09_20, updated_at 2013_09_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probably Evil Long Unicode string only string and unescape 3"; flow:established,from_server; file_data; content:"unescape"; content:"|22 5f|u"; nocase; pcre:"/^[a-f0-9]{4}([\%\\]u[a-f0-9]{4}){20}/Ri"; classtype:trojan-activity; sid:2017501; rev:1; metadata:created_at 2013_09_20, updated_at 2013_09_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probably Evil Long Unicode string only string and unescape 3"; flow:established,from_server; file_data; content:"unescape"; content:"|27 5f|u"; nocase; content:!"|27|"; within:100; pcre:"/^[a-f0-9]{4}([\%\\]u[a-f0-9]{4}){20}/Ri"; classtype:trojan-activity; sid:2017502; rev:1; metadata:created_at 2013_09_20, updated_at 2013_09_20;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Used in various watering hole attacks"; flow:established,from_server; file_data; content:"ConVertData"; pcre:"/^[^a-z0-9]/Ri"; content:"checka"; pcre:"/^[^a-z0-9]/Ri"; content:"checkb"; pcre:"/^[^a-z0-9]/Ri"; classtype:trojan-activity; sid:2017503; rev:1; metadata:created_at 2013_09_20, updated_at 2013_09_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic - *.com.exe HTTP Attachment"; flow:established,to_client; content:".com.exe"; nocase; http_header; file_data; content:"MZ"; within:2; classtype:trojan-activity; sid:2017504; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2013_09_20, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Java Exploit Recieved - Atomic"; flow:established,to_client; file_data; content:"PK"; within:2; content:"Main-Class|3a| atomic.Atomic"; classtype:trojan-activity; sid:2017506; rev:1; metadata:created_at 2013_09_23, updated_at 2013_09_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Cushion Redirection"; flow:established,to_server; content:".php?message="; http_uri; fast_pattern:only; pcre:"/\/(?:app|info)\.php\?message=[A-Za-z0-9\+\/]+={0,2}$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/09/302-redirector-new-cushion-attempt-to.html; classtype:trojan-activity; sid:2017507; rev:1; metadata:created_at 2013_09_23, updated_at 2013_09_23;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible J7u21 click2play bypass"; flow:established,to_client; file_data; content:"<jfx|3a|"; nocase; content:"preloader-class"; nocase; content:"<jnlp"; nocase; classtype:attempted-user; sid:2017509; rev:1; metadata:created_at 2013_09_23, updated_at 2013_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS W32/Caphaw DriveBy Campaign Statistic.js"; flow:established,to_server; content:"/statistic.js?k="; http_uri; content:"&d="; http_uri; reference:url,research.zscaler.com/2013/09/a-new-wave-of-win32caphaw-attacks.html; reference:url,blog.damballa.com/archives/2147; classtype:trojan-activity; sid:2017512; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2013_09_25, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS W32/Caphaw DriveBy Campaign Ping.html"; flow:established,to_server; content:"/ping.html?id="; http_uri; content:"&js="; http_uri; content:"&key="; http_uri; content:!"/utils/"; http_uri; reference:url,research.zscaler.com/2013/09/a-new-wave-of-win32caphaw-attacks.html; reference:url,blog.damballa.com/archives/2147; classtype:trojan-activity; sid:2017513; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2013_09_25, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS LightsOut EK Payload Download"; flow:to_server,established; content:".php?dwl="; http_uri; fast_pattern:only; nocase; pcre:"/\.php\?dwl=[a-z]+$/U"; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017529; rev:3; metadata:created_at 2013_09_30, updated_at 2013_09_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible LightsOut EK info3i.html"; flow:to_server,established; content:"/info3i.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017530; rev:1; metadata:created_at 2013_09_30, updated_at 2013_09_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible LightsOut EK info3i.php"; flow:to_server,established; content:"/info3i.php"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017531; rev:3; metadata:created_at 2013_09_30, updated_at 2013_09_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible LightsOut EK inden2i.html"; flow:to_server,established; content:"/inden2i.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017532; rev:3; metadata:created_at 2013_09_30, updated_at 2013_09_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible LightsOut EK sort.html"; flow:to_server,established; content:"/sort.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017533; rev:5; metadata:created_at 2013_09_30, updated_at 2013_09_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible LightsOut EK leks.html"; flow:to_server,established; content:"/leks.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017534; rev:3; metadata:created_at 2013_09_30, updated_at 2013_09_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible LightsOut EK negc.html"; flow:to_server,established; content:"/negc.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017535; rev:3; metadata:created_at 2013_09_30, updated_at 2013_09_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible LightsOut EK negq.html"; flow:to_server,established; content:"/negq.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017536; rev:3; metadata:created_at 2013_09_30, updated_at 2013_09_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible LightsOut EK leks.jar"; flow:to_server,established; content:"/leks.jar"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017537; rev:3; metadata:created_at 2013_09_30, updated_at 2013_09_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible LightsOut EK start.jar"; flow:to_server,established; content:"/start.jar"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017538; rev:3; metadata:created_at 2013_09_30, updated_at 2013_09_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible LightsOut EK stoq.jar"; flow:to_server,established; content:"/stoq.jar"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017539; rev:3; metadata:created_at 2013_09_30, updated_at 2013_09_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible LightsOut EK erno_rfq.html"; flow:to_server,established; content:"/erno_rfq.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017540; rev:3; metadata:created_at 2013_09_30, updated_at 2013_09_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible LightsOut EK inden2i.php"; flow:to_server,established; content:"/inden2i.php"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017541; rev:3; metadata:created_at 2013_09_30, updated_at 2013_09_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible LightsOut EK gami.html"; flow:to_server,established; content:"/gami.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017542; rev:3; metadata:created_at 2013_09_30, updated_at 2013_09_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible LightsOut EK gami.jar"; flow:to_server,established; content:"/gami.jar"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017543; rev:3; metadata:created_at 2013_09_30, updated_at 2013_09_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS LightsOut EK POST Compromise POST"; flow:to_server,established; content:"POST"; http_method; content:".php?id="; http_uri; nocase; content:"&v1="; http_uri; nocase; content:"&v2="; http_uri; nocase; fast_pattern:only; content:"&q="; http_uri; nocase; content:!"Referer|3a|"; http_header; content:!"Accept|3a|"; http_header; content:"Content-Length|3a 20|0"; http_header; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017544; rev:1; metadata:created_at 2013_09_30, updated_at 2013_09_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing with Applet Sep 30 2013"; flow:established,from_server; file_data; content:"New Zealandn Holiday"; fast_pattern:only; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017545; rev:5; metadata:created_at 2013_09_30, updated_at 2013_09_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible FortDisco POP3 Site list download"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a 20|PrototypeB|0d 0a|"; http_header; fast_pattern:12,10; content:!"Accept|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; reference:md5,538a4cedad8791e27088666a4a6bf9c5; reference:md5,87c21bc9c804cefba6bb4148dbe4c4de; reference:url,www.abuse.ch/?p=5813; classtype:trojan-activity; sid:2017546; rev:2; metadata:created_at 2013_09_30, updated_at 2013_09_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK Jar Download Sep 30 2013"; flow:to_server,established; content:"Java/1."; http_header; fast_pattern:only; content:"/index.html?p="; http_uri; pcre:"/\/index\.html\?p=\d+$/U"; reference:md5,d58fea2d0f791e65c6aae8e52f7089c1; classtype:trojan-activity; sid:2017547; rev:2; metadata:created_at 2013_09_30, updated_at 2013_09_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Cushion Redirection"; flow:established,to_server; content:"/index.php?"; http_uri; content:"="; distance:1; within:1; http_uri; content:!"=aHR0"; http_uri; fast_pattern; pcre:"/\/index\.php\?[a-z]=[A-Za-z0-9\/\+]*?(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+?(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+={0,2}$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/09/302-redirector-new-cushion-attempt-to.html; classtype:trojan-activity; sid:2017552; rev:6; metadata:created_at 2013_10_01, updated_at 2013_10_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake MS Security Update (Jar)"; flow:established,from_server; file_data; content:"Microsoft Security Update"; content:"applet_ssv_validated"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017549; rev:1; metadata:created_at 2013_10_01, updated_at 2013_10_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HiMan EK Landing Oct 1 2013"; flow:established,from_server; file_data; content:"java3()|3b|"; fast_pattern:only; content:"java2()|3b|"; content:"pdf()|3b|"; content:"ie()|3b|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017550; rev:1; metadata:created_at 2013_10_01, updated_at 2013_10_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated http 2 digit sep in applet (Seen in HiMan EK)"; flow:established,from_server; file_data; content:"<applet"; content:"value"; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27]h(?P<sep>\d{2})t(?P=sep)t(?P=sep)p(?P=sep)\x3a/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017551; rev:1; metadata:created_at 2013_10_01, updated_at 2013_10_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HiMan EK Reporting Host/Exploit Info"; flow:established,to_server; content:".php?ex="; http_uri; content:"&os="; http_uri; content:"&name="; http_uri; content:"&ver="; http_uri; classtype:trojan-activity; sid:2017553; rev:2; metadata:created_at 2013_10_02, updated_at 2013_10_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS BHEK Payload Download (java only alternate method may overlap with 2017454)"; flow:established,to_server; urilen:>48; content:"Java/1."; http_header; fast_pattern:only; content:".php?"; http_uri; pcre:"/\.php\?[^=]+=(?:[^&]?[a-z0-9]{2}){5}&[^=]+=(?:[^&]?[a-z0-9]{2}){10}&/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017554; rev:1; metadata:created_at 2013_10_02, updated_at 2013_10_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DotkaChef EK initial landing from Oct 02 2013 mass-site compromise EK campaign"; flow:established,to_server; content:".js?cp="; http_uri; fast_pattern:only; pcre:"/\/[A-F0-9]{8}\.js\?cp=/U"; classtype:trojan-activity; sid:2017555; rev:1; metadata:created_at 2013_10_02, updated_at 2013_10_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java CVE-2013-1488 java.sql.Drivers Service Object in JAR"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"META-INF/services/java.sql.Drivers"; fast_pattern:14,20; content:"META-INF/services/java.lang.Object"; reference:cve,2013-1488; reference:url,www.contextis.com/research/blog/java-pwn2own/; reference:url,www.rapid7.com/db/modules/exploit/multi/browser/java_jre17_driver_manager; classtype:attempted-user; sid:2017557; rev:2; metadata:created_at 2013_10_03, updated_at 2013_10_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing with Applet Oct 4 2013"; flow:established,from_server; file_data; content:"Embassy  Tokyo, Japan"; fast_pattern; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017562; rev:5; metadata:created_at 2013_10_04, updated_at 2013_10_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java CVE-2013-2465 Based on PoC"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"$MyColorModel.class"; content:"$MyColorSpace.class"; reference:cve,2013-2465; reference:url,seclists.org/fulldisclosure/2013/Aug/134; reference:url,malwageddon.blogspot.com/2013/10/unknown-ek-i-wanna-be-billionaire-so.html; classtype:attempted-user; sid:2017563; rev:2; metadata:created_at 2013_10_07, updated_at 2013_10_07;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"name=|22|kurban|22|"; distance:0; nocase; content:".exe"; nocase; reference:cve,2013-2465; reference:url,malwageddon.blogspot.com/2013/10/unknown-ek-i-wanna-be-billionaire-so.html; reference:url,seclists.org/fulldisclosure/2013/Aug/134; classtype:attempted-user; sid:2017564; rev:2; metadata:created_at 2013_10_07, updated_at 2013_10_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FiestaEK js-redirect"; flow:established,to_server; content:"/?"; http_uri; fast_pattern:only; pcre:"/^\/[a-z0-9]+[0-9][a-z0-9]+\/\?\d$/U"; classtype:trojan-activity; sid:2017567; rev:2; metadata:created_at 2013_10_07, updated_at 2013_10_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Metasploit Java CVE-2013-2465 Class Name Sub Algo"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:".classPK"; content:"$"; distance:-21; within:1; content:".classPK"; distance:0; content:"$"; distance:-21; within:1; pcre:"/\b(?P<xps>[a-zA-Z]{7})\.classPK.+?\b(?P=xps)\$[a-zA-Z]{12}\.classPK.+?\b(?P=xps)\$[a-zA-Z]{12}\.classPK/s"; reference:cve,2013-2465; reference:url,seclists.org/fulldisclosure/2013/Aug/134; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/java_storeimagearray.rb; classtype:attempted-user; sid:2017568; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_10_08, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Styx EK jply.html"; flow:established,to_server; content:"/jply.html"; http_uri; classtype:trojan-activity; sid:2017576; rev:2; metadata:created_at 2013_10_09, updated_at 2013_10_09;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Landing Oct 09 2013"; flow:established,from_server; file_data; content:"|27|urn|3a|schemas-microsoft-com|3a|vml|27|"; content:"=String.fromCharCode|3b|"; fast_pattern:1,20; content:"return parseInt"; content:"return |27 27|"; classtype:trojan-activity; sid:2017577; rev:3; metadata:created_at 2013_10_10, updated_at 2013_10_10;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake MS Security Update EK (Payload Download)"; flow:established,to_server; content:"/winddl32.exe"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2017578; rev:1; metadata:created_at 2013_10_10, updated_at 2013_10_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Possible Secondary Indicator of Java Exploit (Artifact Observed mostly in EKs/a few mis-configured apps)"; flow:established,to_server; content:"/javax.xml.datatype.DatatypeFactory"; http_uri; content:"Java/1."; http_header; classtype:trojan-activity; sid:2017579; rev:1; metadata:created_at 2013_10_10, updated_at 2013_10_10;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DotkaChef Payload October 09"; flow:to_server,established; content:"sm_main.mp3"; http_uri; fast_pattern; content:"Java/1."; http_header; classtype:trojan-activity; sid:2017580; rev:1; metadata:created_at 2013_10_10, updated_at 2013_10_10;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown EK Initial Payload Internet Connectivity Check"; flow:established,to_server; content:"/ep/cl.php"; http_uri; fast_pattern:only; pcre:"/^\/ep\/cl\.php$/U"; reference:url,malwageddon.blogspot.fi/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:2017589; rev:2; metadata:created_at 2013_10_13, updated_at 2013_10_13;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS D-LINK Router Backdoor via Specific UA"; flow:to_server,established; content:"xmlset_roodkcableoj28840ybtide"; http_header; pcre:"/^User-Agent\x3a[^\r\n]*?xmlset_roodkcableoj28840ybtide/Hm"; reference:url,www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/; classtype:attempted-admin; sid:2017590; rev:2; metadata:created_at 2013_10_13, updated_at 2013_10_13;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Malvertising Related EK Landing Oct 14 2013"; flow:established,from_server; content:"(2)!=7"; fast_pattern:only; content:"(7)==0"; content:"(6)==1"; content:"javafx_version"; content:"jnlp_href"; content:".getVersion("; pcre:"/^[\r\n\s]*?[\x22\x27]Java[\x22\x27]/R"; content:"document.write("; pcre:"/^[\r\n\s]*?[\x22\x27]<applet/R"; content:"document.write("; pcre:"/^[\r\n\s]*?[\x22\x27]<applet/R"; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:trojan-activity; sid:2017591; rev:2; metadata:created_at 2013_10_15, updated_at 2013_10_15;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Malvertising Related EK Redirect Oct 14 2013"; flow:established,to_server; content:".php?tnzppl="; fast_pattern; content:"&endovenafsl="; distance:0; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r$/mi"; reference:url,malwageddon.blogspot.fi/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:2017592; rev:1; metadata:created_at 2013_10_15, updated_at 2013_10_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Nuclear EK CVE-2013-2551 IE Exploit URI Struct"; flow:established,to_server; content:".tpl"; http_uri; fast_pattern:only; pcre:"/\/1[34]\d{8}\.tpl$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017601; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2013_10_17, malware_family Nuclear, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK - Landing Page - Java ClassID and 32/32 archive Oct 16 2013"; flow:established,to_client; file_data; content:"applet"; nocase; fast_pattern; content:"archive"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]*?\/(?:[\/_]*?[a-f0-9][\/_]*?){64}[\x22\x27]/R"; classtype:trojan-activity; sid:2017602; rev:5; metadata:created_at 2013_10_17, updated_at 2013_10_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java Exploit 32-32 byte hex java payload request Oct 16 2013"; flow:established,to_server; urilen:>64; content:"Java/1."; http_header; pcre:"/^\/(?:[\/_]*?[a-f0-9][\/_]*?){64}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017603; rev:8; metadata:created_at 2013_10_17, updated_at 2013_10_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Magnitude EK (formerly Popads) IE Exploit with IE UA Oct 16 2013"; flow:established,to_server; urilen:66; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}$/Ui"; content:"Referer|3a| http|3a|//"; pcre:"/^[^\/\r\n]+/R"; content:"/?"; within:2; pcre:"/^[a-f0-9]{32}=\d{1,10}\r\n/R"; content:" MSIE "; http_header; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017613; rev:7; metadata:created_at 2013_10_17, updated_at 2013_10_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Cutwail Redirect to Magnitude EK"; flow:established,to_server; urilen:15; content:"/messag_id.html"; http_uri; fast_pattern:only; reference:url,www.secureworks.com/resources/blog/research/cutwail-spam-swapping-blackhole-for-magnitude-exploit-kit/; classtype:trojan-activity; sid:2017621; rev:2; metadata:created_at 2013_10_21, updated_at 2013_10_21;)

#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tenda Router Backdoor 1"; content:"w302r_mfg|00|"; depth:10; reference:url,www.devttys0.com/2013/10/from-china-with-love/; classtype:attempted-admin; sid:2017623; rev:3; metadata:created_at 2013_10_21, updated_at 2013_10_21;)

#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tenda Router Backdoor 2"; content:"rlink_mfg|00|"; depth:10; reference:url,www.devttys0.com/2013/10/from-china-with-love/; classtype:attempted-admin; sid:2017624; rev:3; metadata:created_at 2013_10_21, updated_at 2013_10_21;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS 81a338 Hacked Site Response (Outbound)"; flow:established,from_server; file_data; content:"<!--81a338-->"; fast_pattern:only; classtype:trojan-activity; sid:2017625; rev:5; metadata:created_at 2013_10_22, updated_at 2013_10_22;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS 81a338 Hacked Site Response (Inbound)"; flow:established,from_server; file_data; content:"<!--81a338-->"; fast_pattern:only; classtype:trojan-activity; sid:2017626; rev:6; metadata:created_at 2013_10_22, updated_at 2013_10_22;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Possible Sakura Jar Download Oct 22 2013"; flow:to_server,established; content:!".jar"; http_uri; content:"Java/1."; http_header; fast_pattern:only; content:".pl|3a|"; http_header; pcre:"/^\/[a-z]+([_-][a-z]+)*\.[a-z]{1,3}$/U"; pcre:"/^Host\x3a\x20[a-z0-9]+\.[a-z0-9]+\.[a-z0-9]+\.pl\x3a\d{2,5}\r$/Hm"; classtype:trojan-activity; sid:2017628; rev:2; metadata:created_at 2013_10_23, updated_at 2013_10_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FlashPack Oct 23 2013"; flow:to_server,established; content:".php?cashe="; http_uri; fast_pattern:only; content:"Java/1."; http_header; pcre:"/\.php\?cashe=\d+$/U"; classtype:trojan-activity; sid:2017629; rev:2; metadata:created_at 2013_10_23, updated_at 2013_10_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Netgear WNDR4700 Auth Bypass"; flow:to_server,established; content:"/BRS_03B_haveBackupFile_fileRestore.html"; http_uri; nocase; reference:url,securityevaluators.com/content/case-studies/routers/netgear_wndr4700.jsp; classtype:attempted-admin; sid:2017631; rev:1; metadata:created_at 2013_10_24, updated_at 2013_10_24;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Netgear WNDR3700 Auth Bypass"; flow:to_server,established; content:"/BRS_02_genieHelp.html"; http_uri; nocase; reference:url,shadow-file.blogspot.ro/2013/10/complete-persistent-compromise-of.html; classtype:attempted-admin; sid:2017632; rev:1; metadata:created_at 2013_10_24, updated_at 2013_10_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing Page Oct 25 2013"; flow:established,from_server; file_data; content:"domestic transit area.<br>"; fast_pattern:6,20; content:"display"; nocase; pcre:"/^[\r\n\s]*?\x3a[\r\n\s]*?none/Ri"; content:"<li"; nocase; pcre:"/^[^>]*?\>/R"; content:!"</li>"; nocase; within:500; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017634; rev:5; metadata:created_at 2013_10_25, updated_at 2013_10_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx Landing Page Oct 25 2013"; flow:established,from_server; file_data; content:"fromCharCode"; content:"+0+0+3-1-1"; fast_pattern; within:100; content:"substr"; content:"(3-1)"; within:100; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017635; rev:1; metadata:created_at 2013_10_25, updated_at 2013_10_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Nuclear EK PDF URI Struct"; flow:established,to_server; content:".pdf"; http_uri; fast_pattern:only; content:"/1"; http_uri; pcre:"/\/1(?:3[89]\d{7}|4\d{8})\.pdf$/U"; pcre:"/^Referer\x3a[^\r\n]+?\/[a-z0-9A-Z\_\-]{26,}\.html(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,et.exploitkitlanding;  classtype:trojan-activity; sid:2017636; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2013_10_28, malware_family Nuclear, updated_at 2016_07_01;)

#alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Alpha Networks ADSL2/2+ router remote administration password disclosure"; flow:to_server,established; content:"/APIS/returnJSON.htm"; http_uri; reference:url,packetstorm.foofus.com/1208-exploits/asl26555_pass_disclosure.txt; classtype:attempted-admin; sid:2017638; rev:1; metadata:created_at 2013_10_28, updated_at 2013_10_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Host Domain .bit"; flow:established,to_server; content:".bit|0D 0A|"; fast_pattern:only; http_header; pcre:"/^Host\x3a [^\r\n]+?\.bit\r\n$/Hmi"; reference:url,www.normanshark.com/blog/necurs-cc-domains-non-censorable/; classtype:bad-unknown; sid:2017644; rev:1; metadata:created_at 2013_10_30, updated_at 2013_10_30;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query Domain .bit"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|bit|00|"; fast_pattern; nocase; distance:0; reference:url,www.normanshark.com/blog/necurs-cc-domains-non-censorable/; classtype:bad-unknown; sid:2017645; rev:2; metadata:created_at 2013_10_30, updated_at 2013_10_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Sweet Orange payload Request"; flow:established,to_server; urilen:>50; content:".php?"; http_uri; pcre:"/^\/[a-z\_\-]{4,20}\.php\?(?:[a-z\_\-]{4,20}=\d+?&){3,}[a-z\_\-]{4,20}=-?\d+$/U"; content:"Java/1."; http_header; fast_pattern:only; flowbits:set,et.SweetOrangeURI; classtype:trojan-activity; sid:2017648; rev:5; metadata:created_at 2013_10_31, updated_at 2013_10_31;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange encrypted payload"; flow:established,to_client; flowbits:isset,et.SweetOrangeURI; file_data; byte_test:1,>,95,0,relative; byte_test:1,<,128,0,relative; content:"|00 00 00|"; distance:1; within:3; content:!"|00|"; within:1; content:"|00 00 00|"; distance:1; within:3; classtype:trojan-activity; sid:2017649; rev:4; metadata:created_at 2013_10_31, updated_at 2013_10_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO/Grandsoft Plugin-Detect"; flow:established,to_client; file_data; content:"go2Page(|27|/|27|+PluginDetect.getVersion(|22|AdobeReader|22|)+|27|.pdf|27|)|3b|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017650; rev:1; metadata:created_at 2013_10_31, updated_at 2013_10_31;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Malicious Cookie Set By Flash Malvertising"; flow:established,to_server; content:"|0d 0a|Cookie|3a 20|asg325we234=1|0d 0a|"; reference:md5,cce9dcad030c4cba605a8ee65572136a; classtype:trojan-activity; sid:2017660; rev:1; metadata:created_at 2013_11_04, updated_at 2013_11_04;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fredcot campaign php5-cgi initial exploit"; flow:to_server,established; content:!"Accept"; http_header; content:!"Referer"; http_header; content:"Mobile/10A5355d"; http_header; content:"<?php"; depth:5; http_client_body; content:"fredcot"; http_client_body; fast_pattern; reference:cve,2012-1823; reference:url,eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/; classtype:web-application-attack; sid:2017663; rev:2; metadata:created_at 2013_11_04, updated_at 2013_11_04;)

#alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET 21 (msg:"ET CURRENT_EVENTS Fredcot campaign payload download"; flow:to_server,established; content:"PASS fredcot123|0d 0a|"; reference:md5,e69bbd29f2822c1846d569ace710c9d5; reference:url,permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/20243; classtype:trojan-activity; sid:2017664; rev:5; metadata:created_at 2013_11_04, updated_at 2013_11_04;)

#alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fredcot campaign IRC CnC"; flow:to_server,established; content:"JOIN #1111 ddosit"; reference:md5,e69bbd29f2822c1846d569ace710c9d5; reference:url,permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/20243; classtype:trojan-activity; sid:2017665; rev:3; metadata:created_at 2013_11_04, updated_at 2013_11_04;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Nuclear EK JAR URI Struct Nov 05 2013"; flow:established,to_server; content:"/14"; fast_pattern:only; http_uri; content:"Java/1."; http_header; pcre:"/\/14\d{8}(?:\.jar)?$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017666; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2013_11_05, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Nuclear EK Payload URI Struct Nov 05 2013"; flow:established,to_server; content:"/f/"; http_uri; depth:3; pcre:"/^\/f(?:\/[^\x2f]+)?\/14\d{8}(?:\/\d{9,10})?(?:\/\d)+(?:\/x[a-f0-9]+(?:\x3b\d)+?)?$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017667; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2013_11_05, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Word DOCX with Many ActiveX Objects and Media"; flow:established,from_server; flowbits:isset,et.http.PK; file_data; content:"word/activeX/activeX40.xml"; nocase; content:"word/media/"; nocase; reference:url,blogs.mcafee.com/mcafee-labs/mcafee-labs-detects-zero-day-exploit-targeting-microsoft-office-2; classtype:trojan-activity; sid:2017670; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2013_11_06, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible CVE-2013-3906 CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"User-Agent|3a| MyWebClient"; http_header; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017671; rev:3; metadata:created_at 2013_11_06, updated_at 2013_11_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS msctcd.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/msctcd.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/msctcd\.exe$/Ui"; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017672; rev:1; metadata:created_at 2013_11_06, updated_at 2013_11_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS taskmgr.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/taskmgr.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/taskmgr\.exe$/Ui"; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017673; rev:1; metadata:created_at 2013_11_06, updated_at 2013_11_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS wsqmocn.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/wsqmocn.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/wsqmocn\.exe$/Ui"; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017674; rev:1; metadata:created_at 2013_11_06, updated_at 2013_11_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS connhost.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/connhost.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/connhost\.exe$/Ui"; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017675; rev:1; metadata:created_at 2013_11_06, updated_at 2013_11_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS lgfxsrvc.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/lgfxsrvc.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/lgfxsrvc\.exe$/Ui"; classtype:trojan-activity; sid:2017676; rev:1; metadata:created_at 2013_11_06, updated_at 2013_11_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS wimhost.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/wimhost.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/wimhost\.exe$/Ui"; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017677; rev:1; metadata:created_at 2013_11_06, updated_at 2013_11_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS winlog.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/winlog.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/winlog\.exe$/Ui"; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017679; rev:1; metadata:created_at 2013_11_06, updated_at 2013_11_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS waulct.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/waulct.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/waulct\.exe$/Ui"; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017680; rev:1; metadata:created_at 2013_11_06, updated_at 2013_11_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS alg.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/alg.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/alg\.exe$/Ui"; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017681; rev:1; metadata:created_at 2013_11_06, updated_at 2013_11_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS mssrs.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/mssrs.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/mssrs\.exe$/Ui"; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017682; rev:1; metadata:created_at 2013_11_06, updated_at 2013_11_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS winhosts.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/winhosts.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/winhosts\.exe$/Ui"; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017683; rev:1; metadata:created_at 2013_11_06, updated_at 2013_11_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx iframe with obfuscated CVE-2013-2551"; flow:established,from_server; file_data; content:"<html>|0d 0a|"; within:8; content:"<body"; within:100; content:"><h"; within:100; content:">|0d 0a|<div"; within:8; pcre:"/(?P<a>[0-9a-z]{2})(?P<s>(?!(?P=a))[0-9a-z]{2})[0-9a-z]{2}(?P=s)[0-9a-z]{2}(?P<y>[0-9a-z]{2})[0-9a-z]{4}(?P<dot>[0-9a-z]{2})(?P=a)(?P<r>[0-9a-z]{2})(?P=r)(?P=a)(?P=y)(?P=dot)/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017693; rev:1; metadata:created_at 2013_11_07, updated_at 2013_11_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Magnitude IE EK Payload Nov 8 2013"; flow:established,to_server; urilen:34; content:"/?"; depth:2; http_uri; fast_pattern; pcre:"/^\/\?[a-f0-9]{32}$/U"; content:" MSIE "; http_header; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2017694; rev:4; metadata:created_at 2013_11_08, updated_at 2013_11_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FaceBook IM & Web Driven Facebook Trojan Download"; flow:established,to_server; content:"/dlimage4.php"; http_uri; content:".best.lt.ua|0d 0a|"; http_header; pcre:"/Host\x3a\x20[a-z]{6}\.best.lt\.ua\r$/Hm"; reference:url,pastebin.com/raw.php?i=tdATTg7L; classtype:trojan-activity; sid:2017696; rev:4; metadata:created_at 2013_11_08, updated_at 2013_11_08;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude Landing Nov 11 2013"; flow:established,from_server; file_data; content:".fromCharCode("; nocase; pcre:"/^[^\)]+\][\r\n\s]*?\^[\r\n\s]*?\d+?[\r\n\s]*?\)/R"; content:"eval("; nocase; content:".split("; nocase; pcre:"/^[\r\n\s]*?[\x22\x27](?P<sp>[^\x22\x27]+)[\x22\x27].+?eval\([^\)\(]+?\([\x22\x27]\d{2,3}(?P=sp)\d{2,3}(?P=sp)/Rsi"; classtype:trojan-activity; sid:2017698; rev:1; metadata:created_at 2013_11_08, updated_at 2013_11_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Grandsoft/SofosFO EK PDF URI Struct"; flow:established,to_server; content:".pdf"; http_uri; fast_pattern:only; pcre:"/^\/\d{1,2}(?P<l>[A-Z])\d{1,2}(?P=l)\d{1,2}(?P=l)\d{1,2}\.pdf$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017699; rev:2; metadata:created_at 2013_11_08, updated_at 2013_11_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Sweet Orange IE Payload Request"; flow:established,to_server; urilen:>50; content:".php?"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:" MSIE "; http_header; pcre:"/^\/[a-z\_\-]{4,10}\.php\?([a-z\_\-]{4,10}=\d{1,3}&){7,}[a-z\_\-]{4,10}=-?\d+$/U"; flowbits:set,et.SweetOrangeURI; classtype:trojan-activity; sid:2017706; rev:5; metadata:created_at 2013_11_12, updated_at 2013_11_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Fake Codec Download"; flow:established,to_server; content:"/Setup.exe?tid="; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2017711; rev:1; metadata:created_at 2013_11_13, updated_at 2013_11_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Styx EK SilverLight Payload"; flow:established,to_server; urilen:19; content:"/1"; depth:2; http_uri; fast_pattern; pcre:"/^\/1[a-z0-9]{13}\.[a-z]{3}$/U"; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2017731; rev:2; metadata:created_at 2013_11_19, updated_at 2013_11_19;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS WhiteLotus EK PluginDetect Nov 20 2013"; flow:established,from_server; file_data; content:"makeid"; pcre:"/^[\r\n\s]*?\(/R"; content:"replaceIt"; pcre:"/^[\r\n\s]*?\(/R"; content:".getVersion"; nocase; content:"Silverlight"; nocase; content:"Java"; nocase; content:"Reader"; nocase; content:"Flash"; nocase; classtype:trojan-activity; sid:2017735; rev:3; metadata:created_at 2013_11_21, updated_at 2013_11_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible WhiteLotus EK 2013-2551 Exploit 1"; flow:established,from_server; file_data; content:"a0dmblxmL5FmcyFmLlxWe0NHazFGZ"; classtype:trojan-activity; sid:2017736; rev:3; metadata:created_at 2013_11_21, updated_at 2013_11_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible WhiteLotus EK 2013-2551 Exploit 2"; flow:established,from_server; file_data; content:"gGdn5WZs5SehJnch5SZslHdzh2chR"; classtype:trojan-activity; sid:2017737; rev:3; metadata:created_at 2013_11_21, updated_at 2013_11_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible WhiteLotus EK 2013-2551 Exploit 3"; flow:established,from_server; file_data; content:"oR3ZuVGbukXYyJXYuUGb5R3coNXYk"; classtype:trojan-activity; sid:2017738; rev:3; metadata:created_at 2013_11_21, updated_at 2013_11_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible WhiteLotus Java Payload"; flow:established,to_server; content:"Java/1."; http_header; content:"/?"; depth:2; http_uri; pcre:"/^\/\?[A-Za-z0-9]+=(?P<v1>[^&]+)&(?P=v1)=[^\/\.]+$/U"; classtype:trojan-activity; sid:2017739; rev:2; metadata:created_at 2013_11_21, updated_at 2013_11_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing Page Nov 21 2013"; flow:established,from_server; file_data; content:"object|22|.substring(15)"; content:"|22|"; distance:-37; within:1; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017740; rev:2; metadata:created_at 2013_11_21, updated_at 2013_11_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible WhiteLotus IE Payload"; flow:established,to_server; content:"GET"; http_method; content:"/?"; depth:2; http_uri; fast_pattern; content:" MSIE "; http_header; content:!"Referer|3a|"; http_header; content:"|0d 0a 0d 0a|"; pcre:"/^\/\?[A-Za-z0-9]+=(?P<v1>[^&]+)&(?P=v1)=[A-Za-z0-9]+$/U"; classtype:trojan-activity; sid:2017743; rev:3; metadata:created_at 2013_11_21, updated_at 2013_11_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS StyX EK Payload Cookie"; flow:established,to_server; content:"Cookie|3a 20|fGGhTasdas=http"; classtype:trojan-activity; sid:2017744; rev:1; metadata:created_at 2013_11_21, updated_at 2013_11_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake Media Player malware binary requested"; flow:established,to_server; content:"&filename=Media Player "; http_uri; content:".exe"; http_uri; classtype:trojan-activity; sid:2017745; rev:1; metadata:created_at 2013_11_21, updated_at 2013_11_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful AOL Phish Nov 25 2013"; flow:established,to_server; content:"POST"; http_method; content:"/aol.php"; http_uri; fast_pattern; content:"Sign+In"; http_client_body; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2017750; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2013_11_25, updated_at 2017_08_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Yahoo Phish Nov 25 2013"; flow:established,to_server; content:"POST"; http_method; content:"/yahoo.php"; http_uri; fast_pattern; content:"Sign+In"; http_client_body; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2017751; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2013_11_25, updated_at 2017_08_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Gmail Phish Nov 25 2013"; flow:established,to_server; content:"POST"; http_method; content:"/gmail.php"; http_uri; fast_pattern; content:"Sign+In"; http_client_body; nocase; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017752; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2013_11_25, updated_at 2017_08_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Remax Phish - Hotmail Creds Nov 25 2013"; flow:established,to_server; content:"POST"; http_method; content:"/hotmail.php"; http_uri; fast_pattern; content:"Sign+In"; http_client_body; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2017753; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2013_11_25, updated_at 2017_07_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Phish - Other Credentials Nov 25 2013"; flow:established,to_server; content:"POST"; http_method; content:"/other.php"; http_uri; fast_pattern; content:"Sign+In"; http_client_body; nocase; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017754; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2013_11_25, updated_at 2017_08_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Goon EK Java Payload"; flow:established,to_server; content:"Java/1."; http_header; fast_pattern:only; content:".mp3"; http_uri; pcre:"/\/\d{6}\.mp3$/U"; classtype:trojan-activity; sid:2017755; rev:3; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Goon EK Jar Download"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"Goon.class"; classtype:trojan-activity; sid:2017756; rev:1; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Lang Runtime in B64 Observed in Goon EK 1"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"amF2YS9sYW5nL1J1bnRpbW"; classtype:trojan-activity; sid:2017757; rev:1; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Lang Runtime in B64 Observed in Goon EK 2"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"phdmEvbGFuZy9SdW50aW1l"; classtype:trojan-activity; sid:2017758; rev:2; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Lang Runtime in B64 Observed in Goon EK 3"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"qYXZhL2xhbmcvUnVudGltZ"; classtype:trojan-activity; sid:2017759; rev:2; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class file Accessing Security Manager"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"etSecurityManager"; classtype:bad-unknown; sid:2017760; rev:1; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class file Importing Protection Domain"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/security/ProtectionDomain"; classtype:bad-unknown; sid:2017761; rev:1; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Accessing Importing glassfish"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"glassfish/gmbal"; classtype:bad-unknown; sid:2017762; rev:1; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class B64 encoded class"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"yv66v"; classtype:bad-unknown; sid:2017763; rev:1; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing jmx mbeanserver"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"jmx/mbeanserver"; classtype:bad-unknown; sid:2017764; rev:1; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing mbeanserver Introspector"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"mbeanserver/Introspector"; classtype:bad-unknown; sid:2017765; rev:1; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing glassfish external statistics impl"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"glassfish/external/statistics/impl"; classtype:bad-unknown; sid:2017766; rev:1; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing management MBeanServer"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"management/MBeanServer"; classtype:bad-unknown; sid:2017767; rev:1; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Mozilla JS Class Creation"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"sun.org.mozilla.javascript.internal.Context"; content:"sun.org.mozilla.javascript.internal.GeneratedClassLoader"; classtype:trojan-activity; sid:2017768; rev:1; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Hex Encoded Class file"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"CAFEBABE"; classtype:bad-unknown; sid:2017769; rev:1; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing tracing Provider Factory"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"tracing/ProviderFactory"; classtype:bad-unknown; sid:2017770; rev:1; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing Classes used in awt exploits"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/awt/image"; content:"Raster"; content:"SampleModel"; classtype:bad-unknown; sid:2017771; rev:1; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing Classe used in CVE-2013-2471/2472/2473"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/awt/image/SinglePixelPacked"; classtype:bad-unknown; sid:2017772; rev:1; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing Classe used in CVE-2013-2465/2463"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/awt/image/MultiPixelPacked"; classtype:bad-unknown; sid:2017773; rev:1; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Nuclear EK CVE-2013-2551 URI Struct Nov 26 2013"; flow:established,to_server; content:".htm"; http_uri; fast_pattern:only; pcre:"/^\/\d{8,11}(\/\d)?\/1[34]\d{8}\.htm$/U"; pcre:"/^Referer\x3a[^\r\n]+?\/[a-f0-9A-Z\_\-]{32,}\.html(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017774; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2013_11_27, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access takeCameraPicture"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:".takeCameraPicture"; nocase; reference:url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html; classtype:trojan-activity; sid:2017777; rev:1; metadata:created_at 2013_11_27, updated_at 2013_11_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access getGalleryImage"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"getGalleryImage"; nocase; reference:url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html; classtype:trojan-activity; sid:2017778; rev:2; metadata:created_at 2013_11_27, updated_at 2013_11_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access makeCall"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"makeCall"; nocase; reference:url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html; classtype:trojan-activity; sid:2017779; rev:1; metadata:created_at 2013_11_27, updated_at 2013_11_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access postToSocial"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"postToSocial"; nocase; reference:url,fireeye.com/blog/threat-research/2014/01/js-binding-over-http-vulnerability-and-javascript-sidedoor.html; classtype:trojan-activity; sid:2017780; rev:1; metadata:created_at 2013_11_27, updated_at 2013_11_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access sendMail"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"sendMail"; nocase; reference:url,fireeye.com/blog/threat-research/2014/01/js-binding-over-http-vulnerability-and-javascript-sidedoor.html; classtype:trojan-activity; sid:2017781; rev:1; metadata:created_at 2013_11_27, updated_at 2013_11_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access sendSMS"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"sendSMS"; nocase; reference:url,fireeye.com/blog/threat-research/2014/01/js-binding-over-http-vulnerability-and-javascript-sidedoor.html; classtype:trojan-activity; sid:2017782; rev:1; metadata:created_at 2013_11_27, updated_at 2013_11_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access registerMicListener"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"registerMicListener"; nocase; reference:url,fireeye.com/blog/threat-research/2014/01/js-binding-over-http-vulnerability-and-javascript-sidedoor.html; classtype:trojan-activity; sid:2017783; rev:1; metadata:created_at 2013_11_27, updated_at 2013_11_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK IE Exploit CVE-2013-2551"; flow:from_server,established; file_data; content:"#default#VML"; nocase; fast_pattern:only; content:"stroke"; nocase; content:"visibility"; nocase; content:"hidden"; nocase; distance:0; content:"Array"; nocase; pcre:"/^[\r\n\s]*?\([\r\n\s]*?[\x22\x27]f([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?r([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?o([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?m([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?C([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?h([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?a([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?r([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?c([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?o([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?d([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?e[\x22\x27]/Ri"; classtype:trojan-activity; sid:2017785; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2013_11_27, malware_family Nuclear, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SNET EK Activity Nov 27 2013"; flow:established,to_server; content:"?src="; content:"request|3a 20|microsoft_update|0d 0a|"; pcre:"/^[^\s]*?\s*?\/[^\r\n\s]*?\?src=/i"; classtype:trojan-activity; sid:2017786; rev:2; metadata:created_at 2013_11_27, updated_at 2013_11_27;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS JJEncode Encoded Script Inside of PDF Likely Evil"; flow:established,from_server; flowbits:isset,ET.pdf.in.http; file_data; content:"|2c 24 24 24 24 3a 28 21 5b 5d 2b 22 22 29 5b|"; reference:md5,6776bda19a3a8ed4c2870c34279dbaa9; classtype:trojan-activity; sid:2017789; rev:3; metadata:created_at 2013_11_29, updated_at 2013_11_29;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Polling/Check-in/Compromise from fake DHL mailing campaign"; flow:established,to_server; content:"/golden/index.php"; http_uri; fast_pattern:only; content:" MSIE 7.0"; http_header; content:"q=0.1|0d 0a|"; http_header; classtype:trojan-activity; sid:2017791; rev:1; metadata:created_at 2013_12_02, updated_at 2013_12_02;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET CURRENT_EVENTS Hostile fake DHL mailing campaign"; flow:established,to_server; content:"but no one bell unresponsive"; content:"The best regard DHL.com."; content:"filename=Notice"; classtype:trojan-activity; sid:2017792; rev:2; metadata:created_at 2013_12_02, updated_at 2013_12_02;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HiMan EK - Flash Exploit"; flow:established,to_client; file_data; content:"function Flash_Exploit() {"; classtype:trojan-activity; sid:2017794; rev:1; metadata:created_at 2013_12_04, updated_at 2013_12_04;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HiMan EK - Landing Page"; flow:established,to_client; file_data; content:"687474703a2f2f"; fast_pattern:only; content:"<applet"; nocase; pcre:"/^((?!<\/applet>).)+?[\x22\x27]687474703a2f2f/Rsi"; classtype:trojan-activity; sid:2017796; rev:2; metadata:created_at 2013_12_04, updated_at 2013_12_04;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HiMan EK - TDS - POST hyt="; flow:established,to_server; content:"POST"; http_method; content:"hyt="; http_client_body; depth:4; content:"&vre="; http_client_body; classtype:trojan-activity; sid:2017797; rev:1; metadata:created_at 2013_12_04, updated_at 2013_12_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java Jar Download"; flow:established,to_server; urilen:>32; content:"Java/1."; http_header; pcre:"/^\/(?:[\/_]*?[a-f0-9][\/_]*?){32}$/U"; content:"_"; http_uri; content:"/"; http_uri; offset:1; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017811; rev:1; metadata:created_at 2013_12_06, updated_at 2013_12_06;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack Payload"; flow:established,to_server; content:"/load"; http_uri; fast_pattern:only; content:".php"; http_uri; pcre:"/\/load(?:fla(2001[34]|0515)|msie\d{0,2}|20132551|jimage|silver|0322|db|im|rh)\.php/U"; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2017813; rev:8; metadata:created_at 2013_12_06, updated_at 2013_12_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack URI Struct .php?id=Hex"; flow:established,to_server; content:".php?id="; http_uri; pcre:"/\/(?:java(?:db|im|rh)|silver|flash|msie)\.php\?id=/U"; classtype:trojan-activity; sid:2017814; rev:3; metadata:created_at 2013_12_06, updated_at 2013_12_06;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Edwards Packed PluginDetect"; flow:established,to_client; file_data; content:"|7C|PluginDetect|7C|"; classtype:trojan-activity; sid:2017815; rev:2; metadata:created_at 2013_12_06, updated_at 2013_12_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing Page Dec 09 2013"; flow:established,from_server; file_data; content:"display|3a| none|3b 22|"; nocase; content:">"; within:500; content:!">"; nocase; within:500; content:"f"; within:200; pcre:"/^(?P<sep>.{1,50})u(?P=sep)n(?P=sep)c(?P=sep)t(?P=sep)i(?P=sep)o(?P=sep)n(?P=sep)\s/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017817; rev:10; metadata:created_at 2013_12_09, updated_at 2013_12_09;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Styx EK iexp.html"; flow:established,to_server; content:"/iexp.html"; http_uri; content:!"&"; http_uri; classtype:trojan-activity; sid:2017819; rev:4; metadata:created_at 2013_12_09, updated_at 2013_12_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS heapSpray in jjencode"; flow:from_server,established; file_data; content:".__$+"; pcre:"/^(?P<sep>((?!\.\$\_\$\+).){1,10})\.\$\_\$\+(?P=sep)\.___\+(?P=sep)\.\$\$\$\_\+(?P=sep)\.\$\_\$\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\_\+(?P=sep)\.\_\_\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\_\$\_\+(?P=sep)\.\_\$\$\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\_\+(?P=sep)\.\_\_\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\_\+(?P=sep)\.\_\$\_\+(?P=sep)\.\$\_\$\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\$\+(?P=sep)\.\_\_\$/R"; reference:url,www.invincea.com/2013/12/e-k-i-a-adobe-reader-exploit-cve-2013-3346-kernel-ndproxy-sys-zero-day-eop/; classtype:trojan-activity; sid:2017823; rev:1; metadata:created_at 2013_12_09, updated_at 2013_12_09;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SPL2 EK Landing Dec 09 2013"; flow:from_server,established; file_data; content:"$.getVersion(|22|Silverlight|22|)"; content:"$.getVersion(|22|Java|22|)"; content:"calcMD5(encode_utf8(location"; classtype:trojan-activity; sid:2017826; rev:3; metadata:created_at 2013_12_09, updated_at 2013_12_09;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SPL2 EK Dec 09 2013 Java Request"; flow:established,to_server; content:"Java/1."; http_header; content:".html%3fjar"; http_raw_uri; pcre:"/\.html\?jar$/U"; classtype:trojan-activity; sid:2017827; rev:2; metadata:created_at 2013_12_09, updated_at 2013_12_09;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Styx Exploit Kit - JAR Exploit"; flow:to_server,established; urilen:>300; content:"Java/1."; http_header; content:".jar"; fast_pattern:only; http_uri; pcre:"/^\/[a-zA-Z0-9_\x2f-]{300,}\.jar$/U"; content:"/"; http_uri; offset:1; content:"_"; http_uri; offset:1; content:"-"; offset:1; http_uri; classtype:trojan-activity; sid:2017840; rev:1; metadata:created_at 2013_12_11, updated_at 2013_12_11;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Styx Exploit Kit - EOT Exploit"; flow:to_server,established; urilen:>300; content:".eot"; fast_pattern:only; http_uri; pcre:"/^\/[a-zA-Z0-9_\x2f-]{300,}\.eot$/U"; content:"/"; http_uri; offset:1; content:"_"; http_uri; offset:1; content:"-"; offset:1; http_uri; classtype:trojan-activity; sid:2017844; rev:2; metadata:created_at 2013_12_11, updated_at 2013_12_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS winhost(32|64).exe in URI"; flow:established,to_server; content:"GET"; http_method; content:"/winhost"; http_uri; nocase; fast_pattern:only; pcre:"/\/winhost(?:32|64)\.(exe|pack)$/Ui"; classtype:trojan-activity; sid:2017842; rev:3; metadata:created_at 2013_12_11, updated_at 2013_12_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS pony.exe in URI"; flow:established,to_server; content:"GET"; http_method; content:"/pony."; http_uri; nocase; fast_pattern:only; pcre:"/\/pony\.(exe|pack)$/Ui"; classtype:trojan-activity; sid:2017843; rev:1; metadata:created_at 2013_12_11, updated_at 2013_12_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY FakeUpdate - URI - /styles/javaupdate.css"; flow:established,to_server; content:"/styles/javaupdate.css"; http_uri; classtype:trojan-activity; sid:2017845; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2013_12_13, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY FakeUpdate - URI - Payload Requested"; flow:established,to_server; content:"DDL Java Installer.php?dv1="; http_uri; classtype:trojan-activity; sid:2017846; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2013_12_13, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Browlock Landing Page URI Struct"; flow:to_server,established; content:"/?flow_id"; http_uri; content:"/case_id="; http_uri; fast_pattern:only; pcre:"/\/\?flow_id=\d+?&\d+?=\d+?\/case_id=\d+$/U"; classtype:trojan-activity; sid:2017847; rev:2; metadata:created_at 2013_12_13, updated_at 2013_12_13;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SPL2 EK SilverLight"; flow:to_server,established; content:".html?sv="; http_uri; fast_pattern:only; pcre:"/\.html\?sv=[1-5](\,\d+?){1,3}$/U"; classtype:trojan-activity; sid:2017848; rev:2; metadata:created_at 2013_12_13, updated_at 2013_12_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CVE-2013-2551 As seen in SPL2 EK"; flow:from_server,established; file_data; content:".dashstyle.array.length"; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(?:-[\r\n\s]*?\d|0[\r\n\s]*?-)/Ri"; classtype:trojan-activity; sid:2017849; rev:1; metadata:created_at 2013_12_13, updated_at 2013_12_13;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HiMan EK Exploit URI Struct"; flow:to_server,established; content:"=687474703a2f2f"; http_uri; content:".php?"; http_uri; pcre:"/\/(?:d|xie|fla)\.php\?[a-z]+?=687474703a2f2f/U"; classtype:trojan-activity; sid:2017851; rev:2; metadata:created_at 2013_12_13, updated_at 2013_12_13;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HiMan EK Secondary Landing"; flow:from_server,established; file_data; content:"<body onload=|27|Exploit()|3b 27|>"; fast_pattern:6,20; content:"|3a|stroke"; nocase; classtype:trojan-activity; sid:2017852; rev:2; metadata:created_at 2013_12_13, updated_at 2013_12_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Grandsoft/SofosFO EK Java Payload URI Struct"; flow:established,to_server; content:"Java/1."; http_header; fast_pattern:only; pcre:"/^\/\d{4,5}\/\d{7}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017861; rev:2; metadata:created_at 2013_12_13, updated_at 2013_12_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimePack PDF Exploit"; flow:established,to_server; content:"/pdf.php?pdf="; http_uri; fast_pattern:only; content:"type="; http_uri; pcre:"/\/pdf\.php\?pdf=[a-f0-9]{32}&/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017862; rev:2; metadata:created_at 2013_12_16, updated_at 2013_12_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimePack Java Exploit"; flow:established,to_server; content:"Java/1."; http_header; content:"/java.php?eid="; http_uri; fast_pattern:only; content:"type="; http_uri; pcre:"/\/java\.php\?eid=[a-f0-9]{32}&/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017863; rev:2; metadata:created_at 2013_12_16, updated_at 2013_12_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimePack HCP Exploit"; flow:established,to_server; content:"/hcp.php?"; http_uri; fast_pattern:only; content:"type="; nocase; http_uri; content:"o="; nocase; http_uri; content:"b="; nocase; http_uri; pcre:"/[&?]type=\d+(?:$|&)/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017864; rev:1; metadata:created_at 2013_12_16, updated_at 2013_12_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimePack Jar 1 Dec 16 2013"; flow:established,to_server; content:"Java/1."; http_header; content:"/cp.jar"; http_uri; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017865; rev:1; metadata:created_at 2013_12_16, updated_at 2013_12_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimePack Jar 2 Dec 16 2013"; flow:established,to_server; content:"Java/1."; http_header; content:"/serial.jar"; http_uri; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017866; rev:1; metadata:created_at 2013_12_16, updated_at 2013_12_16;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS W32/BitCoinMiner Fake Flash Player Distribution Campaign - December 2013"; flow:established,to_server; content:"/blam/flashplayerv"; nocase; http_uri; reference:url,blog.malwarebytes.org/fraud-scam/2013/12/fake-flash-player-wants-to-go-mining/; reference:url,esearch.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; classtype:trojan-activity; sid:2017874; rev:1; metadata:created_at 2013_12_16, updated_at 2013_12_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DotkaChef Landing URI Struct"; flow:established,to_server; content:"/?"; http_uri; content:"LvoDc0RHa8NnZ"; http_uri; pcre:"/\/\?={0,2}[A-Za-z0-9\+\/]+?LvoDc0RHa8NnZ$/U"; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2013/analyzing-dotkachef-exploit-pack/; classtype:trojan-activity; sid:2017893; rev:3; metadata:created_at 2013_12_20, updated_at 2013_12_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DotkaChef Payload Dec 20 2013"; flow:established,to_server; content:"/?f=bb.mp3"; http_uri; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2013/analyzing-dotkachef-exploit-pack/; classtype:trojan-activity; sid:2017894; rev:2; metadata:created_at 2013_12_20, updated_at 2013_12_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible PDF Dictionary Entry with Hex/Ascii replacement"; flow:established,from_server; file_data; content:"%PDF-"; fast_pattern; within:5; content:"obj"; pcre:"/^[\r\n\s]*?<<(?:(?!>>).)+?\/[a-zA-Z\d]*?#(?:[46][1-9a-fA-F]|[57][\daA])(?:[a-zA-Z\d])*?#(?:[46][1-9a-fA-F]|[57][\daA])/Rsi"; classtype:trojan-activity; sid:2017899; rev:3; metadata:created_at 2013_12_23, updated_at 2013_12_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit 2013-3346"; flow:established,from_server; file_data; content:"5 0 R>>|0a|endobj|0a|5 0 obj |0a|<</"; pcre:"/^(?:L|#4c)(?:e|#65)(?:n|#6e)(?:g|#67)(?:t|#74)(?:h|#68)\x20\d+?\/(?:F|#46)(?:i|#69)(?:l|#6c)(?:t|#74)(?:e|#65)(?:r|#72)\[\/(?:F|#46)(?:l|#6c)(?:a|#61)(?:t|#74)(?:e|#65)(?:D|#44)(?:e|#65)(?:c|#63)(?:o|#6f)(?:d|#64)(?:e|#65)\/(?:A|#41)(?:S|#53)(?:C|#43)(?:I|#49){2}(?:H|#48)(?:e|#65)(?:x|#78)(?:D|#44)(?:e|#65)(?:c|#63)(?:o|#6f)(?:d|#64)(?:e|#65)\]>>/Rs"; content:"5 0 R>>|0a|endobj|0a|5 0 obj |0a|<<"; pcre:"/^(?:(?!>>).)+?#(?:[46][1-9a-fA-F]|[57][\daA])/Rs"; classtype:trojan-activity; sid:2017900; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_12_23, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO/GrandSoft PDF"; flow:established,from_server; file_data; content:"/TM(gawgewafgwe[0].#subform[0]"; classtype:trojan-activity; sid:2017905; rev:2; metadata:created_at 2013_12_26, updated_at 2013_12_26;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TDS Unknown_.aso - URI - IP.aso"; flow:established,to_server; content:".aso"; http_uri; fast_pattern:only; pcre:"/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\.aso$/U"; classtype:bad-unknown; sid:2017906; rev:1; metadata:created_at 2013_12_26, updated_at 2013_12_26;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS GoonEK Landing with CVE-2013-2551 Dec 29 2013"; flow:established,from_server; file_data; content:"javafx_version"; fast_pattern:only; content:"fromCharCode"; pcre:"/^[\r\n\s]*?\([\r\n\s]*?[a-zA-Z_$][^\r\n\s]*?\.charCodeAt[\r\n\s]*?\([\r\n\s]*?[a-zA-Z_$][^\r\n\s]*[\r\n\s]*?\)[\r\n\s]*?\^[\r\n\s]*?[a-zA-Z_$][^\r\n\s]*\.charCodeAt[\r\n\s]*?\(/Rsi"; content:"decodeURIComponent"; content:"applet"; classtype:trojan-activity; sid:2017907; rev:3; metadata:created_at 2014_12_30, updated_at 2014_12_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS GoonEK encrypted binary (1)"; flow:established,to_client; file_data; content:"|20 69 c3 34 55 6d 33 53|"; depth:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017908; rev:2; metadata:created_at 2014_12_30, updated_at 2014_12_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Redirection - Injection - Modified Edwards Packer Script"; flow:established,to_client; file_data; content:"function(s,a,c,k,e,d"; classtype:trojan-activity; sid:2017931; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_01_03, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS GoonEK Landing Jan 10 2014"; flow:established,to_client; file_data; content:"javafx_version"; fast_pattern:only; nocase; content:"46"; pcre:"/^(?P<sep>[^\x22\x27]{1,10})100(?P=sep)97(?P=sep)115(?P=sep)104(?P=sep)115(?P=sep)116(?P=sep)121(?P=sep)108(?P=sep)101(?P=sep)46(?P=sep)97(?P=sep)114(?P=sep)114(?P=sep)97(?P=sep)121(?P=sep)/R"; classtype:trojan-activity; sid:2017957; rev:1; metadata:created_at 2014_01_10, updated_at 2014_01_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Neutrino/Fiesta EK SilverLight Exploit Jan 13 2014 DLL Naming Convention"; flow:established,from_server; file_data; content:"PK|01 02|"; content:"|10 00|"; distance:24; within:2; content:"AppManifest.xaml"; distance:16; within:16; content:"PK|01 02|"; within:36; content:"|07 00|"; distance:24; within:2; pcre:"/^.{16}[a-z]{3}\.dll/Rs"; content:"PK|05 06|"; within:36; content:"|02 00 02 00|"; distance:4; within:4; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017963; rev:3; metadata:created_at 2014_01_13, updated_at 2017_03_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK CVE-2013-3918"; flow:established,from_server; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; content:"Array"; nocase; distance:0; content:"|22|"; nocase; within:500; content:!"|22|"; within:500; pcre:"/^[a-z0-9]{1,500}?(?P<s>[a-z0-9]{2})(?P<t>(?!(?P=s))[a-z0-9]{2})(?P<r>(?!(?:(?P=s)|(?P=t)))[a-z0-9]{2})(?P=t)(?P<o>(?!(?:(?P=s)|(?P=t)|(?P=r)))[a-z0-9]{2})(?P<b>(?!(?:(?P=s)|(?P=t)|(?P=r)|(?P=o)))[a-z0-9]{2})(?P<y>(?!(?:(?P=s)|(?P=t)|(?P=r)|(?P=o)|(?P=b)))[a-z0-9]{2})(?P=t)(?:(?!(?:(?P=s)|(?P=t)|(?P=r)))[a-z0-9]{4})(?P=s)(?P=t)(?P=r)/Rs"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017973; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_01_15, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible AnglerEK Landing URI Struct"; flow:established,to_server; content:"?thread="; http_uri; nocase; fast_pattern:only; content:"key="; http_uri; nocase; pcre:"/^\/[a-z0-9]+?\?thread=\d+?&x?key=[A-F0-9]{32}$/U"; classtype:trojan-activity; sid:2017975; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2014_01_16, malware_family Angler, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Updatre SSL Certificate cardiffpower"; flow:established,from_server; content:"|55 04 03|"; content:"|10|cardiffpower.com"; distance:1; within:17; content:"|55 04 03|"; distance:0; content:"|10|cardiffpower.com"; distance:1; within:17; classtype:trojan-activity; sid:2017977; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_01_16, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Updatre Compromised SSL Certificate marchsf"; flow:established,from_server; content:"|02 07 04 81 e4 de 05 6a 5a|"; content:"|0b|marchsf.com"; distance:0; fast_pattern; classtype:trojan-activity; sid:2017978; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_01_16, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Updatre Compromised SSL Certificate california89"; flow:established,from_server; content:"|02 07 2b 00 ee 19 5e ab 1f|"; content:"|10|california89.com"; distance:0; classtype:trojan-activity; sid:2017979; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_01_16, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Updatre Compromised SSL Certificate thebostonshaker"; flow:established,from_server; content:"|02 07 27 7d 65 4a cd bf 4e|"; content:"|17|www.thebostonshaker.com"; distance:0; classtype:trojan-activity; sid:2017981; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_01_16, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Upatre SSL Compromised site appsredeeem"; flow:established,to_client; content:"|12|www.appsredeem.com"; nocase; classtype:trojan-activity; sid:2017987; rev:2; metadata:created_at 2014_01_17, updated_at 2014_01_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS VBS.Dunihi Check-in UA"; flow:to_server,established; content:"POST "; nocase; depth:5; content:"User-Agent|3A 20|"; content:"|3C 7C 3E|"; fast_pattern; distance:0; content:"|3C 7C 3E|"; distance:0; pcre:"/^User-Agent\x3a\x20[^\r\n]+?\x3c\x7c\x3e[^\r\n]+?\x3c\x7c\x3e[^\r\n]+?\x3c\x7c\x3e/m"; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24761/en_US/McAfee%20Labs%20Threat%20Advisory-VBSAutorun%20Worm.pdf; reference:url, www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?ThreatId=-2147283579&mstLocPickShow=False#tab=2; classtype:trojan-activity; sid:2017994; rev:3; metadata:created_at 2014_01_21, updated_at 2017_01_24;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS GoonEK Landing Jan 21 2013 SilverLight 1"; flow:established,from_server; file_data; content:"Y21kLmV4ZSA"; pcre:"/^[a-zA-Z0-9\+\/]+?(?:V2luSHR0cC5XaW5IdHRwUmVxdWVzdC41Lj|XaW5IdHRwLldpbkh0dHBSZXF1ZXN0LjUuM|dpbkh0dHAuV2luSHR0cFJlcXVlc3QuNS4x)/R"; classtype:trojan-activity; sid:2017995; rev:1; metadata:created_at 2014_01_22, updated_at 2014_01_22;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS GoonEK Landing Jan 21 2013 SilverLight 2"; flow:established,from_server; file_data; content:"NtZC5leGUg"; pcre:"/^[a-zA-Z0-9\+\/]+?(?:V2luSHR0cC5XaW5IdHRwUmVxdWVzdC41Lj|XaW5IdHRwLldpbkh0dHBSZXF1ZXN0LjUuM|dpbkh0dHAuV2luSHR0cFJlcXVlc3QuNS4x)/R"; classtype:trojan-activity; sid:2017996; rev:1; metadata:created_at 2014_01_22, updated_at 2014_01_22;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS GoonEK Landing Jan 21 2013 SilverLight 3"; flow:established,from_server; file_data; content:"jbWQuZXhlI"; pcre:"/^[a-zA-Z0-9\+\/]+?(?:V2luSHR0cC5XaW5IdHRwUmVxdWVzdC41Lj|XaW5IdHRwLldpbkh0dHBSZXF1ZXN0LjUuM|dpbkh0dHAuV2luSHR0cFJlcXVlc3QuNS4x)/R"; classtype:trojan-activity; sid:2017997; rev:1; metadata:created_at 2014_01_22, updated_at 2014_01_22;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Landing Jan 24 2013"; flow:established,to_client; file_data; content:"0x3dcde1&&"; nocase; content:"0x4e207d"; nocase; within:50; classtype:attempted-user; sid:2018011; rev:1; metadata:created_at 2014_01_24, updated_at 2014_01_24;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS ehow/livestrong Malicious Flash 10/11"; flow:established,to_server; urilen:13; content:".swf"; http_uri; offset:9; depth:4; pcre:"/^\/[a-f0-9]{8}\.swf$/U"; pcre:"/^Referer\x3a[^\r\n]+\/[a-f0-9]{8}\/1(?:0\/[0-2]|1\/\d)\/\r$/Hm"; classtype:trojan-activity; sid:2018029; rev:1; metadata:created_at 2014_01_28, updated_at 2014_01_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Hostile _dsgweed.class JAR exploit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"_dsgweed.class"; classtype:trojan-activity; sid:2018031; rev:3; metadata:created_at 2014_01_28, updated_at 2014_01_28;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS StyX Landing Jan 29 2014"; flow:from_server,established; file_data; content:"<applet"; fast_pattern:only; content:".exe"; pcre:"/^[\x22\x27]/R"; content:"var"; pcre:"/^\s+?(?P<vname>[^\s=]+)\s*?=\s*?(?P<q>[\x22\x27])(?:(?!(?P=q)).)+?\.exe(?P=q).+?<applet(?:(?!<\/applet>).)+?value\s*?=\s*?(?:\x22\x27|\x27\x22)\s*?\+\s*?(?P=vname)\s*?\+\s*?(?:\x22\x27|\x27\x22)/Rsi"; classtype:trojan-activity; sid:2018035; rev:3; metadata:created_at 2014_01_29, updated_at 2014_01_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CookieBomb 2.0 In Server Response Jan 29 2014"; flow:from_server,established; file_data; content:"%66%75%6e%63%74%69%6f%6e%20%72%65%64%69%72%65%63%74"; nocase; content:"%66%75%6e%63%74%69%6f%6e%20%63%72%65%61%74%65%43%6f%6f%6b%69%65"; nocase; content:"%64%6f%52%65%64%69%72%65%63%74"; nocase; fast_pattern:only; reference:url,malwaremustdie.blogspot.jp/2014/01/and-another-detonating-method-of-todays.html; classtype:trojan-activity; sid:2018037; rev:3; metadata:created_at 2014_01_29, updated_at 2014_01_29;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Current Asprox Spam Campaign"; flow:established,to_server; urilen:>60; content:"/viewtopic.php?"; http_uri; fast_pattern:only; pcre:"/\/viewtopic\.php\?[^=]+=[a-zA-Z0-9\x2b\x2f]{43}=$/U"; classtype:trojan-activity; sid:2018041; rev:3; metadata:created_at 2014_01_29, updated_at 2014_01_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Apple Phishing Landing Jan 30 2014"; flow:established,to_client; file_data; content:"<title>Apple - Update Your Information</title>"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2018042; rev:2; metadata:created_at 2014_01_30, updated_at 2017_10_12;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS PHISH Visa - Landing Page"; flow:established,to_client; file_data; content:"Enter your password Verified by Visa / MasterCard SecureCode"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2018043; rev:1; metadata:created_at 2014_01_30, updated_at 2017_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Verified by Visa Phish Jan 30 2014"; flow:established,to_server; content:"/vbv.php"; http_uri; fast_pattern; content:"password="; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2018044; rev:5; metadata:created_at 2014_01_30, updated_at 2017_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Visa Phishing Landing Jan 30 2014"; flow:established,to_server; content:"/Verified by Visa"; http_uri; nocase; content:!"Referer|3a| http|3a 2f 2f|www.crdbbank.com"; http_header; nocase; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2018045; rev:5; metadata:created_at 2014_01_30, updated_at 2017_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin"; flow:established,to_server; content:"GET"; http_method; content:".bin"; http_uri; fast_pattern:only; pcre:"/\/[a-z0-9]{1,31}\.bin$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-Language|3a|"; http_header; content:" MSIE "; http_header; content:!"AskTbARS"; http_header; content:!".passport.net|0d 0a|"; http_header; content:!".microsoftonline-p.net|0d 0a|"; http_header; content:!".symantec.com|0d 0a|"; http_header; content:!".qq.com|0d 0a|"; http_header; content:!"kankan.com|0d 0a|"; http_header; content:!"aocdn.net"; http_header; content:!"conf.v.xunlei.com|0d 0a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2018052; rev:7; metadata:created_at 2014_02_01, updated_at 2014_02_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious Redirect 8x8 script tag"; flow:established,from_server; file_data; content:".php?id="; content:"/"; distance:-17; within:1; pcre:"/^[a-z0-9A-Z]*?[A-Z0-9][a-z0-9A-Z]*?\.php\?id=\d{6,9}[\x22\x27]/R"; content:"<script"; nocase; pcre:"/^(?:(?!<\/script>).)*?\ssrc\s*?=\s*?[\x22\x27][^\x22\x27]+?\/[a-z0-9A-Z]{8}\.php\?id=\d{6,9}[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2018053; rev:3; metadata:created_at 2014_02_01, updated_at 2014_02_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible malicious zipped-executable"; flow:established,from_server; file_data; content:"PK|01 02|"; within:4; content:".xla"; nocase; content:"PK|05 06|"; within:52; content:"|01 00 01 00|"; distance:4; within:4; classtype:trojan-activity; sid:2018086; rev:4; metadata:created_at 2014_02_06, updated_at 2016_07_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Flash Exploit CVE-2014-0497"; flow:established,from_server; file_data; content:"makePayloadWin"; reference:url,www.securelist.com/en/blog/8177/CVE_2014_0497_a_0_day_vulnerability; classtype:trojan-activity; sid:2018091; rev:1; metadata:created_at 2014_02_06, updated_at 2014_02_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS TecSystems (Possible Mask) Signed PE EXE Download"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"|55 04 0a|"; content:"|0e|TecSystem Ltd."; distance:1; within:15; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:2018103; rev:2; metadata:created_at 2014_02_10, updated_at 2014_02_10;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EXE Accessing Kaspersky System Driver (Possible Mask)"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"|5c 5c 2e 5c|KLIF"; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:bad-unknown; sid:2018104; rev:3; metadata:created_at 2014_02_10, updated_at 2014_02_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Suspicious Jar name JavaUpdate.jar"; flow:established,to_server; content:"/JavaUpdate.jar"; http_uri; nocase; content:" Java/1."; http_header; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:2018106; rev:2; metadata:created_at 2014_02_10, updated_at 2014_02_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS .PIF File Inside of Zip"; flow:established,from_server; file_data; content:"PK"; within:2; content:".pif"; nocase; fast_pattern; within:500; reference:md5,2e760350a5c692bd94c7c6d1233af72c; classtype:trojan-activity; sid:2018125; rev:5; metadata:created_at 2014_02_12, updated_at 2014_02_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS .CPL File Inside of Zip"; flow:established,from_server; file_data; content:"PK|01 02|"; within:4; content:".cpl"; nocase; fast_pattern; distance:42; within:500; content:"PK|05 06|"; within:52; content:"|01 00 01 00|"; distance:4; within:4; classtype:trojan-activity; sid:2018126; rev:2; metadata:created_at 2014_02_12, updated_at 2014_02_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Goon EK Java JNLP URI Struct Feb 12 2014"; flow:established,to_server; content:"Java/1."; http_header; content:".xml"; http_uri; pcre:"/\/[A-Z]\.xml$/U"; classtype:trojan-activity; sid:2018127; rev:1; metadata:created_at 2014_02_12, updated_at 2014_02_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Current Asprox Spam Campaign 2"; flow:established,to_server; urilen:>60; content:"/handler.php?"; http_uri; fast_pattern:only; pcre:"/\/handler\.php\?[^=]+=[a-zA-Z0-9\x2b\x2f]{43}=$/U"; classtype:trojan-activity; sid:2018135; rev:2; metadata:created_at 2014_02_13, updated_at 2014_02_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic HeapSpray Construct"; flow:established,to_client; file_data; content:"CollectGarbage"; nocase; fast_pattern:only; content:"var"; pcre:"/^\s+?(?P<vname>[^\s\x3d]+)\s*?=\s*?(?:0x(?:(6[4-9a-f]|[7-9a-f])|\d{3,})|\d{3,}).+?[\s\x3b]for\s*?\([^\x3b\)]*?\x3b[^\x3b\)]+?<=?\s*?(?P=vname)[^\)]+?\)\s*?(?:\{[^}]*?|[^\r\n]*?)document\s*\.\s*createElement/Rsi"; classtype:bad-unknown; sid:2018145; rev:4; metadata:created_at 2014_02_14, updated_at 2014_02_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic HeapSpray Construct"; flow:established,to_client; file_data; content:"<script"; nocase; content:"CollectGarbage"; distance:0; fast_pattern; content:"while"; pcre:"/^\s*?\([^\)]*?(?P<var>[^\.]+)\s*?\.\s*?length\s*<\s*(?:0?[0-9]{5,}|0x[a-z0-9]{3,})[^)]+\)\s*?\{\s*?(?P=var)\s*?=\s*?(?P=var)\s*?\+\s*?(?P=var)\s*?\}/Rsi"; content:"getElementsByClassName"; distance:0; content:"CollectGarbage"; distance:0; classtype:bad-unknown; sid:2018146; rev:3; metadata:created_at 2014_02_14, updated_at 2014_02_14;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible GoonEK Landing Feb 19 2014 1"; flow:from_server,established; file_data; content:"javafx_version"; nocase; fast_pattern:only; content:"jnlp_href"; nocase; content:"</applet><object"; nocase; content:"data|3a|application/x-silverlight-2"; nocase; within:100; classtype:trojan-activity; sid:2018161; rev:1; metadata:created_at 2014_02_19, updated_at 2014_02_19;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Malicious Redirect Evernote Spam Campaign Feb 19 2014"; flow:to_server,established; content:"/1.txt"; http_uri; nocase; pcre:"/\/1\.txt$/Ui"; content:"/1.html"; http_header; nocase; pcre:"/Referer\x3a\x20[^\r\n]+?\/1\.html[\x3a\r]/Hi"; classtype:attempted-admin; sid:2018162; rev:2; metadata:created_at 2014_02_19, updated_at 2014_02_19;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS GoonEK Landing Feb 19 2014 2"; flow:from_server,established; file_data; content:"stroke>"; fast_pattern:only; content:!"#default#VML"; content:"eval"; content:"35"; pcre:"/^(?P<sep>((?!100).){1,20})100(?P=sep)101(?P=sep)102(?P=sep)97(?P=sep)117(?P=sep)108(?P=sep)116(?P=sep)35(?P=sep)86(?P=sep)77(?P=sep)76(?P=sep)/Rsi"; classtype:trojan-activity; sid:2018163; rev:2; metadata:created_at 2014_02_19, updated_at 2014_02_19;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Lang Runtime in Response"; flow:from_server,established; file_data; content:!"|CA FE BA BE|"; within:4; content:"getClass"; nocase; content:"java.lang.Runtime"; nocase; fast_pattern:only; content:"getRuntime"; nocase; content:"exec"; nocase; content:"script"; nocase; classtype:bad-unknown; sid:2018172; rev:1; metadata:created_at 2014_02_25, updated_at 2014_02_25;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS XXTEA UTF-16 Encoded HTTP Response"; flow:from_server,established; content:"u|00|t|00|f|00|8|00|t|00|o|00|1|00|6|00|"; nocase; content:"x|00|x|00|t|00|e|00|a|00|_|00|d|00|e|00|c|00|r|00|y|00|p|00|t|00|"; nocase; fast_pattern; content:"b|00|a|00|s|00|e|00|6|00|4|00|d|00|e|00|c|00|o|00|d|00|e"; nocase; classtype:bad-unknown; sid:2018175; rev:2; metadata:created_at 2014_02_25, updated_at 2014_02_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS OnClick Anti-BOT TDS POST Feb 25 2014"; flow:established,to_server; content:"POST"; http_method; content:"/tds/"; http_uri; fast_pattern:only; nocase; pcre:"/\/tds\/[a-f0-9]{32}$/U"; content:"ua="; http_client_body; content:"ip="; http_client_body; classtype:trojan-activity; sid:2018177; rev:4; metadata:created_at 2014_02_25, updated_at 2014_02_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS OnClick Anti-BOT TDS Hidden Form Feb 25 2014"; flow:established,from_server; file_data; content:"<form"; nocase; content:"action"; nocase; distance:0; content:"/tds/"; fast_pattern; distance:0; pcre:"/^[a-f0-9]{32}[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2018178; rev:3; metadata:created_at 2014_02_25, updated_at 2014_02_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscation Technique Used in CVE-2014-0322 Attacks"; flow:established,from_server; file_data; content:"|2f|%u([0-9a-fA-F]{1,4}"; nocase; fast_pattern:only; content:"decode"; nocase; pcre:"/^\s*?\(\s*?key\s*?,\s*?js\s*?/Rsi"; content:"decode"; nocase; pcre:"/^\s*?\(\s*?[^,\s]*?\s*?,\s*?[\x22\x27][a-f0-9]{100}/Rsi"; classtype:trojan-activity; sid:2018179; rev:3; metadata:created_at 2014_02_25, updated_at 2014_02_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible FakeAV .exe.vbe HTTP Content-Disposition"; flow:established,to_client; content:".exe.vbe"; http_header; nocase; fast_pattern:only; pcre:"/Content-Disposition\x3a[^\r\n]*?\.exe\.vbe/Hi"; reference:url,www.malwaresigs.com/2014/02/07/fakeav-is-still-alive/; classtype:trojan-activity; sid:2018190; rev:2; metadata:created_at 2014_02_26, updated_at 2014_02_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS .exe Downloaded from SVN/HTTP on GoogleCode"; flow:established,to_server; content:".googlecode.com"; nocase; http_header; content:"/svn/"; http_uri; nocase; content:".exe"; distance:0; http_uri; nocase; fast_pattern; pcre:"/^Host\x3a[^\r\n]+\.googlecode\.com[\x3a\r]/Hmi"; classtype:trojan-activity; sid:2018191; rev:1; metadata:created_at 2014_02_26, updated_at 2014_02_26;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious Spam Redirection Feb 28 2014"; flow:established,from_server; file_data; content:"Connecting to server...</div></td></tr></table>"; within:500; classtype:trojan-activity; sid:2018196; rev:2; metadata:created_at 2014_02_28, updated_at 2014_02_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Hello/LightsOut EK Secondary Landing"; flow:established,to_server; content:".php?a="; http_uri; fast_pattern:only; content:"&f="; http_uri; content:"&u="; http_uri; pcre:"/\.php\?a=[^&]+&f=[a-f0-9]{32}&u=[^&]+$/I"; reference:url,vrt-blog.snort.org/2014/03/hello-new-exploit-kit.html; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/; classtype:trojan-activity; sid:2018206; rev:1; metadata:created_at 2014_03_04, updated_at 2014_03_04;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS LightsOut EK Exploit/Payload Request"; flow:to_server,established; content:".php?a="; http_uri; fast_pattern:only; nocase; pcre:"/\.php\?a=(?:dw[a-z0-9]|[hr][2-7])$/U"; reference:url,vrt-blog.snort.org/2014/03/hello-new-exploit-kit.html; classtype:trojan-activity; sid:2018207; rev:1; metadata:created_at 2014_03_04, updated_at 2014_03_04;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rawin EK Java fakav.jar"; flow:established,to_server; content:"/fakav.jar"; fast_pattern:only; http_uri; content:"Java/1."; http_header; classtype:trojan-activity; sid:2018209; rev:5; metadata:created_at 2014_03_04, updated_at 2014_03_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SWF filename used in IE 2014-0322 Watering Hole Attacks"; flow:established,to_server; content:"/Tope.swf"; http_uri; classtype:trojan-activity; sid:2018223; rev:2; metadata:created_at 2014_03_04, updated_at 2014_03_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Fiesta Jar with four-letter class names"; flow:established,from_server; file_data; content:"PK"; depth:2; content:".classPK"; pcre:"/(PK\x01\x02.{24}\x0a\x00.{16}[a-z]{4}.class){4}/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2018225; rev:2; metadata:created_at 2014_03_05, updated_at 2014_03_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Neutrino/Fiesta EK SilverLight Exploit March 05 2014 DLL Naming Convention"; flow:established,from_server; file_data; content:"PK|01 02|"; content:"|10 00|"; distance:24; within:2; content:"AppManifest.xaml"; distance:16; within:16; content:"PK|01 02|"; within:36; content:"|08 00|"; distance:24; within:2; pcre:"/^.{16}[a-z]{4}\.dll/Rs"; content:"PK|05 06|"; within:36; content:"|02 00 02 00|"; distance:4; within:4; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2018226; rev:2; metadata:created_at 2014_03_05, updated_at 2017_03_29;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rawin Flash Landing URI Struct March 05 2014"; flow:established,to_server; content:".php?b="; http_uri; content:"&css="; http_uri; pcre:"/\.php\?b=[A-F0-9]{6}&css=[a-z]+$/"; classtype:trojan-activity; sid:2018227; rev:1; metadata:created_at 2014_03_06, updated_at 2014_03_06;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack CVE-2013-2551"; flow:established,from_server; file_data; content:"#default#VML"; content:"stroke"; content:"%66%75%6e%63%74%69%6f%6e"; nocase; content:"%66%72%6f%6d%43%68%61%72%43%6f%64%65"; content:"%63%68%61%72%41%74"; fast_pattern:only; classtype:trojan-activity; sid:2018235; rev:1; metadata:created_at 2014_03_07, updated_at 2014_03_07;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack SilverLight Secondary Landing"; flow:established,from_server; file_data; content:"/x-silverlight-2"; content:"aHR0cDov"; distance:0; pcre:"/^[A-Za-z0-9\+\/]+(?:(?:LmVvdA=|5lb3Q)=|uZW90)[\x22\x27]/Rsi"; content:".eot"; classtype:trojan-activity; sid:2018236; rev:1; metadata:created_at 2014_03_07, updated_at 2014_03_07;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack SilverLight file as eot"; flow:established,from_server; content:"Content-Type|3a 20|application/vnd.ms-fontobject|0d 0a|"; http_header; file_data; content:"PK"; within:2; content:"AppManifest.xaml"; distance:0; fast_pattern; classtype:trojan-activity; sid:2018237; rev:1; metadata:created_at 2014_03_07, updated_at 2014_03_07;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename javadb.php"; flow:established,to_server; content:"/javadb.php"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2018238; rev:3; metadata:created_at 2014_03_07, updated_at 2014_03_07;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename javaim.php"; flow:established,to_server; content:"/javaim.php"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2018239; rev:2; metadata:created_at 2014_03_07, updated_at 2014_03_07;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename javarh.php"; flow:established,to_server; content:"/javarh.php"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2018240; rev:1; metadata:created_at 2014_03_07, updated_at 2014_03_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Gamut Spambot Checkin"; flow:established,to_server; content:"file=SenderClient.conf"; http_uri; nocase; fast_pattern:only; pcre:"/file=SenderClient.conf$/Ui"; content:!"Referer|3a 20|"; flowbits:set,ETGamut; reference:url,blog.spiderlabs.com/2014/03/gamut-spambot-analysis-.html; reference:md5,f00f3f47062646f900aa327b1d5ca3a1; classtype:trojan-activity; sid:2018245; rev:1; metadata:created_at 2014_03_11, updated_at 2014_03_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Gamut Spambot Checkin Response"; flow:established,from_server; file_data; content:"count_threads|09 09 09 3d 09|"; depth:18; fast_pattern; content:"|0a|efficiency_limit|09 09 3d 09|"; distance:1; within:22; flowbits:isset,ETGamut; reference:url,blog.spiderlabs.com/2014/03/gamut-spambot-analysis-.html; reference:md5,f00f3f47062646f900aa327b1d5ca3a1; classtype:trojan-activity; sid:2018246; rev:1; metadata:created_at 2014_03_11, updated_at 2014_03_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Gamut Spambot Checkin 2"; flow:established,to_server; urilen:6; content:"POST"; http_method; content:"/?8080"; http_uri; fast_pattern:only; content:"name=|22|action|22 0d 0a 0d 0a|"; http_client_body; pcre:"/(?:Get(?:Subscription(?:EmailsBlock|Content)|PTR|IP)|Port25(?:Close|Open))\x0d\x0a/P"; content:"name=|22|location|22 0d 0a 0d 0a|"; distance:0; http_client_body; pcre:"/(?:winload(?:32)?|cmms)\x0d\x0a/P"; content:!"Referer|3a 20|"; reference:url,blog.spiderlabs.com/2014/03/gamut-spambot-analysis-.html; reference:md5,f00f3f47062646f900aa327b1d5ca3a1; classtype:trojan-activity; sid:2018257; rev:1; metadata:created_at 2014_03_12, updated_at 2014_03_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK PDF URI Struct March 12 2014"; flow:established,to_server; content:".pdf"; http_uri; fast_pattern:only; pcre:"/^\/1[34]\d{8}\.pdf$/U"; pcre:"/^Referer\x3a\x20http\x3a\/\/[^\r\n\/]+\/(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2018258; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_03_12, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK CVE-2013-2551 URI Struct Nov 26 2013"; flow:established,to_server; content:".htm"; http_uri; fast_pattern:only; pcre:"/^\/1[34]\d{8}\.htm$/U"; pcre:"/^Referer\x3a\x20http\x3a\/\/[^\r\n\/]+\/(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2018259; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_03_12, malware_family Nuclear, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Styx Landing Page Mar 08 2014"; flow:established,from_server; file_data; content:"fromCharCode"; content:"substr"; within:200; content:",2,"; within:20; fast_pattern; content:"-"; distance:2; within:4; pcre:"/^\s*?\d/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2018260; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_03_12, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Page Mar 12 2014"; flow:established,from_server; file_data; content:"/[a-zA-Z]/g|3b|"; fast_pattern; content:"/[0-9]/g|3b|"; content:"|22|f"; pcre:"/^\d+r\d+o\d+m\d/R"; content:"|22|p"; pcre:"/^\d+u\d+s\d+h\d/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2018261; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_03_12, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK IE Exploit CVE-2013-2551 March 12 2014"; flow:from_server,established; file_data; content:"#default#VML"; nocase; fast_pattern:only; content:"stroke"; nocase; content:"visibility"; nocase; content:"hidden"; nocase; distance:0; content:"|22|f"; nocase; pcre:"/^\d+([\x22\x27]\s*?,\s*[\x22\x27])?r\d+([\x22\x27]\s*?,\s*[\x22\x27])?o\d+([\x22\x27]\s*?,\s*[\x22\x27])?m\d+([\x22\x27]\s*?,\s*[\x22\x27])?C\d+([\x22\x27]\s*?,\s*[\x22\x27])?h\d+([\x22\x27]\s*?,\s*[\x22\x27])?a\d+([\x22\x27]\s*?,\s*[\x22\x27])?r\d+([\x22\x27]\s*?,\s*[\x22\x27])?c\d+([\x22\x27]\s*?,\s*[\x22\x27])?o\d+([\x22\x27]\s*?,\s*[\x22\x27])?d\d+([\x22\x27]\s*?,\s*[\x22\x27])?e\d+[\x22\x27]/Ri"; classtype:trojan-activity; sid:2018262; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_03_12, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp any any -> any $HTTP_PORTS (msg:"ET CURRENT_EVENTS Dell Kace backdoor"; flow:established,to_server; content:"POST"; http_method; content:"/kbot_upload.php"; nocase; http_uri; content:"filename=db.php"; nocase; distance:0; http_uri; content:"machineId="; nocase; pcre:"/(?:\.\.\/)+kboxwww\/tmp\//Ri"; content:"KSudoClient.class.php"; nocase; http_client_body; content:"KSudoClient|3a 3a|RunCommand"; distance:0; http_client_body; reference:url,console-cowboys.blogspot.com/2014/03/the-curious-case-of-ninjamonkeypiratela.html; classtype:attempted-admin; sid:2018263; rev:1; metadata:created_at 2014_03_12, updated_at 2014_03_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EMET.DLL in jjencode"; flow:established,from_server; file_data; content:"|22 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 22|+"; pcre:"/^(?P<var>.{1,10})\.\_\_\$\+(?P=var)\.\_\_\_\+(?P=var)\.\$\_\$\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\$\+(?P=var)\.\$\_\$\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\_\+(?P=var)\.\$\_\$\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\$\_\+(?P=var)\.\$\_\_\+\x22\.\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\_\+(?P=var)\.\$\_\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\$\+(?P=var)\.\$\_\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\$\+(?P=var)\.\$\_\_\+\x22/R"; classtype:trojan-activity; sid:2018286; rev:2; metadata:created_at 2014_03_17, updated_at 2014_03_17;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Joomla 3.2.1 SQL injection attempt"; flow:established,to_server; content:"weblinks-categories?"; nocase; fast_pattern; http_uri; content:"id="; nocase; distance:0; http_uri; content:"select password"; nocase; http_uri; distance:0; reference:url,www.exploit-db.com/exploits/31459/; classtype:web-application-attack; sid:2018288; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2014_03_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Joomla 3.2.1 SQL injection attempt 2"; flow:established,to_server; content:"weblinks-categories?"; nocase; fast_pattern; http_uri; content:"id="; nocase; distance:0; http_uri; pcre:"/id\=[^\r\n]*?(?:select|delete|union|update|insert)/Ui"; reference:url,www.exploit-db.com/exploits/31459/; classtype:web-application-attack; sid:2018289; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2014_03_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS GoonEK encrypted binary (3) "; flow:established,to_client; file_data; content:"|89 b4 f4 6a 24 1f 46 14|"; depth:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2018297; rev:1; metadata:created_at 2014_03_20, updated_at 2014_03_20;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS GoonEK Landing Mar 20 2014"; flow:established,from_server; file_data; content:"jnlp_href"; nocase; fast_pattern:only; content:"application/x-silverlight-2"; nocase; content:"value"; pcre:"/^\s*?=\s*?[\x22\x27][^\x22\x27\x3d]{1,20}=[a-zA-z0-9\/\+]{10}/R"; content:"d27cdb6e-ae6d-11cf-96b8-444553540000"; nocase; content:"value"; pcre:"/^\s*?=\s*?[\x22\x27][^\x22\x27\x3d]{1,20}=[a-f0-9]{20}/R"; classtype:trojan-activity; sid:2018298; rev:2; metadata:created_at 2014_03_20, updated_at 2014_03_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible iTunes Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<TITLE>iTunes Connect</TITLE>"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2018303; rev:2; metadata:created_at 2014_03_21, updated_at 2017_06_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful iTunes Phish Mar 21 2014"; flow:established,to_server; content:"theAccountName="; http_client_body; content:"theAccountPW="; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2018304; rev:5; metadata:created_at 2014_03_21, updated_at 2017_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful iTunes Phish Mar 21 2014"; flow:established,to_server; content:"POST"; http_method; content:"fname="; http_client_body; content:"lname="; http_client_body; content:"hnum="; http_client_body; content:"snam="; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2018305; rev:4; metadata:created_at 2014_03_21, updated_at 2017_10_12;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET CURRENT_EVENTS Possible CVE-2014-1761 Inbound SMTP 1"; flow:from_client,established; content:"XGxpc3RvdmVycmlkZWNvdW50"; isdataat:2,relative; pcre:"/^\s*/Rs"; content:!"MQ"; within:2; content:!"MV"; within:2; content:!"MT"; within:2; content:!"MH"; within:2; content:!"MF"; within:2; content:!"ME"; within:2; content:!"OQ"; within:2; content:!"OX"; within:2; content:!"MA"; within:2; content:!"MS"; within:2; content:!"MX"; within:2; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018314; rev:8; metadata:created_at 2014_03_24, updated_at 2014_03_24;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET CURRENT_EVENTS Possible CVE-2014-1761 Inbound SMTP 2"; flow:from_client,established; content:"xsaXN0b3ZlcnJpZGVjb3Vud"; isdataat:2,relative; pcre:"/^\s*/Rs"; content:!"DE"; within:2; content:!"DF"; within:2; content:!"Dk"; within:2; content:!"Dl"; within:2; content:!"DA"; within:2; content:!"DB"; within:2; content:!"DV"; within:2; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018308; rev:7; metadata:created_at 2014_03_24, updated_at 2014_03_24;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET CURRENT_EVENTS Possible CVE-2014-1761 Inbound SMTP 3"; flow:from_client,established; content:"cbGlzdG92ZXJyaWRlY291bn"; isdataat:2,relative; pcre:"/^\s*/Rs"; content:!"Qx"; within:2; content:!"Q5"; within:2; content:!"Qw"; within:2; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018309; rev:5; metadata:created_at 2014_03_24, updated_at 2014_03_24;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET CURRENT_EVENTS Possible CVE-2014-1761 Inbound SMTP 4"; flow:from_client,established; content:"x1LTU1N"; fast_pattern; pcre:"/^(?:.*?(?:XHUtNTU0|cdS01NT|x1LTU1N)){5}/Rs"; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018310; rev:5; metadata:created_at 2014_03_24, updated_at 2014_03_24;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET CURRENT_EVENTS Possible CVE-2014-1761 Inbound SMTP 5"; flow:from_client,established; content:"XHUtNTU0"; fast_pattern; pcre:"/^(?:.*?(?:XHUtNTU0|cdS01NT|x1LTU1N)){7}/Rs"; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018311; rev:4; metadata:created_at 2014_03_24, updated_at 2014_03_24;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET CURRENT_EVENTS Possible CVE-2014-1761 Inbound SMTP 6"; flow:from_client,established; content:"cdS01NT"; fast_pattern; pcre:"/^(?:.*?(?:XHUtNTU0|cdS01NT|x1LTU1N)){7}/Rs"; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018312; rev:4; metadata:created_at 2014_03_24, updated_at 2014_03_24;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Upatre SSL Compromised site trudeausociety"; flow:established,to_client; content:"|12|trudeausociety.com"; fast_pattern:only; classtype:trojan-activity; sid:2018319; rev:1; metadata:created_at 2014_03_25, updated_at 2014_03_25;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Captcha Malware C2 SSL Certificate"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|Mojolicious"; distance:1; within:17; content:"|55 04 0a|"; distance:0; content:"|0b|Mojolicious"; distance:1; within:17; reference:url,community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/03/25/captcha-protected-malware-downloader; classtype:trojan-activity; sid:2018322; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_03_26, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Possible CritX/SafePack/FlashPack IE Exploit"; flow:established,from_server; file_data; content:"6f"; fast_pattern; nocase; content:"6c"; within:12; nocase; content:"43"; distance:-26; within:26; content:!"|22|"; within:14; content:!"|27|"; within:14; pcre:"/^(?P<sep>[^\x22\x27]{0,10})6f(?P=sep)6c(?P=sep)6c(?P=sep)65(?P=sep)63(?P=sep)74(?P=sep)47(?P=sep)61(?P=sep)72(?P=sep)62(?P=sep)61(?P=sep)67(?P=sep)65(?P=sep)/Rsi"; classtype:trojan-activity; sid:2018330; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_03_27, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Payload Filename Used in Various 2014-0322 Attacks"; flow:established,to_server; content:"/Erido.jpg"; nocase; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2018329; rev:1; metadata:created_at 2014_03_27, updated_at 2014_03_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Goon/Infinity EK Landing Mar 31 2014"; flow:established,to_client; file_data; content:".text+=String.fromCharCode"; content:"35"; pcre:"/^[^\d]{1,20}100[^\d]{1,20}101[^\d]{1,20}102[^\d]{1,20}97[^\d]{1,20}117[^\d]{1,20}108[^\d]{1,20}116[^\d]{1,20}35[^\d]{1,20}86[^\d]{1,20}77[^\d]{1,20}76/Rsi"; classtype:trojan-activity; sid:2018337; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_03_31, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Goon/Infinity EK Landing Mar 31 2014"; flow:established,to_client; file_data; content:"117"; fast_pattern; content:"108"; within:24; content:"116"; within:24; content:"35"; pcre:"/^[^\d](?:.{0,20}[^\d])?100[^\d](?:.{0,20}[^\d])?101[^\d](?:.{0,20}[^\d])?102[^\d](?:.{0,20}[^\d])?97[^\d](?:.{0,20}[^\d])?117[^\d](?:.{1,20}[^\d])?108[^\d](?:.{0,20}[^\d])?116[^\d](?:.{0,20}[^\d])?35[^\d](?:[^\d].{0,20}[^\d])?86[^\d](?:.{0,20}[^\d])?77[^\d](?:.{0,20}[^\d])?76[^\d]/Rsi"; classtype:trojan-activity; sid:2018342; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_04_01, updated_at 2016_07_01;)

alert tcp any any -> any 5000 (msg:"ET CURRENT_EVENTS Hikvision DVR  attempted Synology Recon Scan"; flow:established,to_server; content:"GET /webman/info.cgi?host= HTTP/1."; depth:34; reference:url,isc.sans.edu/forums/diary/More+Device+Malware+This+is+why+your+DVR+attacked+my+Synology+Disk+Station+and+now+with+Bitcoin+Miner/17879; classtype:trojan-activity; sid:2018343; rev:1; metadata:created_at 2014_04_01, updated_at 2014_04_01;)

alert tcp any any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Hikvision DVR Synology Recon Scan Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/k.php?h="; http_uri; depth:9; content:"User-Agent|3a  20|ballsack"; http_header; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:url,isc.sans.edu/forums/diary/More+Device+Malware+This+is+why+your+DVR+attacked+my+Synology+Disk+Station+and+now+with+Bitcoin+Miner/17879; classtype:trojan-activity; sid:2018344; rev:1; metadata:created_at 2014_04_01, updated_at 2014_04_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Deep Panda WateringHole Related URI Struct"; flow:established,to_server; content:".php?v=webhp"; fast_pattern:only; http_uri; nocase; classtype:trojan-activity; sid:2018348; rev:2; metadata:created_at 2014_04_01, updated_at 2014_04_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Upatre SSL Compromised site potpourriflowers"; flow:established,to_client; content:"|55 04 03|"; content:"|1a|www.potpourriflowers.co.uk"; distance:1; within:27; nocase; classtype:trojan-activity; sid:2018350; rev:2; metadata:created_at 2014_04_03, updated_at 2014_04_03;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Upatre SSL Compromised site kionic"; flow:established,to_client; content:"|55 04 03|"; content:"|0a|kionic.com"; distance:1; within:11; nocase; reference:url,blog.malwaremustdie.org/2014/04/upatre-downloading-gmo-is-back-to-ssl.html; classtype:trojan-activity; sid:2018351; rev:2; metadata:created_at 2014_04_03, updated_at 2014_04_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible FakeAV binary download (setup)"; content:"GET"; http_method; content:"index.php?key="; http_uri; content:"&key2=download"; http_uri; classtype:trojan-activity; sid:2018352; rev:1; metadata:created_at 2014_04_03, updated_at 2014_04_03;)

alert tcp $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS Win32.RBrute Scan (Outgoing)"; flow:to_server,established; urilen:1; content:"/"; http_uri; content:"User-Agent|3a 20|Microsoft-WebDAV-MiniRedir/5.1.2600|0d 0a|"; http_header; content:"Referer|3a 20|http|3a|//"; pcre:"/^Host\x3a (?P<ipaddr>\b([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\b).*Referer\x3a http\x3a\/\/(?P=ipaddr)\//Hs"; reference:md5,f8ff430aee52da3b4b1759700be9aead; reference:url,www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/; classtype:attempted-recon; sid:2018353; rev:2; metadata:created_at 2014_04_03, updated_at 2014_04_03;)

alert tcp $EXTERNAL_NET any -> any any (msg:"ET CURRENT_EVENTS Win32.RBrute Scan (incoming)"; flow:to_server,established; urilen:1; content:"/"; http_uri; content:"User-Agent|3a 20|Microsoft-WebDAV-MiniRedir/5.1.2600|0d 0a|"; http_header; content:"Referer|3a 20|http|3a|//"; pcre:"/^Host\x3a (?P<ipaddr>\b([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\b).*Referer\x3a http\x3a\/\/(?P=ipaddr)\//Hs"; reference:md5,f8ff430aee52da3b4b1759700be9aead; reference:url,www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/; classtype:attempted-recon; sid:2018354; rev:2; metadata:created_at 2014_04_03, updated_at 2014_04_03;)

alert tcp any any -> any 80 (msg:"ET CURRENT_EVENTS Win32.RBrute http server request"; flow:to_server,established; content:"User-Agent|3a 20|BlackBerry9000/5.0.0.93 Profile/MIDP-2.0 Configuration/CLDC-2.1 VendorID/831|0d 0a|"; http_header; fast_pattern; nocase; flowbits:set,ET.Rbrute.incoming; reference:md5,f8ff430aee52da3b4b1759700be9aead; reference:url,www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/; classtype:trojan-activity; sid:2018355; rev:3; metadata:created_at 2014_04_03, updated_at 2014_04_03;)

alert tcp any 80 -> any any (msg:"ET CURRENT_EVENTS Win32.RBrute http response"; flow:to_client,established; file_data; content:"<html>kenji oke</html>|0d 0a|"; depth:24; flowbits:isset,ET.Rbrute.incoming; reference:md5,055a9be75e469f8817c9311390a449f6; reference:url,www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/; classtype:trojan-activity; sid:2018356; rev:2; metadata:created_at 2014_04_03, updated_at 2014_04_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS EvilTDS Redirection"; flow:established,to_server; content:"/zyso.cgi?"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2018357; rev:9; metadata:created_at 2014_04_03, updated_at 2014_04_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF Struct"; flow:established,to_server; content:"/13"; http_uri; fast_pattern:only; content:".swf"; http_uri; pcre:"/\/13[89]\d{7}.swf$/U"; flowbits:set,et.Nuclear.SWF; flowbits:noalert; classtype:trojan-activity; sid:2018360; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_04_04, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF Struct"; flow:established,to_server; content:"/14"; fast_pattern:only; http_uri; pcre:"/\/14\d{8}(?:\.swf)?$/U"; flowbits:set,et.Nuclear.SWF; flowbits:noalert; classtype:trojan-activity; sid:2018361; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_04_04, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF"; flow:established,from_server; flowbits:isset,et.Nuclear.SWF; content:"Content-Disposition|3a|"; http_header; content:".swf"; http_header; content:"X-Powered-By|3a|"; http_header; pcre:"/^Content-Disposition\x3a[^\r\n]+\.swf/Hm"; content:"ZWS"; classtype:trojan-activity; sid:2018362; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_04_04, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK PDF"; flow:established,from_server; file_data; content:"13 0 obj"; pcre:"/^\s*?<<\s*?\/[A-Z0-9a-z]+\([A-Z0-9a-z]+\)\s*?/Rs"; content:"/XFA[(config)17 0 R] /Fields [14 0 R]|0d 0a|>>"; classtype:trojan-activity; sid:2018363; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_04_04, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS OVH Shared Host SSL Certificate (Observed In Use by Some Trojans)"; flow:established,to_client; content:"|55 04 03|"; byte_test:1,>,11,1,relative; byte_test:1,<,14,1,relative; content:"ssl"; distance:2; within:3; pcre:"/^\d{1,2}/R"; content:".ovh.net"; within:8; reference:url,help.ovh.co.uk/SslOnHosting; reference:md5,63079a2471fc18323f355ec28f36303c; reference:md5,20b1c30ef1f5dae656529b277e5b73fb; classtype:bad-unknown; sid:2018364; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_04_04, updated_at 2016_07_01;)

alert tcp any any -> $HOME_NET !$HTTP_PORTS (msg:"ET CURRENT_EVENTS Malformed HeartBeat Request"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; content:"|01|"; offset:5; depth:1; byte_extract:2,3,record_len; byte_test:2,>,2,3; byte_test:2,>,record_len,6; threshold:type limit,track by_src,count 1,seconds 120; flowbits:set,ET.MalformedTLSHB; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018372; rev:2; metadata:created_at 2014_04_08, updated_at 2014_04_08;)

alert tcp $HOME_NET !$HTTP_PORTS -> any any (msg:"ET CURRENT_EVENTS Malformed HeartBeat Response"; flow:established,from_server; flowbits:isset,ET.MalformedTLSHB; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,200,3; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018373; rev:3; metadata:created_at 2014_04_08, updated_at 2014_04_08;)

alert tcp any any -> $HOME_NET !$HTTP_PORTS (msg:"ET CURRENT_EVENTS Malformed HeartBeat Request method 2"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; content:"|01|"; offset:5; depth:1; byte_test:2,>,2,3; byte_test:2,>,200,6; threshold:type limit,track by_src,count 1,seconds 120; flowbits:set,ET.MalformedTLSHB; flowbits:noalert; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018374; rev:2; metadata:created_at 2014_04_08, updated_at 2014_04_08;)

alert tcp any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS TLS HeartBeat Request (Client Initiated) fb set"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isnotset,ET.HB.Response.CI; flowbits:set,ET.HB.Request.CI; flowbits:noalert; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018376; rev:4; metadata:created_at 2014_04_09, updated_at 2014_04_09;)

alert tcp any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS TLS HeartBeat Request (Server Initiated) fb set"; flow:established,from_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isnotset,ET.HB.Response.SI; flowbits:set,ET.HB.Request.SI; flowbits:noalert; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018375; rev:3; metadata:created_at 2014_04_09, updated_at 2014_04_09;)

alert tcp $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Client Init Vuln Server)"; flow:established,to_client; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isset,ET.HB.Request.CI; flowbits:isnotset,ET.HB.Response.CI; flowbits:set,ET.HB.Response.CI; flowbits:unset,ET.HB.Request.CI; byte_test:2,>,150,3; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018377; rev:3; metadata:created_at 2014_04_09, updated_at 2014_04_09;)

alert tcp $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Server Init Vuln Client)"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isset,ET.HB.Request.SI; flowbits:isnotset,ET.HB.Response.SI; flowbits:set,ET.HB.Response.SI; flowbits:unset,ET.HB.Request.SI; byte_test:2,>,150,3; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018378; rev:4; metadata:created_at 2014_04_09, updated_at 2014_04_09;)

alert tcp $HOME_NET [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response from Common SSL Port (Outbound from Server)"; flow:established,to_client; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,150,3; byte_test:2,<,17000,3; threshold:type limit,track by_dst,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018382; rev:8; metadata:created_at 2014_04_11, updated_at 2014_04_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response from Common SSL Port (Outbound from Client)"; flow:established,from_client; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,150,3; byte_test:2,<,17000,3; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018383; rev:8; metadata:created_at 2014_04_11, updated_at 2014_04_11;)

alert tcp any any -> $HOME_NET [443,636,989,990,992,993,994,995,5061,25] (msg:"ET CURRENT_EVENTS Possible TLS HeartBleed Unencrypted Request Method 4 (Inbound to Common SSL Port)"; flow:established,to_server; content:"|18 03|"; byte_test:1,<,4,0,relative; content:"|00 03 01|"; distance:1; within:3; byte_test:2,>,150,0,relative; isdataat:!18,relative; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018388; rev:2; metadata:created_at 2014_04_14, updated_at 2014_04_14;)

alert tcp any any -> $HOME_NET [443,636,989,990,992,993,994,995,5061,25] (msg:"ET CURRENT_EVENTS Possible TLS HeartBleed Unencrypted Request Method 3 (Inbound to Common SSL Port)"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,0,relative; content:!"|00 03|"; distance:1; within:2; byte_extract:2,1,rec_len,relative; content:"|01|"; within:1; byte_test:2,>,150,0,relative; byte_test:2,>,rec_len,0,relative; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018389; rev:3; metadata:created_at 2014_04_14, updated_at 2014_04_14;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS BrowseTor .onion Proxy Service SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|*.browsetor.com"; nocase; distance:1; within:16; classtype:bad-unknown; sid:2018396; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_04_16, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Possible Goon/Infinity/Magnitude EK SilverLight Exploit"; flow:established,to_server; content:".xap"; nocase; fast_pattern:only; http_uri; pcre:"/\/\d{2,}\.xap$/Ui"; classtype:trojan-activity; sid:2018402; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_04_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY EL8 EK Landing"; flow:established,from_server; file_data; content:"lady8vhc"; nocase; fast_pattern:only; content:"eval(function("; classtype:trojan-activity; sid:2018405; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_04_21, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fiesta URI Struct"; flow:established,to_server; urilen:>64; content:"|3b|"; http_uri; offset:63; fast_pattern; content:!"="; http_uri; content:!"&"; http_uri; pcre:"/^\/[^\x2f]+?\/\??[a-f0-9]{60,66}(?:\x3b\d+){1,4}$/U"; flowbits:set,ET.Fiesta.Exploit.URI; classtype:trojan-activity; sid:2018407; rev:9; metadata:created_at 2014_04_22, updated_at 2014_04_22;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta PDF Exploit Download"; flow:established,from_server; flowbits:isset,ET.Fiesta.Exploit.URI; file_data; content:"%PDF"; within:1024; classtype:trojan-activity; sid:2018408; rev:1; metadata:created_at 2014_04_22, updated_at 2014_04_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta SilverLight Exploit Download"; flow:established,from_server; flowbits:isset,ET.Fiesta.Exploit.URI; file_data; content:"AppManifest.xaml"; nocase; classtype:trojan-activity; sid:2018409; rev:1; metadata:created_at 2014_04_22, updated_at 2014_04_22;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta Flash Exploit Download"; flow:established,from_server; flowbits:isset,ET.Fiesta.Exploit.URI; file_data; content:"ZWS"; within:3; classtype:trojan-activity; sid:2018410; rev:1; metadata:created_at 2014_04_22, updated_at 2014_04_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta Flash Exploit Download"; flow:established,from_server; flowbits:isset,ET.Fiesta.Exploit.URI; file_data; content:"CWS"; within:3; classtype:trojan-activity; sid:2018411; rev:1; metadata:created_at 2014_04_22, updated_at 2014_04_22;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible W32/Zbot.InfoStealer SSL Cert Parallels.com"; flow:established,to_client; content:"|16 03 01|"; depth:3; content:"|16 03 01|"; distance:0; content:"|52 14 cb 90|"; distance:0; content:"|12|info@parallels.com"; distance:0; reference:md5,19e17898e99af83e5fff9c3bad553bb2; classtype:trojan-activity; sid:2018418; rev:5; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_04_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Crystalize Filter in Uncompressed Flash"; flow:from_server,established; flowbits:isset,HTTP.UncompressedFlash; file_data; content:"Crystallize -filter"; content:"|41 41 41 41|"; distance:0; reference:url,www.securelist.com/en/blog/8212/New_Flash_Player_0_day_CVE_2014_0515_used_in_watering_hole_attacks; classtype:trojan-activity; sid:2018428; rev:1; metadata:created_at 2014_04_28, updated_at 2014_04_28;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Common Bad Actor Indicators Used in Various Targeted 0-day Attacks"; flow:from_server,established; file_data; content:"dword2data"; fast_pattern; pcre:"/^\s*?\(/Rs"; content:"function"; pcre:"/^\s*?fun\s*?\(/Rs"; content:"CollectGarbage"; reference:cve,2014-0322; reference:cve,2014-1776; classtype:trojan-activity; sid:2018439; rev:3; metadata:created_at 2014_04_30, updated_at 2014_04_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Goon/Infinity EK Landing May 05 2014"; flow:from_server,established; file_data; content:"#default#VML"; nocase; fast_pattern:only; content:"/*"; pcre:"/^\d+?\*\/\s*?(?P<vname>[^\s\(\x3b]{1,20})\s*?\([^\)]+\)\s*?(?:\/\*\d+?\*\/\s*?)?\x3b\s*?(?:\/\*\d+?\*\/)?(?P=vname)\s*?(?:\/\*\d+?\*\/\s*?)?\([^\)]+\)\s*?(?:\/\*\d+?\*\/\s*?)?\x3b\s*?(?:\/\*\d+?\*\/)?(?P=vname)/Rs"; classtype:trojan-activity; sid:2018440; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_05_02, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Goon/Infinity URI Struct EK Landing May 05 2014"; flow:established,to_server; content:".php?req="; nocase; http_uri; fast_pattern; content:"&PHPSSESID="; http_uri; pcre:"/\.php\?req=(?:swf(?:IE)?|x(?:ap|ml)|jar|mp3)&/Ui"; classtype:trojan-activity; sid:2018441; rev:9; metadata:created_at 2014_05_02, updated_at 2014_05_02;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS 32-byte by 32-byte PHP EK Gate with HTTP POST"; flow:established,to_server; urilen:72; content:"POST"; http_method; content:".php?q="; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{32}\.php\?q=[a-f0-9]{32}$/U"; classtype:trojan-activity; sid:2018442; rev:2; metadata:created_at 2014_05_02, updated_at 2014_05_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing May 05 2014"; flow:from_server,established; content:"|0d 0a|Vary|3a 20|Accept-Encoding,User-Agent"; http_header; content:"|0d 0a|X-Powered-By|3a 20|PHP"; http_header; file_data; content:"|ef bb bf 3c 68 74 6d 6c 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 23|"; within:27; fast_pattern; pcre:"/^[a-f0-9]{6}\x22>\r\n(?:<(?P<tag>[^>]{1,10})>[A-Za-z0-9]+?<\/(?P=tag)>\r\n){0,10}\r\n<script>(?:var [a-zA-Z0-9]{1,20}\x3b){1,20}[a-zA-Z0-9]{1,20}\s*?=/R"; classtype:trojan-activity; sid:2018451; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_05_05, malware_family Nuclear, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Malvertising Redirect URI Struct"; flow:established,to_server; content:"/assets/js/jquery-"; depth:18; http_uri; fast_pattern; content:"min.js?ver="; http_uri; distance:0; pcre:"/^\/assets\/js\/jquery-[0-9]\.[0-9]\.[0-9]\.min\.js\?ver=[0-9]+\.[0-9]+\.[0-9]+$/U"; classtype:trojan-activity; sid:2018454; rev:5; metadata:created_at 2014_05_07, updated_at 2014_05_07;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Compromised site iclasshd.net"; flow:established,to_client; content:"|55 04 03|"; content:"|0c|iclasshd.net"; distance:1; within:14; nocase; reference:md5,abe131828ce5beae41ef341238016547; classtype:trojan-activity; sid:2018460; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_05_09, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Compromised site sabzevarsez.com"; flow:established,to_client; content:"|55 04 03|"; content:"|13|www.sabzevarsez.com"; distance:1; within:21; nocase; reference:md5,36cf205b39bd27b6dc981dd0da8a311a; classtype:trojan-activity; sid:2018461; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_05_09, malware_family Upatre, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY FlashPack 2013-2551 May 13 2014"; flow:from_server,established; file_data; content:"#default#VML"; nocase; fast_pattern:only; content:"|3a|stroke"; nocase; content:"|3a|oval"; nocase; content:"66"; pcre:"/^(?P<sep>[^\x22\x27]{0,10})75(?P=sep)6e(?P=sep)63(?P=sep)74(?P=sep)69(?P=sep)6f(?P=sep)6e(?P=sep)20/Rsi"; classtype:trojan-activity; sid:2018469; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_05_14, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY FlashPack Flash Exploit flash2013.php"; flow:established,to_server; content:"/flash2013.php"; http_uri; nocase; classtype:trojan-activity; sid:2018470; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_05_14, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY FlashPack Flash Exploit flash2014.php"; flow:established,to_server; content:"/flash2014.php"; http_uri; nocase; classtype:trojan-activity; sid:2018471; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_05_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY FlashPack Plugin-Detect May 13 2014"; flow:from_server,established; file_data; content:"javarhino"; fast_pattern; nocase; pcre:"/^[\x22\x27]/R"; content:"javaimage"; pcre:"/^[\x22\x27]/R"; content:"javadb"; pcre:"/^[\x22\x27]/R"; content:"getVersion"; content:"SilverLight"; classtype:trojan-activity; sid:2018472; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_05_14, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Compromised site dfsdirect.ca"; flow:established,to_client; content:"|55 04 03|"; content:"|0c|dfsdirect.ca"; distance:1; within:14; nocase; reference:md5,fe56b5a28eac390aa8cfb1402360958b; classtype:trojan-activity; sid:2018480; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_05_16, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET CURRENT_EVENTS .gadget Email Attachment - Possible Upatre"; flow:established,to_server; content:"Content-Type|3a| application/zip|3b|"; nocase; content:".gadget|22|"; distance:7; within:30; nocase; pcre:"/name=\x22[a-z0-9\-_\.\s]{0,25}\.gadget\x22/i"; reference:url,pastebin.com/5eNDazpL; classtype:trojan-activity; sid:2018490; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_05_20, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sweet Orange WxH redirection"; flow:established,to_server; urilen:23<>50; content:"x"; http_uri; depth:4; offset:2; content:".php?"; fast_pattern; http_uri; content:"="; http_uri; within:3; pcre:"/^\/[0-9]{2,3}x[0-9]{2,3}\/[a-z]+\.php\?[a-z]{2}=[0-9a-z]+$/U"; classtype:trojan-activity; sid:2018493; rev:3; metadata:created_at 2014_05_20, updated_at 2014_05_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Malicious Plugin Detect URI struct"; flow:established,to_server; content:"v_ja="; http_uri; nocase; fast_pattern:only; content:"v_f="; http_uri; nocase; content:"v_m="; http_uri; nocase; content:"v_s="; http_uri; nocase; content:"v_a="; http_uri; nocase; content:"v_q="; http_uri; nocase; content:"js="; nocase; http_uri; content:"ref="; http_uri; nocase; pcre:"/[&?]v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=/Ui"; classtype:trojan-activity; sid:2018920; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_05_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit Various Java Exploit Common Class name"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PayloadX.class"; nocase; fast_pattern:only; classtype:attempted-user; sid:2018500; rev:5; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2014_05_27, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Gongda EK Secondary Landing"; flow:established,from_server; file_data; content:"fdsaw[fwegg]"; nocase; pcre:"/^\s*?=\s*?window\.document\.createElement/Rsi"; classtype:trojan-activity; sid:2018501; rev:1; metadata:created_at 2014_05_27, updated_at 2014_05_27;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Gongda EK Landing 1"; flow:established,from_server; file_data; content:"{var bmw=[263,275,275,271,217,206,206,262,256,274,269,260,274,205,258,270,268,217,215,207,210,206,207,207,208,205,260,279,159,260]"; classtype:trojan-activity; sid:2018502; rev:1; metadata:created_at 2014_05_27, updated_at 2014_05_27;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Gongda EK Landing 2"; flow:established,from_server; file_data; content:"function(/*jsckvip*/p,/*jsckvip*/a,/*jsckvip*/c,k,/*jsckvip*/e,/*jsckvip*/d/*jsckvip*/)"; classtype:trojan-activity; sid:2018503; rev:1; metadata:created_at 2014_05_27, updated_at 2014_05_27;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Injected Redirect June 02 2014"; flow:established,to_client; file_data; content:"s.src"; content:"+Math.random()|3b|document.body.appendChild(s)|3b|"; distance:0; classtype:trojan-activity; sid:2018514; rev:1; metadata:created_at 2014_06_02, updated_at 2014_06_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CottonCastle EK URI Struct"; flow:established,to_server; content:"/3/"; http_uri; fast_pattern:only;  pcre:"/\/3\/(?:M[ABCDFGHIJKMOPSTUZ]|E[ABDEGIJKMNPRSVY]|R[ABCEFGHIKLMNPST]|G[ABCEGKMNPSTUV]|A[BCGLMNPQSUVZ]|O[ABCDFIJMNRST]|S[ABEGILMPRSUW]|T[ABEGHILMPSTY]|N[BCGHIKMPSTV]|I[ABCFGKLNSV]|L[ABCGIMNPST]|W[ABCGKMPRTZ]|Z[ABCDKMNSTU]|F[ABCGMNPTW]|H[BCEGKMPST]|K[CDFHLMPST]|U[ACGHLMNRV]|Y[BCGKLMPSU]|C[CELMNSTV]|D[ABCGIMST]|V[BCLMST]|J[BDFST]|P[GJKMN]|Q[ABGIM]|B[BGLS]|X[ACMS])\/[a-f0-9]{32}(?:\.[^\x2f]+|\/\d+\.\d+\.\d+\.\d+\/?)?$/U"; classtype:trojan-activity; sid:2018534; rev:2; metadata:created_at 2014_06_05, updated_at 2014_06_05;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle EK Landing June 05 2014"; flow:established,from_server; content:"lrtCfdP.FDP,FDP.FDPorcA"; fast_pattern:only; content:"reverse"; classtype:trojan-activity; sid:2018535; rev:3; metadata:created_at 2014_06_05, updated_at 2014_06_05;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CottonCastle EK Landing EK Struct"; flow:established,to_server; content:"/3/"; http_uri; fast_pattern:only; content:"/http|3a|/"; http_uri; pcre:"/\/3\/[a-f0-9]{32}\/http\x3a\x2f/U"; classtype:trojan-activity; sid:2018536; rev:2; metadata:created_at 2014_06_05, updated_at 2014_06_05;)

alert tcp $EXTERNAL_NET [443,$HTTP_PORTS] -> $HOME_NET any (msg:"ET CURRENT_EVENTS tor2www .onion Proxy SSL cert"; flow:established,from_server; content:"|55 04 03|"; content:"*.tor2www."; nocase; distance:2; within:10; classtype:trojan-activity; sid:2018538; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_06_06, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET [443,$HTTP_PORTS] -> $HOME_NET any (msg:"ET CURRENT_EVENTS TorExplorer Certificate - Potentially Linked To W32/Cryptowall.Ransomware"; flow:established,to_client; content:"|55 04 03|"; content:"torexplorer.com"; distance:0; reference:url,www.malware-traffic-analysis.net/2014/05/28/index.html; classtype:trojan-activity; sid:2018539; rev:1; metadata:created_at 2014_06_06, updated_at 2014_06_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY FlashPack Flash Exploit flash0515.php"; flow:established,to_server; content:"/flash0515.php"; fast_pattern:only; http_uri; nocase; classtype:trojan-activity; sid:2018540; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_06_06, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS PlugX/Destory HTTP traffic"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a|X-Sn|3a 20|"; fast_pattern; content:"|0d 0a|X-Session|3a 20|"; content:"|0d 0a|X-Status|3a 20|"; content:"|0d 0a|X-Size|3a 20|"; reference:url,circl.lu/pub/tr-24/; classtype:trojan-activity; sid:2018541; rev:1; metadata:created_at 2014_06_06, updated_at 2014_06_06;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert"; flow:established,to_client; content:"|55 04 03|"; content:"|1e|static-182-18-143-140.ctrls.in"; distance:1; within:31; reference:md5,b4d63a1178027f64c4c868181437284d; classtype:trojan-activity; sid:2018542; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_06_06, malware_family Upatre, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Neverquest/Vawtrak Posting Data"; flow:established,to_server; content:"POST"; http_method; content:"/viewforum.php?f="; http_uri; fast_pattern:only; pcre:"/\/viewforum\.php\?f=\d+&sid=[A-F0-9]{32}$/U"; content:!"Referer|3a|"; http_header; content:"Content-Type|3a 20|application/octet-stream"; http_header; metadata: former_category CURRENT_EVENTS; reference:md5,0400671fd3804fbf3fd1d6cf707bced4; reference:md5,1dfaeb7b985d2ba039cd158f63b8ae54; classtype:trojan-activity; sid:2018543; rev:2; metadata:created_at 2014_06_06, updated_at 2017_05_31;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle EK Landing June 05 2014 2"; flow:established,from_server; content:"hsalFevawkcohS.hsalFevawkcohS"; content:"reverse"; classtype:trojan-activity; sid:2018544; rev:1; metadata:created_at 2014_06_09, updated_at 2014_06_09;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle EK Jar Download Method 2"; flow:established,from_server; content:"Content-Type|3a 20|application/octed-stream"; http_header; fast_pattern:18,20; flowbits:isset,ET.http.javaclient; classtype:trojan-activity; sid:2018545; rev:2; metadata:created_at 2014_06_09, updated_at 2014_06_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS EXE Download from Google Common Data Storage with no Referer"; flow: established, to_server; content:".exe"; fast_pattern:only; http_uri; content:"Host|3a| commondatastorage.googleapis.com|0d 0a|"; http_header; content:!"Referer|3a|"; http_header; reference:md5,9fcbc6def809520e77dd7af984f82fd5; reference:md5,71e752dd4c4df15a910c17eadb8b15ba; classtype:trojan-activity; sid:2018556; rev:1; metadata:created_at 2014_06_11, updated_at 2014_06_11;)

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS DTLS Pre 1.0 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 01 00 00 00 00 00 00 00|"; depth:10; content:"|01|"; distance:3; within:1; byte_test:3,>,0,0,relative; byte_test:3,>,0,8,relative; byte_extract:3,0,frag_len,relative; byte_jump:3,5,relative; content:"|01|"; within:1; byte_test:3,!=,frag_len,0,relative; reference:url,h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002; classtype:attempted-user; sid:2018559; rev:2; metadata:created_at 2014_06_13, updated_at 2014_06_13;)

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS DTLS 1.0 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 fe ff 00 00 00 00 00 00 00|"; depth:10; content:"|01|"; distance:3; within:1; byte_test:3,>,0,0,relative; byte_test:3,>,0,8,relative; byte_extract:3,0,frag_len,relative; byte_jump:3,5,relative; content:"|01|"; within:1; byte_test:3,!=,frag_len,0,relative;  reference:url,h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002; classtype:attempted-user; sid:2018560; rev:2; metadata:created_at 2014_06_13, updated_at 2014_06_13;)

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS DTLS 1.2 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 fe fd 00 00 00 00 00 00 00|"; depth:10; content:"|01|"; distance:3; within:1; byte_test:3,>,0,0,relative; byte_test:3,>,0,8,relative; byte_extract:3,0,frag_len,relative; byte_jump:3,5,relative; content:"|01|"; within:1; byte_test:3,!=,frag_len,0,relative; reference:url,h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002; classtype:attempted-user; sid:2018561; rev:3; metadata:created_at 2014_06_13, updated_at 2014_06_13;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS BleedingLife Exploit Kit Landing Page Requested"; flow:established,to_server; content:"/load_module.php?user="; http_uri; depth:22; pcre:"/^\x2Fload\x5Fmodule\x2Ephp\x3Fuser\x3D(n1|11?|2)$/U"; reference:url,vrt-blog.snort.org/2014/06/the-never-ending-exploit-kit-shift.html; classtype:trojan-activity; sid:2018562; rev:1; metadata:created_at 2014_06_13, updated_at 2014_06_13;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS BleedingLife Exploit Kit SWF Exploit Request"; flow:established,to_server; content:"/modules/"; http_uri; depth:9; content:".swf"; http_uri; distance:1; within:5; pcre:"/^\x2Fmodules\x2F(?:n[u3]|1|2)\x2Eswf$/U"; reference:url,vrt-blog.snort.org/2014/06/the-never-ending-exploit-kit-shift.html; reference:cve,2013-0634; reference:cve,2014-0515; classtype:trojan-activity; sid:2018563; rev:1; metadata:created_at 2014_06_13, updated_at 2014_06_13;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS BleedingLife Exploit Kit JAR Exploit Request"; flow:established,to_server; content:"/modules/"; http_uri; depth:9; content:".jar"; http_uri; distance:1; within:4; pcre:"/^\x2Fmodules\x2F(1|2)\x2Ejar$/U"; reference:url,vrt-blog.snort.org/2014/06/the-never-ending-exploit-kit-shift.html; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2013-2465; classtype:trojan-activity; sid:2018564; rev:1; metadata:created_at 2014_06_13, updated_at 2014_06_13;)

alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET CURRENT_EVENTS Possible Inbound SNMP Router DoS (TTL 1)"; byte_jump:1,6; content:"|a3|"; within:1; content:"|30 0d 06 08 2b 06 01 02 01 04 02 00 02 01 01|"; distance:9; threshold: type limit, track by_src, count 1, seconds 120; classtype:attempted-dos; sid:2018568; rev:1; metadata:created_at 2014_06_16, updated_at 2014_06_16;)

alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET CURRENT_EVENTS Possible Inbound SNMP Router DoS (Disable Forwarding)"; byte_jump:1,6; content:"|a3|"; within:1; content:"|30 0d 06 08 2b 06 01 02 01 04 01 00 02 01 02|"; distance:9; threshold: type limit, track by_src, count 1, seconds 120; classtype:attempted-dos; sid:2018569; rev:1; metadata:created_at 2014_06_16, updated_at 2014_06_16;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack EK Secondary Landing"; flow:established,to_client; file_data; content:".getVersion"; pcre:"/^\s*?\(\s*?[\x22\x27]Java[\x22\x27]/Rsi"; content:"621"; distance:0; pcre:"/^\W.{0,50}<\s*?=\s*?645\W[^{]*?{[^\}]*?\(\s*?document\s*?\)\s*?\[\s*?[\x22\x27]body[\x22\x27]\s*?\]\[\s*?[\x22\x27]appendChild[\x22\x27]\s*?\]/Rsi"; content:"700"; pcre:"/^\W.{0,50}<\s*?725\W/Rsi"; content:".getVersion"; pcre:"/^\s*?\(\s*?[\x22\x27]Flash[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2018573; rev:2; metadata:created_at 2014_06_16, updated_at 2014_06_16;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack EK Secondary Landing 2"; flow:established,to_client; file_data; content:"/[a-z]/gi"; fast_pattern; content:"substring"; pcre:"/^(?:[\x22\x27]\s*?\])?\s*?\(\s*?(?P<num>\d+)\s*?\*\s*?(?P<cnt>\w+)\s*?,\s*?(?P=num)\s*?\*\s*?(?P=cnt)\s*?\+\s*?(?P=num)\s*?\)\s*?,\s*?\d+\s*?\)/Rsi"; content:"="; pcre:"/^\s*?[\x22\x27][A-Za-z0-9\s]{500}/Rsi"; classtype:trojan-activity; sid:2018577; rev:1; metadata:created_at 2014_06_17, updated_at 2014_06_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sweet Orange EK Common Java Exploit"; flow:to_server,established; content:"/testi.jnlp HTTP/1."; content:" Java/1."; classtype:trojan-activity; sid:2018583; rev:1; metadata:created_at 2014_06_19, updated_at 2014_06_19;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Trojan-Banker.JS.Banker fraudulent redirect boleto payment code"; flow:to_server,established; content:"/boleto"; http_uri; fast_pattern:only; content:".php?"; http_uri; pcre:"/^Host\x3a\x20[^\r\n]+(\r\n)?\r\n$/Hi"; reference:url,brazil.kaspersky.com/sobre-a-kaspersky/centro-de-imprensa/blog-da-kaspersky/extensoes-maliciosas-boleto; reference:md5,de38bc962f92eb99d63eebecb3930906; classtype:trojan-activity; sid:2018591; rev:5; metadata:created_at 2014_06_20, updated_at 2014_06_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Multiple EKs CVE-2013-3918"; flow:established,from_server; file_data; content:"C|3a 5c|rock.png"; nocase; fast_pattern:only; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; classtype:trojan-activity; sid:2018592; rev:1; metadata:created_at 2014_06_20, updated_at 2014_06_20;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack EK CVE-2013-3918"; flow:established,to_server; content:"/m20133918.php"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2018593; rev:1; metadata:created_at 2014_06_20, updated_at 2014_06_20;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert webhostingpad.com"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|10 00 89 36 39 2c a7 4f ef 26 13 4f 11 2e d4 22 64|"; fast_pattern:only; content:"|55 04 03|"; content:"|13|*.webhostingpad.com"; distance:1; within:20; reference:md5,be7a7252865b3407498170f142efe471; classtype:trojan-activity; sid:2018594; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_06_23, malware_family Upatre, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing May 23 2014"; flow:from_server,established; content:"|0d 0a|Vary|3a 20|Accept-Encoding,User-Agent"; http_header; content:"|0d 0a|X-Powered-By|3a 20|PHP"; http_header; file_data; content:"|ef bb bf|<html>|0d 0a|<body bgcolor|3d 22|#"; within:27; fast_pattern; pcre:"/^[a-f0-9]{6}\x22>\r\n(?:<(?P<tag>[^>]{1,10})>[A-Za-z0-9]+?<\/(?P=tag)>\r\n){0,10}<script>var/R"; classtype:trojan-activity; sid:2018595; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_06_23, malware_family Nuclear, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack EK Secondary Landing June 25 2014"; flow:established,to_client; file_data; content:"t=|22|1|3b|url=about|3a|Tabs|22|"; fast_pattern:only; content:"<body>"; pcre:"/^[\r\n\s]*?<script>[\r\n\s]*?[A-Za-z]+[\r\n\s]*?=[\r\n\s]*?[\x22\x27][A-Za-z]{9}\x20[A-Za-z\x20]{300}/R"; classtype:trojan-activity; sid:2018606; rev:3; metadata:created_at 2014_06_25, updated_at 2014_06_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil EK Redirector Cookie June 27 2014"; flow:established,from_server; content:"|0d 0a|Set-Cookie|3a 20|lvqwg="; nocase; classtype:trojan-activity; sid:2018613; rev:1; metadata:created_at 2014_06_27, updated_at 2014_06_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert 999servers.com"; flow:established,to_client; content:"|55 04 03|"; content:"|10|*.999servers.com"; distance:1; within:17; reference:md5,b9ffad739bb47a0e4619b76af51d9a74; classtype:trojan-activity; sid:2018647; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_07_07, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack EK Secondary Landing Jul 11 2014"; flow:established,to_client; file_data; content:"t=|22|1|3b|url=about|3a|Tabs|22|"; content:"/[a-z]/gi"; content:"|5c|x66|5c|x72|5c|x6F|5c|x6D|5c|x43|5c|x68|5c|x61|5c|x72|5c|x43|5c|x6F|5c|x64|5c|x65"; fast_pattern; classtype:trojan-activity; sid:2018668; rev:4; metadata:created_at 2014_07_11, updated_at 2014_07_11;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert acesecureshop.com"; flow:established,to_client; content:"|55 04 03|"; content:"|11|acesecureshop.com"; distance:1; within:18; reference:md5,c2e85512ceaacbf8306321f9cc2b1eaf; classtype:trojan-activity; sid:2018671; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_07_14, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert new-install.privatedns.com"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|1a|new-install.privatedns.com"; distance:1; within:27; fast_pattern; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|1e|ssl@new-install.privatedns.com"; distance:1; within:31; reference:md5,280a3a944878d57bc44ead271a0cc457; classtype:trojan-activity; sid:2018672; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_07_14, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert July 14 2014"; flow:established,to_client; content:"|55 04 03|"; content:"|0f|groberts.com.au"; distance:1; within:16; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|13|info@dctreasure.com"; distance:1; within:20; reference:md5,9f48eb74687492978259edb8f79ac397; classtype:trojan-activity; sid:2018673; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_07_14, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert faithmentoringandmore.com"; flow:established,to_client; content:"|55 04 03|"; content:"|1d|www.faithmentoringandmore.com"; distance:1; within:31; reference:md5,b5df3ba04c987692929f35d9c64e0c0d; classtype:trojan-activity; sid:2018674; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_07_14, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Malvertising Redirect URI Struct Jul 16 2014"; flow:established,to_server; content:"/js/metrika/watch.js?ver="; depth:25; http_uri; fast_pattern; pcre:"/^\/js\/metrika\/watch\.js\?ver=[0-9]+\.[0-9]+\.[0-9]+$/U"; classtype:trojan-activity; sid:2018686; rev:4; metadata:created_at 2014_07_16, updated_at 2014_07_16;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert karinejoncas.com"; flow:established,from_server; content:"|55 04 03|"; content:"|14|www.karinejoncas.com"; distance:1; within:21; reference:md5,87bbf4bc45ef30507b1d239edc727067; classtype:trojan-activity; sid:2018690; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_07_17, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert deslematin.ca"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|deslematin.ca"; distance:1; within:14; reference:md5,87bbf4bc45ef30507b1d239edc727067; classtype:trojan-activity; sid:2018691; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_07_17, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake CDN Sweet Orange Gate July 17 2014"; flow:established,to_server; content:"GET"; http_method; urilen:>10; content:"?"; http_uri; offset:2; depth:1; content:"Host|3a 20|cdn"; http_header; fast_pattern:only; pcre:"/^\/[a-z]\?[a-z]=[0-9]{5,}$/U"; classtype:trojan-activity; sid:2018737; rev:1; metadata:created_at 2014_07_18, updated_at 2014_07_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fiesta EK randomized javascript Gate Jul 18 2014"; flow:established,to_server; content:"GET"; http_method; urilen:24<>84; content:".js?"; http_uri; fast_pattern; content:"="; distance:7; within:26; http_uri; content:!"&"; http_uri; pcre:"/^Host\x3a\x20[^\.\r\n]+?\.[a-z]{2,4}\r\n/Hmi"; pcre:"/^\/[A-Za-z0-9]{6,16}\.js\?[a-zA-Z0-9]{7,32}=(?![0-9]+$)[a-f0-9]{5,30}$/U"; classtype:trojan-activity; sid:2018741; rev:1; metadata:created_at 2014_07_18, updated_at 2014_07_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Sweet Orange redirection 21 July 2014"; flow:to_client,established; file_data; content:"jquery_datepicker=|27|"; pcre:"/[^0-9a-f]{1,3}68[^0-9a-f]{1,3}74[^0-9a-f]{1,3}74[^0-9a-f]{1,3}70[0-9a-f]{1,3}3a/Ri"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2018751; rev:1; metadata:created_at 2014_07_22, updated_at 2014_07_22;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS XMLDOM Check for Presence Kaspersky AV Observed in RIG EK"; flow:from_server,established; file_data; content:"loadXML"; nocase; content:"parseError"; content:"-2147023083"; fast_pattern:only; content:"|5c|kl1.sys"; nocase; pcre:"/^[\x22\x27]/Rs"; reference:url,research.zscaler.com/2014/07/de-obfuscating-dom-based-javascript.html; classtype:trojan-activity; sid:2018756; rev:1; metadata:created_at 2014_07_23, updated_at 2014_07_23;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS XMLDOM Check for Presence TrendMicro AV Observed in RIG EK"; flow:from_server,established; file_data; content:"loadXML"; nocase; content:"parseError"; content:"-2147023083"; fast_pattern:only; content:"|5c|tm"; nocase; pcre:"/^(?:e(?:vtmgr|ext)|actmon|nciesc|EBC32|comm|tdi)\.sys[\x22\x27]/Rsi"; reference:url,research.zscaler.com/2014/07/de-obfuscating-dom-based-javascript.html; classtype:trojan-activity; sid:2018757; rev:1; metadata:created_at 2014_07_23, updated_at 2014_07_23;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert twitterbacklinks.com"; flow:established,from_server; content:"|55 04 03|"; content:"|18|www.twitterbacklinks.com"; distance:1; within:25; reference:md5,4cb5a748416b9f03d875245437344177; classtype:trojan-activity; sid:2018758; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_07_23, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert thelabelnashville.com"; flow:established,from_server; content:"|55 04 03|"; content:"|15|thelabelnashville.com"; distance:1; within:22; reference:md5,f75b9bffe33999339d189b1a3d8d8b4e; classtype:trojan-activity; sid:2018776; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_07_25, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert cactussports.com"; flow:established,from_server; content:"|55 04 03|"; content:"|10|cactussports.com"; distance:1; within:17; reference:md5,fe557165290ae68b768591eb746fa1c5; classtype:trojan-activity; sid:2018777; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_07_25, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert yellowdevilgear.com"; flow:established,from_server; content:"|55 04 03|"; content:"|17|www.yellowdevilgear.com"; distance:1; within:24; reference:md5,2def687d8159d7859e86855b6c4a20c8; classtype:trojan-activity; sid:2018778; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_07_25, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert michaelswinecellar.com"; flow:established,from_server; content:"|55 04 03|"; content:"|1a|www.michaelswinecellar.com"; distance:1; within:27; reference:md5,c9869431ad760912a553a63266173442; classtype:trojan-activity; sid:2018779; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_07_25, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert migsparkle.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|migsparkle.com"; distance:1; within:15; reference:md5,bc74dd7e0350ad7ad8f75ca0de6fb9dc; classtype:trojan-activity; sid:2018780; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_07_25, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil XMLDOM Detection of Local File"; flow:from_server,established; file_data; content:"-2147023083"; nocase; fast_pattern:only; content:"res|3a 2f|"; nocase; content:"!DOCTYPE"; nocase; reference:url,alienvault.com/open-threat-exchange/blog/attackers-abusing-internet-explorer-to-enumerate-software-and-detect-securi/; classtype:trojan-activity; sid:2018783; rev:2; metadata:created_at 2014_07_25, updated_at 2014_07_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible ShellCode Passed as Argument to FlashVars"; flow:from_server,established; file_data; content:",0x"; fast_pattern; content:",0x"; distance:8; within:3; content:",0x"; distance:8; within:3; content:"FlashVars"; nocase; content:"<param"; nocase; pcre:"/^(?=(?:(?!<\/>).)+?FlashVars)(?:(?!<\/>).)+?value\s*?=\s*?[\x22\x27][^=\x22\x27]+=(?:0x[a-f0-9]{8},){15}/Rsi"; classtype:trojan-activity; sid:2018785; rev:2; metadata:created_at 2014_07_25, updated_at 2014_07_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sweet Orange EK CDN Landing Page"; flow:established,to_server; content:"GET "; depth:4; content:"stargalaxy.php?nebula="; reference:url,malware-traffic-analysis.net/2014/07/24/index.html; classtype:trojan-activity; sid:2018786; rev:1; metadata:created_at 2014_07_25, updated_at 2014_07_25;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert server.abaphome.net"; flow:established,from_server; content:"|55 04 03|"; content:"|13|server.abaphome.net"; distance:1; within:20; reference:md5,cfe7cade32e463f0ef7efd134c56b5c8; classtype:trojan-activity; sid:2018790; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_07_28, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert 1stopmall.us"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www.1stopmall.us"; distance:1; within:17; reference:md5,b833914b8171bc8f400b41449c3ef06b; classtype:trojan-activity; sid:2018791; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_07_28, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack EK Secondary Landing June 28 2014"; flow:established,to_client; file_data; content:"t=|22|1|3b|url=about|3a|Tabs|22|"; content:"hex2bin"; fast_pattern:only; content:"eval"; pcre:"/^(?:[\x22\x27]\s*?\])?\(\s*?(?:\[[\x22\x27])?rc4(?:[\x22\x27]\s*?\])?\(\s*?[\x22\x27][^\x22\x27]+?[\x22\x27]\s*?,\s*?(?:\[[\x22\x27])?hex2bin(?:[\x22\x27]\s*?\])?\(/Rsi"; classtype:trojan-activity; sid:2018794; rev:4; metadata:created_at 2014_07_28, updated_at 2014_07_28;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack EK Plugin Detect IE Exploit"; flow:established,to_client; file_data; content:"|2f|Trident|5c 2f|(|5c|d)|2f|"; content:"|7c|2551"; pcre:"/^[\x22\x27]/R"; distance:0; content:"|7c|3918"; pcre:"/^[\x22\x27]/R"; content:"|7c|0322"; pcre:"/^[\x22\x27]/R"; classtype:trojan-activity; sid:2018795; rev:4; metadata:created_at 2014_07_28, updated_at 2014_07_28;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack EK Plugin Detect Java Exploit"; flow:established,to_client; file_data; content:"getVersion"; nocase; content:"Java"; distance:0; content:"3544"; pcre:"/^[\x22\x27]/R"; distance:0; content:"2471"; pcre:"/^[\x22\x27]/R"; content:"2460"; pcre:"/^[\x22\x27]/R"; classtype:trojan-activity; sid:2018796; rev:4; metadata:created_at 2014_07_28, updated_at 2014_07_28;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack EK Plugin Detect Flash Exploit"; flow:established,to_client; file_data; content:"getVersion"; nocase; content:"Flash"; distance:0; content:"0515"; pcre:"/^[\x22\x27]/R"; distance:0; content:"0634"; pcre:"/^[\x22\x27]/R"; content:"0497"; pcre:"/^[\x22\x27]/R"; classtype:trojan-activity; sid:2018797; rev:4; metadata:created_at 2014_07_28, updated_at 2014_07_28;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert disenart.info"; flow:established,from_server; content:"|55 04 03|"; content:"|0c 0d|disenart.info"; distance:0; within:15; reference:md5,c860eee9ca6a7c570b3b4cd7b8e2cd17; classtype:trojan-activity; sid:2018801; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_07_29, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert host-galaxy.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|host-galaxy.com"; distance:1; within:16; reference:md5,83c2eb9a2a5315e7fc15d85387886a19; classtype:trojan-activity; sid:2018802; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_07_29, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert fxbingpanel.fareexchange.co.uk"; flow:established,from_server; content:"|55 04 03|"; content:"|1e|fxbingpanel.fareexchange.co.uk"; distance:1; within:31; reference:md5,3c4e0c0e4dbe2bf0e4d3ca825b95209c; classtype:trojan-activity; sid:2018803; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_07_29, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert 66h.66hosting.net"; flow:established,from_server; content:"|55 04 03|"; content:"|11|66h.66hosting.net"; distance:1; within:18; reference:md5,f9c0bc6e8c08acbe520df0ab6efcd962; classtype:trojan-activity; sid:2018804; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_07_29, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert businesswebstudios.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|businesswebstudios.com"; distance:1; within:23; reference:md5,b8ca6c78deeb448421073a65f708c34e; classtype:trojan-activity; sid:2018805; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_07_29, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert udderperfection.com"; flow:established,from_server; content:"|55 04 03|"; content:"|17|www.udderperfection.com"; distance:1; within:24; reference:md5,c8020934a53e888059e734b934043794; classtype:trojan-activity; sid:2018806; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_07_29, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert www.senorwooly.com"; flow:established,from_server; content:"|55 04 03|"; content:"|12|www.senorwooly.com"; distance:1; within:19; reference:md5,c860eee9ca6a7c570b3b4cd7b8e2cd17; classtype:trojan-activity; sid:2018849; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_07_30, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert ns2.sicher.in"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|ns2.sicher.in"; distance:1; within:14; reference:md5,c860eee9ca6a7c570b3b4cd7b8e2cd17; classtype:trojan-activity; sid:2018850; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_07_30, malware_family Upatre, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET CURRENT_EVENTS Possible Phishing E-ZPass Email Toll Notification July 30 2014"; flow:to_server,established; content:"|0d 0a|Subject|3a|"; nocase; content:"toll road"; distance:2; within:75; nocase; content:"|0d 0a|From|3a|"; nocase; content:"E-ZPass"; distance:2; within:10; nocase; fast_pattern; reference:url,isc.sans.edu/forums/diary/E-ZPass+phishing+scam/18389; classtype:trojan-activity; sid:2018853; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2014_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert chinasemservice.com"; flow:established,from_server; content:"|55 04 03|"; content:"|13|chinasemservice.com"; distance:1; within:20; reference:md5,c2ecc111018491cee3853e2c93472bb9; classtype:trojan-activity; sid:2018868; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_01, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert ns7-777.777servers.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|ns7-777.777servers.com"; distance:1; within:23; reference:md5,b5b97b4da688aaa6ddbdb6a6e567ffba; classtype:trojan-activity; sid:2018870; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_01, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert adodis.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|adodis.com"; distance:1; within:11; reference:md5,cca48e10973344ccc4e995be8e151176; classtype:trojan-activity; sid:2018871; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_01, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert power2.mschosting.com"; flow:established,from_server; content:"|55 04 03|"; content:"|15|power2.mschosting.com"; distance:1; within:22; reference:md5,fb89ab865465d9bf38e24af73cdcd656; classtype:trojan-activity; sid:2018881; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_01, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert tradeledstore.co.uk"; flow:established,from_server; content:"|55 04 03|"; content:"|15 2a 2e|tradeledstore.co.uk"; distance:1; within:22; reference:md5,5b447247c8778b91650e0a9c2e36b1e6; classtype:trojan-activity; sid:2018898; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_05, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Malvertising Redirection to Exploit Kit Aug 07 2014"; flow:established,to_server; content:".js?ver="; http_uri; fast_pattern:only; pcre:"/\.js\?ver=[0-9]\.[0-9]{2}\.[0-9]{4}$/U"; classtype:trojan-activity; sid:2018909; rev:3; metadata:created_at 2014_08_07, updated_at 2014_08_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear Exploit Kit exe.exe Payload"; flow:established,to_client; content:"Content-disposition|3A| attachment|3B| filename=exe.exe"; http_header; fast_pattern:32,17; reference:url,www.malware-traffic-analysis.net/2014/08/06/index.html; classtype:trojan-activity; sid:2018914; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_08_08, malware_family Nuclear, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Turla/SPL EK Java Applet"; flow:established,from_server; file_data; content:"/x-java-applet"; fast_pattern:only; content:"spl"; nocase; pcre:"/^[\x22\x27]/R"; content:"<object"; nocase; pcre:"/^(?=(?:(?!<\/object>).)+?codebase\s*?=\s*?[\x22\x27]spl[\x22\x27])(?=(?:(?!<\/object>).)+?\/x-java-applet)/Rsi"; reference:url,securelist.com/analysis/publications/65545/the-epic-turla-operation/; classtype:trojan-activity; sid:2018922; rev:1; metadata:created_at 2014_08_11, updated_at 2014_08_11;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Turla/SPL EK Java Exploit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"fawa/"; nocase; pcre:"/^[\w.]*?\.class/Rsi"; reference:url,securelist.com/analysis/publications/65545/the-epic-turla-operation/; classtype:trojan-activity; sid:2018923; rev:1; metadata:created_at 2014_08_11, updated_at 2014_08_11;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Turla/SPL EK Java Exploit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"a/hidden.class"; nocase; reference:url,securelist.com/analysis/publications/65545/the-epic-turla-operation/; classtype:trojan-activity; sid:2018924; rev:1; metadata:created_at 2014_08_11, updated_at 2014_08_11;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Turla/SPL EK Java Exploit Requested - /spl/"; flow:established,to_server; content:"/spl/"; http_uri; fast_pattern:only; content:".jar"; http_uri; content:"Java/"; http_header; reference:url,securelist.com/analysis/publications/65545/the-epic-turla-operation/; classtype:trojan-activity; sid:2018925; rev:4; metadata:created_at 2014_08_11, updated_at 2014_08_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Archie.EK PluginDetect URI Struct"; flow:to_server,established; content:"GET|20|"; depth:4; content:"/log.html?"; distance:0; content:"java="; distance:0; content:"gie="; distance:0; content:"header="; distance:0; content:"HTTP/1."; distance:0; classtype:trojan-activity; sid:2018930; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_08_13, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Archie.EK CVE-2013-2551 URI Struct"; flow:to_server,established; content:"GET|20|"; depth:4; content:"/ie8910.html"; distance:0; content:"|20|HTTP/1."; distance:0; classtype:trojan-activity; sid:2018931; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_08_13, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Archie.EK Landing"; flow:established,to_client; file_data; content:"|2f|Trident|5c 2f|(|5c|d)|2f|i"; content:"Exploit.class"; nocase; fast_pattern:only; reference:cve,2014-2820; classtype:trojan-activity; sid:2018933; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_08_13, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS ZeroLocker EXE Download"; flow:established,from_server; flowbits:isset,ET.http.binary; file_data; content:"|5c 50 72 6f 6a 65 63 74 73 5c 5a 65 72 6f 4c 6f 63 6b 65 72 5c|"; reference:url,securelist.com/blog/incidents/66135/zerolocker-wont-come-to-your-rescue/; reference:url,webroot.com/blog/2014/08/14/zero-locker/; reference:url,symantec.com/security_response/writeup.jsp?docid=2014-081521-4509-9; classtype:trojan-activity; sid:2018963; rev:2; metadata:created_at 2014_08_19, updated_at 2014_08_19;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malvertising Leading to EK Aug 19 2014 M3"; flow:established,from_server; file_data; content:"<script>function z("; content:"createElement|28 22|iframe|22 29|"; distance:0; content:".style.left = |22|-"; content:".style.top = |22|-"; content:"|3b|}z()|3b|</script></body></html>"; distance:0; fast_pattern; classtype:trojan-activity; sid:2018965; rev:1; metadata:created_at 2014_08_20, updated_at 2014_08_20;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malvertising Leading to EK Aug 19 2014 M1"; flow:established,from_server; file_data; content:"readed|3b| max-age"; fast_pattern:only; content:"document.cookie"; pcre:"/^\s*?=\s*?[\x22\x27](?P<var>[^\s\x3b]+)\s*?=\s*?readed\x3b.*?document.cookie.indexOf\s*?\(\s*?[\x22\x27](?P=var)[\x22\x27]/Rsi"; content:".top"; pcre:"/^\s*?=\s*?[\x22\x27]\-/Rsi"; classtype:trojan-activity; sid:2018966; rev:1; metadata:created_at 2014_08_20, updated_at 2014_08_20;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malvertising Leading to EK Aug 19 2014 M2"; flow:established,from_server; file_data; content:"readed|3b| max-age"; fast_pattern:only; content:"document.cookie.indexOf"; pcre:"/^\s*?\(\s*?[\x22\x27](?P<var>[^\x22\x27]+)[\x22\x27].+?document\.cookie\s*?=\s*?[\x22\x27][^\x22\x27]*?(?P=var)\s*?=\s*?readed\x3b/Rsi"; content:".top"; pcre:"/^\s*?=\s*?[\x22\x27]\-/Rsi"; classtype:trojan-activity; sid:2018967; rev:1; metadata:created_at 2014_08_20, updated_at 2014_08_20;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Aug 20 2014 D1"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 89 aa ac b6 40 58 a5 8c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,70bb2e450fe927ee32884cda6fe948b5; classtype:trojan-activity; sid:2018973; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_08_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Aug 20 2014 D2"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 9c 96 01 9e 7e d5 38 fd|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2018974; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_08_20, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sweet Orange EK Thread Specific Java Exploit"; flow:established,to_server; content:"GET "; depth:4; content:"/Fqxzdh.jar HTTP/1."; distance:0; content:" Java/1."; distance:0; reference:url,malware-traffic-analysis.net/2014/07/24/index.html; classtype:trojan-activity; sid:2018987; rev:1; metadata:created_at 2014_08_22, updated_at 2014_08_22;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Malvertising EK Landing Aug 22 2014"; flow:established,from_server; file_data; content:"|5d 2f 67 2c 27 27 29 2e 73 75 62 73 74 72 28|"; content:"|5d 2f 67 2c 27 27 29 2e 73 75 62 73 74 72 28|"; within:500; content:"ActiveXObject"; pcre:"/^\s*?\(\s*?[\x22\x27](?!AgControl\.AgControl)[^\x22\x27]*?A[^\x22\x27]*?g[^\x22\x27]*?C[^\x22\x27]*?o[^\x22\x27]*?n[^\x22\x27]*?t[^\x22\x27]*?r[^\x22\x27]*?o[^\x22\x27]*?l[^\x22\x27]*?\.[^\x22\x27]*?A[^\x22\x27]*?g[^\x22\x27]*?C[^\x22\x27]*?o[^\x22\x27]*?n[^\x22\x27]*?t[^\x22\x27]*?r[^\x22\x27]*?o[^\x22\x27]*?l[^\x22\x27]*?[\x22\x27]\s*?\.\s*?replace\s*?\(/Rsi"; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:trojan-activity; sid:2018988; rev:1; metadata:created_at 2014_08_23, updated_at 2014_08_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Malvertising EK Landing URI Sruct Aug 22 2014"; flow:established,to_server; urilen:16; content:"/nhqdxa/eipm.php"; http_uri; fast_pattern:only; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:trojan-activity; sid:2018989; rev:1; metadata:created_at 2014_08_23, updated_at 2014_08_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Malvertising EK Payload URI Sruct Aug 22 2014"; flow:established,to_server; urilen:16; content:"/nhqdxa/yztl.php"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:trojan-activity; sid:2018990; rev:1; metadata:created_at 2014_08_23, updated_at 2014_08_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Malvertising EK Silverlight URI Sruct Aug 22 2014"; flow:established,to_server; urilen:16; content:"/nhqdxa/vpclcy.x"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:trojan-activity; sid:2018991; rev:1; metadata:created_at 2014_08_23, updated_at 2014_08_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Malvertising EK Flash URI Sruct Aug 22 2014"; flow:established,to_server; urilen:17; content:"/nhqdxa/oujyt.swf"; http_uri; fast_pattern:only; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:trojan-activity; sid:2018992; rev:1; metadata:created_at 2014_08_23, updated_at 2014_08_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Malvertising EK Payload URI Sruct Aug 22 2014"; flow:established,to_server; urilen:19; content:"/nhqdxa/gjtzssq.php"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:trojan-activity; sid:2018993; rev:1; metadata:created_at 2014_08_23, updated_at 2014_08_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Archie EK CVE-2014-0515 Aug 24 2014"; flow:established,to_server; content:"GET "; depth:4; content:"flashhigh.swf HTTP/1."; distance:0; pcre:"/^GET [^\r\n]*?\/(?:pruncd)?flashhigh\.swf HTTP\/1\./"; classtype:trojan-activity; sid:2018995; rev:2; metadata:created_at 2014_08_25, updated_at 2014_08_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Archie EK CVE-2014-0497 Aug 24 2014"; flow:established,to_server; content:"GET "; depth:4; content:"flashlow.swf HTTP/1."; distance:0; pcre:"/^GET [^\r\n]*?\/(?:pruncd)?flashlow\.swf HTTP\/1\./"; classtype:trojan-activity; sid:2018996; rev:2; metadata:created_at 2014_08_25, updated_at 2014_08_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Archie EK Secondary Landing Aug 24 2014"; flow:established,to_server; content:"/ie8910b.html HTTP/1."; fast_pattern:only; classtype:trojan-activity; sid:2018997; rev:2; metadata:created_at 2014_08_25, updated_at 2014_08_25;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Archie EK Landing Aug 24 2014"; flow:established,from_server; file_data; content:"+payload"; fast_pattern; nocase; content:"flashLow"; nocase; classtype:trojan-activity; sid:2018998; rev:7; metadata:created_at 2014_08_25, updated_at 2014_08_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FlashPack EK Exploit Flash Post Aug 25 2014"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"id="; http_client_body; depth:3; content:"&dom=687474703a2f2f"; http_client_body; fast_pattern:only; content:"2e706870"; http_client_body; pcre:"/^id=[^&]+&dom=687474703a2f2f[a-f0-9]+2e706870\s*?$/Ps"; classtype:trojan-activity; sid:2019004; rev:1; metadata:created_at 2014_08_25, updated_at 2014_08_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FlashPack EK Redirect Aug 25 2014"; flow:established,to_server; content:"POST"; http_method; content:"gate.php"; http_uri; fast_pattern:only; content:".swf/[[DYNAMIC]]/1"; http_header; classtype:trojan-activity; sid:2019005; rev:2; metadata:created_at 2014_08_25, updated_at 2014_08_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FlashPack EK Exploit Landing Aug 25 2014"; flow:established,to_server; content:"POST"; http_method; content:"/msie.php"; http_uri; pcre:"/[^=]+?=(?:(?:[46][1-9a-f]|[57][0-9a]|3[0-9]|2d)+?2e)+(?:[46][1-9a-f]|[57][0-9a]|3[0-9]|2d)+\s*?/P"; classtype:trojan-activity; sid:2019006; rev:1; metadata:created_at 2014_08_25, updated_at 2014_08_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlashPack EK JS Include Aug 25 2014"; flow:established,from_server; file_data; content:"function hex2bin(hex)"; within:21; content:"function rc4"; distance:0; content:!"function "; distance:0; classtype:trojan-activity; sid:2019007; rev:1; metadata:created_at 2014_08_25, updated_at 2014_08_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack Java Payload"; flow:established,to_server; content:"/load"; http_uri; fast_pattern:only; content:".php?id="; content:"Java/1."; http_header; classtype:trojan-activity; sid:2019008; rev:6; metadata:created_at 2014_08_25, updated_at 2014_08_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS BleedingLife EK Variant Aug 26 2014"; flow:established,to_server; content:".php?spl="; http_uri; fast_pattern:only; pcre:"/\.php\?spl=[\w_]+$/Ui"; classtype:trojan-activity; sid:2019023; rev:1; metadata:created_at 2014_08_26, updated_at 2014_08_26;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Offensive Security EMET Bypass Observed in BleedingLife Variant Aug 26 2014"; flow:established,to_client; file_data; content:"|22 25 75 22 2b 67 65 74 6d 6f 64 75 6c 65 77 31 2b 22 25 75 22 2b 67 65 74 6d 6f 64 75 6c 65 77 32 29|"; classtype:trojan-activity; sid:2019024; rev:2; metadata:created_at 2014_08_26, updated_at 2014_08_26;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert freeb4u.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|freeb4u.com"; distance:1; within:12; reference:md5,3c140d775b33a5201089e8f8118b7fb5; classtype:trojan-activity; sid:2019025; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert developmentinn.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|www.developmentinn.com"; distance:1; within:23; reference:md5,2f17d82e939efe315a89f1aa42e93cf1; classtype:trojan-activity; sid:2019026; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert directory92.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|directory92.com"; distance:1; within:16; reference:md5,dc7939920cb93e58c990a8e0a0295bb7; classtype:trojan-activity; sid:2019027; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert epr-co.ch"; flow:established,from_server; content:"|55 04 03|"; content:"|09|epr-co.ch"; distance:1; within:10; reference:md5,dc7939920cb93e58c990a8e0a0295bb7; classtype:trojan-activity; sid:2019028; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert pouyasazan.org"; flow:established,from_server; content:"|55 04 03|"; content:"|15|linux4.pouyasazan.org"; distance:1; within:22; reference:md5,b978929f93fe8e10d8f7f6f52953cbba; classtype:trojan-activity; sid:2019029; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert ara-photos.net"; flow:established,from_server; content:"|55 04 03|"; content:"|12|www.ara-photos.net"; distance:1; within:19; reference:md5,b978929f93fe8e10d8f7f6f52953cbba; classtype:trojan-activity; sid:2019030; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert tecktalk.com"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www.tecktalk.com"; distance:1; within:17; reference:md5,0181d134ff73743e8dd5e23b9cf7ff51; classtype:trojan-activity; sid:2019031; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert cyclivate.com"; flow:established,from_server; content:"|55 04 03|"; content:"|11|www.cyclivate.com"; distance:1; within:18; reference:md5,b911327d0ba6ce016e8e33ba97e87e83; classtype:trojan-activity; sid:2019032; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert mentoringgroup.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|www.mentoringgroup.com"; distance:1; within:23; reference:md5,444dd80b551ac28e43380c2ef0bc4df0; classtype:trojan-activity; sid:2019033; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert dineshuthayakumar.in"; flow:established,from_server; content:"|55 04 03|"; content:"|14|dineshuthayakumar.in"; distance:1; within:21; reference:md5,0c96fd25ec4139063ac7d83511835d20; classtype:trojan-activity; sid:2019034; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert ssshosting.net"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|ssshosting.net"; distance:1; within:15; reference:md5,8f13400f01f5ad3404bc6700279ac7aa; classtype:trojan-activity; sid:2019035; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert erotikturk.com"; flow:established,from_server; content:"|55 04 03|"; content:"|15|server.erotikturk.com"; distance:1; within:22; reference:md5,8f13400f01f5ad3404bc6700279ac7aa; classtype:trojan-activity; sid:2019036; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert mtnoutfitters.com"; flow:established,from_server; content:"|55 04 03|"; content:"|11|mtnoutfitters.com"; distance:1; within:18; reference:md5,ebca10e0a4eb99758f0fb3612fa970ba; classtype:trojan-activity; sid:2019037; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert jojik-international.com"; flow:established,from_server; content:"|55 04 03|"; content:"|17|jojik-international.com"; distance:1; within:24; reference:md5,ffa19cd3be6a89da96bcfb5a1a52b6ae; classtype:trojan-activity; sid:2019038; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert abarsolutions.com"; flow:established,from_server; content:"|55 04 03|"; content:"|11|abarsolutions.com"; distance:1; within:18; reference:md5,029e3713002bd3514b1f2493caea8294; classtype:trojan-activity; sid:2019039; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert eastwoodvalley.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|www.eastwoodvalley.com"; distance:1; within:23; reference:md5,450b394d88a69f6cb9722a5b56168ce6; classtype:trojan-activity; sid:2019040; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert pejlain.se"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|pejlain.se"; distance:1; within:11; reference:md5,1658e12bb1fe8a25127e8bd09b923acd; classtype:trojan-activity; sid:2019042; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert dominionthe.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|dominionthe.com"; distance:1; within:16; reference:md5,911bc6e1c581e9295d193bcdbcce1ddd; classtype:trojan-activity; sid:2019043; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert delanecanada.ca"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|delanecanada.ca"; distance:1; within:16; reference:md5,911bc6e1c581e9295d193bcdbcce1ddd; classtype:trojan-activity; sid:2019044; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert hebergement-solutions.com"; flow:established,from_server; content:"|55 04 03|"; content:"|19|hebergement-solutions.com"; distance:1; within:26; reference:md5,e5f8caba2b2832de5c13a16d5b4f6d6f; classtype:trojan-activity; sid:2019045; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert sportofteniq.com"; flow:established,from_server; content:"|55 04 03|"; content:"|10|sportofteniq.com"; distance:1; within:17; reference:md5,d06ec89944b566df8dcd959a2196b37c; classtype:trojan-activity; sid:2019046; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert adoraacc.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|adoraacc.com"; distance:1; within:13; reference:md5,a938c50d686663f97d62dff812fc575b; classtype:trojan-activity; sid:2019047; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert tristacey.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|tristacey.com"; distance:1; within:14; reference:md5,e40ec448fd7cfea641a18fb6b38e4e92; classtype:trojan-activity; sid:2019048; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert nbc-mail.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|nbc-mail.com"; distance:1; within:13; reference:md5,348b8a9e693a6784a6cf26d9afe6fed9; classtype:trojan-activity; sid:2019049; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert tridayacipta.com"; flow:established,from_server; content:"|55 04 03|"; content:"|10|tridayacipta.com"; distance:1; within:17; reference:md5,010e6b78b6ec2fd6970b0c709e70acec; classtype:trojan-activity; sid:2019050; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert trainthetrainerinternational.com"; flow:established,from_server; content:"|55 04 03|"; content:"|20|trainthetrainerinternational.com"; distance:1; within:33; reference:md5,010e6b78b6ec2fd6970b0c709e70acec; classtype:trojan-activity; sid:2019051; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert lingayasuniversity.edu.in"; flow:established,from_server; content:"|55 04 03|"; content:"|1d|www.lingayasuniversity.edu.in"; distance:1; within:30; reference:md5,b2c3bb2b56876e325d86731a693fd138; classtype:trojan-activity; sid:2019052; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert uleideargan.com"; flow:established,from_server; content:"|55 04 03|"; content:"|13|www.uleideargan.com"; distance:1; within:20; reference:md5,ba402e41e140af41d57788e24c4c56d4; classtype:trojan-activity; sid:2019053; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert picklingtank.com"; flow:established,from_server; content:"|55 04 03|"; content:"|10|picklingtank.com"; distance:1; within:17; reference:md5,ba402e41e140af41d57788e24c4c56d4; classtype:trojan-activity; sid:2019054; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert vcomdesign.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|vcomdesign.com"; distance:1; within:15; reference:md5,9ad86fc9a57b620e96082cd61aa1b494; classtype:trojan-activity; sid:2019055; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert technosysuk.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|technosysuk.com"; distance:1; within:16; reference:md5,fc23d6cbe926a022cac003214679ec7a; classtype:trojan-activity; sid:2019056; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert slmp-550-105.slc.westdc.net"; flow:established,from_server; content:"|55 04 03|"; content:"|1b|slmp-550-105.slc.westdc.net"; distance:1; within:28; reference:md5,f053b1aa875751944bae74fce67fe965; classtype:trojan-activity; sid:2019057; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert itiltrainingcertworkshop.com"; flow:established,from_server; content:"|55 04 03|"; content:"|23|server.itiltrainingcertworkshop.com"; distance:1; within:36; reference:md5,f7b715ad4235599ed21179a369279225; classtype:trojan-activity; sid:2019058; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert udderperfection.com"; flow:established,from_server; content:"|55 04 03|"; content:"|13|udderperfection.com"; distance:1; within:20; reference:md5,27938e57f7928e9559e71d384a8fffe6; classtype:trojan-activity; sid:2019059; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert efind.co.il"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|efind.co.il"; distance:1; within:12; reference:md5,6d8a5b36f61e392aaa048b97b3d9e090; classtype:trojan-activity; sid:2019060; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert bloodsoft.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|bloodsoft.com"; distance:1; within:14; reference:md5,1b1626f65c4bac3af1220898f971f3ac; classtype:trojan-activity; sid:2019061; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert walletmix.com"; flow:established,from_server; content:"|55 04 03|"; content:"|11|www.walletmix.com"; distance:1; within:18; reference:md5,1b1626f65c4bac3af1220898f971f3ac; classtype:trojan-activity; sid:2019062; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert turnaliinsaat.com"; flow:established,from_server; content:"|55 04 03|"; content:"|11|turnaliinsaat.com"; distance:1; within:18; reference:md5,feb5304d966a0f1610e642984a64d54c; classtype:trojan-activity; sid:2019063; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert mdus-pp-wb12.webhostbox.net"; flow:established,from_server; content:"|55 04 03|"; content:"|1b|mdus-pp-wb12.webhostbox.net"; distance:1; within:28; reference:md5,309efe8603c6db1218e8a95b6f4d2840; classtype:trojan-activity; sid:2019064; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert plastics-technology.com"; flow:established,from_server; content:"|55 04 03|"; content:"|1b|www.plastics-technology.com"; distance:1; within:28; reference:md5,309efe8603c6db1218e8a95b6f4d2840; classtype:trojan-activity; sid:2019065; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert deserve.org.uk"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|deserve.org.uk"; distance:1; within:15; reference:md5,9d16352f292d86f40236afc7e06bce08; classtype:trojan-activity; sid:2019067; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert worldbuy.biz"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www.worldbuy.biz"; distance:1; within:17; reference:md5,57c73f511f3ed23df07e2c1b88e007ca; classtype:trojan-activity; sid:2019068; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NullHole EK Landing Aug 27 2014"; flow:established,to_client; file_data; content:"|28 36 39 33 37 34 31 29 2e 74 6f 53 74 72 69 6e 67 28 33 36 29 3b 77 69 6e 64 6f 77|"; classtype:trojan-activity; sid:2019071; rev:2; metadata:created_at 2014_08_27, updated_at 2014_08_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RIG EK Landing URI Struct"; flow:established,to_server; content:"/?PHPSSESID=njr"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2019072; rev:2; metadata:created_at 2014_08_27, updated_at 2014_08_27;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NullHole EK Landing Redirect Aug 27 2014"; flow:established,to_client; content:"Server|3a 20|CppCMS-Embedded/1.0.4|0d 0a|"; http_header; content:"302"; http_stat_code; content:"Set-Cookie|3a| nhweb="; classtype:trojan-activity; sid:2019073; rev:2; metadata:created_at 2014_08_27, updated_at 2014_08_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert paydaypedro.co.uk"; flow:established,from_server; content:"|55 04 03|"; content:"|11|paydaypedro.co.uk"; distance:1; within:18; reference:md5,39877be17bd3435f275fc54577beaa6e; classtype:trojan-activity; sid:2019075; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert chatso.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|chatso.com"; distance:1; within:11; reference:md5,ef88df67a0bcb872143543ebad0ba91d; classtype:trojan-activity; sid:2019076; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Aug 27 2014"; flow:from_server,established; content:"|0d 0a|X-Powered-By|3a 20|PHP"; http_header; file_data; content:"|3c 68 74 6d 6c 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 23|"; within:27; fast_pattern; pcre:"/^[a-f0-9]{6}\x22>\r\n(?:<(?P<tag>[^>]{1,10})>[A-Za-z0-9]+?<\/(?P=tag)>\r\n){0,10}(?:\r\n)*?<script>[^\r\n]+?\We[\x22\x27\+]*?v[\x22\x27\+]*?a[\x22\x27\+]*?l\W/R"; classtype:trojan-activity; sid:2019078; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_08_27, malware_family Nuclear, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks"; flow:from_server,established; file_data; content:"scanbox.crypt._utf8_encode"; classtype:trojan-activity; sid:2019093; rev:2; metadata:created_at 2014_08_29, updated_at 2014_08_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks Initial (POST)"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; fast_pattern:only; content:"seed="; http_client_body; content:"&referrer="; http_client_body; content:"&agent="; http_client_body; content:"&location="; http_client_body; content:"&toplocation="; http_client_body; pcre:"/\.php$/U"; metadata: former_category CURRENT_EVENTS; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:2019094; rev:4; metadata:created_at 2014_08_29, updated_at 2018_03_20;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks (POST) PluginData"; flow:to_server,established; content:"POST"; http_method; content:"pluginid="; http_client_body; fast_pattern:only; content:"projectid="; http_client_body; content:"seed="; http_client_body; content:"data="; http_client_body; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:2019095; rev:2; metadata:created_at 2014_08_29, updated_at 2014_08_29;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks KeepAlive"; flow:to_server,established; content:"GET"; http_method; content:".php?seed="; http_uri; fast_pattern:only; content:"&alivetime="; http_uri; content:"&r="; http_uri; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:2019096; rev:2; metadata:created_at 2014_08_29, updated_at 2014_08_29;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Archie EK SilverLight URI Struct"; flow:to_server,established; content:"GET "; depth:4; content:"silverapp1.xap HTTP/1."; distance:0; pcre:"/^GET [^\r\n]*?\/(?:pruncd)?silverapp1\.xap HTTP\/1\./"; classtype:trojan-activity; sid:2019097; rev:2; metadata:created_at 2014_08_29, updated_at 2014_08_29;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Archie EK Sending Plugin-Detect Data"; flow:to_server,established; content:"dump="; http_client_body; depth:5; content:"%7C"; http_client_body; distance:0; content:"%7C"; http_client_body; distance:0; content:"%7C"; http_client_body; distance:0; content:"&ua="; http_client_body; distance:0; content:"&ref="; http_client_body; distance:0; classtype:trojan-activity; sid:2019098; rev:1; metadata:created_at 2014_08_29, updated_at 2014_08_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Archie/Metasploit SilverLight Exploit"; flow:from_server,established; file_data; content:"SilverApp1.dllPK"; classtype:trojan-activity; sid:2019099; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2014_08_29, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FlashPack EK Redirect Sept 01 2014"; flow:established,to_server; content:".php"; http_uri; pcre:"/\.php$/U"; content:".php/[[DYNAMIC]]/"; http_header; pcre:"/Referer\x3a[^\r\n]+\.php\/\[\[DYNAMIC\]\]\/\d/Hm"; classtype:trojan-activity; sid:2019100; rev:2; metadata:created_at 2014_09_02, updated_at 2014_09_02;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 3 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9c c5 8b 5d c7 8a 96 b7|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,0d5ad9759753cb4639cd405eddbe2a16; classtype:trojan-activity; sid:2019104; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_03, updated_at 2016_07_01;)

#alert tcp 66.147.244.132 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert bluehost.com Aug 27 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|0e 2a 2e|bluehost.com"; distance:1; within:15; reference:md5,19bb8e0b16c14194862d0750916ce338; classtype:trojan-activity; sid:2019105; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_09_03, malware_family Upatre, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET CURRENT_EVENTS Possible Double Flated Encoded Inbound Malicious PDF"; flow:to_server,established; content:"Wy9GbCAvRmxd"; classtype:trojan-activity; sid:2019117; rev:2; metadata:created_at 2014_09_04, updated_at 2014_09_04;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET CURRENT_EVENTS Possible Double Flated Encoded Inbound Malicious PDF"; flow:to_server,established; content:"L0ZsIC9GbF0g"; classtype:trojan-activity; sid:2019118; rev:3; metadata:created_at 2014_09_04, updated_at 2014_09_04;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET CURRENT_EVENTS Possible Double Flated Encoded Inbound Malicious PDF"; flow:to_server,established; content:"IFsvRmwgL0Zs"; classtype:trojan-activity; sid:2019119; rev:2; metadata:created_at 2014_09_04, updated_at 2014_09_04;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Astrum EK Landing"; flow:established,from_server; file_data; content:"|7b 72 65 74 75 72 6e 20 75 6e 65 73 63 61 70 65|"; content:"|3e 3e 38 26 32 35 35 29 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 32 3a|"; content:"|29 5e 32 35 35 26|"; classtype:trojan-activity; sid:2019130; rev:2; metadata:created_at 2014_09_08, updated_at 2014_09_08;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Astrum EK Landing"; flow:established,from_server; file_data; content:"%65%64%6f%43%72%61%68%43%6d%6f%72%66"; content:"%74%41%65%64%6f%43%72%61%68%63"; classtype:trojan-activity; sid:2019131; rev:2; metadata:created_at 2014_09_08, updated_at 2014_09_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Flashpack Redirect Method 2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; pcre:"/^Referer\x3a[^\r\n]+\.swf/Hmi"; content:"fvers="; fast_pattern; http_client_body; content:"osa="; http_client_body; classtype:trojan-activity; sid:2019134; rev:4; metadata:created_at 2014_09_08, updated_at 2014_09_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sweet Orange CDN Gate Sept 09 2014 Method 2"; flow:established,to_server; content:"/k?t"; http_uri; fast_pattern:only; pcre:"/\/k\?t[a-z]*=\d{5,}$/U"; classtype:trojan-activity; sid:2019146; rev:5; metadata:created_at 2014_09_10, updated_at 2014_09_10;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sweet Orange EK Java Exploit"; flow:established,to_server; content:"/view_policy_free.jnlp"; content:"Java/1."; classtype:trojan-activity; sid:2019154; rev:1; metadata:created_at 2014_09_10, updated_at 2014_09_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Nuclear EK Silverlight URI Struct"; flow:established,to_server; content:".xap"; http_uri; fast_pattern:only; content:"/1"; http_uri; pcre:"/\/1(?:3[89]\d{7}|4\d{8})\.xap$/U"; classtype:trojan-activity; sid:2019167; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_09_12, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 15 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 aa 95 9f e1 a6 33 7b d9|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,edefcbba2944872f31454fcb98802488; classtype:trojan-activity; sid:2019173; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_15, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Astrum EK URI Struct"; flow:established,to_server; urilen:60<>100; content:"|2e 20|HTTP/1."; fast_pattern:only; pcre:"/^\/(?=[A-Za-z_-]*?\d)(?=[a-z0-9_-]*?[A-Z])(?:[A-Za-z0-9_-]{4}){15,}(?:[[A-Za-z0-9_-]{2}\x2e?\x2e|[A-Za-z0-9_-]{3}\x2e)$/U"; classtype:trojan-activity; sid:2019176; rev:2; metadata:created_at 2014_09_15, updated_at 2014_09_15;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 16 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 8c bf 77 7c 33 77 06|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,5dd6e69b1e9049f295e314b523679d98; classtype:trojan-activity; sid:2019178; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_16, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malvertising Leading to EK Aug 19 2014 M4"; flow:established,from_server; content:"Server|3a 20|nginx|0d 0a|"; http_header; content:"X-Powered-By|3a 20|PHP"; http_header; content:"text/javascript"; http_header; file_data; content:"if|28|[removed].indexOf|28|"; within:27; fast_pattern; pcre:"/^\s*?[\x22\x27](?P<var>[^\x22\x27]+)[\x22\x27]\s*?\x29\s*?==\s*?-1\x29\x7b[^\r\n]*?document\.cookie\s*?=\s*?[\x22\x27](?P=var)\s*?\x3d\s*?[^\r\n]+?[\r\n]*?$/Rsi"; content:"iframe"; content:"top"; pcre:"/^\s*?[\x3a\x3d]\s*?[\x22\x27]?\-/Rsi"; content:"left"; pcre:"/^\s*?[\x3a\x3d]\s*?[\x22\x27]?\-/Rsi"; classtype:trojan-activity; sid:2019180; rev:2; metadata:created_at 2014_09_16, updated_at 2014_09_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Android CVE-2014-6041"; flow:from_server,established; file_data; content:"|5c|u000"; fast_pattern; pcre:"/^[a-f0-9]/Ri"; content:"javascript|3a|"; nocase; within:11; reference:url,1337day.com/exploit/22581; classtype:trojan-activity; sid:2019181; rev:5; metadata:created_at 2014_09_16, updated_at 2014_09_16;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Gate"; flow:established,from_server; file_data; content:"AgControl.AgControl"; content:"document.cookie.indexOf|28 22|xap|22 29|"; fast_pattern:10,20; content:"Math.random()|3b|"; classtype:trojan-activity; sid:2019183; rev:2; metadata:created_at 2014_09_16, updated_at 2014_09_16;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Silverlight Based Redirect"; flow:established,from_server; file_data; content:"AppManifest.xamlPK"; fast_pattern:only; content:"iframe.dllPK"; classtype:trojan-activity; sid:2019184; rev:2; metadata:created_at 2014_09_16, updated_at 2014_09_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Gate Sep 16 2014"; flow:established,from_server; file_data; content:"16.html"; fast_pattern:only; content:"etCookie"; content:"document.write(|27|<iframe"; pcre:"/^(?=(?:(?!<\/iframe>).)+?src\s*?=\s*?\x22http\x3a[^\x22]+16\.html\x22)(?=(?:(?!<\/iframe>).)+?left\s*?[\x3a\x3d]\s*?[\x22\x27]?\-)(?=(?:(?!<\/iframe>).)+?top\s*?[\x3a\x3d]\s*?[\x22\x27]?\-)(?:(?!<\/iframe>).)+?<\/iframe>\x27\x29/Rsi"; classtype:trojan-activity; sid:2019185; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_09_16, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 16 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e8 66 93 12 61 52 ba b4|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0b|Zatusim.com"; distance:1; within:12; reference:md5,2f52d3921613b2fe06c9eb9051d45e60; classtype:trojan-activity; sid:2019186; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_16, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK CVE-2013-2551 Sept 17 2014 "; flow:established,from_server; file_data; content:"|76 5c 3a 2a 7b 62 65 68 61 76 69 6f 72 3a 75 72 6c 28 23 64 65 66 61 75 6c 74 23 56 4d 4c 29 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d|"; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 75 6e 65 73 63 61 70 65 28|"; distance:0; content:"|3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 62 6c 61 63 6b|"; distance:0; classtype:trojan-activity; sid:2019188; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_09_17, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Nuclear EK CVE-2013-2551 URI Struct Sept 17 2014"; flow:established,to_server; content:"/14"; http_uri; content:".htm"; http_uri; distance:8; within:4; pcre:"/^\/[a-z0-9]+?(?:\/\d)?\/14\d{8}\.htm$/U"; pcre:"/^Referer\x3a[^\r\n]+?\/[a-f0-9A-Z\_\-]{14,}\.html(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2019189; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_09_17, malware_family Nuclear, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Page Sept 17 2014"; flow:established,from_server; file_data; content:"|41 63 74 69 76 65 58 4F 62 6A 65 63 74 28 22 4D 69 63 72 6F 73 22 2B 2F 2A|"; pcre:"/^[a-z0-9]+\x2A\x2F\x22\x6F\x66\x74\x2E/R"; classtype:trojan-activity; sid:2019193; rev:2; metadata:created_at 2014_09_18, updated_at 2014_09_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Nuclear EK Redirect Sept 18 2014"; flow:established,to_server; content:".php?ds="; http_uri; fast_pattern:only; content:"&dr="; http_uri; pcre:"/&dr=\d+$/U"; reference:url, blog.malwarebytes.org/exploits-2/2014/07/socialblade-com-compromised-starts-redirection-chain-to-nuclear-pack-exploit-kit/; classtype:trojan-activity; sid:2019194; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_09_18, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Nuclear EK Redirect Sept 18 2014"; flow:established,to_server; content:".php?acc="; http_uri; fast_pattern:only; content:"&nrk="; http_uri; pcre:"/&nrk=\d+$/U"; classtype:trojan-activity; sid:2019195; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_09_18, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Androm SSL Cert Sept 18 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; distance:0; content:"|09 00 bf 91 db e3 f1 fb 7c cc|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:md5,ca2f3e2568ac5c01ecf2747f778e13a1; classtype:trojan-activity; sid:2019196; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 19 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f8 69 16 89 bb bc f3 d7|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,1da03b89c25c9f8999edb8c1abb0c4ed; classtype:trojan-activity; sid:2019200; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_19, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK PDF Struct (no alert)"; flow:established,to_server; content:"/14"; http_uri; fast_pattern:only; pcre:"/\/14\d{8}(?:\.pdf)?$/U"; flowbits:set,et.Nuclear.PDF; flowbits:noalert; classtype:trojan-activity; sid:2019209; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_09_22, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK PDF"; flow:established,from_server; flowbits:isset,et.Nuclear.PDF; content:"Content-Disposition|3a|"; http_header; content:".pdf|0d 0a|"; http_header; fast_pattern:only; content:"X-Powered-By|3a|"; http_header; content:"nginx"; http_header; nocase; pcre:"/^Content-Disposition\x3a[^\r\n]+(?<!\W14\d{8})\.pdf\r?$/Hm"; file_data; content:"|25|PDF-1.6"; within:8; classtype:trojan-activity; sid:2019210; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_09_22, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 95 78 dc d3 77 1b bc 30|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,bf019054fced52ff03ed8d371dfd371d; classtype:trojan-activity; sid:2019213; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK 2013-3918"; flow:established,from_server; content:"X-Powered-By|3a|"; http_header; file_data; content:"C|3a 5c|Rock.png"; nocase; fast_pattern:only; content:"|7b|return"; pcre:"/^\s*?[A-Z0-9a-z\+]+?\s*?\x7d/R"; content:"|7d|function"; content:"|3b|function"; classtype:trojan-activity; sid:2019226; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_09_24, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Win32/Spy.Zbot.ACB SSL Cert Sept 24 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 99 56 02 06 27 f8 97 08|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,2ceda25b44378583dfb6df64b92ac654; classtype:trojan-activity; sid:2019227; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 26 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fb c0 73 38 d6 b1 99 a5|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,0fa515ad9fd1031b7a7891a46f72f122; classtype:trojan-activity; sid:2019275; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_26, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 26 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c5 86 50 03 11 16 99 16|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,75a2e3c9f8783dfc953f6aeb8a9eda2f; classtype:trojan-activity; sid:2019276; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_26, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert santa.my"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|www.santa.my"; distance:1; within:13; reference:md5,cfbfac0a9bf37b71e46ed43d95df4aec; classtype:trojan-activity; sid:2019277; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_09_26, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert glynwedasia.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|glynwedasia.com"; distance:1; within:16; reference:md5,cfbfac0a9bf37b71e46ed43d95df4aec; classtype:trojan-activity; sid:2019278; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_09_26, malware_family Upatre, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS BlackEnergy Possible SSL Cert Sept 26 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 88 91 e8 ca 54 bb 7d 10|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0b|5.79.80.166"; distance:1; within:12; reference:md5,1821351d67a3dce1045be09e88461fe9; classtype:trojan-activity; sid:2019282; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_26, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Job314 EK Landing"; flow:established,from_server; file_data; content:"|22|container|22|,|20 22|10|22|,"; fast_pattern:only; content:"swfobject.embedSWF"; nocase; pcre:"/^\s*?\x28\s*?(?P<q>[\x22\x27])(?:(?!(?P=q)).)+?(?P=q)\s*?\,\s*?[\x22\x27]container[\x22\x27]\s*?,\s*?[\x22\x27]10[\x22\x27]\s*?,\s*?[\x22\x27]10[\x22\x27],\s*?[\x22\x27]9\.0\.0[\x22\x27]\s*?,\s*?false\s*?,\s*?flashvars,\s*?params\s*?,\s*?attributes\s*?\x29\s*?\x3b\s*?<\/script>\s*?<\/head>/Rs"; classtype:trojan-activity; sid:2019287; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_09_26, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Possible Job314 EK JAR URI Struct"; flow:established,to_server; content:"Java/1."; http_header; fast_pattern:only; content:".pack.gz"; http_uri; pcre:"/^(?=(?:\/[a-z]+?)*?\/\d+\/)(?=(?:\/\d+?)*?\/[a-z]+?\/)(?:\/(?:[a-z]+|\d+)){4,}\/[a-z]+\.pack\.gz$/U"; classtype:trojan-activity; sid:2019288; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_09_26, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Upatre redirector GET Sept 29 2014"; flow:established,to_server; content:".php?h="; http_uri; fast_pattern; pcre:"/\.php\?h=\d+&w=\d+&ua=.+&e=1$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2019311; rev:1; metadata:created_at 2014_09_29, updated_at 2014_09_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Sep 29 2014"; flow:from_server,established; file_data; content:"|28 2f 5b 40 5c 2a 5c 2d 5d 2f 67 2c 27 27 29|"; fast_pattern:only; content:"return"; pcre:"/^\s[^\r\n]*?[\x28\x5b]\s*?[\x22\x27][^\x22\x27]?s[^\x22\x27]?u[^\x22\x27]?b[^\x22\x27]?s[^\x22\x27]?t[^\x22\x27]?r[^\x22\x27]?[\x22\x27]\s*?[\x29\x5d]\s*?(?:\x5d\s*?)?\x28/R"; classtype:trojan-activity; sid:2019315; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_09_29, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 30 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c3 04 eb 4f 91 0a 85 aa|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,a3dd0964ee346db49192836569b41203; classtype:trojan-activity; sid:2019319; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 30 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ba c8 fb e2 d7 61 26 81|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,27ec921595f9e05e7e8933e71d336fa7; classtype:trojan-activity; sid:2019320; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Upatre redirector 29 Sept 2014 - POST"; flow:established,to_server; content:"POST"; http_method; content:"h="; http_client_body; depth:3; content:"w="; http_client_body; within:8; content:"ua="; http_client_body; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2019321; rev:2; metadata:created_at 2014_09_30, updated_at 2014_09_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS suspicious embedded zip file in web page"; flow:established,to_client; file_data; content:"data|3a|"; nocase; content:"base64,UEsDB"; within:40; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2019324; rev:1; metadata:created_at 2014_09_30, updated_at 2014_09_30;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert mypreschool.sg"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|mypreschool.sg"; distance:1; within:15; reference:md5,f186984320d0cf0a4fd501e50c7a40c5; classtype:trojan-activity; sid:2019337; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_10_02, malware_family Upatre, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic CollectGarbage in Hex"; flow:established,from_server; file_data; content:"|5c|x43|5c|x6f|5c|x6c|5c|x6c|5c|x65|5c|x63|5c|x74|5c|x47|5c|x61|5c|x72|5c|x62|5c|x61|5c|x67|5c|x65"; nocase; classtype:trojan-activity; sid:2019338; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_10_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic URLENCODED CollectGarbage"; flow:established,from_server; file_data; content:"%43%6f%6c%6c%65%63%74%47%61%72%62%61%67%65"; classtype:trojan-activity; sid:2019339; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_10_02, updated_at 2016_07_01;)

alert tcp any any -> any [25,587] (msg:"ET CURRENT_EVENTS Possible ComputerCop Log Transmitted via SMTP"; flow:to_server,established; content:"Subject|3a 20|CCOP|20|"; nocase; fast_pattern:only; reference:url,www.eff.org/deeplinks/2014/09/computercop-dangerous-internet-safety-software-hundreds-police-agencies; classtype:trojan-activity; sid:2019340; rev:1; metadata:created_at 2014_10_02, updated_at 2014_10_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Cryptowall 2.0 DL URI Struct Oct 2 2014"; flow:to_server,established; content:"GET"; http_method; content:"/blog/"; http_uri; depth:6; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^\/blog\/[a-z0-9]+$/U"; pcre:"/^User-Agent\x3a[^\r\n]+(?:MSIE|rv\x3a11\.0)[^\r\n]+\r\nHost\x3a[^\r\n]+\r\nCache-Control\x3a\x20no-cache\r\n(?:\r\n)?$/H"; reference:url,malware-traffic-analysis.net/2014/10/01/index.html; classtype:trojan-activity; sid:2019341; rev:1; metadata:created_at 2014_10_02, updated_at 2014_10_02;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 3 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e 02 84 39 97 d9 ef df|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,27b8d15950022f53ca4ca7004932cf2b; classtype:trojan-activity; sid:2019342; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_03, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FAKEIE 11.0 Minimal Headers (flowbit set)"; flow:to_server,established; content:" rv|3a|11.0"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^User-Agent\x3a[^\r\n]+rv\x3a11\.0[^\r\n]+\r\nHost\x3a[^\r\n]+\r\nCache-Control\x3a\x20no-cache\r\n(?:\r\n)?$/H"; flowbits:set,FakeIEMinimal; flowbits:noalert; reference:url,malware-traffic-analysis.net/2014/10/01/index.html; classtype:trojan-activity; sid:2019343; rev:2; metadata:created_at 2014_10_03, updated_at 2017_02_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FAKEIE Minimal Headers (flowbit set)"; flow:to_server,established; content:"GET"; http_method; content:" MSIE "; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^User-Agent\x3a[^\r\n]+\sMSIE\s[^\r\n]+\r\nHost\x3a[^\r\n]+\r\nCache-Control\x3a\x20no-cache\r\n(?:\r\n)?$/H"; flowbits:set,FakeIEMinimal; flowbits:noalert; metadata: former_category CURRENT_EVENTS; reference:url,malware-traffic-analysis.net/2014/10/01/index.html; classtype:trojan-activity; sid:2019344; rev:3; metadata:created_at 2014_10_03, updated_at 2017_05_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CryptoLocker TorComponent DL"; flow:from_server,established; flowbits:isset,FakeIEMinimal; file_data; byte_extract:1,0,size,relative; content:"|00 00 00|"; within:3; content:!"|00|"; within:size; content:"|00|"; distance:size; within:1; pcre:"/^.\x00\x00\x00[a-z0-9]+?\x00/s"; reference:url,malware-traffic-analysis.net/2014/10/01/index.html; classtype:trojan-activity; sid:2019345; rev:1; metadata:created_at 2014_10_03, updated_at 2014_10_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Sweet Orange redirection 19 September 2014"; flow:to_client,established; file_data; content:"var ajax_data_source"; within:20; pcre:"/^\s*?=\s*?[\x22\x27](?!687474703a2f)[^\x22\x27]{0,10}6[^\x22\x27]{0,10}8[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}0[^\x22\x27]{0,10}3[^\x22\x27]{0,10}a[^\x22\x27]{0,10}2[^\x22\x27]{0,10}f/Ri"; flowbits:set,et.exploitkitlanding; reference:url,malware-traffic-analysis.net/2014/10/03/index.html; classtype:trojan-activity; sid:2019352; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Nuclear EK Payload URI Struct Oct 5 2014 (no alert)"; flow:established,to_server; content:"/14"; http_uri; fast_pattern:only; pcre:"/\/14\d{8}(?:\/\d+)*?(?:\/x[a-f0-9]+[\x3b0-9]*)?$/U"; flowbits:set,et.Nuclear.Payload; flowbits:noalert; classtype:trojan-activity; sid:2019358; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_10_06, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Payload URI Struct Oct 5 2014"; flow:established,from_server; flowbits:isset,et.Nuclear.Payload; content:".exe"; http_header; fast_pattern:only; content:"Content-Disposition|3a|"; http_header; pcre:"/^Content-Disposition\x3a.+?filename\s*?=\s*?[\x22\x27]?\d\.exe/Hm"; classtype:trojan-activity; sid:2019359; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_10_06, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Sednit EK Landing"; flow:established,from_server; file_data; content:"DetectFlashForMSIE()"; content:"DetectPdfForMSIE()"; content:"http|3a 2f 2f|localhost"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:trojan-activity; sid:2019367; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_10_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Sednit EK IE Exploit CVE-2014-1776 M1"; flow:established,from_server; file_data; content:"#default#VML"; fast_pattern:only; content:"dword2data"; content:"localhost"; content:".swf"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:trojan-activity; sid:2019368; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_10_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Sednit EK IE Exploit CVE-2014-1776 M2"; flow:established,from_server; file_data; content:"|5c|x3c|5c|x64|5c|x69|5c|x76|5c|x20|5c|x69|5c|x64|5c|x3d|5c|x22|5c|x6c|5c|x6f|5c|x6c|5c|x22"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:trojan-activity; sid:2019369; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_10_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Sednit EK IE Exploit CVE-2014-1776 M3"; flow:established,from_server; file_data; content:"1776_concat.swf"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:trojan-activity; sid:2019370; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_10_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Sednit EK IE Exploit CVE-2013-1347 M1"; flow:established,from_server; file_data; content:"SharePoint.OpenDocuments.3"; nocase; content:"SharePoint.OpenDocuments.4"; nocase; content:"|3a|ANIMATECOLOR "; nocase; content:"ms-help|3a 2f 2f|"; fast_pattern:only; nocase; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:trojan-activity; sid:2019371; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_10_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Sednit EK IE Exploit CVE-2013-1347 M2"; flow:established,from_server; file_data; content:"|75 6e 65 73 63 61 70 65 28 22 25 75 22 2b 22 39 30 22 20 2b 20 22 39 30 22 29|"; nocase; content:"|75 6e 65 73 63 61 70 65 28 22 25 75 22 2b 22 39 30 22 20 2b 20 22 39 30 22 29|"; nocase; distance:0; content:"|75 6e 65 73 63 61 70 65 28 22 25 75 22 2b 70 61 72 73 65 49 6e 74 28|"; content:"|2e 73 75 62 73 74 72 28 30 2c 32 29 2c 31 36 29 2e 74 6f 53 74 72 69 6e 67 28 31 36 29|"; distance:4; within:29; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:trojan-activity; sid:2019372; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_10_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic CollectGarbage in JJEncode (Observed in Sednit)"; flow:established,from_server; file_data; content:".__$+"; pcre:"/^(?P<sep>.{1,20})\.___\+(?P=sep)\._\$\$\+(?P=sep)\._\$\+\(\!\[\]\+\x22\x22\)\[(?P=sep)\._\$_\]\+\(\!\[\]\+\x22\x22\)\[(?P=sep)\._\$_\]\+(?P=sep)\.\$\$\$_\+(?P=sep)\.\$\$__\+(?P=sep)\.__\+\x22\x5c\x5c\x22\+(?P=sep)\.__\$\+(?P=sep)\.___\+(?P=sep)\.\$\$\$\+(?P=sep)\.\$_\$_\+\x22\x5c\x5c\x22\+(?P=sep)\.__\$\+(?P=sep)\.\$\$_\+(?P=sep)\._\$_\+(?P=sep)\.\$_\$\$\+(?P=sep)\.\$_\$_\+\x22\x5c\x5c\x22\+(?P=sep)\.__\$\+(?P=sep)\.\$__\+(?P=sep)\.\$\$\$\+(?P=sep)\.\$\$\$_\+/R"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:trojan-activity; sid:2019373; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_10_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Sednit EK IE Exploit CVE-2013-3897 M1"; flow:established,from_server; file_data; content:"|5c|x76|5c|x61|5c|x72|5c|x20|5c|x73|5c|x74|5c|x72|5c|x3d|5c|x75|5c|x6e|5c|x65|5c|x73|5c|x63|5c|x61|5c|x70|5c|x65|5c|x28|5c|x22|5c|x25|5c|x75|5c|x31|5c|x34|5c|x31|5c|x34|5c|x25|5c|x75|5c|x31|5c|x34|5c|x31|5c|x34|5c|x22|5c|x29|5c|x3b"; nocase; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:trojan-activity; sid:2019374; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_10_08, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Sweet Orange redirection Oct 8 2014"; flow:established,to_client; file_data; content:"String.fromCharCode(parseInt|28 28|"; pcre:"/^\s*?(?P<var1>[^\x29\x5b]+)\x5b\s*?(?P<cntr>[^\x5d]+)\s*?\x5d\s*?\+\s*?(?P=var1)\x5b\s*?(?P=cntr)\s*?\+\s*?1\s*?\x5d\s*?\x29\s*?,\s*?16\s*?\x29\s*?\^\s*?parseInt\x28\x28\s*?(?P<var2>[^\x29\x5b]+)\x5b\s*?(?P=cntr)\s*?\x5d\s*?\+\s*?(?P=var2)\x5b\s*?(?P=cntr)\s*?\+\s*?1\s*?\x5d\s*?\x29\s*?,\s*16\s*?\x29\x29\s*?\x3b\s*?(?P=cntr)\s*?\+=\s*?2\s*?\x3b/Rs"; reference:url,malware-traffic-analysis.net/2014/10/06/index2.html; classtype:trojan-activity; sid:2019375; rev:4; metadata:created_at 2014_10_08, updated_at 2014_10_08;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Napolar / Shifu SSL Cert Oct 9 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|19|secure.barrentomedear.com"; distance:1; within:26; metadata: former_category CURRENT_EVENTS; reference:md5,958804a1191cb281a3a967de17763cf4; classtype:trojan-activity; sid:2019376; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_09, updated_at 2018_03_21;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Win32/Zbot SSL Cert Oct 9 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 be cf d6 29 b3 79 8f e2|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,3a9f4fc34e121fc2e5c0d7775091714c; classtype:trojan-activity; sid:2019382; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_09, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible TWiki RCE attempt"; flow:established,to_server; content:"debugenableplugins="; http_uri; pcre:"/debugenableplugins=[a-zA-Z0-9]+?\x3b/U"; reference:url,twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236; reference:cve,2014-7236; classtype:attempted-admin; sid:2019385; rev:1; metadata:created_at 2014_10_09, updated_at 2014_10_09;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible TWiki Apache config file upload attempt"; flow:established,to_server; content:"POST"; http_method; content:"filename=|22 00|.htaccess"; http_client_body; reference:url,twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7237; reference:cve,2014-7237; classtype:attempted-admin; sid:2019386; rev:1; metadata:created_at 2014_10_09, updated_at 2014_10_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible SandWorm INF Download"; flow:to_client,established; file_data; content:"Software|5c|Microsoft|5c|Windows|5c|CurrentVersion|5c|Run"; nocase; content:"7EBEFBC0-3200-11d2-B4C2-00A0C9697D17"; nocase; content:"ClassGuid"; nocase; content:"DefaultInstall"; nocase; classtype:attempted-user; sid:2019395; rev:1; metadata:created_at 2014_10_14, updated_at 2014_10_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible SandWorm INF Download (UNICODE)"; flow:to_client,established; file_data; content:"S|00|o|00|f|00|t|00|w|00|a|00|r|00|e|00 5c 00|M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00 5c 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|C|00|u|00|r|00|r|00|e|00|n|00|t|00|V|00|e|00|r|00|s|00|i|00|o|00|n|00 5c 00|R|00|u|00|n|00|"; nocase; content:"7|00|E|00|B|00|E|00|F|00|B|00|C|00|0|00 2d 00|3|00|2|00|0|00|0|00 2d 00|1|00|1|00|d|00|2|00 2d 00|B|00|4|00|C|00|2|00 2d 00|0|00|0|00|A|00|0|00|C|00|9|00|6|00|9|00|7|00|D|00|1|00|7"; nocase; content:"C|00|l|00|a|00|s|00|s|00|G|00|u|00|i|00|d|00|"; nocase; content:"D|00|e|00|f|00|a|00|u|00|l|00|t|00|I|00|n|00|s|00|t|00|a|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:2019397; rev:1; metadata:created_at 2014_10_14, updated_at 2014_10_14;)

alert tcp $EXTERNAL_NET [445,139] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible SandWorm INF Download (SMB)"; flow:to_client,established; content:"Software|5c|Microsoft|5c|Windows|5c|CurrentVersion|5c|Run"; nocase; content:"7EBEFBC0-3200-11d2-B4C2-00A0C9697D17"; fast_pattern; nocase; content:"ClassGuid"; nocase; content:"DefaultInstall"; nocase; classtype:attempted-user; sid:2019398; rev:2; metadata:created_at 2014_10_14, updated_at 2014_10_14;)

alert tcp $EXTERNAL_NET [445,139] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible SandWorm INF Download (SMB UNICODE)"; flow:to_client,established; content:"S|00|o|00|f|00|t|00|w|00|a|00|r|00|e|00 5c 00|M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00 5c 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|C|00|u|00|r|00|r|00|e|00|n|00|t|00|V|00|e|00|r|00|s|00|i|00|o|00|n|00 5c 00|R|00|u|00|n|00|"; nocase; content:"7|00|E|00|B|00|E|00|F|00|B|00|C|00|0|00 2d 00|3|00|2|00|0|00|0|00 2d 00|1|00|1|00|d|00|2|00 2d 00|B|00|4|00|C|00|2|00 2d 00|0|00|0|00|A|00|0|00|C|00|9|00|6|00|9|00|7|00|D|00|1|00|7"; fast_pattern; nocase; content:"C|00|l|00|a|00|s|00|s|00|G|00|u|00|i|00|d|00|"; nocase; content:"D|00|e|00|f|00|a|00|u|00|l|00|t|00|I|00|n|00|s|00|t|00|a|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:2019399; rev:3; metadata:created_at 2014_10_14, updated_at 2014_10_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS PPT Download with Embedded OLE Object"; flow:established,from_server; flowbits:isset,et.http.PK; file_data; content:"ppt/embeddings/oleObject"; classtype:misc-activity; sid:2019405; rev:5; metadata:created_at 2014_10_15, updated_at 2014_10_15;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET CURRENT_EVENTS SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M1"; flow:established,to_server; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?B[\x0d\x0a]{0,2}w[\x0d\x0a]{0,2}d[\x0d\x0a]{0,2}C[\x0d\x0a]{0,2}9[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}b[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}J[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}G[\x0d\x0a]{0,2}R[\x0d\x0a]{0,2}p[\x0d\x0a]{0,2}b[\x0d\x0a]{0,2}m[\x0d\x0a]{0,2}d[\x0d\x0a]{0,2}z[\x0d\x0a]{0,2}L[\x0d\x0a]{0,2}2[\x0d\x0a]{0,2}9[\x0d\x0a]{0,2}s[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}U[\x0d\x0a]{0,2}9[\x0d\x0a]{0,2}i[\x0d\x0a]{0,2}a[\x0d\x0a]{0,2}m[\x0d\x0a]{0,2}V[\x0d\x0a]{0,2}j[\x0d\x0a]{0,2}d/R"; classtype:misc-activity; sid:2019406; rev:2; metadata:created_at 2014_10_15, updated_at 2014_10_15;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET CURRENT_EVENTS SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M2"; flow:established,to_server; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?c[\x0d\x0a]{0,2}H[\x0d\x0a]{0,2}B[\x0d\x0a]{0,2}0[\x0d\x0a]{0,2}L[\x0d\x0a]{0,2}2[\x0d\x0a]{0,2}V[\x0d\x0a]{0,2}t[\x0d\x0a]{0,2}Y[\x0d\x0a]{0,2}m[\x0d\x0a]{0,2}V[\x0d\x0a]{0,2}k[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}G[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}u[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}3[\x0d\x0a]{0,2}M[\x0d\x0a]{0,2}v[\x0d\x0a]{0,2}b[\x0d\x0a]{0,2}2[\x0d\x0a]{0,2}x[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}T[\x0d\x0a]{0,2}2[\x0d\x0a]{0,2}J[\x0d\x0a]{0,2}q[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}N[\x0d\x0a]{0,2}0/R"; classtype:misc-activity; sid:2019407; rev:1; metadata:created_at 2014_10_15, updated_at 2014_10_15;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET CURRENT_EVENTS SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M3"; flow:established,to_server; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?c[\x0d\x0a]{0,2}H[\x0d\x0a]{0,2}Q[\x0d\x0a]{0,2}v[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}1[\x0d\x0a]{0,2}i[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}R[\x0d\x0a]{0,2}k[\x0d\x0a]{0,2}a[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}5[\x0d\x0a]{0,2}n[\x0d\x0a]{0,2}c[\x0d\x0a]{0,2}y[\x0d\x0a]{0,2}9[\x0d\x0a]{0,2}v[\x0d\x0a]{0,2}b[\x0d\x0a]{0,2}G[\x0d\x0a]{0,2}V[\x0d\x0a]{0,2}P[\x0d\x0a]{0,2}Y[\x0d\x0a]{0,2}m[\x0d\x0a]{0,2}p[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}Y[\x0d\x0a]{0,2}3/R"; classtype:misc-activity; sid:2019408; rev:1; metadata:created_at 2014_10_15, updated_at 2014_10_15;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET CURRENT_EVENTS SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M4"; flow:established,to_server; content:"cHB0L2VtYmVkZGluZ3Mvb2xlT2JqZWN0"; classtype:misc-activity; sid:2019409; rev:1; metadata:created_at 2014_10_15, updated_at 2014_10_15;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET CURRENT_EVENTS SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M5"; flow:established,to_server; content:"cHQvZW1iZWRkaW5ncy9vbGVPYmplY3"; classtype:misc-activity; sid:2019410; rev:1; metadata:created_at 2014_10_15, updated_at 2014_10_15;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET CURRENT_EVENTS SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M6"; flow:established,to_server; content:"BwdC9lbWJlZGRpbmdzL29sZU9iamVjd"; classtype:misc-activity; sid:2019411; rev:1; metadata:created_at 2014_10_15, updated_at 2014_10_15;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 15 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d5 2e c1 9c b6 e5 96 7d|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,05823d6ec6d2a483f94ae1794a06c1a6; classtype:trojan-activity; sid:2019413; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_15, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET [443,465,993,995,25] -> $HOME_NET any (msg:"ET CURRENT_EVENTS excessive fatal alerts (possible POODLE attack against client)"; flow:from_server,established; ssl_version:sslv3; content:"|15 03 00 00|"; depth:4; byte_jump:2,3,post_offset -1; isdataat:!2,relative; threshold:type both, track by_dst, count 50, seconds 300; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:cve,2014-3566; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:policy-violation; sid:2019417; rev:4; metadata:created_at 2014_10_15, updated_at 2016_06_21;)

alert tcp $HOME_NET [443,465,993,995,25] -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SSL excessive fatal alerts (possible POODLE attack against server)"; flow:from_server,established; ssl_version:sslv3; content:"|15 03 00 00|"; depth:4; byte_jump:2,3,post_offset -1; isdataat:!2,relative; threshold:type both, track by_src, count 50, seconds 300; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:cve,2014-3566; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:attempted-recon; sid:2019418; rev:5; metadata:created_at 2014_10_15, updated_at 2014_10_15;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 15 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 aa 29 c6 1c 85 a5 85 33|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,38f4f489bd7e59ed91dc6ff95f37999f; classtype:trojan-activity; sid:2019419; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_15, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FlashPack Payload URI Struct Oct 16 2014"; flow:established,to_server; content:"/loxotrap.php"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2019456; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE1"; flow:established,to_server; content:"/YXJyYWtpczAy/"; http_uri; reference:url,github.com/hosom/bro-sandworm/blob/master/sandworm.sig; classtype:trojan-activity; sid:2019461; rev:1; metadata:created_at 2014_10_17, updated_at 2014_10_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE2"; flow:established,to_server; content:"/aG91c2VhdHJlaWRlczk0/"; http_uri; reference:url,github.com/hosom/bro-sandworm/blob/master/sandworm.sig; classtype:trojan-activity; sid:2019462; rev:1; metadata:created_at 2014_10_17, updated_at 2014_10_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE3"; flow:established,to_server; content:"/QmFzaGFyb2Z0aGVTYXJkYXVrYXJz/"; http_uri; reference:url,github.com/hosom/bro-sandworm/blob/master/sandworm.sig; classtype:trojan-activity; sid:2019463; rev:1; metadata:created_at 2014_10_17, updated_at 2014_10_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE4"; flow:established,to_server; content:"/U2FsdXNhU2VjdW5kdXMy/"; http_uri; reference:url,github.com/hosom/bro-sandworm/blob/master/sandworm.sig; classtype:trojan-activity; sid:2019464; rev:1; metadata:created_at 2014_10_17, updated_at 2014_10_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE5"; flow:established,to_server; content:"/ZXBzaWxvbmVyaWRhbmkw/"; http_uri; reference:url,github.com/hosom/bro-sandworm/blob/master/sandworm.sig; classtype:trojan-activity; sid:2019465; rev:1; metadata:created_at 2014_10_17, updated_at 2014_10_17;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Win32/Zbot SSL Cert Oct 17 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f6 a0 9e 7c 8c 25 3a d0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,ae773f234152fb5df1ab35116dbb82bd; classtype:trojan-activity; sid:2019470; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_17, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Job314 EK URI Exploit/Payload Struct"; flow:established,to_server; content:"?action="; http_uri; content:"&exp="; http_uri; fast_pattern:only; pcre:"/\?action=(?:pld|exp)&exp=/U"; classtype:trojan-activity; sid:2019479; rev:2; metadata:created_at 2014_10_20, updated_at 2014_10_20;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Job314 EK URI Landing Struct"; flow:established,to_server; content:".html?action=lnd"; http_uri; pcre:"/\?action=lnd$/U"; classtype:trojan-activity; sid:2019480; rev:1; metadata:created_at 2014_10_20, updated_at 2014_10_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Orca RAT URI Struct 1"; flow:established,to_server; content:"=1/"; http_uri; fast_pattern:only; pcre:"/^\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?$/U"; content:!"Referer|3a|"; http_header; content:"Accept-Encoding|3a|"; http_header; content:"User-Agent|3a|"; http_header; distance:0; pcre:"/^User-Agent\x3a\x20[^\r\n]+?(?: MSIE |rv\x3a11)/Hm"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html; classtype:trojan-activity; sid:2019481; rev:1; metadata:created_at 2014_10_20, updated_at 2014_10_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Orca RAT URI Struct 2"; flow:established,to_server; content:"=2/"; http_uri; fast_pattern:only; pcre:"/^\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?$/U"; content:!"Referer|3a|"; http_header; content:"Accept-Encoding|3a|"; http_header; content:"User-Agent|3a|"; http_header; distance:0; pcre:"/^User-Agent\x3a\x20[^\r\n]+?(?: MSIE |rv\x3a11)/Hm"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html; classtype:trojan-activity; sid:2019482; rev:1; metadata:created_at 2014_10_20, updated_at 2014_10_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Orca RAT URI Struct 3"; flow:established,to_server; content:"=1/"; http_uri; fast_pattern:only; pcre:"/^\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-Encoding|3a|"; http_header; pcre:"/^User-Agent\x3a\x20[^\r\n]+?(?: MSIE |rv\x3a11)/Hm"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html; classtype:trojan-activity; sid:2019483; rev:1; metadata:created_at 2014_10_20, updated_at 2014_10_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Orca RAT URI Struct 4"; flow:established,to_server; content:"=2/"; http_uri; fast_pattern:only; pcre:"/^\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-Encoding|3a|"; http_header; pcre:"/^User-Agent\x3a\x20[^\r\n]+?(?: MSIE |rv\x3a11)/Hm"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html; classtype:trojan-activity; sid:2019484; rev:1; metadata:created_at 2014_10_20, updated_at 2014_10_20;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Win32/Zbot SSL Cert Oct 21 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ca 38 a4 ec ec c1 f1 9a|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,1fedcd44951c3dfb861fa83ddcec2b84; classtype:trojan-activity; sid:2019485; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_21, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FlashPack Payload URI Struct Oct 22 2014"; flow:established,to_server; content:"/ldcigar.php"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2019487; rev:1; metadata:created_at 2014_10_22, updated_at 2014_10_22;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ca f1 2e 3e cb c1 4a c0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,f4c26252042b9d520cd832b8b4a66de0; classtype:trojan-activity; sid:2019493; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 8c 54 a8 06 20 b6 93 90|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,1754d4765a05e4637d2dcdbd1c28eaf1; classtype:trojan-activity; sid:2019494; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d6 cd df 4e c0 3c fc 13|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,5159780c47b8df01d5eb00d858b4d35a; classtype:trojan-activity; sid:2019495; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d1 be 1b e1 6a 4d bf 01|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,f66bf24aa5516e335873c758d007ed3c; classtype:trojan-activity; sid:2019496; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Gate Injected iframe Oct 22 2014"; flow:established,from_server; file_data; content:"|2f 2a 0a 43 6f 70 79 72 69 67 68 74 20 28 43 29 20 32 30 30 37 20 46 72 65 65 20 53 6f 66 74 77 61 72 65 20 46 6f 75 6e 64 61 74 69 6f 6e 2c 20 49 6e 63 2e 20 68 74 74 70 3a 2f 2f 66 73 66 2e 6f 72 67 2f 0a 2a 2f 0a 66 75 6e 63 74 69 6f 6e 20 67 65 74 43 6f 6f 6b 69 65 28 65 29|"; within:93; fast_pattern:73,20; classtype:trojan-activity; sid:2019497; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_10_23, malware_family Nuclear, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS SSL SinkHole Cert Possible Infected Host"; flow:established,from_server; content:"|14|www.kitchensinks.n0t"; nocase; classtype:trojan-activity; sid:2019503; rev:1; metadata:created_at 2014_10_24, updated_at 2014_10_24;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert Oct 24 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e6 91 76 a5 11 ca 47 2d|"; within:35; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|04|none"; distance:1; within:5; content:"|55 04 08|"; distance:0; content:"|0c|Someprovince"; distance:1; within:13; reference:md5,35f6b510f94bd96ed9bc44e1f7bf7f38; classtype:trojan-activity; sid:2019506; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_10_24, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert www.tradeledstore.co.uk"; flow:established,from_server; content:"|55 04 03|"; content:"|17|www.tradeledstore.co.uk"; distance:1; within:24; reference:md5,b12730a51341a8bfaa5c7d7e4421fe6c; classtype:trojan-activity; sid:2019507; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_10_24, malware_family Upatre, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 27 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ba 53 8e c8 a2 a1 6c 17|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,e5395918babb67b495a094040efff909; classtype:trojan-activity; sid:2019520; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 27 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fe d5 e3 3b b2 f8 4e f4|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,e5395918babb67b495a094040efff909; classtype:trojan-activity; sid:2019521; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 27 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 81 01 15 1a 78 7f e9 6e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,2841fb14060f579e46a301baf234a1e7; classtype:trojan-activity; sid:2019522; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 27 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e 10 4b 4c 47 43 e9 4b|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,bd3fd9f55900e2c63d5f4977053e8f68; classtype:trojan-activity; sid:2019523; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_27, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Potential Sofacy Phishing Redirect"; flow:established,to_client; file_data; content:"|22 5c|x6C|5c|x6F|5c|x63|5c|x61|5c|x74|5c|x69|5c|x6F|5c|x6E"; nocase; content:"window[_0x"; content:"[1]][_0x"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/phresh-phishing-against-government-defence-and-energy.html; classtype:trojan-activity; sid:2019540; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2014_10_28, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Likely SweetOrange EK Java Exploit Struct (JAR)"; flow:established,to_server; content:"Java/1."; http_header; fast_pattern:only; content:".jar"; http_uri; pcre:"/\/(?=[a-z0-9]{0,10}[A-Z])(?=[A-Z0-9]{0,10}[a-z])[A-Z-a-z0-9]{5,20}\.jar$/U"; classtype:trojan-activity; sid:2019542; rev:8; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Likely SweetOrange EK Flash Exploit URI Struct"; flow:established,to_server; content:"x-flash-version|3a|"; http_header; fast_pattern:only; pcre:"/\/(?=[a-z0-9]{0,10}[A-Z])(?=[A-Z0-9]{0,10}[a-z])[A-Z-a-z0-9]{5,11}$/U"; pcre:"/^Referer\x3a[^\r\n]+\x3a\d{1,5}\/[^\r\n]*?[a-z]+?\.php\?[a-z]+?=\d/Hm"; classtype:trojan-activity; sid:2019543; rev:1; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Possible Sweet Orange Flash/IE Payload Request"; flow:established,to_server; urilen:>50; content:".php?"; http_uri; fast_pattern:only; pcre:"/^\/[a-z\_\-]{4,10}\.php\?([a-z\_\-]{0,10}=\d{1,3}&){3,}[a-z\_\-]{4,10}=-?\d+$/U"; content:!"Accept"; http_header; content:!"User-Agent"; http_header; content:!"Referer"; http_header; flowbits:set,et.SweetOrangeURI; flowbits:noalert; classtype:trojan-activity; sid:2019544; rev:5; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FlashPack EK Plugin-Detect Post"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"=0oPDPAP6Prooodj"; http_client_body; fast_pattern; classtype:trojan-activity; sid:2019594; rev:1; metadata:created_at 2014_10_29, updated_at 2014_10_29;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FlashPack Payload Download Oct 29"; flow:established,to_server; content:"/lofla1.php"; http_uri; classtype:trojan-activity; sid:2019595; rev:1; metadata:created_at 2014_10_29, updated_at 2014_10_29;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlashPack Secondary Landing Oct 29"; flow:established,from_server; file_data; content:"Windows%20"; within:10; content:"<br>|0d 0a|"; within:10; pcre:"/^\d/R"; content:"FlashVars=|22|exec="; pcre:"/^(?!687474703a2f2f)(?P<h>[a-f0-9]{2})(?P<t>[a-f0-9]{2})(?P=t)(?P<p>[a-f0-9]{2})(?P<colon>[a-f0-9]{2})(?P<slash>[a-f0-9]{2})(?P=slash)/R"; classtype:trojan-activity; sid:2019596; rev:1; metadata:created_at 2014_10_29, updated_at 2014_10_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY FakeSupport - Landing Page - Windows Firewall Warning"; flow:established,to_client; file_data; content:"<title>Windows Firewall warning!</title>"; nocase; classtype:trojan-activity; sid:2019597; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_10_29, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY FakeSupport - URI - windows-firewall.png"; flow:established,to_server; content:"windows-firewall.png"; http_uri; classtype:trojan-activity; sid:2019598; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_10_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY FakeSupport - Landing Page - Operating System Check"; flow:established,to_client; file_data; content:"<title>Operating System Check</title>"; classtype:trojan-activity; sid:2019599; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_10_29, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Likely SweetOrange EK Java Exploit Struct (JNLP)"; flow:established,to_server; content:"Java/1."; http_header; fast_pattern:only; content:".jnlp"; http_uri; pcre:"/\/(?=[a-z]*?[A-Z])(?=[A-Z]*?[a-z])[A-Z-a-z]{18}\.jnlp$/U"; classtype:trojan-activity; sid:2019600; rev:1; metadata:created_at 2014_10_30, updated_at 2014_10_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Win32/Trustezeb.J SSL Cert Oct 30 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|17|bestofthebestrussia.com"; distance:1; within:24; reference:md5,2d8211ad47b36893b6e1b3fdceb00012; classtype:trojan-activity; sid:2019605; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fiesta Java Exploit/Payload URI Struct"; flow:established,to_server; urilen:69<>100; content:"Java/1."; http_header; fast_pattern; content:!"="; http_uri; content:!"&"; http_uri; pcre:"/\/\??[a-f0-9]{60,}(?:\x3b\d+){1,4}$/U"; classtype:trojan-activity; sid:2019611; rev:6; metadata:created_at 2014_10_31, updated_at 2014_10_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fiesta Flash Exploit URI Struct"; flow:established,to_server; urilen:>68; content:"|3b|1"; http_uri; offset:60; content:"|3b|"; http_uri; distance:5; within:1; content:!"="; http_uri; content:!"&"; http_uri; pcre:"/\/\??[a-f0-9]{60,}\x3b1\d{5}\x3b\d{1,3}$/U"; classtype:trojan-activity; sid:2019612; rev:6; metadata:created_at 2014_10_31, updated_at 2014_10_31;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fiesta SilverLight 4.x Exploit URI Struct"; flow:established,to_server; urilen:>68; content:"|3b|4"; http_uri; offset:60; pcre:"/\/\??[a-f0-9]{60,}\x3b4[0-1]\d{5}$/U"; classtype:trojan-activity; sid:2019623; rev:1; metadata:created_at 2014_11_03, updated_at 2014_11_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fiesta SilverLight 5.x Exploit URI Struct"; flow:established,to_server; urilen:>68; content:"|3b|5"; http_uri; offset:60; pcre:"/\/\??[a-f0-9]{60,}\x3b5[0-1]\d{5}$/U"; classtype:trojan-activity; sid:2019624; rev:1; metadata:created_at 2014_11_03, updated_at 2014_11_03;)

alert tcp $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing Nov 3 2014"; flow:established,to_client; file_data; content:"|61 72 73 79 6d 5b 30 5d 3d 22 65 6e 74 22 3b|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2019634; rev:5; metadata:created_at 2014_11_04, updated_at 2014_11_04;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Win32.Zbot.umpz SSL Cert Nov 4 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|16|boogermanshoptools.net"; distance:1; within:33; reference:md5,c6796076a24f35119ebe441725ec9da7; classtype:trojan-activity; sid:2019639; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_04, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil EK Redirector Cookie Nov 03 2014"; flow:established,from_server; content:"ruarc="; fast_pattern:only; content:"ruarc="; depth:6; http_cookie; classtype:trojan-activity; sid:2019638; rev:3; metadata:created_at 2014_11_04, updated_at 2014_11_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Sweet Orange redirection Nov 4 2014"; flow:established,from_server; file_data; content:"var main_request_data_content"; within:29; fast_pattern:9,20; pcre:"/^\s*?=\s*?[\x22\x27](?!687474703a2f)[^\x22\x27]{0,10}6[^\x22\x27]{0,10}8[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}0[^\x22\x27]{0,10}3[^\x22\x27]{0,10}a[^\x22\x27]{0,10}2[^\x22\x27]{0,10}f/Ri"; flowbits:set,et.exploitkitlanding; reference:url,malware-traffic-analysis.net/2014/10/27/index2.html; classtype:trojan-activity; sid:2019642; rev:1; metadata:created_at 2014_11_04, updated_at 2014_11_04;)

#alert tcp $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Sweet Orange Landing Nov 3 2014"; flow:established,to_client; file_data;  content:"class=|22|green_class|22|"; pcre:"/^[^>\r\n<]+>[A-Za-z]{70}/R"; classtype:trojan-activity; sid:2019643; rev:2; metadata:created_at 2014_11_04, updated_at 2014_11_04;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing Nov 04 2013"; flow:from_server,established; file_data; content:"|20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3e|"; fast_pattern:only; content:"|20|id=|22|"; pcre:"/^(?=[a-z]{0,7}[A-Z])(?=[A-Z]{0,7}[a-z])[A-Za-z]{8}\x22[^>]+?>[A-Za-z]{70}/Rs"; classtype:trojan-activity; sid:2019647; rev:5; metadata:created_at 2014_11_05, updated_at 2014_11_05;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Nov 05 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e9 49 68 e1 31 97 48 3f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,c078788d86c653f428fc3a62dd030ede; classtype:trojan-activity; sid:2019651; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_05, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Win32/Trustezeb.E SSL Cert Nov 05 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|easy-access.me"; distance:1; within:15; reference:md5,b648562ee817b3635fa7725afe28577c; classtype:trojan-activity; sid:2019652; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_05, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Landing Nov 05 2014"; flow:from_server,established; file_data; content:"=|27|c"; pcre:"/^(?:\x27\s*?\+\s*?\x27)?h(?:\x27\s*?\+\s*?\x27)?a(?:\x27\s*?\+\s*?\x27)?r(?:\x27\s*?\+\s*?\x27)?A(?:\x27\s*?\+\s*?\x27)?/R"; content:"t|27 3b|return"; within:9; fast_pattern; content:".indexOf"; pcre:"/^\s*?\x28\s*?[a-z0-9]{4,6}\s*?\x28\s*?[a-z0-9]{1,3}\s*?,\s*?[a-z0-9]{1,3}\s*?\x29\s*?\x29\s*?\x3b\s*?(?P<var>[a-z0-9]{1,3})\s*?\x3d\s*?\x28\s*?(?P=var)\s*?\x2b\s*?[a-z0-9]{1,3}\s*?\x29\s*?\x25\s*?[a-z0-9]{1,3}\.length\x3b/R"; classtype:trojan-activity; sid:2019655; rev:5; metadata:created_at 2014_11_05, updated_at 2014_11_05;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Archie EK Exploit Flash URI Struct"; flow:established,to_server; content:"flashhigh.swf"; http_uri; fast_pattern:only; pcre:"/^\/[^\x2f]*?flashhigh\.swf$/U"; classtype:trojan-activity; sid:2019656; rev:1; metadata:created_at 2014_11_05, updated_at 2014_11_05;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Archie EK Exploit Flash URI Struct"; flow:established,to_server; content:"flashlow.swf"; http_uri; fast_pattern:only; pcre:"/^\/[^\x2f]*?flashlow\.swf$/U"; classtype:trojan-activity; sid:2019657; rev:1; metadata:created_at 2014_11_05, updated_at 2014_11_05;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Archie EK Exploit SilverLight URI Struct"; flow:established,to_server; content:"silverapp1.xap"; http_uri; fast_pattern:only; pcre:"/^\/[^\x2f]*?silverapp1\.xap$/U"; classtype:trojan-activity; sid:2019658; rev:3; metadata:created_at 2014_11_05, updated_at 2014_11_05;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Archie EK Exploit IE URI Struct"; flow:established,to_server; content:"iebasic.html"; http_uri; fast_pattern:only; pcre:"/^\/[^\x2f]*?iebasic\.html$/U"; classtype:trojan-activity; sid:2019659; rev:1; metadata:created_at 2014_11_05, updated_at 2014_11_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Nuclear SilverLight URI Struct (noalert)"; flow:established,to_server; content:"/14"; http_uri; fast_pattern:only; pcre:"/\/14\d{8}(?:\.xap)?$/U"; flowbits:set,et.Nuclear.SilverLight; flowbits:noalert; classtype:trojan-activity; sid:2019668; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_11_06, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear SilverLight Exploit"; flow:established,from_server; flowbits:isset,et.Nuclear.SilverLight; file_data; content:"PK"; within:2; content:"AppManifest.xaml"; classtype:trojan-activity; sid:2019669; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_11_06, malware_family Nuclear, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> [216.157.99.0/24,72.51.32.0/20,76.74.152.0/21] $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible HanJuan EK Flash Payload DL"; flow:to_server,established; content:"/"; http_uri; content:".php"; http_uri; fast_pattern; within:11; pcre:"/\/[a-z]{3,7}\.php$/U"; content:!"User-Agent"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; content:"Cache-Control|3a|"; http_header; classtype:trojan-activity; sid:2019672; rev:1; metadata:created_at 2014_11_07, updated_at 2014_11_07;)

#alert tcp $HOME_NET any -> [216.157.99.0/24,72.51.32.0/20,76.74.152.0/21] $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible HanJuan EK URI Struct Actor Specific"; flow:to_server,established; content:"?zho="; http_uri; fast_pattern:only; pcre:"/\/(?:[a-z0-9]{1,7}\.php)?\?zho=/U"; classtype:trojan-activity; sid:2019673; rev:1; metadata:created_at 2014_11_07, updated_at 2014_11_07;)

#alert tcp $HOME_NET any -> [216.157.99.0/24,72.51.32.0/20,76.74.152.0/21] $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible HanJuan Flash Exploit"; flow:to_server,established; content:".swf"; http_uri; fast_pattern:only; pcre:"/^\/(?:[a-z0-9]{3,7}\/)?[a-z]{3,7}\.swf$/U"; classtype:trojan-activity; sid:2019674; rev:1; metadata:created_at 2014_11_07, updated_at 2014_11_07;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible HanJuan EK Actor Specific Injected iframe"; flow:from_server,established; content:"|3c 6c 69 20 63 6c 61 73 73 3d 22 69 73 2d 6e 65 77 22 3e|"; nocase; content:"|22 20 63 6c 61 73 73 3d 22 74 6f 6f 6c 74 69 70 22 20 74 69 74 6c 65 3d 22 22 3e|"; nocase; distance:0; content:"<iframe"; nocase; distance:0; content:" vspace="; nocase; content:"0"; within:3; content:" hspace="; content:"0"; within:3; content:" marginwidth="; content:"0"; within:3; content:"|3c 6c 69 20 63 6c 61 73 73 3d 22 69 73 2d 6e 65 77 22 3e|"; nocase; distance:0; classtype:trojan-activity; sid:2019675; rev:1; metadata:created_at 2014_11_07, updated_at 2014_11_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Payload URI Struct Nov 07 2014"; flow:established,from_server; flowbits:isset,et.Nuclear.Payload; content:".dll"; http_header; fast_pattern:only; content:"Content-Disposition|3a|"; http_header; pcre:"/^Content-Disposition\x3a.+?filename\s*?=\s*?[\x22\x27]?\d\.dll/Hm"; classtype:trojan-activity; sid:2019676; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_11_07, malware_family Nuclear, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Archie EK Exploit Flash URI Struct"; flow:established,to_server; content:"prancerBlit15xa.swf"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2019677; rev:1; metadata:created_at 2014_11_07, updated_at 2014_11_07;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil EK Redirector Cookie Nov 07 2014"; flow:established,from_server; content:"usid=sid|3a 7b 27|"; fast_pattern:only; reference:url,blog.malwarebytes.org/malvertising-2/2014/11/the-proof-is-in-the-cookie/; classtype:trojan-activity; sid:2019684; rev:2; metadata:created_at 2014_11_07, updated_at 2014_11_07;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Operation Huyao Landing Page Nov 07 2014"; flow:established,to_server; content:"/tslyphper"; fast_pattern:only; http_uri; pcre:"/\/tslyphper(?:[A-Za-z0-9+/-_]{4})*(?:[A-Za-z0-9+/-_]{2}==|[A-Za-z0-9+/-_]{3}=|[A-Za-z0-9+/-_]{4})\.html$/U"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-phishing-technique-outfoxes-site-owners-operation-huyao/; classtype:trojan-activity; sid:2019681; rev:2; metadata:created_at 2014_11_07, updated_at 2014_11_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Operation Huyao Phishing Page Nov 07 2014"; flow:established,to_server; content:"/cart.php?site="; fast_pattern:only; http_uri; content:"&p="; http_uri; content:"&nm="; http_uri; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-phishing-technique-outfoxes-site-owners-operation-huyao/; classtype:trojan-activity; sid:2019682; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2014_11_07, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Archie EK Landing URI Struct"; flow:established,to_server; urilen:15; content:"/abhgtnedg.html"; http_uri; classtype:trojan-activity; sid:2019685; rev:1; metadata:created_at 2014_11_10, updated_at 2014_11_10;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Job314 EK Landing Nov 10 2014"; flow:established,to_client; file_data; content:"embedSWF(|22|index.swf?action=swf|22|"; fast_pattern:11,20; content:"src=|22|index.js?action=swfobject|22|"; classtype:trojan-activity; sid:2019689; rev:2; metadata:created_at 2014_11_10, updated_at 2014_11_10;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Archie EK Landing Nov 10 2014"; flow:established,to_client; file_data; content:"xmlhttp.open(|22|POST|22|, |22|/foo|22|, false)|3b|"; fast_pattern:16,20; content:"xmlhttp.send(sendstr)|3b|"; distance:0; classtype:trojan-activity; sid:2019690; rev:2; metadata:created_at 2014_11_10, updated_at 2014_11_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Dridex Campaign Download Nov 11 2014"; flow:established,to_server; content:"/bin.exe"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\/bin\.exe$/U"; classtype:trojan-activity; sid:2019696; rev:1; metadata:created_at 2014_11_11, updated_at 2014_11_11;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Dridex Campaign Download Nov 11 2014"; flow:established,to_server; content:"/get/get.php"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\/get\/get\.php$/U"; classtype:trojan-activity; sid:2019697; rev:1; metadata:created_at 2014_11_11, updated_at 2014_11_11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Win32/Zbot SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d1 9e 51 1d eb 97 c1 ea|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|08|Sometown"; distance:1; within:9; reference:md5,37f927437de627777c5b571fc46fb218; classtype:trojan-activity; sid:2019698; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a9 e0 8a 96 fb 4a 1b b6|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019699; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e6 65 21 19 a2 a2 9e 6e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019700; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fa 3d b1 87 b3 12 ff 2f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019701; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 e8 67 40 49 01 84 b1|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019702; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9b c4 77 4f 2c d1 50 37|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019703; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Nov 12 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b0 48 5c e9 94 c7 59 03|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,31536d977dfc0e158d8f7a365c0543ec; classtype:trojan-activity; sid:2019705; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_12, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile"; flow:established,to_server; content:"/"; http_uri; content:".exe"; distance:1; within:8; fast_pattern; http_uri; content:!"Referer|3a 20|"; nocase; http_header; content:!"download.bitdefender.com|0d 0a|"; http_header; content:!".appspot.com|0d 0a|"; http_header; nocase; pcre:"/\/[A-Z]?[a-z]{1,3}[0-9]?\.exe$/U"; content:!"kaspersky.com|0d 0a|"; http_header; content:!".sophosxl.net"; http_header; content:!"koggames"; http_header; classtype:bad-unknown; sid:2019714; rev:7; metadata:created_at 2014_11_14, updated_at 2017_02_03;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Nov 17 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a6 9e 89 2a 06 f4 80 5f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,b7214b7ff246175e7b6bbe2db600f98e; classtype:trojan-activity; sid:2019719; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_17, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Archie EK Landing Nov 17 2014"; flow:established,from_server; file_data; content:"flash_run2"; nocase; content:"silver_run"; nocase; content:"msie_run"; nocase; classtype:trojan-activity; sid:2019722; rev:1; metadata:created_at 2014_11_17, updated_at 2014_11_17;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Archie EK Landing Nov 17 2014 M2"; flow:established,from_server; file_data; content:"|66 66 62 67 72 6e 74 68 35 77 65 28 61 29|"; classtype:trojan-activity; sid:2019723; rev:1; metadata:created_at 2014_11_17, updated_at 2014_11_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Archie EK Flash Exploit URI Struct Nov 17 2014"; flow:established,to_server; content:"/5c5390116e606055c51b2c86340beb2bd1668f6e3bbf56240a01d43db5ac6b9d.swf"; http_uri; classtype:trojan-activity; sid:2019724; rev:1; metadata:created_at 2014_11_17, updated_at 2014_11_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Archie EK Flash Exploit URI Struct 2 Nov 17 2014"; flow:established,to_server; content:"/6896a114d0047db5679d5da0be7eb87d77ef59ed49ef942e7b74f60fb3df2ce3.swf"; http_uri; classtype:trojan-activity; sid:2019725; rev:1; metadata:created_at 2014_11_17, updated_at 2014_11_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Archie EK Landing URI Struct 2 Nov 17 2014"; flow:established,to_server; content:"/9e675626486f3804603227533ab83b26f4a95a0c4f5eebbc00507558da27edc0.html"; http_uri; classtype:trojan-activity; sid:2019726; rev:1; metadata:created_at 2014_11_17, updated_at 2014_11_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NullHole EK Exploit URI Struct"; flow:established,to_server; urilen:>34; content:"/"; offset:33; depth:1; http_uri; content:"Cookie|3a 20|nhweb="; fast_pattern; pcre:"/^\/[a-f0-9]{32}\/(?=[a-z]*?[A-Z])(?=[A-Z]*?[a-z])[A-Za-z]+\.(?:html|jar|swf)$/U"; classtype:trojan-activity; sid:2019727; rev:1; metadata:created_at 2014_11_17, updated_at 2014_11_17;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SPL2 EK Landing Nov 18 2014"; flow:established,from_server; file_data; content:"v|3a|stroke id=|27|beg|27|"; fast_pattern:only; content:"<h1>Forbidden</h1>"; classtype:trojan-activity; sid:2019742; rev:3; metadata:created_at 2014_11_18, updated_at 2014_11_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SPL2 EK PluginDetect Data Hash Nov 18 2014"; flow:to_server,established; content:".html?"; http_uri; fast_pattern:only; content:"-"; http_uri; pcre:"/\/[a-z]+?-[a-z]+?-[a-z]+?\.html\?[a-z]+\d*?=[a-f0-9]{32}$/U"; content:"GET "; pcre:"/^[^\r\n]*?(?P<name>\/[^\.\/]+\.html)\?[a-z]+?\d*?=[a-f0-9]{32}\sHTTP\/1\..+?\r\nReferer\x3a\x20[^\r\n]*?(?P=name)(?:\d{1,5})?\r\n/Rs"; classtype:trojan-activity; sid:2019743; rev:4; metadata:created_at 2014_11_18, updated_at 2014_11_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SPL2 EK JS HashLib Nov 18 2014"; flow:to_server,established; urilen:8; content:"/mdd5.js"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2019744; rev:2; metadata:created_at 2014_11_18, updated_at 2014_11_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SPL2 EK Flash Exploit Nov 18 2014"; flow:to_server,established; content:"/Drop2"; http_uri; fast_pattern:only; pcre:"/^\/Drop2(?:-\d+)\.swf$/U"; classtype:trojan-activity; sid:2019745; rev:1; metadata:created_at 2014_11_18, updated_at 2014_11_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SweetOrange EK Landing Nov 19 2014"; flow:established,from_server; file_data;  content:"|6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 76 61 72 70 72 6f 74 3d 5b|"; classtype:trojan-activity; sid:2019751; rev:5; metadata:created_at 2014_11_20, updated_at 2014_11_20;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Possible Sweet Orange CVE-2014-6332 Payload Request"; flow:established,to_server; content:"GET /"; depth:5; content:".php?"; distance:0; content:"HTTP/1."; distance:0; pcre:"/^GET \/[a-z\_\-]{4,10}\.php\?(?:[a-z\_\-]{0,10}=\d+?&){3,}[a-z\_\-]{4,10}=-?[a-z0-9]+ HTTP\/1\./"; content:!"Referer|3a|"; distance:0; content:"User-Agent|3a|"; distance:0; pcre:"/^[^\r\n]+?WinHttp.WinHttpRequest/R"; content:"WinHttp.WinHttpRequest"; fast_pattern:only; flowbits:set,et.SweetOrangeURI; classtype:trojan-activity; sid:2019752; rev:8; metadata:created_at 2014_11_20, updated_at 2014_11_20;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible FlashPack (FlashOnly) Payload Struct Nov 19 2014"; flow:established,to_server; content:"GET"; http_method; content:"/load.php"; http_uri; fast_pattern:only; pcre:"/^\/[a-z0-9]+\/load\.php$/U"; content:!"User-Agent|3a|"; http_header; content:!"Accept|3a|"; http_header; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2019753; rev:1; metadata:created_at 2014_11_20, updated_at 2014_11_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF"; flow:established,from_server; flowbits:isset,et.Nuclear.SWF; content:"Content-Disposition|3a|"; http_header; content:".swf"; http_header; content:"X-Powered-By|3a|"; http_header; pcre:"/^Content-Disposition\x3a[^\r\n]+\.swf/Hm"; content:"CWS"; classtype:trojan-activity; sid:2019765; rev:13; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_11_21, malware_family Nuclear, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FlashPack Flash Exploit Nov 20 2014"; flow:established,to_server; content:"/Main.swf"; http_uri; content:"/gate.php"; http_header; pcre:"/^Referer\x3a[^\r\n]+\/gate.php\r$/Hm"; classtype:trojan-activity; sid:2019766; rev:2; metadata:created_at 2014_11_21, updated_at 2014_11_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Archie EK T2 Landing Struct Nov 20 2014"; flow:established,to_server; urilen:70; content:".html"; http_uri; offset:65; depth:5; pcre:"/^\/[a-f0-9]{64}\.html$/U"; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a|\r?\n)/Hmi"; classtype:trojan-activity; sid:2019769; rev:4; metadata:created_at 2014_11_21, updated_at 2014_11_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Archie EK T2 PD Struct Nov 20 2014"; flow:established,to_server; urilen:68; content:".js"; http_uri; offset:65; depth:3; pcre:"/^\/[a-f0-9]{64}\.js$/U"; pcre:"/^Referer\x3a[^\r\n]+\x3a\d{1,5}\/[a-f0-9]{64}\.html\r$/Hm"; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a|\r?\n)/Hmi"; classtype:trojan-activity; sid:2019768; rev:5; metadata:created_at 2014_11_21, updated_at 2014_11_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Archie EK T2 SWF Exploit Struct Nov 20 2014"; flow:established,to_server; urilen:69; content:".swf"; http_uri; offset:65; depth:4; pcre:"/^\/[a-f0-9]{64}\.swf$/U"; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a/Hmi"; classtype:trojan-activity; sid:2019770; rev:4; metadata:created_at 2014_11_21, updated_at 2014_11_21;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Internet Explorer CVE-2014-6332 Common Construct b64 1 (Observed in Archie EK)"; flow:established,from_server; content:"Y2hydygwMSkmY2hydygyMTc2KSZjaHJ3KDAxKSZjaHJ3KDAwK"; reference:cve,2014-6332; classtype:attempted-user; sid:2019773; rev:1; metadata:created_at 2014_11_24, updated_at 2014_11_24;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Internet Explorer CVE-2014-6332 Common Construct b64 2 (Observed in Archie EK)"; flow:established,from_server; content:"NocncoMDEpJmNocncoMjE3NikmY2hydygwMSkmY2hydygwMC"; reference:cve,2014-6332; classtype:attempted-user; sid:2019774; rev:1; metadata:created_at 2014_11_24, updated_at 2014_11_24;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Internet Explorer CVE-2014-6332 Common Construct b64 3 (Observed in Archie EK)"; flow:established,from_server; content:"jaHJ3KDAxKSZjaHJ3KDIxNzYpJmNocncoMDEpJmNocncoMDAp"; reference:cve,2014-6332; classtype:attempted-user; sid:2019775; rev:1; metadata:created_at 2014_11_24, updated_at 2014_11_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful AOL/PayPal Phish Nov 24 2014"; flow:established,to_server; content:"POST"; http_method; content:"1="; http_client_body; content:"2="; http_client_body; content:"submit.x=Login"; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2019781; rev:3; metadata:created_at 2014_11_24, updated_at 2017_10_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful PayPal Phish Nov 24 2014"; flow:established,to_server; content:"_fn="; http_client_body; content:"_ln="; http_client_body; content:"_birthd="; http_client_body; fast_pattern:only; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2019782; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2014_11_24, updated_at 2017_08_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Paypal Phish Nov 24 2014 "; flow:established,to_server; content:"_fulln="; http_client_body; fast_pattern:only; content:"_ccn="; http_client_body; content:"_ccv="; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2019783; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2014_11_24, updated_at 2017_08_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Paypal Phish Nov 24 2014"; flow:established,to_server; content:"_bkid="; http_client_body; content:"_bkpass="; http_client_body; fast_pattern:only; content:"_accn="; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2019784; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2014_11_24, updated_at 2017_08_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS PayPal Phishing Landing Nov 24 2014"; flow:established,to_client; file_data; content:"<title>Login - PayPal</title>"; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2019785; rev:3; metadata:created_at 2014_11_24, updated_at 2017_10_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Internet Explorer CVE-2014-6332 Common Construct URLENCODE"; flow:established,from_server; file_data; content:"%63%68%72%77%28%30%31%29%26%63%68%72%77%28%32%31%37%36%29%26%63%68%72%77%28%30%31%29%26%63%68%72%77%28%30%30%29"; reference:cve,2014-6332; classtype:attempted-user; sid:2019792; rev:1; metadata:created_at 2014_11_24, updated_at 2014_11_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Internet Explorer CVE-2014-6332 Common Construct HEX"; flow:established,from_server; file_data; content:"63687277283031292663687277283231373629266368727728303129266368727728303029"; reference:cve,2014-6332; classtype:attempted-user; sid:2019793; rev:1; metadata:created_at 2014_11_24, updated_at 2014_11_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Internet Explorer CVE-2014-6332 Common Construct HEXC"; flow:established,from_server; file_data; content:"63,68,72,77,28,30,31,29,26,63,68,72,77,28,32,31,37,36,29,26,63,68,72,77,28,30,31,29,26,63,68,72,77,28,30,30,29"; reference:cve,2014-6332; classtype:attempted-user; sid:2019794; rev:1; metadata:created_at 2014_11_24, updated_at 2014_11_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Internet Explorer CVE-2014-6332 Common Construct HEXCS"; flow:established,from_server; file_data; content:"63, 68, 72, 77, 28, 30, 31, 29, 26, 63, 68, 72, 77, 28, 32, 31, 37, 36, 29, 26, 63, 68, 72, 77, 28, 30, 31, 29, 26, 63, 68, 72, 77, 28, 30, 30, 29"; reference:cve,2014-6332; classtype:attempted-user; sid:2019795; rev:1; metadata:created_at 2014_11_24, updated_at 2014_11_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Internet Explorer CVE-2014-6332 Common Construct DECC"; flow:established,from_server; file_data; content:"99,104,114,119,40,48,49,41,38,99,104,114,119,40,50,49,55,54,41,38,99,104,114,119,40,48,49,41,38,99,104,114,119,40,48,48,41"; reference:cve,2014-6332; classtype:attempted-user; sid:2019796; rev:1; metadata:created_at 2014_11_24, updated_at 2014_11_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Internet Explorer CVE-2014-6332 Common Construct DECCS"; flow:established,from_server; file_data; content:"99, 104, 114, 119, 40, 48, 49, 41, 38, 99, 104, 114, 119, 40, 50, 49, 55, 54, 41, 38, 99, 104, 114, 119, 40, 48, 49, 41, 38, 99, 104, 114, 119, 40, 48, 48, 41"; reference:cve,2014-6332; classtype:attempted-user; sid:2019797; rev:1; metadata:created_at 2014_11_24, updated_at 2014_11_24;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious Iframe Leading to EK"; flow:established,from_server; file_data; content:"document.write((|22|<iframe src=|27|http|3a|"; within:35; pcre:"/^[^\x27]+[\x27]\s*/R"; content:"width=12 height=12 frameborder=0 marginheight=0 marginwidth=0 scrolling=no></|22| + |22|iframe>|22|))|3b|"; fast_pattern:73,20; within:93; isdataat:!3,relative; classtype:trojan-activity; sid:2019798; rev:2; metadata:created_at 2014_11_25, updated_at 2014_11_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Magnitude Flash Exploit (IE)"; flow:established,to_server; urilen:31<>69; content:"x-flash-version"; http_header; fast_pattern:only; pcre:"/^\/\??[a-f0-9]{32}(?:\/[a-f0-9]{32})?\/?$/U"; pcre:"/Host\x3a\x20(?:\.*[a-f0-9]\.*){32}\./Hm"; classtype:trojan-activity; sid:2019799; rev:2; metadata:created_at 2014_11_25, updated_at 2014_11_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Magnitude Flash Payload"; flow:established,to_server; urilen:34; content:"/?"; http_uri; depth:2; fast_pattern; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; pcre:"/^\/\?[a-f0-9]{32}$/U"; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}.\d{1,3}.\d{1,3}(?:\x3a\d{1,5})?\r\n/H"; classtype:trojan-activity; sid:2019800; rev:1; metadata:created_at 2014_11_25, updated_at 2014_11_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Internet Explorer CVE-2014-6332 Common Construct (Reversed)"; flow:established,from_server; file_data; content:"(wrhc&)6712(wrhc&)10"; reference:cve,2014-6332; classtype:attempted-user; sid:2019806; rev:1; metadata:created_at 2014_11_25, updated_at 2014_11_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Landing Page Nov 25 2014"; flow:established,from_server; file_data; content:"function ckl|28|"; content:"return bmw|3b|"; distance:0; classtype:trojan-activity; sid:2019807; rev:1; metadata:created_at 2014_11_25, updated_at 2014_11_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS WinHttpRequest Downloading EXE"; flow:established,from_server; flowbits:isset,et.WinHttpRequest; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2019822; rev:6; metadata:created_at 2014_12_01, updated_at 2014_12_01;)

alert tcp $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS WinHttpRequest Downloading EXE Non-Port 80 (Likely Exploit Kit)"; flow:established,from_server; flowbits:isset,et.WinHttpRequest; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2019823; rev:6; metadata:created_at 2014_12_01, updated_at 2014_12_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Exploit Struct"; flow:established,to_server; urilen:>32; content:"/AwoVG"; http_uri; fast_pattern; depth:6; pcre:"/^\/AwoVG[A-Za-z0-9_]+$/U"; content:".html|0d 0a|"; http_header; flowbits:set,et.Nuclear.Exploit; flowbits:noalert; classtype:trojan-activity; sid:2019844; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_12_03, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF"; flow:established,from_server; flowbits:isset,et.Nuclear.Exploit; content:"Content-Disposition|3a 20|inline|3b 20|filename="; http_header; pcre:"/filename=[a-z0-9]*\r\n/H"; file_data; content:"ZWS"; within:3; flowbits:set,et.Nuclear.Payload; classtype:trojan-activity; sid:2019845; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_12_03, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF"; flow:established,from_server; flowbits:isset,et.Nuclear.Exploit; content:"Content-Disposition|3a 20|inline|3b 20|filename="; http_header; pcre:"/filename=[a-z0-9]*\r\n/H"; file_data; content:"CWS"; within:3; flowbits:set,et.Nuclear.Payload; classtype:trojan-activity; sid:2019846; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_12_03, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Payload (flowbits set)"; flow:established,to_server; urilen:>32; content:"/ABs"; http_uri; fast_pattern; depth:4; pcre:"/^\/ABs[A-Za-z0-9_]+(?:\/x?[a-f0-9]+(?:\x3b\d+)+)?$/U"; content:!"Referer"; http_header; flowbits:set,et.Nuclear.Payload; flowbits:noalert; classtype:trojan-activity; sid:2019872; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_12_03, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Payload"; flow:established,from_server; flowbits:isset,et.Nuclear.Payload; content:"application/octet-stream"; http_header; content:"Content-Disposition|3a 20|inline|3b 20|filename="; http_header; pcre:"/filename=[a-z0-9]*\r\n/H"; classtype:trojan-activity; sid:2019873; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_12_03, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Landing Dec 03 2014"; flow:established,from_server; file_data; content:"=|22|replace|22 3b 27 29 3b|"; content:"|7b 41 3d 5b 5b 61 5d 2c 5b 65 76 61 6c 5d 5d 3b 7d 41 5b 31 5d 5b 30 5d 28 41 5b 30 5d 5b 30 5d 29 3b|"; classtype:trojan-activity; sid:2019874; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_12_04, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS  Possible Dyre SSL Cert Dec 4 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b8 24 bd ca a0  48 b4 10|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|08|thfgtjyj"; distance:1; within:9; classtype:trojan-activity; sid:2019875; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_12_04, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MS Office Macro Dridex Download URI Dec 5 2014"; flow:established,to_server; content:"GET"; http_method; urilen:13; content:"/stat/lld.php"; http_uri; fast_pattern:only; content:!"Referer|3A|"; http_header; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/banking-trojan-dridex-uses-macros-for-infection/; classtype:trojan-activity; sid:2019877; rev:2; metadata:created_at 2014_12_05, updated_at 2014_12_05;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious Iframe Leading to EK Dec 08 2014"; flow:established,from_server; file_data; content:"document.write(|22|<iframe name=|27|"; within:30; pcre:"/^[A-Za-z0-9]+\x27\s*?src=\x27http\x3a[^\x27]+[\x27]\s*width=1\d\s+height=1\d\s+/R"; content:"frameborder=0 marginheight=0 marginwidth=0 scrolling=no"; content:"</|22| +  |22|iframe>|22|)|3b|"; fast_pattern; isdataat:!3,relative; classtype:trojan-activity; sid:2019892; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Probable malicious download from e-mail link /1.php"; flow:established,to_server; content:"GET"; http_method; content:"/1.php?r"; http_uri; fast_pattern:only; content:!"Referer|3a 20|"; http_header; pcre:"/\/1\.php\?r$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2019894; rev:2; metadata:created_at 2014_12_08, updated_at 2014_12_08;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious Redirect Leading to EK Dec 08 2014"; flow:established,from_server; content:"Content-Type|3a 20 0d 0a|"; http_header; fast_pattern:only; pcre:"/^Last-Modified\x3a\x20[^A-Za-z]{2}/Hm"; file_data; content:"<meta http-equiv=|22|refresh|22| content=|22|0|3b| url="; classtype:trojan-activity; sid:2019895; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS QNAP Shellshock CVE-2014-6271"; flow:established,to_server; content:"authLogin.cgi"; http_uri; content:"|28 29 20 7b|"; http_header; fast_pattern:only; reference:url,www.fireeye.com/blog/threat-research/2014/10/the-shellshock-aftershock-for-nas-administrators.html; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; reference:cve,2014-6271; classtype:attempted-admin; sid:2019904; rev:1; metadata:created_at 2014_12_10, updated_at 2014_12_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS QNAP Shellshock script retrieval"; flow:established,from_server; file_data; content:"|2f|share|2f|MD0_DATA|2f|optware|2f|.xpl|2f|"; fast_pattern:only; content:"unset HISTFIE"; reference:url,www.fireeye.com/blog/threat-research/2014/10/the-shellshock-aftershock-for-nas-administrators.html; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; reference:cve,2014-6271; classtype:attempted-admin; sid:2019905; rev:1; metadata:created_at 2014_12_10, updated_at 2014_12_10;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Gootkit SSL Cert Dec 10 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d2 a9 3c 29 28 ec b0 b1|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:md5,c05453a18b6dc45bc258a377d2161b1c; classtype:trojan-activity; sid:2019907; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_12_10, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HanJuan Landing Dec 10 2014"; flow:established,from_server; file_data; content:"|27|.replace(/["; pcre:"/^[A-Za-z]{10,}/R"; content:"]/g,|27 27|).substr|28|"; fast_pattern; content:"document.write("; content:"d"; content:!"27cdb6e-ae6d-11cf-96b8-444553540000"; within:35; pcre:"/^[^\x27]*?2[^\x27]*?7[^\x27]*?c[^\x27]*?d[^\x27]*?b[^\x27]*?6[^\x27]*?e[^\x27]*?-[^\x27]*?a[^\x27]*?e[^\x27]*?6[^\x27]*?d[^\x27]*?-[^\x27]*?1[^\x27]*?1[^\x27]*?c[^\x27]*?f[^\x27]*?-[^\x27]*?9[^\x27]*?6[^\x27]*?b[^\x27]*?8[^\x27]*?-[^\x27]*?4[^\x27]*?4[^\x27]*?4[^\x27]*?5[^\x27]*?5[^\x27]*?3[^\x27]*?5[^\x27]*?4[^\x27]*?0[^\x27]*?0[^\x27]*?0[^\x27]*?0/Rsi"; classtype:trojan-activity; sid:2019916; rev:2; metadata:created_at 2014_12_10, updated_at 2014_12_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK SilverLight Exploit"; flow:established,from_server; flowbits:isset,et.Nuclear.Exploit; content:"Content-Disposition|3a 20|inline|3b 20|filename="; http_header; pcre:"/filename=[a-z0-9]*\r\n/H"; file_data; content:"AppManifest.xaml"; fast_pattern:only; flowbits:set,et.Nuclear.Payload; classtype:trojan-activity; sid:2019917; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2014_12_10, malware_family Nuclear, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious JS Leading to Fiesta EK"; flow:established,from_server; file_data; content:"xapLoad"; fast_pattern; content:"swfLoad"; content:"xapURL"; content:"swfURL"; content:"errURL"; content:"var id"; classtype:trojan-activity; sid:2019920; rev:1; metadata:created_at 2014_12_11, updated_at 2014_12_11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Win32/Spy.Zbot.ACB SSL Cert Dec 15 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fe 69 db 33 70 71 2c 70|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,d271218da70d0bceb69c477e7d13dcc8; classtype:trojan-activity; sid:2019936; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_12_15, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SoakSoak Malware GET request"; flow:established,to_server; content:"GET"; http_method; content:"/xteas/code"; http_uri; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+soaksoak\.ru/Hmi"; pcre:"/^\/xteas\/code$/U"; reference:url,blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html; classtype:trojan-activity; sid:2019939; rev:2; metadata:created_at 2014_12_15, updated_at 2014_12_15;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query SoakSoak Malware"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|soaksoak|02|ru|00|"; fast_pattern; nocase; distance:0; reference:url,blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html; classtype:trojan-activity; sid:2019940; rev:1; metadata:created_at 2014_12_15, updated_at 2014_12_15;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Malicious Referer Bulk Traffic Sometimes Leading to EKs (Possible Bedep infection) Dec 16 2014"; flow:established,to_server; content:"rowedmedia.com/search.php"; http_header; fast_pattern:only; pcre:"/^Referer\x3a[^\r\n]+?rowedmedia\.com\/search\.php\r?$/Hmi"; threshold: type limit, track by_src, count 1, seconds 60; classtype:trojan-activity; sid:2019950; rev:2; metadata:created_at 2014_12_16, updated_at 2014_12_16;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Upatre Redirector Dec 16 2014 set"; flow:established,to_server; content:"GET"; http_method; urilen:27; content:".html"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/^\/[a-z]{10}\/[a-z]{10}\.html$/U"; flowbits:set,Upatre.Redirector; flowbits:noalert; classtype:trojan-activity; sid:2019953; rev:1; metadata:created_at 2014_12_16, updated_at 2014_12_16;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Upatre Redirector Dec 16 2014"; flow:established,from_server; file_data; content:"PK|03 04|"; within:4; flowbits:isset,Upatre.Redirector; classtype:trojan-activity; sid:2019954; rev:1; metadata:created_at 2014_12_16, updated_at 2014_12_16;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Zbot SSL Cert Dec 16 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 cc c9 0f 16 44 47 71 3d|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,417a42f5e244ce2f340f16fa2fed0412; classtype:trojan-activity; sid:2019955; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_12_16, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Flash Redirector to RIG EK Dec 17 2014"; flow:established,to_server; content:"GET"; http_method; content:".swf?myid="; http_uri; fast_pattern:only; pcre:"/\.swf\?myid=[a-zA-Z0-9]+$/U"; classtype:trojan-activity; sid:2019967; rev:1; metadata:created_at 2014_12_18, updated_at 2014_12_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Upatre Download Redirection Dec 18 2014"; flow:established,from_server; file_data; content:"<br><meta http-equiv=|22|refresh|22| content=|22|0|3b| url="; pcre:"/^[^\x2f\x22]+?\x22>/R"; classtype:trojan-activity; sid:2019970; rev:1; metadata:created_at 2014_12_18, updated_at 2014_12_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Archie EK T2 Activity Dec 18 2014"; flow:established,to_server; content:"/landing?action="; http_uri; fast_pattern:only; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a|\r\n)/Hmi"; classtype:trojan-activity; sid:2019973; rev:1; metadata:created_at 2014_12_18, updated_at 2014_12_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS W32/Dridex Distribution Campaign Dec 19 2014"; flow:established,to_server; content:"GET"; http_method; content:"stat/lldv"; http_uri; fast_pattern:only; content:".php"; offset:10; http_uri; pcre:"/\/s?stat\/lldvs?\.php$/U"; pcre:"/^Host\x3A[^\r\n]+?\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}(?:\x3a\d{1,5})?\r?$/Hmi"; reference:url,blog.dynamoo.com/2014/12/pl-remittance-details-ref844127rh.html; classtype:trojan-activity; sid:2019977; rev:2; metadata:created_at 2014_12_19, updated_at 2014_12_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Dec 22 2014 Video"; flow:established,to_server; content:"/video.php?id="; fast_pattern:only; http_uri; pcre:"/\/video.php\?id=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:trojan-activity; sid:2019989; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2014_12_22, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Dec 22 2014 Player"; flow:established,to_server; content:"/player.php?pid="; fast_pattern:only; http_uri; pcre:"/\/player.php\?pid=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:trojan-activity; sid:2019990; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2014_12_22, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Dec 22 2014 Search"; flow:established,to_server; content:"/search.php?pid="; fast_pattern:only; http_uri; pcre:"/\/search.php\?pid=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:trojan-activity; sid:2019991; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2014_12_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CVE-2014-6332 Arrays with Offset Dec 23"; flow:established,from_server; content:"For i=LBound("; pcre:"/^\s*?(?P<v1>[^\x29\s]+)\s*?\x29\s*?To Ubound\x28(?P=v1)\s*?\x29\s*?(?:dim\s*?)?(?P<v2>[^\s\x3d]+)\s*?\x3d\s*?(?P=v2)\+Cstr\x28\s*?Chr\x28(?P=v1)\x28i\x29[\+\-]\d+\x29\x29.+?Execute\s*?(?P=v2)/Rsi"; reference:md5,d2d3c212f430bff2b5f075fa083de047; reference:cve,2014-6332; classtype:trojan-activity; sid:2020067; rev:2; metadata:created_at 2014_12_23, updated_at 2014_12_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Dec 29 2014"; flow:from_server,established; file_data; content:"|2f 67 2c 27 27 29 3b 7d 65 6c 73 65 7b 72 65 74 75 72 6e|"; fast_pattern:only; content:"Function"; pcre:"/^\s*?\x28\s*?[\x22\x27](?P<var1>[^\x22\x27]+)[\x22\x27]\s*,\s*[\x22\x27]if\s*?\x28(?P=var1)\s*\!\s*=\s*[\x27\x22][\x22\x27]\s*?\x29\s*?\{\s*?(?P<var2>[^\s\x3d]+)\s*?=\s*?(?P=var1)\s*?\[/Rs"; classtype:trojan-activity; sid:2020082; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2015_12_29, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Cushion Redirection URI Struct Mon Jan 05 2015"; flow:established,to_server; urilen:13; content:"/get_gift.php"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2020091; rev:1; metadata:created_at 2015_01_05, updated_at 2015_01_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Landing Jan 06 2014"; flow:established,from_server; file_data; content:"|3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 2f 2a|"; within:24; fast_pattern:4,20; pcre:"/^(?=[A-Z0-9]*?[a-z])(?=[a-z0-9]*?[A-Z])[A-Za-z0-9]+\x2a\x2f[^\n]*?Function\s*?\x28\s*?[\x22\x27](?P<var1>[^\x22\x27]+)[\x22\x27]\s*,\s*[\x22\x27]if\s*?\x28\s*?(?P=var1)\s*[=!]{2}\s*?[\x27\x22][\x22\x27]\s*?\x29\s*?\{/Rs"; classtype:trojan-activity; sid:2020103; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2015_01_07, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MS Office Macro Dridex Download URI Jan 7 2015"; flow:to_server,established; content:"GET"; http_method; content:"/pops"; offset:1; fast_pattern; http_uri; content:".php"; within:5; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/[^\x2f]+\/pops[a-z]?\.php$/U"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/banking-trojan-dridex-uses-macros-for-infection/; classtype:trojan-activity; sid:2020148; rev:3; metadata:created_at 2015_01_07, updated_at 2015_01_07;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Upatre Redirector Jan 9 2015"; flow:established,to_server; content:"GET"; http_method; content:".js?"; http_uri; fast_pattern; content:".js"; distance:30; http_uri; pcre:"/\d\.js\?[a-zA-Z0-9]{7,16}=[^&]+(?:&[a-zA-Z0-9]{7,16}=[^&]+){3}\.js$/U"; content:".html"; http_header; content:"Referer|3a|"; http_header; pcre:"/^Referer\x3a[^\r\n]+\.html\r?$/Hmi"; flowbits:set,ET.Upatre.Redirector; classtype:trojan-activity; sid:2020159; rev:4; metadata:created_at 2015_01_09, updated_at 2015_01_09;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Upatre IE Redirector Receiving Payload Jan 9 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|attachment|3b 20|"; http_header; content:".zip|20 3b 0d 0a|"; distance:0; http_header; content:"Content-Type|3a 20|$ctype|0d 0a|"; http_header; fast_pattern:2,20; file_data; content:"PK|03 04|"; within:4; classtype:trojan-activity; sid:2020160; rev:2; metadata:created_at 2015_01_09, updated_at 2015_01_09;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Upatre Firefox/Chrome Redirector Receiving Payload Jan 9 2015"; flow:established,from_server; file_data; content:"UEsDB"; content:"var"; pcre:"/^\s*?\w+\s*?=\s*?[\x22\x27]UEsDB/R"; flowbits:isset,ET.Upatre.Redirector; classtype:trojan-activity; sid:2020161; rev:2; metadata:created_at 2015_01_09, updated_at 2015_01_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Landing Jan 14 2014"; flow:established,from_server; file_data; content:"|3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 2f 2a|"; within:24; fast_pattern:4,20; content:"|24 2c|"; distance:0; pcre:"/^\s*?(?P<var1>[^\x29]+)\x29[^\n]*?=\s*?(?P=var1)\s*?\x7c{2}\s*?\d+?\s*?\x2c/R"; classtype:trojan-activity; sid:2020180; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2015_01_14, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Landing Jan 19 2014"; flow:established,from_server; file_data; content:"|73 74 61 72 74 7C 7C 30|"; nocase; fast_pattern:only; content:"|24 2c|"; pcre:"/^\s*?\x73\x74\x61\x72\x74\s*?\x29\s*?\x7b\s*?for\s*?\x28\s*?var\s+?[^\s]+?\s*?=\s*?\x73\x74\x61\x72\x74\x7C\x7C\x30\s*\x2c/Rsi"; content:"|22 6c|"; distance:0; pcre:"/^[^a-z]?\x65[^a-z]?\x6e[^a-z]?\x67[^a-z]?\x74[^a-z]?\x68/Ri"; classtype:trojan-activity; sid:2020207; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2015_01_19, malware_family Nuclear, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Upatre Redirector IE Requesting Payload Jan 19 2015"; flow:established,to_server; content:"GET"; http_method; content:".js?get_message"; http_uri; fast_pattern:only; pcre:"/\d\.js\?get_message(?:=-?\d+?)?$/U"; content:"Referer|3a|"; pcre:"/^[^\r\n]+?\.html?\r?$/Rmi"; classtype:trojan-activity; sid:2020212; rev:3; metadata:created_at 2015_01_19, updated_at 2015_01_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Phishing Attempt Jan 20 2015"; flow:established,to_server; content:"POST"; http_method; urilen:20; content:"/js/moontools-1.7.js"; http_uri; fast_pattern:only; content:"username="; depth:9; http_client_body; content:"&password="; distance:0; http_client_body; classtype:trojan-activity; sid:2020224; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2015_01_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Landing Jan 21 2014"; flow:established,from_server; file_data; content:".replace|28|"; fast_pattern:only; content:"<script>"; content:"|3d 20|"; distance:0; pcre:"/^\s*?[\x22\x27](?P<char>[^\x22\x27]+)[\x22\x27]\.replace\x28\s*?[\x22\x27](?P=char)[\x22\x27]\s*?,/R"; content:"|3d 20|"; distance:0; pcre:"/^\s*?[\x22\x27](?P<char>[^\x22\x27]+)[\x22\x27]\.replace\x28\s*?[\x22\x27](?P=char)[\x22\x27]\s*?,/R"; classtype:trojan-activity; sid:2020236; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2015_01_21, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Jan 22 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a3 c1 47 06 dd 12 ae 21|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0f|Dniepropetrovsk"; distance:1; within:16; classtype:trojan-activity; sid:2020288; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_01_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Jan 22 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 92 87 8f 35 b4 aa 08 d1|"; within:35; fast_pattern; content:"|55 04 07|"; content:"|06|Taipei"; distance:1; within:7; classtype:trojan-activity; sid:2020289; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_01_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre or Dyre SSL Cert Jan 22 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02 43 4e|"; distance:0; content:"|06 03 55 04 08 0c 02|ST"; distance:0; content:"|55 04 07|"; distance:0; pcre:"/^.{2}(?P<var>[a-zA-Z0-9]{24}[01]).+?\x55\x04\x07.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2020290; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2015_01_22, malware_family Upatre, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Sweet Orange redirection Jan 22 2015"; flow:established,from_server; file_data; content:"var theme_customize"; within:19; pcre:"/^\s*?=\s*?[\x22\x27](?!687474703a2f)[^\x22\x27]{0,10}6[^\x22\x27]{0,10}8[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}0[^\x22\x27]{0,10}3[^\x22\x27]{0,10}a[^\x22\x27]{0,10}2[^\x22\x27]{0,10}f/Ri"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2020291; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Exploit Struct Jan 23 2015"; flow:established,to_server; urilen:51<>150; content:"GET /"; byte_test:1,>,64,0,relative; byte_test:1,<,91,0,relative; pcre:"/^\/[A-Z](?=[A-Za-z]{0,148}\d)[A-Za-z0-9]{49,148}$/U"; content:".htm"; http_header; fast_pattern:only; content:"Referer|3a 20|"; http_header; pcre:"/^Referer\x3a\x20http\x3a\/\/[^\x2f]+\/[A-Z](?=[a-z0-9]+[A-Z])(?=[A-Z0-9]+[a-z])[A-Za-z0-9]{9,}\.html?\r?$/Hmi"; classtype:trojan-activity; sid:2020300; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2015_01_23, malware_family Nuclear, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Upatre Redirector Jan 23 2015"; flow:established,to_server; content:"GET"; http_method; content:"/js/jquery-"; http_uri; fast_pattern:only; pcre:"/^\/js\/jquery-\d+\.\d{2}\.\d{2}\.js$/U"; content:"Referer|3a|"; pcre:"/^[^\r\n]+?\.html?\r?$/Rmi"; classtype:trojan-activity; sid:2020304; rev:1; metadata:created_at 2015_01_23, updated_at 2015_01_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF M2"; flow:established,from_server; content:"|20|inline|3b 20|filename="; http_header; fast_pattern:only; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; http_header; content:"Server|3a 20|nginx"; http_header; pcre:"/Content-Disposition\x3a\x20inline\x3b\x20filename=(?:[a-z0-9]{4})?\r\n/H"; file_data; content:"ZWS"; within:3; flowbits:set,et.Nuclear.Payload; classtype:trojan-activity; sid:2020311; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2015_01_26, malware_family Nuclear, updated_at 2016_09_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF M2"; flow:established,from_server; content:"|20|inline|3b 20|filename="; http_header; fast_pattern:only; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; http_header; content:"Server|3a 20|nginx"; http_header; pcre:"/Content-Disposition\x3a\x20inline\x3b\x20filename=(?:[a-z0-9]{4})?\r\n/H"; file_data; content:"CWS"; within:3; classtype:trojan-activity; sid:2020312; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2015_01_26, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK SilverLight M2"; flow:established,from_server; content:"|20|inline|3b 20|filename="; http_header; fast_pattern:only; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; content:"X-Powered-By|3a 20|"; http_header; content:"Server|3a 20|nginx"; http_header; file_data; content:"PK"; within:2; content:"AppManifest.xaml"; flowbits:set,et.Nuclear.Payload; classtype:trojan-activity; sid:2020317; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2015_01_27, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Jan 27 2015 M1"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"X-Powered-By|3a|"; http_header; file_data; content:"|5b 2f 2a|"; fast_pattern; pcre:"/^[a-z]{7}(?:\s*?[a-z]+\s*?)*?[a-z]{7,}\x2a\x2f[a-zA-Z]{3,5}\W/Rs"; content:"|2f 2a|"; distance:0; pcre:"/^[a-z]{7}(?:\s*?[a-z]+\s*?)*?[a-z]{7,}\x2a\x2f/Rs"; content:"|2f 2a|"; distance:0; pcre:"/^[a-z]{7}(?:\s*?[a-z]+\s*?)*?[a-z]{7,}\x2a\x2f/Rs"; classtype:trojan-activity; sid:2020318; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2015_01_28, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Jan 27 2015 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"X-Powered-By|3a|"; http_header; file_data; content:" id=|22|"; distance:15; within:16; pcre:"/^[A-Za-z]{3,5}/R"; content:"|22| style=|22|display|3a|none|22|>"; within:23; pcre:"/^[a-zA-Z0-9]{9}<\/[^>]+>\s+?<[^\s]+\sid=\x22[a-zA-Z]{3,5}\x22\sstyle=\x22display\x3anone\x22>[A-Za-z0-9]{500}/Rs"; classtype:trojan-activity; sid:2020319; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2015_01_28, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Dridex Campaign Download Jan 28 2015"; flow:established,to_server; content:"GET"; http_method; content:"/js/bin.exe?="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\/js\/bin\.exe\?=\d+$/U"; classtype:trojan-activity; sid:2020328; rev:1; metadata:created_at 2015_01_28, updated_at 2015_01_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dropbox Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Dropbox - Sign in</title>"; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2020332; rev:2; metadata:created_at 2015_01_29, updated_at 2017_06_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Feb 01 2015 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"X-Powered-By|3a|"; http_header; file_data; content:" id=|22|"; pcre:"/^[A-Za-z]{3,5}/R"; content:"|22| style=|22|display|3a|none|22| title="; within:29; fast_pattern:9,20; pcre:"/^\s*?\x22[a-zA-Z0-9]{7}l[a-zA-Z0-9]\x22\s*?>(?:(?!<\/).){500}/Rs"; classtype:trojan-activity; sid:2020342; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2015_02_01, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET CURRENT_EVENTS Possible Dridex e-mail inbound"; flow:established,to_server; content:"<no-replay"; fast_pattern:only; content:"User-Agent|3a 20|Roundcube"; classtype:bad-unknown; sid:2020351; rev:1; metadata:created_at 2015_02_03, updated_at 2015_02_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Feb 03 2015 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"X-Powered-By|3a|"; http_header; file_data; content:" id=|22|"; pcre:"/^[A-Za-z]{3,5}/R"; content:"|22| style=|22|visibility|3a|hidden|22| title="; within:34; fast_pattern:14,20; pcre:"/^\s*?\x22[a-zA-Z0-9]{7}l[a-zA-Z0-9]\x22\s*?>(?:(?!<\/).){500}/Rs"; classtype:trojan-activity; sid:2020352; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2015_02_03, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Feb 03 2015 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"</script></head>|0d 0a|<body>"; fast_pattern:2,20; content:" id="; pcre:"/^\s*?[\x22\x27][A-Za-z]{3,10}[\x22\x27]/R"; content:" title="; content:!"<"; within:100; pcre:"/^\s*?[\x22\x27](?=[A-Z]{0,19}[a-z]{1,19}[A-Z])[a-zA-Z]{14,20}[\x22\x27][^<>]*?>(?=[A-Za-z]{0,99}\d)[A-Za-z0-9\x20]{100}/R"; classtype:trojan-activity; sid:2020354; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2015_02_04, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS KaiXin Secondary Landing Page"; flow:to_server,established; content:"/main.html"; http_uri; fast_pattern:only; pcre:"/\/main\.html$/U"; content:"/index.html"; http_header; pcre:"/\b[a-z]{2}\d+\s*?=\s*?Yes/C"; classtype:trojan-activity; sid:2020392; rev:3; metadata:created_at 2015_02_10, updated_at 2015_02_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Android CVE-2014-6041"; flow:from_server,established; file_data; content:"|5c|u001"; fast_pattern; pcre:"/^[a-f0-9]/Ri"; content:"javascript|3a|"; nocase; within:11; reference:url,1337day.com/exploit/22581; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/same-origin-policy-bypass-vulnerability-has-wider-reach-than-thought/; classtype:attempted-user; sid:2020397; rev:1; metadata:created_at 2015_02_11, updated_at 2015_02_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Android CVE-2014-6041"; flow:from_server,established; file_data; content:"|5c|u0020javascript|3a|"; nocase; fast_pattern:only; reference:url,1337day.com/exploit/22581; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/same-origin-policy-bypass-vulnerability-has-wider-reach-than-thought/; classtype:attempted-user; sid:2020398; rev:1; metadata:created_at 2015_02_11, updated_at 2015_02_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Landing Page M2"; flow:from_server,established; file_data; content:"deconcept.SWFObjectUtil.getPlayerVersion"; fast_pattern; content:"navigator.userAgent.toLowerCase()|3b|"; content:"if|28|document.cookie"; content:"var "; pcre:"/^(?P<vname>[A-Za-z0-9]+)\s*?=\s*?navigator.userAgent.toLowerCase\x28\x29\x3b.+?if\(document.cookie[^\r\n]+\([^\r\n]+(?P=vname)[\x2e\x5b\x22\x27+\s]+i[\x22\x27+\s]*n[\x22\x27+\s]*d[\x22\x27+\s]*e[\x22\x27+\s]*x[\x22\x27+\s]*O[\x22\x27+\s]*f[\x22\x27+\s]*\x5d?\(\s*?[\x22\x27]b[\x22\x27+\s]*o[\x22\x27+\s]*t[\x22\x27+\s]*[\x22\x27][^\r\n]+(?P=vname)[\x2e\x5b\x22\x27+\s]+i[\x22\x27+\s]*n[\x22\x27+\s]*d[\x22\x27+\s]*e[\x22\x27+\s]*x[\x22\x27+\s]*O[\x22\x27+\s]*f[\x22\x27+\s]*\x5d?\(\s*?[\x22\x27]s[\x22\x27+\s]*p[\x22\x27+\s]*i[\x22\x27+\s]*d[\x22\x27+\s]*e[\x22\x27+\s]*r[\x22\x27+\s]*[\x22\x27]/Rs"; classtype:trojan-activity; sid:2020407; rev:5; metadata:created_at 2015_02_11, updated_at 2015_02_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 11 2015 Banner"; flow:established,to_server; content:"/banner.php?sid="; fast_pattern:only; http_uri; pcre:"/\/banner.php\?sid=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:trojan-activity; sid:2020408; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2015_02_11, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 11 2015 Blog"; flow:established,to_server; content:"/blog.php?id="; fast_pattern:only; http_uri; pcre:"/\/blog.php\?id=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:trojan-activity; sid:2020409; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2015_02_11, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Upatre Common URI Struct Feb 12 2015"; flow:established,to_server; content:"GET /"; depth:5; content:!"Accept-"; distance:0; content:!"Referer|3a|"; distance:0; pcre:"/^[^\r\n]+\/(?:5[12]|6[0-3])\/0\/[A-Z]* HTTP\/1\./R"; pcre:"/^Host\x3a[^\r\n]+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r?$/mi"; content:"/0/"; fast_pattern:only; classtype:trojan-activity; sid:2020419; rev:1; metadata:created_at 2015_02_13, updated_at 2015_02_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 1 M1"; flow:established,from_server; file_data; content:"lRXdjVGeFxGblh2U"; classtype:trojan-activity; sid:2020423; rev:1; metadata:created_at 2015_02_16, updated_at 2015_02_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 2 M1"; flow:established,from_server; file_data; content:"Z0V3YlhXRsxWZoN"; classtype:trojan-activity; sid:2020424; rev:1; metadata:created_at 2015_02_16, updated_at 2015_02_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 3 M1"; flow:established,from_server; file_data; content:"Gd1NWZ4VEbsVGaT"; classtype:trojan-activity; sid:2020425; rev:1; metadata:created_at 2015_02_16, updated_at 2015_02_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Double-Encoded Reverse Base64/Dean Edwards Packed JavaScript Observed in Unknown EK Feb 16 2015 b64 1 M2"; flow:established,from_server; file_data; content:"CZsUGLrxyYsEGLwhibvlGdj5WdmhCbhZXZ"; classtype:trojan-activity; sid:2020426; rev:2; metadata:created_at 2015_02_16, updated_at 2015_02_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 2 M2"; flow:established,from_server; file_data; content:"pQGLlxyasMGLhxCco42bpR3YuVnZowWY2V"; classtype:trojan-activity; sid:2020427; rev:1; metadata:created_at 2015_02_16, updated_at 2015_02_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 3 M2"; flow:established,from_server; file_data; content:"KkxSZssGLjxSYsAHKu9Wa0Nmb1ZGKsFmdl"; classtype:trojan-activity; sid:2020428; rev:1; metadata:created_at 2015_02_16, updated_at 2015_02_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Uknown EK Java Exploit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"DFE42z.class"; classtype:trojan-activity; sid:2020429; rev:1; metadata:created_at 2015_02_16, updated_at 2015_02_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CVE-2014-6332 DECS2"; flow:established,from_server; file_data; content:"102,117,110,99,116,105,111,110,32,114,117,110,109,117,109,97,97"; classtype:trojan-activity; sid:2020460; rev:2; metadata:created_at 2015_02_18, updated_at 2015_02_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS KaiXin EK Jar URI Struct"; flow:established,to_server; content:"Java/1."; http_header; fast_pattern; content:".jar"; http_uri; pcre:"/(?:\/[A-Z][a-z][A-Z][a-z][A-Z][a-z]|(?:b(?:m(?:nw|wn)|n(?:mw|wm)|w(?:mn|nm))|m(?:b(?:nw|wn)|n(?:bw|wb)|w(?:bn|nb))|n(?:b(?:mw|wm)|m(?:bw|wb)|w(?:bm|mb))|w(?:b(?:mn|nm)|m(?:bn|nb)|n(?:bm|mb))))\.jar$/U"; classtype:trojan-activity; sid:2020476; rev:2; metadata:created_at 2015_02_18, updated_at 2015_02_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS KaiXin EK Possible Jar Download"; flow:established,to_server; content:"Java/1."; http_header; content:"=Yes"; http_cookie; content:"cck_lasttime="; http_cookie; content:"cck_count="; http_cookie; classtype:trojan-activity; sid:2020477; rev:1; metadata:created_at 2015_02_18, updated_at 2015_02_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS KaiXin EK Possible Jar Download"; flow:established,to_server; content:"Java/1."; http_header; content:"=Yes"; http_cookie; pcre:"/nb[\d+]=Yes/C"; classtype:trojan-activity; sid:2020478; rev:1; metadata:created_at 2015_02_18, updated_at 2015_02_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY GENERIC CollectGarbage in Hex String No Seps"; flow:to_client,established; file_data; content:"436f6c6c6563744761726261676528"; nocase; classtype:trojan-activity; sid:2020481; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2015_02_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY GENERIC ShellExecute in Hex No Seps"; flow:to_client,established; file_data; content:"5368656c6c45786563757465"; nocase; classtype:trojan-activity; sid:2020482; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2015_02_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY GENERIC ShellExecute in URLENCODE"; flow:to_client,established; file_data; content:"%53%68%65%6c%6c%45%78%65%63%75%74%65"; nocase; classtype:trojan-activity; sid:2020483; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2015_02_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Comment in Body"; flow:to_client,established; file_data; content:"|3c 21 2d 2d 20 30 39 38 30 32 33 37 36 34 32 20 2d 2d 3e|"; classtype:trojan-activity; sid:2020484; rev:1; metadata:created_at 2015_02_19, updated_at 2015_02_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Secondary Landing Page M2"; flow:established,from_server; file_data; content:"function llll|28|"; content:"return bmw|3b|"; distance:0; classtype:trojan-activity; sid:2020494; rev:2; metadata:created_at 2015_02_20, updated_at 2015_02_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Landing M3"; flow:established,from_server; file_data; content:"|2a|0xffffffff|2a|"; content:"|2a|str2long|2a|"; content:"|2a|long2str|2a|"; classtype:trojan-activity; sid:2020495; rev:2; metadata:created_at 2015_02_20, updated_at 2015_02_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Possible Unknown EK HFS CVE-2014-6332"; flow:established,from_server; content:"Server|3a 20|HFS|20|"; http_header; fast_pattern; file_data; content:"Wscript.Shell"; content:"Microsoft.XMLHTTP"; content:"ADODB.Stream"; content:"cmd.exe"; classtype:trojan-activity; sid:2020498; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2015_02_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)"; flow:established,from_server; flowbits:isset,exe.no.referer; content:"Server|3a 20|HFS"; http_header; fast_pattern; file_data; content:"MZ"; within:2; classtype:trojan-activity; sid:2020500; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2015_02_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Unknown EK Landing"; flow:established,from_server; content:"|64 6f 63 75 6d 65 6e 74 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 2e 6c 65 6e 67 74 68 3e 30 29 7b|"; content:"|3d 22 31 22 2b 22 31 22 3b 64 65 6c 65 74 65|"; distance:0; content:"|2b 3d 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22|"; distance:0; classtype:trojan-activity; sid:2020501; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2015_02_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY [PwC CTD] -- MultiGroup - ScanBox and Targetted Watering Holes PDF"; flow:established,from_server; file_data; content:"plugin_pdf_ie()"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanboxframework-whos-affected-and-whos-using-it-1.html; classtype:trojan-activity; sid:2020558; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY [PwC CTD] -- MultiGroup - ScanBox Watering Hole iframe"; flow:established,from_server; file_data; content:".item(0).appendChild(iframe_tag)"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:trojan-activity; sid:2020559; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY [PwC CTD] -- MultiGroup - ScanBox and Targetted Watering Holes ActiveX Call"; flow:established,from_server; file_data; content:"var version|3b|var ax|3b|var e|3b|try{axo=new ActiveXObject";  reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:trojan-activity; sid:2020560; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, tag DriveBy, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY [PwC CTD] -- MultiGroup - ScanBox Watering Hole Content form tag appended to head"; flow:established,from_server; file_data; content:"document.getElementsByTagName('head').item(0).appendChild(form_tag)|3b|"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:trojan-activity; sid:2020561; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY [PwC CTD] -- MultiGroup - ScanBox Watering Hole function return value"; flow:established,from_server; file_data; content:"return ((!a) ? 'x-'|3a| a) + Math.floor(Math.random() * 99999|29 3b|"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:trojan-activity; sid:2020562; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY [PwC CTD] -- MultiGroup - TH3BUG and Non-Targetted Groups Watering Hole Deobfuscation function"; flow:established,from_server; file_data; content:"Chr(CInt(ns(i)) Xor n)"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:trojan-activity; sid:2020563; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS KaiXin Secondary Landing Page"; flow:to_server,established; content:"/main.html"; http_uri; fast_pattern:only; pcre:"/\/main\.html$/U"; content:"/connector.html|0d 0a|"; http_header; classtype:trojan-activity; sid:2020570; rev:2; metadata:created_at 2015_02_25, updated_at 2015_02_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS INFO .exe download with no referer (noalert)"; flow:established,to_server; content:".exe"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; flowbits:set,exe.no.referer; flowbits:noalert; classtype:bad-unknown; sid:2020573; rev:1; metadata:created_at 2015_02_26, updated_at 2015_02_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Sweet Orange EK Flash Exploit IE March 03 2015"; flow:established,to_server; urilen:>12; content:!".swf"; nocase; http_uri; content:"x-flash-version|3a|"; http_header; fast_pattern; content:".php?"; http_header; pcre:"/\/(?=[a-z0-9]{0,20}[A-Z])(?=[A-Z0-9]{0,20}[a-z])(?=[A-Za-z]{0,20}[0-9])[A-Za-z0-9]{12,20}$/U"; pcre:"/^Referer\x3a[^\r\n]+?\x3a\d+[^\r\n]*?\/[a-z0-9]+\.php\?[a-z0-9]+=\d+(?:\r\n|&)/Hm"; classtype:trojan-activity; sid:2020584; rev:2; metadata:created_at 2015_03_02, updated_at 2015_03_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Scam - FakeAV Alert Landing March 2 2015"; flow:established,from_server; file_data; content:"WARNING! Your PC may not be protected!"; content:"remove malicious malware and adware"; distance:0; classtype:trojan-activity; sid:2020588; rev:1; metadata:created_at 2015_03_03, updated_at 2015_03_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Scam - FakeAV Alert Landing March 2 2015"; flow:established,from_server; file_data; content:"WARNING|3a| Your PC may have a serious virus!"; content:"assistance removing malicious viruses"; classtype:trojan-activity; sid:2020589; rev:1; metadata:created_at 2015_03_03, updated_at 2015_03_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS WindowBase64.atob Function In Edwards Packed JavaScript - Possible iFrame Injection Detected"; flow:established,to_client; file_data; content:"eval(function(p,a,c"; content:"|7C|atob|7C|"; nocase; content:"|7C|iframe|7C|"; nocase; fast_pattern:only; metadata: former_category CURRENT_EVENTS; reference:url,blog.malwarebytes.org/exploits-2/2015/02/celebrity-chef-jamie-olivers-website-hacked-redirects-to-exploit-kit/; classtype:bad-unknown; sid:2020605; rev:4; metadata:created_at 2015_03_04, updated_at 2017_05_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS rechnung zip file download"; flow:established,to_server; content:"GET"; http_method; content:"rechnung"; fast_pattern; http_uri; nocase; content:"|2e|zip"; nocase; http_uri; distance:0; content:!"Referer|3a 20|"; http_header; pcre:"/\.zip$/Ui"; classtype:trojan-activity; sid:2020622; rev:2; metadata:created_at 2015_03_05, updated_at 2015_03_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Tsukuba Banker Edwards Packed proxy.pac"; flow:established,to_client; file_data; content:"eval(function(p,a,c"; content:"|7C|FindProxyForURL|7C|"; nocase; content:"|7c|proxy|7c|"; nocase; content:"|7c|credicard|7c|"; nocase; reference:url,securityintelligence.com/tsukuba-banking-trojan-phishing-in-japanese-waters; classtype:trojan-activity; sid:2020623; rev:2; metadata:created_at 2015_03_05, updated_at 2015_03_05;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert www.eshaalfoundation.org"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 06 49 5e 75 fb 3f 44|"; within:35; fast_pattern; content:"|55 04 03|"; content:"|18|www.eshaalfoundation.org"; distance:1; within:25; reference:md5,e36073ba13e2df22348cd624ab0a9fbc; classtype:trojan-activity; sid:2020624; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2015_03_05, malware_family Upatre, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fiesta EK Landing URI Struct March 6 2015"; flow:established,to_server; urilen:>40; content:"GET"; http_method; content:"/tdstest/"; http_uri; fast_pattern:only; pcre:"/^\/tdstest\/[a-f0-9]{32,}\/?$/U"; classtype:trojan-activity; sid:2020626; rev:2; metadata:created_at 2015_03_06, updated_at 2015_03_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Malicious Second Stage Download URI Struct M1 Feb 06 2015"; flow:established,to_server; content:".php?id="; http_uri; fast_pattern:only; content:"&rnd="; http_uri; pcre:"/\.php\?id=[0-9A-F]{44,54}&rnd=[0-9]{3,7}$/U"; classtype:trojan-activity; sid:2020643; rev:2; metadata:created_at 2015_03_06, updated_at 2015_03_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Malicious Second Stage Download URI Struct M2 Feb 06 2015"; flow:established,to_server; content:".php?rnd="; http_uri; fast_pattern:only; content:"&id="; http_uri; pcre:"/\.php\?rnd=[0-9]{3,7}&id=[0-9A-F]{44,54}$/U"; classtype:trojan-activity; sid:2020644; rev:1; metadata:created_at 2015_03_06, updated_at 2015_03_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK March 16 2015"; flow:established,to_server; urilen:51<>61; content:"/a"; http_uri; depth:2; pcre:"/^\/a[a-z]{9,}\/[a-f0-9]{40}$/U"; pcre:"/^GET \/(?P<name>a[a-z]{9,})\/.+?\r\nHost\x3a\x20(?P=name)\./sm"; classtype:trojan-activity; sid:2020698; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2015_03_16, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Windows Security Warning - Alert"; flow:established,to_client; file_data; content:"<title>WARNING - SECURITY ALERT</title>"; classtype:trojan-activity; sid:2020710; rev:1; metadata:created_at 2015_03_19, updated_at 2015_03_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake Windows Security Warning - png"; flow:established,to_server; content:"gp-warning-img.png"; http_uri; classtype:trojan-activity; sid:2020711; rev:1; metadata:created_at 2015_03_19, updated_at 2015_03_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mar 19 2015"; flow:established,to_server; content:"GET"; http_method; content:"4c2H"; nocase; http_uri; pcre:"/\/\??4c2H(?:$|[&?]utm_source=)/U"; classtype:trojan-activity; sid:2020715; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2015_03_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible HanJuan Landing March 20 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:!"<body>"; content:!"<html>"; content:"<script>"; within:8; pcre:"/^\s*[a-z]+\s*?=\s*?(?P<q1>[\x22\x27])(?:(?!(?P=q1)).)+?(?P=q1)\.replace\(\/\[[A-Za-z]{10,}\]\/g,\x27\x27\)\.substr\(\s*?\d+\s*?,\s*?\d+\s*?\)\s*?\x3b\s*?[a-z]+\s*?=\s*?(?P<q2>[\x22\x27])(?:(?!(?P=q2)).)+?(?P=q2)\.replace\(\/\[[A-Za-z]{10,}\]\/g,\x27\x27\)\.substr/Rs"; content:"]/g,|27 27|).substr|28|"; fast_pattern:only; classtype:trojan-activity; sid:2020719; rev:1; metadata:created_at 2015_03_20, updated_at 2015_03_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RIG Payload URI Struct March 20 2015"; flow:established,to_server; urilen:>220; content:"/index.php?"; http_uri; depth:11; content:"=l3S"; fast_pattern; http_uri; offset:26; depth:4; content:!"Referer|3a|"; http_header; pcre:"/^\/index\.php\?[A-Za-z0-9_-]{15}=l3S/U"; classtype:trojan-activity; sid:2020720; rev:1; metadata:created_at 2015_03_20, updated_at 2015_03_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RIG Exploit URI Struct March 20 2015"; flow:established,to_server; urilen:>220; content:"/index.php?"; http_uri; depth:11; content:"=l3S"; fast_pattern; http_uri; offset:26; depth:4; content:"/?"; http_header; content:"=l3S"; http_header; pcre:"/^\/index\.php\?[A-Za-z0-9_-]{15}=l3S/U"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2020721; rev:2; metadata:created_at 2015_03_20, updated_at 2015_03_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RIG Landing URI Struct March 20 2015"; flow:established,to_server; content:"/?"; http_uri; depth:2; content:"=l3S"; http_uri; fast_pattern; offset:17; depth:4; pcre:"/^\/\?[A-Za-z0-9_-]{15}=l3S/U"; classtype:trojan-activity; sid:2020722; rev:2; metadata:created_at 2015_03_20, updated_at 2015_03_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing March 20 2015"; flow:established,from_server; file_data; content:"function iu7("; content:"ji2"; within:100; pcre:"/^\W/R"; content:"hu2"; pcre:"/^\W/R"; classtype:trojan-activity; sid:2020725; rev:1; metadata:created_at 2015_03_20, updated_at 2015_03_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing March 20 2015 M2"; flow:established,from_server; file_data; content:"|22 29 3b 2f 2a|"; pcre:"/^[^\x2a]+\x2a\x2f(?:\x2f\x2a[^\x2a]+\x2a\x2f)*?(?P<arg>[a-z0-9]{3,})(?:\x2f\x2a[^\x2a]+\x2a\x2f)*?\x28[^\x29]+\x29\x3b\x2f\x2a[^\x2a]+\x2a\x2f(?:\x2f\x2a[^\x2a]+\x2a\x2f)*?(?P=arg)(?:\x2f\x2a[^\x2a]+\x2a\x2f)*?\x28/R"; classtype:trojan-activity; sid:2020726; rev:1; metadata:created_at 2015_03_23, updated_at 2015_03_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unauthorized SSL Cert for Google Domains"; flow:established,from_server; content:"|55 04 0a|"; content:"|0a|MCSHOLDING"; distance:1; within:11; reference:url,googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html; classtype:trojan-activity; sid:2020736; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_03_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HanJuan EK Landing March 24 2015 M1"; flow:established,from_server; file_data; content:"document.createElement|28|"; pcre:"/^\s*?(?P<q1>[\x22\x27])(?:(?!(?P=q1)).)+?(?P=q1)\.replace\(\/\[[A-Za-z]{10,}\]/R"; content:"/g,|27 27|).substr|28|"; fast_pattern; within:14; pcre:"/^\s*?\d+,\s*?\d/R"; classtype:trojan-activity; sid:2020743; rev:2; metadata:created_at 2015_03_24, updated_at 2015_03_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HanJuan EK Landing March 24 2015 M2"; flow:established,from_server; file_data; content:"document.createElement|28|"; pcre:"/^\s*?(?P<q1>[\x22\x27])(?:(?!(?P=q1)).)+?(?P=q1)\.replace\(\/\[[A-Za-z]{10,}\]/R"; content:"/g,|22 22|).substr|28|"; fast_pattern; within:14; pcre:"/^\s*?\d+,\s*?\d/R"; classtype:trojan-activity; sid:2020744; rev:2; metadata:created_at 2015_03_24, updated_at 2015_03_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS VBA Office Document Dridex Binary Download User-Agent"; flow:established,to_server; content:"User-Agent|3A| KAII"; http_header; fast_pattern:only; reference:md5,cb2903c89d60947fa4badec41e065d71; classtype:trojan-activity; sid:2020758; rev:1; metadata:created_at 2015_03_26, updated_at 2015_03_26;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful GoogleFile Phish"; flow:established,to_server; content:"g2-choseyouremailprovider="; http_client_body; content:"g2-password="; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2020803; rev:2; metadata:created_at 2015_03_30, updated_at 2017_10_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS VBA Office Document Dridex Binary Download User-Agent 2"; flow:established,to_server; content:"User-Agent|3A| MisterZALALU"; http_header; fast_pattern:4,20; reference:md5,2f53b7669482c2d9216a74050630fbb7; classtype:trojan-activity; sid:2020806; rev:1; metadata:created_at 2015_03_31, updated_at 2015_03_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS VBScript Driveby MAR 31 2015"; flow:established,to_server; content:"/content/dl.php?sl=vbs"; http_uri; fast_pattern:only; pcre:"/\/content\/dl\.php\?sl=vbs[a-z0-9]{32}$/U"; classtype:trojan-activity; sid:2020823; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2015_03_31, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS VBScript Driveby Related TDS MAR 31 2015"; flow:established,to_server; content:"/content/getvbslink.php?d="; http_uri; fast_pattern:only; pcre:"/\/content\/getvbslink\.php\?d=[a-z0-9]{32}$/U"; classtype:trojan-activity; sid:2020824; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2015_03_31, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Potential Dridex.Maldoc Minimal Executable Request"; flow:established,to_server; urilen:<40; content:"GET"; http_method; content:".exe"; http_uri; fast_pattern:only; content:!"Mozilla/"; http_header; content:!"Referer|3A 20|"; http_header; content:!"Accept"; http_header; content:!"MstarUpdate"; http_header; content:"User-Agent|3a 20|"; depth:12; http_header; content:!".bitdefender.com|0d 0a|"; http_header; pcre:"/\/[a-z0-9]+\/[a-z0-9]+\.exe$/Ui"; pcre:"/^User-Agent\x3A\x20[a-z\x20]{2,30}\r\nHost\x3A[^\r\n]+\r\n(?:\r\n)?$/Hmi"; content:!".homestead.com|0d 0a|"; http_header; metadata: former_category CURRENT_EVENTS; reference:md5,28208e19a528bfa95e5662e2d6f2e911; reference:url,blogs.cisco.com/security/dridex-attacks-target-corporate-accounting; classtype:trojan-activity; sid:2020826; rev:5; metadata:created_at 2015_04_01, updated_at 2017_03_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 2 2015"; flow:established,to_server; content:"GET"; http_method; urilen:12; content:"/8u5_cb06/?"; depth:11; http_uri; classtype:trojan-activity; sid:2020832; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2015_04_02, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Malicious Doc Download EXE Primer (flowbits set)"; flow:established,to_server; content:"?id="; http_uri; content:"&act="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\.[^\x3F]+\?id=\d+&act=\d+$/U"; flowbits:set,ET.MalDocEXEPrimer; flowbits:noalert; reference:url,fireeye.com/blog/threat-research/2015/04/a_new_word_document.html; classtype:trojan-activity; sid:2020837; rev:5; metadata:created_at 2015_04_03, updated_at 2015_04_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious Doc Downloading EXE"; flow:established,from_server; flowbits:isset,ET.MalDocEXEPrimer; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,fireeye.com/blog/threat-research/2015/04/a_new_word_document.html; classtype:trojan-activity; sid:2020838; rev:3; metadata:created_at 2015_04_03, updated_at 2015_04_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Malicious Redirect Leading to EK Apr 03 2015"; flow:established,to_server; content:"/wordpress/?bf7N&utm_source="; http_uri; classtype:trojan-activity; sid:2020840; rev:1; metadata:created_at 2015_04_03, updated_at 2015_04_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Landing Apr 03 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"eval|3b|"; fast_pattern:only; content:"replace"; pcre:"/^\s*?\x28\s*?\x22\s\x22\s*?,\s*?\x22Q(?:\x22\s*?\+\s*?\x22)?Q\x22/Rs"; classtype:trojan-activity; sid:2020841; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2015_04_03, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Landing Apr 03 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"return eval"; fast_pattern:only; content:"replace"; pcre:"/^\s*?\x28\s*?\x22\s\x22\s*?,\s*?\x22Q(?:\x22\s*?\+\s*?\x22)?Q\x22/Rs"; classtype:trojan-activity; sid:2020842; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2015_04_03, malware_family Nuclear, updated_at 2016_07_01;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS Possible Upatre DNS Query (jamco.com.pk)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|jamco|03|com|02|pk|00|"; fast_pattern:only; reference:md5,407cce4873bc8af9077dbb21a8762f37; classtype:bad-unknown; sid:2020846; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2015_04_06, malware_family Upatre, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Chrome Form Data Theft April 06 2015"; flow:established,to_server; content:".php?type=form&site="; fast_pattern:only; http_uri; metadata: former_category CURRENT_EVENTS; reference:url,ocelot.li/the-malware-campaign-that-went-unnoticed/; classtype:trojan-activity; sid:2020847; rev:1; metadata:created_at 2015_04_06, updated_at 2017_03_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Chrome Cookie Data Theft April 06 2015"; flow:established,to_server; content:".php?type=cookie&site="; fast_pattern:only; http_uri; reference:url,ocelot.li/the-malware-campaign-that-went-unnoticed/; classtype:trojan-activity; sid:2020848; rev:1; metadata:created_at 2015_04_06, updated_at 2015_04_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Router DNS Changer Apr 07 2015"; flow:established,from_server; file_data; content:"|69 66 28 75 72 6c 2e 69 6e 64 65 78 4f 66 28 27 3c 65 6f 70 6c 3e 27 29 3e 30 29 7b|"; reference:url,malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html; classtype:trojan-activity; sid:2020854; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2015_04_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Landing Apr 08 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"Q|22|"; fast_pattern;  content:"length"; pcre:"/^\s*?\<\s*?10/Rs"; content:"replace"; within:500; pcre:"/^\s*?\x28\s*?\x22\s\x22\s*?,\s*?\x22(?:\!(?:\x22\s*?\+\s*?\x22)?)?Q(?:\x22\s*?\+\s*?\x22)?Q\x22/Rs"; classtype:trojan-activity; sid:2020865; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2015_04_08, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dridex downloader SSL Certificate srv1.mainsftdomain.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|srv1.mainsftdomain.com"; distance:1; within:23; content:"|55 04 03|"; distance:0; content:"|16|srv1.mainsftdomain.com"; distance:1; within:23; classtype:trojan-activity; sid:2020866; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY EXE Embeded in Page Likely Evil M1"; flow:established,from_server; file_data; content:"vbscript"; nocase; content:"|22|4D5A90"; fast_pattern; nocase; content:!"|22|"; within:500; pcre:"/^[a-f0-9]{500}/Rsi"; classtype:trojan-activity; sid:2020893; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2015_04_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY EXE Embeded in Page Likely Evil M2"; flow:established,from_server; file_data; content:"vbscript"; nocase; content:"|27|4D5A90"; fast_pattern; nocase; content:!"|27|"; within:500; pcre:"/^[a-f0-9]{500}/Rsi"; classtype:trojan-activity; sid:2020894; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2015_04_10, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Magnitude Flash Exploit (IE) M2"; flow:established,to_server; urilen:<70; content:!".swf"; nocase; http_uri; content:"x-flash-version"; http_header; fast_pattern:only; pcre:"/^\/(?:\??[a-f0-9]{32,64}\/?)?$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<dl1>[^\x2e\r\n]+)\x2e[^\x2f\r\n]*?(?P<dl2>\x2e[^\x2e\r\n\x2f]+\x2e[^\x2e\x2f\r\n]+)\x2f(?:\??[a-f0-9]{32,64}\/?)?\r\n.*?Host\x3a\x20(?!(?P=dl1))[^\r\n]*?(?P=dl2)\r\n/Hsm"; classtype:trojan-activity; sid:2020895; rev:5; metadata:created_at 2015_04_11, updated_at 2015_04_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Router DNS Changer Apr 07 2015 M2"; flow:established,from_server; file_data; content:"|22 5c 78 35 32 5c 78 35 34 5c 78 34 33 5c 78 35 30 5c 78 36 35 5c 78 36 35 5c 78 37 32 5c 78 34 33 5c 78 36 46 5c 78 36 45 5c 78 36 45 5c 78 36 35 5c 78 36 33 5c 78 37 34 5c 78 36 39 5c 78 36 46 5c 78 36 45 22|"; content:!"vidzi.tv|0d 0a|"; reference:url,malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html; classtype:trojan-activity; sid:2020896; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2015_04_13, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SPL2 EK Post-Compromise Data Dump M1"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"QWRtaW5SaWdodHMy"; http_client_body; pcre:"/(?:Byb2NMaXN0|Qcm9jTGlzd|UHJvY0xpc3)/P"; classtype:trojan-activity; sid:2020903; rev:1; metadata:created_at 2015_04_14, updated_at 2015_04_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SPL2 EK Post-Compromise Data Dump M2"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"FkbWluUmlnaHRzM"; http_client_body; pcre:"/(?:Byb2NMaXN0|Qcm9jTGlzd|UHJvY0xpc3)/P"; classtype:trojan-activity; sid:2020904; rev:1; metadata:created_at 2015_04_14, updated_at 2015_04_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SPL2 EK Post-Compromise Data Dump M3"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"BZG1pblJpZ2h0cz"; http_client_body; pcre:"/(?:Byb2NMaXN0|Qcm9jTGlzd|UHJvY0xpc3)/P"; classtype:trojan-activity; sid:2020905; rev:1; metadata:created_at 2015_04_14, updated_at 2015_04_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Trojan Multi-part Macro Download M1"; flow:established,from_server; file_data; content:"PAB0AGUAeAB0ADEAMAA+ACQA"; within:24; classtype:trojan-activity; sid:2020911; rev:3; metadata:created_at 2015_04_14, updated_at 2015_04_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Potential Dridex.Maldoc Minimal Executable Request"; flow:established,to_server; urilen:<15; content:"GET"; http_method; content:".exe"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3A|"; http_header; pcre:"/^\/\d+\/\d+\.exe$/U"; content:"Host|3a|"; depth:5; http_header; pcre:"/^Host\x3a[^\r\n]+\r\n(?:(?:Cache-Control|Pragma)\x3a[^\r\n]+\r\n)?(?:\r\n)?$/Hmi"; reference:md5,2cea5182d71b768e8b669cacdea39825; classtype:trojan-activity; sid:2020941; rev:1; metadata:created_at 2015_04_16, updated_at 2015_04_16;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dridex downloader SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 be ef 3b e8 9f 06 3c 8d|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0f|Global Security"; distance:1; within:16; content:"|55 04 03|"; distance:0; content:"|0b|example.com"; distance:1; within:12; classtype:trojan-activity; sid:2020943; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown EK Landing Apr 20 2015"; flow:established,from_server; file_data; content:"|27 3b|d=unescape(m)|3b|document.write(d|29 3b|</script>"; content:".swf"; nocase; content:".swf"; nocase; content:"vbscript"; nocase; content:"System.Net.WebClient"; nocase; content:".exe"; nocase; classtype:trojan-activity; sid:2020950; rev:3; metadata:created_at 2015_04_20, updated_at 2015_04_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sundown EK Flash Exploit Apr 20 2015"; flow:established,to_server; content:"/bad/"; http_uri; fast_pattern:only; pcre:"/\/bad\/[A-Z0-9]+\.swf$/U"; classtype:trojan-activity; sid:2020951; rev:2; metadata:created_at 2015_04_20, updated_at 2015_04_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Landing Apr 22 2015"; flow:established,from_server; content:"nginx"; http_header; file_data; content:"|0d 0a|<textarea "; fast_pattern; content:!">"; within:21; content:!"</textarea>"; within:500; content:!"|0d|"; within:500; pcre:"/^\s*[^>]*?[a-zA-Z]+\s*?=\s*?[\x22\x27](?=[a-z]{0,20}[A-Z])(?=[A-Z]{0,20}[a-z])[A-Za-z]{15,21}[\x22\x27][^>]*?>(?=[A-Za-z_]{0,200}[0-9])(?=[0-9a-z_]{0,200}[A-Z])(?=[0-9A-Z_]{0,200}[a-z])[A-Za-z0-9_]{200}/R"; classtype:trojan-activity; sid:2020975; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2015_04_22, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Landing Apr 23 2015"; flow:established,from_server; file_data; content:"=window|3b|"; fast_pattern:only; content:"String.fromCharCode"; content:"|28 2f|Win64|3b 2f|i,"; nocase; content:"function"; pcre:"/^\s*?[^\x28\s]*?\x28\s*?(?P<a1>[^\s,\x29]+)\s*?,\s*?(?P<a2>[^\s,\x29]+)\s*?\x29\{[^\r\n]*?[\+=]String.fromCharCode\((?P=a2)\)[^\r\n]*?\}/Rs"; classtype:trojan-activity; sid:2020979; rev:2; metadata:created_at 2015_04_23, updated_at 2015_04_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK IE Exploit Apr 23 2015"; flow:established,from_server; file_data; content:"<title>some"; fast_pattern:only; content:"<style>"; content:"|5c 3a|*{display|3a|inline-block|3b|behavior|3a|url(#default#VML)|3b|}</style>"; distance:3; within:65; classtype:trojan-activity; sid:2020980; rev:2; metadata:created_at 2015_04_23, updated_at 2015_04_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Flash Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".swf"; http_header; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.swf\r\n/Hm"; file_data; content:"WS"; within:3; classtype:trojan-activity; sid:2020981; rev:2; metadata:created_at 2015_04_23, updated_at 2015_04_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK SilverLight Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".xap"; http_header; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.xap\r\n/Hm"; file_data; content:"AppManifest.xaml"; fast_pattern:only; classtype:trojan-activity; sid:2020982; rev:2; metadata:created_at 2015_04_23, updated_at 2015_04_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Java Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".jar"; http_header; fast_pattern:only; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.jar\r\n/Hm"; file_data; content:"PK"; within:2; classtype:trojan-activity; sid:2020983; rev:2; metadata:created_at 2015_04_23, updated_at 2015_04_23;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK PDF Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".pdf"; http_header; fast_pattern:only; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{7,8}\d{2,3}\.pdf\r\n/Hm"; file_data; content:"PDF-"; within:500; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2020984; rev:1; metadata:created_at 2015_04_23, updated_at 2017_04_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown EK Secondary Landing Apr 20 2015"; flow:established,from_server; file_data; content:"2147023083"; content:"BlackList"; nocase; content:"lenBadFiles"; nocase; fast_pattern:only; content:"ProgFilePath"; nocase; content:"lenProgFiles"; nocase; classtype:trojan-activity; sid:2020985; rev:1; metadata:created_at 2015_04_24, updated_at 2015_04_24;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dridex Downloader SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 be ef 3b e8 9f 06 3c 8d|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0f|Global Security"; distance:1; within:16; content:"|55 04 03|"; distance:0; content:"|0b|example.com"; distance:1; within:12; classtype:trojan-activity; sid:2020986; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download file with Powershell via LNK file (observed in Sundown EK)"; flow:established,from_server; file_data; content:"|4c 00 00 00|"; within:4; content:"c|00|m|00|d|00|.|00|e|00|x|00|e"; nocase; content:"P|00|o|00|w|00|e|00|r|00|S|00|h|00|e|00|l|00|l"; nocase; content:"D|00|o|00|w|00|n|00|l|00|o|00|a|00|d|00|F|00|i|00|l|00|e"; nocase; classtype:trojan-activity; sid:2020987; rev:1; metadata:created_at 2015_04_24, updated_at 2015_04_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Sundown EK URI Struct T1 Apr 24 2015"; flow:established,to_server; content:"/street"; http_uri; fast_pattern:only; pcre:"/\/street[1-5]\.php$/U"; classtype:trojan-activity; sid:2020988; rev:1; metadata:created_at 2015_04_24, updated_at 2015_04_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Sundown EK Payload Struct T1 Apr 24 2015"; flow:established,to_server; content:".exe"; http_uri; content:"/XV-"; fast_pattern:only; pcre:"/\/XV-\d+\.exe$/U"; classtype:trojan-activity; sid:2020989; rev:1; metadata:created_at 2015_04_24, updated_at 2015_04_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown EK Secondary Landing T1 M2 Apr 24 2015"; flow:established,from_server; file_data; content:"System.Net.WebClient"; nocase; content:"Powershell"; nocase; content:"DownloadFile"; nocase; content:"|3b|d=unescape(m)|3b|document.write(d)|3b|"; classtype:trojan-activity; sid:2020990; rev:1; metadata:created_at 2015_04_24, updated_at 2015_04_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Sundown EK Payload Struct T2 M1 Apr 24 2015"; flow:established,to_server; content:".exe"; http_uri; fast_pattern:only; pcre:"/\/(?:Flash[23]?|Ink|New|One|HQ).exe$/U"; classtype:trojan-activity; sid:2020991; rev:1; metadata:created_at 2015_04_24, updated_at 2015_04_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Sundown EK Payload Struct T2 M2 Apr 24 2015"; flow:established,to_server; content:"/BrowserUpdate.lnk"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2020992; rev:1; metadata:created_at 2015_04_24, updated_at 2015_04_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS IonCube Encoded Page (no alert)"; flow:established,from_server; file_data; content:"javascript>c=|22|"; content:"|3b|eval(unescape("; flowbits:noalert; flowbits:set,ET.IonCube; classtype:trojan-activity; sid:2020993; rev:1; metadata:created_at 2015_04_24, updated_at 2015_04_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Sundown EK Flash Exploit Struct T2 Apr 24 2015"; flow:established,to_server; flowbits:isset,ET.IonCube; content:"/"; http_uri; content:".swf"; http_uri; distance:4; within:4; pcre:"/\/(?=[A-Za-z]{0,3}\d)(?=\d{0,3}[A-Za-z])[A-Za-z0-9]{4,5}\.swf$/U"; content:".php"; http_header; classtype:trojan-activity; sid:2020994; rev:2; metadata:created_at 2015_04_24, updated_at 2015_04_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Landing URI Struct April 29 2015 M1"; flow:established,to_server; content:"GET"; depth:3; content:"/%20http%3A%2F"; distance:0; nocase; fast_pattern; content:"|20|HTTP/1."; distance:0; pcre:"/^GET \/[a-z]+\/[a-z]+\/\d\/[a-f0-9]{32}(?:[a-f0-9]{8})?\/%20http%3A%2F/i"; classtype:trojan-activity; sid:2021033; rev:3; metadata:created_at 2015_04_29, updated_at 2015_04_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Landing URI Struct April 29 2015 M2"; flow:established,to_server; content:"GET "; depth:4; content:"/5/"; distance:0; content:"/"; distance:32; within:1; content:"http%3A%2F%2F"; within:17; content:"|20|HTTP/1."; distance:0; content:"|0d 0a|"; distance:1; within:2; pcre:"/^GET [^\s]*?\/5\/[a-f0-9]{32}\/%20http%3A%2F%2F/i"; classtype:trojan-activity; sid:2021034; rev:2; metadata:created_at 2015_04_29, updated_at 2015_04_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Java Exploit URI Struct April 29 2015"; flow:established,to_server; content:"GET"; depth:3; content:"|20|HTTP/1."; distance:0; content:"Java/"; distance:0; fast_pattern; pcre:"/^GET \/[a-z]+\/[a-z]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?(?:\.[a-z]+)? HTTP\/1\./"; classtype:trojan-activity; sid:2021035; rev:4; metadata:created_at 2015_04_29, updated_at 2015_04_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK URI Struct April 29 2015"; flow:established,to_server; content:"|20|/"; offset:3; depth:3; content:"/5/"; fast_pattern; distance:0; content:"HTTP/1."; distance:0; content:"|0d 0a|"; distance:1; within:2; pcre:"/^[A-Z]{3,4} [^\s]*?\/5\/[A-Z]{3,}\/[a-f0-9]{32}(?:\.[^\x2f]+|\/[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\/?|\/\d+\/?)? HTTP\/1\.[01]\r\n/"; classtype:trojan-activity; sid:2021036; rev:5; metadata:created_at 2015_04_29, updated_at 2015_04_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Payload April 29 2015"; flow:established,to_server; content:"GET"; depth:3; content:"/5/"; distance:0; fast_pattern; content:"|20|HTTP/1."; distance:0; pcre:"/^GET \/[a-z]+\/[a-z]+\/5\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})? HTTP\/1\./"; content:"Referer|3a 20|"; distance:0; pcre:"/^[^\r\n]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\r/R"; classtype:trojan-activity; sid:2021037; rev:6; metadata:created_at 2015_04_29, updated_at 2015_04_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK POST Beacon April 29 2015"; flow:established,to_server; content:"POST"; depth:4; content:"0/"; distance:0; content:"|20|HTTP/1."; distance:0; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; distance:0; fast_pattern:21,20; content:"%"; distance:0; pcre:"/^POST \/[a-z]+\/[a-z]+\//"; content:"|0d 0a 0d 0a|"; pcre:"/^-?\d+=(?:[a-zA-Z0-9]|%[A-F0-9]{2}){2}(?P<var1>(?:[a-zA-Z0-9]|%[A-F0-9]{2}))(?:[a-zA-Z0-9]|%[A-F0-9]{2}){6}(?P<var2>(?:[a-zA-Z0-9]|%[A-F0-9]{2}))(?:[a-zA-Z0-9]|%[A-F0-9]{2}){2}(?P=var2)(?:[a-zA-Z0-9]|%[A-F0-9]{2}){4}(?P=var1)/R"; classtype:trojan-activity; sid:2021038; rev:5; metadata:created_at 2015_04_29, updated_at 2015_04_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Landing April 29 2015"; flow:established,from_server; file_data; content:"lortnoCgA.lortnoCgA"; content:"reverse"; classtype:trojan-activity; sid:2021039; rev:1; metadata:created_at 2015_04_29, updated_at 2015_04_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Exploit Struct April 30 2015"; flow:established,to_server; content:"GET "; depth:4; content:"/"; distance:2; content:"|20|HTTP/1."; distance:0; content:"|0d 0a|"; distance:1; within:2; pcre:"/^GET [^\s]*?\/\d\/[A-Z]+\/[a-f0-9]{32}\/[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\/? HTTP\/1\.[01]\r\n/"; content:"/%20http%3A%2F"; distance:0; fast_pattern; flowbits:set,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021042; rev:4; metadata:created_at 2015_04_30, updated_at 2015_04_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK SWF Exploit April 30 2015"; flow:established,from_server; content:"Content-Type|3a| application/x-shockwave-flash|0d 0a|"; http_header; fast_pattern:25,20; file_data; content:"ZWS"; within:3; flowbits:isset,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021043; rev:1; metadata:created_at 2015_04_30, updated_at 2015_04_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK SWF Exploit April 30 2015"; flow:established,from_server; content:"Content-Type|3a| application/x-shockwave-flash|0d 0a|"; http_header; fast_pattern:25,20; file_data; content:"CWS"; within:3; flowbits:isset,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021044; rev:1; metadata:created_at 2015_04_30, updated_at 2015_04_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK SilverLight Exploit April 30 2015"; flow:established,from_server; file_data; content:"AppManifest.xaml"; fast_pattern:only; flowbits:isset,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021045; rev:1; metadata:created_at 2015_04_30, updated_at 2015_04_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing Page May 01 2015"; flow:from_server,established; file_data; content:"CM|3a 20|u.indexOf(|27|NT 5.1|27|) > -1"; content:"PS|3a 20|u.indexOf(|27|NT 6.|27|) > -1"; classtype:trojan-activity; sid:2021046; rev:1; metadata:created_at 2015_05_01, updated_at 2015_05_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Secondary Landing Page May 01 2015 M1"; flow:from_server,established; file_data; content:"FlashVars"; content:"sh=Y21kIC9jIGVjaG8g"; classtype:trojan-activity; sid:2021047; rev:1; metadata:created_at 2015_05_01, updated_at 2015_05_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Secondary Landing Page May 01 2015 M2"; flow:from_server,established; file_data; content:"FlashVars"; content:"sh=cG93ZXJzaGVsbC5leGUg"; classtype:trojan-activity; sid:2021048; rev:1; metadata:created_at 2015_05_01, updated_at 2015_05_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK Flash Payload ShellCode Apr 23 2015"; flow:established,from_server; file_data; content:"urlmon.dll|00|http|3a 2f|"; pcre:"/^\x2f+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x2f\??[a-f0-9]+\x7chttp\x3a\x2f/Rs"; classtype:trojan-activity; sid:2021054; rev:1; metadata:created_at 2015_05_04, updated_at 2015_05_04;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Receiving Payload May 7 2015"; flow:established,from_server; content:"HTTP/1."; depth:7; content:"Content-Type|3a 20|application/postscript|0d 0a|"; fast_pattern:18,20; content:"Cache-Control|3a 20|no-cache,no-store,max-age=0,must-revalidate|0d 0a|"; content:"Content-Disposition|3a 20|inline|3b| filename="; pcre:"/^[a-z]{10}\.[a-z]{3}\r\n\r\n/R"; classtype:trojan-activity; sid:2021064; rev:2; metadata:created_at 2015_05_07, updated_at 2015_05_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible CryptoPHP Leaking Credentials May 8 2015 M1"; flow:established,to_server; content:"GET"; http_method; content:".js?callback="; http_uri; content:"&data=bG9nP"; distance:0; http_uri; fast_pattern; content:"JnB3ZD"; distance:0; http_uri; content:"&_="; distance:0; http_uri; pcre:"/&_=\d+$/U"; reference:url,research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html; classtype:trojan-activity; sid:2021081; rev:1; metadata:created_at 2015_05_08, updated_at 2015_05_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible CryptoPHP Leaking Credentials May 8 2015 M2"; flow:established,to_server; content:"GET"; http_method; content:".js?callback="; http_uri; content:"&data=bG9nP"; distance:0; http_uri; fast_pattern; content:"Zwd2Q9"; distance:0; http_uri; content:"&_="; distance:0; http_uri; pcre:"/&_=\d+$/U"; reference:url,research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html; classtype:trojan-activity; sid:2021082; rev:1; metadata:created_at 2015_05_08, updated_at 2015_05_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible CryptoPHP Leaking Credentials May 8 2015 M3"; flow:established,to_server; content:"GET"; http_method; content:".js?callback="; http_uri; content:"&data=bG9nP"; distance:0; http_uri; fast_pattern; content:"mcHdkP"; distance:0; http_uri; content:"&_="; distance:0; http_uri; pcre:"/&_=\d+$/U"; reference:url,research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html; classtype:trojan-activity; sid:2021083; rev:1; metadata:created_at 2015_05_08, updated_at 2015_05_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNSChanger EK Landing May 12 2015"; flow:established,from_server; file_data; content:"<input type=|22|hidden|22| id=|22|myip|22|>"; nocase; fast_pattern:11,20; content:"CryptoJSAesJson"; nocase; classtype:trojan-activity; sid:2021090; rev:3; metadata:created_at 2015_05_12, updated_at 2015_05_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download file with BITS via LNK file (Likely Malicious)"; flow:established,from_server; file_data; content:"|4c 00 00 00|"; within:4; content:"|00|b|00|i|00|t|00|s|00|a|00|d|00|m|00|i|00|n|00|"; nocase; content:"|00|t|00|r|00|a|00|n|00|s|00|f|00|e|00|r|00|"; nocase; classtype:trojan-activity; sid:2021092; rev:1; metadata:created_at 2015_05_13, updated_at 2015_05_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dridex Remote Macro Download"; flow:established,from_server; file_data; content:"(Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84) & Chr(84) & Chr(80)"; nocase; classtype:trojan-activity; sid:2021093; rev:1; metadata:created_at 2015_05_13, updated_at 2015_05_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNSChanger EK Secondary Landing May 12 2015 M2"; flow:established,from_server; file_data; content:"&|22|+DetectRTC.isWebSocketsSupported+|22|&|22|+"; nocase; content:"CryptoJSAesJson"; nocase; classtype:trojan-activity; sid:2021110; rev:1; metadata:created_at 2015_05_16, updated_at 2015_05_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown EK Landing May 21 2015 M1"; flow:from_server,established; file_data; content:"|3c 21 2d 2d 20 53 45 45 44 3a|"; nocase; fast_pattern:only; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; classtype:trojan-activity; sid:2021136; rev:1; metadata:created_at 2015_05_21, updated_at 2015_05_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown EK Landing May 21 2015 M2"; flow:from_server,established; file_data; content:"|5e 23 7e 40|"; nocase; fast_pattern:only; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2021137; rev:2; metadata:created_at 2015_05_21, updated_at 2015_05_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DNSChanger EK Landing URI Struct May 22 2015"; flow:to_server,established; content:"/stat/load"; http_uri; fast_pattern:only; content:".php"; http_uri; pcre:"/^GET\s*?\/stat\/load(?=(?-i)[a-z0-9]*?[A-Z])(?=(?-i)[A-Z0-9]*?[a-z])(?P<hname>[a-z0-9]+)\.php\s.+?Host\x3a\x20(?P=hname)\./smi"; classtype:trojan-activity; sid:2021141; rev:1; metadata:created_at 2015_05_22, updated_at 2015_05_22;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Malicious Redirect SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|14|formationtraffic.com"; distance:1; within:21; classtype:trojan-activity; sid:2021146; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_05_26, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil JS iframe Embedded In GIF"; flow:established,from_server; file_data; content:"GIF89a="; nocase; within:8; content:"|3b|url="; nocase; distance:0; content:"iframe"; nocase; distance:0; content:"|3b|tail="; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2021156; rev:1; metadata:created_at 2015_05_28, updated_at 2015_05_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS suspicious VBE-encoded script (seen in Sundown EK)"; flow:established,from_server; file_data; content:"Script.Encode"; content:"<!--"; within:8; content:"#@~"; within:5; flowbits:set,et.exploitkitlanding; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2021169; rev:2; metadata:created_at 2015_05_29, updated_at 2015_05_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 2 2015"; flow:established,from_server; file_data; content:"<title>WARNING|3a| INTERNET SECURITY ALERT</title>"; nocase; fast_pattern; content:"function myFunction|28 29|"; nocase; distance:0; content:"Due to Suspicious Activity"; nocase; distance:0; classtype:trojan-activity; sid:2021177; rev:1; metadata:created_at 2015_06_03, updated_at 2015_06_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 4 2015 M1"; flow:established,to_client; file_data; content:"<title>MICROSOFT WINDOWS SECURITY ALERT</title>"; nocase; fast_pattern; content:"<title>WARNING: VIRUS CHECK</title>"; nocase; distance:0; classtype:trojan-activity; sid:2021181; rev:1; metadata:created_at 2015_06_04, updated_at 2015_06_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 4 2015 M2"; flow:established,to_client; file_data; content:"<title>WARNING: VIRUS CHECK</title>"; fast_pattern; nocase; content:"function myFunction|28 29|"; nocase; distance:0; content:"There is a .net frame work file missing due to some harmfull virus"; nocase; distance:0; classtype:trojan-activity; sid:2021182; rev:1; metadata:created_at 2015_06_04, updated_at 2015_06_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 4 2015 M3"; flow:established,to_client; file_data; content:"<title>Advised System Support!</title>"; fast_pattern; nocase; content:"Your Computer May Not Be Protected"; nocase; distance:0; content:"Possible network damages if virus not removed immediately"; nocase; distance:0; classtype:trojan-activity; sid:2021183; rev:1; metadata:created_at 2015_06_04, updated_at 2015_06_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 8 2015 M1"; flow:established,to_client; file_data; content:"<title>INTERNET BROWSER PROCESS WARNING ERROR</title>"; nocase; fast_pattern:33,20; content:"WINDOWS HEALTH IS CRITICAL"; nocase; distance:0; classtype:trojan-activity; sid:2021206; rev:1; metadata:created_at 2015_06_08, updated_at 2015_06_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 8 2015 M2"; flow:established,to_client; file_data; content:"<title>Norton Firewall Warning</title>"; fast_pattern:18,20; nocase; content:"function myFunction|28 29|"; nocase; distance:0; content:"Windows has blocked access to the Internet."; nocase; distance:0; classtype:trojan-activity; sid:2021207; rev:1; metadata:created_at 2015_06_08, updated_at 2015_06_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil JS used in Unknown EK Landing"; flow:established,from_server; file_data; content:"|74 3d 75 74 66 38 74 6f 31 36 28 78 78 74 65 61 5f 64 65 63 72 79 70 74 28 62 61 73 65 36 34 64 65 63 6f 64 65 28 74 29 2c|"; nocase; classtype:trojan-activity; sid:2021217; rev:1; metadata:created_at 2015_06_09, updated_at 2015_06_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil JS used in Unknown EK Landing"; flow:established,from_server; file_data; content:"base64decode"; nocase; content:"xxtea_decrypt"; nocase; fast_pattern:only; content:"long2str"; nocase; content:"str2long"; nocase; classtype:trojan-activity; sid:2021218; rev:2; metadata:created_at 2015_06_09, updated_at 2015_06_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS KaiXin Secondary Landing Jun 09 2015"; flow:established,to_server; content:"/main.html"; http_uri; nocase; fast_pattern:only; content:"/index.html"; http_header; nocase; content:"cck_lasttime"; http_cookie; nocase; classtype:trojan-activity; sid:2021219; rev:3; metadata:created_at 2015_06_09, updated_at 2015_06_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK June 11 2015"; flow:established,from_server; content:"javascript"; http_header; content:"nginx"; nocase; http_header; file_data; pcre:"/^\s*?/Rs"; content:"document.write|28 28 22|<iframe src=|27|"; pcre:"/^http\x3a\x2f[^\x27]+[\x27](?:\swidth=\d{1,2}\sheight=\d{1,2}\s|\sheight=\d{1,2}\swidth=\d{1,2}\s)/R"; content:"frameborder=0 marginheight=0 marginwidth=0 scrolling=no> </|22 20|+|20 22|iframe>|22 29 29 3b|"; fast_pattern:55,20; isdataat:!3,relative; classtype:trojan-activity; sid:2021249; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2015_06_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 11 2015 M2"; flow:established,to_client; file_data; content:"<title>Firewall Alert!</title>"; nocase; fast_pattern:10,20; content:"myFunction|28 29|"; nocase; distance:0; content:"warning_message.png"; nocase; distance:0; classtype:trojan-activity; sid:2021256; rev:1; metadata:created_at 2015_06_11, updated_at 2015_06_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 11 2015 M1"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>*** Security Error Code 0x80070424</title>"; fast_pattern:29,20; nocase; classtype:trojan-activity; sid:2021255; rev:2; metadata:created_at 2015_06_11, updated_at 2015_06_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 11 2015 M3"; flow:established,to_client; file_data; content:"<title>VIRUS WARNING!</title>"; nocase; fast_pattern:9,20; content:"myFunction|28 29|"; nocase; distance:0; content:"gp-msg.mp3"; nocase; distance:0; classtype:trojan-activity; sid:2021258; rev:1; metadata:created_at 2015_06_11, updated_at 2015_06_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 16 2015 M1"; flow:established,to_client; file_data; content:"<title>WINDOWS WARNING ERROR</title>"; nocase; fast_pattern:16,20; content:"myFunction|28 29|"; distance:0; classtype:trojan-activity; sid:2021285; rev:1; metadata:created_at 2015_06_17, updated_at 2015_06_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 16 2015 M2"; flow:established,to_client; file_data; content:"<title>Security Error</title>"; nocase; content:"myFunction|28 29|"; content:"setInterval"; content:"WARNING"; nocase; classtype:trojan-activity; sid:2021286; rev:2; metadata:created_at 2015_06_17, updated_at 2015_06_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 16 2015 M4"; flow:established,to_client; file_data; content:"onload=|22|myFunction|28 29 3b 22|"; fast_pattern; content:"onmouseover=|22|myFunction|28 29 3b 22|"; distance:1; content:"onclick=|22|myFunction|28 29 3b 22|"; distance:1; content:"onkeydown=|22|myFunction|28 29 3b 22|"; distance:1; content:"onunload=|22|myFunction|28 29 3b 22|"; distance:1; classtype:trojan-activity; sid:2021288; rev:1; metadata:created_at 2015_06_17, updated_at 2015_06_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Landing M4"; flow:established,from_server; file_data; content:"|76 68 7a 32 7a 3d 27 27 3b 74 72 79 7b 77 69 6e 64 6f 77|"; classtype:trojan-activity; sid:2021291; rev:3; metadata:created_at 2015_06_18, updated_at 2015_06_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS KaiXin Secondary Landing Page"; flow:to_server,established; content:"/win.html"; http_uri; fast_pattern:only; pcre:"/\/win\.html$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<refhost>[^\x3a\x2f\r\n]+)(?:\x3a\d{1,5})?[^\r\n]*?\/(?:index.html)?\r\n.*?\r\nHost\x3a\x20(?P=refhost)[\x3a\r]/Hsi"; classtype:trojan-activity; sid:2021292; rev:1; metadata:created_at 2015_06_18, updated_at 2015_06_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS KaiXin Secondary Landing Page"; flow:to_server,established; content:"/win.html"; http_uri; fast_pattern:only; pcre:"/\/win\.html$/U"; pcre:"/Host\x3a\x20(?P<refhost>[^\x3a\r\n]+)(?:\x3a\d{1,5})?\r\n.*?\r\nReferer\x3a\x20https?\x3a\x2f\x2f(?P=refhost)(?:\x3a\d{1,5})?\/?/Hsi";  content:!"Host|3a 20|www.carrona.org"; classtype:trojan-activity; sid:2021293; rev:2; metadata:created_at 2015_06_18, updated_at 2015_06_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 17 2015 M1"; flow:established,to_client; file_data; content:"/Alert_files/"; nocase; fast_pattern; content:"Due to a third party application"; nocase; distance:0; content:"iOS is crashed"; nocase; distance:0; classtype:trojan-activity; sid:2021294; rev:1; metadata:created_at 2015_06_18, updated_at 2015_06_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 17 2015 M2"; flow:established,to_server; content:"GET"; http_method; content:"a=HT&u="; http_uri; fast_pattern; content:"&clickid="; http_uri; distance:0; content:"&browser="; http_uri; distance:0; content:"&country="; http_uri; distance:0; content:"&device="; http_uri; distance:0; content:"&model="; http_uri; distance:0; content:"&isp="; http_uri; distance:0; classtype:trojan-activity; sid:2021295; rev:1; metadata:created_at 2015_06_18, updated_at 2015_06_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Adobe Phish Jun 17 2015"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"username="; depth:9; nocase; http_client_body; fast_pattern; content:"&pass"; nocase; http_client_body; distance:0; content:"&vi="; nocase; http_client_body; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021296; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2015_06_18, updated_at 2017_07_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Google Drive Phish June 17 2015"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"email="; depth:6; http_client_body; nocase; content:"&pswd="; http_client_body; distance:0; nocase; fast_pattern; content:"&Button1="; nocase; http_client_body; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021297; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2015_06_18, updated_at 2017_07_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Dropbox Phish June 17 2015"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"server="; depth:7; nocase; http_client_body; fast_pattern; content:"&username="; nocase; http_client_body; distance:0; content:"&password="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021298; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2015_06_18, updated_at 2017_07_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Landing URI Struct June 19 2015 M3"; flow:established,to_server; content:"GET /"; depth:5; content:"/%3Ahttp%3A%2F"; distance:0; fast_pattern; content:"|20|HTTP/1."; distance:0; pcre:"/^GET \/[a-z]+\/[a-z]+\/\d\/[a-f0-9]{32}(?:[a-f0-9]{8})?\/%3Ahttp%3A%2F/i"; classtype:trojan-activity; sid:2021305; rev:1; metadata:created_at 2015_06_19, updated_at 2015_06_19;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely CottonCastle/Niteris EK Response June 19 2015"; flow:established,from_server; content:"HTTP/1."; depth:7; content:"|3b 20|url"; distance:0; content:"/999/00000/|0d 0a|"; distance:0; fast_pattern; content:"Refresh|3a 20|"; pcre:"/^\d+\x3b\x20url[^\r\n]+\/999\/00000\/\r?$/Rm"; classtype:trojan-activity; sid:2021306; rev:1; metadata:created_at 2015_06_19, updated_at 2015_06_19;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Exploit URI Struct June 19 2015"; flow:established,to_server; content:"|20 2f|"; offset:3; depth:3; content:"?time="; distance:0; fast_pattern; content:"&stamp="; distance:0; content:"."; distance:0; content:"|20|HTTP/1."; distance:0; pcre:"/^(?:GET|POST) \/[a-z]+\/[a-z]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\.[a-z]+\?time=[^&]+&stamp=[a-z]*\d+(?:\.[a-z]*\d+)+ HTTP\/1\./"; classtype:trojan-activity; sid:2021307; rev:2; metadata:created_at 2015_06_19, updated_at 2015_06_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Payload June 19 2015"; flow:established,to_server; content:"|20 2f|"; offset:3; depth:3; content:"/4/"; fast_pattern:only; pcre:"/^(?:GET|POST) \/[a-z]+\/[a-z]+\/4\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})? HTTP\/1\./"; content:"Referer|3a 20|"; distance:0; pcre:"/^[^\r\n]+\/4\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\r?$/Rm"; classtype:trojan-activity; sid:2021308; rev:1; metadata:created_at 2015_06_19, updated_at 2015_06_19;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Flash Exploit URI Struct June 19 2015"; flow:established,to_server; content:"GET"; depth:3; content:"|20|HTTP/1."; distance:0; content:"/%"; distance:0; content:"http%3A%2F%2F"; distance:2; within:13; nocase; fast_pattern; pcre:"/^GET \/[a-z]+\/[a-z]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\//"; content:"Referer|3a 20|http"; distance:0; pcre:"/^[^\r\n]+\/%(?:3A|20)http%3A%2F%2F/Hmi"; classtype:trojan-activity; sid:2021309; rev:2; metadata:created_at 2015_06_19, updated_at 2015_06_19;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Landing June 19 2015"; flow:established,from_server; content:"HTTP/1."; depth:7; content:"|0d 0a 0d 0a|"; distance:0; content:"ScriptEngineMajorVersion"; distance:0; content:"ScriptEngineMinorVersion"; nocase; content:"ScriptEngineBuildVersion"; nocase; content:"javafx_version"; nocase; content:"ip"; pcre:"/^\s*?=\s*?[\x22\x27]8\.8\.8\.8[\x22\x27]/Rsi"; content:"8.8.8.8"; fast_pattern:only; classtype:trojan-activity; sid:2021310; rev:1; metadata:created_at 2015_06_19, updated_at 2015_06_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Malicious wininet UA Downloading EXE"; flow:established,from_server; flowbits:isset,ET.wininet.UA; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2021312; rev:1; metadata:created_at 2015_06_19, updated_at 2015_06_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious JS Observed in Unknown EK Landing"; flow:established,from_server; file_data; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 58 4f 52 28 75 6e 65 73 63 61 70 65 28 73 74 72 48 54 4d 4c 29|"; nocase; classtype:trojan-activity; sid:2021313; rev:1; metadata:created_at 2015_06_19, updated_at 2015_06_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Secondary Landing Page June 22 2015"; flow:established,from_server; file_data; content:"return binary_to_base64|28|"; content:"return "; pcre:"/^\s*?[\x22\x27][^\x22\x27a-f0-9]68[^\x22\x27a-f0-9]74[^\x22\x27a-f0-9]74[^\x22\x27a-f0-9]70[^\x22\x27a-f0-9]3a[^\x22\x27a-f0-9]2f[^\x22\x27a-f0-9]2f[^\x22\x27]+?[^\x22\x27a-f0-9]00[\x22\x27]/Ri"; classtype:trojan-activity; sid:2021320; rev:1; metadata:created_at 2015_06_22, updated_at 2015_06_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Remax Phish - AOL Creds Jun 23 2015"; flow:established,to_server; content:"POST"; http_method; content:"/aol.php"; http_uri; fast_pattern; content:"sitedomain="; depth:11; http_client_body; content:"&isSiteStateEncoded="; http_client_body; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2021322; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2015_06_23, updated_at 2017_07_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Yahoo Phish Jun 23 2015"; flow:established,to_server; content:"POST"; http_method; content:"/yahoo.php"; http_uri; fast_pattern; content:".tries="; http_client_body; nocase; depth:7; content:"&.challenge="; http_client_body; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2021323; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2015_06_23, updated_at 2017_08_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Remax Phish - Other Creds Jun 23 2015"; flow:established,to_server; content:"POST"; http_method; content:"/other.php"; http_uri; fast_pattern; content:"&_task=login&_action=login"; http_client_body; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2021324; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2015_06_23, updated_at 2017_07_13;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|aa|07|hostasa|03|org"; fast_pattern; nocase; distance:0; threshold:type limit,track by_src,count 3,seconds 60; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021326; rev:2; metadata:created_at 2015_06_23, updated_at 2015_06_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (ns1.hostasa.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|ns1|07|hostasa|03|org"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021327; rev:1; metadata:created_at 2015_06_23, updated_at 2015_06_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (ns2.hostasa.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|ns2|07|hostasa|03|org"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021328; rev:1; metadata:created_at 2015_06_23, updated_at 2015_06_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (ns3.hostasa.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|ns3|07|hostasa|03|org"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021329; rev:1; metadata:created_at 2015_06_23, updated_at 2015_06_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (ns4.hostasa.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|ns4|07|hostasa|03|org"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021330; rev:1; metadata:created_at 2015_06_23, updated_at 2015_06_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (gh.dsaj2a1.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|gh|07|dsaj2a1|03|org"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021331; rev:1; metadata:created_at 2015_06_23, updated_at 2015_06_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (navert0p.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|navert0p|03|com"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021332; rev:1; metadata:created_at 2015_06_23, updated_at 2015_06_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (wangzongfacai.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|wangzongfacai|03|com"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021333; rev:1; metadata:created_at 2015_06_23, updated_at 2015_06_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK June 10 2015"; flow:established,from_server; file_data; content:"60*60*24*7*1000|29 3b| document.cookie=|22|PHP_SESSION_PHP="; fast_pattern:31,20; pcre:"/^\d+\x3b/R"; classtype:trojan-activity; sid:2021338; rev:10; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2015_06_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Elasticsearch CVE-2015-1427 Exploit Campaign SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 08|"; distance:0; content:"|06|hacked"; distance:1; within:7; content:"|01 09 01|"; distance:0; content:"|10|hackking@126.com"; distance:1; within:17; reference:url,blog.malwaremustdie.org/2015/06/mmd-0034-2015-new-elf.html; classtype:trojan-activity; sid:2021351; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_25, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 26 2015 M1"; flow:established,to_server; content:"GET"; http_method; content:".php?cid="; http_uri; fast_pattern; content:"-w"; distance:0; http_uri; pcre:"/\.php\?cid=[0-9]+?-w[A-Z0-9]{23}$/U"; classtype:trojan-activity; sid:2021357; rev:3; metadata:created_at 2015_06_26, updated_at 2015_06_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 26 2015 M2"; flow:established,to_client; file_data; content:"<title>SCANNING.."; fast_pattern; content:"myFunction|28 29|"; distance:0; content:"virus"; nocase; distance:0; classtype:trojan-activity; sid:2021358; rev:1; metadata:created_at 2015_06_26, updated_at 2015_06_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 26 2015 M3"; flow:established,to_client; file_data; content:"e.ctrlKey &&"; distance:0; content:"e.keyCode ==="; distance:0; content:"e.keyCode ==="; distance:0; content:"e.keyCode ==="; distance:0; content:"IP has been Registed"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2021359; rev:1; metadata:created_at 2015_06_26, updated_at 2015_06_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Magnitude CVE-2015-3113 Jun 29 2015 M1"; flow:established,to_server; urilen:10; content:"/video.flv"; nocase; http_uri; fast_pattern:only; pcre:"/Referer\x3a\x20http\x3a\x2f+?(?:[\x2eg-z]*[a-f0-9][\x2eg-z]*){32}\.[^\x2f\r\n]*?\x2f+\[\[DYNAMIC\]\]\x2f\d*?\r\n?/H"; pcre:"/Host\x3a\x20(?:[\x2eg-z]*[a-f0-9][\x2eg-z]*){32}\./H"; classtype:trojan-activity; sid:2021364; rev:1; metadata:created_at 2015_06_29, updated_at 2015_06_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 26 2015 M4"; flow:established,to_client; file_data; content:"div class=|22|what-to-do|22|"; content:"div class=|22|more-about-the-virus|22|"; fast_pattern:11,20; distance:0; content:"div class=|22|service|22|"; distance:0; content:"div class=|22|windows-logo|22|"; distance:0; classtype:trojan-activity; sid:2021365; rev:1; metadata:created_at 2015_06_29, updated_at 2015_06_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Stylesheet June 26 2015"; flow:established,to_client; content:"Content-Type|3a 20|text/css"; http_header; file_data; content:".header-warning"; content:".what-to-do"; distance:0; content:"more-about-the-virus"; distance:0; fast_pattern; classtype:trojan-activity; sid:2021366; rev:1; metadata:created_at 2015_06_29, updated_at 2015_06_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 26 2015 M5"; flow:established,to_server; content:"GET"; http_method; content:"isp="; http_uri; content:"&browser="; distance:0; http_uri; content:"&browserversion"; http_uri; distance:0; fast_pattern; content:"&ip="; http_uri; distance:0; content:"&os="; http_uri; distance:0; content:"&osversion="; http_uri; distance:0; classtype:trojan-activity; sid:2021367; rev:1; metadata:created_at 2015_06_29, updated_at 2015_06_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 26 2015 M6"; flow:established,to_client; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>WARNING|3a|"; nocase; fast_pattern; content:"onbeforeunload"; nocase; distance:0; content:"function|28 29|"; nocase; distance:0; content:"virus"; nocase; distance:0; classtype:trojan-activity; sid:2021368; rev:2; metadata:created_at 2015_06_29, updated_at 2015_06_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NullHole EK Landing URI struct"; flow:established,to_server; content:"/e.html"; http_uri; fast_pattern:only; pcre:"/\/e\.html$/U"; content:"nhweb="; http_cookie; classtype:trojan-activity; sid:2021373; rev:1; metadata:created_at 2015_07_01, updated_at 2015_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 02"; flow:established,from_server; file_data; content:"|2e 73 70 6c 69 74 28 22 22 29 2e 72 65 76 65 72 73 65 28 29 2e 6a 6f 69 6e 28 22 22 29 2e 73 70 6c 69 74 28 22 22 29 2e 72 65 76 65 72 73 65 28 29 2e 6a 6f 69 6e 28 22 22 29 5d 2e 62 6f 72 64 65 72 20 3d 20 22 6e 6f 6e 65 22 3b|"; fast_pattern:46,20; content:" +="; pcre:"/^\s+\d{1,2}\x3b\s+else\s+(?P<var>[a-z]+)\s+\-=\s+\d{1,2}\x3b\s+return\s+[a-z]+\.charAt\x28(?P=var)\/\d{1,2}\x29\x7d/R"; classtype:trojan-activity; sid:2021374; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2015_07_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 08"; flow:established,from_server; file_data; content:"></script><!--|2f|"; fast_pattern:only; content:"<!--"; pcre:"/^(?P<var>[a-f0-9]{6})-->\s*?<script\s*?type=[\x22\x27]text\/javascript[\x22\x27]\s*?src=[\x22\x27]http\x3a\x2f[^\x22\x27]*?\/[a-z\d]{8}\.php\?id=\d+[\x22\x27]\s*?><\/script><!--\/(?P=var)-->/Rs"; classtype:trojan-activity; sid:2021394; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2015_07_09, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Google Drive/Dropbox Phishing Landing Jul 10 2015"; flow:to_client,established; file_data; content:"openOffersDialog|28 29 3b|"; content:"dropboxmaincontent"; fast_pattern; distance:0; content:"Verification Required"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:policy-violation; sid:2021400; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2015_07_10, updated_at 2017_08_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Google Drive Phishing Landing Jul 10 2015"; flow:to_client,established; file_data; content:".php|22 20|method=|22|POST|22|"; fast_pattern; content:"Sign in with Gmail"; distance:0; content:"Sign in with Yahoo"; distance:0; content:"Sign in with Hotmail"; distance:0; content:"Sign in with AOL"; distance:0; content:"Sign in with Others"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:policy-violation; sid:2025683; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2015_07_10, updated_at 2018_07_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Targeted Attack from APT Actor Delivering HT SWF Exploit RIP"; flow:established,from_server; file_data; content:"|67 5f 6f 3d 69 65 56 65 72 73 69 6f 6e 28 29 3b|"; nocase; fast_pattern:only; content:"|67 65 74 42 69 74 73 28 29 3b|"; nocase; content:"var "; pcre:"/^\s*?(?P<var>[^=\s\x3b]+)\s*?=\s*?getBits\(\s*?\)\x3b.+?flashvars\s*?=\s*?\x5c\x22(?P=var)\s*?=\s*?\x22\s*?\+\s*?(?P=var)\s*?\+\s*?\x22\x5c\x22/Rsi"; classtype:trojan-activity; sid:2021405; rev:4; metadata:created_at 2015_07_13, updated_at 2015_07_13;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HanJuan EK Current Campaign Landing URI Struct Jul 10 2015"; flow:established,to_server; urilen:>13; content:!"/"; offset:1; http_uri; content:".asp"; http_uri; pcre:"/^\/[A-Za-z\d]+\-[A-Za-z\d]+\-[A-Za-z\d]+\-[A-Za-z\d]+\-[A-Za-z\d]+\.asp/U"; pcre:"/[a-z].*?[a-z]/U"; pcre:"/[A-Z].*?[A-Z]/U"; pcre:"/\d.*?\d/U"; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\r$|\x3a)/Hm"; content:!"Cookie|3a|"; classtype:trojan-activity; sid:2021407; rev:3; metadata:created_at 2015_07_13, updated_at 2015_07_13;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos DDoS Attack Participation (gggatat456.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|gggatat456|03|com"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,5a6bd6b5e00333b8d39ff6be13a346f6; classtype:trojan-activity; sid:2021409; rev:1; metadata:created_at 2015_07_13, updated_at 2015_07_13;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos DDoS Attack Participation (xxxatat456.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|xxxatat456|03|com"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,5a6bd6b5e00333b8d39ff6be13a346f6; classtype:trojan-activity; sid:2021410; rev:1; metadata:created_at 2015_07_13, updated_at 2015_07_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Suspicious SWF filename movie(dot)swf in doc root"; flow:established,to_server; urilen:10; content:"/movie.swf"; fast_pattern:only; http_uri; classtype:trojan-activity; sid:2021414; rev:2; metadata:created_at 2015_07_15, updated_at 2015_07_15;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Malicious Redirect SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|10|mixticmotion.com"; distance:1; within:17; classtype:trojan-activity; sid:2021415; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible IE MSMXL Detection of Local DLL (Likely Malicious)"; flow:established,from_server; file_data; content:"res|3a|"; nocase; content:"loadXML"; nocase; content:"parseError"; nocase; content:"errorCode"; nocase; content:"-2147023083"; fast_pattern:only; content:".dll"; classtype:trojan-activity; sid:2021429; rev:2; metadata:created_at 2015_07_15, updated_at 2015_07_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible IE MSMXL Detection of Local SYS (Likely Malicious)"; flow:established,from_server; file_data; content:"res|3a|"; nocase; content:"loadXML"; nocase; content:"parseError"; nocase; content:"errorCode"; nocase; content:"-2147023083"; fast_pattern:only; content:".sys"; classtype:trojan-activity; sid:2021430; rev:2; metadata:created_at 2015_07_15, updated_at 2016_10_17;)

alert tcp $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert M1 (L O)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; within:9; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 0a 0c|"; within:9; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 03 0c|"; within:9; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?P<var>[a-zA-Z0-9]{1,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021432; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert M2 (L CN)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; within:9; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 0a 0c|"; within:9; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; content:"|06 03 55 04 03 0c|"; distance:0; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])(?P<var>[a-zA-Z0-9]{10,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021433; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert M3 (O CN)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; distance:0; content:"|06 03 55 04 0a 0c|"; distance:0; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 03 0c|"; within:9; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])(?P<var>[a-zA-Z0-9]{10,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021434; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_17, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 17"; flow:to_server,established; content:"fare="; http_uri; nocase; content:".asp?"; http_uri; nocase; content:".pw|0d 0a|"; http_header; nocase; fast_pattern:only; pcre:"/[&?]fare=/Ui"; pcre:"/[&?]c=/Ui"; pcre:"/[&?]t=[a-f0-9]{32}(?:&|$)/Ui"; classtype:trojan-activity; sid:2021435; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2015_07_17, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (v8.f1122.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|v8|05|f1122|03|org"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; classtype:trojan-activity; sid:2021443; rev:1; metadata:created_at 2015_07_20, updated_at 2015_07_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/IptabLesX C2 Domain Lookup (GroUndHog.MapSnode.CoM)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|GroUndHog|08|MapSnode|03|CoM"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; classtype:trojan-activity; sid:2021444; rev:1; metadata:created_at 2015_07_20, updated_at 2015_07_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing July 20 2015 M2"; flow:to_server,established; content:"GET"; http_method; content:"index.html?city="; http_uri; fast_pattern; content:"&ip="; http_uri; distance:0; content:"&isp="; http_uri; distance:0; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2021447; rev:1; metadata:created_at 2015_07_20, updated_at 2015_07_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing July 20 2015 M4"; flow:to_client,established; file_data; content:"myFunction|28 29|"; content:"setInterval"; distance:0; content:"alert"; distance:0; content:"gp-msg.mp3"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2021449; rev:1; metadata:created_at 2015_07_20, updated_at 2015_07_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing July 20 2015 M1"; flow:to_client,established; file_data; content:"us_win.mp3"; fast_pattern; content:"yourOS|28 29|"; distance:0; content:"myFunction|28 29|"; distance:0; content:"onload_fun|28 29|"; distance:0; classtype:trojan-activity; sid:2021500; rev:1; metadata:created_at 2015_07_20, updated_at 2015_07_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NullHole URI Struct Jul 22 2015 M2"; flow:established,to_server; urilen:40; content:"/e.html"; http_uri; offset:33; depth:7; pcre:"/^\/[a-f0-9]{32}\/e\.html$/U"; classtype:trojan-activity; sid:2021507; rev:1; metadata:created_at 2015_07_22, updated_at 2015_07_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NullHole URI Struct Jul 22 2015 M3"; flow:established,from_server; content:"302"; http_stat_code; content:"/e.html"; http_header; fast_pattern:only; pcre:"/^Location\x3a\x20[a-f0-9]{32}\/e\.html\r$/Hm"; content:"Set-Cookie|3a|"; classtype:trojan-activity; sid:2021508; rev:1; metadata:created_at 2015_07_22, updated_at 2015_07_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Google Drive Phishing Landing Jul 24 2015"; flow:to_client,established; file_data; content:"GOOGLE.com?</title>"; fast_pattern:only; content:"view shared document"; content:"ValidateFormYahoo"; distance:0; content:"ValidateFormGmail"; distance:0; content:"ValidateFormHotmail"; distance:0; content:"ValidateFormAol"; distance:0; content:"ValidateFormOther"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025682; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2015_07_24, updated_at 2018_07_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Google Drive Phishing Landing M1 July 24 2015"; flow:to_client,established; file_data; content:"<title>Document Shared</title>"; nocase; fast_pattern:10,20; content:"name=|22|GENERATOR|22 22|>"; nocase; distance:0; content:"name=|22|HOSTING|22 22|>"; nocase; distance:0; content:"Login with your email"; nocase; distance:0; content:"Choose your email provider"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021535; rev:2; metadata:created_at 2015_07_27, updated_at 2017_10_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Google Drive Phishing Landing M2 July 24 2015"; flow:to_client,established; file_data; content:"invoicetoptables"; nocase; fast_pattern; content:"invoicecontent"; nocase; distance:0; content:"displayTextgmail"; nocase; distance:0; content:"displayTexthotmail"; nocase; distance:0; content:"displayTextaol"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021536; rev:2; metadata:created_at 2015_07_27, updated_at 2017_10_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Generic Phishing Landing Jul 28 2015"; flow:established,to_client; file_data; content:"function ValidateFormOther()"; fast_pattern:8,20; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021537; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2015_07_27, updated_at 2017_08_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Generic Phishing Landing Jul 28 2015"; flow:established,to_client; file_data; content:"function ValidateFormHotmail()"; fast_pattern:10,20; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021538; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2015_07_27, updated_at 2017_08_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Generic Phishing Landing Jul 28 2015"; flow:established,to_client; file_data; content:"function ValidateFormGmail()"; fast_pattern:8,20; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021539; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2015_07_27, updated_at 2017_08_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Generic Phishing Landing Jul 28 2015"; flow:established,to_client; file_data; content:"function ValidateFormYahoo()"; fast_pattern:8,20; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021540; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2015_07_27, updated_at 2017_08_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS ScanBox Jun 06 2015 M1 T1"; flow:established,from_server; file_data; content:"_=window|3b|"; nocase; fast_pattern:only; content:"var "; nocase; pcre:"/^\s*?[$_]+w[$_]+i[$_]+=window\x3b/Rsi"; content:"function "; pcre:"/^\s*?[_$]+\x28\x29/Rsi"; classtype:trojan-activity; sid:2021542; rev:1; metadata:created_at 2015_07_28, updated_at 2015_07_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS ScanBox Jun 06 2015 M2 T1"; flow:established,from_server; file_data; content:"$=window|3b|"; nocase; fast_pattern:only; content:"var "; nocase; pcre:"/^\s*?[$_]+w[$_]+i[$_]+=window\x3b/Rsi"; content:"function "; pcre:"/^\s*?[_$]+\x28\x29/Rsi"; classtype:trojan-activity; sid:2021543; rev:1; metadata:created_at 2015_07_28, updated_at 2015_07_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS ScanBox Jun 06 2015 M3 T1"; flow:established,from_server; file_data; content:"|5b 28 28 32 38 29 2e 74 6f 53 74 72 69 6e 67 28 33 36 29  29 2e 74 6f 55 70 70 65 72 43 61 73 65 28 29 2b 28 34 39 39 39 32 37 34 38 29 2e 74  6f 53 74 72 69 6e 67 28 33 36 29 5d 3b|"; fast_pattern:25,20; classtype:trojan-activity; sid:2021544; rev:1; metadata:created_at 2015_07_28, updated_at 2015_07_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Malicious Redirect 8x8 script tag URI struct"; flow:established,to_server; content:".php?id="; http_uri; fast_pattern:only; pcre:"/\/(?=[a-zA-Z\d]{0,6}[a-z][A-Z])[A-Za-z\d]{8}\.php\?id=\d{6,9}$/U"; classtype:trojan-activity; sid:2021552; rev:1; metadata:created_at 2015_07_30, updated_at 2015_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 29"; flow:to_server,established; urilen:214; content:"Lzc1MTZmZDQzYWRhYTVl"; http_uri; fast_pattern; content:"=="; distance:54; http_uri; pcre:"/Host\x3a\x20a[a-z]{10}\.[a-z]{5}\./H"; classtype:trojan-activity; sid:2021559; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2015_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert (non-ASCII) Jul 21 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/Rs"; content:!"|06 03 55 04 0b|"; distance:0; content:"|06 03 55 04 07 0c|"; within:10; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])/Rs"; content:"|06 03 55 04 0a 0c|"; distance:0; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])/Rs"; content:"|06 03 55 04 03 0c|"; distance:0; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])(?P<var>.{10,120}?[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021586; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_03, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HT SWF Exploit RIP"; flow:established,from_server; file_data; content:"<!-- saved from url=(0014)about|3a|internet -->"; content:"getEnvInfo"; content:"getPlatform"; content:"<embed"; pcre:"/^(?=[^>]*?\ssrc\s*?=\s*?[\x22\x27][^\x22\x27]*?\.swf[\x22\x27])(?=[^>]*?\swidth\s*?=\s*?[\x22\x27]0[\x22\x27])[^>]*?\sheight\s*?=\s*?[\x22\x27]0[\x22\x27]/Ri"; classtype:trojan-activity; sid:2021595; rev:1; metadata:created_at 2015_08_04, updated_at 2015_08_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Potential W32/Dridex Alphanumeric Download Pattern"; flow:established,to_server; urilen:9<>47; content:"GET"; http_method; content:".exe"; http_uri; offset:6; fast_pattern; content:!"Referer|3A|"; http_header; content:"Accept|3a|"; http_header; pcre:"/^\/(?=[a-z\d]{0,18}(?:[a-z]\d|\d[a-z]|~[a-z])[a-z\d]{0,18}(?:\/[a-z\d]{0,18}(?:[a-z]\d|\d[a-z])[a-z\d]{0,18}){1,2}\.exe$)(?=[a-f\d\x2f\x7e]{0,40}[g-z])[a-z0-9~]{2,20}(?:\/[a-z0-9]{2,20}){1,2}\.exe$/U"; pcre:"/^User-Agent\x3a\x20[^\r\n]+?(?:MSIE|rv\x3a11\.0)/Hmi"; reference:md5,03c5bfb5c0c7a936ad62ebe03019edd0; classtype:trojan-activity; sid:2021607; rev:5; metadata:created_at 2015_08_10, updated_at 2015_08_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Credential Phishing Landing Aug 11 2015"; flow:to_client,established; file_data; content:"<title>Email Service Provider</title>"; nocase; fast_pattern:17,20; content:"<title>Signin</title>"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025665; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2015_08_11, updated_at 2018_07_12;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Dridex Downloader SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 92 14 63 ad 72 a8 8a 36|"; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0d|Casino Royale"; distance:1; within:14; classtype:trojan-activity; sid:2021615; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_12, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Nuclear EK Exploit URI Struct Aug 12"; flow:to_server,established; urilen:>100; content:!"|20|"; http_uri; content:!"+"; http_uri; content:!"_"; http_uri; content:!"-"; http_uri; content:"search?q="; http_header; fast_pattern:only; pcre:"/\/(?:[^?]+\?)(?=[A-Z&=\d]*?[a-z])(?=[a-zA-Z\d&=]*?[A-Za-z=&]\d[A-Za-z])(?=[a-zA-Z\d&=]*?[a-z\d][A-Z][A-Za-z\d])[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+[&=A-Za-z0-9]*?$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?!www\.)(?P<refhost>[^\x3a\x2f\r\n]+)[^\r\n]*?\/search\?q=(?=[A-Z&=\d]*?[a-z])(?=[a-zA-Z\d&=]*?[A-Za-z=&]\d[A-Za-z])(?=[a-zA-Z\d&=]*?[a-z\d][A-Z][A-Za-z\d])[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+[&=A-Za-z0-9]*?\r\n.*?Host\x3a\x20(?P=refhost)/Hsi"; pcre:!"/^Host\x3a\x20(?:[^\r\n]+\.)?(?:ya(?:ndex|hoo)|google|bing)\.(?:com?)?(?:\.[a-z]{2})?(:?\x3a\d{1,5})?\r$/Hmi"; content:!"Cookie|3a 20|"; flowbits:set,NuclearEK; classtype:trojan-activity; sid:2021620; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2015_08_12, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Secondary Landing Aug 17 2015"; flow:established,from_server; content:"fromCharCode"; nocase; content:"charCodeAt"; nocase; content:"fontFamily"; nocase; content:"style"; nocase; content:"language"; nocase; pcre:"/^\s*?=\s*?[\x22\x27]vb[\x22\x27]/Rsi"; content:"^"; pcre:"/^\s*?\w+\s*?\.\s*?charCodeAt/Rsi"; content:"decodeURIComponent"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2021637; rev:1; metadata:created_at 2015_08_17, updated_at 2015_08_17;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Landing Aug 17 2015"; flow:established,from_server; content:"ScriptEngineMajorVersion"; nocase; content:"ScriptEngineMinorVersion"; nocase; content:"ScriptEngineBuildVersion"; nocase; fast_pattern; content:"d27cdb6e-ae6d-11cf-96b8-444553540000"; nocase; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021638; rev:1; metadata:created_at 2015_08_17, updated_at 2018_04_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Secondary Landing URI Struct Aug 17 2015"; flow:established,to_server; content:"GET /"; depth:5; content:".html&"; distance:0; fast_pattern; content:"/"; distance:-47; content:"HTTP/1."; distance:0; pcre:"/^GET (?:\/[^\x2f]+){0,3}?\/\d\/?[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\.html&[a-z]+=[^&]+&[a-z]+=\d{3}\.\d{3}\.\d{3,}(?:\.\d{3,})? HTTP\/1\./"; classtype:trojan-activity; sid:2021639; rev:1; metadata:created_at 2015_08_17, updated_at 2015_08_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Exploit URI Struct Aug 17 2015"; flow:established,to_server; content:"GET /"; depth:5; content:"HTTP/1."; content:"|0d 0a|"; distance:1; within:2; content:"Referer|3a|"; distance:0; content:"|3a|443/"; distance:0; fast_pattern; pcre:"/^GET (?:\/[^\x2f]+){0,3}?\/\d\/?[A-Z]+\/[a-f0-9]{40}\/ HTTP\/1\./"; flowbits:set,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021640; rev:1; metadata:created_at 2015_08_17, updated_at 2015_08_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Tsunami DDoS Attack Participation (s-p-o-o-f-e-d.h-o-s-t.name)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|s-p-o-o-f-e-d|07|h-o-s-t|04|name"; fast_pattern; nocase; distance:0; threshold:type limit,track by_src,count 3,seconds 60; reference:md5,c01991d55133d0057c9b721bb141a5d9; classtype:trojan-activity; sid:2021691; rev:1; metadata:created_at 2015_08_19, updated_at 2015_08_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish - Credit Card"; flow:established,to_server; content:"POST"; http_method; content:"ccnum"; http_client_body; fast_pattern; content:"&exp"; distance:0; http_client_body; content:"&cvv"; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021692; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2015_08_19, updated_at 2017_07_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish - Three Security Questions"; flow:established,to_server; content:"POST"; http_method; content:"q1="; http_client_body; content:"&answer1="; distance:0; http_client_body; fast_pattern; content:"&q2="; http_client_body; distance:0; content:"&answer2="; distance:0; http_client_body; content:"&q3="; distance:0; http_client_body; content:"&answer3="; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021693; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2015_08_19, updated_at 2017_07_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Bank of America Phishing Landing Aug 19 2015"; flow:to_client,established; file_data; content:"boaVIPAAuseGzippedBundles"; fast_pattern:5,20; content:"boaVIPAAjawrEnabled"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025666; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2015_08_19, updated_at 2018_07_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible TDS Redirecting to EK Aug 19 2015"; flow:established,from_server; file_data; content:"|27|ad|27|+|27|dEv|27|+|27|entListe|27|+|27|ner|27|"; content:"|27|att|27|+|27|achEve|27|+|27|nt|27|"; content:"|27|DOMCo|27|+|27|ntentL|27|+|27|oad|27|+|27|ed|27|"; classtype:trojan-activity; sid:2021696; rev:1; metadata:created_at 2015_08_19, updated_at 2015_08_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Magnitude EK Landing URI Struct Aug 21 2015"; flow:established,to_server; urilen:33<>67; content:"/?"; http_uri; depth:2; content:".pw|0d 0a|"; http_header; fast_pattern:only; pcre:"/^\/\?[a-f0-9]{32,64}$/U"; classtype:trojan-activity; sid:2021698; rev:1; metadata:created_at 2015_08_21, updated_at 2015_08_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK Landing Aug 21 2015"; flow:established,from_server; file_data; content:"/x-silverlight-2"; nocase; fast_pattern:only; content:"value"; pcre:"/^\s*?=\s*?[\x22\x27][a-z]+\.xap[\x22\x27]/Rs"; content:"/x-shockwave-flash"; nocase; content:!".swf"; nocase; content:"<div"; pcre:"/^[^>]*?id\s*?=[\x22\x27][a-z0-9]+[\x22\x27][^>]*?>\s*?[\x2a\d]{100}/R"; classtype:trojan-activity; sid:2021699; rev:1; metadata:created_at 2015_08_21, updated_at 2015_08_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude/Hunter EK IE Exploit Aug 23 2015"; flow:from_server,established; file_data; content:"|22 3a 22 4d 4f 56 20 5b 45 43 58 2b 30 43 5d 2c 45 41 58 22|"; fast_pattern; content:"|22 3a 22 76 69 72 74 75 61 6c 70 72 6f 74 65 63 74 22|"; classtype:trojan-activity; sid:2021707; rev:2; metadata:created_at 2015_08_24, updated_at 2015_08_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Nuclear EK IE Exploit Aug 23 2015"; flow:to_server,established; urilen:>50; content:"POST"; http_method; content:"application/json"; http_header; content:"|22 67 22 3a 22|"; http_client_body; fast_pattern; content:"|22 70 22 3a 22|"; http_client_body; content:"|22 41 22 3a 22|"; http_client_body; pcre:"/\?(?=[a-z\d\x3d&\x2e]*?[A-Z])(?=[A-Z\d=&\x2e]*?[a-z])(?=[A-Za-z=&\x2e]*?\d)[A-Za-z\d=&\x2e]{50,}$/U"; classtype:trojan-activity; sid:2021708; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2015_08_24, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HT SWF Exploit RIP M2"; flow:established,from_server; file_data; content:"<!-- saved from url=(0014)about|3a|internet -->"; content:"return navigator.appName"; content:"return navigator.platform|3b|"; content:"clsid|3a|D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; classtype:trojan-activity; sid:2021710; rev:1; metadata:created_at 2015_08_24, updated_at 2015_08_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cryptowall docs campaign Aug 2015 encrypted binary (1)"; flow:established,to_client; file_data; content:"|65 5d d1 c6 b0 88 68 62|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2021725; rev:1; metadata:created_at 2015_08_27, updated_at 2015_08_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS PawnStorm Java Class Stage 1 M1 Aug 28 2015"; flow:established,from_server; file_data; content:"|01 00 08 47 4f 47 4f 47 4f 47 4f|"; content:"|01 00 0c 6a 61 76 61 2f 6e 65 74 2f 55 52 4c|"; content:"|01 00 0f 53 74 61 72 74 69 6e 67 20 41 70 70 6c 65 74|"; classtype:trojan-activity; sid:2021726; rev:1; metadata:created_at 2015_08_28, updated_at 2015_08_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS PawnStorm Java Class Stage 2 M1 Aug 28 2015"; flow:established,from_server; file_data; content:"|01 00 0e 4c 50 68 61 6e 74 6f 6d 53 75 70 65 72 3b|"; fast_pattern; content:"|01 00 32 4c 6a 61 76 61 2f 75 74 69 6c 2f 63 6f 6e 63 75 72 72 65 6e 74 2f 61 74 6f 6d 69 63 2f 41 74 6f 6d 69 63 52 65 66 65 72 65 6e 63 65 41 72 72 61 79 3b|"; classtype:trojan-activity; sid:2021727; rev:1; metadata:created_at 2015_08_28, updated_at 2015_08_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS PawnStorm Java Class Stage 2 M2 Aug 28 2015"; flow:established,from_server; file_data; content:"|01 00 0a 63 6f 72 6d 61 63 2e 6d 63 72|"; classtype:trojan-activity; sid:2021728; rev:1; metadata:created_at 2015_08_28, updated_at 2015_08_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS PawnStorm Sednit DL Aug 28 2015"; flow:established,to_server; content:"/cormac.mcr"; http_uri; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2021729; rev:1; metadata:created_at 2015_08_28, updated_at 2015_08_28;)

alert tcp $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Aug 31 2015"; flow:established,from_server; content:".com"; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:"|55 04 08|"; distance:0; pcre:"/^.{2}(?P<state>[A-Z][a-z]+).*?\x55\x04\x07.{2}(?P=state)\x0a/Rsi"; content:"|55 04 0a|"; distance:0; content:"|55 04 03|"; byte_extract:1,1,cnlength,relative; content:!"|2e|"; within:cnlength; content:"|55 04 0b|"; distance:0; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; fast_pattern; pcre:"/^.{2}[a-z]+@[a-z]+\.com[01]/R"; reference:md5,26e83fa8b2f3eccfe975cd451933ae63; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021735; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_31, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Aug 31 2015"; flow:established,from_server; content:".com"; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|55 04 08|"; distance:0; byte_test:1,>,9,1,relative; byte_test:1,<,121,1,relative; pcre:"/^.{2}[A-Z]{10,120}/R"; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|55 04 03|"; byte_extract:1,1,cnlength,relative; content:!"|2e|"; within:cnlength; content:"|55 04 0b|"; distance:0; content:"|2a 86 48 86 f7 0d 01 09 01|"; fast_pattern; distance:0; pcre:"/^.{2}[a-z]+@[a-z]+\.com[01]/R"; reference:md5,26e83fa8b2f3eccfe975cd451933ae63; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021736; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_31, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Aug 31 2015 T2 (BizCN)"; flow:from_server,established; file_data; content:"|3d 27 44 4f 4d 43 6f 27 2b 27 6e 74 65 6e 74 4c 27 2b 27 6f 61 64 27 2b 27 65 64 27 3b 66 6b 3d 77 69 6e 64 6f 77 3b|"; classtype:trojan-activity; sid:2021740; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2015_08_31, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 2 2015"; flow:established,from_server; content:".com"; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|55 04 03|"; byte_test:1,>,0x40,2,relative; byte_test:1,<,0x5B,2,relative; content:"|55 04 0b|"; distance:0; content:"|2a 86 48 86 f7 0d 01 09 01|"; fast_pattern; distance:0; pcre:"/^.{2}[a-z]+@[a-z]+\.com[01]/R"; content:"|55 04 0a|"; pcre:"/^.(?P<orgname>.[^01]+).*?\x55\x04\x0b.(?P=orgname)/Rsi"; content:!"Beam Propulsion"; reference:md5,52faadf69c492e5bea1b3ad77fd7e8b1; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021743; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK September 04 2015"; flow:established,from_server; content:"Set-Cookie|3a 20|_PHP_SESSION_PHP="; fast_pattern:9,20; pcre:"/^\d+\x3b/R"; reference:url,blog.sucuri.net/2015/12/evolution-of-pseudo-darkleech.html; classtype:trojan-activity; sid:2021746; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2015_09_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre/Dyre/Kegotip SSL Cert Sept 8 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|0b 30 09 06 03 55 04 06 13 02 55 53|"; distance:0; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; byte_extract:1,1,olength,relative; content:!"|2e|"; within:olength; content:!"|20|"; within:olength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; byte_test:1,>,0x40,2,relative; byte_test:1,<,0x5B,2,relative; content:"|55 04 0b|"; distance:0; byte_extract:1,1,oulength,relative; content:!"|2e|"; within:oulength; content:!"|20|"; within:oulength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:!"support@"; distance:0; pcre:"/^.{2}[A-Za-z][a-z]*?@[a-z]+\.com0/R"; content:".com0"; fast_pattern:only; reference:md5,52faadf69c492e5bea1b3ad77fd7e8b1; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021749; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2015_09_08, malware_family Upatre, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Google Drive Phishing Landing Sept 3"; flow:established,from_server; file_data; content:"<title>Google Drive</title>"; fast_pattern:7,20; content:"For security reasons"; distance:0; content:"access shared files and folders"; distance:0; content:"select your email provider below"; distance:0; content:"-- Select your email provider --"; distance:0; content:"G Mail"; distance:0; content:"Others"; distance:0; content:"Email:"; distance:0; content:"Password:"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025004; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2015_09_09, updated_at 2017_11_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS possible Sofacy encrypted binary (1)"; flow:established,to_client; file_data; content:"|57 46 e8 67 27 3d 66 1a|"; within:8; flowbits:set,et.exploitkitlanding; reference:url,labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/; reference:url,www.isightpartners.com/2015/07/microsoft-office-zero-day-cve-2015-2424-leveraged-by-tsar-team/; classtype:trojan-activity; sid:2021755; rev:1; metadata:created_at 2015_09_09, updated_at 2015_09_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Successful Phish - Generic Status Messages Sept 11 2015"; flow:established,to_client; file_data; content:"|22|ajax_timeout|22 20 3A 20 22|"; content:"Authenticating|20 E2 80 A6 22 2C|"; fast_pattern; distance:0; content:"|22|expired_session|22 20 3A 20 22|Your"; distance:0; content:"|22|prevented_xfer|22 20 3A 20 22|The session"; distance:0; content:"successful. Redirecting|20 E2 80 A6 22 2C|"; distance:0; content:"|22|token_incorrect|22 20 3A 20 22|The security"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021761; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2015_09_11, updated_at 2017_08_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Spartan EK Secondary Flash Exploit DL"; flow:established,from_server; content:"|43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 69 6e 6c 69 6e 65 3b 20 66 69 6c 65 6e 61 6d 65 3d 0d 0a|"; fast_pattern:18,20; http_header; file_data; content:"|3c 74 6f 70 70 69 6e 67 73 3e|"; reference:url,www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=854; classtype:trojan-activity; sid:2021762; rev:1; metadata:created_at 2015_09_12, updated_at 2015_09_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Grey Advertising Often Leading to EK"; flow:established,from_server; file_data; content:"|69 66 20 28 62 65 66 6f 72 65 53 63 72 69 70 74 53 72 63 20 26 26 20 74 79 70 65 6f 66 20 62 65 66 6f 72 65 53 63 72 69 70 74 53 72 63 20 3d 3d 3d 20 27 73 74 72 69 6e 67 27 29|"; content:"|66 75 6e 63 74 69 6f 6e 20 28 73 72 63 2c 20 61 73 79 6e 63 2c 20 62 65 66 6f 72 65 53 63 72 69 70 74 53 72 63 2c 20 63 61 6c 6c 62 61 63 6b 29|"; reference:url,www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=854; classtype:trojan-activity; sid:2021763; rev:2; metadata:created_at 2015_09_12, updated_at 2016_08_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Spartan EK Secondary Flash Exploit DL M2"; flow:established,to_server; urilen:>13; content:"GET /"; byte_test:1,>,64,0,relative; byte_test:1,<,91,0,relative; content:".xml"; http_uri; offset:11; pcre:"/^\/[A-Z](?=[a-z0-9]*?[A-Z][a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z][A-Z0-9]*?[a-z])[A-Za-z0-9]{9,}\.xml$/U"; content:"x-flash-version|3a|"; http_header; fast_pattern:only; content:".swf"; http_header; nocase; pcre:"/Referer\x3a\x20[^\r\n]*?\/[a-f0-9]{32,64}\.swf/H"; classtype:trojan-activity; sid:2021764; rev:1; metadata:created_at 2015_09_14, updated_at 2015_09_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Spartan/Nuclear EK Payload"; flow:established,from_server; content:"nginx"; http_header; content:"X-Powered-By|3a|"; http_header; content:"application/octet-stream"; http_header; content:"Content-Disposition|3a 20|inline|3b 20|filename=|0d 0a|"; http_header; fast_pattern:20,20; classtype:trojan-activity; sid:2021765; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2015_09_14, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre/Dyre/Kegotip SSL Cert Sept 14 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 03|"; pcre:"/^.{2}[A-Z]?[a-z]+ [A-Z]?[a-z]+/Rs"; content:"|55 04 0b|"; distance:0; byte_extract:1,1,oulength,relative; content:!"|2e|"; within:oulength; content:!"|20|"; within:oulength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; pcre:"/^.{2}[A-Z]?[a-z]+\.[A-Z]?[a-z]+@gmail\.com[01]/Rs"; content:"@gmail.com"; fast_pattern:only; reference:md5,f22cad1a3985a5183a76324b448e06f2; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021773; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2015_09_14, malware_family Upatre, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DHL Phish Landing Sept 14 2015"; flow:established,to_client; file_data; content:"<TITLE>DHL |7c| Tracking</TITLE>"; nocase; fast_pattern:9,20; content:"<title>TRADE FILE</title>"; nocase; distance:0; content:"Sign In With Your Correct Email"; nocase; distance:0;  metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025690; rev:3; metadata:created_at 2015_09_15, updated_at 2018_07_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cryptowall docs campaign Sept 2015 encrypted binary (1)"; flow:established,to_client; file_data; content:"|23 31 f9 4f 62 57 73 67|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2021778; rev:1; metadata:created_at 2015_09_15, updated_at 2015_09_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Malicious Second Stage Download URI Struct Sept 15 2015"; flow:established,to_server; urilen:>46; content:".php?rnd="; http_uri; fast_pattern:only; content:"&id="; http_uri; pcre:"/\.php\?rnd=\d+&id=[0-9A-F]{32,}$/U"; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2021786; rev:1; metadata:created_at 2015_09_16, updated_at 2015_09_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Malicious Second Stage Download URI Struct Sept 15 2015"; flow:established,to_server; urilen:>46; content:".php?id="; http_uri; fast_pattern:only; content:"&rnd="; http_uri; pcre:"/\.php\?id=[0-9A-F]{32,}&rnd=\d+$/U"; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2021787; rev:1; metadata:created_at 2015_09_16, updated_at 2015_09_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Sept 21 2015"; flow:established,to_client; file_data; content:"malware error 895-system 32.exe"; nocase; fast_pattern; content:"RESOLVE THE ISSUE ON TOLL FREE - 1-855-"; nocase; content:"DO NOT SHUT DOWN OR RESTART"; nocase; classtype:trojan-activity; sid:2021811; rev:1; metadata:created_at 2015_09_22, updated_at 2015_09_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sept 25 2015"; flow:to_client,established; content:"<div style="; pcre:"/^(?:(?!<\/div).)+?top\x3a\s*?\x2d[0-9]+px\x3b.+left\x3a\s*?\x2d[0-9]+px\x3b.+<iframe\x20.+?stack=\d+/Rsi"; content:"absolute|3b|"; content:"<iframe src="; distance:0; content:" stack="; fast_pattern:only; classtype:trojan-activity; sid:2021841; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2015_09_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil JavaScript Injection Sep 29 2015"; flow:established,to_client; file_data; content:"|76 61 72 20 61 3d 22 27 31 41 71 61 70 6b 72 76 27|"; content:"|27 30 30 27 30 32 29 27 30 32 27 30 30|"; fast_pattern; distance:0; reference:url,research.zscaler.com/2015/09/compromised-wordpress-campaign-spyware.html; classtype:trojan-activity; sid:2021846; rev:1; metadata:created_at 2015_09_29, updated_at 2015_09_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Sep 29 2015"; flow:established,to_server; content:"GET"; http_method; content:"/snitch?default|5f|keyword="; depth:24; http_uri; fast_pattern; content:"&referrer="; http_uri; distance:0; content:"&se_referrer="; http_uri; distance:0; content:"&source="; http_uri; distance:0; reference:url,research.zscaler.com/2015/09/compromised-wordpress-campaign-spyware.html; classtype:trojan-activity; sid:2021847; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2015_09_29, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector from iframe Sep 29 2015"; flow:established,to_server; content:"GET"; http_method; content:"/in/?|5f|BC="; depth:9; http_uri; fast_pattern; pcre:"/^\/in\/\?_BC=\d+,\d+,\d+,[0-9,-]+,$/U"; content:"Referer|3a|"; http_header; content:"/snitch?default|5f|keyword="; distance:0; http_header; reference:url,research.zscaler.com/2015/09/compromised-wordpress-campaign-spyware.html; classtype:trojan-activity; sid:2021848; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2015_09_29, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading To EK Sep 30 2015"; flow:to_server,established; urilen:5; content:"/052F"; http_uri; classtype:trojan-activity; sid:2021870; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2015_09_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Phish Outlook Credentials Oct 01 2015"; flow:established,to_server; content:"POST"; http_method; content:"outlookuser="; depth:12; nocase; fast_pattern; http_client_body; content:"outlookpassword="; nocase; http_client_body; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021890; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2015_10_01, updated_at 2017_10_06;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Phish Yahoo Credentials Oct 1"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"yahoopassword="; depth:14; nocase; fast_pattern; http_client_body; content:"&Button"; nocase; http_client_body; distance:0; pcre:"/\.php$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021892; rev:2; metadata:created_at 2015_10_01, updated_at 2017_10_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Potential Data URI Phishing Oct 02 2015"; flow:established,to_client; file_data; content:"<script type=|22|text/javascript|22|>"; nocase; content:"window.location="; nocase; within:17; content:"PCFET0NUWVBFIGh0bWw+DQo"; fast_pattern; distance:0; metadata: former_category CURRENT_EVENTS; reference:url,blog.malwarebytes.org/online-security/2015/10/this-pdf-version-is-not-supported-data-uri-phish; classtype:bad-unknown; sid:2021893; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2015_10_02, updated_at 2017_10_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Landing M5 1 Oct 05 2015"; flow:established,from_server; file_data; content:"str2long"; fast_pattern:only; content:"long2str"; content:"0xffffffff"; pcre:"/^(?P<sep>[^\s\x3b\x22\x27])(?=.+?(?P=sep)str2long(?P=sep)).+?(?P=sep)long2str(?P=sep)/Rs"; classtype:trojan-activity; sid:2021905; rev:1; metadata:created_at 2015_10_06, updated_at 2015_10_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Landing M5 2 Oct 05 2015"; flow:established,from_server; file_data; content:"str2long"; fast_pattern:only; content:"0xffffffff"; content:"long2str"; pcre:"/^(?P<sep>[^\s\x3b\x22\x27])(?=.+?(?P=sep)0xffffffff(?P=sep)).+?(?P=sep)str2long(?P=sep)/Rs"; classtype:trojan-activity; sid:2021906; rev:1; metadata:created_at 2015_10_06, updated_at 2015_10_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Landing M5 3 Oct 05 2015"; flow:established,from_server; file_data; content:"long2str"; fast_pattern:only; content:"0xffffffff"; content:"str2long"; pcre:"/^(?P<sep>[^\s\x3b\x22\x27])(?=.+?(?P=sep)0xffffffff(?P=sep)).+?(?P=sep)long2str(?P=sep)/Rs"; classtype:trojan-activity; sid:2021907; rev:1; metadata:created_at 2015_10_06, updated_at 2015_10_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Landing Page Oct 05 2015"; flow:established,from_server; file_data; content:"function ckl"; content:"VIP*/"; nocase; classtype:trojan-activity; sid:2021908; rev:2; metadata:created_at 2015_10_06, updated_at 2015_10_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK Landing Oct 08 2015"; flow:established,from_server; file_data; content:"/x-silverlight-2"; nocase; fast_pattern:only; content:"value"; pcre:"/^\s*?=\s*?[\x22\x27][a-z\d]+\.xap[\x22\x27]/Rs"; content:"/x-shockwave-flash"; nocase; content:!".swf"; nocase; content:"<param"; nocase; pcre:"/^(?=[^>]*?\sname\s*?\x3d\s*?[\x22\x27]?movie[\x22\x27]?)[^>]*?\svalue\s*?\x3d\s*?[\x22\x27][^\x22\x27]+\/(?:\??[a-f0-9]+)?[\x22\x27]/Ri"; classtype:trojan-activity; sid:2021939; rev:5; metadata:created_at 2015_10_09, updated_at 2015_10_09;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Netgear Multiple Router Auth Bypass"; flow:to_server,established; content:"/BRS_netgear_success.html"; depth:25; nocase; http_uri; fast_pattern:5,20; reference:url,www.shellshocklabs.com/2015/09/part-1en-hacking-netgear-jwnr2010v5.html; classtype:attempted-admin; sid:2021944; rev:1; metadata:created_at 2015_10_12, updated_at 2015_10_12;)

alert tcp $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre/Dyre/Kegotip SSL Cert Oct 12 2015"; flow:established,from_server; content:".com"; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|0b 30 09 06 03 55 04 06 13 02 43 41 31|"; distance:0; fast_pattern; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; byte_extract:1,1,olength,relative; content:!"|2e|"; within:olength; content:!"|20|"; within:olength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; byte_test:1,>,0x40,2,relative; byte_test:1,<,0x5B,2,relative; content:"|55 04 0b|"; distance:0; byte_extract:1,1,oulength,relative; content:!"|2e|"; within:oulength; content:!"|20|"; within:oulength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:!"support@"; distance:0; pcre:"/^.{2}[A-Za-z][a-z]*?@[a-z]+\.com[01]/R"; reference:md5,52faadf69c492e5bea1b3ad77fd7e8b1; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021948; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2015_10_13, malware_family Upatre, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Magento Directory Traversal Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/magmi-importer/web/"; fast_pattern; http_uri; content:"download_file.php?file="; http_uri; distance:0; content:"|2e 2e 2f|"; http_raw_uri; content:!"Referer|3a|"; http_header; reference:url,threatpost.com/zero-day-in-magento-plugin-magmi-under-attack/115026/; classtype:trojan-activity; sid:2021951; rev:1; metadata:created_at 2015_10_15, updated_at 2015_10_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Oct 19 M1"; flow:established,to_server; content:"GET"; http_method; content:".html?a="; http_uri; fast_pattern; content:"&clickid=w"; distance:0; http_uri; pcre:"/&clickid=w[A-Z0-9]{23}$/U"; classtype:trojan-activity; sid:2021963; rev:1; metadata:created_at 2015_10_19, updated_at 2015_10_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Oct 19 M2"; flow:established,from_server; file_data; content:"<!-- saved from url="; content:"<title>WARNING-ERROR</title>"; fast_pattern:8,20; distance:0; classtype:trojan-activity; sid:2021964; rev:1; metadata:created_at 2015_10_19, updated_at 2015_10_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Oct 19 M3"; flow:established,from_server; file_data; content:".net frame work file missing"; fast_pattern:8,20; nocase; content:"Debug malware error"; nocase; distance:0; content:"Please do not open"; nocase; distance:0; content:"avoid data corruption"; nocase; distance:0; content:"PLEASE DO NOT SHUT DOWN"; nocase; distance:0; content:"RESTART YOUR COMPUTER"; nocase; distance:0; classtype:trojan-activity; sid:2021965; rev:1; metadata:created_at 2015_10_19, updated_at 2015_10_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Oct 19 M4"; flow:established,to_server; content:"GET"; http_method; content:"WINDOWS HEALTH IS CRITICAL"; http_uri; fast_pattern:6,20; classtype:trojan-activity; sid:2021966; rev:1; metadata:created_at 2015_10_19, updated_at 2015_10_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Redirector Oct 19 M1"; flow:established,to_server; content:"GET"; http_method; content:"/scan"; depth:5; fast_pattern; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/scan[A-Z][a-z]?\/?$/U"; classtype:trojan-activity; sid:2021967; rev:1; metadata:created_at 2015_10_19, updated_at 2015_10_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Redirector Oct 19 M2"; flow:established,to_server; content:"GET"; http_method; content:".dill/"; fast_pattern:only; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/[a-z]+\.dill\/$/U"; classtype:trojan-activity; sid:2021968; rev:1; metadata:created_at 2015_10_19, updated_at 2015_10_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Redirector Oct 19 M3"; flow:established,to_server; content:"GET"; http_method; content:"/eyJscCI6InRlc3Q"; depth:16; fast_pattern; http_uri; pcre:"/^\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\/$/U"; classtype:trojan-activity; sid:2021974; rev:1; metadata:created_at 2015_10_19, updated_at 2015_10_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Oct 19 M5"; flow:established,from_server; file_data; content:"<title>SECURITY WARNING</title>"; nocase; content:"dontdisplaycheckbox()"; distance:0; nocase; content:"gp-msg.mp3"; distance:0; nocase; fast_pattern; content:"Infection ID"; distance:0; nocase; classtype:trojan-activity; sid:2021975; rev:1; metadata:created_at 2015_10_19, updated_at 2015_10_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible click2play bypass Oct 19 2015 as observed in PawnStorm"; flow:established,from_server; file_data; content:"javax.naming.InitialContext"; fast_pattern:only; content:"progress-class"; nocase; pcre:"/^\s*?=\s*?[\x22\x27]javax.naming.InitialContext/Rsi"; content:"</jnlp>"; nocase; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/; classtype:trojan-activity; sid:2021985; rev:3; metadata:created_at 2015_10_21, updated_at 2015_10_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible click2play bypass Oct 19 2015 B64 1"; flow:established,from_server; file_data; content:"cHJvZ3Jlc3MtY2xhc3"; pcre:"/^[A-Za-z0-9+/]*?(?:amF2YXgubmFtaW5nLkluaXRpYWxDb250ZXh0|phdmF4Lm5hbWluZy5Jbml0aWFsQ29udGV4d|qYXZheC5uYW1pbmcuSW5pdGlhbENvbnRleH)/R"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/; classtype:trojan-activity; sid:2021986; rev:1; metadata:created_at 2015_10_21, updated_at 2015_10_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible click2play bypass Oct 19 2015 B64 2"; flow:established,from_server; file_data; content:"Byb2dyZXNzLWNsYXNz"; pcre:"/^[A-Za-z0-9+/]*?(?:amF2YXgubmFtaW5nLkluaXRpYWxDb250ZXh0|phdmF4Lm5hbWluZy5Jbml0aWFsQ29udGV4d|qYXZheC5uYW1pbmcuSW5pdGlhbENvbnRleH)/R"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/; classtype:trojan-activity; sid:2021987; rev:1; metadata:created_at 2015_10_21, updated_at 2015_10_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible click2play bypass Oct 19 2015 B64 3"; flow:established,from_server; file_data; content:"wcm9ncmVzcy1jbGFzc"; pcre:"/^[A-Za-z0-9+/]*?(?:amF2YXgubmFtaW5nLkluaXRpYWxDb250ZXh0|phdmF4Lm5hbWluZy5Jbml0aWFsQ29udGV4d|qYXZheC5uYW1pbmcuSW5pdGlhbENvbnRleH)/R"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/; classtype:trojan-activity; sid:2021988; rev:1; metadata:created_at 2015_10_21, updated_at 2015_10_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake Java Installer Landing Page Oct 21"; flow:established,to_server; content:"GET"; http_method; content:"/download.php?id="; http_uri; content:"&sid="; http_uri; distance:0; content:"&name=Java|20|Runtime|20|Environment|20|"; http_uri; distance:0; fast_pattern; pcre:"/^\/[0-9]+\/download\.php\?id=/U"; pcre:"/&name=[a-z0-9\x20]+$/Ui"; reference:url,heimdalsecurity.com/blog/security-alert-blackhat-seo-campaign-passes-around-malware-to-unsuspecting-users; classtype:trojan-activity; sid:2021991; rev:1; metadata:created_at 2015_10_21, updated_at 2015_10_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Chase Account Phish Landing Oct 22"; flow:established,from_server; file_data; content:"<title>Sign in</title>"; content:"name=chalbhai"; fast_pattern; nocase; distance:0; content:"required title=|22|Please Enter Right Value|22|"; nocase; distance:0; content:"required title=|22|Please Enter Right Value|22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025692; rev:1; metadata:created_at 2015_10_22, updated_at 2018_07_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS AES Crypto Observed in Javascript - Possible Phishing Landing"; flow:established,from_server; file_data; content:"hea2p"; distance:0; nocase; content:"0123456789ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz"; fast_pattern:40,20; distance:0; content:"hea2t"; distance:0; nocase; content:"Aes"; nocase; distance:0; pcre:"/^\s*?\.\s*?Ctr\s*?\.\s*?decrypt/Rsi"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025656; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2015_10_22, updated_at 2018_07_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Oct 26 2015"; flow:established,from_server; content:"|0d 0a|Set-Cookie|3a 20|qtaho="; classtype:trojan-activity; sid:2022001; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2015_10_26, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Malicious Redirect Leading to EK Oct 29"; flow:to_server,established; urilen:5; content:"/533L"; classtype:trojan-activity; sid:2022009; rev:2; metadata:created_at 2015_10_29, updated_at 2015_10_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Oct 29"; flow:established,to_client; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>WARNING! Windows Update Required"; nocase; fast_pattern; content:"Call US Toll Free|20 3a 20|1-877"; nocase; distance:0; content:"System connected with OVERSEAS IP Address"; nocase; distance:0; content:"YOUR COMPUTER HAS BEEN LOCKED!!"; nocase; distance:0; reference:url,threatglass.com/malicious_urls/funu-info; classtype:trojan-activity; sid:2022010; rev:1; metadata:created_at 2015_10_29, updated_at 2015_10_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Oct 30"; flow:established,from_server; file_data; content:"<title>*** Security Error Code"; fast_pattern:10,20; content:"Suspicious Connection Was Trying"; nocase; distance:0; content:"Your Accounts May be Suspended"; nocase; distance:0; classtype:trojan-activity; sid:2022011; rev:1; metadata:created_at 2015_10_30, updated_at 2015_10_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Audio Oct 30"; flow:established,from_server; file_data; content:"<audio"; content:"gp-msg.mp3"; distance:0; nocase; fast_pattern; content:"audio/mpeg"; distance:0; nocase; content:"</audio>"; distance:0; nocase; classtype:trojan-activity; sid:2022012; rev:1; metadata:created_at 2015_10_30, updated_at 2015_10_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Video Player Update Scam Oct 30"; flow:established,from_server; file_data; content:"<title>Please Update"; nocase; fast_pattern; content:"downloadUrl"; nocase; distance:0; content:"update your video player"; nocase; distance:0; content:"please send a message <a href=|22|#|22|>here</a>"; nocase; distance:0; classtype:trojan-activity; sid:2022013; rev:1; metadata:created_at 2015_10_30, updated_at 2015_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Paypal Account Phish Oct 30"; flow:to_server,established; content:"POST"; http_method; content:".php?Go=_"; http_uri; content:"1="; depth:2; http_client_body; content:"&2="; http_client_body; nocase; distance:0; content:"Log+In=Log+In"; http_client_body; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022017; rev:2; metadata:created_at 2015_11_02, updated_at 2015_11_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Paypal Account Phish Oct 30 2"; flow:to_server,established; content:"POST"; http_method; content:".php?Go=_"; http_uri; content:"name="; depth:5; http_client_body; content:"&adress1="; http_client_body; nocase; distance:0; content:"&phone="; http_client_body; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022018; rev:1; metadata:created_at 2015_11_02, updated_at 2015_11_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Paypal Account Phish Oct 30 3"; flow:to_server,established; content:"POST"; http_method; content:".php?Go=_"; http_uri; content:"chldr="; depth:7; http_client_body; content:"&ccnum="; http_client_body; nocase; distance:0; content:"&password="; http_client_body; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022019; rev:1; metadata:created_at 2015_11_02, updated_at 2015_11_02;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Jimdo.com Phishing PDF via HTTP"; flow:established,from_server; file_data; content:"/Subtype/Link/Rect"; content:"/BS<</W 0>>/F 4/A<</Type/Action/S/URI/URI (http|3a|//"; distance:0; content:".jimdo.com/)>"; distance:0; fast_pattern; content:"www.Neevia.com"; distance:0; content:"Neevia Document Converter"; distance:0; metadata: former_category CURRENT_EVENTS; reference:md5,70eaba2ab6410e3541a2e24a482ddddd; classtype:trojan-activity; sid:2022029; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2015_11_04, updated_at 2017_10_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Nov 4 M2"; flow:established,from_server; file_data; content:"<title>SYSTEM ERROR WARNING"; nocase; fast_pattern:7,20; content:"Window's Defender"; nocase; distance:0; content:"right-click has been disabled"; nocase; distance:0; classtype:trojan-activity; sid:2022030; rev:1; metadata:created_at 2015_11_04, updated_at 2015_11_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam JS Landing Nov 4"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|application/x-javascript"; http_header; content:"Content-Encoding|3a 20|gzip"; http_header; file_data; content:"tfnnumber"; content:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="; distance:0; content:"msgencoded"; content:"returnmsgencoded"; distance:0; content:"Base64"; pcre:"/^\s*?\.\s*?decode\s*?\(\s*?msgencoded\s*?\)\s*?\.\s*?replace/Rsi"; classtype:trojan-activity; sid:2022031; rev:2; metadata:created_at 2015_11_04, updated_at 2015_11_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam GET Nov 4"; flow:to_server,established; content:"GET"; http_method; content:".html?cid="; nocase; http_uri; fast_pattern; content:"&caid="; http_uri; nocase; distance:0; content:"&oid="; http_uri; nocase; distance:0; content:"&zid="; http_uri; nocase; distance:0; content:"&os="; http_uri; nocase; distance:0; content:"&browser="; http_uri; nocase; distance:0; content:"&isp="; http_uri; nocase; distance:0; content:!"www.google-analytics.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2022032; rev:2; metadata:created_at 2015_11_04, updated_at 2015_11_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Nov 4 M1"; flow:established,from_server; file_data; content:"<title>Microsoft Official Support</title>"; nocase; fast_pattern:21,20; content:"function myFunction()"; nocase; distance:0; content:"setInterval(function(){alert"; nocase; distance:0; classtype:trojan-activity; sid:2022033; rev:1; metadata:created_at 2015_11_04, updated_at 2015_11_04;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Google Drive (Remax) Phish Landing Nov 4"; flow:established,from_server; file_data; content:"#MyRemax_Password"; nocase; fast_pattern; content:"#MyRemax_Email"; nocase; distance:0; content:"<title>Meet Google Drive"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022035; rev:1; metadata:created_at 2015_11_04, updated_at 2017_08_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Google Drive (Remax) Phish Nov 4"; flow:to_server,established; content:"POST"; http_method; content:"Content-Type|3a 20|multipart/form-data|3b 20|boundary=---------"; http_header; content:"form-data|3b 20|name=|22|server|22|"; nocase; http_client_body; fast_pattern; content:"form-data|3b 20|name=|22|ipLists|22|"; nocase; http_client_body; distance:0; content:"form-data|3b 20|name=|22|ipEmpty|22|"; nocase; http_client_body; distance:0; content:"form-data|3b 20|name=|22|MyRemax_Email|22|"; nocase; http_client_body; distance:0; content:"form-data|3b 20|name=|22|MyRemax_Password|22|"; nocase; http_client_body; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022036; rev:1; metadata:created_at 2015_11_04, updated_at 2017_08_17;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible vBulletin object injection vulnerability Attempt"; flow:established,to_server; content:"/api/hook/decodeArguments"; nocase; http_uri; content:"arguments="; nocase; http_uri; content:"|7b|"; distance:0; http_uri; content:"|3a|"; distance:0; http_uri; content:"|3b|"; distance:0; http_uri; content:"free_result"; nocase; distance:0; http_uri; reference:url,blog.sucuri.net/2015/11/vbulletin-exploits-in-the-wild.html; classtype:attempted-admin; sid:2022039; rev:1; metadata:created_at 2015_11_05, updated_at 2015_11_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leadking to EK Nov 2015"; flow:to_server,established; content:".pw|0d 0a|"; nocase; http_header; fast_pattern:only; content:"/?id="; http_uri; nocase; content:"&keyword="; nocase; http_uri; pcre:"/^Host\x3a[^\r\n]*?\.pw\r$/Hmi"; classtype:trojan-activity; sid:2022040; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2015_11_05, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Google Drive Phishing Landing Nov 6 2015 M1"; flow:established,from_server; file_data; content:"<title>Google Docs</title>"; nocase; distance:0; fast_pattern:6,20; content:"input[type=email]"; nocase; distance:0; content:"input[type=number]"; nocase; distance:0; content:"input[type=password]"; nocase; distance:0; content:"input[type=tel]"; nocase; distance:0; content:"signin-card #Email"; nocase; distance:0; content:"signin-card #Pass"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025681; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2015_11_06, updated_at 2018_07_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Google Drive Phishing Landing Nov 6 2015 M2"; flow:established,from_server; file_data; content:"Welcome to Google Docs"; nocase; fast_pattern:2,20; content:"Upload and Share Your Documents Securely"; nocase; distance:0; content:"Enter your email"; nocase; distance:0; content:"Enter a valid email"; nocase; distance:0; content:"Enter your password"; nocase; distance:0; content:"Sign in to view attachment"; nocase; distance:0; content:"Access your documents securely"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025680; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2015_11_06, updated_at 2018_07_12;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1"; flow:established,to_client; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.XMLHTTP.ip.request; classtype:trojan-activity; sid:2022050; rev:3; metadata:created_at 2015_11_09, updated_at 2015_11_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.XMLHTTP.ip.request; classtype:trojan-activity; sid:2022051; rev:2; metadata:created_at 2015_11_09, updated_at 2015_11_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.XMLHTTP.no.exe.request; classtype:trojan-activity; sid:2022053; rev:2; metadata:created_at 2015_11_09, updated_at 2015_11_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK Nov 09 2015 M1"; flow:to_server,established; content:".php?sid="; http_uri; offset:4; depth:26; pcre:"/^\/[a-z]{3,20}\.php\?sid=[A-F0-9]{40,200}$/U"; content:!"|0d 0a|Cookie|3a|"; classtype:trojan-activity; sid:2022070; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2015_11_10, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK Nov 09 2015 M2"; flow:to_server,established; content:".php?id=4"; http_uri; offset:4; depth:25; pcre:"/^\/[a-z]{3,20}\.php\?id=4[A-F0-9]{39,200}$/U"; content:!"|0d 0a|Cookie|3a|"; content:!".hostingcatalog.com|0d 0a|"; http_header; nocase; classtype:trojan-activity; sid:2022071; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2015_11_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Nov 11"; flow:established,to_client; file_data; content:"onload=|22|myFunction|28 29 22|"; fast_pattern; content:"onclick=|22|myFunction|28 29 22|"; distance:0; content:"onkeydown=|22|myFunction|28 29 22|"; distance:0; content:"onunload=|22|myFunction|28 29 22|"; distance:0; classtype:trojan-activity; sid:2022079; rev:2; metadata:created_at 2015_11_12, updated_at 2015_11_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Mailbox Renewal Phish Landing Nov 13"; flow:established,from_server; file_data; content:"<title>Mailbox renewal"; fast_pattern; nocase; content:"autorised email address"; nocase; distance:0; content:"To complete this autorization"; nocase; distance:0; content:"Online MailBox Renewal"; nocase; distance:0; classtype:trojan-activity; sid:2022083; rev:1; metadata:created_at 2015_11_13, updated_at 2015_11_13;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Revalidation Phish Nov 13 M1"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"user="; depth:5; nocase; http_client_body; fast_pattern; content:"&email_address="; nocase; http_client_body; distance:0; content:"&pass"; nocase; http_client_body; distance:0; content:"&captcha="; nocase; http_client_body; distance:0; content:"&submitbutton="; nocase; http_client_body; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022084; rev:1; metadata:created_at 2015_11_13, updated_at 2017_10_06;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Revalidation Phish Nov 13 M2"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"<META HTTP-EQUIV=|22|REFRESH|22|"; nocase; content:"Revalidation</title>"; fast_pattern; nocase; distance:0; content:"Account Revalidated"; nocase; distance:0; content:"you have sucessfully revalidated"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022085; rev:1; metadata:created_at 2015_11_13, updated_at 2017_10_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Revalidation Phish Landing Nov 13 2015"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"Revalidation</title>"; fast_pattern; nocase; content:"function MM_findObj"; nocase; distance:0; content:"function MM_validateForm"; nocase; distance:0; content:"REVALIDATION"; nocase; distance:0; content:"password"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022086; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2015_11_13, updated_at 2017_10_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Nuclear EK Nov 13 2015 Landing URI struct"; flow:established,to_server; urilen:>25; content:"_id="; http_uri; fast_pattern:only; pcre:"/^\/(?:[a-z0-9]+\/)?[^\x2f]+\?[a-z]{1,40}_id=\d{2,5}(?:&[a-z]{1,40}_id=\d{2,5})?&[^&\x3d]+=(?=[a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z])[A-Za-z0-9]{15,}\x2e{0,2}?$/U"; pcre:"/^Host\x3a\x20[a-z0-9]+\.(?:g[aq]|cf|ml|tk|xyz|info|space)(?:\x3a\d{1,5})?\r$/Hm"; content:!"|0d 0a|Cookie|3a|"; flowbits:set,NuclearEK; classtype:trojan-activity; sid:2022090; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2015_11_13, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Nov 16"; flow:established,from_server; file_data; content:"Windows Browser"; fast_pattern; content:"getElementById"; nocase; distance:0; pcre:"/^\s*?\(\s*?[\x22\x27]country[\x22\x27]/Rsi"; content:"getElementById"; nocase; distance:0; pcre:"/^\s*?\(\s*?[\x22\x27]isp[\x22\x27]/Rsi"; content:"getElementById"; nocase; distance:0; pcre:"/^\s*?\(\s*?[\x22\x27]ip[\x22\x27]/Rsi"; content:"Hello China"; nocase; distance:0; classtype:trojan-activity; sid:2022092; rev:1; metadata:created_at 2015_11_16, updated_at 2015_11_16;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Jimdo Outlook Web App Phishing Landing Nov 16"; flow:established,from_server; file_data; content:"Outlook"; nocase; content:"jimdo.com"; nocase; distance:0; content:"Email"; nocase; distance:0; content:"Password"; nocase; distance:0; content:"Confirm Password"; fast_pattern; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022093; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2015_11_16, updated_at 2017_10_13;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Jimdo Outlook Web App Phishing Nov 16 2105"; flow:to_server,established; content:"POST"; http_method; content:"|2f 66 6f 72 6d 2f 73 75  62 6d 69 74 2f|"; http_uri; content:"|6a 69 6d 64 6f 2e 63 6f 6d 0d 0a|"; http_header; fast_pattern; content:"|6d 6f 64 75 6c 65 49 64 3d|"; nocase; http_client_body; depth:9; content:"|26 64 61 74 61 3b 3d|"; nocase; distance:0; http_client_body; content:"|45 6d 61 69 6c|"; nocase; distance:0; http_client_body; content:"|50 61 73 73 77 6f 72 64|"; nocase; distance:0; http_client_body; content:"|43 6f 6e 66 69 72 6d 2b  50 61 73 73 77 6f 72 64|"; nocase; distance:0; http_client_body; pcre:"/\/form\/submit\/$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022094; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2015_11_16, updated_at 2017_10_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Square Phish Nov 16 2015"; flow:to_server,established; content:"POST"; http_method; content:"cmd=_identifier_Demarrer_ID="; http_header; nocase; fast_pattern:8,20; content:"&submit.x="; nocase; http_client_body; content:"&submit.y="; nocase; http_client_body; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024547; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2015_11_16, updated_at 2017_08_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Nov 16"; flow:established,to_server; content:"GET"; http_method; content:".html?os="; http_uri; fast_pattern; content:"&clickid=w"; distance:0; http_uri; pcre:"/&clickid=w[A-Z0-9]{23}$/U"; classtype:trojan-activity; sid:2022103; rev:1; metadata:created_at 2015_11_16, updated_at 2015_11_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Nuclear EK Landing Nov 17 2015"; urilen:>51; flow:to_server,established; content:"_id="; http_uri; content:"_id="; distance:0; http_uri; pcre:"/^\/(?:[a-z0-9]+\/)?[^\x2f]+\?[a-z]{1,40}_id=\d{2,5}?&[a-z]{1,40}_id=\d{2,5}&[^&\x3d]+(?<!_id)=(?=[a-zA-Z0-9]+(?:[A-Z][a-z][A-Z]|\d[a-z][A-Z]|[A-Z]\d[A-Z]|[A-Z\d]{3}[a-z]))(?=[A-Fa-f0-9]*?[G-Zg-z])(?=[a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z])[A-Za-z0-9]{32}\x2e{0,2}$/U"; content:!"|0d 0a|Cookie|3a|"; flowbits:set,NuclearEK; classtype:trojan-activity; sid:2022112; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2015_11_17, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Nov 20"; flow:established,from_server; file_data; content:"<title>VIRUS WARNING"; fast_pattern; nocase; content:"onload=|22|myFunction()|22|"; nocase; content:"YOUR COMPUTER HAS BEEN BLOCKED"; nocase; content:"CALL IMMEDIATLY"; nocase; content:"|5c 6e 5c 6e 5c 6e 5c 6e 5c 6e 5c 6e 5c 6e 5c 6e 5c 6e|"; nocase; classtype:trojan-activity; sid:2022125; rev:1; metadata:created_at 2015_11_20, updated_at 2015_11_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Spartan/Nuclear EK Payload"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; depth:13; content:"Content-Type|3a 20|application/octet-stream"; http_header; content:"Accept-Ranges|3a 20|bytes|0d 0a|Content-Disposition|3a 20|inline|3b 20|filename=|0d 0a|"; http_header; fast_pattern:42,20; pcre:"/\x20filename=\r\n(?:\r\n)?$/H"; classtype:trojan-activity; sid:2022135; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2015_11_24, malware_family Nuclear, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Netsolhost SSL Proxying - Possible Phishing Nov 24 2015"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|secure|0a|netsolhost|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022136; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2015_11_24, updated_at 2017_10_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Generic Phishing Landing Uri Nov 25 2015"; flow:to_server,established; content:"GET"; http_method; content:".php?usernms="; http_uri; fast_pattern; pcre:"/\.php\?usernms=[^@]+@[^\r\n]+$/Ui"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022187; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2015_11_25, updated_at 2017_10_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excel/Adobe Online Phishing Landing Nov 25 2015"; flow:to_client,established; file_data; content:"<title>"; nocase; content:"Online - 09KSJDJR4843984NF98738UNFD843"; within:100; nocase; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025686; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2015_11_25, updated_at 2018_07_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Nuclear EK Landing Nov 27 2015"; flow:to_server,established; urilen:>55; content:"&cat_no="; http_uri; content:"&no="; http_uri; distance:0; pcre:"/&cat_no=\d{2,5}?&no=\d{2,5}&[^&\x3d]+(?<!_no)=(?=[a-zA-Z0-9]+(?:[A-Z][a-z][A-Z]|\d[a-z][A-Z]|[A-Z]\d[A-Z]|[A-Z\d]{3}[a-z]))(?=[A-Fa-f0-9]*?[G-Zg-z])(?=[a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z])[A-Za-z0-9]{32}\x2e{0,2}$/U"; content:!"|0d 0a|Cookie|3a|"; flowbits:set,NuclearEK; classtype:trojan-activity; sid:2022193; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2015_11_30, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Chase Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Chase Online - Identification</title>"; fast_pattern:24,20; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025674; rev:2; metadata:created_at 2015_12_01, updated_at 2018_07_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Google Drive Phish Dec 4 2015 M1"; flow:to_server,established; content:"POST"; http_method; content:"hidCflag="; nocase; depth:9; http_client_body; fast_pattern; content:"&Email="; nocase; http_client_body; distance:0; content:"&Pass"; http_client_body; distance:0; nocase; content:"sign"; nocase; http_client_body; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022217; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2015_12_03, performance_impact Low, updated_at 2017_09_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Facebook password stealing inject Jan 04"; flow:from_server,established; file_data; content:"facebook.com"; nocase; content:"localStorage"; fast_pattern:only; nocase; content:"email"; nocase; content:"pass"; nocase; content:"login_form"; nocase; content:"location"; nocase; pcre:"/^\s*\.\s*hostname\s*.indexOf\s*\([\x22\x27]facebook\.com[\x22\x27]/Rsi"; content:"getElementById"; distance:0; pcre:"/^\s*\(\s*[\x22\x27]login_form[\x22\x27]/Rsi"; content:"getElementById"; distance:0; pcre:"/\s*\(\s*[\x22\x27](email|pass)[\x22\x27]/Rsi"; content:"image"; nocase; pcre:"/[^.]*\.\s*src\s*\=[\x22\x27][^\x22\x27]*\.php\?[ -~]+?\=[\x22\x27]\s*\+localStorage\./Rsi"; classtype:web-application-attack; sid:2022221; rev:2; metadata:created_at 2015_12_04, updated_at 2015_12_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Dec 09"; flow:established,from_server; file_data; content:"<!--/"; fast_pattern:only; content:"<!--"; pcre:"/^(?P<ccode>[a-f0-9]{6})-->.*?<script.+?<\/script>.*?<!--/(?P=ccode)-->/Rsi"; classtype:trojan-activity; sid:2022242; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2015_12_10, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Evil Macro Downloading Trojan Dec 16 2015 Post to EXE"; flow:established,to_server; content:"POST"; http_method; content:".exe"; http_uri; nocase; fast_pattern:only; pcre:"/^[\x2fa-z\d]+\.exe$/U"; content:!"Referer|3a|"; http_header; content:"Content-Length|3a 20|0|0d 0a|Connection|3a 20|"; http_header; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; http_header; content:"Accept-Encoding|3a 20|gzip, deflate|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b|"; http_header; classtype:trojan-activity; sid:2022270; rev:1; metadata:created_at 2015_12_17, updated_at 2015_12_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mon Dec 21 2015 5"; flow:from_server,established; file_data; content:"|3f 22 5c 78|"; fast_pattern; byte_test:1,>,0x2f,-5,relative; byte_test:1,<,0x3a,-5,relative; content:"var "; pcre:"/^\s*?[a-z]+\s*?=\s*?\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b].*?(?<=[\x3d\x2b])\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b].*?(?<=[\x3d\x2b])\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b].*?(?<=[\x3d\x2b])\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b]/Rsi"; reference:url,blog.sucuri.net/2015/12/evolution-of-pseudo-darkleech.html; classtype:trojan-activity; sid:2022290; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2015_12_21, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Dec 22 2015 (Proxy Filtering)"; flow:established,to_server; content:"POST"; http_method; content:"content-types|3a|"; http_header; nocase; fast_pattern:only; content:"Referer|3a|"; http_header; content:"content-type|3a|"; http_header; nocase; classtype:trojan-activity; sid:2022304; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2015_12_23, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mon Dec 26 2015"; flow:to_server,established; content:"/st1.phtml"; http_uri; classtype:trojan-activity; sid:2022312; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_12_28, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mon Dec 26 2015 2"; flow:to_server,established; content:"/lobo.phtml"; http_uri; classtype:trojan-activity; sid:2022313; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_12_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS AES Crypto Observed in Javascript - Possible Phishing Landing M1 Dec 28 2015"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:".Ctr.decrypt"; nocase; fast_pattern; pcre:"/^\s*?\(\s*[^,]+,\s*?[^,]+,\s*?(?:128|256|512)\s*?\)/Rsi"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025657; rev:5; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_12_28, updated_at 2018_07_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Dec 30 M1"; flow:to_client,established; file_data; content:"/windowslogo.jpg"; fast_pattern; nocase; content:"/winborder.html"; nocase; distance:0; content:"bug1.html"; nocase; distance:0; content:"infected your system"; nocase; distance:0; content:"TCP connection already exists"; nocase; distance:0; content:"TOLL FREE"; nocase; distance:0; classtype:trojan-activity; sid:2022319; rev:1; metadata:created_at 2016_12_30, updated_at 2016_12_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Dec 30 M2"; flow:to_client,established; file_data; content:"/sound.mp3"; fast_pattern; nocase; content:"function goodbye"; nocase; distance:0; content:"DetectMobile()"; nocase; distance:0; content:"stopPropagation"; nocase; distance:0; content:"preventDefault"; nocase; distance:0; classtype:trojan-activity; sid:2022320; rev:1; metadata:created_at 2016_12_30, updated_at 2016_12_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jan 6th 2016 M1"; flow:established,to_server; urilen:18; content:"GET"; http_method; content:"/switch/cookie.php"; depth:18; http_uri; fast_pattern; classtype:trojan-activity; sid:2022338; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_01_06, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Dridex Download 6th Jan 2016 Flowbit"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; content:"Content-Length|3a 20|0|0d 0a|"; content:"MSIE 7.0"; http_header; fast_pattern:only; content:!"Referer|3A|"; http_header; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}(?:\x3a\d{1,5})?\r\n/H"; flowbits:set,et.dridexdoc; flowbits:noalert; classtype:trojan-activity; sid:2022339; rev:1; metadata:created_at 2016_01_06, updated_at 2016_01_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS W32/Dridex Binary Download 6th Jan 2016"; flowbits:isset,et.dridexdoc; flow:established,to_client; content:"Content-Disposition|3A| attachment|3B| filename="; http_header; content:".exe"; http_header; fast_pattern;  file_data; content:"MZ"; within:2; content:"This program"; within:100; classtype:trojan-activity; sid:2022340; rev:3; metadata:created_at 2016_01_06, updated_at 2016_01_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jan 6th 2016 M2"; flow:established,from_server; content:"Content-Type|3a 20|application/javascript|3b|"; http_header; file_data; content:"var iframe"; within:13; pcre:"/^\s*?=\s*?[\x22\x27]<iframe\s*?src\s*?=/R"; content:":-"; pcre:"/^\d{3,}/R"; content:"</iframe>"; pcre:"/^\s*?/Rs"; content:"document.write(iframe)|3b|"; isdataat:!2,relative; classtype:trojan-activity; sid:2022341; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_01_07, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Suspicious Wordpress Redirect - Possible Phishing Landing (set) Jan 7"; flow:to_server,established; content:"GET"; http_method; content:"/wp-"; http_uri; depth:4; fast_pattern; content:!"Referer|3a|"; http_header; flowbits:set,ET.wpphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025696; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Perimeter, deployment Datacenter, tag Phishing, tag Wordpress, signature_severity Major, created_at 2016_01_07, updated_at 2018_07_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Wordpress Redirect - Possible Phishing Landing Jan 7 2016"; flow:to_client,established; content:"302"; http_stat_code; content:"|0d 0a|Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"|0d 0a|location|3a 20|"; nocase; pcre:"/^[a-f0-9]{32}(?:\/index\.php)?\x0d\x0a/R"; flowbits:isset,ET.wpphish; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025671; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Perimeter, deployment Datacenter, tag Phishing, tag Wordpress, signature_severity Major, created_at 2016_01_07, updated_at 2018_07_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoinMiner Malicious Authline Seen in JAR Backdoor"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3a 20 22|mining.authorize|22 2c|"; within:100; content:"|22|params|22|"; within:50; content:"|5b 22|CGX2U2oeocN3DTJhyPG2cPg7xpRRTzNZkz|22 2c 20 22|"; distance:0; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,blog.malwaremustdie.org/2016/01/mmd-0049-2016-case-of-java-trojan.html; classtype:trojan-activity; sid:2022349; rev:1; metadata:created_at 2016_01_11, updated_at 2016_01_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Jan 13 M1"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>SECURITY WARNING"; fast_pattern:3,20; content:"0x0000007E"; nocase; distance:0; content:"0xFFFFFFFFFC000000047"; nocase; distance:0; content:"Serious security threat"; nocase; distance:0; content:"msg.mp3"; nocase; classtype:trojan-activity; sid:2022364; rev:1; metadata:created_at 2016_01_14, updated_at 2016_01_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Jan 13 M2"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS"; content:"WINDOWS HEALTH IS CRITICAL"; fast_pattern:6,20; distance:0; content:"myFunction()|3b|"; classtype:trojan-activity; sid:2022365; rev:2; metadata:created_at 2016_01_14, updated_at 2016_01_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Jan 13 M3"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"getURLParameter"; nocase; content:"PhoneNumber"; nocase; distance:0; content:"AlertMessage"; content:"Windows Certified Support"; fast_pattern:5,20; nocase; distance:0; content:"myFunction"; nocase; distance:0; content:"needToConfirm"; nocase; distance:0; content:"msg1.mp3"; nocase; distance:0; classtype:trojan-activity; sid:2022366; rev:1; metadata:created_at 2016_01_14, updated_at 2016_01_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Feb 26 2016"; flow:to_server,established; content:"POST"; http_method; content:"email"; nocase; http_client_body; content:"pass"; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024554; rev:6; metadata:created_at 2016_01_14, updated_at 2017_10_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Feb 26 2016"; flow:to_server,established; content:"POST"; http_method; content:"user"; nocase; http_client_body; content:"pass"; nocase; http_client_body; fast_pattern; content:!"useragent"; nocase; http_client_body; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024555; rev:6; metadata:created_at 2016_01_14, updated_at 2018_01_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish Jan 14 2016"; flow:to_client,established; flowbits:isset,ET.genericphish; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Location|3a 20|http"; nocase; fast_pattern; http_header; content:"Location|3a 20|http"; nocase; pcre:"/^(?:s)?\x3a\/\/[^\/]*(?:(?:a(?:m(?:ericanexpress|azon)|(?:dob|ppl)e|libaba|ol)|r(?:e(?:gions|max)|bcroyalbank)|f(?:irst-online|acebook|edex)|m(?:icrosoft(?:online)?|atch)|u(?:s(?:bank|aa|ps)|ps)|(?:technologyordi|googl)e|na(?:twest|ver)|d(?:ropbox|hl)|yahoo(?:mail)?|1(?:26|63)|keybank|qq)\.com|i(?:n(?:t(?:ertekgroup\.org|uit\.com)|vestorjunkie\.com|g\.(?:be|nl))|c(?:icibank\.com|scards\.nl)|mpots\.gouv\.fr|rs\.gov)|c(?:(?:h(?:ristianmingl|as)e|apitalone(?:360)?|ibcfcib|panel)\.com|om(?:mbank\.com\.au|cast\.net)|redit-agricole\.fr)|b(?:a(?:nkofamerica\.com|rclays\.co\.uk)|(?:igpond|t)\.com|luewin\.ch)|o(?:(?:utlook|ffice)\.com|range\.(?:co\.uk|fr)|nline\.hmrc\.gov\.uk)|s(?:(?:(?:aatchiar|untrus)t|c)\.com|ecure\.lcl\.fr|parkasse\.de)|h(?:a(?:lifax(?:-online)?\.co\.uk|waiiantel\.net)|otmail\.com)|p(?:(?:rimelocation|aypal)\.com|ostbank\.de)|l(?:i(?:nkedin|ve)\.com|abanquepostale\.fr)|we(?:llsfargo\.com|stpac\.co\.nz)|etisalat\.ae)\/?/Ri"; content:!"domain=.facebook.com|3b|"; http_header; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025005; rev:12; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_01_14, updated_at 2017_11_16;)

#alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Chrome Extension Phishing DNS Request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"chrome-extension"; nocase; distance:0; fast_pattern; reference:url,www.seancassidy.me/lostpass.html; classtype:trojan-activity; sid:2022372; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_01_19, updated_at 2016_11_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Chrome Extension Phishing HTTP Request"; flow:to_server,established; content:"Host|3a| chrome-extension."; http_header; reference:url,www.seancassidy.me/lostpass.html; classtype:trojan-activity; sid:2022373; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_01_19, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Suspicious LastPass URI Structure - Possible Phishing"; flow:established,to_server; content:"GET"; http_method; content:"/tabDialog.html?dialog=login"; http_uri; fast_pattern:only; reference:url,www.seancassidy.me/lostpass.html; classtype:trojan-activity; sid:2022374; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_01_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Script Loaded from Pastebin"; flow:established,to_client; file_data; content:"pastebin.com/raw"; fast_pattern:only; content:"<script "; pcre:"/^(?:(?!<\/script>).)*?src\s*=\s*\x5c?[\x22\x27]https?\x3a\/\/(?:www\.)?pastebin\.com\/raw(?:\/|\.php\?i=)[A-Z-a-z0-9]{8}[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2022376; rev:1; metadata:created_at 2016_01_19, updated_at 2016_01_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Jan 26 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"Critical Error"; nocase; content:"WINDOWS VIRUS"; nocase; content:".net framework file missing"; nocase; fast_pattern:7,20; content:"contact Microsoft Support"; nocase; distance:0; classtype:trojan-activity; sid:2022409; rev:1; metadata:created_at 2016_01_26, updated_at 2016_01_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Chrome Tech Support Scam Landing Jan 26 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function pop"; fast_pattern; nocase; content:"function progressUpdate"; nocase; content:"Operating System"; nocase; content:"Browser"; nocase; content:"Internet Provider"; nocase; content:"Location"; nocase; content:"Scan progress"; nocase; classtype:trojan-activity; sid:2022410; rev:1; metadata:created_at 2016_01_26, updated_at 2016_01_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jan 27 2016 (Evil Keitaro FB Set)"; flow:established,to_server; urilen:>5; content:"/?3b"; http_uri; depth:4; pcre:"/^\/\?3b[A-Z0-9a-z]{2}(&subid=[^&]*)?$/U"; flowbits:set,ET.Keitaro; flowbits:noalert; classtype:trojan-activity; sid:2022464; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_01_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK (Known Evil Keitaro TDS)"; flow:established,from_server; flowbits:isset,ET.Keitaro; content:"302"; http_stat_code; content:"LOCATION|3a 20|http"; http_header; content:"Expires|3a 20|Thu, 21 Jul 1977 07|3a|30|3a|00 GMT|0d 0a|"; http_header; fast_pattern:5,20; classtype:trojan-activity; sid:2022465; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_01_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Keitaro TDS Redirect"; flow:established,from_server; content:"302"; http_stat_code; content:"LOCATION|3a 20|http"; http_header; nocase; content:"Content-Type|3a 20|text/html|3b 20|charset=utf-8|0d 0a|"; http_header; content:"Expires|3a 20|Thu, 21 Jul 1977 07|3a|30|3a|00 GMT|0d 0a|"; http_header; fast_pattern:5,20; pcre:"/Date\x3a\x20(?P<dstring>[^\r\n]+)\r\n.*?Last-Modified\x3a\x20(?P=dstring)\r\n/Hs"; content:"Cache-Control|3a 20|max-age=0|0d 0a|Pragma|3a 20|no-cache|0d 0a|"; classtype:bad-unknown; sid:2022466; rev:4; metadata:created_at 2016_01_27, updated_at 2017_02_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest Evil Redirect Leading to EK Feb 01 2016"; flow:established,from_server; file_data; content:"|7a 2d 69 6e 64 65 78 3a 2d 31 3b|"; content:"|6f 70 61 63 69 74 79 3a 30 3b 66 69 6c 74 65 72 3a 61 6c 70 68 61 28 6f 70 61 63 69 74 79 3d 30 29 3b 20 2d 6d 6f 7a 2d 6f 70 61 63 69 74 79 3a 30 3b 22 3e|"; fast_pattern:32,20; distance:0; content:"|63 6c 73 69 64 3a 64 32 37 63 64 62 36 65 2d 61 65 36 64 2d 31 31 63 66 2d 39 36 62 38 2d 34 34 34 35 35 33 35 34 30 30 30 30|"; nocase; within:500; reference:url,malware-traffic-analysis.net/2016/01/26/index.html; classtype:trojan-activity; sid:2022479; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_02_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Compromised WP Feb 01 2016"; flow:established,from_server; file_data; content:"|5c 22 5d 5d 2e 6a 6f 69 6e 28 5c 22 5c 22 29 3b 22 29 29 3b 2f 2a|"; fast_pattern:2,20; pcre:"/^\s*[a-f0-9]{32}\s*\x2a\x2f/R"; reference:url,blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection.html; classtype:trojan-activity; sid:2022481; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_02_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG encrypted payload M1 Feb 02 2016"; flow:established,to_client; file_data; content:"|3b 2d dd 4b 40 77 77 41|"; within:8; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022484; rev:2; metadata:created_at 2016_02_02, updated_at 2017_08_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Phishing Landing via GetGoPhish Phishing Tool"; flow:to_server,established; content:"GET"; http_method; content:"?rid="; http_uri; fast_pattern; pcre:"/\?rid=[a-f0-9]{64}$/Ui"; content:!"xerox.com|0d 0a|"; http_header; reference:url,getgophish.com; classtype:trojan-activity; sid:2022486; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_02_03, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Phishing Attempt via GetGoPhish Phishing Tool"; flow:to_server,established; content:"POST"; http_method; content:"?rid="; http_header; fast_pattern; pcre:"/\?rid=[a-f0-9]{64}\x0d\x0a/Hi"; content:!"xerox.com|0d 0a|"; http_header; reference:url,getgophish.com; classtype:trojan-activity; sid:2022487; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_02_03, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 05 2016"; flow:established,to_server; content:"/?keyword="; http_uri; fast_pattern:only; pcre:"/\/\?keyword=(?:(?=[a-f]{0,31}[0-9])(?=[0-9]{0,31}[a-f])[a-f0-9]{32}|\d{5})$/U"; classtype:trojan-activity; sid:2022493; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_02_05, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 07 2016"; flow:established,to_server; content:"/QrQ8Gr"; http_uri; urilen:7; classtype:trojan-activity; sid:2022496; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_02_08, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Apple Phish M1 Feb 06 2016"; flow:to_server,established; content:"POST"; http_method; content:".php?token|3b|"; fast_pattern; http_uri; content:"id="; depth:3; nocase; http_client_body; content:"&password="; nocase; http_client_body; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022497; rev:2; metadata:created_at 2016_02_08, updated_at 2017_10_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Apple Phish M2 Feb 06 2016"; flow:to_server,established; content:"POST"; http_method; content:".php?token|3b|"; fast_pattern; http_uri; content:"fName="; depth:6; nocase; http_client_body; content:"&lName="; nocase; http_client_body; distance:0; content:"&ZIPCode="; nocase; http_client_body; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022498; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_02_08, updated_at 2017_10_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Apple Phish M3 Feb 06 2016"; flow:to_server,established; content:"POST"; http_method; content:".php?token|3b|"; fast_pattern; http_uri; content:"ccNum="; depth:6; nocase; http_client_body; content:"&NameOnCard="; nocase; http_client_body; distance:0; content:"&CVV="; nocase; http_client_body; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022499; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_02_08, updated_at 2017_10_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Xbagger Macro Encrypted DL"; flow:established,to_server; content:".jpg?"; http_uri; fast_pattern:only; content:"MSIE 7.0|3b| Windows NT"; http_header; content:"Range"; http_header; pcre:"/^\/[a-z0-9]+\.jpg\?(?=[a-z0-9]*[A-Z]+[a-z0-9])[A-Za-z0-9]+=\d{1,4}$/U"; classtype:trojan-activity; sid:2022500; rev:4; metadata:created_at 2016_02_10, updated_at 2016_02_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Phishing Redirect Feb 09 2016"; flow:to_client,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"|0d 0a|location|3a 20|"; fast_pattern; http_header; content:"|0d 0a|location|3a 20|"; pcre:"/^[a-f0-9]{32}\??\x0d\x0a/Ri"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025006; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_02_10, updated_at 2017_11_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Dridex AlphaNum DL Feb 10 2016"; flow:established,to_server; urilen:15<>50; content:"MSIE 7.0|3b| Windows NT"; http_header; fast_pattern; content:!"Referer|3a|"; http_header; content:!"="; http_uri; content:!"&"; http_uri; content:!"?"; http_uri; pcre:"/\/(?=[a-z]{0,7}[0-9])(?=[0-9]{0,7}[a-z])[a-z0-9]{7,8}\/(?=[a-z]{0,7}[0-9])(?=[0-9]{0,7}[a-z])[a-z0-9]{7,8}$/U"; content:!"Cookie|3a|"; classtype:trojan-activity; sid:2022503; rev:1; metadata:created_at 2016_02_10, updated_at 2016_02_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Hard Drive Delete Scam Landing Feb 16 M1"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<!-- get the phone number"; nocase; fast_pattern:5,20; content:"//Flag we have not run the script"; nocase; distance:0; content:"//This is the scripting used to replace"; nocase; distance:0; content:"// alert the visitor with a message"; nocase; distance:0; content:"// Setup whatever you want for an exit"; nocase; distance:0; classtype:trojan-activity; sid:2022525; rev:1; metadata:created_at 2016_02_16, updated_at 2016_02_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Hard Drive Delete Scam Landing Feb 16 M2"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"background-color|3a| #FF1C1C|3b|"; fast_pattern:6,20; nocase; content:"color|3a| #FFFFFF|3b|"; nocase; distance:0; content:"function countdown"; nocase; distance:0; content:"function updateTimer"; nocase; distance:0; classtype:trojan-activity; sid:2022526; rev:1; metadata:created_at 2016_02_16, updated_at 2016_02_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Hard Drive Delete Scam Landing Feb 16 M3"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Error Hard Drive"; fast_pattern:3,20; nocase; content:"src=|22|a1.mp4|22|"; nocase; distance:0; content:"To STOP Deleting Hard Drive"; nocase; distance:0; classtype:trojan-activity; sid:2022527; rev:1; metadata:created_at 2016_02_16, updated_at 2016_02_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Hard Drive Delete Scam Landing Feb 16 M4"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function main_alert"; nocase; fast_pattern; content:"WARNING"; nocase; distance:0; content:"Your hard drive will be DELETED"; nocase; distance:0; content:"To Stop This Process"; nocase; distance:0; classtype:trojan-activity; sid:2022528; rev:1; metadata:created_at 2016_02_16, updated_at 2016_02_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Feb 17"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"keyframes poplzatvci"; fast_pattern; content:"#lzatvciovlwmiiqxbwxywuerkhtunrlvherk"; nocase; distance:0; classtype:trojan-activity; sid:2022530; rev:1; metadata:created_at 2016_02_17, updated_at 2016_02_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Dridex DL Pattern Feb 18 2016"; flow:established,to_server; content:"GET"; http_method; content:".exe?."; http_uri; fast_pattern:only; pcre:"/\.exe\?\.\d+$/U"; content:"MSIE 7.0|3b| Windows NT"; http_header; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2022549; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; nocase; fast_pattern:only; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; http_header; content:"Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; pcre:"/(?:\/(?:(?:p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|a(?:nel\/includes\/[^\x2f]+|tric)|o(?:sts?\/[a-z0-9]+|ny[a-z]*)|rogcicicic|m\d{1,2})|s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|vchost[^\x2f]*|gau\/.*?|alam|ucks|can|ke)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|in(?:voice(?:\/[^\x2f]+|[^\x2f]*)|st\d+|fos?)|a(?:d(?:min\/images\/\w+|obe)|salam|live|us)|m(?:edia\/files\/\w+|a(?:cros?|rch)|soffice)|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|(?:~.+?\/\.[^\x2f]+|\.css)\/.+?|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|xml\/load\/[^\x2f]+|(?:[Dd]ocumen|ve)t|Ozonecrytedserver|w(?:or[dk]|insys)|t(?:mp\/.+?|est)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)|(?:^\/(?:image\/.+?\/[^\x2f]+|x\/setup)|[\x2f\s]order|keem)\.exe$)/Ui"; content:!".bloomberg.com|0d 0a|"; http_header; nocase; content:!".bitdefender.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2022550; rev:13; metadata:affected_product MS_Office, attack_target Client_Endpoint, deployment Perimeter, tag MalDoc, signature_severity Major, created_at 2016_02_18, malware_family MalDocGeneric, performance_impact Low, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Chalbhai Phishing Landing Feb 18 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"name=|22|chalbhai|22|"; fast_pattern; nocase; content:"id=|22|chalbhai|22|"; nocase; content:"method=|22|post|22|"; nocase; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025654; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_02_19, updated_at 2018_07_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Feb 23 2016"; flow:established,from_server; file_data; content:"|29 7b 72 65 74 75 72 6e 20 4d 61 74 68 2e 72 6f 75 6e 64 28 28 28 28 28|"; content:"|29 7b 72 65 74 75 72 6e 20 4d 61 74 68 2e 72 6f 75 6e 64 28 28 28 28 28|"; distance:0; content:"|3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e|"; pcre:"/^\s+\d+\x3b\s*\}/R"; content:"|5d 3d 53 74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72 43 6f 64 65|"; fast_pattern; classtype:trojan-activity; sid:2022565; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_02_24, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 24 2016 (Evil Keitaro FB Set)"; flow:established,to_server; urilen:7; content:"/xLMCJ4"; http_uri; flowbits:set,ET.Keitaro; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025038; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_02_25, updated_at 2017_11_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Malicious Macro EXE DL AlphaNumL"; flow:established,to_server; urilen:10<>40; content:".exe"; fast_pattern; http_uri; offset:5; pcre:"/\/(?=[0-9]*?[a-z]*?[a-z0-9)(?=[a-z0-9]*[0-9][a-z]*[0-9][a-z0-9]*\.exe)(?!setup\d+\.exe)[a-z0-9]{5,15}\.exe/U"; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; http_header; content:"Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; http_header; content:!"Referer|3a|"; http_header; content:!".bloomberg.com|0d 0a|"; http_header; nocase; content:!"leg1.state.va.us"; http_header; nocase; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022566; rev:4; metadata:created_at 2016_02_25, updated_at 2017_03_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Feb 25 2016"; flow:established,from_server; file_data; content:"|36 31 2c 39 31 2c 33 34 2c 31 31 34 2c 31 31 38 2c 35 38 2c 34 39 2c 34 39 2c 33 34 2c 34 34 2c 33 34 2c 37 37 2c 38 33 2c 37 33 2c 36 39 2c 33 34 2c 34 34 2c 39 33 2c 35 39|"; content:"|39 39 2c 31 30 34 2c 39 37 2c 31 31 34 2c 36 37 2c 31 31 31 2c 31 30 30 2c 31 30 31 2c 36 35 2c 31 31 36|"; classtype:trojan-activity; sid:2022567; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_02_25, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Feb 26 2016"; flow:to_server,established; content:"POST"; http_method; content:"&address"; nocase; fast_pattern; http_client_body; content:"&cc"; nocase; http_client_body; content:"&cvv"; nocase; http_client_body; distance:0; content:"&ssn"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024556; rev:3; metadata:created_at 2016_02_29, updated_at 2017_10_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 29 2016 (Evil Keitaro FB Set)"; flow:established,to_server; urilen:5; content:"/5c2C"; http_uri; flowbits:set,ET.Keitaro; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025039; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_02_29, updated_at 2017_11_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Landing Feb 26"; flow:to_server,established; content:"GET"; http_method; content:".html"; http_uri; content:"rackcdn.com|0d 0a|"; http_header; fast_pattern; pcre:"/^\/[a-zA-Z0-9]+\.html$/U"; pcre:"/\x0d\x0aHost\x3a\x20[a-f0-9]{20}-[a-f0-9]{32}\.r[0-9]{1,2}\.cf[0-9]\.rackcdn\.com\x0d\x0a/H"; classtype:trojan-activity; sid:2022574; rev:2; metadata:created_at 2016_02_29, updated_at 2016_08_26;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain M1 Feb 29"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"helpdesk"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022575; rev:1; metadata:created_at 2016_02_29, updated_at 2016_02_29;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain M2 Feb 29"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"errorcode"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022576; rev:1; metadata:created_at 2016_02_29, updated_at 2016_02_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phishing Landing Obfuscation Mar 01 2016"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"unescape=function"; fast_pattern; content:"replace(new RegExp(|22|%26|22|, |22|g|22|), |22|&|22|)|3b|"; nocase; distance:0; content:"replace(new RegExp(|22|%3B|22|, |22|g|22|), |22 3b 22|)|3b|"; nocase; distance:0; content:"document.write"; nocase; distance:0; content:"replace(|27|<!--?--><?"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; reference:url,proofpoint.com/us/threat-insight/post/Obfuscation-Techniques-In-Phishing-Attacks; classtype:trojan-activity; sid:2022578; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_03_01, updated_at 2017_10_13;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET CURRENT_EVENTS MySQL Malicious Scanning 1"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"GRANT ALTER, ALTER ROUTINE"; distance:0; nocase; within:30; content:"TO root@% WITH"; fast_pattern:only; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022579; rev:1; metadata:created_at 2016_03_01, updated_at 2016_03_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET CURRENT_EVENTS MySQL Malicious Scanning 2"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"set global log_bin_trust_function_creators=1"; fast_pattern:only; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022580; rev:1; metadata:created_at 2016_03_01, updated_at 2016_03_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET CURRENT_EVENTS MySQL Malicious Scanning 3"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"select unhex("; fast_pattern; distance:0; content:"into dumpfile|20 27|"; distance:0; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022581; rev:1; metadata:created_at 2016_03_01, updated_at 2016_03_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Domain M1 Mar 3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"errorfound"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022591; rev:1; metadata:created_at 2016_03_03, updated_at 2016_03_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Domain M2 Mar 3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"unattendedfile"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022592; rev:1; metadata:created_at 2016_03_03, updated_at 2016_03_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Domain M3 Mar 3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"internetsituation"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022593; rev:1; metadata:created_at 2016_03_03, updated_at 2016_03_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Phishing Landing - Data URI Inline Javascript Mar 07 2016"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"data|3a|text/html|3b|"; fast_pattern; content:"|3b|base64,"; distance:0; within:21; pcre:"/^[^\x22|\x27]+<\s*?script(?:(?!<\s*?\/\s*?script).)+?data\x3atext\/html\x3b(?:charset=UTF-8\x3b)?base64\x2c/si"; metadata: former_category CURRENT_EVENTS; reference:url,proofpoint.com/us/threat-insight/post/Obfuscation-Techniques-In-Phishing-Attacks; classtype:trojan-activity; sid:2022597; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_03_07, updated_at 2017_10_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Fake Support Phone Scam Mar 7"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Microsoft"; nocase; content:"function myFunction()"; pcre:"/^\s*?\{\s*?setInterval\s*?\(\s*?function/Rsi"; content:"alert2.mp3"; fast_pattern; nocase; distance:0; classtype:trojan-activity; sid:2022602; rev:1; metadata:created_at 2016_03_07, updated_at 2016_03_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Fake Support Phone Scam Mar 8"; flow:established,from_server; file_data; content:"onload=|22|myFunction|28 29 3b 22|"; fast_pattern; nocase; content:"onclick=|22|myFunction|28 29 3b 22|"; nocase; content:"onkeydown=|22|myFunction|28 29 3b 22|"; nocase; content:"onunload=|22|myFunction|28 29 3b 22|"; nocase; content:"<audio"; nocase; pcre:"/^[^\r\n]+autoplay=[\x22\x27]autoplay/Rsi"; content:"TOLL FREE"; nocase; classtype:trojan-activity; sid:2022603; rev:1; metadata:created_at 2016_03_08, updated_at 2016_03_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Enom Phish Mar 08 2016"; flow:to_server,established; content:"POST"; http_method; content:"enom"; http_header; nocase; content:"ctl00_ScriptManager"; depth:19; nocase; fast_pattern; http_client_body; content:"user="; nocase; http_client_body; distance:0; content:"pass"; nocase; distance:0; http_client_body; content:"Login=Login"; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; reference:url,welivesecurity.com/2016/03/07/beware-spear-phishers-hijack-website/; classtype:trojan-activity; sid:2022604; rev:3; metadata:created_at 2016_03_08, updated_at 2017_10_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Fake Support Phone Scam Mar 9 M1"; flow:established,from_server; file_data; content:"Callpixels"; fast_pattern; nocase; pcre:"/^\s*?\.\s*?Campaign\s*?\(\s*?\{\s*?campaign_key/Rsi"; content:"<audio"; nocase; pcre:"/^[^\r\n]+autoplay=[\x22\x27]autoplay/Rsi"; content:"TOLL FREE"; nocase; classtype:trojan-activity; sid:2022605; rev:1; metadata:created_at 2016_03_09, updated_at 2016_03_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Fake Support Phone Scam Mar 9 M2"; flow:established,from_server; file_data; content:"//Flag we have not"; fast_pattern; nocase; content:"//The location of the page that we will load on a second pop"; nocase; distance:0; content:"//figure out what to use for default number"; nocase; distance:0; content:"//allow for the traffic source to send in their own default number"; nocase; distance:0; content:"//if no unformatted number just use it"; nocase; distance:0; classtype:trojan-activity; sid:2022606; rev:1; metadata:created_at 2016_03_09, updated_at 2016_03_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Fake Support Phone Scam Mar 9 M3"; flow:established,from_server; file_data; content:"<title>ALERT"; fast_pattern; content:"makeNewPosition"; nocase; distance:0; content:"animateDiv"; nocase; distance:0; content:"div.fakeCursor"; nocase; distance:0; content:"<audio autoplay"; nocase; distance:0; classtype:trojan-activity; sid:2022607; rev:1; metadata:created_at 2016_03_09, updated_at 2016_03_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Mar 9 M2"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function myFunction"; nocase; fast_pattern; content:"MICROSOFT COMPUTER HAS BEEN BLOCKED"; nocase; distance:0; content:"Windows System Alert"; nocase; distance:0; content:"Contact Microsoft"; nocase; distance:0; classtype:trojan-activity; sid:2022608; rev:1; metadata:created_at 2016_03_09, updated_at 2016_03_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Chase Phishing Domain Mar 14 2016"; flow:to_server,established; content:"GET"; http_method; content:"chase.com"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"chase.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+chase\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022615; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_03_14, updated_at 2017_11_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Apple Phishing Domain Mar 14 2016"; flow:to_server,established; content:"GET"; http_method; content:"apple.com"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"apple.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+apple\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022616; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_03_14, updated_at 2017_11_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible USAA Phishing Domain Mar 14 2016"; flow:to_server,established; content:"GET"; http_method; content:"usaa.com"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"usaa.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+usaa\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022617; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_03_14, updated_at 2017_11_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Paypal Phishing Domain Mar 14 2016"; flow:to_server,established; content:"GET"; http_method; content:"paypal.com"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"paypal.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+paypal\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022618; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_03_14, updated_at 2017_11_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Mar 15"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Security"; fast_pattern; nocase; content:"function DetectMobile"; nocase; distance:0; content:"function myFunction"; nocase; distance:0; content:"Please call"; nocase; distance:0; classtype:trojan-activity; sid:2022619; rev:1; metadata:created_at 2016_03_15, updated_at 2016_03_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mar 15 2016 M1"; flow:established,from_server; file_data; content:"|2f 2a 67 6c 6f 62 61 6c 20 4a 53 4f 4e 32 3a 74 72 75 65 20 2a 2f 0a 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; content:"|77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; distance:0; isdataat:!10,relative; classtype:trojan-activity; sid:2022620; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_03_15, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mar 15 2016 M2"; flow:established,to_server; content:"/track/k.track?wd="; http_uri; depth:18; content:"fid="; http_uri; content:"rds="; http_uri; classtype:trojan-activity; sid:2022621; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_03_15, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Likely Evil Macro EXE DL mar 15 2016"; flow:established,to_server; content:"/image/"; http_uri; depth:13; content:".exe"; http_uri; fast_pattern:only; pcre:"/^\/image\/(?:data|flags)\/[^\x2f]+\.exe$/Ui"; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2022622; rev:1; metadata:created_at 2016_03_16, updated_at 2016_03_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 15"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"suspiciousactivity"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022625; rev:1; metadata:created_at 2016_03_16, updated_at 2016_03_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Mar 18 2016"; flow:from_server,established; file_data; content:"|52 65 67 45 78 70 28 27|"; content:"|27 2b 27 3d 28 5b 5e 3b 5d 29 7b 31 2c 7d 27 29 3b|"; distance:32; within:17; content:"|3b 64 2e 73 65 74 44 61 74 65 28 64 2e 67 65 74 44 61 74 65 28 29 2b 31 29 3b|"; content:"|3c 69 66 72 61 6d 65|"; distance:0; classtype:trojan-activity; sid:2022628; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_03_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mar 19 2016 M1"; flow:established,from_server; file_data; content:"|2f 2a 67 6c 6f 62 61 6c 20 4a 53 4f 4e 32 3a 74 72 75 65 20 2a 2f|"; content:"|28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70|"; distance:0; content:"|77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; distance:0; classtype:trojan-activity; sid:2022629; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_03_19, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mar 19 2016 M2"; flow:established,to_server; content:"/imp/one.trk?wid="; http_uri; classtype:trojan-activity; sid:2022630; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_03_19, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 21 M1"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"errorunauthorized"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022631; rev:1; metadata:created_at 2016_03_21, updated_at 2016_03_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 21 M2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"drivercrashed"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022632; rev:1; metadata:created_at 2016_03_21, updated_at 2016_03_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 21 M3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"computer-is-locked"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022633; rev:1; metadata:created_at 2016_03_21, updated_at 2016_03_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading To EK Mar 22 2016"; flow:established,from_server; file_data; content:"|6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 2e 55 41 20 3d 20 55 41|"; content:"|2e 73 70 6c 69 74 28 22 2c 22 29 2c 20 69 3d 30 2c 20 6b 3b 20 66 6f 72 20 28 3b 20 6b 20 3d 20 61 5b 69 5d 2c 20 69 20 3c 20 61 2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 20 72 2e 70 75 73 68 28|"; content:"|2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 20 7b 20 74 72 79 20 7b 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28|"; classtype:trojan-activity; sid:2022635; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_03_22, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 23"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"unauthorized-transaction"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022648; rev:1; metadata:created_at 2016_03_23, updated_at 2016_03_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Mar 23"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Microsoft"; fast_pattern; nocase; content:"function myFunction"; nocase; distance:0; content:"setInterval"; nocase; distance:0; pcre:"/^\s*?\(\s*?function\s*?\(\s*?\)\s*?\{\s*?alert\s*?\(/Rsi"; content:"<audio"; nocase; distance:0; classtype:trojan-activity; sid:2022649; rev:1; metadata:created_at 2016_03_23, updated_at 2016_03_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS W32/Dridex Binary Download Mar 23 2016"; flow:to_server,established; content:"GET"; http_method; content:"/dana/home.php"; http_uri; fast_pattern; content:"Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; http_header; content:"MSIE 7.0"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/\/home\.php$/U"; reference:md5,2f32bf996e093d5a4107d6daa6c51ec4; classtype:trojan-activity; sid:2022650; rev:2; metadata:created_at 2016_03_24, updated_at 2016_10_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Flash Update Mar 23"; flow:established,to_client; file_data; content:"<title>Flash"; nocase; fast_pattern; content:"#prozor"; nocase; distance:0; content:"#dugme"; nocase; distance:0; content:"Latest version of Adobe"; nocase; distance:0; classtype:trojan-activity; sid:2022651; rev:1; metadata:created_at 2016_03_24, updated_at 2016_03_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil EXE download from WinHttpRequest non-exe extension"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.WinHttpRequest.no.exe.request; classtype:trojan-activity; sid:2022653; rev:1; metadata:created_at 2016_03_24, updated_at 2016_03_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016 (WinHTTPRequest)"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; nocase; fast_pattern:only; content:"WinHttp.WinHttpRequest."; http_header;  pcre:"/(?:\/(?:(?:p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|a(?:nel\/includes\/[^\x2f]+|tric)|osts?\/[a-z0-9]+|rogcicicic)|s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|gau\/.*?|alam|ucks|can|ke)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|a(?:d(?:min\/images\/\w+|obe)|salam|live|us)|m(?:edia\/files\/\w+|a(?:cros?|rch)|soffice)|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|(?:~.+?\/\.[^\x2f]+|\.css)\/.+?|in(?:voice\/[^\x2f]+|fos?)|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|xml\/load\/[^\x2f]+|(?:[Dd]ocumen|ve)t|Ozonecrytedserver|w(?:or[dk]|insys)|t(?:mp\/.+?|est)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)|(?:^\/(?:image\/.+?\/[^\x2f]+|x\/setup)|keem)\.exe$)/Ui"; content:!"download.nai.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2022658; rev:4; metadata:created_at 2016_03_24, updated_at 2016_03_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK EITest Mar 27"; flow:established,to_server; urilen:60<>250; content:!"="; http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"Cookie|3a|"; content:!"[DYNAMIC]"; http_header; pcre:"/^\/(?=[a-z][a-z\x2f]*\d[a-z\x2f]+\d[a-z\x2f]+\d[a-z\x2f]+\d[a-z\x2f]+\d)[a-z0-9\x2f]+\/$/U"; classtype:trojan-activity; sid:2022666; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_03_28, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK EITest Mar 27 M2"; flow:established,to_server; urilen:60<>250; content:!"="; http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!"Cookie|3a|"; pcre:"/^\/(?=[a-z][a-z\x2f]*-[a-z\x2f]+-)[a-z\x2f-]+\/$/U"; classtype:trojan-activity; sid:2022682; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_03_29, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Likely Evil Macro EXE DL mar 28 2016"; flow:established,to_server; content:"HEAD"; http_method; content:"User-Agent|3a 20|Microsoft BITS/7.5|0d 0a|"; http_header; fast_pattern:12,20; content:".exe"; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a\x20[^\r\n]+(?:xyz|pw)\r?$/Hmi"; reference:md5,d599a63fac0640c21272099f39020fac; classtype:trojan-activity; sid:2022686; rev:3; metadata:created_at 2016_03_30, updated_at 2016_03_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 30 M1"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"diskissue"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022690; rev:1; metadata:created_at 2016_03_30, updated_at 2016_03_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 30 M2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"avirus"; fast_pattern; distance:0; nocase; content:!"|07|spotify|03|com"; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022691; rev:2; metadata:created_at 2016_03_30, updated_at 2016_03_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Apr 1"; flow:established,to_client; file_data; content:"<title>SYSTEM ERROR WARNING"; fast_pattern; nocase; content:"function loadNumber"; nocase; distance:0; content:"campaign_key:"; nocase; distance:0; classtype:trojan-activity; sid:2022695; rev:1; metadata:created_at 2016_04_01, updated_at 2016_04_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Phish to Hostinger Domains Apr 4 M4"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"username"; nocase; http_client_body; fast_pattern; content:"pass"; nocase; http_client_body; distance:0; pcre:"/\.php$/U"; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:(?:esy|hol)\.es|(?:890m|16mb)\.com|pe\.hu)\r\n/Hmi"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025000; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_04_04, updated_at 2017_11_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Apr 4"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"callasap"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022696; rev:1; metadata:created_at 2016_04_04, updated_at 2016_04_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Apr 4"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"catchControlKeys"; fast_pattern; content:"// Ctrl+U"; nocase; distance:0; content:"// Ctrl+C"; nocase; distance:0; content:"// Ctrl+A"; nocase; distance:0; content:"//e.cancelBubble is supported by IE"; nocase; distance:0; content:"//e.stopPropagation works in Firefox"; nocase; distance:0; classtype:trojan-activity; sid:2022697; rev:1; metadata:created_at 2016_04_04, updated_at 2016_04_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK April 12 2016 M1"; flow:established,to_server; content:"/2016/less/ing/frame.html"; http_uri; classtype:trojan-activity; sid:2022724; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_04_12, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK April 12 2016 M2"; flow:established,from_server; file_data; content:"|3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 3e 76 61 72 20 6c 3d 27 68 74 74 70 3a|"; content:"|3b 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 27 2b 27 73 63 72 69 70 74 20 74 79 70 65 3d 5c 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 5c 27 20 73 72 63 3d 5c 27 27 2b 6c 2b 27 5c 27 3e 3c 27 2b 27 2f 73 63 72 69 70 74 3e 27 29 3b 3c 2f 73 63 72 69 70 74 3e|"; distance:0; classtype:trojan-activity; sid:2022725; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_04_12, updated_at 2016_07_01;)

alert tcp any !80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Open MGate Device"; flow:established,from_server; content:"Model name|20|"; pcre:"/^\x20+\x3a\x20MGate/R"; content:"|0d 00 0a|MAC address|20|"; distance:0; pcre:"/^\x20+\x3a\x20(?:[0-9A-F]{2}\x3a){5}[0-9A-F]{2}\x0d\x00\x0a/R"; classtype:successful-admin; sid:2022732; rev:2; metadata:created_at 2016_04_14, updated_at 2016_04_14;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain M3 Feb 29"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"yourcomputer"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022739; rev:1; metadata:created_at 2016_04_18, updated_at 2016_04_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Apr 18 M1"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"unusualactivity"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022740; rev:1; metadata:created_at 2016_04_18, updated_at 2016_04_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Apr 18 M2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"yoursystem"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022741; rev:1; metadata:created_at 2016_04_18, updated_at 2016_04_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Apr 18 M3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"howcanwehelp"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022742; rev:1; metadata:created_at 2016_04_18, updated_at 2016_04_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Apr 18 M4"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"bluescreen"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022743; rev:1; metadata:created_at 2016_04_18, updated_at 2016_04_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Apr 18 M5"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"cloud-on"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022744; rev:1; metadata:created_at 2016_04_18, updated_at 2016_04_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Apr 18 M6"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"call-now"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022745; rev:1; metadata:created_at 2016_04_18, updated_at 2016_04_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 20 2016"; flow:established,to_server; urilen:5; content:"/get2"; http_uri; content:"bc3ad="; http_cookie; classtype:trojan-activity; sid:2022751; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_04_20, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 21 2016 M2"; flow:established,to_server; content:"/idx.aspx?sid="; http_uri; content:"&bcOrigin="; http_uri; content:"&rnd="; http_uri; distance:0; classtype:trojan-activity; sid:2022752; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_04_21, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 27 2016 (fbset)"; flow:established,to_server; urilen:11<>57; content:".js"; http_uri; fast_pattern:only; pcre:"/^\/[a-z]{2,20}\/[a-z]{2,20}\/(?:(?:(?:featur|quot)e|ip)s|d(?:ropdown|etect)|co(?:mpiled|re)|header|jquery|lang|min|ga)\.js$/U"; flowbits:set,ET.WordJS; flowbits:noalert; reference:url,research.zscaler.com/2016/01/music-themed-malvertising-lead-to-angler.html; classtype:trojan-activity; sid:2022770; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_04_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 27 2016"; flow:established,from_server; flowbits:isset,ET.WordJS; content:"Content-Type|3a 20|text/html|3b 20|charset=utf-8|0d 0a|"; http_header; file_data; content:"<iframe"; within:7; fast_pattern; reference:url,research.zscaler.com/2016/01/music-themed-malvertising-lead-to-angler.html; classtype:trojan-activity; sid:2022771; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_04_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 28 2016"; flow:established,from_server; file_data; content:"|3d 22 5c 78 32|"; content:"|3d 22 5c 78 36|"; content:"|3d 22 5c 78 37|"; fast_pattern:only; content:"</span>"; content:!"<span>"; distance:-500; within:500; pcre:"/^\s*?<script>\s*?(?:[A-Za-z][A-Za-z\d+]+\s*?\+?=\s*(?:[A-Za-z][A-Za-z\d]+|[\x22\x27]\\x[2-7][0-9a-fA-F](?:\\x[2-7][0-9a-fA-F]){0,4}[\x22\x27])\s*?\x3b){20}/Rs"; reference:url,researchcenter.paloaltonetworks.com/2016/03/unit42-campaign-evolution-darkleech-to-pseudo-darkleech-and-beyond/; classtype:trojan-activity; sid:2022772; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_04_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 29 2016"; flow:established,from_server; file_data; content:"|69 32 33 33 36 20 3d 3d 20 6e 75 6c 6c|"; nocase; fast_pattern:only; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 44 49 56 20 69 64 3d 63 68 65 63 6b 35 32 34 20 73 74 79 6c 65 3d 22 44 49 53 50 4c 41 59 3a 20 6e 6f 6e 65 22 3e|"; content:"|3c 69 66 72 61 6d 65 20 73 72 63 3d 22|"; classtype:trojan-activity; sid:2022774; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_04_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK (delivered via e-mail)"; flow:established,from_server; file_data; content:"|3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 70 69 6e 6b 2d 70 72 6f 64 75 63 74 73 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 70 6c 65 61 73 65 2d 77 61 69 74 2e 67 69 66 22|"; nocase; fast_pattern:17,20; content:"|61 6c 74 3d 22 50 6c 65 61 73 65 20 77 61 69 74 2e 2e 2e 22 2f 3e|"; nocase; content:"|3c 69 66 72 61 6d 65 20 73 72 63 3d|"; nocase; classtype:trojan-activity; sid:2022779; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_05_03, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Fake Support Phone Scam May 10"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Error Hard Drive Safety"; nocase; content:"myFunction()"; content:"Warning|3a| Internet Security Damaged"; content:"err.mp3"; fast_pattern; nocase; distance:0; classtype:trojan-activity; sid:2022802; rev:1; metadata:created_at 2016_05_11, updated_at 2016_05_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK May 13 2016"; flow:established,from_server; file_data; content:"|3c 74 69 74 6c 65 3e 53 65 61 72 63 68 3c 2f 74 69 74 6c 65 3e|"; content:"|23 6c 6c 6c 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 6c 65 66 74 3a 2d|"; fast_pattern; content:"|3c 64 69 76 20 69 64 3d 22 6c 6c 6c 22 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; classtype:trojan-activity; sid:2022805; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_05_13, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Mailbox Update Phishing Landing M1 May 16"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Mail Settings"; nocase; fast_pattern; content:"upgrade your mailbox"; nocase; distance:0; content:"Mail Administrator"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025677; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_05_16, updated_at 2018_07_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Mailbox Update Phishing Landing M2 May 16"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"Email Upgrade</title>"; nocase; fast_pattern; content:"Confirm your account"; nocase; distance:0; content:"Mail Administrator"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025676; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_05_16, updated_at 2018_07_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Malicious Macro DL EXE May 2016 (Mozilla compatible)"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; nocase; fast_pattern:only; content:"Mozilla/4.0|20|(compatible|3b|)"; http_header; content:"Accept|3a 20|*/*|0d 0a|"; http_header; pcre:"/(?:\/(?:(?:p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|a(?:nel\/includes\/[^\x2f]+|tric)|osts?\/[a-z0-9]+|rogcicicic)|s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|gau\/.*?|alam|ucks|can|ke)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|a(?:d(?:min\/images\/\w+|obe)|salam|live|us)|m(?:edia\/files\/\w+|a(?:cros?|rch)|soffice)|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|(?:~.+?\/\.[^\x2f]+|\.css)\/.+?|in(?:voice\/[^\x2f]+|fos?)|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|xml\/load\/[^\x2f]+|(?:[Dd]ocumen|ve)t|Ozonecrytedserver|w(?:or[dk]|insys)|t(?:mp\/.+?|est)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)|(?:^\/(?:image\/.+?\/[^\x2f]+|x\/setup)|keem)\.exe$)/Ui"; reference:md5,f29a3564b386e7899f45ed5155d16a96; classtype:trojan-activity; sid:2022830; rev:1; metadata:created_at 2016_05_19, updated_at 2016_05_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Malicious Macro DL BIN May 2016 (No UA)"; flow:established,to_server; content:"GET"; http_method; content:"/system/"; depth:8; http_uri; nocase; fast_pattern; pcre:"/^\/system\/(?:cache|logs)\/[^\x2f]+\.(?:exe|dll|doc|bin)$/Ui"; content:!"Referer|3a 20|"; http_header; reference:md5,c6747ca29d5c28f4349a5a8343d6b025; classtype:trojan-activity; sid:2022834; rev:3; metadata:created_at 2016_05_24, updated_at 2016_05_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible ReactorBot .bin Download"; flow:established,to_server; content:"GET"; http_method; content:"/cgi/"; content:".bin"; http_uri; fast_pattern:only; pcre:"/\/cgi\/[a-z0-9]{1,31}\.bin$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-Language|3a|"; http_header; content:!"AskTbARS"; http_header; content:!".passport.net|0d 0a|"; http_header; content:!".microsoftonline-p.net|0d 0a|"; http_header; content:!".symantec.com|0d 0a|"; http_header; content:!".qq.com|0d 0a|"; http_header; content:!"kankan.com|0d 0a|"; http_header; content:!"aocdn.net"; http_header; content:"|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2022841; rev:1; metadata:created_at 2016_05_27, updated_at 2016_05_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M4 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>System Official"; nocase; fast_pattern:2,20; content:"function stopNavigate"; nocase; distance:0; content:"<audio autoplay="; nocase; content:"autoplay"; nocase; distance:1; classtype:trojan-activity; sid:2022853; rev:1; metadata:created_at 2016_06_03, updated_at 2016_06_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M5 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"// escape function context"; nocase; content:"// necessary to prevent infinite loop"; nocase; distance:0; content:"// that kills your browser"; nocase; distance:0; fast_pattern:6,20; content:"// pressing leave will still leave, but the GET may be fired first anyway"; nocase; distance:0; classtype:trojan-activity; sid:2022854; rev:1; metadata:created_at 2016_06_03, updated_at 2016_06_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M3 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Chrome Error"; fast_pattern; nocase; content:"function myFunction"; nocase; distance:0; content:"setInterval"; nocase; distance:0; pcre:"/^\s*\(\s*function\s*\(\s*\)\s*\{\s*alert\s*\([\x22\x27]\s*Warning/Rsi"; classtype:trojan-activity; sid:2022855; rev:1; metadata:created_at 2016_06_03, updated_at 2016_06_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M1 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"script to pull the number yet"; nocase; content:"// alert the visitor"; fast_pattern; nocase; distance:0; content:"// repeat alert, whatever you want them to see"; nocase; distance:0; content:"// end function goodbye"; nocase; distance:0; classtype:trojan-activity; sid:2022856; rev:1; metadata:created_at 2016_06_03, updated_at 2016_06_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M2 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function countdown"; nocase; content:"function loadNumber"; nocase; distance:0; content:"function main_alert"; nocase; distance:0; fast_pattern; content:"function repeat_alert"; nocase; distance:0; content:"function goodbye"; nocase; distance:0; classtype:trojan-activity; sid:2022857; rev:1; metadata:created_at 2016_06_03, updated_at 2016_06_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Suspicious BITS EXE DL Dotted Quad as Observed in Recent Cerber Campaign"; flow:to_server,established; content:"User-Agent|3a 20|Microsoft BITS/"; http_header; fast_pattern:6,20; content:".exe"; http_uri; nocase; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r\n/H"; metadata: former_category CURRENT_EVENTS; classtype:misc-activity; sid:2022858; rev:2; metadata:created_at 2016_06_03, updated_at 2017_12_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jun 03 2016"; flow:established,to_server; content:"/wordpress/?"; http_uri; depth:12; pcre:"/^\/wordpress\/\?[A-Za-z0-9]{4}(?:&utm_source=le)?$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022859; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_06_03, updated_at 2017_05_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jun 06 2016"; flow:established,from_server; file_data; content:"|28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70|"; fast_pattern:77,20; content:"name=|27|"; distance:0; content:"|27|"; distance:12; within:1;  content:"|20 77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; within:44; classtype:trojan-activity; sid:2022869; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_06_06, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jun 8 2016"; flow:to_server,established; content:"GET"; http_method; content:".php?"; http_uri; content:"&email="; nocase; fast_pattern; http_uri; content:"&pass"; nocase; distance:0; http_uri; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024557; rev:3; metadata:created_at 2016_06_08, updated_at 2017_10_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS EXE Download from specific file share site (used in recent maldoc campaign)"; flow:to_server,established; content:".exe"; http_uri; content:"Host|3a 20|a.pomf.cat|0d 0a|"; http_header; fast_pattern; content:!"Referer|3a|"; http_header; reference:md5,c321f38862a24dc8a72a251616b3afdf; classtype:trojan-activity; sid:2022884; rev:1; metadata:created_at 2016_06_09, updated_at 2016_06_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD IE Flash request to set non-standard filename (some overlap with 2021752)"; flow:established,to_server; content:"x-flash-version|3a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:s(?:(?:(?:cien|pa)c|it)e|tream)|c(?:l(?:ick|ub)|ountry|ricket)|m(?:(?:aiso|e)n|o(?:bi|m))|p(?:r(?:ess|o)|arty|ink|w)|r(?:e(?:[dn]|view)|acing)|w(?:eb(?:site|cam)|in)|b(?:(?:outiq|l)ue|id)|d(?:ownload|ate|esi)|(?:accountan|hos)t|l(?:o(?:an|l)|ink)|t(?:rade|ech|op)|v(?:oyage|ip)|g(?:dn|b)|online|faith|kim|xyz)(?:\x3a\d{1,5})?\r?\n/Hmi"; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!".swf"; nocase; http_uri; content:!".flv"; nocase; http_uri; content:!"/crossdomain.xml"; http_uri; content:!"|0d 0a|Cookie|3a|"; content:!"sync-eu.exe.bid"; http_header; classtype:trojan-activity; sid:2022894; rev:4; metadata:created_at 2016_06_13, updated_at 2016_06_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Xbagger Macro Encrypted DL Jun 13 2016"; flow:established,to_server; content:".jpg?"; http_uri; fast_pattern:only; content:"MSIE 7.0|3b| Windows NT"; http_header; content:"Range"; http_header; pcre:"/^\/[a-z0-9_-]+\.jpg\?[A-Za-z0-9]{2,10}=\d{1,4}$/U"; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2022895; rev:2; metadata:created_at 2016_06_13, updated_at 2016_06_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016"; flow:established,to_server; content:".exe"; nocase; http_uri; fast_pattern:only; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:s(?:(?:(?:cien|pa)c|it)e|tream)|c(?:l(?:ick|ub)|ountry|ricket)|m(?:(?:aiso|e)n|o(?:bi|m))|p(?:r(?:ess|o)|arty|ink|w)|r(?:e(?:[dn]|view)|acing)|w(?:eb(?:site|cam)|in)|b(?:(?:outiq|l)ue|id)|d(?:ownload|ate|esi)|(?:accountan|hos)t|l(?:o(?:an|l)|ink)|t(?:rade|ech|op)|v(?:oyage|ip)|g(?:dn|b)|online|faith|kim|xyz)(?:\x3a\d{1,5})?\r?\n/Hmi"; content:!"Referer|3a|"; http_header; content:!"|0d 0a|Cookie|3a|"; classtype:trojan-activity; sid:2022896; rev:4; metadata:created_at 2016_06_14, updated_at 2017_02_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jun 14 2016"; flow:established,from_server;file_data; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 64 69 76|"; within:20; pcre:"/^(?:\x20id=\x22\d+\x22)?\x20style=\x22(?=[^\x22\r\n]*top\x3a\x20-\d{3}px\x3b)(?=[^\x22\r\n]*left\x3a-\d{3}px\x3b)(?=[^\x22\r\n]*position\x3a\x20absolute\x3b)[^\x22\r\n]*\x22>\x20<iframe[^\r\n>]*><\x2f/R";content:"|69 27 2b 27 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 27 29 3b|"; within:19; fast_pattern; isdataat:!4,relative; classtype:trojan-activity; sid:2022898; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_06_15, updated_at 2016_08_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jun 15 2016"; flow:established,from_server; content:"Set-Cookie|3a 20|bc3ad="; fast_pattern:only; content:"campaigns"; http_cookie; classtype:trojan-activity; sid:2022904; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_06_16, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Hidden Javascript Redirect - Possible Phishing Jun 17"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|application/x-javascript"; http_header; file_data; content:"data_receiver_url"; fast_pattern; nocase; content:"redirect_url"; nocase; distance:0; content:"current_page"; nocase; distance:0; content:"cc_data"; nocase; distance:0; content:"document"; nocase; distance:0; pcre:"/^\s*\.\s*location\s*\.\s*href\s*=\s*redirect_url/Rsi"; metadata: former_category CURRENT_EVENTS; reference:url,myonlinesecurity.co.uk/very-unusual-paypal-phishing-attack/; classtype:trojan-activity; sid:2022905; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_06_17, updated_at 2017_10_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Jun 22 2016 M1"; flow:established,to_server; content:"/js/analytic.php?id="; http_uri; fast_pattern:only; pcre:"/^\/js\/analytic\.php\?id=\d+&tz=\-?\d+&rs=\d+x\d+$/Ui"; classtype:trojan-activity; sid:2022909; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_06_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Jun 22 2016 M2"; flow:established,from_server; file_data; content:"&tz=|27|+tzSignature()+|27|&rs=|27|+rsSignature()+"; fast_pattern:only; content:"document.write("; pcre:"/^[\x22\x27](?!<script)[\x22\x27+\s]*<[\x22\x27+\s]*s[\x22\x27+\s]*c[\x22\x27+\s]*r[\x22\x27+\s]*i[\x22\x27+\s]*p[\x22\x27+\s]*t[^\r\n]+\.php\?id=\d+&tz=\x27\+tzSignature\x28\x29\+\x27&rs=/R"; classtype:trojan-activity; sid:2022910; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_06_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Payload Jun 26 2016"; flow:established,from_server; file_data; content:"|2c 2d dd 4b 40 44 77 41|"; within:9; classtype:trojan-activity; sid:2022916; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_06_26, performance_impact Low, updated_at 2016_08_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M1 Jun 29 2016"; flow:from_server,established; content:"401"; http_stat_code; content:"WWW-Authenticate|3a 20|Basic realm=|22|"; nocase; http_header; content:"has been blocked"; http_header; nocase; distance:0; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022925; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_06_29, performance_impact Low, updated_at 2017_08_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jun 29 M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>errorx508"; fast_pattern; nocase; content:"Warning_0001"; nocase; distance:0; classtype:trojan-activity; sid:2022926; rev:1; metadata:created_at 2016_06_29, updated_at 2016_06_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jun 29 M3"; flow:to_server,established; content:"GET"; http_method; content:"your-computer-is-locked-"; nocase; http_uri; fast_pattern; content:"your-computer-is-locked-"; http_uri; distance:0; nocase; classtype:trojan-activity; sid:2022927; rev:1; metadata:created_at 2016_06_29, updated_at 2016_06_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jun 29 M4"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Mozila Error"; fast_pattern; nocase; content:"Warning|3a 20|Internet Security"; nocase; distance:0; classtype:trojan-activity; sid:2022928; rev:1; metadata:created_at 2016_06_29, updated_at 2016_06_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Pony DLL Download"; flow:established,to_server; content:"/pm"; http_uri; content:".dll"; http_uri; fast_pattern:only; pcre:"/\/pm\d?\.dll$/U"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022939; rev:2; metadata:affected_product MS_Office, attack_target Client_Endpoint, deployment Perimeter, tag MalDoc, signature_severity Major, created_at 2016_07_01, malware_family MalDocGeneric, performance_impact Low, updated_at 2017_01_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Malicous Macro DL EXE Jul 01 2016 (userdir dotted quad)"; flow:established,to_server; content:".exe"; http_uri; fast_pattern:only; content:"/~"; http_uri; depth:2;  content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; pcre:"/^\/\~[a-z]+\/(?:[a-z]+\/)*[a-z]+\.exe$/Ui"; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r$/Hm"; reference:md5,a27bb6ac49f890bbdb97d939ccaa5956; classtype:trojan-activity; sid:2022940; rev:1; metadata:affected_product MS_Office, attack_target Client_Endpoint, deployment Perimeter, tag MalDoc, signature_severity Major, created_at 2016_07_01, malware_family MalDocGeneric, performance_impact Low, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Malicous Macro DL EXE Jul 01 2016 (dll generic custom headers)"; flow:established,to_server; content:".dll"; http_uri; fast_pattern:only; content:"GET"; http_method; content:"|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|en-US.q=0.8|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:"MSIE 7"; http_header; content:!"Referer|3a|"; content:!"Cookie|3a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022941; rev:2; metadata:affected_product MS_Office, attack_target Client_Endpoint, deployment Perimeter, tag MalDoc, signature_severity Major, created_at 2016_07_01, malware_family MalDocGeneric, performance_impact Low, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Malicous Macro DL EXE Jul 01 2016 (exe generic custom headers)"; flow:established,to_server; content:".exe"; http_uri; fast_pattern:only; content:"GET"; http_method; content:"|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|en-US.q=0.8|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:"MSIE 7"; http_header; content:!"Referer|3a|"; content:!"Cookie|3a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022942; rev:1; metadata:affected_product MS_Office, attack_target Client_Endpoint, deployment Perimeter, tag MalDoc, signature_severity Major, created_at 2016_07_01, malware_family MalDocGeneric, performance_impact Low, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Payload Jul 05 2016"; flow:established,from_server; file_data; content:"|3b 2d dd 4b 40 77 77 41|"; within:8; classtype:trojan-activity; sid:2022949; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_kit_RIG, signature_severity Major, created_at 2016_07_05, performance_impact Low, updated_at 2016_07_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown/Xer EK Landing Jul 06 2016 M1"; flow:established,from_server; content:"X-Powered-By|3a 20|Yugoslavian Business Network"; http_header; fast_pattern:12,20; content:"Content-Type|3a 20|text/html|3b|"; http_header; content:"nginx"; http_header; flowbits:set,SunDown.EK; reference:url,blog.talosintel.com/2016/10/sundown-ek.html; classtype:trojan-activity; sid:2023480; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_07_06, malware_family SunDown, updated_at 2016_11_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M1 Jul 7"; flow:to_server,established; content:"GET"; http_method; content:".dill/?ip="; fast_pattern; nocase; http_uri; content:"&os="; http_uri; nocase; distance:0; content:"&browser="; http_uri; nocase; distance:0; content:"&isp="; http_uri; nocase; distance:0; classtype:trojan-activity; sid:2022954; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_07_07, performance_impact Low, updated_at 2016_07_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M2 Jul 7"; flow:from_server,established; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"default_number|3b|"; nocase; distance:0; content:"default_plain_number|3b|"; fast_pattern; nocase; distance:0; content:"plain_number|3b|"; nocase; distance:0; content:"loco_params|3b|"; nocase; distance:0; content:"loco|3b|"; nocase; distance:0; classtype:trojan-activity; sid:2022955; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_07_07, performance_impact Low, updated_at 2016_07_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 10 M2"; flow:established,from_server; file_data; content:"|76 61 72 20 66 72 61 67 6d 65 6e 74 20 3d 20 63 72 65 61 74 65 28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70 3a|"; classtype:trojan-activity; sid:2022956; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_07_11, performance_impact Low, updated_at 2016_07_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading To EK Jul 10 M1"; flow:established,to_server; content:".js?chebstr=0."; http_uri; pcre:"/\.js\?chebstr=0\.\d+$/U"; classtype:trojan-activity; sid:2022957; rev:1; metadata:created_at 2016_07_11, updated_at 2016_07_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 12 2016"; flow:established,from_server; file_data; content:"|3c 73 70 61 6e 20 73 74 79 6c 65 3d 22 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 2d 31|"; pcre:"/^\d{3}px\x3b\swidth\x3a3\d{2}px\x3b\sheight\x3a3\d{2}px\x3b\x22>[^<>]*?<iframe src=[\x22\x27][^\x22\x27]+[\x22\x27]\swidth=[\x22\x27]2\d{2}[\x22\x27]\sheight=[\x22\x27]2\d{2}[\x22\x27]><\/iframe>[^<>]*?\n[^<>]*?<\/span>/Rsi"; classtype:trojan-activity; sid:2022962; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_07_12, malware_family PsuedoDarkLeech, updated_at 2016_07_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 13 2016 2"; flow:established,to_server; content:"POST"; http_method; content:".swf"; nocase; http_header; content:"|4d 61 6e 75 66 75 63 6b|"; nocase; http_client_body; content:"|4d 61 63 72 6f 77 69 6e|"; nocase; http_client_body; classtype:trojan-activity; sid:2022964; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_07_13, performance_impact Low, updated_at 2016_07_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Google Drive/Dropbox Phish Nov 20 2016"; flow:to_server,established; content:"POST"; http_method; content:"mailtype="; depth:9; nocase; http_client_body; fast_pattern; content:"&Email"; distance:0; nocase; http_client_body; content:"&Passwd"; distance:0; nocase; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022967; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_07_13, performance_impact Low, updated_at 2017_10_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jul 13 2016"; flow:to_server,established; content:"POST"; http_method; content:"email"; fast_pattern; nocase; http_client_body; content:"pwd"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024558; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_07_14, performance_impact Low, updated_at 2017_10_13;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious SMTP Settings in XLS - Possible Phishing Document"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-type|3a 20|application/vnd.ms-excel"; http_header; file_data; content:"/configuration/sendusing"; nocase; fast_pattern; content:"/configuration/smtpserver"; nocase; distance:0; content:"/configuration/smtpauthenticate"; nocase; distance:0; content:"/configuration/sendusername"; nocase; distance:0; content:"/configuration/sendpassword"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; reference:md5,710ea2ed2c4aefe70bf082b06b82818a; reference:url,symantec.com/connect/blogs/malicious-macros-arrive-phishing-emails-steal-banking-information; classtype:trojan-activity; sid:2022974; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_07_18, performance_impact Low, updated_at 2017_10_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Bank of Oklahoma Phish M1 Jul 21 2016"; flow:to_server,established; content:"POST"; http_method; content:"__RequestVerificationToken="; depth:27; http_client_body; content:"&forgotPassword="; nocase; distance:0; http_client_body; content:"&lat="; nocase; distance:0; http_client_body; content:"&userName="; nocase; distance:0; http_client_body; fast_pattern; content:"&password="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022978; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_07_21, performance_impact Low, updated_at 2017_10_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Bank of Oklahoma Phish M2 Jul 21 2016"; flow:to_server,established; content:"POST"; http_method; content:"__RequestVerificationToken="; depth:27; http_client_body; content:"&bankId="; fast_pattern; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; content:"&q1="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022979; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_07_21, performance_impact Low, updated_at 2017_10_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jul 21 M1"; flow:to_server,established; content:"GET"; http_method; content:"/your-computer-is-locked-call-us-at-tollfreenow"; fast_pattern:27,20; nocase; http_uri; content:"your-computer-is-locked-call-us-at-tollfreenow"; nocase; distance:0; http_uri; classtype:trojan-activity; sid:2022980; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_07_21, performance_impact Low, updated_at 2016_07_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jul 21 M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Google Security"; nocase; fast_pattern; content:"beep.mp3"; nocase; distance:0; content:"function alertCall"; nocase; distance:0; content:"function alertTimed"; nocase; distance:0; content:"function alertLoop"; nocase; distance:0; classtype:trojan-activity; sid:2022981; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_07_21, performance_impact Low, updated_at 2016_07_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Windows Settings Phishing Landing Jul 22 2016"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Windows Settings"; fast_pattern; nocase; distance:0; content:"Enter account password"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024098; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, created_at 2016_07_22, performance_impact Low, updated_at 2017_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Maldoc Downloading EXE Jul 26 2016"; flow:established,to_server;content:!".exe"; http_uri; nocase; pcre:"/\/(?:[a-z0-9]+_){4,}[a-z0-9]+(?:\/[a-f0-9]+)*?\/[a-f0-9]+\.(?![Ee][Xx][Ee])[a-z0-9]+$/U"; content:"|3a 20|Microsoft BITS"; http_header; fast_pattern:only; content:!".microsoft.com|0d 0a|"; http_header; nocase; reference:md5,82fb5101847e734dd9b36f51f1fc73e3; classtype:trojan-activity; sid:2022983; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag MalDoc, signature_severity Major, created_at 2016_07_26, malware_family MalDocGeneric, performance_impact Low, updated_at 2016_08_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Mar 30 M3"; flow:established,to_client; file_data; content:"try "; content:"= new ActiveXObject"; distance:0; content:"catch"; distance:0; content:"=|20 22|Kaspersky.IeVirtualKeyboardPlugin.JavascriptApi|22|,"; content:"=|20 22|Kaspersky.IeVirtualKeyboardPluginSm.JavascriptApi|22|,"; content:".location="; distance:0; classtype:trojan-activity; sid:2022984; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_07_26, performance_impact Low, updated_at 2016_07_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Jul 28 2016"; flow:established,to_client; content:"Set-Cookie|3a 20|yatutuzebil=1|3b|"; fast_pattern; content:"yatutuzebil"; http_cookie; classtype:trojan-activity; sid:2022990; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_07_28, performance_impact Low, updated_at 2016_07_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jul 29 M1"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>errorx"; nocase; fast_pattern; content:"<audio autoplay"; nocase; distance:0; content:"setInterval"; nocase; pcre:"/^\s*\(\s*function\s*\(\s*\)\s*\{\s*alert/Ri"; classtype:trojan-activity; sid:2022991; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_07_29, performance_impact Low, updated_at 2016_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M2 Jul 29 2016"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Google Security"; nocase; fast_pattern:2,20; content:"alertCall"; nocase; distance:0; content:"alertTimed"; nocase; distance:0; content:"alertLoop"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022992; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_07_29, performance_impact Low, updated_at 2017_09_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jul 29 M3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"// this script is so you can get fields our of the URL"; fast_pattern:34,20; nocase; content:"CHECKS FULL PARAMETER NAME BEGIN OF"; distance:0; content:"// Firefox NS_ERROR_NOT_AVAILABLE"; distance:0; content:"// if delta less than 50ms"; nocase; distance:0; content:"// thus we need redirect"; nocase; distance:0; classtype:trojan-activity; sid:2022993; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_07_29, performance_impact Low, updated_at 2016_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jul 29 M4"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function loadNumber"; nocase; fast_pattern; content:"function doRedirect"; nocase; distance:0; content:"function randomString"; nocase; distance:0; content:"function leavebehind"; nocase; distance:0; content:"function myFunction"; nocase; distance:0; content:"function confirmExit"; nocase; distance:0; classtype:trojan-activity; sid:2022994; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_07_29, performance_impact Low, updated_at 2016_07_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading To EK Jul 30 M1"; flow:established,to_server; content:".js?chbstr=0."; http_uri; pcre:"/\.js\?chbstr=0\.\d+$/U"; classtype:trojan-activity; sid:2022995; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_07_30, updated_at 2016_07_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Wells Fargo Mobile Phishing Landing Aug 1"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"content=|22|Please verify"; nocase; content:"<meta name=|22|apple-mobile"; nocase; distance:0; content:"<title>Wells Fargo"; fast_pattern; nocase; distance:0; content:"your account is disabled"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025670; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_01, performance_impact Low, updated_at 2018_07_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Aug1 2016"; flow:established,from_server; file_data; content:"|76 61 72 20 68 65 61 64 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 27 62 6f 64 79 27 29 5b 30 5d 3b 20 76 61 72 20 73 63 72 69 70 74 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 73 63 72 69 70 74 2e 73 72 63 3d 20 22 2f 2f|"; pcre:"/^[^\r\n\x22\?]+[&?][^=\r\n\x22]+=[a-f0-9]+[^\r\n\x22\?]*[&?][^=\r\n\x22]+=[a-f0-9]+\x22\s*\x3b\s*head\.appendChild\(\s*script\s*\)\x3b/R"; classtype:trojan-activity; sid:2022998; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_08_01, performance_impact Low, updated_at 2016_08_01;)

alert tcp $HOME_NET any -> [85.93.0.0/24,194.165.16.0/24] 80 (msg:"ET CURRENT_EVENTS EITest Flash Redirect Aug 09 2016"; flow:established,to_server; urilen:>20; content:"x-flash-version|3a 20|"; http_header; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!".swf"; nocase; http_uri; content:!".flv"; nocase; http_uri; content:!"/crossdomain.xml"; http_uri; content:!"|0d 0a|Cookie|3a|"; classtype:trojan-activity; sid:2023036; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_08_10, performance_impact Low, updated_at 2016_08_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 10 M1"; flow:to_server,established; content:"GET"; http_method; content:"/please-fix-immediately-"; nocase; fast_pattern:4,20; http_uri; content:"/index.html"; nocase; distance:0; http_uri; pcre:"/[A-Za-z0-9]{10,20}_14[0-9]{8,}\/index\.html$/Ui"; classtype:trojan-activity; sid:2023037; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_10, performance_impact Low, updated_at 2016_08_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 10 M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Mozila Error"; fast_pattern; nocase; content:"<audio autoplay"; nocase; distance:0; content:"data|3a|image/png|3b|base64,"; nocase; classtype:trojan-activity; sid:2023038; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_10, performance_impact Low, updated_at 2016_08_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 10 M3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>SYSTEM ERROR"; fast_pattern; nocase; content:"getURLParameter"; distance:0; content:"decodeURI"; distance:0; content:"loadNumber"; distance:0; content:"confirmExit"; distance:0; classtype:trojan-activity; sid:2023039; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_10, performance_impact Low, updated_at 2016_08_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 10 M4"; flow:to_server,established; content:"GET"; http_method; content:".php?num="; fast_pattern; nocase; http_uri; content:"&country="; nocase; distance:0; http_uri; content:"&city="; nocase; distance:0; http_uri; content:"&os="; nocase; distance:0; http_uri; content:"&ip="; nocase; distance:0; http_uri; classtype:trojan-activity; sid:2023040; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_10, performance_impact Low, updated_at 2016_08_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 10 M5"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Hacking Attack"; nocase; fast_pattern; content:"mozfullscreenerror"; nocase; distance:0; content:"toggleFullScreen"; distance:0; content:"addEventListener"; distance:0; content:"countdown"; nocase; classtype:trojan-activity; sid:2023041; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_10, performance_impact Low, updated_at 2016_08_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Apple Suspended Account Phish M1 Aug 09 2016"; flow:to_server,established; content:"POST"; http_method; content:"name-re="; nocase; depth:8; fast_pattern; http_client_body; content:"&dob"; nocase; distance:0; http_client_body; content:"&donnee"; nocase; distance:0; http_client_body; content:"&is_valid_email"; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023042; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_10, performance_impact Low, updated_at 2017_10_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Apple Suspended Account Phish M2 Aug 09 2016"; flow:to_server,established; content:"POST"; http_method; content:"holdername="; nocase; depth:11; fast_pattern; http_client_body; content:"&numcard"; nocase; distance:0; http_client_body; content:"&ccv"; nocase; distance:0; http_client_body; content:"&donnee"; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023043; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_10, performance_impact Low, updated_at 2017_10_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Apple Suspended Account Phishing Landing Aug 09 2016"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Log in to my account"; nocase; fast_pattern:7,20; content:"iCloud"; distance:0; nocase; content:"disabled for security reasons"; distance:0; nocase; content:"confirm your account information"; distance:0; nocase; content:"account has been frozen"; distance:0; nocase; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023044; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_10, performance_impact Low, updated_at 2017_10_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excel Online Phishing Landing Aug 09 2016"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Excel Online"; nocase; fast_pattern; content:"someone@example.com"; nocase; distance:0; content:"password"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023045; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_10, performance_impact Low, updated_at 2017_10_13;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Generic Excel Online Phish Aug 9"; flow:to_server,established; flowbits:isset,ET.GenericPhish_Excel; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023046; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_10, performance_impact Low, updated_at 2017_07_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Shared Document Phishing Landing Nov 19 2015"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"pagename=|22|login|22|"; nocase; content:"<title>Sign in - Adobe"; nocase; distance:0; fast_pattern:2,20; content:"password-revealer"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; reference:md5,ba42e59213f10f5c1bd70ce4813f25d1; classtype:trojan-activity; sid:2023047; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_11, performance_impact Low, updated_at 2017_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Generic Adobe Shared Document Phish Aug 11 2016"; flow:to_server,established; flowbits:isset,ET.GenericPhish_Adobe; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023048; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_11, performance_impact Low, updated_at 2017_07_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 12 M1"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"script is so you can get fields our of the URL"; fast_pattern:26,20; nocase; content:"//Flag we have not run the script"; nocase; distance:0; content:"//The page that we will load on a second pop"; nocase; distance:0; content:"//figure out what to use for default number"; nocase; distance:0; classtype:trojan-activity; sid:2023051; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_12, performance_impact Low, updated_at 2016_08_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 12 M2"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"#foxboxmsg"; fast_pattern; nocase; content:"getURLParameter"; nocase; distance:0; content:"default_number"; nocase; distance:0; content:"default_plain_number"; nocase; distance:0; content:"loco_params"; nocase; distance:0; classtype:trojan-activity; sid:2023052; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_12, performance_impact Low, updated_at 2016_08_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing (err.mp3) Aug 12 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<audio autoplay="; content:"<source src="; distance:0; content:"err.mp3|22|"; fast_pattern; distance:0; content:"audio/mpeg"; distance:0; classtype:trojan-activity; sid:2023055; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_12, performance_impact Low, updated_at 2016_08_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing (msg.mp3) Aug 12 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<audio autoplay="; content:"<source src="; distance:0; content:"msg.mp3|22|"; fast_pattern; distance:0; content:"audio/mpeg"; distance:0; classtype:trojan-activity; sid:2023056; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_12, performance_impact Low, updated_at 2016_08_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M1 Aug 12 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>System Infect"; nocase; fast_pattern; content:"toggleFullScreen"; distance:0; content:"countdown"; distance:0; content:"twoDigits"; distance:0; classtype:trojan-activity; sid:2023057; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_12, performance_impact Low, updated_at 2016_08_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M2 Aug 12 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"vendorName"; nocase; content:"alertCall"; fast_pattern; nocase; distance:0; content:"alertTimed"; nocase; distance:0; content:"setInterval"; nocase; distance:0; content:"alertLoop"; nocase; distance:0; content:"onkeydown"; nocase; distance:0; content:"e.ctrlKey"; nocase; distance:0; content:"e.keyCode"; nocase; distance:0; content:"onbeforeunload"; nocase; distance:0; classtype:trojan-activity; sid:2023058; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_12, performance_impact Low, updated_at 2016_08_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Excel Phish Aug 15 2016"; flow:to_server,established; content:"POST"; http_method; content:".php?cmd=login_submit"; http_header; nocase; fast_pattern; content:"login="; depth:6; nocase; http_client_body; content:"&passwd="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023061; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_15, performance_impact Low, updated_at 2016_08_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Email Storage Upgrade Phishing Landing Aug 15 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<TITLE>Login Authorization"; fast_pattern; nocase; content:"STORAGE UPGRADE"; nocase; distance:0; content:"Global Internet Administration!"; nocase; distance:0; classtype:trojan-activity; sid:2023062; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_15, performance_impact Low, updated_at 2016_08_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Credit Agricole Phish Aug 15 2016 M1"; flow:to_server,established; content:"POST"; http_method; content:"ident="; fast_pattern; depth:6; nocase; http_client_body; content:"&ReadOut="; nocase; distance:0; http_client_body; content:"&prenom="; nocase; distance:0; http_client_body; content:"&nuum="; nocase; distance:0; http_client_body; content:"&xrypt="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023063; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_15, performance_impact Low, updated_at 2017_07_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Credit Agricole Phish Aug 15 2016 M2"; flow:to_server,established; content:"POST"; http_method; content:"nom="; depth:4; nocase; http_client_body; content:"&prenom="; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&pemail="; fast_pattern; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023064; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_15, performance_impact Low, updated_at 2017_07_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Square Enix Phishing Domain Aug 15 2016"; flow:to_server,established; content:"GET"; http_method; content:"square-enix.com"; http_header; fast_pattern; content:!"square-enix.com|0d 0a|"; http_header; pcre:!"/^Referer\x3a[^\r\n]+square-enix\.com/Hmi"; classtype:trojan-activity; sid:2023065; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_15, performance_impact Low, updated_at 2016_09_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Bank of America Phishing Domain Aug 15 2016"; flow:to_server,established; content:"GET"; http_method; content:"bankofamerica.com"; http_header; fast_pattern; content:!"bankofamerica.com|0d 0a|"; http_header; pcre:"/Host\x3a[^\r\n]+bankofamerica\.com[^\r\n]{10,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023066; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_15, performance_impact Low, updated_at 2016_08_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious HTTP Refresh to SMS Aug 16 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta http-equiv="; nocase; content:"refresh"; distance:1; within:8; pcre:"/^[^>]+url=sms\x3a/Rsi"; content:"url=sms|3a|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2023068; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_16, performance_impact Low, updated_at 2016_08_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SMS Fake Mobile Virus Scam Aug 16 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Protect your Computer"; nocase; fast_pattern; content:"Your Computer"; nocase; distance:0; content:"INFECTED"; distance:0; content:"Enter Your Number"; nocase; distance:0; content:"SCAN NOW</button>"; nocase; distance:0; classtype:trojan-activity; sid:2023069; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_16, performance_impact Low, updated_at 2016_08_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Adobe Online Phish Aug 16 2016"; flow:to_server,established; content:"POST"; http_method; content:"=sent"; nocase; http_uri; content:"feedback="; nocase; depth:9; http_client_body; fast_pattern; content:"&feedbacknow="; nocase; distance:0; http_client_body; flowbits:set,ET.genericphish; pcre:"/=sent$/Ui"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024559; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_16, performance_impact Low, updated_at 2017_08_16;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Netflix Phish Aug 17 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"firstName="; depth:10; nocase; fast_pattern; http_client_body; content:"&lastName="; nocase; http_client_body; distance:0; content:"&cardNumber="; nocase; http_client_body; distance:0; content:"&authURL="; nocase; http_client_body; distance:0; content:"&encryptedOaepLen="; nocase; http_client_body; distance:0; pcre:"/\.php$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023072; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_17, performance_impact Low, updated_at 2017_07_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Netflix Phishing Landing Aug 17 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Netflix"; nocase; fast_pattern; content:"Update Your Payment Information"; nocase; distance:0; content:"Please update your payment information"; nocase; distance:0; content:"not be charged for the days you missed"; nocase; distance:0; classtype:trojan-activity; sid:2023073; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_17, performance_impact Low, updated_at 2016_08_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Aug 17 2016"; flow:established,to_client; file_data; content:"|64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 69 66 27 2b 27 72 61 27 2b 27 6d 65 27 29 3b|"; nocase; fast_pattern:19,20; content:"|2e 73 74 79 6c 65 2e 70 6f 73 69 74 69 6f 6e 20 3d 20 27 61 62 27 2b 27 73 6f 6c 27 2b 27 75 74 65 27 3b|"; distance:0; nocase; content:"setAttribute"; nocase; pcre:"/^\s*\(\s*[\x22\x27]id[\x22\x27]\s*,\s*?(?P<var>[^,\x29\s\x3b]+)\s*\x29.*?\.appendChild\s*\(\s*(?P=var)/Rsi"; classtype:trojan-activity; sid:2023074; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_08_17, performance_impact Low, updated_at 2016_08_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Mobile Virus Scam M1 Aug 18 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Virus Detected"; nocase; fast_pattern; content:"#loading-bar"; nocase; distance:0; content:"navigator.vibrate"; nocase; distance:0; content:"Download Now"; nocase; distance:0; content:"Download Now"; nocase; distance:0; classtype:trojan-activity; sid:2023079; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_18, performance_impact Low, updated_at 2016_08_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Mobile Virus Scam M2 Aug 18 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"navigator.vibrate"; fast_pattern:only; content:"getURLParameter"; content:"gotooffer"; nocase; distance:0; content:"brandmodel"; nocase; distance:0; content:"countDown"; nocase; distance:0; content:"PreventExitPop"; nocase; distance:0; classtype:trojan-activity; sid:2023080; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_18, performance_impact Low, updated_at 2016_08_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Aug 19 2016"; flow:to_server,established; content:"POST"; http_method; content:"login"; depth:5; fast_pattern; nocase; http_client_body; content:"pass"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024560; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_19, performance_impact Low, updated_at 2017_08_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Blockchain Account Phish Aug 19 2016"; flow:to_server,established; content:"POST"; http_method; content:"UID_input="; depth:10; nocase; http_client_body; fast_pattern; content:"&pass"; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024616; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, created_at 2016_08_19, performance_impact Low, updated_at 2017_08_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Office 365 Phishing Landing Aug 24 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta name=|22|SiteID|22 20|content=|22 22|"; nocase; content:"<meta name=|22|ReqLC|22 20|content=|22|1033|22|"; fast_pattern; nocase; distance:0; content:"<meta name=|22|LocLC|22 20|content="; nocase; distance:0; content:"microsoftonline-p.com"; nocase; distance:0; content:"id=|22|credentials|22|"; nocase; distance:0; content:!"action=|22|/common/login|22|"; nocase; distance:0; within:50; threshold:type limit, track by_src, count 1, seconds 30; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025673; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_24, performance_impact Low, updated_at 2018_07_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Google Drive Phishing Domain Aug 25 2016"; flow:to_server,established; content:"drive.google.com"; http_header; fast_pattern; content:!"drive.google.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+drive\.google\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023092; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_25, performance_impact Low, updated_at 2016_08_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Phish to .tk domain Aug 26 2016"; flow:to_server,established; flowbits:isset,ET.genericphish; content:"POST"; http_method; content:".tk|0d 0a|"; http_header; fast_pattern; metadata: former_category INFO; classtype:trojan-activity; sid:2023137; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_26, performance_impact Low, updated_at 2017_11_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Suspicious Proxifier DL (non-browser observed in maldoc campaigns)"; flow:established,to_server; content:"/distr/Proxifier"; http_uri; nocase; depth:16; fast_pattern; content:!"User-Agent|3a|"; http_header; nocase; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:!"Cookie|3a|"; content:"proxifier.com|0d 0a|"; http_header; nocase; reference:md5,2a0728a6edab6921520a93e10a86d4b2; classtype:trojan-activity; sid:2023138; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag MalDoc, signature_severity Major, created_at 2016_08_26, performance_impact Low, updated_at 2016_08_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful TeamIPwned Phish Aug 30 2016"; flow:to_server,established; content:"POST"; http_method; content:"hellion.php"; nocase; http_uri; fast_pattern; content:"pass"; nocase; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025003; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_30, performance_impact Low, updated_at 2017_11_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Google Drive Phish Landing Sept 1 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function popupwnd"; fast_pattern; nocase; content:"javascript|3a|popupwnd"; nocase; distance:0; content:"liamg"; nocase; distance:0; content:"javascript|3a|popupwnd"; nocase; distance:0; content:"kooltuo"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025684; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_09_01, performance_impact Low, updated_at 2018_07_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2014-6332 Sep 01 2016 (HFS Actor) M1"; flow:established,from_server; file_data; content:"|26 63 68 72 77 28 32 31 37 36 29 26 63 68 72 77 28 30 31 29 26|"; nocase; content:"|26 63 68 72 77 28 33 32 37 36 37 29|"; nocase; content:"|73 65 74 6e 6f 74 73 61 66 65 6d 6f 64 65 28 29|"; nocase; content:"|72 75 6e 73 68 65 6c 6c 63 6f 64 65 28 29|"; nocase; reference:cve,2014-6332; classtype:trojan-activity; sid:2023145; rev:1; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_01, malware_family IEiExploit, performance_impact Low, updated_at 2016_09_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2014-6332 Sep 01 2016 (HFS Actor) M2"; flow:established,from_server; content:"Server|3a 20|HFS|20|"; http_header; file_data; content:"|6f 62 6a 57 73 68 2e 72 75 6e 20 22 43 3a 5c 57 69 6e 64 6f 77 73 5c 54 65 6d 70 5c 70 75 74 74 79 2e 65 78 65 22|"; nocase; reference:cve,2014-6332; classtype:trojan-activity; sid:2023146; rev:1; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_01, malware_family IEiExploit, performance_impact Low, updated_at 2016_09_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Sept 02 2016"; flow:to_server,established; content:"POST"; http_method; content:"usr="; fast_pattern; nocase; http_client_body; content:"pwd="; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024561; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_09_02, updated_at 2017_10_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK EITest Sep 02 M2"; flow:established,to_server; urilen:60<>250; content:!"="; http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!"Cookie|3a|"; pcre:"/^\/(?=[a-z\d]+[+-][a-z\d]+[+-][a-z\d]+[+-])[a-z\d+-]*\/$/U"; classtype:trojan-activity; sid:2023150; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_09_02, performance_impact Low, updated_at 2016_09_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS iCloud Phishing Landing Sept 2 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>iCloud"; fast_pattern; nocase; content:"apple.com"; nocase; distance:0; content:"iCloud Settings"; nocase; distance:0; content:"<form"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024230; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing_07012016, signature_severity Major, created_at 2016_09_02, performance_impact Low, updated_at 2017_04_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Encoded CVE-2014-6332 (As Observed in SunDown EK) M1"; flow:established,to_client; file_data; content:"|43 68 72 28 39 39 29 20 26 20 43 68 72 28 31 30 34 29 20 26 20 43 68 72 28 31 31 34 29 20 26 20 43 68 72 28 31 31 39 29 20 26 20 43 68 72 28 34 30 29 20 26 20 43 68 72 28 35 31 29 20 26 20 43 68 72 28 35 30 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 35 34 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 34 31 29|"; classtype:trojan-activity; sid:2023151; rev:1; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_02, updated_at 2016_09_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Encoded CVE-2014-6332 (As Observed in SunDown EK) M2"; flow:established,to_client; file_data; content:"|43 68 72 28 39 39 29 20 26 20 43 68 72 28 31 30 34 29 20 26 20 43 68 72 28 31 31 34 29 20 26 20 43 68 72 28 31 31 39 29 20 26 20 43 68 72 28 34 30 29 20 26 20 43 68 72 28 35 30 29 20 26 20 43 68 72 28 34 39 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 35 34 29|"; classtype:trojan-activity; sid:2023152; rev:1; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_02, updated_at 2016_09_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Encoded CVE-2014-6332 (As Observed in SunDown EK) M3"; flow:established,to_client; file_data; content:"|43 68 72 28 33 32 29 20 26 20 43 68 72 28 31 31 35 29 20 26 20 43 68 72 28 31 30 31 29 20 26 20 43 68 72 28 31 31 36 29 20 26 20 43 68 72 28 31 31 30 29 20 26 20 43 68 72 28 31 31 31 29 20 26 20 43 68 72 28 31 31 36 29 20 26 20 43 68 72 28 31 31 35 29 20 26 20 43 68 72 28 39 37 29 20 26 20 43 68 72 28 31 30 32 29 20 26 20 43 68 72 28 31 30 31 29 20 26 20 43 68 72 28 31 30 39 29 20 26 20 43 68 72 28 31 31 31 29 20 26 20 43 68 72 28 31 30 30 29 20 26 20 43 68 72 28 31 30 31 29|"; classtype:trojan-activity; sid:2023153; rev:1; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_02, updated_at 2016_09_02;)

#alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query to Ebay Phishing Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|107sbtd9cbhsbtd5d80"; fast_pattern; distance:0; nocase; threshold:type limit, track by_src, count 1, seconds 30; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023180; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing_07012016, signature_severity Major, created_at 2016_09_08, performance_impact Low, updated_at 2017_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Ebay Phish Sept 8 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"Host|3a 20|107SbTd9CBhSbT"; http_header; nocase; fast_pattern; content:"Referer|3a 20|http|3a 2f 2f|107sbtd9cbhsbt"; http_header; distance:0; content:"email"; nocase; http_client_body; content:"pass"; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023181; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_09_08, performance_impact Low, updated_at 2017_07_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 12 2016 (Flash)"; flow:established,to_server; content:"/promo"; http_uri; nocase; depth:6; content:"/promo.swf?t="; http_uri; nocase; fast_pattern:only; pcre:"/^\/promo\d+(?:x\d+)?\/promo\.swf\?t=\d+$/Ui"; classtype:trojan-activity; sid:2023186; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_09_12, malware_family EvilTDS, performance_impact Low, updated_at 2016_09_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest Inject (compromised site) Sep 12 2016"; flow:established,from_server; file_data; content:"|25 32 32 25 37 30 25 36 66 25 37 33 25 36 39 25 37 34 25 36 39 25 36 66 25 36 65 25 33 61 25 32 30 25 36 31 25 36 32 25 37 33 25 36 66 25 36 63 25 37 35 25 37 34 25 33 62|"; nocase; classtype:trojan-activity; sid:2023188; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, created_at 2016_09_12, malware_family EvilTDS, malware_family EITest, performance_impact Low, updated_at 2016_09_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest Inject (compromised site) M2 Sep 12 2016"; flow:established,from_server; file_data; content:"|25 33 62 25 36 36 25 36 39 25 36 63 25 37 34 25 36 35 25 37 32 25 33 61 25 36 31 25 36 63 25 37 30 25 36 38 25 36 31 25 32 38 25 36 66 25 37 30 25 36 31 25 36 33 25 36 39 25 37 34 25 37 39 25 33 64 25 33 30 25 32 39 25 33 62 25 32 30 25 32 64 25 36 64 25 36 66 25 37 61 25 32 64 25 36 66 25 37 30 25 36 31 25 36 33 25 36 39 25 37 34 25 37 39 25 33 61 25 33 30 25 33 62 25 32 32 25 33 65|"; nocase; classtype:trojan-activity; sid:2023189; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, created_at 2016_09_12, malware_family EvilTDS, malware_family EITest, performance_impact Low, updated_at 2016_09_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b641)"; flow:established,from_server; file_data; content:"RnVuY3Rpb24gbGVha01lbS"; classtype:attempted-admin; sid:2023190; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_12, malware_family SunDown, malware_family RIG, updated_at 2016_09_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b642)"; flow:established,from_server; file_data; content:"Z1bmN0aW9uIGxlYWtNZW0g"; classtype:attempted-admin; sid:2023191; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_12, malware_family SunDown, malware_family RIG, updated_at 2016_09_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b643)"; flow:established,from_server; file_data; content:"GdW5jdGlvbiBsZWFrTWVtI"; classtype:attempted-admin; sid:2023192; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_12, malware_family SunDown, malware_family RIG, updated_at 2016_09_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b644)"; flow:established,from_server; file_data; content:"cHJlZml4ICYgIiV1MDAxNiV1NDE0MSV1NDE0MSV1NDE0MSV1NDI0MiV1NDI0Mi"; classtype:attempted-admin; sid:2023193; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_12, malware_family SunDown, malware_family RIG, updated_at 2016_09_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b645)"; flow:established,from_server; file_data; content:"ByZWZpeCAmICIldTAwMTYldTQxNDEldTQxNDEldTQxNDEldTQyNDIldTQyNDIi"; classtype:attempted-admin; sid:2023194; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_12, malware_family SunDown, malware_family RIG, updated_at 2016_09_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b646)"; flow:established,from_server; file_data; content:"wcmVmaXggJiAiJXUwMDE2JXU0MTQxJXU0MTQxJXU0MTQxJXU0MjQyJXU0MjQyI"; classtype:attempted-admin; sid:2023195; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_12, malware_family SunDown, malware_family RIG, updated_at 2016_09_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Sep 12 2016 T2"; flow:established,from_server; file_data; content:".split"; nocase; pcre:"/^\s*\(\s*[\x22\x27][\x00-\x09\x80-\xff][\x22\x27]\s*\)\s*\x3b\s*[A-Za-z0-9]+\s*=\s*[\x22\x27]/Rsi"; content:"|01 2e 02 3c 03 3e 04 3d 05 5c 22 06 5c 27 07 29|"; fast_pattern; within:16; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2023196; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_12, malware_family RIG, performance_impact Low, updated_at 2016_09_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Sep 13 2016 (b641)"; flow:established,from_server; file_data; content:"KyAnPHBhcmFtIG5hbWU9Rmxhc2hWYXJzIHZhbHVlPSJpZGRxZD";  flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2023198; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_13, malware_family RIG, updated_at 2016_09_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Sep 13 2016 (b642)"; flow:established,from_server; file_data; content:"sgJzxwYXJhbSBuYW1lPUZsYXNoVmFycyB2YWx1ZT0iaWRkcWQ9";  flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2023199; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_13, malware_family RIG, updated_at 2016_09_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Sep 13 2016 (b643)"; flow:established,from_server; file_data; content:"rICc8cGFyYW0gbmFtZT1GbGFzaFZhcnMgdmFsdWU9ImlkZHFkP";  flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2023200; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_13, malware_family RIG, updated_at 2016_09_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Tech Support Scam M1 Sept 15 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"Download Security Essentials"; nocase; fast_pattern; content:"Malicious Software Removal"; nocase; distance:0; content:"<audio"; content:"autoplay="; nocase; distance:0; content:"autoplay"; distance:1; nocase; content:"audio/mpeg"; nocase; distance:0; content:"getURLParameter"; content:"setTimeout"; distance:0; classtype:trojan-activity; sid:2023235; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_09_15, updated_at 2016_09_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Tech Support Scam M2 Sept 15 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Security Error"; nocase; fast_pattern; content:"+screen.availHeight"; nocase; distance:0; content:"screen.availWidth"; nocase; distance:0; content:"<audio"; content:"autoplay="; content:"autoplay"; distance:1; within:9; classtype:trojan-activity; sid:2023236; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_09_15, updated_at 2016_09_15;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Sept 15 2016"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"issuefound"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00/Rsi"; classtype:trojan-activity; sid:2023237; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_09_15, updated_at 2016_10_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS PC Support Tech Support Scam Sept 15 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>PC Support"; nocase; fast_pattern; content:"getParameterByName"; nocase; distance:0; content:"decodeURIComponent"; nocase; distance:0; content:"FormattedNumber"; nocase; distance:0; content:"showRecurringPop"; nocase; distance:0; classtype:trojan-activity; sid:2023238; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_09_15, updated_at 2016_09_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Tech Support Scam M3 Sept 15 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:".chrome-alert"; nocase; content:"<title>"; nocase; distance:0; content:"Microsoft Official Support"; fast_pattern; nocase; distance:0; within:40; classtype:trojan-activity; sid:2023239; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_09_15, updated_at 2016_09_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 19 2016"; flow:established,from_server; file_data; content:"|29 2b 22 2e 49 65 56 22 2b|"; fast_pattern; content:"|29 2b 22 58 4f 22 2b|"; content:"|6e 65 77 20 77 69 6e 64 6f 77 5b 22 41 22 2b|"; content:"|29 7b 72 65 74 75 72 6e|"; content:"|2e 74 6f 53 74 72 69 6e 67|"; classtype:trojan-activity; sid:2023248; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_09_19, malware_family EvilRedirector, malware_family Magnitude, performance_impact Low, updated_at 2016_09_19;)

alert tcp $HOME_NET any -> [31.184.192.0/19] 80 (msg:"ET CURRENT_EVENTS Possible EITest Flash Redirect Sep 19 2016"; flow:established,to_server; urilen:1; content:"x-flash-version|3a 20|"; http_header; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!"|0d 0a|Cookie|3a|"; classtype:trojan-activity; sid:2023249; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector_07012016, signature_severity Major, created_at 2016_09_19, malware_family EvilTDS, malware_family EITest, performance_impact Low, updated_at 2016_09_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 19 2016 (EItest Inject)"; flow:established,from_server; file_data; content:"3a-20-61-62-73-6f-6c-75-74-65-3b-7a-2d-69-6e-64-65-78-3a-2d-31-3b"; nocase; classtype:trojan-activity; sid:2023250; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_09_19, malware_family EvilTDS, malware_family EITest, updated_at 2016_09_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 19 2016 (EItest Inject) M2"; flow:established,from_server; file_data; content:"|32 32 2d 36 66 2d 37 30 2d 36 31 2d 37 31 2d 37 35 2d 36 35 2d 32 32 2d 32 66 2d 33 65 2d 33 63 2d 32 66 2d 36 66 2d 36 32 2d 36 61 2d 36 35 2d 36 33 2d 37 34 2d 33 65 2d 30 64 2d 30 61 2d 33 63 2d 32 66 2d 36 34 2d 36 39 2d 37 36 2d 33 65 22 2e 72 65 70 6c 61 63 65 28 2f 2d 2f 67 2c 20 22 25 22 29 3b 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65|"; nocase; classtype:trojan-activity; sid:2023251; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_09_19, malware_family EvilTDS, malware_family EITest, updated_at 2016_09_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 20 2016"; flow:established,from_server; file_data; content:"Base64.encode(rc4("; nocase; fast_pattern; content:"+|22 3a|timeDelta|2c 22|+"; nocase; content:"cfg.key|29 29|"; nocase; distance:0; pcre:"/^[\x3b\x2c]postRequest\x28cfg\.urlSoftDetectorCallback/Ri"; classtype:trojan-activity; sid:2023252; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_09_20, malware_family EvilTDS, malware_family Malvertising, performance_impact Low, updated_at 2016_09_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SunDown EK Flash Exploit Sep 22 2016"; flow:established,to_server; content:".swf"; http_uri; content:"/index.php?"; http_header; pcre:"/^\/\d+\/\d+\.swf$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f\x2f[^\r\n\x2f]+\/index\.php\?[^\x3d&]+=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=)?\r\n/H"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023270; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_09_22, malware_family SunDown, malware_family Exploit_Kit, updated_at 2016_10_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK NOP Sled Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"LGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdIF";flowbits:set,SunDown.EK;  classtype:trojan-activity; sid:2023271; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_09_22, malware_family SunDown, malware_family Exploit_Kit, updated_at 2016_09_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK NOP Sled Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"pdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NVEX";flowbits:set,SunDown.EK;  classtype:trojan-activity; sid:2023272; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_09_22, malware_family SunDown, malware_family Exploit_Kit, updated_at 2016_09_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK NOP Sled Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGYUJ";flowbits:set,SunDown.EK;  classtype:trojan-activity; sid:2023273; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_09_22, malware_family SunDown, malware_family Exploit_Kit, updated_at 2016_09_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK Slight Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"x7soyTdaNq94NWpdLGZ4NWpd";flowbits:set,SunDown.EK;  classtype:trojan-activity; sid:2023274; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_09_22, malware_family SunDown, malware_family Exploit_Kit, updated_at 2016_09_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK Slight Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"MlADchNaR0LGZ4NWpdLGZ4N";flowbits:set,SunDown.EK;  classtype:trojan-activity; sid:2023275; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_09_22, malware_family SunDown, malware_family Exploit_Kit, updated_at 2016_09_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK Slight Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"azTEhyWNbKGpdLGZ4NWpdLG";flowbits:set,SunDown.EK;  classtype:trojan-activity; sid:2023276; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_09_22, malware_family SunDown, malware_family Exploit_Kit, updated_at 2016_09_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2015-0016 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"wSNfF6IsxmIHAD8ewTEVACMiwT0d"; flowbits:set,SunDown.EK;  classtype:trojan-activity; sid:2023277; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, cve CVE_2015_0016, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_09_22, malware_family SunDown, updated_at 2016_09_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2015-0016 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"IaOoM9BCQ9FnEgy6IoITEaz6Iex"; flowbits:set,SunDown.EK;  classtype:trojan-activity; sid:2023278; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, cve CVE_2015_0016, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_09_22, malware_family SunDown, updated_at 2016_09_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2015-0016 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"9xb4GwTUbwUQoyD09AFIox7g9y6"; flowbits:set,SunDown.EK;  classtype:trojan-activity; sid:2023279; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, cve CVE_2015_0016, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_09_22, malware_family SunDown, updated_at 2016_09_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2016-0189 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"yTEsz98oyHssxnxc"; flowbits:set,SunDown.EK;  classtype:trojan-activity; sid:2023280; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_09_22, malware_family SunDown, updated_at 2016_09_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2016-0189 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"coBDgMAD9lBCQmN"; flowbits:set,SunDown.EK;  classtype:trojan-activity; sid:2023281; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_09_22, malware_family SunDown, updated_at 2016_09_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2016-0189 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"hADUiGDEgPTUbAa"; flowbits:set,SunDown.EK;  classtype:trojan-activity; sid:2023282; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_09_22, malware_family SunDown, updated_at 2016_09_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2013-2551 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"ATUazSM9vDcoOnUbxnU4Oncoynw9z"; flowbits:set,SunDown.EK;  classtype:trojan-activity; sid:2023283; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_09_22, malware_family SunDown, updated_at 2016_09_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2013-2551 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"Isx7sawSohAH4sxmQsvH4hAD4mwT"; flowbits:set,SunDown.EK;  classtype:trojan-activity; sid:2023284; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_09_22, malware_family SunDown, updated_at 2016_09_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2013-2551 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"pBCMlx6I4yTFfBCQbBCpfyTEfA6Il"; flowbits:set,SunDown.EK;  classtype:trojan-activity; sid:2023285; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_09_22, malware_family SunDown, updated_at 2016_09_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Sep 26 2016"; flow:established,from_server; file_data; content:"document.write"; within:14; pcre:"/^\s*\x28\s*[\x22\x27]<div\s*style\s*=\s*[\x22\x27](?=[^\x22\x27\r\n]*position\x3aabsolute\x3b)(?=[^\x22\x27\r\n]*top\x3a\s\-\d+px\x3b)(?=[^\x22\x27\r\n]*left\x3a\s0px\x3b)[^\r\n]*?<iframe[^\r\n>]*\s><\/i[\x22\x27]\+[\x22\x27]frame>[^\r\n]*<\/div>[\x22\x27]\s*\x29\x3b$/R"; content:"|3c 2f 69 27 2b 27 66 72 61 6d 65 3e|"; fast_pattern:only; classtype:trojan-activity; sid:2023302; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_26, malware_family AfraidGate, performance_impact Low, updated_at 2016_09_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 26 2016 T2"; flow:established,from_server; file_data; content:"|6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 20 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; pcre:"/^\s*\x27[^\x27]+\x27width=\x27250\x27\sheight=\x27250\x27>\s*<\/iframe>\s*<\/div>/R"; classtype:trojan-activity; sid:2023303; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_09_27, performance_impact Low, updated_at 2016_09_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest Inject (compromised site) Sep 12 2016"; flow:established,from_server; file_data;  content:"|67 2c 20 22 25 22 29 3b 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 64 65 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74|"; content:"3c"; nocase; distance:-242; within:200; pcre:"/^(?P<split>.{1,10})2f(?P=split)64(?P=split)69(?P=split)76(?P=split)3e(?P=split)?[^\x22\x27]*[\x22\x27]\.replace\s*\(\s*[\x22\x27]?\/(?P=split)\/g[\x22\x27]?\s*,\s*[\x22\x27]\x25[\x22\x27]\s*\x29\s*\x3b/Ri"; classtype:trojan-activity; sid:2023307; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_09_28, malware_family EvilTDS, malware_family EITest, performance_impact Low, updated_at 2016_09_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK (EITest Inject) Oct 03 2016"; flow:established,from_server; file_data; content:"|25 75 30 30 33 64 25 75 30 30 36 63 25 75 30 30 33 33 25 75 30 30 35 33|"; content:"|73 72 63 20 3d 20 75 6e 65 73 63 61 70 65|"; classtype:trojan-activity; sid:2023312; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_10_03, malware_family EvilTDS, malware_family EITest, performance_impact Low, updated_at 2016_10_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Flash Exploit Likely SunDown EK"; flow:established,from_server; flowbits:isset,HTTP.UncompressedFlash; file_data; content:"9090909090909090909090909090909090909090EB"; classtype:trojan-activity; sid:2023313; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_10_03, malware_family SunDown, performance_impact Low, updated_at 2016_10_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK Landing Oct 03 2016"; flow:from_server,established; file_data; content:"|28 65 78 70 6c 6f 69 74 29|"; content:"|2e 65 78 65 63 28 69 6e 70 75 74 29 29 7b 72 65 74 75 72 6e 2d 31 7d 69 6e 70 75 74 3d 69 6e 70 75 74 2e 72 65 70 6c 61 63 65|"; content:"|6b 65 79 53 74 72|"; classtype:trojan-activity; sid:2023314; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_10_03, malware_family SunDown, performance_impact Low, updated_at 2016_10_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Locky AlphaNum Downloader Oct 3 2016"; flow:to_server,established; urilen:5<>10; content:"GET"; http_method; pcre:"/^\/(?=[a-z]*[0-9][a-z-0-9]*$)(?=[0-9]*[a-z][a-z-0-9]*$)[a-z0-9]{5,8}$/U"; content:!"Cookie|3a 20|"; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; http_header; fast_pattern:37,20; content:"Accept|3a|"; http_header; content:"Accept-Encoding"; http_header; flowbits:set,ET.LockyDL; flowbits:noalert; classtype:trojan-activity; sid:2023315; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_03, malware_family Locky, updated_at 2016_10_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Locky AlphaNum Downloader Oct 3 2016"; flow:from_server,established; flowbits:isnotset,ET.http.binary; flowbits:isset,ET.LockyDL; content:"ETag|3a|"; http_header; content:!"Content-Disposition|3a|"; http_header; content:!"Cookie|3a|"; content:"Content-Length|3a 20|1"; http_header; fast_pattern:only; pcre:"/^Content-Length\x3a\x201[6-8]\d{4}\r?$/Hm"; file_data; content:!"MZ"; within:2; content:!"PK"; within:2; content:!"GIF"; within:3; content:!"|FF D8 FF|"; within:3; content:!"CWS"; within:3; content:!"ZWS"; within:3; pcre:"/^.{4}[\x0a-\x7f]{0,100}[\x00-x09\x80-\xff]/s"; classtype:trojan-activity; sid:2023316; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_03, malware_family Locky, updated_at 2016_10_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Personalized OWA Webmail Phish Oct 04 2016"; flow:to_server,established; content:"POST"; http_method; content:".php?"; nocase; http_uri; content:"&email="; nocase; http_uri; distance:0; content:"curl="; depth:5; nocase; http_client_body; content:"&flags="; nocase; distance:0; http_client_body; content:"&forcedownlevel="; nocase; distance:0; http_client_body; content:"&formdir="; nocase; distance:0; http_client_body; content:"&trusted="; nocase; distance:0; http_client_body; content:"&username="; nocase; distance:0; http_client_body; content:"&password="; nocase; distance:0; http_client_body; content:"&SubmitCreds="; nocase; distance:0; http_client_body; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025002; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_10_04, updated_at 2017_11_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful WeTransfer Phish Oct 04 2016"; flow:to_server,established; content:"POST"; http_method; content:".php?cmd="; nocase; http_uri; content:"&id="; nocase; http_uri; content:"&session="; nocase; http_uri; content:"provider="; depth:9; nocase; http_client_body; fast_pattern; content:"&email="; nocase; distance:0; http_client_body; content:"&password="; nocase; distance:0; http_client_body; content:"&phone="; nocase; distance:0; http_client_body; content:"&submit="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023964; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_10_04, updated_at 2017_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful iCloud Phish Oct 10 2016"; flow:to_server,established; content:"POST"; http_method; content:"/save.asp"; nocase; http_uri; fast_pattern; content:"apple"; http_header; content:"u="; depth:2; nocase; http_client_body; content:"&p="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023592; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_10_11, updated_at 2016_12_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Oct 13 2016"; flow:to_server,established; content:"POST"; http_method; content:"jar"; nocase; http_client_body; depth:3; content:"&jar"; nocase; http_client_body; distance:0; content:"&jar"; nocase; http_client_body; distance:0; content:"&jar"; nocase; http_client_body; distance:0; content:"&jar"; nocase; http_client_body; distance:0; content:"&jar"; nocase; http_client_body; distance:0; content:"&jar"; nocase; http_client_body; distance:0; content:"&login="; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024562; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_10_14, performance_impact Low, updated_at 2017_10_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK EITest Inject Oct 17 2016"; flow:established,from_server; file_data; content:"=l3S"; fast_pattern; content:"|22|frameBorder|22 2c 20 22|0|22|"; nocase; content:"document.createElement|28 22|iframe|22 29 3b|"; nocase; content:" document.body.appendChild"; nocase; content:"http|3a 2f 2f|"; nocase; pcre:"/^[^\x2f\x22\x27]+\/\?[^=&\x22\x27]+=l3S/Ri"; classtype:trojan-activity; sid:2023343; rev:2; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_10_17, malware_family EITest, performance_impact Low, updated_at 2016_10_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Oct 19 2016"; flow:established,from_server; content:"nginx"; http_header; pcre:"/^Content-Length\x3a\x20\d{2,3}\r?$/Hmi"; file_data; content:"document.write|28|"; within:15; pcre:"/^(?=[^\n>]*position\x3aabsolute)(?=[^\n>]*top\x3a\x20-\d+px\x3b)[^\n]*<iframe(?=[^\n>]*width=\d{3})(?=[^\n>]*height=\d{3})[^\n>]*src=[\x22\x27]http[^\n>]+\s*>\s*/R"; content:"</|27|+|27|iframe>"; within:12; fast_pattern; pcre:"/^[^\n]*\x29\x3b$/R"; classtype:trojan-activity; sid:2023352; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_10_19, performance_impact Low, updated_at 2016_10_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Oct 19 2016 T2"; flow:established,from_server; content:"Content-Type|3a 20|text/javascript|0d 0a|"; http_header; content:"nginx"; http_header; file_data; content:"var"; within:3; pcre:"/^\s*(?P<var>[^\r\n\s\x3d\x2c\x3b]+)\s*=[^\n]*<iframe(?=[^\n>]*top\x3a-\d+px\x3b)[^\n>]+src\s*=\s*\x5c?[\x22\x27]http[^\n>]+>\s*<\/iframe>\x22\x3bdocument\.write\((?P=var)\)\x3b\s*$/R"; content:"</iframe>|22 3b|document.write"; fast_pattern; classtype:trojan-activity; sid:2023353; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_10_19, performance_impact Low, updated_at 2016_10_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RIG EK URI struct Oct 24 2016  (RIG-v)"; flow:established,to_server; content:"/?"; http_uri; depth:2; content:"q="; http_uri; content:"oq="; http_uri; fast_pattern:only; pcre:"/^\/(?=.*?[&?][a-z]{2}_[a-z]{2}=\d+(?:&|$))(?=.*?[&?]q=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}|[A-Za-z0-9_-]{3})+(?:&|$))(?=.*?[&?]oq=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}|[A-Za-z0-9_-]{3})+(?:&|$)).*?[&?][a-z]{3}=[A-Za-z_]{3,20}(?=[a-z\d]*\x2e)(?=[a-z\x2e]*\d)[a-z\d\x2e]+(?:&|$)/U"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2023401; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_kit_RIG, signature_severity Major, created_at 2016_10_24, performance_impact Low, updated_at 2016_12_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Oct 25 2016"; flow:to_server,established; content:"POST"; http_method; content:"u="; depth:2; nocase; http_client_body; content:"&p="; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024563; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_10_26, performance_impact Low, updated_at 2017_10_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Oct 26 2016"; flow:to_server,established; content:"POST"; http_method; content:"formtext"; nocase; http_client_body; content:"&formtext"; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024564; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_10_26, performance_impact Low, updated_at 2017_10_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Malicious Tor Module Download"; flow:established,to_server; content:"/tor/"; http_uri; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; pcre:"/\/tor\/[^\x2f\x2e]+(?:32|64)\.dll$/Ui"; reference:md5,dacbf4c26c5642c29e69e336e0f111f7; classtype:trojan-activity; sid:2023471; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_11_01, performance_impact Low, updated_at 2016_11_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNSChanger EK Secondary Landing Oct 31 2016"; flow:established,from_server; file_data; content:".controlurl"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".schematype"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".csrf"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".port"; nocase; pcre:"/^[\s\x2c\x3b]/Rs";  content:"upnp"; nocase; content:" ip"; nocase; pcre:"/^\s*=\s*[\x22\x27]?(?:10|127|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\./R"; classtype:attempted-admin; sid:2023473; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_11_01, malware_family DNSEK, performance_impact Low, updated_at 2016_11_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Nov 01 2016"; flow:established,from_server; file_data; content:"|5c 78 35 63 5c 78 36 62 5c 78 36 31 5c 78 37 33 5c 78 35 66 5c 78 36 35 5c 78 36 65 5c 78 36 37 5c 78 36 39 5c 78 36 65 5c 78 36 35 5c 78 32 65 5c 78 36 34 5c 78 36 63 5c 78 36 63 5c 78 32 66 5c 78 32 33 5c 78 33 32 5c 78 33 34 5c 78 32 66 5c 78 33 32 5c 78 32 32 5c 78 37 64|"; nocase; classtype:trojan-activity; sid:2023474; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_11_01, performance_impact Low, updated_at 2016_11_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK EITest Inject Oct 17 2016 M2"; flow:established,from_server; file_data; content:"|75 74 65 28 22 66 72 61 6d 65 42 6f 72 64 65 72 22 2c 20 22 30|"; fast_pattern:only; content:"<script type=|22|text/javascript|22|>"; pcre:"/^\s*var\s*(?P<var>[^\s=]+)\s*=\s*document.createElement\(\s*[\x22\x27]iframe[\x22\x27](?=.+?(?P=var)\.frameBorder\s*=\s*[\x22\x27]0[\x22\x27])(?=.+?document\.body\.appendChild\(\s*(?P=var)\s*\)).+?(?P=var)\.setAttribute\s*\(\s*[\x22\x27]frameBorder[\x22\x27]\s*,\s*[\x22\x27]0[\x22\x27]\s*\)\s*\x3b/Rsi"; classtype:trojan-activity; sid:2023482; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_11_03, malware_family EvilTDS, malware_family EITest, performance_impact Low, updated_at 2016_12_22;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Tesco Bank Phish M1 Nov 08 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"username="; depth:9; nocase; http_client_body; content:"&login.x="; nocase; distance:0; http_client_body; content:"&login.y="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023487; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_11_08, updated_at 2017_07_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Tesco Bank Phish M2 Nov 08 2016"; flow:to_server,established; content:"POST"; http_method; content:"1="; depth:2; nocase; http_client_body; content:"&password="; nocase; distance:0; http_client_body; content:"&cvv1="; nocase; distance:0; http_client_body; fast_pattern; content:"&mobile1="; nocase; distance:0; http_client_body; content:"&next"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023488; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_11_08, updated_at 2016_11_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Cartasi Phishing Domain Nov 08 2016"; flow:to_server,established; content:"GET"; http_method; content:"cartasi"; http_header; fast_pattern; content:!"cartasi.it|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+cartasi[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023495; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_11_09, performance_impact Low, updated_at 2017_11_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Nov 15 2016"; flow:to_server,established; content:"POST"; http_method; content:"form"; nocase; http_client_body; fast_pattern; content:"&form"; nocase; http_client_body; distance:0; content:"&form"; nocase; http_client_body; distance:0; content:"&form"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024565; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_11_15, performance_impact Low, updated_at 2017_08_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Nov 15 2016"; flow:established,from_server; file_data; content:"<iframe src=|22|http|3a 2f 2f|"; pcre:"/^[a-z0-9_-]+\.(?=[0-9_-]*[A-Z])[A-Z0-9_-]+\.[^\x22]+\x22\s/R"; content:"|77 69 64 74 68 3d 22 31 22 20 68 65 69 67 68 74 3d 22 31 22 20 73 74 79 6c 65 3d 22 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 6c 65 66 74 3a 2d 31 70 78 3b 22 3e 3c 2f 69 66 72 61 6d 65 3e|"; within:67; fast_pattern:47,20; classtype:trojan-activity; sid:2023513; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_11_15, performance_impact Low, updated_at 2016_11_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Nov 16 2016"; flow:to_server,established; content:"POST"; http_method; content:"e-mail="; depth:7; fast_pattern; nocase; http_client_body; content:"pass"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024566; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_11_16, performance_impact Low, updated_at 2017_08_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Shared Document Phishing Landing Nov 16 2016"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function checkemail"; nocase; content:"function checkbae"; nocase; distance:0; fast_pattern; content:"Sign in to view"; nocase; distance:0; content:"Select your email"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025672; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_11_17, updated_at 2018_07_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Email Settings Error Phishing Landing Nov 16 2016"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>An error"; nocase; fast_pattern; content:"settings is blocking"; nocase; distance:0; within:50; content:"incoming emails"; nocase; distance:0; within:50; content:"error in your SSL settings"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025687; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_11_17, updated_at 2018_07_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Nov 22 2016"; flow:to_server,established; content:"POST"; http_method; content:"feedback="; depth:9; fast_pattern; nocase; http_client_body; content:"&feedback"; nocase; http_client_body; distance:0; content:"&feedback"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024567; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_11_22, performance_impact Low, updated_at 2017_08_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK EITest Inject Oct 17 2016 M3"; flow:established,from_server; file_data; content:"oq="; fast_pattern:only; content:"|22|frameBorder|22 2c 20 22|0|22|"; nocase; content:" document.body.appendChild"; nocase; content:"http|3a 2f 2f|"; nocase; pcre:"/^[^\x2f\x22\x27]+\/(?=[^\x22\x27]*?[?&]oq=[A-Za-z0-9+\x2f_-]+(?:[\x22\x27]|&))(?=[^\x22\x27]*?[&?][a-z]+_[a-z]+=\d+)(?=[^\x22\x27]*?[&?]q=)/Ri"; classtype:trojan-activity; sid:2023547; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_11_28, malware_family EvilTDS, malware_family EITest, performance_impact Low, updated_at 2017_01_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Malicious JS.Nemucod to PS Dropping PE Nov 14 M2"; flow:to_server,established; content:"GET"; http_method; content:".php?f="; http_uri; fast_pattern:only; content:!"Referer"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; http_header; pcre:"/^\/\w+\.php\?f=[a-z]?\d{1,3}(?:\.(?:dat|gif))?$/U"; reference:md5,551c440d76be5ab9932d8f3e8f65726e; classtype:trojan-activity; sid:2023754; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_11_28, performance_impact Low, updated_at 2017_01_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS XBOOMBER Paypal Phishing Landing Nov 28 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Encoding|3a 20|gzip"; http_header; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<form method=|22|post|22|"; nocase; content:"action=|22|websc"; nocase; within:150; content:".php?SessionID-xb="; fast_pattern; nocase; distance:0; within:50; classtype:trojan-activity; sid:2023557; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_11_29, updated_at 2016_11_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful XBOOMBER Paypal Phish Nov 28 2016"; flow:to_server,established; content:"POST"; http_method; content:"/websc-"; nocase; http_uri; content:".php?SessionID-xb="; nocase; http_uri; fast_pattern; within:40; classtype:trojan-activity; sid:2023558; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_11_29, updated_at 2016_11_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Internet Explorer Information Disclosure Vuln as Observed in RIG EK Prefilter M1 Dec 06"; flow:established,from_server; file_data; content:"res|3a 2f 2f|"; nocase; fast_pattern:only; content:"/#24/"; pcre:"/^#?\d+/R"; content:".exe"; content:"|5c 5c|Progra"; nocase; classtype:trojan-activity; sid:2023586; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_kit_RIG, signature_severity Major, created_at 2016_12_06, malware_family Exploit_Kit_RIG, updated_at 2016_12_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Internet Explorer Information Disclosure Vuln as Observed in RIG EK Prefilter M2 Dec 06"; flow:established,from_server; file_data; content:"res|3a 2f 2f|"; nocase; fast_pattern:only; content:"/#16/"; pcre:"/^#?\d+/R"; content:".exe"; nocase; content:"|5c 5c|Progra"; nocase; classtype:trojan-activity; sid:2023587; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_kit_RIG, signature_severity Major, created_at 2016_12_06, malware_family Exploit_Kit_RIG, updated_at 2016_12_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Dec 07 2016"; flow:to_server,established; content:"POST"; http_method; content:"Editbox1="; depth:9; nocase; http_client_body; content:"&Editbox2="; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024568; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_12_08, updated_at 2017_08_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Stripe Phishing Landing Dec 09 2016"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Stripe|3a|"; nocase; fast_pattern; content:"|2f 2a 20 56 4f 44 4b 41 20 2a 2f|"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025668; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_12_09, updated_at 2018_07_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Linkedin Phishing Domain Dec 09 2016"; flow:to_server,established; content:"GET"; http_method; content:"linkedin.com"; http_header; fast_pattern; content:!"linkedin.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+linkedin\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023596; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_12_09, updated_at 2016_12_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Dec 13 2016"; flow:to_server,established; content:"POST"; http_method; content:"UserID="; depth:7; nocase; http_client_body; fast_pattern; content:"&Pass"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024569; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_12_13, updated_at 2017_08_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Phishing Redirect Dec 13 2016"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Page Redirection"; nocase; fast_pattern:3,20; content:"don't tell people to `click` the link"; nocase; distance:0; content:"just tell them that it is a link"; nocase; distance:0; content:!"location.hostname"; nocase; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023638; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_12_13, performance_impact Low, updated_at 2018_03_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Edge SmartScreen Page Spoof Attempt Dec 16 2016"; flow:from_server,established; file_data; content:"ms-appx-web|3a|//"; fast_pattern; nocase; content:"microsoftedge"; nocase; distance:0; content:"/assets/errorpages/"; nocase; distance:0; content:"BlockedDomain="; nocase; distance:0; reference:url,www.brokenbrowser.com/spoof-addressbar-malware/; classtype:trojan-activity; sid:2023657; rev:1; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_12_16, malware_family Tech_Support_Scam, performance_impact Low, updated_at 2016_12_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Dec 20 2016"; flow:to_server,established; content:"POST"; http_method; content:"name"; depth:7; nocase; http_client_body; content:"&Pass"; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024570; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_12_20, updated_at 2017_08_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Dec 27 2016"; flow:to_server,established; content:"POST"; http_method; content:"uid="; depth:4; nocase; http_client_body; content:"&Pass"; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024571; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_12_29, updated_at 2017_08_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jan 03 2017"; flow:to_server,established; content:"POST"; http_method; content:"login_email"; depth:11; nocase; fast_pattern; http_client_body; content:"login_pass"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024572; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_01_03, updated_at 2017_08_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Netflix Payment Phish M1 Jan 04 2017"; flow:to_server,established; content:"POST"; http_method; content:"firstName="; depth:10; nocase; http_client_body; content:"&lastName="; nocase; distance:0; http_client_body; content:"&cardNumber="; nocase; distance:0; http_client_body; content:"&expirationMonth="; nocase; distance:0; http_client_body; content:"&expirationYear="; nocase; distance:0; http_client_body; content:"&securityCode="; nocase; distance:0; http_client_body; fast_pattern; content:"&SubmitButton="; nocase; distance:0; http_client_body; content:"&msg_agree="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024462; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_01_05, updated_at 2017_07_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Bradesco Bank Phish M1 Jan 05 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?"; nocase; http_uri; content:"p="; depth:2; nocase; http_client_body; content:"&a2="; nocase; distance:0; http_client_body; content:"&agencia="; nocase; distance:0; http_client_body; content:"&a1="; nocase; distance:0; http_client_body; content:"&conta="; nocase; distance:0; http_client_body; fast_pattern; content:"&aa="; nocase; distance:0; http_client_body; content:"&digito="; nocase; distance:0; http_client_body; content:"&age="; nocase; distance:0; http_client_body; content:"&ir="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023696; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_01_05, updated_at 2017_01_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Bradesco Bank Phish M2 Jan 05 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?"; nocase; http_uri; content:"agencia="; depth:8; nocase; http_client_body; content:"&conta="; nocase; distance:0; http_client_body; content:"&digito="; nocase; distance:0; http_client_body; content:"&entrada_1="; nocase; distance:0; http_client_body; fast_pattern; content:"&entrada_2="; nocase; distance:0; http_client_body; content:"&entrada_3="; nocase; distance:0; http_client_body; content:"&entrada_4="; nocase; distance:0; http_client_body; content:"&looking1="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023697; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_01_05, updated_at 2017_03_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful National Bank Phish Jan 05 2017"; flow:to_server,established; content:"POST"; http_method; content:"redirect="; depth:9; nocase; http_client_body; content:"&txtState="; nocase; distance:0; http_client_body; content:"&txtCount="; nocase; distance:0; http_client_body; content:"&txtOneTime="; nocase; distance:0; http_client_body; content:"&Account_ID="; nocase; distance:0; http_client_body; content:"&active_Password="; nocase; distance:0; http_client_body; fast_pattern; content:"&Submit="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023698; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_01_05, updated_at 2017_01_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Landing Jan 09 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta name=|22|description|22 20|content=|22 78 50 61 79 50 61 6c 5f 32 30 31 37|"; content:"|43 61 5a 61 4e 6f 56 61 31 36 33|"; within:50; fast_pattern; classtype:trojan-activity; sid:2023712; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_01_09, performance_impact Low, updated_at 2017_01_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jan 12 2017"; flow:to_server,established; content:"POST"; http_method; content:"ID="; depth:3; nocase; fast_pattern; http_client_body; content:"&Pass"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024573; rev:1; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_01_12, performance_impact Low, updated_at 2017_08_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Inject Jan 15 2017 M2"; flow:established,from_server; file_data; content:"|69 6e 66 6f 6c|"; fast_pattern:only; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"<input"; nocase; pcre:"/^(?=[^>]*type\s*=\s*[\x22\x27]hidden[\x22\x27])(?=[^>]*name\s*=\s*[\x22\x27]infol[\x22\x27])[^>]*value\s*=\s*[\x22\x27][A-Za-z0-9+/]+[\x22\x27]/Rsi";  content:"<form"; nocase; pcre:"/^(?=[^>]+action\s*=\s*[\x22\x27]http\x3a\x2f)[^>]+method\s*=\s*[\x22\x27]post[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2023742; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_17, malware_family EITest, performance_impact Low, updated_at 2017_01_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Inject Jan 15 2017 M1"; flow:established,from_server; file_data; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65 2e 77 65 62 73 74 6f 72 65|"; nocase; content:"|2e 6d 61 74 63 68 28 2f 3e 28 5c 77 3f 5c 73 3f 2e 2a 3f 29 3c 2f 67 29|"; nocase; fast_pattern:only; content:"|5b 69 5d 2e 72 65 70 6c 61 63 65 28 65 76 61 6c 28|"; content:"unescape"; nocase; pcre:"/^\s*\([^\x29]*(?:\%2F|\/)(?:\%5B|\[)(?:\%5E|^)(?=[^\x29]*(?:%3C|\<))(?=[^\x29]*(?:%3E|\>))(?=[^\x29]*(?:\%5C|\\)(?:\%6E|n))/Rsi"; classtype:trojan-activity; sid:2023743; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_17, malware_family EITest, updated_at 2017_01_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Inject Jan 15 2017 M2"; flow:established,from_server; file_data; content:"|69 6e 66 6f 6c|"; fast_pattern:only; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"<input"; nocase; pcre:"/^(?=[^>]+type\s*=\s*[\x22\x27]hidden[\x22\x27])(?=[^>]+name\s*=\s*[\x22\x27]infol[\x22\x27])[^>]+value\s*=\s*[\x22\x27](?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)[\x22\x27]/Rsi"; content:"<form"; nocase; pcre:"/^(?=[^>]+action\s*=\s*[\x22\x27]http\x3a\x2f)[^>]+method\s*=\s*[\x22\x27]post[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2023744; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_17, malware_family EITest, updated_at 2017_01_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Inject Jan 15 2017 EXE Download"; flow:established,from_server; content:"Chrome_Font.exe"; http_header; nocase; fast_pattern:only; pcre:"/^Content-Disposition\x3a[^\r\n]+filename\s*=\s*[\x22\x27]?Chrome_Font\.exe/Hmi"; classtype:trojan-activity; sid:2023745; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_17, malware_family EITest, updated_at 2017_01_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jan 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"user="; depth:5; nocase; fast_pattern; http_client_body; content:"&Pass"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024574; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, created_at 2017_01_17, updated_at 2017_08_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jan 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"user_id="; depth:8; nocase; fast_pattern; http_client_body; content:"&Pass"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024575; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, created_at 2017_01_17, updated_at 2017_08_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK EITest Inject Oct 17 2016 M4"; flow:established,from_server; file_data; content:"|75 74 65 28 22 66 72 61 6d 65 42 6f 72 64 65 72 22 2c 20 22 30|"; fast_pattern:only; content:"<script type=|22|text|2f|"; pcre:"/^(?:rocket|java)script\x22>\s*var\s*(?P<ifr>[^\s=]+)\s*=\s*[\x22\x27]iframe[\x22\x27].*?\s*var\s*(?P<var>[^\s=]+)\s*=\s*document\.createElement\(\s*(?P=ifr)(?=.+?(?P=var)\.frameBorder\s*=\s*[\x22\x27]0[\x22\x27])(?=.+?document\.body\.appendChild\(\s*(?P=var)\s*\)).+?(?P=var)\.setAttribute\s*\(\s*[\x22\x27]frameBorder[\x22\x27]\s*,\s*[\x22\x27]0[\x22\x27]\s*\)\s*\x3b/Rsi"; classtype:trojan-activity; sid:2023748; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, signature_severity Major, created_at 2017_01_19, malware_family EITest, performance_impact Low, updated_at 2017_01_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M1 Jan 20 2017"; flow:from_server,established; content:"401"; http_stat_code; content:"WWW-Authenticate|3a 20|Basic realm=|22|"; nocase; http_header; content:"Warning|3a|"; nocase; http_header; distance:0; fast_pattern; content:"Call Microsoft"; http_header; nocase; classtype:trojan-activity; sid:2023751; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_01_20, updated_at 2017_01_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M2 Jan 20 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Error Hard Drive"; nocase; fast_pattern:3,20; content:"background-color|3a 20|#FF0000"; nocase; distance:0; classtype:trojan-activity; sid:2023752; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_01_20, updated_at 2017_01_20;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Microsoft RDP Client for Mac RCE"; flow:established,to_client; content:"rdp|3a 2f 2f|"; nocase; content:"drivestoredirect"; fast_pattern; nocase; distance:0; content:"rdp|3a 2f 2f|"; nocase; pcre:"/^\S+?drivestoredirect/Ri"; reference:url,www.wearesegment.com/research/Microsoft-Remote-Desktop-Client-for-Mac-Remote-Code-Execution; classtype:attempted-admin; sid:2023755; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_24, performance_impact Low, updated_at 2017_01_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Jan 24"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title> Windows Official Support"; fast_pattern; nocase; content:"This Is A Critical Warning"; nocase; distance:0; classtype:trojan-activity; sid:2023757; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, tag Phishing, signature_severity Major, created_at 2017_01_24, updated_at 2017_01_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Apple iCloud Phish Jan 23 2017"; flow:to_server,established; content:"POST"; http_method; content:"usuario="; depth:8; nocase; http_client_body; content:"&contrasena="; nocase; distance:0; http_client_body; content:"&hdtxt="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023758; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, tag Phishing, signature_severity Major, created_at 2017_01_24, updated_at 2017_07_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Paypal Phish Jan 23 2016"; flow:to_server,established; content:"POST"; http_method; content:"/websrc"; http_uri; fast_pattern; content:"email"; nocase; http_client_body; content:"|25|40"; http_client_body; distance:0; content:"pass"; nocase; distance:0; http_client_body; pcre:"/\/websrc$/U"; classtype:trojan-activity; sid:2023759; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, tag Phishing, signature_severity Major, created_at 2017_01_24, updated_at 2017_01_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Paypal Phish Jan 23 2017"; flow:to_server,established; content:"POST"; http_method; content:"locale.x="; nocase; http_client_body; content:"&processSignin="; nocase; distance:0; http_client_body; fast_pattern; content:"email="; nocase; distance:0; http_client_body; content:"password="; nocase; distance:0; http_client_body; content:"&btnLogin="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023760; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, tag Phishing, signature_severity Major, created_at 2017_01_24, updated_at 2017_01_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Broken/Filtered RIG EK Payload Download"; flow:established,from_server; content:"Content-Type|3a 20|application/x-msdownload|0d 0a|"; http_header; content:"Content-Length|3a 20|3|0d 0a|"; http_header; fast_pattern; file_data; content:"|3d 28 28|"; within:3; isdataat:!1,relative; classtype:trojan-activity; sid:2023768; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_kit_RIG, signature_severity Major, created_at 2017_01_27, malware_family Exploit_Kit_RIG, performance_impact Low, updated_at 2017_01_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"FromPreSignIn_SIP="; depth:18; nocase; http_client_body; fast_pattern; content:"&RSA_DEVPRINT="; nocase; distance:0; http_client_body; content:"&ROLLOUT="; nocase; distance:0; http_client_body; content:"&user="; nocase; distance:0; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023770; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_01_30, updated_at 2017_07_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Wells Fargo Phish Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"card_num="; depth:9; nocase; http_client_body; content:"&full_name="; nocase; distance:0; http_client_body; content:"&ssn_num="; nocase; distance:0; http_client_body; fast_pattern; content:"&j_password="; nocase; distance:0; http_client_body; content:"&userPrefs="; nocase; distance:0; http_client_body; content:"&jsenabled="; nocase; distance:0; http_client_body; content:"&origin="; nocase; distance:0; http_client_body; content:"&screenid="; nocase; distance:0; http_client_body; content:"&ndsid="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023771; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_01_30, updated_at 2017_01_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Find My iPhone Phish (SP) Jan 30 2017"; flow:from_server,established; file_data; content:"<title>Buscar iPhone"; fast_pattern; content:"<div class=|22|icloud"; nocase; distance:0; content:"Buscar iPhone"; nocase; distance:0; content:"<div class=|22|error"; nocase; distance:0; classtype:trojan-activity; sid:2023772; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_01_30, updated_at 2017_01_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Tangerine Bank Phish M1 Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"cusd="; depth:5; nocase; http_client_body; content:"&tbNickname="; nocase; distance:0; http_client_body; fast_pattern; content:"&ddCIF="; nocase; distance:0; http_client_body; content:"&Go="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023773; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_01_30, updated_at 2017_01_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Tangerine Bank Phish M2 Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?SecureToken="; http_header; content:"&fill="; http_header; distance:0; content:"PIN="; depth:4; nocase; http_client_body; fast_pattern; content:"&Go="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023774; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_01_30, updated_at 2017_01_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Ebay Phishing Domain Jan 30 2017"; flow:to_server,established; content:"GET"; http_method; content:"ebay.com"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"ebay.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+ebay\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023775; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, created_at 2017_01_31, updated_at 2017_01_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Ebay Phish Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"ebay.com"; http_header; fast_pattern; content:!"ebay.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+ebay\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023776; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, created_at 2017_01_31, updated_at 2017_01_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Inject Jan 15 2017 EXE Download"; flow:established,from_server; content:"Font_Update.exe"; http_header; nocase; fast_pattern:only; pcre:"/^Content-Disposition\x3a[^\r\n]+filename\s*=\s*[\x22\x27]?Font_Update\.exe/Hmi"; reference:url,www.proofpoint.com/us/threat-insight/post/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme; reference:url,blog.brillantit.com/exposing-eitest-campaign; classtype:trojan-activity; sid:2023817; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2017_01_31, performance_impact Low, updated_at 2017_01_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Discover Phishing Domain Feb 02 2017"; flow:to_server,established; content:"GET"; http_method; content:"discover.com"; http_header; fast_pattern; content:!"discover.com|0d 0a|"; http_header; content:!"autodiscover"; http_header; pcre:"/^Host\x3a[^\r\n]+discover\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023819; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_02, updated_at 2017_02_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Chase Phish Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"chase.com"; http_header; fast_pattern; content:!"chase.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+chase\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023820; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_02, updated_at 2017_02_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Apple Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"apple.com"; http_header; fast_pattern; content:!"apple.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+apple\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023821; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_02, updated_at 2017_02_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful USAA Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"usaa.com"; http_header; fast_pattern; content:!"usaa.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+usaa\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023822; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_02, updated_at 2017_02_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Paypal Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"paypal.com"; http_header; fast_pattern; content:!"paypal.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+paypal\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023823; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_02, updated_at 2017_02_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Bank of America Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"bankofamerica.com"; http_header; fast_pattern; content:!"bankofamerica.com|0d 0a|"; http_header; pcre:"/Host\x3a[^\r\n]+bankofamerica\.com[^\r\n]{10,}\r\n/Hmi"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023824; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_02, updated_at 2017_11_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Google Drive Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"drive.google.com"; http_header; fast_pattern; content:!"drive.google.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+drive\.google\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023825; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_02, updated_at 2017_02_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Cartasi Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"cartasi"; http_header; fast_pattern; content:!"cartasi.it|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+cartasi[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023826; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_02, updated_at 2017_02_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Linkedin Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"linkedin.com"; http_header; fast_pattern; content:!"linkedin.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+linkedin\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023827; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_02, updated_at 2017_02_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Ebay Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"ebay.com"; http_header; fast_pattern; content:!"ebay.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+ebay\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023828; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_02, updated_at 2017_02_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Discover Phish Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"discover.com"; http_header; fast_pattern; content:!"discover.com|0d 0a|"; http_header; content:!"autodiscover"; http_header; pcre:"/^Host\x3a[^\r\n]+discover\.com[^\r\n]{20,}\r\n/Hmi"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023829; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_02, updated_at 2017_11_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 01"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|account-google|08|serveftp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023833; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 02"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|aramex-shipping|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023834; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 03"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|device-activation|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023835; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 04"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|dropbox-service|08|serveftp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023836; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 05"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|dropbox-sign|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023837; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 06"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|dropboxsupport|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023838; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 07"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|fedex-mail|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023839; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 08"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|fedex-shipping|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023840; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 09"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|fedex-sign|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023841; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 10"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|googledriver-sign|04|ddns|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023842; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 11"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|googledrive-sign|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023843; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|google-maps|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023844; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 13"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|googlesecure-serv|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023845; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 14"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|googlesignin|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023846; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 15"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|googleverify-signin|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023847; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 16"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|mailgooglesign|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023848; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 17"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|myaccount|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023849; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 18"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|secure-team|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023850; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 19"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|security-myaccount|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023851; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 20"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|verification-acc|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023852; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 21"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|dropbox-verfy|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023853; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 22"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|fedex-s|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023854; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 23"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|watchyoutube|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023855; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 24"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|verification-team|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023856; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 25"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|securityteam-notify|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023857; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 26"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|secure-alert|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023858; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 27"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|quota-notification|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023859; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 28"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|notification-team|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023860; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 29"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|fedex-notification|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023861; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 30"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|docs-mails|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023862; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 31"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|restricted-videos|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023863; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 32"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|dropboxnotification|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023864; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 33"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|moi-gov|08|serveftp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023865; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 34"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|activate-google|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023866; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 35"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|googlemaps|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023867; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Feb 2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title> Microsoft Official Support <"; fast_pattern; nocase; content:"var stroka"; nocase; distance:0; content:"wM/8AAEQgADQCgAwEiAAIRAQMRAf/dAAQACv/EAT8AAAEFAQEBAQEBAAAAAAAAAAMAAQIE"; distance:0; classtype:trojan-activity; sid:2023869; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_03, performance_impact Low, updated_at 2017_02_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Landing M1 Feb 07 2016 M1"; flow:established,from_server; file_data; content:"value"; nocase; pcre:"/^\s*=\s*[\x27\x22](?:sh(?:ell(?:32)?)?|exec)=6wLrBej5\x2f\x2f/Rsi"; content:"6wLrBej5"; fast_pattern:only; classtype:trojan-activity; sid:2023878; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Terror, signature_severity Major, created_at 2017_02_07, malware_family Exploit_Kit, performance_impact Low, updated_at 2017_02_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Landing M1 Feb 07 2016 M2"; flow:established,from_server; file_data; content:"EB02EB05E8F9FFFFFF"; nocase; fast_pattern:only; pcre:"/(?:value=[\x22\x27](?:sh(?:ell(?:32)?)?|exec)=|unescape\(EscapeHexString\(.)EB02EB05E8F9FFFFFF/si"; classtype:trojan-activity; sid:2023879; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Terror, signature_severity Major, created_at 2017_02_07, malware_family Exploit_Kit, performance_impact Low, updated_at 2017_02_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Craigslist Phishing Domain Feb 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"craigslist.org"; http_header; fast_pattern; content:!"craigslist.org|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+craigslist\.org[^\r\n]{20,}\r\n/Hmi"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023880; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_07, updated_at 2017_11_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Apple Phish Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"login="; depth:6; nocase; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; content:"&submit=Sign+In&curl_version="; nocase; distance:0; http_client_body; fast_pattern:9,20; classtype:trojan-activity; sid:2023888; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_09, updated_at 2017_02_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Feb 09 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Microsoft Official Support"; nocase; fast_pattern:13,20; content:"<audio"; nocase; distance:0; content:"loop="; nocase; within:50; classtype:trojan-activity; sid:2023889; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_09, updated_at 2017_02_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Banco Itau (BR) Mobile Phish M1 Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"iden="; depth:5; nocase; http_client_body; content:"&AG="; nocase; distance:0; http_client_body; content:"&CC="; nocase; distance:0; http_client_body; content:"&CCDIG="; nocase; distance:0; http_client_body; content:"&PASSNET="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogInT.x="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023890; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_09, updated_at 2017_02_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Banco Itau (BR) Mobile Phish M2 Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"DDD="; depth:4; nocase; http_client_body; content:"&CELLULAR="; nocase; distance:0; http_client_body; fast_pattern; content:"&SDESEIS="; nocase; distance:0; http_client_body; content:"&btnLogInT.x="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023891; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_09, updated_at 2017_02_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Apple Phishing Landing M1 Feb 13 2017"; flow:from_server,established; content:"200"; http_stat_code; file_data; content:"jQuery(function($)"; nocase; content:"cc-number"; within:50; nocase; fast_pattern; content:"formatCardNumber"; within:50; content:"cc-exp"; nocase; distance:0; content:"formatCardExpiry"; within:50; content:"cc-cvc"; nocase; distance:0; content:"formatCardCVC"; within:50; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025658; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_13, updated_at 2018_07_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Apple Phishing Landing M2 Feb 13 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"#dob"; nocase; content:".mask"; within:10; content:"#ccexp"; nocase; distance:0; content:".mask"; within:10; content:"#ssn"; nocase; distance:0; content:".mask"; within:10; content:"Aes.Ctr.decrypt"; nocase; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025667; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_13, updated_at 2018_07_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Live External Link Phishing Landing M2 Feb 14 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Secure redirect"; nocase; fast_pattern:2,20; content:"auth.gfx.ms"; nocase; distance:0; content:"access sensitive information"; nocase; distance:0; content:"Confirm your password"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025675; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_14, updated_at 2018_07_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Apple Account Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"locked.php"; nocase; http_uri; content:"Account-Unlock"; nocase; distance:0; http_uri; fast_pattern; content:"user="; depth:5; nocase; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023999; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_17, updated_at 2017_02_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful iCloud (CN) Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"Host|3a 20 31 31 32 32 33 33 68 74 2e 70 77|"; fast_pattern:only; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024000; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_17, updated_at 2017_11_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful California Bank & Trust Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"AccountNo="; depth:10; nocase; http_client_body; fast_pattern; content:"&token="; nocase; distance:0; http_client_body; content:"&check=Login"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024001; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, created_at 2017_02_17, updated_at 2017_02_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Banco Itau (BR) Mobile Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"&txtCelular="; nocase; http_client_body; content:"&txtSenhaCartao="; nocase; distance:0; http_client_body; fast_pattern; content:"btnLogIn"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024002; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, created_at 2017_02_17, updated_at 2017_02_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Phishing Verified by Visa title over non SSL Feb 17 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>"; content:"Verified by Visa"; nocase; within:50; fast_pattern; classtype:trojan-activity; sid:2024003; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_17, performance_impact Low, updated_at 2017_02_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Dropbox Shared Document Phishing Landing Feb 21 2017"; flow:from_server,established; file_data; content:"<title>Dropbox"; nocase; fast_pattern; content:"openOffersDialog"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025688; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_21, updated_at 2018_07_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious JS Refresh - Possible Phishing Redirect Feb 24 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"self.location.replace("; within:100; fast_pattern:2,20; pcre:"/\s*(?P<var>[^)]+)\s*\).+window\s*\.\s*location\s*=\s*\(\s*(?P=var)/Rsi"; classtype:trojan-activity; sid:2024007; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_24, updated_at 2017_02_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Phishing Redirect Feb 24 2017"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; content:"location|3a 20|"; http_header; fast_pattern; content:"|2f 3f|"; distance:32; within:2; http_header; content:"|0d 0a|"; distance:32; within:2; http_header; classtype:trojan-activity; sid:2024008; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_24, updated_at 2017_02_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Craigslist (RO) Phish M1 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"step=confirmation"; depth:17; nocase; http_client_body; content:"&rt="; nocase; distance:0; http_client_body; content:"&rp="; nocase; distance:0; http_client_body; content:"&p="; nocase; distance:0; http_client_body; content:"&whichForm="; nocase; distance:0; http_client_body; content:"&Email="; nocase; distance:0; http_client_body; content:"&Parola="; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:2024009; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_24, updated_at 2017_02_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Craigslist (RO) Phish M2 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"NumarCard="; depth:10; nocase; http_client_body; fast_pattern; content:"&CVV="; nocase; distance:0; http_client_body; content:"&Luna="; nocase; distance:0; http_client_body; content:"&NumeCard="; nocase; distance:0; http_client_body; content:"&PrenumeCard="; nocase; distance:0; http_client_body; content:"&NumedeContact="; nocase; distance:0; http_client_body; content:"&NumardeTelefon="; nocase; distance:0; http_client_body; content:"&EmaildeContact="; nocase; distance:0; http_client_body; content:"&cryptedStepCheck="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024010; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_24, updated_at 2017_02_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish M1 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"FromPreSignIn_SIP="; depth:18; nocase; http_client_body; fast_pattern; content:"&LANGUAGE="; nocase; distance:0; http_client_body; content:"&CHKCLICK="; nocase; distance:0; http_client_body; content:"&NNAME="; nocase; distance:0; http_client_body; content:"&RSA_DEVPRINT="; nocase; distance:0; http_client_body; content:"&K1="; nocase; distance:0; http_client_body; content:"&Q1="; nocase; distance:0; http_client_body; content:"&submit="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024011; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_24, updated_at 2017_02_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish M2 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"&rbcProductOrService="; nocase; http_client_body; content:"&cardSelected="; nocase; distance:0; http_client_body; content:"&rbcCardNumber="; nocase; distance:0; http_client_body; fast_pattern; content:"&twoDigitIssueNumber="; nocase; distance:0; http_client_body; content:"&atmpin="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024012; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_24, updated_at 2017_02_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish M3 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"&rbcProductOrService="; nocase; http_client_body; fast_pattern; content:"&fullname="; nocase; distance:0; http_client_body; content:"&dob="; nocase; distance:0; http_client_body; content:"&ssn="; nocase; distance:0; http_client_body; content:"&mmn="; nocase; distance:0; http_client_body; content:"&dl="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024013; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_24, updated_at 2017_02_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish M4 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"&rbcProductOrService="; nocase; http_client_body; fast_pattern; content:"&sq1="; nocase; distance:0; http_client_body; content:"&sq1a="; nocase; distance:0; http_client_body; content:"&sq2="; nocase; distance:0; http_client_body; content:"&sq2a="; nocase; distance:0; http_client_body; content:"&sq3="; nocase; distance:0; http_client_body; content:"&sq3a="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024014; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_24, updated_at 2017_02_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Orderlink (IN) Phish Feb 24 2017"; flow:to_server,established; urilen:7; content:"POST"; http_method; content:"/signin"; content:"/signin|0d 0a|"; http_header; fast_pattern; content:"_token="; depth:7; nocase; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"|25|40"; nocase; distance:0; http_client_body; content:"&pass"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024015; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, created_at 2017_02_24, updated_at 2017_02_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Redirect M1 Feb 24 2017"; flow:from_server,established; content:"302"; http_stat_code; content:"location|3a 20|"; nocase; http_header; content:".php?cmd=_update-information&account_bank="; nocase; http_header; fast_pattern:22,20; distance:0; content:"&dispatch="; distance:32; within:10; nocase; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; classtype:trojan-activity; sid:2024016; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, created_at 2017_02_24, updated_at 2017_02_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Redirect M2 Feb 24 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; file_data; content:"<meta http-equiv="; nocase; within:50; content:"refresh"; nocase; distance:1; within:7; content:"/webapps/"; nocase; distance:0; content:"/websrc"; distance:5; within:7; fast_pattern; classtype:trojan-activity; sid:2024017; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, created_at 2017_02_24, updated_at 2017_02_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Common Paypal Phishing URI Feb 24 2017"; flow:to_server,established; content:"GET"; http_method; content:"/webapps/"; http_uri; content:"/websrc"; distance:5; within:7; http_uri; fast_pattern; pcre:"/\/webapps\/[a-f0-9]{5}\/websrc/Ui"; classtype:trojan-activity; sid:2024018; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, created_at 2017_02_24, updated_at 2017_02_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Landing Feb 24 2017"; flow:from_server,established; file_data; content:"<title></title>"; nocase; fast_pattern; content:"<meta name=|22|application-name|22 20|content=|22|PayPal"; distance:0; classtype:trojan-activity; sid:2024019; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, created_at 2017_02_24, updated_at 2017_02_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RIG EK URI Struct Feb 26 2017"; flow:established,to_server; urilen:>90; content:"oq="; http_uri; fast_pattern:only; pcre:"/^\/\?o?q=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+&o?q=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+$/U"; content:!"Cookie|3a|"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2024020; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_kit_RIG, signature_severity Major, created_at 2017_02_27, malware_family Exploit_Kit_RIG, performance_impact Low, updated_at 2017_02_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Feb 26 2016"; flow:established,from_server; file_data; content:"|3d 20 28 2f 2a 67 66 2a 2f 22 73 5c 78 37 35 62 73 22 29 2b 2f 2a 67 66 2a 2f 22 74 72 22 3b|"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2024021; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_kit_RIG, signature_severity Major, created_at 2017_02_27, malware_family Exploit_Kit_RIG, performance_impact Low, updated_at 2017_02_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Dropbox Phishing Landing Feb 27 2017"; flow:from_server,established; file_data; content:"<title>Dropbox"; nocase; fast_pattern; content:"app.png"; nocase; distance:0; content:"live.png"; nocase; distance:0; content:"off.png"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025689; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_27, updated_at 2018_07_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Vanguard Phish Mar 06 2017"; flow:to_server,established; content:"POST"; http_method; content:"dmform-0="; depth:9; nocase; http_client_body; content:"&label-dmform-0=User+name"; nocase; distance:0; http_client_body; content:"&label-dmform-1=Password"; nocase; distance:0; http_client_body; content:"&label-dmform-8=Account+Email"; nocase; distance:0; http_client_body; content:"&label-dmform-9=Password"; nocase; distance:0; http_client_body; content:"&dmformsubject=Vang"; nocase; distance:0; http_client_body; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024032; rev:1; metadata:created_at 2017_03_06, updated_at 2017_03_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Android Fake AV Download Landing Mar 06 2017"; flow:to_server,established; content:"GET"; http_method; content:".php?model="; nocase; http_uri; content:"&brand="; nocase; distance:0; http_uri; content:"&osversion="; nocase; distance:0; http_uri; content:"&ip="; nocase; distance:0; http_uri; content:"&voluumdata=BASE64"; nocase; distance:0; http_uri; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024033; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Internet, signature_severity Minor, created_at 2017_03_06, malware_family Fake_Alert, updated_at 2017_03_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Docusign Phishing Landing Mar 08 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>|26 23|68|3b 26 23|111|3b 26 23|99|3b 26 23|117|3b 26 23|115|3b 26 23|105|3b 26 23|103|3b 26 23|110|3b|"; fast_pattern:33,20; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025662; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_03_08, updated_at 2018_07_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK March 07 2017"; flow:established,from_server; file_data; content:"|3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 31 70 78 3b 20 68 65 69 67 68 74 3a 20 31 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 20 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; fast_pattern:70,20; pcre:"/^\s*\x27[^\x27\x3b\r\n]+\x27width=\x27250\x27\sheight=\x27250\x27\>/Ri"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024037; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2017_03_08, performance_impact Low, updated_at 2017_03_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Fake Font DL March 09 2017"; flow:from_server,established; content:"Content-Disposition|3a|"; nocase; http_header; content:"|43 68 72 ce bf 6d 65|"; nocase; http_header; fast_pattern:only; content:"|66 ce bf 6e 74|"; nocase; http_header; content:"|2e 65 78 65|"; nocase; http_header; file_data; content:"MZ"; within:2; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024040; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_09, updated_at 2017_03_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Mar 09 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>System Virus Alert"; nocase; fast_pattern:5,20; content:"|3a|-webkit-full-screen"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024042; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_09, updated_at 2017_03_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Paypal Phish Mar 13 2017"; flow:to_server,established; content:"POST"; http_method; content:"yass_email="; depth:11; nocase; http_client_body; content:"&yass_password="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogin="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024046; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_13, updated_at 2017_03_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful National Bank Phish Mar 13 2017"; flow:to_server,established; content:"POST"; http_method; content:"aliasDispatcher="; depth:16; nocase; http_client_body; content:"&indBNCFunds="; nocase; distance:0; http_client_body; content:"&accountNumber1="; nocase; distance:0; http_client_body; content:"&cardExpirDate="; nocase; distance:0; http_client_body; fast_pattern; content:"&registrationMode="; nocase; distance:0; http_client_body; content:"&cardActionTypeSelected="; nocase; distance:0; http_client_body; content:"&language="; nocase; distance:0; http_client_body; content:"&clientIpAdress="; nocase; distance:0; http_client_body; content:"&clientUserAgent="; nocase; distance:0; http_client_body; content:"&clientScreenResolution="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024047; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_13, updated_at 2017_03_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017"; flow:established,to_server; urilen:>90; content:"oq="; http_uri; fast_pattern:only; pcre:"/(?=.*?[?&]oq=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+(?:&|$)).*?[?&]q=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+(?:&|$)/U"; content:!"Cookie|3a|"; flowbits:set,ET.RIGEKExploit; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024048; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_kit_RIG, signature_severity Major, created_at 2017_03_13, malware_family Exploit_Kit_RIG, performance_impact Low, updated_at 2017_03_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2"; flow:established,to_server; urilen:>90; content:"QMvXcJ"; http_uri; pcre:"/(?=.*?=[^&]{3,4}QMvXcJ).*?=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+&.*?=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+(?:&|$)/U"; content:!"Cookie|3a|"; flowbits:set,ET.RIGEKExploit; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024049; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_kit_RIG, signature_severity Major, created_at 2017_03_13, malware_family Exploit_Kit_RIG, performance_impact Low, updated_at 2017_03_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS INTERAC Payment Multibank Phishing Landing Mar 14 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta property=|22|og|3a|title|22 20|content=|22|Deposit your INTERAC e-Transfer|22|"; nocase; content:"<title>INTERAC e-Transfer"; nocase; distance:0; fast_pattern:5,20; content:"INTERAC|25|20e-Transfer"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025679; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_14, updated_at 2018_07_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful ANZ Internet Banking Phish Mar 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"typ="; depth:4; nocase; http_client_body; content:"&cid="; nocase; distance:0; http_client_body; content:"&cpass="; nocase; distance:0; http_client_body; content:"&homepn="; nocase; distance:0; http_client_body; content:"&workpn="; nocase; distance:0; http_client_body; content:"&mobilepn="; nocase; distance:0; http_client_body; content:"&telepass="; nocase; distance:0; http_client_body; content:"&ccnumber="; nocase; distance:0; http_client_body; fast_pattern; content:"&cvv="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024050; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_14, updated_at 2017_03_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Instagram Phish Mar 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"cek=login"; depth:9; nocase; http_client_body; fast_pattern; content:"&username="; nocase; distance:0; http_client_body; content:"&password="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024051; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_14, updated_at 2017_03_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Paypal Phish Mar 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"login_cmd="; depth:10; nocase; http_client_body; content:"&login_params="; nocase; distance:0; http_client_body; content:"&login_email="; nocase; distance:0; http_client_body; content:"&login_password="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogin="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024052; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_14, updated_at 2017_03_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Payload Download M1 Mar 14 2017"; flow:established,from_server; file_data; content:"|2e de 08 bb 99 8a 7b 6c|"; within:8; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024053; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Terror, signature_severity Major, created_at 2017_03_14, malware_family Exploit_Kit_Terror, updated_at 2017_03_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Payload Download M2 Mar 14 2017"; flow:established,from_server; file_data; content:"|5e 5a a3 90 b9 31 7b 54|"; within:8; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024054; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Terror, signature_severity Major, created_at 2017_03_14, malware_family Exploit_Kit_Terror, updated_at 2017_03_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Payload RC4 Key M1 Mar 14 2017"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"uylzJB3mWrFjellI9iDFGQjO"; fast_pattern:only; content:"("; pcre:"/^\s*[\x22\x27]\s*http[^\x22\x27]+\.php\s*[\x22\x27]\s*\x2c\s*[\x22\x27]\s*uylzJB3mWrFjellI9iDFGQjO/Rs"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024055; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_14, malware_family terror_EK, performance_impact Moderate, updated_at 2017_03_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful iCloud Phish Mar 15 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta http-equiv=|22|Content-Type|22|"; nocase; content:"alert"; content:"|41 70 70 6c 65 20 49 44|"; nocase; within:20; fast_pattern; content:"|68 69 73 74 6f 72 79 2e 62 61 63 6b|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024059; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_15, updated_at 2017_03_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Apple Phish M1 Mar 15 2017"; flow:to_server,established; content:"POST"; http_method; content:"appid="; depth:6; nocase; http_client_body; fast_pattern; content:"|25|40"; distance:0; http_client_body; content:"&pwd"; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024060; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_15, updated_at 2017_03_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Apple Phish M2 Mar 15 2017"; flow:to_server,established; content:"POST"; http_method; content:"fname="; depth:6; nocase; http_client_body; content:"&dob="; nocase; distance:0; http_client_body; content:"&cchn="; nocase; distance:0; http_client_body; content:"&ccnum="; nocase; distance:0; http_client_body; fast_pattern; content:"&expdate="; nocase; distance:0; http_client_body; content:"&cvv2="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024061; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_15, updated_at 2017_03_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Live Email Account Phishing Landing Mar 16 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta name="; nocase; content:"mswebdialog-title"; nocase; distance:1; within:18; content:"Arcadis Office 365"; nocase; within:50; fast_pattern; content:"<title>Sign In"; nocase; within:50; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025664; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_16, updated_at 2018_07_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK March 15 2017"; flow:established,from_server; file_data; content:"iframe"; nocase; content:"src"; nocase; pcre:"/^\s*=\s*[\x22\x27][Hh][Tt][Tt][Pp][Ss]?\x3a\x2f\x2f[^\x2f]+\x2f(?=[^\x2f\x22\x27]+=[^\x2f\x22\x27&]{0,5}QMvXcJ)[^\x2f\x22\x27]{90}/Rs"; content:"QMvXcJ"; fast_pattern:only; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024092; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2017_03_17, performance_impact Low, updated_at 2017_03_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK March 15 2017 M2"; flow:established,from_server; file_data; content:"<iframe"; within:7; pcre:"/^(?:\s+style=\x27hidden\x27)?\s+src=\x27https?\x3a[^>\x22\x27]+[\x22\x27]\s*width=\x270\x27\s+/Ri";content:"|68 65 69 67 68 74 3d 27 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c|"; within:34; isdataat:100; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024093; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2017_03_17, performance_impact Low, updated_at 2017_03_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Paypal Phish Mar 22 2017"; flow:to_server,established; content:"POST"; http_method; content:"identif="; depth:8; nocase; http_client_body; content:"&elserr="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogin="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024100; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_22, updated_at 2017_03_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish Mar 27 2017"; flow:to_server,established; content:"POST"; http_method; content:"FromPreSignIn_SIP="; depth:18; nocase; http_client_body; fast_pattern; content:"&LANGUAGE="; nocase; distance:0; http_client_body; content:"&RSA_DEVPRINT="; nocase; distance:0; http_client_body; content:"&K1="; nocase; distance:0; http_client_body; content:"&Q1="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024101; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_27, updated_at 2017_03_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Tangerine Bank Phish M1 Mar 27 2017"; flow:to_server,established; content:"POST"; http_method; content:"act="; depth:4; nocase; http_client_body; content:"&command="; nocase; distance:16; within:9; http_client_body; fast_pattern; content:"&PIN="; nocase; distance:0; http_client_body; content:"&Go="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024102; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_27, updated_at 2017_03_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Tangerine Bank Phish M2 Mar 27 2017"; flow:to_server,established; content:"POST"; http_method; content:"account="; depth:8; nocase; http_client_body; content:"&pin"; nocase; distance:16; within:4; http_client_body; content:"&command="; nocase; distance:0; http_client_body; content:"&PrimaryApplicant="; nocase; distance:0; http_client_body; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024103; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_27, updated_at 2017_03_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Online Document Phishing Landing M1 Mar 25 2017"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"Your session has timed out"; fast_pattern; nocase; content:"Click OK to sign in and continue"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025694; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_27, performance_impact Low, updated_at 2018_07_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Malicious Macro DL BIN March 2017"; flow:established,to_server; content:"GET"; http_method; content:"?showforum="; http_uri; fast_pattern:only; pcre:"/\?showforum=$/Ui"; content:!".php"; http_uri; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; metadata: former_category CURRENT_EVENTS; reference:md5,ad575f6795526f2ee5e730f76a3b5346; classtype:trojan-activity; sid:2024109; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_29, performance_impact Moderate, updated_at 2017_03_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MalDoc Retrieving Payload March 30 2017"; flow:to_server,established; content:"GET"; http_method; content:"/mang.bbk"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/mang\.bbk$/Ui"; metadata: former_category CURRENT_EVENTS; reference:md5,33018afc5ef9818eee0f3833d1f738b0; classtype:trojan-activity; sid:2024122; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_30, malware_family Maldoc, performance_impact Moderate, updated_at 2017_03_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Banco do Brasil Phish Mar 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"telefone="; depth:9; nocase; http_client_body; content:"&senha6="; nocase; distance:0; http_client_body;  fast_pattern; content:"&ir="; nocase; distance:0; http_client_body; content:"&agencia="; nocase; distance:0; http_client_body; content:"&conta="; nocase; distance:0; http_client_body; content:"&senha8="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024328; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_03_30, updated_at 2017_05_25;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M1"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|12|wide.singldays.top"; distance:1; within:19; fast_pattern; metadata: former_category CURRENT_EVENTS; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024124; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_31, updated_at 2017_03_31;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M2"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|15|wine.industrialzz.top"; distance:1; within:22; fast_pattern:2,20; metadata: former_category CURRENT_EVENTS; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024125; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_31, updated_at 2017_03_31;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M3"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|14|one.industrialzz.top"; distance:1; within:21; fast_pattern:1,20; metadata: former_category CURRENT_EVENTS; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024126; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_31, updated_at 2017_03_31;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M4"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|13|web.machinerysc.top"; distance:1; within:20; fast_pattern; metadata: former_category CURRENT_EVENTS; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024127; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_31, updated_at 2017_03_31;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M5"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|12|sub.contentedy.top"; distance:1; within:19; fast_pattern; metadata: former_category CURRENT_EVENTS; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024128; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_31, updated_at 2017_03_31;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M6"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|14|check-work-18799.top"; distance:1; within:21; fast_pattern:1,20; metadata: former_category CURRENT_EVENTS; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024129; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_31, updated_at 2017_03_31;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M7"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|15|asp.refreshmentnu.top"; distance:1; within:22; fast_pattern:2,20; metadata: former_category CURRENT_EVENTS; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024130; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_31, updated_at 2017_03_31;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M8"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|15|get.resemblanceao.bid"; distance:1; within:22; fast_pattern:2,20; metadata: former_category CURRENT_EVENTS; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024131; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_31, updated_at 2017_03_31;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M9"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|14|sip.discoveredzp.bid"; distance:1; within:21; fast_pattern:1,20; metadata: former_category CURRENT_EVENTS; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024132; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_31, updated_at 2017_03_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M1"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|0"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; metadata: former_category CURRENT_EVENTS; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024133; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2017_03_31, malware_family RIG, updated_at 2017_03_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M2"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|1"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; metadata: former_category CURRENT_EVENTS; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024134; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2017_03_31, updated_at 2017_03_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M3"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|2"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; metadata: former_category CURRENT_EVENTS; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024135; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2017_03_31, updated_at 2017_03_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M4"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|3"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; metadata: former_category CURRENT_EVENTS; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024136; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2017_03_31, malware_family RIG, updated_at 2017_03_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M5"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|4"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; metadata: former_category CURRENT_EVENTS; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024137; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2017_03_31, malware_family RIG, updated_at 2017_03_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M6"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|5"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; metadata: former_category CURRENT_EVENTS; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024138; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2017_03_31, malware_family RIG, updated_at 2017_03_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M7"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|6"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; metadata: former_category CURRENT_EVENTS; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024139; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2017_03_31, malware_family RIG, updated_at 2017_03_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M8"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|7"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; metadata: former_category CURRENT_EVENTS; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024140; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2017_03_31, malware_family RIG, updated_at 2017_03_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M9"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|8"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; metadata: former_category CURRENT_EVENTS; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024141; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2017_03_31, malware_family RIG, updated_at 2017_03_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M10"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|9"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; metadata: former_category CURRENT_EVENTS; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024142; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2017_03_31, malware_family RIG, updated_at 2017_03_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Mail.ru Phish Apr 04 2017"; flow:to_server,established; content:"POST"; http_method; content:"new_auth_form="; depth:14; nocase; http_client_body; fast_pattern; content:"&page="; nocase; distance:0; http_client_body; content:"&back="; nocase; distance:0; http_client_body; content:"&FromAccount="; nocase; distance:0; http_client_body; content:"&Login="; nocase; distance:0; http_client_body; content:"&selector="; nocase; distance:0; http_client_body; content:"&Username="; nocase; distance:0; http_client_body; content:"&Password="; nocase; distance:0; http_client_body; content:"&saveauth="; nocase; distance:0; http_client_body; content:"&submit="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024167; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_04_04, updated_at 2017_04_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK CVE-2016-0189 Exploit"; flow:established,from_server; file_data; content:"dllcode"; nocase; fast_pattern:only; content:"|28 26 68 34 64 2c 26 68 35 61 2c 26 68 38 30 2c 30 2c 31 2c 30 2c 30 2c 30|"; nocase; content:"GetSpecialFolder"; nocase; metadata: former_category CURRENT_EVENTS; reference:cve,2016-0189; classtype:trojan-activity; sid:2024168; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Terror, signature_severity Major, created_at 2017_04_04, malware_family Exploit_Kit_Terror, performance_impact Low, updated_at 2017_04_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK CVE-2016-0189 Exploit M2"; flow:established,from_server; file_data; content:"|73 74 72 54 6f 49 6e 74 28 4d 69 64 28 6d 65 6d 2c 20 31 2c 20 32 29 29|"; content:"|2b 20 26 48 31 37 34|"; metadata: former_category CURRENT_EVENTS; reference:cve,2016-0189; classtype:trojan-activity; sid:2024169; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Terror, signature_severity Major, created_at 2017_04_04, malware_family Exploit_Kit_Terror, performance_impact Low, updated_at 2017_04_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK CVE-2015-2419 Exploit"; flow:established,from_server; file_data; content:"EB125831C966B9"; nocase; content:"05498034088485C975F7FFE0E8E9FFFFFFD10D61074028D7D5D3B544E0"; distance:2; within:58; nocase; metadata: former_category CURRENT_EVENTS; reference:cve,2016-0189; classtype:trojan-activity; sid:2024170; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Terror, signature_severity Major, created_at 2017_04_04, malware_family Exploit_Kit_Terror, performance_impact Low, updated_at 2017_04_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Terror EK Payload Download"; flow:established,to_server; content:"e=cve"; http_uri; fast_pattern:only; pcre:"/[&?]e=cve\d{8}(?:&|$)/U"; pcre:"/=[a-f0-9]{32,}(?:&|$)/U"; content:!"Referer|3a|"; http_header; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024180; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Terror, signature_severity Major, created_at 2017_04_04, malware_family Exploit_Kit_Terror, performance_impact Low, updated_at 2017_04_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful HM Revenue & Customs Phish M1 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"gender="; depth:7; nocase; http_client_body; fast_pattern; content:"&name1="; nocase; distance:0; http_client_body; content:"&name2="; nocase; distance:0; http_client_body; content:"&day="; nocase; distance:0; http_client_body; content:"&month="; nocase; distance:0; http_client_body; content:"&year="; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; content:"&submitForm="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024184; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_04_07, updated_at 2017_04_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful HM Revenue & Customs Phish M2 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"cnumber="; depth:8; nocase; http_client_body; fast_pattern; content:"&expm="; nocase; distance:0; http_client_body; content:"&expy="; nocase; distance:0; http_client_body; content:"&cvv="; nocase; distance:0; http_client_body; content:"&cname="; nocase; distance:0; http_client_body; content:"&submitForm="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024185; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_04_07, updated_at 2017_04_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Santander Phish M1 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"cpf="; depth:4; nocase; http_client_body; fast_pattern; content:"&next_pag="; nocase; distance:0; http_client_body; content:"&entrar="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024186; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_04_07, updated_at 2017_04_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Santander Phish M2 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"psw_net="; depth:8; nocase; http_client_body; fast_pattern; content:"&cpf="; nocase; distance:0; http_client_body; content:"&continuar_acess="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024187; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_04_07, updated_at 2017_04_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Santander Phish M3 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"psw_4="; depth:6; nocase; http_client_body; fast_pattern; content:"&psw_net="; nocase; distance:0; http_client_body; content:"&cpf="; nocase; distance:0; http_client_body; content:"&proseguir="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024188; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_04_07, updated_at 2017_04_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS MSXMLHTTP DL of HTA (Observed in CVE-2017-0199)"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; content:"Content-Type|3a 20|application/hta|0d 0a|"; http_header; fast_pattern:9,20; nocase;  metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024197; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, cve 2017_0199, signature_severity Major, created_at 2017_04_11, performance_impact Low, updated_at 2017_08_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocENG Payload DL"; flow:established,from_server; content:"|3b 20 66 69 6c 65 6e 61 6d 65 3d 43 68 72 ce bf 6d d0 b5 20 66 ce bf 6e e1 b9 ab 2e 65 78 65|"; http_header; nocase; file_data; content:"MZ"; within:2; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024198; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_11, malware_family EITest, updated_at 2017_04_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocENG Inject M2"; flow:established,from_server; file_data; content:"|69 64 3d 22 70 70 68 68 22 20 3e 54 68 65 20 22 48 6f 65 66 6c 65 72 54 65 78 74 22 20 66 6f 6e 74 20 77 61 73 6e 27 74 20 66 6f 75 6e 64 2e|"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024199; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_11, malware_family EITest, updated_at 2017_04_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocENG Inject M3"; flow:established,from_server; file_data; content:"|69 64 3d 22 62 62 62 31 22 3e 43 6c 69 63 6b 20 6f 6e 20 74 68 65 20 43 68 72 6f 6d 65 5f 46 6f 6e 74 2e 65 78 65|"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024200; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_11, malware_family EITest, updated_at 2017_04_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Known Malicious Expires Header Seen In Malicious JavaScript Downloader Campaign"; flow:established,to_client; content:"Expires|3A| Tue, 08 Jan 1935 00|3A|00|3A|00 GMT"; http_header; fast_pattern:9,20; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024229; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_20, performance_impact Moderate, updated_at 2017_04_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful iCloud Phish Apr 20 2017"; flow:to_server,established; content:"POST"; http_method; content:"ip="; depth:3; nocase; http_client_body; content:"&city="; nocase; distance:0; http_client_body; content:"&country="; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&password="; nocase; distance:0; http_client_body; fast_pattern; content:"&sbBtn="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024231; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_04_20, updated_at 2017_04_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Alitalia Airline Phish Apr 20 2017"; flow:to_server,established; content:"POST"; http_method; content:"carta="; depth:6; nocase; http_client_body; content:"&month="; nocase; distance:0; http_client_body; content:"&cvv="; nocase; distance:0; http_client_body; content:"&year="; nocase; distance:0; http_client_body; content:"&imageField"; nocase; distance:0; http_client_body; content:"&nome="; nocase; distance:0; http_client_body; content:"&VBV="; nocase; distance:0; http_client_body; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024232; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_04_20, updated_at 2017_04_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS ElTest Exploit Kit Redirection Script"; flow:established,to_client; file_data; content:"<script"; nocase; content:"text/javascript"; within:50; nocase; content:"|22|iframe|22|"; within:100; nocase; content:".style.border= |22|0px|22|"; within:200; fast_pattern; nocase; content:"frameborder"; within:100; nocase; content:".setAttribute("; within:50; nocase; content:"document.body.appendChild("; within:100; nocase; content:"= |22|http"; within:100; nocase; content:".src="; distance:0; nocase; content:"<|2F|script>"; within:50; nocase; metadata: former_category CURRENT_EVENTS; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-campaign-evolution-eitest-october-december-2016/; classtype:trojan-activity; sid:2024237; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_24, performance_impact Moderate, updated_at 2017_04_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HoeflerText Chrome Popup DriveBy Download Attempt 1"; flow:established,to_client; file_data; content:"The |22|HoeflerText|22| font wasn't found"; nocase; fast_pattern; content:"you have to update the |22|Chrome Font Pack|22|"; distance:0; nocase; content:"Click on the Chrome_Font.exe"; distance:0; nocase; content:"Latest version"; distance:0; nocase; content:"href=|22|http"; distance:0; nocase; content:"window.chrome"; distance:0; nocase; metadata: former_category CURRENT_EVENTS; reference:url,www.proofpoint.com/us/threat-insight/post/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme; classtype:trojan-activity; sid:2024238; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_24, performance_impact Moderate, updated_at 2017_09_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful OWA Phish Apr 25 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta http-equiv="; nocase; content:"refresh"; nocase; distance:1; within:7; content:"office365.com/owa/"; nocase; distance:0; fast_pattern; content:"<title>Account"; nocase; distance:0; content:"Success"; nocase; within:20; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024999; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_04_25, updated_at 2017_11_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Google App Oauth Phish M1 Mar 3 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Chrome Alert</title>"; fast_pattern:7,20; nocase; content:"<script type=|22|text/javascript|22 20|src=|22|/alert.php?h="; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024266; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, created_at 2017_05_03, updated_at 2017_05_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Google App Oauth Phish M2 Mar 3 2017"; flow:to_server,established; content:"GET"; http_method; content:"/alert.php?h="; depth:13; http_uri; fast_pattern; nocase; content:"/r.php?h="; http_header; content:"|0d 0a|"; distance:32; within:2; http_header; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024267; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_05_03, updated_at 2017_05_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Google App Oauth Phish M3 Mar 3 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/javascript"; http_header; content:"alert="; http_cookie; file_data; content:"navigator.languages"; nocase; content:"Your computer is infected"; nocase; distance:0; fast_pattern:5,20; content:"navegador contiene malware"; nocase; distance:0; content:"navigateur contient MALWARE"; nocase; distance:0; content:"&subid=alertyes"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024268; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_05_03, updated_at 2017_05_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Google App Oauth Phish M4 Mar 3 2017"; flow:to_server,established; content:"GET"; http_method; content:"/tds.php?h="; depth:11; http_uri; fast_pattern; nocase; content:"&subid=alert"; nocase; distance:32; within:12; http_uri; content:"/r.php?h="; http_header; content:"|0d 0a|"; distance:32; within:2; http_header; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024269; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_05_03, updated_at 2017_05_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Bingo Exploit Kit Landing May 08 2017"; flow:established,from_server; file_data; content:"+=String.fromCharCode("; pcre:"/^[a-z]\d{3}\[[a-z]\d{3}\]\^[a-z]\d{3}\)\x3breturn [a-z]\d{3}\x3b\}/R"; content:"|29 29 29 5e|"; fast_pattern:only; content:".text="; pcre:"/^[a-z]\d{3}\x3b[a-z]\d{3}\.getElementsByTagName\([a-z]\d{3}\(new Array\(\d+\,/R"; content:".type="; pcre:"/^[a-z]\d{3}\(new Array\(/R"; flowbits:set,ET.Fiesta.Exploit.URI; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025071; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_10, performance_impact Low, updated_at 2017_11_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Multibrowser Resource Exhaustion observed in Tech Support Scam"; flow:from_server,established; file_data; content:"var|20|total|20|=|20 22 22 3b|"; nocase; content:"total|20|=|20|total"; nocase; distance:0; content:"history.pushState"; nocase; fast_pattern; distance:0; pcre:"/^\s*\(\s*0\s*,\s*0\s*,\s*total\s*\)/Ri"; metadata: former_category CURRENT_EVENTS; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=1246773; classtype:trojan-activity; sid:2024305; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_16, updated_at 2017_05_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) May 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"email"; depth:5; nocase; http_client_body; content:"|25|40"; distance:0; http_client_body; content:"senha"; nocase; http_client_body; fast_pattern; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024576; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_05_24, updated_at 2017_08_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS  (msg:"ET CURRENT_EVENTS Successful Scotiabank Phish M1 May 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"signon_form="; depth:12; nocase; http_client_body; content:"trusteeCompatible="; nocase; distance:0; http_client_body; content:"&user="; nocase; distance:0; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; content:"card-nickname="; nocase; distance:0; http_client_body; fast_pattern; content:"enter_sol="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024326; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_05_24, updated_at 2017_05_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Scotiabank Phish M2 May 24 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?Step=Account"; nocase; http_uri; content:"mmn="; depth:4; nocase; http_client_body; content:"&seccode="; nocase; distance:0; http_client_body; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024327; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_05_24, updated_at 2017_05_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Banco do Brasil Phish May 25 2017"; flow:to_server,established; content:"POST"; http_method; content:"agencia="; depth:8; nocase; http_client_body; content:"&conta="; nocase; distance:0; http_client_body; content:"&senha8="; nocase; distance:0; http_client_body; fast_pattern; content:"&ir="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024329; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_05_25, updated_at 2017_05_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) May 25 2017"; flow:to_server,established; content:"POST"; http_method; content:"handle="; depth:7; nocase; http_client_body; fast_pattern; content:"|25|40"; http_client_body; distance:0; content:"pass"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024577; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_05_25, updated_at 2017_08_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Dropbox Phishing Landing May 31 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Dropbox"; nocase; content:"Select your email provider"; nocase; fast_pattern:6,20; distance:0; content:"Gmail"; nocase; distance:0; content:"Yahoo"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025661; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_05_31, updated_at 2018_07_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) May 31 2017"; flow:to_server,established; content:"POST"; http_method; content:"password="; depth:9; nocase; http_client_body; fast_pattern; content:"&email="; nocase; http_client_body; distance:0; content:"|25|40"; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024578; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_05_31, updated_at 2017_08_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Terror EK Landing URI T1 Jun 02 2017"; flow:established,to_server; content:"/e71cac9dd645d92189c49e2b30ec627a/dcb4c6c6149b2208fbcf7c9d8c59548e"; http_uri; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024343; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Terror, signature_severity Major, created_at 2017_06_02, malware_family Exploit_Kit_Terror, updated_at 2017_06_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Terror EK Payload URI T1 Jun 02 2017"; flow:established,to_server; content:"/d/"; http_uri; content:"/?q=r4&"; http_uri; fast_pattern:only; pcre:"/\&e=(?:cve|flash)/Ui"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024344; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Terror, signature_severity Major, created_at 2017_06_02, malware_family Exploit_Kit_Terror, updated_at 2017_06_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Payload URI T1 Jun 02 2017 M2"; flow:established,from_server; content:"Content-Description|3a 20|File Transfer"; http_header; pcre:"/Content-Disposition\x3a[^\r\n]+\.exe-rc4\.exe\r\n/Hi"; content:"ci_session"; http_cookie; content:"Expires|3a 20|0"; http_header; file_data; content:!"MZ"; within:2; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024345; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Terror, signature_severity Major, created_at 2017_06_02, malware_family Exploit_Kit_Terror, updated_at 2017_06_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Landing T1 Jun 02 2017 M1"; flow:established,from_server; file_data; content:"|3c 70 61 72 61 6d 20 6e 61 6d 65 3d 46 6c 61 73 68 56 61 72 73 20 76 61 6c 75 65 3d 22 69 64 64 71 64 3d 27|"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024346; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Terror, signature_severity Major, created_at 2017_06_02, malware_family Exploit_Kit_Terror, updated_at 2017_06_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Landing T1 Jun 02 2017 M2"; flow:established,from_server; file_data; content:"|25 37 37 25 37 33 25 36 33 25 37 32 25 36 39 25 37 30 25 37 34 25 32 45 25 36 35 25 37 38 25 36 35|"; content:"|2e 53 74 61 72 74 52 65 6d 6f 74 65 44 65 73 6b 74 6f 70|"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024347; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Terror, signature_severity Major, created_at 2017_06_02, malware_family Exploit_Kit_Terror, updated_at 2017_06_02;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS SUSPICIOUS DNS Request for Grey Advertising Often Leading to EK"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|roughted|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category CURRENT_EVENTS; reference:url,blog.malwarebytes.com/cybercrime/2017/05/roughted-the-anti-ad-blocker-malvertiser; classtype:trojan-activity; sid:2024349; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_05, malware_family Malvertising, malware_family RoughTed, performance_impact Low, updated_at 2017_06_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Request for Grey Advertising Often Leading to EK"; flow:established,to_server; content:"GET"; http_method; content:"/?&tid="; http_uri; fast_pattern; content:"&red="; http_uri; distance:0; content:"&abt="; http_uri; distance:0; content:"&v="; http_uri; distance:0; content:!"Referer|3a|"; http_header; metadata: former_category CURRENT_EVENTS; reference:url,blog.malwarebytes.com/cybercrime/2017/05/roughted-the-anti-ad-blocker-malvertiser; classtype:trojan-activity; sid:2024350; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_05, malware_family Malvertising, malware_family RoughTed, performance_impact Moderate, updated_at 2017_06_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK RIP Landing M1 B641"; flow:established,from_server; file_data; content:"|4a694270626e525562314e30636968685a4752794b|"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024353; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2017_06_07, malware_family Exploit_Kit, updated_at 2017_06_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK RIP Landing M1 B642"; flow:established,from_server; file_data; content:"|596761573530564739546448496f5957526b6369|"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024354; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2017_06_07, malware_family Exploit_Kit, updated_at 2017_06_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK RIP Landing M1 B643"; flow:established,from_server; file_data; content:"|6d49476c7564465276553352794b47466b5a484970|"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024355; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2017_06_07, malware_family Exploit_Kit, updated_at 2017_06_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK RIP Landing M2 B641"; flow:established,from_server; file_data; content:"|496d784a62477873496a6f69646d6c7964485668624842796233526c5933|"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024356; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2017_06_07, malware_family Exploit_Kit, updated_at 2017_06_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK RIP Landing M2 B642"; flow:established,from_server; file_data; content:"|4a735357787362434936496e5a70636e523159577877636d39305a574e30|"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024357; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2017_06_07, malware_family Exploit_Kit, updated_at 2017_06_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK RIP Landing M2 B643"; flow:established,from_server; file_data; content:"|6962456c73624777694f694a3261584a306457467363484a766447566a64|"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024358; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2017_06_07, malware_family Exploit_Kit, updated_at 2017_06_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK RIP Landing M3 B641"; flow:established,from_server; file_data; content:"|593268796479677a4d6a63324e79|"; pcre:"/(?:NocncoMjE3Ni|Y2hydygyMTc2K|jaHJ3KDIxNzYp)/"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024359; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2017_06_07, malware_family Exploit_Kit, updated_at 2017_06_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK RIP Landing M3 B642"; flow:established,from_server; file_data; content:"|6a61484a334b444d794e7a59334b|"; pcre:"/(?:NocncoMjE3Ni|Y2hydygyMTc2K|jaHJ3KDIxNzYp)/"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024360; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2017_06_07, malware_family Exploit_Kit, updated_at 2017_06_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK RIP Landing M3 B643"; flow:established,from_server; file_data; content:"|4e6f636e636f4d7a49334e6a6370|";pcre:"/(?:NocncoMjE3Ni|Y2hydygyMTc2K|jaHJ3KDIxNzYp)/";  metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024361; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2017_06_07, malware_family Exploit_Kit, updated_at 2017_06_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK RIP Landing M4 B641"; flow:established,from_server; file_data; content:"|657949784e7a51784e6949364e4441344d44597a4e6977694d5463304f5459694f6a51774f4441324d7a5973496a45334e6a4d78496a6f304d4467304e7a51344c4349784e7a59304d43|"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024362; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2017_06_07, malware_family Exploit_Kit, updated_at 2017_06_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK RIP Landing M4 B642"; flow:established,from_server; file_data; content:"|73694d5463304d5459694f6a51774f4441324d7a5973496a45334e446b32496a6f304d4467774e6a4d324c4349784e7a597a4d5349364e4441344e4463304f4377694d5463324e444169|"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024363; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2017_06_07, malware_family Exploit_Kit, updated_at 2017_06_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jun 08 2017"; flow:to_server,established; content:"POST"; http_method; content:"id="; nocase; http_client_body; content:"&Pass"; nocase; http_client_body; distance:0; content:"formimage"; nocase; http_client_body; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024579; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_06_07, updated_at 2017_08_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing (warning.mp3) Jan 24 2017"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<audio autoplay="; content:"<source src="; distance:0; content:"warning.mp3|22|"; fast_pattern; distance:0; content:"audio/mpeg"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024365; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_06_08, malware_family Tech_Support_Scam, performance_impact Moderate, updated_at 2017_06_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Bingo EK Payload Download"; flow:established,to_server; urilen:116; content:"/?"; depth:2; http_uri; pcre:"/^\/\?[a-f0-9]{114}$/U"; content:"WinHttp.WinHttpRequest.5"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024367; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Bingo, signature_severity Major, created_at 2017_06_08, malware_family Exploit_Kit, performance_impact Low, updated_at 2017_06_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Poste Italiane Phish Jun 08 2017"; flow:to_server,established; content:"POST"; http_method; content:"/foo-autenticazione.php"; http_uri; fast_pattern; isdataat:!1,relative; content:"pass"; nocase; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024370; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_06_09, updated_at 2017_06_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Banco Itau (BR) Phish Jun 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"agencia="; nocase; http_client_body; content:"&conta="; nocase; distance:0; http_client_body; content:"&senha_eletronica="; nocase; distance:0; http_client_body; fast_pattern; content:"&senha_cartao="; nocase; distance:0; http_client_body; content:"&celular="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024371; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_06_09, updated_at 2017_06_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful BBVA Phish Jun 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"cuenta="; depth:7; nocase; http_client_body; fast_pattern; content:"&cuenta="; nocase; distance:0; http_client_body; content:"&nvoWizard="; nocase; distance:0; http_client_body; content:"&domain="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024372; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_06_09, updated_at 2017_06_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Apple Phish Jun 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"AppleSession"; http_cookie; content:"Cookie|3a 20|AppleSession"; fast_pattern:only; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024374; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_06_09, updated_at 2017_06_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Generic Credit Card Information in HTTP POST - Possible Successful Phish Jun 12 2017"; flow:to_server,established; content:"POST"; http_method; content:"cnum="; depth:5; nocase; http_client_body; content:"&exp="; nocase; distance:0; http_client_body; content:"&cvv="; nocase; distance:0; http_client_body; content:"&pin="; nocase; distance:0; http_client_body; content:"&ssn="; nocase; distance:0; http_client_body; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024377; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_06_12, updated_at 2017_06_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Nemucod JS Downloader June 12 2017"; flow:established,to_server; pcre:"/\/[A-Za-z0-9]{5,7}\?+[A-Za-z0-9]{6,12}=[A-Za-z0-9]{6,12}$/U"; content:"Accept|3a 20 2a 2f 2a 0d 0a|Accept-Language|3a|"; http_header; depth:29; content:"Firefox/51.0"; http_header; fast_pattern; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024380; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag WS_JS_Downloader, signature_severity Major, created_at 2017_06_13, malware_family Nemucod, performance_impact Low, updated_at 2017_06_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RIG EK URI Struct Jun 13 2017"; flow:established,to_server; urilen:>90; content:"/?"; http_uri; depth:2; content:"=x"; fast_pattern; http_uri; pcre:"/=x[HX3][^&]Q[cdM][^&]{3}[ab]R/U"; content:!"Cookie|3a|"; flowbits:set,ET.RIGEKExploit; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024381; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_kit_RIG, signature_severity Major, created_at 2017_06_13, malware_family Exploit_Kit_RIG, performance_impact Low, updated_at 2017_06_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible iCloud Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>iCloud</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024385; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_06_16, updated_at 2017_06_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Google Docs Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Google Docs</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024386; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_06_16, updated_at 2017_06_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Docusign Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Docusign</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024387; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_06_16, updated_at 2017_06_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dropbox Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Meet Google Drive - One Place For All Your Files</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024388; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_06_16, updated_at 2017_06_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Alibaba Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Alibaba&nbsp|3b|Manufacturer&nbsp|3b|Directory"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024389; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_06_16, updated_at 2017_06_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Yahoo Phishing Landing - Title over non SSL"; flow:established,to_client; content:!"Server|3a 20|YTS"; http_header; file_data; content:"<title>Yahoo - login"; fast_pattern; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024390; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_06_16, updated_at 2017_06_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Paypal Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>"; nocase; content:"your PayPal account"; nocase; within:100; fast_pattern; pcre:"/<title>\s*(?:log\s*in|sign\s*in)/i"; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024391; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_06_16, updated_at 2017_06_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Excel Online Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Excel Online"; nocase; content:!"Training"; nocase; within:25; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024392; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_06_16, updated_at 2017_07_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Free Mobile Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Free Mobile - Bienvenue dans votre Espace"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024393; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_06_16, updated_at 2017_06_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible AOL Mail Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>AOL Mail|3a 20|Simple, Free, Fun</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024394; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_06_16, updated_at 2017_06_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible OWA Mail Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Outlook Web Access</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024395; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_06_16, updated_at 2017_06_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible OWA Mail Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Outlook Web App</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024396; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_06_16, updated_at 2017_06_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Facebook Help Center Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Facebook Help Center</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024397; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_06_16, updated_at 2017_06_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Yahoo Phishing Landing - Title over non SSL"; flow:established,to_client; content:!"Server|3a 20|YTS"; http_header; file_data; content:"<title>Yahoo! Mail"; fast_pattern; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024398; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_06_16, updated_at 2017_06_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Adobe PDF Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Adobe PDF</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024399; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_06_16, updated_at 2017_06_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible DHL Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<TITLE>DHL |7c| Tracking</TITLE>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024400; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_06_16, updated_at 2017_06_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Adobe ID Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<TITLE>Sign In - Adobe ID</TITLE>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024401; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_06_16, updated_at 2017_06_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Facebook Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Welcome to Facebook</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024402; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_06_16, updated_at 2017_06_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dropbox Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Dropbox Business</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024403; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_06_16, updated_at 2017_06_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2017-0199 Common Obfus Stage 2 DL"; flow:established,from_server; file_data; content:"|7b 5c 72 74|"; within:4; content:!"|66|"; within:1; content:"|5C 6F 62 6A 61 75 74 6C 69 6E 6B|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; reference:md5,8168b2305289ecc778216405d1fd7984; reference:cve,2017-0199; classtype:trojan-activity; sid:2024413; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_19, performance_impact Low, updated_at 2017_06_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Broken/Filtered Payload Download Jun 19 2017"; flow:established,from_server; content:"Content-Length|3a 20|8|0d 0a|"; http_header; fast_pattern; file_data; content:"|6e 6f 62 69 6e 72 65 74|"; within:8; isdataat:!1,relative; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024414; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_19, malware_family Exploit_Kit_RIG, performance_impact Low, updated_at 2017_06_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Amazon Phish Landing Jun 22 2017"; flow:to_client,established; content:"200"; http_stat_code; file_data; content:"Amazon Sign In</title>"; nocase; content:"account is connected with Amazon"; distance:0; nocase; content:"name=|22|signin|22 20|method=|22|post|22 20|novalidate action=|22 22|"; nocase; distance:0; content:"type=|22|password|22 20|id=|22|ap_password"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024422; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_23, performance_impact Moderate, updated_at 2018_04_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Watering Hole Redirect Inject Jun 28 2017"; flow:established,from_server; file_data; content:"REMOTE_URL"; content:"C_TIMEOUT"; distance:0; content:"apply_payload"; distance:0; fast_pattern; content:"execute_request"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024431; rev:1; metadata:deployment Perimeter, signature_severity Major, created_at 2017_06_28, performance_impact Low, updated_at 2017_06_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Landing Jun 28 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data;content:"<title>"; content:"|26 23|x50|3b 26 23|x61|3b 26 23|x79|3b 26 23|x50|3b 26 23|x61|3b 26 23|x6C|3b|"; fast_pattern:16,20; within:50; content:"</title>"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025660; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_06_28, updated_at 2018_07_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET CURRENT_EVENTS Suspicious FTP RETR to .hta file possible exploit (CVE-2017-0199)"; flow:established,to_server; content:"|2e|hta|0d 0a|"; nocase; fast_pattern:only; content:"RETR "; pcre:"/^[^\r\n]+\.hta\r?\n/Ri"; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024434; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_29, performance_impact Low, updated_at 2017_06_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Chase Mobile Phishing Landing M2"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>"; nocase; content:"|26 23|67|3b 26 23|104|3b 26 23|97|3b 26 23|115|3b 26 23|101|3b 26 23|32|3b 26 23|66|3b 26 23|97|3b 26 23|110|3b 26 23|107|3b|"; within:70; fast_pattern:34,20; content:"</title>"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025691; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_07_05, updated_at 2018_07_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jul 06 2017"; flow:to_server,established; content:"POST"; http_method; content:"b2="; depth:3; nocase; http_client_body; content:"&b1="; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024580; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_07_06, updated_at 2017_08_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl"; flow:to_server,established; content:".hta"; fast_pattern:only; http_uri; pcre:"/\.hta(?:[?&]|$)/Ui"; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b|"; http_header; content:!"Referer|3a|"; http_header; content:!"|0d 0a|Cookie|3a|"; metadata: former_category CURRENT_EVENTS; reference:md5,66a42e338e32fb6c02c9d4c56760d89d; classtype:attempted-user; sid:2024449; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, cve 2017_0199, created_at 2017_07_07, updated_at 2017_07_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Tech Support Phone Scam M2 Jul 07 2017"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>"; nocase; content:"microsoft official support"; nocase; within:50; fast_pattern:6,20; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024444; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Tech_Support_Scam, signature_severity Minor, created_at 2017_07_07, updated_at 2017_07_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Tech Support Phone Scam M1 Jul 07 2017"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>"; nocase; content:"security error 0x00759b"; nocase; within:50; fast_pattern:3,20; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024445; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Tech_Support_Scam, signature_severity Minor, created_at 2017_07_07, updated_at 2017_07_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Tech Support Phone Scam M3 Jul 07 2017"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>"; nocase; content:"virus warning alert"; nocase; within:50; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024446; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Tech_Support_Scam, signature_severity Minor, created_at 2017_07_07, updated_at 2017_07_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Apple Tech Support Phone Scam Jul 07 2017"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>"; nocase; content:"official apple support"; nocase; within:50; fast_pattern:2,20; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024447; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Tech_Support_Scam, signature_severity Minor, created_at 2017_07_07, updated_at 2017_07_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Tech Support Phone Scam M4 Jul 07 2017"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>"; nocase; content:"windows official support"; nocase; within:50; fast_pattern:4,20; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024448; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Tech_Support_Scam, signature_severity Minor, created_at 2017_07_07, updated_at 2017_07_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Phishing Blockchain title over non SSL Jul 10 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>"; content:"bitcoin wallet - blockchain"; nocase; within:50; fast_pattern:7,20; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024450; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_07_10, updated_at 2017_07_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jul 10 2017"; flow:to_server,established; content:"POST"; http_method; content:"id="; depth:3; nocase; http_client_body; content:"&pd="; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024581; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_07_10, updated_at 2017_08_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Facebook Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>"; nocase; content:"facebook email security"; within:40; nocase; fast_pattern:3,20; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024451; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_07_10, updated_at 2017_07_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Capitech Internet Banking Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Capitec Internet Banking</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024453; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_07_11, updated_at 2017_07_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jul 11 2017"; flow:to_server,established; content:"POST"; http_method; content:"IDToken"; depth:7; nocase; http_client_body; content:"&IDToken"; nocase; http_client_body; distance:0; fast_pattern; content:"&IDToken"; nocase; http_client_body; distance:0; content:"&IDToken"; nocase; http_client_body; distance:0; content:"&IDToken"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024582; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_07_11, updated_at 2017_08_16;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Generic 107 Phish Jul 13 2017"; flow:to_server,established; content:"POST"; http_method; content:"-login.id-107sbtd9cbhsbt"; nocase; http_header; fast_pattern:4,20; pcre:"/^Host\x3a\x20[^\r\n]+\-login\.id\-107sbtd9cbhsbt[^\r]+$/Hmi"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024463; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_07_12, updated_at 2017_10_06;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query to Generic 107 Phishing Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"login"; nocase; distance:0; content:"107sbtd9cbhsbt"; fast_pattern; distance:0; nocase; threshold:type limit, track by_src, count 1, seconds 30; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024464; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_07_12, updated_at 2017_07_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Tesco Bank Phish (set) Jul 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"username="; depth:9; http_client_body; nocase; fast_pattern; content:"&login.x="; nocase; distance:0; http_client_body; content:"&login.y="; nocase; distance:0; http_client_body; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025021; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_07_17, updated_at 2017_11_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Tesco Phish (set) M1 Jul 18 2017"; flow:to_server,established; content:"POST"; http_method; content:"1="; depth:2; nocase; http_client_body; content:"&password="; nocase; distance:0; http_client_body; content:"&cvv1="; nocase; distance:0; http_client_body; fast_pattern; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025022; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_07_17, updated_at 2017_11_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Tesco Phish (set) M2 Jul 18 2017"; flow:to_server,established; content:"POST"; http_method; content:"access1="; depth:8; nocase; http_client_body; fast_pattern; content:"&next.x="; nocase; distance:0; http_client_body; content:"&next.y="; nocase; distance:0; http_client_body; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025023; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_07_17, updated_at 2017_11_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Tesco Phish (set) M3 Jul 18 2017"; flow:to_server,established; content:"POST"; http_method; content:"access2="; depth:8; nocase; http_client_body; fast_pattern; content:"&formimage1.x="; nocase; distance:0; http_client_body; content:"&formimage1.y="; nocase; distance:0; http_client_body; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025024; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_07_17, updated_at 2017_11_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Tesco Phish (set) M4 Jul 18 2017"; flow:to_server,established; content:"POST"; http_method; content:"email="; depth:6; nocase; http_client_body; content:"&emailpass="; nocase; distance:0; http_client_body; fast_pattern; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025025; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_07_17, updated_at 2017_11_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Scam Landing Jul 19 2017"; flow:from_server,established; content:"200"; http_stat_code; file_data; content:"function getSystemInfo"; nocase; distance:0; content:"OnChatTextKeyDown"; nocase; distance:0; fast_pattern; content:"function scrollcheck"; nocase; distance:0; content:"function callconv"; nocase; distance:0; content:"function istyping"; nocase; distance:0; content:"function dochat"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024480; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_07_18, updated_at 2017_07_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest Inject July 25 2017"; flow:established,from_server; file_data; content:"var a=a|7c 7c|window.event|3b|doOpen|28 22|http"; nocase; pcre:"/^s?\x3a\x2f\x2f[^\x22\x27]+\/\?[A-Za-z0-9]{5,6}(?:=[^&\x22\x27]+)?[\x22\x27]\x29\x3bsetCookie\(\x22popundr\x22,1,864e5\)\}/Ri"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024493; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2017_07_25, malware_family EITest, performance_impact Low, updated_at 2017_07_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS EITest Keitaro Evil Redirect Leading to SocENG July 25 2017"; flow:established,to_server; content:"/?nbVykj"; pcre:"/\/\?nbVykj$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024494; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2017_07_25, malware_family EITest, performance_impact Low, updated_at 2017_07_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG encrypted payload M1 Aug 01 2017"; flow:established,to_client; file_data; content:"|73 29 88 ff e0 d1 0e 74|"; within:8; metadata: former_category CURRENT_EVENTS; reference:md5,263a2cf88f340b2a755db749be1371ea; classtype:trojan-activity; sid:2024507; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RigEK, signature_severity Major, created_at 2017_08_01, malware_family RIG, updated_at 2017_08_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Nemucod JS Downloader Aug 01 2017"; flow:established,to_server; pcre:"/\/[A-Za-z0-9]{5,9}\?+[A-Za-z0-9]{6,12}=[A-Za-z0-9]{6,12}$/U"; content:"Accept|3a 20 2a 2f 2a 0d 0a|Accept-Language|3a|"; http_header; depth:29; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0)"; http_header; fast_pattern:30,20; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; metadata: former_category CURRENT_EVENTS; reference:md5,cb558b04216e0e7a9c936945ebee6611; classtype:trojan-activity; sid:2024508; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_01, malware_family Nemucod, updated_at 2017_08_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK Landing M1 Aug 05 2017"; flow:established,from_server; file_data; content:"|5b 30 5d 5b 22 41 22 2b|"; content:"|29 2b 22 58 22 2b 22 4f 22 2b|"; distance:0; fast_pattern; content:"|72 65 74 75 72 6e 20 28 22 22 2b|"; content:"|29 2b 22 41 74 22 5d|"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024514; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Magnitude, signature_severity Major, created_at 2017_08_07, malware_family Exploit_Kit, performance_impact Low, updated_at 2017_08_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK Landing M2 Aug 05 2017"; flow:established,from_server; file_data; content:"|43 72 65 61 74 65 4f 62 6a 65 63 74 28|"; pcre:"/^(?P<var>[A-Z0-9a-z]{1,20})\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29/Rsi"; content:"|45 78 65 63 75 74 65 28|"; pcre:"/^(?P<var>[A-Z0-9a-z]{1,20})\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29/Ri"; content:"|52 65 44 69 6d|"; content:"|50 72 65 73 65 72 76 65|"; content:"|55 6e 45 73 63 61 70 65|"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024515; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Magnitude, signature_severity Major, created_at 2017_08_07, malware_family Exploit_Kit, performance_impact Low, updated_at 2017_08_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Mail.ru Phish Aug 10 2017"; flow:to_server,established; content:"POST"; http_method; content:"1login="; depth:7; nocase; http_client_body; fast_pattern; content:"&login="; nocase; distance:0; http_client_body; content:"&Domain="; nocase; distance:0; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024532; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_08_10, updated_at 2017_08_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible AMSI Powershell Bypass Attempt B641"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBk"; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024534; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_11, updated_at 2017_08_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible AMSI Powershell Bypass Attempt B642"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"EAbQBzAGkASQBuAGkAdABGAGEAaQBsAGUAZ"; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024535; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_11, updated_at 2017_08_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible AMSI Powershell Bypass Attempt B643"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"hAG0AcwBpAEkAbgBpAHQARgBhAGkAbABlAG"; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024536; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_11, updated_at 2017_08_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible AMSI Powershell Bypass Attempt"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"System.Management.Automation.AmsiUtils"; fast_pattern; nocase; content:"amsiInitFailed"; nocase; content:"setvalue"; nocase; content:"$null"; nocase; distance:0; content:"$true"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024537; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_11, updated_at 2017_08_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Veil Powershell Encoder B641"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"KAAsACQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAo"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024538; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_11, updated_at 2017_08_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Veil Powershell Encoder B642"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"gALAAkACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAK"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024539; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_11, updated_at 2017_08_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Veil Powershell Encoder B643"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"oACwAJAAoAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnAC"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024540; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_11, updated_at 2017_08_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Successful Phish - Verify Email Error Message M1 Aug 14 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; file_data; content:"PASSWORD NOT MATCHED"; nocase; depth:20; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024541; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_08_11, updated_at 2017_08_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Successful Phish - Verify Email Error Message M2 Aug 14 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; file_data; content:"ERROR! PLEASE CLICK BACK"; nocase; depth:24; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024542; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, created_at 2017_08_11, updated_at 2017_08_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Paypal Phish M1 Aug 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"_csrf="; depth:6; nocase; http_client_body; content:"&processSignin="; nocase; distance:0; http_client_body; content:"&login_email="; nocase; distance:0; http_client_body; content:"&rememberProfileCheck="; nocase; distance:0; http_client_body; content:"&login_password="; nocase; distance:0; http_client_body; fast_pattern; content:"&rememberProfile="; nocase; distance:0; http_client_body; content:"&rememberProfileCheck="; nocase; distance:0; http_client_body; content:"&showTryPasswordlessButton="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024544; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_08_14, updated_at 2017_08_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Paypal Phish M2 Aug 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"address_1="; depth:10; nocase; http_client_body; fast_pattern; content:"&address_2="; nocase; distance:0; http_client_body; content:"&city="; nocase; distance:0; http_client_body; content:"&state="; nocase; distance:0; http_client_body; content:"&postal="; nocase; distance:0; http_client_body; content:"&country="; nocase; distance:0; http_client_body; content:"&phone="; nocase; distance:0; http_client_body; content:"&number_1="; nocase; distance:0; http_client_body; content:"&number_2="; nocase; distance:0; http_client_body; content:"&number_3="; nocase; distance:0; http_client_body; content:"&month="; nocase; distance:0; http_client_body; content:"&day="; nocase; distance:0; http_client_body; content:"&year="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024545; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_08_14, updated_at 2017_08_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Paypal Phish M3 Aug 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"country="; depth:8; nocase; http_client_body; content:"&cc_holder="; nocase; distance:0; http_client_body; content:"&cc_number="; nocase; distance:0; http_client_body; fast_pattern; content:"&expdate_month="; nocase; distance:0; http_client_body; content:"&expdate_year="; nocase; distance:0; http_client_body; content:"&cvv2_number="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024546; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_08_14, updated_at 2017_08_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Windows Scriptlet Invoking Powershell Likely Malicious"; flow:established,from_server; file_data; content:"WScript.shell"; nocase; fast_pattern:only;  content:"ActiveXObject"; nocase; content:"<registration"; nocase; distance:0; content:"progid"; distance:0; nocase; content:"<script"; nocase; distance:0; content:"<![CDATA["; nocase; distance:0; pcre:"/^.{1,1000}p(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?o(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?w(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?e(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?r(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?s(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?h(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?e(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?l(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?l/Rsi"; metadata: former_category CURRENT_EVENTS; reference:url,www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/; classtype:trojan-activity; sid:2024549; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PowerShell, signature_severity Major, created_at 2017_08_15, malware_family PowerShell, performance_impact Low, updated_at 2017_08_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Likely Malicious Windows SCT Download MSXMLHTTP M1"; flow:established,to_server; flowbits:isset,et.IE7.NoRef.NoCookie; content:".sct"; http_uri; nocase; fast_pattern:only; pcre:"/\.sct$/Ui"; metadata: former_category CURRENT_EVENTS; reference:url,www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/; classtype:trojan-activity; sid:2024550; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PowerShell_Downloader, signature_severity Major, created_at 2017_08_15, malware_family PowerShell, performance_impact Low, updated_at 2017_08_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Malicious Windows SCT Download MSXMLHTTP M2"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; content:"Content-Type|3a 20|text/scriptlet"; http_header; nocase; fast_pattern:only; metadata: former_category CURRENT_EVENTS; reference:url,www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/; classtype:trojan-activity; sid:2024551; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PowerShell_Downloader, signature_severity Major, created_at 2017_08_15, malware_family PowerShell, updated_at 2017_08_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Malicious Windows SCT Download MSXMLHTTP M3"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; content:"Content-Disposition|3a 20|"; nocase; http_header; content:".sct"; http_header; nocase; pcre:"/^Content-Disposition\x3a[^\r\n]*\.sct[\x22\x27\s\r\n]/Hmi"; fast_pattern:only; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024552; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PowerShell_Downloader, signature_severity Major, created_at 2017_08_15, malware_family PowerShell, updated_at 2017_08_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Malicious Windows SCT Download MSXMLHTTP AX"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; file_data; content:"<registration"; nocase; distance:0; content:"progid"; distance:0; nocase; content:"<script"; nocase; distance:0; content:"<![CDATA["; nocase; content:"ActiveXObject"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; reference:url,www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/; classtype:trojan-activity; sid:2024553; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PowerShell_Downloader, signature_severity Major, created_at 2017_08_15, malware_family PowerShell, updated_at 2017_08_15;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible YapiKredi Bank (TR) Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Bireysel|20 c4 b0|nternet|20 c5 9e|ubesi|20 7c 20|Yap|c4 b1 20|Kredi</title>"; fast_pattern:only; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024583; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Internet, tag Phishing, signature_severity Minor, created_at 2017_08_16, updated_at 2017_12_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish M1 Aug 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"FromPreSignIn_SIP="; depth:18; nocase; http_client_body; fast_pattern; content:"&LANGUAGE="; nocase; distance:0; http_client_body; content:"&RSA_DEVPRINT="; nocase; distance:0; http_client_body; content:"&cn1="; nocase; distance:0; http_client_body; content:"&cn2="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024586; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_08_17, updated_at 2017_08_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish M2 Aug 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"cc="; depth:3; nocase; http_client_body; content:"&pin="; nocase; distance:0; http_client_body; content:"&ccin="; nocase; distance:0; http_client_body; fast_pattern; content:"&mmn="; nocase; distance:0; http_client_body; content:"&ssn1="; nocase; distance:0; http_client_body; content:"&ssn2="; nocase; distance:0; http_client_body; content:"&ssn3="; nocase; distance:0; http_client_body; content:"&dl="; nocase; distance:0; http_client_body; content:"&month="; nocase; distance:0; http_client_body; content:"&day="; nocase; distance:0; http_client_body; content:"&year="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024587; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_08_17, updated_at 2017_08_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Interac Phish Aug 18 2017"; flow:to_server,established; content:"POST"; http_method; content:"fiId="; depth:5; nocase; http_client_body; content:"&cuId="; nocase; distance:0; http_client_body; content:"&hiddenFiLabel="; nocase; distance:0; http_client_body; content:"&hiddenCuLabel="; nocase; distance:0; http_client_body; content:"&isMobileBrowser="; nocase; distance:0; http_client_body; content:"&language="; nocase; distance:0; http_client_body; content:"&paymentRefNum="; nocase; distance:0; http_client_body; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024599; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_08_18, updated_at 2017_08_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Generic Phish (set) Aug 21 2017"; flow:to_server,established; content:"GET"; http_method; content:"&UserName="; http_uri; nocase; content:"&Password="; nocase; distance:0; http_uri; fast_pattern; content:!"absolutdata.com|0d 0a|"; http_header; content:!"absolutresearch.com|0d 0a|"; http_header; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025026; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_08_18, updated_at 2017_11_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Maldoc Downloader Aug 18 2017"; flow:established,to_server; content:"/s.php?id="; http_uri; depth:10; content:!"User-Agent|3a|"; http_header; content:!"Accept|3a|"; http_header; content:!"Cookie|3a|"; pcre:"/^\/s\.php\?id=[a-z0-9]{2,6}$/U"; metadata: former_category CURRENT_EVENTS; reference:md5,5285f1adfc0013fa86218a7d76c0016d; classtype:trojan-activity; sid:2024600; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag MalDoc, signature_severity Major, created_at 2017_08_21, malware_family Maldoc, performance_impact Low, updated_at 2017_08_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Aug 22 2017"; flow:to_server,established; content:"POST"; http_method; content:"xxx="; depth:4; nocase; http_client_body; content:"&yyy="; nocase; http_client_body; fast_pattern;  distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025027; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_08_21, updated_at 2017_11_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Malicious Windows SCT Download MSXMLHTTP AX M2"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; file_data; content:"<package"; nocase; distance:0; content:"<component"; distance:0; nocase; content:"<script"; nocase; distance:0; content:"<![CDATA["; nocase; content:"ActiveXObject"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; reference:url,www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/; classtype:trojan-activity; sid:2024602; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PowerShell, signature_severity Major, created_at 2017_08_22, malware_family PowerShell_Downloader, performance_impact Low, updated_at 2017_08_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Hancitor/Tordal Document Request"; flow:established,to_server; content:"GET"; http_method; content:".php?d="; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:!"Cookie"; pcre:"/\.php\?d=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/U"; flowbits:set,ET.Hancitor; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024604; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_22, malware_family Hancitor, malware_family Tordal, performance_impact Moderate, updated_at 2017_08_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Hancitor/Tordal Document Inbound"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|application/msword|3b|"; http_header; content:"Content-Disposition|3a 20|attachment|3b 20|filename="; http_header; content:".doc"; distance:0; http_header; file_data; content:"|d0 cf 11 e0|"; depth:4; fast_pattern; flowbits:isset,ET.Hancitor; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024605; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_22, malware_family Hancitor, malware_family Tordal, performance_impact Moderate, updated_at 2017_08_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Disdain EK URI Struct Aug 23 2017 M1"; flow:established,to_server; urilen:>41; content:".php"; offset:38; depth:4; http_uri; pcre:"/^\/(?=[a-z0-9]{0,22}[A-Z]+?[a-z0-9])(?=[A-Z0-9]{0,22}[a-z]+?[A-Z0-9])[a-zA-Z0-9]{24}\/[a-zA-Z0-9]{12}\.php(?:\?[^&=]+=(?:[a-zA-Z0-9]{8}|0(?:189|037)|flash|2(?:551|419)|6332))?$/U"; flowbits:set,ET.DisDain.EK;  classtype:trojan-activity; sid:2024606; rev:1; metadata:created_at 2017_08_23, updated_at 2017_08_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Disdain EK URI Struct Aug 23 2017 M2"; flow:established,to_server; urilen:34; content:"/test.mp3"; offset:25; depth:9; http_uri; pcre:"/^\/(?=[a-z0-9]{0,22}[A-Z]+?[a-z0-9])(?=[A-Z0-9]{0,22}[a-z]+?[A-Z0-9])[a-zA-Z0-9]{24}\/test\.mp3$/U"; flowbits:set,ET.DisDain.EK;  classtype:trojan-activity; sid:2024607; rev:1; metadata:created_at 2017_08_23, updated_at 2017_08_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Disdain EK Payload Aug 23 2017"; flow:established,from_server; file_data; content:"|30 26 e2 3d 9d f5 5b 16|"; within:8; flowbits:set,ET.DisDain.EK; classtype:trojan-activity; sid:2024608; rev:1; metadata:created_at 2017_08_23, updated_at 2017_08_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Disdain EK Flash Exploit M1 Aug 23 2017"; flow:established,from_server; flowbits:isset,ET.DisDain.EK; file_data; content:"CWS"; within:3; classtype:trojan-activity; sid:2024609; rev:1; metadata:created_at 2017_08_23, updated_at 2017_08_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Disdain EK Flash Exploit M2 Aug 23 2017"; flow:established,from_server; flowbits:isset,ET.DisDain.EK; file_data; content:"ZWS"; within:3; classtype:trojan-activity; sid:2024610; rev:1; metadata:created_at 2017_08_23, updated_at 2017_08_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Disdain EK Flash Exploit M3 Aug 23 2017"; flow:established,from_server; flowbits:isset,ET.DisDain.EK; file_data; content:"FWS"; within:3; classtype:trojan-activity; sid:2024611; rev:1; metadata:created_at 2017_08_23, updated_at 2017_08_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Disdain EK Landing Aug 23 2017"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"document.write("; content:"w6UKpvNSUQKuCVmSVlTLELdj"; distance:0;within:75; flowbits:isset,ET.DisDain.EK;  classtype:trojan-activity; sid:2024612; rev:1; metadata:created_at 2017_08_23, updated_at 2017_08_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Aug 25 2017"; flow:to_server,established; content:"POST"; http_method; content:"e="; depth:2; nocase; http_client_body; content:"&p="; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024614; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_08_25, updated_at 2017_08_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Poloniex Cryptocurrency Exchange Phish Aug 28 2017"; flow:to_client,established; flowbits:isset,ET.genericphish; content:"302"; http_stat_code; content:"Location|3a 20|https://poloniex.com"; http_header; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024617; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_08_28, updated_at 2017_08_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Exmo Cryptocurrency Exchange Phish Aug 28 2017"; flow:to_client,established; flowbits:isset,ET.genericphish; content:"302"; http_stat_code; content:"Location|3a 20|https://exmo.com"; http_header; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024618; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_08_28, updated_at 2017_08_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Paxful Cryptocurrency Wallet Phish Aug 30 2017"; flow:to_client,established; flowbits:isset,ET.genericphish; content:"302"; http_stat_code; content:"Location|3a 20|https://paxful.com"; http_header; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024621; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_08_29, updated_at 2017_08_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible NatWest Bank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>NatWest Online Banking</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024622; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_08_30, updated_at 2017_08_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible NatWest Bank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Pin and Password - NWOLB</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024623; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_08_30, updated_at 2017_08_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible NatWest Bank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Security Details - NWOLB</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024624; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_08_30, updated_at 2017_08_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Aug 31 2017"; flow:to_server,established; content:"GET"; http_method; content:".php?"; http_uri; content:"csrfmiddlewaretoken="; nocase; http_uri; distance:0; content:"username="; nocase; http_uri; content:"&password="; nocase; http_uri; fast_pattern; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024638; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_08_31, updated_at 2017_08_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Bitstamp Cryptocurrency Exchange Phish Aug 30 2017"; flow:to_client,established; flowbits:isset,ET.genericphish; content:"302"; http_stat_code; content:"Location|3a 20|https://www.bitstamp.net"; http_header; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024639; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_08_31, updated_at 2017_08_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful LocalBitcoins Cryptocurrency Exchange Phish Aug 30 2017"; flow:to_client,established; flowbits:isset,ET.genericphish; content:"302"; http_stat_code; content:"Location|3a 20|https://localbitcoins.com"; http_header; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024640; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_08_31, updated_at 2017_08_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Adobe Flash Update Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Adobe - Update Adobe Flash Player</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024643; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_08_31, updated_at 2017_08_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Adobe Flash Update Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Flash Player Update</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024644; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_08_31, updated_at 2017_08_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Adobe Flash Update Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Adobe Flash Player</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024645; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_08_31, updated_at 2017_08_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Adobe Flash Update Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Flash Player|20 7c 20|Free Download</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024646; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_08_31, updated_at 2017_08_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Adobe Flash Update Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Adobe Flash Player Update</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024647; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_08_31, updated_at 2017_08_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Adobe Flash Update Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Flash Player is outdated</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024648; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_08_31, updated_at 2017_08_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Adobe Flash Update Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>flash player might be outdated</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024649; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_08_31, updated_at 2017_08_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HEX Payload DL with MSXMLHTP (Observed in Locky campaign)"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; file_data; content:"4d"; nocase; within:2; pcre:"/^\s*5a\s*90\s*00\s*03\s*00\s*00\s*00/Rsi"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024650; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_31, performance_impact Significant, updated_at 2017_09_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Dropbox Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Dropbox - Verify Email</title>"; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024656; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_09_01, updated_at 2017_09_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Dropbox Phish (Locky) Sep 01 2017"; flow:to_server,established; content:"POST"; http_method; content:"is_xhr="; depth:7; nocase; http_client_body; content:"current_email"; nocase; distance:0; http_client_body; content:"&email_sig="; nocase; distance:0; http_client_body; content:"&login_sd="; nocase; distance:0; http_client_body; content:"&login_email="; nocase; distance:0; http_client_body; content:"&login_password="; nocase; distance:0; http_client_body; content:"&remember_me="; nocase; distance:0; http_client_body; content:"&specter_login_tm="; nocase; distance:0; http_client_body; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024657; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_09_01, updated_at 2017_09_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Rip Sep 05 2017"; flow:established,from_server; file_data; content:"iddq"; fast_pattern:only; content:"<param"; nocase; pcre:"/^(?=(?:(?!<\/>).)+?FlashVars)(?:(?!<\/>).)+?value\s*?=\s*?[\x22\x27]iddqd?\s*=/Rsi"; flowbits:set,ET.RIGEKExploit; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024660; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_05, malware_family RIG, performance_impact Moderate, updated_at 2017_09_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Rip Sep 05 2017 M2"; flow:established,from_server; file_data; content:"iddq"; fast_pattern:only; content:"<param"; nocase; pcre:"/^(?=(?:(?!<\/>).)+?FlashVars)(?:(?!<\/>).)+?value\s*?=\s*?[\x22\x27][^=]*\s*=EB02EB05E8F9FFFFFF/Rsi"; flowbits:set,ET.RIGEKExploit; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024661; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_05, malware_family RIG, performance_impact Moderate, updated_at 2017_09_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit"; flow:established,from_server; file_data; content:"triggerBug"; nocase; fast_pattern; pcre:"/^\s*(?:\x28|\%28)/Rs"; content:"exploit"; nocase; pcre:"/^\s*(?:\x28|\%28)o/Rs"; content:"intToStr"; nocase; pcre:"/^\s*(?:\x28|\%28)x/Rs"; content:"strToInt"; nocase; pcre:"/^\s*(?:\x28|\%28)s/Rs"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024676; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Critical, created_at 2017_09_07, updated_at 2017_09_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit HFS Actor"; flow:established,from_server; content:"Server|3a 20|HFS"; http_header; file_data; content:"triggerBug"; nocase; fast_pattern; content:"exploit"; nocase; content:"intToStr"; nocase; content:"strToInt"; nocase; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024677; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Critical, created_at 2017_09_07, updated_at 2017_09_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Locky VB/JS Loader Download Sep 08 2017"; flow:established,from_server; content:!"Cookie|3a|"; file_data; content:"|3c 64 69 76 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 23 65 65 65 3b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 63 63 63 3b 70 61 64 64 69 6e 67 3a 35 70 78 20 31 30 70 78 3b 22 3e 59 6f 75 72|"; nocase; within:100; fast_pattern:53,20; pcre:"/^[a-z0-9!\x22#$%&'()*+,.\/\x3a\x3b<=>?@\[\] ^_`{|}~\s-]+?downloading\.?\s*Please wait\x2e*<\/div\>\s*<iframe src\s*=\s*[\x22\x27]http\:\/\/[^\x22\x27]+\.php[\x22\x27]\s*style\s*=\s*[\x22\x27]display\x3a\s*none\x3b\s*[\x22\x27]>\s*<\/iframe\>\s*$/Rsi"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024678; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_08, malware_family Locky, performance_impact Low, updated_at 2017_09_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Scam Sep 08 2017"; flow:established,to_client; file_data; content:"background-color|3a|#CE3426|3b|"; nocase; fast_pattern:5,20; content:"=window[|22|eval|22|](|22|eval|22|)|3b|"; nocase; distance:0; content:"charCodeAt"; distance:0; content:"fromCharCode"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024688; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_08, updated_at 2017_09_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK encrypted payload Sept 11 (1)"; flow:established,to_client; file_data; content:"|8d b1 8a d0 36 8d 5d bf|"; within:8; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024691; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_kit_RIG, signature_severity Major, created_at 2017_09_11, malware_family Exploit_Kit_RIG, performance_impact Low, updated_at 2017_09_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HoeflerText Chrome Popup DriveBy Download Attempt 2"; flow:established,to_client; file_data; content:"The |22|HoeflerText|22| font was not found"; nocase; fast_pattern; content:"you have to update the |22|Chrome Font Pack|22|"; distance:0; nocase; content:"To install |22|HoeflerText|22| font for your PC"; distance:0; nocase; content:"Download the .js"; distance:0; nocase; content:".attr('href',"; distance:0; nocase; metadata: former_category CURRENT_EVENTS; metadata: former_category CURRENT_EVENTS; reference:url,www.proofpoint.com/us/threat-insight/post/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme; classtype:trojan-activity; sid:2024700; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_12, performance_impact Low, updated_at 2017_09_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CVE-2017-8759 Soap File DL"; flow:established,from_server; file_data; content:"process.start"; nocase; fast_pattern:only; content:"<service"; nocase; pcre:"/^(?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*[\x22\x27](?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*?\x22[^\x22]*\r?\n[^\x22]*?process\.start/Rsi"; metadata: former_category CURRENT_EVENTS; classtype:attempted-admin; sid:2024702; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_13, performance_impact Low, updated_at 2017_09_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Apple Phishing Landing M1 Sep 14 2017"; flow:to_client,established; content:"200"; http_stat_code; content:"connect.sid"; http_cookie; file_data; content:"<title>Manage your Apple ID</title>"; nocase; fast_pattern:7,20; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024703; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_09_14, updated_at 2017_09_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Apple Phishing Landing M2 Sep 14 2017"; flow:to_client,established; content:"200"; http_stat_code; content:"connect.sid"; http_cookie; file_data; content:"mainController as mainCtrl"; nocase; content:"mainCtrl.username"; nocase; distance:0; content:"mainCtrl.password"; nocase; distance:0; content:"mainCtrl.submitCreds"; nocase; distance:0; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024704; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_09_14, updated_at 2017_09_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Apple Phishing Landing M3 Sep 14 2017"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|application/javascript"; http_header; file_data; content:"this.submitCreds"; nocase; fast_pattern; content:"username|3a 20|this.username"; nocase; distance:0; content:"password|3a 20|this.password"; nocase; distance:0; content:"apple.com"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024705; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_09_14, updated_at 2017_12_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Websocket Credential Phish Sep 15 2017"; flow:to_server,established; content:"GET"; content:"&transport=websocket&sid="; http_uri; fast_pattern; content:"Sec-WebSocket-Version|3a 20|13|0d 0a|"; http_header; content:"Sec-WebSocket-Extensions|3a 20|permessage-deflate"; http_header; content:"Sec-WebSocket-Key|3a 20|"; http_header; content:"connect.sid="; http_cookie; content:"io="; http_cookie; content:"Upgrade|3a 20|websocket"; http_header; content:"origin|3a 20|"; pcre:"/^[^\r\n]+(?:s(?:e(?:rvic|cur)e|c(?:otia|ure)|antander|ign\-?in|napchat)|c(?:h(?:eck(?:out)?|a(?:in|se))|ustomer|onfirm|loud)|p(?:ay(?:pa[il]|ment)|(?:hon|ost)e|rivacy)|i(?:n(?:terac|sta)|cloud|phone|tunes)|re(?:solution|covery|fund|port|dir)|a(?:pp(?:id|le)|ccount|mazon)|n(?:otification|etflix|terac)|l(?:o(?:cked|gin)|imited)|(?:etransf|twitt|ord)er|d(?:ocusign|ropbox)|f(?:acebook|orgot)|veri(?:tas|f)|upd(?:ate|t)|yahoo|bofa|hmrc)/Ri"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025001; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_09_14, updated_at 2017_11_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CVE-2017-8759 Soap File DL"; flow:established,from_server; file_data; content:"process.start"; nocase; fast_pattern:only; content:"<service"; nocase; pcre:"/^(?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*[\x22\x27](?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*?\x22[^\x22]*\r?\n[^\x22]*?process\.start/Rsi"; metadata: former_category CURRENT_EVENTS; classtype:attempted-admin; sid:2024706; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_15, performance_impact Low, updated_at 2017_09_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Apple Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Manage your Apple ID</title>"; fast_pattern:7,20; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024707; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_09_15, updated_at 2017_09_15;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Possible Coinhive Javascript Cryptocurrency Mining"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; fast_pattern; content:"|55 04 03|"; distance:0; content:"coin-hive"; within:50; nocase;  pcre:!"/#http:\/\/cert.*coinhive/i"; metadata: former_category CURRENT_EVENTS; reference:url,coin-hive.com; classtype:policy-violation; sid:2024720; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_18, updated_at 2017_10_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoinHive In-Browser Miner Detected"; flow:established,from_server; file_data; content:"coinhive.min.js"; nocase; fast_pattern; content:"start"; nocase; distance:0; content:"script"; content:"var"; distance:0; pcre:"/^\s*(?P<var>[a-zA-Z0-9]{3,20})\s*=\s*new\s*CoinHive\s*\.\s*[^\(]+\(\s*[\x22\x27][A-Za-z0-9]+\s*[\x22\x27]\s*(?:\x2c\s*\x7b\s*\w+\x3a\s*\d\.\d\x7d)?\)\s*\x3b\s+(?P=var)\s*\.\s*start/Ri"; metadata: former_category CURRENT_EVENTS; classtype:policy-violation; sid:2024721; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_18, performance_impact Moderate, updated_at 2018_05_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Sep 19 2017"; flow:to_server,established; content:"POST"; http_method; content:"pass="; depth:5; nocase; fast_pattern; http_client_body; content:"&formimage1.x="; nocase; http_client_body; distance:0; content:"&formimage1.y="; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025028; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_09_19, updated_at 2017_11_27;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CVE-2017-8759 Soap File DL Over FTP"; flow:established,from_server;  content:"process.start"; nocase; fast_pattern:only; content:"<service"; nocase; pcre:"/^(?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*[\x22\x27](?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*?\x22[^\x22]*\r?\n[^\x22]*?process\.start/Rsi"; metadata: former_category CURRENT_EVENTS; metadata: former_category CURRENT_EVENTS; classtype:attempted-admin; sid:2024729; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Critical, created_at 2017_09_20, performance_impact Low, updated_at 2017_09_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M1"; flow:established,to_server; urilen:6<>20; pcre:"/^(?:\/(?:(?:af|p66)\/(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}|(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}\?))$/U"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; content:"MSIE 7.0"; http_header; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024767; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_26, malware_family Locky, performance_impact Low, updated_at 2017_10_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M2"; flow:established,to_server; urilen:6<>20; pcre:"/^(?:\/(?:(?:af|p66)\/(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}|(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}\?))$/U"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; content:"Firefox/54.0"; http_header; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024768; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_26, malware_family Locky, performance_impact Low, updated_at 2017_10_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Raiffeisen Bank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Raiffeisen ELBA-internet</title>"; fast_pattern:19,20; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024770; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_09_27, updated_at 2017_09_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Generic Phish (set) Sep 28 2017"; flow:to_server,established; content:"POST"; http_method; content:"number"; depth:6; nocase; http_client_body; content:"&number"; nocase; distance:0; http_client_body; content:"&number"; nocase; distance:0; http_client_body; content:"&number"; nocase; distance:0; http_client_body; content:"&number"; nocase; distance:0; http_client_body; content:"&FormsButton"; nocase; distance:0; http_client_body; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025029; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_09_28, updated_at 2017_11_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Banco do Brasil Phish M1 Sep 29 2017"; flow:to_server,established; content:"POST"; http_method; content:"agg="; depth:4; nocase; http_client_body; content:"&acc="; nocase; distance:0; http_client_body; content:"&ss"; nocase; distance:0; http_client_body; content:"&proceguir="; nocase; distance:0; http_client_body; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024782; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_09_29, updated_at 2017_09_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Banco do Brasil Phish M2 Sep 29 2017"; flow:to_server,established; content:"POST"; http_method; content:"telefone="; depth:9; nocase; http_client_body; content:"&senha"; nocase; distance:0; http_client_body; content:"&proceguir="; nocase; distance:0; http_client_body; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024783; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_09_29, updated_at 2017_09_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Banco do Brasil Phish M3 Sep 29 2017"; flow:to_server,established; content:"POST"; http_method; content:"cvv="; depth:4; nocase; http_client_body; content:"&proceguir="; nocase; distance:0; http_client_body; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024784; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_09_29, updated_at 2017_09_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Scotiabank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Sign in to Scotiabank"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024795; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_10_03, updated_at 2017_10_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Desjardins Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Log on|20 7c 20|Desjardins"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024796; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_10_03, updated_at 2017_10_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CIBC Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>CIBC</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024797; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_10_03, updated_at 2017_10_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible BMO Bank of Montreal Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>BMO Bank of Montreal Online Banking</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024798; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_10_03, updated_at 2017_10_03;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phishing Landing Oct 04 2017"; flow:established,to_client; file_data; content:"|0d 0a 54 68 65 6d 65 20 4e 61 6d 65 3a 20|"; within:100; content:"|0d 0a 41 75 74 68 6f 72 3a 20 4d 4b 28 72 6a 29|"; within:100; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024799; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_10_04, updated_at 2018_03_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Santander Phish M1 Oct 04 2017"; flow:to_server,established; content:"POST"; http_method; content:"cpf="; depth:4; nocase; http_client_body; fast_pattern; content:"&s6="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024800; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_10_04, updated_at 2017_10_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Santander Phish M3 Oct 04 2017"; flow:to_server,established; content:"POST"; http_method; content:"as_cpf="; depth:7; nocase; http_client_body; content:"&as_pass="; nocase; distance:0; http_client_body; fast_pattern; content:"&sender="; nocase; distance:0; http_client_body; content:"&as_continue="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024801; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_10_04, updated_at 2017_10_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Santander Phish M2 Oct 04 2017"; flow:to_server,established; content:"POST"; http_method; content:"ag_ct="; depth:6; nocase; http_client_body; content:"&ct_ct="; nocase; distance:0; http_client_body; content:"&us_user="; nocase; distance:0; http_client_body; content:"&us_pant="; nocase; distance:0; http_client_body; fast_pattern; content:"&sender="; nocase; distance:0; http_client_body; content:"&btn_now="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024802; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_10_04, updated_at 2017_10_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Facebook Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Log in to Facebook"; nocase; within:100; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024807; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_10_05, updated_at 2017_10_05;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Observed DNS Query to Browser Coinminer (crypto-loot[.]com)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0b|crypto-loot|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024828; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_10_09, malware_family CoinMiner, performance_impact Moderate, updated_at 2017_10_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Generic Credit Card Information Phish Oct 10 2017"; flow:to_server,established; content:"POST"; http_method; content:"expm="; nocase; http_client_body; content:"&expy="; nocase; distance:0; http_client_body; content:"&cvv="; nocase; distance:0; http_client_body; fast_pattern; flowbits:set,ET.genericphish; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025030; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_10_10, updated_at 2017_11_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Paypal Phishing Domain (IT) Oct 10 2017"; flow:to_server,established; content:"GET"; http_method; content:"paypal.it"; http_header; fast_pattern; content:!"paypal.it|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+paypal\.it[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024834; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_10_10, updated_at 2017_11_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Paypal Phishing Domain (IT) Oct 10 2017"; flow:to_server,established; content:"POST"; http_method; content:"paypal.it"; http_header; fast_pattern; content:!"paypal.it|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+paypal\.it[^\r\n]{20,}\r\n/Hmi"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024835; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_10_10, updated_at 2017_10_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Office 365 Phish Oct 10 2017 (set)"; flow:to_server,established; content:"POST"; http_method; content:"Password1="; depth:10; nocase; http_client_body; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025031; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_10_10, updated_at 2017_11_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS DOC Download from commonly abused file share site"; flow:to_server,established; content:".doc"; http_uri; content:"Host|3a 20|a.pomf.cat|0d 0a|"; http_header; fast_pattern; content:!"Referer|3a|"; http_header; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024836; rev:2; metadata:created_at 2017_10_11, updated_at 2017_10_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Ziraat Bankasi (TK) Phish M1 Oct 12 2017"; flow:to_server,established; content:"POST"; http_method; content:"rdLng="; nocase; http_client_body; fast_pattern; content:"&tc="; nocase; distance:0; http_client_body; content:"&sms"; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024838; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_10_12, updated_at 2017_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Ziraat Bankasi (TK) Phish M2 Oct 12 2017"; flow:to_server,established; content:"POST"; http_method; content:"rdLng="; nocase; http_client_body; fast_pattern; content:"&tc="; nocase; distance:0; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024839; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_10_12, updated_at 2017_10_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Tech Support Scam Landing M1 Oct 13 2017"; flow:established,to_client; file_data; content:"<title>Windows Defender</title>"; nocase; fast_pattern; content:"background-color|3a 20|#659e1d"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024841; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Tech_Support_Scam, signature_severity Minor, created_at 2017_10_13, updated_at 2017_10_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Google Docs Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Google Secure Docs</title>"; fast_pattern; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024842; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_10_13, updated_at 2017_10_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M1 Oct 16 2016"; flow:from_server,established; content:"401"; http_stat_code; content:"WWW-Authenticate|3a 20|Basic realm="; nocase; http_header; content:"Error"; http_header; nocase; distance:0; fast_pattern; content:"-"; distance:0; http_header; pcre:"/^WWW-Authenticate\x3a\x20Basic\x20realm=[\x22\x27][^\r\n]*Error[^\r\n]*-/Hmi"; classtype:trojan-activity; sid:2024844; rev:2; metadata:created_at 2017_10_16, updated_at 2017_10_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M2 Oct 16 2016"; flow:from_server,established;file_data; content:"Windows Defender Alert"; nocase; fast_pattern; content:"Virus Detected"; nocase; distance:0; content:"Reset Your Computer"; nocase; distance:0; content:"<audio autoplay"; nocase; distance:0; classtype:trojan-activity; sid:2024845; rev:1; metadata:created_at 2017_10_16, updated_at 2017_10_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Paypal Phish Oct 16 2017"; flow:to_server,established; content:"POST"; http_method; content:"_csrf="; depth:6; nocase; http_client_body; content:"&locale.x="; nocase; distance:0; http_client_body; content:"&processSignin="; nocase; distance:0; http_client_body; content:"&login_email="; nocase; distance:0; http_client_body; content:"&login_password="; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:2024846; rev:2; metadata:created_at 2017_10_16, updated_at 2017_10_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Paypal (FR) Phish Oct 16 2017"; flow:to_server,established; content:"POST"; http_method; content:"mail="; depth:5; nocase; http_client_body; content:"&mdp="; nocase; distance:0; http_client_body; content:"&toppl="; nocase; distance:0; http_client_body; fast_pattern; content:"Paypal"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024847; rev:1; metadata:created_at 2017_10_16, updated_at 2017_10_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful HMRC Phish Oct 18 2017"; flow:to_server,established; content:"POST"; http_method; content:"name="; depth:5; nocase; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&ccname="; nocase; distance:0; http_client_body; fast_pattern; content:"&ccn"; nocase; distance:0; http_client_body; content:"&ccexp="; nocase; distance:0; http_client_body; content:"&secode="; nocase; distance:0; http_client_body; content:"&sort"; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024850; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_10_18, updated_at 2018_02_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS PSHELL Downloader Primitives B641 Oct 19 2017"; flow:established,from_server; file_data; content:"U3RhcnQtUHJvY2Vzc"; pcre:"/(?:RG93bmxvYWRGaWxl|Rvd25sb2FkRmlsZ|Eb3dubG9hZEZpbG)/"; pcre:"/(?:V3JpdGUtSG9zd|dyaXRlLUhvc3|Xcml0ZS1Ib3N0)/"; pcre:"/U3lzdGVtLk5ldC5XZWJDbGllbn|N5c3RlbS5OZXQuV2ViQ2xpZW50|TeXN0ZW0uTmV0LldlYkNsaWVud/"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024878; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_20, malware_family Locky, performance_impact Low, updated_at 2017_10_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS PSHELL Downloader Primitives B642 Oct 19 2017"; flow:established,from_server; file_data; content:"N0YXJ0LVByb2Nlc3"; pcre:"/(?:RG93bmxvYWRGaWxl|Rvd25sb2FkRmlsZ|Eb3dubG9hZEZpbG)/"; pcre:"/(?:V3JpdGUtSG9zd|dyaXRlLUhvc3|Xcml0ZS1Ib3N0)/"; pcre:"/U3lzdGVtLk5ldC5XZWJDbGllbn|N5c3RlbS5OZXQuV2ViQ2xpZW50|TeXN0ZW0uTmV0LldlYkNsaWVud/"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024879; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_20, malware_family Locky, performance_impact Low, updated_at 2017_10_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS PSHELL Downloader Primitives B643 Oct 19 2017"; flow:established,from_server; file_data; content:"TdGFydC1Qcm9jZXNz"; pcre:"/(?:RG93bmxvYWRGaWxl|Rvd25sb2FkRmlsZ|Eb3dubG9hZEZpbG)/"; pcre:"/(?:V3JpdGUtSG9zd|dyaXRlLUhvc3|Xcml0ZS1Ib3N0)/"; pcre:"/U3lzdGVtLk5ldC5XZWJDbGllbn|N5c3RlbS5OZXQuV2ViQ2xpZW50|TeXN0ZW0uTmV0LldlYkNsaWVud/"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024880; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_20, malware_family Locky, performance_impact Low, updated_at 2017_10_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS PSHELL Downloader Primitives B644W Oct 19 2017"; flow:established,from_server; file_data; content:"UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAc"; pcre:"/(?:RABvAHcAbgBsAG8AYQBkAEYAaQBsAG|QAbwB3AG4AbABvAGEAZABGAGkAbABl|EAG8AdwBuAGwAbwBhAGQARgBpAGwAZ)/"; pcre:"/(?:VwByAGkAdABlAC0ASABvAHMAd|cAcgBpAHQAZQAtAEgAbwBzAH|XAHIAaQB0AGUALQBIAG8AcwB0)/"; pcre:"/(?:UwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0|MAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4Ad|TAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAH)/"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024881; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_20, malware_family Locky, performance_impact Low, updated_at 2017_10_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS PSHELL Downloader Primitives B645W Oct 19 2017"; flow:established,from_server; file_data; content:"MAdABhAHIAdAAtAFAAcgBvAGMAZQBzAH"; pcre:"/(?:RABvAHcAbgBsAG8AYQBkAEYAaQBsAG|QAbwB3AG4AbABvAGEAZABGAGkAbABl|EAG8AdwBuAGwAbwBhAGQARgBpAGwAZ)/"; pcre:"/(?:VwByAGkAdABlAC0ASABvAHMAd|cAcgBpAHQAZQAtAEgAbwBzAH|XAHIAaQB0AGUALQBIAG8AcwB0)/"; pcre:"/(?:UwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0|MAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4Ad|TAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAH)/"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024882; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_20, malware_family Locky, performance_impact Low, updated_at 2017_10_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS PSHELL Downloader Primitives B645W Oct 19 2017"; flow:established,from_server; file_data; content:"TAHQAYQByAHQALQBQAHIAbwBjAGUAcwBz"; pcre:"/(?:RABvAHcAbgBsAG8AYQBkAEYAaQBsAG|QAbwB3AG4AbABvAGEAZABGAGkAbABl|EAG8AdwBuAGwAbwBhAGQARgBpAGwAZ)/"; pcre:"/(?:VwByAGkAdABlAC0ASABvAHMAd|cAcgBpAHQAZQAtAEgAbwBzAH|XAHIAaQB0AGUALQBIAG8AcwB0)/"; pcre:"/(?:UwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0|MAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4Ad|TAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAH)/"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024883; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_20, malware_family Locky, performance_impact Low, updated_at 2017_10_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Chalbhai Phishing Landing Oct 23 2017"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"name=chalbhai"; fast_pattern; nocase; content:"method=post"; nocase; within:50; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025655; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_10_23, updated_at 2018_07_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Generic AES Phish M1 Oct 24 2017"; flow:established,from_server; flowbits:isset,ET.genericphish; file_data; content:"hea2p"; distance:0; nocase; content:"0123456789ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz"; fast_pattern:40,20; distance:0; content:"hea2t"; distance:0; nocase; content:"Aes"; nocase; distance:0; pcre:"/^\s*?\.\s*?Ctr\s*?\.\s*?decrypt/Rsi"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024997; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_10_24, updated_at 2017_11_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Generic AES Phish M2 Oct 24 2017"; flow:established,from_server; flowbits:isset,ET.genericphish; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"Aes.Ctr.decrypt"; nocase; fast_pattern; pcre:"/^\s*?\(\s*[^,]+,\s*?[^,]+,\s*?(?:128|256|512)\s*?\)/Rsi"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024998; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_10_24, updated_at 2017_11_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Qtloader encrypted payload Oct 19 (1)"; flow:established,to_client; file_data; content:"|1a 3d d0 28 82 1a 6f 08|"; depth:8; fast_pattern; metadata: former_category CURRENT_EVENTS; reference:md5,4f03e360be488a3811d40c113292bc01; classtype:trojan-activity; sid:2024907; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_24, performance_impact Low, updated_at 2017_10_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Qtloader encrypted check-in Oct 19 M1"; flow:established,to_server; content:"|2c 45 32 4d f1 38 55|"; depth:7; http_client_body; fast_pattern; metadata: former_category CURRENT_EVENTS; reference:md5,4f03e360be488a3811d40c113292bc01; classtype:trojan-activity; sid:2024908; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_24, performance_impact Low, updated_at 2017_12_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Qtloader encrypted check-in response Oct 19 (1)"; flow:established,to_client; file_data; content:"|0c 3c|"; depth:2; content:"|04 a3|"; distance:1; within:2; metadata: former_category CURRENT_EVENTS; reference:md5,4f03e360be488a3811d40c113292bc01; classtype:trojan-activity; sid:2024909; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_24, performance_impact Low, updated_at 2017_10_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible BadRabbit Driveby Download M1 Oct 24 2017"; flow:established,from_server; file_data; content:"InjectionString"; fast_pattern; content:"setRequestHeader"; nocase; pcre:"/^\s*\(\s*[\x22\x27]Content\-Type/Ri"; content:"onreadystatechange"; nocase; distance:0; content:"readyState"; nocase; distance:0; pcre:"/^\s*==\s*4/Ri"; content:"status"; nocase; distance:0; pcre:"/^\s*==\s*200/Ri"; content:"navigator"; nocase; pcre:"/^\s*\.\s*userAgent/Ri"; content:"document"; nocase; pcre:"/^\s*\.\s*referrer/Ri"; content:"document"; nocase;  pcre:"/^\s*\.\s*cookie/Ri"; content:"window"; nocase;  pcre:"/^\s*\.\s*location\s*\.\s*hostname/Ri"; content:"document"; nocase; pcre:"/^\s*\.\s*cookie/Ri"; metadata: former_category CURRENT_EVENTS; reference:url,www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/; reference:url,www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html; classtype:trojan-activity; sid:2024911; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_and_Server, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2017_10_24, updated_at 2017_10_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible BadRabbit Driveby Download M2 Oct 24 2017"; flow:established,from_server; file_data; content:"Msxml2.XMLHTTP.6.0"; fast_pattern; content:"InjectionString"; nocase; distance:0; content:"hasOwnProperty"; nocase; distance:0; content:"navigator"; nocase; distance:0; pcre:"/^\s*\.\s*userAgent/Ri"; content:"document"; nocase; distance:0; pcre:"/^\s*\.\s*referrer/Ri"; content:"document"; nocase; distance:0; pcre:"/^\s*\.\s*cookie/Ri"; content:"window"; nocase; distance:0; pcre:"/^\s*\.\s*location\s*\.\s*hostname/Ri"; content:"!!document"; nocase; distance:0; pcre:"/^\s*\.\s*cookie/Ri"; metadata: former_category CURRENT_EVENTS; reference:url,www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/; classtype:trojan-activity; sid:2024912; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2017_10_24, updated_at 2017_10_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Oct 26 2017"; flow:to_server,established; content:"POST"; http_method; content:"lg="; depth:3; nocase; fast_pattern; http_client_body; content:"&pw="; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025032; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_10_26, updated_at 2017_11_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible BACKSWING JS Framework POST Observed"; flow:established,from_server; content:"200"; http_stat_code; content:"Access-Control-Allow-Methods|3a 20|POST"; http_header; content:"Content-Type|3a 20|application/json"; http_header; file_data; content:"|7b 22|InjectionType|22 3a|"; depth:17; fast_pattern; content:"|22|InjectionString|22 3a 22|"; distance:0; metadata: former_category CURRENT_EVENTS; reference:url,www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html; classtype:trojan-activity; sid:2024932; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_10_26, updated_at 2017_10_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Generic Phish (set) Oct 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"o1="; depth:3; nocase; http_client_body; content:"&o2="; nocase; distance:0; http_client_body; fast_pattern; content:"&o3="; nocase; distance:0; http_client_body; content:"&o4="; nocase; distance:0; http_client_body; content:"&o5="; nocase; distance:0; http_client_body; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025033; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_10_30, updated_at 2017_11_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS 401TRG Successful Multi-Email Phish - Observed in Docusign/Dropbox/Onedrive/Gdrive Nov 02 2017"; flow:to_server, established; content:"POST"; http_method; content:".php"; http_uri; isdataat:!1,relative; content:"pasuma"; nocase; http_client_body; depth:100; fast_pattern; content:"name"; nocase; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024942; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_11_02, updated_at 2017_11_02;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Raiffeisen Phishing Domain Nov 03 2017"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|banking|0a|raiffeisen|02|at"; nocase; distance:0; fast_pattern; byte_test:1,!=,0,0,relative; pcre:"/^.[a-z]*?[0-9]{3,9}.[a-z]{2,4}/R"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024943; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_11_03, updated_at 2017_11_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Sparkasse Phishing Domain Nov 03 2017"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|netbanking|09|sparkasse|02|at"; nocase; distance:0; fast_pattern; byte_test:1,!=,0,0,relative; pcre:"/^.[a-z]*?[0-9]{3,9}.[a-z]{2,4}/R"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024944; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_11_03, updated_at 2017_11_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SOCENG Fake Update/Installer ForceDL Template Nov 03 2017"; flow:established,from_server; file_data; content:"addDownloadHint"; nocase; pcre:"/^\s*\x28\s*[\x22\x27][^\x22\x27]*[\x22\x27]\s*,\s*[\x22\x27][^\x22\x27]+\.exe[\x22\x27]/Rsi"; content:"doDownload(force)"; nocase; content:"userConversion(true)"; nocase; distance:0; content:"trigger_dl"; nocase; pcre:"/^\s*\(\s*force\s*\?\s*true\s*\x3a\s*false\s*,\s*\d+\s*,\s*\d+\s*,\s*[\x22\x27][^\x22\x27]+\.exe[\x22\x27]/Ri"; classtype:trojan-activity; sid:2024945; rev:2; metadata:created_at 2017_11_03, updated_at 2017_11_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS BankAustria Phishing Domain Nov 03 2017"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|online|0b|bankaustria|02|at"; nocase; distance:0; fast_pattern; byte_test:1,!=,0,0,relative; pcre:"/^.[a-z]*?[0-9]{3,9}[a-z]*?\.[a-z]{2,4}/R"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024946; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_11_03, updated_at 2017_12_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Raiffeisen Phish Nov 03 2017"; flow:to_server,established; content:"POST"; http_method; content:"banking.raiffeisen.at."; http_header; fast_pattern; pcre:"/^Host\x3a\x20banking\.raiffeisen\.at\.[a-z]*?[0-9]{3,9}\.[a-z]{2,4}$/Hmi"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024947; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_11_03, updated_at 2017_11_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Sparkasse Phish Nov 03 2017"; flow:to_server,established; content:"POST"; http_method; content:"netbanking.sparkasse.at."; http_header; fast_pattern; pcre:"/^Host\x3a\x20netbanking\.sparkasse\.at\.[a-z]*?[0-9]{3,9}\.[a-z]{2,4}$/Hmi"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024948; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_11_03, updated_at 2017_11_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful BankAustria Phish Nov 03 2017"; flow:to_server,established; content:"POST"; http_method; content:"online.bankaustria.at."; http_header; fast_pattern; pcre:"/^Host\x3a\x20online\.bankaustria\.at\.[a-z]*?[0-9]{3,9}[a-z]*?\.[a-z]{2,4}$/Hmi"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024949; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_11_03, updated_at 2017_11_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Paypal Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>"; nocase; content:"|20|-|20|paypal"; nocase; within:100; fast_pattern; pcre:"/<title>\s*(?:s(?:e(?:nd money, pay online or set up a merchant|cure) account|uspicious (?:transaction |activities))|con(?:firm card security information|to limitato)|(?:profile updat|mot de pass)e|login)\s*-\s*paypal\s*<\/title>/i"; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2024970; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_11_07, updated_at 2017_11_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish Nov 09 2017 (set)"; flow:to_server,established; content:"POST"; http_method; content:"usr="; depth:4; nocase; http_client_body; content:"&psw="; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025034; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_11_09, updated_at 2017_11_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Apple Phishing Landing Nov 10 2017"; flow:established,to_client; file_data; content:"<label class=|22|MobMenHol"; nocase; fast_pattern; content:"<span class=|22|MobMenIcon"; nocase; distance:0; content:"MobMenIcon"; nocase; distance:0; content:"MobMenIcon"; nocase; distance:0; content:"MobMenIcon"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025693; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_11_10, updated_at 2018_07_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SocEng Fake Font Download Template Nov 14 2017"; flow:established,from_server; file_data; content:"|63 6c 69 63 6b 5f 75 70 64|"; nocase; content:"|46 6f 6e 74 20 50 61 63 6b|"; nocase; content:"|2e 6a 73 20 66 69 6c 65 20 74 6f 20 73 74 61 72 74 20 74 68 65 20 69 6e 73 74 61 6c 6c 61 74 69 6f 6e 20 70 72 6f 63 65 73 73 2e|"; nocase; metadata: former_category CURRENT_EVENTS; reference:url,malware-traffic-analysis.net/2017/11/12/index.html; classtype:trojan-activity; sid:2024985; rev:1; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_14, malware_family SocEng, performance_impact Low, updated_at 2017_11_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Nov 20 2017"; flow:to_server,established; content:"POST"; http_method; content:"x1="; depth:3; nocase; fast_pattern; http_client_body; content:"&x2="; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025013; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_11_20, updated_at 2017_11_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) 2017-12-03"; flow:to_server,established; content:"POST"; http_method; content:"emailphone="; depth:11; nocase; fast_pattern; http_client_body; content:"&emailphone2="; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025099; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_12_03, updated_at 2017_12_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Credentials Sent to Suspicious TLD via HTTP GET"; flow:to_server,established; content:"GET"; http_method; content:"user"; http_uri; nocase; content:"pass"; http_uri; distance:0; nocase; fast_pattern; pcre:"/\.(?:ga|gq|cf|ml|gdn|tk)$/Hmi"; flowbits:set,ET.eduphish; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025113; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_12_04, updated_at 2017_12_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful EDU Phish 2017-12-04"; flow:established,to_client; flowbits:isset,ET.eduphish; content:"302"; http_stat_code; content:"|0d 0a|Location|3a 20|"; nocase; pcre:"/^[^\r\n]+\.edu/Ri"; content:"Content-Length|3a 20|0|0d 0a|"; http_header; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025114; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_12_04, updated_at 2017_12_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) 2017-12-04"; flow:established,to_server; content:"POST"; http_method; content:"1="; depth:2; nocase; http_client_body; content:"&2="; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025115; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_12_04, updated_at 2017_12_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Facebook Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title"; nocase; content:"About Copyright|20 7c 20|Facebook Help Center"; within:100; nocase; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025137; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_12_06, updated_at 2017_12_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible MyEtherWallet Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>"; nocase; content:"MyEtherWallet.com"; within:30; nocase; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025140; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_12_06, updated_at 2017_12_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Mailbox Shutdown Phishing Landing 2017-12-11"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"<title>"; nocase; depth:300; content:"Secure Email Server|20 3a 3a|"; fast_pattern; nocase; within:100; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025678; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_12_11, updated_at 2018_07_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious Fake JS Lib Inject"; flow:established,from_server; file_data; content:".min.php"; nocase; pcre:"/^(?P<q>[\x22\x27])\+(?P=q)\?(?P=q)\+(?P=q)/R"; content:"default_keyword="; within:2500; fast_pattern; content:"<"; within:2500; content:!"/script>"; within:8; pcre:"/^[\x22\x27+\s]*\/[\x22\x27+\s]*s[\x22\x27+\s]*c[\x22\x27+\s]*r[\x22\x27+\s]*i[\x22\x27+\s]*p[\x22\x27+\s]*t[\x22\x27+\s]*>/Rsi"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025151; rev:1; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2017_12_15, performance_impact Low, updated_at 2017_12_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Fedex Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<TITLE>FEDEX|20 7c 20|Tracking</TITLE>"; fast_pattern; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025158; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_12_20, updated_at 2017_12_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Halkbank (TK) Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>|48 61 6c 6b 62 61 6e 6b 20 c4 b0 6e 74 65 72 6e 65 74 20 c5 9e 75 62 65 73 69|</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025159; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_12_20, updated_at 2017_12_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Ziraat Bank (TK) Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>|20 48 6f c5 9f 67 65 6c 64 69 6e 69 7a 20 7c 20 5a 69 72 61 61 74 20 42 61 6e 6b 61 73 c4 b1|"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025160; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_12_20, updated_at 2017_12_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Financial Phish Landing 2017-12-21"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"jQuery(function($)"; nocase; fast_pattern; content:"#dob"; nocase; distance:0; content:"mask"; nocase; within:10; content:"placeholder"; nocase; within:30; content:"#ssn"; nocase; within:50; content:"mask"; nocase; within:10; content:"placeholder"; nocase; within:30; content:"#sortcode"; nocase; within:50; content:"mask"; nocase; within:10; content:"placeholder"; nocase; within:30; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025663; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_12_21, updated_at 2018_07_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Landing 2017-12-26"; flow:established,to_client; file_data; content:"&Rho|3b|ay&Rho|3b|aI</title>"; within:200; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025173; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_12_26, updated_at 2017_12_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Yobit Cryptocurrency Exchange Phish 2017-12-28"; flow:established,to_server; content:"POST"; http_method; content:"login="; depth:6; nocase; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&psw1="; nocase; distance:0; http_client_body; content:"&psw2="; nocase; distance:0; http_client_body; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025174; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_12_28, updated_at 2017_12_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful HitBTC Cryptocurrency Exchange Phish 2017-12-28"; flow:established,to_server; content:"POST"; http_method; content:"__csrf__="; depth:9; nocase; http_client_body; content:"&utc_offset_hours="; nocase; distance:0; http_client_body; fast_pattern; content:"&email="; nocase; distance:0; http_client_body; content:"&password="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025175; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_12_28, updated_at 2017_12_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Liqui Cryptocurrency Exchange Phish 2017-12-28"; flow:established,to_server; content:"POST"; http_method; content:"login_type%5Bemail%5D="; depth:22; nocase; http_client_body; content:"&login_type%5Bpassword%5D="; nocase; distance:0; http_client_body; content:"&login_type%5BtwoFactorKey%5D="; nocase; distance:0; http_client_body; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025176; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_12_28, updated_at 2017_12_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) 2018-01-02"; flow:to_server,established; content:"POST"; http_method; content:"id="; depth:3; nocase; fast_pattern; http_client_body; content:"&pw="; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025180; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_02, updated_at 2018_01_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Landing 2018-01-03"; flow:from_server,established; file_data; content:"L&#959|3b|g|20|in|20|t&#959|3b 20|y&#959|3b|ur|20|&Rho|3b|ay&Rho|3b|aI|20|acc&#959|3b|unt"; nocase; depth:300; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025181; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_03, updated_at 2018_01_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoinMiner Malicious Authline Seen After CVE-2017-10271 Exploit"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3a 20 22|mining.authorize|22 2c|"; within:100; content:"|22|params|22|"; within:50; content:"|5b 22|4AQe5sAFWZKECiaeNTt59LG7kVtqRoSRJMjrmQ6GiMFAeUvoL3MFeTE6zwwHkFPrAyNw2JHDxUSWL82RiZThPpk4SEg7Vqe|22 2c 20 22|"; distance:0; metadata: former_category CURRENT_EVENTS; reference:url,otx.alienvault.com/pulse/5a4e1c4993199b299f90a212; classtype:trojan-activity; sid:2025186; rev:1; metadata:attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_01_04, malware_family CoinMiner, performance_impact Low, updated_at 2018_01_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing 2018-01-10"; flow:from_server,established; file_data; content:"<title>Security Warning"; nocase; fast_pattern; content:"background-color:#d70000"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025197; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Tech_Support_Scam, signature_severity Minor, created_at 2018_01_10, updated_at 2018_01_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Phishing Landing 2018-01-12"; flow:from_server,established; file_data; content:"var ListEntries"; nocase; content:"|27 2e 2a 66 75 63 6b 2e 2a 27 2c|"; within:50; content:"|27 2e 2a 70 75 73 73 79 2e 2a 27 2c|"; distance:0; content:"|27 2e 2a 6e 69 63 65 2e 2a 74 72 79 2e 2a 27|"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025685; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_12, updated_at 2018_07_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Dropbox Phishing Landing 2018-01-18"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Dropbox"; nocase; within:25; content:"Select Your Email Provider"; nocase; distance:0; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025206; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_18, updated_at 2018_01_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Chase Phishing Landing 2018-01-18"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Chase"; nocase; within:25; content:"WYSIWYG Web Builder"; nocase; distance:0; content:"folling information about yourself"; nocase; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025207; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_18, updated_at 2018_01_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Office 365 Phishing Landing 2018-01-18"; flow:established,to_client; file_data; content:"background-color|3a 20|rgb(235, 60, 0)"; fast_pattern; nocase; within:200; content:"$Config={|22|scid|22 3a|"; nocase; distance:0; content:"secure.aadcdn.microsoftonline-p.com"; nocase; distance:0; content:"<title"; nocase; distance:0; content:"Sign in to your account"; nocase; within:50; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025208; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_18, updated_at 2018_01_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Chase Phishing Landing 2018-01-18"; flow:established,to_client; file_data; content:"<title>Chase"; nocase; fast_pattern; content:"googlebot|22 20|content=|22|noindex"; nocase; distance:0; content:"function unhideBody()"; nocase; distance:0; content:"type=|22|password"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025210; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_18, updated_at 2018_01_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Bank of America Phishing Landing 2018-01-18 M1"; flow:established,to_client; file_data; content:"<title>Bank of America"; nocase; fast_pattern; content:"WYSIWYG Web Builder"; nocase; within:200; content:"Untitled1.css"; nocase; within:300; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025211; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_18, updated_at 2018_01_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Bank of America Phishing Landing 2018-01-18 M2"; flow:established,to_client; file_data; content:"<title>Confirm Your Account"; nocase; fast_pattern; content:"WYSIWYG Web Builder"; nocase; within:200; content:"Untitled1.css"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025212; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_18, updated_at 2018_01_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Chase Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>chase online - confirm</title>"; fast_pattern; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025213; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_18, updated_at 2018_01_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Landing 2018-01-18 M1"; flow:established,to_client; file_data; content:"|73 63 72 69 70 74 3a 20 6e 6f 64 65 2c 20 74 65 6d 70 6c 61 74 65 3a 20 20 2c 20 64 61 74 65 3a 20 4a 75 6c 20 33|"; content:"<title>Log in to your PayPal account</title>"; fast_pattern; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025214; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_18, updated_at 2018_01_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Landing 2018-01-18 M2"; flow:established,to_client; file_data; content:"<title>Log in to your PayPal account</title>"; fast_pattern; nocase; content:"<form action=|22|webscr.php?cmd=_"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025215; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_01_18, updated_at 2018_01_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Malicious Chrome Extension Domain Request (change-request .info in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0e|change-request|04|info|00|"; nocase; distance:0; fast_pattern; metadata: former_category CURRENT_EVENTS; reference:url,icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses; classtype:trojan-activity; sid:2025216; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_18, performance_impact Low, updated_at 2018_01_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Malicious Chrome Extension Domain Request (nyoogle .info in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|07|nyoogle|04|info|00|"; nocase; distance:0; fast_pattern; metadata: former_category CURRENT_EVENTS; reference:url,icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses; classtype:trojan-activity; sid:2025217; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_18, performance_impact Low, updated_at 2018_01_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Malicious Chrome Extension Domain Request (stickies .pro in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|08|stickies|03|pro|00|"; nocase; distance:0; fast_pattern; metadata: former_category CURRENT_EVENTS; reference:url,www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses; classtype:trojan-activity; sid:2025218; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_18, performance_impact Low, updated_at 2018_03_15;)

alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Malicious Chrome Extension Domain Request (lite-bookmarks .info in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0e|lite-bookmarks|04|info|00|"; nocase; distance:0; fast_pattern; metadata: former_category CURRENT_EVENTS; reference:url,icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses; classtype:trojan-activity; sid:2025219; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_18, performance_impact Low, updated_at 2018_01_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Questionnaire Phishing Landing 2018-01-19"; flow:established,to_client; file_data; content:"<title>Questionnaire</title>"; nocase; fast_pattern; content:"assets/css/theDocs.all.min.css"; nocase; distance:0; content:"<h3>DOCUMENT MANAGEMENT SYSTEM"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025226; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_19, updated_at 2018_01_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Email Verification/Upgrade Phishing Landing 2018-01-22"; flow:established,to_client; file_data; content:"<title>Email Verification</title>"; nocase; fast_pattern; content:"Sign in to upgrade your mailbox"; nocase; distance:0; content:"Mail Admin"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025229; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_22, updated_at 2018_01_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Email Server Mobile Security Settings Phishing Landing 2018-01-22"; flow:established,to_client; file_data; file_data; content:"<html>|0d 0a 0d 0a|<script type=|22|text/javascript|22|>|0d 0a|<!--|0d 0a|document.write"; within:100; nocase; content:"3c%68%65%61%64%3e%0d%0a%0d%0a%3c%74%69%74%6c%65%3e%45%6d%61%69%6c%20%53%65%72%76%65%72"; distance:0; content:"<input type=|22|hidden|22 20|name=|22|login|22 20|value=|22|"; nocase; distance:0; content:"User ID|3a 20|<font face=|22|verdana|22 20|size=|22|2|22 20|color=|22|#000000|22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025232; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_22, updated_at 2018_01_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Dropbox Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>&#68|3b|&#114|3b|&#111|3b|&#112|3b|&#98|3b|&#111|3b|&#120|3b|</title>"; nocase; within:300; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025233; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_22, updated_at 2018_01_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Compromised Wordpress - Generic Phishing Landing 2018-01-22"; flow:established,to_server; content:"GET"; http_method; content:"/wp-"; depth:4; http_uri; content:"?cmd=login_submit&id="; http_uri; nocase; distance:0; fast_pattern; content:"&session="; http_uri; nocase; distance:64; within:9; pcre:"/&session=[a-f0-9]{64}$/Ui";  metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025236; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_22, updated_at 2018_01_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blocked Incoming Emails Phishing Landing 2018-01-23"; flow:established,to_client; file_data; content:"<title>Retrieval Error</title>"; nocase; fast_pattern; content:"onload=|22|populate()"; nocase; distance:0; content:"<input id=|22|Password|22 20|name=|22|Password"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025242; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_22, updated_at 2018_01_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS ABSA Online Phishing Landing 2018-01-23"; flow:established,to_client; file_data; content:"setTimeout(function(){top.window.location"; nocase; fast_pattern; content:"<title"; nocase; within:150; content:"Absa Online"; nocase; within:50; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025243; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_23, updated_at 2018_01_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS AT&T Phishing Landing 2018-01-23"; flow:established,to_client; file_data; content:"<title>AT&amp|3b|T - Login</title>"; nocase; fast_pattern; content:".php|22 20|method=|22|post|22 20|id=|22|LoginForm|22 20 20|focus=|22|userid|22 20|name=|22|LoginForm|22 20|type=|22|com.sbc.idm.igate_edam.forms.LoginFormBean|22|>"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025244; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_23, updated_at 2018_01_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Facebook Phishing Landing 2018-01-23"; flow:established,to_client; file_data; content:"<title>Facebook</title>"; nocase; content:"Login with Facebook"; nocase; distance:0; content:"Hosted on free web hosting 000webhost.com"; nocase; distance:0; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025245; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_23, updated_at 2018_01_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS LCL Banque et Assurance (FR) Phishing Landing 2018-01-23"; flow:established,to_client; file_data; content:"<title"; nocase; content:"La Banque Postale|20 e2 80 93 20|La Banque Postale"; fast_pattern; within:80; nocase; content:"background-color|3a 20|#FFFFFF|3b|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025246; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_23, updated_at 2018_01_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Landing 2018-01-25"; flow:established,to_client; file_data; content:"security is our top priority"; nocase; content:"Use us wherever you pay"; fast_pattern; nocase; distance:0; content:"onsubmit=|22|return checkform(this)|3b 22|"; nocase; distance:0; content:"function checkform"; nocase; distance:0; content:"style.backgroundColor=|22|#FF6A6A|22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025247; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_24, updated_at 2018_01_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Multi-Email Popupwnd Phishing Landing 2018-01-25"; flow:established,to_client; file_data; content:"function popupwnd(url, "; fast_pattern; nocase; content:"var popupwindow = this.open(url"; nocase; distance:0; content:"your email provider"; nocase; distance:0; content:"'no','no','no','no','no'"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025248; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_24, updated_at 2018_01_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Multi-Email Phishing Landing 2018-01-25"; flow:established,to_client; file_data; content:"<title"; nocase; content:"View Document"; nocase; within:30; content:"<a href=|22|eciffo365.php"; nocase; fast_pattern; distance:0; content:"<a href=|22|kooltuo.php"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025249; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_24, updated_at 2018_01_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Office 365 Phishing Landing 2018-01-25"; flow:established,to_client; file_data; content:"<title>Sign in to your account"; nocase; fast_pattern; content:"function LoginErrors(){this.userNameFormatError"; nocase; within:300; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025250; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_24, updated_at 2018_01_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Mailbox Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"<title>&#37038|3b|&#20214|3b|&#35774|3b|&#32622|3b 20 7c 20|&#30005|3b|&#23376|3b|&#37038|3b|&#20214|3b|&#21319|3b|&#32423|3b|</title>"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025255; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_26, updated_at 2018_01_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Halkbank (TK) Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Halkbank|20 c4 b0 6e 74 65 72 6e 65 74 20 c5 9e 75 62 65 73 69|"; within:50; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025258; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_29, updated_at 2018_01_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Smail Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"...|7c|1|7c|Smail Code|7c|1|7c|..."; fast_pattern; nocase; content:"ALTER ANYTHING BELOW THIS LINE"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025259; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_29, updated_at 2018_01_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Apple Phishing Landing 2018-01-29 M1"; flow:established,to_client; file_data; content:"Apple ID|20 3a|"; within:100; content:"<title>Apple (Switzerland)"; nocase; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025260; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_29, updated_at 2018_01_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Apple Phishing Landing 2018-01-29 M2"; flow:established,to_client; file_data; content:"background|3a 20|#3baee7|3b|"; nocase; distance:0; content:"-webkit-linear-gradient(top, #3baee7, #08c)"; nocase; distance:0; content:"text-shadow|3a 20|1px 1px 3px #666666"; nocase; distance:0; content:"background|3a 20|#3cb0fd|3b|"; nocase; distance:0; content:"-webkit-linear-gradient(top, #3cb0fd, #3498db)"; nocase; distance:0; content:".dark {"; nocase; distance:0; content:"color|3a 20|#525252|3b|"; nocase; distance:0; content:".dark-select {"; nocase; distance:0; content:"background|3a 20|#DFDFDF url('down-arrow.png')"; nocase; distance:0; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025261; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_29, updated_at 2018_01_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"Dear <b id=|22|accessreturn|22|>User</b>,"; nocase; fast_pattern; content:"<b>Ticket|20 3a 20|#"; nocase; distance:0; content:"<b>For This Reason|20 3a 20|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025262; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_29, updated_at 2018_01_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Office 365 Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"<title"; content:"Office 365"; nocase; within:25; content:"function LoginErrors(){this.userNameFormatError"; fast_pattern; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025263; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_29, updated_at 2018_01_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Onedrive Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"<title"; nocase; content:"OneDrive Online Security"; nocase; within:50; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025264; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_29, updated_at 2018_01_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Smartsheet Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"<title>Log In|20 7c 20|Smartsheet</title>"; nocase; fast_pattern; content:"<form action="; nocase; distance:0; content:".php|22 20|class=|22|clsJspOuterForm|22 20|id="; nocase; distance:0; content:"method=|22|POST|22 20|name=|22|ctlForm|22|>"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025265; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_29, updated_at 2018_01_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Impots.gouv.fr Phishing Landing 2018-01-30"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Particulier|20 7c 20|impots.gouv.fr"; nocase; within:50; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025268; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_30, updated_at 2018_01_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Turbotax Phishing Landing 2018-01-30"; flow:established,to_client; file_data; content:"<title>My TurboTax"; nocase; fast_pattern; content:"Login to your MyTurboTax account to start"; nocase; distance:0; content:"User ID"; nocase; distance:0; content:"Email Password"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025269; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_30, updated_at 2018_01_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Bank of America Phishing Landing 2018-01-30"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Bank of America|20 7c 20|Online Banking"; nocase; within:40; fast_pattern; content:"CONTENT=|22|Unrecognized computer"; nocase; distance:0; content:"SiteKey Challenge Questions"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025270; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_30, updated_at 2018_01_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Capital One Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Online Banking - Capital One 360</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025271; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_30, updated_at 2018_01_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS GrandSoft EK IE Exploit Jan 30 2018"; flow:established,from_server; file_data; content:"|3d 20 22 2c|&h|22|"; nocase; fast_pattern:only; content:"4d"; nocase; content:"5a"; nocase; within:20; content:"responseBody"; nocase; content:"Dim|20|"; nocase; content:"Dim|20|"; nocase; distance:0; content:"Win32_OperatingSystem"; nocase; classtype:trojan-activity; sid:2025272; rev:1; metadata:created_at 2018_01_30, updated_at 2018_01_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Verizon Wireless Phishing Landing 2018-01-30"; flow:established,to_client; file_data; content:"<!-- saved from url="; nocase; within:200; content:"<title"; nocase; distance:0; content:"Sign in"; nocase; within:10; content:"verizonwireless.com"; nocase; within:100; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025274; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_30, updated_at 2018_01_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Landing 2018-01-31"; flow:established,to_client; file_data; content:"<title"; nocase; content:"P&#97|3b|yP&#97|3b|l"; nocase; within:35; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025276; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_31, updated_at 2018_01_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Apple iTunes Phishing Landing (DE) 2018-01-31"; flow:established,to_client; file_data; content:"<ISONLINE VALUE=TRUE></ISONLINE>"; nocase; within:200; content:"<title>iTunes - Stornierungsformular"; nocase; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025277; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_31, updated_at 2018_01_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Mailbox Verification Phishing Landing 2018-01-31"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Mail Verification"; nocase; within:50; fast_pattern; content:"your mailbox"; nocase; distance:0; content:"email password"; nocase; distance:0; content:"All rights reserved"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025278; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_31, updated_at 2018_01_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Hellion Postmaster Phishing Landing 2018-01-31"; flow:established,to_client; file_data; content:"/hellion/postmaster.png"; fast_pattern; nocase; content:"/hellion/logos.png"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025279; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_31, updated_at 2018_01_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Roundcube Multi-Brand Phishing Landing 2018-01-31"; flow:established,to_client; file_data; content:"FILES/jstz.min.js?s="; nocase; fast_pattern; content:"rcube_webmail()"; nocase; distance:0; content:"function MM_findObj"; nocase; distance:0; content:"function MM_validateForm"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025280; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_31, updated_at 2018_01_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cloned Website Phishing Landing - Saved Website Comment Observed"; flow:established,to_client; file_data; content:"<!-- saved from url=("; within:300; pcre:"/^\s*?\d+?\s*?\)(?:https://(?:w(?:ww(?:\.(?:(?:bankofamerica|paypal|ups|wellsfargo)\.com|a(?:dobecloud\.com|mazon\.co\.jp)|tax\.service\.gov\.uk|cibc\.mobi)|1\.royalbank\.com)|ebmail\.(?:i(?:llinois|ndstate)\.ed|optusnet\.com\.a)u)|(?:s(?:i(?:tekey\.bankofamerica|gnin\.ebay)|ecure(?:\.bankofamerica|05c\.chase))|login\.(?:(?:microsoftonlin|liv)e|verizonwireless|alibaba)|my\.screenname\.aol)\.com|(?:(?:ex(?:change\.(?:louisvill|purdu)|mail\.oregonstat)e|owa\.uaa\.alaska)\.ed|ib\.nab\.com\.a)u|voscomptesenligne\.labanquepostale\.fr|auth\.centurylink\.net)|/logon/logon/chaseOnline|#www\.kucoin\.com)/Rsi"; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025281; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_31, updated_at 2018_02_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cloned Website Phishing Landing - Mirrored Website Comment Observed"; flow:established,to_client; file_data; content:"<!-- Mirrored from "; pcre:"/^(?:www(?:1\.masterconsultas\.com\.ar|\.linkedin\.com)|(?:tools\.google|facebook)\.com|cfspart\.impots\.gouv\.fr)/Ri"; content:"by HTTrack Website Copier/"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025282; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_31, updated_at 2018_01_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Live Login Phishing Landing 2018-02-01"; flow:established,to_client; file_data; content:"<title>Sign In</title>"; nocase; content:"Outlook.com is a free, personal email service from Microsoft."; nocase; within:150; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025284; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_01, updated_at 2018_02_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS TSB Bank / Lloyds Bank Phishing Landing 2018-02-01"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Online Personal Verification"; nocase; within:100; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025285; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_01, updated_at 2018_02_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Wells Fargo Phishing Landing 2018-02-01"; flow:established,to_client; file_data; content:"<title>Wells Fargo Online|c2 ae 20|Verification</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025286; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_01, updated_at 2018_02_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Cloned .EDU Website Phishing Landing 2018-02-02"; flow:established,to_client; file_data; content:"<!-- saved from url=("; within:300; pcre:"/^\s*?\d+?\s*?\)https?:\/\/[^/]+\.edu\//Rsi"; content:"<form"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025290; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_01, updated_at 2018_02_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Wells Fargo Phishing Landing 2018-02-02 M1"; flow:established,to_client; file_data; content:"<title>Wells Fargo BANK</title>"; fast_pattern; content:"Access Your Accounts</div>"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025292; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_02, updated_at 2018_02_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Wells Fargo Phishing Landing 2018-02-02 M2"; flow:established,to_client; file_data; content:"<title>Wells Fargo&nbsp|3b|Sign On to View Your Accounts</title>"; nocase; fast_pattern; content:"Online &amp|3b 20|Mobile Security"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025293; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_02, updated_at 2018_02_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Wells Fargo Phishing Landing 2018-02-02 M3"; flow:established,to_client; file_data; content:"<title>Wells Fargo&nbsp|3b|Sign On to View Your Accounts</title>"; nocase; fast_pattern; content:"View Your Accounts</h1>"; nocase; distance:0; content:"disableSubmitsCollectUserPrefs"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025294; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_02, updated_at 2018_02_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Wells Fargo Phishing Landing 2018-02-02 M4"; flow:established,to_client; file_data; content:"antiClickjack.parentNode.removeChild"; within:1000; content:"<title>Wells Fargo Sign On to View Your Accounts</title>"; nocase; distance:0; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025295; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_02, updated_at 2018_02_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Wells Fargo Phishing Landing 2018-02-02 M5"; flow:established,to_client; file_data; content:"<title>Wells Fargo  - Update Your Identification</title>"; nocase; fast_pattern; content:"../css js/passwordReset.css"; within:200; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025296; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_02, updated_at 2018_02_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Wells Fargo Phishing Landing 2018-02-02 M6"; flow:established,to_client; file_data; content:"Online Banking Identity Verification Process</TITLE>"; within:300; content:"name=KONICHIWA1"; within:250; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025297; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_02, updated_at 2018_02_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Wells Fargo Phishing Landing 2018-02-02 M7"; flow:established,to_client; file_data; content:"<title>Wells Fargo Online&reg|3b 20|Enrollment</title>"; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025298; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_02, updated_at 2018_02_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Wells Fargo Phishing Landing 2018-02-02 M8"; flow:established,to_client; file_data; content:"<head><!-- WFB 3.4 -->"; within:300; fast_pattern; content:"var bundle|3b|(function(){function a(b){var c=|22 22 3b|for(var d=0,e=b.length|3b|d<e|3b|++d){var f=b.charCodeAt(d)|3b|c+=f>=55296?b[d]|3a|String.fromCharCode"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025299; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_02, updated_at 2018_02_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Wells Fargo Phishing Landing 2018-02-02 M9"; flow:established,to_client; file_data; content:"<title>Wells Fargo - Security Upgrade</title>"; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025300; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_02, updated_at 2018_02_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Wells Fargo Phishing Landing 2018-02-02 M10"; flow:established,to_client; file_data; content:"<title>Wells Fargo Email Verification"; nocase; fast_pattern; content:"input[type=email], input[type=password]"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025301; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_02, updated_at 2018_02_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Banque Populaire Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:".logo_banque"; nocase; content:",.authentif p.num_carte"; nocase; fast_pattern; content:"<title"; content:"Authentification"; nocase; within:20; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025306; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_05, updated_at 2018_02_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:"PayPaI</title>"; nocase; fast_pattern; content:"application-name content=PayPaI>"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025307; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_05, updated_at 2018_02_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Generic Antibots Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:"<?php|0d 0a|include|20 22|antibots.php|22 3b 0d 0a|?>"; within:100; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025308; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_05, updated_at 2018_02_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Facebook Upgrade Payment Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:"ONE MORE STEP"; content:"<title"; nocase; distance:0; content:"Enter Your Credit"; nocase; within:25; content:"UPGRADE PAYMENT"; distance:0; content:"fbCreditCard"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025309; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_05, updated_at 2018_02_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Mailbox Upgrade Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Mail Settings|20 7c 20|Email"; nocase; within:40; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025310; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_05, updated_at 2018_02_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Yahoo Account Verification Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Yahoo! Account Verification"; nocase; within:40; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025311; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_05, updated_at 2018_02_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Google/Adobe Shared Document Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:"<title"; nocase; content:"sign in"; nocase; within:25; content:"MM_validateForm(|27|password|27 2c 27 27 2c 27|R|27 2c 27|mail|27 2c 27 27 2c 27|RisEmail|27 2c 27|phone|27 2c 27 27 2c 27|NisNum|27|)"; nocase; distance:0; fast_pattern:55,20; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025312; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_05, updated_at 2018_02_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Orange Phishing Landing 2018-02-05 (FR)"; flow:established,to_client; file_data; content:"<title"; content:"pour continuer, identifiez-vous"; nocase; within:50; fast_pattern; content:"index_fichiers/authuser"; nocase; distance:0; content:"title=|22|site orange.fr"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025313; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_05, updated_at 2018_02_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Office 365 Phishing Landing 2018-02-06"; flow:established,to_client; file_data; content:"content=|22|Connecting to PDSA"; nocase; within:600; content:"<title>Sign In</title>"; nocase; distance:0; content:"function LoginErrors(){this.userNameFormatError"; nocase; distance:0; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025316; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_06, updated_at 2018_02_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Ebay Phishing Landing 2018-02-07"; flow:established,to_server; content:"GET"; http_method; content:"Host|3a 20|signin.eby.de."; http_header; pcre:"/^Host\x3a\x20signin\.eby\.de\.[a-z0-9]{15}\./Hmi"; threshold: type limit, track by_src, count 1, seconds 30; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025321; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_07, updated_at 2018_02_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Google Drive Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title>Google|20 7c 20|Drive , Safe"; nocase; fast_pattern; content:"your email provider"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025322; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_07, updated_at 2018_02_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Dropbox Business Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title>DropBox Buisness</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025323; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_07, updated_at 2018_02_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Apple Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title>Apple - Login"; nocase; content:"href=|22|incorrect_files/"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025324; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_07, updated_at 2018_02_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Dropbox Business Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"background-color|3a 20|#ffffff|3b|border|3a 20|1px solid #d0d4d9|3b|box-shadow|3a 20|4px 4px 4px #d0d4d9|3b|"; nocase; content:"id=|22|wk|22 20|name=|22|wk|22 20|method=|22|post|22|"; nocase; distance:0; fast_pattern; content:"Sign In To View"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025325; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_07, updated_at 2018_02_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Outlook Web App Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title>Sign in</title>"; nocase; content:"border|3a 20|1px solid #848484|3b|"; nocase; distance:0; content:"background-color|3a 20|#fff3c0|3b|"; nocase; distance:0; content:"left|3a|389px|3b 20|top|3a|0px|3b 20|width|3a|507px|3b 20|height|3a|474px|3b 20|z-index|3a|0"; nocase; distance:0; content:"<input name=|22|userid|22|"; nocase; distance:0; content:"<input name=|22|formtext2|22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025326; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_07, updated_at 2018_02_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Dropbox/OneDrive Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title"; nocase; content:"One Place For All Your Files"; within:60; nocase; content:"function popupwnd(url, toolbar"; nocase; distance:0; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025327; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_07, updated_at 2018_02_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Chase Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title>Chase Online - Logon"; nocase; fast_pattern; content:"<!--POH-->"; nocase; distance:0; content:"function AllowNoDups()"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025328; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_07, updated_at 2018_02_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Mailbox Verification Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title>Admin|20 7c 20|Upgrade|3b|</title>"; nocase; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025329; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_07, updated_at 2018_02_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Generic .EDU Phish (Legit Set)"; flow:to_server,established; content:".edu|0d 0a|"; http_header; pcre:"/^Host\x3a\x20[^\r\n]+\.edu\r\n/Hmi";  flowbits:set,ET.realEDUrequest; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:not-suspicious; sid:2025333; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_02_09, updated_at 2018_02_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS ASB Bank Phishing Landing 2018-02-09 M1"; flow:established,to_client; file_data; content:"<title>ASB Bank - Log in"; nocase; fast_pattern; content:"<img src=|22|logo-asb.png|22 20|alt=|22|ASB Logo|22|"; nocase; distance:0; content:".php|22 20|id=|22|login|22 20|autocomplete=|22|off|22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025334; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_09, updated_at 2018_02_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS LinkedIn Phishing Landing 2018-02-09 M1"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Sign In to LinkedIn|20 7c 20|LinkedIn"; nocase; within:40; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025335; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_09, updated_at 2018_02_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS ASB Bank Phishing Landing 2018-02-09 M2"; flow:established,to_client; file_data; content:"<title>ASB Bank - Log in"; nocase; fast_pattern; content:"<img src=|22|https://online.asb.co.nz/auth/img/logo-asb.png|22 20|alt=|22|ASB Logo|22|"; nocase; distance:0; content:".php|22 20|autocomplete=|22|off|22 20|aria-autocomplete=|22|none|22|>"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025336; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_09, updated_at 2018_02_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Wells Fargo Phishing Landing 2018-02-09"; flow:established,to_client; file_data; content:"<title>Wells Fargo Online</title>"; nocase; fast_pattern; content:"View Your Accounts"; nocase; distance:0; content:"placeholder=|22|Personal ID"; nocase; distance:0; content:"Connection Secured"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025337; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_09, updated_at 2018_02_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS LinkedIn Phishing Landing 2018-02-09 M2"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Sign In|20 7c 20|LinkedIn"; nocase; within:40; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025338; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_09, updated_at 2018_02_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Facebook Phishing Landing 2018-02-09"; flow:established,to_client; file_data; content:"<title>Facebook</title>"; nocase; fast_pattern; content:"We didn't recognize your email address or phone number"; nocase; distance:0; content:"theForm.pass.value.length"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025339; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_09, updated_at 2018_02_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Mailbox Revalidation Phishing Landing 2018-02-09"; flow:established,to_client; file_data; content:"<title>Re-Validate Your Mailbox</title>"; nocase; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025340; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_09, updated_at 2018_02_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Facebook Phishing Landing 2018-02-12"; flow:established,to_client; file_data; content:"hackgallo10k.png"; within:500; nocase; fast_pattern; content:"Facebook application"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025341; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_10, updated_at 2018_02_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS OneDrive Phishing Landing 2018-02-12"; flow:established,to_client; file_data; content:"<title"; nocase; content:"One Drive Cloud Document"; nocase; within:40; fast_pattern; content:"function popupwnd(url,"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025342; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_10, updated_at 2018_02_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Wells Fargo Phishing Landing 2018-02-12"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Wells Fargo"; nocase; distance:0; content:"if(user.length<6){alert("; nocase; distance:0; content:"if(pass.length<6){alert("; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025343; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_10, updated_at 2018_02_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Feb 12"; flow:from_server,established; file_data; content:"|57 69 6e 64 6f 77 73 20 44 65 66 65 6e 64 65 72 20 41 6c 65 72 74 20 3a 20 5a 65 75 73 20 56 69 72 75 73 20 44 65 74 65 63 74 65 64 20 49 6e 20 59 6f 75 72 20 43 6f 6d 70 75 74 65 72 20 21 21 3c 2f 68 31 3e|"; fast_pattern; nocase; content:"|3e 50 6c 65 61 73 65 20 44 6f 20 4e 6f 74 20 53 68 75 74 20 44 6f 77 6e 20 6f 72 20 52 65 73 65 74 20 59 6f 75 72 20 43 6f 6d 70 75 74 65 72 2e 3c 2f 68 33 3e|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025345; rev:1; metadata:created_at 2018_02_12, updated_at 2018_02_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Facebook Phishing Landing 2018-02-13 M1"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Facebook Application"; nocase; within:30; fast_pattern; content:"placeholder=|22|Password"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025347; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_13, updated_at 2018_02_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Facebook Phishing Landing 2018-02-13 M2"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Facebook"; nocase; within:20; content:"k7LsZ6Kzebp.css"; nocase; distance:0; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025348; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_13, updated_at 2018_02_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS LinkedIn Phishing Landing 2018-02-13"; flow:established,to_client; file_data; content:"<title>Business|20 7c 20|LinkedIn"; nocase; fast_pattern; content:"<title>Sign Up</title>"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025349; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_13, updated_at 2018_02_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Capital One Phishing Landing 2018-02-13 M1"; flow:established,to_client; file_data; content:"ng-app=|22|signInControllerApp|22|"; nocase; within:100; content:"<title>Sign In</title>"; nocase; distance:0; content:"href=|22|index_fichiers/favicon.ico"; nocase; distance:0; content:"usabilla_live_button_container"; nocase; distance:0; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025350; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_13, updated_at 2018_02_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Wells Fargo Phishing Landing 2018-02-13"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Wells Fargo - Verification"; nocase; within:40; fast_pattern; content:"account was suspended"; nocase; distance:0; content:"enable verification process"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025351; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_13, updated_at 2018_02_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Capital One Phishing Landing 2018-02-13 M2"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Validate Your Card Information"; nocase; within:50; fast_pattern; content:"</capitaloneheader>"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025352; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_13, updated_at 2018_02_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Email Validation Phishing Landing 2018-02-13"; flow:established,to_client; file_data; content:"function validateForm()"; nocase; content:"email.match(/fuck"; nocase; distance:0; content:"email.match(/asshole"; nocase; distance:0; content:"email.match(/dickhead"; nocase; distance:0; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025353; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_13, updated_at 2018_02_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) 2018-02-13"; flow:to_server,established; content:"POST"; http_method; content:"id="; nocase; depth:3; http_client_body; content:"|25|40"; distance:0; http_client_body; content:"&pas="; nocase; distance:0; http_client_body; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025354; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_13, updated_at 2018_02_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Dropbox Phishing Landing 2018-02-14"; flow:established,to_client; file_data; content:"<title"; nocase; content:"dropbox"; nocase; within:10; content:"text/css|22|>.hny-htirfw"; nocase; fast_pattern; within:100; content:"class=|22|psw_error"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025355; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_14, updated_at 2018_02_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Linkedin Phishing Landing 2018-02-14"; flow:established,to_client; file_data; content:"<title>Business|20 7c 20|LinkedIn</title>"; nocase; content:"function MM_validateForm()"; nocase; distance:0; content:"#a11y-content"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025356; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_14, updated_at 2018_02_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Facebook Phishing Landing 2018-02-14"; flow:established,to_client; file_data; content:"<title>Account Recovery Information</title>"; nocase; fast_pattern; content:"<title>Account Recovery Information</title>"; nocase; distance:0; content:"facebook account has been disabled"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025357; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_14, updated_at 2018_02_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Wells Fargo Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Wells Fargo Sign On to View Your Accounts</title>"; nocase; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025360; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_15, updated_at 2018_02_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sparkasse Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"<title>Online...... - Berliner....</title>"; nocase; fast_pattern; content:"berliner-sparkasse.de"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025361; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_15, updated_at 2018_02_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Dropbox Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"<title>Dropbox</title>"; within:300; nocase; fast_pattern; content:"featuredcontentglider.init({"; nocase; distance:0; content:"#yregbnr #yregbnrti #yregbnrtii"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025362; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_15, updated_at 2018_02_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Facebook Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"images/fbgiftscards.jpg"; within:100; fast_pattern; content:"CavalryLogger="; nocase; distance:0; content:"Facebook</title>"; nocase; content:"function Form1_Validator"; nocase; distance:0; content:"var alertsay"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025363; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_15, updated_at 2018_02_15;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Google Docs Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Sign in - Google Accounts"; nocase; within:30; fast_pattern; content:"input[type=email]"; nocase; distance:0; content:"input[type=password]"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025364; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_15, updated_at 2018_04_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Dropbox Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"<title"; content:"Dropbox Verification"; within:30; nocase; fast_pattern; content:"PhoneVerificationChallenge"; nocase; distance:0; content:"RecoveryEmailChallenge"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025365; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_15, updated_at 2018_02_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Chase Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"<title>Chase Online - Logon</title><!--"; nocase; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025366; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_15, updated_at 2018_02_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Square Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"/* VODKA */"; fast_pattern; content:"<form action=|22|--WEBBOT-SELF--"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025367; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_15, updated_at 2018_02_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Generic Multi-Account Phish 2018-02-16"; flowbits:isset,ET.genericphish; file_data; content:"<input id=|22|login-username|22 20|name=|22|username|22 20|value=|22|"; nocase; content:"<input name=|22|password|22 20|value="; nocase; distance:0; content:"autocomplete=|22|current-password|22|"; nocase; distance:0; content:"Wrong password. Try again or click Forgot password"; nocase; distance:0; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025368; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2018_02_16, updated_at 2018_02_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Spotify Phishing Landing 2018-02-19"; flow:established,to_client; file_data; content:"<title>Login - Spotify</title>"; nocase; fast_pattern; content:"LOGIN WITH FACEBOOK"; nocase; distance:0; content:"spotify.com"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025369; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_18, updated_at 2018_02_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Smartermail Phishing Landing 2018-02-20"; flow:established,to_client; file_data; content:"<title"; content:"SmarterMail"; nocase; within:20; fast_pattern; content:"<form method=|22|post|22 20|action=|22|login.php|22 20|id=|22|aspnetForm|22|>"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025371; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_20, updated_at 2018_02_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS USAA Phishing Landing 2018-02-20"; flow:established,to_client; file_data; content:"<title"; nocase; content:"USAA / Welcome to USAA"; nocase; distance:0; fast_pattern; content:".php|22 20|method=|22|POST|22 20|id=|22|Logon|22 20|name=|22|Logon|22 20|class=|22|yuimenubaritemlabel|22|>"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025372; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_20, updated_at 2018_02_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Yahoo Phishing Landing 2018-02-20"; flow:established,to_client; file_data; content:"<title>Securite utilisateur</title>"; nocase; fast_pattern; content:"<title>S&eacute|3b|curite Yahoo</title>"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025373; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_20, updated_at 2018_02_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Deepend Research] BestaBid FakeFlash Redirect"; content:"302"; http_stat_code; content:"Location"; nocase; http_header; content:"/?pcl="; nocase; http_header; content:".&cid="; fast_pattern; nocase; http_header; distance:40; pcre:"/^Location\x3a\x20[^\r\n]+\/\?pcl=(?:[a-zA-Z0-9_-]{86}|[a-zA-Z0-9_-]{43})\x2e{1,2}&cid=/Hmi"; metadata: former_category CURRENT_EVENTS; reference:url,www.deependresearch.org/2018/02/yaff-yet-another-fake-flash-campaign.html; classtype:bad-unknown; sid:2025374; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag FakeFlash, signature_severity Major, created_at 2018_02_21, updated_at 2018_02_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Wells Fargo Phishing Landing 2018-02-22"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Wells Fargo Sign On to Unlock Your Accounts"; nocase; within:50; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025377; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_22, updated_at 2018_02_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Office 365 Phishing Landing 2018-02-22"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Sign In"; nocase; within:15; content:"Validate"; nocase; within:20; content:"personal Microsoft account"; fast_pattern; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025378; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_22, updated_at 2018_02_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Upgrade Advantage Phishing Landing 2018-02-22"; flow:established,to_client; file_data; content:"<img src=|22|./hellion/logo1.png"; nocase; fast_pattern; content:"method=|22|post|22 20|action=|22|post.php"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025379; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_22, updated_at 2018_02_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Wells Fargo Phishing Landing 2018-02-22"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Wells Fargo - Please confirm your identity"; fast_pattern; within:50; nocase; content:"For security reasons"; nocase; distance:0; content:".php|22 20|novalidate=|22 22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025380; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_22, updated_at 2018_02_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Craigslist Phishing Landing 2018-02-26"; flow:established,to_client; file_data; content:"<title"; nocase; content:"craigslist - account log in"; nocase; fast_pattern; within:30; content:".php|22 20|method=|22|POST|22|>"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025394; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_26, updated_at 2018_02_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Credit Mutuel de Bretagne (FR) Phishing Landing 2018-02-26"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Cr|c3 a9|dit Mutuel de Bretagne"; nocase; distance:0; within:40; fast_pattern; content:"<form method=|22|post|22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025395; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_26, updated_at 2018_02_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Facebook Mobile Phishing Landing 2018-02-26"; flow:established,to_client; file_data; content:"<title>Login</title>"; nocase; content:"mbasic.facebook.com"; nocase; distance:0; content:"name=|22|username|22 20|autocomplete=|22|off|22 20|placeholder=|22|E-mail|22|"; nocase; distance:0; fast_pattern; content:"name=|22|password|22 20|autocomplete=|22|off|22 20|placeholder=|22|Password|22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025396; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_26, updated_at 2018_02_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Mailbox Update Phishing Landing 2018-02-26"; flow:established,to_client; file_data; content:"<img src=|22|./hellion/logo.png"; nocase; fast_pattern; content:"<form method=|22|post|22 20|action=|22|post.php|22|>"; nocase; distance:0; content:"<input name=|22|email|22 20|type=|22|hidden|22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025397; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_26, updated_at 2018_02_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Amazon Phishing Landing (DE) 2018-02-26"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Amazon.de - Kontofreischaltung"; nocase; within:40; fast_pattern; content:"$(|22|#browser_info|22|).val(client.getBrowser"; nocase; distance:0; content:"$(|22|#os_info|22|).val(client.getOS()"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025398; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_26, updated_at 2018_02_26;)

#alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"ET CURRENT_EVENTS CERTEGO Possible JScript Coming Over SMB v2"; flow:established,from_server; content:"|FE|SMB"; offset:4; depth:8; content:"|08 00|"; distance:8; within:10; content:"var"; distance:48; fast_pattern; content:"="; distance:0; isdataat:2,relative; metadata: former_category CURRENT_EVENTS; reference:url,twitter.com/SettiDavide89/status/970965983228723201; reference:url,www.certego.net/it/news/quant-url/; classtype:trojan-activity; sid:2025409; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_06, performance_impact Moderate, updated_at 2018_03_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS OneDrive Phishing Landing 2018-03-08"; flow:established,to_client; file_data; content:"<title>One Drive Cloud Document Sharing"; nocase; fast_pattern; content:"function popupwnd(url"; nocase; distance:0; content:"'no','no','no','no','no','no'"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025410; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_03_08, updated_at 2018_03_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Generic Phish (set) 2018-03-12"; flow:established,to_server; content:"POST"; http_method; content:"user="; depth:5; nocase; http_client_body; content:"&psw="; nocase; distance:0; http_client_body; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025417; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_03_12, updated_at 2018_03_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Chalbhai Phishing Landing 2018-03-12"; flow:established,to_client; file_data; content:"document.forms[|22|chalbhai|22|][|22|password|22|]"; nocase; fast_pattern:17,20; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025418; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_03_12, updated_at 2018_03_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful O2 Phish 2018-03-12"; flow:established,to_server; flowbits:isset,ET.genericphish; content:"POST"; http_method; content:"sendTo="; depth:7; nocase; http_client_body; content:"www.o2.co.uk"; nocase; distance:0; http_client_body; content:"&fu="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025419; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2018_03_12, updated_at 2018_03_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Wells Fargo Phish 2018-03-12"; flow:established,to_server; content:"POST"; http_method; content:"save-username="; depth:14; nocase; http_client_body; content:"&origin=cob&userPrefs="; nocase; distance:0; http_client_body; content:"&jsenabled="; nocase; distance:0; http_client_body; content:"&LOB="; nocase; distance:0; http_client_body; content:"&loginMode="; nocase; distance:0; http_client_body; content:"&serviceType="; nocase; distance:0; http_client_body; content:"&screenid="; nocase; distance:0; http_client_body; content:"&origination="; nocase; distance:0; http_client_body; content:"&TPB="; nocase; distance:0; http_client_body; content:"&msgId="; nocase; distance:0; http_client_body; content:"&platform="; nocase; distance:0; http_client_body; content:"&alternatesignon="; nocase; distance:0; http_client_body; content:"&destination="; nocase; distance:0; http_client_body; content:"&j_username="; nocase; distance:0; http_client_body; content:"&j_password="; nocase; distance:0; http_client_body; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025420; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2018_03_12, updated_at 2018_03_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Upgrade Email Account Phishing Landing 2018-03-12"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Secure Login|20 7c 20|E-Mail Administrator"; within:40; nocase; fast_pattern; content:"upgrade your mailbox"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025421; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_03_12, updated_at 2018_03_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Retrieve Pending Emails Phishing Landing 2018-03-12"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Retrieve Pending Emails"; within:30; nocase; fast_pattern; content:"receive any pending mails on server after login"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025422; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_03_12, updated_at 2018_03_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Ourtime Phishing Landing 2018-03-12"; flow:established,to_client; file_data; content:"<title"; nocase; content:"ourtime.com - the 50+ single network"; nocase; within:40; fast_pattern; content:"<form method=|22|post|22 20|action=|22|post.php|22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025423; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_03_12, updated_at 2018_03_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Generic Phish (set) 2018-03-13"; flow:established,to_server; content:"POST"; http_method; content:"o1="; depth:3; nocase; http_client_body; content:"&o2="; nocase; distance:0; http_client_body; content:"&o3="; nocase; distance:0; http_client_body; content:"&o4="; nocase; distance:0; http_client_body; content:"&o5="; nocase; distance:0; http_client_body; content:"&o6="; nocase; distance:0; http_client_body; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025425; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_03_13, updated_at 2018_03_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS  -> $HOME_NET any (msg:"ET CURRENT_EVENTS [PTsecurity] Grandsoft EK Payload"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"|96 08 FA EC DE C0 22 84 66 58 4A BC 2E|";  fast_pattern; metadata: former_category CURRENT_EVENTS; reference:url,www.malware-traffic-analysis.net/2018/03/15/index3.html; classtype:trojan-activity; sid:2025437; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_21, malware_family GrandSoft_EK, updated_at 2018_03_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Reader Phishing Landing 2018-03-27"; flow:established,to_client; file_data; content:"<title>Adobe|d0 92 c2 ae 20|PDF Reader|d0 92 c2 ae 20|Xl</title>"; fast_pattern; nocase; content:"this file is protected by adobe"; nocase; distance:0; content:"confirm your email to access this document"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; content:"onsubmit=|22|MM_validateForm(&#39|3b|email&#39|3b|,&#39|3b|&#39|3b|,&#39|3b|RisEmail&#39|3b|,&#39|3b|password&#39|3b|,&#39|3b|&#39|3b|,&#39|3b|R&#39|3b|)"; nocase; distance:0; content:"view pdf document"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025442; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_03_27, updated_at 2018_03_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS IRS Phishing Landing 2018-03-28"; flow:established,to_client; file_data; content:"<title>internal revenue service</title>"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; content:"last 4 of ssn"; nocase; distance:0; content:"if ($('#email').val() == '')"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025443; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_03_28, updated_at 2018_03_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Chase Phishing Landing 2018-03-28"; flow:established,to_client; file_data; content:"<TITLE>Chase Online - Logon</TITLE>"; nocase; fast_pattern; content:"name=started action=logon.php?lob=rbglogon method=post"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025447; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_03_28, updated_at 2018_03_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Impots Phishing Landing 2018-03-28"; flow:established,to_client; file_data; content:"<title>impots.gouv.fr</title>"; nocase; fast_pattern; content:".php|22|"; nocase; distance:0; content:"name=|22|form1|22|"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025448; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_03_28, updated_at 2018_03_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Comcast/Xfinity Phishing Landing 2018-03-30"; flow:established,to_client; file_data; content:"<!-- saved from url="; nocase; fast_pattern; within:300; content:")https://"; within:15; pcre:"/^[^/]+(?:xfinity|comcast)\.(?:com|net)/Ri"; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025450; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_03_30, updated_at 2018_03_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Wells Fargo Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>wells,fargo sign on to view your accounts</title>"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025473; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_04_09, updated_at 2018_04_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DHL Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>|7c 20|tracking system</title>"; nocase; content:"DHL%20_%20Tracking%20System_files/"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025474; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_04_09, updated_at 2018_04_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Chase Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>chase online - account update</title>"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; content:".php|22|"; nocase; distance:0; content:"onsubmit=|22|javascript|3a|return webform_onsubmit()|3b 22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025475; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_04_09, updated_at 2018_04_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS [eSentire] Docusign Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>"; nocase; content:"DocuSlgn"; nocase; distance:0; within:10; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025476; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_04_09, updated_at 2018_06_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS s0m3 Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"href=|22|s0m3/"; nocase; content:"href=|22|s0m3/"; nocase; distance:0; content:"src=|22|s0m3/"; nocase; distance:0;  content:"src=|22|s0m3/"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025477; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_04_09, updated_at 2018_04_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>resolution center - paypal</title>"; nocase; content:"href=|22|resolutioncenter_files/"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025478; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_04_09, updated_at 2018_04_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Facebook Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title id=|22|pagetitle|22|>facebook - log in or sign up</title>"; nocase; content:"<form id=|22|login_form|22 20|action=|22|post.php|22 20|method=|22|post|22 20|onsubmit=|22|return window.event"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025479; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_04_09, updated_at 2018_04_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS OneDrive Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>share file|20 7c 20|one drive</title>"; nocase; content:"file is waiting"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; content:"onedrive protected file"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025480; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_04_09, updated_at 2018_04_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Apple Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>apple - my apple id</title>"; nocase; content:"method=|22|post|22|"; nocase; distance:0; content:"id=|22|donnee"; nocase; distance:0; fast_pattern; content:"name=|22|donnee"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025481; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_04_09, updated_at 2018_04_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Post.ch Cloned Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<!-- saved from url="; nocase; within:300; content:"https://account.post.ch"; nocase; within:30; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025482; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_04_09, updated_at 2018_04_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Google Drive Phishing Landing 2018-04-14"; flow:established,to_client; file_data; content:"method=|22|post|22|"; nocase; content:"javascript|3a|popupwnd(|22|gmail"; nocase; distance:0; fast_pattern; content:"javascript|3a|popupwnd(|22|outlook"; nocase; distance:0; content:"javascript|3a|popupwnd(|22|aol"; nocase; distance:0; content:"javascript|3a|popupwnd(|22|yahoo"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025502; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_04_16, updated_at 2018_04_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Halkbank Phish M1 2018-04-16"; flow:established,to_server; content:"POST"; http_method; content:"tc="; depth:3; nocase; http_client_body; content:"&sms="; nocase; distance:0; http_client_body; fast_pattern; content:"&LoginType="; nocase; distance:0; http_client_body; content:"&CustomerType="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025503; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2018_04_16, updated_at 2018_04_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Halkbank Phish M2 2018-04-16"; flow:established,to_server; content:"POST"; http_method; content:"FakeCustomerName="; depth:17; nocase; http_client_body; fast_pattern; content:"&LoginType="; nocase; distance:0; http_client_body; content:"&CustomerType="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025504; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2018_04_16, updated_at 2018_04_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Facebook Phish 2018-04-16"; flow:established,to_server; content:"POST"; http_method; content:".php?confirmation"; fast_pattern; http_uri; nocase; isdataat:!1,relative; content:"email="; depth:6; nocase; http_client_body; content:"&pass_input="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025505; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2018_04_16, updated_at 2018_04_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful DenizBank Phish 2018-04-16"; flow:established,to_server; content:"POST"; http_method; content:"&tc="; nocase; http_client_body; content:"&sms="; nocase; distance:0; http_client_body; content:"&login_kullaniciadi="; nocase; distance:0; http_client_body; content:"&login_kullaniciadi="; nocase; distance:0; http_client_body; content:"&login_kullaniciadi="; nocase; distance:0; http_client_body; content:"&login_kullaniciadi="; nocase; distance:0; http_client_body; fast_pattern; content:"&login_parola_card="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025506; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2018_04_16, updated_at 2018_04_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Generic Phish (set) 2018-04-17"; flow:established,to_server; content:"POST"; http_method; content:"ui="; depth:3; nocase; http_client_body; content:"&pw="; nocase; distance:0; http_client_body; fast_pattern; pcre:"/^ui=[^&]+&pw=/Pi"; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025513; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_04_17, updated_at 2018_04_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Mail Verification Phishing Landing 2018-04-18"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Mail Verification"; nocase; within:20; fast_pattern; content:"img src=|22|files/"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; content:"name=|22|passwd|22|"; nocase; distance:0; content:"All rights reserved"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025514; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_04_18, updated_at 2018_04_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS PDF Cloud Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>Sign In - PDF Cloud"; nocase; fast_pattern; content:"href=|22|index_files/adobe.css"; nocase; distance:0; content:"Sign in with your email address to view or download attachment"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025515; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_04_19, updated_at 2018_04_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Bank of America Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>Bank of America|20 7c 20|Online Banking|20 7c 20|Sign In|20 7c 20|Online ID"; nocase; fast_pattern; content:"content=|22|WYSIWYG Web Builder"; nocase; distance:0; content:"href=|22|css/Untitled1.css"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025516; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_04_19, updated_at 2018_04_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Dropbox 000webhost Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>Dropbox"; nocase; content:"method=|22|POST|22|"; nocase; distance:0; content:"Select your email provider"; nocase; distance:0; fast_pattern; content:"powered-by-000webhost"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025517; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_04_19, updated_at 2018_04_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Centurylink Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>centurylink"; nocase; content:"href=|22|centurylink|25|20_|25|20login_files/"; nocase; fast_pattern; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025523; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_04_20, updated_at 2018_04_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS MyADP Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>Login to MyADP"; nocase; fast_pattern; content:"href=|22|AD/"; nocase; distance:0; content:"src=|22|AD/"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025524; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_04_20, updated_at 2018_04_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Account Phishing Landing M1 2018-04-19"; flow:established,to_client; file_data; content:"<title>Sign in to your Microsoft account"; nocase; content:"<!-- /ko -->"; nocase; distance:0; fast_pattern; content:"<!-- /ko"; nocase; distance:0; content:"<!-- /ko"; nocase; distance:0; content:"<!-- /ko"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025525; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_04_20, updated_at 2018_04_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Account Phishing Landing M2 2018-04-19"; flow:established,to_client; file_data; content:"<title>Sign in to your account"; nocase; content:"content=|22|WYSIWYG Web Builder"; nocase; distance:0; content:"<form name=|22|ff|22|"; nocase; distance:0; fast_pattern; content:"method=|22|POST|22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025526; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_04_20, updated_at 2018_04_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Popupwnd Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"function popupwnd(url,"; fast_pattern; nocase; content:"var popupwindow = this.open(url,"; nocase; distance:0; content:"onload=|22|unhideBody()|22|"; nocase; distance:0; content:",'no','no','no','no','no','no'"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025527; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_04_20, updated_at 2018_04_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Comcast/Xfinity Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>sign in to xfinity"; nocase; content:"src=|22|comcast_files/"; nocase; distance:0; fast_pattern; content:"src=|22|comcast_files/"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025528; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_04_20, updated_at 2018_04_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS LCL Banque Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>lcl banque"; nocase; content:"src=|22|./lcl_files/"; nocase; distance:0; fast_pattern; content:"src=|22|./lcl_files/"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025529; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_04_20, updated_at 2018_04_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Outlook Web App Phishing Landing 2018-04-26"; flow:established,to_client; content:"200"; http_stat_code; content:"X-Powered-By|3a 20|PHP"; nocase; http_header; file_data; content:"<title"; nocase; content:"Outlook Web App"; nocase; within:30; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025532; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_04_26, updated_at 2018_04_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET CURRENT_EVENTS Observed Coin-Hive In Browser Mining Domain (coin-hive .com in TLS SNI)"; flow:established,to_server; content:"|00 00 0d|coin-hive.com|00|"; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025535; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_04_26, malware_family CoinMiner, performance_impact Moderate, updated_at 2018_04_26;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Observed Malicious SSL Cert (Coin-Hive In Browser Mining)"; flow:established,to_client; content:"|55 04 03|"; content:"|0f|*.coin-hive.com"; distance:1; within:16; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025536; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_04_26, malware_family CoinMiner, performance_impact Moderate, updated_at 2018_04_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Bank of America Phishing Landing 2018-05-01"; flow:established,to_client; file_data; content:"<title"; nocase; content:"bank of america"; nocase; within:30; content:"<form name=|22|b0a|22|"; nocase; distance:0; fast_pattern; content:".php?session=$pmd$pmd|22 20|method=|22|post|22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025549; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_05_01, updated_at 2018_05_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS OneDrive Phishing Landing 2018-05-01"; flow:established,to_client; file_data; content:"<title"; nocase; content:"One Drive"; nocase; within:25; content:"function popupwnd(url"; nocase; distance:0; content:"choose your email provider"; nocase; distance:0; content:"onclick=|22|popupwnd("; nocase; distance:0; fast_pattern; content:"'no','no','no','no','no','no'"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025550; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_05_01, updated_at 2018_05_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Docusign Phishing Landing 2018-05-01"; flow:established,to_client; file_data; content:"<title> DocuSlgn </title>"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025551; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_05_01, updated_at 2018_06_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) 2018-05-02"; flow:to_server,established; content:"POST"; http_method; content:"eml="; nocase; http_client_body; depth:4; content:"|25|40"; distance:0; http_client_body; content:"&pw="; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025554; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_05_02, updated_at 2018_05_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Netflix Phishing Landing 2018-05-02"; flow:established,to_client; file_data; content:"|23 20 4e 65 77 20 53 63 61 6d 61 20 4e 65 74 66 6c 69 78 20 32 30 31 38 20 42 79 20 58 2d 59 61 63 20 23|"; within:500; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025555; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_05_02, updated_at 2018_05_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Landing 2018-05-02"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Log in to your PayPal"; nocase; within:40; content:"PayPaI.|20 7c 20|All rights reserved."; nocase; distance:0; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025556; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_05_02, updated_at 2018_05_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS [PTsecurity] Possible Malicious (HTA-VBS-PowerShell) obfuscated command"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"<?xml"; depth:5; content:"|22|JScript|22|><![CDATA[ eval("; within:500; fast_pattern; pcre:"/%comSpec%\s\/c\s(?:(?:\\x50)|(?:\\x70)|[Pp])\^?(?:(?:\\x4f)|(?:\\x5f)|[Oo])\^?(?:(?:\\x57)|(?:\\x77)|[Ww])\^?(?:(?:\\x45)|(?:\\x65)|[Ee])\^?(?:(?:\\x52)|(?:\\x72)|[Rr])\^?(?:(?:\\x53)|(?:\\x73)|[Ss])\^?(?:(?:\\x48)|(?:\\x68)|[Hh])\^?(?:(?:\\x45)|(?:\\x65)|[Ee])\^?(?:(?:\\x4c)|(?:\\x6c)|[Ll])\^?(?:(?:\\x4c)|(?:\\x6c)|[Ll])\^?(?:(?:\\x2e)|\.)\^?(?:(?:\\x45)|(?:\\x65)|[Ee])\^?(?:(?:\\x58)|(?:\\x78)|[Xx])\^?(?:(?:\\x45)|(?:\\x65)|[Ee])\^?\s/R"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025558; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_03, updated_at 2018_05_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS IRS Phishing Landing 2018-05-07"; flow:established,to_client; file_data; content:"<title>mytax portal</title>"; nocase; fast_pattern; content:"id=|22|form1|22 20|name=|22|form1|22|"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; content:".php|22|"; nocase; distance:0; content:"name=|22|pww|22 20|type=|22|password|22 20|id=|22|pww|22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025561; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_05_07, updated_at 2018_05_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful IRS Phish 2018-05-07"; flow:established,to_server; content:"POST"; http_method; content:"email="; depth:6; nocase; http_client_body; content:"|25|40"; http_client_body; distance:0; content:"&pww="; nocase; distance:0; http_client_body; fast_pattern; content:"&image.x="; nocase; distance:0; http_client_body; content:"&image.y="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025562; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2018_05_07, updated_at 2018_05_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible TSB Bank Phishing Landing 2018-05-07"; flow:established,to_server; content:"GET"; http_method; content:"tsb.co.uk.personal.logon.login.jsp."; http_header; pcre:"/^Host\x3a\x20[^\r\n]+tsb\.co\.uk\.personal\.logon\.login\.jsp\.[a-z0-9.]{50,}/Hmi";  metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025563; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_05_07, updated_at 2018_05_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful TSB Bank Phish 2018-05-07"; flow:established,to_server; content:"POST"; http_method; content:"tsb.co.uk.personal.logon.login.jsp."; http_header; pcre:"/^Host\x3a\x20[^\r\n]+tsb\.co\.uk\.personal\.logon\.login\.jsp\.[a-z0-9.]{50,}/Hmi"; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025564; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2018_05_07, updated_at 2018_05_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Generic Phish 2018-05-08 (set)"; flow:established,to_server; flowbits:set,ET.genericphish; content:"POST"; http_method; content:"us="; depth:3; nocase; http_client_body; content:"&ps="; nocase; distance:0; http_client_body; fast_pattern; content:!"&"; distance:0; http_client_body; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025565; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_05_08, updated_at 2018_05_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Generic Phish 2018-05-08 (set)"; flow:established,to_server; flowbits:set,ET.genericphish; content:"POST"; http_method; content:"us1="; depth:4; nocase; http_client_body; content:"&ps1="; nocase; distance:0; http_client_body; fast_pattern; content:!"&"; distance:0; http_client_body; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025566; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_05_08, updated_at 2018_05_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Netflix Phishing Landing 2018-05-09"; flow:established,to_client; file_data; content:"content=|22 48 46 2d 4a 61 63 6b 73 6f 6e 22|"; nocase; content:"name=|22 48 46 2d 4a 61 63 6b 73 6f 6e 22|"; nocase; distance:0; content:"class=|22 48 46 5f 4a 61 63 6b 73 6f 4e 5f|"; nocase; distance:0; content:"class=|22 42 79 5f 48 61 73 73 61 6e 5f 46 61 72 74 6f 75 74 22|"; nocase; distance:0; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025568; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_05_09, updated_at 2018_05_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Netflix Phishing Landing 2018-05-09"; flow:established,to_client; file_data; content:"class=|22 6d 6f 75 73 74 61 63 68 65 22|"; nocase; fast_pattern; content:"class=|22 77 69 7a 22|"; nocase; distance:0; content:"class=|22 68 61 73 73 61 6e 22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025569; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_05_09, updated_at 2018_05_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Landing 2018-05-09"; flow:established,to_client; file_data; content:"class=|22 6c 6f 67 69 6e 5f 6d 6f 75 73 74 61 63 68 65 22|"; nocase; fast_pattern; content:"class=|22 6e 73 69 74 22|"; nocase; distance:0; content:"class=|22 74 39 61 79 61 64 22|"; nocase; distance:0; content:"class=|22 74 73 61 6e 61 22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025570; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_05_09, updated_at 2018_05_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Landing 2018-05-09"; flow:established,to_client; file_data; content:"class=|22 69 6d 67 5f 76 69 63 74 69 6d 65 22|"; nocase; fast_pattern; content:"class=|22 6e 61 6d 65 5f 76 69 63 74 69 6d 65 22|"; nocase; distance:0; content:"class=|22 6d 6f 75 73 74 61 63 68 65 22|"; nocase; distance:0; content:"class=|22 6d 6f 75 73 74 61 63 68 65 5f 61 6e 6f 6e 69 73 6d 61 22|"; nocase; distance:0; content:"class=|22 6d 69 61 5f 6b 68 61 6c 69 66 61 22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025571; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_05_09, updated_at 2018_05_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Landing 2018-05-09"; flow:established,to_client; file_data; content:"<!--|20 41 6e 4f 5f 6f 6e 69 73 6d 61 20|-->"; nocase; fast_pattern; content:"name=|22 41 6e 6f 6e 69 73 6d 61 22|"; nocase; distance:0; content:"class=|22 41 6e 6f 6e 69 73 6d 61|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025572; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_05_09, updated_at 2018_05_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Landing 2018-05-09"; flow:established,to_client; file_data; content:"class=|22 61 2d 6e 2d 6f 2d 6e 2d 69 2d 73 2d 6d 2d 61 22|"; nocase; fast_pattern; content:"id=|22 62 6f 74 64 6b 68 6f 6c 22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025573; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_05_09, updated_at 2018_05_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Chalbhai (Multibrand) Phishing Landing 2018-05-10"; flow:established,to_client; file_data; content:"function unhideBody()"; nocase; fast_pattern; content:"bodyElems"; distance:0; pcre:"/^\s*=\s*document\s*\.\s*getElementsByTagName\s*\(\s*[\x22\x27]body[\x22\x27]/Ri"; content:"bodyElems[0]"; distance:0; pcre:"/^\s*\.\s*style\s*\.\s*visibility\s*=\s*[\x22\x27]visible[\x22\x27]/Ri"; content:"style=|22|visibility:hidden|22 20|onload=|22|unhideBody()|22|"; nocase; distance:0; content:"<div id=|22|image1|22 20|style=|22|position|3a|absolute|3b 20|overflow|3a|hidden|3b 20|left|3a|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025653; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_05_10, updated_at 2018_07_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Generic Phish 2018-05-16 (set)"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; content:"POST"; http_method; content:"userid="; depth:7; nocase; http_client_body; content:"&pwd="; nocase; distance:0; http_client_body; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025579; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_05_16, updated_at 2018_05_16;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Observed Malicious SSL Cert (Coinhive URL Shortener)"; flow:established,to_client; content:"|55 04 03|"; content:"|07|cnhv.co"; distance:1; within:8; fast_pattern; metadata: former_category CURRENT_EVENTS; reference:url,blog.sucuri.net/2018/05/cryptomining-through-disguised-url-shorteners.html; classtype:trojan-activity; sid:2025582; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_05_22, malware_family CoinMiner, performance_impact Moderate, updated_at 2018_05_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) 2018-05-31"; flow:to_server,established; content:"POST"; http_method; content:"username="; depth:9; nocase; http_client_body; content:"&psw="; nocase; http_client_body; fast_pattern; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025587; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2018_05_31, updated_at 2018_05_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) 2018-06-11"; flow:to_server,established; content:"POST"; http_method; content:"gate="; depth:5; nocase; fast_pattern; http_client_body; content:"|25|40"; http_client_body; distance:0; content:"&push="; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025588; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2018_06_11, updated_at 2018_06_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) 2018-06-14"; flow:to_server,established; content:"POST"; http_method; content:"email="; depth:6; nocase; http_client_body; content:"|25|40"; http_client_body; distance:0; content:"&psw="; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025591; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_06_13, updated_at 2018_06_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Paypal Phish Kit Landing"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"|2e 2e 2e 2e 21 5b 31 5d 20 53 2f 4d 2f 41 2f 49 2f 4c 2f 4d 2f 41 2f 58 21 2e 2e 2e 2e|"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025592; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_06_14, updated_at 2018_06_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Santander Phishing Landing"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"|3c 21 2d 2d 20 54 55 44 4f 20 2d 2d 3e|"; content:"|3c 21 2d 2d 20 46 45 49 58 41 4e 44 4f 20 54 55 44 4f 20 2d 2d 3e|"; distance:0; fast_pattern; content:".php|22 20|method=|22|post|22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025607; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_06_21, updated_at 2018_06_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Santander Phishing Landing"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"|3c 21 2d 2d 20 63 6f 72 70 6f 20 67 65 72 61 6c 20 2d 2d 3e|"; content:"|3c 21 2d 2d 20 66 65 78 61 6e 64 6f 20 63 6f 72 70 6f 20 67 65 72 61 6c 20 2d 2d 3e|"; nocase; distance:0; fast_pattern:8,20; content:".php|22 20|method=|22|post|22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025608; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_06_21, updated_at 2018_06_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Live Phishing Landing"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"<title>Sign in to your Microsoft account"; nocase; content:"|3c 21 2d 2d 20 20 2d 2d 3e|"; distance:0; content:"|3c 21 2d 2d 20 2f 6b 6f 20 2d 2d 3e|"; distance:0; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025609; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_06_21, updated_at 2018_06_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Online Phishing Landing"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"function popupwnd(url,"; nocase; content:"CLICK ON YOUR EMAIL PROVIDER BELOW"; nocase; distance:0; content:"javascript|3a|popupwnd("; nocase; distance:0; content:"|3c 21 2d 2d 4d 6f 64 65 64 20 42 79 20 41 6e 74 68 72 61 78 2d 2d 3e|"; distance:0; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025610; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_06_21, updated_at 2018_06_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Banque et Assurances Phishing Landing"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"<title>Banque et Assurances"; nocase; content:"|3c 21 2d 2d 20 2f 20 4e 44 37 20 45 4e 43 4f 44 41 47 45 20 44 45 53 49 47 4e 20 26 20 58 53 41 4d 20 4a 53 20 45 4e 43 4f 44 41 47 45 20 2f 20 2d 2d 3e|"; distance:0; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025611; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_06_21, updated_at 2018_06_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS iTunes Connect Phishing Landing"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"<title>iTunes Connect"; nocase; content:"|3c 21 2d 2d 20 50 48 4f 45 4e 21 58 20 2d 2d 3e|"; distance:0; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025612; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_06_21, updated_at 2018_06_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Facebook Phishing Landing"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"|3c 21 2d 2d 20 20 20 53 63 61 6d 20 4d 61 64 65 20 42 79 20 74 68 65 20 6b 69 6e 67|"; fast_pattern; content:"<title>Bienvenue sur Facebook"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025613; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_06_21, updated_at 2018_06_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Account Phishing Landing"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"<title>sign in to your account"; nocase; fast_pattern; content:"src=|22|https|3a|//secure.aadcdn.microsoftonline-p.com/"; nocase; distance:0; content:"src=|22|files/"; nocase; distance:0; content:"href=|22|files/"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025614; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_06_21, updated_at 2018_06_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Landing"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"|2f 67 2d 7a 31 31 38 2e 63 73 73|"; content:"|2f 62 2d 7a 31 31 38 2e 63 73 73|"; distance:0; content:"|63 6c 61 73 73 3d 22 48 65 61 64 65 72 5a 31 31 38|"; distance:0; content:"|63 6c 61 73 73 3d 22 47 2d 46 69 65 6c 64 73 5a 31 31 38|"; distance:0; fast_pattern; content:"|63 6c 61 73 73 3d 22 46 69 65 6c 64 73 5a 31 31 38|"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025615; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_06_21, updated_at 2018_06_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Assurance Maladie Phishing Landing"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"href=|22|ficherss/"; nocase; content:"<title>Compte ameli - mon espace personnel"; nocase; distance:0; content:"src=|22|ficherss/"; nocase; distance:0; fast_pattern; content:".php|22 20|method=|22|post|22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025616; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_06_21, updated_at 2018_06_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Phishing Landing"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"src=|22|2Sign|25|20in|25|20-|25|20Adobe|25|20ID_files/"; nocase; fast_pattern; content:"href=|22|2Sign|25|20in|25|20-|25|20Adobe|25|20ID_files/"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025617; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_06_21, updated_at 2018_06_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Capital One Phishing Landing"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"background|3a|url(Logon_Files/"; nocase; fast_pattern; content:"href=|22|Logon_Files/"; nocase; distance:0; content:"<title>Capitalone"; nocase; distance:0; content:"href=|22|Logon_Files/"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025618; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_06_21, updated_at 2018_06_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS US Bank Phishing Landing"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"href=|22|index|25|5D_files/"; nocase; content:"src=|22|index|25|5D_files/"; nocase; distance:0; fast_pattern; content:"<title>PersonalID Step"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025619; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_06_21, updated_at 2018_06_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS American Express Phishing Landing"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"<title>American Express"; nocase; content:"href=|22|./index_files/"; nocase; distance:0; fast_pattern; content:"src=|22|./index_files/"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025620; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_06_21, updated_at 2018_06_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HM Revenue Phishing Landing"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"<title>HM Revenue"; nocase; content:"href=|22|file/"; nocase; distance:0; fast_pattern; content:"<h1>Tax Refund"; nocase; distance:0; content:"<!-- DEVELOPMENT ONLY -->"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025621; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_06_21, updated_at 2018_06_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Phishing Kit Landing"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"|7c 20 7c 5c 2f 7c 20 7c 20 2f 20 5f 5f 7c 20 5f 5f 2f 20 5f 20 5c 20 27 5f 5f 7c 20 20 5c 5f 5f 5f 20 5c 7c 20 27 5f 20 5c 7c 20 7c 20 7c 20 7c|"; content:"|68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 61 63 65 62 6f 6f 6b 2e 63 6f 6d 2f 30 30 37 4d 72 53 70 79|"; distance:0; fast_pattern:13,20; content:"|73 72 63 3d 22 4a 73 5f 53 70 79 2f|"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025622; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_06_21, updated_at 2018_06_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Office 365 Phishing Landing"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"<meta name=|22|generator|22 20|content=|22|WYSIWYG|22|"; nocase; content:"<link href=|22|Untitled1.css|22|"; nocase; distance:0; fast_pattern; content:"<div id=|22|wb_Image1|22 20|style=|22|position|3a|absolute|3b|left|3a|"; nocase; distance:0; content:"<div id=|22|wb_Form1|22 20|style=|22|position|3a|absolute|3b|left|3a|"; nocase; distance:0; content:".php|22 20|method=|22|post|22|"; nocase; distance:0; content:"<input type=|22|password|22 20|id=|22|Editbox2|22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025623; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_06_21, updated_at 2018_06_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS [eSentire] Wells Fargo Phishing Landing 2018-06-20"; flow:established,to_client; file_data; content:"<title>Wells Fargo |3a| Banking|2c|"; nocase; fast_pattern; content:"content=|22|WELLS FARGO BANK|22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025624; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_06_25, updated_at 2018_06_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS [eSentire] OneDrive Phishing Landing 2018-06-15"; flow:established,to_client; file_data; content:"<title>One Drive Cloud Document Sharing"; nocase; fast_pattern; content:"Select with email provider below"; nocase; distance:0; content:"Login with Office 365"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025625; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_06_25, updated_at 2018_06_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS [eSentire] Successful Generic Phish 2018-06-15"; flow:to_server,established; flowbits:isset,ET.genericphish; content:"accessToFile="; nocase; http_header; fast_pattern; content:"&fileAccess="; nocase; http_header; distance:0; content:"&encryptedCookie="; nocase; http_header; distance:0; content:"&connecting="; nocase; http_header; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025628; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2018_06_25, updated_at 2018_06_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS [eSentire] Successful Personalized Phish 2018-06-15"; flow:to_server,established; content:"GET"; http_method; content:".php?email="; nocase; http_uri; content:"&password="; nocase; http_uri; distance:0; content:"accessToFile="; nocase; http_header; fast_pattern; content:"&fileAccess="; nocase; http_header; distance:0; content:"&encryptedCookie="; nocase; http_header; distance:0; content:"&connecting="; nocase; http_header; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025629; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2018_06_25, updated_at 2018_06_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Generic Phish 2018-06-27 (set)"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; content:"POST"; http_method; content:"id1="; depth:4; nocase; http_client_body; content:"|25|40"; distance:0; http_client_body; content:"&id2="; nocase; distance:0; http_client_body; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025630; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_06_27, updated_at 2018_06_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Generic Phish (set) 2018-06-29"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; content:"POST"; http_method; content:"em="; depth:3; nocase; http_client_body; content:"&ps="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025632; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_06_29, updated_at 2018_06_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS [eSentire] Fake Flash Update 2018-07-09"; flow:established,to_client; file_data; content:"<title>Critical error!"; nocase; fast_pattern; content:"Your player version"; nocase; distance:0; content:"has a critical vulnerability"; nocase; distance:0; content:"FlashPlayer.exe"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025647; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_10, performance_impact Moderate, updated_at 2018_07_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS [eSentire] Adobe Phishing Landing 2018-07-04"; flow:from_server,established; content:"<title>PDF Online"; nocase; fast_pattern; content:"Please Enter Your receiving Email Address"; nocase; distance:0; content:"method=|22|post|22|"; nocase; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025648; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_07_10, performance_impact Moderate, updated_at 2018_07_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Bank of America Phishing Landing"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"<title>Bank of America"; nocase; content:"// the field has a value it's a spam bot";  nocase; distance:0; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025698; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Adobe Software Update Landing"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"<title>Adobe - Update"; nocase; fast_pattern; content:"href=|22|flashfiles/"; nocase; distance:0; content:"src=|22|flashfiles/"; nocase; distance:0; content:"function getUrl(url)"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; reference:url,www.malware-traffic-analysis.net/2018/07/05/index.html; classtype:trojan-activity; sid:2025715; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Scam Landing 2018-07-18"; flow:established,to_client; content:"401"; http_stat_code; content:"WWW-Authenticate|3a 20|Basic realm=|22|Microsoft has detected suspicious activity"; http_header; fast_pattern:53,20; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025831; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Tech_Support_Scam, signature_severity Major, created_at 2018_07_18, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Badoo Phishing Landing 2018-07-19"; flow:established,from_server; file_data; content:"<title>Sign in to Badoo</title>"; fast_pattern; content:"<label for=|22|emaill"; distance:0; pcre:"/^\d{5,20}\x22/R"; content:"<label for=|22|password"; pcre:"/^\d{5,20}\x22/R"; content:">Password</label>"; distance:0; within:40; content:">Sign me in!</span>"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025870; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phish, signature_severity Minor, created_at 2018_07_19, performance_impact Low, updated_at 2018_07_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS GitLab Phishing Landing 2018-07-19"; flow:established,from_server; file_data; content:"<title>Sign in|20 c2 b7 20|GitLab</title>"; fast_pattern; content:"|20|action=|22|login.php|22 20|"; distance:0; content:"|20|name=|22|username|22 20|"; distance:0; content:"type=|22|password|22|"; distance:0; content:"|20|name=|22|password|22 20|"; distance:0; within:17; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025871; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phish, signature_severity Minor, created_at 2018_07_19, performance_impact Low, updated_at 2018_07_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake 404 With Hidden Login Form"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"<title>404 Not Found</title>"; fast_pattern:3,20; depth:28; content:"background-color|3a 23|fff|3b|"; distance:0; content:"<form method=post>"; distance:0; content:"input type=password"; distance:0; within:50; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025872; rev:2; metadata:attack_target Client_and_Server, deployment Perimeter, signature_severity Major, created_at 2018_07_19, performance_impact Low, updated_at 2018_07_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Github Phishing Landing 2018-07-19"; flow:established,from_server; file_data; content:"form action=|22|login.php|22|"; content:"<h1>Sign in to GitHub</h1>"; distance:0; fast_pattern; content:"<input type=|22|text|22 20|name=|22|username|22|"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025873; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phish, signature_severity Major, created_at 2018_07_19, performance_impact Low, updated_at 2018_07_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Twitter Phishing Landing 2018-07-19"; flow:established,from_server; file_data; content:"<title>Login to Twitter</title>"; content:"form action=|22|login.php|22|"; distance:0; content:"|20 20 20 20 20 20|name=|22|usernameOrEmail|22 0a|"; distance:0; fast_pattern:9,20; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025874; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phish, signature_severity Minor, created_at 2018_07_19, performance_impact Low, updated_at 2018_07_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) 2018-07-19"; flow:to_server,established; content:"POST"; http_method; content:"user="; depth:5; nocase; http_client_body; content:"&pswd="; nocase; http_client_body; fast_pattern; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025863; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_07_19, updated_at 2018_07_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Generic Phish (set) 2018-07-19"; flow:established,to_server; content:"POST"; http_method; content:"email="; depth:6; nocase; http_client_body; content:"|25|40"; distance:0; http_client_body; content:"&pw="; nocase; distance:0; http_client_body; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025864; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_07_19, updated_at 2018_07_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Netflix Phishing Landing 2017-07-20"; flow:established,from_server; file_data; content:"<title>Netflix</title>"; content:"meta content=|22|watch movies"; distance:0; content:"meta content=|22|Watch Netflix movies"; distance:0; fast_pattern; content:"action=|22|login.php|22|"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025875; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phish, signature_severity Minor, created_at 2018_07_20, performance_impact Low, updated_at 2018_07_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS LinkedIn Phishing Landing 2017-07-20"; flow:established,from_server; file_data; content:"class=|22|ie ie6 lte9 lte8 lte7 os-linux|22|>"; content:"<title>LinkedIn|26 23|58|3b 20|Log In or Sign Up</title>"; distance:0; fast_pattern; content:"action=|22|login.php|22|"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025876; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phish, signature_severity Minor, created_at 2018_07_20, performance_impact Low, updated_at 2018_07_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Volexity – JS Sniffer Data Theft Beacon Detected"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"=WyJ1cmw"; http_uri; distance:0; fast_pattern; metadata: former_category CURRENT_EVENTS; reference:url,www.volexity.com/blog/2018/07/19/js-sniffer-e-commerce-data-theft-made-easy/; classtype:trojan-activity; sid:2025880; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Stealer, signature_severity Major, created_at 2018_07_23, performance_impact Low, updated_at 2018_07_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS JS Sniffer Framework Sending to CnC"; flow:established,to_server; content:"GET"; http_method; content:".php?image_id="; http_uri; fast_pattern; content:"Accept"; http_header; content:"Accept-"; http_header; content:!"Referer"; http_header; pcre:"/\.php\?image_id=(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/Ui"; metadata: former_category CURRENT_EVENTS; reference:url,www.volexity.com/blog/2018/07/19/js-sniffer-e-commerce-data-theft-made-easy/; classtype:trojan-activity; sid:2025881; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Stealer, signature_severity Major, created_at 2018_07_23, performance_impact Low, updated_at 2018_07_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS [eSentire] DHL Phish Landing July 24 2018"; flow:established,to_client; file_data; content:"<TITLE>Tracking made easy"; nocase; content:"Login to Continue Tracking your Package"; nocase; distance:0; content:"Sign In With Your Correct Email and Password To Review Package Information"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025886; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_24, updated_at 2018_07_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS [eSentire] Successful 163 Webmail Phish 2018-07-25"; flow:from_server,established; flowbits:isset,ET.genericphish; content:"200"; http_stat_code; content:"Content-Type|3a 20|application/json"; http_header; file_data; content:"{|22|user_id|22|:|22|"; nocase; within:20; content:"|22|,|22|ip|22|:|22|"; nocase; within:15; content:"|22|,|22|add_time|22|:|22|"; nocase; distance:0; content:".163.com|5c 2f 22 2c 22|code|22 3a 22|ok|22|}"; nocase; distance:0; isdataat:!1,relative; fast_pattern; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025893; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2018_07_25, updated_at 2018_07_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing 2017-07-26"; flow:from_server,established; file_data; content:"Microsoft Windows Notification"; nocase; fast_pattern; content:"<audio autoplay=autoplay loop id=audio>"; nocase; distance:0; content:".mp3 type=audio/mpeg"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025908; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Tech_Support_Scam, signature_severity Minor, created_at 2018_07_26, updated_at 2018_07_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing 2017-07-26"; flow:from_server,established; file_data; content:"href=|22|./files/alert.css"; nocase; content:"<audio autoplay=|22|autoplay|22 20|loop=|22|"; nocase; fast_pattern; distance:0; content:".mp3|22 20|type=|22|audio/mpeg"; nocase; distance:0; content:"Internet Security Alert"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025909; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Tech_Support_Scam, signature_severity Minor, created_at 2018_07_26, updated_at 2018_07_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing 2017-07-26"; flow:from_server,established; file_data; content:"<title>Windows Defender"; nocase; fast_pattern; content:"<audio id=|22|play|22 20|loop="; nocase; distance:0; content:".mp3|22 20|type=|22|audio/mpeg"; nocase; distance:0; content:"Windows Defender Alert"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025910; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Tech_Support_Scam, signature_severity Minor, created_at 2018_07_26, updated_at 2018_07_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Underminer EK IE Exploit"; flow:established,to_client; file_data; content:"IE=EmulateIE9"; nocase; content:"</head"; nocase; within:200; content:"<body"; nocase; within:200; content:"<script"; nocase; within:200; content:"!!window.ActiveXObject"; nocase; within:200; content:"try"; within:200; content:"parent.parent.setLocalStoreUserData"; nocase; distance:0; pcre:"/^\s*\([\x22\x27][A-F0-9a-f]{32}[\x22\x27]\s*\)\s*\x3b\s*}\s*catch\s*\(e\)\s*\{\s*\}\s*\}\s*<\/script>\s*<\/body>/Rsi"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025911; rev:2; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Underminer_EK, signature_severity Major, created_at 2018_07_26, updated_at 2018_07_26;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Underminer EK Flash Exploit"; flow:established,to_client; file_data; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; fast_pattern; content:"<param"; nocase; pcre:"/^(?=[^>]*? name\s*=\s*[\x22\x27]flashvars)[^>]*? value\s*=\s*[\x22\x27]url=https?\x3a[^\x22\x27]*?\.wasm/Rsi"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025914; rev:2; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Underminer_EK, signature_severity Major, created_at 2018_07_26, updated_at 2018_07_27;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Underminer EK Flash Check"; flow:established,to_client; file_data; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; fast_pattern; content:"setcallbackfunction"; nocase; content:"<param"; pcre:"/^(?=[^>]*? name\s*=\s*[\x22\x27]movie)[^>]*? value\s*=\s*[\x22\x27]+\+(?P<var>[\w_-]+)\+[^>]+\/>\s*[\x22\x27]+\+(?P<var2>[\w_-]+)\+(?=.+?\b(?P=var)\s*\>\=\s*23\s*&&\s*(?P=var)<\=\s*28\b)(?=.+?\b(?P=var)\s*\>\=\s*17\s*&&\s*(?P=var)<\=\s*18\b)(?=.+?\b(?P=var)\s*\>\=\s*11\s*&&\s*(?P=var)<\=\s*16\b).+?,\s*?(?P=var2)\s*\(\s*\)\s*\)\s*\:(?P=var)\s*\>\=\s*\d/Rsi"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025915; rev:2; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Underminer_EK, signature_severity Major, created_at 2018_07_26, updated_at 2018_07_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Malvertising Redirect to EK M1"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Encoding|3a 20|gzip|0d 0a|"; http_header; file_data; content:"<script "; content:"new Date()).getTime()|3b|"; nocase; distance:0; content:".php?JBOSSESSION="; distance:0; fast_pattern; content:"window.location.href="; distance:0; content:"<script "; pcre:"/^\s*type\s*=\s*[\x22\x27]\s*text\/javascript\s*[\x22\x27]\s*>\s+var\s*(?P<timestamp>[A-Za-z0-9]{1,25})\s*=\s*\(new\sDate\(\)\)\.getTime\(\)\;\s+(?P<url>[A-Za-z0-9]{1,25})\s*=\s*[\x22\x27]\s*[^\r\n]+\.php\?JBOSSESSION=\s*[\x22\x27]\s+(?P<urlvar2>[A-Za-z0-9]{1,25})\s*=\s*(?P=url)\s*\+\s*(?P=timestamp)\s+window\.location\.href\s*=\s*(?P=urlvar2)\s+/Rsi"; content:"</script>"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025912; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_26, updated_at 2018_07_26;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Underminer EK Landing"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Encoding|3a 20|gzip|0d 0a|"; http_header; file_data; content:"position|3a 20|absolute|3b 20|left|3a 20|-"; fast_pattern; nocase; content:"if(!!window.ActiveXObject && typeof("; nocase; within:200; content:"if(!!window.ActiveXObject && typeof("; distance:0; pcre:"/^[^\r\n]+\s*\)\s*\!==\s*[\x22\x27]undefined[\x22\x27]\s*\)\{\s+var\s+(?P<var>[A-Za-z0-9]{1,25})\s*=\s*[^\.]+\.getElementById\s*\([\x22\x2][^\x22\x27]+[\x22\x27]\s*\)\s*\x3b\s+(?P=var)\s*\.\s*elements\[[\x22\x27][^\x22\x27]+[\x22\x27]\]\.value\s*=\s*[0-9]{1,15}\s*\;/Rsi"; content:"src="; distance:0; pcre:"/^\s*[\x22\x27][^\r\n]+\/[a-z0-9]{20,40}\.js[\x22\x27]\s*>\s*<\/script>\s*<\/body>/Rs"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025916; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_26, updated_at 2018_07_27;)

#alert tcp $EXTERNAL_NET !6666:7000 -> $HOME_NET any (msg:"ET DELETED IRC Name response on non-standard port"; flow: to_client,established; dsize:<128; content:"|3a|"; depth:1; content:" 302 "; content:"=+"; content:"@"; reference:url,doc.emergingthreats.net/bin/view/Main/2000346; classtype:trojan-activity; sid:2000346; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> any 6667 (msg:"ET DELETED Likely Botnet Activity"; flow:to_server,established; content:"PRIVMSG|20|"; depth:8; pcre:"/(cheguei gazelas|meh que tao|Status|Tempo|Total pacotes|Total bytes|M?dia de envio|portas? aberta)/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2001620; classtype:string-detect; sid:2001620; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Adobe 0day Shovelware"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"|0d 0a|Referer|3a|"; http_header; nocase; content:"/ppp/listdir.php?dir="; nocase; http_uri; pcre:"/\/[a-z]{2}\/[a-z]{4}01\/ppp\/listdir\.php\?dir=/Ui"; reference:url,isc.sans.org/diary.html?storyid=7747; reference:url,doc.emergingthreats.net/2010496; classtype:trojan-activity; sid:2010496; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Adobe Macromedia Flash Player In Windows XP Remote Arbitrary Code Execution CLSID Access Attempt"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D27CDB6E-AE6D-11cf-96B8-444553540000/si"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19710; reference:url,www.kb.cert.org/vuls/id/204889; reference:url,www.microsoft.com/technet/security/advisory/979267.mspx; reference:url,doc.emergingthreats.net/2010666; classtype:attempted-user; sid:2010666; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Adobe Flash 0Day Exploit Attempt"; flow:established,from_server; content:"CWS|09|"; content:"|BA D5 19 5D 86 67 D5 8E 7F BC D0 3C 6E D8 E2 17 16 E8 3A 9F CF 59 B8 7B F6|"; distance:16; reference:url,www.exploit-db.com/exploits/13787/; reference:url,doc.emergingthreats.net/2011672; classtype:misc-attack; sid:2011672; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAV AntivirusDoktor2009 User-Agent (768)"; flow:established,to_server; content:"User-Agent|3a| 768"; http_header; reference:url,doc.emergingthreats.net/2010682; classtype:trojan-activity; sid:2010682; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAV AntivirusDoktor2009 User-Agent (657)"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| 657"; http_header; reference:url,doc.emergingthreats.net/2010683; classtype:trojan-activity; sid:2010683; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Internal User may have Visited an ASProx Infected Site (ads-t.ru)"; flow:established,from_server; file_data; content:"<script src=http|3a|//www.ads-t.ru/ads.js>"; nocase; reference:url,garwarner.blogspot.com/2009/10/cyber-security-awareness-month-day-one.html; reference:url,doc.emergingthreats.net/2010032; classtype:trojan-activity; sid:2010032; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Internal User may have Visited an ASProx Infected Site (bannert.ru)"; flow:established,from_server; file_data; content:"<script src=http|3a|//www.bannert.ru/ads.js>"; nocase; reference:url,garwarner.blogspot.com/2009/10/cyber-security-awareness-month-day-one.html; reference:url,doc.emergingthreats.net/2010033; classtype:trojan-activity; sid:2010033; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Internal User may have Visited an ASProx Infected Site (bannerdriven.ru)"; flow:established,from_server; file_data; content:"<script src=http|3a|//www.bannerdriven.ru/ads.js>"; nocase; reference:url,garwarner.blogspot.com/2009/10/cyber-security-awareness-month-day-one.html; reference:url,doc.emergingthreats.net/2010034; classtype:trojan-activity; sid:2010034; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET DELETED Possible Cisco ASA 5500 Series Adaptive Security Appliance Remote SIP Inspection Device Reload Denial of Service Attempt"; content:"REGISTER"; depth:8; nocase; isdataat:400,relative; pcre:"/REGISTER.{400}/smi"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19915; reference:cve,2010-0569; reference:url,doc.emergingthreats.net/2010818; classtype:attempted-dos; sid:2010818; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED WU Malicious Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename"; within:100; content:"WU_Details_"; within:50; pcre:"/filename\s*=\s*"WU_Details_.....\.zip/m"; reference:url,doc.emergingthreats.net/2010376; classtype:trojan-activity; sid:2010376; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp ![66.220.157.64/26,66.220.157.16/29,66.220.157.48/28,66.220.157.24/29,66.220.144.128/27,66.220.157.128/27,66.220.144.160/29,66.220.157.160/29,66.220.144.168/29,66.220.157.168/29] any -> $SMTP_SERVERS 25 (msg:"ET DELETED Facebook Spam Inbound (1)"; flow:established,to_server; content:"facebook.com"; nocase; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename"; content:"Facebook_"; within:50; pcre:"/filename=.*facebook.*\.(rar|exe|zip)/i"; reference:url,doc.emergingthreats.net/2010497; reference:url,postmaster.facebook.com/outbound; classtype:trojan-activity; sid:2010497; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED Facebook Spam Inbound (2)"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|Facebook"; pcre:"/filename=\x22Facebook_(Password|Support|Document)_[A-Z0-9]{4,7}\.zip\x22/m"; reference:url,doc.emergingthreats.net/2010498; classtype:trojan-activity; sid:2010498; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED MySpace Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename"; within:100; content:"MySpace"; within:50; pcre:"/filename\s*=\s*MySpace_document_[0-9]{5}\.zip/m"; reference:url,doc.emergingthreats.net/2010629; classtype:trojan-activity; sid:2010629; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp !152.0.0.0/16 any -> $SMTP_SERVERS 25 (msg:"ET DELETED UPS Spam Inbound"; flow:established,to_server; content:"ups.com"; nocase; fast_pattern; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename"; pcre:"/filename\s*?=[^\n]*?(UPS|United Parcel Service)[^\n]*?\.(rar|exe|zip)/im"; classtype:trojan-activity; sid:2010644; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED UPS Spam Inbound Variant 2"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename"; within:100; content:"UPS_INVOICE_NR"; within:50; pcre:"/filename=\x22UPS_INVOICE_NR\.[0-9]{4}-[0-9]{6}\.zip\x22/mi"; reference:url,doc.emergingthreats.net/201150; classtype:trojan-activity; sid:2011150; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED UPS Spam Inbound Variant 3"; flow:established,to_server; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|UPS_LABEL_NR."; nocase; within:50; pcre:"/filename=\x22UPS_LABEL_NR\.[A-Z]+_[0-9]{4}-\d+\.ZIP\x22/i"; reference:url,doc.emergingthreats.net/2011151; classtype:trojan-activity; sid:2011151; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential Fake Anti-Virus Download Inst_58s6.exe"; flow:established,to_server; content:"/Inst_58s6.exe"; nocase; http_uri; reference:url,cyveillanceblog.com/general-cyberintel/malware-google-search-results; reference:url,doc.emergingthreats.net/2010339; classtype:trojan-activity; sid:2010339; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential FakeAV download ASetup_2009.exe variant"; flow:established,to_server; content:"GET"; nocase; http_method; content:"Setup_"; nocase; http_uri; content:".exe"; nocase; http_uri; content:!"|0d 0a|Referer|3a| "; nocase; http_header; pcre:"/\/[A-Z]Setup_[0-9]{4}\.exe$/Ui"; reference:url,www.prevx.com/avgraph/1/AVG.html; reference:url,doc.emergingthreats.net/2010901; classtype:trojan-activity; sid:2010901; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAV Download with Cookie WinSec"; flow:established,to_server; content:"/down.php?c="; nocase; http_uri; content:"WinSec"; nocase; http_cookie; reference:url,www.virustotal.com/analisis/6b5ff522ddf418a5cca87ebd924736774c1a58a9b51bb44ee72dac01f0db317a-1278686791; reference:url,doc.emergingthreats.net/2011178; classtype:trojan-activity; sid:2011178; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Likely FAKEAV scanner page encountered - i1000000.gif"; flow:established,to_server; content:"/i1000000.gif"; http_uri; nocase; reference:url,doc.emergingthreats.net/2011760; classtype:bad-unknown; sid:2011760; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential FakeAV download Setup_103s1 or Setup_207 variant"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/Setup_"; nocase; http_uri; content:".exe"; nocase; http_uri; content:!"|0d 0a|Referer|3a| "; nocase; http_header; pcre:"/\/Setup_[0-9]{3}([A-Z][0-9])?\.exe$/Ui"; reference:url,www.prevx.com/avgraph/1/AVG.html; reference:url,doc.emergingthreats.net/2010867; classtype:trojan-activity; sid:2010867; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Hostile domain, NeoSploit FakeAV google.analytics.com.*.info"; flow:established,to_server; content:"GET"; nocase; http_method; content:"|0d 0a|Host|3a| google.analytics.com."; nocase; http_header; content:".info|0d 0a|"; http_header; reference:url,www.malwaredomainlist.com/forums/index.php?action=printpage#-#-topic=3781.0; reference:url,doc.emergingthreats.net/2010866; classtype:trojan-activity; sid:2010866; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED iPhone Bot iKee.B Contacting C&C"; flow:to_server,established; content:"/xml/p.php?id="; http_uri; nocase; pcre:"/\/xml\/p\.php\?id=\d{2,}/Ui"; reference:url,mtc.sri.com/iPhone/; reference:url,doc.emergingthreats.net/2010551; classtype:trojan-activity; sid:2010551; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible JAVA pack200-zip-exploit attempt"; flow:to_client; content:"e.pack.gz"; content:"|0d 0a|Content-Encoding|3a| pack200-gzip"; within:55; reference:url,isc.sans.org/diary.html?storyid=6805&rss; reference:url,doc.emergingthreats.net/2009665; classtype:attempted-user; sid:2009665; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Java JAR PROPFIND via DAV possible alternative JVM exploit"; flow:established,to_server; content:"PROPFIND"; http_method; content:".jar"; nocase; http_uri; content:"User-Agent|3a| Microsoft-WebDAV-MiniRedir"; nocase; http_header; content:!"Referer|3a| "; http_header; reference:url,blogs.zdnet.com/security/?p=6082; reference:url,doc.emergingthreats.net/2011009; classtype:bad-unknown; sid:2011009; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible Microsoft Windows Shortcut LNK File Automatic File Execution Attempt Via WebDAV"; flow:established,to_client; file_data; content:"<lp2|3A|executable>T</lp2|3A|executable>"; nocase; content:"<D|3A|lockscope><D|3A|shared/></D|3A|lockscope>"; nocase; distance:0; content:"<D|3A|locktype><D|3A|write/></D|3A|locktype>"; nocase; distance:0; content:"<D|3A|getcontenttype>shortcut</D|3A|getcontenttype>"; nocase; distance:0; reference:url,support.microsoft.com/kb/2286198; reference:url,www.kb.cert.org/vuls/id/940193; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20918; reference:cve,2010-2568; reference:url,doc.emergingthreats.net/2011239; classtype:attempted-user; sid:2011239; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible Microsoft Windows .lnk File Processing WebDAV Arbitrary Code Execution Attempt"; flow:established,to_client; file_data; content:"<lp2|3A|executable>T</lp2|3A|executable>"; nocase; content:"<D|3A|lockscope><D|3A|exclusive/></D|3A|lockscope>"; nocase; distance:0; content:"</D|3A|lockentry>"; nocase; distance:0; content:"<D|3A|lockscope><D|3A|shared/></D|3A|lockscope>"; nocase; distance:0; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20918; reference:url,www.kb.cert.org/vuls/id/940193; reference:url,www.microsoft.com/technet/security/advisory/2286198.mspx; reference:cve,2010-2568; classtype:attempted-user; sid:2011270; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET DELETED MSSQL sp_replwritetovarbin - potential memory overwrite case 2"; flow:to_server,established; content:"sp_replwritetovarbin"; nocase; fast_pattern:only; reference:url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008910; classtype:attempted-user; sid:2008910; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Microsoft DirectShow ActiveX Exploit Attempt"; flow:to_client,established; file_data; content:"clsid"; nocase; content:"0955AC62-BF2E-4CBA-A2B9-A63F772D46CF"; nocase; distance:0; content:"omybro"; nocase; distance:0; content:"logo.gif"; nocase; distance:0; reference:url,csis.dk/dk/nyheder/nyheder.asp?tekstID=799; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=18595; reference:url,doc.emergingthreats.net/2009491; classtype:web-application-attack; sid:2009491; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Likely MSVIDCTL.dll exploit in transit"; flow:to_client,established; content:"|00 03 00 00 11 20 34|"; content:"|ff ff ff ff 0c 0c 0c 0c 00|"; within:70; reference:url,isc.sans.org/diary.html?storyid=6733; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=18595; reference:url,doc.emergingthreats.net/2009493; classtype:trojan-activity; sid:2009493; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Vulnerable Microsoft Video ActiveX CLSID access (43)"; flow:to_client,established; file_data; content:"clsid"; nocase; content:"F9769A06-7ACA-4E39-9CFB-97BB35F0E77E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F9769A06-7ACA-4E39-9CFB-97BB35F0E77E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009612; classtype:web-application-attack; sid:2009612; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Hidden iframe Served by nginx - Likely Hostile Code"; flow:established,to_client; content:"Server|3a| nginx"; nocase; http_header; content:"<iframe src="; nocase; content:"style=|22|visibility|3a|hidden|3b 22| width=|22|1|22| height=|22|1|22|></iframe>"; nocase; reference:url,doc.emergingthreats.net/2011714; classtype:bad-unknown; sid:2011714; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING Adobe Exploited Check-In"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?&&reader_version="; nocase; http_uri; reference:url,doc.emergingthreats.net/2011715; classtype:trojan-activity; sid:2011715; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Malvertising drive by kit encountered - bmb cookie"; flow:established,to_client; content:"HTTP/1"; depth:6; content:"bmb="; nocase; http_cookie; reference:url,doc.emergingthreats.net/2011222; classtype:bad-unknown; sid:2011222; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malvertising drive by kit collecting browser info"; flow:established,to_server; content:"/plugins.php?p=appName"; http_uri; nocase; reference:url,doc.emergingthreats.net/2011224; classtype:bad-unknown; sid:2011224; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING client requesting drive by - /x/?src="; flow:established,to_server; content:"/x/?src="; http_uri; nocase; content:"&o=o"; http_uri; nocase; reference:url,doc.emergingthreats.net/2011230; classtype:bad-unknown; sid:2011230; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING client requesting redirect to drive by - .php?c=cust"; flow:established,to_server; content:".php?c=cust"; http_uri; nocase; reference:url,doc.emergingthreats.net/2011231; classtype:bad-unknown; sid:2011231; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Likely Rogue Antivirus Download - ws.zip"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/install/ws.zip"; nocase; http_uri; reference:url,doc.emergingthreats.net/2010052; classtype:trojan-activity; sid:2010052; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED TROJAN Likely FakeRean Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/installer/InstallerClean.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/2010053; classtype:trojan-activity; sid:2010053; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED TROJAN Likely TDSS Download (197.exe)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/codec/197.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/2010056; classtype:trojan-activity; sid:2010056; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Likely Fake Antivirus Download installpv.exe"; flow:established,to_server; content:"GET"; http_method; content:"/installpv.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/2010057; classtype:trojan-activity; sid:2010057; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Likely Unknown Trojan Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/softwarefortubeview.40009.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/2010058; classtype:trojan-activity; sid:2010058; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED TROJAN Likely Possible Rogue A/V Win32/FakeXPA Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/Soft_21.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/2010060; classtype:trojan-activity; sid:2010060; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential exploit redirect, in.cgi pepsi"; flow:established,to_server; content:"ts/in.cgi?pepsi"; nocase; http_uri; pcre:"/ts\/in\.cgi\?pepsi\d+/Ui"; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010222; classtype:bad-unknown; sid:2010222; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential Malware Download flash-HQ-plugin exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"flash-"; http_uri; nocase; content:"-plugin"; http_uri; nocase; content:".exe"; nocase; http_uri; pcre:"/flash-[A-Z0-9]+-plugin\.[A-Z0-9]+\.exe/Ui"; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010440; classtype:bad-unknown; sid:2010440; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential Malware Download, pdf exploit"; flow:established,to_server; content:"/ssp/files/annonce.pdf"; nocase; http_uri; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010444; classtype:bad-unknown; sid:2010444; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential Malware Download, loadjavad.php exploit"; flow:established,to_server; content:"/ssp/loadjavad.php"; nocase; http_uri; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010446; classtype:bad-unknown; sid:2010446; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential Malware Download, rogue antivirus (IAInstall.exe)"; flow:established,to_server; content:"/download/IAInstall.exe"; nocase; http_uri; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010447; classtype:bad-unknown; sid:2010447; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential Malware Download, trojan zbot"; flow:established,to_server; content:"/globaldirectory/updatetool.exe"; nocase; http_uri; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010448; classtype:bad-unknown; sid:2010448; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential Malware Download, exploit redirect"; flow:established,to_server; content:"/fkzd/2.htm"; nocase; http_uri; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010449; classtype:bad-unknown; sid:2010449; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malwareurl.com - potential oficla download (annonce.pdf)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ssp/files/annonce.pdf"; nocase; http_uri; pcre:"/\/ssp\/files\/annonce\.pdf$/Ui"; reference:url,www.malwareurl.com; reference:url,doc.emergingthreats.net/2010532; classtype:trojan-activity; sid:2010532; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malwareurl.com - potential oficla download (loadjavad.php)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ssp/loadjavad.php"; nocase; http_uri; pcre:"/\/ssp\/loadjavad\.php$/Ui"; reference:url,www.malwareurl.com; reference:url,doc.emergingthreats.net/2010534; classtype:trojan-activity; sid:2010534; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malwareurl - wywg executable download Likely Malware"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/wywg/"; nocase; http_uri; content:".exe"; nocase; http_uri; pcre:"/\/wywg\/[a-z0-9]{2,5}\/[a-z0-9]+\.exe$/Ui"; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010716; classtype:trojan-activity; sid:2010716; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Unknown Malware Download Attempt"; flow:established,to_server; content:"/installer/Installer"; nocase; http_uri; content:".exe"; nocase; http_uri; pcre:"/\/\d+\/installer\/Installer(Clean)?\.exe$/Ui"; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010796; classtype:bad-unknown; sid:2010796; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NACHA/Zeus Phishing Executable Download Attempt"; flow:established,to_server; content:"GET"; http_method; content:"nacha.org."; nocase; http_header; content:".exe"; nocase; http_uri; pcre:"/\x0d\x0aHost\: (www\.)?nacha\.org\./i"; reference:url,garwarner.blogspot.com/2009/11/newest-zeus-nacha-electronic-payments.html; reference:url,doc.emergingthreats.net/2010342; classtype:trojan-activity; sid:2010342; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NeoSploit Exploit Kit Java exploit drive-by host likely infected (kav)"; flow:established,to_server; content:"/kav"; nocase; http_uri; content:"accept-encoding|3a| pack200-gzip,gzip|0d 0a|"; nocase; http_header; content:"content-type|3a| application/x-java-archive|0d 0a|"; nocase; http_header; content:!"Referer|3a| "; nocase; http_header; content:"User-Agent|3a| Mozilla"; nocase; http_header; content:" Java/"; nocase; reference:url,www.malwaredomainlist.com/forums/index.php?action=printpage%3btopic=3781.0; reference:url,doc.emergingthreats.net/2010870; classtype:trojan-activity; sid:2010870; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NeoSploit Exploit Kit Java exploit drive-by host likely infected (nte)"; flow:established,to_server; content:"/nte/"; nocase; http_uri; content:"accept-encoding|3a| pack200-gzip,gzip|0d 0a|"; nocase; http_header; content:"content-type|3a| application/x-java-archive|0d 0a|"; nocase; http_header; content:!"Referer|3a| "; nocase; content:"User-Agent|3a| Mozilla"; nocase; http_header; content:" Java/"; nocase; reference:url,www.malwaredomainlist.com/forums/index.php?action=printpage%3btopic=3781.0; reference:url,doc.emergingthreats.net/2010871; classtype:trojan-activity; sid:2010871; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Fake AV Related CSS Download"; flow:established,from_server; file_data; content:"#hello_nod32_guys_how_u_doing"; nocase; fast_pattern; reference:url,doc.emergingthreats.net/2011670; classtype:trojan-activity; sid:2011670; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Pinkslipbot Trojan Downloader"; flow:to_server,established; content:"/jl/jloader.pl?"; nocase; http_uri; content:"&it=2"; nocase; http_uri; content:"&b="; nocase; http_uri; content:"&n="; nocase; http_uri; pcre:"/\x26n\x3d[a-z]{5}\d{4}/U"; reference:url,doc.emergingthreats.net/2010742; classtype:trojan-activity; sid:2010742; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Nginx Serving PDF - Possible hostile content (PDF)"; flow:established,from_server; content:"Server|3a| nginx"; http_header; file_data; content:"%PDF-"; within:300; threshold:type limit, seconds 60, count 10, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2009076; classtype:bad-unknown; sid:2009076; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Psyb0t Code Download"; flow:established,to_server; content:"/udhcpc.env"; nocase; http_uri; reference:url,www.adam.com.au/bogaurd/PSYB0T.pdf; reference:url,doc.emergingthreats.net/2009170; classtype:trojan-activity; sid:2009170; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Psyb0t Bot Nick"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK [NIP]-"; fast_pattern:only; reference:url,www.adam.com.au/bogaurd/PSYB0T.pdf; reference:url,doc.emergingthreats.net/2009171; classtype:trojan-activity; sid:2009171; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED New Malware Information Post"; flow:to_server,established; content:"POST"; nocase; http_method; content:"Pragma|3a| no-cache"; http_header; content:"|C9 78 C7 02 69 06 7E 34 78 17|"; fast_pattern; reference:url,doc.emergingthreats.net/2009092; classtype:trojan-activity; sid:2009092; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED TROJAN SEO HTTP REFERER landing capture rewrite, likely Fake AV"; flow:established,to_server; content:"GET"; http_method; content:"Referer|3a| "; http_header; content:"search?"; nocase; fast_pattern; http_header; content:"q="; nocase; http_header; content:".com"; nocase; http_uri; pcre:"/\/[a-z]+\/[a-z0-9]{120,}\/[a-z0-9]+\/.+\.com$/U"; reference:url,doc.emergingthreats.net/2011066; classtype:trojan-activity; sid:2011066; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Iframe in Purported Image Download (png) - Likely SQL Injection Attacks Related"; flow:established,from_server; content:"content-type|3a| "; nocase; http_header; content:" image/png"; nocase; http_header; file_data; content:"<iframe"; nocase; pcre:"/content-type\x3a\s+image\/png/i"; pcre:"/<iframe.*?src.*?>.*?<\/iframe>/im"; reference:url,doc.emergingthreats.net/bin/view/Main/2008315; classtype:web-application-attack; sid:2008315; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED ASPROX Infected Site - ngg.js Request"; flow:established,to_server; content:"/ngg.js"; nocase; http_uri; content:!"nextgen-gallery"; nocase; reference:url,infosec20.blogspot.com/; reference:url,doc.emergingthreats.net/bin/view/Main/2008373; classtype:trojan-activity; sid:2008373; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET DELETED Possible ASPROX Hostile JS Being Served by a Local Webserver (/ngg.js)"; flow:established,from_server; content:"<script src=http|3a|//"; nocase; content:!"nextgen-gallery"; nocase; within:15; content:"/ngg.js>"; nocase; within:50; reference:url,doc.emergingthreats.net/bin/view/Main/2008387; reference:url,infosec20.blogspot.com/2008/07/asprox-payload-morphed.html; classtype:trojan-activity; sid:2008387; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET DELETED Possible ASPROX Hostile JS Being Served by a Local Webserver (/b.js)"; flow:established,from_server; file_data; content:"<script src=http|3a|//"; nocase; content:"/b.js>"; nocase; within:50; reference:url,doc.emergingthreats.net/bin/view/Main/2008388; classtype:trojan-activity; sid:2008388; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Skype Easybits Extras Manager - Exploit"; flow:established,from_server; content:"gygte"; nocase; content:"gygte"; nocase; distance:0; reference:url,www.m86security.com/labs/traceitem.asp?article=1347; reference:url,doc.emergingthreats.net/2011680; classtype:trojan-activity; sid:2011680; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unnamed - kuaiche.com related"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/config/fgun_install_"; http_uri; content:"User-Agent|3a| NSI SDL/1.2 (Mozilla)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008359; classtype:trojan-activity; sid:2008359; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Unknown Keepalive out"; flow:established,to_server; dsize:5; content:"|17 24 1B 00 00|"; fast_pattern:only; flowbits:isnotset,ET.teamviewerkeepaliveout; flowbits:set,ET.unknownkeepaliveup; flowbits:noalert; reference:url,doc.emergingthreats.net/bin/view/Main/2008779; classtype:unknown; sid:2008779; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET DELETED Unknown Keepalive in"; flow:established,to_client; dsize:5; content:"|17 24 1B 00 00|"; fast_pattern:only; flowbits:isnotset,ET.teamviewerkeepaliveout; flowbits:isset,ET.unknownkeepaliveup; reference:url,doc.emergingthreats.net/bin/view/Main/2008780; classtype:unknown; sid:2008780; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Executable requested from /wp-content/languages"; flow:established,to_server; content:"/wp-content/languages/"; nocase; http_uri; content:".exe"; nocase; http_uri; reference:url,www.malewareurl.com; reference:url,doc.emergingthreats.net/2011220; classtype:trojan-activity; sid:2011220; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zbot update (av-i386-daily.zip)"; flow:established,to_server; content:"av_base/av-i386-daily.zip"; nocase; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=06e69bfb6fffa17c4fc1e23af71b345c; reference:url,doc.emergingthreats.net/2010565; classtype:trojan-activity; sid:2010568; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zbot update (av_base/pay.php)"; flow:established,to_server; content:"av_base/pay.php"; nocase; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=06e69bfb6fffa17c4fc1e23af71b345c; reference:url,doc.emergingthreats.net/2010566; classtype:trojan-activity; sid:2010566; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zbot update (av_base/ip.php)"; flow:established,to_server; content:"av_base/ip.php"; nocase; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=06e69bfb6fffa17c4fc1e23af71b345c; reference:url,doc.emergingthreats.net/2010567; classtype:trojan-activity; sid:2010567; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zeus Bot / Zbot Checkin (/us01d/in.php)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/us01d/in.php"; nocase; http_uri; reference:url,garwarner.blogspot.com/2010/01/american-bankers-association-version-of.html; reference:url,doc.emergingthreats.net/2010729; classtype:trojan-activity; sid:2010729; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download 1"; flow:established,to_server; content:"GET"; http_method; content:"/perce/"; nocase; http_uri; content:"/qwerce.gif"; nocase; http_uri; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html; classtype:trojan-activity; sid:2010231; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download 2"; flow:established,to_server; content:"GET"; http_method; content:"/werber/"; nocase; http_uri; content:"/217.gif"; nocase; http_uri; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html; reference:url,doc.emergingthreats.net/2010232; classtype:trojan-activity; sid:2010232; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download 3"; flow:established,to_server; content:"GET"; http_method; content:"/item/"; nocase; http_uri; content:"/titem.gif"; nocase; http_uri; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html; reference:url,doc.emergingthreats.net/2010233; classtype:trojan-activity; sid:2010233; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 1"; flow:established,to_server; content:"POST"; http_method; content:"/senm.php?data="; nocase; http_uri; content:"data="; nocase; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,www.threatexpert.com/report.aspx?md5=7ca709f154e6abc678fbc4df8a3256b6; reference:url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html; reference:url,doc.emergingthreats.net/2010234; classtype:trojan-activity; sid:2010234; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 2"; flow:established,to_server; content:"POST"; http_method; content:"/perce/"; nocase; http_uri; content:"/qwerce.gif"; nocase; http_uri; content:"data="; nocase; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,doc.emergingthreats.net/2010235; classtype:trojan-activity; sid:2010235; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 3"; flow:established,to_server; content:"POST"; http_method; content:"/werber/"; nocase; http_uri; content:"/217.gif"; nocase; http_uri; content:"data="; nocase; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,doc.emergingthreats.net/2010236; classtype:trojan-activity; sid:2010236; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 4"; flow:established,to_server; content:"POST"; http_method; content:"/item/"; nocase; http_uri; content:"/titem.gif"; nocase; http_uri; content:"data="; nocase; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,doc.emergingthreats.net/2010237; classtype:trojan-activity; sid:2010237; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 5"; flow:established,to_server; content:"POST"; http_method; content:"/report.php?data="; nocase; http_uri; content:"data="; nocase; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,doc.emergingthreats.net/2010238; classtype:trojan-activity; sid:2010238; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 6"; flow:established,to_server; content:"POST"; http_method; content:"/arrows/"; nocase; http_uri; content:"/arrow_up.gif"; nocase; http_uri; content:"data="; nocase; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,www.threatexpert.com/report.aspx?md5=316fd88ac18d21889b1dbf9b979c1959; reference:url,doc.emergingthreats.net/2010239; classtype:trojan-activity; sid:2010239; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET DELETED HELO Non-Displayable Characters MailEnable Denial of Service"; flow:established,to_server; content:"HELO "; nocase; depth:60; pcre:"/^[^\n]*[\x00-\x08\x0e-\x1f]/R"; reference:cve,2006-3277; reference:bugtraq,18630; reference:url,doc.emergingthreats.net/bin/view/Main/2002998; classtype:attempted-dos; sid:2002998; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 123 -> $EXTERNAL_NET 123 (msg:"ET DELETED Potential Inbound NTP denial-of-service attempt (repeated mode 7 request)"; dsize:1; content:"|17|"; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.kb.cert.org/vuls/id/568372; reference:cve,2009-3563; reference:url,doc.emergingthreats.net/2010488; classtype:attempted-dos; sid:2010488; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 123 -> $EXTERNAL_NET 123 (msg:"ET DELETED Potential Inbound NTP denial-of-service attempt (repeated mode 7 reply)"; dsize:4; content:"|97 00 00 00|"; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.kb.cert.org/vuls/id/568372; reference:cve,2009-3563; reference:url,doc.emergingthreats.net/2010489; classtype:attempted-dos; sid:2010489; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET DELETED SSL Bomb DoS Attempt"; flow:to_server,established; content:"|16 03 00|"; offset:0; depth:3; content:"|01|"; within:1; distance:2; byte_jump:1,37,relative,align; byte_test:2,>,255,0,relative; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2000016; classtype:attempted-dos; sid:2000016; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Possible Slowloris Tool HTTP/Proxy Denial Of Service Attempt"; flow:to_server,established; content:"GET /"; depth:5; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| Trident/4.0"; http_header; threshold: type threshold, track by_src, count 100, seconds 30; reference:url,isc.sans.org/diary.html?storyid=6601; reference:url,www.packetstormsecurity.com/filedesc/slowloris.pl.txt.html; reference:url,doc.emergingthreats.net/2009413; classtype:attempted-dos; sid:2009413; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 5250 (msg:"ET DELETED MISC Computer Associates Negative Content-Length Buffer Overflow"; flow:established,to_server; content:"Content-Length|3A|"; nocase; pcre:"/^Content-Length\x3a\s*-\d+/smi"; reference:bugtraq,16354; reference:cve,2005-3653; reference:url,doc.emergingthreats.net/bin/view/Main/2002791; classtype:web-application-attack; sid:2002791; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Cisco %u IDS evasion"; flow: to_server,established; content:"%u002F"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000012; classtype:attempted-dos; sid:2000012; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Cisco IOS HTTP server DoS"; flow: to_server,established; content:"/TEST?/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000013; classtype:attempted-dos; sid:2000013; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Cisco IOS HTTP DoS"; flow: to_server,established; content:"/error?/"; http_uri; nocase; reference:url,www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000009; classtype:attempted-dos; sid:2000009; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Cisco-MARS/JBoss jmx-console POST"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/jmx-console/HtmlAdaptor"; nocase; http_uri; flowbits:set,cmars.jboss; reference:bugtraq,19071; reference:url,doc.emergingthreats.net/bin/view/Main/2003064; classtype:attempted-admin; sid:2003064; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Cisco-MARS/JBoss Remote Command Execution"; flowbits:isset,cmars.jboss; flow:to_server,established; content:"action=invokeOp"; nocase; content:"jboss.script"; nocase; content:"Runtime|2e|getRuntime|25|28|25|29|2e|exec|25|28"; nocase; reference:bugtraq,19071; reference:url,doc.emergingthreats.net/bin/view/Main/2003065; classtype:attempted-admin; sid:2003065; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED GuppY error.php Arbitrary Remote Code Execution"; flow: to_server,established; content:"/error.php?"; nocase; http_uri; content:"err="; nocase; http_uri; content:"_SERVER[REMOTE_ADDR]="; nocase; http_uri; reference:bugtraq,15609; reference:url,doc.emergingthreats.net/bin/view/Main/2002703; classtype:web-application-attack; sid:2002703; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED libPNG - Possible NULL-pointer crash in png_handle_iCCP"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; byte_test:4,>,0x80000000,0,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001190; classtype:misc-activity; sid:2001190; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED libPNG - Height exceeds limit"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; byte_test:4,>,0x80000000,12,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001192; classtype:misc-activity; sid:2001192; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET DELETED NETBIOS SMB Microsoft Windows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|3600|"; distance:110; within:5; content:"|F6387A76|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,isc.sans.org/diary.php?date=2005-08-14; reference:url,doc.emergingthreats.net/bin/view/Main/2002187; classtype:attempted-admin; sid:2002187; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET DELETED NETBIOS SMB-DS Microsoft Windows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset: 4; nocase; content:"|2600|"; depth:2; offset:65; content:"|3600|"; distance:110; within:5; content:"|F6387A76|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,isc.sans.org/diary.php?date=2005-08-14; reference:url,doc.emergingthreats.net/bin/view/Main/2002188; classtype:attempted-admin; sid:2002188; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Windows Media Player parsing BMP file with 0 size offset to start of image"; flow:established,from_server; file_data; content:"BM";  depth:2; byte_test:8,=,0,4,relative; metadata: former_category EXPLOIT; reference:url,www.milw0rm.com/id.php?id=1500; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-005.mspx; reference:cve,2006-0006; reference:bugtraq,16633; reference:url,doc.emergingthreats.net/bin/view/Main/2002802; classtype:attempted-user; sid:2002802; rev:10; metadata:created_at 2010_07_30, updated_at 2017_09_28;)

#alert udp any any -> $HOME_NET 139 (msg:"ET DELETED Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (6)"; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008695; classtype:attempted-admin; sid:2008695; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> $HOME_NET 445 (msg:"ET DELETED Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (21)"; flow:established,to_server; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008711; classtype:attempted-admin; sid:2008711; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> $HOME_NET 139 (msg:"ET DELETED Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (26)"; flow:established,to_server; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008716; classtype:attempted-admin; sid:2008716; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET DELETED EXPLOIT MS-SQL DOS bouncing packets"; content:"|0A|"; depth: 1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000381; classtype:attempted-dos; sid:2000381; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MS ANI exploit"; flow:established,from_server; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative, little; reference:url,doc.emergingthreats.net/bin/view/Main/2003519; classtype:attempted-admin; sid:2003519; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 143 -> $EXTERNAL_NET any (msg:"ET DELETED Vulnerable Mercury 4.01a IMAP Banner"; flow: from_server,established; content:"IMAP4rev1 Mercury/32 v4.01a server ready"; flowbits:set,mercury.imap.401a; reference:url,www.pmail.com/whatsnew/m32401.htm; reference:bugtraq,11775; reference:url,doc.emergingthreats.net/bin/view/Main/2002389; classtype:successful-recon-limited; sid:2002389; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET DELETED Mercury v4.01a IMAP RENAME Buffer Overflow"; flow:established,to_server; flowbits:isset,mercury.imap.401a; content:"a001 RENAME"; pcre:"/[0-9A-Z]{240,}/smi"; reference:url,www.pmail.com/whatsnew/m32401.htm; reference:url,metasploit.com/projects/Framework/exploits.html#mercury_imap; reference:bugtraq,11775; reference:url,doc.emergingthreats.net/bin/view/Main/2002390; classtype:misc-attack; sid:2002390; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 2)"; content:"|83 eb fc e2 f4|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010408; classtype:shellcode-detect; sid:2010408; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 2)"; content:"|83 eb fc e2 f4|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010422; classtype:shellcode-detect; sid:2010422; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED CAN-2005-0399 Gif Vuln via http"; flow: from_server,established; content:"GIF89a"; content:"|21 ff 0b|NETSCAPE2.0"; byte_test:1,!=,3,0,relative; reference:cve,2005-0399; reference:url,doc.emergingthreats.net/bin/view/Main/2001807; classtype:attempted-admin; sid:2001807; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit"; flow:to_server,established; content:".jsp?"; nocase; http_uri; content:"JSESSIONID="; nocase; http_uri; reference:cve,2008-5457; reference:url,infosec20.blogspot.com/2009/04/oracle-weblogic-iis-remote-buffer.html; reference:url,doc.emergingthreats.net/2009216; classtype:attempted-admin; sid:2009216; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Java field reflector call java.lang.reflect.field"; flow:from_server,established; content:"java/lang/reflect/Field"; reference:url,www.mullingsecurity.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002785; classtype:trojan-activity; sid:2002785; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Javascript unsafe applet call"; flow:from_server,established; content: "sun.misc.Unsafe"; reference:url,www.mullingsecurity.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002786; classtype:trojan-activity; sid:2002786; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Javascript Securitymanager class applet call"; flow:from_server,established; content: "java.lang.SecurityManager"; reference:url,www.mullingsecurity.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002787; classtype:trojan-activity; sid:2002787; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED WMF Escape Record Exploit - Web Only - all versions"; flow:established,from_server; flowbits:isnotset,emerging_wmf_http; content:"HTTP"; depth:4; nocase; flowbits:set,emerging_wmf_http; flowbits:noalert; reference:url,www.frsirt.com/english/advisories/2005/3086; reference:url,doc.emergingthreats.net/bin/view/Main/2002743; classtype:unknown; sid:2002743; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED WMF Escape Record Exploit - Web Only - version 3"; flow:established; flowbits:isset,emerging_wmf_http; flowbits:isnotset,emerging_wmf_expl; flowbits:isnotset,emerging_wmf_expl_v1; content:"|00 09 00 00 03|"; content:"|00 00|"; distance:10; within:12; flowbits:set,emerging_wmf_expl; flowbits:noalert; reference:url,www.frsirt.com/english/advisories/2005/3086; reference:url,doc.emergingthreats.net/bin/view/Main/2002741; classtype:unknown; sid:2002741; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED WMF Escape Record Exploit - Web Only - version 1"; flow:established; flowbits:isset,emerging_wmf_http; flowbits:isnotset,emerging_wmf_expl; flowbits:isnotset,emerging_wmf_expl_v1; content:"|00 09 00 00 01|"; content:"|00 00|"; distance:10; within:12; flowbits:set,emerging_wmf_expl_v1; flowbits:noalert; reference:url,www.frsirt.com/english/advisories/2005/3086; reference:url,doc.emergingthreats.net/bin/view/Main/2002757; classtype:unknown; sid:2002757; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED WMF Escape Record Exploit - Version 1"; flow:established; flowbits:isset,emerging_wmf_expl_v1; pcre:"/\x26[\x00-\xff]\x09\x00/"; flowbits:unset,emerging_wmf_http; flowbits:unset,emerging_wmf_expl; flowbits:unset,emerging_wmf_expl_v1; threshold:type limit, track by_src, count 1,seconds 120; reference:url,www.frsirt.com/english/advisories/2005/3086; reference:url,doc.emergingthreats.net/bin/view/Main/2002758; classtype:attempted-user; sid:2002758; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED WMF Escape Record Exploit - Version 3"; flow:established; flowbits:isset,emerging_wmf_expl; pcre:"/\x26[\x00-\xff]\x09\x00/"; flowbits:unset,emerging_wmf_http; flowbits:unset,emerging_wmf_expl; flowbits:unset,emerging_wmf_expl_v1; threshold:type limit, track by_src, count 1,seconds 120; reference:url,www.frsirt.com/english/advisories/2005/3086; reference:url,doc.emergingthreats.net/bin/view/Main/2002742; classtype:attempted-user; sid:2002742; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blizzard Downloader"; flow: established,to_server; content: "User-Agent|3a| Blizzard Downloader"; nocase; reference:url,www.worldofwarcraft.com/info/faq/blizzarddownloader.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002855; classtype:policy-violation; sid:2002855; rev:8; metadata:created_at 2010_07_30, updated_at 2016_04_29;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED 180solutions Update Engine"; flow: to_server,established; content:"GET"; http_method; content:"Host|3a|"; http_header; content:".180solutions.com"; http_header; reference:url,www.safer-networking.org/index.php?page=threats&detail=212; reference:url,doc.emergingthreats.net/bin/view/Main/2000930; classtype:trojan-activity; sid:2000930; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED 180solutions Spyware (tracked event reported)"; flow: to_server,established; content:"/TrackedEvent.aspx?"; nocase; http_uri; content:"eid="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001397; classtype:trojan-activity; sid:2001397; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED 180solutions Spyware (action url reported)"; flow: to_server,established; content:"/actionurls/ActionUrl"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001399; classtype:trojan-activity; sid:2001399; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED 180solutions Spyware Reporting"; flow: to_server,established; content:"/showme.aspx?"; nocase; http_uri; content:"partner_id="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001400; classtype:trojan-activity; sid:2001400; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zango Spyware Activity"; flow:to_server,established; content:"/banman/banman.asp?ZoneID="; nocase; http_uri; content:"&Task="; nocase; http_uri; content:"&X="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003170; classtype:trojan-activity; sid:2003170; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zango Spyware Post"; flow:to_server,established; content:"/te.aspx?ver="; nocase; http_uri; pcre:"/ver=[v\d]+/Ui"; reference:url,usa.kaspersky.com/about-us/news-press-releases.php?smnr_id=900000045; reference:url,doc.emergingthreats.net/bin/view/Main/2007607; classtype:trojan-activity; sid:2007607; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Spyware 2020"; flow: to_server,established; content:"|48 6F 73 74 3A 20 77 77 77 2E 32 30 32 30 73 65 61 72 63 68 2E 63 6F 6D|"; content:"|49 70 41 64 64 72|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.2020search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000327; classtype:trojan-activity; sid:2000327; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED 2020search Update Engine"; flow: to_server,established; content:"POST"; nocase; http_method; content:"srng/reg.php HTTP"; content:"|0d0a|Host|3a|"; http_header; content:"2020search.com"; http_header; content:"IpAddr="; nocase; http_client_body; reference:url,www.safer-networking.org/index.php?page=updatehistory&detail=2004-03-04; reference:url,doc.emergingthreats.net/bin/view/Main/2000934; classtype:trojan-activity; sid:2000934; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED 360safe.com related Fake Security Product Update"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/?fixtool="; http_uri; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008036; classtype:trojan-activity; sid:2008036; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED AdultfriendFinder.com Spyware Iframe Download"; flow:to_server,established; content:"/promo/affiframe.jsp?Pid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002353; classtype:trojan-activity; sid:2002353; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Advertising.com Reporting Data"; flow:  to_server,established;  content:"/site="; http_uri; content:"/mnum="; http_uri; content:"/bins="; http_uri; content:"/rich="; http_uri; content:"/logs="; http_uri; content:"/betr="; http_uri;   reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002304; classtype:policy-violation; sid:2002304; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Adwave Agent Access"; flow: to_server,established; content:"/search_404.aspx?aff="; nocase; http_uri; reference:url,www.intermute.com/spyware/HuntBar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001318; classtype:policy-violation; sid:2001318; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Casalemedia Access, Likely Spyware"; flow: to_server,established; content:"Host|3a|"; nocase; http_header; content:".ak-networks.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001529; classtype:trojan-activity; sid:2001529; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Altnet PeerPoints Manager Start"; flow: to_server,established; content:"/pm/start.asp"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000906; classtype:policy-violation; sid:2000906; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Altnet PeerPoints Manager Data Submission"; flow: to_server,established; content:"/backoffice.net/stats/Add.aspx"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000598; classtype:policy-violation; sid:2000598; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Altnet PeerPoints Manager Settings Download"; flow: to_server,established; content:"/pointsmanager/settings.cab?"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000907; classtype:policy-violation; sid:2000907; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Anti-virus-pro.com Fake AV Checkin"; flow:established,to_server; content:"/stat.php?machine_id={"; nocase; http_uri; pcre:"/machine_id={[A-F0-9]+-[A-F0-9]+-[A-F0-9]+-[A-F0-9]+-[A-F0-9]+}/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2007886; classtype:trojan-activity; sid:2007886; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Borlander Adware Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?t="; nocase; http_uri; content:"&i="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&d="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"&n="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008736; classtype:bad-unknown; sid:2008736; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Bravesentry.com/Protectwin.com Fake Antispyware Reporting"; flow:established,to_server; content:"/download.php?&advid="; nocase; http_uri; content:"&u="; nocase; http_uri; content:"&p="; nocase; http_uri; content:!"User-Agent|3a| "; http_header; content:"Host|3a| "; http_header; content:".bravesentry.com"; nocase; http_header; fast_pattern; reference:url,www.bravesentry.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152; reference:url,doc.emergingthreats.net/bin/view/Main/2003542; classtype:trojan-activity; sid:2003542; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Browseraid.com Agent Reporting Data"; flow: to_server,established; content:"/perl/ads.pl"; nocase; http_uri; reference:url,www.browseraid.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001266; classtype:trojan-activity; sid:2001266; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Browseraid.com Agent Updating"; flow: to_server,established; content:"/perl/uptodate.pl"; nocase; http_uri; content:"uptodate.browseraid.com"; nocase; http_header; reference:url,www.browseraid.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001304; classtype:trojan-activity; sid:2001304; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED C4tdownload.com Access, Likely Spyware"; flow: to_server,established; content:"Host|3a|"; nocase; http_header; content:".c4tdownload.com"; http_header; nocase; reference:url,sarc.com/avcenter/venc/data/adware.clickdloader.b.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001531; classtype:trojan-activity; sid:2001531; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CWS Related Installer"; flow:established,to_server; content:"/image_tracker.php?l="; http_uri; fast_pattern:only; content:"&x="; http_uri; content:"&deptid="; distance:0; http_uri; content:"&page"; distance:0; http_uri; content:"&unique="; distance:0; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002932; classtype:trojan-activity; sid:2002932; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Cnzz.com/Baidu Related Spyware Stat Reporting"; flow:established,to_server; content:"/stat.php?id="; nocase; http_uri; content:"&web_id="; nocase; http_uri; content:"Host|3a|"; nocase; http_header; content:!"Referer|3a| "; nocase; http_header; reference:url,vil.nai.com/vil/content/v_140364.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2003607; classtype:trojan-activity; sid:2003607; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Corpsespyware.net Blind Data Upload"; flow:to_server,established; content:"/images/data.php?"; http_uri; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002774; classtype:trojan-activity; sid:2002774; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Corpsespyware.net BlackListed Malicious Domain - google.vc"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"google.vc"; nocase; http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002765; classtype:trojan-activity; sid:2002765; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Corpsespyware.net Distribution - fesexy"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"fesexy.net"; nocase; http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002768; classtype:trojan-activity; sid:2002768; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Couponage Reporting"; flow: to_server,established; content:"/?keyword="; nocase; http_uri; content:"couponage.com"; nocase; http_header; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; reference:url,doc.emergingthreats.net/bin/view/Main/2001455; classtype:policy-violation; sid:2001455; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Windows executable sent when remote host claims to send image, Win32"; flow: established,from_server; content:"Content-Type|3a| image"; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2001684; classtype:trojan-activity; sid:2001684; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any !20 -> $HOME_NET !25 (msg:"ET DELETED Possible Windows executable sent when remote host claims to send an image"; flow: established,from_server; content:"Content-Type|3a| image"; content:"|0d 0a|MZ"; within: 12; reference:url,doc.emergingthreats.net/bin/view/Main/2001685; classtype:trojan-activity; sid:2001685; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible Windows executable sent when remote host claims to send Javascript"; flow:established,from_server; content:"Content-Type|3a| application/"; http_header; content:"javascript|0d 0a|"; within:14; fast_pattern; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2008367; classtype:trojan-activity; sid:2008367; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CrazyWinnings.com Activity"; flow: established,to_server; content:"/scripts/protect.php?promo=promo"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001733; classtype:trojan-activity; sid:2001733; rev:7; metadata:created_at 2010_07_30, updated_at 2016_09_20;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Default-homepage-network.com Access"; flow: to_server,established; content:"wsh.RegWrite"; nocase; content:"default-homepage-network.com/start.cgi?"; nocase; reference:url,default-homepage-network.com/start.cgi?new-hkcu; reference:url,doc.emergingthreats.net/bin/view/Main/2001222; classtype:trojan-activity; sid:2001222; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Doctorpro.co.kr Related Fake Anti-Spyware Install Checkin"; flow:established,to_server; content:"/install_count.html?id="; nocase; http_uri; content:"&MAC="; nocase; http_uri; pcre:"/MAC=0\w-\w\w-\w\w-\w\w-\w\w-\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006425; classtype:trojan-activity; sid:2006425; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Doctorpro.co.kr Related Fake Anti-Spyware Checkin"; flow:established,to_server; content:"/access_count.html?id="; nocase; http_uri; content:"&MAC="; nocase; http_uri; pcre:"/MAC=0\w-\w\w-\w\w-\w\w-\w\w-\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006426; classtype:trojan-activity; sid:2006426; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED E2give Related Downloading IeBHOs.dll"; flow: to_server,established; content:"/downloads/IeBHOs.dll"; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001415; classtype:trojan-activity; sid:2001415; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Evidencenuker.com Fake AV Updating"; flow:established,to_server; content:"/products/evidencenuker/update.php?version="; nocase; http_uri; reference:url,www.evidencenuker.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003568; classtype:trojan-activity; sid:2003568; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Featured-Results.com Agent Reporting Data"; flow: to_server,established; content:"action=any"; nocase; http_uri; content:"country="; nocase; http_uri; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/.*perl\/fr\.pl/i"; reference:url,www.featured-results.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001293; classtype:trojan-activity; sid:2001293; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Findwhat.com Spyware (sendtracker)"; flow: to_server,established; content:"/bin/findwhat.dll?sendtracker&"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003580; classtype:trojan-activity; sid:2003580; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FlashPoint Agent Retrieving New Code"; flow: to_server,established; content:"/ftxmon.php?"; http_uri; reference:url,www.flashpoint.bm; reference:url,doc.emergingthreats.net/bin/view/Main/2000905; classtype:trojan-activity; sid:2000905; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Fun Web Products Adware Agent Traffic"; flow: to_server,established; content:"FunWebProducts|3b|"; nocase; fast_pattern:only; http_header; threshold: type limit, track by_src, count 2, seconds 360; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001034; classtype:policy-violation; sid:2001034; rev:23; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Fun Web Products MyWay Agent Traffic"; flow: to_server,established; content:"FunWebProducts-MyWay|3b|"; nocase; http_header; threshold: type limit, track by_src, count 10, seconds 60; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001043; classtype:policy-violation; sid:2001043; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Fun Web Products Stampchooser Spyware"; flow: to_server,established; content:"/StampChooser.html?"; nocase; http_uri; content: "v="; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002307; classtype:policy-violation; sid:2002307; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Gator Checkin"; flow: to_server,established; content:"/gbsf/"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000595; classtype:policy-violation; sid:2000595; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Gator/Clarian Spyware Posting Data"; flow: to_server,established; content:"/gs_med"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2003575; classtype:trojan-activity; sid:2003575; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Adware Istbar Search Hijacker and Downloader"; flow:established,to_client; content:"200"; http_stat_code; content:"OK"; nocase; http_stat_msg; content:"Content-Type|3a| qvod_update"; nocase; http_header; content:"|5b|AGENTLIST|5d 0d 0a|ip0="; nocase; content:"|0d 0a|port0="; nocase; within:25; content:"|0d 0a 0d 0a|ip1="; nocase; content:"|0d 0a|port1="; nocase; within:25; reference:url,www.pctools.com/mrc/infections/id/Trojan.ISTbar/; reference:url,www.threatexpert.com/reports.aspx?find=Trojan.ISTbar; reference:url,doc.emergingthreats.net/2009597; classtype:trojan-activity; sid:2009597; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 3531 -> $EXTERNAL_NET 3531 (msg:"ET DELETED JoltID Agent Probing or Announcing UDP";  reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000900; classtype:trojan-activity; sid:2000900; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg:"ET DELETED JoltID Agent Communicating TCP"; flow: to_server,established; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000901; classtype:trojan-activity; sid:2000901; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg:"ET DELETED JoltID Agent Keep-Alive"; flow: to_server,established; dsize: 1; content:"|4b|"; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001015; classtype:trojan-activity; sid:2001015; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED JoltID Agent P2P via Proxy Server"; flow: to_server,established; content:"POST http|3a|//"; nocase; content:"|3a|3531/.pkt"; nocase; within: 20; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001679; classtype:trojan-activity; sid:2001679; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any <> $EXTERNAL_NET 3531 (msg:"ET DELETED JoltID Agent Requesting File"; flow: established,to_server; content:"GIVE "; content:"User-Agent|3a|"; nocase; content:"PeerEnabler"; within:120; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001654; classtype:trojan-activity; sid:2001654; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MSUpdater.net Spyware Checkin"; flow:established,to_server; content:"/popsetarray.php?&country="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002094; classtype:trojan-activity; sid:2002094; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Medialoads.com Spyware Reporting (download.cgi)"; flow: to_server,established; content:"/dw/cgi/download.cgi?"; nocase; http_uri; content:"sn="; nocase; http_uri; content:"Host|3a|config.medialoads.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001508; classtype:trojan-activity; sid:2001508; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Metarewards Disclaimer Access"; flow: to_server,established; content:"/www.metareward.com/mailimg/disclaimer/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002309; classtype:policy-violation; sid:2002309; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Mindset Interactive Ad Retrieval"; flow: to_server,established; uricontent:"/mindset5"; nocase; reference:url,www.mindsetinteractive.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000594; classtype:trojan-activity; sid:2000594; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED My Search Bar Install"; flow: to_server,established; content:"/mysetup.exe"; nocase; http_uri; fast_pattern:only; reference:url,www.2-spyware.com/parasite-my-search-bar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001040; classtype:trojan-activity; sid:2001040; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MyWay Spyware Posting Activity Report - Dell Related"; flow:to_server,established; content:"/script/bzDellHpData.js?"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003621; classtype:trojan-activity; sid:2003621; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Pacimedia Spyware 2"; flow: to_server,established; content:"/xml/check.php?"; nocase; http_uri; content:"u="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002194; classtype:policy-violation; sid:2002194; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED PeopleOnPage Install"; flow: to_server,established; content:"/install/pop"; nocase; http_uri; reference:url,www.peopleonpage.com; reference:url,www.safer-networking.org/en/threats/602.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001445; classtype:policy-violation; sid:2001445; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED PeopleOnPage Ping"; flow: to_server,established; content:"Host|3a| srv.peopleonpage.com"; nocase; http_header; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/s\/l\/firstping/i"; reference:url,www.peopleonpage.com; reference:url,www.safer-networking.org/en/threats/602.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001446; classtype:policy-violation; sid:2001446; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Popuptraffic.com Bot Reporting"; flow: to_server,established; content:"/scripts/click.php?"; nocase; http_uri; content:"hid="; http_uri; reference:url,popuptraffic.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000577; classtype:policy-violation; sid:2000577; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Privacyprotector.com Fake Anti-Spyware Checkin"; flow: to_server,established; content:"/?action="; nocase; http_uri; content:"&type="; nocase; http_uri; content:"&pc_id="; nocase; http_uri; content:"&abbr="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003548; classtype:trojan-activity; sid:2003548; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED rcprograms"; flow: to_server,established; content:"update.rcprograms.com"; nocase; http_header; reference:url,sarc.com/avcenter/venc/data/adware.rcprograms.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000024; classtype:trojan-activity; sid:2000024; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Rdxrp.com Traffic (Generic)"; flow: to_server,established; content:"/rdxr"; nocase; http_uri; content:".dat"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001312; classtype:trojan-activity; sid:2001312; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Searchmeup Spyware Install (toolbar)"; flow: to_server,established; content:"/dkprogs/toolbar.txt"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001473; classtype:trojan-activity; sid:2001473; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Searchmiracle.com Access, Likely Spyware"; flow: to_server,established; content:"Host|3a|"; nocase; http_header; content:".searchmiracle.com"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.elitebar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001532; classtype:trojan-activity; sid:2001532; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Softspydelete.com Fake Anti-Spyware Checkin"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"a1="; nocase; http_uri; content:"&a2="; nocase; http_uri; content:"&a3="; nocase; http_uri; content:"Windows"; nocase; http_uri; content:"&a4=Build"; nocase; http_uri; content:"&a5="; nocase; http_uri; content:"&table="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007842; classtype:trojan-activity; sid:2007842; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET !21:587 -> any any (msg:"ET DELETED Spambot Suspicious 220 Banner on Local Port"; flow: established; content:"220 "; offset: 0; depth: 4; tag: session, 20, packets; reference:url,doc.emergingthreats.net/bin/view/Main/2001815; classtype:non-standard-protocol; sid:2001815; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Spambot getting new exe url"; flow:established,to_server; content:"404.txt"; nocase; http_uri; content:"404"; content:!"User-Agent|3a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002989; classtype:trojan-activity; sid:2002989; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Speedera Agent"; flow: to_server,established; content:"/io/downloads"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001320; classtype:trojan-activity; sid:2001320; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Spylog.ru Related Spyware Checkin"; flow:established,to_server; content:"/cnt?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"&rn="; nocase; http_uri; content:"&c="; nocase; http_uri; content:"&tl="; nocase; http_uri; content:"&ls="; nocase; http_uri; content:"&ln="; nocase; http_uri; content:"&t="; nocase; http_uri; content:"&j="; nocase; http_uri; content:"&wh="; nocase; http_uri; content:"&px="; nocase; http_uri; content:"&sl="; nocase; http_uri; content:"&r="; nocase; http_uri; content:"&fr="; nocase; http_uri; content:"&pg="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007649; classtype:trojan-activity; sid:2007649; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Statblaster Receiving New configuration (allfiles)"; flow: to_server,established; content:"/updatestats/all_files"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001523; classtype:policy-violation; sid:2001523; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Statblaster Code Download"; flow: to_server,established; content:"/updatestats/"; nocase; http_uri; content:".exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001524; classtype:policy-violation; sid:2001524; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED thebestsoft4u.com Spyware Install (3)"; flow: to_server,established; content:"/pr.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001486; classtype:trojan-activity; sid:2001486; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Theinstalls.com Trojan Download"; flow:established,to_server; content:"/files/programs/"; http_uri; content:"|0d 0a|Host|3a| "; http_header; content:"theinstalls.com|0d 0a|"; http_header; reference:url,www.theinstalls.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007798; classtype:trojan-activity; sid:2007798; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan.Downloader.Time2Pay.AQ"; flow:established,to_server; content:"/progs_traff/"; nocase; http_uri; reference:url,research.sunbelt-software.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003034; classtype:trojan-activity; sid:2003034; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious POST to ROBOTS.TXT"; flow:established,to_server; content:"POST";  nocase; http_method; content:"/robots.txt"; nocase; http_uri; pcre:"/^\s?\+x=[0-9]*\;\ +y=[0-9]/C"; reference:url,doc.emergingthreats.net/bin/view/Main/2002856; classtype:unknown; sid:2002856; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Web Bot Controller Accessed"; flow:to_server,established; content:"/stata/index.php?tr=ok"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003025; classtype:trojan-activity; sid:2003025; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Virtumonde Spyware siae3123.exe GET"; flow: to_server,established; content:"siae3123.exe"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000306; classtype:trojan-activity; sid:2000306; rev:26; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 8081 (msg:"ET DELETED Virtumonde Spyware siae3123.exe GET (8081)"; flow: to_server,established; content:"siae3123.exe"; nocase; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000307; classtype:trojan-activity; sid:2000307; rev:25; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Virtumonde Spyware Information Post"; flow: to_server,established; content:"POST"; nocase; http_method; content:"e_g_StatisticsUploadDelay"; nocase; content:"g_AffiliateID"; nocase; content:"virtumonde.com"; http_header; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000308; classtype:trojan-activity; sid:2000308; rev:23; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Weatherbug"; flow: to_server,established; content:"WxAlertIsapi"; nocase; http_uri; threshold: type limit, track by_src, count 1, seconds 3600; reference:url,doc.emergingthreats.net/bin/view/Main/2001235; classtype:misc-activity; sid:2001235; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Weatherbug Wxbug Capture"; flow: to_server,established; content:"GET"; nocase; http_method; content:"Host|3a|"; nocase; http_header; content:"wxbug.com"; nocase; http_header; threshold: type limit, track by_src, count 1, seconds 3600; reference:url,doc.emergingthreats.net/bin/view/Main/2002364; classtype:misc-activity; sid:2002364; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Weatherbug Design60 Upload Activity"; flow:established,to_server; content:"/GetDesign60.aspx?Magic="; nocase; http_uri; content:"?ZipCode="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003421; classtype:trojan-activity; sid:2003421; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Weatherbug Design60 Upload Activity"; flow:established,to_server; content:"/GetDesign60.aspx?Magic="; nocase; http_uri; content:"?ZipCode="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003423; classtype:trojan-activity; sid:2003423; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Weatherbug Vista Gadget Activity"; flow:established,to_server; content:"/Command/VistaGadget_v"; nocase; http_uri; content:"UserId="; nocase; http_uri; content:"&AppVersion="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003534; classtype:trojan-activity; sid:2003534; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Websearch.com Cab Download"; flow: to_server,established; content:"/Dnl/T_"; nocase; http_uri; pcre:"/\/\S+\.cab/Ui"; reference:mcafee,131461; reference:url,doc.emergingthreats.net/bin/view/Main/2003242; classtype:trojan-activity; sid:2003242; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Weird on the Web /180 Solutions Update"; flow: to_server,established; content:"/notifier/updates"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002041; classtype:trojan-activity; sid:2002041; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED WhenUClick.com Desktop Bar App Checkin"; flow: to_server,established; content:"/heartbeat?"; nocase; http_uri; content:"=desktop"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2001443; classtype:policy-violation; sid:2001443; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Winreanimator.com Fake AV Install Attempt"; flow:established,to_server; content:"/inst.php?wmid="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"&l="; nocase; http_uri; content:"&s="; nocase; http_uri; reference:url,www.winreanimator.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007865; classtype:trojan-activity; sid:2007865; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Winsoftware.com Spyware Activity"; flow: to_server,established; content:"/?proto="; nocase; http_uri; content:"&rc="; nocase; http_uri; content:"&abbr="; nocase; http_uri; content:"platform="; nocase; http_uri; content:"&os_version="; nocase; http_uri; content:"&appid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003471; classtype:trojan-activity; sid:2003471; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Yesadvertising Banking Spyware RETRIEVE"; flow: to_server,established; content:"/img1big.gif"; nocase; http_uri; reference:url,isc.sans.org/presentations/banking_malware.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000336; classtype:trojan-activity; sid:2000336; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Yesadvertising Banking Spyware INFORMATION SUBMIT"; flow: to_server,established; content:"/cgi-bin/yes.pl"; nocase; http_uri; reference:url,isc.sans.org/presentations/banking_malware.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000337; classtype:trojan-activity; sid:2000337; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED YourSiteBar Data Submision"; flow: to_server,established; content:"/ist/scripts/istsvc_ads_data.php?version="; nocase; http_uri; reference:url,www.ysbweb.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001698; classtype:trojan-activity; sid:2001698; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED iframebiz - adv***.php"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/adv"; nocase; http_uri; pcre:"/adv\d+\.php/Ui"; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002707; classtype:trojan-activity; sid:2002707; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Kaaza Media desktop p2pnetworking.exe Activity"; content:"|e30cb0|"; depth:6; threshold: type limit, track by_dst, count 1 , seconds 600; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000340; classtype:policy-violation; sid:2000340; rev:11; metadata:created_at 2010_07_30, updated_at 2016_09_12;)

#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET DELETED Edonkey Connect Reply and Server List"; dsize:>200; content:"|e3 0b|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003313; classtype:policy-violation; sid:2003313; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Edonkey Search Request (any type file)"; dsize:>19; content:"|e3 0e|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003317; classtype:policy-violation; sid:2003317; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET DELETED Edonkey Search Results"; dsize:>21; content:"|e3 99|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003320; classtype:policy-violation; sid:2003320; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any (msg:"ET DELETED iroffer IRC Bot help message"; flow: from_server,established; content:"|54 6F 20 72 65 71 75 65 73 74 20 61 20 66 69 6C 65 20 74 79 70 65 3A 20 22 2F 6D 73 67|"; fast_pattern:only; reference:url,iroffer.org; reference:url,doc.emergingthreats.net/bin/view/Main/2000338; classtype:trojan-activity; sid:2000338; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any (msg:"ET DELETED iroffer IRC Bot offered files advertisement"; flow: from_server,established; content:"|54 6F 74 61 6C 20 4F 66 66 65 72 65 64 3A|"; fast_pattern:only; reference:url,iroffer.org; reference:url,doc.emergingthreats.net/bin/view/Main/2000339; classtype:trojan-activity; sid:2000339; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED KazaaClient P2P Traffic"; flow: established; content:"Agent|3a| KazaaClient"; nocase; reference:url,www.kazaa.com/us/index.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2001812; classtype:policy-violation; sid:2001812; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 6345:6349 -> $EXTERNAL_NET 6345:6349 (msg:"ET DELETED UDP traffic - Likely Limewire"; threshold: type threshold,track by_src,count 40, seconds 300; reference:url,www.limewire.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001841; classtype:policy-violation; sid:2001841; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> 38.115.131.0/24 2234 (msg:"ET DELETED Soulseek traffic (1)"; flow: established; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/bin/view/Main/2001185; classtype:policy-violation; sid:2001185; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> 38.115.131.0/24 5534 (msg:"ET DELETED Soulseek traffic (2)"; flow: established; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/bin/view/Main/2001186; classtype:policy-violation; sid:2001186; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED eMule KAD Network Hello Request (2)"; dsize:27; content:"|e4 10|"; depth:2; byte_test:2,<,65535,0,relative; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009971; classtype:policy-violation; sid:2009971; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Akamai Redswoosh CLIOnlineManager Connection Detected"; flow:established,to_server; content:"PUT "; depth:4; nocase; content:"|0d 0a|User-Agent|3a|"; content:"rswin_3725.dll"; within:30; nocase; reference:url,doc.emergingthreats.net/2011275; classtype:policy-violation; sid:2011275; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp [174.129.0.0/16,67.202.0.0/18,79.125.0.0/17,184.72.0.0/15,75.101.128.0/17,174.129.0.0/16,204.236.128.0/17] any -> $HOME_NET any (msg:"ET DELETED Incoming Connection Attempt From Amazon EC2 Cloud"; flow:to_server; flags:S,12; reference:url,doc.emergingthreats.net/2010815; classtype:misc-activity; sid:2010815; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED NE EXE OS2 file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in a DOS session."; isdataat: 6,relative; content:"NE"; distance: 0; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000423; classtype:misc-activity; sid:2000423; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED LX EXE OS2 file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in a DOS session."; isdataat: 6,relative; content:"LX"; distance: 0; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000424; classtype:misc-activity; sid:2000424; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED NE EXE Windows 3.x file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program requires Microsoft Windows."; isdataat: 10,relative; content:"NE"; distance: 0; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000425; classtype:misc-activity; sid:2000425; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED PE EXE or DLL Windows file download (2)"; flow:established,to_client; file_data; content:"MZ"; within:2; isdataat:76,relative; content:"Windows Program"; distance:0; isdataat:10,relative; content:"PE"; distance:0; metadata: former_category INFO; reference:url,doc.emergingthreats.net/2010869; classtype:policy-violation; sid:2010869; rev:5; metadata:created_at 2010_07_30, updated_at 2017_11_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED PE EXE Install Windows file download"; flow:established; content:"MZ"; isdataat:76,relative; content:"This program must be "; distance:0; isdataat:140,relative; content:"PE"; distance:0; metadata: former_category INFO; reference:url,www.program-transformation.org/Transform/PcExeFormat; reference:url,doc.emergingthreats.net/bin/view/Main/2000427; classtype:policy-violation; sid:2000427; rev:15; metadata:created_at 2010_07_30, updated_at 2017_11_01;)

#alert ip [102.0.0.0/7,104.0.0.0/8,106.0.0.0/8,179.0.0.0/8,185.0.0.0/8] any -> $HOME_NET any (msg:"ET DELETED Reserved IP Space Traffic - Bogon Nets 2"; threshold: type limit, track by_src, count 1, seconds 360; reference:url,www.cymru.com/Documents/bogon-list.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002750; classtype:bad-unknown; sid:2002750; rev:27; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip [192.0.0.0/24,192.0.2.0/24,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24] any -> $HOME_NET any (msg:"ET DELETED Reserved IP Space Traffic - Bogon Nets 3"; threshold: type limit, track by_src, count 1, seconds 360; reference:url,www.cymru.com/Documents/bogon-list.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002751; classtype:bad-unknown; sid:2002751; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Non-US Restricted Outbound"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+RESTRICTED//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002410; classtype:policy-violation; sid:2002410; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Non-US Confidential Outbound"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+CONFIDENTIAL//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002411; classtype:policy-violation; sid:2002411; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Non-US Top Secret Outbound"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+TOP\sSECRET//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002412; classtype:policy-violation; sid:2002412; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Non-US Secret"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+(?<!TOP\s)SECRET//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002413; classtype:policy-violation; sid:2002413; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP NATO Restricted"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sRESTRICTED)|NR)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002414; classtype:policy-violation; sid:2002414; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP NATO Confidential Atomal"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sCONFIDENTIAL\sATOMAL)|NCA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002415; classtype:policy-violation; sid:2002415; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP NATO Confidential"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sCONFIDENTIAL)|NC)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002416; classtype:policy-violation; sid:2002416; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP NATO COSMIC Top Secret Atomal"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((COSMIC\sTOP\sSECRET\sATOMAL)|CTSA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002417; classtype:policy-violation; sid:2002417; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP NATO Secret Atomal"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sSECRET\sATOMAL)|NSA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002418; classtype:policy-violation; sid:2002418; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP NATO Secret"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sSECRET)|NS)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002419; classtype:policy-violation; sid:2002419; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential, Electronic"; flow:to_server,established; content:"Subject|3A|"; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(CC)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002420; classtype:policy-violation; sid:2002420; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret, Electronic"; flow:to_server,established; content:"Subject|3A|"; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(TT)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002421; classtype:policy-violation; sid:2002421; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret, Electronic"; flow:to_server,established; content:"Subject|3A|"; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(SS)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002422; classtype:policy-violation; sid:2002422; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential REL TO"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002423; classtype:policy-violation; sid:2002423; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret REL TO"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002424; classtype:policy-violation; sid:2002424; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret REL TO"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002425; classtype:policy-violation; sid:2002425; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential COMINT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002426; classtype:policy-violation; sid:2002426; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret COMINT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002427; classtype:policy-violation; sid:2002427; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret COMINT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002428; classtype:policy-violation; sid:2002428; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Unclassified COMSEC"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002429; classtype:policy-violation; sid:2002429; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential COMSEC"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002430; classtype:policy-violation; sid:2002430; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret COMSEC"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002431; classtype:policy-violation; sid:2002431; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret COMSEC"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002432; classtype:policy-violation; sid:2002432; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret IMCON"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*(IMCON|IMC)[\s\w,/-]*(?=//(X1|MR))/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002433; classtype:policy-violation; sid:2002433; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret CNWDI"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(CRITICAL\sNUCLEAR\sWEAPON\sDESIGN\sINFORMATION|CNWDI)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002434; classtype:policy-violation; sid:2002434; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret CNWDI"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*(CRITICAL\sNUCLEAR\sWEAPON\sDESIGN\sINFORMATION|CNWDI)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002435; classtype:policy-violation; sid:2002435; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret TK"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(TALENT\sKEYHOLE|TK)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002436; classtype:policy-violation; sid:2002436; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret TK"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*(TALENT\sKEYHOLE|TK)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002437; classtype:policy-violation; sid:2002437; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US FGI"; flow:to_server,established; content:"Subject|3A|"; pcre:"///FGI[\s\w,/-]*(?=//X5)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002438; classtype:policy-violation; sid:2002438; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US FOUO"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(UNCLASSIFIED|U)//(FOR\sOFFICIAL\sUSE\sONLY|FOUO)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002439; classtype:policy-violation; sid:2002439; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential NOFORN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002440; classtype:policy-violation; sid:2002440; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret NOFORN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002441; classtype:policy-violation; sid:2002441; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret NOFORN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002442; classtype:policy-violation; sid:2002442; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential ORCON"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002443; classtype:policy-violation; sid:2002443; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret ORCON"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002444; classtype:policy-violation; sid:2002444; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret ORCON"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002445; classtype:policy-violation; sid:2002445; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Unclassified PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002446; classtype:policy-violation; sid:2002446; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002447; classtype:policy-violation; sid:2002447; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002448; classtype:policy-violation; sid:2002448; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002449; classtype:policy-violation; sid:2002449; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential RD"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002450; classtype:policy-violation; sid:2002450; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret RD"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002451; classtype:policy-violation; sid:2002451; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret RD"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002452; classtype:policy-violation; sid:2002452; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US SAMI"; flow:to_server,established; content:"Subject|3A|"; pcre:"/SAMI[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002453; classtype:policy-violation; sid:2002453; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential SPECAT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002454; classtype:policy-violation; sid:2002454; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret SPECAT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002455; classtype:policy-violation; sid:2002455; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret SPECAT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002456; classtype:policy-violation; sid:2002456; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret STOP"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*STOP[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002457; classtype:policy-violation; sid:2002457; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Private"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wprivate\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002458; classtype:policy-violation; sid:2002458; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Restricted"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!//)\Wrestricted[^\w/]/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002459; classtype:policy-violation; sid:2002459; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Secret"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP|//)\Wsecret[^\w/a]/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002461; classtype:policy-violation; sid:2002461; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Top Secret"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!//)\Wtop\ssecret[^\w/a]/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002462; classtype:policy-violation; sid:2002462; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Sealed"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wsealed\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002463; classtype:policy-violation; sid:2002463; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Sensitive"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!law\senforcement)\Wsensitive\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002464; classtype:policy-violation; sid:2002464; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Proprietary"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wproprietary\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002465; classtype:policy-violation; sid:2002465; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Protected"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wprotected\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002466; classtype:policy-violation; sid:2002466; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Law Enorcement Sensitive"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wlaw\senforcement\ssensitive\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002467; classtype:policy-violation; sid:2002467; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Internal Use Only"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Winternal\suse\sonly\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002468; classtype:policy-violation; sid:2002468; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Date of Birth"; flow:to_server,established; content:"Subject|3A|"; pcre:"/[^\w&]d(ate)?(-)?o(f)?(-)?b(irth)?\W[\s\w,/-]*(?=([0-9]{2}[-/][0-9]{2}[-/][0-9]{2,4})|[0-9]{8})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002469; classtype:policy-violation; sid:2002469; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP HCPCS Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Whcpcs\W[\s\w,/-]*(?=[a-z][0-9]{10})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002470; classtype:policy-violation; sid:2002470; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP ICD-10 Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wicd\W[\s\w,/-]*(?=[a-z][0-9]{2}\.[0-9]{2})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002471; classtype:policy-violation; sid:2002471; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP FDA NDC Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wndc\W[\s\w,/-]*(?=([0-9]{4}-[0-9]{4}-[0-9]{2}|[0-9]{5}-[0-9]{3}-[0-9]{2}|[0-9]{5}-[0-9]{4}-[0-9]{1,2}))/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002472; classtype:policy-violation; sid:2002472; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP ADA Procedure Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wada\W[\s\w,/-]*(?=d[0-9]{4})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002473; classtype:policy-violation; sid:2002473; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP DSM-IV Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wdsm\W[\s\w,/-]*(?=([2-9][0-9]{2}(\.[0-9]{1,2}?)|(v[167][0-9]\.[0-9]{1,2})))/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002474; classtype:policy-violation; sid:2002474; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP AMA CPT Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wcpt\W[\s\w,/-]*(?=[0-9]{4}[ft]|[0-9]{5})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002475; classtype:policy-violation; sid:2002475; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Credit Card, JCB"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wj(apan\s)?c(redit\s)?b(ureau)?\W[\s\w,/-]*(?=(3[12359][0-9]{14})|(1800|2131)[0-9]{11})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002477; classtype:policy-violation; sid:2002477; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Password"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\W[p][a4@][sz5]{0,2}[w]([o0][r])?[d]\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002483; classtype:policy-violation; sid:2002483; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Appraisal"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wappraisal(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002484; classtype:policy-violation; sid:2002484; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Account Balance"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Waccount\sbalance(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002485; classtype:policy-violation; sid:2002485; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Payment History"; flow:to_server,established; content:"Subject|3A|"; content:"payment history"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002486; classtype:policy-violation; sid:2002486; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Annual Income"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wannual\sincome(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002487; classtype:policy-violation; sid:2002487; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Credit History"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wcredit\shistor(y|ies)\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002488; classtype:policy-violation; sid:2002488; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Transaction History"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wtransaction\shistor(y|ies)\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002489; classtype:policy-violation; sid:2002489; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Customer List"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wcustomer\slist(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002490; classtype:policy-violation; sid:2002490; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Non-US Restricted"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+RESTRICTED//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002495; classtype:policy-violation; sid:2002495; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Non-US Confidential"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+CONFIDENTIAL//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002496; classtype:policy-violation; sid:2002496; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Non-US Top Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+TOP\sSECRET//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002497; classtype:policy-violation; sid:2002497; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Non-US Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+(?<!TOP\s)SECRET//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002498; classtype:policy-violation; sid:2002498; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - NATO Restricted"; flow:to_server,established; pcre:"///((NATO\sRESTRICTED)|NR)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002499; classtype:policy-violation; sid:2002499; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - NATO Confidential Atomal"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL\sATOMAL)|NCA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002500; classtype:policy-violation; sid:2002500; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - NATO Confidential"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL)|NC)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002501; classtype:policy-violation; sid:2002501; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - NATO COSMIC Top Secret Atomal"; flow:to_server,established; pcre:"///((COSMIC\sTOP\sSECRET\sATOMAL)|CTSA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002502; classtype:policy-violation; sid:2002502; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - NATO Secret Atomal"; flow:to_server,established; pcre:"///((NATO\sSECRET\sATOMAL)|NSA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002503; classtype:policy-violation; sid:2002503; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - NATO Secret"; flow:to_server,established; pcre:"///((NATO\sSECRET)|NS)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002504; classtype:policy-violation; sid:2002504; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(CC)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002505; classtype:policy-violation; sid:2002505; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(TT)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002506; classtype:policy-violation; sid:2002506; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Secret, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(SS)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002507; classtype:policy-violation; sid:2002507; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential REL TO"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002508; classtype:policy-violation; sid:2002508; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret REL TO"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002509; classtype:policy-violation; sid:2002509; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Secret REL TO"; flow:to_server,established; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002510; classtype:policy-violation; sid:2002510; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential COMINT"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002511; classtype:policy-violation; sid:2002511; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret COMINT"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002512; classtype:policy-violation; sid:2002512; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Secret COMINT"; flow:to_server,established; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002513; classtype:policy-violation; sid:2002513; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Unclassified COMSEC"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002514; classtype:policy-violation; sid:2002514; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential COMSEC"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002515; classtype:policy-violation; sid:2002515; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret COMSEC"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002516; classtype:policy-violation; sid:2002516; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Secret COMSEC"; flow:to_server,established; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002517; classtype:policy-violation; sid:2002517; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret CNWDI"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(CRITICAL\sNUCLEAR\sWEAPON\sDESIGN\sINFORMATION|CNWDI)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002519; classtype:policy-violation; sid:2002519; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret TK"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(TALENT\sKEYHOLE|TK)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002521; classtype:policy-violation; sid:2002521; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US FGI"; flow:to_server,established; pcre:"///FGI[\s\w,/-]*(?=//X5)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002523; classtype:policy-violation; sid:2002523; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US FOUO"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//(FOR\sOFFICIAL\sUSE\sONLY|FOUO)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002524; classtype:policy-violation; sid:2002524; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential NOFORN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002525; classtype:policy-violation; sid:2002525; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret NOFORN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002526; classtype:policy-violation; sid:2002526; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential ORCON"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002704; classtype:policy-violation; sid:2002704; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret ORCON"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002528; classtype:policy-violation; sid:2002528; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Unclassified PROPIN"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002530; classtype:policy-violation; sid:2002530; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential PROPIN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002531; classtype:policy-violation; sid:2002531; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret PROPIN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002532; classtype:policy-violation; sid:2002532; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential RD"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002534; classtype:policy-violation; sid:2002534; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret RD"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002535; classtype:policy-violation; sid:2002535; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US SAMI"; flow:to_server,established; pcre:"/SAMI[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002537; classtype:policy-violation; sid:2002537; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential SPECAT"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002538; classtype:policy-violation; sid:2002538; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret SPECAT"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002539; classtype:policy-violation; sid:2002539; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret STOP"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*STOP[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002541; classtype:policy-violation; sid:2002541; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Private"; flow:to_server,established; pcre:"/\Wprivate\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002542; classtype:policy-violation; sid:2002542; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Restricted"; flow:to_server,established; pcre:"/(?<!//)\Wrestricted[^\w/]/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002543; classtype:policy-violation; sid:2002543; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Confidential"; flow:to_server,established; pcre:"/(?<!//)\Wconfidential[^\w/]/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002544; classtype:policy-violation; sid:2002544; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Top Secret"; flow:to_server,established; pcre:"/(?<!//)\Wtop\ssecret[^\w/a]/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002546; classtype:policy-violation; sid:2002546; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Sealed"; flow:to_server,established; pcre:"/\Wsealed\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002547; classtype:policy-violation; sid:2002547; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Sensitive"; flow:to_server,established; pcre:"/(?<!law\senforcement)\Wsensitive\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002548; classtype:policy-violation; sid:2002548; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Proprietary"; flow:to_server,established; pcre:"/\Wproprietary\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002549; classtype:policy-violation; sid:2002549; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Protected"; flow:to_server,established; pcre:"/\Wprotected\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002550; classtype:policy-violation; sid:2002550; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Law Enorcement Sensitive"; flow:to_server,established; pcre:"/\Wlaw\senforcement\ssensitive\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002551; classtype:policy-violation; sid:2002551; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Internal Use Only"; flow:to_server,established; pcre:"/\Winternal\suse\sonly\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002552; classtype:policy-violation; sid:2002552; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Date of Birth"; flow:to_server,established; pcre:"/[^\w&]d(ate)?(-)?o(f)?(-)?b(irth)?\W[\s\w,/-]*(?=([0-9]{2}[-/][0-9]{2}[-/][0-9]{2,4})|[0-9]{8})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002553; classtype:policy-violation; sid:2002553; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - HCPCS Code"; flow:to_server,established; pcre:"/\Whcpcs\W[\s\w,/-]*(?=[a-z][0-9]{10})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002554; classtype:policy-violation; sid:2002554; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - ICD-10 Code"; flow:to_server,established; pcre:"/\Wicd\W[\s\w,/-]*(?=[a-z][0-9]{2}\.[0-9]{2})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002555; classtype:policy-violation; sid:2002555; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - FDA NDC Code"; flow:to_server,established; pcre:"/\Wndc\W[\s\w,/-]*(?=([0-9]{4}-[0-9]{4}-[0-9]{2}|[0-9]{5}-[0-9]{3}-[0-9]{2}|[0-9]{5}-[0-9]{4}-[0-9]{1,2}))/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002556; classtype:policy-violation; sid:2002556; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - ADA Procedure Code"; flow:to_server,established; pcre:"/\Wada\W[\s\w,/-]*(?=d[0-9]{4})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002557; classtype:policy-violation; sid:2002557; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - DSM-IV Code"; flow:to_server,established; pcre:"/\Wdsm\W[\s\w,/-]*(?=([2-9][0-9]{2}(\.[0-9]{1,2}?)|(v[167][0-9]\.[0-9]{1,2})))/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002558; classtype:policy-violation; sid:2002558; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - AMA CPT Code"; flow:to_server,established; pcre:"/\Wcpt\W[\s\w,/-]*(?=[0-9]{4}[ft]|[0-9]{5})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002559; classtype:policy-violation; sid:2002559; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Credit Card, JCB"; flow:to_server,established; pcre:"/\Wj(apan\s)?c(redit\s)?b(ureau)?\W[\s\w,/-]*(?=(3[12359][0-9]{14})|(1800|2131)[0-9]{11})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002561; classtype:policy-violation; sid:2002561; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Password"; flow:to_server,established; pcre:"/\W[p][a4@][sz5]{0,2}[w]([o0][r])?[d]\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002567; classtype:policy-violation; sid:2002567; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Appraisal"; flow:to_server,established; pcre:"/\Wappraisal(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002568; classtype:policy-violation; sid:2002568; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Account Balance"; flow:to_server,established; pcre:"/\Waccount\sbalance(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002569; classtype:policy-violation; sid:2002569; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Payment History"; flow:to_server,established; pcre:"/\Wpayment\shistory\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002570; classtype:policy-violation; sid:2002570; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Annual Income"; flow:to_server,established; pcre:"/\Wannual\sincome(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002571; classtype:policy-violation; sid:2002571; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Credit History"; flow:to_server,established; pcre:"/\Wcredit\shistor(y|ies)\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002572; classtype:policy-violation; sid:2002572; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Transaction History"; flow:to_server,established; pcre:"/\Wtransaction\shistor(y|ies)\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002573; classtype:policy-violation; sid:2002573; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Customer List"; flow:to_server,established; pcre:"/\Wcustomer\slist(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002574; classtype:policy-violation; sid:2002574; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Non-US Restricted"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+RESTRICTED//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002575; classtype:policy-violation; sid:2002575; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Non-US Confidential"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+CONFIDENTIAL//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002576; classtype:policy-violation; sid:2002576; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Non-US Top Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+TOP\sSECRET//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002577; classtype:policy-violation; sid:2002577; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Non-US Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+(?<!TOP\s)SECRET//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002578; classtype:policy-violation; sid:2002578; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - NATO Restricted"; flow:to_server,established; pcre:"///((NATO\sRESTRICTED)|NR)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002579; classtype:policy-violation; sid:2002579; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - NATO Confidential Atomal"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL\sATOMAL)|NCA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002580; classtype:policy-violation; sid:2002580; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - NATO Confidential"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL)|NC)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002581; classtype:policy-violation; sid:2002581; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - NATO COSMIC Top Secret Atomal"; flow:to_server,established; pcre:"///((COSMIC\sTOP\sSECRET\sATOMAL)|CTSA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002582; classtype:policy-violation; sid:2002582; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - NATO Secret Atomal"; flow:to_server,established; pcre:"///((NATO\sSECRET\sATOMAL)|NSA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002583; classtype:policy-violation; sid:2002583; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - NATO Secret"; flow:to_server,established; pcre:"///((NATO\sSECRET)|NS)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002584; classtype:policy-violation; sid:2002584; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(CC)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002585; classtype:policy-violation; sid:2002585; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(TT)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002586; classtype:policy-violation; sid:2002586; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Secret, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(SS)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002587; classtype:policy-violation; sid:2002587; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential REL TO"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002588; classtype:policy-violation; sid:2002588; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret REL TO"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002589; classtype:policy-violation; sid:2002589; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential COMINT"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002591; classtype:policy-violation; sid:2002591; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret COMINT"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002592; classtype:policy-violation; sid:2002592; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Secret COMINT"; flow:to_server,established; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002593; classtype:policy-violation; sid:2002593; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Unclassified COMSEC"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002594; classtype:policy-violation; sid:2002594; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential COMSEC"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002595; classtype:policy-violation; sid:2002595; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret COMSEC"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002596; classtype:policy-violation; sid:2002596; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret CNWDI"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(CRITICAL\sNUCLEAR\sWEAPON\sDESIGN\sINFORMATION|CNWDI)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002599; classtype:policy-violation; sid:2002599; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret TK"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(TALENT\sKEYHOLE|TK)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002601; classtype:policy-violation; sid:2002601; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Secret TK"; flow:to_server,established; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*(TALENT\sKEYHOLE|TK)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002602; classtype:policy-violation; sid:2002602; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US FGI"; flow:to_server,established; pcre:"///FGI[\s\w,/-]*(?=//X5)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002603; classtype:policy-violation; sid:2002603; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US FOUO"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//(FOR\sOFFICIAL\sUSE\sONLY|FOUO)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002604; classtype:policy-violation; sid:2002604; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential NOFORN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002605; classtype:policy-violation; sid:2002605; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret NOFORN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002606; classtype:policy-violation; sid:2002606; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Secret NOFORN"; flow:to_server,established; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002607; classtype:policy-violation; sid:2002607; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential ORCON"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002608; classtype:policy-violation; sid:2002608; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret ORCON"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002609; classtype:policy-violation; sid:2002609; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Secret ORCON"; flow:to_server,established; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002610; classtype:policy-violation; sid:2002610; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Unclassified PROPIN"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002611; classtype:policy-violation; sid:2002611; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential PROPIN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002612; classtype:policy-violation; sid:2002612; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret PROPIN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002613; classtype:policy-violation; sid:2002613; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential RD"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002615; classtype:policy-violation; sid:2002615; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret RD"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002616; classtype:policy-violation; sid:2002616; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US SAMI"; flow:to_server,established; pcre:"/SAMI[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002618; classtype:policy-violation; sid:2002618; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential SPECAT"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002619; classtype:policy-violation; sid:2002619; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret SPECAT"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002620; classtype:policy-violation; sid:2002620; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Secret SPECAT"; flow:to_server,established; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002621; classtype:policy-violation; sid:2002621; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret STOP"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*STOP[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/2002622; classtype:policy-violation; sid:2002622; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Private"; flow:to_server,established; pcre:"/\Wprivate\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/2002623; classtype:policy-violation; sid:2002623; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Restricted"; flow:to_server,established; pcre:"/(?<!//)\Wrestricted[^\w/]/ism"; reference:url,doc.emergingthreats.net/2002624; classtype:policy-violation; sid:2002624; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Confidential"; flow:to_server,established; pcre:"/(?<!//)\Wconfidential[^\w/]/ism"; reference:url,doc.emergingthreats.net/2002625; classtype:policy-violation; sid:2002625; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Secret"; flow:to_server,established; pcre:"/(?<!TOP|//)\Wsecret[^\w/a]/ism"; reference:url,doc.emergingthreats.net/2002626; classtype:policy-violation; sid:2002626; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Top Secret"; flow:to_server,established; pcre:"/(?<!//)\Wtop\ssecret[^\w/a]/ism"; reference:url,doc.emergingthreats.net/2002627; classtype:policy-violation; sid:2002627; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Sealed"; flow:to_server,established; pcre:"/\Wsealed\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/2002628; classtype:policy-violation; sid:2002628; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Sensitive"; flow:to_server,established; pcre:"/(?<!law\senforcement)\Wsensitive\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/2002629; classtype:policy-violation; sid:2002629; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Proprietary"; flow:to_server,established; pcre:"/\Wproprietary\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/2002630; classtype:policy-violation; sid:2002630; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Protected"; flow:to_server,established; pcre:"/\Wprotected\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/2002631; classtype:policy-violation; sid:2002631; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Law Enorcement Sensitive"; flow:to_server,established; pcre:"/\Wlaw\senforcement\ssensitive\W/ism"; reference:url,doc.emergingthreats.net/2002632; classtype:policy-violation; sid:2002632; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Internal Use Only"; flow:to_server,established; pcre:"/\Winternal\suse\sonly\W/ism"; reference:url,doc.emergingthreats.net/2002633; classtype:policy-violation; sid:2002633; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Date of Birth"; flow:to_server,established; pcre:"/[^\w&]d(ate)?(-)?o(f)?(-)?b(irth)?\W[\s\w,/-]*(?=([0-9]{2}[-/][0-9]{2}[-/][0-9]{2,4})|[0-9]{8})/ism"; reference:url,doc.emergingthreats.net/2002634; classtype:policy-violation; sid:2002634; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - HCPCS Code"; flow:to_server,established; pcre:"/\Whcpcs\W[\s\w,/-]*(?=[a-z][0-9]{10})/ism"; reference:url,doc.emergingthreats.net/2002635; classtype:policy-violation; sid:2002635; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - ICD-10 Code"; flow:to_server,established; pcre:"/\Wicd\W[\s\w,/-]*(?=[a-z][0-9]{2}\.[0-9]{2})/ism"; reference:url,doc.emergingthreats.net/2002636; classtype:policy-violation; sid:2002636; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - FDA NDC Code"; flow:to_server,established; pcre:"/\Wndc\W[\s\w,/-]*(?=([0-9]{4}-[0-9]{4}-[0-9]{2}|[0-9]{5}-[0-9]{3}-[0-9]{2}|[0-9]{5}-[0-9]{4}-[0-9]{1,2}))/ism"; reference:url,doc.emergingthreats.net/2002637; classtype:policy-violation; sid:2002637; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - ADA Procedure Code"; flow:to_server,established; pcre:"/\Wada\W[\s\w,/-]*(?=d[0-9]{4})/ism"; reference:url,doc.emergingthreats.net/2002638; classtype:policy-violation; sid:2002638; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - DSM-IV Code"; flow:to_server,established; pcre:"/\Wdsm\W[\s\w,/-]*(?=([2-9][0-9]{2}(\.[0-9]{1,2}?)|(v[167][0-9]\.[0-9]{1,2})))/ism"; reference:url,doc.emergingthreats.net/2002639; classtype:policy-violation; sid:2002639; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - AMA CPT Code"; flow:to_server,established; pcre:"/\Wcpt\W[\s\w,/-]*(?=[0-9]{4}[ft]|[0-9]{5})/ism"; reference:url,doc.emergingthreats.net/2002640; classtype:policy-violation; sid:2002640; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Credit Card, JCB"; flow:to_server,established; pcre:"/\Wj(apan\s)?c(redit\s)?b(ureau)?\W[\s\w,/-]*(?=(3[12359][0-9]{14})|(1800|2131)[0-9]{11})/ism"; reference:url,doc.emergingthreats.net/2002642; classtype:policy-violation; sid:2002642; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Password"; flow:to_server,established; pcre:"/\W[p][a4@][sz5]{0,2}[w]([o0][r])?[d]\W/ism"; reference:url,doc.emergingthreats.net/2002648; classtype:policy-violation; sid:2002648; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Appraisal"; flow:to_server,established; pcre:"/\Wappraisal(s)?\W/ism"; reference:url,doc.emergingthreats.net/2002649; classtype:policy-violation; sid:2002649; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Account Balance"; flow:to_server,established; pcre:"/\Waccount\sbalance(s)?\W/ism"; reference:url,doc.emergingthreats.net/2002650; classtype:policy-violation; sid:2002650; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Payment History"; flow:to_server,established; pcre:"/\Wpayment\shistory\W/ism"; reference:url,doc.emergingthreats.net/2002651; classtype:policy-violation; sid:2002651; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Annual Income"; flow:to_server,established; pcre:"/\Wannual\sincome(s)?\W/ism"; reference:url,doc.emergingthreats.net/2002652; classtype:policy-violation; sid:2002652; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Credit History"; flow:to_server,established; pcre:"/\Wcredit\shistor(y|ies)\W/ism"; reference:url,doc.emergingthreats.net/2002653; classtype:policy-violation; sid:2002653; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Transaction History"; flow:to_server,established; pcre:"/\Wtransaction\shistor(y|ies)\W/ism"; reference:url,doc.emergingthreats.net/2002654; classtype:policy-violation; sid:2002654; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Customer List"; flow:to_server,established; pcre:"/\Wcustomer\slist(s)?\W/ism"; reference:url,doc.emergingthreats.net/2002655; classtype:policy-violation; sid:2002655; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Megaupload file download service access"; flow:to_server,established; content:"GET"; http_method; content:"Host|3a| "; http_header; content:"megaupload.com"; http_header; nocase; reference:url,doc.emergingthreats.net/2009301; classtype:policy-violation; sid:2009301; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Set flow on bmp file get"; flow:established,to_server; content:"GET"; http_method; content:".bmp"; http_uri; content:".bmp HTTP/1."; flowbits:set,ET.bmp_seen; flowbits:noalert; reference:url,doc.emergingthreats.net/2009083; classtype:not-suspicious; sid:2009083; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible Trojan File Download - BMP Requested but not received"; flow:established,from_server; flowbits:isset,ET.bmp_seen; flowbits:unset,ET.bmp_seen; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"Content-Type|3a| application|2f|octet-stream"; http_header; content:!"BM"; content:!"|00 00 00 00|"; within:4; reference:url,doc.emergingthreats.net/2009084; classtype:trojan-activity; sid:2009084; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED offers.e-centives.com Coupon Printer"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; YourApp\; AK\; Windows 95)|0d 0a|"; nocase; reference:url,offers.e-centives.com; reference:url,doc.emergingthreats.net/2010338; classtype:policy-violation; sid:2010338; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> [69.63.176.0/20,69.63.176.0/20,204.15.20.0/22] $HTTP_PORTS (msg:"ET DELETED facebook activity"; flow:established,to_server; threshold: type both, track by_dst, count 2, seconds 120; reference:url,compnetworking.about.com/od/traceipaddresses/f/facebook-ip-address.htm; reference:url,doc.emergingthreats.net/2010952; classtype:policy-violation; sid:2010952; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible docs.google.com Activity"; flow:established,to_server; content:"WRITELY_SID"; nocase; reference:url,docs.google.com; reference:url,doc.emergingthreats.net/2003122; classtype:policy-violation; sid:2003122; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> 66.151.158.177 any (msg:"ET DELETED GotoMyPC Polling Client"; flow: established; threshold: type limit, track by_src, count 1, seconds 360; reference:url,doc.emergingthreats.net/2000309; classtype:policy-violation; sid:2000309; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp 66.151.158.177 8200 -> $HOME_NET any (msg:"ET DELETED GotoMyPC poll.gotomypc.com Server Response to Polling Client OK"; flow: established,from_server; content:"cnt=0"; nocase; depth: 40; content:"eventid="; nocase; depth: 40; threshold: type limit, track by_src, count 1, seconds 360; reference:url,doc.emergingthreats.net/2002022; classtype:policy-violation; sid:2002022; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any <> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Gmail gtalk"; flow:established; pcre:"/\[\[\d{1,3}\,\[\\\"\w\\\"\,\\\".+@gmail.com.+\\\"\,\\\"/i"; reference:url,doc.emergingthreats.net/2003092; classtype:policy-violation; sid:2003092; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Hotmail Compose Message Submit"; flow:to_server,established; content:"POST"; http_method; content:"mail.live.com"; nocase; http_header; content:"SendMessageLight.aspx"; http_uri; reference:url,doc.emergingthreats.net/2008241; classtype:policy-violation; sid:2008241; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MSN Game Loading"; flow:established,to_server; content:"|6D 73 6E 67 61 6D 65 2E 61 73 70 78|"; depth:90; reference:url,doc.emergingthreats.net/2002312; classtype:policy-violation; sid:2002312; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MSN User-Agent Activity"; flow:established,to_server; content:"User-Agent|3a| MSMSGS"; http_header; nocase; reference:url,www.hypothetic.org/docs/msn/general/http_examples.php; reference:url,doc.emergingthreats.net/2009376; classtype:policy-violation; sid:2009376; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"ET DELETED Yahoo IM successful logon"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 01|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001253; classtype:policy-violation; sid:2001253; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Yahoo IM successful chat join"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 98|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001261; classtype:policy-violation; sid:2001261; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"ET DELETED Yahoo Chat Signin Inside Webmail"; flow:established,to_server; content:"content-length|3a|"; nocase; depth:15; content:"<Ymsg Command=|22|550|22|"; nocase; reference:url,yahoo.com; reference:url,doc.emergingthreats.net/2007066; classtype:policy-violation; sid:2007066; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"ET DELETED Yahoo Chat Signin Success Inside Webmail"; flow:established,to_server; content:"content-length|3a|"; nocase; depth:15; content:"<Ymsg Command=|22|85|22|"; nocase; reference:url,yahoo.com; reference:url,doc.emergingthreats.net/2007067; classtype:policy-violation; sid:2007067; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 5050 <> $HOME_NET any (msg:"ET DELETED Yahoo Chat Activity Inside Webmail"; flow:established,to_server; content:"content-length|3a|"; nocase; depth:15; content:"<Ymsg Command=|22|"; nocase; reference:url,yahoo.com; reference:url,doc.emergingthreats.net/2007068; classtype:policy-violation; sid:2007068; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 5050 <> $HOME_NET any (msg:"ET DELETED Yahoo Chat Activity Inside Webmail (2)"; flow:established,to_server; content:"<Ymsg Command=|22|"; depth:15; nocase; reference:url,yahoo.com; reference:url,doc.emergingthreats.net/2007069; classtype:policy-violation; sid:2007069; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET DELETED Possible Image Spam Inbound (simple rule)"; flow:established,to_server; content:"Content-Transfer-Encoding|3A|"; content:"AMAgAOAgAABAACBAAEBAAGBAAIBAAKBAAMBAAOBAAABgACBgAEBgAGBgAIBgAKBgAMBgAOBg"; depth:575; content:"AACAACCAAECAAGCAAICAAKCAAMCAAOCAAACgACCgAECgAGCgAICgAKCgAMCgAOCgAADAACDA"; content:"AEDAAGDAAIDAAKDAAMDAAODAAADgACDgAEDgAGDgAIDgAKDgAMDgAODgAAAAQCAAQEAAQGAA"; reference:url,doc.emergingthreats.net/2003096; classtype:misc-activity; sid:2003096; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET DELETED Possible Image Spam Inbound (complex rule)"; flow:established,to_server; content:"Content-Transfer-Encoding|3A|"; content:"AMAgAOAgAABAACBAAEBAAGBAAIBAAKBAAMBAAOBAAABgACBgAEBgAGBgAIBgAKBgAMBgAOBg"; depth:575; content:"AACAACCAAECAAGCAAICAAKCAAMCAAOCAAACgACCgAECgAGCgAICgAKCgAMCgAOCgAADAACDA"; content:"AEDAAGDAAIDAAKDAAMDAAODAAADgACDgAEDgAGDgAIDgAKDgAMDgAODgAAAAQCAAQEAAQGAA"; content:"QIAAQKAAQMAAQOAAQAAgQCAgQEAgQGAgQIAgQKAgQMAgQOAgQABAQCBAQEBAQGBAQIBAQKBA"; content:"QMBAQOBAQABgQCBgQEBgQGBgQIBgQKBgQMBgQOBgQACAQCCAQECAQGCAQICAQKCAQMCAQOCA"; content:"QACgQCCgQECgQGCgQICgQKCgQMCgQOCgQADAQCDAQEDAQGDAQIDAQKDAQMDAQODAQADgQCDg"; content:"QEDgQGDgQIDgQKDgQMDgQODgQAAAgCAAgEAAgGAAgIAAgKAAgMAAgOAAgAAggCAggEAggGAg"; content:"gIAggKAggMAggOAggABAgCBAgEBAgGBAgIBAgKBAgMBAgOBAgABggCBggEBggGBggIBggKBg"; content:"gMBggOBggACAgCCAgECAgGCAgICAgKCAgMCAgOCAgACggCCggECggGCggICggKCggMCggOCg"; content:"gADAgCDAgEDAgGDAgIDAgKDAgMDAgODAgADggCDggEDggGDggIDggKDggMDggODggAAAwCAA"; content:"wEAAwGAAwIAAwKAAwMAAwOAAwAAgwCAgwEAgwGAgwIAgwKAgwMAgwOAgwABAwCBAwEBAwGBA"; content:"wIBAwKBAwMBAwOBAwABgwCBgwEBgwGBgwIBgwKBgwMBgwOBgwACAwCCAwECAwGCAwICAwKCA"; content:"wMCAwOCAwACgwCCgwECgwGCgwICgwKCgwMCgwOCgwADAwCDAwEDAwGDAwIDAwKDAwP/78KCg"; reference:url,doc.emergingthreats.net/2003097; classtype:misc-activity; sid:2003097; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET DELETED Possible Image Spam Inbound (3)"; flow:established,to_server; content:"Content-Transfer-Encoding|3A|"; content:"R0lGODlh"; depth:575; content:"AOAgAABAACBAAEBAAGBAAIBAAKBAAMBAAOBAAABgACBgAEBgAGBgAIBgAKBgAMBgAOBgAACAACCA"; content:"AECAAGCAAICAAKCAAMCAAOCAAACgACCgAECgAGCgAICgAKCgAMCgAOCgAADAACDAAEDAAGDAAIDA"; reference:url,doc.emergingthreats.net/2003120; classtype:misc-activity; sid:2003120; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED KitCo Kcast Ticker (agtray)"; flow: to_server,established; uricontent:"/pr/agtray.txt"; nocase; reference:url,doc.emergingthreats.net/2000569; classtype:policy-violation; sid:2000569; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED KitCo Kcast Ticker (autray)"; flow: to_server,established; uricontent:"/pr/autray.txt"; nocase; reference:url,doc.emergingthreats.net/2000570; classtype:policy-violation; sid:2000570; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Majestic-12 Spider Bot User-Agent (MJ12bot)"; flow:to_server,established; content:"User-Agent|3a| MJ12bot"; http_header; reference:url,www.majestic12.co.uk/; reference:url,doc.emergingthreats.net/2003409; classtype:trojan-activity; sid:2003409; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Majestic-12 Spider Bot User-Agent Inbound (MJ12bot)"; flow:to_server,established; content:"User-Agent|3a| MJ12bot"; http_header; reference:url,www.majestic12.co.uk/; reference:url,doc.emergingthreats.net/2007762; classtype:trojan-activity; sid:2007762; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Metacafe.com family filter off"; flow:established,to_server; content:"POST"; http_method; content:"Host|3a| www.metacafe.com"; http_header; fast_pattern:6,16; content:"submit=Continue+-+I%27m+over+18"; reference:url,doc.emergingthreats.net/2006367; classtype:policy-violation; sid:2006367; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Rapidshare download unauthd image post"; flow:to_server,established; content:"POST"; http_method; content:"/files/"; nocase; http_uri; content:"Host|3a|"; nocase; http_header; content:"rapidshare.com"; nocase; http_header; content:"&accesscode="; nocase; content:"&actionstring=Download"; nocase; within:50; reference:url,en.wikipedia.org/wiki/RapidShare; reference:url,doc.emergingthreats.net/2006368; classtype:policy-violation; sid:2006368; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Metasploit Framework Update"; flow:from_server,established; content:"http|3A|//certificates.godaddy.com/repository"; content: "metasploit.com"; fast_pattern; distance:0; reference:url,www.metasploit.com/framework/; reference:url,www.ethicalhacker.net/content/view/29/24/; reference:url,doc.emergingthreats.net/2008418; classtype:misc-activity; sid:2008418; rev:5; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> 76.74.9.18 $HTTP_PORTS (msg:"ET DELETED Milw0rm Exploit Archive Download"; content:"GET /sploits/milw0rm.tar.bz2"; depth:60; flow:to_server,established; reference:url,www.milw0rm.com; reference:url,doc.emergingthreats.net/2008524; classtype:misc-activity; sid:2008524; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> 76.74.9.19 $HTTP_PORTS (msg:"ET DELETED Packetstormsecurity Exploits Of The Month Download"; content:"GET /"; uricontent:"-exploits.tgz"; depth:70; flow:to_server,established; reference:url,www.packetstormsecurity.org; reference:url,doc.emergingthreats.net/2008525; classtype:misc-activity; sid:2008525; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> 76.74.9.18 $HTTP_PORTS (msg:"ET DELETED Milw0rm Exploit Launch Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/exploit.php?id="; nocase; reference:url,www.milw0rm.com; reference:url,doc.emergingthreats.net/2009586; classtype:misc-activity; sid:2009586; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Netvacy.com Anonymizing Proxy Access"; flow:established,to_server; content:"Host|3a| www.netvacy.com"; http_header; reference:url,doc.emergingthreats.net/2003453; classtype:policy-violation; sid:2003453; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Nginx Server in use - Often Hostile Traffic"; flow:established,from_server; content:"Server|3a| nginx"; nocase; http_header; threshold:type limit, seconds 60, count 3, track by_src; reference:url,doc.emergingthreats.net/2008054; classtype:bad-unknown; sid:2008054; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Nginx Server with no version string - Often Hostile Traffic"; flow:established,from_server; content:"Server|3a| nginx|0d 0a|"; nocase; http_header; threshold:type limit, seconds 60, count 3, track by_src; reference:url,doc.emergingthreats.net/2008064; classtype:bad-unknown; sid:2008064; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Nginx Server with modified version string - Often Hostile Traffic"; flow:established,from_server; content:"HTTP/1."; depth:7; content:"Server|3a| nginx/"; nocase; http_header; pcre:"/Server\: nginx/[a-zA-Z]/i"; threshold:type limit, seconds 60, count 3, track by_src; reference:url,doc.emergingthreats.net/2008065; classtype:bad-unknown; sid:2008065; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> any !$HTTP_PORTS (msg:"ET DELETED PCMesh Anonymous Proxy client connect"; flow: from_client,established; content:"http|3a|//www.pcmesh.com|3a|80/ip-check.cgi"; depth:37; offset:4; reference:url,doc.emergingthreats.net/2003040; classtype:policy-violation; sid:2003040; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> any !$HTTP_PORTS (msg:"ET DELETED Anonymous Proxy Traffic from Inside"; flow: from_client,established; flags:*AP,12; content:"GET http|3a|//"; depth:11; content:"HTTP/1.0"; within:50; reference:url,doc.emergingthreats.net/2003069; classtype:policy-violation; sid:2003069; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Hex Obfuscated arguments.callee Javascript Method in PDF Possibly Hostile PDF"; flow:established,to_client; content:"PDF-"; depth:300; content:"|61|"; distance:0; content:"|72|"; distance:1; within:2; content:"|67|"; distance:1; within:2; content:"|75|"; distance:1; within:2; content:"|6d|"; distance:1; within:2; content:"|65|"; distance:1; within:2; content:"|6e|"; distance:1; within:2; content:"|74|"; distance:1; within:2; content:"|73|"; distance:1; within:2; content:"|2e|"; distance:1; within:2; content:"|63|"; distance:1; within:2; content:"|61|"; distance:1; within:2; content:"|6c|"; distance:1; within:2; content:"|6c|"; distance:1; within:2; content:"|65|"; distance:1; within:2; content:"|65|"; distance:1; within:2; reference:url,doc.emergingthreats.net/2010879; classtype:misc-activity; sid:2010879; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible Hex Obfuscation of Javascript Declaration Within PDF File - Likely Hostile"; flow:established,to_client; content:"PDF-"; depth:300; content:"|2f|"; distance:0; content:"|4a|"; distance:1; within:2; content:"|61|"; distance:1; within:2; content:"|76|"; distance:1; within:2; content:"|61|"; distance:1; within:2; content:"|73|"; distance:1; within:2; content:"|63|"; distance:1; within:2; content:"|72|"; distance:1; within:2; content:"|69|"; content:"|70|"; distance:1; within:2; content:"|74|"; distance:1; within:2; reference:url,doc.emergingthreats.net/2010880; classtype:misc-activity; sid:2010880; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED .pdf File Possibly Containing Basic Hex Obfuscation"; flow:established,from_server; content:"PDF-"; depth:300; pcre:"/PDF-.+[0-9,A-F][0-9,A-F].[0-9,A-F][0-9,A-F].[0-9,A-F][0-9,A-F].[0-9,A-F][0-9,A-F].[0-9,A-F][0-9,A-F].[0-9,A-F][0-9,A-F]/si"; reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,doc.emergingthreats.net/2010884; classtype:misc-activity; sid:2010884; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED PHP Anonymizing/Evasion Proxy In Use"; flow: to_server,established; content:"GET"; http_method; content:"/index.php?q="; nocase; http_uri; pcre:"/index\.php\?q=(uggc|jjj|http|www|aHR0c|d3d3)/Ui"; reference:url,sourceforge.net/projects/php-proxy/; reference:url,doc.emergingthreats.net/2006410; classtype:policy-violation; sid:2006410; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Prospero Chat Session in Progress"; flow: established,to_server; content:"PCHAT2 "; offset: 0; depth: 7; content:"v='"; nocase; offset: 8; depth: 400; content:"jv='"; nocase; offset: 8; depth: 400; content:"u='"; nocase; offset: 8; depth: 400; reference:url,www.prospero.com/technology.htm; reference:url,doc.emergingthreats.net/2001989; classtype:policy-violation; sid:2001989; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Set flow on rar file get"; flow:established,to_server; content:"GET"; http_method; content:".rar"; http_uri; content:".rar HTTP/1."; flowbits:set,ET.rar_seen; flowbits:noalert; reference:url,doc.emergingthreats.net/2008781; classtype:trojan-activity; sid:2008781; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible Trojan File Download - Rar Requested but not received"; flow:established,from_server; flowbits:isset,ET.rar_seen; flowbits:unset,ET.rar_seen; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:!"|0d 0a 0d 0a 52 61 72 21 1A 07|"; depth:300; reference:url, www.win-rar.com/index.php?id=24&kb=1&kb_article_id=162; reference:url,doc.emergingthreats.net/2008783; classtype:trojan-activity; sid:2008783; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Real.com Game Arcade Install (User agent)"; flow: established,to_server; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+ARCADE_BUNDLE_DOWNLOADER/i"; reference:url,doc.emergingthreats.net/2003045; classtype:policy-violation; sid:2003045; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Real.com Game Arcade Install"; flow: established,to_server; content:"/gameconsole/bundlescripts/"; reference:url,doc.emergingthreats.net/2003046; classtype:policy-violation; sid:2003046; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET DELETED TLS/SSL Server Hello Done on Unusual Port"; flowbits:isset,BS.SSL.Server.Key; flow:established; content:"|16 03 01|"; content:"|0e|"; within:6; flowbits:set,BS.SSL.Server.Hello.Done; flowbits:noalert; reference:url,doc.emergingthreats.net/2003016; classtype:unusual-client-port-connection; sid:2003016; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET DELETED TLS/SSL Server Hello Done on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Server.Key; flow:established; content:"|16 03 00|"; content:"|0e|"; within:6; flowbits:set,BS.SSL.Server.Hello.Done; flowbits:noalert; reference:url,doc.emergingthreats.net/2003017; classtype:unusual-client-port-connection; sid:2003017; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Skype VOIP Reporting Install"; flow: to_server,established; content:"/ui/"; nocase; http_uri; content:"/installed"; http_uri; nocase; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; reference:url,doc.emergingthreats.net/2001596; classtype:policy-violation; sid:2001596; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Likely Binary in HTTP by Type Flowbit"; flow:established,from_server; content:"HTTP/1"; depth:6; content:"Content-Type|3a| application/"; nocase; http_header; metadata: former_category INFO; reference:url,doc.emergingthreats.net/2007670; classtype:not-suspicious; sid:2007670; rev:9; metadata:created_at 2010_07_30, updated_at 2017_11_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 3000:8000 (msg:"ET DELETED Unknown Trojan P2P Download Request"; flow:established,to_server; dsize:<100; content:"|00 00 00 00|"; depth:5; offset:1; content:"|00 01 01 00 00 08 00 00|"; distance:1; within:9; threshold: type both, count 5, seconds 120, track by_src; reference:url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/; reference:url,doc.emergingthreats.net/2008771; classtype:trojan-activity; sid:2008771; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 3000:8000 -> $HOME_NET any (msg:"ET DELETED Unknown Trojan P2P Data Download"; flow:established,from_server; dsize:>1000; content:"|00 00 00|"; depth:5; offset:2; content:"|00 01 01 00 00 05 00 00|"; distance:1; within:9; threshold: type both, count 5, seconds 120, track by_dst; reference:url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/; reference:url,doc.emergingthreats.net/2008770; classtype:trojan-activity; sid:2008770; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 3000:8000 (msg:"ET DELETED Unknown Trojan P2P Request"; flow:established,to_server; dsize:<60; content:"|00 00 00 00|"; depth:5; offset:1; content:"|00 01 01 00 00 03 00 00|"; distance:1; within:9; threshold: type both, count 5, seconds 120, track by_src; reference:url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/; reference:url,doc.emergingthreats.net/2008772; classtype:trojan-activity; sid:2008772; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Twitter Status Update"; flow:to_server,established; content:"POST"; http_method; content:"/status/update"; http_uri; content:"twitter.com"; nocase; content:"authenticity_token="; nocase; content:"status="; nocase; reference:url,twitter.com; reference:url,doc.emergingthreats.net/2010797; classtype:policy-violation; sid:2010797; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED Possible External Ultrasurf Anonymizer DNS Query"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; threshold:type limit, track by_src,count 1, seconds 60; reference:url,doc.emergingthreats.net/2008533; classtype:policy-violation; sid:2008533; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> [208.8.81.0/24,64.68.96.0/19] 443 (msg:"ET DELETED MyWebEx Server Traffic"; flow: to_server,established; dsize: <50; content:"|17|"; offset: 0; depth: 1; threshold: type limit,track by_src, count 1, seconds 360; reference:url,www.mywebexpc.com; reference:url,doc.emergingthreats.net/2001712; classtype:policy-violation; sid:2001712; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> [208.8.81.0/24,64.68.96.0/19] $HTTP_PORTS (msg:"ET DELETED MyWebEx Installation"; flow: to_server,established; content:"/pc/r.php?AT=RS"; nocase; threshold: type limit, track by_src, count 1, seconds 30; reference:url,www.mywebexpc.com; reference:url,doc.emergingthreats.net/2001713; classtype:policy-violation; sid:2001713; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp [208.8.81.0/24,64.68.96.0/19] 443 -> $HOME_NET any (msg:"ET DELETED MyWebEx Incoming Connection"; flow: to_client,established; content:"|16 03|"; offset: 0; depth: 2; content:"Comodo"; nocase; depth: 240; content:"accessanywhere.com"; nocase; offset: 592; depth: 48; reference:url,www.mywebexpc.com; reference:url,doc.emergingthreats.net/2001714; classtype:policy-violation; sid:2001714; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED WebshotsNetClient"; flow: to_server,established; content:"WebshotsNetClient"; http_header; nocase;  reference:url,www.webshots.com; reference:url,doc.emergingthreats.net/2002407; classtype:policy-violation; sid:2002407; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Yahoo Mail Inbox View"; flow:to_server,established; content:"/ym/ShowFolder"; http_uri; nocase; content:"rb=Inbox"; nocase; reference:url,doc.emergingthreats.net/2000041; classtype:policy-violation; sid:2000041; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Yahoo Mail Message View"; flow:to_server,established; content:"/ym/ShowLetter"; nocase; http_uri; content:"MsgId"; nocase; reference:url,doc.emergingthreats.net/2000042; classtype:policy-violation; sid:2000042; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Yahoo Mail Message Compose Open"; flow:to_server,established; content:"/ym/Compose"; http_uri; nocase; reference:url,doc.emergingthreats.net/2000043; classtype:policy-violation; sid:2000043; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Yahoo Mail Message Send Info Capture"; flow: to_server,established; content:"crumb="; nocase; content:"Subject="; nocase; reference:url,doc.emergingthreats.net/2000045; classtype:policy-violation; sid:2000045; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Gmail Inbox Access"; flow:to_server,established; content:"/gmail?view=tl&search=inbox&start="; http_uri; nocase; reference:url,doc.emergingthreats.net/2001424; classtype:policy-violation; sid:2001424; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Gmail File Send"; flow:to_server,established; content:"Content-Disposition|3a| form-data|3b| name=|22|msgbody|22|"; nocase; http_client_body; content:"name=|22|form-data|3b| file0|22 3b| filename=|22|"; nocase; http_client_body; reference:url,doc.emergingthreats.net/2001425; classtype:policy-violation; sid:2001425; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Gmail Message Send"; flow: to_server,established; content:"Content-Disposition|3A| form-data|3b| name=|22|to|22|"; nocase; http_header; content:"Content-Disposition|3A| form-data|3b| name=|22|msgbody|22|"; nocase; http_header; reference:url,doc.emergingthreats.net/2001426; classtype:policy-violation; sid:2001426; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious Microsoft Windows NT 6.1 User-Agent Detected"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| "; nocase; http_header; content:"|3b 20|Windows NT 6.1|3b 20|"; http_header; threshold:type limit, track by_src, seconds 60, count 1; reference:url,www.microsoft.com/windows/windows-7/default.aspx; reference:url,doc.emergingthreats.net/2010228; classtype:policy-violation; sid:2010228; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET DELETED Cisco Torch SNMP Scan"; content:"public"; content:"|30 0C 06 08 2B 06 01 02 01 01 01 00 05 00|"; fast_pattern:only; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008597; classtype:attempted-recon; sid:2008597; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Crewbox Proxy Scan"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"crewbox.by.ru/crew/"; nocase; http_uri; reference:url,doc.emergingthreats.net/2003156; classtype:attempted-recon; sid:2003156; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED F5 BIG-IP 3DNS TCP Probe 1"; id: 1; dsize: 24; flags: S,12; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; window: 2048; reference:url,www.f5.com/f5products/v9intro/index.html; reference:url,doc.emergingthreats.net/2001609; classtype:misc-activity; sid:2001609; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED F5 BIG-IP 3DNS TCP Probe 2"; id: 2; dsize: 24; flags: S,12; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; window: 2048; reference:url,www.f5.com/f5products/v9intro/index.html; reference:url,doc.emergingthreats.net/2001610; classtype:misc-activity; sid:2001610; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED F5 BIG-IP 3DNS TCP Probe 3"; id: 3; dsize: 24; flags: S,12; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; window: 2048; reference:url,www.f5.com/f5products/v9intro/index.html; reference:url,doc.emergingthreats.net/2001611; classtype:misc-activity; sid:2001611; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Halberd Load Balanced Webserver Detection Scan"; flow:to_server,established; content:"Pragma|3a| no-cache"; http_header; content:"Firefox/1.0.3"; http_header; fast_pattern; offset:40; depth:40; threshold: type threshold, track by_src, count 40, seconds 15; reference:url,www.halberd.superadditive.com; reference:url,doc.emergingthreats.net/2008536; classtype:attempted-recon; sid:2008536; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED OWASP Joomla Vulnerability Scanner Detected"; flow:established,to_server; content:"HEAD"; http_method; content:"/joomla/"; fast_pattern; content:"User-Agent|3a| Mozilla/5.0 (Windows\; U\; Windows NT 5.2\; en-US\; rv|3a|1.9.0.3) Gecko/2008092417 Firefox/3.0.3"; pcre:"/(/joomla/admin|/joomla/administrator|/joomla/manage|/joomla/administration)/U"; threshold: type threshold, track by_dst, count 4, seconds 15; reference:url,www.owasp.org/index.php/Category%3aOWASP_Joomla_Vulnerability_Scanner_Project; reference:url,doc.emergingthreats.net/2009837; classtype:attempted-recon; sid:2009837; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED SQLCheck Database Scan Detected"; flow:to_server,established; content:"%20FROM%20customers"; fast_pattern:only; content:"User-Agent|3a| Lynx/2.8.6rel.4 libwww-FM/2.14"; http_header; threshold: type threshold, track by_dst, count 10, seconds 20; reference:url,wiki.remote-exploit.org/backtrack/wiki/SQLcheck; reference:url,doc.emergingthreats.net/2009478; classtype:attempted-recon; sid:2009478; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET DELETED LibSSH Based SSH Connection - Often used as a BruteForce Tool"; flow:established,to_server; content:"SSH-"; content:"libssh"; within:20; threshold: type limit, track by_src, count 1, seconds 30; reference:url,doc.emergingthreats.net/2006435; classtype:misc-activity; sid:2006435; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET DELETED Tomcat Successful default credential login from external source"; flow:from_server,established; content:"HTTP/1."; depth:7; content:"200"; http_stat_code; content:"OK"; http_stat_msg; reference:url,tomcat.apache.org; classtype:successful-admin; sid:2009219; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Alexa Search Toolbar User-Agent (Alexa Toolbar)"; flow: to_server,established; content:" Alexa Toolbar|3b|"; http_header; reference:url,www.spywareguide.com/product_show.php?id=418; reference:url,doc.emergingthreats.net/2002166; classtype:trojan-activity; sid:2002166; rev:18; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Altnet PeerPoints Manager Traffic User-Agent (Peer Points)"; flow: established,to_server; content:"Peer Points"; http_header; fast_pattern:only; reference:url,doc.emergingthreats.net/2001640; classtype:policy-violation; sid:2001640; rev:28; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED User-Agent (BlueSky)"; flow:to_server,established; content:"User-Agent|3a| BlueSky"; http_header; reference:url,doc.emergingthreats.net/2011084; classtype:trojan-activity; sid:2011084; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Browseraid.com User-Agent (Browser Adv)"; flow: to_server,established; content:"Browser Adv"; http_header; fast_pattern:only; reference:url,www.browseraid.com; reference:url,doc.emergingthreats.net/2001295; classtype:trojan-activity; sid:2001295; rev:27; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Casalemedia.com Related User Agent (0 0 ...)"; flow: established,to_server; content:"User-Agent|3a| 0|3a|0|3a|"; http_header; pcre:"/\x0d\x0aUser-Agent\: 0\:0\:[^\n]{120}/H"; reference:url,doc.emergingthreats.net/2007647; classtype:trojan-activity; sid:2007647; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED User-Agent (GM Login)"; flow:to_server,established; content:"User-Agent|3a| GM Login|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011273; classtype:trojan-activity; sid:2011273; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED AskSearch Toolbar Spyware User-Agent (AskTBar)"; flow:to_server,established; content:"|3b| AskTb"; http_header; pcre:"/User-Agent\x3a[^\n]+AskTB/iH"; reference:url,doc.emergingthreats.net/2003494; classtype:policy-violation; sid:2003494; rev:22; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HSN.com Toolbar Spyware User-Agent (HSN)"; flow:to_server,established; content:"User-Agent|3a| "; nocase; http_header; content:"HSN"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+HSN/iH"; reference:url,doc.emergingthreats.net/2003495; classtype:trojan-activity; sid:2003495; rev:10; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unidentified Spyware User Agent (0 0 + 128 chars)"; flow:established,to_server; content:"User-Agent|3a| 0|3a|0|3a|"; nocase; http_header; pcre:"/User-Agent\: 0\:0\:[^\x0a|\x0d]{128}/H"; reference:url,doc.emergingthreats.net/2007615; classtype:trojan-activity; sid:2007615; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED ISearchTech.com XXXPornToolbar Activity (MyApp)"; flow: to_server,established; content:" MyApp|0d 0a|"; http_header; fast_pattern:only; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/2001492; classtype:trojan-activity; sid:2001492; rev:43; metadata:created_at 2010_07_30, updated_at 2016_12_07;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User Agent Maxthon"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1|3b| Maxthon"; http_header; fast_pattern:56,19; reference:url,doc.emergingthreats.net/2011118; classtype:trojan-activity; sid:2011118; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED User-Agent (MSIE XPSP2)"; flow:to_server,established; content:"MSIE XPSP2"; fast_pattern:only; http_header; reference:url,doc.emergingthreats.net/2003200; classtype:trojan-activity; sid:2003200; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED OneStep Adware related User Agent (x)"; flow:established,to_server; content:"User-Agent|3a| x|0d 0a|"; nocase; http_header; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-112613-5052-99&tabid=2; classtype:trojan-activity; sid:2009987; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Spyaxe Spyware User-Agent (spyaxe)"; flow:to_server,established; content:" spyaxe "; http_header; fast_pattern:only; reference:url,doc.emergingthreats.net/2002807; classtype:trojan-activity; sid:2002807; rev:13; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and Others"; flow:to_server,established; content:"User-Agent|3a| downloader|0d 0a|"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2003546; classtype:trojan-activity; sid:2003546; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User-Agent (ld)"; flow:to_server,established; content:"User-Agent|3a| ld|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008342; classtype:trojan-activity; sid:2008342; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User-Agent (DownloadNetFile)"; flow:to_server,established; content:"User-Agent|3a| DownloadNetFile|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008344; classtype:trojan-activity; sid:2008344; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User-Agent Detected (Windows+NT)"; flow:established,to_server; content:"User-Agent|3a| Windows+NT"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008600; classtype:trojan-activity; sid:2008600; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User-Agent Detected (DigitAl56K/6.3)"; flow:established,to_server; content:"User-Agent|3a| DigitAl56K/"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008659; classtype:trojan-activity; sid:2008659; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User Agent (Internet Antivirus Pro)"; flow:established,to_server; content:"User-Agent|3a| Internet Antivirus Pro|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2009440; classtype:trojan-activity; sid:2009440; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User Agent (ClickAdsByIE)"; flow:established,to_server; content:"User-Agent|3a| ClickAdsByIE"; http_header; reference:url,doc.emergingthreats.net/2009445; classtype:trojan-activity; sid:2009456; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED PinBall Corp. Related suspicious activity"; flow:established,to_server; content:"User-Agent|3a| PinBallCorp-BSAI"; http_header; reference:url,doc.emergingthreats.net/2009908; classtype:trojan-activity; sid:2009908; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User Agent WebUpdate"; flow:established,to_server; content:"User-Agent|3a| WebUpdate|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2010600; classtype:trojan-activity; sid:2010600; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zango-Hotbar User-Agent (zb-hb)"; flow:to_server,established; content:"zb-hb-"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+zb-hb-/iH"; reference:url,doc.emergingthreats.net/2003223; classtype:trojan-activity; sid:2003223; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zango-Hotbar User-Agent (zbu-hb-)"; flow:to_server,established; content:"zbu-hb-"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+zbu-hb-/iH"; reference:url,doc.emergingthreats.net/2003305; classtype:trojan-activity; sid:2003305; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Spamblockerutility.com-Hotbar User Agent (sbu-hb-)"; flow:to_server,established; content:"sbu-hb-"; http_header; pcre:"/User-Agent\:[^\n]+sbu-hb-/iH"; reference:url,doc.emergingthreats.net/2003363; classtype:trojan-activity; sid:2003363; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Wild Tangent Agent User-Agent (WildTangent)"; flow: to_server,established; content:"WildTangent"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+Wildtangent/iH"; reference:url,doc.emergingthreats.net/2001639; classtype:trojan-activity; sid:2001639; rev:31; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET DELETED Suspicious User-Agent (asp2009)"; flow: established, to_server; content:"User-Agent|3a| asp2009|0d 0a|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=6cad864a439da7bbd6f1cec941cca72b; reference:url,doc.emergingthreats.net/2010136; classtype:trojan-activity; sid:2010136; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic Downloader Outbound HTTP connection - Downloading Code"; flow:established,to_server; content:"User-Agent|3A| PE-"; http_header; reference:url,doc.emergingthreats.net/2002695; classtype:trojan-activity; sid:2002695; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> any 139 (msg:"ET DELETED BugBear@MM virus in Network share"; flow: established; content:"|24 48 fb bb ff e6 63 02 3a 20 41 70 61 63 68 65|"; fast_pattern:only; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; reference:url,doc.emergingthreats.net/2001765; classtype:misc-activity; sid:2001765; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> any 139 (msg:"ET DELETED BugBear@MM Worm Copied to Startup Folder"; flow: established; content:"|77 00 69 00 6B 00 2E 00 65 00 78 00 65 00 00 00|"; fast_pattern:only; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; reference:url,doc.emergingthreats.net/2001766; classtype:misc-activity; sid:2001766; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET DELETED Mytob.X clam SMTP Inbound"; flow:to_server,established; content:"UEsDBAoA"; content:"ojRrPyGt"; distance:8; within:16; fast_pattern; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=42326; reference:url,doc.emergingthreats.net/2002892; classtype:trojan-activity; sid:2002892; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET DELETED Mytob.X clam SMTP Outbound"; flow:to_server,established; content:"UEsDBAoA"; content:"ojRrPyGt"; distance:8; within:16; fast_pattern; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=42326; reference:url,doc.emergingthreats.net/2002893; classtype:trojan-activity; sid:2002893; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET DELETED W32.Nugache SMTP Inbound"; flow:to_server,established; content:"RE9TIG1v"; content:"GUuDQ0KJ"; distance:1; within:9; fast_pattern; reference:url,www.symantec.com/avcenter/venc/data/w32.nugache.a@mm.html; reference:url,doc.emergingthreats.net/2002894; classtype:trojan-activity; sid:2002894; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET DELETED W32.Nugache SMTP Outbound"; flow:to_server,established; content:"RE9TIG1v"; content:"GUuDQ0KJ"; distance:1; within:9; fast_pattern; reference:url,www.symantec.com/avcenter/venc/data/w32.nugache.a@mm.html; reference:url,doc.emergingthreats.net/2002895; classtype:trojan-activity; sid:2002895; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SHELLCODE CLET polymorphic payload"; dsize: >40; content: "|74 07 eb|"; content: "|e8|"; distance: 1; within: 1; pcre: "/\xeb.[\x58-\x5b]\x31[\xc0\xc9\xd2\xdb][\xb0-\xb3].\x8b.[\x05\x2d\x35\x81\xc1]/sm"; pcre: "/[\x40-\x43\xfd\xff][\x40-\x43\xff][\x40-\x43\x80\xff][\x40-\x43\xe9-\xeb\xff\x80\x2c][\x40-\x43\x48-\x4b\xe9-\xeb\x01\x2c\x80][\x48-\x4c\xe9-\xeb\x02\x2c][\x03\x48-\x4b][\x48-\x4b]\x74\x07\xeb.\xe8.\xff\xff\xff/smR"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003117; classtype:shellcode-detect; sid:2003117; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SHELLCODE Shikata Ga Nai polymorphic payload"; dsize: >26; content: "|d9 74 24 f4|"; pcre: "/[\x29\x2b\x31\x33]\xc9/sm"; pcre: "/[\xd9-\xdb\xdd].{1,11}\xd9\x74\x24\xf4.{0,10}[\x58\x5a\x5b\x5d-\x5f]/sm"; pcre: "/([\x29\x2b\x31\x33\xb8\xba\xbb\xbe\xbf\xd9-\xdb\xdd][^\x00\xff][^\x00\xff][^\x00][^\x00\xff][^\x00][^\x00\xff][^\x00\xff][^\x00][^\x00][^\x00][^\x00\xff][^\x00\xff][^\x00\xff][^\x00][^\x00][\x31\x83][\x42\x43\x46\x47\x50\x53\x56-\x58\x5a\x5e\x5f\x70\x72\x73\x77\x78\x7a\x7b\x7e\xc0\xc2\xc3\xc6\xc7\xe8\xea\xeb\xee\xef][\x04\x0e\x10\x12\x13\x15\x17\xfc][\x03\x31\x83][\x42\x43\x46\x47\x50\x53\x56-\x58\x5a\x5e\x5f\x70\x72\x73\x77\x78\x7a\x7b\x7e\xc0\xc2\xc3\xc6\xc7\xe8\xea\xeb\xee\xef][\x04\x0a\x0c\x0e-\x13\x15\x17\xfc][\x03\x83]..[^\x1d\xe2][^\x0a\xf5])|([\x29\x2b\x31\x33\xb8\xba\xbb\xbd-\xbf\xd9-\xdb\xdd][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][\x24\xb1\xd9-\xdb\xdd][^\x00][\x58\x5a\x5b\x5d-\x5f\xb8\xba\xbb\xbd-\xbf\xd9][^\x00][^\x00][^\x00][^\x00][\x31\x83][\x42\x43\x45-\x47\x50\x53\x55-\x58\x5a\x5d-\x5f\x68\x6a\x6b\x6e-\x70\x72\x73\x75\x77\x78\x7a\x7b\x7d\x7e\xc0\xc2\xc3\xc5-\xc7\xe8\xea\xeb\xed-\xef][\x04\x0e\x12\x17\xfc][\x03\x31\x83][\x42\x43\x45-\x47\x50\x53\x55-\x58\x5a\x5d-\x5f\x68\x6a\x6b\x6e-\x70\x72\x73\x75\x77\x78\x7a\x7b\x7d\x7e\xc0\xc2\xc3\xc5-\xc7\xe8\xea\xeb\xed-\xef][\x04\x0a\x0e\x12\x13\x17\xfc][\x03\x83]..[^\xe2][^\xf5])/sm"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003118; classtype:shellcode-detect; sid:2003118; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SHELLCODE ADMutate polymorphic payload"; dsize: >45; content: "|e8|"; content: "|ff ff ff|"; distance: 1; within: 3; pcre: "/\xeb[\x26-\x7a].{0,20}(\x5e|\x58\x96|\x58\x89\xc6|\x8b\x34\x24\x83\xec\x04).{0,20}(((\xbb....|\x68....\x5b).{0,20}(\x31\xc9|\x31\xc0\x91))|((\x31\xc9|\x31\xc0\x91).{0,20}(\xbb....|\x68....\x5b))).{0,20}(\xb1.|\x6a.\x58\x89\xc1|\x6a.\x66\x59).{0,20}(\x31\x1e|\x93\x31\x06\x93|\x8b\x06\x09\xd8\x21\x1e\xf7\x16\x21\x06).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}\xe2[\xa0-\xf9].{0,20}\xeb[\x06-\x20].{0,20}\xe8[\x7f-\xff]\xff\xff\xff/sm"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003119; classtype:shellcode-detect; sid:2003119; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 8998 (msg:"ET DELETED Sobig.E-F Trojan Site Download Request"; dsize: 8; content:"|5c bf 01 29 ca 62 eb f1|"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html; reference:url,doc.emergingthreats.net/2001547; classtype:trojan-activity; sid:2001547; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Trojan-Spy.Win32.Bancos Download"; flow: established,from_server; content:"[AspackDie!]"; content:"|0f 6d 07 9e 6c 62 6c 68 00 d2 2f 63 6d 64 9d 11 af af 45 c7 72 ac 5f 3138 d0|"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/pwsteal.bancos.b.html; reference:url,doc.emergingthreats.net/2001726; classtype:trojan-activity; sid:2001726; rev:10; metadata:tag Banking_Trojan, created_at 2010_07_30, malware_family Bancos, updated_at 2018_04_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED AV-Killer.Win32 User Agent Detected (p4r4z1t3v3.one14.J)"; flow:established,to_server; content:"User-Agent|3a| p4r4z1t3v3"; http_header; nocase; reference:url,doc.emergingthreats.net/2003638; classtype:trojan-activity; sid:2003638; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET DELETED Win32.SMTP-Mailer SMTP Outbound"; flow:to_server,established; content:"Subject|3a 20 3a 20|ZOMBIE"; nocase; content:"X-Library|3a| Indy 9.00.10"; nocase; distance:0; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Win32.SMTP-Mailer&threatid=48095; reference:url,www.hauri.net/virus/virusinfo_read.php?code=TRW3000774&start=1; reference:url,doc.emergingthreats.net/2003041; classtype:trojan-activity; sid:2003041; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Adware/Spyware Adrotator for Rogue AV"; flow:established,to_server; content:"GET"; http_method; content:"nsi_install.php?"; nocase; http_uri; content:"aff_id="; nocase; http_uri; content:"&inst_result="; http_uri; content:"&id="; nocase; http_uri; reference:url,www.spywaredetector.net/spyware_encyclopedia/Trojan.Vapsup.htm; reference:url,www.spywaredetector.net/spyware_encyclopedia/Fake AntiSpyware.POWER-ANTIVIRUS-2009.htm; reference:url,www.threatexpert.com/threats/adware-agent-gen.html; reference:url,novirusthanks.org/blog/2008/11/rogue-antispyware-2009-served-through-beedlyus-ads/; reference:url,doc.emergingthreats.net/2009548; classtype:trojan-activity; sid:2009548; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Agent.END"; flow:to_server,established; content:"GET"; http_method; content:"idcomp="; http_uri; content:"&load1="; http_uri; content:"&hist=downloaded_user_"; http_uri; content:"MyValue="; http_uri; pcre:"/MyValue=[a-f0-9]{32}/Ui"; reference:url,doc.emergingthreats.net/2010243; classtype:trojan-activity; sid:2010243; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Armitage Exploit Request"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/bof.php"; http_uri; reference:url,doc.emergingthreats.net/2009032; classtype:trojan-activity; sid:2009032; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Armitage Loader Check-in"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/lds.php"; http_uri; reference:url,doc.emergingthreats.net/2009036; classtype:trojan-activity; sid:2009036; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Banker.OT Checkin"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"praquem="; http_client_body; fast_pattern;  content:"&titulo="; http_client_body; content:"&texto="; http_client_body; reference:url,doc.emergingthreats.net/2007823; classtype:trojan-activity; sid:2007823; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Banker.OT Checkin (2 packet)"; flow:established,to_server; content:"praquem="; depth:8; content:"&titulo="; content:"&texto="; reference:url,doc.emergingthreats.net/2008491; classtype:trojan-activity; sid:2008491; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET DELETED Banker.maf SMTP Checkin (Not in the Control...)"; flow:established,to_server; content:"|0a|X-Mailer|3a| Microsoft CDO for Windows 2000"; content:"|0d 0a|_-=|7c| Not in the Control System 6.0 |7c|=-_|0d 0a|.|0d 0a|"; distance:0; reference:url,doc.emergingthreats.net/2008033; classtype:trojan-activity; sid:2008033; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET DELETED Banker Trojan CnC Server Ping"; flow:established,from_server; dsize:<100; content:"PING|7c|"; reference:url,doc.emergingthreats.net/2009864; classtype:trojan-activity; sid:2009864; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Banload iLLBrain Trojan Activity"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent|3a| Microsoft URL Control"; nocase; http_uri; content:"/iLL"; http_uri; content:".xxx"; http_uri; reference:url,doc.emergingthreats.net/2008328; classtype:trojan-activity; sid:2008328; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Bifrose Connect to Controller (variant 2)"; flow:established,to_server; dsize:<220; content:"|d2 00 00 9b|"; depth:4; reference:url,doc.emergingthreats.net/2008532; classtype:trojan-activity; sid:2008532; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 81 -> $EXTERNAL_NET any (msg:"ET DELETED Bifrose Response from victim"; flow:established,from_server; dsize:13; content:"|09 00 00 00 9a|"; depth:5; content:"|74|"; distance:7; within:8; reference:url,doc.emergingthreats.net/2009797; classtype:trojan-activity; sid:2009797; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blink.com related Backdoor Checkin"; flow:established,to_server; content:"/?vn="; nocase; http_uri; content:"&partner="; nocase; http_uri; content:"&ptag="; nocase; http_uri; content:"&b="; nocase; http_uri; content:"&se="; nocase; http_uri; content:"&au="; nocase; flowbits:set,ET.blink.get; reference:url,doc.emergingthreats.net/2007805; classtype:trojan-activity; sid:2007805; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blink.com related Upgrade Command Given"; flowbits:isset,ET.blink.get; flow:established,from_server; content:"|0d 0a|X-Messaging|3a| This is an important download|0d 0a|Location|3a| http|3a|//"; reference:url,doc.emergingthreats.net/2007806; classtype:trojan-activity; sid:2007806; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET DELETED Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Outbound"; flow:established; dsize:24; threshold:type threshold, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:trojan-activity; sid:2008103; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET DELETED Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Inbound"; threshold:type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:trojan-activity; sid:2008107; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound"; flow:established; threshold:type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:trojan-activity; sid:2008108; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound"; flow:established; threshold:type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:trojan-activity; sid:2008110; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET !$HTTP_PORTS -> $EXTERNAL_NET 1639 (msg:"ET DELETED Bofra Victim Accessing Reactor Page"; flow: from_client,established; content:"GET "; nocase; content:"reactor"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bofra.e@mm.html; reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631; reference:url,doc.emergingthreats.net/2001430; classtype:trojan-activity; sid:2001430; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Bredavi Checkin"; flow:established,to_server; content:".php?id="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&up="; nocase; http_uri; content:"&os="; http_uri; nocase; reference:url,doc.emergingthreats.net/2010791; classtype:trojan-activity; sid:2010791; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Buzus FTP Log Upload"; flow:established,to_server; dsize:100<>500; content:"|20 20 20 20|"; depth:4; content:"************CD-Key Pack************"; distance:0; content:"Microsoft Windows Product ID CD Key\: "; distance:0; reference:url,doc.emergingthreats.net/2008750; classtype:trojan-activity; sid:2008750; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Buzus Posting Data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/fdsupdate"; nocase; http_uri; content:"|0d 0a 0d 0a|PUTF"; reference:url,doc.emergingthreats.net/2010064; classtype:trojan-activity; sid:2010064; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Clod/Sereki Communication with C&C"; flow:established,to_server; content:".php?id="; http_uri; nocase; content:"&cnt="; http_uri; nocase; pcre:"/\.php\?id=\d+_[0-9a-f]{8}-[0-9a-f]+-[0-9a-f]{8}&cnt=/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSereki.A; reference:url,www.threatexpert.com/report.aspx?md5=bbb6ac2181dbbe15efd13c294cb991fa; reference:url,www.threatexpert.com/report.aspx?md5=3c39bfc78fcf3fe805c7472296bf6319; reference:url,doc.emergingthreats.net/2010289; classtype:trojan-activity; sid:2010289; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Clod/Sereki Checkin with C&C (noalert)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/chck.dat"; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; flowbits:set,ET.clod1; flowbits:noalert; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSereki.A; reference:url,www.threatexpert.com/report.aspx?md5=bbb6ac2181dbbe15efd13c294cb991fa; reference:url,www.threatexpert.com/report.aspx?md5=3c39bfc78fcf3fe805c7472296bf6319; reference:url,doc.emergingthreats.net/2010290; classtype:trojan-activity; sid:2010290; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Clod/Sereki Checkin Response"; flow:established,from_server; dsize:<350; content:"|0d 0a 0d 0a|!chckOK!"; nocase; flowbits:isset,ET.clod1; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSereki.A; reference:url,www.threatexpert.com/report.aspx?md5=bbb6ac2181dbbe15efd13c294cb991fa; reference:url,www.threatexpert.com/report.aspx?md5=3c39bfc78fcf3fe805c7472296bf6319; reference:url,doc.emergingthreats.net/2010291; classtype:trojan-activity; sid:2010291; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> 67.15.94.80 $HTTP_PORTS (msg:"ET DELETED Possible Downadup/Conficker-A Worm Activity"; flow:to_server,established; content:"/GeoIP.dat.gz"; http_uri; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A; reference:url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2008802; classtype:trojan-activity; sid:2008802; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoreFlooder.Q Data Posting"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/upload"; nocase; http_uri; content:"file="; nocase; http_uri; content:"&id="; http_uri; nocase; threshold: type limit, track by_src, seconds 3600, count 1; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FCOREFLOOD%2EQ; reference:url,doc.emergingthreats.net/2008352; classtype:trojan-activity; sid:2008352; rev:8; metadata:created_at 2010_07_30, updated_at 2017_01_05;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Delf HTTP Post Checkin (1)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; nocase; content:"Content-type|3a| image/gif"; http_header; content:"x|da|"; http_client_body; depth:2; content:"|0d 0a|Content-type|3a| image/gif|0d 0a 0d 0a|x|da|"; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/2007867; classtype:trojan-activity; sid:2007867; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Delf CnC Channel Packet 1"; flowbits:isnotset,ET.unk.1; flow:established,to_server; dsize:<200; content:"|8e 00 d0 00|"; depth:4; flowbits:set,ET.unk.1; flowbits:noalert; reference:url,doc.emergingthreats.net/2008006; classtype:trojan-activity; sid:2008006; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET DELETED Delf CnC Channel Packet 1 reply"; flowbits:isset,ET.unk.1; flow:established,from_server; dsize:<15; content:"|05 00 00 00|"; depth:4; flowbits:set,ET.unk.2; reference:url,doc.emergingthreats.net/2008007; classtype:trojan-activity; sid:2008007; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Delf CnC Channel Checkin Replies"; flowbits:isset,ET.unk.2; flow:established,to_server; dsize:<20; content:"|09 00 00 00|"; depth:4; reference:url,doc.emergingthreats.net/2008008; classtype:trojan-activity; sid:2008008; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Delf Checkin via HTTP (8)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; nocase; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; fast_pattern:30,20; http_header; content:"name="; http_client_body; depth:5; reference:url,doc.emergingthreats.net/2008268; classtype:trojan-activity; sid:2008268; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Downloader (Win32.Doneltart) Checkin - HTTP GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?open="; nocase; http_uri; content:"&myid="; nocase; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/2009814; classtype:trojan-activity; sid:2009814; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zhelatin Variant Checkin"; flow:established,to_server; content:"/adload.php?a1="; nocase; http_uri; content:"a3="; nocase; http_uri; content:"&a4="; nocase; http_uri; content:"&a5="; nocase; http_uri; content:!"User-Agent|3a|"; http_header; content:"Host|3a|"; http_header; reference:url,doc.emergingthreats.net/2003408; classtype:trojan-activity; sid:2003408; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan-Downloader.Win32.Small.hkp Checkin via HTTP"; flow:established,to_server; dsize:96; content:"GET /"; depth:5; pcre:"/^[^\r\n]*\/[0-9a-f]{78}\sHTTP/Ri"; reference:url,doc.emergingthreats.net/2007755; classtype:trojan-activity; sid:2007755; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Browser HiJacker/Infostealer Stat file"; flow:established,to_server; content:"|5B00|u|00|p|00|d|00|a|00|t|00|e|005D|"; nocase; content:"v|00|e|00|r|00|="; nocase; reference:url,doc.emergingthreats.net/2007777; classtype:trojan-activity; sid:2007777; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User-Agent - Possible Trojan Downloader (cv_v5.0.0)"; flow:established,to_server; content:"User-Agent|3a| cv_v"; http_header; nocase; reference:url,doc.emergingthreats.net/2007926; classtype:trojan-activity; sid:2007926; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Common Downloader Trojan Checkin"; flow:established,to_server; content:".php?pid="; nocase; http_uri; content:"mac="; nocase; http_uri; content:"&amd="; nocase; http_uri; content:"&win64="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007975; classtype:trojan-activity; sid:2007975; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED General Downloader URL Pattern (/loader/setup.php)"; flow:established,to_server; content:"/loader/setup.php?id="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008076; classtype:trojan-activity; sid:2008076; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32.Downloader.pgp Checkin"; flow:established,to_server; content:"?id="; http_uri; content:"&e="; http_uri; content:"&err="; http_uri;content:"&c="; http_uri; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2008492; classtype:trojan-activity; sid:2008492; rev:3; metadata:created_at 2010_07_30, updated_at 2017_05_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Emo/Downloader.vr Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; content:"v="; http_uri; content:"&rs="; http_uri; content:"&n="; http_uri; content:"&uid="; http_uri; reference:url,doc.emergingthreats.net/2008546; reference:url,www.malwaredomainlist.com/mdl.php?search=emo+&colsearch=All&quantity=50; classtype:trojan-activity; sid:2008546; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic Dropper HTTP Bot grabbing config"; flow: to_server,established; content:".txt"; nocase; http_uri; fast_pattern; content:"Pragma|3a| no-cache"; http_header; content:"User-Agent|3a| "; http_header; pcre:"/User-Agent\x3a \d{6}\x0d\x0a/H"; reference:url,doc.emergingthreats.net/2008664; classtype:trojan-activity; sid:2008664; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED General Downloader URL - Post Infection"; flow:established,to_server; content:"/count.jsp?id="; http_uri; content:"&mac=0"; http_uri; content:"te="; http_uri; reference:url,doc.emergingthreats.net/2008728; classtype:trojan-activity; sid:2008728; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic Downloader Checkin Url Detected"; flow:established,to_server; content:"??IP|3a|"; depth:100; content:"??IP|3a|"; distance:0; content:"????|3a|"; distance:0; pcre:"/IP\:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/U"; reference:url,doc.emergingthreats.net/2008766; classtype:trojan-activity; sid:2008766; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Downloader Generic - GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?mode="; nocase; http_uri; content:"&port="; nocase; http_uri; content:"&id="; nocase; http_uri; content:"&ltime="; nocase; http_uri; reference:url,doc.emergingthreats.net/2009803; classtype:trojan-activity; sid:2009803; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan Downloader Win32/Small.CBA download"; flow:established,to_server; content:"popjs.asp?uid="; nocase; http_uri; content:"&tid="; nocase; http_uri; content:"&l="; nocase; http_uri; content:"&c="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FSmall.CBA&ThreatID=-2147372177; reference:url,doc.emergingthreats.net/2010569; classtype:trojan-activity; sid:2010569; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET [1024:7989,7991:] -> $HOME_NET any (msg:"ET DELETED Dropper-497 (Yumato) Status Reply from server"; flow:established,from_server; dsize:4; content:"|32 31 0d 0a|"; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; classtype:trojan-activity; sid:2007920; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Dropper Checkin (2)"; flow:established,to_server; content:"POST / HTTP/1.1|0d 0a|"; depth:17; content:!"User-Agent|3a| "; http_header; nocase; content:"updater_version="; http_client_body; nocase; content:"&updater_lang="; http_client_body; nocase; content:"&action_type=log"; http_client_body; nocase; reference:url,doc.emergingthreats.net/2010830; classtype:trojan-activity; sid:2010830; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Likely EXE Cryptor Packed Binary - Likely Malware"; flow:from_server,established; content:"|4D 5A|"; content:"|2E 70 61 63 6B 65 64|"; within: 447; reference:url,bits.packetninjas.org; reference:url,doc.emergingthreats.net/2008557; classtype:trojan-activity; sid:2008557; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Emo/Downloader.uxk checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; content:"v="; http_uri; content:"&id="; http_uri; content:"&rs="; http_uri; fast_pattern; content:"&cc="; http_uri; reference:url,doc.emergingthreats.net/2008452; classtype:trojan-activity; sid:2008452; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Emogen Infection Checkin Initial Packet"; flow:established,to_server; dsize:<100; content:"|00 00 00 00 00 00|WindowsXP|00 00 00|"; flowbits:set,ET.emogen1; flowbits:noalert; reference:url,doc.emergingthreats.net/2008269; classtype:trojan-activity; sid:2008269; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Emogen Infection Checkin CnC Keepalive"; flow:established,to_server; flowbits:isset,ET.emogen1; dsize:4; content:"test"; reference:url,doc.emergingthreats.net/2008270; classtype:trojan-activity; sid:2008270; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential FakeAV HTTP POST Check-IN (?r=)"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"Referer|3a| "; http_header; nocase; content:"User-Agent|3a| Microsoft Internet Explorer|0d 0a|"; http_header; nocase; content:"loads2.php?r="; nocase; http_uri; fast_pattern; pcre:"/loads2\.php\?r=[0-9]{2}\.[0-9]/Ui"; reference:url,www.threatexpert.com/report.aspx?md5=94e13e13c6da5e32bde00bc527475bd2; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3190.420; reference:url,doc.emergingthreats.net/2010594; classtype:trojan-activity; sid:2010594; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED FakeAV Served To Client"; flow:established,to_client; content:"HTTP/1"; depth:6; content:"Content-Disposition|3a| attachment|3b| filename="; nocase; http_header; content:"ds=1"; nocase; http_cookie; reference:url,doc.emergingthreats.net/2011221; classtype:trojan-activity; sid:2011221; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Feral Checkin via HTTP"; flow:established,to_server; content:"?ucid="; nocase; http_uri; content:"&wmid="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007286; classtype:trojan-activity; sid:2007286; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Downloader Checkin Pattern Used by Several Trojans"; flow:established,to_server; content:".php?"; http_uri; content:"uid="; http_uri; content:"&gid="; http_uri; content:"&cid="; http_uri; content:"&rid="; http_uri; fast_pattern; content:"&sid="; http_uri; reference:url,doc.emergingthreats.net/2008143; classtype:trojan-activity; sid:2008143; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic Trojan Checkin"; flow: to_server,established; content:"GET"; nocase; http_method; content: ".asp?mac="; nocase; http_uri; pcre:"/mac=[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}/iU"; content: "&ver="; nocase; http_uri; reference:url,doc.emergingthreats.net/2009412; classtype:trojan-activity; sid:2009412; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic Backdoor Retrieve Instructions/Configs - HTTP GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?aid="; nocase; http_uri; content:"&pid="; http_uri; content:"&kind="; nocase; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/2009826; classtype:trojan-activity; sid:2009826; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Gh0st Remote Access Trojan Client Connect"; flow:to_server,established; content:"Gh0st"; depth:5; nocase; content:"|00 00 00|"; within:5; dsize:<180; flowbits:set,ET.ghost; reference:url,doc.emergingthreats.net/2008888; classtype:trojan-activity; sid:2008888; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2010_07_30, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Gh0st Remote Access Trojan Server Response"; flowbits:isset,ET.ghost; flow:to_client,established; content:"Gh0st"; depth:5; nocase; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081211; reference:url,doc.emergingthreats.net/2008889; classtype:trojan-activity; sid:2008889; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2010_07_30, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Gh0st Trojan CnC"; flow:established,to_server; content:"Gh0st"; depth:5; flowbits:set,ET.gh0st_client; reference:url,doc.emergingthreats.net/2010859; classtype:trojan-activity; sid:2010859; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2010_07_30, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Gh0st Trojan CnC Response"; flow:established,from_server; content:"Gh0st"; depth:5; flowbits:isset,ET.gh0st_client; reference:url,doc.emergingthreats.net/2010860; classtype:trojan-activity; sid:2010860; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2010_07_30, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED GhostNet Trojan Reporting"; flow:established,to_server; content:"/microsoft/v2/update/upgrade.aspx?hostname="; http_uri; content:"&ostype="; http_uri; content:"&macaddr="; http_uri; content:"&ipaddr="; http_uri; content:"&owner="; http_uri; threshold: type limit, track by_src, count 1, seconds 300; reference:url,www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network; reference:url,doc.emergingthreats.net/2009202; classtype:trojan-activity; sid:2009202; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Hotword Trojan in Transit"; flow: established,from_server; content:"|63 6f 6d 66 69 64 65 6e 74 69 61 6c 20 64 6f 63 75 6d 65 6e 74 20 28 57 6f 72 64 29 20 66 72 6f 6d 20 44 69 67 69 44 6f 63 00 43 4d 20 25 73 20|"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001959; classtype:trojan-activity; sid:2001959; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Hotword Trojan inbound via http"; flow: established,from_server; content:"|63 6f 6d 66 69 64 65 6e 74 69 61 6c 20 64 6f 63 75 6d 65 6e 74 20 28 57 6f 72 64 29 20 66 72 6f 6d 20 44 69 67 69 44 6f 63 00 43 4d 20 25 73 20|"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001960; classtype:trojan-activity; sid:2001960; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible File Upload CHJO"; flow: to_server,established; content:"STOR __"; content:"-CHJO.DRV"; nocase; within: 100; fast_pattern; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001961; classtype:trojan-activity; sid:2001961; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible File Upload CFXP"; flow: to_server,established; content:"STOR __"; content:"-CFXP.DRV"; nocase; within: 100; fast_pattern; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001962; classtype:trojan-activity; sid:2001962; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible FTP File Request pspv.exe"; flow: to_server,established; content:"SIZE pspv.exe"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001963; classtype:trojan-activity; sid:2001963; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible FTP File Request .tea"; flow: to_server,established; content:"LIST "; content:".tea"; nocase; within: 50; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001964; classtype:trojan-activity; sid:2001964; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible FTP File Status Upload ___"; flow: to_server,established; content:"|53 54 4f 52 20 5f 5f 5f 0d 0a|"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001965; classtype:trojan-activity; sid:2001965; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible FTP File Status Check ___"; flow: to_server,established; content:"|53 49 5a 45 20 5f 5f 5f 0d 0a|"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001966; classtype:trojan-activity; sid:2001966; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Hupigon CnC init (variant abb)"; flow:established,to_server; dsize:4; flowbits:isnotset,ET.hupa.init; flowbits:noalert; content:"|00 00 00 00|"; flowbits:set,ET.hupa.init; reference:url,doc.emergingthreats.net/2008041; classtype:trojan-activity; sid:2008041; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 3128 (msg:"ET DELETED Likely Hupigon Post to Controller"; flow:established,to_server; content:"POST /+"; depth:7; flowbits:noalert; flowbits:set,ET.Hupinit1; reference:url,www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml; reference:url,doc.emergingthreats.net/2008389; classtype:trojan-activity; sid:2008389; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 3128 -> $HOME_NET any (msg:"ET DELETED Hupigon Response from Controller (YES - ~~@@)"; flow:established,from_server; flowbits:isset,ET.Hupinit1; content:"HTTP/1.0 200 OK|0d 0a 0d 0a|YES|0d 0a 7e 7e|"; depth:26; content:"@@|0d 0a 0d 0a|"; within:150; reference:url,www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml; reference:url,doc.emergingthreats.net/2008390; classtype:trojan-activity; sid:2008390; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 3128:9000 (msg:"ET DELETED Possible Hupigon Connect"; flow:established,from_server; flowbits:set,ET.Hupinit2; dsize:<28; content:"HTTP/1.0 200 "; depth:13; flowbits:noalert; reference:url,doc.emergingthreats.net/2009290; classtype:trojan-activity; sid:2009290; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 3128:9000 -> $HOME_NET any (msg:"ET DELETED Hupigon CnC Client Status"; flow:established,to_server; flowbits:isset,ET.Hupinit2; dsize:<6; content:"|0d 0a|"; reference:url,doc.emergingthreats.net/2009291; classtype:trojan-activity; sid:2009291; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 3128:9000 (msg:"ET DELETED Hupigon CnC Server Response"; flow:established,from_server; flowbits:isset,ET.Hupinit2; dsize:3; content:"|0d 0a|"; reference:url,doc.emergingthreats.net/2009292; classtype:trojan-activity; sid:2009292; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert icmp any any -> any any (msg:"ET DELETED ICMP Banking Trojan sending encrypted stolen data"; dsize:>64; itype:8; icode:0; content:"|08|"; depth:1; byte_test:4,>,64,1,little; byte_test:4,<,1500,1,little; content:"|0000|"; distance:4; within:1495; reference:url,www.websensesecuritylabs.com/alerts/alert.php?AlertID=570; reference:url,doc.emergingthreats.net/2003073; classtype:trojan-activity; sid:2003073; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED IRC channel topic reptile commands"; flowbits:isset,is_proto_irc; flow:established,from_server; content:"|3a|"; content:"|20|332|20|"; within: 50; content:"|2023|"; within: 20; content:"|203a|"; pcre:"/\.((testdlls|threads|netstatp|nsp|speed|uptime|installed|secure|sec|unsecure|unsec|process|ps|rand|exploitftpd|eftpd|flusharp|farp|flushdns|fdns|resolve|dns|pstore|pst|sysinfo|si|netinfo|ni|driveinfo|di|stats|currentip)\s*[\r\n]|(iestart|ies|login|l|mirccmd|system|file\s+(cat|exists|e|del|rm|rmdir|move|copy|attrib)|down|dl\x|update|reg\s+(query|delete|write))\s+\w+|(banner|ban|advscan|asc|scanall|sa|ntscan|nts)\s*[\n\r])/i"; reference:url,doc.emergingthreats.net/2002385; classtype:trojan-activity; sid:2002385; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED perlb0t/w0rmb0t Response (Case 1)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"|3A 02 5B|"; content:"|5B 02|"; within: 32; pcre:"/\x3A\x02\x5B(Atk33|Exploiting|Finished|GOOGLE.*|HTTP.{0,8}|PKS-SCAN.{0,20}|Results|RSH|SCAN|TCP.{0,8}|UDP.{0,8}|v6.{0,12}|VERSION)\x5D\x02/i"; reference:url,doc.emergingthreats.net/2006910; classtype:trojan-activity; sid:2006910; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED perlb0t/w0rmb0t Response (Case 3)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"|3A 02|"; content:"|02|"; within: 32; pcre:"/\x3A\x02(Alvo dos Pacotes|Conectando-se em|M.dia de envio|Tempo.*|Total .*)\x02/i"; reference:url,doc.emergingthreats.net/2006912; classtype:trojan-activity; sid:2006912; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED B0tN3t IRCbotnet"; flow:from_server,established; content:"|3a|"; offset:0; depth:1; content:"B0tN3t"; within:32; nocase; flowbits:set,irc.start; flowbits:set,is_proto_irc; reference:url,en.wikipedia.org/wiki/Botnet; reference:url,doc.emergingthreats.net/2007672; classtype:misc-activity; sid:2007672; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Kaiten IRCbotnet login"; flow:to_server,established; content:"NICK|20|"; depth:5; content:"USER|20|"; within:32; content:"localhost|20|localhost|20 3A|"; within:32; pcre:"/NICK\x20\S+\x0AUSER\x20\S+localhost\x20localhost\x20\x3A/"; reference:url,en.wikipedia.org/wiki/IRC_bot; reference:url,doc.emergingthreats.net/2007621; classtype:trojan-activity; sid:2007621; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> any any (msg:"ET DELETED Kaiten IRCbotnet Response"; flow:established; flowbits:isset,irc.start; content:"NOTICE|20|"; content:"|20 3A|"; within:32; pcre:"/\x20\x3A(Receiving\x20file.\x0A|Saved\x20as\x20|Spoofs\x3A\x20|Kaiten\x20wa\x20goraku|Current\x20status\x20is\x3a\x20|Removed\x20all\x20spoofs|Packeting\x20|Panning\x20|Tsunami\x20heading\x20for\x20|Unknowing\x20|Killing\x20pid\x20)/"; reference:url,en.wikipedia.org/wiki/IRC_bot; reference:url,doc.emergingthreats.net/2007622; classtype:trojan-activity; sid:2007622; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> $HOME_NET any (msg:"ET DELETED Kaiten IRCbotnet Commands"; flow:from_server,established; content:"PRIVMSG|20 21|"; pcre:"/PRIVMSG\x20\x21\S+\x20(TSUNAMI\x20|PAN\x20|UDP\x20|UNKNOWN\x20|GETSPOOFS|SPOOFS\x20)/i"; reference:url,en.wikipedia.org/wiki/IRC_bot; reference:url,doc.emergingthreats.net/2007623; classtype:trojan-activity; sid:2007623; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> any any (msg:"ET DELETED Pitbull IRCbotnet Response"; flow:established; content:"PRIVMSG|20|"; content:"|3A|"; within:32; content:"4"; within:5; content:"12"; within:5; content:"|3a|"; within:5; pcre:"/\x3a.4\x7c.12.\x3a.4/"; reference:url,en.wikipedia.org/wiki/IRC_bot; reference:url,doc.emergingthreats.net/2007624; classtype:trojan-activity; sid:2007624; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> $HOME_NET any (msg:"ET DELETED Pitbull IRCbotnet Commands"; flow:from_server,established; content:"PRIVMSG|20|"; pcre:"/PRIVMSG.*@(portscan|nmap|back|udpflood|tcpflood|httpflood|linuxhelp|rfi|system|milw0rm|logcleaner|sendmail|join|part|help)/i";  reference:url,en.wikipedia.org/wiki/IRC_bot; reference:url,doc.emergingthreats.net/2007625; classtype:trojan-activity; sid:2007625; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Pitbull IRCbotnet Fetch"; flow:to_server,established; content:"Accept|3a20|*/*|0d0a|User-Agent|3a20|Mozilla/5.0|0d0a|"; http_header; reference:url,en.wikipedia.org/wiki/IRC_bot; reference:url,doc.emergingthreats.net/2007626; classtype:trojan-activity; sid:2007626; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Inject.BV Trojan User Agent Detected (faserx)"; flow:established,to_server; content:"User-Agent|3a| faser"; http_header; nocase; reference:url,doc.emergingthreats.net/2003637; classtype:trojan-activity; sid:2003637; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Injecter Checkin"; flow:established,to_server; content:"GET"; http_method; content:"mod="; http_uri; content:"&id="; http_uri; content:"&up="; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)"; http_header; nocase; reference:url,doc.emergingthreats.net/2008349; classtype:trojan-activity; sid:2008349; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1030 (msg:"ET DELETED Ipbill.com Related Dialer Trojan Checkin"; flow:established,to_server; dsize:7; content:"|0a|"; offset:6; pcre:"/\d\d\d\d\d\d\x0a/"; flowbits:set,ET.ipbill1; reference:url,doc.emergingthreats.net/2008730; classtype:trojan-activity; sid:2008730; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1030 -> $HOME_NET any (msg:"ET DELETED Ipbill.com Related Dialer Trojan Server Response"; flow:established,from_server; dsize:<20; content:"|0a 5b 27|"; offset:2; depth:5; content:"|27 5d 0a|"; distance:0; flowbits:isset,ET.ipbill1; reference:url,doc.emergingthreats.net/2008731; classtype:trojan-activity; sid:2008731; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Juicopotomous to Controller"; flow:established,to_server; dsize:1; content:"|7c|"; flowbits:set,ET.unknown.setup; flowbits:noalert; reference:url,doc.emergingthreats.net/2008245; classtype:trojan-activity; sid:2008245; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET DELETED Juicopotomous ack from Controller"; flowbits:isset,ET.unknown.setup; flow:established,from_server; dsize:<50; content:"|7d 27|"; depth:2; flowbits:set,ET.unknown.replied; reference:url,doc.emergingthreats.net/2008246; classtype:trojan-activity; sid:2008246; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Juicopotomous ack to Controller"; flowbits:isset,ET.unknown.replied; flow:established,to_server; dsize:<50; content:"|7e 27|"; depth:2; reference:url,doc.emergingthreats.net/2008247; classtype:trojan-activity; sid:2008247; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Worm.Win32.Koobface.C User-Agent"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| Mozilla/5.01"; content:"Gecko/2005"; fast_pattern; within:50; content:"Firefox/3"; distance:5; reference:url,doc.emergingthreats.net/2008848; classtype:trojan-activity; sid:2008848; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Krunchy/BZub HTTP Checkin/Update"; flow:established,to_server; content:".php?action="; http_uri; content:"&guid="; http_uri; content:"GET"; nocase; http_method; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/2007775; classtype:trojan-activity; sid:2007775; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Ligats/DR.Ilomo Agent Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"o="; http_client_body; depth:2; content:"&s=000"; http_client_body; reference:url,doc.emergingthreats.net/2008740; classtype:trojan-activity; sid:2008740; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 81:90 (msg:"ET DELETED Looked.P/Gamania/Delf #108/! Style CnC Checkin"; flow:established,to_server; dsize:6; content:"#1"; depth:2; content:"/!"; distance:2; within:2; pcre:"/^\x23\d\d\d\x2f\x21/"; reference:url,doc.emergingthreats.net/bin/view/Main/Win32Looked; classtype:trojan-activity; sid:2008219; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MBR Trojan (Sinowal/Mebroot/) Phoning Home"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ld/mat"; nocase; http_uri; content:".php"; nocase; http_uri; content:"id="; http_client_body; depth:3; content:"&hit="; http_client_body; reference:url,doc.emergingthreats.net/2007747; classtype:trojan-activity; sid:2007747; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Mac User-Agent Typo Likely Hostile/Trojan Infection"; flow:established,to_server; content:"User-Agent|3a| Mozilla/5.0 (Macintosh|3b|"; http_header; content:"(KHTML, like Geco,"; fast_pattern; http_header; reference:url,doc.emergingthreats.net/2008954; classtype:trojan-activity; sid:2008954; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Mitglieder Proxy Bot Checking In"; flow:established,to_server; content:"/scr5.php"; nocase; http_uri; pcre:"/\/scr5\.php\?p=\d+&id=\d/Ui"; reference:url,isc.sans.org/diary.php?storyid=722; reference:url,doc.emergingthreats.net/2002387; classtype:trojan-activity; sid:2002387; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Mitglieder Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"p="; http_uri;content:"&id="; http_uri; content:"User-Agent|3a| personal"; http_header; nocase; reference:url,doc.emergingthreats.net/2008346; classtype:trojan-activity; sid:2008346; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET DELETED NPRC Malicious POST Request Possible DOJ or DOT Malware"; flow:to_server; content:"POST"; nocase; http_method; content:"ACCEPT|3A|"; nocase; within:300; content:"POST|2C|"; fast_pattern; nocase; within:100; reference:url,www.websense.com/securitylabs/alerts/alert.php?AlertID=835; reference:url,doc.emergingthreats.net/2007748; classtype:trojan-activity; sid:2007748; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Nine Ball Infection Ping Outbound"; icode:0; itype:8; dsize:32; content:"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"; reference:url,doc.emergingthreats.net/2011185; classtype:trojan-activity; sid:2011185; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Nine Ball Infection Posting Data"; flow:established,to_server; content:"POST /"; depth:6; content:"/gate/"; distance:0; content:".php"; distance:0; content:"|0d 0a 0d 0a|"; distance:0; content:"AAAAAAAACI"; distance:67; within:10; reference:url,www.martinsecurity.net/page/3; reference:url,doc.emergingthreats.net/2011187; classtype:trojan-activity; sid:2011187; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Nukebot related infection - Unique HTTP get request"; flow:established,to_server; content:".dll|0d 0a|e|20|HTTP/1.1"; rawbytes; content:!"User-Agent|3a|"; nocase; reference:url,www.websense.com/securitylabs/alerts/alert.php?AlertID=743; reference:url,doc.emergingthreats.net/2003432; classtype:trojan-activity; sid:2003432; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Nukebot Checkin"; flow:established,to_server; content:"POST "; rawbytes; depth:5; uricontent:"/script.php?"; content:!"User-Agent|3a|"; nocase; pcre:"/\/script\.php?\d{8}/Ui"; content:"Kernel|3a|"; reference:url,www.websense.com/securitylabs/alerts/alert.php?AlertID=743; reference:url,doc.emergingthreats.net/2003433; classtype:trojan-activity; sid:2003433; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Nulprot Checkin Response"; flow:established,from_server;  content:"200";  http_stat_code;  content:"Encryption|3a| on|0d 0a|Content-Length|3a| "; http_header; depth:32; reference:url,doc.emergingthreats.net/2007669; classtype:trojan-activity; sid:2007669; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET DELETED Prg Trojan v0.1-v0.3 Data Upload"; flow:to_server,established; content:"POST"; nocase; http_method; content:"php?"; http_uri; content:"Content-Type|3a20|binary";  http_header; content:"LLAH"; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2003182; classtype:trojan-activity; sid:2003182; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Prg Trojan v0.1 Binary In Transit"; flow:to_client,established; content:"MZ"; content:"|1D B9 F2 75 62 85 5A 4F 15 48 52 1D 50 90 41 89 37 9F FF 94 CE A6 3E 63 35 AB 29 6B 30 43 2F 45 46 B0 E1 C2 11 7F 0C 55 0F C7|"; depth:128; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2003184; classtype:trojan-activity; sid:2003184; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Prg Trojan v0.2 Binary In Transit"; flow:to_client,established; content:"MZ"; content:"|13 B9 F2 75 62 85 5A 4F 15 48 19 1D 10 4F 0D 5B 04 5B 04 60 CE 5F 00 67 F5 AE 25 6B 20 41 23 B3|"; depth:128; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2003185; classtype:trojan-activity; sid:2003185; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Prg Trojan v0.3 Binary In Transit"; flow:to_client,established; content:"MZ"; content:"| 5E 7D 66 7D 28 40 19 88 5F 8C 13 50 15 59 08 58 3C 97 00 9B 33 A5 F9 AF 39 68 F0 9F 27 AF E9 A8 25 B7 18 B6 15 7F 0E B6 1A|"; depth:128; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2003186; classtype:trojan-activity; sid:2003186; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Banker Infostealer/PRG POST on High Port"; flow:to_server,established; content:"POST "; nocase; depth:5; content:"|2E|php|3F|2="; nocase; content:"|26|n="; nocase; content:"|26|v="; nocase; content:"|26|i="; nocase; content:"|26|sp="; nocase; content:"|26|lcp="; nocase; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2008326; classtype:trojan-activity; sid:2008326; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED PWS-LDPinch Reporting User Activity"; flow:established,to_server; content:".php?ut="; nocase; http_uri; content:"&idr="; nocase; http_uri; content:"&lang="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&winver="; nocase; http_uri; reference:url,doc.emergingthreats.net/2002812; classtype:trojan-activity; sid:2002812; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED PWS-LDPinch posting data"; flow:established,to_server; dsize:>400; content:"POST"; nocase; http_method; content:"a="; http_client_body; nocase; content:"&b="; http_client_body; nocase; content:"&d="; http_client_body; nocase; content:".bin&"; fast_pattern; http_client_body; nocase; content:"u="; http_client_body; nocase; content:"&c="; nocase; http_client_body; reference:url,doc.emergingthreats.net/2006385; classtype:trojan-activity; sid:2006385; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED PWS-LDPinch posting data (2)"; flow:established,to_server; dsize:>400; content:"POST / HTTP/1.1"; depth:15; content:!"User-Agent|3a| BDNC"; http_header; content:"a="; http_client_body; content:"&b="; distance:0; http_client_body; content:"&c="; distance:0; http_client_body; reference:url,doc.emergingthreats.net/2007756; classtype:trojan-activity; sid:2007756; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED LDPinch Checkin (2)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; nocase; http_uri; content:"a="; http_client_body; depth:2; content:"&b="; http_client_body; nocase; content:"&d="; fast_pattern; http_client_body; nocase; content:".bin&c="; http_client_body; reference:url,doc.emergingthreats.net/2007828; classtype:trojan-activity; sid:2007828; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED LDPinch Checkin (4)"; flow:established,to_server; content:"a="; offset:0; depth:2; content:"&b=Pinch"; nocase; distance:0; content:"&c="; distance:0; reference:url,doc.emergingthreats.net/2008061; classtype:trojan-activity; sid:2008061; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED LDPinch Checkin (8)"; flow:established,to_server; content:"/view.php"; nocase; http_uri; content:"a="; content:"&b=Passes"; distance:0; content:"&d=Pass"; distance:0; content:"&c="; distance:0; reference:url,doc.emergingthreats.net/2008091; classtype:trojan-activity; sid:2008091; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED LDPinch Checkin (9)"; flow:established,to_server; dsize:>1000; content:"POST"; nocase; http_method; content:"/gate.php"; http_uri; content:"a=&b=&d=&c="; http_client_body; reference:url,doc.emergingthreats.net/2008213; classtype:trojan-activity; sid:2008213; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 82 (msg:"ET DELETED LDPinch Checkin on Port 82"; flow:established,to_server; content:".php"; nocase; content:"a="; content:"&b=Pinch"; distance:0; content:"&d="; distance:0; content:"&c="; distance:0; reference:url,doc.emergingthreats.net/2008354; classtype:trojan-activity; sid:2008354; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED LDPinch Checkin Flowbit set"; flow:established,to_server; content:"POST"; http_method; content:"/gate.php"; nocase; http_uri; content:"application|2F|x-www-form-urlencoded|0D 0A|"; http_header; flowbits:set,ET.PINCH; flowbits:noalert; reference:url,doc.emergingthreats.net/2008468; classtype:trojan-activity; sid:2008468; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED LDPinch Checkin v2"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/gate.php"; fast_pattern; nocase; http_uri; content:"application|2F|x-www-form-urlencoded|0D 0A|"; http_header;  content:"a="; depth:2; http_client_body; nocase; content:"b="; http_client_body; nocase; content:"d="; http_client_body; nocase; content:"c="; http_client_body; nocase; reference:url,doc.emergingthreats.net/2008469; classtype:trojan-activity; sid:2008469; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic Password Stealer Checkin URL Detected"; flow:established,to_server; content:"method=get"; nocase; http_uri; content:"&port="; nocase; http_uri; content:"&type="; nocase; http_uri; content:"&winver="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006384; classtype:trojan-activity; sid:2006384; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 897 (msg:"ET DELETED Backdoor PcClient.CAK.Pakes POST on non-http Port"; flow:established,to_server; content:"POST "; nocase; depth:5; content:".jsp"; nocase; within:50; pcre:"/\/\d{8,}\/\d{4,}\/\d{4,}\.jsp/"; reference:url,doc.emergingthreats.net/2009093; classtype:trojan-activity; sid:2009093; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Parite.B GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| gomtour"; http_header; reference:url,www.pandasecurity.com/homeusers/security-info/18181/information/Parite.B; reference:url,www.pctools.com/mrc/infections/id/Virus.Parite.B/; reference:url,www.threatexpert.com/threats/w32-parite-b.html; reference:url,doc.emergingthreats.net/2009454; classtype:trojan-activity; sid:2009454; rev:5; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2010_07_30, malware_family Parite, updated_at 2017_07_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Password Stealer Reporting - ?a=%NN&b="; flow:to_server,established; content:"POST"; http_method; nocase; content:"a=%"; http_raw_uri; content:"&b="; http_uri; pcre:"/a=\%[0-9a-fA-F]{2}\&b/Ii"; reference:url,doc.emergingthreats.net/2009082; classtype:trojan-activity; sid:2009082; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Paymilon-A HTTP POST"; flow:established,to_server; content:"POST http|3a|//"; depth:12; content:"C|3a|\\"; distance:0; nocase; content:".exe|00 00|"; distance:0; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/malpaymilona.html; reference:url,doc.emergingthreats.net/2010918; classtype:trojan-activity; sid:2010918; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Phoenix Exploit Kit malware payload download"; flow:established,to_server; content:".php?deserialize="; http_uri; reference:url,doc.emergingthreats.net/2011183; classtype:trojan-activity; sid:2011183; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET DELETED Greeting card gif.exe email incoming SMTP"; flow: established,to_server; content:"postcard.gif.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html; reference:url,doc.emergingthreats.net/2001919; classtype:trojan-activity; sid:2001919; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 110:220 -> $HOME_NET any (msg:"ET DELETED Greeting card gif.exe email incoming POP3/IMAP"; flow: established,from_server; content:"postcard.gif.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html; reference:url,doc.emergingthreats.net/2001920; classtype:trojan-activity; sid:2001920; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Greeting card gif.exe email incoming HTTP"; flow: established,from_server; content:"postcard.gif.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html; reference:url,doc.emergingthreats.net/2001921; classtype:trojan-activity; sid:2001921; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED QQPass Related User-Agent Infection Checkin (App4)"; flow:to_server,established; content:"User-Agent|3a| App"; http_header; content:!"Host|3a| liveupdate.symantecliveupdate.com|0d 0a|"; http_header; pcre:"/^User-Agent\: App\d/Hmi"; reference:url,doc.emergingthreats.net/2007569; classtype:trojan-activity; sid:2007569; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any any (msg:"ET DELETED Generic Raider Obfuscated VBScript"; flow:established; content:"execute"; content:"|22 22 22 22 22 3A|"; offset:8; content:"function"; nocase; pcre:"/\x22\x3A(\w)\x3D\x22execute\s+\x22{5}\x3A.*\x3Aexecute\s*\x28\s*\1\s*\x29\x3Aend\s+function\x3A/s"; reference:url,bbs.duba.net/viewthread.php?tid=21892104&page=1&extra=page=1; reference:url,doc.emergingthreats.net/2008278; classtype:trojan-activity; sid:2008278; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 20192 (msg:"ET DELETED Ranky or variant backdoor communication ping"; dsize:<6; reference:url,www.sophos.com/virusinfo/analyses/trojranckcx.html; reference:url,www.iss.net/threats/W32.Trojan.Ranky.FV.html; classtype:trojan-activity; sid:2002728; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Sality Trojan Web Update"; flow:to_server,established; content:"/new_array2.php?speed="; nocase; http_uri; reference:url,www.sophos.com/security/analyses/w32salityu.html; reference:url,doc.emergingthreats.net/2003424; classtype:trojan-activity; sid:2003424; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Sality Virus User Agent Detected (SPM_ID=)"; flow:established,to_server; content:"User-Agent|3a| SPM_ID="; nocase; http_header; reference:url,doc.emergingthreats.net/2003651; classtype:trojan-activity; sid:2003651; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Silentbanker/Yaludle Checkin to C&C"; flow:to_server,established; content:"GET"; depth:3; http_method; content:".php?id="; nocase; http_uri; content:"&c="; nocase; content:"&v="; nocase; content:"&b="; nocase; content:"&z="; nocase; reference:url,doc.emergingthreats.net/2009542; classtype:trojan-activity; sid:2009542; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Sinowal/Mebroot/Torpig Client POST"; flow:to_server,established; content:"POST"; depth:4; http_method; content:"|0d 0a|Connection|3a| close|0d 0a 0d 0a a9 3a d4 31 4b 84|"; fast_pattern; reference:url,doc.emergingthreats.net/2008520; classtype:trojan-activity; sid:2008520; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any any (msg:"ET DELETED SpamThru trojan peer exchange"; flow:established,to_server; content:"|01|hs5p|0000|"; depth:7; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003138; classtype:trojan-activity; sid:2003138; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any 25 -> any any (msg:"ET DELETED SpamThru trojan SMTP test successful"; flow:established,to_client; dsize:6; content:"XSMTPX"; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003139; classtype:trojan-activity; sid:2003139; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any any (msg:"ET DELETED SpamThru trojan update request"; flow:established,to_server; content:"|01|hs5p|0001|"; depth:7; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003140; classtype:trojan-activity; sid:2003140; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any any (msg:"ET DELETED SpamThru trojan AV DLL request"; flow:established,to_server; content:"|01|hs5p|0007|"; depth:7; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003141; classtype:trojan-activity; sid:2003141; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any any (msg:"ET DELETED SpamThru trojan spam template request"; flow:established,to_server; content:"|01|hs5p|0004|"; depth:7; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003142; classtype:trojan-activity; sid:2003142; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any any (msg:"ET DELETED SpamThru trojan spam run report"; flow:established,to_server; content:"|01|hs5p|0005|"; depth:7; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003143; classtype:trojan-activity; sid:2003143; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any any (msg:"ET DELETED SpamThru trojan AV scan report"; flow:established,to_server; content:"|01|hs5p|0008|"; depth:7; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003144; classtype:trojan-activity; sid:2003144; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SpyEye Bot Checkin"; flow:established,to_server; content:".php?guid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&stat="; nocase; http_uri; content:"&cpu="; nocase; http_uri; content:"&ccrc="; nocase; http_uri; reference:url,www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-020216-0135-99; reference:url,malwareint.blogspot.com/2010/01/spyeye-new-bot-on-market.html; reference:url,www.threatexpert.com/report.aspx?md5=2b8a408b56eaf3ce0198c9d1d8a75ec0; reference:url,doc.emergingthreats.net/2010789; classtype:trojan-activity; sid:2010789; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Srizbi registering with controller"; dsize:20; content:"|2d|"; offset:6; content:"|2d|"; distance:6; within:1; content:!"|00|server."; reference:url,www.secureworks.com/research/threats/ronpaul/; reference:url,doc.emergingthreats.net/2007711; classtype:trojan-activity; sid:2007711; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Traffic Outbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2007634; classtype:trojan-activity; sid:2007634; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Traffic Inbound - Likely Connect Ack"; dsize:2; threshold: type threshold, count 10, seconds 60, track by_dst; reference:url,doc.emergingthreats.net/2007635; classtype:trojan-activity; sid:2007635; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Traffic Inbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_dst; reference:url,doc.emergingthreats.net/2007636; classtype:trojan-activity; sid:2007636; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Traffic Outbound - Likely Connect Ack"; dsize:2; threshold: type threshold, count 10, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2007637; classtype:trojan-activity; sid:2007637; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Making initial outbound connection"; flowbits:isnotset,BE.stormtcp.init; flow:established,to_server; dsize:4; flowbits:noalert; flowbits:set,BE.stormtcp.init; reference:url,doc.emergingthreats.net/bin/view/Main/StormWorm; classtype:trojan-activity; sid:2007640; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET DELETED Storm Controller Response to Drone via tcp"; flowbits:isset,BE.stormtcp.init; flow:established,from_server; dsize:4; reference:url,doc.emergingthreats.net/bin/view/Main/StormWorm; classtype:trojan-activity; sid:2007641; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Variant 1 Traffic (1)"; dsize:25; content:"|10 a6|"; depth:2; threshold: type both, count 2, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2007701; classtype:trojan-activity; sid:2007701; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Variant 1 Traffic (2)"; dsize:25; content:"|10 a0|"; depth:2; threshold: type both, count 2, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2007702; classtype:trojan-activity; sid:2007702; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED System.Poser HTTP Checkin"; flow:established,to_server; content:"/check.php?c="; nocase; http_uri; fast_pattern; content:"&v="; nocase; http_uri; content:"User-Agent|3a| Microsoft BITS"; http_header; reference:url,doc.emergingthreats.net/2008035; classtype:trojan-activity; sid:2008035; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"ET DELETED Win32.Testlink Trojan Speed Test Start port 8888"; flow:established,to_server; dsize:25; content:"GET /test_link HTTP/1.0|0d 0a|"; reference:url,doc.emergingthreats.net/2008435; classtype:trojan-activity; sid:2008435; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"ET DELETED Win32.Testlink Trojan Speed Test port 8888"; flow:established,to_server; dsize:>1000; content:"Data|3a| |00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:35; reference:url,doc.emergingthreats.net/2008436; classtype:trojan-activity; sid:2008436; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"ET DELETED Win32.Testlink Trojan Checkin port 8888"; flow:established,to_server; content:"/stat?uptime="; content:"&downlink="; distance:0; content:"&uplink="; distance:0; content:"&id="; distance:0; reference:url,doc.emergingthreats.net/2008437; classtype:trojan-activity; sid:2008437; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Tibs Download"; flow:established,to_server; content:"/dl.php?code1="; nocase; http_uri; content:"&code2="; nocase; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/2002960; classtype:trojan-activity; sid:2002960; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Tibs Code Download"; flow:established,to_server; content:"/sred2.exe"; nocase; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/2002962; classtype:trojan-activity; sid:2002962; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic Spambot Spam Download"; flow:established,to_server; content:"/synctl/getmail.fcgi?"; nocase; http_uri; content:!"User-Agent|3a|"; http_header; nocase; reference:url,doc.emergingthreats.net/2002965; classtype:trojan-activity; sid:2002965; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic Spambot (often Tibs) Post-Infection Checkin"; flow:established,to_server; uricontent:"/access.php?"; nocase; uricontent:"w="; nocase; uricontent:"&a="; nocase; content:"|0d 0a|Host|3a| "; pcre:"/Host\: \d+\.\d+\.\d+\.\d+\x0d\x0a/"; content:"|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; content:!"|0d 0a|User-Agent|3a| "; reference:url,doc.emergingthreats.net/2008174; classtype:trojan-activity; sid:2008174; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED TinyPE Binary - Possibly Hostile"; flow:from_server,established; content:"MZ"; content:"PE|00 00|"; within:20; reference:url,www.phreedom.org/solar/code/tinype/; reference:url,www.packetninjas.net/blog/2008/11/20/ids-signature-for-extremely-small-portable-executable-files.html; reference:url,doc.emergingthreats.net/2008576; classtype:trojan-activity; sid:2008576; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Tornado Pack Binary Request"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"?o="; http_uri; fast_pattern; content:"&t="; http_uri; content:"&i="; http_uri; content:"&e="; http_uri; reference:url,dxp2532.blogspot.com/2009/05/tornado-exploit-pack.html; classtype:trojan-activity; sid:2009389; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED VMM Detecting Torpig/Anserin/Sinowal Trojan"; flow:to_client,established; content:"|51 51 0F 01 4C 24 00 8B 44 24 02 59 59 C3 E8 ED FF FF FF 25 00 00 00 FF 33 C9 3D 00 00 00 80 0F 95 C1 8B C1 C3|"; reference:url,doc.emergingthreats.net/2003094; classtype:trojan-activity; sid:2003094; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED (UPX) VMM Detecting Torpig/Anserin/Sinowal Trojan"; flow:to_client,established; content:"|51 51 0F 01 27 00 C1 FB B5 D5 35 02 E2 C3 D1 66 25 32 BD 83 7F B7 4E 3D 06 80 0F 95 C1 8B C1 C3|"; reference:url,doc.emergingthreats.net/2003095; classtype:trojan-activity; sid:2003095; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Torpig Ping-Pong Keepalives Outbound"; flow:to_server; dsize:<20; content:"PONG |3a|"; depth:6; reference:url,doc.emergingthreats.net/2010824; classtype:trojan-activity; sid:2010824; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Torpig Ping-Pong Keepalives Inbound"; flow:from_server; dsize:<20; content:"PING |3a|"; depth:6; reference:url,doc.emergingthreats.net/2010825; classtype:trojan-activity; sid:2010825; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 8392 (msg:"ET DELETED Torpig Initial CnC Connect on port 8392"; flow:established,to_server; dsize:4; content:"|00 00 78 e3|"; flowbits:set,ET.torpig.init; reference:url,doc.emergingthreats.net/2010826; classtype:trojan-activity; sid:2010826; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 8392 (msg:"ET DELETED Torpig CnC Connect on port 8392"; flowbits:isset,ET.torpig.init; flow:established,to_server; content:"|00 00|"; depth:2; content:"|00 00 00|"; distance:2; within:5; flowbits:set,ET.torpig.fosure; reference:url,doc.emergingthreats.net/2010827; classtype:trojan-activity; sid:2010827; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 8392 -> $HOME_NET any (msg:"ET DELETED Torpig CnC IP Report Command on port 8392"; flowbits:isset,ET.torpig.fosure; flow:established,from_server; dsize:4; content:"|00 00 00 0d|"; reference:url,doc.emergingthreats.net/2010828; classtype:trojan-activity; sid:2010828; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 8392 -> $HOME_NET any (msg:"ET DELETED Torpig CnC Report Command on port 8392"; flowbits:isset,ET.torpig.fosure; flow:established,from_server; dsize:4; content:"|00 00 01 6f|"; reference:url,doc.emergingthreats.net/2010829; classtype:trojan-activity; sid:2010829; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trest1 Binary Download Attempt (multiple malware variants served)"; flow:established,to_server; content:"GET"; nocase; depth:3; http_method; content:!"Referer|3a| "; http_header; nocase; uricontent:"trest1"; fast_pattern; nocase; content:"User-Agent|3a| "; http_header; nocase; pcre:"/\/(nte|ld)\/[0-9A-Z]*trest1[0-9](\.php|\s\.asp|\.asp|\.py|\.exe|\.htm|\.html)\/[A-Z0-9]+$/Ui"; reference:url,www.malwaredomainlist.com; reference:url,www.malwareurl.com/search.php?domain=&s=trest1&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on; reference:url,doc.emergingthreats.net/2010596; classtype:trojan-activity; sid:2010596; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1800 (msg:"ET DELETED TroDjan 2.0 Infection Report"; flow:established,to_server; dsize:<60; content:"Windows NT "; depth:11; reference:url,doc.emergingthreats.net/2008587; classtype:trojan-activity; sid:2008587; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1802 -> $HOME_NET any (msg:"ET DELETED TroDjan 2.0 FTP Channel Open Command"; flow:established,to_server; dsize:7; content:"ftpopen"; reference:url,doc.emergingthreats.net/2008588; classtype:trojan-activity; sid:2008588; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan.Win32.Qhost C&C Traffic Outbound (case1)"; flow:established; dsize:>1000; content:"|00 00 00 28 0a 00 00 02 0f|Service Pack 1|00|"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=142254; reference:url,doc.emergingthreats.net/2007578; classtype:trojan-activity; sid:2007578; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan.Win32.Qhost C&C Traffic Outbound (case2)"; flow:established; dsize:>1000; content:"|00 00 00 28 0a 00 00 02 0f|Service Pack 2|00|"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=142254; reference:url,doc.emergingthreats.net/2007579; classtype:trojan-activity; sid:2007579; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Trojan.Win32.Qhost C&C Traffic Inbound (case1)"; flow:established; dsize:>1000; content:"|00 00 00 28 0a 00 00 02 0f|Service Pack 1|00|"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=142254; reference:url,doc.emergingthreats.net/2007580; classtype:trojan-activity; sid:2007580; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Trojan.Win32.Qhost C&C Traffic Inbound (case2)"; flow:established; dsize:>1000; content:"|00 00 00 28 0a 00 00 02 0f|Service Pack 2|00|"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=142254; reference:url,doc.emergingthreats.net/2007581; classtype:trojan-activity; sid:2007581; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 9295 (msg:"ET DELETED Troxen GetSpeed Request"; flow:established,to_server; content:"GetSpeed |0d 0a|"; depth:11; reference:url,www.threatexpert.com/report.aspx?md5=af89d15930fe59dcb621069abc83cc66; reference:url,doc.emergingthreats.net/2011233; classtype:trojan-activity; sid:2011233; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Lighty Variant or UltimateDefender POST"; flow:established,to_server; content:"POST"; http_method; content:".php"; content:"gd="; content:"&affid="; content:"&subid="; content:"&prov="; nocase; fast_pattern; reference:url,doc.emergingthreats.net/2008784; classtype:trojan-activity; sid:2008784; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan.StartPage activity"; flow:to_server,established; content:"GET"; depth:3; http_method; content:"stat.htm?id="; http_uri; content:"&r="; http_uri; content:"&lg="; http_uri; content:"&ntime="; http_uri; content:"&repeatip="; http_uri; content:"&rtime="; http_uri; content:"&cnzz|5f|eid="; http_uri; content:"|2d|&showp="; http_uri; content:"&st="; http_uri; content:"&sin"; http_uri; content:"&res="; http_uri; reference:url,doc.emergingthreats.net/2011228; classtype:trojan-activity; sid:2011228; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic Checkin"; flow:established,to_server; dsize:<20; content:"|3a 20|"; offset:2; depth:6; content:"|20 7c 20|"; within:10; reference:url,doc.emergingthreats.net/2007962; classtype:trojan-activity; sid:2007962; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic - Status OK"; flow:established,to_server; dsize:2; content:"OK"; reference:url,doc.emergingthreats.net/2007963; classtype:trojan-activity; sid:2007963; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic - Server Status OK"; flow:established,to_server; dsize:2; content:"OK"; reference:url,doc.emergingthreats.net/2007964; classtype:trojan-activity; sid:2007964; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic - Checkin (XY)"; flow:established,to_server; dsize:<20; content:"XY|3a|2|7c|212"; offset:0; depth:9; reference:url,doc.emergingthreats.net/2007970; classtype:trojan-activity; sid:2007970; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic - Checkin (FYWL)"; flow:established,to_server; dsize:11; content:"FYWL|3a|2|7c|212"; offset:0; depth:11; reference:url,doc.emergingthreats.net/2008223; classtype:trojan-activity; sid:2008223; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic - Checkin (XYLL)"; flow:established,to_server; dsize:11; content:"XYLL|3a|2|7c|212"; offset:0; depth:11; reference:url,doc.emergingthreats.net/2008224; classtype:trojan-activity; sid:2008224; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend/Ceckno C&C Traffic - Checkin"; flow:established,to_server; dsize:<30; content:"VERSONEXc|3a|2|7c|212|7c|"; depth:16; reference:url,doc.emergingthreats.net/2008254; classtype:trojan-activity; sid:2008254; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Beizhu/Womble/Vipdataend Checking in with Controller"; flow:established,to_server; dsize:<70; content:"|3a|Windows"; depth:11; offset:2; content:"|7c|212("; distance:0; within:15; reference:url,doc.emergingthreats.net/2008334; classtype:trojan-activity; sid:2008334; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic - Checkin (variant 3)"; flow:established,to_server; dsize:<42; content:"|3a|Windows "; depth:11; offset:2; reference:url,doc.emergingthreats.net/2009037; classtype:trojan-activity; sid:2009037; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Vundo.dam http Checkin after infection"; flow:established,to_server; content:"install.php?"; nocase; http_uri; content:"afid="; nocase; http_uri; content:"&user_id="; nocase; http_uri; content:"&version="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007572; classtype:trojan-activity; sid:2007572; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Warezov/Stration Challenge"; flow:established,to_server; dsize:1; content:"|38|"; flowbits:noalert; flowbits:set,BEposs.warezov.challenge; reference:url,www.sophos.com/security/analyses/w32strationbo.html; reference:url,doc.emergingthreats.net/2003175; classtype:not-suspicious; sid:2003175; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Warezov/Stration Challenge Response"; flowbits:isset,BEposs.warezov.challenge; flow:established,from_server; dsize:4; content:"|00 00 00 00|"; reference:url,www.sophos.com/security/analyses/w32strationbo.html; reference:url,doc.emergingthreats.net/2003176; classtype:trojan-activity; sid:2003176; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Warezov/Stration Data Post to Controller (pr2.cgi)"; flow:established,to_server; content:"/cgi-bin/pr2.cgi"; http_uri; pcre:"/\/cgi-bin\/pr2\.cgi\?[a-zA-Z0-9]{172}/Ui"; reference:url,doc.emergingthreats.net/2006414; classtype:trojan-activity; sid:2006414; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32.Inject.ajq Initial Checkin to CnC"; flow:established,to_server; dsize:1; content:"|c8|"; flowbits:set,ET.inj.ajq.1; flowbits:noalert; reference:url,doc.emergingthreats.net/2008055; classtype:trojan-activity; sid:2008055; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32.Inject.ajq Initial Checkin to CnC packet 2"; flow:established,to_server; content:"|07|F"; depth:2; flowbits:isset,ET.inj.ajq.1; reference:url,doc.emergingthreats.net/2008056; classtype:trojan-activity; sid:2008056; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Win32.Inject.ajq Initial Checkin to CnC Response"; flow:established,from_server; flowbits:isset,ET.inj.ajq.1; dsize:4; content:"|00 0e 04 00|"; reference:url,doc.emergingthreats.net/2008057; classtype:trojan-activity; sid:2008057; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET DELETED Win32.Inject.ajq Initial Checkin to CnC port 443"; flow:established,to_server; dsize:1; content:"|c8|"; flowbits:set,ET.inj.ajq.1; flowbits:noalert; reference:url,doc.emergingthreats.net/2008058; classtype:trojan-activity; sid:2008058; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET DELETED Win32.Inject.ajq Initial Checkin to CnC packet 2 port 443"; flow:established,to_server; content:"|07|F"; depth:2; flowbits:isset,ET.inj.ajq.1; reference:url,doc.emergingthreats.net/2008059; classtype:trojan-activity; sid:2008059; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Win32.Inject.ajq Initial Checkin to CnC Response port 443"; flow:established,from_server; flowbits:isset,ET.inj.ajq.1; dsize:4; content:"|00 0e 04 00|"; reference:url,doc.emergingthreats.net/2008060; classtype:trojan-activity; sid:2008060; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Proxy.Win32.Wopla.ag Check-In"; flow:established,to_server; dsize:12; content:"|0a 00 00 00 00 00 00 00 00 00 00 00|"; reference:url,doc.emergingthreats.net/2007603; classtype:trojan-activity; sid:2007603; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED WindowsEnterpriseSuite FakeAV Dynamic User-Agent"; flow:established,to_server; content:"User-Agent|3a| We"; content:!"User-Agent|3a| Webmin|0d 0a|"; http_header; pcre:"/User-Agent\x3a We[a-z0-9]{4}\x0d\x0a/H"; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010262; classtype:trojan-activity; sid:2010262; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Winspywareprotect.com Fake AV/Anti-Spyware Secondary Checkin"; flow:established,to_server; content:"/stat.php?func=scanfinished&id="; http_uri; reference:url,doc.emergingthreats.net/2008251; classtype:trojan-activity; sid:2008251; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED XPantivirus2008 Download"; flow:to_server,established; content:"GET"; depth:3; http_method; content:"XPantivirus20"; nocase; http_uri; pcre:"/XPantivirus20\d{2}_v\d{6}\.exe/Ui"; reference:url,www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/page4.html; reference:url,seo.mhvt.net/blog/?p=390; reference:url,virscan.org/report/a61cd44fc387188da2ee3fbdeda10782.html; reference:url,doc.emergingthreats.net/2008516; classtype:trojan-activity; sid:2008516; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Xorer.ez HTTP Checkin to CnC"; flow:established,to_server; content:"/qq.html?username="; nocase; http_uri; content:"&zhaosp="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008081; classtype:trojan-activity; sid:2008081; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zapchast Bot User-Agent"; flow:established,to_server; content:"User-Agent|3a| MJ12bot/"; http_header; reference:url,www.majestic12.co.uk/bot.php; reference:url,doc.emergingthreats.net/2007781; classtype:trojan-activity; sid:2007781; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zbot/Zeus C&C Access"; flow:to_server,established; content:"in.php?m=home"; http_uri; reference:url,doc.emergingthreats.net/2009175; classtype:trojan-activity; sid:2009175; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zbot/Zeus Dropper Infection - /check"; flow:established,to_server; uricontent:"/check"; content:"User-Agent|3a| Microsoft Internet Explorer|0d 0a|"; http_header; content:"Cache-Control|3a| no-cache|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2009212; classtype:trojan-activity; sid:2009212; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zeus Bot Request to CnC"; flow:established,to_server; uricontent:".bin"; content:"GET"; depth:3; http_method; content:".bin HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|Connection|3a| Close|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|Host|3a| "; content:!"|0d 0a|Referer|3a|"; nocase; reference:url,doc.emergingthreats.net/2010861; classtype:trojan-activity; sid:2010861; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zlob User Agent - updating (unknown)"; flow:established,to_server; content:"User-Agent|3a| unknown"; http_header; content:!".real.com|0d 0a|"; http_header; content:!".rhapsody.com|0D 0A|"; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2007567; classtype:trojan-activity; sid:2007567; rev:9; metadata:created_at 2010_07_30, updated_at 2017_09_13;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User Agent (Zlob Related) (UA00000)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible"; http_header; content:"|3b| UA"; http_header; fast_pattern; pcre:"/User-Agent\:[^\n]+\; UA\d\d\d\d\d\;/H"; reference:url,doc.emergingthreats.net/2008083; classtype:trojan-activity; sid:2008083; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Adware.AdzgaloreBiz/AdRotator!IK Install/Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?inst_result="; http_uri; content:"&hwid="; http_uri; content:"User-Agent|3a| NSISDL/1.2 (Mozilla)|0d 0a|"; http_header; pcre:"/\.php\?inst_result=.+&hwid=/Ui"; reference:url,www.threatexpert.com/report.aspx?md5=1ca433d3f5538fda49c5defb59232f9d; reference:url,doc.emergingthreats.net/2009305; classtype:trojan-activity; sid:2009305; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan.Zonebac.D"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"cid="; nocase; http_uri;content:"&aid="; nocase; http_uri; content:"&time="; nocase; http_uri; content:"&fw="; nocase; http_uri; content:"&v="; nocase; http_uri;content:"&m="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008682; classtype:trojan-activity; sid:2008682; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1345 (msg:"ET DELETED AIM Bot Outbound Control Channel Open and Login"; flow: to_server,established; content:"PASS "; nocase; content:"|0d 0a|NICK "; fast_pattern; nocase; distance:0; content:"|0d 0a|USER "; nocase; distance:0; pcre:"/^.*?\s\d\s\d\s\:\S/Ri"; reference:url,doc.emergingthreats.net/2001910; classtype:trojan-activity; sid:2001910; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any $HTTP_PORTS (msg:"ET DELETED Allaple Unique HTTP Request - Possibly part of DDOS"; flow:established,to_server; content:"GET /  HTTP/1.1|0d 0a|"; rawbytes; depth:20; threshold:type both, count 1, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2003484; reference:url,isc.sans.org/diary.html?storyid=2451; classtype:trojan-activity; sid:2003484; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Beagle User Agent Detected"; flow: to_server,established; dsize:<150; content:"User-Agent|3a| beagle_beagle"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.beagle.i@mm.html; reference:url,doc.emergingthreats.net/2001269; classtype:trojan-activity; sid:2001269; rev:17; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible CIA Trojan download/upload attempt"; content:"|6C 75 66 6A 65 6F 6F|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2001233; classtype:trojan-activity; sid:2001233; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Worm.Win32.Evolmi Checkin"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"/cgi-bin/v.pl|3f 5f|"; nocase; http_uri; reference:url,doc.emergingthreats.net/2008846; classtype:trojan-activity; sid:2008846; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> any 445 (msg:"ET DELETED Korgo.P offering executable"; flow: to_server,established; content:"|FF|SMB"; depth: 10; content:"|58|http"; content:".exe"; nocase; within: 36; reference:url,www.f-secure.com/v-descs/korgo_p.shtml; reference:url,doc.emergingthreats.net/2001337; classtype:trojan-activity; sid:2001337; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> any any (msg:"ET DELETED Korgo.P binary upload"; flow: to_server,established; content:"|aa4f7ea86c90457d686868f0de687a68689768686868|"; fast_pattern; reference:url,www.f-secure.com/v-descs/korgo_p.shtml; reference:url,doc.emergingthreats.net/2001338; classtype:trojan-activity; sid:2001338; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Korgo.U Reporting"; flow: to_server,established; content:"/index.php?id="; nocase; http_uri; content:"cnt="; http_uri; nocase; content:"&scn="; nocase; http_uri; content:"&inf="; nocase; http_uri; content:"&ver="; nocase; http_uri; reference:url,www.f-secure.com/v-descs/korgo_u.shtml; reference:url,doc.emergingthreats.net/2003070; classtype:trojan-activity; sid:2003070; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Korgo.P Reporting"; flow: to_server,established; content:"/index.php?id="; nocase; http_uri; content:"?cnt="; nocase; http_uri; content:"?scn="; nocase; http_uri; content:"?inf="; nocase; http_uri; content:"?ver="; nocase; http_uri; reference:url,www.f-secure.com/v-descs/korgo_p.shtml; reference:url,doc.emergingthreats.net/2008192; classtype:trojan-activity; sid:2008192; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible MSN Worm Exploit php"; flow: established; content:"X-MMS-IM-"; depth:153; fast_pattern; content:"http"; nocase; content:".php"; nocase; reference:url,doc.emergingthreats.net/2002322; classtype:misc-activity; sid:2002322; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible MSN Worm Exploit exe"; flow: established; content:"X-MMS-IM-"; depth:153; fast_pattern; content:"http"; nocase; content:".exe"; nocase; reference:url,doc.emergingthreats.net/2002323; classtype:misc-activity; sid:2002323; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible MSN Worm Exploit pif"; flow: established; content:"X-MMS-IM-"; depth:153; fast_pattern; content:"http"; nocase; content:".pif"; nocase; reference:url,doc.emergingthreats.net/2002324; classtype:misc-activity; sid:2002324; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED W32.kelvir.HI"; flow: established; content:"X-MMS-IM-"; depth:153; fast_pattern; content:"search.php?data="; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.kelvir.hi.html; reference:url,doc.emergingthreats.net/2002325; classtype:misc-activity; sid:2002325; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET DELETED Outbound W32.Novarg.A worm"; flow: established; content:"TVqQAAMAAAAEAAAA"; content:"8AALgAAAAAAAAAQ"; within: 20; distance: 2; content:"UEUA..AEwBAW"; content:"DgAA8BCwEHAABQAAAAE"; within: 40; distance: 16; content:"ABVUFgwAAAAAABgAAAAEAAAAAAAAAAEA"; fast_pattern; content:"ACAAADg"; within: 30; distance: 16; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.a@mm.html; reference:url,doc.emergingthreats.net/2001273; classtype:trojan-activity; sid:2001273; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED HTTP RBOT Challenge/Response Authentication"; flow: to_server,established; content:"Host|3A 20|"; nocase; content:"|3A 20|Negotiate|20|YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEAQUFBQUFBQUFBQUFBQUFB"; nocase; reference:url,isc.sans.org/diary.php?date=2005-06-03; reference:url,www.phreedom.org/solar/exploits/msasn1-bitstring; reference:url,doc.emergingthreats.net/2001985; classtype:trojan-activity; sid:2001985; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED W32/Sasser.worm.a"; flow: established; content:"|BC 3B 74 0B 50 8B 3D E8 46 A7 3D 09 85 B8 F8 CD 76 40 DE 7C 5B 5C D7 2A A8 E8 58 75 62 96 25 24|"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html; reference:url,doc.emergingthreats.net/2001057; classtype:misc-activity; sid:2001057; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED W32/Sasser.worm.b"; flow: established; content:"|58 BC 0C FF 59 57 32 31 BD EC 34 64 6E D6 E3 8D 65 04 68 58 62 79 DF D8 2C 25 6A B5 28 BA 13 74|"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html; reference:url,doc.emergingthreats.net/2001056; classtype:misc-activity; sid:2001056; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any 5554 (msg:"ET DELETED Sasser FTP Traffic"; flow: to_server,established; content:"up.exe"; reference:url,vil.mcafeesecurity.com/vil/content/Print125009.htm; reference:url,doc.emergingthreats.net/2000040; classtype:misc-activity; sid:2000040; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any 9996 (msg:"ET DELETED Sasser Transfer _up.exe"; flow: established,to_server; content:"|5F75702E657865|"; depth: 250; fast_pattern; reference:url,vil.mcafeesecurity.com/vil/content/Print125009.htm; reference:url,doc.emergingthreats.net/2000047; classtype:misc-activity; sid:2000047; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 5554 (msg:"ET DELETED Sasser FTP exploit attempt"; flow: to_server,established; dsize: >150; content:"PORT "; depth: 5; reference:url,www.lurhq.com/dabber.html; reference:url,doc.emergingthreats.net/2001548; classtype:attempted-admin; sid:2001548; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"ET DELETED Singworm MSN message Outbound"; flow:established; content:"Here are the new smiles for MSN, they are incredible!"; fast_pattern:only; reference:url,doc.emergingthreats.net/2007605; classtype:trojan-activity; sid:2007605; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"ET DELETED Singworm MSN message Inbound"; flow:established; content:"Here are the new smiles for MSN, they are incredible!"; fast_pattern:only; reference:url,doc.emergingthreats.net/2007606; classtype:trojan-activity; sid:2007606; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED FathFTP ActiveX Control RasIsConnected Method Buffer Overflow Attempt"; flow:to_client,established; flowbits:isset,etpro.clsid.detected; file_data; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"62A989CE-D39A-11D5-86F0-B9C370762176"; nocase; distance:0; content:"RasIsConnected"; nocase; distance:0; reference:url,exploit-db.com/exploits/14269/; reference:url,doc.emergingthreats.net/2011252; classtype:web-application-attack; sid:2011252; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Foxit PDF Reader Buffer Overflow Attempt"; flow:established,to_client; content:"PDF-"; depth:300; content:"Launch"; nocase; distance:0; isdataat:600,relative; content:!"|0A|"; within:600; content:"NewWindow true"; nocase; distance:600; reference:url,www.coresecurity.com/content/foxit-reader-vulnerabilities#lref.4; reference:cve,2009-0837; reference:url,doc.emergingthreats.net/2010876; classtype:attempted-user; sid:2010876; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED IBiz E-Banking Integrator V2 ActiveX Edition Insecure Method"; flow:to_client,established; file_data; content:"24445430-F789-11CE-86F8-0020AFD8C6DB"; nocase; distance:0; pcre:"/.*\.(ini|exe|dll|bat|com|cab|txt)/i"; content:"WriteOFXDataFile"; nocase; distance:0; reference:url,www.milw0rm.com/exploits/5416; reference:url,doc.emergingthreats.net/2008126; classtype:web-application-attack; sid:2008126; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Microsoft Multimedia Controls - ActiveX control's KeyFrame function call CSLID"; flow:from_server,established; file_data; content:"D7A7D7C3-D47F-11D0-89D3-00A0C90833E6"; nocase; distance:0; content:".KeyFrame|28|"; nocase; distance:0; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=28842; reference:cve,2006-4777; reference:url,doc.emergingthreats.net/2003104; classtype:attempted-user; sid:2003104; rev:15; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED COM Object Instantiation Memory Corruption Vulnerability (group 1)"; flow:established,from_server; pcre:"/03D9F3F2-B0E3-11D2-B081-006008039BF0|860BB310-5D01-11D0-BD3B-00A0C911CE86|E0F158E1-CB04-11D0-BD4E-00A0C911CE86|33D9A761-90C8-11D0-BD43-00A0C911CE86|4EFE2452-168A-11D1-BC76-00C04FB9453B|33D9A760-90C8-11D0-BD43-00A0C911CE86|33D9A762-90C8-11D0-BD43-00A0C911CE86|083863F1-70DE-11D0-BD40-00A0C911CE86|18AB439E-FCF4-40D4-90DA-F79BAA3B0655|31087270-D348-432C-899E-2D2F38FF29A0|D2923B86-15F1-46FF-A19A-DE825F919576|FD78D554-4C6E-11D0-970D-00A0C9191601|52CA3BCF-3B9B-419E-A3D6-5D28C0B0B50C/i"; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx; reference:url,doc.emergingthreats.net/2002171; classtype:web-application-attack; sid:2002171; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED COM Object Instantiation Memory Corruption Vulnerability (group 2)"; flow:established,from_server; pcre:"/01E04581-4EEE-11D0-BFE9-00AA005B4383|AF604EFE-8897-11D1-B944-00A0C90312E1|7849596A-48EA-486E-8937-A2A3009F31A9|FBEB8A05-BEEE-4442-804E-409D6C4515E9|3050F391-98B5-11CF-BB82-00AA00BDCE0B|8EE42293-C315-11D0-8D6F-00A0C9A06E1F|2A6EB050-7F1C-11CE-BE57-00AA0051FE20|510A4910-7F1C-11CE-BE57-00AA0051FE20|6D36CE10-7F1C-11CE-BE57-00AA0051FE20|860D28D0-8BF4-11CE-BE59-00AA0051FE20|9478F640-7F1C-11CE-BE57-00AA0051FE20|B0516FF0-7F1C-11CE-BE57-00AA0051FE20|D99F7670-7F1A-11CE-BE57-00AA0051FE20/i"; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx; reference:url,doc.emergingthreats.net/2002172; classtype:web-application-attack; sid:2002172; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED COM Object Instantiation Memory Corruption Vulnerability (group 3)"; flow:established,from_server; pcre:"/EEED4C20-7F1B-11CE-BE57-00AA0051FE20|C7B6C04A-CBB5-11D0-BB4C-00C04FC2F410|85BBD920-42A0-1069-A2E4-08002B30309D|E846F0A0-D367-11D1-8286-00A0C9231C29|B4B3AECB-DFD6-11D1-9DAA-00805F85CFE3|ECABB0BF-7F19-11D2-978E-0000F8757E2A|466D66FA-9616-11D2-9342-0000F875AE17|67DCC487-AA48-11D1-8F4F-00C04FB611C7|00022613-0000-0000-C000-000000000046|D2D588B5-D081-11D0-99E0-00C04FC2F8EC|5D08B586-343A-11D0-AD46-00C04FD8FDFF|CC7BFB42-F175-11D1-A392-00E0291F3959|CC7BFB43-F175-11D1-A392-00E0291F3959|3F8A6C33-E0FD-11D0-8A8C-00A0C90C2BC5/i"; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx; reference:url,doc.emergingthreats.net/2002173; classtype:web-application-attack; sid:2002173; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Internet Explorer Vulnerable CLSID (Msdds.dll)"; flow:established,from_server; file_data; content:"EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F"; nocase; distance:0; reference:url,www.frsirt.com/exploits/20050817.IE-Msddsdll-0day.php; reference:url,doc.emergingthreats.net/2002308; classtype:web-application-attack; sid:2002308; rev:51; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED COM Object MS05-052 (group 1)"; flow:established,from_server; pcre:"/BC5F1E51-5110-11D1-AFF5-006097C9A284|F27CE930-4CA3-11D1-AFF2-006097C9A284|3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D|ECABAFC2-7F19-11D2-978E-0000F8757E2A|283807B8-2C60-11D0-A31D-00AA00B92C03|250770F3-6AF2-11CF-A915-008029E31FCD|D24D4453-1F01-11D1-8E63-006097D2DF48|03CB9467-FD9D-42A8-82F9-8615B4223E6E|598EBA02-B49A-11D2-A1C1-00609778EA66|8FE7E181-BB96-11D2-A1CB-00609778EA66|4CFB5280-800B-4367-848F-5A13EBF27F1D|B3E0E785-BD78-4366-9560-B7DABE2723BE|208DD6A3-E12B-4755-9607-2E39EF84CFC5/i"; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx; reference:url,doc.emergingthreats.net/2002491; classtype:web-application-attack; sid:2002491; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED COM Object MS05-052 (group 2)"; flow:established,from_server; pcre:"/4FAAB301-CEF6-477C-9F58-F601039E9B78|6CBE0382-A879-4D2A-8EC3-1F2A43611BA8|F117831B-C052-11D1-B1C0-00C04FC2F3EF|3050F667-98B5-11CF-BB82-00AA00BDCE0B|1AA06BA1-0E88-11D1-8391-00C04FBD7C09|F28D867A-DDB1-11D3-B8E8-00A0C981AEEB|6B7F1602-D44C-11D0-A7D9-AE3D17000000|7007ACCF-3202-11D1-AAD2-00805FC1270E|992CFFA0-F557-101A-88EC-00DD010CCC48|00020420-0000-0000-C000-000000000046|0006F02A-0000-0000-C000-000000000046|ABBA001B-3075-11D6-88A4-00B0D0200F88|CE292861-FC88-11D0-9E69-00C04FD7C15B/i"; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx; reference:url,doc.emergingthreats.net/2002492; classtype:web-application-attack; sid:2002492; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED COM Object MS05-052 (group 3)"; flow:established,from_server; pcre:"/6E227101-F799-11CF-9227-00AA00A1EB95|7057E952-BD1B-11D1-8919-00C04FC2C836|7007ACC7-3202-11D1-AAD2-00805FC1270E|4622AD11-FF23-11D0-8D34-00A0C90F2719|98CB4060-D3E7-42A1-8D65-949D34EBFE14|47C6C527-6204-4F91-849D-66E234DEE015|35CEC8A3-2BE6-11D2-8773-92E220524153|730F6CDC-2C86-11D2-8773-92E220524153|2C10A98F-D64F-43B4-BED6-DD0E1BF2074C|6F9F3481-84DD-4B14-B09C-6B4288ECCDE8|8E26BFC1-AFD6-11CF-BFFC-00AA003CFDFC|F0975AFE-5C7F-11D2-8B74-00104B2AFB41/i"; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx; reference:url,doc.emergingthreats.net/2002493; classtype:web-application-attack; sid:2002493; rev:81; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Microsoft XML Core Services DTD Cross Domain Information Disclosure object"; flow:to_client,established; content:"Msxml2.DOMDocument.3.0"; nocase; content:"loadXML"; distance:0; nocase; content:"parseError.srcText"; distance:0; nocase; reference:bugtraq,32155; reference:url,milw0rm.com/exploits/7196; reference:url,doc.emergingthreats.net/2008886; classtype:web-application-attack; sid:2008886; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Opera User-Agent Flowbit Set"; flow:established,to_server; content:"|0d 0a|User-Agent|3A| Opera/"; nocase; flowbits:set,ET.opera.useragent.request; flowbits:noalert; reference:url,doc.emergingthreats.net/2010873; classtype:not-suspicious; sid:2010873; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible Opera Web Browser Content-Length Buffer Overflow Attempt"; flowbits:isset,ET.opera.useragent.request; flow:established,to_client; content:"Content-Length|3A|"; nocase; http_header; isdataat:3000,relative; content:!"|0A|"; within:3000; content:"Location|3A| chrome|3A|//"; fast_pattern; nocase; http_header; distance:3000; reference:url,www.securityfocus.com/bid/38519; reference:url,doc.emergingthreats.net/2010874; classtype:attempted-user; sid:2010874; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED MaMa CaSpEr RFI Scan"; flow:established,to_server; content:"User-Agent|3a| MaMa CaSpEr|0D 0A|"; nocase; http_header; reference:url,doc.emergingthreats.net/2011176; classtype:web-application-attack; sid:2011176; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET DELETED osCommerce vulnerable web application extras update.php exists"; flow:to_client,established; content:"Select an SQL file to install"; fast_pattern:only; reference:url,retrogod.altervista.org/oscommerce_22_adv.html; reference:url,doc.emergingthreats.net/2002863; classtype:attempted-recon; sid:2002863; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Exploit Suspected PHP Injection Attack (name=)"; flow:to_server,established; content:"GET"; nocase; http_method; content:".php?"; nocase; http_uri; content:"name="; fast_pattern; nocase; http_uri; pcre:"/name=(https?|ftps?|php)/Ui"; reference:cve,2002-0953; reference:url,doc.emergingthreats.net/2001621; classtype:web-application-attack; sid:2001621; rev:36; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED PHP remote file include exploit attempt"; flow: to_server,established; content:"GET"; nocase; http_method; content:".php?"; nocase; http_uri; content:"cmd="; fast_pattern; nocase; http_uri; pcre:"/=(https?|ftps?|php)\:\/.{0,100}cmd=/Ui"; reference:url,doc.emergingthreats.net/2001810; classtype:attempted-admin; sid:2001810; rev:29; metadata:affected_product Any, attack_target Server, deployment Datacenter, tag Remote_File_Include, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED PacketShaper DoS attempt"; flow:to_server,established; content:"/rpttop.htm"; http_uri; pcre:"/MEAS\.TYPE=(?!(link|class)&)/U"; reference:url,doc.emergingthreats.net/2004449; classtype:denial-of-service; sid:2004449; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED PHP Remote File Inclusion (monster list http)"; flow:established,to_server; content:".php"; nocase; http_uri; content:"http"; nocase; http_uri;  pcre:"/\.php.+?(?:c(?:(?:onfi|f)g|alendar)|p(?:a(?:ge|th)|rog)|l(?:ang(uage)?|ib)|f(?:older|ile|ad)|d(?:omain|ir|f)|s(?:ettings|bp)|a(?:genda|uth)|i(?:con|ncl|d)|n(?:ame|ews)|r(?:oot|f)|gallery|type|ext|mod|[a-z](\[.*\])+?)\s*=\s*https?/Ui"; reference:url,www.sans.org/top20/; reference:url,doc.emergingthreats.net/2002997; classtype:web-application-attack; sid:2002997; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED RSA Web Auth Exploit Attempt - Long URL"; flow:to_server,established; content:"/WebID/IISWebAgentIF.dll"; http_uri; content:"?Redirect?"; nocase; http_uri; pcre:"/url=.{8000}/iU"; reference:url,secunia.com/advisories/17281; reference:url,www.metasploit.com/projects/Framework/modules/exploits/rsa_iiswebagent_redirect.pm; reference:url,doc.emergingthreats.net/2002660; reference:url,doc.emergingthreats.net/2002660; classtype:web-application-activity; sid:2002660; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET DELETED Tilde in URI after file, potential source disclosure vulnerability"; flow:established,from_server; pcre:"/^HTTP\x2f1\.[01] 200/"; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009954; classtype:web-application-attack; sid:2009954; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED WebAttacker kit (exploit ie0604)"; flow:established,to_server; content:"ie0604.cgi?exploit"; nocase; http_uri; reference:url,doc.emergingthreats.net/2002870; classtype:web-application-attack; sid:2002870; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED WebAttacker kit (bug ie0604)"; flow:established,to_server; uricontent:"ie0604.cgi?bug="; nocase; reference:url,doc.emergingthreats.net/2002871; classtype:web-application-attack; sid:2002871; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED WebAttacker kit (exploit1 ie0601)"; flow:established,to_server; content:"ie0601.cgi?exploit"; nocase; http_uri; reference:url,doc.emergingthreats.net/2002869; classtype:web-application-attack; sid:2002869; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED WebAttacker kit (ie0606)"; flow:established,to_server; content:"ie0606.cgi?"; nocase; http_uri; reference:url,doc.emergingthreats.net/2002937; classtype:web-application-attack; sid:2002937; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED WebAttacker RootLauncher"; flow:established,to_server; content:"rleadmin.cgi?getexe="; nocase; http_uri; reference:url,doc.emergingthreats.net/2003063; classtype:web-application-attack; sid:2003063; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vehicleID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007504; classtype:web-application-attack; sid:2007504; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID UNION SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vehicleID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007505; classtype:web-application-attack; sid:2007505; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID INSERT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vehicleID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007506; classtype:web-application-attack; sid:2007506; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID DELETE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vehicleID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007507; classtype:web-application-attack; sid:2007507; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID ASCII"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vehicleID="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007508; classtype:web-application-attack; sid:2007508; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID UPDATE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vehicleID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007509; classtype:web-application-attack; sid:2007509; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Community Link Pro Login.CGI Remote Command Execution Attempt"; flow:to_server,established; content:"/login.cgi?"; nocase; http_uri; pcre:"/(file=\|.+\|)/"; reference:bugtraq,14097; reference:url,doc.emergingthreats.net/2002067; classtype:web-application-attack; sid:2002067; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp iType SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iType="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006718; classtype:web-application-attack; sid:2006718; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp iType UNION SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iType="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006719; classtype:web-application-attack; sid:2006719; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp iType INSERT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iType="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006720; classtype:web-application-attack; sid:2006720; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp iType DELETE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iType="; nocase; http_uri; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006721; classtype:web-application-attack; sid:2006721; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp iType ASCII"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iType="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006722; classtype:web-application-attack; sid:2006722; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp iType UPDATE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iType="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006723; classtype:web-application-attack; sid:2006723; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp Action SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"Action="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006724; classtype:web-application-attack; sid:2006724; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp Action UNION SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"Action="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006725; classtype:web-application-attack; sid:2006725; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp Action INSERT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"Action="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006726; classtype:web-application-attack; sid:2006726; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp Action DELETE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"Action="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006727; classtype:web-application-attack; sid:2006727; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp Action ASCII"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"Action="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006728; classtype:web-application-attack; sid:2006728; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp Action UPDATE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"Action="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006729; classtype:web-application-attack; sid:2006729; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp ad_id SELECT"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"ad_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007024; classtype:web-application-attack; sid:2007024; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp ad_id UNION SELECT"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"ad_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007025; classtype:web-application-attack; sid:2007025; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp ad_id INSERT"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"ad_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007026; classtype:web-application-attack; sid:2007026; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp ad_id DELETE"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"ad_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007027; classtype:web-application-attack; sid:2007027; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp ad_id ASCII"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"ad_id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007028; classtype:web-application-attack; sid:2007028; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp ad_id UPDATE"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"ad_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007029; classtype:web-application-attack; sid:2007029; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass SELECT"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005366; classtype:web-application-attack; sid:2005366; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UNION SELECT"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005367; classtype:web-application-attack; sid:2005367; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass INSERT"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005368; classtype:web-application-attack; sid:2005368; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass DELETE"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005369; classtype:web-application-attack; sid:2005369; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass ASCII"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005370; classtype:web-application-attack; sid:2005370; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UPDATE"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005371; classtype:web-application-attack; sid:2005371; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php SELECT"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004146; classtype:web-application-attack; sid:2004146; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php INSERT"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004148; classtype:web-application-attack; sid:2004148; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php DELETE"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004149; classtype:web-application-attack; sid:2004149; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php ASCII"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004150; classtype:web-application-attack; sid:2004150; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php UPDATE"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004151; classtype:web-application-attack; sid:2004151; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php SELECT"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004730; classtype:web-application-attack; sid:2004730; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php UNION SELECT"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004731; classtype:web-application-attack; sid:2004731; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php INSERT"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004732; classtype:web-application-attack; sid:2004732; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php DELETE"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004733; classtype:web-application-attack; sid:2004733; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php ASCII"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004734; classtype:web-application-attack; sid:2004734; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php UPDATE"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004735; classtype:web-application-attack; sid:2004735; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED phpbb Session Cookie"; flow: established; content:"phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D"; nocase; reference:url,www.waraxe.us/ftopict-555.html; reference:url,doc.emergingthreats.net/2001762; classtype:web-application-attack; sid:2001762; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Possible PHP-Calendar configfile Remote .PHP File Inclusion Arbitrary Code Execution Attempt"; flow:established,to_server; uricontent:"/php-calendar-1.1/update"; nocase; uricontent:"configfile="; nocase; content:".php"; nocase; pcre:"/\x2Fphp-calendar-1.1\x2Fupdate(08|10)\x2Ephp(\x3F|.*(\x26|\x3B))configfile=[^\x26\x3B]*[^a-zA-Z0-9_]/Ui"; reference:url,securitytracker.com/alerts/2009/Dec/1023375.html; reference:cve,2009-3702; reference:url,doc.emergingthreats.net/2010531; classtype:web-application-attack; sid:2010531; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Phorum Possible Javascript/Remote-File-Inclusion 1"; flow:to_server,established; uricontent:"/posting.php"; content:"color="; nocase; content:"xss|3a|expression"; within: 20; nocase; reference:url,www.securityfocus.com/bid/12869; reference:url,www.milw0rm.com/exploits/9231; reference:url,doc.emergingthreats.net/2009679; classtype:web-application-attack; sid:2009679; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Phorum Possible Javascript/Remote-File-Inclusion 2"; flow:to_server,established; uricontent:"/posting.php"; content:"size="; nocase; content:"xss|3a|expression"; within: 20; nocase; reference:url,www.securityfocus.com/bid/12869; reference:url,www.milw0rm.com/exploits/9231; reference:url,doc.emergingthreats.net/2009680; classtype:web-application-attack; sid:2009680; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Phorum Possible Javascript/Remote-File-Inclusion 3"; flow:to_server,established; uricontent:"/posting.php"; content:"color="; nocase; content:"javascript"; within: 20; nocase; reference:url,www.securityfocus.com/bid/12869; reference:url,www.milw0rm.com/exploits/9231; reference:url,doc.emergingthreats.net/2009681; classtype:web-application-attack; sid:2009681; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Phorum Possible Javascript/Remote-File-Inclusion 4"; flow:to_server,established; uricontent:"/posting.php"; content:"size="; nocase; content:"javascript"; within: 20; nocase; reference:url,www.securityfocus.com/bid/12869; reference:url,www.milw0rm.com/exploits/9231; reference:url,doc.emergingthreats.net/2009682; classtype:web-application-attack; sid:2009682; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Phorum Possible Javascript/Remote-File-Inclusion 5"; flow:to_server,established; uricontent:"/posting.php"; content:"color="; nocase; content:"|3a|url("; within: 20; nocase; reference:url,www.securityfocus.com/bid/12869; reference:url,www.milw0rm.com/exploits/9231; reference:url,doc.emergingthreats.net/2009683; classtype:web-application-attack; sid:2009683; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Phorum Possible Javascript/Remote-File-Inclusion 6"; flow:to_server,established; uricontent:"/posting.php"; content:"size="; nocase; content:"|3a|url("; within: 20; nocase; reference:url,www.securityfocus.com/bid/12869; reference:url,www.milw0rm.com/exploits/9231; reference:url,doc.emergingthreats.net/2009684; classtype:web-application-attack; sid:2009684; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED TxtBlog index.php m Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index.php?m="; nocase; pcre:"/(\.\.\/){1,}/U"; reference:bugtraq,32498; reference:url,milw0rm.com/exploits/7241; reference:url,doc.emergingthreats.net/2008923; classtype:web-application-attack; sid:2008923; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Way Of The Warrior visualizza.php plancia Parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/visualizza.php?"; http_uri; nocase; content:"plancia="; http_uri; nocase; pcre:"/(\.\.\/){1,}/U"; reference:url,secunia.com/advisories/32515/; reference:url,milw0rm.com/exploits/6992; reference:url,doc.emergingthreats.net/2008824; classtype:web-application-attack; sid:2008824; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Way Of The Warrior crea.php plancia Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"crea.php?"; nocase; uricontent:"plancia="; nocase; pcre:"/(\.\.\/){1,}/U"; reference:url,secunia.com/advisories/32515/; reference:url,milw0rm.com/exploits/6992; reference:url,doc.emergingthreats.net/2008825; classtype:web-application-attack; sid:2008825; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php SELECT"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005865; classtype:web-application-attack; sid:2005865; rev:6; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005866; classtype:web-application-attack; sid:2005866; rev:6; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php INSERT"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005867; classtype:web-application-attack; sid:2005867; rev:6; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php DELETE"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005868; classtype:web-application-attack; sid:2005868; rev:6; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php ASCII"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005869; classtype:web-application-attack; sid:2005869; rev:6; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php UPDATE"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005870; classtype:web-application-attack; sid:2005870; rev:6; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED TFN client command LE"; icmp_id:51201; icmp_seq:0; itype:0; reference:arachnids,183; classtype:attempted-dos; sid:2100251; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED Stacheldraht client check skillz"; icmp_id:666; itype:0; content:"skillz"; reference:arachnids,190; classtype:attempted-dos; sid:2100229; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED TFN Probe"; icmp_id:678; itype:8; content:"1234"; reference:arachnids,443; classtype:attempted-recon; sid:2100221; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED TFN client command BE"; icmp_id:456; icmp_seq:0; itype:0; reference:arachnids,184; classtype:attempted-dos; sid:2100228; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED tfn2k icmp possible communication"; icmp_id:0; itype:0; content:"AAAAAAAAAA"; reference:arachnids,425; classtype:attempted-dos; sid:2100222; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"GPL DELETED Stacheldraht agent->handler skillz"; icmp_id:6666; itype:0; content:"skillz"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:2101855; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"GPL DELETED Stacheldraht handler->agent ficken"; icmp_id:6667; itype:0; content:"ficken"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:2101856; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"GPL DELETED Stacheldraht handler->agent niggahbitch"; icmp_id:9015; itype:0; content:"niggahbitch"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:2101854; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL DELETED Stacheldraht gag server response"; icmp_id:669; itype:0; content:"sicken"; reference:arachnids,195; classtype:attempted-dos; sid:2100225; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL DELETED Stacheldraht server response"; icmp_id:667; itype:0; content:"ficken"; reference:arachnids,191; classtype:attempted-dos; sid:2100226; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL DELETED TFN server response"; icmp_id:123; icmp_seq:0; itype:0; content:"shell bound to port"; reference:arachnids,182; classtype:attempted-dos; sid:2100238; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp 3.3.3.3/32 any -> $EXTERNAL_NET any (msg:"GPL DELETED Stacheldraht server spoof"; icmp_id:666; itype:0; reference:arachnids,193; classtype:attempted-dos; sid:2100224; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"GPL DELETED AIM AddExternalApp attempt"; flow:to_client,established; content:"aim|3A|AddExternalApp?"; nocase; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:2101752; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"GPL DELETED AIM AddGame attempt"; flow:to_client,established; content:"aim|3A|AddGame?"; nocase; reference:bugtraq,3769; reference:cve,2002-0005; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:2101393; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL DELETED dildo"; flow:to_client,established; content:"dildo"; nocase; classtype:policy-violation; sid:2101781; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL DELETED nipple clamp"; flow:to_client,established; content:"nipple"; nocase; content:"clamp"; nocase; classtype:policy-violation; sid:2101782; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL DELETED oral sex"; flow:to_client,established; content:"oral sex"; nocase; classtype:policy-violation; sid:2101783; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL DELETED raw sex"; flow:to_client,established; content:"raw sex"; nocase; classtype:policy-violation; sid:2101786; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL DELETED Content-Disposition CLSID command attempt"; flow:to_client,established; content:"Content-Disposition|3A|"; http_header; nocase; pcre:"/^Content-Disposition\x3a[^\r\n]*\{[\da-fA-F]{8}(-[\da-fA-F]{4}){3}-[\da-fA-F]{12}\}/smi"; reference:bugtraq,9510; reference:cve,2004-0420; reference:url,www.microsoft.com/technet/security/bulletin/ms04-024.mspx; classtype:attempted-user; sid:2102589; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL DELETED RealPlayer playlist file URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"file|3A|//"; nocase; pcre:"/^file\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; reference:cve,2004-0258; classtype:attempted-user; sid:2102438; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL DELETED RealPlayer playlist http URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"http|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; reference:cve,2004-0258; classtype:attempted-user; sid:2102439; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL DELETED RealPlayer playlist rtsp URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"rtsp|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; reference:cve,2004-0258; classtype:attempted-user; sid:2102440; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL DELETED server negative Content-Length attempt"; flow:from_server,established; content:"Content-Length|3A| -"; http_header; fast_pattern:only; reference:cve,2004-0492; reference:url,www.guninski.com/modproxy1.html; classtype:attempted-admin; sid:2102580; rev:11; metadata:created_at 2010_09_23, updated_at 2016_05_04;)

#alert tcp $EXTERNAL_NET 113 -> $SMTP_SERVERS 25 (msg:"GPL DELETED sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|D/"; reference:arachnids,140; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-admin; sid:2100655; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL DELETED Yahoo IM successful logon"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 01|"; depth:2; offset:10; classtype:policy-violation; sid:2102450; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET 6666:7000 -> $HOME_NET any (msg:"GPL DELETED IRC dns response"; flow:to_client,established; content:"|3A|"; offset:0; content:" 302 "; content:"=+"; classtype:policy-violation; sid:2101790; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 1020 (msg:"GPL DELETED Vampire 1.2 connection request"; flow:to_server,established; content:"Hello..."; depth:8; flowbits:set,backdoor.vampire_12.connect; flowbits:noalert; classtype:misc-activity; sid:2103063; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"GPL DELETED FOLD arbitrary file attempt"; flow:established,to_server; content:"FOLD"; nocase; pcre:"/^FOLD\s+\//smi"; classtype:misc-attack; sid:2101935; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"GPL DELETED FOLD overflow attempt"; flow:established,to_server; content:"FOLD"; nocase; isdataat:256,relative; pcre:"/^FOLD\s[^\n]{256}/smi"; reference:bugtraq,283; reference:cve,1999-0920; reference:nessus,10130; classtype:attempted-admin; sid:2101934; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL DELETED qpopper overflow"; flow:to_server,established; content:"|E8 D9 FF FF FF|/bin/sh"; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:2100290; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL DELETED Cassandra Overflow"; dsize:>512; flow:to_server,established; content:"AUTHINFO USER"; depth:16; nocase; reference:arachnids,274; reference:bugtraq,1156; reference:cve,2000-0341; classtype:attempted-user; sid:2100291; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 (msg:"GPL DELETED netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; reference:arachnids,403; classtype:misc-activity; sid:2100110; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL DELETED auth literal overflow attempt"; flow:established,to_server; content:"AUTH"; nocase; pcre:"/({(?=\d+}[^\n]*?\sAUTH)|AUTH\s[^\n]*?{(?=\d+}))/smi"; byte_test:5,>,256,0,string,dec,relative; reference:cve,1999-0005; classtype:misc-attack; sid:2101930; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL DELETED login format string attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2102664; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL DELETED wu-ftp bad file completion attempt"; flow:to_server,established; content:"~"; content:"["; distance:0; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:2101377; rev:18; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL DELETED wu-ftp bad file completion attempt with brace"; flow:to_server,established; content:"~"; content:"{"; distance:0; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:2101378; rev:18; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL DELETED gobbles SSH exploit attempt"; flow:to_server,established; content:"GOBBLES"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; classtype:misc-attack; sid:2101812; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"GPL DELETED CVS Max-dotdot integer overflow attempt"; flow:to_server,established; content:"Max-dotdot"; nocase; pcre:"/^Max-dotdot[\s\r\n]*\d{3,}/msi"; reference:bugtraq,10499; reference:cve,2004-0417; classtype:misc-attack; sid:2102583; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 32000 (msg:"GPL DELETED Xtramail Username overflow attempt"; flow:to_server,established; dsize:>500; content:"Username|3A|"; nocase; isdataat:100,relative; pcre:"/^Username\:[^\n]{100}/smi"; reference:bugtraq,791; reference:cve,1999-1511; reference:nessus,10323; classtype:attempted-admin; sid:2101636; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"GPL DELETED MS Remote Desktop non-encrypted session initiation attempt"; flow:to_server,established; content:"|03 00 01|"; depth:3; content:"|00|"; depth:1; offset:288; reference:url,www.microsoft.com/technet/security/bulletin/MS01-052.mspx; classtype:attempted-dos; sid:2102418; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"GPL DELETED MS Terminal server request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; within:6; distance:2; reference:bugtraq,3099; reference:cve,2001-0540; reference:url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx; classtype:protocol-command-decode; sid:2101448; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"GPL DELETED RMD / attempt"; flow:to_server,established; content:"RMD"; nocase; pcre:"/^RMD\s+\x2f$/smi"; reference:bugtraq,9159; classtype:attempted-dos; sid:2102335; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 3632 (msg:"GPL DELETED distccd command execution attempt"; flow:to_server,established; content:"DIST00000001"; depth:12; nocase; reference:url,distcc.samba.org/security.html; classtype:misc-activity; sid:2103061; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 4080 (msg:"GPL DELETED iChat directory traversal attempt"; flow:to_server,established; content:"/../../"; reference:cve,1999-0897; classtype:web-application-activity; sid:2101604; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"GPL DELETED WINS overflow attempt"; flow:to_server,established; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; pcre:!"/^.{8}(\x05\x37(\x1E[\x90-\xFF]|[\x1F-\x2F].|\x30[\x00-\x70])|\x00\x00\x00[\x00-\x65]|\x02\x68\x05\xC0)/s"; reference:bugtraq,11763; reference:cve,2004-1080; reference:url,www.immunitysec.com/downloads/instantanea.pdf; reference:url,www.microsoft.com/technet/security/bulletin/MS04-045.mspx; classtype:misc-attack; sid:2103017; rev:8; metadata:created_at 2010_09_23, updated_at 2016_06_14;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 457 (msg:"GPL DELETED Netscape Unixware overflow"; flow:to_server,established; content:"|EB|_|9A FF FF FF FF 07 FF C3|^1|C0 89|F|9D|"; fast_pattern:only; reference:arachnids,180; reference:bugtraq,908; reference:cve,1999-0744; classtype:attempted-recon; sid:2101132; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"GPL DELETED AMD TCP amqproc_mount plog overflow attempt"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,614; reference:cve,1999-0704; classtype:misc-attack; sid:2101906; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"GPL DELETED AMD TCP pid request"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2101953; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"GPL DELETED AMD TCP version request"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 08|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2101955; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DELETED EXPLOIT named tsig overflow attempt"; flow:to_server,established; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01|    |02|a"; reference:arachnids,482; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-admin; sid:2100303; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 (msg:"GPL DELETED SCO calserver overflow"; flow:to_server,established; content:"|EB 7F|]U|FE|M|98 FE|M|9B|"; reference:bugtraq,2353; reference:cve,2000-0306; classtype:attempted-admin; sid:2100304; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL DELETED cmd_rootsh backdoor attempt"; flow:to_server,established; content:"cmd_rootsh"; reference:nessus,10070; reference:url,www.sans.org/y2k/TFN_toolkit.htm; reference:url,www.sans.org/y2k/fingerd.htm; classtype:attempted-admin; sid:2100320; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"GPL DELETED nstelemetry.adp access"; flow:to_server,established; content:"/nstelemetry.adp"; reference:nessus,10753; classtype:web-application-activity; sid:2101518; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"GPL DELETED story.pl access"; flow:to_server,established; uricontent:"/story.pl"; reference:bugtraq,3028; reference:cve,2001-0804; reference:nessus,10817; classtype:default-login-attempt; sid:2101869; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"GPL DELETED story.pl arbitrary file read attempt"; flow:to_server,established; content:"/story.pl"; http_uri; content:"next=../"; reference:bugtraq,3028; reference:cve,2001-0804; reference:nessus,10817; classtype:default-login-attempt; sid:2101868; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 8181 (msg:"GPL DELETED CISCO PIX Firewall Manager directory traversal attempt"; flow:to_server,established; content:"/pixfir~1/how_to_login.html"; reference:bugtraq,691; reference:cve,1999-0158; reference:nessus,10819; classtype:misc-attack; sid:2101858; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"GPL DELETED answerbook2 admin attempt"; flow:to_server,established; content:"/cgi-bin/admin/admin"; reference:bugtraq,5383; reference:cve,2000-0696; classtype:web-application-activity; sid:2101946; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"GPL DELETED answerbook2 arbitrary command execution attempt"; flow:to_server,established; content:"/ab2/"; content:"|3B|"; distance:1; reference:bugtraq,1556; reference:cve,2000-0697; classtype:web-application-attack; sid:2101947; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 9000:9002 (msg:"GPL DELETED HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; reference:arachnids,302; reference:bugtraq,2245; classtype:misc-activity; sid:2100510; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED Outbound GNUTella client request"; flow:established; content:"GNUTELLA OK"; depth:40; classtype:misc-activity; sid:2100558; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED SecureNetPro traffic"; flow:established; content:"|00|g|00 01 00 03|"; depth:6; classtype:bad-unknown; sid:2101629; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED Inbound GNUTella client request"; flags:A+; flow:established; content:"GNUTELLA CONNECT"; depth:40; classtype:misc-activity; sid:2100559; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED network-status-monitor mon-callback request TCP"; flow:to_server,established; content:"|00 03 0D|p"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2102038; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED ypserv maplist request TCP"; flow:to_server,established; content:"|00 01 86 A4|"; depth:4; offset:16; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:Cve,CAN-2002-1232; reference:bugtraq,5914; reference:bugtraq,6016; classtype:rpc-portmap-decode; sid:2102034; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED ypupdated arbitrary command attempt TCP"; flow:to_server,established; content:"|00 01 86 BC|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|"; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:misc-attack; sid:2102089; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED SAP WAS syscmd access"; flow:to_server,established; content:"/sap/bc/BSp/sap/menu/frameset.htm"; http_uri; nocase; content:"sap-syscmd"; http_uri; nocase; reference:url,www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_WAS.pdf; classtype:web-application-activity; sid:2100183; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED /etc/shadow access"; flow:to_server,established; content:"/etc/shadow"; http_uri; nocase; classtype:web-application-activity; sid:2101372; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED SGI InfoSearch fname access"; flow:to_server,established; uricontent:"/infosrch.cgi"; reference:arachnids,290; reference:bugtraq,1031; reference:cve,2000-0207; classtype:web-application-activity; sid:2101727; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED evaluate.cfm access"; flow:to_server,established; content:"/cfdocs/snippets/evaluate.cfm"; nocase; http_uri; reference:bugtraq,550; classtype:attempted-recon; sid:2100915; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED IISProtect globaladmin.asp access"; flow:to_server,established; uricontent:"/iisprotect/admin/GlobalAdmin.asp"; nocase; reference:nessus,11661; classtype:web-application-activity; sid:2102157; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; http_uri; classtype:web-application-attack; sid:2101002; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED Samba SWAT Authorization overflow attempt"; flow:to_server,established; content:"Authorization|3A| Basic"; nocase; http_header; pcre:"/^Authorization\x3a Basic\s+=/smi"; reference:bugtraq,10780; classtype:web-application-attack; sid:2102597; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED SecureSite authentication bypass attempt"; flow:to_server,established; content:"secure_site, ok"; nocase; reference:bugtraq,4621; classtype:web-application-attack; sid:2101744; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED Tomcat SnoopServlet servlet access"; flow:established,to_server; content:"/examples/servlet/SnoopServlet"; http_uri; reference:bugtraq,4575; reference:nessus,11046; classtype:web-application-activity; sid:2101830; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED Tomcat TroubleShooter servlet access"; flow:established,to_server; content:"/examples/servlet/TroubleShooter"; http_uri; reference:bugtraq,4575; reference:nessus,11046; classtype:web-application-activity; sid:2101829; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED Tomcat servlet mapping cross site scripting attempt"; flow:established,to_server; content:"/servlet/"; http_uri; content:"/org.apache."; http_uri; reference:bugtraq,5193; reference:cve,2002-0682; reference:nessus,11041; classtype:web-application-attack; sid:2101827; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_09_23, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED xp_availablemedia attempt"; flow:to_server,established; content:"xp_availablemedia"; nocase; classtype:web-application-attack; sid:2101060; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED xp_cmdshell attempt"; flow:to_server,established; content:"xp_cmdshell"; nocase; classtype:web-application-attack; sid:2101061; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED xp_enumdsn attempt"; flow:to_server,established; content:"xp_enumdsn"; nocase; classtype:web-application-attack; sid:2101058; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED xp_regdeletekey attempt"; flow:to_server,established; content:"xp_regdeletekey"; nocase; classtype:web-application-activity; sid:2101978; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED xp_regread attempt"; flow:to_server,established; content:"xp_regread"; nocase; classtype:web-application-activity; sid:2101069; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED xp_regwrite attempt"; flow:to_server,established; content:"xp_regwrite"; nocase; classtype:web-application-activity; sid:2101977; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED DNSTools administrator authentication bypass attempt"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; content:"user_logged_in=true"; nocase; content:"user_dnstools_administrator=true"; nocase; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack; sid:2101739; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED DNSTools authentication bypass attempt"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; content:"user_logged_in=true"; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack; sid:2101740; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"GPL DELETED OpenSSL Worm traffic"; flow:to_server,established; content:"TERM=xterm"; nocase; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:web-application-attack; sid:2101887; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"GPL DELETED TLSv1 Client_Hello via SSLv2 handshake request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|03 01|"; depth:2; offset:3; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2103059; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 901 (msg:"GPL DELETED Samba SWAT Authorization port 901 overflow attempt"; flow:to_server,established; content:"Authorization|3A| Basic"; nocase; pcre:"/^Authorization\x3a Basic\s+=/smi"; reference:bugtraq,10780; classtype:web-application-attack; sid:2102598; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL DELETED dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102710; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL DELETED dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102716; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL DELETED dbms_repcat.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102726; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL DELETED dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102794; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL DELETED dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102787; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL DELETED dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(refresh_template_name|user_name)[\r\n\s]*=>[\r\n\s]*\2|(refresh_template_name|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102803; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t|00|"; offset:32; nocase; reference:bugtraq,2030; reference:cve,2000-1081; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100702; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; offset:32; nocase; reference:bugtraq,2031; reference:cve,2000-1082; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100708; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; offset:32; nocase; reference:bugtraq,2040; reference:cve,2000-1085; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100697; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; offset:32; nocase; reference:bugtraq,2042; reference:cve,2000-1087; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100698; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; offset:32; nocase; reference:bugtraq,2043; reference:cve,2000-1088; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100703; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; offset:32; nocase; reference:bugtraq,2038; reference:cve,2000-1083; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100696; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; offset:32; nocase; reference:bugtraq,2039; reference:cve,2000-1084; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100700; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t"; nocase; reference:bugtraq,2030; reference:cve,2000-1081; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100674; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; nocase; reference:bugtraq,2031; reference:cve,2000-1082; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100682; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; nocase; reference:bugtraq,2040; reference:cve,2000-1085; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100706; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; nocase; reference:bugtraq,2041; reference:cve,2000-1086; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100699; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; nocase; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,2000-1087; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100707; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; nocase; reference:bugtraq,2043; reference:cve,2000-1088; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100675; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; nocase; reference:bugtraq,2038; reference:cve,2000-1083; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100705; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; nocase; reference:bugtraq,1204; reference:cve,2001-0542; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; classtype:attempted-user; sid:2100704; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; nocase; reference:bugtraq,2039; reference:cve,2000-1084; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100701; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $HOME_NET 1020 -> $EXTERNAL_NET any (msg:"GPL DELETED Vampire 1.2 connection confirmation"; flow:from_server,established; flowbits:isset,backdoor.vampire_12.connect; content:"Vampire v1.2 Server On-Line....."; depth:32; classtype:misc-activity; sid:2103064; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"GPL DELETED successful gobbles ssh exploit GOBBLE"; flow:from_server,established; content:"*GOBBLE*"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; classtype:successful-admin; sid:2101810; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"GPL DELETED successful gobbles ssh exploit uname"; flow:from_server,established; content:"uname"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; classtype:misc-attack; sid:2101811; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 4242 (msg:"GPL DELETED eDonkey transfer"; flow:to_server,established; content:"|E3|"; depth:1; reference:url,www.kom.e-technik.tu-darmstadt.de/publications/abstracts/HB02-1.html; classtype:policy-violation; sid:2102586; rev:4; metadata:created_at 2010_09_23, updated_at 2016_09_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"GPL DELETED IRC nick change"; flow:to_server,established; content:"NICK "; depth:5; fast_pattern; classtype:policy-violation; sid:2100542; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp any any -> 212.146.0.34 1963 (msg:"GPL DELETED TCPDUMP/PCAP trojan traffic"; flow:stateless; reference:url,hlug.fscker.com; classtype:trojan-activity; sid:2101929; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"GPL DELETED status GHBN format string attack"; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1480; reference:cve,2000-0666; classtype:misc-attack; sid:2101890; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 2140 (msg:"GPL DELETED DeepThroat 3.1 Connection attempt"; content:"00"; depth:2; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:2101980; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 3150 (msg:"GPL DELETED DeepThroat 3.1 Connection attempt 3150"; content:"00"; depth:2; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:2101981; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 35555 (msg:"GPL DELETED win-trin00 connection attempt"; content:"png []..Ks l44"; depth:14; reference:cve,2000-0138; reference:nessus,10307; classtype:attempted-admin; sid:2101853; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 4120 (msg:"GPL DELETED DeepThroat 3.1 Connection attempt 4120"; content:"00"; depth:2; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:2101983; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"GPL DELETED xtacacs login attempt"; content:"|80 01|"; depth:2; content:"|00|"; distance:4; classtype:misc-activity; sid:2102040; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"GPL DELETED AMD UDP pid request"; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101954; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"GPL DELETED AMD UDP version request"; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 08|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1554; reference:cve,2000-0696; classtype:rpc-portmap-decode; sid:2101956; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DELETED EXPLOIT named tsig overflow attempt"; content:"|80 00 07 00 00 00 00 00 01|?|00 01 02|"; reference:bugtraq,2303; reference:cve,2001-0010; classtype:attempted-admin; sid:2100314; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED EXPLOIT statdx"; content:"/bin|C7|F|04|/sh"; classtype:attempted-admin; sid:2101282; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED mountd UDP unmountall request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2102023; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED network-status-monitor mon-callback request UDP"; content:"|00 03 0D|p"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2102037; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:2101911; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $HOME_NET 3150 -> $EXTERNAL_NET any (msg:"GPL DELETED DeepThroat 3.1 Server Response 3150"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:2101982; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $HOME_NET 4120 -> $EXTERNAL_NET any (msg:"GPL DELETED DeepThroat 3.1 Server Response 4120"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:2101984; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"GPL DELETED xtacacs failed login response"; content:"|80 02|"; depth:2; content:"|02|"; distance:4; classtype:misc-activity; sid:2102041; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"GPL DELETED xtacacs accepted login response"; content:"|80 02|"; depth:2; content:"|01|"; distance:4; classtype:misc-activity; sid:2102042; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED ClearSite device_admin.php cs_base_path Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/include/admin/device_admin.php?"; nocase; uricontent:"cs_base_path="; nocase; pcre:"/cs_base_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/65117; reference:cve,CVE-2010-2145; classtype:web-application-attack; sid:2011556; rev:1; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Client requesting fake scanner page /scan/?key="; flow:established,to_server; content:"/scan/?key="; http_uri; classtype:bad-unknown; sid:2011545; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FAKEAV client requesting fake scanner page"; flow:established,to_server; content:"/scaner/?id="; http_uri; classtype:bad-unknown; sid:2011546; rev:2; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED PDF Name Representation Obfuscation of JBIG2Decode, Very Likely Memory Corruption Attempt"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/"; within:50; content:!"JBIG2Decode"; within:11; content:"#"; within:31; pcre:"/\x3C\x3C(\x0D\x0A|\x0A)[^>]*\x2F[^JBIG2Decode](J|#4A)(B|#42)(I|#49)(G|#47)(2|#32)(D|#44)(e|#65)(c|#63)(o|#6F)(d|#64)(e|#65)/smi"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; reference:url,blog.didierstevens.com/2009/03/01/quickpost-jbig2decode-signatures/; reference:bugtraq,33751; reference:cve,2009-0658; classtype:attempted-user; sid:2011534; rev:7; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Phoenix Exploit Kit - PROPFIND AVI"; flow:established,to_server; content:"PROPFIND"; http_method; content:".avi"; http_uri; classtype:trojan-activity; sid:2011513; rev:4; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Phoenix Exploit Kit - tmp/flash.swf"; flow:established,to_server; content:"tmp/flash.swf"; http_uri; classtype:trojan-activity; sid:2011514; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Phoenix Exploit Kit - collab.pdf"; flow:established,to_server; content:"collab.pdf"; http_uri; classtype:trojan-activity; sid:2011515; rev:4; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY Eleonore - landing page"; flow:established,to_client; content:"{display|3A|none}</style><a class="; classtype:bad-unknown; sid:2011510; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED String Replace in PDF File, Likely Hostile"; flow:established,to_client; content:"PDF-"; depth:300; content:".replace|28|"; nocase; reference:url,www.w3schools.com/jsref/jsref_replace.asp; classtype:bad-unknown; sid:2011504; rev:3; metadata:created_at 2010_09_27, updated_at 2016_05_03;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Phoenix landing page - valium"; flow:established,to_client; content:"var string = val+|22|ium|22|\;"; classtype:bad-unknown; sid:2011486; rev:2; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAV client requesting fake scanner page"; flow:established,to_server; content:"/?p=p"; http_uri; content:".co.cc|0D 0A|"; http_header; classtype:bad-unknown; sid:2011373; rev:4; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY phoenix exploit kit landing page"; flow:established,to_client; content:"dev.s.AdgredY"; content:"tmp/des.jar"; content:".php?deserialize"; classtype:bad-unknown; sid:2011369; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY bredolab - hidden div served by nginx"; flow:established,to_client; content:"|0d 0a|Server|3a| nginx"; content:"<div style=\"visibility|3a| hidden|3b|\"><"; depth:120; classtype:bad-unknown; sid:2011307; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING request to media.fastclick.net.* host"; flow:established,to_server; content:"Host|3a| media.fastclick.net."; http_header; classtype:bad-unknown; sid:2011302; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING request to js.zedo.com.* host"; flow:established,to_server; content:"Host|3a| js.zedo.com."; http_header; classtype:bad-unknown; sid:2011303; rev:1; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING request to view.ads.* host"; flow:established,to_server; content:"Host|3a| view.ads."; http_header; classtype:bad-unknown; sid:2011304; rev:1; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING request to adnet.media.* host"; flow:established,to_server; content:"Host|3a| adnet.media."; http_header; classtype:bad-unknown; sid:2011305; rev:1; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING request to adfarm.mediaplex.com.* host"; flow:established,to_server; content:"Host|3a| adfarm.mediaplex.com."; http_header; classtype:bad-unknown; sid:2011306; rev:1; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert udp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET DELETED Butterfly/Mariposa Bot client init connection"; dsize:21; content:"|18|"; depth:1; content:"|00 00|"; distance:16; flowbits:set,ET.ButterflyJoin; flowbits:noalert; classtype:trojan-activity; sid:2011295; rev:9; metadata:created_at 2010_09_28, updated_at 2016_12_19;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Games.jar Download Suspicious Possible Exploit Attempt"; flow:established,to_server; content:"/Games.jar"; http_uri; classtype:policy-violation; sid:2011324; rev:5; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Notes1.pdf Download Suspicious Possible Exploit Attempt"; flow:established,to_server; content:"/Notes1.pdf"; http_uri; classtype:policy-violation; sid:2011325; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NewGames.jar Download Suspicious Possible Exploit Attempt"; flow:established,to_server; uricontent:"/NewGames.jar"; classtype:policy-violation; sid:2011326; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY Fragus - landing page delivered"; flow:established,to_client; content:"|0d 0a 0d 0a|var CRYPT={signature|3a|"; classtype:bad-unknown; sid:2011330; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Sality Variant Checkin Activity"; flow:established,to_server; content:"/sm.php?pizda"; http_uri; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSality.AU; reference:url,www.threatexpert.com/report.aspx?md5=f39d0a669ad98b95370a4f525d7d79ec; classtype:trojan-activity; sid:2011335; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED PHARMSPAM image requested layout viagra_super_active.jpg"; flow:established,to_server; uricontent:"layout"; content:"viagra_super_active.jpg"; http_uri; classtype:bad-unknown; sid:2011339; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp any $HTTP_PORTS -> any any (msg:"ET DELETED Malvertising DRIVEBY Fragus Admin Panel Delivered To Client"; flow:established,to_client; content:"<head>|0D 0A 09 09|<title>Fragus</title>"; classtype:bad-unknown; sid:2011342; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED POST to /x48/x58/ Possible Zeus Version 3 Command and Control Server Traffic"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/x48/x58/"; http_uri; nocase; content:".php"; http_uri; nocase; reference:url,www.m86security.com/labs/i/Customers-of-Global-Financial-Institution-Hit-by-Cybercrime,trace.1431~.asp; reference:url,www.m86security.com/documents/pdfs/security_labs/cybercriminals_target_online_banking.pdf; classtype:trojan-activity; sid:2011344; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Zeus Version 3 Infection Posting Banking HTTP Log to Command and Control Server"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/get_dr.php?"; http_uri; nocase; content:"https|3A|//"; nocase; pcre:"/\x2Fget\x5Fdr\x2Ephp\x3F(e|ini)\x3D/Ui"; reference:url,www.m86security.com/labs/i/Customers-of-Global-Financial-Institution-Hit-by-Cybercrime,trace.1431~.asp; reference:url,www.m86security.com/documents/pdfs/security_labs/cybercriminals_target_online_banking.pdf; classtype:trojan-activity; sid:2011345; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Driveby bredolab server response contains .ru 8080/index.php?"; flow:established,to_client; content:".ru|3a|8080/index.php?"; classtype:bad-unknown; sid:2011351; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Driveby bredolab jquery.jxx"; flow:established,to_server; content:"/jquery.jxx?v="; http_uri; classtype:bad-unknown; sid:2011353; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Driveby bredolab request to a .ru 8080 URI"; flow:established,to_server; content:".ru|3a|8080|0D 0A|"; fast_pattern:only; classtype:bad-unknown; sid:2011354; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET DELETED Yoyo-DDoS Bot Unknown Command From CnC Server"; flow:established,from_server; dsize:124; content:"|C1 00 00 00|"; nocase; depth:4; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:trojan-activity; sid:2011401; rev:1; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED General Trojan Downloader Request Observed"; flow:established,to_server; content:".php?id="; http_uri; nocase; content:"&x="; nocase; http_uri; content:"&os="; nocase; http_uri; content:"&n="; http_uri; nocase; reference:url,www.threatexpert.com/report.aspx?md5=3dd8193692b62a875985349b67da38c6; reference:url,www.threatexpert.com/report.aspx?md5=6c9ad4d06f72edcd2b301d66b25ad101; reference:url,www.threatexpert.com/report.aspx?md5=91fa03240b5a59853d0dad708055a7a8; classtype:trojan-activity; sid:2011415; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED General Trojan FakeAV Downloader"; flow:established,to_server; content:".php?id="; http_uri; content:"&os="; http_uri; content:"&n="; http_uri; classtype:trojan-activity; sid:2011416; rev:5; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MALVERTISING Hidden iframe Redirecting to SEO Driveby Site"; flow:established,to_client; content:"width=\"1\" height=\"1\" marginwidth=\"0\" marginheight=\"0\" frameborder=\"0\" scrolling=\"no\" allowtransparency=\"true\"></iframe>"; fast_pattern:only; classtype:bad-unknown; sid:2011417; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FAKEAV redirecting to fake scanner page - /?777"; flow:established,to_server; content:"/?777"; http_uri; classtype:bad-unknown; sid:2011421; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Possible Attempt to Create MSSQL SOAP/HTTP Endpoint in URI to Allow for Operating System Interaction"; flow:established,to_server; content:"CREATE"; http_uri; nocase; content:"ENDPOINT"; http_uri; nocase; pcre:"/CREATE.+ENDPOINT/Ui"; reference:url,msdn.microsoft.com/en-us/library/ms345123.aspx; classtype:web-application-attack; sid:2011425; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING trafficbiztds.com - client requesting redirect to exploit kit"; flow:established,to_server; content:"/tds/in.cgi?"; http_uri; depth:12; classtype:bad-unknown; sid:2011468; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MALVERTISING trafficbiztds.com - client receiving redirect to exploit kit"; flow:established,to_client; content:"domain=trafficbiztds.com"; http_cookie; content:!"google.com"; http_header; classtype:bad-unknown; sid:2011469; rev:5; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MALVERTISING redirect to exploit kit (unoeuro server)"; flow:established,to_client; content:"=|5b 22 5c|x68|5c|x74|5c|x74|5c|x70|5c|x3A|5c|x2F|5c|x2F|5c|"; content:"|0d 0a|Serverxi|3a| Apache/Unoeuro (Unix) - Secured|0d 0a|"; classtype:bad-unknown; sid:2011479; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Shiz/Rohimafo Proxy Registration"; flow:established,to_server; content:"/socks.php?name="; nocase; http_uri; content:"&port="; nocase; http_uri; pcre:"/\/socks\.php\?name=[^&]+&port=\d{1,5}$/U"; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-041308-3301-99&tabid=2; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6; reference:url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea; reference:url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab; classtype:trojan-activity; sid:2011792; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Shiz or Rohimafo config download"; flow: established,to_client; content:"|21|config"; nocase; content:"|21|load"; nocase; content:"|2e|php|3f|id|3d|1|26|magic|3d|"; nocase; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6; reference:url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea; reference:url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab; classtype:trojan-activity; sid:2011521; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Shiz or Rohimafo config loaded"; flow: established,to_server; content:"knock.php"; nocase; http_uri; content:"=seller-"; nocase; http_uri; content:"load|5f|success"; nocase; content:!"User-Agent"; http_header; nocase; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6; reference:url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea; reference:url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab; classtype:trojan-activity; sid:2011522; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Knok.php Shiz or Rohimafo Host Information Submission to CnC Server"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/knok.php?id="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&up="; nocase; http_uri; content:"&os="; nocase; http_uri; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6; reference:url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea; reference:url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab; classtype:trojan-activity; sid:2011524; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAV Checkin"; flow:established,to_server; content:"getfile.php?r="; http_uri; content:"&p="; http_uri; pcre:"/php\?r=\d+&p=/U"; classtype:trojan-activity; sid:2011474; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Driveby Bredolab - client requesting java exploit"; flow:established,to_server; content:"/Notes1.pdf"; depth:11; http_uri; classtype:bad-unknown; sid:2011795; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2010_10_09, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Driveby Bredolab - landing page"; flow:established,to_client; content:"Server|3a| nginx"; http_header; content:"<div style=|22|visibility|3a| hidden|3b||22|><"; depth:120; classtype:bad-unknown; sid:2011796; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2010_10_09, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MALVERTISING redirect to eleonore exploit kit"; flow:established,to_client; content:"SL_"; http_cookie; content:"_0000="; http_cookie; classtype:bad-unknown; sid:2011810; rev:1; metadata:created_at 2010_10_12, updated_at 2010_10_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED ZeuS http client library detected"; flow:established,to_server; content:"GET "; depth:4; content:"Accept|3a| */*|0D 0A|Connection|3a| Close|0d 0a|User-Agent|3a| "; classtype:trojan-activity; sid:2011811; rev:2; metadata:created_at 2010_10_12, updated_at 2010_10_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SEO Exploit Kit - client exploited by SMB"; flow:established,to_server; content:".php?exp=SMB"; http_uri; classtype:bad-unknown; sid:2011814; rev:3; metadata:created_at 2010_10_12, updated_at 2010_10_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SEO Exploit Kit - client exploited by Acrobat"; flow:established,to_server; content:".php?exp=PDF"; http_uri; classtype:bad-unknown; sid:2011815; rev:2; metadata:created_at 2010_10_12, updated_at 2010_10_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zeus POST Request to CnC"; flow:established,to_server; content:"POST"; http_method; content:".php HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|User-Agent|3a| Mozilla"; fast_pattern; content:"|0d 0a|Content-Length|3a| "; distance:0; content:!"0"; within:1; content:"Connection|3a| Keep-Alive|0d 0a|"; distance:0; content:"|3a| no-cache"; distance:0; content:"|0d 0a 0d 0a|"; distance:0; content:!"Content-Type|3a| "; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2011816; rev:13; metadata:created_at 2010_10_14, updated_at 2010_10_14;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zeus GET Request to CnC"; flow:established,to_server; content:"GET"; http_method; content:"HTTP/1.1|0D 0A|Accept|3a| */*|0D 0A|User-Agent|3a|"; content:!"Content-Type|3a| "; http_header; content:"|0d 0a|Content-Length|3a| "; content:!"0"; distance:0; within:1; content:"Connection|3a| Keep-Alive|0D 0A|Cache-Control|3a| no-cache|0D 0A 0D 0A|"; classtype:trojan-activity; sid:2011817; rev:2; metadata:created_at 2010_10_14, updated_at 2010_10_14;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zeus http client library detected"; flow:established,to_server; content:"Accept|3a| */*|0D 0A|Connection|3a| Close|0D 0A|User-Agent|3a| "; http_header; classtype:trojan-activity; sid:2011818; rev:3; metadata:created_at 2010_10_14, updated_at 2010_10_14;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Pre Projects E-Smart Cart login.asp Arbitrary SQL Command Injection Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/embadmin/login.asp"; http_uri; nocase; content:"%27"; depth:300; reference:url,juniper-federal.org/security/auto/vulnerabilities/vuln37418.html; reference:url,exploit-db.com/exploits/14376; classtype:web-application-attack; sid:2011826; rev:2; metadata:created_at 2010_10_18, updated_at 2010_10_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Feodo Banking Trojan Receiving Configuration File"; flow:established,from_server; content:"ibanking-services.com"; nocase; content:"webcash"; nocase; distance:0; content:"/wires/"; nocase; content:"amazon.com"; nocase; distance:0; content:"EncryptPassword"; fast_pattern; nocase; distance:0; reference:url,blog.fireeye.com/research/2010/10/feodosoff-a-new-botnet-on-the-rise.html; classtype:trojan-activity; sid:2011863; rev:4; metadata:created_at 2010_10_28, updated_at 2010_10_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious HTTP GET to JPG with query string"; flow:established,to_server; content:"GET"; nocase; http_method; content:".jpg?"; nocase; http_uri; isdataat:15,relative; classtype:trojan-activity; sid:2011873; rev:2; metadata:created_at 2010_10_29, updated_at 2010_10_29;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED HP Data Protector Media Operations SignInName Parameter Overflow"; flow:established,to_server; content:"/4daction/wHandleURLs/handleSignIn|3F|sess|3D|"; http_uri; content:"Referer|3A 20|"; nocase; http_header; content:"SignInName|3D|"; nocase; isdataat:1000; reference:url,elotrolad0.blogspot.com/2010/10/hp-data-protector-media-operations-611_23.html; reference:url,securitytracker.com/id?1024634; classtype:attempted-user; sid:2011889; rev:5; metadata:created_at 2010_11_02, updated_at 2010_11_02;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential TDSS HTTP Library GET"; flow:established,to_server; content:"=="; http_uri; content:"GET"; http_method; content:"|20|HTTP/1.1|0d 0a|Accept-Language|3a 20|"; fast_pattern; content:"|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; distance:0; content:"|0d 0a|Host|3a 20|"; distance:0; content:"|0d 0a|Cache-Control|3a 20|no-cache"; distance:0; content:!"|0d 0a|Accept|3a 20|";content:!"Referer|3a 20|"; classtype:trojan-activity; sid:2011890; rev:7; metadata:created_at 2010_11_03, updated_at 2010_11_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Driveby leads to exploits aaitsol1/networks.php"; flow:established,to_server; content:"GET"; http_method; content:"~aaitsol1/networks.php"; nocase; http_uri; classtype:bad-unknown; sid:2011895; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2010_11_08, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED ZBot sp107fb/photo.exe"; flow:established,to_server; content:"GET"; http_method; content:"sp107fb/photo.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011896; rev:2; metadata:created_at 2010_11_08, updated_at 2010_11_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED vb exploits / trojan vietshow"; flow:established,to_server; content:"GET"; http_method; content:"~vietshow/"; nocase; http_uri; classtype:bad-unknown; sid:2011897; rev:2; metadata:created_at 2010_11_08, updated_at 2010_11_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Rogue antivirus downloader x/l.php?id=RdxUVjSVVKicADPtx=6666os=5.1n=1"; flow:established,to_server; content:"GET"; http_method; content:"x/l.php?id=RdxUVjSVVKicADPtx=6666os=5.1n=1"; nocase; http_uri; classtype:bad-unknown; sid:2011898; rev:1; metadata:created_at 2010_11_08, updated_at 2010_11_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan perflogger ~duydati/inst_PCvw.exe"; flow:established,to_server; content:"GET"; http_method; content:"~duydati/inst_PCvw.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011899; rev:2; metadata:created_at 2010_11_08, updated_at 2010_11_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojandropper dunik!rts xxx/download7/21/install_flash_player.exe"; flow:established,to_server; content:"GET"; http_method; content:"xxx/download7/21/install_flash_player.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011900; rev:1; metadata:created_at 2010_11_08, updated_at 2010_11_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Hacked server to exploits ~rio1/admin/login.php"; flow:established,to_server; content:"GET"; http_method; content:"~rio1/admin/login.php"; nocase; http_uri; classtype:bad-unknown; sid:2011901; rev:2; metadata:created_at 2010_11_08, updated_at 2010_11_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Phishing ~mbscom/moneybookers/app/login/login.html"; flow:established,to_server; content:"GET"; http_method; content:"~mbscom/moneybookers/app/login/login.html"; nocase; http_uri; classtype:bad-unknown; sid:2011902; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2010_11_08, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED iframe Phoenix Exploit & ZBot vt073pd/photo.exe"; flow:established,to_server; content:"GET"; http_method; content:"vt073pd/photo.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011903; rev:2; metadata:created_at 2010_11_08, updated_at 2010_11_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED fast flux rogue antivirus download.php?id=2004"; flow:established,to_server; content:"GET"; http_method; nocase; content:"download.php?id=2004"; nocase; http_uri; classtype:bad-unknown; sid:2011904; rev:3; metadata:created_at 2010_11_08, updated_at 2010_11_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED exploit kit x/index.php?s=dexc"; flow:established,to_server; content:"GET"; http_method; content:"x/index.php?s=dexc"; nocase; http_uri; classtype:bad-unknown; sid:2011905; rev:2; metadata:created_at 2010_11_08, updated_at 2010_11_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED exploit kit x/l.php?s=dexc"; flow:established,to_server; content:"GET"; http_method; content:"x/l.php?s=dexc"; nocase; http_uri; classtype:bad-unknown; sid:2011907; rev:2; metadata:created_at 2010_11_08, updated_at 2010_11_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED exploit kit x/exe.php?x=mdac"; flow:established,to_server; content:"GET"; http_method; content:"exe.php?x=mdac"; nocase; http_uri; classtype:bad-unknown; sid:2011908; rev:3; metadata:created_at 2010_11_08, updated_at 2010_11_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED trojan renos Flash.HD.exe"; flow:established,to_server; content:"GET"; http_method; content:"Flash.HD.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011909; rev:2; metadata:created_at 2010_11_08, updated_at 2010_11_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SEO/Malvertising Executable Landing exe2.php"; flow:established,to_server; uricontent:"/exe2.php?wm_id=acc"; classtype:trojan-activity; sid:2011916; rev:3; metadata:created_at 2010_11_09, updated_at 2010_11_09;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED FAKEAV Gemini - JavaScript Redirection To FakeAV Binary"; flow:established,to_client; file_data; content:"<script type=|22|text/javascript|22|>"; nocase; content:"location.assign|28|"; nocase; within:17; classtype:bad-unknown; sid:2011918; rev:5; metadata:created_at 2010_11_09, updated_at 2010_11_09;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED FAKEAV Gemini - packupdate*.exe download"; flow:established,to_client; content:"Content-Disposition|3a| attachment|3b| filename=packupdate"; http_header; classtype:trojan-activity; sid:2011919; rev:3; metadata:created_at 2010_11_09, updated_at 2010_11_09;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED FAKEAV CryptMEN - 302 Redirect"; flow:established,from_server; content:"Cookie|3a| Hello-friend="; http_header; classtype:bad-unknown; sid:2011920; rev:4; metadata:created_at 2010_11_11, updated_at 2010_11_11;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED FAKEAV CryptMEN inst.exe Payload Download"; flow:established,from_server; content:"Content-Disposition|3a| attachment|3b| filename="; http_header; content:"inst.exe"; fast_pattern; http_header; classtype:trojan-activity; sid:2011923; rev:5; metadata:created_at 2010_11_11, updated_at 2010_11_11;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Exploited By SMB/JavaWebStart"; flow:established,to_server; content:"loadsmb.php"; http_uri; classtype:trojan-activity; sid:2011951; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2010_11_19, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Exploited By PDF"; flow:established,to_server; content:"loadlibtiff.php"; http_uri; classtype:trojan-activity; sid:2011952; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2010_11_19, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Requesting Malicious jjar.jar"; flow:established,to_server; content:"/files/jjar.jar"; http_uri; classtype:bad-unknown; sid:2011953; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2010_11_19, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Requesting Malicious loadjjar.php"; flow:established,to_server; content:"loadjjar.php"; http_uri; classtype:bad-unknown; sid:2011954; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2010_11_19, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Requesting Malicious lib.pdf"; flow:established,to_server; content:"/files/lib.pdf"; http_uri; classtype:bad-unknown; sid:2011955; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2010_11_19, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Requesting Malicious loadpeers.php"; flow:established,to_server; content:"loadpeers.php"; http_uri; classtype:bad-unknown; sid:2011956; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2010_11_19, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY SEO Landing Page Encountered"; flow:established,to_client; file_data; content:"<script src=|27|src.js|27|></script><script src=|27|dest.js|27|></script><script>var "; depth:73; classtype:bad-unknown; sid:2011957; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2010_11_19, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY SEO Obfuscated JavaScript desttable"; flow:established,to_client; file_data; content:"var desttable=|27|"; depth:15; classtype:bad-unknown; sid:2011958; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2010_11_19, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY SEO Obfuscated JavaScript srctable"; flow:established,to_client; file_data; content:"var srctable=|27|"; depth:14; classtype:bad-unknown; sid:2011959; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2010_11_19, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MALVERTISING SEO iframe redirect to drive by"; flow:established,to_client; file_data; content:"document.write|28|unescape|28 22|%3Ciframe src=|22 3b| content|3a 22|style=|27|visibility|3a|hidden|3b 27| width=|27|1|27| height=|27|1|27| %3E%3C/iframe%3E|22 29 29 3b|"; classtype:bad-unknown; sid:2011960; rev:4; metadata:created_at 2010_11_19, updated_at 2010_11_19;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MALVERTISING SEO iframe redirect to drive by 2"; flow:established,to_client; file_data; content:"document.write|28|unescape|28 22|%3Ciframe src="; distance:0; content:"style=|27|visibility|3a|hidden|3b 27| width=|27|1|27| height=|27|1|27| %3E%3C/iframe%3E|22 29 29 3b|"; classtype:bad-unknown; sid:2011961; rev:5; metadata:created_at 2010_11_19, updated_at 2010_11_19;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FAKEAV client requesting fake scanner page"; flow:established,to_server; content:"/scaner/?id="; http_uri; depth:12; classtype:bad-unknown; sid:2011962; rev:1; metadata:created_at 2010_11_19, updated_at 2010_11_19;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan downloader (AS8514)"; flow:established,to_server; content:"GET"; http_method; content:"/tube/Adobe__Flash__Player.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=1001jimm.ru; classtype:trojan-activity; sid:2011966; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2010_11_22, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan Banker (AS33182)"; flow:established,to_server; content:"GET"; http_method; content:"/update/html2.exe.bak"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=allmobilefashion.com; classtype:trojan-activity; sid:2011968; rev:2; metadata:created_at 2010_11_22, updated_at 2010_11_22;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED FedEX Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|FedEX_"; nocase; classtype:trojan-activity; sid:2011979; rev:3; metadata:created_at 2010_11_24, updated_at 2016_05_04;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious executable download possible Ircbrute Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/imagFaceBook.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=egyboys.net; classtype:bad-unknown; sid:2011980; rev:2; metadata:created_at 2010_11_24, updated_at 2010_11_24;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious executable download possible Eleonore Exploit Pack / Trojan Brebolab"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/QuickTime_Update_KB673901.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=media-download-kb572810.biz; classtype:bad-unknown; sid:2011981; rev:2; metadata:created_at 2010_11_24, updated_at 2010_11_24;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious executable download possible Fast Flux Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/av-scanner.48370.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=mediafilesonline.net; classtype:bad-unknown; sid:2011983; rev:3; metadata:created_at 2010_11_24, updated_at 2010_11_24;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious executable download possible Fast Flux Rogue Antivirus MalvRem"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/MalvRem_"; nocase; http_uri; pcre:"/MalvRem_\d{3,4}\.exe/Ui"; reference:url,www.malwareurl.com/listing.php?domain=giga-protectiona.com; reference:url,www.malwareurl.com/listing.php?domain=protectsystemf.com; reference:url,www.malwareurl.com/listing.php?domain=1cnetantispy.com; reference:url,www.malwareurl.com/listing.php?domain=3gb-scanner.com; classtype:bad-unknown; sid:2011984; rev:3; metadata:created_at 2010_11_24, updated_at 2010_11_24;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious executable download possible Fast Flux Rogue Antivirus avdistr"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/avdistr_"; nocase; http_uri; pcre:"/avdistr_\d{3,4}\.exe/Ui"; reference:url,www.malwareurl.com/listing.php?domain=giga-protectiona.com; reference:url,www.malwareurl.com/listing.php?domain=protectsystemf.com; reference:url,www.malwareurl.com/listing.php?domain=1cnetantispy.com; reference:url,www.malwareurl.com/listing.php?domain=3gb-scanner.com; classtype:bad-unknown; sid:2011985; rev:3; metadata:created_at 2010_11_24, updated_at 2010_11_24;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious executable download possible Fast Flux Rogue Antivirus RunAV"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/RunAV_"; nocase; http_uri; pcre:"/RunAV_\d{3,4}\.exe/Ui"; reference:url,www.malwareurl.com/listing.php?domain=giga-protectiona.com; reference:url,www.malwareurl.com/listing.php?domain=protectsystemf.com; reference:url,www.malwareurl.com/listing.php?domain=1cnetantispy.com; reference:url,www.malwareurl.com/listing.php?domain=3gb-scanner.com; classtype:bad-unknown; sid:2011986; rev:2; metadata:created_at 2010_11_24, updated_at 2010_11_24;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious executable download possible Rogue AV (installer.xxxx.exe)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/installer."; nocase; http_uri; content:".exe"; nocase; http_uri; pcre:"/installer\.\d{4}\.exe/Ui"; reference:url,www.malwareurl.com/listing.php?domain=scripttoscan.co.cc; classtype:bad-unknown; sid:2011990; rev:3; metadata:created_at 2010_12_01, updated_at 2010_12_01;)

#alert tcp $HOME_NET any -> 212.26.42.47 9090 (msg:"ET DELETED Possible ProFTPD Backdoor Initiate Attempt"; flow:to_server; reference:url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/; reference:url, sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org; reference:url,slashdot.org/story/10/12/02/131214/ProFTPDorg-Compromised-Backdoor-Distributed; classtype:trojan-activity; sid:2011992; rev:3; metadata:created_at 2010_12_02, updated_at 2010_12_02;)

#alert tcp $HOME_NET any -> 212.26.42.47 9090 (msg:"ET DELETED ProFTPD Backdoor outbound Request Sent"; flow:established,to_server; content:"GET /AB"; reference:url,slashdot.org/story/10/12/02/131214/ProFTPDorg-Compromised-Backdoor-Distributed; reference:url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/; reference:url, sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org; classtype:trojan-activity; sid:2011993; rev:2; metadata:created_at 2010_12_02, updated_at 2010_12_02;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Android Use-After-Free Remote Code Execution on Webkit"; flow:to_client,established; content:".appendChild"; content:"-parseFloat("; fast_pattern; distance:0; reference:url,exploit-db.com/exploits/15548/; classtype:web-application-attack; sid:2012046; rev:2; metadata:created_at 2010_12_10, updated_at 2010_12_10;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Microsoft Publisher Array Indexing Memory Corruption SET"; flow:from_server,established; flowbits:isset,OLE.CompoundFile; content:"MSPublisher"; flowbits:set,ms.publisher.file; flowbits:noalert; reference:cve,2010-3995; reference:url,www.microsoft.com/technet/security/bulletin/MS10-103.mspx; classtype:attempted-user; sid:2012519; rev:4; metadata:created_at 2010_12_15, updated_at 2010_12_15;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Bozvanovna Zeus Campaign Config File URL"; flow:established,to_server; content:"000"; http_uri; content:".so"; http_uri; nocase; fast_pattern; pcre:"/\/000[a-z][0-9]{3}\x2Eso/Ui"; reference:url,www.abuse.ch/?p=2986; classtype:trojan-activity; sid:2012081; rev:3; metadata:created_at 2010_12_22, updated_at 2010_12_22;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Bozvanovna Zeus Campaign Binary File URL"; flow:established,to_server; content:"000"; fast_pattern; http_uri; content:".exe"; http_uri; nocase; pcre:"/\/000[a-z][0-9]{3}\x2Eexe/Ui"; reference:url,www.abuse.ch/?p=2986; classtype:trojan-activity; sid:2012082; rev:2; metadata:created_at 2010_12_22, updated_at 2010_12_22;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Bozvanovna Zeus Campaign SSL Certificate"; flow:established,to_client; content:"www.bozvanovna.com"; fast_pattern:only; nocase; reference:url,www.abuse.ch/?p=2986; classtype:trojan-activity; sid:2012083; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2010_12_22, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 58|"; fast_pattern:only; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012086; rev:2; metadata:created_at 2010_12_23, updated_at 2016_09_06;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Adobe Reader and Acrobat U3D File Invalid Array Index Remote Code Execution Attempt"; flow:established,to_client; content:"%PDF-"; depth:300; nocase; content:"/U3D/Length 172"; distance:0; pcre:"/\x2FU3D\x2FLength\x20172[0-5][0-9]{2}/"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=827; reference:url,www.adobe.com/support/security/bulletins/apsb09-15.html; reference:bid,36638; reference:cve,2009-2990; classtype:attempted-user; sid:2012121; rev:1; metadata:created_at 2011_12_30, updated_at 2011_12_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 999 (msg:"ET DELETED p2pshare.org Malware Related Activity"; flow:to_server,established; content:"GET "; depth:4; content:"|0d 0a|Host|3A| p2pshare.org|3A|999"; classtype:trojan-activity; sid:2012132; rev:7; metadata:created_at 2011_01_04, updated_at 2011_01_04;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Possible Malware Related Numerical .co Domain Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|00|"; fast_pattern; nocase; distance:0; pcre:"/\x00[0-9]{4,7}\x02co\x00/i"; reference:url,sign.kaffenews.com/?p=104; reference:url,www.isc.sans.org/diary.html?storyid=10165; classtype:bad-unknown; sid:2012144; rev:3; metadata:created_at 2011_01_05, updated_at 2011_01_05;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MS10-090 IE CSS Exploit Metasploit POC Specific Unicoded"; flow:to_client,established; content:"|40 00 69 00 6d 00 70 00 6f 00 72 00 74 00|"; content:"|40 00 69 00 6d 00 70 00 6f 00 72 00 74 00|"; distance:0; content:"|40 00 69 00 6d 00 70 00 6f 00 72 00 74 00|"; distance:0; pcre:"/@\x00i\x00m\x00p\x00o\x00r\x00t\x00\x20.{4,20}[^\x00\w\s.]/sG"; metadata: former_category WEB_CLIENT; reference:cve,CVE-2010-3971; reference:url,breakingpointsystems.com/community/blog/ie-vulnerability/; reference:bid,45246; classtype:attempted-admin; sid:2012149; rev:5; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Web_Client_Attacks, tag Metasploit, signature_severity Critical, created_at 2011_01_05, updated_at 2018_04_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible Adobe Reader 9.4 doc.printSeps Memory Corruption Attempt"; flow:established,to_client; content:"%PDF-"; nocase; depth:300; content:"doc.printSeps"; nocase; distance:0; reference:bid,44638; reference:cve,2010-4091; classtype:attempted-user; sid:2012156; rev:2; metadata:created_at 2011_01_06, updated_at 2011_01_06;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED p2pshares.org Related Malware"; flow:to_server,established; content:"GET "; depth:4; content:"Host|3A| p2pshares.org|3A|"; classtype:trojan-activity; sid:2012177; rev:6; metadata:created_at 2011_01_12, updated_at 2011_01_12;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET DELETED Possible Open SIP Relay scanner Fake Eyebeam User-Agent Detected"; content:"User-Agent|3A| eyeBeam release"; nocase; reference:url,honeynet.org.au/?q=open_sip_relay_scanner; classtype:attempted-recon; sid:2012183; rev:3; metadata:created_at 2011_01_14, updated_at 2011_01_14;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Nginx Serving EXE/DLL File Often Malware Related"; flow:established,to_client; content:"Server|3a| nginx"; nocase; http_header; fast_pattern; file_data; content:"MZ"; within:2; content:"This program cannot be run in DOS mode."; distance:0; isdataat:10,relative; content:"PE"; distance:0; classtype:misc-activity; sid:2012195; rev:2; metadata:created_at 2011_01_17, updated_at 2011_01_17;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Lookup of Known BlackEnergy DDOS Botnet CnC Server greenter.ru"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|greenter|02|ru"; nocase; distance:0; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20110116; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20100913; classtype:trojan-activity; sid:2012202; rev:2; metadata:created_at 2011_01_18, updated_at 2011_01_18;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Lookup of Known BlackEnergy DDOS Botnet CnC Server globdomain.ru"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0A|globdomain|02|ru"; nocase; distance:0; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20110116; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20100913; classtype:trojan-activity; sid:2012203; rev:2; metadata:created_at 2011_01_18, updated_at 2011_01_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Twitter Worm Attack"; flow:to_server,established; content:"m28sx.html"; http_uri; nocase; reference:url,threatpost.com/en_us/blogs/twitter-worm-uses-google-url-shortener-spread-scareware-012011; classtype:misc-attack; sid:2012207; rev:3; metadata:created_at 2011_01_20, updated_at 2011_01_20;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED m28sx twitter worm redirect access"; flow:established,to_server; content:"/undo/red.php"; http_uri; content:"Host|3a| gdfgdfgdgdfgdfg.in.ua"; nocase; http_header; reference:url,isc.sans.edu/diary.html?storyid=10297; classtype:trojan-activity; sid:2012209; rev:2; metadata:created_at 2011_01_21, updated_at 2011_01_21;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Lookup of Twitter m28sx Worm"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"gdfgdfgdgdfgdfg|02|in|02|ua"; nocase; distance:0; reference:url,isc.sans.edu/diary.html?storyid=10297; classtype:trojan-activity; sid:2012210; rev:2; metadata:created_at 2011_01_21, updated_at 2011_01_21;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED UPS Spam Inbound Variant 4"; flow:established,to_server; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|UPS_AIR_CARGO_bar-coded-lot-labels-EXAMPLE.zip|22|"; nocase; within:100; classtype:trojan-activity; sid:2012235; rev:3; metadata:created_at 2011_01_27, updated_at 2011_01_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET DELETED Unknown Web Backdoor Keep-Alive"; flow:established,to_server; content:"POST /bbs/info.asp "; depth:19; dsize:<170; classtype:trojan-activity; sid:2012250; rev:2; metadata:created_at 2011_02_01, updated_at 2011_02_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Google Android Device HTTP Request"; flow:established,to_server; content:"|3B 20|Android|20|"; http_header; classtype:policy-violation; sid:2012251; rev:7; metadata:created_at 2011_02_02, updated_at 2011_02_02;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED Post Express Inbound SPAM (possible Spyeye)"; flow:established,to_server; content:"Content-Disposition|3A|attachment|3b|"; nocase; content:"filename=|22|Post_Express_Label_"; nocase; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012275; rev:2; metadata:created_at 2011_02_03, updated_at 2011_02_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SpyEye Post_Express_Label infection activity to document.doc"; flow:established,to_server; content:"/forum/document.doc"; http_uri; content:"!Referer|3a| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012280; rev:1; metadata:created_at 2011_02_03, updated_at 2011_02_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SpyEye Post_Express_Label infection activity multi-stage download request"; flow:established,to_server; content:"/forum/load.php?file="; http_uri; content:!"Referer|3a| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012281; rev:1; metadata:created_at 2011_02_03, updated_at 2011_02_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SpyEye Post_Express_Label infection activity multi-stage download confirmed success"; flow:established,to_server; content:"/load.php?file="; http_uri; content:"&luck="; http_uri; content:!"Referer|3a| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012282; rev:2; metadata:created_at 2011_02_03, updated_at 2011_02_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SpyEye Post_Express_Label infection check-in"; flow:established,to_server; content:"/inst.php?id="; http_uri; content:"&lang="; http_uri; content:!"Referer|3a| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012283; rev:2; metadata:created_at 2011_02_03, updated_at 2011_02_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan/Win32.CodecPack Reporting"; flow:to_server,established; content:"GET"; nocase; http_method; content:"ADTECH|3b|"; http_uri; content:"loc=100|3b|"; http_uri; content:"target=_blank|3b|"; http_uri; content:"grp|3d 5b|group|5d 3b|"; http_uri; content:"misc="; classtype:trojan-activity; sid:2012285; rev:3; metadata:created_at 2011_02_04, updated_at 2011_02_04;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Base64 Encoded FTP Commands (21 > o&echo user 1 1 >> o &echo get)"; flow:established,from_server; content:"MjEgPiBvJmVjaG8gdXNlciAxIDEgPj4gbyAmZWNobyBnZXQgUm"; fast_pattern; classtype:attempted-user; sid:2012291; rev:1; metadata:created_at 2011_02_04, updated_at 2011_02_04;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Base64 Encoded FTP Commands Upload (21 > o&echo user 1 1 >> o &echo get)"; flow:established,to_server; content:"MjEgPiBvJmVjaG8gdXNlciAxIDEgPj4gbyAmZWNobyBnZXQgUm"; fast_pattern; classtype:attempted-user; sid:2012292; rev:2; metadata:created_at 2011_02_04, updated_at 2011_02_04;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32.Banker.AAD CnC Communication"; flow:established,to_server; content:"filename=|22|C|3A 5C|WINDOWS|5C|system32"; nocase; http_header; content:"Content-Type|3A| C|3A 5C|WINDOWS|5C|system32"; nocase; http_header; metadata: former_category TROJAN; reference:url,www.threatexpert.com/report.aspx?md5=8556aec7ff96824e2da9d1b948ed7029; classtype:trojan-activity; sid:2012300; rev:1; metadata:created_at 2011_02_06, updated_at 2017_03_22;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential Trojan dropper Wlock.A (AS1680)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/pornoplayer.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=pworldxxx.info; classtype:trojan-activity; sid:2012301; rev:4; metadata:created_at 2011_02_07, updated_at 2011_02_07;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential Fake AV Scan (AS31252)"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/powersecure_2005-19_ibr8.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=scan.dpowerprotection.com; classtype:trojan-activity; sid:2012302; rev:2; metadata:created_at 2011_02_07, updated_at 2011_02_07;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32.SillyP2P Checkin"; flow:to_server,established; content:"GET"; http_method; content:"csi?v="; http_uri; content:"&s=webhp&action=&e=0&ei="; http_uri; content:"&expi="; http_uri; content:"&imc="; http_uri; content:"&imn="; http_uri; content:"&imp="; http_uri; content:"&rt=xjsls"; http_uri; reference:url,www.securehomenetwork.blogspot.com/2011/02/anonleaks-continues-relationship-with.html; reference:url,www.threatexpert.com/report.aspx?md5=a7e1388c38c1fed12785bc335f95b15d; classtype:trojan-activity; sid:2012311; rev:3; metadata:created_at 2011_02_14, updated_at 2011_02_14;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious Win32 User Agent"; flow:to_server,established; content:"User-Agent|3a| Win32"; http_header; classtype:trojan-activity; sid:2012316; rev:2; metadata:created_at 2011_02_17, updated_at 2011_02_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a *.rr.nu domain"; flow:established,to_server; content:".rr.nu|0D 0A|"; http_header; classtype:bad-unknown; sid:2012330; rev:4; metadata:created_at 2011_02_18, updated_at 2011_02_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malicious Advertizing URL in.cgi/antibot_hash"; flow:to_server,established; content:"/in.cgi?"; nocase; http_uri; content:"ab_iframe="; nocase; http_uri; content:"ab_badtraffic="; nocase; http_uri; content:"antibot_hash="; nocase; http_uri; content:"ur="; nocase; http_uri; content:"HTTP_REFERER="; nocase; http_uri; classtype:bad-unknown; sid:2012323; rev:2; metadata:created_at 2011_02_21, updated_at 2011_02_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Fast Flux Trojan Rogue Antivirus"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/SecurIns_194.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=microantivirus5.com; classtype:bad-unknown; sid:2012332; rev:2; metadata:created_at 2011_02_22, updated_at 2011_02_22;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Likely Infected HTTP POST to PHP with User-Agent of HTTP Client"; flow:established,to_server; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"User-Agent|3a 20|HTTP Client|0d 0a|"; http_header; fast_pattern; classtype:trojan-activity; sid:2012385; rev:2; metadata:created_at 2011_02_27, updated_at 2011_02_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby Download Secondary Request"; flow:established,to_server; content:".php?t"; http_uri; pcre:"/\.php\?t[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2012401; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_02_28, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> [69.63.176.0/20,69.63.176.0/20,204.15.20.0/22] $HTTP_PORTS (msg:"ET DELETED Facebook URL Redirect Vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/track.php?"; nocase; http_uri; content:"r="; nocase; http_uri; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2011-February/079577.html; classtype:trojan-activity; sid:2012402; rev:5; metadata:created_at 2011_02_28, updated_at 2011_02_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential Rogue Antivirus FakePAV"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/firefox_update_2011.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=76.76.102.214; classtype:trojan-activity; sid:2012403; rev:2; metadata:created_at 2011_03_01, updated_at 2011_03_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 81 (msg:"ET DELETED Unknown Malware Keepalive"; flow:established,to_server; content:"keepalive"; nocase; depth:9; pcre:"/keepalive([0-9]{4}|\x7c[0-9]{4})/i"; threshold: type limit, track by_src, count 1, seconds 60; classtype:trojan-activity; sid:2012409; rev:3; metadata:created_at 2011_03_02, updated_at 2011_03_02;)

#alert tcp $HOME_NET any -> 184.105.245.17 8080 (msg:"ET DELETED DroidDream Android Trojan info upload"; flow:to_server,established; content:"/GMServer/GMServlet"; http_uri; reference:url,androguard.blogspot.com/2011/03/droiddream.html; reference:url,blog.aegislab.com/index.php?op=ViewArticle&articleId=79&blogId=1; reference:url,blog.mylookout.com/2011/03/android-malware-droiddream-how-it-works/; reference:url,countermeasures.trendmicro.eu/google-android-rooted-backdoored-infected/; classtype:trojan-activity; sid:2012410; rev:2; metadata:created_at 2011_03_03, updated_at 2011_03_03;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED UPS Inbound bad attachment v.4"; flow:established,to_server; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|UPS_AIR_CARGO_bar-coded-lot-labels-EXAMPLE.zip|22| "; nocase; within:100; classtype:trojan-activity; sid:2012442; rev:2; metadata:created_at 2011_03_08, updated_at 2011_03_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Fast Flux Rogue Antivirus"; flow:established,to_server; content:"GET"; nocase; http_method; content:"download/Setup_2004.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=spyremover-k3.com; classtype:trojan-activity; sid:2012447; rev:2; metadata:created_at 2011_03_10, updated_at 2011_03_10;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Android Trojan HongTouTou Command and Control Communication"; flow:established,to_server; content:"POST"; http_method; content:"/index.aspx?im="; http_uri; nocase; content:"|0d 0a|User-Agent|3a| Apache-HttpClient"; http_header; reference:url,blog.netqin.com/en/?p=451; classtype:trojan-activity; sid:2012450; rev:3; metadata:created_at 2011_03_10, updated_at 2011_03_10;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible JKDDOS download b.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/b.exe"; nocase; http_uri; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012466; rev:2; metadata:created_at 2011_03_10, updated_at 2011_03_10;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED FakeAV campaign related JavaScript eval document obfuscation"; flow:established,from_server; content:"|20|=|20|eval('docu'+'men'+'t')|3b 0d 0a 0d 0a|"; classtype:trojan-activity; sid:2012495; rev:2; metadata:created_at 2011_03_14, updated_at 2011_03_14;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Hiloti loader receiving payload URL"; flow:established,from_server; file_data; content:"20|0d 0a|http|3a|//"; within:11; classtype:trojan-activity; sid:2012515; rev:3; metadata:created_at 2011_03_16, updated_at 2011_03_16;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Fake Google Toolbar User-Agent"; flow:established,to_server; content:"|3b| GTB0.0|3b| "; http_header; classtype:trojan-activity; sid:2012516; rev:1; metadata:created_at 2011_03_16, updated_at 2011_03_16;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Zbot Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/trusteer.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=umbralinversiones.com; classtype:trojan-activity; sid:2012537; rev:2; metadata:created_at 2011_03_22, updated_at 2011_03_22;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Zbot Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/games/pdf"; nocase; http_uri; content:"php?f=7"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=poleoa.net; classtype:trojan-activity; sid:2012538; rev:2; metadata:created_at 2011_03_22, updated_at 2011_03_22;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Rogue Antivirus"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/installer.0042.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=umbralinversiones.com; classtype:trojan-activity; sid:2012539; rev:2; metadata:created_at 2011_03_22, updated_at 2011_03_22;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Win32 Backdoor Poison"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/salvando-usb.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=arteencueros.com; classtype:trojan-activity; sid:2012540; rev:2; metadata:created_at 2011_03_22, updated_at 2011_03_22;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED mySeatXT SQL Injection Attempt autocomplete.php field UNION SELECT"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012576; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_25, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED mySeatXT SQL Injection Attempt autocomplete.php field DELETE"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012578; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_25, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED mySeatXT SQL Injection Attempt autocomplete.php field UPDATE"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012580; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_25, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Interleave basicstats.php AjaxHandler Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/basicstats.php?"; nocase; http_uri; content:"AjaxHandler="; nocase; http_uri; pcre:"/AjaxHandler\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,46771; reference:url,xforce.iss.net/xforce/xfdb/65942; reference:url,packetstorm.linuxsecurity.com/1103-exploits/Interleave5.5.0.2-xss.txt; classtype:web-application-attack; sid:2012582; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_03_25, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED RiskTool.Win32.WFPDisabler Reporting"; flow:established,to_server; content:"GET"; http_method; content:"/go.asp?"; nocase; http_uri; content:"svid="; nocase; http_uri; content:"id="; nocase; http_uri; content:"tpages="; nocase; http_uri; content:"ttimes="; nocase; http_uri; content:"tzone="; nocase; http_uri; content:"tcolor="; nocase; http_uri; content:"vpage="; http_uri; nocase; reference:url,threatexpert.com/report.aspx?md5=c81be1cf10d9578803dab8c1bc62ccfa; classtype:web-application-attack; sid:2012588; rev:3; metadata:created_at 2011_03_28, updated_at 2011_03_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan-Dropper.Win32.Mudrop.asj Reporting"; flow:established,to_server; content:"GET"; http_uri; content:"/sa.aspx?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"refe="; nocase; http_uri; content:"location="; nocase; http_uri; content:"language="; nocase; http_uri; content:"ua="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=0398af3218eb6f21195d701a0b001445; classtype:trojan-activity; sid:2012589; rev:3; metadata:created_at 2011_03_28, updated_at 2011_03_28;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED EICAR test file with MZ header double-stacking AV evasion technique"; flow:established,from_server; content:"|24 45 49 43 41 52 2d 53 54 41 4e 44 41 52 44 2d 41 4e 54 49|"; fast_pattern:only; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d 53 54 41 4e 44 41 52 44 2d 41 4e 54 49 56 49 52 55 53 2d 54 45 53 54 2d 46 49 4c 45 21 24 48 2b 48 2a|"; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode"; reference:url,isc.sans.edu/diary/Strange+Shockwave+File+with+Surprising+Attachments/10612; reference:url,www.eicar.org/anti_virus_test_file.htm; classtype:bad-unknown; sid:2012591; rev:4; metadata:created_at 2011_03_28, updated_at 2011_03_28;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Java Exploit Attempt applet via file URI"; flow:established,from_server;content:"applet|20|"; nocase; content:"codebase"; nocase; distance:0; content:"|3a|C|3a 5c|Progra"; fast_pattern; nocase; distance:0; content:"|5c|java|5c|jre6|5c|lib|5c|ext"; nocase; distance:0; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012608; rev:6; metadata:created_at 2011_03_30, updated_at 2011_03_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SpyeEye Trojan Request file=grabbers"; flow:established,to_server; content:".php?file="; nocase; http_uri; content:"grabber"; distance: 0; http_uri; classtype:trojan-activity; sid:2012613; rev:4; metadata:created_at 2011_03_31, updated_at 2011_03_31;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED .dll Request Without User-Agent Likely Malware"; flow:established,to_server; content:".dll"; nocase; http_uri; content:!"User-Agent|3A|"; nocase; http_header; classtype:trojan-activity; sid:2012618; rev:1; metadata:created_at 2011_03_31, updated_at 2011_03_31;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Dropper Checkin with NSISDL/1.2 User-Agent"; flow:established,to_server; content:".php?id="; http_uri; content:"User-Agent|3a 20|NSISDL/1.2 (Mozilla)"; http_header; classtype:trojan-activity; sid:2012626; rev:3; metadata:created_at 2011_04_04, updated_at 2011_04_04;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Content-Type image/jpeg with DOS MZ header set likely 2nd stage download"; flow:established,from_server; content:"Content-Type|3a 20|image/jpeg|0d 0a|"; content:"MZ"; distance:0; content:"This program cannot be run in DOS mode"; fast_pattern; distance:0; classtype:trojan-activity; sid:2012633; rev:2; metadata:created_at 2011_04_05, updated_at 2011_04_05;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Content-Type image/jpeg with Win32 MZ header set likely 2nd stage download"; flow:established,from_server; content:"Content-Type|3a 20|image/jpeg|0d 0a|"; content:"MZ"; distance:0; content:"This program must be run under Win"; fast_pattern; distance:0; classtype:trojan-activity; sid:2012634; rev:2; metadata:created_at 2011_04_05, updated_at 2011_04_05;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET [3366,8081] (msg:"ET DELETED Trojan-Clicker.Win32.Agent.qqf Checkin"; flow:to_server,established; content:"GET "; nocase; depth:4; content:"|2f|sogou"; within:32; pcre:"/\x2fsogou(config)?\x2f/"; reference:url,www.threatexpert.com/report.aspx?md5=f468778836fd27a2ccca88c99f6dd3e9; classtype:trojan-activity; sid:2012643; rev:3; metadata:created_at 2011_04_06, updated_at 2011_04_06;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/CazinoSilver Download VegasVIP_setup.exe"; flow:established,to_server; content:"/VegasVIP_setup.exe"; nocase; http_uri; reference:url,ddanchev.blogspot.com/2011/04/dont-play-poker-on-infected-table-part.html; classtype:trojan-activity; sid:2012685; rev:2; metadata:created_at 2011_04_12, updated_at 2011_04_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential Blackhole Exploit Pack landing"; flow:established,to_server; content:".php?f="; http_uri; content:!"Cookie|3a|"; http_header; pcre:"/\.php\?f=\d+$/U"; reference:url,krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/; classtype:bad-unknown; sid:2012688; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_04_14, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan.Win32.VBKrypt.cugq Checkin"; flow:to_server,established; content:"/bot.php"; http_uri; content:"User-Agent|3A| umbra"; nocase; http_header; reference:url,www.securelist.com/en/descriptions/10316591/Trojan.Win32.VBKrypt.cugq; reference:url,www.mcafee.com/threat-intelligence/malware/default.aspx?id=456326; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-RDK/detailed-analysis.aspx; reference:md5,79e24434a74a985e1c64925fd0ac4b28; classtype:trojan-activity; sid:2017348; rev:4; metadata:created_at 2011_04_28, updated_at 2011_04_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Vertex Trojan UA (VERTEXNET)"; flow:to_server,established; content:"User-Agent|3a| VERTEXNET"; http_header; classtype:trojan-activity; sid:2012752; rev:3; metadata:created_at 2011_04_29, updated_at 2011_04_29;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Suspicious IAT Checking for Debugger"; flow:established,to_client; file_data; content:"MZ"; distance:0; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"DebuggerPresent"; nocase; distance:0; pcre:"/(Is|CheckRemote)DebuggerPresent/i"; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:bad-unknown; sid:2012763; rev:6; metadata:created_at 2011_05_03, updated_at 2011_05_03;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Suspicious IAT NtQueryInformationProcess Possibly Checking for Debugger"; flow:established,to_client; file_data; content:"MZ"; distance:0; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"NtQueryInformationProcess"; nocase; distance:0; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012764; rev:4; metadata:created_at 2011_05_03, updated_at 2011_05_03;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Suspicious IAT GetStartupInfo"; flow:established,to_client; file_data; content:"MZ"; distance:0; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"GetStartupInfo"; nocase; fast_pattern:only; reference:url, sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012765; rev:6; metadata:created_at 2011_05_03, updated_at 2011_05_03;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Suspicious IAT GetComputerName"; flow:established,to_client; content:"MZ"; file_data; isdataat:76,relative; distance:0; content:"This program cannot be run in DOS mode."; distance:0; content:"GetComputerName"; nocase; fast_pattern:only; reference:url, sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012766; rev:4; metadata:created_at 2011_05_03, updated_at 2011_05_03;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Suspicious IAT ZwSetSystemInformation - Undocumented API Which Can be Used for Rootkit Functionality"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"ZwSetSystemInformation"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012769; rev:1; metadata:created_at 2011_05_03, updated_at 2011_05_03;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Suspicious IAT ZwWriteVirtualMemory - Undocumented API Which Can be Used for CnC Functionality"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"ZwSystemDebugControl"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012770; rev:1; metadata:created_at 2011_05_03, updated_at 2011_05_03;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Suspicious IAT SetSfcFileException - Undocumented API Which Can be Used for Disabling Windows File Protections"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"SetSfcFileException"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012771; rev:1; metadata:created_at 2011_05_03, updated_at 2011_05_03;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Suspicious IAT NtQueueApcThread - Undocumented API Which Can be Used for Thread Injection/Downloading"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NtQueueApcThread"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012772; rev:1; metadata:created_at 2011_05_03, updated_at 2011_05_03;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Suspicious IAT NtResumeThread - Undocumented API Which Can be Used to Resume Thread Injection"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NtQueueApcThread"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012773; rev:1; metadata:created_at 2011_05_03, updated_at 2011_05_03;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Suspicious IAT NoExecuteAddFileOptOutList - Undocumented API to Add Executable to DEP Exception List"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NoExecuteAddFileOptOutList"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012774; rev:1; metadata:created_at 2011_05_03, updated_at 2011_05_03;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Suspicious IAT ModifyExecuteProtectionSupport - Undocumented API to Modify DEP"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"ModifyExecuteProtectionSupport"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012775; rev:1; metadata:created_at 2011_05_03, updated_at 2011_05_03;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Suspicious IAT LdrLoadDll - Undocumented Low Level API to Load DLL"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"LdrLoadDll"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012776; rev:1; metadata:created_at 2011_05_03, updated_at 2011_05_03;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Suspicious IAT NamedPipe - May Indicate Reverse Shell/Backdoor Functionality"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NamedPipe"; nocase; fast_pattern:only; pcre:"/(Create|Connect|Peek)NamedPipe/i"; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012778; rev:2; metadata:created_at 2011_05_03, updated_at 2011_05_03;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Suspicious IAT FTP File Interaction"; flow:established,to_client; content:"ftp"; nocase; content:"file"; nocase; within:8; pcre:"/ftp(open|get)file/i"; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012779; rev:3; metadata:created_at 2011_05_03, updated_at 2011_05_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Egypack/1.0 User-Agent Likely Malware"; flow:established,to_server; content:"User-Agent|3a 20|Egypack"; http_header; reference:url,www.vbulletin.com/forum/showthread.php/338741-vBulletin-Footer-SQL-Injection-Hack; classtype:trojan-activity; sid:2012785; rev:2; metadata:created_at 2011_05_03, updated_at 2011_05_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malicious SEO landing in.cgi with URI HTTP_REFERER"; flow:established,to_server; content:"/in.cgi?"; http_uri; content:"&seoref=http"; http_uri; content:"&parameter=$"; http_uri; content:"&HTTP_REFERER=http"; http_uri; fast_pattern; classtype:bad-unknown; sid:2012796; rev:2; metadata:created_at 2011_05_09, updated_at 2011_05_09;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible g01pack Exploit Pack Malicious JAR File Request"; flow:established,to_server; content:".jar"; http_uri; fast_pattern; content:"User-Agent|3a|"; nocase; http_header; content:"Java/"; within:200; http_header; pcre:"/\/[0-9a-f]{32}\.jar$/U"; reference:url,blog.tllod.com/2010/11/03/statistics-dont-lie-or-do-they/; reference:url,community.websense.com/blogs/securitylabs/archive/2011/04/19/Mass-Injections-Leading-to-g01pack-Exploit-Kit.aspx; classtype:attempted-user; sid:2012807; rev:3; metadata:created_at 2011_05_15, updated_at 2011_05_15;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Known Malicious Facebook Javascript"; flow:established,to_client; content:"eval|28|function|28|p,a,c,k,e,"; nocase; content:"replace|28|newRegExp|28|"; nocase; distance:0; content:"SocialGraphManager"; fast_pattern; nocase; distance:0; reference:url,blog.trendmicro.com/dubious-javascript-code-found-in-facebook-application/; classtype:bad-unknown; sid:2012812; rev:3; metadata:created_at 2011_05_16, updated_at 2011_05_16;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED EXE Using Suspicious IAT NtUnmapViewOfSection Possible Malware Process Hollowing"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NtUnmapViewOfSection"; nocase; fast_pattern:only; reference:url,blog.spiderlabs.com/2011/05/analyzing-malware-hollow-processes.html; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:bad-unknown; sid:2012817; rev:3; metadata:created_at 2011_05_18, updated_at 2011_05_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED FAKEAV Scanner Landing Page (Initializing Virus Protection System...)"; flow:established,from_server; content:"<span id=|22|loadspan|22|>Initializing Virus Protection System...</span>"; classtype:bad-unknown; sid:2012815; rev:2; metadata:created_at 2011_05_18, updated_at 2011_05_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING Malicious Advertizing URL in.cgi"; flow:to_server,established; content:"/in.cgi?"; http_uri; classtype:bad-unknown; sid:2012883; rev:5; metadata:created_at 2011_05_27, updated_at 2011_05_27;)

#alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET DELETED Http Client Body contains pw= in cleartext"; flow:established,to_server; content:"pw="; nocase; http_client_body; classtype:policy-violation; sid:2012889; rev:2; metadata:created_at 2011_05_30, updated_at 2011_05_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CPL Trojan Downloader Request"; flow:established,to_server; content:".cpl?|20|HTTP/1.1"; nocase; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2012910; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2011_06_01, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible TDSS Base64 Encoded Command 1"; flow:established,to_server; content:"Q21kRXhl"; http_uri; classtype:trojan-activity; sid:2012921; rev:2; metadata:created_at 2011_06_02, updated_at 2011_06_02;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible TDSS Base64 Encoded Command 2"; flow:established,to_server; content:"bWRFeGVj"; http_uri; classtype:trojan-activity; sid:2012922; rev:2; metadata:created_at 2011_06_02, updated_at 2011_06_02;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible TDSS Base64 Encoded Command 3"; flow:established,to_server; content:"ZEV4ZWN"; http_uri; classtype:trojan-activity; sid:2012923; rev:2; metadata:created_at 2011_06_02, updated_at 2011_06_02;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DYNAMIC_DNS HTTP Request to a *.dyndns-*.com domain"; flow:established,to_server; content:".dyndns-"; http_header; nocase; pcre:"/\.dyndns-(?=(at-home|at-work|blog|free|home|ip|mail|office|pics|remote|server|web|wiki|work))\.com\x0d\x0a/iH"; classtype:bad-unknown; sid:2012928; rev:7; metadata:created_at 2011_06_03, updated_at 2011_06_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DYNAMIC_DNS HTTP Request to a *.dyndns.* domain"; flow:established,to_server; content:".dyndns."; http_header; nocase; pcre:"/\.dyndns\.(?=(biz|info|org|tv))\x0d\x0a/iH"; classtype:bad-unknown; sid:2012927; rev:3; metadata:created_at 2011_06_03, updated_at 2011_06_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MacDefender OS X Fake AV Scareware"; flow:established,to_server; content:"GET"; http_method; content:"affid="; http_uri; content:"data="; http_uri; content:"v="; http_uri; content:"User-Agent|3a 20|MacShield"; http_header; reference:url,blog.spiderlabs.com/2011/06/analysis-and-evolution-of-macdefender-os-x-fake-av-scareware.html; classtype:trojan-activity; sid:2012958; rev:4; metadata:created_at 2011_06_08, updated_at 2011_06_08;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MALVERTISING SL_*_0000 JavaScript redirect"; flow:established,to_client; content:"200"; http_stat_code; content:"SL_"; http_cookie; content:"_0000="; http_cookie; content:"window.location"; classtype:bad-unknown; sid:2013012; rev:3; metadata:created_at 2011_06_10, updated_at 2011_06_10;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Java User Agent"; flow:established,to_server; content:"User-Agent|3a| Java/"; nocase; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013029; rev:1; metadata:created_at 2011_06_14, updated_at 2011_06_14;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Android.Tonclank Sending Device Information"; flow:established,to_server; content:"/ProtocolGW/instal"; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99&tabid=2; classtype:trojan-activity; sid:2013039; rev:4; metadata:created_at 2011_06_16, updated_at 2011_06_16;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Client Visiting Sidename.js Injected Website - Malware Related"; flow:established,to_client; content:"/sidename.js\"></script>"; nocase; fast_pattern:only; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:web-application-attack; sid:2013060; rev:2; metadata:created_at 2011_06_17, updated_at 2011_06_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1064 (msg:"ET DELETED Win32/Fynloski Backdoor Keepalive Message"; flow:established,to_server; content:"KEEPALIVE"; content:"KEEPALIVE"; distance:5; within:10; content:"KEEPALIVE"; distance:5; within:10; content:"KEEPALIVE"; distance:5; within:10; content:"KEEPALIVE"; distance:5; within:10; reference:url,www.threatexpert.com/report.aspx?md5=baca8170608c189e2911dc4e430c7719; classtype:trojan-activity; sid:2013067; rev:2; metadata:created_at 2011_06_20, updated_at 2011_06_20;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Possible GRANT TO SQL Injection Attempt"; flow:established,to_server; content:"GRANT"; nocase; http_uri; content:"TO"; nocase; http_uri; pcre:"/GRANT.{1,5}TO/Ui"; reference:url,beginner-sql-tutorial.com/sql-grant-revoke-privileges-roles.htm; classtype:web-application-attack; sid:2013068; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_06_20, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Exploit Pack HCP overflow Media Player lt 10"; flow:established,to_server; content:"/hcp_asx.php?f="; http_uri; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2013077; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_06_21, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible CVE-2011-2110 Flash Exploit Campaign Log.txt Request"; flow:established,to_server; content:"GET"; http_method; content:"/log.txt"; http_uri; content:"|2E|swf?info=02"; http_header; reference:cve,2011-2110; reference:url,blog.fireeye.com/research/2011/06/old-wine-in-a-new-bottle.html; classtype:trojan-activity; sid:2013113; rev:3; metadata:created_at 2011_06_23, updated_at 2011_06_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.VB.OWR Checkin"; flow:to_server,established; content:"|12 01 00|"; depth:3; content:"|00 00 00 00 00 00 15 00 06 01 00 1B 00 01 02 00 1C 00|"; within:19; reference:url,www.threatexpert.com/report.aspx?md5=7684532e7e1d717427f6842e9d5ecd56; reference:url,anubis.iseclab.org/?action=result&task_id=1ac5dbffd86ddd7f49da78a66fbeb6c37&format=txt; classtype:trojan-activity; sid:2013121; rev:3; metadata:created_at 2011_06_28, updated_at 2011_06_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Ponmocup C2 Malware Update before fake JPEG download"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/shopping3.cgi?a="; nocase; http_uri; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; classtype:trojan-activity; sid:2013179; rev:9; metadata:created_at 2011_07_04, updated_at 2011_07_04;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Ponmocup C2 Malware Update after fake JPEG download"; flow:established,to_server; content:"/cgi-bin/unshopping3.cgi?b="; nocase; http_uri; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; classtype:trojan-activity; sid:2013180; rev:9; metadata:created_at 2011_07_04, updated_at 2011_07_04;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Known Facebook Iframe Phishing Attempt"; flow:established,to_client; content:"FB.IframeUtil.CanvasUtil"; nocase; content:"iframe_canvas"; nocase; distance:0; content:"action=|5C 22|http|3A|"; nocase; distance:0; content:"canvas_iframe_post"; nocase; distance:0; content:"onsubmit="; nocase; distance:0; reference:url,www.f-secure.com/weblog/archives/00002196.html; classtype:bad-unknown; sid:2013183; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2011_07_04, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Client Visiting cssminibar.js Injected Website Malware Related"; flow:established,to_client; content:"/cssminibar.js|22|></script>"; nocase; fast_pattern:only; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:web-application-attack; sid:2013191; rev:1; metadata:created_at 2011_07_05, updated_at 2011_07_05;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Generic Trojan Checkin"; flow:established,to_server; content:"unit_id="; http_uri; content:"&uv_id="; http_uri; content:"&uv_new="; http_uri; content:"&url="; http_uri; content:"&charset="; http_uri; content:"&hashval="; http_uri; content:"&app="; http_uri; content:"&lg="; http_uri; classtype:trojan-activity; sid:2013204; rev:2; metadata:created_at 2011_07_05, updated_at 2011_07_05;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32.Hooker Checkin Message"; flow:established,to_server; content:"&lg="; http_uri; content:"&ntime="; http_uri; content:"&repeatip="; http_uri; content:"&rtime="; http_uri; content:"&sin="; http_uri; classtype:trojan-activity; sid:2013205; rev:2; metadata:created_at 2011_07_05, updated_at 2011_07_05;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 83 (msg:"ET DELETED W32/Alworo CnC Checkin"; flow:established,to_server; content:".php?userid="; nocase; content:"&time="; nocase; distance:0; content:"&msg="; nocase; distance:0; content:"&ver="; nocase; distance:0; content:"&pauid="; nocase; distance:0; content:"&checkId="; nocase; distance:0; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-062909-5644-99&tabid=2; classtype:trojan-activity; sid:2013215; rev:2; metadata:created_at 2011_07_06, updated_at 2011_07_06;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Backdoor.Specfix Checkin"; flow:established,to_server; content:"/AWS"; http_uri; content:".jsp?"; http_uri; content:"x-bigfix-client-string|3A|"; http_header; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-062203-3150-99&tabid=2; classtype:trojan-activity; sid:2013218; rev:1; metadata:created_at 2011_07_06, updated_at 2011_07_06;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Android.Ggtracker Ggtrack.org Checkin"; flow:established,to_server; content:"device_id="; nocase; http_uri; content:"adv_sub="; nocase; http_uri; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-062208-5013-99&tabid=2; classtype:trojan-activity; sid:2013219; rev:2; metadata:created_at 2011_07_06, updated_at 2011_07_06;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt"; flow:established,to_client; file_data; content:"Heap|2E|"; nocase; distance:0; content:"Heap|2E|"; nocase; distance:0; content:"Heap|2E|"; nocase; distance:0; classtype:shellcode-detect; sid:2013222; rev:3; metadata:created_at 2011_07_06, updated_at 2016_08_29;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate"; flow:established,from_server; content:"|7a 13 4e 00 74 5b c6 78 63 64 27 c1 2f e2 a0 5b bc 79 c5 7b|"; content:"sef1941@gmail.com"; within:250; reference:url,contagiodump.blogspot.com/2011/06/jun-22-cve-2011-0611-pdf-swf-fruits-of.html; classtype:misc-activity; sid:2013223; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2011_07_06, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Suspicious *.cu.cc domain"; flow:to_server,established; content:".cu.cc|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013242; rev:2; metadata:created_at 2011_07_08, updated_at 2011_07_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a *.uni.cc domain"; flow:to_server,established; content:".uni.cc|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013248; rev:2; metadata:created_at 2011_07_11, updated_at 2011_07_11;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Obfuscated Javascript Often Used in the Blackhole Exploit Kit 3"; flow:established,from_server; content:"Content-Type|3a 20|text/html"; content:"|0d 0a|<html><body>"; within:500; content:"<script>|0d 0a 09 09 09|"; fast_pattern; within:500; pcre:"/([a-z$+-]{0,4}[0-9.*]+[a-z$+-]{0,4},){24}/R"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013313; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_07_26, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Dictcn Trojan Downloader Update Check to CnC"; flow:established,to_server; content:".php?cid="; http_uri; content:"&version="; http_uri; content:"&lose="; http_uri; content:"&tipsid="; http_uri; content:"&from="; http_uri; classtype:trojan-activity; sid:2013323; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2011_07_27, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Dictcn Trojan Downloader Receiving XML Format Update File From CnC Server"; flow:established,to_client; content:"<dictcn>"; fast_pattern; content:"<update from="; distance:0; content:"method="; distance:0; classtype:trojan-activity; sid:2013324; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2011_07_27, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Dictcn Trojan Downloader Receiving XML Format Node ID File From CnC Server"; flow:established,to_client; content:"<node><id>"; content:"<|2F|id><ip>"; distance:1; within:9; content:"<|2F|type><|2F|node>-->"; distance:0; content:"<node><id>"; distance:0; content:"<|2F|id><ip>"; distance:1; within:9; content:"<|2F|dict>"; distance:0; classtype:trojan-activity; sid:2013325; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2011_07_27, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Dictcn Trojan Downloader Node Server Type"; flow:established,to_client; content:"Server|3A| Dict/"; fast_pattern:only; http_header; classtype:trojan-activity; sid:2013326; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2011_07_27, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SSL MiTM Vulnerable or EOL iOS 3.x device"; flow:established,to_server; content:"Mozilla/5.0 (iP"; http_header; content:" OS 3_"; http_header; distance:0; threshold:type limit, count 1, seconds 600, track by_src; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4824; reference:url,en.wikipedia.org/wiki/IOS_version_history; classtype:not-suspicious; sid:2013334; rev:3; metadata:created_at 2011_07_29, updated_at 2011_07_29;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SSL MiTM Vulnerable or EOL iOS 4.x device"; flow:established,to_server; content:"Mozilla/5.0 (iP"; http_header; content:" OS 4_"; http_header; distance:0; pcre:"/OS 4_[0-3]_[1-4] like/H"; threshold: type limit, count 1, seconds 600, track by_src; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4824; reference:url,en.wikipedia.org/wiki/IOS_version_history; classtype:not-suspicious; sid:2013335; rev:4; metadata:created_at 2011_07_29, updated_at 2011_07_29;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan Dropper User-Agent Firefox/3.6.3"; flow:established,to_server; content:"User-Agent|3A| Firefox/3.6.3"; http_header; classtype:trojan-activity; sid:2013341; rev:2; metadata:created_at 2011_08_02, updated_at 2011_08_02;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 806 (msg:"ET DELETED Backdoor W32/Phanta Checkin"; flow:established,to_server; content:"/do.php?userid="; content:"&time="; distance:0; content:"&msg="; distance:0; content:"&ver="; distance:0; content:"&os="; distance:0; content:"&fy="; distance:0; content:"&pauid="; distance:0; content:"&checkId="; distance:0; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FPopureb.A; reference:url,www.threatexpert.com/report.aspx?md5=0012a0b60572dfa4f42a4325507841d8; classtype:trojan-activity; sid:2013343; rev:1; metadata:created_at 2011_08_02, updated_at 2011_08_02;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 6060 (msg:"ET DELETED Unknown Trojan Checkin to CnC Server"; flow:established,to_server; content:"GET /passport.asp?ID="; depth:21; content:"&fn="; distance:0; content:"&Var="; distance:0; classtype:trojan-activity; sid:2013344; rev:4; metadata:created_at 2011_08_02, updated_at 2011_08_02;)

#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET DELETED Wordpress possible Malicious DNS-Requests - wordpress.com.* "; content:"|09|wordpress|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013356; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_08_04, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic.KD.291903/Win32.TrojanClicker.Agent.NII Nconfirm Checkin"; flow:to_server,established; content:"/nconfirm.php?rev="; http_uri; content:"&code="; http_uri; content:"&param="; http_uri; content:"&num="; http_uri; reference:url,blog.eset.com/2012/03/17/drive-by-ftp-a-new-view-of-cve-2011-3544; classtype:trojan-activity; sid:2014398; rev:4; metadata:created_at 2011_08_04, updated_at 2017_01_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Exploit Kit Request tkr"; flow:established,to_server; content:".php?"; http_uri; content:"src="; http_uri; distance:0; content:"&gpr="; http_uri; distance:0; content:"&tkr="; http_uri; fast_pattern; distance:0; pcre:"/[\?&]src=\d+&gpr=\d+&tkr[ib]?=[a-f0-9]+/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013363; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_08_04, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Trojan Checkin 1"; flow:established,to_server; content:"/WebIpc.asp?UID="; http_uri; content:"&NAME="; http_uri; content:"&mode="; http_uri; classtype:trojan-activity; sid:2013370; rev:2; metadata:created_at 2011_08_05, updated_at 2011_08_05;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Trojan Checkin 2"; flow:established,to_server; content:"/link32.asp?SID="; http_uri; content:"&UID="; http_uri; content:"&MID="; http_uri; classtype:trojan-activity; sid:2013371; rev:2; metadata:created_at 2011_08_05, updated_at 2011_08_05;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User-Agent FSD - Possible FakeAV Related"; flow:established,to_server; content:"User-Agent|3A 20|FSD|0D 0A|"; http_header; classtype:trojan-activity; sid:2013393; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_08_10, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/TrojanDropper.Agent Checkin"; flow:established,to_server; content:".gif?aid="; http_uri; content:"&lc="; http_uri; content:"&time="; http_uri; content:"&flag="; http_uri; content:"&domain="; http_uri; classtype:trojan-activity; sid:2013402; rev:2; metadata:created_at 2011_08_11, updated_at 2011_08_11;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User-Agent (TheWorld)"; flow:established,to_server; content:"TheWorld"; http_header; pcre:"/User-Agent\x3A[^\n]+TheWorld/H"; reference:url,www.virustotal.com/file-scan/report.html?id=70e502c9b8752da6dc0ff2a41c6975d59090482d2c0758387aca1b5702f96988-1305238279; classtype:trojan-activity; sid:2013403; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_08_11, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SSL MiTM Vulnerable or EOL iOS 3.x device"; flow:established,to_server; content:"Mozilla/5.0 |28|iP"; http_header; content:" OS 3_"; http_header; distance:0; threshold: type limit, count 1, seconds 600, track by_src; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4824; reference:url,en.wikipedia.org/wiki/IOS_version_history; reference:url,github.com/jan0/isslfix; reference:cve,CVE-2011-0228; classtype:not-suspicious; sid:2013406; rev:5; metadata:created_at 2011_08_12, updated_at 2011_08_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SSL MiTM Vulnerable or EOL iOS 4.x device"; flow:established,to_server; content:"Mozilla/5.0 |28|iP"; http_header; content:" OS 4_"; http_header; distance:0; pcre:"/OS 4_[0-3]_[1-4] like/H"; threshold:type limit, count 1, seconds 600, track by_src; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4824; reference:url,en.wikipedia.org/wiki/IOS_version_history; reference:url,github.com/jan0/isslfix; reference:cve,CVE-2011-0228; classtype:not-suspicious; sid:2013407; rev:5; metadata:created_at 2011_08_12, updated_at 2011_08_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Mitglieder Proxy Trojan CnC"; dsize:2; byte_test:2, >, 1024, 0; threshold:type both, track by_src, count 1000, seconds 300; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Win32%2fMitglieder; classtype:trojan-activity; sid:2013418; rev:5; metadata:created_at 2011_08_17, updated_at 2011_08_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/UFR POST to CnC"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ufr/ufr.php"; http_uri; content:"UFR"; http_client_body; classtype:trojan-activity; sid:2013424; rev:2; metadata:created_at 2011_08_18, updated_at 2011_08_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Executable served from Amazon S3"; flow:established,to_client; content:"Server|3A| AmazonS3"; http_header; file_data; content:"MZ"; distance:0; isdataat:80,relative; content:"PE"; distance:0; reference:url,blog.trendmicro.com/cybercriminals-using-amazon-web-services-aws-to-host-malware/; reference:url,www.securelist.com/en/blog/208188099/Financial_data_stealing_Malware_now_on_Amazon_Web_Services_Cloud; classtype:bad-unknown; sid:2013437; rev:1; metadata:created_at 2011_08_19, updated_at 2011_08_19;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED EXE Download When Server Claims To Send Audio File - DOS Mode"; flow:established,to_client; content:"Content-Type|3A 20|audio|2F|"; http_header; nocase; file_data; content:"MZ"; within:2; content:"This program cannot be run in DOS mode"; distance:0; content:"PE"; distance:0; classtype:trojan-activity; sid:2013442; rev:2; metadata:created_at 2011_08_22, updated_at 2011_08_22;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/Rbot User-Agent (tiehttp)"; flow:established,to_server; content:"User-Agent|3A 20|tiehttp"; http_header; classtype:trojan-activity; sid:2013449; rev:3; metadata:created_at 2011_08_22, updated_at 2011_08_22;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DELETED MS Terminal Server User A Login, possible Morto inbound"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; offset:5; depth:6; content:"Cookie|3a| mstshash=a|0d 0a|"; nocase; reference:cve,CAN-2001-0540; classtype:protocol-command-decode; sid:2013497; rev:2; metadata:created_at 2011_08_30, updated_at 2011_08_30;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Known Fraudulent DigiNotar SSL Certificate for google.com 2"; flow:established,from_server; content:"|0c 76 da 9c 91 0c 4e 2c 9e fe 15 d0 58 93 3c 4c|"; content:"google.com"; within:250; reference:url,www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx; classtype:misc-activity; sid:2013501; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2011_08_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Morto Worm Rar Download"; flow:established,to_server; content:"GET /160.rar HTTP"; depth:17; reference:url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html; classtype:trojan-activity; sid:2013517; rev:4; metadata:created_at 2011_09_01, updated_at 2011_09_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Loader *.jpg?t=0.* in http_uri"; flow:established,to_server; content:".jpg?t=0."; http_uri; pcre:"/\.jpg\?t\x3d\d\.\d/U"; classtype:trojan-activity; sid:2013520; rev:3; metadata:created_at 2011_09_01, updated_at 2011_09_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 3389 (msg:"ET DELETED MS Terminal Server User A Login, possible Morto Outbound"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; offset:5; depth:6; content:"Cookie|3a| mstshash=a|0d 0a|"; nocase; reference:cve,CAN-2001-0540; classtype:protocol-command-decode; sid:2013531; rev:2; metadata:created_at 2011_09_02, updated_at 2011_09_02;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Daemonize Trojan Proxy Initial Checkin"; flow:established,to_server; content:"/command.php?IP="; http_uri; content:"&P1="; http_uri; content:"&P2="; http_uri; content:"&ID="; http_uri; content:"&SP="; http_uri; content:"&CT="; http_uri; content:"&L1="; http_uri; content:"&L2="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanProxy%3AWin32%2FDaemonize.A&ThreatID=-2147464655; classtype:trojan-activity; sid:2013541; rev:2; metadata:created_at 2011_09_06, updated_at 2011_09_06;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Helpexpress Spyware User-Agent HXLogOnly"; flow:established,to_server; content:"User-Agent|3A 20|HXLogOnly"; http_header; classtype:trojan-activity; sid:2013545; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2011_09_06, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Exploit Pack HCP exploit"; flow:established,to_server; content:"/pch.php?f="; http_uri; pcre:"/pch\.php\?f=\d+$/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2013548; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_09_08, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Exploit Pack HCP exploit 2"; flow:established,to_server; content:"/hcp_vbs.php?f="; http_uri; pcre:"/hcp_vbs\.php\?f=\d+&d=\d+$/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2013549; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_09_08, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential Blackhole Exploit Pack Binary Load Request 2"; flow:established,to_server; content:".php?e="; fast_pattern; nocase; http_uri; content:"&f="; nocase; http_uri; content:!"Referer|3a|"; http_header; content:"User-Agent|3a|"; http_header; content:"Host|3a|"; http_header; distance:0; pcre:"/\.php\?e=\w+&f=\w+$/U"; flowbits:set,et.exploitkitlanding; metadata: former_category TROJAN; reference:url,krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/; classtype:bad-unknown; sid:2013550; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_09_08, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole landing page with malicious Java applet"; flow:established,from_server; file_data; content:"<applet code=|27|buildService.MapYandex.class|27|"; content:".jar"; content:"</applet>"; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2013553; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_09_09, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole MapYandex.class malicious jar"; flow:established,from_server; content:"|0d 0a|Content-Type|3a 20|application/java-archive|0d 0a|"; content:"MapYandex.class"; fast_pattern:only; content:"PK"; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2013554; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_09_09, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Driveby Download Secondary Request 4"; flow:established,to_server; content:"main.php?page="; http_uri; pcre:"/[a-f0-9]{16}$/U"; classtype:trojan-activity; sid:2013651; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2011_09_13, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Exploit Kit Landing Reporting Successful Java Compromise"; flow:established,to_server; content:".php?spl="; fast_pattern:only; http_uri; pcre:"/\.php\?spl=[A-Z]{3}/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2013652; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_09_13, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?b Download Secondary Request"; flow:established,to_server; content:".php?b"; http_uri; pcre:"/\.php\?b[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2013664; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_09_18, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?n Download Secondary Request"; flow:established,to_server; content:".php?n"; http_uri; pcre:"/\.php\?n[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2013665; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_09_18, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?page Download Secondary Request"; flow:established,to_server; content:".php?page"; http_uri; pcre:"/^[^?#]+?\.php\?page[a-z0-9]*=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2013666; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_09_18, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?v Download Secondary Request"; flow:established,to_server; content:".php?v"; http_uri; pcre:"/\.php\?v[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013667; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_09_18, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Java Exploit Kit cc exploit progress status cookie"; flow:established,to_server; content:"%3D|3b 20|cc2="; http_raw_cookie; content:"%3D|3b 20|cc3="; http_raw_cookie; content:"%3D|3b 20|cc4="; http_raw_cookie; content:"|20|Java/"; http_header; classtype:trojan-activity; sid:2013695; rev:3; metadata:created_at 2011_09_27, updated_at 2011_09_27;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole landing page with malicious Java applet"; flow:established,from_server; file_data; content:"<applet"; distance:0; content:"code="; distance:0; content:".jar"; distance:0; content:"e00oMDD"; distance:0; fast_pattern; content:"</applet>"; distance:0; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2013700; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_09_27, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Spy.Lpxenur Checkin"; flow:established,to_server; content:"/data/mail.js?yaru="; http_uri; classtype:trojan-activity; sid:2013714; rev:1; metadata:created_at 2011_09_30, updated_at 2011_09_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/Parite CnC Checkin"; flow:established,to_server; content:"?MI="; http_uri; content:"&os="; http_uri; content:"&TE="; http_uri; content:"&TV="; http_uri; content:!"SeaPort/"; http_header; classtype:trojan-activity; sid:2013716; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2011_09_30, malware_family Parite, updated_at 2017_07_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/OpenCapture CnC Checkin"; flow:established,to_server; content:"/check_counter.php?pi="; http_uri; content:"&gu="; http_uri; content:"&ac="; http_uri; classtype:trojan-activity; sid:2013722; rev:1; metadata:created_at 2011_09_30, updated_at 2011_09_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED W32/iGrabber Info Stealer FTP Upload"; flow:established,to_server; content:"iGrabber Logs"; offset:4; depth:13; classtype:trojan-activity; sid:2013727; rev:1; metadata:created_at 2011_09_30, updated_at 2011_09_30;)

#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 6000: (msg:"ET DELETED Zeus P2P CnC"; dsize:72; content:!"|00 00 00|"; offset:5; byte_extract:1,63,padding; byte_test:1,!=,0xff,71; byte_test:1,!=,0x00,71; byte_test:1,=,padding,64; byte_test:1,=,padding,65; byte_test:1,=,padding,66; byte_test:1,=,padding,67; byte_test:1,=,padding,68; byte_test:1,=,padding,69; byte_test:1,=,padding,70; byte_test:1,=,padding,71; metadata: former_category TROJAN; reference:url,www.abuse.ch/?p=3499; classtype:trojan-activity; sid:2013739; rev:11; metadata:created_at 2011_10_05, updated_at 2018_07_24;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Exploit Pack HCP exploit 3"; flow:established,to_server; content:"/pch2.php?c="; http_uri; pcre:"/pch2.php?c=\d+$/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2013746; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_10_11, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp 83.236.140.90 any -> $HOME_NET any (msg:"ET DELETED Bundestrojaner (W32/R2D2 BTrojan) Inbound SRV-2"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 60; reference:url,www.ccc.de/de/updates/2011/staatstrojaner; reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf; reference:url,www.f-secure.com/weblog/archives/00002249.html; reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html; reference:url,www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545; reference:url,www.ccc.de/en/updates/2011/staatstrojaner; classtype:trojan-activity; sid:2013753; rev:4; metadata:created_at 2011_10_11, updated_at 2011_10_11;)

#alert tcp $HOME_NET any -> 83.236.140.90 any (msg:"ET DELETED Bundestrojaner (W32/R2D2 BTrojan) Outbound SRV-2"; flow:established,to_server; threshold:type limit, track by_dst, count 1, seconds 60; reference:url,www.ccc.de/de/updates/2011/staatstrojaner; reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf; reference:url,www.f-secure.com/weblog/archives/00002249.html; reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html; reference:url,www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545; reference:url,www.ccc.de/en/updates/2011/staatstrojaner; classtype:trojan-activity; sid:2013754; rev:4; metadata:created_at 2011_10_11, updated_at 2011_10_11;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32.Duqu User-Agent"; flow:to_server,established; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| Windows NT 6.0|3B| en-US|3B| rv|3A|1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"; http_header; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf; classtype:trojan-activity; sid:2013782; rev:3; metadata:created_at 2011_10_19, updated_at 2011_10_19;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Acrobat 8/9.3 PDF exploit download request 2"; flow:established,to_server; content:"/2ddfp.php?f="; http_uri; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2013786; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_10_20, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Acrobat 1-7 PDF exploit download request 2"; flow:established,to_server; content:"/1ddfp.php?f="; http_uri; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2013787; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_10_20, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?doit Download Secondary Request"; flow:established,to_server; content:".php?doit"; http_uri; pcre:"/\.php\?doit[a-z0-9]*=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2013788; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_10_20, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32.PEx.C.91139756616/Win32.Zwangi-BU Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/?vn="; http_uri; content:"&partner="; http_uri; content:"&ptag="; http_uri; content:"&cid="; http_uri; content:"&se="; http_uri; content:"&au="; http_uri; content:"&pver="; http_uri; reference:url,threatcenter.crdf.fr/?More&ID=49889&D=CRDF.Win32.Win32.PEx.C.91139756616; reference:md5,2c969afbe71f35571d11e30f1e854b29; reference:url,www.pcsafedoctor.com/Adware/remove-AdWare.Win32.Zwangi.bu.html; classtype:trojan-activity; sid:2013789; rev:2; metadata:created_at 2011_10_21, updated_at 2011_10_21;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED W32/Bifrose Second Stage Obfuscated Binary Download Claiming to Be JPEG"; flow:established,to_client; content:"Content-Type|3A 20|image/jpeg"; http_header; file_data; content:"|54 48 00 F7 20 10 72 6F 67 52|"; distance:0; content:"|61 6E 6E 4F 1D A4 62 05 20 72 75 4E 49 ED 6E 40 44 4F 53|"; fast_pattern; within:50; classtype:trojan-activity; sid:2013796; rev:3; metadata:created_at 2011_10_24, updated_at 2011_10_24;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown checkin"; flow:established,to_server; content:"POST"; http_method; content:"/c.php"; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla/4.0 compatible|3b| MSIE 8.0|3b| Windows NT 5.1|3b| Trident/4.0|3b| |0d 0a|"; http_header; classtype:trojan-activity; sid:2013803; rev:4; metadata:created_at 2011_10_25, updated_at 2011_10_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible Redirection to Unknown Exploit Pack"; flow:established,to_client; content:"document.write|28|unescape|28 22|%3Cscript src=|27 22 20 2B 20|"; nocase; reference:url,www.kahusecurity.com/2011/malware-infection-from-new-exploit-pack/; classtype:misc-attack; sid:2013804; rev:3; metadata:created_at 2011_10_25, updated_at 2011_10_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan.Kryptik/proscan.co.kr Checkin 2"; flow:established,to_server; content:"User-Agent|3a| test_hInternet"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=bf156b649cb5da6603a5f665a7d8f13b; classtype:trojan-activity; sid:2013822; rev:2; metadata:created_at 2011_11_03, updated_at 2011_11_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a *.cz.tf domain"; flow:to_server,established; content:".cz.tf|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013836; rev:1; metadata:created_at 2011_11_04, updated_at 2011_11_04;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Kazy/Kryptor/Cycbot Trojan Checkin 3"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?pr="; http_uri; content:!"Accept|3a|"; http_header; pcre:"/\.(jpg|png|gif|cgi)\?pr=/U"; classtype:trojan-activity; sid:2013866; rev:4; metadata:created_at 2011_11_07, updated_at 2011_11_07;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED google.com.br DNS Poisoning redirecting to exploit kit 1"; flow:established,to_server; content:"/Google_setup.exe"; http_uri; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:bad-unknown; sid:2013895; rev:3; metadata:created_at 2011_11_10, updated_at 2011_11_10;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED google.com.br DNS Poisoning redirecting to exploit kit 2"; flow:established,to_server; content:"google_setup.exe"; http_uri; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:bad-unknown; sid:2013896; rev:3; metadata:created_at 2011_11_10, updated_at 2011_11_10;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED google.com.br DNS Poisoning redirecting to exploit kit 3"; flow:established,to_server; content:"/FaceBook_Complemento.exe"; http_uri; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:bad-unknown; sid:2013897; rev:2; metadata:created_at 2011_11_10, updated_at 2011_11_10;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED google.com.br DNS Poisoning redirecting to exploit kit 4"; flow:established,to_server; content:"/YouTube_Setup.exe"; http_uri; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:bad-unknown; sid:2013898; rev:2; metadata:created_at 2011_11_10, updated_at 2011_11_10;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED google.com.br DNS Poisoning redirecting to exploit kit 5"; flow:established,to_server; content:"/google2.exe"; http_uri; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:bad-unknown; sid:2013899; rev:2; metadata:created_at 2011_11_10, updated_at 2011_11_10;)

#alert udp !$DNS_SERVERS any -> [85.255.112.0/20,67.210.0.0/20,93.188.160.0/21,77.67.83.0/24,213.109.64.0/20,64.28.176.0/20] 53 (msg:"ET DELETED Ghost Click DNSChanger DNS Request (UDP)"; threshold:type threshold, track by_src, seconds 2, count 2; reference:url,www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf; classtype:trojan-activity; sid:2013906; rev:4; metadata:created_at 2011_11_10, updated_at 2011_11_10;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED ZeuS estatements mailing campaign landing page"; flow:established,to_server; content:"/estatements/stetement_id."; http_uri; pcre:"/\/stetement_id\.\d+\//U"; classtype:trojan-activity; sid:2013908; rev:2; metadata:created_at 2011_11_10, updated_at 2011_11_10;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED ZeuS estatements fake transaction page flash warning"; flow:established,from_server; content:"&nbsp|3b|Notification of Incompatibility</font></strong></font></td>"; content:">Your version of Macromedia Flash Player is too old to continue. <a href="; classtype:trojan-activity; sid:2013909; rev:2; metadata:created_at 2011_11_10, updated_at 2011_11_10;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole obfuscated Javascript padded charcodes 25"; flow:established,from_server; content:"75"; depth:500; content:"86"; within:4; content:"74"; within:4; content:"92"; within:4; content:"84"; within:4; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2013950; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_11_23, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Delivering PDF Exploit to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; file_data; content:"%PDF-"; within:5; metadata: former_category CURRENT_EVENTS; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:attempted-user; sid:2013960; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_11_23, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Delivering Java Exploit to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; file_data; content:"<applet"; nocase; distance:0; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:trojan-activity; sid:2013961; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_11_23, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible Exploit Kit Delivering Executable to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:trojan-activity; sid:2013962; rev:7; metadata:created_at 2011_11_23, updated_at 2011_11_23;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Initial Blackhole Landing Loading... Wait Please"; flow:established,from_server; content:"Wait Please"; fast_pattern:only; content:">Loading..."; content:"<script"; distance:0; metadata: former_category CURRENT_EVENTS; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:trojan-activity; sid:2013972; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_11_28, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit hostile PDF qwe123"; flow:established,from_server; file_data; content:"/Kids [1 0 R]/"; content:"|0d 0a 09 09|<field qwe=|22|213123|22| name=|22|qwe123|22|"; distance:0; content:"application/x-javascript"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2013990; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_12_05, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole hostile PDF v1"; flow:established,from_server; file_data; content:"|25 50 44 46 2d 31 2e 36|"; distance:0; content:"|4b 69 64 73 5b 32 38 20 30 20 52 5d 3e 3e|"; distance:0; content:"javascript"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2013991; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_12_06, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole hostile PDF v2"; flow:established,from_server; file_data; content:"|25 50 44 46 2d 31 2e 36|"; distance:0; content:"|20 2f 4b 69 64 73 20 5b 31 20 30 20 52 5d 20 2f 54 79 70 65 2f 50 61 67 65 73 3e 3e|"; distance:0; content:"javascript"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2013992; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_12_06, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED LDPinch Loader Binary Request"; flow:established,to_server; content:"HTTP/1.0|0d 0a|Host|3a|"; content:".exe"; http_uri; nocase; content:"User-Agent|3a| "; http_header; content:"|0a 0a|Connection|3a| close|0d 0a 0d 0a|"; http_header; classtype:trojan-activity; sid:2013994; rev:4; metadata:created_at 2011_12_07, updated_at 2011_12_07;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS Query for Sykipot C&C www.prettylikeher.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|prettylikeher|03|com"; fast_pattern; distance:0; nocase; reference:cve,CVE-2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; classtype:trojan-activity; sid:2014005; rev:4; metadata:created_at 2011_12_08, updated_at 2011_12_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED TROJAN LDPinch Loader Binary Request"; flow:established,to_server; content:"HTTP/1.0|0D 0A|Host|3a|"; content:".exe"; http_uri; nocase; content:"User-Agent|3a| "; http_header; content:"|0D 0A|Connection|3a| close|0D 0A 0D 0A|"; http_header; classtype:trojan-activity; sid:2014015; rev:4; metadata:created_at 2011_12_09, updated_at 2011_12_09;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Kargany Loader Obfuscated Payload Download"; flow:established,from_server; content:"Content-Disposition|3a| "; http_header; nocase; content:"windows-update-"; distance:0; http_header; content:".exe"; distance:0; http_header; file_data; content:!"MZ"; within:2; classtype:trojan-activity; sid:2014019; rev:2; metadata:created_at 2011_12_09, updated_at 2011_12_09;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Scalaxy exploit kit binary download request"; flow:established,to_server; content:"/"; http_uri; offset:2; depth:3; content:"/"; http_uri; within:3; urilen:37; pcre:"/\/[a-z]\/[0-9]\/[0-9a-f]{32}$/U"; classtype:trojan-activity; sid:2014026; rev:2; metadata:created_at 2011_12_12, updated_at 2011_12_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY Blackhole PDF Exploit Request /fdp2.php"; flow:established,to_server; content:"/fdp2.php?f="; http_uri; metadata: former_category CURRENT_EVENTS; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014035; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_12_22, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED AirOS .css Worm Outbound Propagation Sweep"; flow:established,to_server; content:"/admin.cgi/.gif"; http_uri; pcre:"/Host\x3a ([0-9]{1,3}\.){3}[0-9]{1,3}/H"; reference:url,seclists.org/fulldisclosure/2011/Dec/419; reference:url,www.root.cz/clanky/virus-v-bezdratovych-routerech-skynet/; classtype:trojan-activity; sid:2014041; rev:9; metadata:created_at 2011_12_28, updated_at 2011_12_28;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED AirOS admin.cgi/css Exploit Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/etc/persistent/.skynet/install&action=cli"; http_uri; reference:url,seclists.org/fulldisclosure/2011/Dec/419; reference:url,www.root.cz/clanky/virus-v-bezdratovych-routerech-skynet/; classtype:trojan-activity; sid:2014042; rev:6; metadata:created_at 2011_12_28, updated_at 2011_12_28;)

#alert udp $HOME_NET any -> [85.255.112.0/20,67.210.0.0/20,93.188.160.0/21,77.67.83.0/24,213.109.64.0/20,64.28.176.0/20] 53 (msg:"ET DELETED Potential DNS Request from Trojan.DNSChanger infected system"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; reference:url,www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf; classtype:trojan-activity; sid:2014043; rev:2; metadata:created_at 2011_12_28, updated_at 2011_12_28;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Java Rhino Script Engine Remote Code Execution Attempt"; flow:established,to_client; file_data; content:"document.createElement('applet'"; nocase; distance:0; content:"setAttribute('code"; nocase; distance:0; content:"setAttribute('archive"; nocase; distance:0; content:".jar"; nocase; distance:0; content:"document.createElement('param"; nocase; distance:0; content:"setAttribute('name"; nocase; distance:0; content:"setAttribute('value"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; reference:url,blog.eset.com/2011/12/15/spam-campaign-uses-blackhole-exploit-kit-to-install-spyeye; reference:bid,50218; reference:cve,2011-3544; classtype:attempted-user; sid:2014048; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_12_30, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Rhino Java Exploit request to /content/v1.jar"; flow:established,to_server; content:"/content/v1.jar"; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014050; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_12_30, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Acrobat 8/9.3 PDF exploit download request 3"; flow:established,to_server; content:"/fdp2.php?f="; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014051; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_12_30, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Acrobat 1-7 PDF exploit download request 3"; flow:established,to_server; content:"/fdp1.php?f="; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014052; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_12_30, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Likely Flash exploit download request score.swf"; flow:established,to_server; content:"/score.swf"; http_uri; metadata: former_category CURRENT_EVENTS; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014053; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_12_30, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Loader EXE Payload Request"; flow:established,to_server; urilen:34; content:"/?"; depth:2; http_uri; pcre:"/^\/\?[a-f0-9]{32}$/U"; content:!"User-Agent|3a| "; http_header; content:" HTTP/1.1|0d 0a|Host|3a| "; classtype:trojan-activity; sid:2014058; rev:2; metadata:created_at 2011_12_30, updated_at 2011_12_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole-like Java Exploit request to .jar?t="; flow:established,to_server; content:".jar?t="; http_uri; nocase; fast_pattern; content:"&h="; http_uri; distance:0; content:"|29| Java/1."; http_header; pcre:"/\.jar\?t=\d+&h=[^&]+$/Ui"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014094; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_01_04, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Excessive JavaScript replace /g - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; file_data; content:"replace|28 2F|"; nocase; distance:0; content:"|2F|g"; distance:1; within:5; content:"replace|28 2F|"; within:80; nocase; content:"|2F|g"; distance:1; within:5; content:"replace|28 2F|"; within:80; nocase; content:"|2F|g"; distance:1; within:5; content:"replace|28 2F|"; within:80; nocase; content:"|2F|g"; distance:1; within:5; classtype:bad-unknown; sid:2014098; rev:5; metadata:created_at 2012_01_04, updated_at 2012_01_04;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zeus POST Request to CnC - content-type variation"; flow:established,to_server; content:"POST"; http_method; content:"|20|HTTP/1."; content:"|0d 0a|Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded"; distance:1; within:62; content:"|3a 20|no-cache|0d 0a|User-Agent|3a 20|Mozilla"; distance:0; content:"|0d 0a|Host|3a 20|"; distance:0; content:"Content-Length|3a 20|"; distance:0; content:!"0"; within:1; content:"|0d 0a 0d 0a|"; distance:0; content:!"Referer|3a 20|"; http_header; content:!"Accept-Language|3a 20|"; http_header; classtype:trojan-activity; sid:2014104; rev:1; metadata:created_at 2012_01_09, updated_at 2012_01_09;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zeus POST Request to CnC - content-type variation"; flow:established,to_server; content:"POST"; http_method; content:"|20|HTTP/1."; content:"|0d 0a|Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded"; distance:1; within:62; content:"|3a 20|no-cache|0d 0a|User-Agent|3a 20|Mozilla"; distance:0; content:"|0d 0a|Host|3a 20|"; distance:0; content:"Content-Length|3a 20|"; distance:0; content:!"0"; within:1; content:"|0d 0a 0d 0a|"; distance:0; content:!"Referer|3a 20|"; http_header; content:!"Accept-Language|3a 20|"; http_header; content:!"Host|3a 20|update.cooliris.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2014106; rev:3; metadata:created_at 2012_01_09, updated_at 2012_01_09;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st.QQ Checkin"; flow:to_server,established; content:"QQ|3a|124971919"; depth:12; content:"|00 00|"; distance:2; within:2; content:"|00 00 78 9C|"; distance:2; within:4; reference:url,www.threatexpert.com/report.aspx?md5=899feda736be77a39d05f0a5002048f0; classtype:trojan-activity; sid:2014109; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2012_01_10, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st.QQ Checkin 2"; flow:to_server,established; content:"QQ|3a|"; depth:3; content:"|00 00|"; distance:11; within:2; content:"|00 00 78 9C|"; distance:2; within:4; byte_test:2,>,15,12,little; reference:url,www.threatexpert.com/report.aspx?md5=899feda736be77a39d05f0a5002048f0; classtype:trojan-activity; sid:2014110; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2012_01_10, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY Blackhole - Help and Control Panel Exploit Request"; flow:established,to_server; content:"/cph2.php?c="; http_uri; metadata: former_category CURRENT_EVENTS; reference:url,jsunpack.jeek.org/?report=2b1d42ba5b47676db4864855ac239a73fb8217ff; classtype:trojan-activity; sid:2014125; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_01_12, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY Blackhole Likely Flash Exploit Request /field.swf"; flow:established,to_server; content:"/field.swf"; http_uri; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014126; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_01_14, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET DELETED W32/Ramnit Initial CnC Connection"; flow:established,to_server; dsize:6; content:"|00 FF FB 00 00 00|"; fast_pattern:only; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:trojan-activity; sid:2014131; rev:3; metadata:created_at 2012_01_17, updated_at 2012_01_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested class.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/class.class"; http_uri; classtype:trojan-activity; sid:2014138; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_01_21, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PoisonIvy.Esf Keepalive to CnC"; flow:established,to_server; content:"|ad 4a 6c bb a7 9c 30 3e 44 bc cf a5 db 77 3c 62|"; offset:16; depth:16; dsize:48; reference:md5,e6ca06e9b000933567a8604300094a85; classtype:trojan-activity; sid:2014143; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2012_01_23, malware_family PoisonIvy, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PoisonIvy.Eks Keepalive to CnC"; flow:established,to_server; content:"|82 ca 6f eb 66 ed 9e 86 dc 95 29 f0 68 a2 5d b8|"; offset:16; depth:16; dsize:48; reference:md5,9a494e7a48436e6defcb44dd6f053b33; classtype:trojan-activity; sid:2014144; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2012_01_23, malware_family PoisonIvy, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Acrobat 8/9.3 PDF exploit download request 4"; flow:established,to_server; content:"/adfp2.php?f="; http_uri; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014157; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_01_27, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Acrobat 1-7 PDF exploit download request 4"; flow:established,to_server; content:"/addfp1.php?f="; http_uri; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014158; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_01_27, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Rhino Java Exploit request to /content/rino.jar"; flow:established,to_server; content:"/content/rino.jar"; http_uri; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014159; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_01_27, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole OBE Java Exploit request to /content/obe.jar"; flow:established,to_server; content:"/content/obe.jar"; http_uri; reference:cve,CVE-2010-0840; reference:cve,CVE-2010-0842; classtype:trojan-activity; sid:2014160; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_01_27, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Styx Exploit Kit Landing"; flow:established,to_server; urilen:7; content:"/i.html"; http_uri; depth:7; fast_pattern; content:"Referer|3a| "; http_header; content:!"|0d 0a|"; http_header; within:100; content:"|0d 0a|"; distance:0; http_header; classtype:bad-unknown; sid:2014171; rev:6; metadata:created_at 2012_01_31, updated_at 2012_01_31;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Incognito/Sakura exploit kit landing page with obfuscated URLs"; flow:established,from_server; file_data; content:"<applet"; within:500; content:"lxxt>33"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014176; rev:5; metadata:created_at 2012_01_31, updated_at 2012_01_31;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Incognito/Sakura exploit kit binary download request"; flow:established,to_server; content:"/load.php?showforum="; http_uri; pcre:"/^\/load.php\?showforum=(ato|obe|rhino|lib)$/U"; classtype:trojan-activity; sid:2014177; rev:8; metadata:created_at 2012_01_31, updated_at 2012_01_31;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Malware Checkin Possibly ZeuS"; flow:established,to_server; content:"POST"; http_method; content:"/rssfeed.php"; http_uri; content:"bn1="; http_client_body; content:"&sk1="; http_client_body; reference:url,anubis.iseclab.org/?action=result&task_id=1c19710e150ee00941148dee842a02976; classtype:trojan-activity; sid:2014178; rev:2; metadata:created_at 2012_02_02, updated_at 2012_02_02;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malicious file BaiduPlayer1.0.21.25.exe download"; flow:established,to_server; content:"GET"; http_method; content:"/BaiduPlayer/BaiduPlayer1.0.21.25.exe"; nocase; http_uri; content:"dl.client.baidu.com"; http_header; nocase; classtype:trojan-activity; sid:2014181; rev:3; metadata:created_at 2012_02_06, updated_at 2012_02_06;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malicious getpvstat.php file Reporting"; flow:established,to_server; content:"GET"; http_method; content:"/getpvstat.php"; nocase; http_uri; content:"p="; nocase; http_uri; content:"jss.155game.com"; http_header; nocase; classtype:trojan-activity; sid:2014182; rev:2; metadata:created_at 2012_02_06, updated_at 2012_02_06;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?id Download Secondary Request"; flow:established,to_server; content:".php?id"; http_uri; pcre:"/^[^?#]+?\.php\?id[a-z0-9]*=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014189; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_02_06, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit JavaScript colon string splitting"; flow:established,from_server; content:"<html><body><pre style=|22|visibility|3a|hidden|3b 22|"; fast_pattern:only; pcre:"/(-?\d+\x3a-?\d+\x3a){100}/"; classtype:trojan-activity; sid:2014194; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_02_06, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Acrobat 8/9.3 PDF exploit download request 5"; flow:established,to_server; content:"/adp"; http_uri; content:".php?f="; http_uri; pcre:"/\/adp\d\.php\?=[0-9a-z]{2,6}/Ui"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014195; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_02_06, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit request to /content/rin.jar"; flow:established,to_server; content:"/content/rin.jar"; http_uri; classtype:trojan-activity; sid:2014196; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_02_06, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED ZeuS - ICE-IX cid= in cookie"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"|0D 0A|Cookie|3a| cid="; pcre:"/^\d{4}\r$/Rm"; content:!"mowersdirect.com|0d 0a|"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2014198; rev:9; metadata:created_at 2012_02_06, updated_at 2017_09_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MSUpdater post-auth checkin"; flow:established,to_server; content:"/search6"; http_uri; fast_pattern; content:"?h1="; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|Windows NT 5.2)"; http_header; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:trojan-activity; sid:2014214; rev:3; metadata:created_at 2012_02_07, updated_at 2012_02_07;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED TDS Sutra Exploit Kit Redirect Received"; flow:established,from_server; content:"302"; http_stat_code; content:"=_"; http_header; content:"_|3b| domain="; http_header; distance:1; within:10; pcre:"/^[a-z]{5}\d=\x5f\d\x5f/C"; classtype:trojan-activity; sid:2014220; rev:6; metadata:created_at 2012_02_10, updated_at 2012_02_10;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET DELETED Unknown HTTP CnC Checkin"; flow:established,to_server; content:"POST "; depth:5; content:".ru|3a|8080|0D 0A|"; fast_pattern; pcre:"/Host\x3a\s[a-z]{16}\.ru/"; classtype:trojan-activity; sid:2014221; rev:2; metadata:created_at 2012_02_13, updated_at 2012_02_13;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Adware.iBryte.B Install"; flow:to_server,established; content:"GET"; http_method; content:"/impression.do"; http_uri; fast_pattern:only; content:"event="; http_uri; content:"_id="; http_uri; content:!"Referer|3a|"; http_header; reference:md5,1497c33eede2a81627c097aad762817f; classtype:trojan-activity; sid:2018194; rev:8; metadata:created_at 2012_02_13, updated_at 2012_02_13;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - info.exe"; flow:established,to_client; content:"attachment|3b|"; http_header; content:"info."; fast_pattern; http_header; distance:0; content:"|0d 0a|"; http_header; within:6; pcre:"/attachment\x3b[^\r\n]*?info\.(dll|exe)[\x22\x27]?\r?$/Hmi"; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2014235; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_02_18, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - contacts.exe"; flow:established,to_client; content:"attachment|3b|"; http_header; content:"contacts."; fast_pattern; http_header; distance:0; content:"|0d 0a|"; within:6; http_header; pcre:"/attachment\x3b[^\r\n]*?contacts\.(dll|exe)[\x22\x27]?\r?$/Hmi"; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2014236; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_02_18, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - calc.exe"; flow:established,from_server; content:"attachment|3b|"; http_header; content:"calc.exe"; http_header; distance:0; content:"|0d 0a|"; http_header; within:3; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2014237; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_02_18, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - about.exe"; flow:established,to_client; content:"attachment|3b|"; http_header; content:"about."; http_header; distance:0; content:"|0d 0a|"; http_header; within:6; pcre:"/attachment\x3b[^\r\n]*?about\.(dll|exe)[\x22\x27]?\r?$/Hmi"; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2014238; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_02_18, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Win32/Cridex.B Self Signed SSL Certificate (root@ks310208.kimsufi.com)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"root@ks310208.kimsufi.com"; content:"SomeOrganizationalUnit1"; classtype:trojan-activity; sid:2014240; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2012_02_18, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY Generic - Java Exploit Obfuscated With Allatori"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"Allatori"; nocase; classtype:bad-unknown; sid:2014241; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_02_20, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED TDS Trojan Stream request /stream?"; flow:established,to_server; urilen:9; content:"/stream?"; http_uri; pcre:"/^\/stream\?\d$/U"; classtype:bad-unknown; sid:2014242; rev:6; metadata:created_at 2012_02_20, updated_at 2012_02_20;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL 2"; flow:established,from_server; content:"<applet"; depth:500; content:"vssMlgg"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014244; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_02_20, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit request similar to /content/jav.jar"; flow:established,to_server; content:"/content/jav"; http_uri; content:".jar"; http_uri; pcre:"/\/content\/jav\d?\.jar$/U"; classtype:trojan-activity; sid:2014245; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_02_20, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Sefnit Checkin 3"; flow:established,to_server; content:"?re="; http_uri; content:"&r="; distance:0; http_uri; content:"&u="; distance:0; http_uri; content:"&cid="; distance:0; http_uri; content:"&rc="; distance:0; http_uri; content:"&pa="; distance:0; http_uri; content:"&ref1="; distance:0; http_uri; content:"&ref2="; distance:0; http_uri; classtype:trojan-activity; sid:2014246; rev:2; metadata:created_at 2012_02_20, updated_at 2012_02_20;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/DarkComet Second Stage Download Request"; flow:established,to_server; content:"GET"; http_method; content:"/Update/Update.bin"; http_uri; reference:url,blog.trendmicro.com/darkcomet-surfaced-in-the-targeted-attacks-in-syrian-conflict/; classtype:trojan-activity; sid:2014273; rev:2; metadata:created_at 2012_02_24, updated_at 2012_02_24;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Tax Landing Page with JavaScript Attack"; flow:established,from_server; content:"Please wait, till tax confirmation is ready."; fast_pattern:only; content:"try{"; content:"catch("; metadata: former_category CURRENT_EVENTS; classtype:attempted-admin; sid:2014274; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_02_24, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit request to /content/jav2.jar"; flow:established,to_server; content:"/content/jav2.jar"; http_uri; classtype:trojan-activity; sid:2014278; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_02_24, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Acrobat 8/9.3 PDF exploit download request 6"; flow:established,to_server; content:"/data/ap2.php"; http_uri; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014279; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_02_24, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Acrobat 1-7 PDF exploit download request 6"; flow:established,to_server; content:"/ap1.php?f="; http_uri; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014280; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_02_24, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Java Applet with Obfuscated URL 2"; flow:established,from_server; content:"<applet"; depth:500; content:"Mlgg"; fast_pattern; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2014281; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_02_24, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Download Secondary Request ?pagpag"; flow:established,to_server; content:".php?pagpag="; http_uri; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2014282; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_02_24, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Exploit Pack HCP exploit 4"; flow:established,to_server; content:"/hhcp.php?c="; http_uri; pcre:"/hhcp.php?c=[a-f0-9]{5}$/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2014284; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_02_24, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/Backdoor.Kbot Config Retrieval"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/getcfg.php"; http_uri;  content:"oop="; http_client_body; depth:4; reference:md5,b8ee86e57261fd3fb422a2b20a3c3e09; classtype:trojan-activity; sid:2014291; rev:3; metadata:created_at 2012_02_29, updated_at 2012_02_29;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED High Probability Blackhole Landing with catch qq"; flow:established,from_server; content:")|3b|}catch(qq"; fast_pattern:only; classtype:bad-unknown; sid:2014294; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_02_29, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole obfuscated Javascript 171 charcodes >= 48"; flow:established,from_server; content:"G<H6>F=7.49B7F"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2014298; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_03_02, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit request to /content/viewer.jar"; flow:established,to_server; content:"/content/viewer.jar"; http_uri; classtype:trojan-activity; sid:2014299; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_03_02, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - readme.exe"; flow:established,from_server; content:"attachment|3b|"; http_header; content:"readme."; fast_pattern; http_header; distance:0; content:"|0d 0a|"; http_header; within:6; pcre:"/attachment\x3b[^\r\n]*?readme\.(dll|exe)[\x22\x27]?\r?$/Hmi"; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2014301; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_03_05, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED OSX/Flashback Checkin via Twitter Hashtag Pepbyfadxeoa"; flow:established,to_server; content:"/searches?q=#pepbyfadxeoa"; fast_pattern; http_uri; content:"Host|3A 20|mobile.twitter.com|0d 0a|"; http_header; reference:url,blog.intego.com/flashback-mac-malware-uses-twitter-as-command-and-control-center/; classtype:trojan-activity; sid:2014333; rev:3; metadata:created_at 2012_03_07, updated_at 2012_03_07;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED INBOUND Blackhole Java Exploit request similar to /content/jav.jar"; flow:established,to_server; content:"/content/jav"; http_uri; content:".jar"; http_uri; pcre:"/\/content\/jav\d?\.jar$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014346; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_03_08, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET DELETED RevProxy ServerRespone"; flow:established,to_client; dsize:9; content:"|04 00 00 01 01 00 00 00 04|"; reference:md5,5d6f186f10acf5f21a3498601465cf40; classtype:trojan-activity; sid:2014349; rev:2; metadata:created_at 2012_03_09, updated_at 2012_03_09;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED RevProxy ClientPing"; flow:established,to_server; dsize:9; content:"|04 00 00 01 01 00 00 00 05|"; reference:md5,5d6f186f10acf5f21a3498601465cf40; classtype:trojan-activity; sid:2014350; rev:2; metadata:created_at 2012_03_09, updated_at 2012_03_09;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED RevProxy CnC List Request"; flow:established,to_server; content:"?net=gnutella2&get=1&client=RAZA2.5.0.0"; http_uri; reference:md5,5d6f186f10acf5f21a3498601465cf40; classtype:trojan-activity; sid:2014351; rev:2; metadata:created_at 2012_03_09, updated_at 2012_03_09;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Banload Trojan Downloader Dropped Binary"; flow:established,to_client; content:"C|00|o|00|m|00|p|00|a|00|n|00|y|00|N|00|a|00|m|00|e|00|"; content:"m|00|i|00|l|00|k|00|"; fast_pattern; within:30; content:"I|00|n|00|t|00|e|00|r|00|n|00|a|00|l|00|N|00|a|00|m|00|e|00|"; distance:0; content:"m|00|i|00|l|00|k|00|"; within:30; content:"L|00|e|00|g|00|a|00|l|00|C|00|o|00|p|00|y|00|r|00|i|00|g|00|h|00|t|00|"; distance:0; content:"m|00|i|00|l|00|k|00|"; within:30; reference:md5,31bb4e0d67a5af96d5b5691966e25d73; classtype:trojan-activity; sid:2014367; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2012_03_13, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole qwe123 PDF"; flow:established,from_server; file_data; content:"%PDF-1.6"; within:8; content:"|20 28|qwe123"; fast_pattern:only; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014368; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_03_13, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing with prototype catch"; flow:established,from_server; file_data; content:"if(window.document)try{new"; distance:0; content:".prototype}catch("; distance:0; fast_pattern; classtype:bad-unknown; sid:2014369; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_03_13, malware_family Blackhole, updated_at 2018_01_25;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Possible Kelihos .eu CnC Domain Generation Algorithm (DGA) Lookup Detected"; byte_test:1,!&,0xF8,2; content:"|00 00 07|"; depth:16; content:"|02|eu|00|"; fast_pattern:only; pcre:"/\x00\x07[a-z]{7}\x02eu\x00/"; threshold: type both, count 5, seconds 120, track by_src; classtype:trojan-activity; sid:2014371; rev:7; metadata:created_at 2012_03_14, updated_at 2012_03_14;)

#alert udp any 53 -> $HOME_NET any (msg:"ET DELETED Possible Zeus .ru CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|02|ru|00|"; fast_pattern:only; pcre:"/[^a-z0-9\-\.][a-z0-9]{32,48}\x02ru\x00\x00/"; threshold: type both, track by_src, count 2, seconds 60; classtype:trojan-activity; sid:2014373; rev:2; metadata:created_at 2012_03_14, updated_at 2012_03_14;)

#alert udp any 53 -> $HOME_NET any (msg:"ET DELETED Possible Zeus .info CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|04|info|00|"; fast_pattern:only; pcre:"/[^a-z0-9\-\.][a-z0-9]{32,48}\x04info\x00\x00/"; threshold: type both, track by_src, count 2, seconds 60; classtype:trojan-activity; sid:2014374; rev:3; metadata:created_at 2012_03_14, updated_at 2012_03_14;)

#alert udp any 53 -> $HOME_NET any (msg:"ET DELETED Possible Zeus .biz CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|03|biz|00|"; fast_pattern:only; pcre:"/[^a-z0-9\-\.][a-z0-9]{32,48}\x03biz\x00\x00/"; threshold: type both, track by_src, count 2, seconds 60; classtype:trojan-activity; sid:2014375; rev:2; metadata:created_at 2012_03_14, updated_at 2012_03_14;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Cutwail Landing Page WAIT PLEASE"; flow:established,from_server; file_data; content:"<h1>WAIT PLEASE</h1>"; nocase; within:200; classtype:bad-unknown; sid:2014377; rev:1; metadata:created_at 2012_03_14, updated_at 2012_03_14;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole/Cutwail Redirection Page 1"; flow:established,from_server; file_data; content:"document.location="; distance:0; content:".php?"; fast_pattern; within:100; pcre:"/\.php\?[^&]{1,8}=[a-f0-9]{16}[\x22\x27\x3b]/"; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2014378; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_03_14, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/Bifrose.Backdoor Checkin Attempt via Facebook"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/omaha/update.php?"; http_uri; content:"User-Agent|3A 20|Facebook Update/"; http_header; content:"winhttp|3b|"; http_header; reference:md5,61661202e320dd91e4f7e4a10616eefc; classtype:trojan-activity; sid:2014404; rev:2; metadata:created_at 2012_03_20, updated_at 2012_03_20;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole client=done Cookie Set"; flow:established,from_server; content:"client=done|3b|"; content:"client=done|3b|"; http_cookie; depth:12; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2014412; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_03_22, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY Blackhole client=done Cookie Present"; flow:established,to_server; content:"client=done"; content:"client=done"; http_cookie; depth:11; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2014413; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_03_22, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole Landing Page applet param window.document"; flow:established,from_server; file_data; content:"<applet"; within:100; content:"<param"; distance:0; content:"window.document"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2014414; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_03_22, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit JavaScript dotted quad hostile applet"; flow:established,from_server; content:"<html><body><applet"; fast_pattern; content:"archive="; distance:0; content:"code=";  pcre:"/archive=[^\x3e]+?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; metadata: former_category CURRENT_EVENTS; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:2014415; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_03_22, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DELETED Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt 2 byte"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02 02|"; distance:1; within:2; byte_test:2,<,0x06,0,relative,big;  reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014432; rev:9; metadata:created_at 2012_03_23, updated_at 2012_03_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DELETED Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt 3 byte"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02 03|"; distance:1; within:2; byte_test:3,<,0x06,0,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014433; rev:10; metadata:created_at 2012_03_23, updated_at 2012_03_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DELETED Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt 4 byte"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02 04|"; distance:1; within:2; byte_test:4,<,0x06,0,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014434; rev:10; metadata:created_at 2012_03_23, updated_at 2012_03_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit request to /Pol.jar"; flow:established,to_server; content:"/Pol.jar"; http_uri; flowbits:set,et.exploitkitlanding;  classtype:trojan-activity; sid:2014436; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_03_28, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - scandsk.exe"; flow:established,from_server; content:"attachment|3b|"; http_header; content:"scandsk"; http_header; fast_pattern; within:20;  content:".exe|0d 0a|"; http_header; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2014440; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_03_28, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY Blackhole - Landing Page Requested - /Home/index.php"; flow:to_server,established; urilen:15; content:"/Home/index.php"; http_uri; flowbits:set,et.exploitkitlanding; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2014441; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_03_29, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY Blackhole - Landing Page Requested - *.php?*=16HexCharacters in http_uri"; flow:to_server,established; urilen:>23; content:".php?"; http_uri; content:"="; within:8; http_uri; pcre:"/\?[a-z]{1,7}=[a-f0-9]{16}$/U";  pcre:"/=.*[a-f].*$/U"; flowbits:set,et.exploitkitlanding; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2014442; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_03_29, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Landing Page Recieved - applet and flowbit"; flow:from_server,established; flowbits:isset,et.exploitkitlanding; file_data; content:"<applet"; classtype:bad-unknown; sid:2014443; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_03_29, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Page redirecting to driveby"; flow:from_server,established; file_data; content:"/Home/index.php\" width=1 height=1 scrolling=no></iframe>"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2014444; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_03_29, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Dynamic DNS Exploit Pack Payload"; flow:established,to_server; content:".php"; http_uri; content:"quote="; distance:0; http_uri; content:"tid=";http_uri; content:"fid="; http_uri; flowbits:set,et.exploitkitlanding;  classtype:bad-unknown; sid:2014445; rev:6; metadata:created_at 2012_03_29, updated_at 2012_03_29;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Exploit Kit JAR from //Home/"; flow:established,to_server; content:"GET //Home/"; depth:11; fast_pattern; content:".jar"; http_uri; nocase; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:2014457; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_04_01, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zeus CnC Checkin POST to Config.php"; flow:established,to_server; content:"POST"; nocase; http_method; urilen:11; content:"/config.php"; http_uri; fast_pattern; content:"Accept|3A| */*"; http_header; content:"Content-Type|3A| application/x-www-form-urlencoded"; http_header; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 8.0|3B| Windows NT 5.1|3B|"; http_header; reference:url,blog.fireeye.com/research/2012/04/zeus-takeover-leaves-undead-remains.html#more; classtype:trojan-activity; sid:2014460; rev:4; metadata:created_at 2012_04_04, updated_at 2012_04_04;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Likely Blackhole eval haha"; flow:established,from_server; content:"eval(haha"; fast_pattern:only; metadata: former_category CURRENT_EVENTS; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:2020604; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_04_04, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Likely Blackhole PDF served from iframe"; flow:established,from_server; content:".pdf|27|/></iframe>"; fast_pattern:only; metadata: former_category CURRENT_EVENTS; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:2014470; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_04_04, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Blackhole Landing to 8 chr folder plus index.html"; flow:established,to_server; content:"/index.htm"; fast_pattern:only; http_uri; urilen:20<>21; content:!"search"; nocase; http_uri; pcre:"/^\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*\/index\.html?$/U";  classtype:bad-unknown; sid:2014521; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_04_05, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Exploit Kit Delivering Compressed Flash Content to Client"; flow:established,to_client; flowbits:isset,et.exploitkitlanding; file_data; content:"CWS"; within:3; classtype:bad-unknown; sid:2014527; rev:2; metadata:created_at 2012_04_06, updated_at 2012_04_06;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32.Sality.bh Checkin"; flow:to_server,established; content:"/logo.gif?"; http_uri; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| .NET CLR 1.1.4322|3b| .NET CLR 2.0.50728)|0d 0a|Host|3a| "; http_header; pcre:"/\x2flogo\x2egif\x3f([0-9a-z]){5}\x3d\d{6,7}/U"; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; reference:md5,c15f4fe2e180150dc511aa64427404c5; classtype:trojan-activity; sid:2018111; rev:2; metadata:created_at 2012_04_09, updated_at 2012_04_09;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit request to /Klot.jar"; flow:established,to_server; content:"/Klot.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014536; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_04_10, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Initial Blackhole Landing .prototype.q catch with split"; flow:established,from_server; content:".prototype.q}catch("; fast_pattern:only; content:".split("; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014537; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_04_10, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Initial Blackhole Landing Loading... Please Wait"; flow:established,from_server; content:"Please Wait"; fast_pattern:only; content:">Loading..."; content:"<script"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014538; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_04_10, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing for Loading prototype catch"; flow:established,from_server; content:">Loading..."; fast_pattern:only; content:").prototype."; content:"}catch("; within:10; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014540; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_04_12, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a a known malware domain (sektori. org)"; flow: to_server,established; content:"sektori.org|0D 0A|"; fast_pattern:only; http_header; metadata: former_category TROJAN; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Coswid-C/detailed-analysis.aspx; classtype:trojan-activity; sid:2014571; rev:4; metadata:created_at 2012_04_16, updated_at 2018_01_02;)

#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32 Jadtre/Wapomi/Nimnul/Viking.AY ICMP ping"; icode:0; itype:8; dsize:36; content:"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"; classtype:trojan-activity; sid:2014595; rev:4; metadata:created_at 2012_04_16, updated_at 2012_04_16;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan-Downloader.Win32.Agent.vhvw Checkin MINIASP"; flow:to_server,established; content:".asp?device_t="; http_uri; content:"&key="; http_uri; content:"&device_id="; http_uri; content:"&cv="; http_uri; threshold: type both, track by_src, count 1, seconds 120; metadata: former_category TROJAN; reference:md5,e4a4e2a3b3adaf3a31e34cd2844a3374; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=1042762#none; classtype:trojan-activity; sid:2016430; rev:3; metadata:created_at 2012_04_18, updated_at 2018_05_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Blackhole Landing to 8 chr folder plus js.js"; flow:established,to_server; content:"/js.js"; http_uri; urilen:15; pcre:"/^\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*\/js\.js$/U"; classtype:bad-unknown; sid:2014629; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_04_20, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAV Security Shield payment page request"; flow:established,to_server; content:!"Referer|3a| "; http_header; content:"/payform/?k="; http_uri; classtype:trojan-activity; sid:2014631; rev:3; metadata:created_at 2012_04_23, updated_at 2012_04_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit request to /Edu.jar"; flow:established,to_server; content:"/Edu.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014642; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_04_26, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole - Landing Page Recieved - applet PluginDetect and 10hexchar title"; flow:established,to_client; file_data; content:"PluginDetect"; content:"<applet"; pcre:"/<title>[a-f0-9]{10}<\/title>/"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014644; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_04_27, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Obfuscated Please wait Message"; flow:established,to_client; file_data; content:"Please|3A|wait|3A|page|3A|is|3A|loading"; distance:0; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; reference:url,isc.sans.edu/diary.html?storyid=13051; classtype:trojan-activity; sid:2014659; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_04_30, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing for prototype catch substr"; flow:established,from_server; content:"try{prototype|3b|}catch("; fast_pattern; content:"substr"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014661; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_05_01, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole - Jar File Naming Algorithm"; flow:established,to_client; content:"Content-Disposition|3a| inline"; http_header; nocase; content:".jar"; http_header; fast_pattern; file_data; content:"PK"; within:2; pcre:"/=[0-9a-f]{8}\.jar/H"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014664; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_05_02, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SpyEyeV1.3.48 Data Post to CnC - lol.php"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/lol.php"; http_uri; content:"data="; depth:5; http_client_body; reference:url,blogs.mcafee.com/mcafee-labs/latest-spyeye-botnet-active-and-cheaper; classtype:trojan-activity; sid:2014669; rev:4; metadata:created_at 2012_05_02, updated_at 2012_05_02;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Injected Page Leading To Driveby"; flow:established,to_client; file_data; content:"/images.php?t="; fast_pattern; content:"width=\"1\" height=\"1\""; within:100; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014666; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_05_02, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit request to /Cal.jar"; flow:established,to_server; content:"/Cal.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014724; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_05_09, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Request for Blackhole Exploit Kit Landing Page - src.php?case="; flow:established,to_server; content:"/src.php?case="; http_uri; pcre:"/\x2Fsrc\x2Ephp\x3Fcase\x3D[a-f0-9]{16}$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014725; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_05_09, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Outdated Mac Flash Version"; flow:established,to_server; content:"x-flash-version|3a 20|"; http_header; content:!"18,0,0,366|0d 0a|"; distance:0; within:12; http_header; content:!"22,0,0,209|0d 0a|"; distance:0; within:12; http_header; content:"Macintosh"; http_header; pcre:"/^User-Agent\x3a.+?Macintosh/Hm"; threshold: type limit, count 1, seconds 60, track by_src; classtype:policy-violation; sid:2014727; rev:60; metadata:created_at 2012_05_09, updated_at 2016_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential FAKEAV Download a-f0-9 x16 download"; flow:to_server,established; content:"/pr2/"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{16}\/.+?\.(exe|zip)$/U"; classtype:bad-unknown; sid:2014730; rev:7; metadata:created_at 2012_05_10, updated_at 2012_05_10;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Try Prototype Catch May 11 2012"; flow:from_server,established; file_data; content:"|3b|try{prototype|3b|}catch("; content:"){"; within:6; classtype:trojan-activity; sid:2014745; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_05_11, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit request to /Set.jar"; flow:established,to_server; content:"/Set.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014746; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_05_14, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Try Prototype Catch May 14 2012"; flow:from_server,established; content:"try{"; content:"=prototype|3b|}catch("; within:30; classtype:trojan-activity; sid:2014747; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_05_14, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED RedKit Repeated Exploit Request Pattern"; flow:established,to_server; content:".php?t="; nocase; http_uri; pcre:"/\.php\?t=\d{2,7}$/U"; threshold:type both, track by_src, count 5, seconds 15; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; reference:url,malware.dontneedcoffee.com/2012/05/inside-redkit.html; reference:url,malware.dontneedcoffee.com/2012/05/redkit-not-so-red-anymore.html; reference:url,www.malwaredomainlist.com/forums/index.php?topic=4855.msg23470; classtype:trojan-activity; sid:2014748; rev:3; metadata:created_at 2012_05_14, updated_at 2012_05_14;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED probable malicious Glazunov Javascript injection"; flow:established,from_server; content:"|22|,|22|"; content:"|22|)|3b|</script></body>"; distance:64; within:83; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014753; rev:5; metadata:created_at 2012_05_17, updated_at 2012_05_17;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page JavaScript Split String Obfuscation of CharCode"; flow:established,to_client; content:"|22|h|22|+|22|arCode|22 3B|"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014773; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_05_18, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Malicious PDF qweqwe="; flow:established,to_client; content:"><qwe qweqwe="; metadata: former_category CURRENT_EVENTS; reference:url,jsunpack.jeek.org/dec/go?report=4d25f4f01ff5cdbee35a23fcd9e047b69d917b47; classtype:trojan-activity; sid:2014774; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_05_18, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole PDF Payload Request"; flow:established,to_server; content:"/content/"; http_uri; content:".php?f="; http_uri; pcre:"/\x2Fcontent\x2F[a-z0-9]{1,6}\x2Ephp\x3Ff\x3D[0-9]{1,5}$/Ui"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014775; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_05_18, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole PDF Payload Request With Double Colon"; flow:established,to_server; content:"/content/"; http_uri; content:".php?f="; http_uri; content:"|3A 3A|"; http_uri; pcre:"/\x2Fcontent\x2F[a-z0-9]{1,6}\x2Ephp\x3Ff\x3D[0-9]{1,5}\x3A\x3A[0-9]{1,5}$/Ui"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014776; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_05_18, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Thetatic.A Client POST Get CMD Checkin"; flow:established,to_server; content:"POST"; http_method; content:"CONTENT-TYPE|3a| application/x-www-form-urlencoded"; fast_pattern; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| Win32|3b| WinHttp.WinHttpRequest.5)"; http_header; content:"cstype="; http_client_body; depth:7; content:"&authname="; distance:0; http_client_body; classtype:trojan-activity; sid:2014794; rev:2; metadata:created_at 2012_05_21, updated_at 2012_05_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Thetatic.A Checkin"; flow:established,to_server; content:"User-Agent|3a| Mozilla/5.0 (Windows|3B| U|3B| Windows NT 5.1|3B| rv|3a|1.9.1) Gecko/20090624 Firefox/3.5|0D 0A|Accept|3a| */*|0D 0A|Host|3a| "; http_header; depth:110; fast_pattern:72,20; classtype:trojan-activity; sid:2014796; rev:5; metadata:created_at 2012_05_21, updated_at 2012_05_21;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page getElementByID Qwe - May 22nd 2012"; flow:established,to_client; file_data; content:"getElementById']('qwe')"; distance:0; reference:url,blog.spiderlabs.com/2012/05/catch-me-if-you-can-trojan-banker-zeus-strikes-again-part-2-of-5-1.html; classtype:trojan-activity; sid:2014800; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_05_22, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Try App.title Catch - May 22nd 2012"; flow:established,to_client; file_data; content:"try{app.title}catch("; distance:0; metadata: former_category CURRENT_EVENTS; reference:url,blog.spiderlabs.com/2012/05/catch-me-if-you-can-trojan-banker-zeus-strikes-again-part-2-of-5-1.html; classtype:trojan-activity; sid:2014801; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_05_22, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Obfuscated Javascript Blob"; flow:established,to_client; file_data; content:"<pre id=|22|"; within:80; content:"style=|22|display|3A|none|3B 22 3E|"; within:100; isdataat:400,relative; content:!"|20|"; within:400; content:!"pre|3E|"; within:400; content:"|2C|"; distance:2; within:2; content:"|2C|"; distance:2; within:2; content:"|2C|"; distance:2; within:2; content:"|2C|"; distance:2; within:2; content:"|3C 2F|pre|3E|3Cscript|3E|"; fast_pattern; distance:400; pcre:"/display\x3Anone\x3B\x22\x3E[0-9]{2,3}\x2C[0-9]{2,3}\x2C[0-9]{2,3}\x2C[0-9]{2,3}\x2C[0-9]{2,3}[^\r\n]*\x3C\x2Fpre\x3E\x3Cscript\x3E/sm"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014820; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_05_30, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole RawValue Specific Exploit PDF"; flow:established,to_client; file_data; content:"%PDF-"; within:5; content:"|2E|rawValue|5D 5B|0|5D 2E|split|28 27 2D 27 29 3B|"; distance:0; metadata: former_category CURRENT_EVENTS; reference:cve,2010-0188; classtype:trojan-activity; sid:2014821; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_05_30, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Malicious PDF asdvsa"; flow:established,from_server; file_data; content:"obj"; distance:0; content:"<<"; within:4; content:"(asdvsa"; within:80; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014823; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_05_30, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Script Profile ASD"; flow:established,to_client; file_data; content:"pre id=|22|asd|22|"; within:80; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014825; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_05_30, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Redkit Java Exploit request to b.class"; flow:established,to_server; urilen:10; content:"/b.class"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014824; rev:3; metadata:created_at 2012_05_30, updated_at 2012_05_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Redkit Java Exploit request to .class file"; flow:established,to_server; content:".class"; http_uri; pcre:"/\/\w{1,2}\/\w{1,2}\.class$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014830; rev:3; metadata:created_at 2012_05_30, updated_at 2016_06_10;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Loading Gif Inline Image"; flow:established,from_server; content:"background|3a|url(data|3a|image/gif|3b|base64,R0lGODlhEAAQAAAAACH/C05FVFNDQVBFMi4wAwH//"; classtype:trojan-activity; sid:2014842; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_01, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Exploit Kit Request tkr"; flow:established,to_server; content:".php?"; http_uri; content:"src="; http_uri; distance:0; content:"&gpr="; http_uri; distance:0; content:"&tkr="; http_uri; fast_pattern; distance:0; pcre:"/[\?&]src=\d+&gpr=\d+&tkr[ib]?=[a-f0-9]/U"; flowbits:set,et.exploitkitlanding; metadata: former_category TROJAN; classtype:trojan-activity; sid:2014843; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_01, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Probable Golfhole exploit kit landing page #2"; flow:established,to_server; content:"/index.php?"; http_uri; depth:11; urilen:43; pcre:"/index.php\?[0-9a-f]{32}$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014844; rev:2; metadata:created_at 2012_06_01, updated_at 2012_06_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Probable Golfhole exploit kit binary download #2"; flow:established,to_server; content:"/o/"; http_uri; depth:3; urilen:47; pcre:"/o/\d{9}\/[0-9a-f]{32}\/[0-9]$/U"; classtype:trojan-activity; sid:2014845; rev:2; metadata:created_at 2012_06_01, updated_at 2012_06_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAvCn-A Checkin 2"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/support/sr"; http_uri; fast_pattern:only; urilen:11; classtype:trojan-activity; sid:2014856; rev:1; metadata:created_at 2012_06_04, updated_at 2012_06_04;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Fraudulent Paypal Mailing Server Response June 04 2012"; flow:from_server,established; content:"<html>|0d 0a|<title>Paypal"; fast_pattern; content:"|3a 20|Loading<"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014858; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_04, malware_family Blackhole, updated_at 2018_01_25;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - dakotavolandos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|dakotavolandos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:trojan-activity; sid:2014859; rev:3; metadata:created_at 2012_06_06, updated_at 2012_06_06;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - dak1otavola1ndos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dak1otavola1ndos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:trojan-activity; sid:2014860; rev:3; metadata:created_at 2012_06_06, updated_at 2012_06_06;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - dako22tavol2andos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|dako22tavol2andos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:trojan-activity; sid:2014861; rev:3; metadata:created_at 2012_06_06, updated_at 2012_06_06;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - d3akotav33olandos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|d3akotav33olandos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:trojan-activity; sid:2014862; rev:3; metadata:created_at 2012_06_06, updated_at 2012_06_06;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - d4ak4otavolandos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|d4ak4otavolandos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:trojan-activity; sid:2014863; rev:3; metadata:created_at 2012_06_06, updated_at 2012_06_06;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Obfuscated Javascript redirecting to Blackhole June 7 2012"; flow:established,from_server; file_data; content:"st=\"no3"; content:"3rxtc\"\;Date"; distance:12; within:60; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2014873; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_08, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SutraTDS (enema) used in Blackhole campaigns"; flow:to_server,established; content:"/top2.html"; http_uri; content:"|0d 0a|Host|3a| enema."; http_header; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2014885; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_08, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Try Prototype Catch June 11 2012"; flow:from_server,established; content:"try{"; content:"=prototype"; within:25; content:"|3b|}catch("; within:15; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2014888; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_12, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED RedKit - Landing Page Received - applet and 5digit jar"; flow:established,to_client; content:"<applet"; fast_pattern; content:".jar"; distance:0; pcre:"/\W[0-9]{5}\.jar/"; classtype:trojan-activity; sid:2014894; rev:7; metadata:created_at 2012_06_15, updated_at 2012_06_15;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Initial Blackhole Landing - UPS Number Loading.. Jun 15 2012"; flow:established,from_server; content:"|20|Number|3A 20 09|Loading|2E 2E 3C|"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014907; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_15, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Initial Blackhole Landing - Verizon Balance Due Jun 15 2012"; flow:established,from_server; content:"|20|Balance Due|3a| Loading|2c 20|please wait|2e 2e 2e|"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014908; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_15, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole obfuscated Java EXE Download by Vulnerable Version - Likely Driveby"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_client; content:"|0d 0a 9c 62 d8 66 66 66 66 54|"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014909; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_15, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED RedKit - Landing Page Requested - 8Digit.html"; flow:established,to_server; urilen:14; content:".html"; http_uri; pcre:"/^\/[0-9]{8}\.html$/U"; flowbits:set,ET.http.driveby.redkit.uri; flowbits:noalert; classtype:trojan-activity; sid:2014916; rev:2; metadata:created_at 2012_06_18, updated_at 2012_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED RedKit - Landing Page Received - applet and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.redkit.uri; file_data; content:"<applet"; classtype:trojan-activity; sid:2014917; rev:4; metadata:created_at 2012_06_18, updated_at 2012_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit request to Half.jar"; flow:established,to_server; content:"/Half.jar"; http_uri; nocase; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014918; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_18, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Try Prototype Catch Jun 18 2012"; flow:established,from_server; content:"try{prototype"; content:"|3B|}catch("; distance:0; within:12; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014921; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_18, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Please wait a moment Jun 20 2012"; flow:established,to_client; file_data; content:"Please wait a moment. You will be forwarded..."; fast_pattern:26,20; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014931; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_21, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole - Blackhole Java Exploit request to Trop.jar"; flow:established,to_server;  content:"/Trop.jar"; http_uri; nocase; classtype:trojan-activity; sid:2014937; rev:18; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_22, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole RawValue Exploit PDF"; flow:established,to_client; file_data; content:"%PDF-"; within:5; content:"|2E|rawValue|5D 5B|0|5D 2E|split|28 27 2D 27 29 3B 26 23|"; distance:0; metadata: former_category CURRENT_EVENTS; reference:cve,2010-0188; classtype:trojan-activity; sid:2014940; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_22, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Hacked Website Response '/*km0ae9gr6m*/' Jun 25 2012"; flow:established,from_server; file_data; content:"/*km0ae9gr6m*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014964; rev:2; metadata:created_at 2012_06_25, updated_at 2012_06_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Hacked Website Response '/*qhk6sa6g1c*/' Jun 25 2012"; flow:established,from_server; file_data; content:"/*qhk6sa6g1c*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014965; rev:2; metadata:created_at 2012_06_25, updated_at 2012_06_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Unknown - Payload Download - 9Alpha1Digit.exe"; flow:established,to_client; content:"attachment"; http_header; content:".exe"; fast_pattern:only; http_header; pcre:"/[a-z]{9}[0-9]\.exe/H"; file_data; content:"MZ"; within:2; classtype:trojan-activity; sid:2014968; rev:7; metadata:created_at 2012_06_26, updated_at 2012_06_26;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole - Landing Page Requested - /*.php?*=16HexChar"; flow:established,to_server; flowbits:set,ET.http.driveby.blackhole.uri; flowbits:noalert; urilen:23<>60; content:".php?"; http_uri; content:"="; within:8; http_uri; pcre:"/\?[a-z]{1,10}=[a-f0-9]{16}$/U"; pcre:"/[0-9]{1,16}[a-f]{1,16}[0-9]{1,16}$/U"; classtype:trojan-activity; sid:2014973; rev:17; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_26, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole - Landing Page Requested - /*.php?*=8HexChar"; flow:established,to_server; flowbits:set,ET.http.driveby.blackhole.uri; flowbits:noalert; urilen:15<>52; content:".php?"; http_uri; content:"="; within:8; http_uri; pcre:"/\?[a-z]{1,10}=[a-f0-9]{8}$/U"; pcre:"/[0-9]{1,8}[a-f]{1,8}[0-9]{1,8}$/U"; classtype:trojan-activity; sid:2014974; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_27, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole - Landing Page Requested - /Home/index.php"; flow:established,to_server; content:"/Home/index.php"; http_uri; depth:15; flowbits:set,ET.http.driveby.blackhole.uri; flowbits:noalert; classtype:trojan-activity; sid:2014975; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_27, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole - Landing Page Recieved - applet and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.blackhole.uri; content:"<applet"; classtype:trojan-activity; sid:2014977; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_27, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole - Landing Page Received - catch and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.blackhole.uri; content:"}catch("; classtype:trojan-activity; sid:2014976; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_27, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Page Try Renamed Prototype Catch - June 28th 2012"; flow:established,to_client; file_data; content:"try {"; distance:0; content:"=prototype|2d|"; within:80; content:"} catch"; within:80; metadata: former_category CURRENT_EVENTS; reference:url,research.zscaler.com/2012/06/cleartripcom-infected-with-blackhole.html; classtype:trojan-activity; sid:2014981; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_06_28, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole - Blackhole Java Exploit request to spn.jar"; flow:established,to_server; content:"/spn.jar"; http_uri; nocase; classtype:trojan-activity; sid:2015001; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_02, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL 3"; flow:established,from_server; content:"|3c|applet"; fast_pattern; content:"56|3a|14|3a|14|3a|19|3a|27|3a|50|3a|50|3a|"; within:100; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2015005; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_03, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SofosFO exploit kit jar download"; flow:established,to_server; content:"GET"; http_method; content:"files.php?"; http_uri; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&file="; http_uri; content:".jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015006; rev:5; metadata:created_at 2012_07_03, updated_at 2012_07_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SofosFO exploit kit version check"; flow:established,to_server; content:"GET"; http_method; content:"&u="; http_uri; content:"&s="; http_uri; content:"&t="; http_uri; content:"&java"; http_uri; fast_pattern:only; content:"&pdf="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015007; rev:8; metadata:created_at 2012_07_03, updated_at 2012_07_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SofosFO exploit kit payload download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=x"; http_uri; fast_pattern:only; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&spl="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015009; rev:3; metadata:created_at 2012_07_03, updated_at 2012_07_03;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Split String Obfuscation of Eval 1"; flow:established,to_client; file_data; content:"e|22|+|22|va"; distance:0; pcre:"/(\x3D|\x5B\x22])e\x22\x2B\x22va/"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015012; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_03, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Split String Obfuscation of Eval 2"; flow:established,to_client; file_data; content:"e|22|+|22|v|22|+|22|a"; distance:0; pcre:"/(\x3D|\x5B\x22])e\x22\x2B\x22v\x22\x2B\x22a/"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015013; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_03, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Split String Obfuscation of Eval 3"; flow:established,to_client; file_data; content:"ev|22|+|22|a"; distance:0; pcre:"/(\x3D|\x5B\x22])ev\x22\x2B\x22a/"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015014; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_03, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Eval Variable Obfuscation 1"; flow:established,to_client; file_data;  content:"=|22|ev|22 3B|"; distance:0; content:"+|22|al|22|"; distance:0; pcre:"/\x2B\x22al\x22(\x3B|\x5D)/"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015025; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_05, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Eval Variable Obfuscation 2"; flow:established,to_client; file_data; content:"=|22|e|22 3B|"; distance:0; content:"+|22|val|22|"; distance:0; pcre:"/\x2B\x22val\x22(\x3B|\x5D)/"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015026; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_06, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Eval Variable Obfuscation 3"; flow:established,to_client; file_data; content:"=|22|eva|22 3B|"; distance:0; content:"+|22|l|22|"; distance:0; pcre:"/\x2B\x22l\x22(\x3B|\x5D)/"; classtype:trojan-activity; sid:2015027; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_06, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Applet Code Rafa.Rafa 6th July 2012"; flow:established,to_client; file_data; content:"<applet/code=|22|Rafa.Rafa|22|"; classtype:trojan-activity; sid:2015043; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_06, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Obfuscated Applet Value 6th July 2012"; flow:established,to_client; content:"<applet"; content:"value=|22|&#"; isdataat:50,relative; distance:0; content:"|3B|&#"; distance:4; within:3; content:"|3B|&#"; distance:4; within:3; content:"|3B|&#"; distance:4; within:3; pcre:"/value\x3D\x22\x26\x23[0-9]{4}\x3B\x26\x23[0-9]{4}\x3B\x26\x23[0-9]{4}\x3B\x26\x23/"; classtype:trojan-activity; sid:2015044; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_06, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Exploit Kit Java Exploit request to /Set1.jar 6th July 2012"; flow:established,to_server; content:"/Set1.jar"; http_uri; classtype:trojan-activity; sid:2015046; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_06, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Exploit Kit Landing Page Redirect.php Port 8080 Request"; flow:established,to_server; content:"/redirect.php?d="; fast_pattern:only; http_uri; content:"|3A|8080|0D 0A|"; http_header; pcre:"/\x2Fredirect\x2Ephp\x3Fd\x3D[0-9a-f]{8}$/U"; classtype:trojan-activity; sid:2015047; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_06, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED 09 July 2012 Blackhole Landing Page - Please Wait Loading"; flow:established,from_server; file_data; content:"Please wait, the page is loading..."; distance:0; nocase; content:"x-java-applet"; distance:0; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2015048; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_09, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Request For Blackhole Landing Page Go.php"; flow:established,to_server; content:"/go.php?d="; http_uri; fast_pattern:only; pcre:"/\x2Fgo\x2Ephp\x3Dd\x3D[a-f0-9]{16}$/U"; classtype:trojan-activity; sid:2015049; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_12, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Page Structure"; flow:established,to_client; file_data; content:"<html><body><script>"; distance:0; content:"Math.floor"; fast_pattern; distance:0; content:"try{"; distance:0; content:"prototype"; within:20; content:"}catch("; within:20; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015056; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_12, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bdvkpbuldslsapeb.ru"; flow:established,to_server; content:"|3a| bdvkpbuldslsapeb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015061; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain eilqnjkoytyjuchn.ru"; flow:established,to_server; content:"|3a| eilqnjkoytyjuchn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015062; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain npxsiiwpxqqiihmo.ru"; flow:established,to_server; content:"|3a| npxsiiwpxqqiihmo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015063; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qtmyeslmsoxkjbku.ru"; flow:established,to_server; content:"|3a| qtmyeslmsoxkjbku.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015064; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain adbjjkquyyhyqknf.ru"; flow:established,to_server; content:"|3a| adbjjkquyyhyqknf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015065; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ciqmhuwgvfsxdtrw.ru"; flow:established,to_server; content:"|3a| ciqmhuwgvfsxdtrw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015066; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mocrafrewsdjztbj.ru"; flow:established,to_server; content:"|3a| mocrafrewsdjztbj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015067; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain otruvbidvikzhlop.ru"; flow:established,to_server; content:"|3a| otruvbidvikzhlop.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015068; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yafzvancybuwmnno.ru"; flow:established,to_server; content:"|3a| yafzvancybuwmnno.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015069; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bhujzorkulhkpwob.ru"; flow:established,to_server; content:"|3a| bhujzorkulhkpwob.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015070; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lohnrnnpvvtxedfl.ru"; flow:established,to_server; content:"|3a| lohnrnnpvvtxedfl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015071; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ntvrnrdpyoadopbo.ru"; flow:established,to_server; content:"|3a| ntvrnrdpyoadopbo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015072; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wakvnkyzkyietkdr.ru"; flow:established,to_server; content:"|3a| wakvnkyzkyietkdr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015073; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain zfyafrjmmajqfvbh.ru"; flow:established,to_server; content:"|3a| zfyafrjmmajqfvbh.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015074; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jnlkttkruqsdjqlx.ru"; flow:established,to_server; content:"|3a| jnlkttkruqsdjqlx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015075; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lsbppxhgckolsnap.ru"; flow:established,to_server; content:"|3a| lsbppxhgckolsnap.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015076; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vznrahwzgntmfcqk.ru"; flow:established,to_server; content:"|3a| vznrahwzgntmfcqk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015077; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xeeypppxswpquvrf.ru"; flow:established,to_server; content:"|3a| xeeypppxswpquvrf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015078; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain inqgvoeohpcsfxmn.ru"; flow:established,to_server; content:"|3a| inqgvoeohpcsfxmn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015079; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ksgmckchdppqeicu.ru"; flow:established,to_server; content:"|3a| ksgmckchdppqeicu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015080; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain uyrorwlibbjeasoq.ru"; flow:established,to_server; content:"|3a| uyrorwlibbjeasoq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015081; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wejungvnykczyjam.ru"; flow:established,to_server; content:"|3a| wejungvnykczyjam.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015082; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gmvdnpqbblixlgxj.ru"; flow:established,to_server; content:"|3a| gmvdnpqbblixlgxj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015083; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jrkjelzwleadyxsd.ru"; flow:established,to_server; content:"|3a| jrkjelzwleadyxsd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015084; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain sywleisrsstsqoic.ru"; flow:established,to_server; content:"|3a| sywleisrsstsqoic.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015085; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain venrfhmthwpqlqge.ru"; flow:established,to_server; content:"|3a| venrfhmthwpqlqge.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015086; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fmacqvmqafqwmebl.ru"; flow:established,to_server; content:"|3a| fmacqvmqafqwmebl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015087; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hrpgglxvqwjesffr.ru"; flow:established,to_server; content:"|3a| hrpgglxvqwjesffr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015088; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rxbkqfydlnzopqrn.ru"; flow:established,to_server; content:"|3a| rxbkqfydlnzopqrn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015089; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tdsorylshsxjeawf.ru"; flow:established,to_server; content:"|3a| tdsorylshsxjeawf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015090; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain elfxqghdubihhsgd.ru"; flow:established,to_server; content:"|3a| elfxqghdubihhsgd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015091; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gqtcxunxhyujqjkf.ru"; flow:established,to_server; content:"|3a| gqtcxunxhyujqjkf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015092; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain sdxkjaophbtufumx.ru"; flow:established,to_server; content:"|3a| sdxkjaophbtufumx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015094; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain clkujrjqvexvbmoi.ru"; flow:established,to_server; content:"|3a| clkujrjqvexvbmoi.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015095; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fqyyxagzkrpvxtki.ru"; flow:established,to_server; content:"|3a| fqyyxagzkrpvxtki.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015096; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain owldagkyzrkhqnjo.ru"; flow:established,to_server; content:"|3a| owldagkyzrkhqnjo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015097; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rccjvgsgffokiwze.ru"; flow:established,to_server; content:"|3a| rccjvgsgffokiwze.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015098; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain blorcdyiipxcwyxv.ru"; flow:established,to_server; content:"|3a| blorcdyiipxcwyxv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015099; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dpewaddpoewiycnj.ru"; flow:established,to_server; content:"|3a| dpewaddpoewiycnj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015100; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nwpykqeizraqthry.ru"; flow:established,to_server; content:"|3a| nwpykqeizraqthry.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015101; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pchgijctfprxhnje.ru"; flow:established,to_server; content:"|3a| pchgijctfprxhnje.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015102; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain zisiiogqigzzqqeq.ru"; flow:established,to_server; content:"|3a| zisiiogqigzzqqeq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015103; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain cpittmwbqtjrjpql.ru"; flow:established,to_server; content:"|3a| cpittmwbqtjrjpql.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015104; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mvuvchtcxxibeubd.ru"; flow:established,to_server; content:"|3a| mvuvchtcxxibeubd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015105; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain oblcasnhxbbocpfj.ru"; flow:established,to_server; content:"|3a| oblcasnhxbbocpfj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015106; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xixftoplsduqqorx.ru"; flow:established,to_server; content:"|3a| xixftoplsduqqorx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015107; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bpnqmxkpxxgbdnby.ru"; flow:established,to_server; content:"|3a| bpnqmxkpxxgbdnby.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015108; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain kvzstpqmeoxtcwko.ru"; flow:established,to_server; content:"|3a| kvzstpqmeoxtcwko.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015109; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nbqypqrjiqxlfvdj.ru"; flow:established,to_server; content:"|3a| nbqypqrjiqxlfvdj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015110; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain whddmvrxufbkkoew.ru"; flow:established,to_server; content:"|3a| whddmvrxufbkkoew.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015111; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ymrhcvphevonympo.ru"; flow:established,to_server; content:"|3a| ymrhcvphevonympo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015112; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jveqgnmjxkocqifr.ru"; flow:established,to_server; content:"|3a| jveqgnmjxkocqifr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015113; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lavvckpordclbduy.ru"; flow:established,to_server; content:"|3a| lavvckpordclbduy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015114; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vhhzcvbegxbjsxke.ru"; flow:established,to_server; content:"|3a| vhhzcvbegxbjsxke.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015115; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xmwettbvtbhvrjuo.ru"; flow:established,to_server; content:"|3a| xmwettbvtbhvrjuo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015116; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iujniiokeyjbmerc.ru"; flow:established,to_server; content:"|3a| iujniiokeyjbmerc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015117; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain kzxrowftdocgyghs.ru"; flow:established,to_server; content:"|3a| kzxrowftdocgyghs.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015118; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gacdiuwnhonuulpe.ru"; flow:established,to_server; content:"|3a| gacdiuwnhonuulpe.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015119; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ifrhgnqeeotnzrmz.ru"; flow:established,to_server; content:"|3a| ifrhgnqeeotnzrmz.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015120; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rmdlgyreitjsjkfq.ru"; flow:established,to_server; content:"|3a| rmdlgyreitjsjkfq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015121; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain uqspvdwyltgcyhft.ru"; flow:established,to_server; content:"|3a| uqspvdwyltgcyhft.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015122; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ezfydrexncoidbus.ru"; flow:established,to_server; content:"|3a| ezfydrexncoidbus.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015123; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hfveiooumeyrpchg.ru"; flow:established,to_server; content:"|3a| hfveiooumeyrpchg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015124; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qlihxnncwioxkdls.ru"; flow:established,to_server; content:"|3a| qlihxnncwioxkdls.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015125; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain sqwlonyduvpowdgy.ru"; flow:established,to_server; content:"|3a| sqwlonyduvpowdgy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015126; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dyjvewshptsboygd.ru"; flow:established,to_server; content:"|3a| dyjvewshptsboygd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015127; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain febcbuyswmishvpl.ru"; flow:established,to_server; content:"|3a| febcbuyswmishvpl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015128; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain plmekaayiholtevt.ru"; flow:established,to_server; content:"|3a| plmekaayiholtevt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015129; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rpckbgrziwbdrmhr.ru"; flow:established,to_server; content:"|3a| rpckbgrziwbdrmhr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015130; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain cyosongjihugkjbg.ru"; flow:established,to_server; content:"|3a| cyosongjihugkjbg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015131; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain eefysywrvkgxuqdf.ru"; flow:established,to_server; content:"|3a| eefysywrvkgxuqdf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015132; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nkrbvqxzfwicmhwb.ru"; flow:established,to_server; content:"|3a| nkrbvqxzfwicmhwb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015133; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qphhsudsmeftdaht.ru"; flow:established,to_server; content:"|3a| qphhsudsmeftdaht.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015134; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain axtopsbtntqnfdyk.ru"; flow:established,to_server; content:"|3a| axtopsbtntqnfdyk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015135; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ddkudnuklgiwtdyw.ru"; flow:established,to_server; content:"|3a| ddkudnuklgiwtdyw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015136; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mkwwclogcvgeekws.ru"; flow:established,to_server; content:"|3a| mkwwclogcvgeekws.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015137; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain opldkflyvlkywuec.ru"; flow:established,to_server; content:"|3a| opldkflyvlkywuec.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015138; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yvxfekhokspfuwqr.ru"; flow:established,to_server; content:"|3a| yvxfekhokspfuwqr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015139; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bdprvpxdejpohqpt.ru"; flow:established,to_server; content:"|3a| bdprvpxdejpohqpt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015140; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ljbvfrsvcevyfhor.ru"; flow:established,to_server; content:"|3a| ljbvfrsvcevyfhor.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015141; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain noqzuukouyfuyrmd.ru"; flow:established,to_server; content:"|3a| noqzuukouyfuyrmd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015142; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xvcewyydwsmdgaju.ru"; flow:established,to_server; content:"|3a| xvcewyydwsmdgaju.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015143; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain zatiscwwtipqlycd.ru"; flow:established,to_server; content:"|3a| zatiscwwtipqlycd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015144; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jjgshrjdcynohyuk.ru"; flow:established,to_server; content:"|3a| jjgshrjdcynohyuk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015145; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mouwwvcwwlilnxub.ru"; flow:established,to_server; content:"|3a| mouwwvcwwlilnxub.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015146; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vuhaojpwxgsxuitu.ru"; flow:established,to_server; content:"|3a| vuhaojpwxgsxuitu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015147; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yayfefhrwawquwcw.ru"; flow:established,to_server; content:"|3a| yayfefhrwawquwcw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015148; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iiloishkjwvqldlq.ru"; flow:established,to_server; content:"|3a| iiloishkjwvqldlq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015149; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain knauycqgsdhgbwjo.ru"; flow:established,to_server; content:"|3a| knauycqgsdhgbwjo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015150; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain uumwyzhctrwdsrdp.ru"; flow:established,to_server; content:"|3a| uumwyzhctrwdsrdp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015151; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wzbdwenwshfzglwt.ru"; flow:established,to_server; content:"|3a| wzbdwenwshfzglwt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015152; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hiplksflttfkpsxn.ru"; flow:established,to_server; content:"|3a| hiplksflttfkpsxn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015153; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jnfrqmekhoevppvw.ru"; flow:established,to_server; content:"|3a| jnfrqmekhoevppvw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015154; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ttqtkmthptxvwiku.ru"; flow:established,to_server; content:"|3a| ttqtkmthptxvwiku.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015155; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vygzhvfiuommkqfj.ru"; flow:established,to_server; content:"|3a| vygzhvfiuommkqfj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015156; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fhuidtlqttqxgjvn.ru"; flow:established,to_server; content:"|3a| fhuidtlqttqxgjvn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015157; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain imjosxuhbcdonrco.ru"; flow:established,to_server; content:"|3a| imjosxuhbcdonrco.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015158; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rtvqcdpbqxgwnrcn.ru"; flow:established,to_server; content:"|3a| rtvqcdpbqxgwnrcn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015159; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tykvyflnjhbnqpnr.ru"; flow:established,to_server; content:"|3a| tykvyflnjhbnqpnr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015160; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ehyewyqydfpidbdp.ru"; flow:established,to_server; content:"|3a| ehyewyqydfpidbdp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015161; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gmokuosvnbkshdtd.ru"; flow:established,to_server; content:"|3a| gmokuosvnbkshdtd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015162; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qsbourrdxgxgwepy.ru"; flow:established,to_server; content:"|3a| qsbourrdxgxgwepy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015163; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain sxpskxdgoczvcjgp.ru"; flow:established,to_server; content:"|3a| sxpskxdgoczvcjgp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015164; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dhedppigtpbwrmpc.ru"; flow:established,to_server; content:"|3a| dhedppigtpbwrmpc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015165; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain flthmyjeuhdygshf.ru"; flow:established,to_server; content:"|3a| flthmyjeuhdygshf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015166; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain osflhkaowydftniw.ru"; flow:established,to_server; content:"|3a| osflhkaowydftniw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015167; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rxupwhkznihnxzqx.ru"; flow:established,to_server; content:"|3a| rxupwhkznihnxzqx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015168; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bgjzhlasdrwwnenj.ru"; flow:established,to_server; content:"|3a| bgjzhlasdrwwnenj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015169; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain elxegvkalqvkyoxc.ru"; flow:established,to_server; content:"|3a| elxegvkalqvkyoxc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015170; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nrkhysgoltauclop.ru"; flow:established,to_server; content:"|3a| nrkhysgoltauclop.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015171; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pwyloytoagndnrex.ru"; flow:established,to_server; content:"|3a| pwyloytoagndnrex.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015172; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain zenquqdskekaudbe.ru"; flow:established,to_server; content:"|3a| zenquqdskekaudbe.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015173; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain cldcrgtnuwvgnbfd.ru"; flow:established,to_server; content:"|3a| cldcrgtnuwvgnbfd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015174; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mroeqjdaukskbgua.ru"; flow:established,to_server; content:"|3a| mroeqjdaukskbgua.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015175; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain owekhoeuhmdiehrw.ru"; flow:established,to_server; content:"|3a| owekhoeuhmdiehrw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015176; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ydrngsmrdiiyvoiy.ru"; flow:established,to_server; content:"|3a| ydrngsmrdiiyvoiy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015177; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bkhyiqitpoxewhmt.ru"; flow:established,to_server; content:"|3a| bkhyiqitpoxewhmt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015178; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain krtbityuhlewigfe.ru"; flow:established,to_server; content:"|3a| krtbityuhlewigfe.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015179; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nvjgyermzsmynaeq.ru"; flow:established,to_server; content:"|3a| nvjgyermzsmynaeq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015180; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jwkpdxqbemsmclal.ru"; flow:established,to_server; content:"|3a| jwkpdxqbemsmclal.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015181; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lccwpflcdjrdfjib.ru"; flow:established,to_server; content:"|3a| lccwpflcdjrdfjib.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015182; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain uinyjmxfqinkxbda.ru"; flow:established,to_server; content:"|3a| uinyjmxfqinkxbda.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015183; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xndfbivuonkxfxrq.ru"; flow:established,to_server; content:"|3a| xndfbivuonkxfxrq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015184; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hvpmffxpfnlquqxo.ru"; flow:established,to_server; content:"|3a| hvpmffxpfnlquqxo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015185; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain kbgsbqjugdqrgtdw.ru"; flow:established,to_server; content:"|3a| kbgsbqjugdqrgtdw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015186; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tisubmfvqrgnloxr.ru"; flow:established,to_server; content:"|3a| tisubmfvqrgnloxr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015187; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vmibswhnpqhqwyih.ru"; flow:established,to_server; content:"|3a| vmibswhnpqhqwyih.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015188; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gvujhzvjxwptrtdg.ru"; flow:established,to_server; content:"|3a| gvujhzvjxwptrtdg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015189; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iblpdiqdmmsbnuxb.ru"; flow:established,to_server; content:"|3a| iblpdiqdmmsbnuxb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015190; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain shxrsvasoncjnxpn.ru"; flow:established,to_server; content:"|3a| shxrsvasoncjnxpn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015191; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ummxjwieppswcnrg.ru"; flow:established,to_server; content:"|3a| ummxjwieppswcnrg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015192; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fuyfrockpfclxccd.ru"; flow:established,to_server; content:"|3a| fuyfrockpfclxccd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015193; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain haqmuqqukywrcxfa.ru"; flow:established,to_server; content:"|3a| haqmuqqukywrcxfa.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015194; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qhcplcuugevvyham.ru"; flow:established,to_server; content:"|3a| qhcplcuugevvyham.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015195; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tmrtbcienxrbnsjc.ru"; flow:established,to_server; content:"|3a| tmrtbcienxrbnsjc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015196; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dueebwwdllfburag.ru"; flow:established,to_server; content:"|3a| dueebwwdllfburag.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015197; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fzsirujgdbvabrjm.ru"; flow:established,to_server; content:"|3a| fzsirujgdbvabrjm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015198; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pghnrmkoeoetfwsm.ru"; flow:established,to_server; content:"|3a| pghnrmkoeoetfwsm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015199; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rlvqmipovrqbmvqd.ru"; flow:established,to_server; content:"|3a| rlvqmipovrqbmvqd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015200; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ctjbmgjudwisgshv.ru"; flow:established,to_server; content:"|3a| ctjbmgjudwisgshv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015201; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain eyxejlabqaytqmjx.ru"; flow:established,to_server; content:"|3a| eyxejlabqaytqmjx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015202; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ogmjjmqdhlbyabzg.ru"; flow:established,to_server; content:"|3a| ogmjjmqdhlbyabzg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015203; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qlbpfyrupyadvjsl.ru"; flow:established,to_server; content:"|3a| qlbpfyrupyadvjsl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015204; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain atnwerhvttvbivra.ru"; flow:established,to_server; content:"|3a| atnwerhvttvbivra.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015205; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dydderasilekaegh.ru"; flow:established,to_server; content:"|3a| dydderasilekaegh.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015206; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mfqfrnqllqcrayiw.ru"; flow:established,to_server; content:"|3a| mfqfrnqllqcrayiw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015207; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pkglwwwmjxokzzfq.ru"; flow:established,to_server; content:"|3a| pkglwwwmjxokzzfq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015208; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yrrnrgliojezjctg.ru"; flow:established,to_server; content:"|3a| yrrnrgliojezjctg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015209; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bxhzugppnulxghvm.ru"; flow:established,to_server; content:"|3a| bxhzugppnulxghvm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015210; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lfvcngdbzjrzgyby.ru"; flow:established,to_server; content:"|3a| lfvcngdbzjrzgyby.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015211; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nkkijjyioljbfysn.ru"; flow:established,to_server; content:"|3a| nkkijjyioljbfysn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015212; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xqwkdyjydkggsppd.ru"; flow:established,to_server; content:"|3a| xqwkdyjydkggsppd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015213; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain axmvnmubgwlmqfrp.ru"; flow:established,to_server; content:"|3a| axmvnmubgwlmqfrp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015214; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain keabgwmpzqhpmlng.ru"; flow:established,to_server; content:"|3a| keabgwmpzqhpmlng.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015215; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mjpflkwqskuqbjnk.ru"; flow:established,to_server; content:"|3a| mjpflkwqskuqbjnk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015216; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vqcicnuhtwhxmtjd.ru"; flow:established,to_server; content:"|3a| vqcicnuhtwhxmtjd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015217; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yvqnltydqtpresfu.ru"; flow:established,to_server; content:"|3a| yvqnltydqtpresfu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015218; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iefwvulgninlkoxe.ru"; flow:established,to_server; content:"|3a| iefwvulgninlkoxe.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015219; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ljubdldgqwbarplc.ru"; flow:established,to_server; content:"|3a| ljubdldgqwbarplc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015220; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain upgghggmbusopaxv.ru"; flow:established,to_server; content:"|3a| upgghggmbusopaxv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015221; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wuvjdexaqtmqkvgk.ru"; flow:established,to_server; content:"|3a| wuvjdexaqtmqkvgk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015222; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hektxucstnbuncix.ru"; flow:established,to_server; content:"|3a| hektxucstnbuncix.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015223; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jiyxdlvawkranmin.ru"; flow:established,to_server; content:"|3a| jiyxdlvawkranmin.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015224; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tplczomvebjmhsgk.ru"; flow:established,to_server; content:"|3a| tplczomvebjmhsgk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015225; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vuaivypissryzhij.ru"; flow:established,to_server; content:"|3a| vuaivypissryzhij.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015226; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gdoqznfilmtulxxv.ru"; flow:established,to_server; content:"|3a| gdoqznfilmtulxxv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015227; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iiewprjomieydnix.ru"; flow:established,to_server; content:"|3a| iiewprjomieydnix.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015228; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ropypfmcqjjfdiel.ru"; flow:established,to_server; content:"|3a| ropypfmcqjjfdiel.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015229; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain utfenjxpvwtroioi.ru"; flow:established,to_server; content:"|3a| utfenjxpvwtroioi.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015230; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain edtmjcvfnfcbweed.ru"; flow:established,to_server; content:"|3a| edtmjcvfnfcbweed.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015231; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hhishrpjdixwtctz.ru"; flow:established,to_server; content:"|3a| hhishrpjdixwtctz.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015232; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qouubrmdxtgnnjvm.ru"; flow:established,to_server; content:"|3a| qouubrmdxtgnnjvm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015233; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain stkbtccbckhdkbii.ru"; flow:established,to_server; content:"|3a| stkbtccbckhdkbii.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015234; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dcyjurmfwhgvyoio.ru"; flow:established,to_server; content:"|3a| dcyjurmfwhgvyoio.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015235; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fhnpjsnknkuvhazm.ru"; flow:established,to_server; content:"|3a| fhnpjsnknkuvhazm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015236; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pozrtgdmhvhvdscn.ru"; flow:established,to_server; content:"|3a| pozrtgdmhvhvdscn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015237; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rsoxjlibxohdcyov.ru"; flow:established,to_server; content:"|3a| rsoxjlibxohdcyov.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015238; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ccdifvomwhtynpay.ru"; flow:established,to_server; content:"|3a| ccdifvomwhtynpay.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015239; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ehsmldxnregnruez.ru"; flow:established,to_server; content:"|3a| ehsmldxnregnruez.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015240; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lsvdxjpwykxxvryd.ru"; flow:established,to_server; content:"|3a| lsvdxjpwykxxvryd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015241; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain oxkjnvhjnvnegtyb.ru"; flow:established,to_server; content:"|3a| oxkjnvhjnvnegtyb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015242; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xfymtpavzblzbknq.ru"; flow:established,to_server; content:"|3a| xfymtpavzblzbknq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015243; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bloxgsfzinxmdspt.ru"; flow:established,to_server; content:"|3a| bloxgsfzinxmdspt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015244; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ksacasnubklrikdl.ru"; flow:established,to_server; content:"|3a| ksacasnubklrikdl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015245; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mxpgggggukxqteoy.ru"; flow:established,to_server; content:"|3a| mxpgggggukxqteoy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015246; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wedkgpdcxlrunbmu.ru"; flow:established,to_server; content:"|3a| wedkgpdcxlrunbmu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015247; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yjsovtnpgbwqcbbd.ru"; flow:established,to_server; content:"|3a| yjsovtnpgbwqcbbd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015248; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jrfyaswntteouafv.ru"; flow:established,to_server; content:"|3a| jrfyaswntteouafv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015249; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lwtcxuzbdrsnpqfb.ru"; flow:established,to_server; content:"|3a| lwtcxuzbdrsnpqfb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015250; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain veihxoqukuetxqbn.ru"; flow:established,to_server; content:"|3a| veihxoqukuetxqbn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015251; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xiwlnutkxsqxwjge.ru"; flow:established,to_server; content:"|3a| xiwlnutkxsqxwjge.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015252; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hrkusbnevtmyisab.ru"; flow:established,to_server; content:"|3a| hrkusbnevtmyisab.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015253; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain kwyyhhqtwxupnhyu.ru"; flow:established,to_server; content:"|3a| kwyyhhqtwxupnhyu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015254; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tdndpphrtyniynvz.ru"; flow:established,to_server; content:"|3a| tdndpphrtyniynvz.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015255; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wicjgufeimlbmcus.ru"; flow:established,to_server; content:"|3a| wicjgufeimlbmcus.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015256; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gqortbbbsnksxpmm.ru"; flow:established,to_server; content:"|3a| gqortbbbsnksxpmm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015257; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fjgtmicxtlxynlpf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fjgtmicxtlxynlpf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015258; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ppsvcvrcgkllplyn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ppsvcvrcgkllplyn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015259; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ruhctasjmpqbyvhm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ruhctasjmpqbyvhm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015260; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bdvkpbuldslsapeb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bdvkpbuldslsapeb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015261; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain eilqnjkoytyjuchn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|eilqnjkoytyjuchn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015262; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain npxsiiwpxqqiihmo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|npxsiiwpxqqiihmo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015263; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qtmyeslmsoxkjbku.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qtmyeslmsoxkjbku|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015264; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain adbjjkquyyhyqknf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|adbjjkquyyhyqknf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015265; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ciqmhuwgvfsxdtrw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ciqmhuwgvfsxdtrw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015266; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mocrafrewsdjztbj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mocrafrewsdjztbj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015267; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain otruvbidvikzhlop.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|otruvbidvikzhlop|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015268; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yafzvancybuwmnno.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yafzvancybuwmnno|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015269; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bhujzorkulhkpwob.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bhujzorkulhkpwob|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015270; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lohnrnnpvvtxedfl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lohnrnnpvvtxedfl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015271; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ntvrnrdpyoadopbo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ntvrnrdpyoadopbo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015272; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wakvnkyzkyietkdr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wakvnkyzkyietkdr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015273; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain zfyafrjmmajqfvbh.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zfyafrjmmajqfvbh|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015274; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jnlkttkruqsdjqlx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jnlkttkruqsdjqlx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015275; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lsbppxhgckolsnap.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lsbppxhgckolsnap|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015276; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vznrahwzgntmfcqk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vznrahwzgntmfcqk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015277; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xeeypppxswpquvrf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xeeypppxswpquvrf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015278; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain inqgvoeohpcsfxmn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|inqgvoeohpcsfxmn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015279; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ksgmckchdppqeicu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ksgmckchdppqeicu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015280; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain uyrorwlibbjeasoq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|uyrorwlibbjeasoq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015281; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wejungvnykczyjam.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wejungvnykczyjam|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015282; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gmvdnpqbblixlgxj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gmvdnpqbblixlgxj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015283; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jrkjelzwleadyxsd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jrkjelzwleadyxsd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015284; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain sywleisrsstsqoic.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|sywleisrsstsqoic|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015285; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain venrfhmthwpqlqge.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|venrfhmthwpqlqge|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015286; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fmacqvmqafqwmebl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fmacqvmqafqwmebl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015287; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hrpgglxvqwjesffr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hrpgglxvqwjesffr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015288; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rxbkqfydlnzopqrn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rxbkqfydlnzopqrn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015289; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tdsorylshsxjeawf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tdsorylshsxjeawf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015290; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain elfxqghdubihhsgd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|elfxqghdubihhsgd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015291; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gqtcxunxhyujqjkf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gqtcxunxhyujqjkf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015292; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qxggipnnfmnihkic.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qxggipnnfmnihkic|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015293; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain sdxkjaophbtufumx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|sdxkjaophbtufumx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015294; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain clkujrjqvexvbmoi.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|clkujrjqvexvbmoi|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015295; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fqyyxagzkrpvxtki.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fqyyxagzkrpvxtki|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015296; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain owldagkyzrkhqnjo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|owldagkyzrkhqnjo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015297; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rccjvgsgffokiwze.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rccjvgsgffokiwze|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015298; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain blorcdyiipxcwyxv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|blorcdyiipxcwyxv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015299; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dpewaddpoewiycnj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dpewaddpoewiycnj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015300; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nwpykqeizraqthry.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nwpykqeizraqthry|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015301; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pchgijctfprxhnje.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pchgijctfprxhnje|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015302; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain zisiiogqigzzqqeq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zisiiogqigzzqqeq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015303; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain cpittmwbqtjrjpql.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cpittmwbqtjrjpql|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015304; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mvuvchtcxxibeubd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mvuvchtcxxibeubd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015305; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain oblcasnhxbbocpfj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|oblcasnhxbbocpfj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015306; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xixftoplsduqqorx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xixftoplsduqqorx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015307; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bpnqmxkpxxgbdnby.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bpnqmxkpxxgbdnby|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015308; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain kvzstpqmeoxtcwko.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kvzstpqmeoxtcwko|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015309; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nbqypqrjiqxlfvdj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nbqypqrjiqxlfvdj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015310; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain whddmvrxufbkkoew.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|whddmvrxufbkkoew|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015311; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ymrhcvphevonympo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ymrhcvphevonympo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015312; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jveqgnmjxkocqifr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jveqgnmjxkocqifr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015313; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lavvckpordclbduy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lavvckpordclbduy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015314; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vhhzcvbegxbjsxke.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vhhzcvbegxbjsxke|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015315; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xmwettbvtbhvrjuo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xmwettbvtbhvrjuo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015316; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iujniiokeyjbmerc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iujniiokeyjbmerc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015317; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain kzxrowftdocgyghs.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kzxrowftdocgyghs|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015318; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gacdiuwnhonuulpe.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gacdiuwnhonuulpe|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015319; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ifrhgnqeeotnzrmz.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ifrhgnqeeotnzrmz|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015320; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rmdlgyreitjsjkfq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rmdlgyreitjsjkfq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015321; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain uqspvdwyltgcyhft.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|uqspvdwyltgcyhft|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015322; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ezfydrexncoidbus.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ezfydrexncoidbus|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015323; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hfveiooumeyrpchg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hfveiooumeyrpchg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015324; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qlihxnncwioxkdls.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qlihxnncwioxkdls|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015325; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain sqwlonyduvpowdgy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|sqwlonyduvpowdgy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015326; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dyjvewshptsboygd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dyjvewshptsboygd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015327; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain febcbuyswmishvpl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|febcbuyswmishvpl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015328; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain plmekaayiholtevt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|plmekaayiholtevt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015329; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rpckbgrziwbdrmhr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rpckbgrziwbdrmhr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015330; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain cyosongjihugkjbg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cyosongjihugkjbg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015331; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain eefysywrvkgxuqdf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|eefysywrvkgxuqdf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015332; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nkrbvqxzfwicmhwb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nkrbvqxzfwicmhwb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015333; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qphhsudsmeftdaht.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qphhsudsmeftdaht|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015334; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain axtopsbtntqnfdyk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|axtopsbtntqnfdyk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015335; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ddkudnuklgiwtdyw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ddkudnuklgiwtdyw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015336; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mkwwclogcvgeekws.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mkwwclogcvgeekws|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015337; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain opldkflyvlkywuec.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|opldkflyvlkywuec|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015338; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yvxfekhokspfuwqr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yvxfekhokspfuwqr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015339; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bdprvpxdejpohqpt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bdprvpxdejpohqpt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015340; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ljbvfrsvcevyfhor.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ljbvfrsvcevyfhor|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015341; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain noqzuukouyfuyrmd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|noqzuukouyfuyrmd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015342; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xvcewyydwsmdgaju.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xvcewyydwsmdgaju|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015343; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain zatiscwwtipqlycd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zatiscwwtipqlycd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015344; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jjgshrjdcynohyuk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jjgshrjdcynohyuk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015345; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mouwwvcwwlilnxub.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mouwwvcwwlilnxub|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015346; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vuhaojpwxgsxuitu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vuhaojpwxgsxuitu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015347; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yayfefhrwawquwcw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yayfefhrwawquwcw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015348; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iiloishkjwvqldlq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iiloishkjwvqldlq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015349; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain knauycqgsdhgbwjo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|knauycqgsdhgbwjo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015350; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain uumwyzhctrwdsrdp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|uumwyzhctrwdsrdp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015351; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wzbdwenwshfzglwt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wzbdwenwshfzglwt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015352; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hiplksflttfkpsxn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hiplksflttfkpsxn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015353; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jnfrqmekhoevppvw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jnfrqmekhoevppvw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015354; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ttqtkmthptxvwiku.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ttqtkmthptxvwiku|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015355; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vygzhvfiuommkqfj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vygzhvfiuommkqfj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015356; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fhuidtlqttqxgjvn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fhuidtlqttqxgjvn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015357; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain imjosxuhbcdonrco.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|imjosxuhbcdonrco|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015358; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rtvqcdpbqxgwnrcn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rtvqcdpbqxgwnrcn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015359; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tykvyflnjhbnqpnr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tykvyflnjhbnqpnr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015360; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ehyewyqydfpidbdp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ehyewyqydfpidbdp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015361; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gmokuosvnbkshdtd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gmokuosvnbkshdtd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015362; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qsbourrdxgxgwepy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qsbourrdxgxgwepy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015363; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain sxpskxdgoczvcjgp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|sxpskxdgoczvcjgp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015364; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dhedppigtpbwrmpc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dhedppigtpbwrmpc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015365; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain flthmyjeuhdygshf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|flthmyjeuhdygshf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015366; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain osflhkaowydftniw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|osflhkaowydftniw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015367; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rxupwhkznihnxzqx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rxupwhkznihnxzqx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015368; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bgjzhlasdrwwnenj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bgjzhlasdrwwnenj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015369; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain elxegvkalqvkyoxc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|elxegvkalqvkyoxc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015370; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nrkhysgoltauclop.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nrkhysgoltauclop|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015371; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pwyloytoagndnrex.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pwyloytoagndnrex|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015372; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain zenquqdskekaudbe.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zenquqdskekaudbe|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015373; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain cldcrgtnuwvgnbfd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cldcrgtnuwvgnbfd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015374; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mroeqjdaukskbgua.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mroeqjdaukskbgua|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015375; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain owekhoeuhmdiehrw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|owekhoeuhmdiehrw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015376; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ydrngsmrdiiyvoiy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ydrngsmrdiiyvoiy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015377; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bkhyiqitpoxewhmt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bkhyiqitpoxewhmt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015378; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain krtbityuhlewigfe.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|krtbityuhlewigfe|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015379; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nvjgyermzsmynaeq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nvjgyermzsmynaeq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015380; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jwkpdxqbemsmclal.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jwkpdxqbemsmclal|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015381; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lccwpflcdjrdfjib.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lccwpflcdjrdfjib|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015382; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain uinyjmxfqinkxbda.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|uinyjmxfqinkxbda|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015383; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xndfbivuonkxfxrq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xndfbivuonkxfxrq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015384; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hvpmffxpfnlquqxo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hvpmffxpfnlquqxo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015385; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain kbgsbqjugdqrgtdw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kbgsbqjugdqrgtdw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015386; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tisubmfvqrgnloxr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tisubmfvqrgnloxr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015387; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vmibswhnpqhqwyih.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vmibswhnpqhqwyih|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015388; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gvujhzvjxwptrtdg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gvujhzvjxwptrtdg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015389; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iblpdiqdmmsbnuxb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iblpdiqdmmsbnuxb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015390; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain shxrsvasoncjnxpn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|shxrsvasoncjnxpn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015391; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ummxjwieppswcnrg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ummxjwieppswcnrg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015392; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fuyfrockpfclxccd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fuyfrockpfclxccd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015393; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain haqmuqqukywrcxfa.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|haqmuqqukywrcxfa|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015394; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qhcplcuugevvyham.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qhcplcuugevvyham|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015395; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tmrtbcienxrbnsjc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tmrtbcienxrbnsjc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015396; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dueebwwdllfburag.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dueebwwdllfburag|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015397; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fzsirujgdbvabrjm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fzsirujgdbvabrjm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015398; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pghnrmkoeoetfwsm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pghnrmkoeoetfwsm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015399; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rlvqmipovrqbmvqd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rlvqmipovrqbmvqd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015400; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ctjbmgjudwisgshv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ctjbmgjudwisgshv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015401; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain eyxejlabqaytqmjx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|eyxejlabqaytqmjx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015402; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ogmjjmqdhlbyabzg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ogmjjmqdhlbyabzg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015403; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qlbpfyrupyadvjsl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qlbpfyrupyadvjsl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015404; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain atnwerhvttvbivra.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|atnwerhvttvbivra|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015405; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dydderasilekaegh.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dydderasilekaegh|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015406; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mfqfrnqllqcrayiw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mfqfrnqllqcrayiw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015407; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pkglwwwmjxokzzfq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pkglwwwmjxokzzfq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015408; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yrrnrgliojezjctg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yrrnrgliojezjctg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015409; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bxhzugppnulxghvm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bxhzugppnulxghvm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015410; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lfvcngdbzjrzgyby.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lfvcngdbzjrzgyby|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015411; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nkkijjyioljbfysn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nkkijjyioljbfysn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015412; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xqwkdyjydkggsppd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xqwkdyjydkggsppd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015413; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain axmvnmubgwlmqfrp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|axmvnmubgwlmqfrp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015414; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain keabgwmpzqhpmlng.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|keabgwmpzqhpmlng|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015415; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mjpflkwqskuqbjnk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mjpflkwqskuqbjnk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015416; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vqcicnuhtwhxmtjd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vqcicnuhtwhxmtjd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015417; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yvqnltydqtpresfu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yvqnltydqtpresfu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015418; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iefwvulgninlkoxe.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iefwvulgninlkoxe|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015419; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ljubdldgqwbarplc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ljubdldgqwbarplc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015420; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain upgghggmbusopaxv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|upgghggmbusopaxv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015421; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wuvjdexaqtmqkvgk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wuvjdexaqtmqkvgk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015422; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hektxucstnbuncix.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hektxucstnbuncix|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015423; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jiyxdlvawkranmin.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jiyxdlvawkranmin|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015424; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tplczomvebjmhsgk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tplczomvebjmhsgk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015425; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vuaivypissryzhij.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vuaivypissryzhij|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015426; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gdoqznfilmtulxxv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gdoqznfilmtulxxv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015427; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iiewprjomieydnix.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iiewprjomieydnix|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015428; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ropypfmcqjjfdiel.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ropypfmcqjjfdiel|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015429; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain utfenjxpvwtroioi.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|utfenjxpvwtroioi|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015430; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain edtmjcvfnfcbweed.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|edtmjcvfnfcbweed|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015431; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hhishrpjdixwtctz.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hhishrpjdixwtctz|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015432; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qouubrmdxtgnnjvm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qouubrmdxtgnnjvm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015433; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain stkbtccbckhdkbii.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|stkbtccbckhdkbii|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015434; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dcyjurmfwhgvyoio.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dcyjurmfwhgvyoio|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015435; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fhnpjsnknkuvhazm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fhnpjsnknkuvhazm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015436; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pozrtgdmhvhvdscn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pozrtgdmhvhvdscn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015437; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rsoxjlibxohdcyov.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rsoxjlibxohdcyov|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015438; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ccdifvomwhtynpay.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ccdifvomwhtynpay|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015439; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ehsmldxnregnruez.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ehsmldxnregnruez|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015440; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lsvdxjpwykxxvryd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lsvdxjpwykxxvryd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015441; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain oxkjnvhjnvnegtyb.ru Pseudo Random Domain";  content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|oxkjnvhjnvnegtyb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015442; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xfymtpavzblzbknq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xfymtpavzblzbknq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015443; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bloxgsfzinxmdspt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bloxgsfzinxmdspt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015444; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ksacasnubklrikdl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ksacasnubklrikdl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015445; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mxpgggggukxqteoy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mxpgggggukxqteoy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015446; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wedkgpdcxlrunbmu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wedkgpdcxlrunbmu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015447; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yjsovtnpgbwqcbbd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yjsovtnpgbwqcbbd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015448; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jrfyaswntteouafv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jrfyaswntteouafv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015449; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lwtcxuzbdrsnpqfb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lwtcxuzbdrsnpqfb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015450; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain veihxoqukuetxqbn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|veihxoqukuetxqbn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015451; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xiwlnutkxsqxwjge.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xiwlnutkxsqxwjge|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015452; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hrkusbnevtmyisab.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hrkusbnevtmyisab|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015453; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain kwyyhhqtwxupnhyu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kwyyhhqtwxupnhyu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015454; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tdndpphrtyniynvz.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tdndpphrtyniynvz|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015455; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wicjgufeimlbmcus.ru Pseudo Random Domain";  content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wicjgufeimlbmcus|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015456; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gqortbbbsnksxpmm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gqortbbbsnksxpmm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015457; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fjgtmicxtlxynlpf.ru"; flow:established,to_server; content:"|3a| fjgtmicxtlxynlpf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015461; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ppsvcvrcgkllplyn.ru"; flow:established,to_server; content:"|3a| ppsvcvrcgkllplyn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015462; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ruhctasjmpqbyvhm.ru"; flow:established,to_server; content:"|3a| ruhctasjmpqbyvhm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015463; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED BlackHole TKR Landing Page /last/index.php"; flow:established,to_server; content:"/last/index.php"; http_uri; fast_pattern:only; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015475; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_13, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED BlackHole Landing Page /upinv.html"; flow:established,to_server; content:"/upinv.html"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015476; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_13, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Eval Split String Obfuscation In Brackets"; flow:established,to_client; file_data; content:"[|22|e"; fast_pattern; content:"|22|+|22|"; within:11; content:"l|22|]"; within:11; pcre:"/\x7B\x22e(v|x22\x2B\x22)(v|x22\x2B\x22|a)(a|v|x22\x2B\x22)[^\x5D]*?l\x22\x5D/"; classtype:trojan-activity; sid:2015477; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_13, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Java Exploit Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"chcyih.class"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015486; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_19, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit Recent Jar (2)"; flow:established,to_server; content:"/java.jar"; http_uri; nocase; fast_pattern:only; content:" Java/1"; http_header; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015487; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_19, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Java Exploit Recent Jar (3)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"NewClass1.class"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015488; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_19, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED ProxyBox - HTTP CnC - Checkin Response"; flow:established,to_client; file_data; content:"1234567890|0a|"; within:11; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015501; rev:3; metadata:created_at 2012_07_21, updated_at 2012_07_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED ProxyBox - HTTP CnC - proxy_info.php"; flow:established,to_server; content:"/proxy_info.php"; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015509; rev:2; metadata:created_at 2012_07_21, updated_at 2012_07_21;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Split String Obfuscated Math Floor - July 19th 2012"; flow:established,to_client; file_data; content:"=Math|3B|"; distance:0; content:"[|22|f"; distance:0; content:"|22|+|22|"; within:15; content:"r|22|]"; within:12; classtype:trojan-activity; sid:2015519; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_23, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Applet Structure"; flow:established,to_client; file_data; content:"<|2F|script><applet/archive="; fast_pattern; content:".jar"; within:20; content:"code=|22|"; distance:0; content:"|22|><param/name=|22|"; distance:9; within:15; content:"<|2F|applet><|2F|body><|2F|html>"; distance:0; pcre:"/code\x3D\x22[a-z]{4}\x2E[a-z]{4}\x22/i"; classtype:trojan-activity; sid:2015520; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_23, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole try eval prototype string splitting evasion Jul 24 2012"; flow:established,from_server; file_data; content:"try{eval(|22|p"; fast_pattern; content:"|3b|}catch("; within:30; classtype:trojan-activity; sid:2015525; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_25, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED g01pack Exploit Kit Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015548; rev:10; metadata:created_at 2012_07_31, updated_at 2012_07_31;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED g01pack Exploit Kit Landing Page 2"; flow:established,to_server; urilen:5; content:"/mix/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015549; rev:4; metadata:created_at 2012_07_31, updated_at 2012_07_31;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED g01pack Exploit Kit Landing Page 3"; flow:established,to_server; urilen:7; content:"/login/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015558; rev:3; metadata:created_at 2012_08_01, updated_at 2012_08_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Page Structure"; flow:established,to_client; file_data; content:"|3c|script>try{"; fast_pattern; content:"Math."; within:15; content:"}catch("; within:20; content:"eval"; within:17; classtype:trojan-activity; sid:2015579; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_07, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Replace JavaScript Large Obfuscated Blob - August 3rd 2012"; flow:established,to_client; file_data; content:"=|22|"; isdataat:300,relative; content:"|22|"; within:300; content:"|22|.replace(/"; distance:0; content:"/g.|22 22 29 3B|"; fast_pattern; within:30; classtype:trojan-activity; sid:2015580; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_07, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Atadommoc.C - HTTP CnC"; flow:established,to_server; content:"POST"; http_method; content:"rxT"; http_client_body; depth:3; metadata: former_category TROJAN; classtype:trojan-activity; sid:2015581; rev:1; metadata:created_at 2012_08_07, updated_at 2018_05_08;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Redirection Page You Will Be Forwarded - 7th August 2012"; flow:established,to_client; file_data; content:"<h1><b>Please wait a moment. You will be forwarded...<|2F|h1><|2F|b>"; distance:0; classtype:trojan-activity; sid:2015582; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_07, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Redirection Page Try Math.Round Catch - 7th August 2012"; flow:established,to_client; file_data; content:"try{"; distance:0; content:"=Math.round|3B|}catch("; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015586; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_07, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Intial Structure - 8th August 2012"; flow:established,to_client; file_data; content:"|3C|html|3E 3C|body|3E 3C|script|3E|"; within:20; content:"=function|28 29 7B|"; fast_pattern; distance:1; within:12; classtype:trojan-activity; sid:2015590; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_08, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Potential Blackhole Zeus Drop - 8th August 2012"; flow:established,to_client; file_data; content:"P|00|r|00|o|00|d|00|u|00|c|00|t|00|N|00|a|00|m|00|e"; content:"n|00|o|00|n|00|a|00|m|00|e"; fast_pattern; within:15; classtype:trojan-activity; sid:2015591; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_08, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Specific JavaScript Replace hwehes - 8th August 2012"; flow:established,to_client; file_data; content:".replace(/hwehes/g"; fast_pattern:only; classtype:trojan-activity; sid:2015592; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_08, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown .rr.nu Malware landing page"; flow:established,to_server; content:"/sl.php"; http_uri; content:".rr.nu|0D 0A|"; fast_pattern:only; http_header; reference:url,isc.sans.edu/diary.html?storyid=13864; classtype:bad-unknown; sid:2015596; rev:2; metadata:created_at 2012_08_09, updated_at 2012_08_09;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole/Cool jnlp URI Struct"; flow:established,to_server; content:".jnlp"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.jnlp(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015619; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_13, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page JavaScript Replace - 13th August 2012"; flow:established,to_client; file_data; content:"=document.body.childNodes["; content:"].innerHTML.replace(/"; distance:1; within:21; content:"/g,|22 22|)|3B|"; within:30; classtype:trojan-activity; sid:2015620; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_13, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page ChildNodes.Length - August 13th 2012"; flow:established,to_client; file_data; content:"=0|3B|i<document.body.childNodes.length|3B|i++{"; classtype:trojan-activity; sid:2015621; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_13, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Hwehes String - August 13th 2012"; flow:established,to_client; file_data; content:"hwehes"; content:"hwehes"; distance:0; content:"hwehes"; distance:0; content:"hwehes"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015622; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_13, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st Checkin (6 Byte keyword)"; flow:to_server,established; content:"|00 00|"; offset:8; depth:2; content:"|00 00 78 9C|"; distance:2; within:4; byte_test:2,>,15,6,little; pcre:"/^[a-z0-9]{6}..\x00\x00/i"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:url,labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/; reference:url,www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/; reference:url,blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/; classtype:trojan-activity; sid:2015627; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2012_08_15, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st Checkin (7 Byte keyword)"; flow:to_server,established; content:"|00 00|"; offset:9; depth:2; content:"|00 00 78 9C|"; distance:2; within:4; byte_test:2,>,15,7,little; pcre:"/^[a-z0-9]{7}..\x00\x00/i"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:url,labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/; reference:url,www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/; reference:url,blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/; classtype:trojan-activity; sid:2015628; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2012_08_15, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Cridex Response from exfiltrated data upload"; flow:to_client,established; file_data; content:"|de ad be ef|"; fast_pattern; distance:0; content:"|00 01 00 00 00|"; distance:3; within:5; reference:url,www.virustotal.com/file/00bf5b6f32b6a8223b8e55055800ef7870f8acaed334cb12484e44489b2ace24/analysis/; reference:url,www.packetninjas.net; classtype:trojan-activity; sid:2015629; rev:5; metadata:created_at 2012_08_16, updated_at 2012_08_16;)

#alert ip $HOME_NET any -> [184.82.162.163/32,184.22.103.202/32,158.255.211.28/32] any (msg:"ET DELETED Possible XDocCrypt/Dorifel CnC IP"; threshold:type limit, track by_src, count 1, seconds 600; reference:url,www.fox-it.com/en/blog/xdoccryptdorifel-document-encrypting-and-network-spreading-virus; classtype:trojan-activity; sid:2015630; rev:5; metadata:created_at 2012_08_16, updated_at 2012_08_16;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible XDocCrypt/Dorifel Checkin"; flow:established,to_server; content:"GET"; http_method; content:"&pin="; http_uri; content:"&crc="; http_uri; content:"&uniq="; http_uri; reference:url,www.fox-it.com/en/blog/xdoccryptdorifel-document-encrypting-and-network-spreading-virus; classtype:trojan-activity; sid:2015631; rev:5; metadata:created_at 2012_08_16, updated_at 2012_08_16;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing - Aug 21 2012"; flow:established,from_server; content:"|3c|html>|3c|body>|3c|applet "; fast_pattern; content:"code="; within:100; content:">|3c|param"; distance:0; content:">|3c|script>"; distance:0; content:".split("; within:100; content:").join("; within:100; classtype:trojan-activity; sid:2015648; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_21, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Fake AV base64 affid initial Landing or owned Check-In, asset owned if /callback/ in URI"; flow:established,to_server; content:"/?"; http_uri; content:"=YWZmaWQ9"; http_uri; classtype:trojan-activity; sid:2015649; rev:3; metadata:created_at 2012_08_22, updated_at 2012_08_22;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Javascript 23 Aug 2012 split join split applet"; flow:established,from_server; file_data; content:"|3c|script"; distance:0; content:"split(|22|"; within:40; content:".join(|22 22|).split(|22 22 29 3b|"; within:50; classtype:trojan-activity; sid:2015651; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_23, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL 23 Aug 2012"; flow:established,from_server; file_data; content:"applet"; distance:0; content:"0xb|3a|0x9|3a|0x9|3a|0x4|3a|0x1f|3a|0x31|3a|0x31|3a|"; within:200; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015652; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_23, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing try catch try catch math eval Aug 27 2012"; flow:established,from_server; content:"try{"; content:"|3b|}catch("; within:25; content:"){try{"; fast_pattern; within:15; content:"}catch("; within:35; content:"eval("; distance:0; classtype:bad-unknown; sid:2015654; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_27, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED 0day JRE 17 exploit Class 1"; flow:established,to_client; file_data; content:"PK"; within:2; content:"|2f|Gondvv.class"; distance:0; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; classtype:trojan-activity; sid:2015655; rev:3; metadata:created_at 2012_08_28, updated_at 2012_08_28;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED 0day JRE 17 exploit Class 2"; flow:established,to_client; file_data; content:"PK"; within:2; content:"|2f|Gondzz.class"; distance:0; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; classtype:trojan-activity; sid:2015656; rev:3; metadata:created_at 2012_08_28, updated_at 2012_08_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Admin bhadmin.php access Outbound"; flow:established,to_server; content:"/bhadmin.php"; http_uri; fast_pattern:only; metadata: former_category CURRENT_EVENTS; classtype:attempted-user; sid:2015659; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_28, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED - Blackhole Admin Login Outbound"; flow:established,to_server; content:"AuthPass="; http_client_body; content:"AuthLanguage="; http_client_body; content:"AuthTemplate="; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:attempted-user; sid:2015660; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_28, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Admin bhadmin.php access Inbound"; flow:established,to_server; content:"/bhadmin.php"; http_uri; fast_pattern:only; metadata: former_category CURRENT_EVENTS; classtype:attempted-user; sid:2015661; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_28, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED - Blackhole Admin Login Inbound"; flow:established,to_server; content:"AuthPass="; http_client_body; content:"AuthLanguage="; http_client_body; content:"AuthTemplate="; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:attempted-user; sid:2015662; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_28, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NeoSploit - Obfuscated Payload Requested"; flow:established,to_server; urilen:>89; content:" Java/1"; http_header; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/[0-9]{7}$/U"; classtype:attempted-user; sid:2015663; rev:2; metadata:created_at 2012_08_28, updated_at 2012_08_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NeoSploit - PDF Exploit Requested"; flow:established,to_server; urilen:>89; content:".pdf"; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.pdf$/U"; classtype:attempted-user; sid:2015664; rev:2; metadata:created_at 2012_08_28, updated_at 2012_08_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NeoSploit - TDS"; flow:established,to_server; urilen:34; content:"/?"; http_uri; depth:2; pcre:"/^\/\?[a-f0-9]{32}$/U"; classtype:attempted-user; sid:2015665; rev:2; metadata:created_at 2012_08_28, updated_at 2016_04_29;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Exploit Kit suspected Blackhole"; flow:established,to_server; content:".js?"; http_uri; fast_pattern:only; urilen:33<>34; pcre:"/\/\d+\.js\?\d+&[a-f0-9]{16}$/U"; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2015670; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_29, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Sakura exploit kit binary download request /out.php"; flow:established,to_server; content:"/out.php?id="; fast_pattern:only; http_uri; pcre:"/\/out.php\?id=\d$/U"; classtype:trojan-activity; sid:2015677; rev:4; metadata:created_at 2012_09_06, updated_at 2012_09_06;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Nov 09 2012"; flow:established,from_server; file_data; content:"applet"; content:"0b0909041f"; fast_pattern; within:200; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2015680; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_09_06, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Java Exploit Kit with fast-flux like behavior hostile FQDN - Sep 05 2012"; flow:established,to_server; content:".justdied.com|0d 0a|"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015681; rev:2; metadata:created_at 2012_09_06, updated_at 2016_09_14;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole alt URL request Sep 05 2012 bv6rcs3v1ithi.php?w="; flow:established,to_server; content:"/bv6rcs3v1ithi.php?w="; http_uri; fast_pattern:only; reference:url,urlquery.net/report.php?id=158608; classtype:attempted-user; sid:2015684; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_09_06, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NeoSploit - TDS"; flow:established,to_server; urilen:34; content:"/?"; http_uri; depth:2; pcre:"/^\/\?[a-f0-9]{32}$/U"; classtype:attempted-user; sid:2015692; rev:2; metadata:created_at 2012_09_11, updated_at 2012_09_11;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED g01pack Exploit Kit Landing Page 4"; flow:established,to_server; urilen:10; content:"/comments/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015696; rev:3; metadata:created_at 2012_09_11, updated_at 2012_09_11;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole repetitive applet/code tag"; flow:established,from_server; file_data; content:"applet/code="; content:"/archive="; distance:0; content:".jar"; distance:0; pcre:"/applet\/code=[\x22\x27](?P<val1>[a-zA-Z0-9]+)[a-z]\.(?P=val1)[a-z][\x22\x27][^\x3e]+\.jar[\x22\x27]/"; classtype:trojan-activity; sid:2015697; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_09_12, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SPL Landing Page Requested"; flow:established,to_server; content:"/?"; http_uri; content:"YWZmaWQ9"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015698; rev:5; metadata:created_at 2012_09_12, updated_at 2012_09_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown base64-style Java-based Exploit Kit using github as initial director"; flow:established,to_server; content:"%3D HTTP/1."; fast_pattern:only; content:"/?"; http_uri; isdataat:45,relative; pcre:"/\/\?[a-z0-9]{5,}=[a-zA-Z0-9\x25]{40,}\x253D$/I"; classtype:trojan-activity; sid:2015699; rev:2; metadata:created_at 2012_09_12, updated_at 2012_09_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole2 - URI Structure"; flow:established,to_server; urilen:>122; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[a-z]{2,12}=[a-f0-9]{64}&[a-z]{2,12}=/U"; metadata: former_category CURRENT_EVENTS; classtype:attempted-user; sid:2015700; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_09_14, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole2 - Landing Page Received"; flow:established,to_client; file_data; content:"<applet"; content:".php?"; distance:0; pcre:"/^[a-z]{2,12}=[a-f0-9]{64}&[a-z]{2,12}=/R"; classtype:attempted-user; sid:2015701; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_09_14, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED g01pack Exploit Kit Landing Page 6"; flow:established,to_server; urilen:6; content:"/news/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015705; rev:3; metadata:created_at 2012_09_17, updated_at 2012_09_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED g01pack Exploit Kit Landing Page 5"; flow:established,to_server; urilen:6; content:"/view/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015706; rev:3; metadata:created_at 2012_09_17, updated_at 2012_09_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Blackhole Landing to 7-8 chr folder plus index.htm or index.html"; flow:established,to_server; content:"/index.htm"; fast_pattern:only; http_uri; urilen:18<>21; content:!"search"; nocase; http_uri; pcre:"/^\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*\/index\.html?$/U"; pcre:"/^\/[A-Za-z0-9]{7,8}\/index\.html?$/U"; classtype:bad-unknown; sid:2015709; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_09_17, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole2 - Landing Page Received"; flow:established,to_client; file_data; content:"<applet"; content:"<param"; distance:0; content:"value="; distance:0; pcre:"/^.{1,5}[a-f0-9]{100}/R"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015710; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_09_17, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole2 - Client reporting targeted software versions"; flow:established,to_server; urilen:>122; content:".php?"; http_uri; content:"="; distance:0; http_uri; content:"&"; http_uri; distance:64; within:1; content:"="; http_uri; distance:0; content:"&"; http_uri; distance:20; within:1; pcre:"/\.php\?[a-z]+=[a-f0-9]{64}&[^\?]+=[a-f0-9]{20}&/U"; classtype:attempted-user; sid:2015716; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_09_19, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED pamdql Exploit Kit 09/25/12 Sending PDF"; flow:established,from_server; content:"application/pdf|0d 0a|"; fast_pattern:only; content:"|0d 0a|Set-Cookie|3a 20|"; pcre:"/^[a-zA-Z]{5}=[a-z0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}\r\n/R"; content:"|0d 0a 0d 0a|%PDF-"; distance:0; classtype:trojan-activity; sid:2015725; rev:9; metadata:created_at 2012_09_21, updated_at 2012_09_21;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS Query to Unknown CnC DGA Domain adbullion.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|09|adbullion|03|com|00|"; nocase; distance:4; within:15; fast_pattern; classtype:bad-unknown; sid:2015729; rev:2; metadata:created_at 2012_09_21, updated_at 2012_09_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED g01pack Exploit Kit Landing Page 7"; flow:established,to_server; urilen:7; content:"/feeds/"; http_uri; content:".dyndns"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015731; rev:3; metadata:created_at 2012_09_21, updated_at 2012_09_21;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole2 - Landing Page Received - classid"; flow:established,to_client; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; content:"<param"; distance:0; content:"value="; pcre:"/^.{1,5}[a-f0-9]{100}/R"; classtype:trojan-activity; sid:2015732; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_09_21, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED pamdql applet with obfuscated URL"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"103hj115hj115hj111hj57hj46hj46hj"; within:200; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015739; rev:6; metadata:created_at 2012_09_25, updated_at 2012_09_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MALVERTISING - Redirect To Blackhole - Push JavaScript"; flow:established,to_client; file_data; content:".push( 'h' )\;"; content:".push( 't' )\;"; within:20; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015740; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_09_25, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SofosFO/NeoSploit possible landing page 10/01/12"; flow:established,to_server; urilen:51; content:"/4ff"; http_uri; depth:4; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015750; rev:2; metadata:created_at 2012_10_01, updated_at 2012_10_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SofosFO/NeoSploit possible landing page 10/01/12 (2)"; flow:established,to_server; urilen:51; content:"/504"; http_uri; depth:4; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015751; rev:3; metadata:created_at 2012_10_01, updated_at 2012_10_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Windows EXE with alternate byte XOR 51 - possible SofosFO/NeoSploit download"; flow:established,to_client; content:"|0d 0a|Mi"; isdataat:76,relative; content:"|54 5b 69 40 20 43 72 5c 67 41 61 5e 20 50 61 5d 6e 5c 74 13 62 56 20 41 75 5d 20 5a 6e 13 44 7c 53 13 6d 5c 64 56|"; distance:0; classtype:trojan-activity; sid:2015752; rev:2; metadata:created_at 2012_10_01, updated_at 2012_10_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Java Exploit Recent Jar (4)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"hw.class"; content:"test.class"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015759; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_10_04, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32.boCheMan-A/Dexter"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/gateway.php"; http_uri; content:"page="; depth:5; http_client_body; content:"&unm="; fast_pattern:only; http_client_body; content:"&cnm="; http_client_body; content:"&query="; http_client_body; reference:md5,ccc99c9f07e7be0f408ef3a68a9da298; classtype:trojan-activity; sid:2016019; rev:5; metadata:created_at 2012_10_06, updated_at 2012_10_06;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED pamdql obfuscated javascript _222_ padding"; flow:established,from_server; file_data; content:"d_222_o_222_c_222_u_222_"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015785; rev:4; metadata:created_at 2012_10_09, updated_at 2012_10_09;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole/Cool eot URI Struct"; flow:to_server,established; content:".eot"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.eot(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015787; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_10_09, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole/Cool Jar URI Struct"; flow:to_server,established; content:".jar"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.jar(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015796; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_10_12, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole 2 Landing Page (3)"; flow:to_server,established; content:"/ngen/controlling/"; fast_pattern:only; http_uri; content:".php"; http_uri; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015797; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_10_12, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole/Cool EXE URI Struct"; flow:to_server,established; content:".exe"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.exe(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015798; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_10_12, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED pamdql obfuscated javascript -_-- padding"; flow:established,from_server; file_data; content:"d-_--o-_--c-_--u-_--"; within:500; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015801; rev:3; metadata:created_at 2012_10_16, updated_at 2012_10_16;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET DELETED Blackhole 2 Landing Page (5)"; flow:to_server,established; content:"/forum/links/column.php"; http_uri; nocase; content:".ru:8080|0d 0a|"; http_header; nocase; fast_pattern:only; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015802; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_10_16, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Blackhole/Cool Landing URI Struct"; flow:to_server,established; content:".php"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.php(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; metadata: former_category CURRENT_EVENTS; reference:url,fortknoxnetworks.blogspot.com/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html; classtype:trojan-activity; sid:2015803; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_10_16, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED BlackHole 2 PDF Exploit"; flow:established,from_server; file_data; content:"/Index[5 1 7 1 9 4 23 4 50 3]"; flowbits:isset,ET.pdf.in.http; metadata: former_category CURRENT_EVENTS; reference:url,fortknoxnetworks.blogspot.com/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html; classtype:trojan-activity; sid:2015804; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_10_16, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK Font File Download (32-bit Host) Dec 11 2012"; flow:to_server,established; content:"/32s_font.eot"; http_uri; classtype:trojan-activity; sid:2015815; rev:3; metadata:created_at 2012_10_18, updated_at 2012_10_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK Font File Download (64-bit Host) Dec 11 2012"; flow:to_server,established; content:"/64s_font.eot"; http_uri; classtype:trojan-activity; sid:2015816; rev:4; metadata:created_at 2012_10_18, updated_at 2012_10_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Oct 19 2012"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"&|23|48|3b|&|23|98|3b|&|23|48|3b|&|23|57|3b|&|23|48|3b|&|23|57|3b|&|23|48|3b|&|23|52|3b|&|23|49|3b|&|23|102|3b|"; within:300; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015823; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_10_19, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole2 Non-Vulnerable Client Fed Fake Flash Executable"; flow: established,to_server; content:"/adobe/update_flash_player.exe"; http_uri; metadata: former_category CURRENT_EVENTS; reference:url,research.zscaler.com/2012/10/blackhole-exploit-kit-v2-on-rise.html; classtype:trojan-activity; sid:2015817; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_10_19, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Citadel API Access Video Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/video/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015833; rev:5; metadata:created_at 2012_10_22, updated_at 2012_10_22;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole 2.0 Binary Get Request"; flow:established,to_server; content:"GET"; http_method; content:" Java/1."; http_header; content:".php?"; http_uri; pcre:"/\.php\?\w{2,8}\=(0[0-9a-b]|3[0-9]){5,32}\&\w{2,9}\=(0[0-9a-b]|3[0-9]){10}\&\w{1,8}\=\d{2}\&\w{1,8}\=\w{1,8}\&\w{1,8}\=\w{1,8}$/U"; metadata: former_category CURRENT_EVENTS; reference:url,fortknoxnetworks.blogspot.be/2012/10/blackhole-20-binary-get-request.html; classtype:successful-user; sid:2015836; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_10_23, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole request for file containing Java payload URIs (1)"; flow:established,to_server; content:".php?asd=12gqw"; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015843; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_10_25, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole file containing obfuscated Java payload URIs"; flow:established,from_server; file_data; content:"0b0909041f3131"; depth:14; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015844; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_10_25, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED pamdql obfuscated javascript __-_ padding"; flow:established,from_server; file_data; content:"d__-_o__-_c__-_u__-_m__-_e__-_n__-_t"; within:500; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015845; rev:3; metadata:created_at 2012_10_25, updated_at 2012_10_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Georgian Targeted Attack - Client Request"; flow:established,to_server; urilen:9; content:"/calc.php"; http_uri; flowbits:set,ET.cyberEspionageGeorgia; flowbits:noalert; reference:md5,d4af87ba30c59d816673df165511e466; reference:url,dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf; classtype:trojan-activity; sid:2015851; rev:3; metadata:created_at 2012_10_31, updated_at 2012_10_31;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Georgian Targeted Attack - Server Response"; flow:established,from_server; flowbits:isset,ET.cyberEspionageGeorgia; file_data; content:"<html><head><META HTTP-EQUIV=|22|Pragma|22| CONTENT=|22|no-cache|22|></head><body>"; base64_decode:bytes 365, offset 0, relative; base64_data; content:"MZ"; within:2; content:"This program cannot be run in DOS mode."; within:360; reference:md5,d4af87ba30c59d816673df165511e466; reference:url,dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf; classtype:trojan-activity; sid:2015852; rev:3; metadata:created_at 2012_10_31, updated_at 2012_10_31;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole request for file containing Java payload URIs (2)"; flow:established,to_server; content:"php?fbebf=nt34t4"; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015863; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_11_02, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole 2.0 PDF GET request"; flow:established,to_server; content:".php?"; http_uri; content:"00020002"; http_uri; fast_pattern:only; pcre:"/\.php\?\w{2,9}\=(0[0-9a-b]|3[0-9]){5}\&\w{3,9}\=(3[0-9a-f]|4[0-9a-f])\&\w{3,9}\=(0[0-9a-b]|3[0-9]){10}\&\w{3,9}\=(0[0-9a-b]{1,8})00020002$/U"; reference:url,fortknoxnetworks.blogspot.com/2012/11/deeper-into-blackhole-urls-and-dialects.html; classtype:attempted-user; sid:2015864; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_11_06, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole request for file containing Java payload URIs (3)"; flow:established,to_server; content:".php?asvvab=125qwafdsg"; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015871; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_11_07, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole request for Payload"; flow:established,to_server; content:".php?"; http_uri; content:"|3a|"; http_uri; fast_pattern; content:"|3a|"; distance:2; within:1; http_uri; content:"|3a|"; distance:2; within:1; http_uri; pcre:"/\.php\?[a-z]+=(([1-2][a-z]|3[0-9])\x3a){3,}([1-2][a-z]|3[0-9])&/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015872; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_11_07, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole 16/32-hex/a-z.php Landing Page URI"; flow:established,to_server; content:".php"; http_uri; content:"/"; http_uri; distance:-6; within:1; pcre:"/\/[a-f0-9]{16}([a-f0-9]{16})?\/[a-z]\.php$/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015877; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_11_09, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SofosFO/NeoSploit possible second stage landing page (1)"; flow:established,to_server; urilen:>40; content:".js"; http_uri; pcre:"/^\/[a-z0-9A-Z]{25,35}\/(([e7uxMhp1Kt]+Q){3}[e7uxMhp1Kt]+(_[e7uxMhp1Kt]+)?|a2\.\.)Z(([e7uxMhp1Kt]+Q){3}[e7uxMhp1Kt]+|a2\.\.)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015889; rev:9; metadata:created_at 2012_11_15, updated_at 2012_11_15;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED CoolEK - Landing Page - Title"; flow:established,to_client; file_data; content:"<title>Hello my friend...</title>"; classtype:trojan-activity; sid:2015891; rev:4; metadata:created_at 2012_11_15, updated_at 2012_11_15;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - PDF Exploit - pdf_new.php"; flow:established,to_server; content:"/pdf_new.php"; fast_pattern:only; http_uri; classtype:trojan-activity; sid:2015892; rev:3; metadata:created_at 2012_11_15, updated_at 2012_11_15;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK - PDF Exploit - pdf_old.php"; flow:established,to_server; content:"/pdf_old.php"; fast_pattern:only; http_uri; classtype:trojan-activity; sid:2015893; rev:5; metadata:created_at 2012_11_15, updated_at 2012_11_15;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK Landing Pattern (1)"; flow:to_server,established; content:"/r/l/"; depth:5; http_uri; content:".php"; http_uri; pcre:"/^\/r\/l\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:trojan-activity; sid:2015915; rev:3; metadata:created_at 2012_11_21, updated_at 2012_11_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK Landing Pattern (2)"; flow:to_server,established; content:"/t/l/"; depth:5; http_uri; content:".php"; http_uri; pcre:"/^\/t\/l\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:trojan-activity; sid:2015916; rev:4; metadata:created_at 2012_11_21, updated_at 2012_11_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED RedKit /h***.htm(l) Landing Page - Set"; flow:established,to_server; urilen:8<>11; content:"/h"; depth:2; http_uri; pcre:"/^\/h[a-z]{3}\.html?$/U"; flowbits:set,ET.http.driveby.redkit.uri; flowbits:noalert; classtype:trojan-activity; sid:2015927; rev:3; metadata:created_at 2012_11_26, updated_at 2012_11_26;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole 2 Landing Page (7)"; flow:to_server,established; content:"/news/enter/2012-1"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/\/news\/enter\/2012-1[0-2]-([0-2][0-9]|3[0-1])\.php/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015932; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_11_26, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole/Cool txt URI Struct"; flow:to_server,established; content:".txt"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.txt(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015933; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_11_26, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED PHISH Gateway POST to gateway-p"; flow:established,to_server; content:"POST"; http_method; content:"/gateway-p"; http_uri; classtype:bad-unknown; sid:2015973; rev:1; metadata:created_at 2012_11_30, updated_at 2012_11_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Dec 03 2012"; flow:established,from_server; file_data; content:"applet"; content:"yy3Ojj"; within:1600; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2015978; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_12_03, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Nymaim Checkin"; flow:to_server,established; content:"POST "; depth:5; content:"/nymain/"; within:8; fast_pattern; content:"/index.php"; distance:0; content:"|0d 0a 0d 0a|filename="; distance:0; content:"&data="; distance:0; reference:md5,b904ce55532582a6ea516399d8e4b410; classtype:trojan-activity; sid:2016752; rev:3; metadata:created_at 2012_12_12, updated_at 2012_12_12;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED FakeScan - Landing Page - Title - Microsoft Antivirus 2013"; flow:established,to_client; file_data; content:"<title>Microsoft Antivirus 2013</title>"; classtype:bad-unknown; sid:2016020; rev:2; metadata:created_at 2012_12_12, updated_at 2012_12_12;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED FakeScan - Payload Download Received"; flow:established,to_client; content:"attachment"; http_header; content:"freescan"; http_header; fast_pattern; file_data; content:"MZ"; within:2; classtype:bad-unknown; sid:2016021; rev:2; metadata:created_at 2012_12_12, updated_at 2012_12_12;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole - TDS Redirection To Exploit Kit - Loading"; flow:established,to_client; file_data; content:"<title>Loading...!</title>"; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2016024; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_12_12, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole - TDS Redirection To Exploit Kit - /head/head1.html"; flow:established,to_server; content:"/head/head1.html"; http_uri; classtype:bad-unknown; sid:2016025; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_12_12, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SofosFO/NeoSploit possible second stage landing page (2)"; flow:established,to_server; urilen:>25; content:"/highlands.js"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016046; rev:5; metadata:created_at 2012_12_17, updated_at 2012_12_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK Font File Download Dec 18 2012"; flow:to_server,established; content:".eot"; http_uri; nocase; fast_pattern:only; pcre:"/\/(?:(?:article|contact|new)s|read|(?:fo|tu)r)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})\.eot|([A-Z]{4,20}[-._])?[A-Z]{4,20}\.EOT)$/U"; classtype:trojan-activity; sid:2016057; rev:7; metadata:created_at 2012_12_18, updated_at 2012_12_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK - New PDF Exploit - Dec 18 2012"; flow:established,to_server; content:"1.pdf"; nocase; fast_pattern:only; http_uri; pcre:"/\/(?:(?:article|contact|new)s|(?:fo|tu)r|public|read)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})1\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}1\.PDF)$/U"; classtype:trojan-activity; sid:2016058; rev:9; metadata:created_at 2012_12_18, updated_at 2012_12_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK - Old PDF Exploit - Dec 18 2012"; flow:established,to_server; content:"2.pdf"; nocase; fast_pattern:only; http_uri; pcre:"/\/(?:(?:article|contact|new|sale)s|(?:fo|tu)r|public|read)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})2\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}2\.PDF)$/U"; classtype:trojan-activity; sid:2016059; rev:13; metadata:created_at 2012_12_18, updated_at 2012_12_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK - Jar - Jun 05 2013"; flow:to_server,established; content:".jar"; nocase; fast_pattern:only; http_uri; content:" Java/1"; http_header; pcre:"/Host\x3a[^\r\n]+?\.(pw|us)(\x3a\d{1,5})?\r$/Hmi"; pcre:"/^(\/[a-z]{3,20})?\/([a-z]{3,20}[-_])+[a-z]{3,20}\.jar$/U"; classtype:trojan-activity; sid:2016060; rev:13; metadata:created_at 2012_12_18, updated_at 2012_12_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Popads Exploit Kit font request 32hex digit .eot"; flow:established,to_server; content:".eot"; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\.eot$/Ui"; classtype:attempted-user; sid:2016064; rev:4; metadata:created_at 2012_12_19, updated_at 2012_12_19;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED CoolEK - Landing Page (2)"; flow:established,to_client; file_data; content:"</title>|0D 0A|<link href=|22|favicon.ico|22| rel=|22|shortcut icon|22| type=|22|image/x-icon|22| />"; classtype:trojan-activity; sid:2016066; rev:2; metadata:created_at 2012_12_19, updated_at 2012_12_19;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Backdoor.Win32.Skill.gk User-Agent"; flow:established,to_server; content:"|3b 20 3b 20|"; http_header; pcre:"/User-Agent[^\r\n]+(MSIE[^\r\n]*(\x3b\x20){2}|(\x3b\x20){2}[^\r\n]*MSIE)/iH"; classtype:trojan-activity; sid:2016074; rev:4; metadata:created_at 2012_12_21, updated_at 2012_12_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAV Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/?affid="; depth:8; http_uri; content:"&promo_type="; http_uri; content:"&promo_opt="; http_uri; pcre:"/^\/\?affid=\d+&promo_type=\d+&promo_opt=\d+$/U"; reference:md5,527e115876d0892c9a0ddfc96e852a16; classtype:trojan-activity; sid:2016075; rev:2; metadata:created_at 2012_12_21, updated_at 2012_12_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED pamdql/Sweet Orange delivering hostile XOR trojan payload from robots.php"; flow:established,to_server; content:"/robots.php?"; http_uri; classtype:trojan-activity; sid:2016092; rev:2; metadata:created_at 2012_12_27, updated_at 2012_12_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/Stabuniq CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"/rssnews.php"; http_uri; content:!"User-Agent|3A|"; http_header; content:"id="; http_client_body; depth:3; content:"&varname="; distance:0; content:"&comp="; distance:0; content:"&src="; distance:0; reference:url,contagiodump.blogspot.co.uk/2012/12/dec-2012-trojanstabuniq-samples.html; reference:url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers; classtype:trojan-activity; sid:2016096; rev:2; metadata:created_at 2012_12_27, updated_at 2012_12_27;)

#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DELETED DNS Reply Sinkhole - zeus.redheberg.com - 95.130.14.32"; content:"|00 01 00 01|"; content:"|00 04 5f 82 0e 20|"; distance:4; within:6; classtype:trojan-activity; sid:2016105; rev:3; metadata:created_at 2012_12_27, updated_at 2012_12_27;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Sweet Orange Java obfuscated binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|22 2a|"; within:2; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016112; rev:2; metadata:created_at 2012_12_28, updated_at 2012_12_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Stabuniq Observed C&C POST Target /rss.php"; flow:to_server,established; content:"POST"; http_method; content:"/rss.php"; http_uri; reference:url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-121809-2437-99&tabid=2; reference:url,contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html; classtype:trojan-activity; sid:2016131; rev:2; metadata:created_at 2012_12_28, updated_at 2012_12_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User Agent (iexplorer)"; flow:to_server,established; content:"User-Agent|3a 20|iexplorer|0d 0a|"; http_header; classtype:trojan-activity; sid:2016140; rev:4; metadata:created_at 2013_01_03, updated_at 2013_01_03;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Sweet Orange Java obfuscated binary (2)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|3d 3b|"; within:2; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016143; rev:3; metadata:created_at 2013_01_03, updated_at 2013_01_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Magnitude EK (formerly Popads) - Font Exploit - 32HexChar.eot"; flow:established,to_server; urilen:>36; content:".eot"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{32}\.eot$/U"; content:!"fonts.gstatic.com|0d 0a|"; http_header; content:!".fitbit.com|0d 0a|"; http_header; classtype:attempted-user; sid:2016155; rev:6; metadata:created_at 2013_01_04, updated_at 2013_01_04;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit PluginDetect FromCharCode Jan 04 2013"; flowbits:set,et.exploitkitlanding; flow:established,to_client; file_data; content:"80,108,117,103,105,110,68,101,116,101,99,116"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:attempted-user; sid:2016166; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_01_04, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Ransomware Checkin"; flow:established,to_server; content:"/index.html"; http_uri; content:"POST"; http_method; content:!"User-Agent|3a| "; http_header; content:"application/octet-stream|0d 0a 0d 0a|"; http_client_body; content:"/"; http_client_body; distance:2; within:1; pcre:"/filename=\x22\d+?\x22/P"; classtype:trojan-activity; sid:2016185; rev:2; metadata:created_at 2013_01_11, updated_at 2016_12_23;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Potential Zeus Binary Download - Specific PE Sections Structure"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"This program cannot be run in DOS mode"; distance:0; content:"PE|00 00|"; distance:0; content:".text"; distance:0; content:"m13"; distance:0; content:"m12"; distance:0; content:"m11"; distance:0; content:"m10"; distance:0; content:"m9"; distance:0; content:"m8"; distance:0; content:"m7"; distance:0; content:"m6"; distance:0; content:"m5"; distance:0; content:"m4"; distance:0; content:"m3"; distance:0; content:".data"; distance:0; content:".data2"; distance:0; reference:url,ioactive.com/pdfs/ZeusSpyEyeBankingTrojanAnalysis.pdf; classtype:trojan-activity; sid:2016188; rev:3; metadata:created_at 2013_01_11, updated_at 2013_01_11;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY Unknown - Landing Page Requested - /?Digit"; flow:established,to_server; urilen:9<>16; content:"/?"; http_uri; depth:13; pcre:"/^\/[a-z0-9]{6,10}\/\?[0-9]{1,2}$/Ui"; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2016193; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2013_01_11, updated_at 2018_04_23;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit encoded PluginDetect Jan 15 2013"; flow:established,to_client; file_data; content:"80|3A|!08|3A|!!7|3A|!03|3A|!05|3A|!!0|3A|68|3A|!0!|3A|!!6|3A|!0!|3A|99|3A|!!6"; classtype:trojan-activity; sid:2016213; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_01_15, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK Payload Download"; flow:established,to_server; content:"/pics/new.png"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:article|contact|new)s|(?:fo|tu)r|public|read)\/pics\/new\.png$/U"; classtype:trojan-activity; sid:2016221; rev:5; metadata:created_at 2013_01_16, updated_at 2013_01_16;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole 16/32-hex/a-z.php Jar Download"; flow:established,to_server; content:".php"; http_uri; content:"/"; http_uri; distance:-6; within:1; pcre:"/\/[a-f0-9]{16}([a-f0-9]{16})?\/[a-z]\.php/U"; content:" Java/1"; http_header; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016229; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_01_18, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED SofosFO - Landing Page"; flow:established,to_client; file_data; content:"BillyBonnyGetDepolo"; classtype:trojan-activity; sid:2016241; rev:3; metadata:created_at 2013_01_21, updated_at 2013_01_21;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Jan 21 2012"; flow:established,from_server; file_data; content:"applet"; content:"Dyy"; within:300; content:"Ojj"; within:200; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2016242; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_01_21, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Request for FakeAV Binary /two/data.exe Infection Campaign"; flow:established,to_server; content:"/index/two/data.exe"; http_uri; classtype:trojan-activity; sid:2016243; rev:2; metadata:created_at 2013_01_21, updated_at 2013_01_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 1"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/start.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016257; rev:2; metadata:created_at 2013_01_23, updated_at 2013_01_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 2"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/setup.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016258; rev:2; metadata:created_at 2013_01_23, updated_at 2013_01_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 3"; flow:to_server,established; content:"GET"; http_method; urilen:11; content:"/search.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016259; rev:2; metadata:created_at 2013_01_23, updated_at 2013_01_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 4"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/main.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016260; rev:2; metadata:created_at 2013_01_23, updated_at 2013_01_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 5"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/login.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016261; rev:2; metadata:created_at 2013_01_23, updated_at 2013_01_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 6"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/main.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016262; rev:2; metadata:created_at 2013_01_23, updated_at 2013_01_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 7"; flow:to_server,established; content:"GET"; http_method; urilen:12; content:"/welcome.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016263; rev:2; metadata:created_at 2013_01_23, updated_at 2013_01_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 8"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/file.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016264; rev:2; metadata:created_at 2013_01_23, updated_at 2013_01_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 9"; flow:to_server,established; content:"GET"; http_method; urilen:12; content:"/default.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016265; rev:2; metadata:created_at 2013_01_23, updated_at 2013_01_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 10"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/home.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016266; rev:2; metadata:created_at 2013_01_23, updated_at 2013_01_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 11"; flow:to_server,established; content:"GET"; http_method; urilen:11; content:"/online.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016267; rev:2; metadata:created_at 2013_01_23, updated_at 2013_01_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 12"; flow:to_server,established; content:"GET"; http_method; urilen:12; content:"/install.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016268; rev:2; metadata:created_at 2013_01_23, updated_at 2013_01_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK - New PDF Exploit - Jan 24 2013"; flow:established,to_server; content:"3.pdf"; nocase; fast_pattern:only; http_uri; pcre:"/\/(?:(?:article|contact|new|sale)s|(?:fo|tu)r|public|read)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})3\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}3\.PDF)$/U"; classtype:trojan-activity; sid:2016278; rev:5; metadata:created_at 2013_01_25, updated_at 2013_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK Payload Download (2)"; flow:established,to_server; content:"/pics/image.gif"; fast_pattern:only; http_uri; content:!"Referer|3a|"; http_header; nocase; pcre:"/\/(?:(?:article|contact|new)s|(?:fo|tu)r|public|read)\/pics\/image\.gif$/U";  classtype:trojan-activity; sid:2016279; rev:5; metadata:created_at 2013_01_25, updated_at 2013_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK Payload Download (3)"; flow:established,to_server; content:"/pics/foto.png"; fast_pattern:only; http_uri; content:!"Referer|3a|"; http_header; nocase; pcre:"/\/(?:(?:article|contact|new)s|(?:fo|tu)r|public|read)\/pics\/foto\.png$/U"; classtype:trojan-activity; sid:2016280; rev:6; metadata:created_at 2013_01_25, updated_at 2013_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 13"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/index.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016281; rev:2; metadata:created_at 2013_01_25, updated_at 2013_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan-Spy.Win32.Zbot.hmcm Checkin"; flow:established,to_server; content:"/b/"; depth:3; http_uri; pcre:"/^\/b\/(eve|opt|req)\/[\-f0-9A-F]{24}$/U"; reference:md5,291b5ce96b3932944a32031d33bc8cfc; classtype:trojan-activity; sid:2018437; rev:3; metadata:created_at 2013_01_26, updated_at 2013_01_26;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Linux/SSHDoor.A User Login CnC Beacon"; flow:established,to_server; content:"sid="; http_uri; content:"|3A|"; http_uri; content:"&uname="; http_uri; reference:url,blog.eset.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords; classtype:trojan-activity; sid:2016315; rev:3; metadata:created_at 2013_01_30, updated_at 2013_01_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Exploit Kit Java gif download"; flow:established,to_server; content:".gif"; http_uri; pcre:"/\.gif$/U"; content:" Java/1."; http_header; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:trojan-activity; sid:2016320; rev:3; metadata:created_at 2013_01_31, updated_at 2013_01_31;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible g01pack Jar download"; flow:established,from_server; flowbits:isset,ET.g01pack.Java.Image; file_data; content:"PK"; depth:2; content:".class"; fast_pattern:only; classtype:trojan-activity; sid:2016321; rev:3; metadata:created_at 2013_01_31, updated_at 2013_01_31;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Feb 04 2012"; flow:established,from_server; file_data; content:"applet"; content:"Ojj"; within:300; content:"Dyy"; within:300; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2016341; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_02_05, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/ZeroAccess Counter.img Checkin"; flow:established,to_server; content:"/counter.img?theme="; fast_pattern; http_uri; content:"&digits="; http_uri; content:"&siteId="; http_uri; content:"User-Agent|3A| Opera/9 (Windows NT "; http_header; reference:url,malwaremustdie.blogspot.co.uk/2013/02/blackhole-of-closest-version-with.html; classtype:trojan-activity; sid:2016358; rev:3; metadata:created_at 2013_02_06, updated_at 2013_02_06;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Android/DNightmare - Task Killer Checkin 1"; flow:established,to_server; content:"GET"; http_method; content:"/pagead/ads?rsp="; nocase; http_uri; fast_pattern; content:"msid=com.droiddream.advancedtaskkiller1"; nocase; http_uri; reference:url,anubis.iseclab.org/index.php?action=result&task_id=4fdbf09e9bb20824658cfd45b63a309e; classtype:trojan-activity; sid:2016385; rev:2; metadata:created_at 2013_02_08, updated_at 2013_02_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Android/DNightmare - Task Killer Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:"/pagead/afma_load_ads.js"; nocase; http_uri; fast_pattern; content:"pagead2.googlesyndication.com"; http_header; reference:md5,745513a53af2befe3dc00d0341d80ca6; classtype:trojan-activity; sid:2016386; rev:3; metadata:created_at 2013_02_08, updated_at 2013_02_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Android/DNightmare -Task Killer Checkin 3"; flow:established,to_server; content:"GET"; http_method; content:"/m/gne/suggest?q="; nocase; http_uri; fast_pattern; content:"SID=DQAAAKQAAAAHga"; http_cookie; reference:md5,745513a53af2befe3dc00d0341d80ca6; classtype:trojan-activity; sid:2016387; rev:3; metadata:created_at 2013_02_08, updated_at 2013_02_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Exploit Kit Java png download"; flow:established,to_server; content:".png"; http_uri; pcre:"/\.png$/U"; content:" Java/1."; http_header; fast_pattern:only; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:trojan-activity; sid:2016402; rev:2; metadata:created_at 2013_02_12, updated_at 2013_02_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK - PDF Exploit - Feb 12 2013"; flow:established,to_server; content:".pdf"; nocase; http_uri; fast_pattern:only; pcre:"/\/w(?:hite|orld|step)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}\.PDF)$/U"; classtype:trojan-activity; sid:2016405; rev:6; metadata:created_at 2013_02_12, updated_at 2013_02_12;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED CoolEK landing applet plus class Feb 12 2013"; flow:established,to_client; file_data; content:"<applet"; content:"SunJCE"; within:200; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016406; rev:2; metadata:created_at 2013_02_12, updated_at 2013_02_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK Payload Download (4)"; flow:established,to_server; content:"/w"; http_uri; nocase; content:" Java/1"; http_header; fast_pattern:only; pcre:"/\/(?:w(?:hite|orld)|step)\/\d+$/U"; classtype:trojan-activity; sid:2016408; rev:11; metadata:created_at 2013_02_12, updated_at 2013_02_12;)

#alert udp $HOME_NET any -> 78.47.139.110 53 (msg:"ET DELETED Possible DNS Data Exfiltration to SSHD Rootkit Last Resort CnC";  reference:url,isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229; classtype:trojan-activity; sid:2016473; rev:3; metadata:created_at 2013_02_22, updated_at 2013_02_22;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Exploit Kit Java .psd download"; flow:established,to_server; content:".psd"; http_uri; pcre:"/\.psd$/U"; content:" Java/1."; http_header; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:trojan-activity; sid:2016495; rev:5; metadata:created_at 2013_02_25, updated_at 2013_02_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Exploit Kit Java jpeg download"; flow:established,to_server; content:".jpeg"; http_uri; pcre:"/\.jpeg$/U"; content:" Java/1."; http_header; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:trojan-activity; sid:2016506; rev:5; metadata:created_at 2013_02_25, updated_at 2013_02_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole V2 Exploit Kit Landing Page Try Catch Body Specific -  4/3/2013"; flow:established,to_client; file_data; content:"}try{doc[|22|body|22|]^=2}catch("; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016524; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_03_04, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole V2 Exploit Kit Landing Page Try Catch Body Style 2 Specific -  4/3/2013"; flow:established,to_client; file_data; content:"try{document.body^=2}catch("; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016525; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_03_04, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole V2 Exploit Kit Landing Page Try Catch False Specific -  4/3/2013"; flow:established,to_client; file_data; content:"}try{}catch("; distance:0; content:"=false|3B|}"; within:30; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016526; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_03_04, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Blackhole/Cool plugindetect in octal Mar 6 2013"; flow:established,from_server; file_data; content:"0160,0144,0160,0144,075,0173"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016544; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_03_06, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK Payload Download (6)"; flow:established,to_server; content:"/mypic.dll"; http_uri; nocase; fast_pattern:only; pcre:"/\/(w(?:hite|orld)|step)\/mypic\.dll$/U"; classtype:trojan-activity; sid:2016547; rev:11; metadata:created_at 2013_03_06, updated_at 2013_03_06;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/Ponik.Downloader Randomware Download"; flow:established,to_server; urilen:>60; content:"-.php"; fast_pattern; http_uri; content:"User-Agent|3A| Mozilla/5.0 (Windows NT  6.1|3B| WOW64) AppletWebKit/537.11 (KHTML, like Gecko)  Chrome/23.0.1271.97 Safari/537.11|0D 0A|"; http_header; pcre:"/\x2F[a-z\x2D]{60,120}.+\x2D\x2Ephp$/U"; reference:url,www.symantec.com/connect/blogs/fake-adobe-flash-update-installs-ransomware-performs-click-fraud; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-110915-5758-99; classtype:trojan-activity; sid:2016548; rev:2; metadata:created_at 2013_03_06, updated_at 2013_03_06;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Neutrino EK Downloading Jar"; flow:established,to_server; content:" Java/1."; http_header; content:"/m"; http_uri; content:"?l"; http_uri; distance:0; pcre:"/\/m[a-z]+?\?l[a-z]+?=[a-z]+$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016551; rev:6; metadata:created_at 2013_03_07, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (1) Mar 07 2013"; flow:established,to_server; urilen:10; content:"/kid.class"; http_uri; content:" Java/1."; http_header; classtype:trojan-activity; sid:2016554; rev:5; metadata:created_at 2013_03_08, updated_at 2013_03_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (2) Mar 07 2013"; flow:established,to_server; urilen:10; content:"/dab.class"; http_uri; content:" Java/1."; http_header; classtype:trojan-activity; sid:2016555; rev:3; metadata:created_at 2013_03_08, updated_at 2013_03_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (3) Mar 07 2013"; flow:established,to_server; urilen:10; content:"/jot.class"; http_uri; content:" Java/1."; http_header; classtype:trojan-activity; sid:2016556; rev:3; metadata:created_at 2013_03_08, updated_at 2013_03_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (4) Mar 07 2013"; flow:established,to_server; urilen:10; content:"/kir.class"; http_uri; content:" Java/1."; http_header; classtype:trojan-activity; sid:2016557; rev:4; metadata:created_at 2013_03_08, updated_at 2013_03_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK Payload Download (7)"; flow:established,to_server; content:"/get"; http_uri; fast_pattern:only; content:".jpg"; http_uri; content:!"Referer|3a| "; http_header; pcre:"/\/get(?:a+|n+)\.jpg$/U"; classtype:trojan-activity; sid:2016559; rev:14; metadata:created_at 2013_03_08, updated_at 2013_03_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/Asprox Spam Module CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"Content-Disposition|3A| form-data|3B| name=|22|sid|22|"; http_client_body; content:"Content-Disposition|3A| form-data|3B| name=|22|up|22|"; http_client_body; distance:0; content:"Content-Disposition|3A| form-data|3B| name=|22|ping|22|"; fast_pattern:32,11; http_client_body; distance:0; content:"Content-Disposition|3A| form-data|3B| name=|22|guid|22|"; distance:0; http_client_body; reference:url,www.welivesecurity.com/2013/03/08/sinkholing-trojan-downloader-zortob-b-reveals-fast-growing-malware-threat/; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016561; rev:2; metadata:created_at 2013_03_12, updated_at 2013_03_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Neutrino EK Posting Plugin-Detect Data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"h"; depth:1; http_client_body; content:"="; within:12; http_client_body; content:"&p"; distance:24; within:2; http_client_body; content:"&i"; within:13; http_client_body; pcre:"/^h[a-z0-9]{0,10}\x3d[a-f0-9]{24}&p[a-z0-9]{0,10}\x3d[a-z0-9]{1,11}&i/P"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016562; rev:4; metadata:created_at 2013_03_12, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole 16-hex/q.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:23; content:"/q.php"; offset:17; http_uri; pcre:"/^\/[0-9a-f]{16}\/q\.php$/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016563; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_03_12, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole 16-hex/q.php Jar Download"; flow:established,to_server; content:"/q.php"; offset:17; http_uri; pcre:"/^\/[0-9a-f]{16}\/q\.php/U"; content:" Java/1"; http_header; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016564; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_03_12, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Redkit Jar Naming Pattern March 03 2013"; flow:established,to_server; content:".jar"; http_uri; content:" Java/1."; http_header; pcre:"/^\/[a-z0-9]{2}\.jar$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016588; rev:13; metadata:created_at 2013_03_15, updated_at 2013_03_15;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Redkit URI Struct Flowbit"; flow:established,to_server; content:".htm"; http_uri; fast_pattern:only; pcre:"/^\/[a-z]{4}\.html?(\?[h-j]=\d+)?$/U"; flowbits:set,ET.http.driveby.redkit.uri; flowbits:noalert; classtype:trojan-activity; sid:2016589; rev:7; metadata:created_at 2013_03_18, updated_at 2013_03_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CrimeBoss - Java Exploit - m11.jar"; flow:established,to_server; content:"/m11.jar"; http_uri; content:" Java/"; http_header; classtype:trojan-activity; sid:2016597; rev:2; metadata:created_at 2013_03_19, updated_at 2013_03_19;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -2 Mar 13 2013"; flow:established,from_server; file_data; content:"0156,0142,0156,0142,073,0171"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016636; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_03_20, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED [CrowdStrike] ANCHOR PANDA - PoisonIvy Keep-Alive - From Controller"; dsize:48; flow:established, from_server; content:"|54 90 1d b0 18 1b 7c ce f4 5b 24 2f ec c7 d2 21|"; depth:16; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016657; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2013_03_22, malware_family PoisonIvy, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED [CrowdStrike] ANCHOR PANDA - PoisonIvy Keep-Alive - From Victim"; dsize:48; flow: established, to_server; content: "|af c0 bb 65 5d 07 e0 0d bf ab 75 2f 82 79 ae 26|"; depth:16; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016658; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2013_03_22, malware_family PoisonIvy, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -4 Mar 22 2013"; flow:established,from_server; file_data; content:"0154,0140,0154,0140,071,0167"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016661; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_03_22, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -5 Mar 26 2013"; flow:established,from_server; file_data; content:"0153,0137,0153,0137,070,0166"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016678; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_03_27, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -7 Mar 30 2013"; flow:established,from_server; file_data; content:"0151,0135,0151,0135,066,0164"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016686; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_04_01, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SofosFO/NeoSploit possible second stage landing page (1)"; flow:established,to_server; urilen:>35; content:".php"; http_uri; fast_pattern:only; pcre:"/^\/[a-z0-9A-Z]{15,35}\/((\d+[A-Z]){3}\d+|null)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016706; rev:21; metadata:created_at 2013_04_01, updated_at 2013_04_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Empty HTTP Content Type Server Response - Potential CnC Server"; flow:established,to_client; content:"Content-Type|3A 20 0D 0A|"; http_header; classtype:bad-unknown; sid:2016712; rev:2; metadata:created_at 2013_04_03, updated_at 2013_04_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Sakura Jar Download SET"; flow:established,to_server; content:".php"; http_uri; content:" Java/1."; http_header; fast_pattern; flowbits:set,ET.Sakura.php.Java; flowbits:noalert; classtype:trojan-activity; sid:2016720; rev:2; metadata:created_at 2013_04_03, updated_at 2013_04_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole 32-hex/ff.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:40; content:"/ff.php"; http_uri; offset:33; pcre:"/^\/[0-9a-f]{32}\/ff\.php$/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016722; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_04_04, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole 32-hex/ff.php Jar Download"; flow:established,to_server; content:"/ff.php"; offset:33; depth:7; http_uri; pcre:"/^\/[0-9a-f]{32}\/ff\.php/U"; content:" Java/1"; http_header; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016723; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_04_04, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole 16-hex/ff.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:24; content:"/ff.php"; offset:17; depth:7; http_uri; pcre:"/^\/[0-9a-f]{16}\/ff\.php$/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016724; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_04_04, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole 16-hex/ff.php Jar Download"; flow:established,to_server; content:"/ff.php"; offset:17; depth:7; http_uri; pcre:"/^\/[0-9a-f]{16}\/ff\.php/U"; content:" Java/1"; http_header; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016725; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_04_04, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Reversed Applet Observed in Sakura/Blackhole Landing"; flow:established,from_server; file_data; content:"eulav "; nocase; fast_pattern:only; content:"eman "; nocase; content:"marap<"; nocase; within:500; content:"telppa"; within:500; nocase; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016729; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_04_05, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal"; flow:established,from_server; file_data; content:"mCharCode"; pcre:"/(?P<p>[0-9a-f]{2,4})(?P<sep>[\x2e\x2c\x3b\x3a])(?P<d>(?!(?P=p))[0-9a-f]{2,4})(?P=sep)(?P=p)(?P=sep)(?P=d)(?P=sep)([0-9a-f]{2,4}(?P=sep)){10}(?P<q>(?!((?P=p)|(?P=d)))[0-9a-f]{2,4})(?P=sep)[0-9a-f]{2,4}(?P=sep)(?P<dot>(?!((?P=p)|(?P=d)|(?P=q)))[0-9a-f]{2,4})(?P=sep)[0-9a-f]{2,4}(?P=sep)(?P=dot)(?P=sep)[0-9a-f]{2,4}(?P=sep)(?P=q)/R"; classtype:trojan-activity; sid:2016730; rev:14; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_04_05, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Neutrino EK Plugin-Detect April 12 2013"; flow:established,from_server; file_data; content:"PluginDetect"; fast_pattern:only; nocase; content:"$(document).ready"; content:"function"; distance:0; pcre:"/\x28[\r\n\s]*?(?P<qa1>[\x22\x27]?)[a-f0-9]{24}(?P=qa1)[\r\n\s]*?,[\r\n\s]*?(?P<qa2>[\x22\x27]?)[a-z0-9]{1,20}(?P=qa2)[\r\n\s]*?/R"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016756; rev:5; metadata:created_at 2013_04_12, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Neutrino EK Posting Plugin-Detect Data April 12 2013"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/c"; http_uri; depth:2; pcre:"/^\/c[a-z0-9]+$/U"; content:"XMLHttpRequest"; nocase; http_header; fast_pattern:only; content:"p"; depth:1; http_client_body; pcre:"/^p[a-z0-9]{0,20}\x3d[a-z0-9]{1,20}&i[a-z0-9]{0,20}\x3d%[0-9A-F]{2}/P"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016753; rev:9; metadata:created_at 2013_04_12, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole 2 Landing Page (9)"; flow:to_server,established; content:"/closest/"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/^\/closest\/(([a-z]{1,16}[-_]){1,4}[a-z]{1,16}|[a-z0-9]{20,}+)\.php/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016755; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_04_12, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal Apr 18 2013"; flow:established,from_server; file_data; content:"telppa"; pcre:"/(?P<p>[0-7]{2,4})(?P<sep>[^0-7])(?P<d>(?!(?P=p))[0-7]{2,4})(?P=sep)(?P=p)(?P=sep)(?P=d)(?P=sep)([0-7]{2,4}(?P=sep)){10}(?P<q>[0-7]{2,4})(?P=sep)[0-7]{2,4}(?P=sep)(?P<dot>[0-7]{2,4})(?P=sep)[0-7]{2,4}(?P=sep)(?P=dot)(?P=sep)[0-7]{2,4}(?P=sep)(?P=q)/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016776; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_04_19, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK Payload Download (8)"; flow:established,to_server; content:"/getqq.jpg"; http_uri; nocase; fast_pattern:only; pcre:"/getqq\.jpg$/U"; classtype:trojan-activity; sid:2016782; rev:14; metadata:created_at 2013_04_23, updated_at 2013_04_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED - Possible BlackHole request with decryption Base "; flow:established,to_server; content:"&jopa="; nocase; http_uri; fast_pattern:only; pcre:"/&jopa=\d+$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016813; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_05_02, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Trojan POST"; flow:established,to_server; content:"POST"; http_method; content:"Content-Length|3a| 0|0d 0a|"; http_header; content:"/a/"; http_uri; fast_pattern; content:"PHPSESSID="; http_cookie; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2016834; rev:1; metadata:created_at 2013_05_08, updated_at 2013_05_08;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED BlackHole Java Exploit Artifact"; flow:established,to_server; content:"/hw.class"; http_uri; content:" Java/1."; http_header; metadata: former_category CURRENT_EVENTS; reference:url,vanheusden.com/httping/; classtype:policy-violation; sid:2016848; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_05_14, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Neutrino EK Posting Plugin-Detect Data May 15 2013"; flow:established,to_server; content:"POST"; nocase; http_method; pcre:"/^\/[a-z][a-z0-9]+$/U"; content:"XMLHttpRequest"; nocase; http_header; fast_pattern:only; pcre:"/^Referer\x3a[^\r\n]+[?&][a-z]+=\d+\r$/Hmi";content:"=%25"; http_client_body; pcre:"/=%25[0-9A-F]{2}%25[0-9A-F]{2}/P"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016853; rev:15; metadata:created_at 2013_05_15, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED W32/Pushdo CnC Server Fake JPEG Response"; flow:established,to_client; file_data; content:"<!--[if IE]"; distance:0; content:"<img src=|22|data|3A|image/jpeg|3B|base64"; distance:0; reference:url,www.damballa.com/downloads/r_pubs/Damballa_mv20_case_study.pdf; classtype:trojan-activity; sid:2016857; rev:2; metadata:created_at 2013_05_15, updated_at 2013_05_15;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Neutrino EK Plugin-Detect 2 May 20 2013"; flow:established,from_server; file_data; content:"encodeURIComponent(xor(JSON.stringify"; fast_pattern:8,20; content:"PluginDetect.getVersion"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016868; rev:13; metadata:created_at 2013_05_20, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED TrojanSpy.KeyLogger Hangover Campaign User-Agent(wininetget/0.1)"; flow:established,to_server; content:"User-Agent|3a| wininetget/"; nocase; http_header; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016889; rev:3; metadata:created_at 2013_05_21, updated_at 2013_05_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED TrojanSpy.KeyLogger Hangover Campaign User-Agent(file)"; flow:established,to_server; content:"User-Agent|3a| file|0d 0a|"; nocase; http_header; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016890; rev:2; metadata:created_at 2013_05_21, updated_at 2013_05_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan.BlackRev Polling for DoS targets"; flow:established,to_server; content:"/gate.php?cmd=urls"; http_uri; fast_pattern:only; pcre:"/\/gate\.php\?cmd=urls$/U"; content:!"Referer|3a 20|"; http_header; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016900; rev:4; metadata:created_at 2013_05_21, updated_at 2013_05_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan.BlackRev Download Executable"; flow:established,to_server; content:"/gate.php?cmd=getexe"; http_uri; fast_pattern:only; pcre:"/\/gate\.php\?cmd=getexe$/U"; content:!"Referer|3a 20|"; http_header; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016901; rev:4; metadata:created_at 2013_05_21, updated_at 2013_05_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED BlackHole EK JNLP request"; flow:established,to_server; content:".php?jnlp="; http_uri; nocase; fast_pattern:only; pcre:"/\.php\?jnlp=[a-f0-9]{10}(,|$)/Ui"; content:" Java/1."; http_header; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016931; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_05_28, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 2"; flow:to_server,established; pcre:"/^\d+?.\x00\x00\x00/"; byte_extract:4,-4,d_size,relative,little; byte_test:4,>,d_size,0,relative,little; content:"|78 9c|"; distance:4; within:2; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:trojan-activity; sid:2016962; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2013_05_31, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole 32-hex/a.php Landing Page/Java exploit URI"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{32}\/a\.php$/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016971; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_06_04, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole 32-hex/a.php Jar Download"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{32}\/a\.php/U"; content:" Java/1"; http_header; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016972; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_06_04, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole 16-hex/a.php Landing Page/Java exploit URI"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{16}\/a\.php$/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016973; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_06_04, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole 16-hex/a.php Jar Download"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{16}\/a\.php/U"; content:" Java/1"; http_header; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016974; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_06_04, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Neutrino EK Landing URI Format"; flow:established,to_server; content:"GET"; http_method; content:"/a"; depth:2; http_uri; pcre:"/^\/a[a-z]{4,13}\?(hash=[a-f0-9]{32}&)?q[a-z]{4,11}=\d{6,7}$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016975; rev:2; metadata:created_at 2013_06_05, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED BlackHole EK Initial Gate from Linked-In Mailing Campaign"; flow:established,to_server; content:"/linkendorse.html"; http_uri; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016984; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_06_05, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal Jun 26 2013"; flow:established,from_server; file_data; content:"mCharCode"; pcre:"/(?P<p>[0-7]{3})(?P<d>[0-7]{3})(?P=p)(?P=d)([0-7]{3}){10}(?P<q>[0-7]{3})[0-7]{3}(?P<dot>[0-7]{3})[0-7]{3}(?P=dot)[0-7]{3}(?P=q)/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017072; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_06_27, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED BlackHole EK Variant Payload Download"; flow:established,to_server; urilen:>48; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[^=]+=(?:3[0-2a-e8-9]|[47][0-2]|2[d-j]|5[2-7]|6[c-e]){5}&[^=]+=(?:3[0-2a-e8-9]|[47][0-2]|2[d-j]|5[2-7]|6[c-e]){10}&/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017076; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_06_28, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Neutrino EK Landing URI Format July 04 2013"; flow:established,to_server; content:"GET"; http_method; content:"/s"; depth:2; http_uri; pcre:"/^\/s[a-z]{4,13}\?(hash=[a-f0-9]{32}&)?d[a-z]{4,11}=\d{6,7}$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017104; rev:3; metadata:created_at 2013_07_05, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Blackhole EK Jar Download URI Struct"; flow:established,to_server; content:"Java/1."; http_header; fast_pattern:only; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,16}[_-][a-z]{2,16}([_-][a-z]{2,16})*?|[a-z]{16,20}\/[a-z]{16,20}|closest\/[a-z0-9]+)\.php\?[A-Za-z0-9\!\(\)\*\-\_]+=[A-Za-z0-9\!\(\)\*\-\_]+&[A-Za-z0-9\!\(\)\*\-\_]+=[A-Za-z0-9\!\(\)\*\-\_]+$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017140; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_07_12, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole EK Plugin-Detect July 12 2013"; flow:established,from_server; file_data; content:"4CMiojbvl2cyVmd71DZwRGc"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017141; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_07_12, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED BlackHole EK Non-standard base64 Key"; flow:established,from_server; file_data; content:"keyStr = |22|"; content:!"|22|"; within:65; content:"|22|"; distance:65; within:1; content:!"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; distance:-66; within:62; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017164; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_07_18, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Neutrino EK Java Payload Download"; flow:established,to_server; content:" Java/1."; http_header; content:"/j"; http_uri; content:"?l"; http_uri; distance:0; pcre:"/\/j[a-z]+?\?l[a-z]+?=[a-z]+$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017179; rev:3; metadata:created_at 2013_07_23, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Neutrino EK Java Payload Download 2"; flow:established,to_server; content:" Java/1."; http_header; content:"/j"; http_uri; pcre:"/\/j[a-z]+?\?l[a-z]+?=[a-z]+$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017180; rev:3; metadata:created_at 2013_07_23, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Reversed Embedded JNLP Observed in Sakura/Blackhole Landing"; flow:established,from_server; file_data; content:"deddebme_plnj"; nocase; fast_pattern:only; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017198; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_07_25, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Fake FedEX/Pony spam campaign URI Struct"; flow:established,to_server; content:".php?label="; http_uri; nocase; fast_pattern:only; pcre:"/\.php\?label=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/Ui"; content:!"dynamicdrive.com"; nocase; http_header; classtype:trojan-activity; sid:2017258; rev:4; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED BlackHole EK Non-standard base64 Key"; flow:established,from_server; file_data; content:"var "; content:" = |22|"; within:10; content:!"|22|"; within:65; content:"|22|"; distance:65; within:1; content:!"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; distance:-66; within:62; content:" & 15) << 4)"; fast_pattern:only; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017265; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_08_01, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Neutrino EK Landing URI Format Sep 30 2013"; flow:established,to_server; content:"GET"; http_method; content:"/k"; depth:2; http_uri; content:"?e"; http_uri; pcre:"/^\/k[a-z]{4,13}\?e[a-z]{4,11}=\d{6,7}$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017266; rev:6; metadata:created_at 2013_08_01, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Neutrino EK Java Exploit Download Sep 30 2013"; flow:established,to_server;  content:"Java/1."; http_header; fast_pattern:only; content:"/j"; http_uri; content:"?f"; http_uri; distance:0; pcre:"/\/j[a-z]+?\?f[a-z]+?=[a-z]+$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017267; rev:5; metadata:created_at 2013_08_01, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Neutrino EK Java Payload Download Sep 30 2013"; flow:established,to_server; content:"Java/1."; http_header; fast_pattern:only; content:"/f"; http_uri; content:"?f"; http_uri; distance:0; pcre:"/\/f[a-z]+?\?f[a-z]+?=[a-z]+$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017268; rev:5; metadata:created_at 2013_08_01, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Exploit Kit Shrift.php Microsoft OpenType Font Exploit Request"; flow:established,to_server; content:"/ngen/shrift.php"; http_uri; metadata: former_category CURRENT_EVENTS; reference:cve,2011-3402; classtype:trojan-activity; sid:2017340; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_08_19, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Microsoft OpenType Font Exploit"; flow:established,to_client; content:"Content-Description|3A| File Transfer"; http_header; content:"Content-Disposition|3A| attachment|3B| filename=font.eot"; http_header; fast_pattern:33,17; metadata: former_category CURRENT_EVENTS; reference:cve,2011-3402; classtype:trojan-activity; sid:2017341; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_08_19, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool obfuscated plugindetect in charcodes w/o sep Jul 10 2013"; flow:established,from_server; file_data; content:"<div>"; content:!"<"; within:1000; pcre:"/^([0-9a-z]{8})?(?P<p>[0-9a-z]{2})(?P<d>(?!(?P=p))[0-9a-z]{2})(?P=p)(?P=d)([0-9a-z]{2}){10}(?P<q>[0-9a-z]{2})[0-9a-z]{2}(?P<dot>[0-9a-z]{2})[0-9a-z]{2}(?P=dot)[0-9a-z]{2}(?P=q)/R"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017346; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_08_20, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PoisonIvy.fishplay Keepalive to CnC"; flow:established,to_server; content:"|77 1b 13 19 a2 d1 8d a1 b5 05 8f fa 3f aa c0 8a|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:trojan-activity; sid:2017361; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2013_08_21, malware_family PoisonIvy, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED CoolEK Landing Aug 29 2013"; flow:established,from_server; file_data; content:".txt?e"; nocase; fast_pattern:only; content:"value"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?(?P<q>[\x22\x27])((?!(?P=q)).)+?\.txt\?e=\d+(&[fh]=\d+)?(?P=q)/Ri"; classtype:trojan-activity; sid:2017396; rev:5; metadata:created_at 2013_08_29, updated_at 2013_08_29;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Apple CoreText Exploit Specific string"; flow:established,from_server; file_data; content:"|D8 B3 D9 85 D9 8E D9 80 D9 8E D9 91 D9 88 D9 8F D9 88 D9 8F D8 AD D8 AE 20 CC B7 CC B4 CC 90 D8 AE 20 CC B7 CC B4 CC 90 D8 AE 20 CC B7 CC B4 CC 90 D8 AE 20 D8 A7 D9 85 D8 A7 D8 B1 D8 AA D9 8A D8 AE 20 CC B7 CC B4 CC 90 D8 AE|"; reference:url,techcrunch.com/2013/08/29/bug-in-apples-coretext-allows-specific-string-of-characters-to-crash-ios-6-os-x-10-8-apps/; classtype:bad-unknown; sid:2017397; rev:1; metadata:created_at 2013_08_29, updated_at 2013_08_29;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Unknown Malware CnC response with exe file"; flow:from_server,established; byte_jump:2,1,little,post_offset -4; isdataat:!1,relative; content:"!This program cannot be run in DOS mode."; reference:url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017414; rev:2; metadata:created_at 2013_09_03, updated_at 2013_09_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Taidoor Checkin"; flow:to_server,established; content:".jsp?"; fast_pattern:only; http_uri; pcre:"/^\/(?:p(?:a(?:rs|g)e|rocess)|(?:securit|quer)y|(?:defaul|abou)t|index|login|user)\.jsp\?[a-z]{2}\x3d[a-z0-9]{9}[A-F0-9]{9}$/Ui"; content:"User-Agent|3a| "; depth:12; http_header; content:!"Referer"; http_header; reference:url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017415; rev:2; metadata:created_at 2013_09_03, updated_at 2013_09_03;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED BlackHole EK Variant PDF Download"; flow:established,from_server; content:".pdf"; fast_pattern:only; nocase; http_header; file_data; content:"%PDF-"; within:100; flowbits:isset,et.BHEK.PDF; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017416; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_09_04, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole hex and wordlist initial landing and exploit path"; flow:established,to_server; urilen:>70; content:".php"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{5,}\/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:trojan-activity; sid:2017452; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_09_11, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED BlackHole EK Payload Download Sep 11 2013"; flow:established,to_server; urilen:>56; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[^=]+=(?:[^&]?(?:3[0-2a-e8-9]|7[x-y6-7\-3]|x[b-e6-9xz]|\-[b-hy-z9]|w[wa-f6-9]|5[2-9a-e]|[47][0-2]|8[a-ez9]|2[d-j]|6[c-e])){5}&[^=]+=(?:[^&]?(?:3[0-2a-e8-9]|7[x-y6-7\-3]|x[b-e6-9xz]|\-[b-hy-z9]|w[wa-f6-9]|5[2-9a-e]|[47][0-2]|8[a-ez9]|2[d-j]|6[c-e])){10}&/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017454; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_09_11, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED BlackHole EK Variant PDF Download Sep 11 2013"; flow:established,to_server; urilen:>56; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[^=]+=(?:[^&](?:5[5-9a-e]|8[9a-e])){5}[^=]+=[^&]+&[^=]+=(?:[^&](?:5[5-9a-f]|8[9a-e])){10}([^&]60[^&]60(?:[^&](?:5[5-9a-f]|8[9a-e])){10})*?&/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017456; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_09_11, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole obfuscated base64 decoder Sep 12 2013"; flow:established,from_server; file_data; content:" & 15) << 4)"; content:" & 3) << (3+3))"; fast_pattern:only; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017461; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_09_13, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED BlackHole initial landing/gate"; flow:established,to_server; content:"/jquery/get.php?ver=jquery.latest.js"; http_uri; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017481; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_09_18, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Neutrino EK Landing URI Format Sep 19 2013"; flow:established,to_server; content:"GET"; http_method; content:"/g"; depth:2; http_uri; content:"?t"; http_uri; distance:0; pcre:"/^\/g[a-z]{4,13}\?(hash=[a-f0-9]{32}&)?t[a-z]{4,11}=\d{6,7}$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017491; rev:4; metadata:created_at 2013_09_19, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Neutrino EK Java Exploit Download Sep 19 2013"; flow:established,to_server; content:"Java/1."; fast_pattern:only; http_header; content:"/r"; http_uri; content:"?j"; http_uri; distance:0; pcre:"/\/r[a-z]+?\?j[a-z]+?=[a-z]+$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017492; rev:2; metadata:created_at 2013_09_19, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Neutrino EK Java Payload Download Sep 19 2013"; flow:established,to_server; content:"Java/1."; fast_pattern:only; http_header; content:"/f"; http_uri; content:"?j"; http_uri; distance:0; pcre:"/\/f[a-z]+?\?j[a-z]+?=[a-z]+$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017493; rev:2; metadata:created_at 2013_09_19, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible JavaFX Click To Run Bypass 1"; flow:established,to_client; file_data; content:"cHJlbG9hZGVyLWNsYXNz"; reference:url,seclists.org/bugtraq/2013/Jul/41; classtype:attempted-user; sid:2017494; rev:1; metadata:created_at 2013_09_19, updated_at 2013_09_19;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible JavaFX Click To Run Bypass 2"; flow:established,to_client; file_data; content:"wcmVsb2FkZXItY2xhc3"; reference:url,seclists.org/bugtraq/2013/Jul/41; classtype:attempted-user; sid:2017495; rev:2; metadata:created_at 2013_09_19, updated_at 2013_09_19;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible JavaFX Click To Run Bypass 3"; flow:established,to_client; file_data; content:"ByZWxvYWRlci1jbGFzc"; reference:url,seclists.org/bugtraq/2013/Jul/41; classtype:attempted-user; sid:2017496; rev:2; metadata:created_at 2013_09_19, updated_at 2013_09_19;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Styx J7u21 click2play bypass"; flow:established,to_server; content:"/jplay.html"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2017508; rev:1; metadata:created_at 2013_09_23, updated_at 2013_09_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/Napolar Checkin"; flow:established,to_server; content:"POST"; http_method; nocase; content:"v="; depth:2; http_client_body; content:"&u="; distance:0; http_client_body; content:"&c="; distance:0; http_client_body; content:"&s={"; distance:0; http_client_body; content:"}&w="; fast_pattern; distance:0; http_client_body; content:"&b="; distance:0; http_client_body; pcre:"/&s=\{[A-Z0-9]{8}-([A-Z0-9]{4}-){3}[A-Z0-9]{12}\}&w=(\d{1,2}\.){2}\d{1,2}&b=(32|64)$/Pi"; reference:url,blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/; reference:url,www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/; reference:md5,2c344add2ee6201f4e2cdf604548408b; classtype:trojan-activity; sid:2017527; rev:2; metadata:created_at 2013_09_26, updated_at 2013_09_26;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED BlackHole EK Variant PDF Download"; flow:established,to_server; urilen:>48; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[^=]+=[^&]{10}&[^=]+=[^&]+&[^=]+=[^&]{20}((?P<sep>[^&]{2})(?P=sep)[^&]{20})*?&/U"; flowbits:set,et.BHEK.PDF; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017556; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_10_04, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Page"; flow:established,from_server; file_data; content:".javaEnabled"; content:"f1=true"; nocase; fast_pattern:only; content:"window."; nocase; pcre:"/^(?P<windname>[a-z0-9]+)(?P<plug1>([sj]|f1))=true.+?window\.(?P=windname)(?P<plug2>(?:(?!(?P=plug1))([sj]|f1)))=true.+?window\.(?P=windname)(?!(?:(?P=plug1)|(?P=plug2)))(?:[sj]|f1)=true/Rsi"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017569; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2013_10_08, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Angler EK Exploit Download"; flow:established,to_server; urilen:15; content:"Java/1."; http_header; content:"/0"; depth:2; http_uri; pcre:"/^\/0[a-z0-9]{13}$/U"; classtype:trojan-activity; sid:2017570; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2013_10_08, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Angler EK Payload Download"; flow:established,to_server; urilen:15; content:"Java/1."; http_header; content:"/1"; depth:2; http_uri; pcre:"/^\/1[a-z0-9]{13}$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017571; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2013_10_08, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Neutrino EK Landing URI Format Oct 15 2013"; flow:established,to_server; content:"GET"; http_method; content:"/o"; depth:2; http_uri; content:"?h"; http_uri; pcre:"/^\/o[a-z]{4,13}\?h[a-z]{4,11}=\d{6,7}$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017593; rev:6; metadata:created_at 2013_10_15, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Neutrino EK Java Exploit Download Oct 15 2013"; flow:established,to_server; content:"Java/1."; http_header; fast_pattern:only; content:"/b"; http_uri; content:"?n"; http_uri; distance:0; pcre:"/\/b[a-z]+?\?n[a-z]+?=[a-z]+$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017594; rev:8; metadata:created_at 2013_10_15, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Neutrino EK Java Payload Download Oct 15 2013"; flow:established,to_server; content:"Java/1."; http_header; fast_pattern:only; content:"/v"; http_uri; content:"?n"; http_uri; distance:0; pcre:"/\/v[a-z]+?\?n[a-z]+?=[a-z]+$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017595; rev:7; metadata:created_at 2013_10_15, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Neutrino EK XORed pluginDetect 1"; flow:established,to_client; file_data; content:"M%01%06%00%18%02%11"; within:19; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017596; rev:2; metadata:created_at 2013_10_15, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Neutrino EK XORed pluginDetect 2"; flow:established,to_client; file_data; content:"_%11%11%16%0A%12%06"; within:19; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017597; rev:2; metadata:created_at 2013_10_15, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED vBulletin Administrator Injection Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/install/upgrade.php"; http_uri; content:"username"; http_client_body; content:"password"; http_client_body; distance:0; content:"confirmpassword"; http_client_body; distance:0; reference:url,blog.imperva.com/2013/10/threat-advisory-a-vbulletin-exploit-administrator-injection.html; classtype:web-application-attack; sid:2017610; rev:1; metadata:created_at 2013_10_17, updated_at 2013_10_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET DELETED Kelihos p2p traffic detected via byte_test - SET"; flow:established,to_server; dsize:100<>2000; pcre:"/^[^OGHPDTCMLUVRBAS]/"; content:!"HTTP/1."; byte_extract:2,2,kelihos.p2p; byte_test:2,=,kelihos.p2p,6; byte_test:2,=,kelihos.p2p,10; byte_test:2,=,kelihos.p2p,14; byte_test:2,=,kelihos.p2p,18; byte_test:2,=,kelihos.p2p,22; byte_test:2,!=,kelihos.p2p,0; byte_test:2,!=,kelihos.p2p,4; byte_test:2,!=,kelihos.p2p,8; byte_test:2,!=,kelihos.p2p,25; flowbits:set,ET.Kelihos-P2P; flowbits:noalert; classtype:trojan-activity; sid:2017612; rev:5; metadata:created_at 2013_10_17, updated_at 2013_10_17;)

#alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET DELETED Kelihos p2p traffic detected via byte_test CnC Response"; flow:established,from_server; flowbits:isset,ET.Kelihos-P2P; byte_extract:2,2,kelihos.p2p; byte_test:2,=,kelihos.p2p,6; byte_test:2,=,kelihos.p2p,10; byte_test:2,=,kelihos.p2p,14; byte_test:2,=,kelihos.p2p,18; byte_test:2,=,kelihos.p2p,22; byte_test:2,!=,kelihos.p2p,0; byte_test:2,!=,kelihos.p2p,4; byte_test:2,!=,kelihos.p2p,8; byte_test:2,!=,kelihos.p2p,25; classtype:trojan-activity; sid:2017614; rev:2; metadata:created_at 2013_10_18, updated_at 2013_10_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|7c 68 a3 34 36|"; within:5; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017630; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2013_10_23, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET DELETED Possible Neutrino EK Landing URI Format Nov 1 2013"; flow:established,to_server; urilen:18<>37; content:"GET"; http_method; content:"?"; http_uri; offset:6; depth:11; content:"="; http_uri; distance:5; within:8; pcre:"/^\/[a-z]{5,14}\?[a-z]{5,12}=\d{6,7}$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017652; rev:7; metadata:created_at 2013_11_01, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Neutrino EK Java Exploit/Payload Download Nov 1 2013"; flow:established,to_server; content:"Java/1."; http_header; pcre:"/^\/[a-z]{5,14}\?[a-z]{5,12}=[a-z]{6,11}$/U"; metadata: former_category CURRENT_EVENTS; reference:url,pastebin.com/194D8UuK; classtype:trojan-activity; sid:2017653; rev:12; metadata:created_at 2013_11_01, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/Badur.Spy User Agent HWMPro"; flow:established,to_server; content:"User-Agent|3A| HWMPro|0D 0A|"; http_header; reference:md5,234c47b5b29a2cfcc00900bbc13ea181; classtype:trojan-activity; sid:2017654; rev:2; metadata:created_at 2013_11_01, updated_at 2013_11_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Trojan Secondary Download"; flow:established,to_server; content:"/calc.exe"; http_uri; fast_pattern; content:"Accept-Language|3a 20|zh-cn|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|"; http_header; reference:md5,3a2c3b422a7ec78f88a939d20ed07615; classtype:trojan-activity; sid:2017658; rev:5; metadata:created_at 2013_11_04, updated_at 2013_11_04;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Trojan Download"; flow:established,to_server; content:"/taskmgr.exe"; http_uri; fast_pattern; content:"Accept-Language|3a 20|zh-cn|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|"; http_header; reference:md5,3a2c3b422a7ec78f88a939d20ed07615; classtype:trojan-activity; sid:2017659; rev:5; metadata:created_at 2013_11_04, updated_at 2013_11_04;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Redirect to Neutrino EK goi.php Nov 4 2013"; flow:established,to_server; urilen:8; content:"/goi.php"; http_uri; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017661; rev:2; metadata:created_at 2013_11_04, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SUSPICIOUS lgfxsrvc.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/lgfxsrvc.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/lgfxsrvc\.exe$/Ui"; classtype:trojan-activity; sid:2017678; rev:2; metadata:created_at 2013_11_06, updated_at 2013_11_06;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Angler EK Flash Exploit"; flow:established,to_server; urilen:15; content:"/0"; depth:2; http_uri; pcre:"/^GET \/0(?P<baseuri>[a-z0-9]{10})[a-z0-9]{3} HTTP\/1\.[01]\r\n.*?Referer\x3a http\x3a\/\/[^\/]+?\/(?P=baseuri)\r\n/s"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017695; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2013_11_08, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Angler EK Possible Flash/IE Payload"; flow:established,to_server; urilen:15; content:"/1"; depth:2; http_uri; pcre:"/^\/1[a-z0-9]{13}$/U"; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"|0d 0a 0d 0a|"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017703; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2013_11_11, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Angler EK SilverLight Exploit"; flow:established,to_server; urilen:15; content:"/0"; depth:2; http_uri; fast_pattern; pcre:"/^\/0[a-z0-9]{13}$/U"; content:!"Referer|3a|"; http_header; content:"User-Agent|3a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2017715; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2013_11_13, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET DELETED Win32/Tesch.A Checkin"; flow:to_server,established; dsize:<100; content:"|01 00 30 01 01 00|"; fast_pattern; depth:6; content:!"|00|"; distance:3; within:1; content:"|00|"; distance:4; within:1; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/R"; reference:md5,f2e5900061c5ac470fa005580681be94; reference:md5,872763d48730506af7eee0bf22c2f47b; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3AWin32%2FTesch.A; classtype:trojan-activity; sid:2018611; rev:5; metadata:created_at 2013_11_14, updated_at 2013_11_14;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Nov 18 2013"; flow:established,from_server; file_data; content:"<title>";  content:"soft apple.";  fast_pattern; distance:0; content:"</title>"; distance:0;  content:"AgControl.AgControl"; nocase; content:"Math.floor"; nocase; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017729; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2013_11_19, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible Styx/Angler EK SilverLight Exploit"; flow:established,from_server; file_data; content:"PK"; within:2; content:"ababbss.dll"; fast_pattern; content:"AppManifest.xaml"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017732; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2013_11_19, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Upatre Downloader SSL certificate"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; pcre:"/^.{2}(?P<fake_email>([asdfgh]+|[qwerty]+|[zxcvbn]+)\@([asdfgh]+|[qwerty]+|[zxcvbn]+)\.).+?\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01.{2}(?P=fake_email)/Rs"; classtype:trojan-activity; sid:2017733; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2013_11_19, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HiMan EK - Payload Requested"; flow:established,to_server; content:".php?e="; http_uri; content:"&ver="; http_uri; distance:0; classtype:trojan-activity; sid:2017793; rev:3; metadata:created_at 2013_12_04, updated_at 2013_12_04;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED HiMan EK - Payload Downloaded - EXE in ZIP Downloaded by Java"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:".exe"; fast_pattern; nocase; classtype:trojan-activity; sid:2017795; rev:1; metadata:created_at 2013_12_04, updated_at 2013_12_04;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK XOR'd Payload"; flow:from_server,established; file_data; content:"|7c 68 a3 34 36 36 37 38|"; within:8; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017809; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2013_12_06, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Safe/CritX/FlashPack URI with Windows Plugin-Detect Data"; flow:established,to_server; content:"/pd.php?id="; http_uri; fast_pattern:only; pcre:"/\/pd\.php\?id=[a-f0-9]+$/U"; classtype:trojan-activity; sid:2017812; rev:5; metadata:created_at 2013_12_06, updated_at 2016_08_05;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Neutrino EK Landing Page Dec 09 2013"; flow:from_server,established; file_data; content:".charCodeAt("; fast_pattern; pcre:"/^[^\)]+\)[\r\n\s]*?\^[\r\n\s]*?[\w\.\_\-]*?\.charCodeAt\([^\)]+\)[\r\n\s]*?\,/Rsi"; content:"Math.floor"; content:"$(document).ready"; content:"decodeURIComponent"; pcre:"/^[\r\n\s]*?\,/Rsi"; content:"+= |22 22|"; content:"+= |22 22|"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017824; rev:2; metadata:created_at 2013_12_09, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Zbot Activity Common Download Struct"; flow:to_server,established; content:".bin"; fast_pattern; http_uri; pcre:"/\.bin$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"User-Agent|3a 20|"; http_header; depth:12; content:" MSIE "; http_header; pcre:"/^User-Agent\x3a[^\r\n]*?\sMSIE\s/H"; classtype:trojan-activity; sid:2017837; rev:2; metadata:created_at 2013_12_11, updated_at 2013_12_11;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Styx Exploit Kit - HTML"; flow:to_server,established; urilen:>300; content:".htm"; fast_pattern:only; http_uri; pcre:"/^\/[a-zA-Z0-9_\x2f-]{300,}\.html?$/U"; content:"/"; http_uri; offset:1; content:"_"; http_uri; offset:1; content:"-"; offset:1; http_uri; classtype:trojan-activity; sid:2017841; rev:2; metadata:created_at 2013_12_11, updated_at 2013_12_11;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SPL2 PluginDetect Data Hash"; flow:to_server,established; content:".html?id"; http_uri; fast_pattern:only; pcre:"/\.html\?id\d*?=[a-f0-9]{32}$/U"; pcre:"/^GET\s[^\r\n]*?(?P<name>\/[^\.\/]+\.html)\?id\d*?=[a-f0-9]{32}\sHTTP\/1\..+?\r\nReferer\x3a\x20[^\r\n]*?(?P=name)(:?\d{1,5})?\r\n/s"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017850; rev:2; metadata:created_at 2013_12_13, updated_at 2017_09_20;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/Ferret DDOS Bot CnC Beacon"; flow:established,to_server; urilen:14; content:"POST"; http_method; content:"/hor/input.php"; http_uri; content:"User-Agent|3a 20|Mozilla Gecko Firefox 25|0d 0a|"; fast_pattern:12,24; http_header; content:"m="; http_client_body; depth:2; content:"&h="; http_client_body; within:50; reference:md5,c49e3411294521d63c7cc28e08cf8a77; reference:url,www.arbornetworks.com/asert/2013/12/a-business-of-ferrets/; classtype:trojan-activity; sid:2017883; rev:1; metadata:created_at 2013_12_18, updated_at 2013_12_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Angler EK Flash Exploit Dec 24 2013"; flow:established,to_server; urilen:15; content:"/4"; depth:2; http_uri; pcre:"/^GET \/4(?P<baseuri>[a-z0-9]{10})[a-z0-9]{3} HTTP\/1\.[01]\r\n.*?Referer\x3a http\x3a\/\/[^\/]+?\/(?P=baseuri)\r\n/s"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017901; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2013_12_24, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Angler EK Possible Flash/IE Payload Dec 24 2013"; flow:established,to_server; urilen:15; content:"/3"; depth:2; http_uri; pcre:"/^\/3[a-z0-9]{13}$/U"; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"|0d 0a 0d 0a|"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017902; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2013_12_24, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Angler EK Flash Exploit Dec 26 2013"; flow:established,to_server; content:"/4"; depth:2; http_uri; content:"?&xkey="; http_uri; content:"&exec=aHR0cDov"; http_uri; pcre:"/\/4[a-z0-9]{13}\?&xkey=/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017904; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2013_12_26, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Styx Kein Landing URI Struct"; flow:to_server,established; content:"/?"; depth:2; http_uri; fast_pattern; pcre:"/^\/\?[^=&\?]{4,}=[^&]{20,}$/U"; content:"Host|3a 20|www"; http_header; content:!"."; within:1; http_header; pcre:"/^Host\x3a\x20www\d+?\.[^\.]+?\.[^\.]+?\.([^\.]+\.)*?[a-z]{2,4}(?:\x3a\d{1,5})?\r$/Hmi"; classtype:trojan-activity; sid:2017947; rev:3; metadata:created_at 2014_01_08, updated_at 2014_01_08;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Jan 10 2014"; flow:established,to_client; file_data; content:"window.GetKey"; nocase; fast_pattern; content:"window.GetUrl"; nocase; content:"aHR0cDov"; distance:0; content:"#default#VML"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017953; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2014_01_10, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Jan 10 2014 1"; flow:established,to_client; file_data; content:"ODAvM"; fast_pattern:only; content:".GetUrl"; nocase; content:"aHR0cDo"; pcre:"/^[a-zA-Z0-9\/\+]+?ODAvM[a-zA-Z0-9\/\+]{18}(?:=|%3D)[\x22\x27]/R"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017954; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2014_01_10, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Jan 10 2014 2"; flow:established,to_client; file_data; content:"4MC8x"; fast_pattern:only; content:".GetUrl"; nocase; content:"aHR0cDo"; pcre:"/^[a-zA-Z0-9\/\+]+?4MC8x[a-zA-Z0-9\/\+]{18}(?:=|%3D){2}[\x22\x27]/R"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017955; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2014_01_10, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Jan 10 2014 3"; flow:established,to_client; file_data; content:"OjgwL"; fast_pattern:only; content:".GetUrl"; nocase; content:"aHR0cDo"; pcre:"/^[a-zA-Z0-9\/\+]+?OjgwL[a-zA-Z0-9\/\+]{19}[\x22\x27]/R"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017956; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2014_01_10, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET 8000 -> $HOME_NET any (msg:"ET DELETED Possible Neutrino EK SilverLight Exploit Jan 11 2014"; flow:established,from_server; file_data; content:"AppManifest.xaml"; content:"dig.dll"; nocase; fast_pattern:only; pcre:"/\bdig\.dll\b/"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017958; rev:2; metadata:created_at 2014_01_11, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED PE EXE or DLL Windows file download disguised as ASCII - SET"; flow:established; content:"|34 44 35 41|"; byte_jump:8,116,relative,multiplier 2,little,string; isdataat:1,relative; flowbits:set,ET.http.binary.ASCII; flowbits:noalert; classtype:trojan-activity; sid:2017961; rev:5; metadata:created_at 2014_01_13, updated_at 2014_01_13;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET DELETED Possible Neutrino EK IE/Silverlight Payload Download"; flow:established,to_server; content:"WinHttp.WinHttpRequest."; http_header; pcre:"/^\/[a-z]+?\?[a-z]+?=[a-z]+$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017971; rev:9; metadata:created_at 2014_01_15, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible AnglerEK Java Exploit/Payload Structure Jan 16 2014"; flow:established,to_server; urilen:49; content:" Java/1."; http_header; pcre:"/^\/[a-z0-9_\-]{48}$/Ui"; classtype:trojan-activity; sid:2017976; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2014_01_16, malware_family Angler, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (1) Jan 17 2013"; flow:established,to_client; file_data; content:"|2c 36 f4 6f 6d 6a 66 67|"; within:8; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017984; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2014_01_17, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (2) Jan 17 2013"; flow:established,to_client; file_data; content:"|2c 3e f2 32 30 34 6e 68|"; within:8; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017985; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2014_01_17, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (3) Jan 17 2013"; flow:established,to_client; file_data; content:"|7d 6b f8 64 76 74 6e 66|"; within:8; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017986; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2014_01_17, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (4)"; flow:established,to_client; file_data; content:"|21 3b e3 70 65 6e 66 64|"; within:8; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017989; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2014_01_20, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible IE/SilverLight GoonEK Payload Download"; flow:to_server,established; content:".mp3?rnd="; fast_pattern:only; http_uri; pcre:"/\/\d+\.mp3\x3frnd\x3d\d+$/U"; classtype:trojan-activity; sid:2017998; rev:8; metadata:created_at 2014_01_22, updated_at 2017_01_11;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Browlock Hostname Format US"; flow:established,to_server; content:"Host|3a 20|fbi.gov."; http_header; fast_pattern:only; classtype:trojan-activity; sid:2018006; rev:2; metadata:created_at 2014_01_22, updated_at 2014_01_22;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SUSPICIOUS HTTP Request to .bit domain"; flow:to_server,established; content:".bit"; fast_pattern; nocase; http_header; pcre:"/^Host\x3a[^\r\n]+\.bit(?:\x3a\d{1,5})?\r$/Hmi"; reference:url,normanshark.com/blog/necurs-cc-domains-non-censorable/; reference:md5,243dda18666ae2a64685e51d82c5ad69; classtype:bad-unknown; sid:2018009; rev:3; metadata:created_at 2014_01_24, updated_at 2014_01_24;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.WinSpy.pob Sending Data over SMTP 2"; flow:to_server,established; content:"Subject|3a 20|LOG|20|FILE|20 20|Current User|3a|"; reference:md5,d95845c510ec1f5ad38cb9ccab16c38b; classtype:trojan-activity; sid:2018020; rev:3; metadata:created_at 2014_01_27, updated_at 2014_01_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/Azbreg.Backdoor CnC Beacon"; flow:established,to_server; urilen:17; content:"/instant_messages"; http_uri; content:"sid="; http_cookie; content:"locale="; http_cookie; distance:0; content:"name="; http_cookie; distance:0; content:"password="; http_cookie; content:"uid="; http_cookie; distance:0; reference:md5,4b435a3f43d0e7ffa71453cf18804b70; classtype:trojan-activity; sid:2018151; rev:1; metadata:created_at 2014_02_17, updated_at 2014_02_17;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Page Feb 24 2014"; flow:from_server,established; file_data; content:"AgControl.AgControl"; nocase; fast_pattern:only; content:"parseInt"; nocase; content:"32"; pcre:"/^\W/R"; content:"63"; nocase; within:100; pcre:"/^\W/R"; content:"if"; distance:-200; within:200; nocase; pcre:"/^(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?\((?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?(?P<vname>[^\s>=]+)(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?<(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?32\b.{0,200}(?P=vname)(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?\x3d(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?63\b.{1,200}\+=.{0,200}\((?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?(?P=vname)/Rsi"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2018171; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2014_02_24, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Android FakeInst.BX checkin"; flow:to_server; content:".html?c="; http_uri; content:"&o="; http_uri; distance:2; within:3; content:"&n="; http_uri; distance:0; content:"&pid="; http_uri; distance:10; within:10; content:"Apache-HttpClient"; http_header; reference:md5,b2397ddc90e57f2d0eb6b0d3b8bb63f8; classtype:trojan-activity; sid:2018180; rev:4; metadata:created_at 2014_02_26, updated_at 2014_02_26;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Havex Rat Check-in URI Struct"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a 20|"; content:".php?id"; http_uri; content:"&v1="; http_uri; content:"&v2="; http_uri; content:"&q="; http_uri; pcre:"/\.php\?id=[A-F0-9]+\-[A-F0-9]+&v1=[A-F0-9]+&v2=[A-F0-9]+&q=[A-F0-9]+$/U"; reference:md5,6557d6518c3f6bcb8b1b2de77165c962; classtype:trojan-activity; sid:2018251; rev:1; metadata:created_at 2014_03_11, updated_at 2014_03_11;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED JCE Joomla Extension User-Agent (BOT)"; flow:to_server,established; content:"User-Agent|3a| BOT/0.1 (BOT for JCE)|0d 0a|"; http_header; reference:url,exploit-db.com/exploits/17734/; reference:url,blog.spiderlabs.com/2014/03/honeypot-alert-jce-joomla-extension-attacks.html; classtype:attempted-recon; sid:2018327; rev:2; metadata:created_at 2014_03_26, updated_at 2014_03_26;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Win32/Kryptik.AZER C2 SSL Stolen Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|junrio.com"; distance:1; within:11; reference:md5,b27e0561283697c1fb1a973c37b52265; classtype:trojan-activity; sid:2018328; rev:2; metadata:created_at 2014_03_26, updated_at 2014_03_26;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing Apr 01 2014"; flow:established,to_client; file_data; content:"|3a|stroke id="; content:"|3a|oval>"; content:"(function"; pcre:"/^\s*?\(\s*?\)\s*?{\s*?return\s*?(?:[^\s]+\(\s*?)?[\x22\x27][a-f0-9]{10}/Rs"; content:"(function"; distance:0; pcre:"/^\s*?\(\s*?\)\s*?{\s*?return\s*?(?:[^\s]+\(\s*?)?[\x22\x27][a-f0-9]{10}/Rs"; content:"/*"; pcre:"/^[a-zA-Z0-9]+\*\//R"; content:"/*"; distance:0; pcre:"/^[a-zA-Z0-9]+\*\//R"; content:"/*"; distance:0; pcre:"/^[a-zA-Z0-9]+\*\//R"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2018346; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag DriveBy, tag Exploit_Kit, signature_severity Major, created_at 2014_04_01, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Apr 14 2014"; flow:established,from_server; file_data; content:"Cjw/eG1sIHZlcnNpb249"; content:"^="; content:"eval"; pcre:"/^\W/R"; content:"/*"; pcre:"/[a-z0-9]+?\*\//Ri"; content:"/*"; distance:0; pcre:"/[a-z0-9]+?\*\//Ri"; content:"/*"; distance:0; pcre:"/[a-z0-9]+?\*\//Ri"; pcre:"/[a-z0-9]+?\*\//Ri"; content:"/*"; distance:0; pcre:"/[a-z0-9]+?\*\//Ri"; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2018387; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2014_04_14, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/Tepfer.InfoStealer CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/scan.php"; fast_pattern:only; http_uri; content:!"Referer|3A|"; http_header; content:"="; http_client_body; depth:10; reference:md5,6e715fe727f927bc76e923d2e524d1e3; classtype:trojan-activity; sid:2018415; rev:2; metadata:created_at 2014_04_23, updated_at 2016_12_06;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/MadnessPro.DDOSBot CnC Beacon"; flow:established,to_server; content:"/?uid="; http_uri; content:"&ver="; http_uri; content:"&mk="; http_uri; content:"&os="; http_uri; content:"&rs="; http_uri; content:"&c="; http_uri; content:"&rq="; http_uri; reference:url,blog.cylance.com/a-study-in-bots-madness-pro; classtype:trojan-activity; sid:2018424; rev:3; metadata:created_at 2014_04_28, updated_at 2014_04_28;)

#alert tcp any any -> any 443 (msg:"ET DELETED Potential Selfint C2 traffic (from client)"; flow: from_client,established; content:"PuTTY-Local|3a| Feb 5 2013 18|3a|27|3a|27"; classtype:trojan-activity; sid:2018450; rev:7; metadata:created_at 2014_05_05, updated_at 2014_05_05;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/Alina.POS-Trojan CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:20; content:"/insidee/loading.php"; fast_pattern:only; http_uri; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| InfoPath.1 Spark v1.1|0D 0A|"; http_header; reference:url,pages.arbornetworks.com/rs/arbor/images/Uncovering_PoS_Malware.pdf; classtype:trojan-activity; sid:2018473; rev:1; metadata:created_at 2014_05_14, updated_at 2014_05_14;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET DELETED TROJAN Downloader.Win32.Tesch.A Client CnC Checkin"; flow:established,to_server; content:"|01 00 30 01 01 00|"; fast_pattern; depth:6; content:"|00|"; distance:4; within:1; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/R"; reference:md5,86b5491831522f3c7bdcdacb17417514; reference:md5,2bebb36872b4829f553326e102d014ed; classtype:trojan-activity; sid:2018476; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2014_05_15, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Angler EK SilverLight Payload Request - May 2014"; flow:established,to_server; urilen:72<>78; content:!"/aHR0c"; depth:6; http_uri; content:!"/Uk0v"; depth:5; http_uri; content:"="; http_uri; offset:71; depth:6; pcre:"/^\/[-a-zA-Z0-9_]{70,75}==?$/U"; reference:url,blogs.cisco.com/security/angling-for-silverlight-exploits/; classtype:trojan-activity; sid:2018497; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2014_05_23, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible Styx/Angler EK SilverLight Exploit 2"; flow:established,from_server; file_data; content:"PK"; within:2; content:"fotosaster.dll"; fast_pattern; content:"AppManifest.xaml"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2018498; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2014_05_23, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED food.com compromise hostile JavaScript gate"; flow:established,to_server; content:".html?0."; http_uri; fast_pattern:only; pcre:"/\/[a-z]{1,6}\.html\?0\.[0-9]+[a-z]?$/U"; classtype:trojan-activity; sid:2018505; rev:5; metadata:created_at 2014_05_28, updated_at 2014_05_28;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (5)"; flow:established,to_client; file_data; content:"|3a 0e a6 51 77 79 53 59|"; within:8; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2018509; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2014_05_30, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (6)"; flow:established,to_client; file_data; content:"|2c 3e c2 32 61 34 6e 68|"; within:8; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2018510; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2014_05_30, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (7)"; flow:established,to_client; file_data; content:"|0b 28 ff 53 4b 75 39 68|"; within:8; flowbits:set,et.exploitkitlanding; metadata: former_category TROJAN; classtype:trojan-activity; sid:2018511; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2014_05_30, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible ASPROX Download URI Struct June 19 2014"; flow:established, to_server; content:"GET"; http_method; content:".php?"; http_uri; fast_pattern:only; content:!"=aHR0cD"; http_uri; content:"User-Agent|3a|"; http_header; content:!"|0d 0a|Referer|3a|"; http_header; pcre:"/\/[a-z]{2,9}\.php\?(?:[a-z0-9]{2,4}|[cktw])=[a-zA-Z0-9\x2b\x2f\x5c]{43,56}=?$/U"; classtype:trojan-activity; sid:2018589; rev:5; metadata:created_at 2014_06_20, updated_at 2014_06_20;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Dyreza RAT Checkin Response 2"; flow:established,to_client; dsize:3; content:"/1/"; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/; classtype:trojan-activity; sid:2018597; rev:2; metadata:created_at 2014_06_23, updated_at 2014_06_23;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|04|svr2"; distance:1; within:5; reference:md5,87223f535afd8b11dd79c6f39fc059d9; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018600; rev:10; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_06_24, updated_at 2016_07_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Enfal.F Checkin via HTTP Post 7"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/Owpp4.cgi"; fast_pattern:only; http_uri; content:!"User-Agent|3a|"; content:!"Referer|3a 20|"; pcre:"/^[^\r\n]{15}\x5f[^\r\n]{2}\x2d[^\r\n]{2}\x2d[^\r\n]{2}\x2d[^\r\n]{2}\x2d[^\r\n]{2}/m"; reference:url,blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2; classtype:trojan-activity; sid:2018665; rev:3; metadata:created_at 2014_07_11, updated_at 2014_07_11;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET DELETED LibSSH2 Based SSH Connection - Often used as a BruteForce Tool"; flow:established,to_server; content:"SSH-"; content:"libssh2"; within:20; threshold: type limit, track by_src, count 1, seconds 30; classtype:misc-activity; sid:2018689; rev:1; metadata:created_at 2014_07_17, updated_at 2014_07_17;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (CryptoWall C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|20|kpai7ycr7jxqkilp.torexplorer.com"; distance:1; within:33; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018693; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|1b|corporati-sdfs222222you.com"; distance:1; within:28; fast_pattern:8,20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018694; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|evergreen.kiev.ua"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018695; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|kilomenter.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018697; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|21|worldwidetrading-compaanny2you.su"; distance:1; within:34; fast_pattern:9,20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018698; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|17|delfi-fro-youindigo.net"; distance:1; within:24; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018699; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Malware C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|jpyjcy0qmd.gov"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018700; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|riffpedia.net"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018701; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|slksecurity.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018702; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|billing-service.ru"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018704; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|ckytiqfles.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018705; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|web-names1.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018706; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|09|server265"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018707; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|statistic4he2om.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018708; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|17|delfi-fro-youindigo.com"; distance:1; within:24; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018711; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|secureonesee.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018712; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|bitcoin-send.ru"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018714; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (ZeuS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|06|lzx.su"; distance:1; within:7; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018715; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|07|server8"; distance:1; within:8; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018716; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (CryptoWall C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|1c|kpai7ycr7jxqkilp.tor2www.com"; distance:1; within:29; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018717; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Shylock C2)"; flow:established,from_server; content:"|55 04 0a|"; content:"|10|Internet Banking"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018720; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|futuredynamicteam.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018721; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|security256.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018722; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|sec-picture.net"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018723; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|1d|planet2wideg2yandex-corti.com"; distance:1; within:30; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018724; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|kin.pgsox.cc"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018725; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|bitcoin-beta.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018726; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|invoice-maker.ru"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018727; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|poppperdropper.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018728; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www.total4me.org"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018729; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|06|0bg.ru"; distance:1; within:7; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018730; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|greengarden1.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018731; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|07|server9"; distance:1; within:8; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018732; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|fileprofes.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018733; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|gorms4tu.be"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018734; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|pistofon.ru"; distance:1; within:12; content:"|13|someone@pistofon.ru"; fast_pattern:only; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018746; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_21, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|trustasia.asia"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018747; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_21, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|do.tntcentral.mobi"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018760; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_23, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible CryptoWall encrypted download"; flow:to_client,established; file_data; byte_test:1,<,12,0; content:"|00 00 00|"; distance:1; within:3; byte_test:1,<,127,0,relative; byte_test:1,>,48,0,relative; byte_jump:1,0,from_beginning,post_offset 5; byte_test:1,=,0,0,relative; pcre:"/^[\x00-\x0c]\x00\x00\x00[a-z0-9]{6,12}\x00/s"; classtype:trojan-activity; sid:2018788; rev:2; metadata:created_at 2014_07_28, updated_at 2014_07_28;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (ZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|daznukhurebkolsek.net"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018807; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_30, updated_at 2016_07_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DYNAMIC_DNS HTTP Request to *.passinggas.net Domain (Sitelutions)"; flow:established,to_server; content:".passinggas.net"; nocase; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.passinggas\.net(?:\x3a\d{1,5})?\r?$/Hmi"; classtype:bad-unknown; sid:2018847; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DYNAMIC_DNS Query to *.passinggas.net Domain (Sitelutions)"; content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; content:"|0a|passinggas|03|net|00|"; nocase; fast_pattern:only; classtype:bad-unknown; sid:2018848; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|nagchampa.in"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018851; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_30, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Dyre SSL Self-Signed Cert Aug 06 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|94.23.236.54"; distance:1; within:13; reference:md5,384a3c3a250341aa7f7c6aba11467afb; classtype:trojan-activity; sid:2018903; rev:2; metadata:created_at 2014_08_06, updated_at 2014_08_06;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|msvsprot.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018910; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_08_07, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|local.domain"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018911; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_08_08, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|expert-256bitssl.com"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018913; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_08_08, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"|19|siefrra1967ga@outlook.com"; distance:1; within:26; reference:url,sslbl.abuse.ch; reference:md5,7832ac3ad8275695b8051ab70432e161; classtype:trojan-activity; sid:2018917; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_08_11, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Trojan-Spy.Win32.HavexSysinfo Response"; flow:from_server,established; file_data; content:"<!--havexhavex-->"; fast_pattern:only; reference:url,securelist.com/blog/research/65240/energetic-bear-more-like-a-crouching-yeti/; reference:md5,bdd1d473a56607ec366bb2e3af5aedea; reference:url,802bba9d078a09530189e95e459adcdf; classtype:trojan-activity; sid:2018921; rev:1; metadata:created_at 2014_08_11, updated_at 2014_08_11;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Archie.EK IE Exploit URI Struct"; flow:to_server,established; content:"GET|20|"; depth:4; content:"/ie7.html"; distance:0; content:"|20|HTTP/1."; distance:0; classtype:trojan-activity; sid:2018932; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_08_13, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Archie.EK IE CVE-2013-2551 Payload Struct"; flow:to_server,established; content:"GET /dd HTTP/1."; depth:15; content:!"Referer|3a|"; distance:0; content:" MSIE "; distance:0; classtype:trojan-activity; sid:2018934; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2014_08_13, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 ff 7f 8a 27 bf 5c f4 53|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018937; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_08_14, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre C2)"; flow:established,from_server; content:"|55 04 07|"; content:"|05|miami"; distance:1; within:6; content:"|55 04 03|"; distance:0; content:"|0c|94.23.236.54"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018940; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_08_14, updated_at 2016_07_27;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing Aug 16 2014"; flow:established,to_client; content:"0|22 29 3b 0a 0d 0a|</script>"; pcre:"/^\s*?<script>\s*?(?P<func>[A-Za-z0-9]+)\s*?\(\s*?[\x22\x27](?P<var>[^1\x22\x27]+)1[\x22\x27]\s*?\)\x3b\s*?<\/script>\s*?<script>\s*?(?P=func)\s*?\(\s*?[\x22\x27](?P=var)2[\x22\x27]\s*?\)\x3b\s*?<\/script>\s*?<script>\s*?(?P=func)\s*?\(\s*?[\x22\x27](?P=var)3[\x22\x27]\s*?\)\x3b\s*?<\/script>\s*?<script>/Rsi"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2018950; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag DriveBy, tag Exploit_Kit, signature_severity Major, created_at 2014_08_18, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK Encoded Shellcode IE"; flow:established,from_server; file_data; content:"|f1 f4 c2 a2 8b 34 6e 68|"; within:8; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2018954; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2014_08_19, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK Encoded Shellcode Silverlight"; flow:established,from_server; file_data; content:"|f1 fc f4 ff 87 6a 66 67|"; within:8; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2018955; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2014_08_19, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK Encoded Shellcode Flash"; flow:established,from_server; file_data; content:"|e7 c4 a6 c1 9d 79 53 59|"; within:8; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2018956; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2014_08_19, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK Encoded Shellcode Java"; flow:established,from_server; file_data; content:"|d6 e2 ff c3 a1 75 39 68|"; within:8; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2018957; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2014_08_19, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Upatre SSL Cert venturesonsite.com"; flow:established,from_server; content:"|55 04 03|"; content:"|12|venturesonsite.com"; distance:1; within:19; reference:md5,ef88df67a0bcb872143543ebad0ba91d; classtype:trojan-activity; sid:2019077; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_08_27, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp any any -> any any (msg:"ET DELETED njrat ver 0.7d Malware CnC Callback"; flow:from_client,established; content:"|00|ll|7C 27 7C 27 7C|"; fast_pattern; content:"0.7d"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:2019223; rev:1; metadata:created_at 2014_09_23, updated_at 2014_09_23;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Apr 01 2014"; flow:established,to_client; content:"Expires|3a| Sat, 26 Jul 1997 05|3a|00|3a|00 GMT|0d 0a|Last-Modified|3a| Sat, 26 Jul 2040 05|3a|00|3a|00 GMT|0d 0a|"; fast_pattern:55,20; http_header; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2019224; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag DriveBy, tag Exploit_Kit, signature_severity Major, created_at 2014_09_23, malware_family Angler, updated_at 2018_06_18;)

#alert udp any 67 -> any 68 (msg:"ET DELETED Possible CVE-2014-6271 exploit attempt via malicious DHCP ACK - option 67"; content:"|02 01|"; depth:2; content:"|43|"; distance:238; content:"|28 29 20 7b 20|"; distance:1; within:10; reference:url,access.redhat.com/articles/1200223; reference:cve,2014-6271; classtype:attempted-admin; sid:2019238; rev:2; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Dyre SSL Cert Sept 26 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 cb f9 86 23 19 20 43 f0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,c32f1e7d9d6f88c4d2468fe205f4abfc; classtype:trojan-activity; sid:2019274; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_26, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Flashpack Redirect Method 3"; flow:established,to_server; content:"POST"; http_method; content:!"/gateway.php"; http_uri; content:"gate"; http_uri; fast_pattern:only; content:".php"; http_uri; content:".swf"; http_header; pcre:"/^Referer\x3a[^\r\n]+\.swf/Hmi"; classtype:trojan-activity; sid:2019325; rev:8; metadata:created_at 2014_09_30, updated_at 2014_09_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 10000: (msg:"ET DELETED Possible Sweet Orange Secondary Landing"; flow:established,to_server; content:"GET "; depth:4; pcre:"/(?:\/[a-z-]+)+\.php\?[a-z]+=[0-9]+[^\r\n]+HTTP\/1\.1/R"; content:"3 HTTP/1.1"; fast_pattern:only; classtype:trojan-activity; sid:2019351; rev:3; metadata:created_at 2014_10_03, updated_at 2014_10_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/SpyClicker.ClickFraud Click CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/click?sid="; http_uri; depth:11; content:"&cid="; http_uri; distance:0; pcre:"/&cid=\d+$/U"; reference:url,stopmalvertising.com/malware-reports/anatomy-of-a-net-click-fraud-bot.html; reference:md5,17b077840ab874a8370c98c840b6c671; classtype:trojan-activity; sid:2019356; rev:2; metadata:created_at 2014_10_06, updated_at 2014_10_06;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 42"; flow:to_server,established; dsize:>11; content:"|7c 01|"; offset:9; depth:2; byte_jump:4,-6,relative,little,from_beginning, post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]{5}.{4}\x7c\x01/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,6a6ef7b4c7e8300a73b206e32e14ce3c; classtype:trojan-activity; sid:2019362; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_10_06, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 1"; flow:established,to_server; content:"POST"; http_method; content:"/close/?channel="; http_uri; depth:16; content:"&ags="; http_uri; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; classtype:trojan-activity; sid:2019390; rev:2; metadata:created_at 2014_10_13, updated_at 2016_09_20;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 2"; flow:established,to_server; content:"/search/?"; http_uri; depth:10; pcre:"/^\x2Fsearch\x2F\x3F[a-z]{2,5}\x3D/U"; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; classtype:trojan-activity; sid:2019391; rev:2; metadata:created_at 2014_10_13, updated_at 2016_09_20;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 3"; flow:established,to_server; content:"GET"; http_method; content:"/results/?text="; http_uri; depth:15; content:"&utm="; http_uri; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; classtype:trojan-activity; sid:2019392; rev:2; metadata:created_at 2014_10_13, updated_at 2016_09_20;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 4"; flow:established,to_server; content:"GET"; http_method; content:"/find/?utm="; http_uri; depth:11; content:"&oprnd="; http_uri; content:"&channel="; http_uri; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; classtype:trojan-activity; sid:2019393; rev:2; metadata:created_at 2014_10_13, updated_at 2016_09_20;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 5"; flow:established,to_server; content:"GET"; http_method; content:"/watch/?"; http_uri; depth:8; content:"channel="; http_uri; content:"&utm="; http_uri; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; reference:md5,ee64d3273f9b4d80020c24edcbbf961e; classtype:trojan-activity; sid:2019394; rev:2; metadata:created_at 2014_10_13, updated_at 2016_09_20;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Spy.KeyLogger.ODN Exfiltrating Data"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"pcname="; depth:7; http_client_body; content:"&note="; distance:0; http_client_body; content:"&country="; distance:0; http_client_body; content:"&user="; distance:0; http_client_body; content:"&log="; distance:0; http_client_body; content:!"Referer|3a|"; http_header; reference:md5,4e83c405f35efd128ab8c324c12dbde9; classtype:trojan-activity; sid:2019468; rev:1; metadata:created_at 2014_10_17, updated_at 2014_10_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED APT.Fexel Checkin"; flow:established,to_server; content:"|20|HTTP/1."; content:"agtid="; distance:0; fast_pattern; content:"08x"; distance:0; reference:md5,70e87b2898333e11344b16a72183f8e9; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html; classtype:trojan-activity; sid:2019469; rev:6; metadata:created_at 2014_10_17, updated_at 2014_10_17;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK Oct 22 2014"; flow:established,from_server; content:"Expires|3a| Sat, 26 Jul";  http_header; content:"Last-Modified|3a| Sat, 26 Jul 2040 05|3a|00"; http_header; fast_pattern:15,20; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2019488; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2014_10_22, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Oct 22 2014"; flow:established,from_server; file_data; content:".join(|22 22|)|3b 3b|"; pcre:"/^\s*?\n\s*?(?P<func>[^\x28\r\n\s]+)\s*?\(\s*?(?P<var>[^\+\x29]+)\+[^\r\n]+\r?\n\s*?<\/script>\s+<script>\s+(?P=func)\s*?\x28\s*?(?P=var)\+[^\r\n]+\r?\n\s*?<\/script>\s+<script>\s+(?P=func)\s*?\x28\s*?(?P=var)\+/Rs"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2019489; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2014_10_22, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Angler EK Flash Exploit URI Struct"; flow:established,to_server; urilen:65; content:"x-flash-version|3a|"; http_header; fast_pattern:only; pcre:"/^\/[a-z0-9\x2d\x5f]{62}(?:(?:[a-z0-9\x2d\x5f]|=)=|[a-z0-9\x2d\x5f]{2})$/Ui"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2019513; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2014_10_27, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Angler EK Java Exploit URI Struct"; flow:established,to_server; urilen:65; content:"Java/1."; http_header; fast_pattern:only; pcre:"/^\/[a-z0-9\x2d\x5f]{62}(?:(?:[a-z0-9\x2d\x5f]|=)=|[a-z0-9\x2d\x5f]{2})$/Ui"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2019514; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2014_10_27, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Potential Sofacy Phishing Redirect"; flow:established,to_client; file_data; content:"// stop for sometime if needed"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/phresh-phishing-against-government-defence-and-energy.html; classtype:trojan-activity; sid:2019541; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2014_10_28, updated_at 2016_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PoisonIvy Keepalive to CnC (Operation SMN Variant)"; flow:established,to_server; dsize:48; content:"|52 13 34 da 18 3d 2f 45 a2 09 93 52 01 23 51 e3|"; offset:16; depth:16; reference:md5,ca22207c5441a100437b75d7ce0d3fe2; classtype:trojan-activity; sid:2019591; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2014_10_29, malware_family PoisonIvy, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible Malicious Attachment With Double Extension Ending In EXE"; flow:established,to_client; content:"Content-Disposition|3a 20|attachment|3b 20|filename="; nocase; http_header; content:".exe|0d 0a|"; distance:0; http_header; fast_pattern; pcre:"/^Content-Disposition\x3a\x20attachment\x3b\x20filename=[^\r\n]+?\.[a-z]{2,4}\.exe\r?$/Hmi"; classtype:trojan-activity; sid:2019650; rev:1; metadata:created_at 2014_11_05, updated_at 2014_11_05;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"redim "; nocase; fast_pattern; pcre:"/^\s*?Preserve/Rsi"; content:"<script "; nocase; pcre:"/^[^>]*?(?:language\s*?=\s*?[\x22\x27]vbscript[\x22\x27]|type\s*?=\s*?[\x22\x27]text\/vbscript[\x22\x27])/Rsi"; reference:cve,2014-6332; classtype:attempted-user; sid:2019706; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_11_13, updated_at 2016_12_12;)

#alert tcp $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Nov 20 2014"; flow:established,from_server; file_data; content:"swfobject.embedSWF"; fast_pattern; pcre:"/^\s*?\(\s*?[\x22\x27]\/[a-z]+\.(?![Ss][Ww][Ff])[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,}[a-z]+\x3d(?:[a-z]+|[0-9]+)[\x22\x27]/Rs"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2019761; rev:3; metadata:created_at 2014_11_20, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Nov 20 2014"; flow:established,from_server; file_data; content:"swfobject.embedSWF"; fast_pattern; pcre:"/^\s*?\(\s*?[\x22\x27]\/(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?[\x22\x27]/Rs"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2019762; rev:2; metadata:created_at 2014_11_20, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET DELETED Job314/Neutrino Reboot EK Flash Exploit Nov 20 2014"; flow:established,to_server; content:"GET|20|"; depth:4; pcre:"/^\/(?:[a-z]+\.(?![Ss][Ww][Ff])[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,}[a-z]+=(?:[a-z]+|[0-9]+)|(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?)/R"; content:"x-flash-version|3a|"; fast_pattern:only; content:"Referer|3a|"; pcre:"/^[^\r\n]+\x3a\d+\/(?:[a-z]+\.(?![Ss][Ww][Ff])[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2}|(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3})/R"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2019763; rev:6; metadata:created_at 2014_11_20, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET DELETED Job314/Neutrino Reboot EK Payload Nov 20 2014"; flow:established,to_server; content:"HTTP/1."; content:"|0d 0a|"; distance:1; within:2; content:!"Referer|3a|"; distance:0; content:!"Accept-"; distance:0; content:"User-Agent|3a 20|Mozilla"; distance:0; fast_pattern; content:"GET|20|"; depth:4; pcre:"/^\/(?:[a-z]+\.[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){3,}[a-z]+=(?:[a-z]+|[0-9]+)|(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?)\x20HTTP\/1\./R"; classtype:trojan-activity; sid:2019764; rev:7; metadata:created_at 2014_11_20, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (1)"; flow:established,to_client; file_data; content:"|0e c7 9d 28 8c cb ae 85|"; within:8; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2019893; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2014_12_08, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Evil Flash Redirector to Job314/Neutrino Reboot EK"; flow:established,to_server; content:"POST"; http_method; content:".php?item="; http_uri; content:"&sort="; http_uri; content:".swf?item="; http_header; fast_pattern:only; content:"photo="; http_client_body; depth:6; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2019908; rev:1; metadata:created_at 2014_12_10, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Teerac.A SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf ac 1a b8 3d 7f 11 16|"; within:35; content:"|55 04 03|"; distance:0; content:"|06|debian"; distance:1; within:7; reference:md5,194a931aa49583191eedd19478396ebc; classtype:trojan-activity; sid:2019918; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_12_10, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Bedep Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"Content-Length|3a 20|2"; http_header; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/P"; pcre:"/^Content-Length\x3a 2\d{2}\r?$/Hmi"; flowbits:set,ET.Trojan.Bedep; classtype:trojan-activity; sid:2019949; rev:1; metadata:created_at 2014_12_16, updated_at 2014_12_16;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Bedep Checkin Response"; flow:established,from_server; content:"Content-Type|3a 20|text/html|0d 0a|"; http_header; content:"Content-Length|3a| 108|0d 0a|"; http_header; fast_pattern:only; content:!"Keep-Alive|3a 20|"; http_header; file_data; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; classtype:trojan-activity; sid:2019952; rev:6; metadata:created_at 2014_12_16, updated_at 2014_12_16;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (2)"; flow:established,to_client; file_data; content:"|69 b8 3c 09 08 6c b1 4c|"; within:8; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2019968; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2014_12_18, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (3)"; flow:established,to_client; file_data; content:"|28 46 c5 83 df ef a3 2a|"; within:8; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2019969; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2014_12_18, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (4)"; flow:established,to_client; file_data; content:"|41 ad 58 53 4c 7f 25 9e|"; within:8; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2019992; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2014_12_22, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (5)"; flow:established,to_client; file_data; content:"|b8 67 f0 44 43 1e fe 5b|"; within:8; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2019993; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2014_12_22, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK Dec 24 2014"; flow:established,from_server; content:"Expires|3a| Sat, 26 Jul"; http_header; content:"Last-Modified|3a| Sat, 26 Jul 2039 "; http_header; fast_pattern:12,20; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2020068; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2014_12_25, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (6)"; flow:established,to_client; file_data; content:"|82 67 9f c3 f1 71 70 fc|"; within:8; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2020071; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_12_29, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (7)"; flow:established,to_client; file_data; content:"|04 6e 76 82 2e 2c 2c 48|"; within:8; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2020072; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_12_29, malware_family Angler, updated_at 2018_06_18;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS query for known Anunak APT Domain (ddnservice11.ru)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|ddnservice11|02|ru|00|"; nocase; distance:0; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:trojan-activity; sid:2020073; rev:1; metadata:created_at 2015_12_29, updated_at 2015_12_29;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS query for known Anunak APT Domain (financialnewsonline.pw)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|financialnewsonline|02|pw|00|"; nocase; distance:0; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:trojan-activity; sid:2020074; rev:1; metadata:created_at 2015_12_29, updated_at 2015_12_29;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (8)"; flow:established,to_client; file_data; content:"|31 90 49 ae c8 2b 73 75|"; within:8; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2020204; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_01_19, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Dalexis Serial Number in SSL Cert"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|00 d7 f0 71 9c ed 67 99 74|"; within:35; fast_pattern; reference:md5,a01fdd1585dc5c8b4e09536eede5e6d4; classtype:trojan-activity; sid:2020208; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_01_19, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (9)"; flow:established,to_client; file_data; content:"|0b c7 6a 1e 7c c2 43 ea|"; within:8; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2020225; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_01_21, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (10)"; flow:established,to_client; file_data; content:"|0b c7 6a 1e 7c c2 43 ea|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2020227; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_01_21, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Angler EK Flash Exploit URI Structure Jan 21 2015"; flow:established,to_server; urilen:>48; content:"x-flash-version|3a|"; http_header; fast_pattern:only; pcre:"/^\/(?:[A-Za-z0-9-_]{4}){11,}(?:[A-Za-z0-9-_]{2}==|[A-Za-z0-9-_]{3}=)?$/U"; pcre:"/^Referer\x3a[^\r\n]+\/(?:[a-z0-9]+\.php|\d+)\r$/Hm"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2020234; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_01_21, malware_family Angler, updated_at 2018_06_18;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS Query for Suspicious torwoman.com Domain - Possible CryptoWall Activity"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|torwoman|03|com"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020283; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

#alert tcp $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Jan 27 2015"; flow:established,from_server; file_data; content:"name=|22|movie|22|"; fast_pattern; pcre:"/^\s*?value\s*?=\s*?[\x22\x27]\/[a-z]+\.(?![Ss][Ww][Ff])[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,}[a-z]+\x3d(?:[a-z]+|[0-9]+)[\x22\x27]/Rs"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2020320; rev:4; metadata:created_at 2015_01_28, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Jan 27 2015"; flow:established,from_server; file_data; content:"name=|22|movie|22|"; fast_pattern; pcre:"/^\s*?value\s*?=\s*?[\x22\x27]\/(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?[\x22\x27]/Rs"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2020321; rev:3; metadata:created_at 2015_01_28, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Chaintor/Tordal User-Agent spotted downloading payload"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (Macintosh|3b| Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"; fast_pattern:50,20; http_header; classtype:trojan-activity; sid:2020347; rev:4; metadata:created_at 2015_02_02, updated_at 2015_02_02;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Feb 04 2015"; flow:established,from_server; content:"26 Jul 2039"; http_header; fast_pattern:only; content:"Expires|3a| Sat, 26 Jul"; http_header; pcre:"/Last-Modified\x3a\x20[A-Z][a-z]+, 26 Jul 2039/H"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2020355; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_02_04, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Feb 04 2015 M2"; flow:established,from_server; content:"26 Jul 2040"; http_header; fast_pattern:only; content:"Expires|3a| Sat, 26 Jul"; http_header; pcre:"/Last-Modified\x3a\x20[A-Z][a-z]+, 26 Jul 2040/H"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2020356; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_02_04, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing Primer Feb 04 2014 (noalert)"; flow:established,from_server; file_data; content:"Elinor"; pcre:"/^\W/R"; flowbits:set,ET.Angler.Primer; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2020365; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag DriveBy, tag Exploit_Kit, signature_severity Major, created_at 2015_02_05, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing Primer Feb 04 2014 (noalert)"; flow:established,from_server; file_data; content:"Dashwood"; pcre:"/^\W/R"; flowbits:set,ET.Angler.Primer; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2020366; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag DriveBy, tag Exploit_Kit, signature_severity Major, created_at 2015_02_05, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing Feb 04 2014 T1"; flow:established,from_server; flowbits:isset,ET.Angler.Primer; file_data; content:"|76 61 72 20 6b 3d 30 3b 20 6b 3c 31 3b 6b 2b 2b 29 7b 3b 7d 7d|"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2020367; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag DriveBy, tag Exploit_Kit, signature_severity Major, created_at 2015_02_05, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible HTTP GET Deep Panda C2 Activity"; flow:established,to_server; content:"GET"; http_method; content:".jpg?id="; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.jpg\?id=\d+$/U"; reference:md5,5acc539355258122f8cdc7f5c13368e1; classtype:trojan-activity; sid:2020379; rev:1; metadata:created_at 2015_02_06, updated_at 2015_02_06;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Angler EK Payload DL M1 Feb 06 2015"; flow:to_server,established; urilen:>48; content:"HTTP/1.1|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|"; fast_pattern:2,20; offset:49; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; content:"|0d 0a|Host|3a|"; http_header; pcre:"/^\/(?:[A-Za-z0-9-_]{4}){11,}(?:[A-Za-z0-9-_]{2}==|[A-Za-z0-9-_]{3}=)?$/U"; content:"GET"; http_method; classtype:trojan-activity; sid:2020385; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_02_07, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (11)"; flow:established,to_client; file_data; content:"|c1 e4 07 2f 13 ad 23 2e|"; within:8; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2020387; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_02_09, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET DELETED Job314/Neutrino Reboot EK Payload Nov 20 2014"; flow:established,to_server; content:!"Referer|3a|"; content:!"Accept-"; content:"Windows NT"; fast_pattern:only; content:"User-Agent|3a 20|Mozilla"; content:"GET|20|"; depth:4; pcre:"/^\/(?:[a-z]+\.[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,}[a-z]+=(?:[a-z]+|[0-9]+)|(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?)\x20HTTP\/1\./R"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2020388; rev:6; metadata:created_at 2015_02_09, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Angler EK Payload DL M2 Feb 06 2015"; flow:to_server,established; urilen:>48; content:"HTTP/1.1|0d 0a|Host|3a|"; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; content:"Connection|3a 20|Keep-Alive|0d 0a|"; http_header; pcre:"/^\/(?:[A-Za-z0-9-_]{4}){11,}(?:[A-Za-z0-9-_]{2}==|[A-Za-z0-9-_]{3}=)?$/U"; content:"GET"; http_method; classtype:trojan-activity; sid:2020399; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_02_11, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Angler EK Post-infection HTTP Request Feb 20 2015"; flow:established,to_server; urilen:13; content:"GET"; http_method; content:"?"; http_uri; content:"HTTP/1.1|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|"; fast_pattern:2,20; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; pcre:"/^\/[a-z]{3}\?[A-F0-9]{8}$/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2020496; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_02_20, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing URI Struct Feb 21"; flow:established,to_server; urilen:<28; content:"/lists/"; depth:7; http_uri; pcre:"/^\/lists\/\d{15}(?:\d{5})?$/U"; classtype:trojan-activity; sid:2020497; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag DriveBy, tag Exploit_Kit, signature_severity Major, created_at 2015_02_21, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET DELETED Microsoft Access database error in HTTP response, possible SQL injection point"; flow:from_server,established; content:"JET Database Engine"; fast_pattern:only; classtype:web-application-attack; sid:2020502; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_23, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Scam - FakeAV Alert Request March 2 2015"; flow:established,to_server; content:"afid="; http_uri; content:"&sid="; distance:0; http_uri; content:"&Expires="; distance:0; http_uri; content:"&Signature="; distance:0; http_uri; content:"&Key-Pair-Id="; distance:0; http_uri; classtype:trojan-activity; sid:2020587; rev:1; metadata:created_at 2015_03_03, updated_at 2015_03_03;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (12)"; flow:established,to_client; file_data; content:"|08 fe 4a ac c6 d6 06 8d|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2020591; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_03_03, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (13)"; flow:established,to_client; file_data; content:"|08 fe 4a ac c6 d6 06 8d|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2020592; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_03_03, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (14)"; flow:established,to_client; file_data; content:"|c5 91 b0 40 ed d9 90 e2|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2020593; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_03_03, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (15)"; flow:established,to_client; file_data; content:"|c5 91 b0 40 ed d9 90 e2|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2020594; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_03_03, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (16)"; flow:established,to_client; file_data; content:"|71 37 53 d7 19 3c 44 ac|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2020595; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_03_03, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (17)"; flow:established,to_client; file_data; content:"|71 37 53 d7 19 3c 44 ac|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2020596; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_03_03, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (18)"; flow:established,to_client; file_data; content:"|ff be d1 79 e8 64 54 d1|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2020597; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_03_03, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (19)"; flow:established,to_client; file_data; content:"|ff be d1 79 e8 64 54 d1|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2020598; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_03_03, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (20)"; flow:established,to_client; file_data; content:"|64 4e 63 0d 03 30 d6 a5|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2020599; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_03_03, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (21)"; flow:established,to_client; file_data; content:"|64 4e 63 0d 03 30 d6 a5|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2020600; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_03_03, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Evil Redirector Leading to EK Mar 06 2015"; flow:established,to_server; content:"/counter.php?referrer=http"; http_uri; classtype:trojan-activity; sid:2020638; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2015_03_06, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible CryptoWall download from e-mail link March 9 2015"; flow:established,to_server; content:"GET"; http_method; content:".zip"; http_uri; fast_pattern:only; content:".html"; http_header; pcre:"/\.zip$/U"; content:"Referer|3a|"; http_header; pcre:"/^Referer\x3a\x20http\x3a\/\/[^\x2f]+\/[a-z0-9]{6}\/[a-z0-9]{5}\.html\r?$/Hm"; classtype:trojan-activity; sid:2020649; rev:2; metadata:created_at 2015_03_09, updated_at 2016_11_01;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET DELETED FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 0B|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020658; rev:3; metadata:created_at 2015_03_10, updated_at 2015_03_10;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (22)"; flow:established,to_client; file_data; content:"|c5 91 b0 40 ed d9 90 e2|"; distance:1728; within:8; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2020730; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_03_23, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M0"; flow:established,to_server; urilen:40<>65; content:"0"; http_uri; offset:40; depth:15; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])0(?:(?P=sep)|\d)*?$/Ui"; classtype:trojan-activity; sid:2020995; rev:4; metadata:created_at 2015_04_24, updated_at 2016_06_09;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M1"; flow:established,to_server; urilen:40<>65; content:"1"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])1(?:(?P=sep)|\d)*?$/U"; classtype:trojan-activity; sid:2020996; rev:4; metadata:created_at 2015_04_24, updated_at 2016_06_09;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M2"; flow:established,to_server; urilen:40<>65; content:"2"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])2(?:(?P=sep)|\d)*?$/U"; classtype:trojan-activity; sid:2020997; rev:4; metadata:created_at 2015_04_24, updated_at 2016_06_09;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M3"; flow:established,to_server; urilen:40<>65; content:"3"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])3(?:(?P=sep)|\d)*?$/U"; content:!"computerwoche.de|0d 0a|"; http_header; classtype:trojan-activity; sid:2020998; rev:4; metadata:created_at 2015_04_24, updated_at 2015_04_24;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M4"; flow:established,to_server; urilen:40<>65; content:"4"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])4(?:(?P=sep)|\d)*?$/U"; classtype:trojan-activity; sid:2020999; rev:3; metadata:created_at 2015_04_24, updated_at 2015_04_24;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M5"; flow:established,to_server; urilen:40<>65; content:"5"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])5(?:(?P=sep)|\d)*?$/U"; classtype:trojan-activity; sid:2021000; rev:5; metadata:created_at 2015_04_24, updated_at 2016_06_09;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M6"; flow:established,to_server; urilen:40<>65; content:"6"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])6(?:(?P=sep)|\d)*?$/U"; classtype:trojan-activity; sid:2021001; rev:4; metadata:created_at 2015_04_24, updated_at 2016_06_09;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M7"; flow:established,to_server; urilen:40<>65; content:"7"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])7(?:(?P=sep)|\d)*?$/U"; classtype:trojan-activity; sid:2021002; rev:4; metadata:created_at 2015_04_24, updated_at 2016_06_09;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M8"; flow:established,to_server; urilen:40<>65; content:"8"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])8(?:(?P=sep)|\d)*?$/U"; classtype:trojan-activity; sid:2021003; rev:4; metadata:created_at 2015_04_24, updated_at 2016_06_09;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M9"; flow:established,to_server; urilen:40<>65; content:"9"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])9(?:(?P=sep)|\d)*?$/U"; classtype:trojan-activity; sid:2021004; rev:4; metadata:created_at 2015_04_24, updated_at 2016_06_09;)

#alert udp any 53 -> $HOME_NET any (msg:"ET DELETED Team Cymru Sinkhole DNS Reply"; content:"|00 01 00 01|"; content:"|00 04 26 E5 46 04|"; distance:4; within:6; classtype:trojan-activity; sid:2021020; rev:1; metadata:created_at 2015_04_28, updated_at 2015_04_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Nuclear EK Landing URI Struct T1"; flow:to_server,established; urilen:>14; content:"GET /"; byte_test:1,>,64,0,relative; byte_test:1,<,91,0,relative; content:".html"; http_uri; fast_pattern; offset:11; pcre:"/^\/[A-Z](?=[a-z0-9]*?[A-Z][a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z][A-Z0-9]*?[a-z])[A-Za-z0-9]{9,}\.html$/U"; pcre:"/Host\x3a\x20(?=[0-9]{0,22}[a-z])(?=[a-z]*?[0-9][a-z]{0,22}[0-9])[a-z0-9]{23}\x2e[^\x2e\r\n]+\x2e[^\x2e\r\n]/H"; classtype:trojan-activity; sid:2021040; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2015_04_30, malware_family Nuclear, updated_at 2016_07_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (23)"; flow:established,to_client; file_data; content:"|08 fe 4a ac c6 d6 06 8d|"; distance:1728; within:8; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021059; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_05_05, malware_family Angler, updated_at 2018_06_18;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Cryptolocker .onion Proxy Domain (24u4jf7s4regu6hn)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|24u4jf7s4regu6hn"; fast_pattern; distance:0; nocase; reference:md5,36095572717aee2399b6bdacef936e22; classtype:trojan-activity; sid:2021085; rev:1; metadata:created_at 2015_05_08, updated_at 2015_05_08;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Win32/Troldesh.A SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 bf 81 b3 c2 61 36 e4 9d|"; fast_pattern; content:"|55 04 03|"; content:"|16|www.jyxc3nn7eu2iqd.net"; distance:1; within:23; reference:md5,3358793e79042faa2298856373e644dc; classtype:trojan-activity; sid:2021098; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_05_14, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (24)"; flow:established,to_client; file_data; content:"|51 cb 7b fc 19 9b 77 fb|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021126; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_05_21, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (25)"; flow:established,to_client; file_data; content:"|51 cb 7b fc 19 9b 77 fb|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021127; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_05_21, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Angler EK Exploit URI Struct May 28 2015 M1"; flow:to_server,established; urilen:>51; content:"."; http_uri; offset:49; depth:1; content:!"/"; http_uri; offset:1; pcre:"/^\/(?=[a-z0-9_-]{0,47}?[A-Z][a-z0-9_-]{0,46}?[A-Z])(?=[A-Z0-9_-]{0,47}?[a-z][A-Z0-9_-]{0,46}?[a-z])(?=[A-Za-z_-]{0,47}?[0-9][A-Za-z_-]{0,46}?[0-9])[A-Za-z0-9_-]{48}\.[a-z]{2,25}\d?\??/U"; pcre:"/^Referer\x3a\x20http\x3a\x2f\x2f?[^\x2f]+\/[a-z]{3,20}((?P<sep>[_-]?)[a-z]{3,20}(?P=sep)(?:[a-z]{3,20}(?P=sep))?)?[a-z]{3,20}\/\d{10,20}(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,AnglerEK.Struct; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021157; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_05_28, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Angler EK Payload URI Struct May 28 2015 M1"; flow:to_server,established; urilen:>51; content:"."; http_uri; offset:49; depth:1; content:!"/"; http_uri; offset:1; content:!"User-Agent"; http_header; nocase; content:!"Accept"; http_header; nocase; content:!"Referer"; nocase; http_header; pcre:"/^\/(?=[a-z0-9_-]{0,47}?[A-Z][a-z0-9_-]{0,46}?[A-Z])(?=[A-Z0-9_-]{0,47}?[a-z][A-Z0-9_-]{0,46}?[a-z])(?=[A-Za-z_-]{0,47}?[0-9][A-Za-z_-]{0,46}?[0-9])[A-Za-z0-9_-]{48}\.[a-z]{2,25}\d?\??/U"; classtype:trojan-activity; sid:2021158; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_05_28, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED External IP Lookup - whoer.net"; flow:established,to_server; content:"Host|3a 20|whoer.net|0d 0a|"; http_header; content:!"Referer|3a|"; http_header; classtype:policy-violation; sid:2021161; rev:1; metadata:created_at 2015_05_28, updated_at 2015_05_28;)

#alert tcp $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET DELETED Possible Upatre or Dyre SSL Cert June 9 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; within:9; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 0a 0c|"; within:9; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 03 0c|"; within:9; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])(?P<var>[a-zA-Z0-9]{10,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021225; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2015_06_09, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp any any -> any [139,445] (msg:"ET DELETED Possible Duqu 2.0 Accessing SMB/SMB2 backdoor"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"tttttttt"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021243; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Angler EK Landing URI Struct Jun 11"; flow:to_server,established; urilen:>22; content:"/?"; offset:12; depth:86; fast_pattern; pcre:"/^\/[a-z]{3,20}(?P<sep>[_-])[a-z]{3,20}(?P=sep)[a-z]{3,20}(?:(?P=sep)[a-z]{3,20}\/\?[a-z]{6,}=\d{15,20}|(?:(?P=sep)[a-z]{3,20})?\/\?[a-z]{6,}=\d{10,13})$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<refhost>[^\x3a\x2f\r\n]+).*?\r\nHost\x3a\x20(?!(?:(?P=refhost)|www\.))/Hsi"; flowbits:set,AnglerEK; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021248; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_06_11, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Cryptolocker C2 SSL cert serial"; flow:established,to_client; content:"|b3 b2 82 08 58 32 5e 8e|"; fast_pattern:only; reference:url,www.hybrid-analysis.com/sample/3ebc6999da89eaf44d94195b588cb869d894ca754a248b074893d11f6dd19188?environmentId=4; reference:md5,2c339dbb40b3b19ee275e4c7c1c17a18; classtype:trojan-activity; sid:2021253; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_11, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Angler EK Landing URI Struct June 13 M1"; flow:established,to_server; urilen:27<>114; content:"/index.php?"; depth:11; http_uri; pcre:"/^\/index\.php\?[a-z]{8,80}=(?:\d{10,13}|\d{15,20})$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<refhost>[^\x3a\x2f\r\n]+).*?\r\nHost\x3a\x20(?!(?P=refhost))/Hsi"; classtype:trojan-activity; sid:2021263; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_06_13, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Angler EK Landing URI Struct June 13 M2"; flow:established,to_server; urilen:27<>114; content:"/index.php?"; depth:11; http_uri; pcre:"/^\/index\.php\?[a-z]{8,80}=(?:\d{10,13}|\d{15,20})$/U"; pcre:"/Host\x3a\x20(?P<refhost>[^\x3a\r\n]+).*?\r\nReferer\x3a\x20https?\x3a\x2f\x2f(?!(?P=refhost))/Hsi"; classtype:trojan-activity; sid:2021264; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_06_13, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Angler EK Landing URI Struct June 13 M3"; flow:established,to_server; urilen:27<>114; content:"/index.php?"; depth:11; http_uri; pcre:"/^\/index\.php\?[a-z]{8,80}=(?:\d{10,13}|\d{15,20})$/U"; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2021265; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_06_13, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Angler EK Landing URI Struct Jun 11 M2"; flow:to_server,established; urilen:>22; content:"/?"; offset:12; depth:86; fast_pattern; pcre:"/^\/[a-z]{3,20}(?P<sep>[_-])[a-z]{3,20}(?P=sep)[a-z]{3,20}(?:(?P=sep)[a-z]{3,20}\/\?[a-z]{6,}=\d{15,20}|(?:(?P=sep)[a-z]{3,20})?\/\?[a-z]{6,}=\d{10,13})$/U"; pcre:"/Host\x3a\x20(?!www\.)(?P<refhost>[^\x3a\r\n]+).*?\r\nReferer\x3a\x20https?\x3a\x2f\x2f(?!(?P=refhost))/Hsi"; flowbits:set,AnglerEK; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021266; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_06_14, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Angler EK Landing URI Struct Jun 11 M3"; flow:to_server,established; urilen:>22; content:"/?"; offset:12; depth:86; fast_pattern; pcre:"/^\/[a-z]{3,20}(?P<sep>[_-])[a-z]{3,20}(?P=sep)[a-z]{3,20}(?:(?P=sep)[a-z]{3,20}\/\?[a-z]{6,}=\d{15,20}|(?:(?P=sep)[a-z]{3,20})?\/\?[a-z]{6,}=\d{10,13})$/U"; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a\x20(?!www\.)[^\x2e]+(?:\.[^\x2e\r\n]+){2,}\r$/Hmi"; flowbits:set,AnglerEK; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021267; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_06_14, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Angler EK Landing URI Struct Jun 15"; flow:to_server,established; urilen:>26; content:"/search?"; http_uri; depth:8; content:!"."; http_uri; content:!"+"; http_uri; content:!"|20|"; http_uri; pcre:"/^\/search\?[a-z0-9]{1,5}=[a-z0-9]{1,5}(?:&[a-z0-9]{1,5}=[a-z0-9]{1,5}){4,}$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<refhost>[^\x3a\x2f\r\n]+).*?\r\nHost\x3a\x20(?!(?:(?P=refhost)|www\.))/Hsi"; content:!"|2e 73 70 6f 72 74 73 61 75 74 68 6f 72 69 74 79 2e 63 6f 6d 0d 0a|"; http_header; content:!"Cookie|3a 20|"; flowbits:set,AnglerEK;  metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021269; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_06_15, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Angler EK Landing URI Struct Jun 15 M2"; flow:to_server,established; urilen:>26; content:"/search?"; http_uri; depth:8; content:!"."; http_uri; content:!"+"; http_uri; content:!"|20|"; http_uri; pcre:"/^\/search\?[a-z0-9]{1,5}=[a-z0-9]{1,5}(?:&[a-z0-9]{1,5}=[a-z0-9]{1,5}){4,}$/U"; pcre:"/Host\x3a\x20(?!www\.)(?P<refhost>[^\x3a\r\n]+).*?\r\nReferer\x3a\x20https?\x3a\x2f\x2f(?!(?P=refhost))/Hsi"; content:!"|2e 73 70 6f 72 74 73 61 75 74 68 6f 72 69 74 79 2e 63 6f 6d 0d 0a|"; http_header; content:!"|2e 72 65 73 75 6c 74 73 70 61 67 65 2e 63 6f 6d 0d 0a|"; http_header; flowbits:set,AnglerEK; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021270; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_06_15, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Angler EK Landing URI Struct Jun 15 M3"; flow:to_server,established; urilen:>26; content:"/search?"; http_uri; depth:8; content:!"."; http_uri; content:!"+"; http_uri; content:!"|20|"; http_uri; pcre:"/^\/search\?[a-z0-9]{1,5}=[a-z0-9]{1,5}(?:&[a-z0-9]{1,5}=[a-z0-9]{1,5}){4,}$/U"; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a\x20(?!www\.)[^\x2e]+(?:\.[^\x2e\r\n]+){2,}(?:\x3a\d{1,5})?\r$/Hmi"; content:!"|2e 73 70 6f 72 74 73 61 75 74 68 6f 72 69 74 79 2e 63 6f 6d 0d 0a|"; http_header; content:!"Cookie|3a 20|";  flowbits:set,AnglerEK; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021271; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_06_15, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (16) M2"; flow:established,to_client; file_data; content:"|51 cb 7b fc 19 9b 77 fb|"; within:2048; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021280; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_06_16, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (11) M2"; flow:established,to_client; file_data; content:"|08 fe 4a ac c6 d6 06 8d|"; within:2048; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021281; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_06_16, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Fake AV Phone Scam Landing June 16 2015 M3"; flow:established,to_client; file_data; content:"<title>Virus Firewall Alert!</title>"; nocase; fast_pattern:16,20; content:"myFunction|28 29|"; distance:0; content:"popup-mac-warning.png"; nocase; distance:0; classtype:trojan-activity; sid:2021287; rev:1; metadata:created_at 2015_06_17, updated_at 2015_06_17;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (26)"; flow:established,from_server; file_data; content:"|51 CB 7B FC 19 9B 77 FB|"; distance:40; within:8; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021360; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_06_29, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (27)"; flow:established,from_server; file_data; content:"|51 CB 7B FC 19 9B 77 FB|"; distance:1424; within:8; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021361; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_06_29, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET DELETED Possible Upatre or Dyre SSL Cert June 29 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; within:9; byte_test:1,>,8,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[a-zA-Z]{0,119}[0-9])[a-zA-Z0-9]{9,120}[01]/R"; content:"|06 03 55 04 0a 0c|"; within:9; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; pcre:"/^(?=[a-zA-Z]{0,119}[0-9])[a-zA-Z0-9]{9,120}[01]/R"; content:"|06 03 55 04 03 0c|"; within:9; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?=[a-zA-Z]{0,119}[0-9])(?P<var>[a-zA-Z0-9]{9,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021369; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2015_06_29, malware_family Upatre, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Dridex SSL Cert July 6 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 0e 34 be 9a f3 1e d7|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|07|pace.eu"; distance:1; within:8; reference:md5,0facc32fc6f9c67650575c8a8298bef2; classtype:trojan-activity; sid:2021380; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_06, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED External IP Lookup ip-api.com"; flow:established,to_server; content:"GET"; http_method; content:"/xml"; http_uri; content:"ip-api.com"; fast_pattern:only; http_header; classtype:policy-violation; sid:2021406; rev:3; metadata:created_at 2015_07_13, updated_at 2015_07_13;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED APT CozyCar SSL Cert 4"; flow:established,from_server; content:"|55 04 03|"; content:"|19|www.illuminatistudios.net"; distance:1; within:26; metadata: former_category TROJAN; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:trojan-activity; sid:2021421; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_15, updated_at 2018_03_27;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (HTTPBrowser CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 97 d3 99 b4 6f 4e 77 43|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021428; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_15, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Fake AV Phone Scam Landing July 20 2015 M3"; flow:to_client,established; file_data; content:"html class=|22|js js sessionstorage|22|"; fast_pattern:13,20; content:"getURLParameter"; distance:0; content:"Toll Free"; nocase; distance:0; content:"myFunction|28 29|"; nocase; distance:0; classtype:trojan-activity; sid:2021448; rev:1; metadata:created_at 2015_07_20, updated_at 2015_07_20;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (28)"; flow:established,from_server; file_data; content:"|EB BD 89 F5 C0 3B 7A 3E|"; distance:42; within:8; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021509; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_07_22, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (29)"; flow:established,from_server; file_data; content:"|EB BD 89 F5 C0 3B 7A 3E|"; distance:746; within:8; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021510; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_07_22, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|brutus.neuronio.pt"; distance:1; within:19; content:"|0c|sampo@iki.fi"; distance:0; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021521; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_23, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Fake AV Phone Scam Landing July 23 2015"; flow:to_client,established; file_data; content:"navigator.sayswho"; content:"alertforSecuity"; fast_pattern; distance:0; content:"Firefox"; distance:0; content:"Chrome"; distance:0; content:"Netscape"; distance:0; classtype:trojan-activity; sid:2021522; rev:1; metadata:created_at 2015_07_23, updated_at 2015_07_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED KINS/ZeusVM Variant CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php/"; http_uri; fast_pattern:only; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^[\x20-\x7e\s]{0,20}[^\x20-\x7e\s]/P"; pcre:"/\.php\/(?:[a-zA-Z0-9]+\/)+[A-F0-9]{8}$/U"; pcre:"/^User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/Hmi"; reference:md5,7a015848f24de23da43e2ca9970df11e; classtype:trojan-activity; sid:2021524; rev:1; metadata:created_at 2015_07_23, updated_at 2015_07_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (VMZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|contactcitywell.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021562; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Aug 02 2015"; flow:established,from_server; file_data; content:"value=|22|#ffffff|22|"; content:!".swf"; nocase; content:"<html>"; pcre:"/^\s*?<body>\s*?<script>(?:\s*var\s+[a-z]+\s*?=\s*?\d+\s*?\x3b\s*?)*?\s*?<\/script>/Rs"; content:"<object"; pcre:"/^(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value\s*?=\s*?\x22#ffffff\x22)(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^>]*?value\s*?=\s*?\x22(?![^\x22]+\.[Ss][Ww][Ff])[^\x22]*?\x22/Rs"; content:"</object>"; distance:0; pcre:"/^\s*?<\/body>\s*?\s*?<\/html>\s*?$/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021587; rev:5; metadata:created_at 2015_08_04, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino EK Flash Exploit M2 Aug 02 2015"; flow:from_server,established; flowbits:isset,ET.Neutrino; content:"nginx"; http_header; nocase; file_data; content:"CWS"; fast_pattern; within:3; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021588; rev:2; metadata:created_at 2015_08_04, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino EK Flash Exploit M3 Aug 02 2015"; flow:from_server,established; flowbits:isset,ET.Neutrino; content:"nginx"; http_header; nocase; file_data; content:"ZWS"; fast_pattern; within:3; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021589; rev:2; metadata:created_at 2015_08_04, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Job314/Neutrino EK Flash Exploit M1 Aug 02 2015 (IE)"; flow:to_server,established; content:"x-flash-version|3a|"; http_header; fast_pattern:only; content:!".swf"; http_uri; nocase; content:!".flv"; http_uri; nocase; pcre:"/^\/(?:[a-z]{3,20}\/(?:(?:[a-z\d+]*?[A-Z])(?:[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?!www\.)(?P<refhost>[^\x3a\x2f\r\n]+)(?:\x3a\d{1,5})?\/(?:[a-z]{3,20}\/(?:(?:[a-z\d+]*?[A-Z])(?:[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)\r\n.*?Host\x3a\x20(?P=refhost)/Hsi"; content:!"Cookie|3a 20|"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021590; rev:7; metadata:created_at 2015_08_04, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|ghheranon.ad"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021613; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_11, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|idcythef.tj"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021614; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_11, updated_at 2016_07_01;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (holidayapartments4you. com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|15|holidayapartments4you|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021645; rev:2; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (euro-rafting.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|euro-rafting|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021646; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (holidayapartments-Paris.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|17|holidayapartments-Paris|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021647; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (paris-holidayapartments.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|17|paris-holidayapartments|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021648; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (franceholidayapartments.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|17|franceholidayapartments|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021649; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (apartmentsin-paris.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|apartmentsin-paris|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021650; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (raftingholiday.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|raftingholiday|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021651; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (eurorafting-tr.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|eurorafting-tr|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021652; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (turkeyextremerafting.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|14|turkeyextremerafting|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021653; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (raftingtours-turkey.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|raftingtours-turkey|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021654; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (divextreme-ar.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|divextreme-ar|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021655; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (crazy-jump.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|crazy-jump|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021656; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (dive-extreme.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|dive-extreme|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021657; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (tandemskydive-ar.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tandemskydive-ar|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021658; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (groupdive. com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|groupdive|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021659; rev:2; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (skydivelessons.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|skydivelessons|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021660; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (bungee4you-br.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|bungee4you-br|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021661; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (brazil-crazybungee.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|brazil-crazybungee|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021662; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (bungeejumping-br.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bungeejumping-br|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021663; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (groupbungee-br.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|groupbungee-br|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021664; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (divextreme-au.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|divextreme-au|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021665; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (crazyjump-uy.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|crazyjump-uy|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021666; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (stuntjumps.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|stuntjumps|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021667; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (tandemskydive-au.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tandemskydive-au|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021668; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (groupdive-au.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|groupdive-au|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021669; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (au-skydivelessons.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|au-skydivelessons|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021670; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (bungee4you-uy.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|bungee4you-uy|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021671; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (uruguay-crazybungee.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|uruguay-crazybungee|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021672; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (bungeejumping-uy.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bungeejumping-uy|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021673; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (groupbungee-uy.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|groupbungee-uy|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021674; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (circlesofourlives-ir.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|14|circlesofourlives-ir|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021675; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (clickflowers-hk.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|clickflowers-hk|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021676; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (cropcirclestours.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cropcirclestours|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021677; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (irelancropcircles.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|irelancropcircles|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021678; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (ir-cool.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|ir-cool|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021679; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (magnificentcircles.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|magnificentcircles|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021680; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (china-flowershop.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|china-flowershop|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021681; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (hongkong-bouquets.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|hongkong-bouquets|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021682; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (beautifuldaisies.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|beautifuldaisies|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021683; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (rosesinchina.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|rosesinchina|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021684; rev:1; metadata:created_at 2015_08_18, updated_at 2018_01_10;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET ![80,8080,3128,3129] (msg:"ET DELETED Job314/Neutrino Reboot EK Payload Aug 19 2015"; flow:established,to_server; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"Windows NT"; fast_pattern:only; http_header; content:"User-Agent|3a 20|Mozilla"; content:"GET"; http_method; pcre:"/^\/(?:[a-z]{3,20}\/(?:(?:[a-z\d+]*?[A-Z])(?:[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)$/U"; pcre:"/^Host\x3a[^\r\n]*?\x3a(?!(80(?:80)|312[89]))\d+\r$/Hm"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021694; rev:4; metadata:created_at 2015_08_19, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SUSPICIOUS Likely Neutrino EK or other EK IE Flash request to DYNDNS set non-standard filename"; flow:established,to_server; content:"x-flash-version|3a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:d(?:yndns\.[a-z]{2,3}|esi)|c(?:ricket|a?fe?)|(?:lin|wor)k|s(?:u|pace)|accountant|t(?:k|op)|g[aq]|xyz|ml|pw)(?:\x3a\d{1,5})?\r$/Hmi"; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!".swf"; nocase; http_uri; content:!".flv"; nocase; http_uri; content:!"/crossdomain.xml"; http_uri; content:!"|0d 0a|Cookie|3a|"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021752; rev:14; metadata:created_at 2015_09_08, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED PHISH Generic Webmail - Landing Page Sept 11"; flow:established,to_client; file_data; content:"<title>Webmail Login</title>"; fast_pattern:8,20; content:"For Webmail to function properly"; distance:0; content:"you must enable JavaScript"; distance:0; content:"You have logged out"; distance:0; content:"Please select a locale"; distance:0; content:"Email Address"; distance:0; classtype:trojan-activity; sid:2021760; rev:1; metadata:created_at 2015_09_11, updated_at 2015_09_11;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Ransomware Win32/WinPlock.A CnC Beacon 3"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:!"Referer|3a|"; http_header; content:"unit_action="; depth:12; http_client_body; fast_pattern; reference:md5,b8a1012e3afc6eabb7819ce4d8e2b93b; classtype:trojan-activity; sid:2021823; rev:2; metadata:created_at 2015_09_23, updated_at 2015_09_23;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible Angler EK Redirector Sept 25 2015"; flow:to_client,established; file_data; content:"<body>"; pcre:"/^(?:(?!<\/body).)+?Content\s*?loading.*?Please wait.*?<iframe/Rsi"; content:"Content loading"; nocase; content:"Please wait"; nocase; distance:0; content:"<iframe s1=|22|off|22|"; fast_pattern; distance:0; content:"mask=true"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021840; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_09_25, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|nntpdinfo.pw"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021899; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_02, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DustySky Checkin"; flow:established,to_server; urilen:10; content:"GET"; http_method; content:"/index.php"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"uvnc.com|0d 0a|"; http_header; nocase; content:"Host|3a|"; depth:5; http_header; content:"Connection|3a 20|Keep-Alive"; distance:0; http_header; pcre:"/^Host\x3a[^\r\n]+\r\nConnection\x3a\x20Keep-Alive\r\n(?:\r\n)?$/H"; content:!"Cookie|3a|"; metadata: former_category TROJAN; reference:md5,07fd870e4ea8dd6b9503a956b5bb47f3; classtype:trojan-activity; sid:2021918; rev:4; metadata:created_at 2015_10_06, updated_at 2017_03_21;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|fidobeta.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021932; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_07, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|makaronypolskie.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021933; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_07, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|crenuva.net"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021934; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_07, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Oct 19 2015"; flow:established,from_server; file_data; content:!".swf"; content:"<html>"; pcre:"/^\s*?\r?\n\s*?<body>\s*?\r?\n\s*?<script>\s*\r?\n\s*?<\/script>/Rs"; content:"value=|22|#ffffff|22|"; content:"<object"; pcre:"/^(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value\s*?=\s*?\x22#ffffff\x22)(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^>]*?value\s*?=\s*?\x22(?![^\x22]+\.[Ss][Ww][Ff])[^\x22]*?\x22/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021969; rev:2; metadata:created_at 2015_10_19, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted payload Oct 19 (1)"; flow:established,to_client; file_data; content:"|d8 57 45 e6 17 f8 ec bb|"; distance:4; within:8; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021970; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_10_19, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted payload Oct 19 (2)"; flow:established,to_client; file_data; content:"|d5 88 7d dc 8a 95 4b be|"; distance:4; within:8; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021971; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_10_19, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted payload Oct 19 (3)"; flow:established,to_client; file_data; content:"|08 42 7d|"; distance:4; within:3; pcre:"/^(?:\x4c|\x35)/R"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021972; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_10_19, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted payload Oct 19 (4)"; flow:established,to_client; file_data; content:"|05 9d 45|"; distance:4; within:4; pcre:"/^(?:\x76|\x0f)/R"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021973; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_10_19, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted payload Oct 19 (5)"; flow:established,to_client; file_data; content:"|91 29 83 25 66 1e be fb|"; distance:4; within:8; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021989; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_10_21, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted payload Oct 19 (6)"; flow:established,to_client; file_data; content:"|57 05 11 53 6c d2 02 f9|"; distance:4; within:8; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2021990; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_10_21, malware_family Angler, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Nuclear EK Landing URI Struct Oct 26 2015"; flow:to_server,established; content:".php?option=com_"; http_uri; content:"&itemid="; http_uri; content:"&id="; http_uri; pcre:"/&id=\d+(?:\x3a(?:[a-z0-9]*?[A-Z])(?:[A-Z0-9]*?[a-z])[A-Za-z0-9]{10,}\.{0,2})?&catid=\d+&itemid=\d+$/U"; classtype:trojan-activity; sid:2021999; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2015_10_26, malware_family Nuclear, updated_at 2016_07_18;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Likely Evil EXE download from MSXMLHTTP non-exe extension M1"; flow:established,to_client; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.XMLHTTP.no.exe.request; classtype:trojan-activity; sid:2022052; rev:2; metadata:created_at 2015_11_09, updated_at 2015_11_09;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED BlackHole EK Landing Nov 17 2015"; flow:from_server,established; file_data; content:"|2e 73 74 79 6c 65 2e 6c 65 66 74 3d 3d 3d 22 22 29 7b 67 67 3d 22 67 65 74 41 22 3b 7d 71 71 3d 22 71 22 3b 67 67 2b 3d 22 74 74 72 69 22 3b 66 75 6e 63 74 69 6f 6e 20 63 78 7a 28 29|"; fast_pattern:17,20; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2022113; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2015_11_17, malware_family Blackhole, updated_at 2018_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler encrypted payload Nov 23 (1)"; flow:established,to_client; file_data; content:"|01 d2 02 8b e7 98 09 18|"; distance:4; within:8; classtype:trojan-activity; sid:2022138; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_11_24, malware_family Angler, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler encrypted payload Nov 23 (2)"; flow:established,to_client; file_data; content:"|29 26 9a 62 39 55 b6 0d|"; distance:4; within:8; classtype:trojan-activity; sid:2022139; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_11_24, malware_family Angler, updated_at 2016_07_01;)

#alert tcp [$EXTERNAL_NET,!208.85.44.0/24] $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler encrypted payload Nov 23 (3)"; flow:established,to_client; file_data; content:"|dc 18 02|"; distance:4; within:3; pcre:"/^(?:\x62|\x1b)/R"; classtype:trojan-activity; sid:2022140; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_11_24, malware_family Angler, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler encrypted payload Nov 23 (4)"; flow:established,to_client; file_data; content:"|f4 ec 9a|"; distance:4; within:4; pcre:"/^(?:\x8b|\xf2)/R"; classtype:trojan-activity; sid:2022141; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_11_24, malware_family Angler, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler encrypted payload Nov 23 (5)"; flow:established,to_client; file_data; content:"|63 86 34 11 a3 ae 83 1e|"; distance:4; within:8; classtype:trojan-activity; sid:2022142; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_11_24, malware_family Angler, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler encrypted payload Nov 23 (6)"; flow:established,to_client; file_data; content:"|94 ae 9f 55 3d 25 7f 7d|"; distance:4; within:8; classtype:trojan-activity; sid:2022143; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2015_11_24, malware_family Angler, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic Phishing Landing Uri Nov 25"; flow:to_server,established; content:"GET"; http_method; content:".php?usernms="; http_uri; fast_pattern; pcre:"/\.php\?usernms=[^@]+@[^\r\n]+$/Ui"; classtype:trojan-activity; sid:2022185; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2015_11_25, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED PHP/Mayhem Checkin via HTTP POST"; flow:established,to_server; content:"POST"; http_method; content:"Pragma|3a 20|1337|0d 0a|"; http_header; fast_pattern:only; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; content:".php HTTP/1.0|0d 0a|"; reference:url,www.blackhat.com/docs/eu-15/materials/eu-15-KA-Automating-Linux-Malware-Analysis-Using-Limon-Sandbox.pdf; classtype:trojan-activity; sid:2022195; rev:1; metadata:created_at 2015_11_30, updated_at 2015_11_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED EXE Download Request To Wordpress Folder Likely Malicious"; flow:established,to_server; content:"GET"; http_method; content:"/wp-"; http_uri; content:".exe"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\.exe(?:\?[0-9])?$/U"; pcre:"/\/wp-(?:content|admin|includes)\//U"; metadata: former_category TROJAN; reference:md5,1828f7090d0ad2844d3d665d2f41f911; classtype:trojan-activity; sid:2022239; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2015_12_08, updated_at 2018_07_18;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Malicious SSL certificate detected (Possible Sinkhole)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; distance:0; content:"|0a|infosec.jp"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|0e|www.infosec.jp"; distance:1; within:15; content:"snowyowl@jpnsec.com"; distance:0; reference:md5,ef5fa2378307338d4e75dece88158d77; classtype:trojan-activity; sid:2022324; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_12_31, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Jan 07 2015"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"value=|22|#ffffff|22|"; nocase; content:"<html>"; pcre:"/^\s*?<body>\s*?<script>(?:\s*var\s+[a-z]+\s*?=\s*?\d+\s*?\x3b\s*?){3,}\s*?<\/script>/Rs"; content:"<object"; pcre:"/^(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value\s*?=\s*?\x22#ffffff\x22)(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^>]*?value\s*?=\s*?\x22\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)\x22/Rsi"; content:"</object>"; distance:0; pcre:"/^\s*?<\/body>\s*?\s*?<\/html>\s*?$/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025040; rev:2; metadata:created_at 2016_01_07, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Job314/Neutrino Reboot EK Flash Exploit Jan 07 2015 M1"; flow:established,to_server; content:"x-flash-version|3a|"; http_header; fast_pattern; content:!"|0d 0a|Cookie|3a|"; pcre:"/^\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)$/U"; pcre:"/Host\x3a\x20(?P<host>[^\x3a\r\n]+)(?:\x3a\d{1,5})?\r\n.*?Referer\x3a\x20http\x3a\x2f\x2f(?P=host)\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)\r\n/Hsi"; flowbits:set,ET.Neutrino; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025041; rev:1; metadata:created_at 2016_01_08, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Job314/Neutrino Reboot EK Flash Exploit Jan 07 2015 M2"; flow:established,to_server; content:"x-flash-version|3a|"; http_header; fast_pattern; content:!"|0d 0a|Cookie|3a|"; pcre:"/^\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|(?=[a-z]*\d+[a-z]+\d)(?=\d*[a-z]+\d+[a-z])[a-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f\x2f(?P<host>[^\r\n\x3a\x2f]+)(?:\x3a\d{1,5})?\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)\r\n.*?Host\x3a\x20(?P=host)(?:\x3a\d{1,5})?\r\n/Hsi"; flowbits:set,ET.Neutrino; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025042; rev:2; metadata:created_at 2016_01_08, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Spam/Phish Campaign Feb 25 2016"; flow:established,to_server; content:".pw|0d 0a|"; http_header; nocase; fast_pattern:only; pcre:"/\/[a-z]\/\?[A-Z]{10}$/U"; pcre:"/^Host\x3a\x20[^\r\n]+\.pw\r?$/Hmi"; classtype:trojan-activity; sid:2022570; rev:2; metadata:created_at 2016_02_26, updated_at 2016_02_26;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Possible Fake AV Phone Scam Long Domain M3 Feb 29"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"yourcomputerhave"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022577; rev:1; metadata:created_at 2016_02_29, updated_at 2016_02_29;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Ransomware Locky .onion Payment Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|32kl2rwsjvqjeui7"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022659; rev:2; metadata:created_at 2016_03_25, updated_at 2016_03_25;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|velodrivve|03|biz|00|"; fast_pattern; distance:0; content:"|00 01 00 01|"; distance:0; within:4; pcre:"/[a-z]{4,10}\x08velodrivve\x03biz\x00/"; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022703; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_04_05, updated_at 2016_09_08;)

#alert tcp any any -> any any (msg:"ET DELETED LuminosityLink - Data Channel Server Response 2"; flow:established,to_client; content:"8_=_8"; isdataat:!1,relative; dsize:<25; classtype:trojan-activity; sid:2022708; rev:2; metadata:created_at 2016_04_05, updated_at 2016_09_15;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Taplika Browser Hijacker Status Messages"; flow:established,to_server; content:".php?context="; fast_pattern; http_uri; content:"&status="; http_uri; distance:0; content:"&sesid="; http_uri; distance:0; content:"&iid="; http_uri; distance:0; content:"&cd="; http_uri; distance:0; content:"&cr="; http_uri; distance:0; metadata: former_category MALWARE; reference:md5,02aa7a5e3a78f1a50ae5f72519787bb9; reference:url,malwaretips.com/blogs/remove-taplika-virus/; classtype:trojan-activity; sid:2022808; rev:1; metadata:created_at 2016_05_16, updated_at 2018_03_14;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Taplika Browser Hijacker Checkin M1"; flow:established,to_server; content:".php?a="; fast_pattern; http_uri; content:"&cd="; http_uri; distance:0; content:"&cr="; http_uri; distance:0; content:"&ir="; http_uri; distance:0; metadata: former_category MALWARE; reference:md5,02aa7a5e3a78f1a50ae5f72519787bb9; reference:url,malwaretips.com/blogs/remove-taplika-virus/; classtype:trojan-activity; sid:2022809; rev:1; metadata:created_at 2016_05_16, updated_at 2018_03_14;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Taplika Browser Hijacker Checkin M2"; flow:established,to_server; content:"/?f="; depth:4; http_uri; fast_pattern; content:"&a="; http_uri; distance:0; content:"&cd="; http_uri; distance:0; content:"&cr="; http_uri; distance:0; content:"&ir="; http_uri; distance:0; metadata: former_category MALWARE; reference:md5,02aa7a5e3a78f1a50ae5f72519787bb9; reference:url,malwaretips.com/blogs/remove-taplika-virus/; classtype:trojan-activity; sid:2022810; rev:1; metadata:created_at 2016_05_16, updated_at 2018_03_14;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing May 31 2016"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"value=|22|#ffffff|22|"; nocase; content:"<html>"; pcre:"/^\s*?<body>\s*?<object(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value\s*?=\s*?\x22#ffffff\x22)(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^>]*?value\s*?=\s*?\x22\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)\x22/Rsi"; content:"</object>"; distance:0; pcre:"/^\s*?<\/body>\s*?\s*?<\/html>\s*?$/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025043; rev:1; metadata:created_at 2016_05_31, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing June 11 2016"; flow:established,from_server; content:"nginx"; http_header; nocase; content:"d27cdb6e-ae6d-11cf-96b8-444553540000"; content:"bgcolor"; content:"<html>"; pcre:"/^\s*?<body>(?:\s*<\/?[^\s\x2f>]+>\s*)*\s*?<object(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value=\x22#[a-f0-9]{6}\x22[^>]*?>\s*?\n\s*?<param(?=[^>]*?name\s*?=\s*?\x22allowScriptAccess\x22)[^>]*?value=\x22always\x22[^>]*?>\s*?\n\s*?).{1,1000}?\s<\/object>\s+<\/body>\s+<\/html>\s*$/Rs"; content:" name"; pcre:"/^\s*=\s*(?P<var1>[\x22\x27][a-z]+[\x22\x27]).+?\sid\s*=\s*(?P=var1)/Rs"; content:"allowScriptAccess"; fast_pattern; flowbits:set,ET.Neutrino; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025044; rev:2; metadata:created_at 2016_06_11, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing June 11 2016 M2"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"|3c 2f 73 63 72 69 70 74 3e 0a 3c 6f 62 6a 65 63 74|"; within:150; pcre:"/^(?=[^\r\n]*d27cdb6e-ae6d-11cf-96b8-444553540000)[^\r\n]*\s(?:name|id)\s*=\s*[\x22\x27](?P<var>[a-z]+)[\x22\x27][^\r\n]*\s(?:name|id)\s*=\s*[\x22\x27](?P=var)[\x22\x27][^\r\n]*>[\r\n]+(?P<spc>\s+)<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^\r\n]*>[\r\n]+(?P=spc)<param(?=[^\r\n>]*name\s*?=\s*?\x22bgcolor\x22)[^\r\n]*>[\r\n]+(?P=spc)<param(?=[^\r\n>]*name\s*?=\s*?\x22allowScriptAccess\x22)[^\r\n]*>[\r\n]+(?P=spc)<embed(?=[^\r\n]*\ssrc\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27])[^\r\n]+[\r\n]*<\/object>\s*<\/body>\s*<\/html>\s*$/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025045; rev:1; metadata:created_at 2016_06_12, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED LoadMoney User-Agent"; flow:established,to_server; content:"User-Agent|3a 20|Downloader 18.7|0d 0a|"; http_header; metadata: former_category MALWARE; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2022911; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2016_06_22, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing June 11 2016 M2"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"<script>"; within:500; pcre:"/^(?:\s*var\s[a-z]+\s*=\s*\d+\x3b\s*\n)*\s*<\/script>\s*<object(?=[^\r\n]*d27cdb6e-ae6d-11cf-96b8-444553540000)[^\r\n]*\s(?:name|id)\s*=\s*[\x22\x27](?P<var>[a-z]+)[\x22\x27][^\r\n]*\s(?:name|id)\s*=\s*[\x22\x27](?P=var)[\x22\x27][^\r\n]*>[\r\n]+(?P<spc>\s+)<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^\r\n]*>[\r\n]+(?P=spc)<param(?=[^\r\n>]*name\s*?=\s*?\x22bgcolor\x22)[^\r\n]*>[\r\n]+(?P=spc)<param(?=[^\r\n>]*name\s*?=\s*?\x22allowScriptAccess\x22)[^\r\n]*>[\r\n]+(?P=spc)<embed(?=[^\r\n]*\ssrc\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27])[^\r\n]+[\r\n]*<\/object>\s*<\/body>\s*<\/html>\s*$/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025046; rev:1; metadata:created_at 2016_06_24, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing June 11 2016 M3"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"allowScriptAccess"; fast_pattern:only; content:"<object"; content:"  <param"; distance:0; pcre:"/^[^>]*name\s*=\s*[\x22\x27]bgcolor[\x22\x27]/R"; content:"<script>"; pcre:"/^(?:\s*var\s[a-z]+\s*=\s*\d+\x3b\s*\n)*\s*<\/script>/Rs"; content:" id"; distance:0; pcre:"/^\s*=\s*[\x22\x27][a-z]+[\x22\x27]/R"; content:"movie"; content:"value"; pcre:"/^\s*=\s*[\x22\x27]\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)[\x22\x27]/R"; flowbits:set,ET.Neutrino; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025047; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Neutrino, signature_severity Major, created_at 2016_06_24, performance_impact Low, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Neutrino EK Landing Landing URI Struct (fb set)"; flow:to_server,established; content:!"Cookie|3a|"; content:"Windows NT"; http_header; fast_pattern:only; content:"User-Agent|3a 20|Mozilla"; content:"GET"; http_method;  pcre:"/^User-agent\x3a\x20[^\r\n]*?(?:MSIE|rv\x3a11|Edge\/)/Hmi"; pcre:"/^\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)$/U"; content:!"Cookie|3a|"; flowbits:set,Neutrino.URI.Primer; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025064; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Neutrino, signature_severity Major, created_at 2016_06_24, performance_impact Moderate, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing June 11 2016 M4 (with URI Primer)"; flow:established,from_server; flowbits:isset,Neutrino.URI.Primer; content:"Server|3a 20|nginx"; http_header; file_data; content:"allowScriptAccess"; fast_pattern:only; content:"movie"; content:"value"; pcre:"/^\s*=\s*[\x22\x27]\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|(?=[a-z]*\d+[a-z]+\d)(?=\d*[a-z]+\d+[a-z])[a-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)[\x22\x27]/R"; content:"bgcolor"; nocase; flowbits:set,ET.Neutrino; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025048; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Neutrino, signature_severity Major, created_at 2016_06_24, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino EK Landing Jul 04 2016 M1"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"allowScriptAccess"; content:"name"; pcre:"/^\s*=\s*[\x22\x27]bgcolor[\x22\x27]/R"; content:"<script>"; pcre:"/^(?:\s*var\s[a-z]+\s*=\s*\d+\x3b\s*\n)*\s*<\/script>/Rs"; content:" id"; distance:0; pcre:"/^\s*=\s*[\x22\x27][a-z]+[\x22\x27]/R"; content:"|62 5f 39 34 38 38 33 66 36 34 35 33 31 65 65 37 62 31 37 61 37 33 62 38 32 33 66 5f 63 31 61 36 63 63 36 36 37 65|"; fast_pattern; flowbits:set,ET.Neutrino; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025049; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Neutrino, signature_severity Major, created_at 2016_07_05, performance_impact Low, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino EK Landing Jul 04 2016 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"allowScriptAccess"; content:"name"; pcre:"/^\s*=\s*[\x22\x27]bgcolor[\x22\x27]/R"; content:"<script>"; pcre:"/^(?:\s*var\s[a-z]+\s*=\s*\d+\x3b\s*\n)*\s*<\/script>/Rs"; content:" id"; distance:0; pcre:"/^\s*=\s*[\x22\x27][a-z]+[\x22\x27]/R"; content:"|3c 68 31 3e 62 6c 61 63 6b 62 6f 78 3c 2f 68 31 3e|"; fast_pattern:only; flowbits:set,ET.Neutrino; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025050; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Neutrino, signature_severity Major, created_at 2016_07_05, performance_impact Low, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino EK Landing Jul 04 2016 M3"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"allowScriptAccess"; content:"name"; pcre:"/^\s*=\s*[\x22\x27]bgcolor[\x22\x27]/R"; content:"<script>"; pcre:"/^(?:\s*var\s[a-z]+\s*=\s*\d+\x3b\s*\n)*\s*<\/script>/Rs"; content:" id"; distance:0; pcre:"/^\s*=\s*[\x22\x27][a-z]+[\x22\x27]/R"; content:"value"; pcre:"/^\s*=\s*[\x22\x27]\/[^\x22\x27]*\.html\.swf[\x22\x27]/R"; content:".html.swf"; fast_pattern:only; flowbits:set,ET.Neutrino; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025051; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Neutrino, signature_severity Major, created_at 2016_07_05, performance_impact Low, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M1"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P<space>[\s\r\n]+)<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P=space)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P=space)/R"; flowbits:set,ET.Neutrino; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025052; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Neutrino, signature_severity Major, created_at 2016_07_07, performance_impact Low, updated_at 2018_06_18;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Ransomware Bart .onion Payment Domain (khh5cmzh5q7yp7th)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|khh5cmzh5q7yp7th"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022958; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Major, created_at 2016_07_11, malware_family Ransomware, performance_impact Low, updated_at 2016_07_13;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Ixeshe CnC)"; flow:established,from_server; content:"|09 00 b5 c7 52 c9 87 81 b5 03|"; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022960; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_07_11, performance_impact Low, updated_at 2018_05_07;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Ransomware Locky .onion Payment Domain (zjfq4lnfbs7pncr5)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zjfq4lnfbs7pncr5"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022997; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Major, created_at 2016_08_01, performance_impact Low, updated_at 2016_08_03;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Evil Redirector Leading to EK Sep 12 2016"; flow:established,from_server; content:"Set-Cookie|3a 20|CAMPAIGNE.REFERER_COOKIE="; fast_pattern:12,20; content:"CAMPAIGNE.REFERER_COOKIE="; http_cookie; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2023187; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_09_12, malware_family EvilTDS, performance_impact Low, updated_at 2018_04_19;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P<space>[\s\r\n]+)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P=space)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P=space)/R"; flowbits:set,ET.Neutrino; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025053; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, tag Redirector, tag Neutrino, signature_severity Major, created_at 2016_09_20, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M3"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P<space>[\s\r\n]+)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P=space)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P=space)/R"; flowbits:set,ET.Neutrino; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025054; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, tag Redirector, tag Neutrino, signature_severity Major, created_at 2016_09_20, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M4"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P<space>[\s\r\n]+)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P=space)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P=space)/R"; flowbits:set,ET.Neutrino; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025055; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, tag Redirector, tag Neutrino, signature_severity Major, created_at 2016_09_20, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M5"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P<space>[\s\r\n]+)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P=space)<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P=space)/R"; flowbits:set,ET.Neutrino; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025056; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, tag Redirector, tag Neutrino, signature_severity Major, created_at 2016_09_20, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M6"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P<space>[\s\r\n]+)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P=space)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P=space)<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; flowbits:set,ET.Neutrino; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025057; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, tag Redirector, tag Neutrino, signature_severity Major, created_at 2016_09_20, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M7"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P<space>[\s\r\n]+)<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P=space)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P=space)/R"; flowbits:set,ET.Neutrino; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025058; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, tag Redirector, tag Neutrino, signature_severity Major, created_at 2016_09_20, updated_at 2018_06_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M8"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P<space>[\s\r\n]+)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P=space)<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P=space)/R"; flowbits:set,ET.Neutrino; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025059; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, tag Redirector, tag Neutrino, signature_severity Major, created_at 2016_09_20, updated_at 2018_06_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Nemucod Downloader Oct 04"; flow:established,to_server; content:"/log.php?f="; http_uri; depth:11; fast_pattern; pcre:"/^\/log\.php\?f=[0-1](?:\.[a-z]+)?$/U"; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b|"; http_header; content:!"Referer|3a|"; content:!"Cookie|3a 20|"; classtype:trojan-activity; sid:2023318; rev:2; metadata:created_at 2016_10_05, updated_at 2017_01_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Potentially Malicious Traffic 1"; flow:established,to_server; content:"285d7b6cf94d8fdc657edaa73c2f07f3"; classtype:trojan-activity; sid:2023339; rev:3; metadata:created_at 2016_10_18, updated_at 2016_10_18;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Malware CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|publicstats.tk"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023529; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag dupe, signature_severity Major, created_at 2016_11_18, updated_at 2017_02_14;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Cerber Bitcoin Address Check"; flow:to_server,established; content:"/api/v1/address/txs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_="; http_uri; nocase; fast_pattern:20,20; content:!"Referer"; http_header; content:!"|0d 0a|Cookie|3a 20|"; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; http_header; metadata: former_category TROJAN; reference:url,www.bleepingcomputer.com/news/security/cerber-ransomware-4-10-now-shows-the-version-number-in-ransom-notes/; classtype:trojan-activity; sid:2023676; rev:1; metadata:created_at 2016_12_20, updated_at 2017_07_10;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Ransomware CrypMIC Payment Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|j24ojpexpgaorlxj"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2023738; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, tag dupe, signature_severity Major, created_at 2017_01_11, malware_family Ransomware, updated_at 2017_01_24;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Craigslist Phishing Domain Feb 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"craigslist.org"; http_header; fast_pattern; content:!"craigslist.org|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+craigslist\.org[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023881; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, tag dupe, signature_severity Major, created_at 2017_02_07, updated_at 2017_02_14;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|sogelfeld.ws"; distance:1; within:13; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024083; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_03_16, updated_at 2017_06_13;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (Content-Length) M1"; flow:to_server,established; content:"Content-Length|3a|"; nocase; content:"{"; content:"}"; content:"java|2e|"; nocase; content:"|2e|ognl"; fast_pattern:only; pcre:"/^Content-Length\x3a[^\r\n]*?\{(?=[^\r\n]*java\.)[^\r\n]*\.ognl[^\r\n]*\}/mi"; metadata: former_category WEB_SPECIFIC_APPS; classtype:web-application-attack; sid:2024094; rev:1; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2017_03_20, updated_at 2017_03_21;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (Content-Length) M2"; flow:to_server,established; content:"Content-Length|3a 20 25 7b 28|"; nocase; content:"{"; content:"}"; metadata: former_category WEB_SPECIFIC_APPS; classtype:web-application-attack; sid:2024095; rev:1; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2017_03_20, updated_at 2017_03_21;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (Content-Disposition) M2"; flow:to_server,established; content:"Content-Disposition|3a 20 25 7b 28|"; nocase; content:"{"; content:"}"; metadata: former_category WEB_SPECIFIC_APPS; classtype:web-application-attack; sid:2024097; rev:1; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2017_03_20, updated_at 2017_03_21;)

#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Possible Winnti-related DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|securitytactics|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024868; rev:2; metadata:created_at 2017_10_18, updated_at 2018_05_23;)

#alert udp any 53 -> $DNS_SERVERS any (msg:"ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt"; byte_test:2,>,0,6; byte_test:2,>,0,10; threshold: type both, track by_src, count 100, seconds 10; reference:url,doc.emergingthreats.net/bin/view/Main/2008446; classtype:bad-unknown; sid:2008446; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp any 53 -> $HOME_NET any (msg:"ET DNS Excessive NXDOMAIN responses - Possible DNS Backscatter or Domain Generation Algorithm Lookups"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; threshold: type both, track by_src, count 50, seconds 10; reference:url,doc.emergingthreats.net/bin/view/Main/2008470; classtype:bad-unknown; sid:2008470; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp any 53 -> $HOME_NET any (msg:"ET DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible NS RR Cache Poisoning Attempt"; content: "|85 00 00 01 00 01 00 01|"; offset: 2; depth:8; threshold: type both, track by_src,count 50, seconds 2; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008447; classtype:bad-unknown; sid:2008447; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp any 53 -> $HOME_NET any (msg:"ET DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible A RR Cache Poisoning Attempt"; content: "|81 80 00 01 00 01 00 01|"; offset: 2; depth:8; threshold: type both, track by_src, count 50, seconds 2; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008475; classtype:bad-unknown; sid:2008475; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS Standard query response, Format error"; pcre:"/^..[\x81\x82\x83\x84\x85\x86\x87]\x81/"; reference:url,doc.emergingthreats.net/2001116; classtype:not-suspicious; sid:2001116; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS Standard query response, Name Error"; pcre:"/^..[\x81\x82\x83\x84\x85\x86\x87]\x83/"; reference:url,doc.emergingthreats.net/2001117; classtype:not-suspicious; sid:2001117; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS Standard query response, Not Implemented"; pcre:"/^..[\x81\x82\x83\x84\x85\x86\x87]\x84/"; reference:url,doc.emergingthreats.net/2001118; classtype:not-suspicious; sid:2001118; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS Standard query response, Refused"; pcre:"/^..[\x81\x82\x83\x84\x85\x86\x87]\x85/"; reference:url,doc.emergingthreats.net/2001119; classtype:not-suspicious; sid:2001119; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS EXPLOIT named 8.2->8.2.1"; flow:to_server,established; content:"../../../"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:2100258; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named overflow ADM"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:2100259; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named overflow attempt"; flow:to_server,established; content:"|CD 80 E8 D7 FF FF FF|/bin/sh"; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:2100261; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS TCP inverse query overflow"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:2103153; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named authors attempt"; flow:to_server,established; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:2101435; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named version attempt"; flow:to_server,established; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:2100257; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS zone transfer TCP"; flow:to_server,established; content:"|00 00 FC|"; offset:15; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:2100255; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"GPL DNS SPOOF query response PTR with TTL of 1 min. and no authority"; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|"; classtype:bad-unknown; sid:2100253; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"GPL DNS SPOOF query response with TTL of 1 min. and no authority"; content:"|81 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 01 00 01 00 00 00|<|00 04|"; classtype:bad-unknown; sid:2100254; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS UDP inverse query overflow"; byte_test:1,<,16,2; byte_test:1,&,8,2; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:2103154; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named authors attempt"; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:nessus,10728; classtype:attempted-recon; sid:2100256; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named iquery attempt"; content:"|09 80 00 00 00 01 00 00 00 00|"; depth:16; offset:2; reference:bugtraq,134; reference:cve,1999-0009; reference:url,www.rfc-editor.org/rfc/rfc1035.txt; classtype:attempted-recon; sid:2100252; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named version attempt"; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:nessus,10028; classtype:attempted-recon; sid:2101616; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS zone transfer UDP"; content:"|00 00 FC|"; offset:14; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:2101948; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .com.ru Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|com|02|ru|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011407; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .com.cn Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|com|02|cn|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011408; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .co.cc Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|02|cc|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011409; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .cz.cc Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cz|02|cc|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011410; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .co.kr Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|02|kr|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011411; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"ET DNS DNS Lookup for localhost.DOMAIN.TLD"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|localhost"; fast_pattern; nocase; classtype:bad-unknown; sid:2011802; rev:3; metadata:created_at 2010_10_12, updated_at 2010_10_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET DNS Hiloti DNS CnC Channel Successful Install Message"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|empty"; nocase; distance:0; content:"|0C|explorer_exe"; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; reference:url,blog.fortinet.com/hiloti-the-botmaster-of-disguise/; classtype:bad-unknown; sid:2011911; rev:2; metadata:created_at 2010_11_09, updated_at 2010_11_09;)

alert udp $HOME_NET any -> any 53 (msg:"ET DNS DNS Query for a Suspicious Malware Related Numerical .in Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|in|00|"; fast_pattern; nocase; distance:0; pcre:"/\x00[0-9]{4,7}\x02in\x00/i"; reference:url,sign.kaffenews.com/?p=104; reference:url,www.isc.sans.org/diary.html?storyid=10165; classtype:bad-unknown; sid:2012115; rev:6; metadata:created_at 2011_12_30, updated_at 2011_12_30;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query to a .tk domain - Likely Hostile"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|tk|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2012811; rev:2; metadata:created_at 2011_05_15, updated_at 2011_05_15;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query to a Suspicious *.vv.cc domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|vv|02|cc|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2012826; rev:1; metadata:created_at 2011_05_19, updated_at 2011_05_19;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious *.ae.am domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ae|02|am"; fast_pattern:only; classtype:bad-unknown; sid:2012900; rev:1; metadata:created_at 2011_05_31, updated_at 2011_05_31;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for a Suspicious *.noc.su domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|noc|02|su"; fast_pattern:only; classtype:bad-unknown; sid:2012901; rev:2; metadata:created_at 2011_05_31, updated_at 2011_05_31;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious *.be.ma domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|be|02|ma"; fast_pattern; distance:0;  classtype:bad-unknown; sid:2012902; rev:2; metadata:created_at 2011_05_31, updated_at 2011_05_31;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious *.qc.cx domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|qc|02|cx"; fast_pattern:only; classtype:bad-unknown; sid:2012903; rev:1; metadata:created_at 2011_05_31, updated_at 2011_05_31;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious *.co.tv domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|02|tv"; fast_pattern:only; classtype:bad-unknown; sid:2012956; rev:2; metadata:created_at 2011_06_08, updated_at 2011_06_08;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Illegal Drug Sales Site (SilkRoad)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ianxz6zefk72ulzz|05|onion"; fast_pattern:only; classtype:policy-violation; sid:2013016; rev:1; metadata:created_at 2011_06_13, updated_at 2011_06_13;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .co.be Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|02|be"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013124; rev:3; metadata:created_at 2011_06_28, updated_at 2011_06_28;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious *.cu.cc domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cu|02|cc"; fast_pattern; classtype:bad-unknown; sid:2013172; rev:2; metadata:created_at 2011_07_02, updated_at 2011_07_02;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .net.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|net|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013847; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .eu.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|eu|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013848; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .int.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|int|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013849; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .edu.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|edu|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013850; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .us.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|us|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013851; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .ca.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ca|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013852; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .bg.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|bg|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013853; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .ru.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ru|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013854; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .pl.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|pl|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013855; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .cz.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cz|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013856; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .de.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|de|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013857; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .at.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|at|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013858; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .ch.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ch|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013859; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .sg.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|sg|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013860; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .nl.ai Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|nl|02|ai"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013861; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .xe.cx Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|xe|02|cx"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013862; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)

alert udp any 53 -> $DNS_SERVERS any (msg:"ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) to google.com.br possible Cache Poisoning Attempt"; byte_test:2,>,0,6; byte_test:2,>,0,10; threshold: type both, track by_src, count 100, seconds 10; content:"|06|google|03|com|02|br|00|"; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; classtype:bad-unknown; sid:2013894; rev:5; metadata:created_at 2011_11_10, updated_at 2011_11_10;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .noip.cn Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|noip|02|cn|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013970; rev:1; metadata:created_at 2011_11_28, updated_at 2011_11_28;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for .su TLD (Soviet Union) Often Malware Related"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|su|00|"; fast_pattern; distance:0; nocase; reference:url,www.abuse.ch/?p=3581; classtype:bad-unknown; sid:2014169; rev:1; metadata:created_at 2012_01_31, updated_at 2012_01_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET DNS DNS Query for Suspicious .ch.vu Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ch|02|vu"; fast_pattern; nocase; distance:0; reference:url,google.com/safebrowsing/diagnostic?site=ch.vu; classtype:bad-unknown; sid:2014285; rev:4; metadata:created_at 2012_02_27, updated_at 2012_02_27;)

alert udp $HOME_NET !9987 -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 6 or 7 set"; content:!"7PYqwfzt"; depth:8; byte_test:1,!&,64,2; byte_test:1,&,32,2; byte_test:1,&,16,2; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014701; rev:12; metadata:created_at 2012_05_03, updated_at 2016_07_12;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set"; content:!"7PYqwfzt"; depth:8; byte_test:1,&,64,2; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014702; rev:9; metadata:created_at 2012_05_03, updated_at 2016_07_12;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set"; content:!"7PYqwfzt"; depth:8; byte_test:1,&,64,3; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014703; rev:9; metadata:created_at 2012_05_03, updated_at 2016_07_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET DNS Query for a Suspicious *.upas.su domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|upas|02|su|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2015550; rev:1; metadata:created_at 2012_07_31, updated_at 2012_07_31;)

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - sinkhole.cert.pl 148.81.111.111"; content:"|00 01 00 01|"; content:"|00 04 94 51 6f 6f|"; distance:4; within:6; classtype:trojan-activity; sid:2016413; rev:4; metadata:created_at 2013_02_14, updated_at 2013_02_14;)

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Dr. Web"; content:"|00 01 00 01|"; content:"|00 04 5b e9 f4 6a|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016418; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Zinkhole.org"; content:"|00 01 00 01|"; content:"|00 04 b0 1f 3e 4c|"; distance:4; within:6; classtype:trojan-activity; sid:2016419; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - German Company"; content:"|00 01 00 01|"; content:"|00 04 52 a5 19 a7|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016420; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - 1and1 Internet AG"; content:"|00 01 00 01|"; content:"|00 04 52 a5 19 d2|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016421; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Georgia Tech (1)"; content:"|00 01 00 01|"; content:"|00 04 c6 3d e3 06|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016422; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Georgia Tech (2)"; content:"|00 01 00 01|"; content:"|00 04 32 3e 0c 67|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016423; rev:6; metadata:created_at 2013_02_16, updated_at 2013_02_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain micorsofts.net"; content:"|0a|micorsofts|03|net|00|"; nocase; fast_pattern:only; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:bad-unknown; sid:2016569; rev:3; metadata:created_at 2013_03_13, updated_at 2013_03_13;)

alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain micorsofts.com"; content:"|0a|micorsofts|03|com|00|"; nocase; fast_pattern:only; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:bad-unknown; sid:2016570; rev:2; metadata:created_at 2013_03_13, updated_at 2013_03_13;)

alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain hotmal1.com"; content:"|07|hotmal1|03|com|00|"; nocase; fast_pattern:only; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:bad-unknown; sid:2016571; rev:1; metadata:created_at 2013_03_13, updated_at 2013_03_13;)

alert udp any 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - 106.187.96.49 blacklistthisdomain.com"; content:"|00 01 00 01|"; content:"|00 04 6a bb 60 31|"; distance:4; within:6; classtype:trojan-activity; sid:2016591; rev:6; metadata:created_at 2013_03_18, updated_at 2013_03_18;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query to a *.pw domain - Likely Hostile"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|pw|00|"; fast_pattern; nocase; distance:0; content:!"|01|u|02|pw|00|"; nocase; classtype:bad-unknown; sid:2016778; rev:4; metadata:created_at 2013_04_19, updated_at 2013_04_19;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DNS DNS Query for vpnoverdns - indicates DNS tunnelling"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|tun|10|vpnoverdns|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,osint.bambenekconsulting.com/manual/vpnoverdns.txt; classtype:bad-unknown; sid:2018438; rev:2; metadata:created_at 2014_05_01, updated_at 2014_05_01;)

alert udp any 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole FBI Zeus P2P 1 - 142.0.36.234"; content:"|00 01 00 01|"; content:"|00 04 8e 00 24 ea|"; distance:4; within:6; classtype:trojan-activity; sid:2018517; rev:1; metadata:created_at 2014_06_03, updated_at 2014_06_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET DNS Query to a *.top domain - Likely Hostile"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|top|00|"; fast_pattern; nocase; distance:0; threshold:type limit, track by_src, count 1, seconds 30; reference:url,www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2023883; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_07, updated_at 2017_02_07;)

alert udp $HOME_NET any -> any 53 (msg:"ET DNS Query for Suspicious .gr.com Domain (gr .com in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|02|gr|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category DNS; reference:url,www.domain.gr.com; classtype:bad-unknown; sid:2025146; rev:1; metadata:created_at 2017_12_12, updated_at 2017_12_18;)

#alert udp any any -> any 53 (msg:"ET DOS DNS BIND 9 Dynamic Update DoS attempt"; byte_test:1,&,40,2; byte_test:1,>,0,5; byte_test:1,>,0,1; content:"|00 00 06|"; offset:8; content:"|c0 0c 00 ff|"; distance:2; reference:cve,2009-0696; reference:url,doc.emergingthreats.net/2009701; classtype:attempted-dos; sid:2009701; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET [22,23,80,443,10000] (msg:"ET DOS Possible Cisco PIX/ASA Denial Of Service Attempt (Hping Created Packets)"; flow:to_server; content:"|58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58|"; depth:40; content:"|58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58|"; distance:300; isdataat:300,relative; threshold: type threshold, track by_src, count 60, seconds 80; reference:url,www.securityfocus.com/bid/34429/info; reference:url,www.securityfocus.com/bid/34429/exploit; reference:url,www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080a99518.html; reference:cve,2009-1157; reference:url,doc.emergingthreats.net/2010624; classtype:attempted-dos; sid:2010624; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET DOS Possible Cisco ASA 5500 Series Adaptive Security Appliance Remote SIP Inspection Device Reload Denial of Service Attempt"; flow:established,to_server; content:"REGISTER"; depth:8; nocase; isdataat:400,relative; pcre:"/REGISTER.{400}/smi"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19915; reference:cve,2010-0569; reference:url,doc.emergingthreats.net/2010817; classtype:attempted-dos; sid:2010817; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"ET DOS Cisco 514 UDP flood DoS"; content:"|25 25 25 25 25 58 58 25 25 25 25 25|"; fast_pattern:only; reference:url,www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000010; classtype:attempted-dos; sid:2000010; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET DOS Catalyst memory leak attack"; flow: to_server,established; content:"|41 41 41 0a|"; depth: 20; reference:url,www.cisco.com/en/US/products/products_security_advisory09186a00800b138e.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000011; classtype:attempted-dos; sid:2000011; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Cisco Router HTTP DoS"; flow: to_server,established; content:"/%%"; http_uri; reference:url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml; classtype:attempted-dos; sid:2000006; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Cisco 4200 Wireless Lan Controller Long Authorisation Denial of Service Attempt"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/screens/frameset.html"; fast_pattern; http_uri; nocase; content:"Authorization|3A 20|Basic"; nocase; content:!"|0a|"; distance:2; within:118; isdataat:120,relative; pcre:"/^Authorization\x3A Basic.{120}/Hmi"; reference:url,www.securityfocus.com/bid/35805; reference:url,www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml; reference:cve,2009-1164; reference:url,doc.emergingthreats.net/2010674; classtype:attempted-dos; sid:2010674; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 6014 (msg:"ET DOS IBM DB2 kuddb2 Remote Denial of Service Attempt"; flow:established,to_server; content:"|00 05 03 31 41|"; fast_pattern:only; reference:url,www.securityfocus.com/bid/38018; reference:url,intevydis.blogspot.com/2010/01/ibm-db2-97-kuddb2-dos.html; reference:url,doc.emergingthreats.net/2010755; classtype:attempted-dos; sid:2010755; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"ET DOS FreeBSD NFS RPC Kernel Panic"; flow:to_server,established; content:"|00 01 86 a5|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 00 00 00 00 00|"; offset:0; depth:6; reference:cve,2006-0900; reference:bugtraq,19017; reference:url,doc.emergingthreats.net/bin/view/Main/2002853; classtype:attempted-dos; sid:2002853; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 1755 (msg:"ET DOS Microsoft Streaming Server Malformed Request"; flow:established,to_server; content:"MSB "; depth:4; content:"|06 01 07 00 24 00 00 40 00 00 00 00 00 00 01 00 00 00|"; fast_pattern:only; reference:bugtraq,1282; reference:url,www.microsoft.com/technet/security/bulletin/ms00-038.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2002843; classtype:attempted-dos; sid:2002843; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS ICMP Path MTU lowered below acceptable threshold"; itype: 3; icode: 4; byte_test:2,<,576,6; byte_test:2,!=,0,7; reference:cve,CAN-2004-1060; reference:url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,doc.emergingthreats.net/bin/view/Main/2001882; classtype:denial-of-service; sid:2001882; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET DOS Possible Microsoft SQL Server Remote Denial Of Service Attempt"; flow: established,to_server; content:"|10 00 00 10 cc|"; depth:5; reference:bugtraq,11265; reference:url,doc.emergingthreats.net/bin/view/Main/2001366; classtype:attempted-dos; sid:2001366; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET DOS NetrWkstaUserEnum Request with large Preferred Max Len"; flow:established,to_server; content:"|ff|SMB"; content:"|10 00 00 00|"; distance:0; content:"|02 00|"; distance:14; within:2; byte_jump:4,12,relative,little,multiplier 2; content:"|00 00 00 00 00 00 00 00|"; distance:12; within:8; byte_test:4,>,2,0,relative; reference:cve,2006-6723; reference:url,doc.emergingthreats.net/bin/view/Main/2003236; classtype:attempted-dos; sid:2003236; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DOS Excessive SMTP MAIL-FROM DDoS"; flow: to_server, established; content:"MAIL FROM|3a|"; nocase; window: 0; id:0; threshold: type limit, track by_src, count 30, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/2001795; classtype:denial-of-service; sid:2001795; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET DOS Possible MYSQL GeomFromWKB() function Denial Of Service Attempt"; flow:to_server,established; content:"SELECT"; nocase; content:"geometrycollectionfromwkb"; distance:0; nocase; pcre:"/SELECT.+geometrycollectionfromwkb/si"; reference:url,www.securityfocus.com/bid/37297/info; reference:url,marc.info/?l=oss-security&m=125881733826437&w=2; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/37297.txt; reference:cve,2009-4019; reference:url,doc.emergingthreats.net/2010491; classtype:attempted-dos; sid:2010491; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET DOS Possible MYSQL SELECT WHERE to User Variable Denial Of Service Attempt"; flow:to_server,established; content:"SELECT"; nocase; content:"WHERE"; distance:0; nocase; content:"SELECT"; nocase; content:"INTO"; distance:0; nocase; content:"|60|"; within:50; content:"|60|"; pcre:"/SELECT.+WHERE.+SELECT.+\x60/si"; reference:url,www.securityfocus.com/bid/37297/info; reference:url,marc.info/?l=oss-security&m=125881733826437&w=2; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/37297-2.txt; reference:cve,2009-4019; reference:url,doc.emergingthreats.net/2010492; classtype:attempted-dos; sid:2010492; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET DOS Possible MySQL ALTER DATABASE Denial Of Service Attempt"; flow:established,to_server; content:"ALTER "; nocase; content:"DATABASE"; nocase; within:12; content:"|22|."; distance:0; content:"UPGRADE "; nocase; distance:0; content:"DATA"; nocase; within:8; pcre:"/ALTER.+DATABASE.+\x22\x2E(\x22|\x2E\x22|\x2E\x2E\x2F\x22).+UPGRADE.+DATA/si"; reference:url,securitytracker.com/alerts/2010/Jun/1024160.html; reference:url,dev.mysql.com/doc/refman/5.1/en/alter-database.html; reference:cve,2010-2008; reference:url,doc.emergingthreats.net/2011761; classtype:attempted-dos; sid:2011761; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Netgear DG632 Web Management Denial Of Service Attempt"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/cgi-bin/firmwarecfg"; http_uri; nocase; reference:url, securitytracker.com/alerts/2009/Jun/1022403.html; reference:cve,2009-2256; reference:url,doc.emergingthreats.net/2010554; classtype:attempted-dos; sid:2010554; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Large amount of TCP ZeroWindow - Possible Nkiller2 DDos attack"; flags:A; window:0; threshold: type both, track by_src, count 100, seconds 60; reference:url,doc.emergingthreats.net/2009414; classtype:attempted-dos; sid:2009414; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET 123 -> $HOME_NET 123 (msg:"ET DOS Potential Inbound NTP denial-of-service attempt (repeated mode 7 request)"; dsize:1; content:"|17|"; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.kb.cert.org/vuls/id/568372; reference:cve,2009-3563; reference:url,doc.emergingthreats.net/2010486; classtype:attempted-dos; sid:2010486; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET 123 -> $HOME_NET 123 (msg:"ET DOS Potential Inbound NTP denial-of-service attempt (repeated mode 7 reply)"; dsize:4; content:"|97 00 00 00|"; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.kb.cert.org/vuls/id/568372; reference:cve,2009-3563; reference:url,doc.emergingthreats.net/2010487; classtype:attempted-dos; sid:2010487; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET DOS Possible SolarWinds TFTP Server Read Request Denial Of Service Attempt"; content:"|00 01 01|"; depth:3; content:"NETASCII"; reference:url,www.exploit-db.com/exploits/12683/; reference:url,doc.emergingthreats.net/2011673; classtype:attempted-dos; sid:2011673; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET DOS SolarWinds TFTP Server Long Write Request Denial Of Service Attempt"; content:"|00 02|"; depth:2; isdataat:1000,relative; content:!"|0A|"; within:1000; content:"NETASCII"; distance:1000; reference:url,www.exploit-db.com/exploits/13836/; reference:url,doc.emergingthreats.net/2011674; classtype:attempted-dos; sid:2011674; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg:"ET DOS Possible VNC ClientCutText Message Denial of Service/Memory Corruption Attempt"; flow:established,to_server; content:"|06|"; depth:1; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,www.fortiguard.com/encyclopedia/vulnerability/vnc.server.clientcuttext.message.memory.corruption.html; reference:url,doc.emergingthreats.net/2011732; classtype:attempted-dos; sid:2011732; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DOS IGMP dos attack"; fragbits:M+; ip_proto:2; reference:bugtraq,514; reference:cve,1999-0918; reference:url,www.microsoft.com/technet/security/bulletin/MS99-034.mspx; classtype:attempted-dos; sid:2100272; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DOS Jolt attack"; dsize:408; fragbits:M; reference:cve,1999-0345; classtype:attempted-dos; sid:2100268; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp any any -> $HOME_NET 3000 (msg:"ET DOS ntop Basic-Auth DOS inbound"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"/configNtop.html"; distance:0; within:20; nocase; content:"Authorization|3a|"; nocase; content: "Basic"; distance:0; within:20; content:"=="; distance:0; within:100; reference:url,www.securityfocus.com/bid/36074; reference:url,www.securityfocus.com/archive/1/505862; reference:url,www.securityfocus.com/archive/1/505876; classtype:denial-of-service; sid:2011511; rev:1; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

#alert tcp $HOME_NET any -> any 3000 (msg:"ET DOS ntop Basic-Auth DOS outbound"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"/configNtop.html"; distance:0; within:20; nocase; content:"Authorization|3a|"; nocase; content: "Basic"; distance:0; within:20; content:"=="; distance:0; within:100; reference:url,www.securityfocus.com/bid/36074; reference:url,www.securityfocus.com/archive/1/505862; reference:url,www.securityfocus.com/archive/1/505876; classtype:denial-of-service; sid:2011512; rev:1; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DOS User-Agent used in known DDoS Attacks Detected outbound"; flow:established,to_server; content:"User-agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 5.1|3b| ru|3b| rv|3a|1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"; fast_pattern:only; http_header; reference:url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/; classtype:denial-of-service; sid:2011821; rev:3; metadata:created_at 2010_10_18, updated_at 2010_10_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS User-Agent used in known DDoS Attacks Detected inbound"; flow:established,to_server; content:"User-agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 5.1|3b| ru|3b| rv|3a|1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"; fast_pattern:only; http_header; reference:url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/; classtype:denial-of-service; sid:2011822; rev:3; metadata:created_at 2010_10_18, updated_at 2010_10_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DOS User-Agent used in known DDoS Attacks Detected outbound 2"; flow:established,to_server; content:"User-agent|3a| Opera/9.02 (Windows NT 5.1|3b| U|3b| ru)"; fast_pattern:only; http_header; reference:url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/; classtype:denial-of-service; sid:2011823; rev:3; metadata:created_at 2010_10_18, updated_at 2010_10_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS User-Agent used in known DDoS Attacks Detected inbound 2"; flow:established,to_server; content:"User-agent|3a| Opera/9.02 (Windows NT 5.1|3b| U|3b| ru)"; fast_pattern:only; http_header; reference:url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/; classtype:denial-of-service; sid:2011824; rev:3; metadata:created_at 2010_10_18, updated_at 2010_10_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS Outbound Low Orbit Ion Cannon LOIC Tool Internal User May Be Participating in DDOS"; flow:to_server,established; content:"hihihihihihihihihihihihihihihihi"; nocase; fast_pattern:only; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012048; rev:4; metadata:created_at 2010_12_13, updated_at 2010_12_13;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Inbound Low Orbit Ion Cannon LOIC DDOS Tool desu string"; flow:to_server,established; content:"desudesudesu"; nocase; fast_pattern:only; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012049; rev:4; metadata:created_at 2010_12_13, updated_at 2010_12_13;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS Outbound Low Orbit Ion Cannon LOIC Tool Internal User May Be Participating in DDOS desu string"; flow:to_server,established; content:"desudesudesu"; nocase; fast_pattern:only; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012050; rev:4; metadata:created_at 2010_12_13, updated_at 2010_12_13;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 9495 (msg:"ET DOS IBM Tivoli Endpoint Buffer Overflow Attempt"; flow:established,to_server; content:"POST "; depth:5; isdataat:256,relative; content:!"|0A|"; within:256; reference:url, zerodayinitiative.com/advisories/ZDI-11-169/; classtype:denial-of-service; sid:2012938; rev:1; metadata:created_at 2011_06_07, updated_at 2011_06_07;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DOS Skype FindCountriesByNamePattern property Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"22C83263-E4B8-4233-82CD-FB047C6BF13E"; nocase; distance:0; content:".FindCountriesByNamePattern"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*22C83263-E4B8-4233-82CD-FB047C6BF13E/si"; reference:url,garage4hackers.com/f43/skype-5-x-activex-crash-poc-981.html; classtype:web-application-attack; sid:2013462; rev:2; metadata:created_at 2011_08_26, updated_at 2011_08_26;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DOS Skype FindCountriesByNamePattern property Buffer Overflow Attempt Format String Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"SkypePNRLib.PNR"; nocase; distance:0; content:".FindCountriesByNamePattern"; nocase; reference:url,garage4hackers.com/f43/skype-5-x-activex-crash-poc-981.html; classtype:attempted-user; sid:2013463; rev:2; metadata:created_at 2011_08_26, updated_at 2011_08_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DOS LOIC Javascript DDoS Outbound"; flow:established,to_server; content:"GET"; http_method; content:"/?id="; fast_pattern; http_uri; depth:5; content:"&msg="; http_uri; distance:13; within:5; pcre:"/^\/\?id=[0-9]{13}&msg=/U"; threshold: type both, track by_src, count 5, seconds 60; reference:url,isc.sans.org/diary/Javascript+DDoS+Tool+Analysis/12442; reference:url,www.wired.com/threatlevel/2012/01/anons-rickroll-botnet; classtype:attempted-dos; sid:2014141; rev:4; metadata:created_at 2012_01_23, updated_at 2012_01_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS High Orbit Ion Cannon (HOIC) Attack Inbound Generic Detection Double Spaced UA"; flow:established,to_server; content:"User-Agent|3a 20 20|";  http_raw_header; content:"User-Agent|3a 20 20|"; fast_pattern:only; threshold: type both, track by_src, count 225, seconds 60; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:attempted-dos; sid:2014153; rev:4; metadata:created_at 2012_01_27, updated_at 2012_01_27;)

#alert tcp any any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt"; flags:R; flow:to_server; flowbits:isset,ms.rdp.synack; flowbits:isnotset,ms.rdp.established; flowbits:unset,ms.rdp.synack; reference:cve,2012-0152; classtype:attempted-dos; sid:2014384; rev:8; metadata:created_at 2012_03_13, updated_at 2012_03_13;)

alert tcp $HOME_NET 3389 -> any any (msg:"ET DOS Microsoft Remote Desktop (RDP) Syn/Ack Outbound Flowbit Set"; flow:from_server,not_established; flags:SA; flowbits:isnotset,ms.rdp.synack; flowbits:set,ms.rdp.synack; flowbits:noalert; reference:cve,2012-0152; classtype:not-suspicious; sid:2014385; rev:6; metadata:created_at 2012_03_15, updated_at 2012_03_15;)

alert tcp any any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop (RDP) Session Established Flowbit Set"; flow:to_server,established; flowbits:isset,ms.rdp.synack; flowbits:unset,ms.rdp.synack; flowbits:set,ms.rdp.established; flowbits:noalert; reference:cve,2012-0152; classtype:not-suspicious; sid:2014386; rev:2; metadata:created_at 2012_03_15, updated_at 2012_03_15;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt Negative INT"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,<,0x80,0,relative,big; byte_test:1,&,0x80,1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014430; rev:13; metadata:created_at 2012_03_20, updated_at 2012_03_20;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,<,0x80,0,relative,big; byte_jump:1,0,relative; byte_test:1,<,0x06,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014431; rev:15; metadata:created_at 2012_03_20, updated_at 2012_03_20;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds Integer indef DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,>,0x80,0,relative; byte_test:1,<,0xFF,0,relative; byte_jump:1,0,relative, post_offset -128; byte_jump:1,-1,relative; byte_test:1,<,0x06,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020 vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014662; rev:1; metadata:created_at 2012_05_02, updated_at 2012_05_02;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds Negative Integer indef DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,>,0x80,0,relative; byte_test:1,<,0xFF,0,relative; byte_jump:1,0,relative, post_offset -128; byte_jump:1,-1,relative; byte_test:1,&,0x80,-1,relative,big; reference:url, www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020 vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014663; rev:1; metadata:created_at 2012_05_02, updated_at 2012_05_02;)

#alert icmp any any -> any any (msg:"ET DOS Microsoft Windows 7 ICMPv6 Router Advertisement Flood"; itype:134; icode:0; byte_test:1,&,0x08,2; content:"|03|"; offset:20; depth:1; byte_test:1,&,0x40,2,relative; byte_test:1,&,0x80,2,relative; threshold:type threshold, track by_src, count 10, seconds 1; reference:url,www.samsclass.info/ipv6/proj/proj8x-124-flood-router.htm; classtype:attempted-dos; sid:2014996; rev:3; metadata:created_at 2012_07_02, updated_at 2012_07_02;)

alert udp any any -> $HOME_NET 53 (msg:"ET DOS DNS Amplification Attack Inbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29|"; within:7; fast_pattern; byte_test:2,>,4095,0,relative; threshold: type both, track by_dst, seconds 60, count 5; classtype:bad-unknown; sid:2016016; rev:8; metadata:created_at 2012_12_11, updated_at 2012_12_11;)

#alert udp $HOME_NET 53 -> any any (msg:"ET DOS DNS Amplification Attack Outbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29|"; within:7; fast_pattern; byte_test:2,>,4095,0,relative; threshold: type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2016017; rev:7; metadata:created_at 2012_12_11, updated_at 2012_12_11;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DOS LOIC POST"; flow:established,to_server; content:"POST"; http_method; content:"13"; depth:2; http_client_body; content:"=MSG"; fast_pattern; http_client_body; distance:11; within:4; pcre:"/^13\d{11}/P"; threshold:type limit, track by_src, count 1, seconds 300; classtype:web-application-attack; sid:2016030; rev:3; metadata:created_at 2012_12_13, updated_at 2012_12_13;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DOS LOIC GET"; flow:established,to_server; content:"GET"; http_method; content:"/?msg=MSG"; http_uri; threshold:type limit, track by_src, count 1, seconds 300; classtype:web-application-attack; sid:2016031; rev:2; metadata:created_at 2012_12_13, updated_at 2012_12_13;)

alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5958 ST DeviceType Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*schemas\x3adevice\x3a[^\r\n\x3a]{181}/Ri"; content:"schemas|3a|device"; nocase; fast_pattern:only; reference:cve,CVE_2012-5958; reference:cve,CVE-2012-5962; classtype:attempted-dos; sid:2016322; rev:1; metadata:created_at 2013_01_31, updated_at 2013_01_31;)

alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5963 ST UDN Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*uuid\x3a[^\r\n\x3a]{181}/Ri"; reference:cve,CVE-2012-5963; classtype:attempted-dos; sid:2016323; rev:1; metadata:created_at 2013_01_31, updated_at 2013_01_31;)

alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5964 ST URN ServiceType Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*urn\x3aservice\x3a[^\r\n\x3a]{181}/Ri"; content:"urn|3a|service"; nocase; fast_pattern:only; reference:cve,CVE-2012-5964; classtype:attempted-dos; sid:2016324; rev:1; metadata:created_at 2013_01_31, updated_at 2013_01_31;)

alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5965 ST URN DeviceType Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*urn\x3adevice\x3a[^\r\n\x3a]{181}/Ri"; content:"urn|3a|device"; nocase; fast_pattern:only; reference:cve,CVE-2012-5965; classtype:attempted-dos; sid:2016325; rev:1; metadata:created_at 2013_01_31, updated_at 2013_01_31;)

alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5961 ST UDN Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*schemas\x3adevice\x3a[^\r\n\x3a]{1,180}\x3a[^\r\n\x3a]{181}/Ri"; content:"schemas|3a|device"; nocase; fast_pattern:only; reference:cve,CVE-2012-5961; classtype:attempted-dos; sid:2016326; rev:1; metadata:created_at 2013_01_31, updated_at 2013_01_31;)

alert udp any any -> $HOME_NET 1900 (msg:"ET DOS Miniupnpd M-SEARCH Buffer Overflow CVE-2013-0229"; content:"M-SEARCH"; depth:8; isdataat:1492,relative; content:!"|0d 0a|"; distance:1490; within:2; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,CVE-2013-0229; classtype:attempted-dos; sid:2016363; rev:2; metadata:created_at 2013_02_06, updated_at 2013_02_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS CVE-2013-0230 Miniupnpd SoapAction MethodName Buffer Overflow"; flow:to_server,established; content:"POST "; depth:5; content:"|0d 0a|SOAPAction|3a|"; nocase; distance:0; pcre:"/^[^\r\n]+#[^\x22\r\n]{2049}/R"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,CVE-2013-0230; classtype:attempted-dos; sid:2016364; rev:1; metadata:created_at 2013_02_06, updated_at 2013_02_06;)

#alert tcp any any -> $HOME_NET 3128 (msg:"ET DOS Squid-3.3.5 DoS"; flow:established,to_server; content:"Host|3a| "; http_header; pcre:"/^Host\x3a[^\x3a\r\n]+?\x3a[^\r\n]{6}/Hmi"; classtype:attempted-dos; sid:2017154; rev:1; metadata:created_at 2013_07_16, updated_at 2013_07_16;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DOS Trojan.BlackRev V1.Botnet HTTP Login POST Flood Traffic Inbound"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Synapse)"; fast_pattern:24,20; http_header; content:"login="; http_client_body; depth:6; content:"$pass="; http_client_body; within:50; threshold: type both, count 5, seconds 60, track by_src; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:attempted-dos; sid:2017722; rev:1; metadata:created_at 2013_11_14, updated_at 2013_11_14;)

alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x02"; content:"|00 02 2A|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017918; rev:2; metadata:created_at 2014_01_02, updated_at 2014_01_02;)

alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03"; content:"|00 03 2A|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017919; rev:2; metadata:created_at 2014_01_02, updated_at 2014_01_02;)

alert udp $HOME_NET 123 -> $EXTERNAL_NET any (msg:"ET DOS Possible NTP DDoS Multiple MON_LIST Seq 0 Response Spanning Multiple Packets IMPL 0x02"; content:"|00 02 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017920; rev:2; metadata:created_at 2014_01_02, updated_at 2014_01_02;)

alert udp $HOME_NET 123 -> $EXTERNAL_NET any (msg:"ET DOS Possible NTP DDoS Multiple MON_LIST Seq 0 Response Spanning Multiple Packets IMPL 0x03"; content:"|00 03 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017921; rev:2; metadata:created_at 2014_01_02, updated_at 2014_01_02;)

alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress MON_LIST Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2017965; rev:3; metadata:created_at 2014_01_13, updated_at 2014_01_13;)

alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress MON_LIST Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2017966; rev:3; metadata:created_at 2014_01_13, updated_at 2014_01_13;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DOS Inbound GoldenEye DoS attack"; flow:established,to_server; content:"/?"; fast_pattern; http_uri; depth:2; content:"="; http_uri; distance:3; within:11; pcre:"/^\/\?[a-zA-Z0-9]{3,10}=[a-zA-Z0-9]{3,20}(?:&[a-zA-Z0-9]{3,10}=[a-zA-Z0-9]{3,20})*?$/U"; content:"Keep|2d|Alive|3a|"; http_header; content:"Connection|3a| keep|2d|alive"; http_header; content:"Cache|2d|Control|3a|"; http_header; pcre:"/^Cache-Control\x3a\x20(?:max-age=0|no-cache)\r?$/Hm"; content:"Accept|2d|Encoding|3a|"; http_header; threshold: type both, track by_src, count 100, seconds 300; reference:url,github.com/jseidl/GoldenEye; classtype:denial-of-service; sid:2018208; rev:1; metadata:created_at 2014_03_04, updated_at 2014_03_04;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DOS Possible WordPress Pingback DDoS in Progress (Inbound)"; flow:established,to_server; content:"/xmlrpc.php"; http_uri; nocase; content:"pingback.ping"; nocase; http_client_body; fast_pattern; threshold:type both, track  by_src, count 5, seconds 90; classtype:attempted-dos; sid:2018277; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2014_03_14, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DOS HOIC with booster outbound"; flow:to_server,established; content:"GET"; http_method; content:"HTTP/1.0|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; content:"If-Modified-Since|3a 20 20|"; http_raw_header; content:"Keep-Alive|3a 20 20|"; http_raw_header; content:"Connection|3a 20 20|"; http_raw_header; content:"User-Agent|3a 20 20|"; http_raw_header; threshold: type both, count 1, seconds 60, track by_src; reference:md5,23fc64a5cac4406d7143ea26e8c4c7ab; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:trojan-activity; sid:2018977; rev:2; metadata:created_at 2014_08_21, updated_at 2014_08_21;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DOS HOIC with booster inbound"; flow:to_server,established; content:"GET"; http_method; content:"HTTP/1.0|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; content:"If-Modified-Since|3a 20 20|"; http_raw_header; content:"Keep-Alive|3a 20 20|"; http_raw_header; content:"Connection|3a 20 20|"; http_raw_header; content:"User-Agent|3a 20 20|"; http_raw_header; threshold: type both, count 1, seconds 60, track by_dst; reference:md5,23fc64a5cac4406d7143ea26e8c4c7ab; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:trojan-activity; sid:2018978; rev:1; metadata:created_at 2014_08_21, updated_at 2014_08_21;)

alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 00|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019010; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)

alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 00|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019011; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)

alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST_SUM Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 01|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019012; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)

alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST_SUM Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 01|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019013; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)

alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress GET_RESTRICT Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 10|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019014; rev:4; metadata:created_at 2014_08_25, updated_at 2014_08_25;)

alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress GET_RESTRICT Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 10|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019015; rev:4; metadata:created_at 2014_08_25, updated_at 2014_08_25;)

alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03"; content:"|00 03 00|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019016; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)

alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02"; content:"|00 02 00|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019017; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)

alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03"; content:"|00 03 01|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019018; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)

alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02"; content:"|00 02 01|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019019; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)

alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03"; content:"|00 03 10|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019020; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)

alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02"; content:"|00 02 10|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019021; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)

alert udp any 123 -> any any (msg:"ET DOS Likely NTP DDoS In Progress Multiple UNSETTRAP Mode 6 Responses"; content:"|df 00 00 04 00|"; offset:1; depth:5; byte_test:1,!&,128,0; byte_test:1,!&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,!&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019022; rev:4; metadata:created_at 2014_08_25, updated_at 2014_08_25;)

alert udp any any -> $HOME_NET 1900 (msg:"ET DOS Possible SSDP Amplification Scan in Progress"; content:"M-SEARCH * HTTP/1.1"; content:"ST|3a 20|ssdp|3a|all|0d 0a|"; nocase; distance:0; fast_pattern; threshold: type both,track by_src,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/29/weekly-metasploit-update; classtype:attempted-dos; sid:2019102; rev:1; metadata:created_at 2014_09_02, updated_at 2014_09_02;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely LOIC"; flow:to_server,established; dsize:18; content:"GET / HTTP/1.1|0d 0a 0d 0a|"; depth:18; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019346; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS HTTP GET AAAAAAAA Likely FireFlood"; flow:to_server,established; content:"GET AAAAAAAA HTTP/1.1"; content:!"Referer|3a|"; distance:0; content:!"Accept"; distance:0; content:!"|0d 0a|"; distance:0; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019347; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely AnonMafiaIC DDoS tool"; flow:to_server,established; dsize:20; content:"GET / HTTP/1.0|0d 0a 0d 0a 0d 0a|"; depth:20; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019348; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely AnonGhost DDoS tool"; flow:to_server,established; dsize:20; content:"GET / HTTP/1.1|0d 0a 0d 0a 0d 0a|"; depth:20; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019349; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely GoodBye 5.2 DDoS tool"; flow:to_server,established; dsize:<50; content:"|20|HTTP/1.1Host|3a 20|"; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019350; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)

#alert tcp $EXTERNAL_NET 10000: -> $HOME_NET 0:1023 (msg:"ET DOS Potential Tsunami SYN Flood Denial Of Service Attempt"; flags:S; dsize:>900; threshold: type both, count 20, seconds 120, track by_src; reference:url,security.radware.com/uploadedFiles/Resources_and_Content/Threat/TsunamiSYNFloodAttack.pdf; classtype:attempted-dos; sid:2019404; rev:2; metadata:created_at 2014_10_15, updated_at 2014_10_15;)

alert udp $HOME_NET 1434 -> $EXTERNAL_NET any (msg:"ET DOS MC-SQLR Response Outbound Possible DDoS Participation"; content:"|05|"; depth:1; content:"ServerName|3b|"; nocase; content:"InstanceName|3b|"; distance:0; content:"IsClustered|3b|"; distance:0; content:"Version|3b|"; distance:0; threshold:type both,track by_src,count 30,seconds 60; reference:url,kurtaubuchon.blogspot.com.es/2015/01/mc-sqlr-amplification-ms-sql-server.html; classtype:attempted-dos; sid:2020305; rev:4; metadata:created_at 2015_01_23, updated_at 2015_01_23;)

alert udp $EXTERNAL_NET 1434 -> $HOME_NET any (msg:"ET DOS MC-SQLR Response Inbound Possible DDoS Target"; content:"|05|"; depth:1; content:"ServerName|3b|"; nocase; content:"InstanceName|3b|"; distance:0; content:"IsClustered|3b|"; distance:0; content:"Version|3b|"; distance:0; threshold:type both,track by_dst,count 30,seconds 60; reference:url,kurtaubuchon.blogspot.com.es/2015/01/mc-sqlr-amplification-ms-sql-server.html; classtype:attempted-dos; sid:2020306; rev:3; metadata:created_at 2015_01_23, updated_at 2015_01_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DOS Bittorrent User-Agent inbound - possible DDOS"; flow:established,to_server; content:"User-Agent|3a| Bittorrent"; http_header; threshold: type both, count 1, seconds 60, track by_src; reference:url,torrentfreak.com/zombie-pirate-bay-tracker-fuels-chinese-ddos-attacks-150124/; classtype:attempted-dos; sid:2020702; rev:1; metadata:created_at 2015_03_18, updated_at 2015_03_18;)

alert udp $HOME_NET 5093 -> $EXTERNAL_NET any (msg:"ET DOS Possible Sentinal LM  Application attack in progress Outbound (Response)"; dsize:>1390; content:"|7a 00 00 00 00 00 00 00 00 00 00 00|"; depth:12; threshold: type both,track by_src,count 10,seconds 60; classtype:attempted-dos; sid:2021170; rev:1; metadata:created_at 2015_05_29, updated_at 2015_05_29;)

alert udp $EXTERNAL_NET 5093 -> $HOME_NET any (msg:"ET DOS Possible Sentinal LM Amplification attack (Response) Inbound"; dsize:>1390; content:"|7a 00 00 00 00 00 00 00 00 00 00 00|"; depth:12; threshold: type both,track by_src,count 10,seconds 60; classtype:attempted-dos; sid:2021171; rev:1; metadata:created_at 2015_05_29, updated_at 2015_05_29;)

alert udp $EXTERNAL_NET any -> $HOME_NET 5093 (msg:"ET DOS Possible Sentinal LM Amplification attack (Request) Inbound"; dsize:6; content:"|7a 00 00 00 00 00|"; threshold: type both,track by_dst,count 10,seconds 60; classtype:attempted-dos; sid:2021172; rev:1; metadata:created_at 2015_05_29, updated_at 2015_05_29;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Linux/Tsunami DOS User-Agent (x00_-gawa.sa.pilipinas.2015) INBOUND"; flow:to_server,established; content:"User-Agent|3a| x00_-gawa.sa.pilipinas.2015"; http_header; reference:url,vms.drweb.com/virus/?i=4656268; classtype:attempted-dos; sid:2022760; rev:1; metadata:created_at 2016_04_26, updated_at 2016_04_26;)

alert udp $EXTERNAL_NET 53 -> $HOME_NET 1:1023 (msg:"ET DOS DNS Amplification Attack Possible Inbound Windows Non-Recursive Root Hint Reserved Port"; content:"|81 00 00 01 00 00|"; depth:6; offset:2; byte_test:2,>,10,0,relative; byte_test:2,>,10,2,relative; content:"|0c|root-servers|03|net|00|"; distance:0; content:"|0c|root-servers|03|net|00|"; distance:0; threshold: type both, track by_dst, seconds 60, count 5; reference:url,twitter.com/sempersecurus/status/763749835421941760; reference:url,pastebin.com/LzubgtVb; classtype:bad-unknown; sid:2023053; rev:2; metadata:attack_target Server, deployment Datacenter, created_at 2016_08_12, performance_impact Low, updated_at 2016_08_12;)

alert udp $HOME_NET 53 -> $EXTERNAL_NET 1:1023 (msg:"ET DOS DNS Amplification Attack Possible Outbound Windows Non-Recursive Root Hint Reserved Port"; content:"|81 00 00 01 00 00|"; depth:6; offset:2; byte_test:2,>,10,0,relative; byte_test:2,>,10,2,relative; content:"|0c|root-servers|03|net|00|"; distance:0; content:"|0c|root-servers|03|net|00|"; distance:0; threshold: type both, track by_dst, seconds 60, count 5; reference:url,twitter.com/sempersecurus/status/763749835421941760; reference:url,pastebin.com/LzubgtVb; classtype:bad-unknown; sid:2023054; rev:2; metadata:attack_target Server, deployment Datacenter, created_at 2016_08_12, performance_impact Low, updated_at 2016_08_12;)

alert tcp any any -> $HOME_NET 445 (msg:"ET DOS Microsoft Windows LSASS Remote Memory Corruption (CVE-2017-0004)"; flow:established,to_server; content:"|FF|SMB|73|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; byte_test:1,&,0x08,6,relative; byte_test:1,&,0x10,5,relative; byte_test:1,&,0x04,5,relative; byte_test:1,&,0x02,5,relative; byte_test:1,&,0x01,5,relative; content:"|ff 00|"; distance:28; within:2; content:"|84|"; distance:25; within:1; content:"NTLMSSP"; fast_pattern; within:64; reference:url,github.com/lgandx/PoC/tree/master/LSASS; reference:url,support.microsoft.com/en-us/kb/3216771; reference:url,support.microsoft.com/en-us/kb/3199173; reference:cve,2017-0004; reference:url,technet.microsoft.com/library/security/MS17-004; classtype:attempted-dos; sid:2023497; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, deployment Datacenter, signature_severity Major, created_at 2016_11_11, performance_impact Low, updated_at 2017_01_12;)

alert tcp any 445 -> $HOME_NET any (msg:"ET DOS Excessive Large Tree Connect Response"; flow:from_server,established; byte_test:  3,>,1000,1; content: "|fe 53 4d 42 40 00|"; offset: 4; depth: 6;  content: "|03 00|"; offset: 16; depth:2;  reference:url,isc.sans.edu/forums/diary/Windows+SMBv3+Denial+of+Service+Proof+of+Concept+0+Day+Exploit/22029/; classtype:attempted-dos; sid:2023831; rev:2; metadata:affected_product SMBv3, attack_target Client_and_Server, deployment Datacenter, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)

alert tcp any 445 -> $HOME_NET any (msg:"ET DOS SMB Tree_Connect Stack Overflow Attempt (CVE-2017-0016)"; flow:from_server,established; content:"|FE|SMB"; offset:4; depth:4; content:"|03 00|"; distance:8; within:2; byte_test:1,&,1,2,relative; byte_jump:2,8,little,from_beginning; byte_jump:2,4,relative,little; isdataat:1000,relative; content:!"|FE|SMB"; within:1000; reference:cve,2017-0016; classtype:attempted-dos; sid:2023832; rev:3; metadata:affected_product SMBv3, attack_target Client_and_Server, deployment Datacenter, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_07;)

#alert tcp any any -> $HOME_NET [139,445] (msg:"ET DOS Possible SMBLoris NBSS Length Mem Exhaustion Vuln Inbound"; flow:established,to_server; content:"|00 01|"; depth:2; threshold:type both,track by_dst,count 3, seconds 90; metadata: former_category DOS; reference:url,isc.sans.edu/forums/diary/SMBLoris+the+new+SMB+flaw/22662/; classtype:trojan-activity; sid:2024510; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Internal, signature_severity Major, created_at 2017_08_02, performance_impact Significant, updated_at 2017_08_02;)

alert tcp any any -> $HOME_NET [139,445] (msg:"ET DOS SMBLoris NBSS Length Mem Exhaustion Attempt (PoC Based)"; flow:established,to_server; content:"|00 01 ff ff|"; depth:4; threshold:type both,track by_dst,count 30, seconds 300; metadata: former_category DOS; reference:url,isc.sans.edu/forums/diary/SMBLoris+the+new+SMB+flaw/22662/; classtype:trojan-activity; sid:2024511; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Internal, signature_severity Major, created_at 2017_08_02, performance_impact Significant, updated_at 2017_08_03;)

alert udp $EXTERNAL_NET 389 -> $HOME_NET 389 (msg:"ET DOS CLDAP Amplification Reflection (PoC based)"; dsize:52; content:"|30 84 00 00 00 2d 02 01 01 63 84 00 00 00 24 04 00 0a 01 00|"; fast_pattern; threshold:type both, count 100, seconds 60, track by_src; metadata: former_category DOS; reference:url,www.akamai.com/us/en/multimedia/documents/state-of-the-internet/cldap-threat-advisory.pdf; reference:url,packetstormsecurity.com/files/139561/LDAP-Amplication-Denial-Of-Service.html; classtype:attempted-dos; sid:2024584; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Server, deployment Perimeter, signature_severity Major, created_at 2017_08_16, performance_impact Significant, updated_at 2017_08_16;)

alert udp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"ET DOS Potential CLDAP Amplification Reflection"; content:"objectclass0"; fast_pattern; threshold:type both, count 200, seconds 60, track by_src; metadata: former_category DOS; reference:url,www.akamai.com/us/en/multimedia/documents/state-of-the-internet/cldap-threat-advisory.pdf; reference:url,packetstormsecurity.com/files/139561/LDAP-Amplication-Denial-Of-Service.html; classtype:attempted-dos; sid:2024585; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, deployment Perimeter, signature_severity Major, created_at 2017_08_16, performance_impact Significant, updated_at 2017_08_16;)

alert udp $EXTERNAL_NET any -> any 11211 (msg:"ET DOS Possible Memcached DDoS Amplification Query (set)"; content:"|00 00 00 00 00 01 00|"; depth:7; fast_pattern; content:"|0d 0a|"; distance:0; within:20; isdataat:!1,relative; threshold: type both, count 100, seconds 60, track by_dst; flowbits:set,ET.memcached.ddos; metadata: former_category DOS; reference:url,blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/; classtype:attempted-dos; sid:2025401; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Server, deployment Perimeter, signature_severity Major, created_at 2018_03_01, performance_impact Low, updated_at 2018_03_01;)

alert udp any 11211 -> $EXTERNAL_NET any (msg:"ET DOS Possible Memcached DDoS Amplification Response Outbound"; flowbits:isset,ET.memcached.ddos; content:"STATS|20|pid"; depth:9; fast_pattern; threshold: type both, count 100, seconds 60, track by_dst; metadata: former_category DOS; reference:url,blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/; classtype:attempted-dos; sid:2025402; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Server, deployment Perimeter, signature_severity Major, created_at 2018_03_01, performance_impact Low, updated_at 2018_03_01;)

alert udp $EXTERNAL_NET 11211 -> $HOME_NET any (msg:"ET DOS Possible Memcached DDoS Amplification Inbound"; content:"STATS|20|pid"; depth:9; fast_pattern; threshold: type both, count 100, seconds 60, track by_dst; metadata: former_category DOS; reference:url,blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/; classtype:attempted-dos; sid:2025403; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_01, performance_impact Low, updated_at 2018_03_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Adobe Acrobat Reader Malicious URL Null Byte"; flow: to_server,established; content:".pdf|00|"; fast_pattern:only; nocase; http_uri; reference:url,idefense.com/application/poi/display?id=126&type=vulnerabilities; reference:url,www.securiteam.com/windowsntfocus/5BP0D20DPW.html; reference:cve,2004-0629; reference:url,doc.emergingthreats.net/bin/view/Main/2001217; classtype:attempted-admin; sid:2001217; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"ET EXPLOIT Arkeia full remote access without password or authentication"; flow:to_server,established; content:"|464F3A20596F75206861766520737563|"; content:"|6520636C69656E7420696E666F726D61|"; reference:url,metasploit.com/research/vulns/arkeia_agent; reference:url,doc.emergingthreats.net/bin/view/Main/2001742; classtype:attempted-admin; sid:2001742; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:"ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow"; content:"|44 53 52 65 71 75 65 73 74|"; pcre:"/[0-9a-zA-Z]{50}/R"; reference:bugtraq,28084; reference:url,aluigi.altervista.org/adv/visibroken-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007937; classtype:successful-dos; sid:2007937; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 2200 (msg:"ET EXPLOIT CA BrightStor ARCserve Mobile Backup LGSERVER.EXE Heap Corruption"; flow:established,to_server; content:"|4e 3d 2c 1b|"; depth:4; isdataat:2891,relative; reference:cve,2007-0449; reference:url,doc.emergingthreats.net/bin/view/Main/2003369; classtype:attempted-admin; sid:2003369; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"ET EXPLOIT Computer Associates Brightstor ARCServer Backup RPC Server (Catirpc.dll) DoS"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 00 00 03|"; distance:8; within:4; content:"|00 00 00 08|"; distance:0; within:4; content:"|00 00 00 00|"; distance:0; within:4; content:"|00 00 00 00|"; distance:4; within:4; content:"|00 00 00 00 00 00 00 00|"; distance:8; within:32; reference:url,www.milw0rm.com/exploits/3248; reference:url,doc.emergingthreats.net/bin/view/Main/2003370; classtype:attempted-dos; sid:2003370; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET EXPLOIT Computer Associates Mobile Backup Service LGSERVER.EXE Stack Overflow"; flow:established,to_server; content:"0000033000"; depth:10; isdataat:1000,relative; reference:url,www.milw0rm.com/exploits/3244; reference:url,doc.emergingthreats.net/bin/view/Main/2003378; classtype:attempted-admin; sid:2003378; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 2200 (msg:"ET EXPLOIT Computer Associates BrightStor ARCserve Backup for Laptops LGServer.exe DoS"; flow:established,to_server; content:"|ff ff ff ff|"; offset:16; depth:4; reference:url,www.securityfocus.com/archive/1/archive/1/458650/100/0/threaded; reference:url,doc.emergingthreats.net/bin/view/Main/2003379; classtype:attempted-dos; sid:2003379; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET EXPLOIT Computer Associates Brightstor ARCServe Backup Mediasvr.exe Remote Exploit"; flow:established,to_server; content:"|00 06 09 7e|"; offset:16; depth:4; content:"|00 00 00 bf 00 00 00 00 00 00 00 00|"; distance:4; within:12; reference:url,www.milw0rm.com/exploits/3604; reference:url,doc.emergingthreats.net/bin/view/Main/2003518; classtype:attempted-admin; sid:2003518; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET EXPLOIT CA Brightstor ARCServe caloggerd DoS"; flow:established,to_server; content:"|00 06 09 82|"; offset:16; depth:4; content:"|00 00 00 01 00 00 00 00 00 00 00 00|"; within:12; reference:url,www.milw0rm.com/exploits/3939; reference:url,doc.emergingthreats.net/bin/view/Main/2003750; classtype:attempted-dos; sid:2003750; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET EXPLOIT CA Brightstor ARCServe Mediasvr DoS"; flow:established,to_server; content:"|00 06 09 7e|"; offset:16; depth:4; content:"|00 00 00 7e 00 00 00 00 00 00 00 00|"; within:12; reference:url, www.milw0rm.com/exploits/3940; reference:url,doc.emergingthreats.net/bin/view/Main/2003751; classtype:attempted-dos; sid:2003751; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"ET EXPLOIT CVS server heap overflow attempt (target Linux)"; flow: to_server,established; dsize: >512; content:"|45 6e 74 72 79 20 43 43 43 43 43 43 43 43 43 2f 43 43|"; offset: 0; depth: 20; threshold: type limit, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/2000048; classtype:attempted-admin; sid:2000048; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"ET EXPLOIT CVS server heap overflow attempt (target BSD)"; flow: to_server,established; dsize: >512; content:"|45 6e 74 72 79 20 61 61 61 61 61 61 61 61 61 61 61 61|"; offset: 0; depth: 18; threshold: type limit, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/2000031; classtype:attempted-admin; sid:2000031; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"ET EXPLOIT CVS server heap overflow attempt (target Solaris)"; flow: to_server,established; dsize: >512; content:"|41 72 67 75 6d 65 6e 74 20 62 62 62 62 62 62 62 62 62|"; offset: 0; depth: 18; threshold: type limit, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/2000049; classtype:attempted-admin; sid:2000049; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET EXPLOIT Catalyst SSH protocol mismatch"; flow: to_server,established; content:"|61 25 61 25 61 25 61 25 61 25 61 25 61 25|"; reference:url,www.cisco.com/warp/public/707/catalyst-ssh-protocolmismatch-pub.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000007; classtype:attempted-dos; sid:2000007; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT Cisco Telnet Buffer Overflow"; flow: to_server,established; content:"|3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 61 7e 20 25 25 25 25 25 58 58|"; detection_filter: track by_src, count 1, seconds 120; reference:url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000005; classtype:attempted-dos; sid:2000005; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET EXPLOIT UPnP DLink M-Search Overflow Attempt"; content:"M-SEARCH "; depth:9; nocase; isdataat:500,relative; pcre:"/M-SEARCH\s+[^\n]{500}/i"; reference:url,www.eeye.com/html/research/advisories/AD20060714.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003039; classtype:attempted-user; sid:2003039; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Incoming Electronic Mail for UNIX Expires Header Buffer Overflow Exploit"; flow:established; content:"Expires|3a|"; content:"|40 60 6e 63|"; distance:52; within:300; content:"|2d 70|"; distance:2; within:20; reference:url,www.frsirt.com/exploits/20050822.elmexploit.c.php; reference:url,www.instinct.org/elm/; reference:url,doc.emergingthreats.net/bin/view/Main/2002315; classtype:misc-attack; sid:2002315; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET EXPLOIT Outgoing Electronic Mail for UNIX Expires Header Buffer Overflow Exploit"; flow:established; content:"Expires|3a|"; content:"|40 60 6e 63|"; distance:52; within:300; content:"|2d 70|"; distance:2; within:20; reference:url,www.frsirt.com/exploits/20050822.elmexploit.c.php; reference:url,www.instinct.org/elm/; reference:url,doc.emergingthreats.net/bin/view/Main/2002316; classtype:misc-attack; sid:2002316; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 427 (msg:"ET EXPLOIT ExtremeZ-IP File and Print Server Multiple Vulnerabilities - udp"; content:"language"; content:"|65 7a 69 70 3a 2f 2f 62 6c 61 2f 62 6c 61 3f 53 4e 3d 62 6c 61 3f 50 4e 3d 62 6c 61 3f 55 4e 3d 62 6c 61|"; reference:bugtraq,27718; reference:url,aluigi.altervista.org/adv/ezipirla-adv.txt; reference:cve,CVE-2008-0767; reference:url,doc.emergingthreats.net/bin/view/Main/2007876; classtype:successful-dos; sid:2007876; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 548 (msg:"ET EXPLOIT ExtremeZ-IP File and Print Server Multiple Vulnerabilities - tcp"; flow:established,to_server; content:"|12 06 41 46 50 33 2e 31|"; pcre:"/[a-zA-Z0-9]{5}/i"; reference:bugtraq,27718; reference:url,aluigi.altervista.org/adv/ezipirla-adv.txt; reference:cve,CVE-2008-0759; reference:url,doc.emergingthreats.net/bin/view/Main/2007877; classtype:successful-dos; sid:2007877; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT GsecDump executed"; flow:to_server,established; content:"|67 00 73 00 65 00 63 00 64 00 75 00 6d 00 70 00 2e 00 65 00 78 00 65|"; reference:url,xinn.org/Snort-gsecdump.html; reference:url,doc.emergingthreats.net/2010783; classtype:suspicious-filename-detect; sid:2010783; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-1"; flow:established; content:"cwd"; depth:4; nocase; dsize:>74; pcre:"/(\/\.){70,}/i"; reference:url,milw0rm.com/exploits/6738; reference:cve,CVE-2008-4572; reference:bugtraq,31729; reference:url,doc.emergingthreats.net/bin/view/Main/2008776; classtype:web-application-attack; sid:2008776; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-2"; flow:established; content:"list"; depth:5; nocase; dsize:>74; pcre:"/[\w]{70,}/i"; reference:url,milw0rm.com/exploits/6738; reference:cve,CVE-2008-4572; reference:bugtraq,31729; reference:url,doc.emergingthreats.net/bin/view/Main/2008777; classtype:web-application-attack; sid:2008777; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT GuppY error.php POST Arbitrary Remote Code Execution"; flow: to_server,established; content:"POST"; http_method; nocase; content:"/error.php?"; nocase; http_uri; content:"err="; nocase; http_uri; pcre:"/Cookie\:\ +REMOTE_ADDR=/i"; reference:bugtraq,15609; reference:url,doc.emergingthreats.net/bin/view/Main/2003332; classtype:web-application-attack; sid:2003332; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 1530 (msg:"ET EXPLOIT HP Open View Data Protector Buffer Overflow Attempt"; flow:established,to_server; content:"|B6 29 8C 23 FF FF FF|"; pcre:"/\xB6\x29\x8C\x23\xFF\xFF\xFF[\xF8-\xFF]/"; reference:url,dvlabs.tippingpoint.com/advisory/TPTI-09-15; reference:url,doc.emergingthreats.net/2010546; reference:cve,2007-2281; classtype:attempted-admin; sid:2010546; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"ET EXPLOIT HP-UX Printer LPD Command Insertion"; flow:established,to_server; content:"|02|msf28|30|"; depth:7; content:"|60|"; distance:0; within:20; reference:cve,2005-3277; reference:bugtraq,15136; reference:url,doc.emergingthreats.net/bin/view/Main/2002852; classtype:attempted-user; sid:2002852; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible IIS FTP Exploit attempt - Large SITE command"; flow:established,to_server; content:"SITE "; nocase; isdataat:150,relative; content:!"|0d 0a|"; within:150; reference:url,www.milw0rm.com/exploits/9541; reference:url,doc.emergingthreats.net/2009828; reference:cve,2009-3023; classtype:attempted-admin; sid:2009828; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT IIS FTP Exploit - NLST Globbing Exploit"; flow:established,to_server; content:"NLST "; nocase; content:"|2a 2f 2e 2e 2f|"; reference:url,www.milw0rm.com/exploits/9541; reference:url,doc.emergingthreats.net/2009860; reference:cve,2009-3023; classtype:attempted-admin; sid:2009860; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid non-fragmented packet with fragment offset>0"; fragbits: !M; fragoffset: >0; reference:url,doc.emergingthreats.net/bin/view/Main/2001022; classtype:bad-unknown; sid:2001022; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid fragment - ACK reset"; fragbits: M; flags: !A,12; reference:url,doc.emergingthreats.net/bin/view/Main/2001023; classtype:bad-unknown; sid:2001023; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid fragment - illegal flags"; fragbits: M; flags: *FSR,12; reference:url,doc.emergingthreats.net/bin/view/Main/2001024; classtype:bad-unknown; sid:2001024; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT JamMail Jammail.pl Remote Command Execution Attempt"; flow: to_server,established; content:"/cgi-bin/jammail.pl?"; nocase; http_uri; fast_pattern:only; pcre:"/[\?&]mail=[^&]+?[\x3b\x2c\x7c\x27]/Ui"; reference:bugtraq,13937; reference:url,doc.emergingthreats.net/bin/view/Main/2001990; classtype:web-application-attack; sid:2001990; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT libPNG - Width exceeds limit"; flow: established,from_server; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; byte_test:4,>,0x80000000,8,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001191; classtype:misc-activity; sid:2001191; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT libPNG - Possible integer overflow in allocation in png_handle_sPLT"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; content:"sPLT"; isdataat:80,relative; content:!"|00|"; distance: 0; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001195; classtype:misc-activity; sid:2001195; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT libpng tRNS overflow attempt"; flow: established,to_client; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:!"PLTE"; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; reference:cve,CAN-2004-0597; reference:url,doc.emergingthreats.net/bin/view/Main/2001058; classtype:attempted-admin; sid:2001058; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Linksys WRT54g Authentication Bypass Attempt"; flow:established,to_server; content:"/Security.tri"; nocase; http_uri; content:"SecurityMode=0"; nocase; reference:url,secunia.com/advisories/21372/; reference:url,doc.emergingthreats.net/bin/view/Main/2003072; classtype:attempted-admin; sid:2003072; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Linksys WAP54G debug.cgi Shell Access as Gemtek"; flow:established,to_server; content:"Authorization|3a| Basic R2VtdGVrOmdlbXRla3N3ZA==|0d 0a|"; http_header; content:"/debug.cgi"; http_uri; reference:url,seclists.org/fulldisclosure/2010/Jun/176; reference:url,doc.emergingthreats.net/2011669; classtype:attempted-admin; sid:2011669; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MS04-032 Windows Metafile (.emf) Heap Overflow Exploit"; flow: established; content:"|45 4D 46|"; content:"|EB 12 90 90 90 90 90 90|"; content:"|9e 5c 05 78|"; nocase; reference:url,www.k-otik.com/exploits/20041020.HOD-ms04032-emf-expl2.c.php; reference:url,doc.emergingthreats.net/bin/view/Main/2001369; classtype:shellcode-detect; sid:2001369; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MS04-032 Windows Metafile (.emf) Heap Overflow Portbind Attempt"; flow: established; content:"|45 4D 46|"; content:"|23 6A 75 4E|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001363; classtype:shellcode-detect; sid:2001363; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MS04-032 Windows Metafile (.emf) Heap Overflow Connectback Attempt"; flow: established; content:"|45 4D 46|"; content:"|5E 79 72 63|"; content:"|48 4F 44 21|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001364; classtype:shellcode-detect; sid:2001364; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS04-032 Bad EMF file"; flow: from_server,established; content:"|01 00 00 00|"; depth: 4; content:"|20 45 4d 46|"; offset: 40; depth: 44; byte_test:4, >, 256, 60, little; reference:url,www.sygate.com/alerts/SSR20041013-0001.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2001374; classtype:misc-activity; sid:2001374; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Exploit MS05-002 Malformed .ANI stack overflow attack"; flow: to_client,established; content:"RIFF"; content:"ACON"; distance: 8; content:"anih"; distance: 160; byte_test:4,>,36,0,relative,little; reference:url,doc.emergingthreats.net/bin/view/Main/2001668; classtype:misc-attack; sid:2001668; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT MS05-021 Exchange Link State - Possible Attack (1)"; flow: to_server,established; content:"X-LINK2STATE"; fast_pattern:only; nocase; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001848; classtype:misc-activity; sid:2001848; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 691 (msg:"ET EXPLOIT MS05-021 Exchange Link State - Possible Attack (2)"; flow: to_server,established; content:"X-LSA-2"; fast_pattern:only; nocase; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001849; classtype:misc-activity; sid:2001849; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET EXPLOIT MS Exchange Link State Routing Chunk (maybe MS05-021)"; flow: to_server, established; content:"X-LINK2STATE"; nocase; content:"CHUNK="; nocase; threshold: type limit, track by_src, count 1, seconds 60; flowbits:set,msxlsa; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001873; classtype:misc-activity; sid:2001873; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"ET EXPLOIT TCP Reset from MS Exchange after chunked data, probably crashed it (MS05-021)"; flags: R; flowbits:isset,msxlsa; flowbits: unset,msxlsa; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001874; classtype:misc-activity; sid:2001874; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT BMP with invalid bfOffBits"; flow:established,to_client; content:"|0d 0a 0d 0a|BM"; fast_pattern; byte_test:4,>,14,0,relative; content:"|0000000000000000|"; distance:4; within:8; reference:url,www.microsoft.com/technet/security/Bulletin/ms06-005.mspx; reference:cve,2006-0006; reference:bugtraq,16633; reference:url,doc.emergingthreats.net/bin/view/Main/2002803; classtype:attempted-user; sid:2002803; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT DOS Microsoft Windows SRV.SYS MAILSLOT "; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03|"; distance:21; content:"|01 00 00 00 00 00|"; distance:1; within:6; byte_test:2,=,17,0,little,relative; content:"|5C|MAILSLOT|5C|"; within:10; distance:2; reference:url,www.milw0rm.com/exploits/2057; reference:url,www.microsoft.com/technet/security/bulletin/MS06-035.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2003067; classtype:attempted-dos; sid:2003067; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MSSQL Hello Overflow Attempt"; flow:established,to_server; dsize:>400; content:"|12 01 00 34 00 00 00 00|"; offset:0; depth:8; reference:cve,2002-1123; reference:bugtraq,5411; reference:url,doc.emergingthreats.net/bin/view/Main/2002845; classtype:attempted-admin; sid:2002845; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MS-SQL SQL Injection closing string plus line comment"; flow: to_server,established; content:"'|00|"; content:"-|00|-|00|"; reference:url,owasp.org/index.php/SQL_Injection; reference:url,doc.emergingthreats.net/bin/view/Main/2000488; classtype:attempted-user; sid:2000488; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MS-SQL SQL Injection running SQL statements line comment"; flow: to_server,established; content:"|3b 00|"; content:"-|00|-|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000372; classtype:attempted-user; sid:2000372; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MS-SQL SQL Injection line comment"; flow: to_server,established; content:"-|00|-|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000373; classtype:attempted-user; sid:2000373; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET EXPLOIT MS-SQL heap overflow attempt"; content:"|08 3A 31|"; depth: 3; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000377; classtype:attempted-admin; sid:2000377; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET EXPLOIT MS-SQL DOS attempt (08)"; dsize: >1; content:"|08|"; depth: 1; content:!"|3A|"; offset: 1; depth: 1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000378; classtype:attempted-dos; sid:2000378; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET EXPLOIT MS-SQL DOS attempt (08) 1 byte"; dsize: 1; content:"|08|"; depth: 1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000379; classtype:attempted-dos; sid:2000379; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET EXPLOIT MS-SQL Spike buffer overflow"; content:"|12 01 00 34|"; depth: 4; reference:bugtraq,5411; reference:url,doc.emergingthreats.net/bin/view/Main/2000380; classtype:attempted-admin; sid:2000380; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_servicecontrol access"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|c|00|o|00|n|00|t|00|r|00|o|00|l|00|"; nocase; reference:url,doc.emergingthreats.net/2009999; classtype:attempted-user; sid:2009999; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_fileexist access"; flow:to_server,established; content:"x|00|p|00|_|00|f|00|i|00|l|00|e|00|e|00|x|00|i|00|s|00|t|00|"; nocase; reference:url,doc.emergingthreats.net/2010000; classtype:attempted-user; sid:2010000; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_enumerrorlogs access"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|e|00|r|00|r|00|o|00|r|00|l|00|o|00|g|00|s|00|"; nocase; metadata: former_category ATTACK_RESPONSE; reference:url,doc.emergingthreats.net/2010001; classtype:attempted-user; sid:2010001; rev:4; metadata:created_at 2010_07_30, updated_at 2018_01_09;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_readerrorlogs access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|a|00|d|00|e|00|r|00|r|00|o|00|r|00|l|00|o|00|g|00|s|00|"; nocase; metadata: former_category ATTACK_RESPONSE; reference:url,doc.emergingthreats.net/2010002; classtype:attempted-user; sid:2010002; rev:5; metadata:created_at 2010_07_30, updated_at 2018_01_09;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_enumdsn access"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|d|00|s|00|n|00|"; nocase; metadata: former_category ATTACK_RESPONSE; reference:url,doc.emergingthreats.net/2010003; classtype:attempted-user; sid:2010003; rev:5; metadata:created_at 2010_07_30, updated_at 2018_01_09;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET EXPLOIT MDAEMON (Post Auth) Remote Root IMAP FETCH Command Universal Exploit"; flow:established,to_server; content:"FLAGS BODY"; pcre:"/[0-9a-zA-Z]{200,}/R"; content:"|EB 06 90 90 8b 11 DC 64 90|"; distance:0; reference:url,www.milw0rm.com/exploits/5248; reference:bugtraq,28245; reference:url,doc.emergingthreats.net/bin/view/Main/2008063; reference:cve,2008-1358; classtype:successful-user; sid:2008063; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg:"ET EXPLOIT MySQL MaxDB Buffer Overflow"; flow: to_server,established; content:"GET"; content:"|31 c9 83 e9 af d9 ee|"; pcre:"/(GET).\/%.{1586,}/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2001988; classtype:attempted-admin; sid:2001988; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET EXPLOIT Possible Novell Groupwise Internet Agent CREATE Verb Stack Overflow Attempt"; flow:established,to_server; content:"|41 30 30 31|"; depth:4; content:"CREATE "; within:10; isdataat:500,relative; content:!"|0A|"; within:500; reference:url,www.exploit-db.com/exploits/14379/; reference:url,www.zerodayinitiative.com/advisories/ZDI-10-129/; reference:url,www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7006374&sliceId=2&docTypeID=DT_TID_1_1&dialogID=155271264&stateId=0 0 155267598; reference:url,doc.emergingthreats.net/2011235; classtype:attempted-admin; sid:2011235; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /nds"; flow:to_server,established; content:"/nds"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:!"|0d0a|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003145; classtype:web-application-attack; sid:2003145; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /dhost"; flow:to_server,established; content:"/dhost"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:!"|0d0a|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003146; classtype:web-application-attack; sid:2003146; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /nds (linewrap)"; flow:to_server,established; content:"/nds"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:"|0d0a20|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003148; classtype:web-application-attack; sid:2003148; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /dhost (linewrap)"; flow:to_server,established; content:"/dhost"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:"|0d0a20|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003147; classtype:web-application-attack; sid:2003147; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 8800 (msg:"ET EXPLOIT Now SMS/MMS Gateway HTTP BOF Vulnerability"; flow:established,to_server; content:"GET "; depth:4; content:"Authorization:"; distance:0; content:"Basic"; distance:0; pcre:"/Authorization\x3a\s*Basic\s*[a-zA-Z0-9]{255,}==/i"; reference:bugtraq,27896; reference:url,aluigi.altervista.org/adv/nowsmsz-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007874; classtype:web-application-attack; sid:2007874; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 2775 (msg:"ET EXPLOIT Now SMS/MMS Gateway SMPP BOF Vulnerability"; flow:established,to_server; content:"|00 00 00 04|"; content:"|00 00 00 01|"; distance:1; pcre:"/[a-zA-Z0-9]{1000,}/i"; reference:bugtraq,27896; reference:url,aluigi.altervista.org/adv/nowsmsz-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007875; classtype:web-application-attack; sid:2007875; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT US-ASCII Obfuscated script"; flow:established,from_server; content:"US-ASCII"; fast_pattern:only; nocase; pcre:"/\xbc[\xf3\xd3][\xe3\xc3][\xf2\xd2][\xe9\xc9][\xf0\xd0][\xf4\xd4]/"; reference:url,www.internetdefence.net/2007/02/06/Javascript-payload; reference:cve,2006-3227; reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; reference:url,doc.emergingthreats.net/bin/view/Main/2003400; classtype:web-application-attack; sid:2003400; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT US-ASCII Obfuscated VBScript download file"; flow:established,from_server; content:"US-ASCII"; fast_pattern:only; nocase; pcre:"/\xae[\xef\xcf][\xf0\xd0][\xe5\xc5][\xee\xce]\xa0\xa2[\xe7\xc7][\xe5\xc5][\xf4\xd4]\xa2/"; reference:url,www.internetdefence.net/2007/02/06/Javascript-payload; reference:cve,2006-3227; reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; reference:url,doc.emergingthreats.net/bin/view/Main/2003401; classtype:web-application-attack; sid:2003401; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT US-ASCII Obfuscated VBScript execute command"; flow:established,from_server; content:"US-ASCII"; fast_pattern:only; nocase; pcre:"/[\xf3\xd3][\xe8\xc8][\xe5\xc5][\xec\xcc][\xec\xcc][\xe5\xc5][\xf8\xd8][\xe5\xc5][\xe3\xc3][\xf5\xd5][\xf4\xd4][\xe5\xc5]/"; reference:url,www.internetdefence.net/2007/02/06/Javascript-payload; reference:cve,2006-3227; reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; reference:url,doc.emergingthreats.net/bin/view/Main/2003402; classtype:web-application-attack; sid:2003402; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT US-ASCII Obfuscated VBScript"; flow:established,from_server; content:"US-ASCII"; fast_pattern:only; nocase; pcre:"/[\xf6\xd6][\xe2\xc2][\xf3\xd3][\xe3\xc3][\xf2\xd2][\xe9\xc9][\xf0\xd0][\xf4\xd4]/"; reference:url,www.internetdefence.net/2007/02/06/Javascript-payload; reference:cve,2006-3227; reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; reference:url,doc.emergingthreats.net/bin/view/Main/2003403; classtype:web-application-attack; sid:2003403; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ET EXPLOIT SYS get_domain_index_metadata Privilege Escalation Attempt"; flow:established,to_server; content:"ODCIIndexMetadata"; nocase; content:"sys.dbms_export_extension.get_domain_index_metadata"; nocase; reference:bugtraq,17699; reference:url,doc.emergingthreats.net/bin/view/Main/2002886; classtype:attempted-admin; sid:2002886; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ET EXPLOIT SYS get_domain_index_tables Access"; flow:established,to_server; content:"sys.dbms_export_extension.get_domain_index_tables"; nocase; reference:bugtraq,17699; reference:url,doc.emergingthreats.net/bin/view/Main/2002887; classtype:attempted-admin; sid:2002887; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ET EXPLOIT SYS get_v2_domain_index_tables Privilege Escalation Attempt"; flow:established,to_server; content:"ODCIIndexUtilGetTableNames"; nocase; content:"sys.dbms_export_extension.get_v2_domain_index_tables"; nocase; reference:bugtraq,17699; reference:url,doc.emergingthreats.net/bin/view/Main/2002888; classtype:attempted-admin; sid:2002888; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $ORACLE_PORTS (msg:"ET EXPLOIT Possible Oracle Database Text Component ctxsys.drvxtabc.create_tables Remote SQL Injection Attempt"; flow:established,to_server; content:"ctxsys|2E|drvxtabc|2E|create|5F|tables"; nocase; content:"dbms|5F|sql|2E|execute"; nocase; distance:0; pcre:"/ctxsys\x2Edrvxtabc\x2Ecreate\x5Ftables.+(SELECT|DELETE|CREATE|INSERT|UPDATE|OUTFILE)/si"; reference:url,www.securityfocus.com/bid/36748; reference:cve,2009-1991; reference:url,doc.emergingthreats.net/2010375; classtype:attempted-admin; sid:2010375; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP .message file write"; flow:to_server,established; content:"STOR "; nocase; depth:5; content:".message|0d 0a|"; distance:0; pcre:"/[^a-zA-Z0-9]+\.message/"; flowbits:set,BE.ftp.message; reference:url,www.milw0rm.com/exploits/2856; reference:url,doc.emergingthreats.net/bin/view/Main/2003196; classtype:misc-attack; sid:2003196; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT ProFTPD .message file overflow attempt"; flowbits:isset,BE.ftp.message; flow:to_server,established; content:"CWD "; depth:4; nocase; flowbits:unset,BE.ftp.message; reference:url,www.milw0rm.com/exploits/2856; reference:url,doc.emergingthreats.net/bin/view/Main/2003197; classtype:misc-attack; sid:2003197; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Pwdump3e Session Established Reg-Entry port 139"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2000565; classtype:suspicious-login; sid:2000565; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Pwdump3e Session Established Reg-Entry port 445"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2000566; classtype:suspicious-login; sid:2000566; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Pwdump3e pwservice.exe Access port 445"; flow: to_server,established; content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2000564; classtype:misc-attack; sid:2000564; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Pwdump3e pwservice.exe Access port 139"; flow: to_server,established; content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2000567; classtype:misc-attack; sid:2000567; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET 445 -> any any (msg:"ET EXPLOIT Pwdump3e Password Hash Retrieval port 445"; flow: from_server,established; content:"|3a 00|5|00|0|00|0|3a|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2000563; classtype:misc-attack; sid:2000563; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET 139 -> any any (msg:"ET EXPLOIT Pwdump3e Password Hash Retrieval port 139"; flow: from_server,established; content:"|3a 00|5|00|0|00|0|3a|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2000568; classtype:misc-attack; sid:2000568; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT NTDump.exe Service Started port 139"; flow: to_server,established; content:"|4e 00 74 00 44 00 75 00 6d 00 70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2001053; classtype:misc-activity; sid:2001053; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT NTDump.exe Service Started port 445"; flow: to_server,established; content:"|4e 00 74 00 44 00 75 00 6d 00 70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2001544; classtype:misc-activity; sid:2001544; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT NTDump Session Established Reg-Entry port 139"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2001052; classtype:misc-activity; sid:2001052; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT NTDump Session Established Reg-Entry port 445"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2001543; classtype:misc-activity; sid:2001543; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Pwdump4 Session Established GetHash port 139"; flow: to_server,established; content:"|50 57 44 75 6d 70 34 2e 64 6c 6c 00 47 65 74 48 61 73 68|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2001753; classtype:suspicious-login; sid:2001753; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Pwdump4 Session Established GetHash port 445"; flow: to_server,established; content:"|50 57 44 75 6d 70 34 2e 64 6c 6c 00 47 65 74 48 61 73 68|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2001754; classtype:suspicious-login; sid:2001754; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT PWDump4 Password dumping exe copied to victim"; flow:to_server,established; content:"|4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 50 00 57 00 44 00 55 00 4D 00 50 00 34 00 2E 00 65 00 78 00 65|"; reference:url,xinn.org/Snort-pwdump4.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008444; classtype:suspicious-filename-detect; sid:2008444; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT Pwdump6 Session Established test file created on victim"; flow:to_server,established; content:"|5c 00 74 00 65 00 73 00 74 00 2e 00 70 00 77 00 64|"; fast_pattern:only; reference:url,xinn.org/Snort-pwdump6.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008445; classtype:suspicious-filename-detect; sid:2008445; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT Foofus.net Password dumping dll injection"; flow:to_server,established; content:"|6c 00 73 00 72 00 65 00 6d 00 6f 00 72 00 61|"; fast_pattern:only; metadata: former_category EXPLOIT; reference:url,xinn.org/Snort-fgdump.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008476; classtype:suspicious-filename-detect; sid:2008476; rev:5; metadata:created_at 2010_07_30, updated_at 2017_05_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Possible Vulnerable Server Response"; flow:established; dsize:12; content:"RFB 003.00"; depth:11; flowbits:noalert; flowbits:set,BSposs.vuln.vnc.svr; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:cve,2006-2369; reference:url,doc.emergingthreats.net/bin/view/Main/2002912; classtype:misc-activity; sid:2002912; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VNC Client response"; flowbits:isset,BSposs.vuln.vnc.svr; flow:established; dsize:12; content:"RFB 003.0"; depth:9; flowbits:noalert; flowbits:set,BSis.vnc.setup; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002913; classtype:misc-activity; sid:2002913; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Server VNC Auth Offer"; flowbits:isset,BSis.vnc.setup; flow:established; dsize:20; content:"|00 00 00 02|"; depth:4; flowbits:noalert; flowbits:set,BSvnc.auth.offered; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002914; classtype:misc-activity; sid:2002914; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Server VNC Auth Offer - No Challenge string"; flowbits:isset,BSis.vnc.setup; flow:established; dsize:2; content:"|01 02|"; depth:2; flowbits:noalert; flowbits:set,BSvnc.auth.offered; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002918; classtype:misc-activity; sid:2002918; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Server Not Requiring Authentication"; flowbits:isset,BSis.vnc.setup; flow:established; content:"|01 01|"; depth:2; flowbits:set,BSvnc.auth.offered; flowbits:unset,BSis.vnc.setup; flowbits:unset,BSvnc.auth.offered; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:cve,2006-2369; reference:url,doc.emergingthreats.net/bin/view/Main/2002924; classtype:misc-activity; sid:2002924; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Server Not Requiring Authentication (case 2)"; flowbits:isset,BSis.vnc.setup; dsize:4; flow:established; content:"|00 00 00 01|"; depth:4; flowbits:set,BSvnc.auth.offered; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:cve,2006-2369; reference:url,doc.emergingthreats.net/bin/view/Main/2002923; classtype:misc-activity; sid:2002923; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VNC Good Authentication Reply"; flowbits:isset,BSvnc.auth.offered; flow:established; dsize:2; content:"|02|"; flowbits:unset,BSvnc.auth.offered; flowbits:noalert; flowbits:set,BSvnc.auth.agreed; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002919; classtype:attempted-admin; sid:2002919; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VNC Authentication Reply"; flowbits:isset,BSvnc.auth.offered; flow:established; dsize:16; flowbits:unset,BSvnc.auth.offered; flowbits:noalert; flowbits:set,BSvnc.auth.agreed; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002915; classtype:attempted-admin; sid:2002915; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT RealVNC Authentication Bypass Attempt"; flowbits:isset,BSvnc.auth.offered; flow:established; dsize:1; content:"|01|"; depth:1; flowbits:set,BSvnc.null.auth.sent; reference:url,secunia.com/advisories/20107/; reference:url,archives.neohapsis.com/archives/fulldisclosure/2006-05/0356.html; reference:cve,2006-2369; reference:url,doc.emergingthreats.net/bin/view/Main/2002916; classtype:attempted-admin; sid:2002916; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT RealVNC Server Authentication Bypass Successful"; flowbits:isset,BSvnc.null.auth.sent; flow:established; dsize:4; content:"|00 00 00 00|"; depth:4; flowbits:unset,BSis.vnc.setup; flowbits:unset,BSvnc.auth.offered; reference:url,secunia.com/advisories/20107/; reference:url,archives.neohapsis.com/archives/fulldisclosure/2006-05/0356.html; reference:cve,2006-2369; reference:url,doc.emergingthreats.net/bin/view/Main/2002917; classtype:successful-admin; sid:2002917; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Multiple Authentication Failures"; flowbits:isset,BSvnc.auth.agreed; flow:established; dsize:<50; content:"|00 00 00 02|"; depth:4; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002921; classtype:attempted-admin; sid:2002921; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT SQL sp_configure - configuration change"; flow:to_server,established; content:"s|00|p|00|_|00|c|00|o|00|n|00|f|00|i|00|g|00|u|00|r|00|e|00|"; fast_pattern:only; nocase; reference:url,msdn.microsoft.com/en-us/library/ms190693.aspx; reference:url,doc.emergingthreats.net/bin/view/Main/2008517; classtype:attempted-user; sid:2008517; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT SQL sp_configure attempt"; flow:to_server,established; content:"sp_configure"; fast_pattern:only; nocase; reference:url,msdn.microsoft.com/en-us/library/ms190693.aspx; reference:url,doc.emergingthreats.net/bin/view/Main/2008518; classtype:attempted-user; sid:2008518; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 4000 (msg:"ET EXPLOIT SecurityGateway 1.0.1 Remote Buffer Overflow"; flow:to_server,established; content:"POST "; depth:5; nocase; content:"/SecurityGateway.dll"; nocase; distance:0; content:"logon"; nocase; distance:0; content:"&username"; nocase; distance:0; pcre:"/\x3d[^\x26]{720}/R"; reference:url,frsirt.com/english/advisories/2008/1717; reference:url,milw0rm.com/exploits/5718; reference:url,doc.emergingthreats.net/bin/view/Main/2008426; reference:cve,2008-4193; classtype:misc-attack; sid:2008426; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ShixxNote buffer-overflow + remote shell attempt"; flow: established,to_server; content:"|68 61 63 6b 75|"; offset: 126; depth: 5; content:"|68 61 63 6b 90 61 61 61 61|"; offset: 519; depth: 9; reference:url,aluigi.altervista.org/adv/shixxbof-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2001385; classtype:shellcode-detect; sid:2001385; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"ET EXPLOIT Siemens Gigaset SE361 WLAN Data Flood Denial of Service Vulnerability"; flow:to_server; content:"|90 90 90 90 90|"; depth:5; content:"|90 90 90 90 90|"; distance:0; content:"|90 90 90 90 90|"; distance:0; pcre:"/\x90{200}/"; reference:cve,CVE-2009-3322; reference:bugtraq,36366; reference:url,www.milw0rm.com/exploits/9646; reference:url,doc.emergingthreats.net/2009976; classtype:denial-of-service; sid:2009976; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 31337 -> $HOME_NET 64876 (msg:"ET EXPLOIT malformed Sack - Snort DoS-by-$um$id"; seq:0; ack:0; window:65535; dsize:0; reference:url,doc.emergingthreats.net/bin/view/Main/2002656; classtype:attempted-dos; sid:2002656; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT Solaris TTYPROMPT environment variable set"; flow: established,to_server; content:"|00 54 54 59 50 52 4F 4D 50 54|"; fast_pattern:only; reference:url,online.securityfocus.com/archive/1/293844; reference:url,doc.emergingthreats.net/bin/view/Main/2001780; classtype:attempted-admin; sid:2001780; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT Solaris telnet USER environment vuln Attack inbound"; flow:to_server,established; content: "|ff fa 27 00 00 55 53 45 52 01 2d 66|"; rawbytes; reference:url,riosec.com/solaris-telnet-0-day; reference:url,isc.sans.org/diary.html?n&storyid=2220; reference:url,doc.emergingthreats.net/bin/view/Main/2003411; reference:cve,2007-0882; classtype:attempted-user; sid:2003411; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"ET EXPLOIT Solaris telnet USER environment vuln Attack outbound"; flow:to_server,established; content: "|ff fa 27 00 00 55 53 45 52 01 2d 66|"; rawbytes; reference:url,riosec.com/solaris-telnet-0-day; reference:url,isc.sans.org/diary.html?n&storyid=2220; reference:url,doc.emergingthreats.net/bin/view/Main/2003412; reference:cve,2007-0882; classtype:attempted-user; sid:2003412; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt"; flow:established,to_server; content:"to|3A|"; depth:10; nocase; content:"+|3A|\"|7C|"; distance:0; reference:url,www.securityfocus.com/bid/38578; reference:url,seclists.org/fulldisclosure/2010/Mar/140; reference:url,doc.emergingthreats.net/2010877; classtype:attempted-user; sid:2010877; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Possible Sendmail SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt"; flow:established,to_server; content:"to|3A|"; depth:10; nocase; content:"+\"|7C|"; distance:0; reference:url,www.securityfocus.com/bid/38578; reference:url,seclists.org/fulldisclosure/2010/Mar/140; reference:url,doc.emergingthreats.net/2010941; classtype:attempted-user; sid:2010941; rev:1; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"ET EXPLOIT Squid NTLM Auth Overflow Exploit"; flow: to_server; content:"|4141 414a 4351 6b4a 4351 6b4a 4351 6b4a|"; offset: 96; reference:url,www.idefense.com/application/poi/display?id=107; reference:cve,CAN-2004-0541; reference:url,doc.emergingthreats.net/bin/view/Main/2000342; classtype:misc-attack; sid:2000342; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Java runtime.exec() call"; flow:from_server,established; content:"|52 75 6e 74 69 6d 65 3b 01 00 04 65 78 65 63 01 00|"; fast_pattern:only; reference:url,www.mullingsecurity.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002783; classtype:trojan-activity; sid:2002783; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Java private function call sun.misc.unsafe"; flow:from_server,established; content:"sun/misc/Unsafe"; reference:url,www.mullingsecurity.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002784; classtype:trojan-activity; sid:2002784; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 8004 (msg:"ET EXPLOIT Symantec Scan Engine Request Password Hash"; flow:established,to_server; content:"POST"; nocase; depth:4; content:"/xml.xml"; nocase; distance:1; within:10; content:"<request"; nocase; distance:0; content:"<key "; distance:0; reference:cve,2006-0230; reference:bugtraq,17637; reference:url,doc.emergingthreats.net/bin/view/Main/2002896; classtype:attempted-recon; sid:2002896; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 2967:2968 (msg:"ET EXPLOIT Symantec Remote Management RTVScan Exploit"; flow:established,to_server; content:"|10|"; depth:2; content:"|00 24 00|"; distance:0; within:20; content:"|5c|"; distance:0; isdataat:380,relative; reference:cve,2006-3455; reference:url,research.eeye.com/html/advisories/published/AD20060612.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003250; classtype:attempted-admin; sid:2003250; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET EXPLOIT TFTP Invalid Mode in file Get"; content:"|01|"; depth:1; content:"|00|"; distance:1; content:"|00|"; distance:0; content:!"|00|binary|00|"; nocase; content:!"|00|netascii|00|"; nocase; content:!"|00|mail|00|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003198; classtype:non-standard-protocol; sid:2003198; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET EXPLOIT TFTP Invalid Mode in file Put"; content:"|02|"; depth:1; content:"|00|"; distance:1; content:"|00|"; distance:0; content:!"|00|binary|00|"; nocase; content:!"|00|netascii|00|"; nocase; content:!"|00|mail|00|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003199; classtype:non-standard-protocol; sid:2003199; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT TAC Attack Directory Traversal"; flow:established,to_server; content:"/ISALogin.dll?"; nocase; http_uri; pcre:"/Template=.*\.\./UGi"; reference:cve,2005-3040; reference:url,secunia.com/advisories/16854; reference:url,cirt.dk/advisories/cirt-37-advisory.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002406; classtype:attempted-recon; sid:2002406; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 14942 (msg:"ET EXPLOIT Trend Micro Web Interface Auth Bypass Vulnerable Cookie Attempt"; flow:established,to_server; content:"splx_2376_info"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=477; reference:url,www.trendmicro.com/download/product.asp?productid=20; reference:url,doc.emergingthreats.net/bin/view/Main/2003434; classtype:attempted-admin; sid:2003434; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"ET EXPLOIT TrendMicro ServerProtect Exploit possible worma(little-endian DCERPC Request)"; flow:established,to_server; dsize:>1000; content:"|05|"; depth:1; content:"|10 00 00 00|"; distance:3; within:4; content:"|00 00 88 88 28 25 5b bd d1 11 9d 53 00 80 c8 3a 5c 2c 04 00 03 00|"; distance:14; within:22; content:"|1c 13 74 65|"; distance:500; reference:url,isc.sans.org/diary.html?storyid=3310; reference:url,doc.emergingthreats.net/bin/view/Main/2007584; classtype:misc-attack; sid:2007584; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"ET EXPLOIT VLC web interface buffer overflow attempt"; flow:to_server,established; content:"|2F|requests|2F|status|2E|xml|3F|"; nocase; http_uri; content:"input|3D|smb|3A 2F|"; nocase; http_uri; pcre:"/\x2Frequests\x2Fstatus\x2Exml\x3F[^\x0A\x0D]*input\x3D[^\x0A\x0D\x26\x3B]{1000}/iU"; reference:url,milw0rm.org/exploits/9029; reference:url,doc.emergingthreats.net/2009511; classtype:web-application-attack; sid:2009511; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT M3U File Request Flowbit Set"; flow:to_server,established; content:"GET"; http_method; content:".m3u"; http_uri; flowbits:set,ET.m3u.download; flowbits:noalert; reference:url,doc.emergingthreats.net/2011241; classtype:not-suspicious; sid:2011241; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible VLC Media Player M3U File FTP URL Processing Stack Buffer Overflow Attempt"; flowbits:isset,ET.m3u.download; flow:established,to_client; content:"ftp|3A|//"; nocase; content:"PRAV"; within:10; isdataat:2000,relative; content:!"|0A|"; within:2000; reference:url,securitytracker.com/alerts/2010/Jul/1024172.html; reference:url,doc.emergingthreats.net/2011242; classtype:attempted-user; sid:2011242; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"ET EXPLOIT Possible BackupExec Metasploit Exploit (inbound)"; flow:established,to_server; content: "|09 01|"; offset:18; depth:2; content:"|00 03|"; distance:10; within:2; byte_jump:2,2,relative,big; content:"|00 00|"; within:2; byte_test:2,>,512,0,relative,big; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm; reference:url,doc.emergingthreats.net/bin/view/Main/2002061; classtype:attempted-admin; sid:2002061; rev:5; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 10000 (msg:"ET EXPLOIT Possible BackupExec Metasploit Exploit (outbound)"; flow:established,to_server; content: "|00 00 03 00 00 02 00 58 58 58|"; offset: 24; depth: 20; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm; reference:url,doc.emergingthreats.net/bin/view/Main/2002062; classtype:attempted-admin; sid:2002062; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"ET EXPLOIT Veritas backupexec_agent exploit"; flow:to_server,established; content:"|00 00 00 00 00 00 09 01|"; offset:12; depth:20; content: "|00 00 00 03|"; offset: 28; depth: 32; byte_jump: 4, 32; byte_test: 4,>,3000,0,relative; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,doc.emergingthreats.net/bin/view/Main/2002065; reference:cve,2004-1172; classtype:misc-attack; sid:2002065; rev:8; metadata:created_at 2010_07_30, updated_at 2016_06_14;)

#alert tcp $HOME_NET 10000 -> $EXTERNAL_NET any (msg:"ET EXPLOIT NDMP Notify Connect - Possible Backup Exec Remote Agent Recon"; flow:established,from_server; content:"|00 00 05 02|"; offset:16; depth:20; content: "|00 00 00 03|"; offset: 28; depth: 32; reference:url,www.ndmp.org/download/sdk_v4/draft-skardal-ndmp4-04.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2002068; classtype:attempted-recon; sid:2002068; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"ET EXPLOIT Backup Exec Windows Agent Remote File Access - Attempt"; flow:to_server,established; flowbits:isnotset,SID2002181; content:"|0000 0000 0000 0901 0000 0000 0000 0000 0000 0002 0000 0004 726f 6f74 b4b8 0f26 205c 4234 03fc aeee 8f91 3d6f|"; offset:8; depth:52; flowbits:set,SID2002181; reference:url,www.frsirt.com/english/advisories/2005/1387; reference:url,www.frsirt.com/exploits/20050811.backupexec_dump.pm.php; reference:url,doc.emergingthreats.net/bin/view/Main/2002181; classtype:default-login-attempt; sid:2002181; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 10000 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Backup Exec Windows Agent Remote File Access - Vulnerable"; flow:from_server,established; flowbits:isset,SID2002181; content:"|0000 0001 0000 0901|"; offset:8; depth:16; content:"|0000 0000 0000 0000|"; distance:4; within:12; reference:url,www.frsirt.com/english/advisories/2005/1387; reference:url,www.frsirt.com/exploits/20050811.backupexec_dump.pm.php; reference:url,doc.emergingthreats.net/bin/view/Main/2002182; classtype:misc-attack; sid:2002182; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT WMF Exploit"; flow:established; content:"|01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00|"; content:"|00 26 06 0f 00 08 00 ff ff ff ff 01 00 00 00 03 00 00 00 00 00|"; reference:url,www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php; reference:url,doc.emergingthreats.net/bin/view/Main/2002734; classtype:attempted-user; sid:2002734; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"ET EXPLOIT Xerox WorkCentre PJL Daemon Buffer Overflow Attempt"; flow:established,to_server; content:"ENTER LANGUAGE ="; depth:50; nocase; isdataat:55,relative; content:!"|0A|"; within:55; pcre:"/ENTER\x20LANGUAGE\x20\x3D.{55}/smi"; reference:url,www.securityfocus.com/bid/38010; reference:url,doc.emergingthreats.net/2010759; classtype:attempted-admin; sid:2010759; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7700 (msg:"ET EXPLOIT Zilab Chat and Instant Messaging Heap Overflow Vulnerability"; flow:established; content:"|21 00 21 03|"; pcre:"/[0-9a-zA-Z]{10}/R"; reference:url,aluigi.altervista.org/adv/zilabzcsx-adv.txt; reference:bugtraq,27940; reference:url,doc.emergingthreats.net/bin/view/Main/2007933; classtype:misc-attack; sid:2007933; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7700 (msg:"ET EXPLOIT Zilab Chat and Instant Messaging User Info BoF Vulnerability"; flow:established; content:"|61 00 09 00 08 00 07 00 21 03|"; pcre:"/[0-9a-zA-Z]{10}/R"; reference:url,aluigi.altervista.org/adv/zilabzcsx-adv.txt; reference:bugtraq,27940; reference:url,doc.emergingthreats.net/bin/view/Main/2007934; classtype:misc-attack; sid:2007934; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Foxit PDF Reader Authentication Bypass Attempt"; flow:established,to_client; file_data; content:"%PDF-"; within:5; content:"Type/Action"; distance:0; nocase; content:"Launch"; nocase; within:40; content:"NewWindow true"; nocase; distance:0; pcre:"/Type\x2FAction.+Launch.+\x28\x2F[a-z]\x2F[a-z].+NewWindow\x20true/si"; reference:url,www.coresecurity.com/content/foxit-reader-vulnerabilities#lref.4; reference:cve,2009-0836; reference:url,doc.emergingthreats.net/2010878; classtype:attempted-user; sid:2010878; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip any any -> any any (msg:"GPL EXPLOIT EIGRP prefix length overflow attempt"; ip_proto:88; byte_test:1,>,32,44; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2102464; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert ip any any -> any any (msg:"GPL EXPLOIT IGMP IGAP account overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,16,12; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2102462; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert ip any any -> any any (msg:"GPL EXPLOIT IGMP IGAP message overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,64,13; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2102463; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"GPL EXPLOIT SSH server banner overflow"; flow:established,from_server; content:"SSH-"; nocase; isdataat:200,relative; pcre:"/^SSH-\s[^\n]{200}/ism"; reference:bugtraq,5287; reference:cve,2002-1059; classtype:misc-attack; sid:2101838; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL EXPLOIT ssh CRC32 overflow"; flow:to_server,established; content:"|00 01|W|00 00 00 18|"; depth:7; content:"|FF FF FF FF 00 00|"; depth:14; offset:8; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101327; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"GPL EXPLOIT CVS non-relative path access attempt"; flow:to_server,established; content:"Argument "; content:"Directory"; distance:0; pcre:"/^Argument\s+\//smi"; pcre:"/^Directory/smiR"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2102318; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"GPL EXPLOIT ttdbserv Solaris overflow"; dsize:>999; flow:to_server,established; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; fast_pattern:only; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:2100571; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"GPL EXPLOIT ttdbserv solaris overflow"; dsize:>999; flow:to_server,established; content:"|C0 22|?|FC A2 02| |09 C0|,|7F FF E2 22|?|F4|"; fast_pattern:only; metadata: former_category EXPLOIT; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:2100570; rev:12; metadata:created_at 2010_09_23, updated_at 2017_06_29;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 32772:34000 (msg:"GPL EXPLOIT cachefsd buffer overflow attempt"; flow:to_server,established; dsize:>720; content:"|00 01 87 86 00 00 00 01 00 00 00 05|"; reference:bugtraq,4631; reference:cve,2002-0084; reference:nessus,10951; classtype:misc-attack; sid:2101751; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"GPL EXPLOIT WINS name query overflow attempt TCP"; flow:established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; reference:url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx; classtype:attempted-admin; sid:2103199; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 (msg:"GPL EXPLOIT AIX pdnsd overflow"; flow:to_server,established; dsize:>1000; content:"|7F FF FB|x|7F FF FB|x|7F FF FB|x|7F FF FB|x"; content:"@|8A FF C8|@|82 FF D8 3B|6|FE 03 3B|v|FE 02|"; reference:bugtraq,3237; reference:bugtraq,590; reference:cve,1999-0745; classtype:attempted-user; sid:2101261; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"GPL EXPLOIT rexec username overflow attempt"; flow:to_server,established; content:"|00|"; offset:9; content:"|00|"; distance:0; content:"|00|"; distance:0; classtype:attempted-admin; sid:2102113; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL EXPLOIT rsh froot"; flow:to_server,established; content:"-froot|00|"; fast_pattern:only; reference:arachnids,387; classtype:attempted-admin; sid:2100604; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL EXPLOIT rsh bin"; flow:to_server,established; content:"bin|00|bin|00|"; reference:arachnids,390; classtype:attempted-user; sid:2100607; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"GPL EXPLOIT LPD dvips remote command execution attempt"; flow:to_server,established; content:"psfile=|22 60|"; reference:bugtraq,3241; reference:cve,2001-1002; reference:nessus,11023; classtype:system-call-detect; sid:2101821; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"GPL EXPLOIT Redhat 7.0 lprd overflow"; flow:to_server,established; content:"XXXX%.172u%300|24|n"; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:2100302; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 (msg:"GPL EXPLOIT CDE dtspcd exploit attempt"; flow:to_server,established; content:"1"; depth:1; offset:10; content:!"000"; depth:3; offset:11; reference:bugtraq,3517; reference:cve,2001-0803; reference:url,www.cert.org/advisories/CA-2002-01.html; classtype:misc-attack; sid:2101398; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"GPL EXPLOIT Arkeia client backup system info probe"; flow:established,to_server; content:"ARKADMIN_GET_"; nocase; pcre:"/^(CLIENT|MACHINE)_INFO/Ri"; reference:bugtraq,12594; classtype:attempted-recon; sid:2103453; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7100 (msg:"GPL EXPLOIT xfs overflow attempt"; flow:to_server,established; dsize:>512; content:"B|00 02|"; depth:3; reference:bugtraq,6241; reference:cve,2002-1317; reference:nessus,11188; classtype:misc-activity; sid:2101987; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"GPL EXPLOIT kadmind buffer overflow attempt 2"; flow:established,to_server; content:"/shh//bi"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101898; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"GPL EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101894; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"GPL EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|FF FF|KADM0.0A|00 00 FB 03|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101896; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"GPL EXPLOIT kadmind buffer overflow attempt 3"; flow:established,to_server; content:"/shh//bi"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101899; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"GPL EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101895; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"GPL EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|FF FF|KADM0.0A|00 00 FB 03|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101897; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache COPY overflow attempt"; flow:to_server,established; content:"COPY"; pcre:"/^COPY[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102559; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache DELETE overflow attempt"; flow:to_server,established; content:"DELETE"; nocase; isdataat:432,relative; pcre:"/^DELETE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102556; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache HEAD overflow attempt"; flow:to_server,established; content:"HEAD"; pcre:"/^HEAD[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102552; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache LOCK overflow attempt"; flow:to_server,established; content:"LOCK"; pcre:"/^LOCK[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102557; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache MKCOL overflow attempt"; flow:to_server,established; content:"MKCOL"; pcre:"/^MKCOL[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102558; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache MOVE overflow attempt"; flow:to_server,established; content:"MOVE"; pcre:"/^MOVE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102560; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache POST overflow attempt"; flow:to_server,established; content:"POST"; pcre:"/^POST[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102554; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache PUT overflow attempt"; flow:to_server,established; content:"PUT"; pcre:"/^PUT[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102553; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache TRACE overflow attempt"; flow:to_server,established; content:"TRACE"; pcre:"/^TRACE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102555; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"GPL EXPLOIT rsyncd module list access"; flow:to_server,established; content:"|23|list"; depth:5; classtype:misc-activity; sid:2102047; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL EXPLOIT EXPLOIT statdx"; flow:to_server,established; content:"/bin|C7|F|04|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:2100600; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT echo command attempt"; flow:to_server,established; content:"/bin/echo"; fast_pattern:only; nocase; classtype:web-application-attack; sid:2101334; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT tftp command attempt"; flow:to_server,established; content:"tftp%20"; fast_pattern:only; nocase; classtype:web-application-attack; sid:2101340; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT formmail access"; flow:to_server,established; content:"/formmail"; nocase; http_uri; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-activity; sid:2100884; rev:16; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT formmail arbitrary command execution attempt"; flow:to_server,established; content:"/formmail"; nocase; http_uri; content:"%0a"; nocase; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-attack; sid:2101610; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT php.cgi access"; flow:to_server,established; content:"/php.cgi"; nocase; http_uri; reference:arachnids,232; reference:bugtraq,2250; reference:bugtraq,712; reference:cve,1999-0238; reference:cve,1999-058; reference:nessus,10178; classtype:attempted-recon; sid:2100824; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT administrators.pwd access"; flow:to_server,established; content:"/administrators.pwd"; nocase; http_uri; reference:bugtraq,1205; classtype:web-application-activity; sid:2100953; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT .cmd executable file parsing attack"; flow:established,to_server; content:".cmd|22|"; nocase; http_uri; pcre:"/\.cmd\x22.*?\x26/Ui"; reference:bugtraq,1912; reference:cve,2000-0886; classtype:web-application-attack; sid:2103193; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT .cnf access"; flow:to_server,established; content:".cnf"; nocase; http_uri; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:2100977; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT .htr access"; flow:to_server,established; content:".htr"; nocase; http_uri; reference:bugtraq,1488; reference:cve,2000-0630; reference:nessus,10680; classtype:web-application-activity; sid:2100987; rev:16; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT /iisadmpwd/aexp2.htr access"; flow:to_server,established; content:"/iisadmpwd/aexp2.htr"; http_uri; reference:bugtraq,2110; reference:bugtraq,4236; reference:cve,1999-0407; reference:cve,2002-0421; reference:nessus,10371; classtype:web-application-activity; sid:2101487; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT /msadc/samples/ access"; flow:to_server,established; content:"/msadc/samples/"; http_uri; nocase; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,1007; classtype:web-application-attack; sid:2101401; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT Alternate Data streams ASP file access attempt"; flow:to_server,established; content:".asp|3A 3A 24|DATA"; nocase; http_uri; reference:bugtraq,149; reference:cve,1999-0278; reference:nessus,10362; reference:url,support.microsoft.com/default.aspx?scid=kb#-#-EN-US#-#-q188806; classtype:web-application-attack; sid:2100975; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT CodeRed v2 root.exe access"; flow:to_server,established; content:"/root.exe"; nocase; http_uri; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:2101256; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT ISAPI .ida access"; flow:to_server,established; content:".ida"; nocase; http_uri; pcre:"/\.ida$/iU"; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:2101242; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT ISAPI .ida attempt"; flow:to_server,established; content:".ida?"; nocase; http_uri; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-attack; sid:2101243; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT ISAPI .idq access"; flow:to_server,established; content:".idq"; nocase; http_uri; reference:arachnids,553; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:2101245; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT ISAPI .idq attempt"; flow:to_server,established; content:".idq?"; nocase; http_uri; reference:arachnids,553; reference:bugtraq,1065; reference:bugtraq,968; reference:cve,2000-0071; reference:cve,2000-0126; reference:nessus,10115; classtype:web-application-attack; sid:2101244; rev:16; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT NTLM ASN.1 vulnerability scan attempt"; flow:to_server,established; content:"Authorization|3A| Negotiate YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM"; http_header; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12055; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:attempted-dos; sid:2102386; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0A|Content-type|3A| text/xml|0A|HOST|3A|";  fast_pattern:32,4; content:"Accept|3A| */*|0A|Translate|3A| f|0A|Content-length|3A|5276|0A 0A|"; distance:1; reference:bugtraq,7116; reference:bugtraq,7716; reference:cve,2003-0109; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2102090; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT cmd32.exe access"; flow:to_server,established; content:"cmd32.exe"; nocase; classtype:web-application-attack; sid:2101661; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT cmd? access"; flow:to_server,established; content:".cmd?&"; nocase; http_uri; classtype:web-application-attack; sid:2101003; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT fpcount access"; flow:to_server,established; content:"/fpcount.exe"; nocase; http_uri; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-activity; sid:2101013; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT iisadmpwd attempt"; flow:to_server,established; content:"/iisadmpwd/aexp"; nocase; http_uri; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-attack; sid:2101018; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT iissamples access"; flow:to_server,established; content:"/iissamples/"; nocase; http_uri; reference:nessus,11032; classtype:web-application-attack; sid:2101402; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT site/iisamples access"; flow:to_server,established; content:"/site/iisamples"; nocase; http_uri; reference:nessus,10370; classtype:web-application-activity; sid:2101046; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; content:"/..%c0%af../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2100981; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%1c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2100982; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%9c../"; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2100983; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT Tomcat server exploit access"; flow:to_server,established; content:"/contextAdmin/contextAdmin.html"; nocase; http_uri; reference:bugtraq,1548; reference:cve,2000-0672; reference:nessus,10477; classtype:attempted-recon; sid:2101111; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT apache chunked encoding memory corruption exploit attempt"; flow:established,to_server; content:"|C0|PR|89 E1|PQRP|B8 3B 00 00 00 CD 80|"; reference:bugtraq,5033; reference:cve,2002-0392; classtype:web-application-activity; sid:2101808; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT xp_filelist attempt"; flow:to_server,established; content:"xp_filelist"; nocase; classtype:web-application-attack; sid:2101059; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT sp_adduser database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:2100679; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:2100676; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; offset:32; nocase; reference:bugtraq,1204; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; classtype:attempted-user; sid:2100695; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL EXPLOIT xp_cmdshell - program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:2100687; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 445 (msg:"GPL EXPLOIT xp_cmdshell program execution 445"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:2101759; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"GPL EXPLOIT login buffer non-evasive overflow attempt"; flow:to_server,established; flowbits:isnotset,ttyprompt; content:"|FF FA|'|00 00|"; rawbytes; pcre:"/T.*?T.*?Y.*?P.*?R.*?O.*?M.*?P.*?T/RBi"; flowbits:set,ttyprompt; reference:bugtraq,3681; reference:cve,2001-0797; classtype:attempted-admin; sid:2103274; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"GPL EXPLOIT Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows "; content:"Copyright |28|c|29| 20"; distance:0; content:"Microsoft Corp"; distance:0; reference:nessus,11633; classtype:successful-admin; sid:2102123; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $HOME_NET 749 -> $EXTERNAL_NET any (msg:"GPL EXPLOIT successful kadmind buffer overflow attempt"; flow:established,from_server; content:"*GOBBLE*"; depth:8; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:2101900; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $HOME_NET 751 -> $EXTERNAL_NET any (msg:"GPL EXPLOIT successful kadmind buffer overflow attempt"; flow:established,from_server; content:"*GOBBLE*"; depth:8; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:2101901; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL EXPLOIT portmap proxy integer overflow attempt UDP"; content:"|00 01 86 A0 00|"; depth:5; offset:12; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,7123; reference:cve,2003-0028; classtype:rpc-portmap-decode; sid:2102092; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"GPL EXPLOIT ntpdx overflow attempt"; dsize:>128; reference:bugtraq,2540; reference:cve,2001-0414; classtype:attempted-admin; sid:2100312; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP invalid identification payload attempt"; content:"|05|"; depth:1; offset:16; byte_test:2,>,4,30; byte_test:2,<,8,30; reference:bugtraq,10004; reference:cve,2004-0184; classtype:attempted-dos; sid:2102486; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP delete hash with empty hash attempt"; content:"|08|"; depth:1; offset:16; content:"|0C|"; depth:1; offset:28; content:"|00 04|"; depth:2; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2102413; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP fifth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; byte_jump:2,-2,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102380; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP first payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:16; byte_test:2,>,2043,30; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102376; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP forth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102379; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:16; content:"|00 0C 00 00 00 01 01 00 06 02|"; depth:10; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2102414; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP second payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:28; byte_jump:2,30; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102377; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP second payload initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:28; byte_jump:2,30; content:"|00 0C 00 00 00 01 01 00|`|02|"; within:10; distance:-2; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2102415; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"GPL EXPLOIT x86 Linux mountd overflow"; content:"^|B0 02 89 06 FE C8 89|F|04 B0 06 89|F"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:2100315; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL EXPLOIT bootp x86 linux overflow"; content:"A90|C0 A8 01 01|/bin/sh|00|"; reference:cve,1999-0389; reference:cve,1999-0798; reference:cve,1999-0799; classtype:attempted-admin; sid:2100319; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL EXPLOIT bootp hostname format string attempt"; content:"|01|"; depth:1; content:"|0C|"; distance:240; content:"%"; distance:0; content:"%"; within:8; distance:1; content:"%"; within:8; distance:1; reference:bugtraq,4701; reference:cve,2002-0702; reference:nessus,11312; classtype:misc-attack; sid:2102039; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT HP OpenView NNM snmpviewer.exe CGI Stack Buffer Overflow 1"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/OvCgi/snmpviewer.exe"; http_uri; nocase; content:"act="; nocase; content:"app="; nocase; isdataat:257,relative; content:!"|0A|"; within:257; pcre:"/app\x3D[^\x26\s\r\n]{257}/i"; reference:cve,CVE-2010-1552; reference:bugtraq,40068; classtype:attempted-admin; sid:2012682; rev:7; metadata:created_at 2010_09_25, updated_at 2010_09_25;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT HP OpenView NNM snmpviewer.exe CGI Stack Buffer Overflow 2"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/OvCgi/snmpviewer.exe"; http_uri; nocase; content:"app="; nocase; content:"act="; nocase; isdataat:257,relative; content:!"|0A|"; within:257; pcre:"/act\x3D[^\x26\s\r\n]{257}/i"; reference:cve,CVE-2010-1552; reference:bugtraq,40068; classtype:attempted-admin; sid:2012683; rev:5; metadata:created_at 2010_09_25, updated_at 2010_09_25;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 50002 (msg:"ET EXPLOIT Possible Etrust Secure Transaction Platform Identification and Entitlements Server File Disclosure Attempt"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"<!DOCTYPE"; nocase; distance:0; content:"<!ENTITY"; nocase; distance:0; content:"<soapenv|3A|Envelope"; nocase; distance:0; content:"<ns1|3A|Username>"; nocase; distance:0; flowbits:set,ET.etrust.fieldis; reference:url,shh.thathost.com/secadv/2009-06-15-entrust-ies.txt; reference:url,securitytracker.com/alerts/2010/Sep/1024391.html; classtype:misc-attack; sid:2011502; rev:1; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

#alert tcp $HOME_NET 50002 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Successful Etrust Secure Transaction Platform Identification and Entitlements Server File Disclosure Attempt"; flowbits:isset,ET.etrust.fieldis; flow:established,from_server; content:"<soap|3A|faultstring>Unknown user"; reference:url,shh.thathost.com/secadv/2009-06-15-entrust-ies.txt; reference:url,securitytracker.com/alerts/2010/Sep/1024391.html; classtype:misc-attack; sid:2011503; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT HP OpenView Network Node Manager OvJavaLocale Cookie Value Buffer Overflow Attempt"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/OvCgi/webappmon.exe"; http_uri; nocase; content:"ins=nowait"; http_uri; nocase; content:"cache="; http_uri; nocase; content:"OvJavaLocale="; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,www.coresecurity.com/content/hp-nnm-ovjavalocale-buffer-overflow; reference:bugtraq,42154; reference:cve,2010-2709; classtype:web-application-attack; sid:2011328; rev:6; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Office Word 2007 sprmCMajority Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; content:"|47 CA FF|"; content:"|3E C6 FF|"; distance:0; isdataat:84,relative; content:!"|0A|"; within:84; reference:url,www.exploit-db.com/moaub11-microsoft-office-word-sprmcmajority-buffer-overflow/; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-056.mspx; reference:bid,42136; reference:cve,2010-1900; classtype:attempted-user; sid:2011478; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT VMware Tools Update OS Command Injection Attempt"; flow:established,to_server; content:"POST"; http_method; content:"exec|3A|"; nocase; content:"args|3A|"; nocase; distance:0; content:"UpgradeTools_Task"; distance:0; reference:url,www.exploit-db.com/exploits/15717/; reference:cve,2010-4297; classtype:attempted-admin; sid:2012045; rev:4; metadata:created_at 2010_12_10, updated_at 2010_12_10;)

#alert tcp any any -> $HOME_NET 8765 (msg:"ET EXPLOIT JDownloader Webinterface Source Code Disclosure"; flow:established,to_server; content:"|2f|index|2e|tmpl"; depth:80; nocase; pcre:"/\x2findex\x2etmpl(\x3a\x3a\x24DATA|\x2f|\x2e)\x0d\x0a/i"; reference:url,packetstormsecurity.org/files/view/96126/jdownloader-disclose.txt; classtype:attempted-recon; sid:2012055; rev:1; metadata:created_at 2010_12_15, updated_at 2010_12_15;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 8307 (msg:"ET EXPLOIT VMware 2 Web Server Directory Traversal"; flow:established,to_server; content:"|2f 2e 2e 2f 2e 2e 2f 2e 2e 2f|"; depth:60; reference:url,www.exploit-db.com/exploits/15617/; classtype:attempted-recon; sid:2012057; rev:1; metadata:created_at 2010_12_15, updated_at 2010_12_15;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"ET EXPLOIT HP LaserJet PLJ Interface Directory Traversal"; flow:established,to_server; content:"|1b 25 2d|"; depth:3; content:"|20 28 29 20 50 4a 4c 20|"; distance:0; within:25; content:"FSDIRLIST|20|NAME="; nocase; content:"|22|0|3a 5c 2e 2e 5c 2e 2e 5c 2e 2e|"; distance:0; within:25; reference:url,www.exploit-db.com/exploits/15631/; reference:bugtraq,44882; reference:cve,2010-4107; classtype:misc-attack; sid:2012058; rev:1; metadata:created_at 2010_12_15, updated_at 2010_12_15;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference (CVE-2009-3103)"; flow:to_server,established; content:"|FF 53 4d 42 72|"; offset:4; depth:5; content:"|00 26|"; distance:7; within:2; metadata: former_category NETBIOS; reference:url,www.exploit-db.com/exploits/14674/; reference:url,www.microsoft.com/technet/security/bulletin/ms09-050.mspx; reference:cve,2009-3103; classtype:attempted-user; sid:2012063; rev:3; metadata:created_at 2010_12_16, updated_at 2017_06_27;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 8899 (msg:"ET EXPLOIT Oracle Virtual Server Agent Command Injection Attempt"; flow: to_server,established; content:"POST"; http_method; content:"|0d 0a 0d 0a 3c 3f|xml|20|version"; nocase; content:"|3c|methodCall|3e|"; distance:0; content:"|3c|methodName|3e|"; distance:0; within:25; content:"|3c|params|3e|"; content:"|3c 2f|value|3e|"; distance:0; within:400; content:"|3c|param| 3e|"; distance:0; content:"|3c|value|3e|"; within:50; content:"|3c|string|3e|"; content:"|27|"; distance:0; within:50; content:"|3b|"; within:10; content:"|3b|"; content:"|27|"; distance:0; within:100; reference:url,exploit-db.com/exploits/15244/; classtype:attempted-user; sid:2012101; rev:2; metadata:created_at 2011_12_27, updated_at 2011_12_27;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT D-Link bsc_wlan.php Security Bypass"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/bsc_wlan.php"; nocase; http_uri; content:"ACTION_POST=final&"; nocase; http_client_body; content:"&f_ssid="; nocase; http_client_body; content:"&f_authentication=7&"; nocase; http_client_body; within:135; content:"f_cipher=2&"; nocase; http_client_body; content:"f_wep_len=&f_wep_format=&f_wep_def_key=&"; nocase; http_client_body; within:40; content:"&f_wep=&f_wpa_psk_type=1&f_wpa_psk="; nocase; http_client_body; content:"&f_radius_ip1=&f_radius_port1=&f_radius_secret1="; nocase; http_client_body; within:70; reference:url,packetstormsecurity.org/files/view/96100/dlinkwlan-bypass.txt; classtype:web-application-attack; sid:2012103; rev:5; metadata:created_at 2011_12_27, updated_at 2011_12_27;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Wireshark ENTTEC DMX Data Processing Code Execution Attempt 1"; content:"|45 53 44 44|"; depth:4; content:"|04|"; distance:2; within:1; content:"|FE FF|"; distance:0; within:50; content:"|FE FF|"; distance:0; within:50; content:"|FE|"; byte_test:1,>,11,0,relative; reference:url,www.exploit-db.com/exploits/15898/; reference:bid,45634; classtype:attempted-user; sid:2012154; rev:2; metadata:created_at 2011_01_06, updated_at 2011_01_06;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Wireshark ENTTEC DMX Data Processing Code Execution Attempt 2"; content:"|FE|"; byte_test:1,>,11,0,relative; content:"|45 53 44 44|"; depth:4; content:"|04|"; distance:2; within:1; content:"|FE FF|"; distance:0; within:50; content:"|FE FF|"; distance:0; within:50; reference:url,www.exploit-db.com/exploits/15898/; reference:bid,45634; classtype:attempted-user; sid:2012155; rev:2; metadata:created_at 2011_01_06, updated_at 2011_01_06;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Microsoft Windows Common Control Library Heap Buffer Overflow"; flow:established,from_server; content:"Content-Type|3a| image/svg|2b|xml"; http_header; file_data; content:"|3c|svg xmlns="; distance:0; content:"style|3d 22|fill|3a 20 23|ffffff|22|"; distance:0; content:"transform"; distance:0; pcre:"/^=\s*\x22\s*[^\s\x22\x28]{1000}/iR"; reference:bugtraq,43717; reference:url,www.microsoft.com/technet/security/bulletin/MS10-081.mspx; classtype:attempted-admin; sid:2012174; rev:5; metadata:created_at 2011_01_12, updated_at 2011_01_12;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Lexmark Printer RDYMSG Cross Site Scripting Attempt"; flow:established,to_server; content:"pjl_ready_message="; http_uri; nocase; fast_pattern:only; pcre:"/pjl\x5Fready\x5Fmessage\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,packetstormsecurity.org/files/view/97265/lexmark-xss.txt; classtype:web-application-attack; sid:2012193; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_01_15, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Unknown Exploit Pack URL Detected"; flow:to_server,established; content:"/imgurl"; nocase; http_uri; content:".php"; distance:0; nocase; http_uri; content:"hl="; distance:0; nocase; http_uri; classtype:bad-unknown; sid:2012324; rev:3; metadata:created_at 2011_02_21, updated_at 2011_02_21;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 13364 (msg:"ET EXPLOIT RXS-3211 IP Camera Password Information Disclosure Attempt"; content:"|FF FF FF FF FF FF 00 06 FF F9|"; fast_pattern:only; reference:bid,47976; classtype:attempted-admin; sid:2012866; rev:1; metadata:created_at 2011_05_26, updated_at 2011_05_26;)

#alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT 2Wire Password Reset Vulnerability via GET"; flow:established,to_server; content:"/xslt?PAGE=H04_POST&THISPAGE=H04&NEXTPAGE="; http_uri; content:"&PASSWORD="; http_uri; distance:0; content:"&PASSWORD_CONF="; http_uri; distance:0; reference:url,www.seguridad.unam.mx/doc/?ap=articulo&id=196; reference:url,packetstormsecurity.org/files/view/102614/2wire-reset.rb.txt; classtype:attempted-admin; sid:2013165; rev:1; metadata:created_at 2011_07_01, updated_at 2011_07_01;)

#alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT 2Wire Password Reset Vulnerability via POST"; flow:established,to_server; content:"/xslt"; http_uri; content:"PAGE=H04_POST&THISPAGE=H04&NEXTPAGE="; http_client_body; content:"&PASSWORD="; http_client_body; distance:0; content:"&PASSWORD_CONF="; http_client_body; distance:0; reference:url,www.seguridad.unam.mx/doc/?ap=articulo&id=196; reference:url,packetstormsecurity.org/files/view/102614/2wire-reset.rb.txt; classtype:attempted-admin; sid:2013166; rev:1; metadata:created_at 2011_07_01, updated_at 2011_07_01;)

#alert tcp $HOME_NET $SSH_PORTS -> any any (msg:"ET EXPLOIT FreeBSD OpenSSH 3.5p1 possible vulnerable server"; flow:established,from_server; content:"SSH-1.99-OpenSSH_3.5p1 FreeBSD-200"; reference:url,packetstormsecurity.org/files/view/102683/ssh_preauth_freebsd.txt; reference:url,seclists.org/2011/Jul/6; classtype:misc-activity; sid:2013167; rev:2; metadata:created_at 2011_07_01, updated_at 2011_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT VSFTPD Backdoor User Login Smiley"; flow:established,to_server; content:"USER "; depth:5; content:"|3a 29|"; distance:0; classtype:attempted-admin; sid:2013188; rev:4; metadata:created_at 2011_07_05, updated_at 2011_07_05;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow Attempt"; flow:established,to_server; content:"/OvCgi/Toolbar.exe?"; http_uri; content:"/OvCgi/Toolbar.exe?"; isdataat:1024,relative; content:!"|0A|"; within:1024; reference:url,exploit-db.com/exploits/17536/; classtype:web-application-attack; sid:2013288; rev:3; metadata:created_at 2011_07_19, updated_at 2011_07_19;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Possible BSNL Router DNS Change Attempt"; flow:to_server,established; content:"POST"; http_method; content:"/dnscfg.cgi"; http_uri; content:"dnsPrimary="; http_client_body; content:"&dnsSecondary="; http_client_body; content:"&dnsDynamic="; http_client_body; content:"&dnsRefresh="; http_client_body; reference:url,www.hackersbay.in/2011/02/pwning-routersbsnl.html; classtype:attempted-user; sid:2013918; rev:2; metadata:created_at 2011_11_17, updated_at 2011_11_17;)

#alert tcp any any -> $HOME_NET 3389 (msg:"ET EXPLOIT Microsoft RDP Server targetParams Exploit Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|7f 65 82 01 94|"; distance:24; within:5; content:"|30 19|"; distance:9; within:2; byte_test:1,<,6,3,relative; reference:url,msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; classtype:attempted-admin; sid:2014383; rev:2; metadata:created_at 2012_03_13, updated_at 2012_03_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Java Atomic Reference Exploit Attempt Metasploit Specific"; flow:established,from_server; file_data; content:"|3c|applet archive=|22|"; distance:0; content:".jar|22|"; distance:0; within:14; content:"code=|22|msf.x.Exploit.class|22|"; distance:0; fast_pattern:6,19; reference:cve,CVE-2012-0507; reference:url,www.metasploit.com/modules/exploit/multi/browser/java_atomicreferencearray; classtype:bad-unknown; sid:2014461; rev:7; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2012_04_04, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit Specific config files upload"; flow:established,to_server; content:"STOR "; content:".conf|0d 0a|"; distance:0; fast_pattern; pcre:"/^\s*?STOR\s+[^\r\n]*?\x2f(tgt|trace|rbp(c|p))\.conf\r$/mi"; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015513; rev:3; metadata:created_at 2012_07_23, updated_at 2012_07_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit nsswitch.conf Upload"; flow:established,to_server; content:"STOR "; content:"nsswitch.conf|0d 0a|"; distance:0; pcre:"/^\s*?STOR\s+[^\r\n]*?nsswitch\.conf\r$/mi"; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015514; rev:2; metadata:created_at 2012_07_23, updated_at 2012_07_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit Specific (CHMOD 777)"; flow:established,to_server; content:"SITE CHMOD 777 NONEXISTANT"; depth:26; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015515; rev:2; metadata:created_at 2012_07_23, updated_at 2012_07_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET EXPLOIT MySQL Stack based buffer overrun Exploit Specific"; flow:to_server,established; content:"grant"; nocase; content:"file"; nocase; distance:0; content:"on"; distance:0; nocase; pcre:"/^\s+A{500}/R"; reference:url,seclists.org/fulldisclosure/2012/Dec/4; classtype:attempted-user; sid:2015975; rev:5; metadata:created_at 2012_12_03, updated_at 2012_12_03;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Heap based buffer overrun Exploit Specific"; flow:to_server,established; byte_test:3,>,10000,0,little; content:"|00 03|"; offset:3; depth:2; pcre:"/^(USE|PASS|SELECT|UPDATE|INSERT|ASCII|SHOW|CREATE|DESCRIBE|DROP|ALTER)\s+?(.{1})\2{300}/Ri"; reference:url,archives.neohapsis.com/archives/fulldisclosure/2012-12/0006.html; classtype:attempted-user; sid:2015987; rev:3; metadata:created_at 2012_12_04, updated_at 2012_12_04;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL (Linux) Database Privilege Elevation (Exploit Specific)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"select |27|TYPE=TRIGGERS|27| into outfile|27|"; nocase; pcre:"/\s*?\/.+?\.TRG\x27\s*?LINES TERMINATED BY \x27\x5fntriggers=/Ri"; content:"CREATE DEFINER=|60|root|60|@|60|localhost|60|"; nocase; distance:0; pcre:"/\s+?trigger\s+?[^\x20]+?\s+?after\s+?insert\s+?on\s+?/Ri"; content:"UPDATE mysql.user"; nocase; fast_pattern:only; reference:cve,2012-5613; reference:url,seclists.org/fulldisclosure/2012/Dec/6; classtype:attempted-user; sid:2015992; rev:7; metadata:created_at 2012_12_05, updated_at 2012_12_05;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Server for Windows Remote SYSTEM Level Exploit (Stuxnet Techique DUMP INTO executable)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"SELECT data FROM"; nocase; distance:0; content:"INTO DUMPFILE"; nocase; distance:0; content:"c|3a|/windows/system32/"; nocase; fast_pattern; content:".exe"; nocase; distance:0; pcre:"/SELECT data FROM [^\x20]+?\x20INTO DUMPFILE [\x27\x22]c\x3a\/windows\/system32\/[a-z0-9_-]+?\.exe[\x27\x22]/i"; reference:url,seclists.org/fulldisclosure/2012/Dec/att-13/; classtype:attempted-user; sid:2015995; rev:4; metadata:created_at 2012_12_05, updated_at 2012_12_05;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Server for Windows Remote SYSTEM Level Exploit (Stuxnet Technique)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"INSERT INTO"; nocase; distance:0; content:"#pragma namespace("; nocase; distance:0; content:"|5c 5c 5c|.|5c 5c 5c 5c|root|5c 5c 5c 5c|"; nocase; distance:0; content:"__EventFilter"; nocase; distance:0; content:" __InstanceModificationEvent"; nocase; distance:0; content:"TargetInstance"; nocase; distance:0; content:"Win32_LocalTime"; nocase; distance:0; content:"ActiveScriptEventConsumer"; nocase; distance:0; content:"JScript"; nocase; distance:0; content:"WScript.Shell"; nocase; distance:0; content:"WSH.run"; nocase; distance:0; content:".exe"; distance:0; content:"__FilterToConsumerBinding"; pcre:"/WSH\.run\x28\x5c+?[\x22\x27][a-z0-9_-]+?\.exe/"; reference:url,seclists.org/fulldisclosure/2012/Dec/att-13/; classtype:attempted-user; sid:2015996; rev:3; metadata:created_at 2012_12_05, updated_at 2012_12_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Metasploit -Java Atomic Exploit Downloaded"; flow:established,to_client; file_data; content:"PK"; within:2; content:"msf|2f|x|2f|"; distance:0; classtype:bad-unknown; sid:2016028; rev:1; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2012_12_12, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Metasploit js_property_spray sprayHeap"; flow:established,from_server; file_data; content:"sprayHeap"; nocase; pcre:"/^[\r\n\s]*?\x28[^\x29]*?shellcode/Ri"; reference:url,community.rapid7.com/community/metasploit/blog/2013/03/04/new-heap-spray-technique-for-metasploit-browser-exploitation; classtype:attempted-user; sid:2016519; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_03_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Metasploit mstime_malloc no-spray"; flow:established,from_server; file_data; content:"mstime_malloc"; nocase; pcre:"/^[\r\n\s]*?\x28[^\x29]*?shellcode/Ri"; reference:url,community.rapid7.com/community/metasploit/blog/2013/03/04/new-heap-spray-technique-for-metasploit-browser-exploitation; classtype:attempted-user; sid:2016824; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_05_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Exim/Dovecot Possible MAIL FROM Command Execution"; flow:to_server,established; content:"${IFS}"; fast_pattern:only; content:"mail from|3a|"; nocase; pcre:"/^[^\r\n]*?\x60[^\x60]*?\$\{IFS\}/R"; reference:url,redteam-pentesting.de/de/advisories/rt-sa-2013-001/-exim-with-dovecot-typical-misconfiguration-leads-to-remote-command-execution; classtype:attempted-admin; sid:2016835; rev:2; metadata:created_at 2013_05_08, updated_at 2013_05_08;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Apache Struts Possible OGNL Java Exec In URI"; flow:to_server,established; content:"java.lang.Runtime@getRuntime().exec("; http_uri; nocase; classtype:attempted-user; sid:2016953; rev:2; metadata:created_at 2013_05_31, updated_at 2013_05_31;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Apache Struts Possible OGNL AllowStaticMethodAccess in client body"; flow:to_server,established; content:"memberAccess"; http_client_body; nocase; content:"allowStaticMethodAccess"; http_client_body; nocase; classtype:attempted-user; sid:2016954; rev:2; metadata:created_at 2013_05_31, updated_at 2013_05_31;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Apache Struts Possible OGNL AllowStaticMethodAccess in URI"; flow:to_server,established; content:"memberAccess"; http_uri; nocase; content:"allowStaticMethodAccess"; http_uri; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016956; rev:2; metadata:created_at 2013_05_31, updated_at 2013_05_31;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Apache Struts Possible OGNL Java Exec in client body"; flow:to_server,established; content:"java.lang.Runtime@getRuntime().exec("; http_client_body; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016957; rev:2; metadata:created_at 2013_05_31, updated_at 2013_05_31;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Apache Struts Possible OGNL Java WriteFile in client_body"; flow:to_server,established; content:"java.io.FileOutputStream"; http_client_body; nocase; content:".write"; distance:0; nocase; http_client_body; content:"sun.misc.BASE64Decoder"; nocase; http_client_body; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016958; rev:2; metadata:created_at 2013_05_31, updated_at 2013_05_31;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Apache Struts Possible OGNL Java WriteFile in URI"; flow:to_server,established; content:"java.io.FileOutputStream"; http_uri; nocase; content:".write"; distance:0; nocase; http_uri; content:"sun.misc.BASE64Decoder"; nocase; http_uri; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016959; rev:2; metadata:created_at 2013_05_31, updated_at 2013_05_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit plugin-detect script access"; flow:established,to_client; file_data; content:"ScriptBridge.ScriptBridge"; content:"|00|h|00|t|00|t|00|p|00 3a 00 2f 00 2f 00|"; content:"|2f 00|v|00|w|00|.|00|p|00|h|00|p|00|?|00|i|00|="; distance:0; fast_pattern; reference:url,blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx; classtype:attempted-user; sid:2017006; rev:4; metadata:created_at 2013_06_11, updated_at 2013_06_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit plugin-detect script access"; flow:established,from_client; content:"/vw.php?i="; http_uri; fast_pattern:only; pcre:"/\/vw\.php\?i=[a-fA-F0-9]+?\-[a-fA-F0-9]+?$/U"; reference:url,blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx; classtype:attempted-user; sid:2017007; rev:6; metadata:created_at 2013_06_11, updated_at 2013_06_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit Specific"; flow:established,to_client; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"IHDR"; distance:0; content:"tEXt"; distance:13; content:"db.php?j="; distance:0; content:"msnmusax.ninn"; fast_pattern:only; classtype:attempted-user; sid:2017008; rev:5; metadata:created_at 2013_06_11, updated_at 2013_06_11;)

alert tcp any any -> $HTTP_SERVERS [5353,5656,80] (msg:"ET EXPLOIT SolusVM 1.13.03 SQL injection"; flow:established,to_server; content:"POST "; depth:5; content:"/centralbackup.php?"; fast_pattern:only; content:"_v="; content:"deleteid="; classtype:trojan-activity; sid:2017060; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2013_06_24, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $HTTP_SERVERS [5353,5656,80] (msg:"ET EXPLOIT SolusVM 1.13.03 Access to solusvmc-node setuid bin"; flow:established,to_server; content:"POST "; depth:5; content:"solusvmc-node"; fast_pattern:only; pcre:"/\bsolusvmc-node\b/"; classtype:trojan-activity; sid:2017061; rev:3; metadata:created_at 2013_06_24, updated_at 2013_06_24;)

alert tcp $HOME_NET any -> $HTTP_SERVERS [5353,5656,80] (msg:"ET EXPLOIT SolusVM WHMCS CURL Multi-part Boundary Issue"; flow:established,to_server; content:"POST "; depth:5; content:"/rootpassword.php?"; fast_pattern:only; content:"name=action"; content:"name=action"; distance:0; content:"name=action"; distance:0; reference:url,localhost.re/p/solusvm-whmcs-module-316-vulnerability; classtype:trojan-activity; sid:2017063; rev:1; metadata:created_at 2013_06_24, updated_at 2013_06_24;)

alert udp any any -> $HOME_NET [623,664] (msg:"ET EXPLOIT IPMI Cipher 0 Authentication mode set"; content:"|07 06 10 00 00 00 00 00 00 00 00|"; offset:3; depth:11; content:"|00 00|"; distance:2; within:2; content:"|00 00 00 08 00 00 00 00 01 00 00 08 00 00 00 00 02 00 00 08 00 00 00 00|"; distance:6; within:24; reference:url,www.intel.com/content/dam/www/public/us/en/documents/product-briefs/second-gen-interface-spec-v2.pdf; reference:url,community.rapid7.com/community/metasploit/blog/2013/06/23/a-penetration-testers-guide-to-ipmi; classtype:attempted-admin; sid:2017094; rev:3; metadata:created_at 2013_07_03, updated_at 2013_07_03;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Apache Struts Possible OGNL Java ProcessBuilder URI"; flow:to_server,established; content:"java.lang.ProcessBuilder("; http_uri; nocase; classtype:attempted-user; sid:2017172; rev:3; metadata:created_at 2013_07_23, updated_at 2013_07_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Apache Struts Possible OGNL Java ProcessBuilder in client body"; flow:to_server,established; content:"java.lang.ProcessBuilder("; http_client_body; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2017173; rev:3; metadata:created_at 2013_07_23, updated_at 2013_07_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Wscript Shell Run Attempt - Likely Hostile"; flow:established,to_server; content:"WScript.Shell"; nocase; content:".Run"; nocase; within:100; pcre:"/[\r\n\s]+(?P<var1>([a-z]([a-z0-9_])*|_+([a-z0-9])([a-z0-9_])*))[\r\n\s]*\x3d[\r\n\s]*CreateObject\(\s*[\x22\x27]Wscript\.Shell[\x27\x22]\s*\).+?(?P=var1)\.run/si"; classtype:attempted-user; sid:2017205; rev:1; metadata:created_at 2013_07_26, updated_at 2013_07_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Metasploit CVE-2013-3205 Exploit Specific"; flow:established,to_client; file_data; content:"function putPayload("; nocase; fast_pattern:only; classtype:attempted-user; sid:2017510; rev:1; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_09_23, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS  [25,587] (msg:"ET EXPLOIT Microsoft Outlook/Crypto API X.509 oid id-pe-authorityInfoAccessSyntax design bug allow blind HTTP requests attempt"; flow:to_server,established; content:"multipart/signed|3B|"; nocase; content:"application/pkcs7-signature|3B|"; nocase; distance:0; content:"|0A|QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB|0D|"; distance:0; reference:cve,2013-3870; reference:url,www.microsoft.com/technet/security/bulletin/MS13-068.mspx; reference:url,blog.nruns.com/blog/2013/11/12/A-portscan-by-email-Alex; classtype:attempted-admin; sid:2017712; rev:10; metadata:created_at 2013_11_13, updated_at 2013_11_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT JavaX Toolkit Posting Plugin-Detect Data"; flow:established,to_server; content:"/post.php?referanceMod="; http_uri; nocase; content:"java"; http_uri; nocase; reference:url,github.com/MrXors/Javax/; classtype:attempted-user; sid:2017730; rev:3; metadata:created_at 2013_11_19, updated_at 2013_11_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Adobe PDF CVE-2013-0640"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:".keep.previous"; nocase; fast_pattern:only; content:".resolveNode"; nocase; pcre:"/^[\r\n\s]*?\\?\(.+?\\?\)\.keep\.previous[\r\n\s]*?=[\r\n\s]*?[\x22\x27]contentArea/Rsi"; reference:url,www.exploit-db.com/exploits/29881/; classtype:attempted-user; sid:2017790; rev:1; metadata:created_at 2013_11_29, updated_at 2013_11_29;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Zollard PHP Exploit UA"; flow:established,to_server; content:"Zollard"; fast_pattern:only; http_header; pcre:"/^User-Agent\x3a[^\r\n]+?Zollard/Hmi"; reference:url,deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:trojan-activity; sid:2017798; rev:4; metadata:created_at 2013_12_04, updated_at 2013_12_04;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT Zollard PHP Exploit Telnet Inbound"; flow:to_server,established; content:"/var/run/.zollard/"; reference:url,deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:attempted-user; sid:2017799; rev:2; metadata:created_at 2013_12_04, updated_at 2013_12_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"ET EXPLOIT Zollard PHP Exploit Telnet Outbound"; flow:to_server,established; content:"/var/run/.zollard/"; reference:url,deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:attempted-user; sid:2017800; rev:2; metadata:created_at 2013_12_04, updated_at 2013_12_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Browser Exploit Server Plugin Detect"; flow:from_server,established; file_data; content:"misc_addons_detect.hasSilverlight"; classtype:trojan-activity; sid:2017810; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_12_06, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Zollard PHP Exploit UA Outbound"; flow:established,to_server; content:"Zollard"; fast_pattern:only; http_header; pcre:"/^User-Agent\x3a[^\r\n]+?Zollard/Hmi"; reference:cve,2012-1823; reference:url,blogs.cisco.com/security/the-internet-of-everything-including-malware/; classtype:trojan-activity; sid:2017825; rev:3; metadata:created_at 2013_12_09, updated_at 2013_12_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 1"; flow:established,to_server; content:"Jm9zX2ZsYXZvcj"; http_client_body; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2017896; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_12_23, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 2"; flow:established,to_server; content:"Zvc19mbGF2b3I9"; http_client_body; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2017897; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_12_23, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 3"; flow:established,to_server; content:"mb3NfZmxhdm9yP"; http_client_body; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2017898; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_12_23, updated_at 2016_07_01;)

alert tcp any any -> any 32764 (msg:"ET EXPLOIT MMCS service (Little Endian)"; flow:established,to_server; content:"MMcS"; depth:4; isdataat:9,relative; reference:url,github.com/elvanderb/TCP-32764; classtype:web-application-attack; sid:2017923; rev:2; metadata:created_at 2014_01_03, updated_at 2014_01_03;)

alert tcp any any -> any 32764 (msg:"ET EXPLOIT MMCS service (Big Endian)"; flow:established,to_server; content:"ScMM"; depth:4; isdataat:9,relative; reference:url,github.com/elvanderb/TCP-32764; classtype:web-application-attack; sid:2017924; rev:2; metadata:created_at 2014_01_03, updated_at 2014_01_03;)

alert tcp any any -> any $HTTP_PORTS (msg:"ET EXPLOIT Netgear passwordrecovered.cgi attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/passwordrecovered.cgi?id="; nocase; http_uri; metadata: former_category CURRENT_EVENTS; reference:url,www.securityfocus.com/archive/1/530743/30/0/threaded; reference:url,www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2017-003/?fid=8911; reference:cve,2017-5521; classtype:attempted-admin; sid:2017969; rev:3; metadata:created_at 2014_01_14, updated_at 2017_11_28;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass fw_sys_up.cgi"; flow:to_server,established; content:"GET "; depth:4; content:"/cgi-bin/fw_sys_up.cgi"; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018156; rev:2; metadata:created_at 2014_02_18, updated_at 2014_02_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass override.cgi"; flow:to_server,established; content:"GET "; depth:4; content:"/cgi-bin/override.cgi"; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018157; rev:1; metadata:created_at 2014_02_18, updated_at 2014_02_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass share_editor.cgi"; flow:to_server,established; content:"GET "; depth:4; content:"/cgi-bin/share_editor.cgi"; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018158; rev:2; metadata:created_at 2014_02_18, updated_at 2014_02_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass switch_boot.cgi"; flow:to_server,established; content:"GET "; depth:4; content:"/cgi-bin/switch_boot.cgi"; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018159; rev:2; metadata:created_at 2014_02_18, updated_at 2014_02_18;)

alert tcp $HOME_NET 8083 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Linksys Failed Upgrade BackDoor Access (Server Response)"; flow:from_server,established; content:"Utopia_Init|3a 20|SUCCEEDED"; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018160; rev:3; metadata:created_at 2014_02_18, updated_at 2014_02_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Possible ZyXELs ZynOS Configuration Download Attempt (Contains Passwords)"; flow:established,to_server; urilen:6; content:"/rom-0"; http_uri; nocase; metadata: former_category CURRENT_EVENTS; reference:url,www.team-cymru.com/ReadingRoom/Whitepapers/2013/TeamCymruSOHOPharming.pdf; classtype:attempted-admin; sid:2018232; rev:2; metadata:created_at 2014_03_07, updated_at 2017_11_28;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"ET EXPLOIT Supermicro BMC Password Disclosure 1"; flow:established,to_server; content:"/PSBlock"; fast_pattern:only; reference:url,arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/; classtype:attempted-admin; sid:2018585; rev:2; metadata:created_at 2014_06_20, updated_at 2014_06_20;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"ET EXPLOIT Supermicro BMC Password Disclosure 2"; flow:established,to_server; content:"/PSStore"; fast_pattern:only; reference:url,arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/; classtype:attempted-admin; sid:2018586; rev:2; metadata:created_at 2014_06_20, updated_at 2014_06_20;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"ET EXPLOIT Supermicro BMC Password Disclosure 3"; flow:established,to_server; content:"/PMConfig.dat"; fast_pattern:only; reference:url,arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/; classtype:attempted-admin; sid:2018587; rev:2; metadata:created_at 2014_06_20, updated_at 2014_06_20;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"ET EXPLOIT Supermicro BMC Password Disclosure 4"; flow:established,to_server; content:"/wsman/simple_auth.passwd"; fast_pattern:5,20; reference:url,arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/; classtype:attempted-admin; sid:2018588; rev:2; metadata:created_at 2014_06_20, updated_at 2014_06_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Metasploit FireFox WebIDL Privileged Javascript Injection"; flow:from_server,established; file_data; content:".atob(String.fromCharCode("; pcre:"/^(?:90|0x5a|0+?132)\s*?,\s*?(?:71|0x47|0+?107)\s*?,\s*?(?:70|0x46|0+?106)\s*?,\s*?(?:48|0x30|0+?60)\s*?,\s*?(?:89|0x59|0+?131)\s*?,\s*?(?:84|0x54|0+?124)\s*?,\s*?(?:112|0x70|0+?160)/Rsi"; reference:url,www.exploit-db.com/exploits/34448/; classtype:trojan-activity; sid:2019085; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2014_08_29, updated_at 2016_07_01;)

alert tcp any any -> any 873 (msg:"ET EXPLOIT F5 BIG-IP rsync cmi access attempt"; flow:to_server,established; dsize:4; content:"cmi|0a|"; fast_pattern:only; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019087; rev:4; metadata:created_at 2014_08_29, updated_at 2014_08_29;)

alert tcp any any -> any 873 (msg:"ET EXPLOIT F5 BIG-IP rsync cmi authorized_keys access attempt"; flow:to_server,established; content:"cmi/var/ssh/root/authorized_keys"; fast_pattern:only; flowbits:set,ET.F5.key; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019088; rev:3; metadata:created_at 2014_08_29, updated_at 2014_08_29;)

alert tcp any 873 -> any any (msg:"ET EXPLOIT F5 BIG-IP rsync cmi authorized_keys successful exfiltration"; flow:from_server,established; content:"ssh-rsa"; fast_pattern:only; flowbits:isset,ET.F5.key; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019089; rev:2; metadata:created_at 2014_08_29, updated_at 2014_08_29;)

alert tcp any any -> any 873 (msg:"ET EXPLOIT F5 BIG-IP rsync cmi authorized_keys successful upload"; flow:to_server,established; content:"ssh-rsa"; fast_pattern:only; flowbits:isset,ET.F5.key; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019090; rev:2; metadata:created_at 2014_08_29, updated_at 2014_08_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Random Base CharCode JS Encoded String"; flow:from_server,established; file_data; content:"String.fromCharCode("; pcre:"/^(?=(?:(:?0x[a-f0-9]{2}|0+?\d{1,3})\s*?,\s*?)*?\d{1,3})(?=(?:(:?0x[a-f0-9]{2}|\d{1,3})\s*?,\s*?)*?0+?\d{1,3})(?=(?:(:?0+?\d{1,3}|\d{1,3})\s*?,\s*?)*?0x[a-f0-9]{2})(?:(:?0x[a-f0-9]{2}|0+?\d{1,3}|\d{1,3})\s*?,\s*?)+(:?0x[a-f0-9]{2}|0+?\d{1,3}|\d{1,3})\s*?\)/Rsi"; classtype:trojan-activity; sid:2019091; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2014_08_29, updated_at 2016_07_01;)

alert udp any 67 -> any 68 (msg:"ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DHCP ACK"; content:"|02 01|"; depth:2; content:"|28 29 20 7b|"; fast_pattern:only; reference:url,access.redhat.com/articles/1200223; reference:cve,2014-6271; classtype:attempted-admin; sid:2019237; rev:4; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert udp any any -> $HOME_NET [5060,5061] (msg:"ET EXPLOIT Possible CVE-2014-6271 Attempt Against SIP Proxy"; flow:to_server; content:"|28 29 20 7b|"; fast_pattern:only; reference:url,github.com/zaf/sipshock; classtype:attempted-admin; sid:2019289; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)

alert tcp any any -> $HOME_NET [5060,5061] (msg:"ET EXPLOIT Possible CVE-2014-6271 Attempt Against SIP Proxy"; flow:to_server,established; content:"|28 29 20 7b|"; fast_pattern:only; reference:url,github.com/zaf/sipshock; classtype:attempted-admin; sid:2019290; rev:2; metadata:created_at 2014_09_26, updated_at 2014_09_26;)

alert tcp any any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible Qmail CVE-2014-6271 Mail From attempt"; flow:to_server,established; content:"|28 29 20 7b|"; fast_pattern:only; pcre:"/^mail\s*?from\s*?\x3a\s*?[^\r\n]*?\x28\x29\x20\x7b/mi"; reference:url,marc.info/?l=qmail&m=141183309314366&w=2; classtype:attempted-admin; sid:2019293; rev:2; metadata:created_at 2014_09_29, updated_at 2014_09_29;)

alert udp any any -> $HOME_NET 1194 (msg:"ET EXPLOIT Possible OpenVPN CVE-2014-6271 attempt"; flow:to_server; content:"|20|"; depth:1; content:"|28 29 20 7b|"; fast_pattern:only; reference:url,news.ycombinator.com/item?id=8385332; classtype:attempted-admin; sid:2019322; rev:2; metadata:created_at 2014_09_30, updated_at 2014_09_30;)

alert tcp any any -> $HOME_NET 1194 (msg:"ET EXPLOIT Possible OpenVPN CVE-2014-6271 attempt"; flow:to_server,established; content:"|20|"; depth:1; content:"|28 29 20 7b|"; fast_pattern:only; reference:url,news.ycombinator.com/item?id=8385332; classtype:attempted-admin; sid:2019323; rev:2; metadata:created_at 2014_09_30, updated_at 2014_09_30;)

alert tcp any any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible Pure-FTPd CVE-2014-6271 attempt"; flow:to_server,established; content:"|28 29 20 7b 20|"; fast_pattern:only; reference:url,gist.github.com/jedisct1/88c62ee34e6fa92c31dc; reference:cve,2014-6271; classtype:attempted-admin; sid:2019335; rev:1; metadata:created_at 2014_10_01, updated_at 2014_10_01;)

alert tcp any any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible Postfix CVE-2014-6271 attempt"; flow:to_server,established; content:"|28 29 20 7b|"; fast_pattern:only; pcre:"/^[a-z-]+\s*?\x3a\s*?[^\r\n]*?\x28\x29\x20\x7b.*\x3b.*\x7d\s*\x3b(?!=[\r\n])/mi"; reference:url,exploit-db.com/exploits/34896/; reference:cve,2014-6271; classtype:attempted-admin; sid:2019389; rev:4; metadata:created_at 2014_10_10, updated_at 2014_10_10;)

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014-6271 malicious DNS response"; byte_test:1,&,128,2; content:"|28 29 20 7b|"; fast_pattern:only; reference:cve,2014-6271; reference:url,packetstormsecurity.com/files/128650; classtype:attempted-admin; sid:2019402; rev:1; metadata:created_at 2014_10_15, updated_at 2014_10_15;)

alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DNS"; byte_test:1,&,128,4; content:"|28 29 20 7b|"; fast_pattern:only; reference:cve,2014-6271; reference:url,packetstormsecurity.com/files/128650; classtype:attempted-admin; sid:2019403; rev:1; metadata:created_at 2014_10_15, updated_at 2014_10_15;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 1"; flow:established,to_server; content:"name["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])name\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019422; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 2"; flow:established,to_server; content:"name%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])name\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019423; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 3"; flow:established,to_server; content:"nam%65["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])nam\%65\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019424; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 4"; flow:established,to_server; content:"nam%65%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])nam\%65\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019425; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 5"; flow:established,to_server; content:"na%6de["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6de\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019426; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 6"; flow:established,to_server; content:"na%6de%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6de\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019427; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 7"; flow:established,to_server; content:"na%6d%65["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6d\%65\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019428; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 8"; flow:established,to_server; content:"na%6d%65%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6d\%65\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019429; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 9"; flow:established,to_server; content:"n%61me["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61me\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019430; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 10"; flow:established,to_server; content:"n%61me%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61me\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019431; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 11"; flow:established,to_server; content:"n%61m%65["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61m\%65\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019432; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 12"; flow:established,to_server; content:"n%61m%65%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61m\%65\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019433; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 13"; flow:established,to_server; content:"n%61%6de["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6de\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019434; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 14"; flow:established,to_server; content:"n%61%6de%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6de\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019435; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 15"; flow:established,to_server; content:"n%61%6d%65["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6d\%65\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019436; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 16"; flow:established,to_server; content:"n%61%6d%65%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6d\%65\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019437; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 17"; flow:established,to_server; content:"%6eame["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eame\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019438; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 18"; flow:established,to_server; content:"%6eame%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eame\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019439; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 19"; flow:established,to_server; content:"%6eam%65["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eam\%65\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019440; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 20"; flow:established,to_server; content:"%6eam%65%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eam\%65\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019441; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 21"; flow:established,to_server; content:"%6ea%6de["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6de\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019442; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 22"; flow:established,to_server; content:"%6ea%6de%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6de\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019443; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 23"; flow:established,to_server; content:"%6ea%6d%65["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6d\%65\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019444; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 24"; flow:established,to_server; content:"%6ea%6d%65%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6d\%65\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019445; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 25"; flow:established,to_server; content:"%6e%61me["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61me\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019446; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 26"; flow:established,to_server; content:"%6e%61me%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61me\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019447; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 27"; flow:established,to_server; content:"%6e%61m%65["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61m\%65\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019448; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 28"; flow:established,to_server; content:"%6e%61m%65%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61m\%65\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019449; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 29"; flow:established,to_server; content:"%6e%61%6de["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6de\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019450; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 30"; flow:established,to_server; content:"%6e%61%6de%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6de\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019451; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 31"; flow:established,to_server; content:"%6e%61%6d%65["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6d\%65\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019452; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 32"; flow:established,to_server; content:"%6e%61%6d%65%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6d\%65\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019453; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

alert udp $HOME_NET 5351 -> [!224.0.0.1,$EXTERNAL_NET] any (msg:"ET EXPLOIT Possible Malicious NAT-PMP Response to External Network"; dsize:12; content:"|80 00 00|"; offset:1; depth:3; reference:url,community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities; classtype:attempted-admin; sid:2019490; rev:3; metadata:created_at 2014_10_22, updated_at 2017_01_06;)

alert udp $HOME_NET 5351 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Malicious NAT-PMP Response Successful TCP Map to External Network"; dsize:16; content:"|82 00 00|"; offset:1; depth:3; reference:url,community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities; classtype:attempted-admin; sid:2019491; rev:2; metadata:created_at 2014_10_22, updated_at 2014_10_22;)

alert udp $HOME_NET 5351 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Malicious NAT-PMP Response Successful UDP Map to External Network"; dsize:16; content:"|81 00 00|"; offset:1; depth:3; reference:url,community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities; classtype:attempted-admin; sid:2019492; rev:2; metadata:created_at 2014_10_22, updated_at 2014_10_22;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Belkin N750 Buffer Overflow Attempt"; flow:established,to_server; content:"POST"; http_method; urilen:10; content:"/login.cgi"; http_uri; content:"GO=&jump="; http_client_body; depth:9; isdataat:1380,relative; reference:cve,CVE-2014-1635; reference:url,labs.integrity.pt/advisories/cve-2014-1635/; classtype:attempted-admin; sid:2019686; rev:2; metadata:created_at 2014_11_10, updated_at 2014_11_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Function Name"; flow:to_client,established; file_data; content:"function"; pcre:"/^(?:\x25(?:25)*?20|\s)*?runmumaa\W/Rs"; content:"runmumaa"; fast_pattern:only; reference:cve,2014-6332; classtype:attempted-user; sid:2019733; rev:4; metadata:created_at 2014_11_18, updated_at 2014_11_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct"; flow:to_client,established; file_data; content:"chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)"; reference:cve,2014-6332; classtype:attempted-user; sid:2019734; rev:2; metadata:created_at 2014_11_18, updated_at 2014_11_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct Hex Encode"; flow:to_client,established; file_data; content:"chrw|25|"; pcre:"/^(?:25)?282176\x25(?:25)?29\x25(?:25)?26chrw\x25(?:25)?2801/Rs"; reference:cve,2014-6332; classtype:attempted-user; sid:2019735; rev:2; metadata:created_at 2014_11_18, updated_at 2014_11_18;)

alert tcp any 2067 -> $EXTERNAL_NET any (msg:"ET EXPLOIT DLSw Information Disclosure CVE-2014-7992"; flow:established,from_server; content:"Cisco"; nocase; pcre:"/^(?: Systems|\.com\/techsupport)/Ri"; threshold:type both,count 1,seconds 60,track by_dst; reference:url,www.fishnetsecurity.com/6labs/blog/cisco-dlsw-leakage-allows-retrieval-packet-contents-remote-routers; reference:url,github.com/tatehansen/dlsw_exploit; reference:cve,2014-7992; classtype:trojan-activity; sid:2019778; rev:2; metadata:created_at 2014_11_24, updated_at 2014_11_24;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT D-Link IP Camera Vulnerable HTTP Request (CVE-2013-1599)"; flow:established,to_server; content:"GET"; http_method; content:"/cgi-bin/rtpd.cgi?"; http_uri; fast_pattern:only; reference:url,www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities; classtype:attempted-admin; sid:2019801; rev:1; metadata:created_at 2014_11_25, updated_at 2014_11_25;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT D-Link IP Camera Vulnerable HTTP Request (CVE-2013-1600)"; flow:established,to_server; urilen:17; content:"GET"; http_method; content:"/upnp/asf-mp4.asf"; http_uri; fast_pattern:only; reference:url,www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities; classtype:attempted-admin; sid:2019802; rev:1; metadata:created_at 2014_11_25, updated_at 2014_11_25;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT D-Link IP Camera Vulnerable HTTP Request (CVE-2013-1601)"; flow:established,to_server; urilen:12; content:"GET"; http_method; content:"/md/lums.cgi"; http_uri; fast_pattern:only; reference:url,www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities; classtype:attempted-admin; sid:2019803; rev:1; metadata:created_at 2014_11_25, updated_at 2014_11_25;)

alert tcp any any -> $HOME_NET 88 (msg:"ET EXPLOIT Possible PYKEK Priv Esc in-use"; flow:established,to_server; content:"|a4 11 18 0f|19700101000000Z|a5 11 18 0f|19700101000000Z|a6 11 18 0f|19700101000000Z"; content:"|a8 05 30 03 02 01 17|"; distance:8; within:7; threshold: type limit, track by_src, seconds 60, count 1; reference:url,github.com/bidord/pykek; reference:cve,CVE-2014-6324; classtype:attempted-admin; sid:2019897; rev:2; metadata:created_at 2014_12_09, updated_at 2014_12_09;)

alert tcp any any -> $HOME_NET 88 (msg:"ET EXPLOIT Possible GoldenPac Priv Esc in-use"; flow:established,to_server; content:"|a0 07 03 05 00 50 80 00 00|"; content:"|a8 05 30 03 02 01 17|"; distance:0; isdataat:!1,relative; threshold: type limit, track by_src, seconds 60, count 1; reference:url,code.google.com/p/impacket/source/browse/trunk/examples/goldenPac.py; reference:cve,CVE-2014-6324; classtype:attempted-admin; sid:2019922; rev:2; metadata:created_at 2014_12_11, updated_at 2014_12_11;)

alert tcp any any -> any [$HTTP_PORTS,7547] (msg:"ET EXPLOIT Possible Misfortune Cookie - SET"; flow:established,to_server; content:"Cookie|3a| C"; nocase; pcre:"/^[0-9][^=]/R"; flowbits:set,ET.Misfortune_Cookie; flowbits:noalert; reference:url,mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf; classtype:trojan-activity; sid:2020100; rev:1; metadata:created_at 2015_01_06, updated_at 2015_01_06;)

alert tcp any [$HTTP_PORTS,7547] -> any any (msg:"ET EXPLOIT Possible Misfortune Cookie RomPager Server banner"; flow:established,from_server; flowbits:isset,ET.Misfortune_Cookie; content:"Server|3a| RomPager"; nocase; reference:url,mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf; classtype:trojan-activity; sid:2020101; rev:1; metadata:created_at 2015_01_06, updated_at 2015_01_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [25,465,587] (msg:"ET EXPLOIT CVE-2015-0235 Exim Buffer Overflow Attempt (HELO)"; flow:to_server,established; content:"HELO "; nocase; content:!"|0a|"; within:1024; pcre:"/^\s*?\d[\d\x2e]{255}/R"; reference:url,openwall.com/lists/oss-security/2015/01/27/9; classtype:attempted-admin; sid:2020325; rev:2; metadata:created_at 2015_01_28, updated_at 2015_01_28;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [25,465,587] (msg:"ET EXPLOIT CVE-2015-0235 Exim Buffer Overflow Attempt (EHLO)"; flow:to_server,established; content:"EHLO "; nocase; content:!"|0a|"; within:1024; pcre:"/^\s*?\d[\d\x2e]{255}/R"; reference:url,openwall.com/lists/oss-security/2015/01/27/9; classtype:attempted-admin; sid:2020326; rev:4; metadata:created_at 2015_01_28, updated_at 2015_01_28;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT D-Link DSL-2740R Remote DNS Change Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/Forms/dns_1?"; http_uri; fast_pattern; content:"Enable_DNSFollowing=1"; http_uri; distance:0; content:"dnsPrimary="; http_uri; distance:0; reference:url,www.exploit-db.com/exploits/35917; classtype:attempted-admin; sid:2023466; rev:2; metadata:created_at 2015_01_29, updated_at 2016_10_31;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Possible dlink-DSL2640B DNS Change Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/ddnsmngr.cmd?action=apply"; http_uri; fast_pattern:only; content:"dnsPrimary="; http_uri; content:"&dnsSecondary="; http_uri; content:"&dnsDynamic="; http_uri; content:"&dnsRefresh="; http_uri; reference:url,packetstormsecurity.com/files/130418/dlink-DSL2640B.txt; classtype:attempted-user; sid:2020485; rev:1; metadata:created_at 2015_02_19, updated_at 2015_02_19;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Possible ShuttleTech 915WM DNS Change Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/dnscfg.cgi?"; http_uri; fast_pattern:only; content:"dnsPrimary="; http_uri; content:"&dnsSecondary="; http_uri; content:"&dnsDynamic="; http_uri; content:"&dnsRefresh="; http_uri; reference:url,packetstormsecurity.com/files/130418/dlink-DSL2640B.txt; classtype:attempted-user; sid:2020486; rev:1; metadata:created_at 2015_02_19, updated_at 2015_02_19;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Generic ADSL Router DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"dnsPrimary="; http_uri; fast_pattern:only; content:"&dnsSecondary="; http_uri; content:"&dnsDynamic="; http_uri; content:"&dnsRefresh="; http_uri; reference:url,packetstormsecurity.com/files/130418/dlink-DSL2640B.txt; classtype:attempted-user; sid:2020487; rev:1; metadata:created_at 2015_02_19, updated_at 2015_02_19;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Generic ADSL Router DNS Change POST Request"; flow:to_server,established; content:"POST"; http_method; content:"dnsPrimary="; http_client_body; fast_pattern:only; content:"dnsSecondary="; http_client_body; content:"dnsDynamic="; http_client_body; content:"dnsRefresh="; http_client_body; reference:url,www.hackersbay.in/2011/02/pwning-routersbsnl.html; classtype:attempted-user; sid:2020488; rev:1; metadata:created_at 2015_02_19, updated_at 2015_02_19;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Seagate Business NAS Unauthenticated Remote Command Execution"; flow:to_server,established; content:"POST"; http_method; content:"/index.php/mv_system/get_general_setup?_=1413463189043"; http_uri; fast_pattern:only; content:"set_general"; http_client_body; reference:url,beyondbinary.io/advisory/seagate-nas-rce; classtype:attempted-admin; sid:2020583; rev:2; metadata:created_at 2015_03_02, updated_at 2015_03_02;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT PCMan FTP Server 2.0.7 Remote Command Execution"; flow:to_server,established; content:"|65 82 a5 7c|"; fast_pattern; content:"|90 90 90 90 90|"; distance:0; within:10; reference:url,exploit-db.com/exploits/36078; classtype:attempted-admin; sid:2020585; rev:2; metadata:created_at 2015_03_02, updated_at 2015_03_02;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT D-Link and TRENDnet ncc2 Service Vulnerability (ping.ccp) 2015-1187"; flow:to_server,established; content:"POST"; http_method; urilen:9; content:"/ping.ccp"; http_uri; fast_pattern:only; content:"ccp_act=ping_v6&ping_addr="; http_client_body; depth:26; pcre:"/ping_addr=[\d.]*[^\d.]/P"; reference:url,github.com/darkarnium/secpub/tree/master/Multivendor/ncc2; classtype:attempted-admin; sid:2020590; rev:1; metadata:created_at 2015_03_03, updated_at 2015_03_03;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT D-Link and TRENDnet ncc2 Service Vulnerability (fwupdate.cpp) 2015-1187"; flow:to_server,established; content:"POST"; http_method; urilen:14; content:"/fwupgrade.ccp"; http_uri; fast_pattern:only; content:"|0d 0a|fwupgrade"; http_client_body; content:"|0d 0a|resolv.conf"; nocase; http_client_body; reference:url,github.com/darkarnium/secpub/tree/master/Multivendor/ncc2; classtype:attempted-admin; sid:2020603; rev:1; metadata:created_at 2015_03_03, updated_at 2015_03_03;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 03|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020630; rev:6; metadata:created_at 2015_03_06, updated_at 2015_03_06;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 06|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020631; rev:6; metadata:created_at 2015_03_06, updated_at 2015_03_06;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 08|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020632; rev:5; metadata:created_at 2015_03_06, updated_at 2015_03_06;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 0E|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020633; rev:6; metadata:created_at 2015_03_06, updated_at 2015_03_06;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 11|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020659; rev:4; metadata:created_at 2015_03_10, updated_at 2015_03_10;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 14|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020660; rev:4; metadata:created_at 2015_03_10, updated_at 2015_03_10;)

alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 19|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020661; rev:3; metadata:created_at 2015_03_10, updated_at 2015_03_10;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 26|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020662; rev:5; metadata:created_at 2015_03_10, updated_at 2015_03_10;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 27|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020663; rev:4; metadata:created_at 2015_03_10, updated_at 2015_03_10;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 28|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020664; rev:4; metadata:created_at 2015_03_10, updated_at 2015_03_10;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 29|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020665; rev:4; metadata:created_at 2015_03_10, updated_at 2015_03_10;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 2A|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020666; rev:4; metadata:created_at 2015_03_10, updated_at 2015_03_10;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 2B|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020667; rev:4; metadata:created_at 2015_03_10, updated_at 2015_03_10;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 0B|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020668; rev:2; metadata:created_at 2015_03_10, updated_at 2015_03_10;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 17|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020669; rev:2; metadata:created_at 2015_03_10, updated_at 2015_03_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 4"; flow:established,to_server; content:"POST"; http_method; content:"b3NfbmFtZT"; depth:10; http_client_body; pcre:"/^b3NfbmFtZT[A-Za-z0-9+/]{2}(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/P"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020751; rev:1; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2015_03_25, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 5"; flow:established,to_server; content:"POST"; http_method; content:"Jm9zX3ZlbmRvcj"; http_client_body; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020752; rev:1; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2015_03_25, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 6"; flow:established,to_server; content:"POST"; http_method; content:"Zvc192ZW5kb3I9"; http_client_body; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020753; rev:1; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2015_03_25, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 7"; flow:established,to_server; content:"POST"; http_method; content:"mb3NfdmVuZG9yP"; http_client_body; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020754; rev:1; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2015_03_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Browser Exploit Server Plugin Detect 2"; flow:from_server,established; file_data; content:"var os_name|3b|"; content:"var os_vendor|3b|"; content:"var os_device|3b|"; content:"var os_flavor|3b|"; classtype:trojan-activity; sid:2020755; rev:1; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2015_03_25, updated_at 2016_07_01;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT TP-LINK TL-WR340G Router DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/userRpm/WanDynamicIpCfgRpm.htm?"; http_uri; depth:32; content:"&dnsserver="; http_uri; content:"&Save=Save"; http_uri; fast_pattern:only; reference:url,www.exploit-db.com/exploits/34583; classtype:attempted-admin; sid:2020856; rev:1; metadata:created_at 2015_04_07, updated_at 2015_04_07;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Belkin Wireless G Router DNS Change POST Request"; flow:to_server,established; content:"POST"; http_method; urilen:22; content:"/cgi-bin/setup_dns.exe"; http_uri; content:"getpage=|2e 2e|/html/setup/dns.htm"; http_client_body; depth:29; fast_pattern:9,20; content:"resolver|3a|settings/nameserver1="; http_client_body; distance:0; reference:url,www.exploit-db.com/exploits/3605; classtype:attempted-admin; sid:2020857; rev:3; metadata:created_at 2015_04_07, updated_at 2015_04_07;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Linksys WRT54GL Router DNS Change POST Request"; flow:to_server,established; content:"POST"; http_method; urilen:10; content:"/apply.cgi"; content:"submit_button=index"; http_client_body; depth:19; fast_pattern; content:"&action=Apply"; http_client_body; distance:0; nocase; content:"&lan_dns0="; http_client_body; distance:0; reference:url,www.s3cur1ty.de/node/640; classtype:attempted-admin; sid:2020858; rev:1; metadata:created_at 2015_04_07, updated_at 2015_04_07;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Netgear WNDR Router DNS Change POST Request"; flow:to_server,established; content:"POST"; http_method; urilen:26; content:"/apply.cgi?/BAS_update.htm"; http_uri; content:"submit_flag=ether"; http_client_body; depth:17; fast_pattern; content:"&ether_dnsaddr1="; http_client_body; distance:0; nocase; content:"&Apply=Apply"; http_client_body; distance:0; reference:url,www.s3cur1ty.de/node/640; classtype:attempted-admin; sid:2020859; rev:2; metadata:created_at 2015_04_07, updated_at 2015_04_07;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Motorola SBG900 Router DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/goformFOO/AlFrame?"; http_uri; content:"/goformFOO/AlFrame?"; http_uri; distance:0; content:"Gateway.Wan.dnsAddress1="; http_uri; distance:0; reference:url,github.com/hkm/routerpwn.com/blob/master/index.html; classtype:attempted-admin; sid:2020861; rev:1; metadata:created_at 2015_04_08, updated_at 2015_04_08;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 1"; flow:to_server,established; content:"GET"; http_method; content:"/start_apply.htm?"; http_uri; content:"wan_dns1="; http_uri; distance:0; content:"action_mode=apply"; http_uri; distance:0; reference:url,securityevaluators.com/knowledge/case_studies/routers/asus_rtn56u.php; classtype:attempted-admin; sid:2020862; rev:1; metadata:created_at 2015_04_08, updated_at 2015_04_08;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 2"; flow:to_server,established; content:"GET"; http_method; content:"/start_apply.htm?"; http_uri; content:"wan_dns1_x="; http_uri; distance:0; reference:url,securityevaluators.com/knowledge/case_studies/routers/asus_rtn56u.php; classtype:attempted-admin; sid:2020863; rev:1; metadata:created_at 2015_04_08, updated_at 2015_04_08;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT FritzBox RCE POST Request"; flow:to_server,established; content:"POST"; http_method; urilen:14; content:"/cgi-bin/webcm"; http_uri; fast_pattern:only; content:"getpage="; http_client_body; depth:10; content:"errorpage="; http_client_body; distance:0; content:"/html/index.html&login|3a|command"; http_client_body; distance:0; reference:url,www.exploit-db.com/exploits/33136; classtype:attempted-admin; sid:2020867; rev:2; metadata:created_at 2015_04_08, updated_at 2015_04_08;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT FritzBox RCE GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/cgi-bin/webcm?"; http_uri; fast_pattern; content:"getpage="; http_uri; distance:0; content:"|2e 2e|/html/menus/menu2.html"; http_raw_uri; content:"&var|3a|lang="; http_uri; reference:url,www.exploit-db.com/exploits/33136; classtype:attempted-admin; sid:2020868; rev:2; metadata:created_at 2015_04_08, updated_at 2015_04_08;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 3"; flow:to_server,established; content:"GET"; http_method; content:"/start_apply.htm?"; http_uri; fast_pattern; content:"dnsserver="; http_uri; distance:0; content:"&dnsserver2="; http_uri; distance:0; reference:url,securityevaluators.com/knowledge/case_studies/routers/asus_rtn56u.php; classtype:attempted-admin; sid:2020871; rev:1; metadata:created_at 2015_04_08, updated_at 2015_04_08;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT TP-LINK Known Malicious Router DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/basic/uiViewIPAddr="; fast_pattern; http_uri; content:"&uiViewDns1Mark="; http_uri; distance:0; content:"&uiViewDns2Mark="; http_uri; distance:0; reference:url,pastebin.com/u0MRLmjp; classtype:attempted-admin; sid:2020872; rev:1; metadata:created_at 2015_04_08, updated_at 2015_04_08;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT D-link DI604 Known Malicious Router DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/prim.htm?"; http_uri; depth:10; fast_pattern; nocase; content:"i00110004="; http_uri; distance:0; content:"&i00110005="; http_uri; distance:0; nocase; content:"&i00035007="; http_uri; distance:0; nocase; reference:url,www.gnucitizen.org/blog/router-hacking-challenge; classtype:attempted-admin; sid:2020873; rev:1; metadata:created_at 2015_04_08, updated_at 2015_04_08;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Netgear DGN1000B Router DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/setup.cgi?todo=wan_dns1="; http_uri; fast_pattern:only; reference:url,www.rapid7.com/db/modules/exploit/linux/http/netgear_dgn1000b_setup_exec; classtype:attempted-admin; sid:2020874; rev:1; metadata:created_at 2015_04_08, updated_at 2015_04_08;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Belkin G F5D7230-4 Router DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/setup_dns.stm?page=setup_dns"; http_uri; content:"&dns1_1="; http_uri; reference:url,www.gnucitizen.org/blog/holes-in-embedded-devices-authentication-bypass-pt-4; classtype:attempted-admin; sid:2020875; rev:1; metadata:created_at 2015_04_08, updated_at 2015_04_08;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Tenda ADSL2/2+ Router DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/apply.cgi?wan_primary_dns="; http_uri; fast_pattern:only; content:"&wan_secondary_dns="; http_uri; reference:url,malwr.com/analysis/MGY1ZDFhYjE1MzQ4NDAwM2EyZTI5YmY3MWZjMWE5OGM; classtype:attempted-admin; sid:2020876; rev:1; metadata:created_at 2015_04_08, updated_at 2015_04_08;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Known Malicious Router DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/router/add_dhcp_segment.cgi?"; http_uri; fast_pattern:only; content:"is_router_as_dns=1"; http_uri; content:"&dns1="; http_uri; content:"submitbutton="; http_uri; reference:url,wepawet.cs.ucsb.edu/view.php?hash=5e14985415814ed1e107c0583a27a1a2&t=1384961238&type=js; classtype:attempted-admin; sid:2020877; rev:1; metadata:created_at 2015_04_08, updated_at 2015_04_08;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT TP-LINK TL-WR841N Router DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/userRpm/LanDhcpServerRpm.htm?"; http_uri; fast_pattern; content:"dhcpserver=1"; http_uri; content:"&dnsserver="; http_uri; content:"&Save="; http_uri; reference:url,www.exploit-db.com/exploits/34584; classtype:attempted-admin; sid:2020878; rev:1; metadata:created_at 2015_04_08, updated_at 2015_04_08;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Linksys WRT54GL DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/Basic.tri?"; http_uri; fast_pattern; content:"&dns0_0="; http_uri; content:"&dns0_1="; http_uri; reference:url,sebug.net/paper/Exploits-Archives/2008-exploits/0803-exploits/linksys-bypass.txt; classtype:attempted-admin; sid:2020879; rev:1; metadata:created_at 2015_04_08, updated_at 2015_04_08;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT TP-LINK TL-WR750N DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/userRpm/WanStaticIpCfgRpm.htm"; http_uri; fast_pattern; content:"&dnsserver="; http_uri; content:"&Save=Save"; http_uri; reference:url,www.xexexe.cz/2015/02/bruteforcing-tp-link-routers-with.html; classtype:attempted-admin; sid:2020880; rev:1; metadata:created_at 2015_04_08, updated_at 2015_04_08;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution"; flow:established,to_server; content:"POST"; http_method; content:"SOAPAction|3a|"; http_header; content:"http|3a|//purenetworks.com/HNAP1/"; fast_pattern; http_header; pcre:"/^SOAPAction\x3a\s+?[^\r\n]*?http\x3a\/\/purenetworks\.com\/HNAP1\/([^\x2f]+?[\x2f])?[^\x2f]/Hmi"; reference:url,devttys0.com/2015/04/hacking-the-d-link-dir-890l/; reference:cve,2016-6563; classtype:attempted-admin; sid:2020899; rev:3; metadata:created_at 2015_04_13, updated_at 2016_11_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 302"; flow:from_server,established; content:"302"; http_stat_code; content:"Found"; http_stat_msg; content:"Location|3a| file|3a 2f 2f|"; http_header; fast_pattern:only; reference:url,blog.cylance.com/redirect-to-smb; classtype:attempted-user; sid:2020916; rev:1; metadata:created_at 2015_04_15, updated_at 2015_04_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 301"; flow:from_server,established; content:"301"; http_stat_code; content:"Location|3a| file|3a 2f 2f|"; http_header; fast_pattern:only; reference:url,blog.cylance.com/redirect-to-smb; classtype:attempted-user; sid:2020917; rev:1; metadata:created_at 2015_04_15, updated_at 2015_04_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 307"; flow:from_server,established; content:"307"; http_stat_code; content:"Location|3a| file|3a 2f 2f|"; http_header; fast_pattern:only; reference:url,blog.cylance.com/redirect-to-smb; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/resurrection-of-the-living-dead-the-redirect-to-smb-vulnerability/; classtype:attempted-user; sid:2020976; rev:1; metadata:created_at 2015_04_23, updated_at 2015_04_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 303"; flow:from_server,established; content:"303"; http_stat_code; content:"Location|3a| file|3a 2f 2f|"; http_header; fast_pattern:only; reference:url,blog.cylance.com/redirect-to-smb; classtype:attempted-user; sid:2020977; rev:1; metadata:created_at 2015_04_23, updated_at 2015_04_23;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT WNR2000v4 HTTP POST RCE Attempt Via Timestamp Discovery"; flow:to_server,established; content:"POST"; http_method; content:"/apply_noauth.cgi"; http_uri; fast_pattern:only; content:"timestamp="; http_client_body; threshold: type both, track by_dst, count 10, seconds 60; reference:url,seclists.org/fulldisclosure/2015/Apr/72; classtype:attempted-admin; sid:2021018; rev:1; metadata:created_at 2015_04_27, updated_at 2015_04_27;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT Logjam Weak DH/DHE Export Suite From Server"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 63|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,weakdh.org; classtype:bad-unknown; sid:2021124; rev:2; metadata:created_at 2015_05_20, updated_at 2015_05_20;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT Logjam Weak DH/DHE Export Suite From Server"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 65|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,weakdh.org; classtype:bad-unknown; sid:2021125; rev:2; metadata:created_at 2015_05_20, updated_at 2015_05_20;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT AirLive RCI HTTP Request"; flow:to_server,established; content:"GET"; http_method; content:"/cgi_test.cgi?write_"; http_uri; fast_pattern:only; pcre:"/\?write_(?:m(?:ac|sn)|hdv|pid|tan)&[^&]*\x3b/Ui"; reference:url,packetstormsecurity.com/files/132585/CORE-2015-0012.txt; classtype:attempted-admin; sid:2021408; rev:1; metadata:created_at 2015_07_13, updated_at 2015_07_13;)

alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M1"; content:"|01 00 00 01 00 01|"; depth:6; offset:2; pcre:"/^.{4}[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021572; rev:3; metadata:created_at 2015_08_01, updated_at 2015_08_01;)

alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M2"; content:"|01 00 00 01|"; depth:4; offset:2; content:"|00 01|"; distance:4; within:2; pcre:"/^[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021573; rev:4; metadata:created_at 2015_08_01, updated_at 2015_08_01;)

alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M3"; content:"|00 00 00 01 00 01|"; depth:6; offset:2; pcre:"/^.{4}[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021574; rev:3; metadata:created_at 2015_08_01, updated_at 2015_08_01;)

alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M4"; content:"|00 00 00 01|"; depth:4; offset:2; content:"|00 01|"; distance:4; within:2; pcre:"/^[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021575; rev:4; metadata:created_at 2015_08_01, updated_at 2015_08_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Firefox PDF.js Same-Origin-Bypass CVE-2015-4495 M1"; flow:established,from_server; file_data; content:"|76 69 65 77 2d 73 6f 75 72 63 65 3a|"; nocase; content:"|61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 6f 7a 2d 70 6c 61 79 70 72 65 76 69 65 77 2d 70 64 66 6a 73|"; fast_pattern:15,20; nocase; content:"|73 61 6e 64 62 6f 78 43 6f 6e 74 65 78 74|"; nocase; content:"return "; pcre:"/\We[\s\x22\x27,+]*?v[\s\x22\x27,+]*?a[\s\x22\x27,+]*?l\W/"; reference:cve,2015-4495; classtype:attempted-user; sid:2021601; rev:1; metadata:created_at 2015_08_10, updated_at 2015_08_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Firefox PDF.js Same-Origin-Bypass CVE-2015-4495 M2"; flow:established,from_server; file_data; content:"|77 69 6e 64 6f 77 73 5f 73 65 61 72 63 68 5f 61 6e 64 5f 75 70 6c 6f 61 64 5f 69 6e 5f 61 70 70 5f 64 61 74 61 5f 62 79 5f 64 69 73 6b|"; nocase; content:"|64 71 2e 61 77 61 69 74 41 6c 6c 28 63 61 6c 6c 62 61 63 6b 29|"; nocase; reference:url,nakedsecurity.sophos.com/2015/08/07/firefox-zero-day-hole-used-against-windows-and-linux-to-steal-passwords/; reference:cve,2015-4495; classtype:attempted-user; sid:2021606; rev:1; metadata:created_at 2015_08_11, updated_at 2015_08_11;)

alert tcp any any -> any 8081 (msg:"ET EXPLOIT Websense Content Gateway submit_net_debug.cgi cmd_param Param Buffer Overflow Attempt"; flow:to_server,established; content:"POST"; nocase; content:"/submit_net_debug.cgi"; nocase; content:"cmd_param="; nocase; isdataat:500,relative; content:!"|0A|"; within:500; pcre:"/[\?\&]cmd_param=[^\&\r\n]{500}/si"; reference:cve,2015-5718; reference:url,seclists.org/fulldisclosure/2015/Aug/8; classtype:web-application-attack; sid:2021644; rev:1; metadata:created_at 2015_08_18, updated_at 2015_08_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer Memory Corruption Vulnerability (CVE-2015-2444)"; flow:from_server,established; file_data; content:"|3c 66 6f 72 6d 3e 3c 73 74 79 6c 65 3e 66 6f 72 6d 7b 2d 6d 73 2d 62 65 68 61 76 69 6f 72 3a 75 72 6c 28 22 63 22 29 3b 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 66 6f 72 6d 3e|"; nocase; fast_pattern:13,20; reference:cve,2015-2444; classtype:attempted-user; sid:2021713; rev:2; metadata:created_at 2015_08_25, updated_at 2015_08_25;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT FireEye Appliance Unauthorized File Disclosure"; flow:established,to_server; content:"/NEI_ModuleDispatch.php"; http_uri; content:"module=NEI_AdvancedConfig"; distance:0; http_uri; content:"&function=HapiGetFileContents"; http_uri; fast_pattern:10,19; distance:0; pcre:"/(?:%2(?:52e(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/))|e(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/)))|\.(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/)))/Ii"; reference:url,www.exploit-db.com/exploits/38090/; classtype:trojan-activity; sid:2021756; rev:4; metadata:created_at 2015_09_09, updated_at 2015_09_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - Shell"; flow:established,from_server; file_data; content:"|00 00 00 18 66 74 79 70|mp4"; within:13; content:"/system/bin/sh"; fast_pattern:only; reference:cve,2015-1538; reference:url,blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/; classtype:attempted-user; sid:2021757; rev:1; metadata:created_at 2015_09_10, updated_at 2015_09_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - ROP"; flow:established,from_server; file_data; content:"|00 00 00 18 66 74 79 70|mp4"; within:13; content:"|98 2A 00 B0 B3 38 00 B0|"; fast_pattern; content:"|00 10 00 00 07 00 00 00 03 D0 00 D0 04 D0 00 D0 44 11 00 B0|"; distance:4; within:20; reference:cve,2015-1538; reference:url,blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/; classtype:attempted-user; sid:2021758; rev:1; metadata:created_at 2015_09_10, updated_at 2015_09_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - STSC"; flow:established,from_server; file_data; content:"stsc|00 00 00 00 C0 00 00 03|"; fast_pattern; content:!"|00 00 00 00|"; within:4; pcre:"/^(?P<addr1>.{4})(?P<addr2>.{4})(?P=addr2)(?P=addr1)/Rsi"; reference:cve,2015-1538; reference:url,blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/; classtype:attempted-user; sid:2021759; rev:1; metadata:created_at 2015_09_10, updated_at 2015_09_10;)

alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Java Object Calling Common Collection Function"; flow:to_server,established; content:"rO0ABXNyA"; content:"jb21tb25zLmNvbGxlY3Rpb25z"; fast_pattern; distance:0; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022114; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)

alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Java Object Calling Common Collection Function"; flow:to_server,established; content:"|ac ed 00 05 73 72 00|"; fast_pattern; content:"commons.collections"; nocase; distance:0; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022115; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)

alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Java Object Generated by ysoserial"; flow:to_server,established; content:"|ac ed 00 05 73 72 00|"; fast_pattern; content:"java/io/Serializable"; nocase; distance:0; content:"ysoserial/payloads/util/Gadgets"; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022116; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)

alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Groovy Java Object Generated by ysoserial"; flow:to_server,established; content:"|ac ed 00 05 73 72 00|"; fast_pattern; content:"org.codehaus.groovy.runtime.ConversionHandler"; nocase; distance:0; content:"ysoserial/payloads/util/Gadgets"; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022117; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)

alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Spring Java Object Generated by ysoserial"; flow:to_server,established; content:"|ac ed 00 05 73 72 00|"; fast_pattern; content:"org.springframework.core.SerializableTypeWrapper"; nocase; distance:0; content:"ysoserial/payloads/util/Gadgets"; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022118; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Joomla RCE (JDatabaseDriverMysqli)"; flow:established,to_server; content:"JDatabaseDriverMysqli"; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]*JDatabaseDriverMysqli/Hmi"; reference:url,blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html; classtype:web-application-attack; sid:2022261; rev:1; metadata:created_at 2015_12_14, updated_at 2015_12_14;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Joomla RCE M2 (Serialized PHP in UA)"; flow:established,to_server; content:"O|3a|"; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]*\bO\x3a\d+\x3a[^\r\n]*?\{[^\r\n]*?\}/Hmi"; reference:url,blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html; classtype:web-application-attack; sid:2022263; rev:1; metadata:created_at 2015_12_15, updated_at 2015_12_15;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Joomla RCE M3 (Serialized PHP in XFF)"; flow:established,to_server; content:"O|3a|"; http_header; fast_pattern:only; pcre:"/^X-Forwarded-For\x3a[^\r\n]*\bO\x3a\d+\x3a[^\r\n]*?\{[^\r\n]*?\}/Hmi"; reference:url,blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html; classtype:web-application-attack; sid:2022268; rev:1; metadata:created_at 2015_12_15, updated_at 2015_12_15;)

alert tcp any any -> $HOME_NET 23 (msg:"ET EXPLOIT Juniper ScreenOS telnet Backdoor Default Password Attempt"; flow:established,to_server; content:"|3c 3c 3c 20 25 73 28 75 6e 3d 27 25 73 27 29 20 3d 20 25 75|"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_src; reference:cve,2015-7755; reference:url,community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor; classtype:attempted-admin; sid:2022291; rev:1; metadata:created_at 2015_12_21, updated_at 2015_12_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT TrendMicro node.js HTTP RCE Exploit Inbound (openUrlInDefaultBrowser)"; flow:from_server,established; file_data; content:"XMLHttpRequest"; nocase; content:"|3a|49155/api/openUrlInDefaultBrowser?"; fast_pattern:only; reference:url,code.google.com/p/google-security-research/issues/detail?id=693; classtype:attempted-user; sid:2022352; rev:1; metadata:created_at 2016_01_12, updated_at 2016_01_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT TrendMicro node.js HTTP RCE Exploit Inbound (showSB)"; flow:from_server,established; file_data; content:"XMLHttpRequest"; nocase; content:"|3a|49155/api/showSB?url="; fast_pattern:only; reference:url,code.google.com/p/google-security-research/issues/detail?id=693; classtype:attempted-user; sid:2022353; rev:1; metadata:created_at 2016_01_13, updated_at 2016_01_13;)

alert tcp any $SSH_PORTS -> any any (msg:"ET EXPLOIT Possible CVE-2016-0777 Server Advertises Suspicious Roaming Support"; flow:established,to_client; content:"|14|"; offset:6; content:"resume@appgate.com"; distance:0; content:!"AppGateSSH_5.2"; reference:cve,2016-0777; reference:url,www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt; classtype:attempted-user; sid:2022369; rev:1; metadata:created_at 2016_01_14, updated_at 2016_01_14;)

alert tcp any any -> any $SSH_PORTS (msg:"ET EXPLOIT Possible CVE-2016-0777 Client Sent Roaming Resume Request"; flow:established,to_server; content:"|14|"; offset:6; content:"roaming@appgate.com"; distance:0; content:!"AppGateSSH_5.2"; reference:cve,2016-0777; reference:url,www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt; classtype:attempted-user; sid:2022370; rev:2; metadata:created_at 2016_01_14, updated_at 2016_01_14;)

alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound"; flow:to_server; content:"|84 00 00|"; byte_test:1,<,9,0,relative; byte_jump:1,0,relative,post_offset -4; content:"|00 00 00|"; within:3; byte_test:1,<,8,0,relative; metadata: former_category EXPLOIT; reference:url,blog.exodusintel.com/2016/02/10/firewall-hacking; classtype:trojan-activity; sid:2022506; rev:3; metadata:created_at 2016_02_11, updated_at 2017_05_02;)

alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound 2"; flow:to_server; content:"|84 20|"; depth:2; offset:16; byte_test:2,<,9,12,relative; metadata: former_category EXPLOIT; reference:url,blog.exodusintel.com/2016/02/10/firewall-hacking; classtype:trojan-activity; sid:2022515; rev:2; metadata:created_at 2016_02_12, updated_at 2017_05_02;)

alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound 3"; flow:to_server; content:"|84 10|"; depth:2; offset:16; byte_test:2,<,9,12,relative; metadata: former_category EXPLOIT; reference:url,blog.exodusintel.com/2016/02/10/firewall-hacking; classtype:trojan-activity; sid:2022516; rev:2; metadata:created_at 2016_02_12, updated_at 2017_05_02;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT D-Link DCS-930L Remote Command Execution attempt"; flow:to_server,established; urilen:17; content:"POST"; nocase; http_method; content:"/setSystemCommand"; nocase; http_uri; content:"SystemCommand="; nocase; http_client_body; reference:url,www.exploit-db.com/exploits/39437/; classtype:web-application-attack; sid:2022518; rev:1; metadata:created_at 2016_02_12, updated_at 2016_02_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS16-009 IE MSHTML Form Element Type Confusion (CVE-2016-0061)"; flow:from_server,established; file_data; content:"opener"; nocase; fast_pattern; pcre:"/^\s*\[\s*[\x22\x27]\\u[a-f0-9]{4}\\u[a-f0-9]{4}/Rsi"; reference:cve,2016-0061; classtype:attempted-user; sid:2022524; rev:2; metadata:created_at 2016_02_16, updated_at 2016_02_16;)

alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible 2015-7547 Malformed Server response"; flow:from_server; content:"|00 01 00 00 00 00 00 00|"; offset:4; depth:8; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^[^\x00]+\x00\x00\x01/R"; reference:cve,2015-7547; classtype:attempted-user; sid:2022531; rev:1; metadata:created_at 2016_02_17, updated_at 2016_02_17;)

alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible 2015-7547 PoC Server Response"; flow:from_server; content:"|83 80 00 01 00 00 00 00 00 00|"; offset:2; depth:10; isdataat:2049; pcre:"/^(?:.[a-z0-9-]{2,}){2,}\x00\x00(?:\x01|\x1c)/Ri"; reference:cve,2015-7547; classtype:attempted-user; sid:2022542; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)

alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Long Response to A lookup"; flow:from_server; content:"|00 01|"; offset:4; depth:2; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^.{6}[^\x00]+/Rs"; content:"|00 00 01 00 01|"; within:5; reference:cve,2015-7547; classtype:attempted-user; sid:2022543; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)

alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Long Response to AAAA lookup"; flow:from_server; content:"|00 01|"; offset:4; depth:2; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^.{6}[^\x00]+/Rs"; content:"|00 00 1c 00 01|"; within:5; reference:cve,2015-7547; classtype:attempted-user; sid:2022544; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)

alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Malformed Server Response A/AAAA"; flow:from_server; content:"|00 01 00 00 00 00 00 00|"; offset:4; depth:10; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^(?:.[a-z0-9-]{2,}){2,}\x00\x00(?:\x01|\x1c)/Ri"; reference:cve,2015-7547; classtype:attempted-user; sid:2022545; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET EXPLOIT Possible CVE-2015-7547 A/AAAA Record Lookup Possible Forced FallBack(fb set)"; flow:established,to_server; byte_test:2,<,513,0; byte_test:1,!&,128,4; byte_test:1,!&,64,4; byte_test:1,!&,32,4; byte_test:1,!&,16,4; byte_test:1,!&,8,4; content:"|00 01 00 00 00 00 00 00|"; offset:6; depth:8; pcre:"/^(?:.[a-z0-9-]{2,}){2,}\x00\x00(?:\x01|\x1c)/Ri"; flowbits:set,ET.CVE20157547.primer; flowbits:noalert; reference:cve,2015-7547; classtype:attempted-user; sid:2022546; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)

alert tcp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Large Response to A/AAAA query"; flow:established,from_server; flowbits:isset,ET.CVE20157547.primer; byte_test:2,>,2048,0; byte_test:1,&,128,4; byte_test:1,!&,64,4; byte_test:1,!&,32,4; byte_test:1,!&,16,4; byte_test:1,!&,8,4; content:"|00 01|"; offset:6; depth:2; reference:cve,2015-7547; classtype:attempted-user; sid:2022547; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT FireEye Detection Evasion %temp% attempt - Inbound"; flow:to_server,established; content:"%"; http_raw_uri; content:"temp%"; nocase; http_raw_uri; within:7; pcre:"/\%(?:25)?temp\%/Ii"; content:"temp%"; fast_pattern:only; reference:url,labs.bluefrostsecurity.de/advisories/bfs-sa-2016-001/; classtype:misc-attack; sid:2022554; rev:1; metadata:created_at 2016_02_22, updated_at 2016_02_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT TrendMicro node.js (Remote Debugger)"; flow:from_server,established; file_data; content:"/json/new/"; content:"javascript|3a|require"; distance:0; content:"child_process"; fast_pattern; distance:0; content:"spawnSync"; distance:0; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=773; classtype:trojan-activity; sid:2022693; rev:1; metadata:created_at 2016_03_31, updated_at 2016_03_31;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Quanta LTE Router Information Disclosure Exploit Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/data.ria?CfgType=get_homeCfg&file="; http_uri; fast_pattern; depth:35; reference:url,pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html; classtype:attempted-admin; sid:2022698; rev:1; metadata:created_at 2016_04_05, updated_at 2016_04_05;)

alert udp $EXTERNAL_NET any -> $HOME_NET 39889 (msg:"ET EXPLOIT Quanta LTE Router UDP Backdoor Activation Attempt"; flow:to_server; content:"HELODBG"; reference:url,pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html; classtype:attempted-admin; sid:2022699; rev:1; metadata:created_at 2016_04_05, updated_at 2016_04_05;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Quanta LTE Router RDE Exploit Attempt 1 (ping)"; flow:to_server,established; content:"POST"; http_method; content:"/webpost.cgi"; http_uri; content:"|7b 22 43 66 67 54 79 70 65 22 3a 22 70 69 6e 67 22 2c 22 63 6d 64 22 3a 22 70 69 6e 67 22 2c 22 75 72 6c 22 3a 22|"; fast_pattern; pcre:"/^[^\x22]*[\x24\x60]+/Ri"; reference:url,pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html; classtype:attempted-admin; sid:2022700; rev:1; metadata:created_at 2016_04_05, updated_at 2016_04_05;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Quanta LTE Router RDE Exploit Attempt 2 (traceroute)"; flow:to_server,established; content:"POST"; http_method; content:"/webpost.cgi"; http_uri; content:"|7b 22 43 66 67 54 79 70 65 22 3a 22 74 72 61 63 65 72 74 22 2c 22 63 6d 64 22 3a 22 74 72 61 63 65 72 74 22 2c 22 75 72 6c 22 3a 22|"; fast_pattern; pcre:"/^[^\x22]*[\x24\x60]+/Ri"; reference:url,pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html; classtype:attempted-admin; sid:2022701; rev:1; metadata:created_at 2016_04_05, updated_at 2016_04_05;)

alert tcp any any -> any 6129 (msg:"ET EXPLOIT Dameware DMRC Buffer Overflow Attempt (CVE-2016-2345)"; flow:established,to_server; content:"|44 9c 00 00|"; depth:4; content:"|90 90 90 90 90 90 90 90|"; distance:0; content:"|eb 06 ff ff 61 11 40 00 90 90 90 e9 6b fa ff ff|"; distance:0; reference:cve,2016-2345; reference:url,www.securifera.com/blog/2016/04/03/fun-with-remote-controllers-dameware-mini-remote-control-cve-2016-2345; classtype:attempted-admin; sid:2022712; rev:1; metadata:created_at 2016_04_06, updated_at 2016_04_06;)

alert tcp any any -> $HOME_NET 8080 (msg:"ET EXPLOIT Linksys Router Unauthenticated Remote Code Execution"; flow:to_server,established; content:"POST"; http_method; content:".cgi"; http_uri; nocase; content:"%74%74%63%70%5f%69%70%3d%2d%68%20%60"; http_client_body; fast_pattern:only; content:"Authorization|3a| Basic"; http_header; reference:url,sans.org/reading-room/whitepapers/malicious/analyzing-backdoor-bot-mips-platform-35902; classtype:attempted-user; sid:2022758; rev:1; metadata:created_at 2016_04_25, updated_at 2016_04_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct M2"; flow:established,from_server; file_data; content:"redim"; nocase; fast_pattern:only; content:"Preserve"; nocase; content:"VBScript"; nocase; content:"chrw"; content:"32767"; distance:0; content:"chrw"; content:"2176"; distance:0; classtype:attempted-admin; sid:2022797; rev:1; metadata:created_at 2016_05_06, updated_at 2016_05_06;)

alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT CVE-2016-1287 Public Exploit ShellCode"; content:"|60 c7 02 90 67 b9 09 8b 45 f8 8b 40 5c 8b 40 04 8b 40 08 8b 40 04 8b 00 85 c0 74 3b 50 8b 40 08 8b 40 04 8d 98 d8 00 00 00 58 81 3b d0 d4 00 e1 75 e4 83 7b 04 31 74 de 89 d8 2d 00 01 00 00 c7 40 04 03 01 00 00 c7 40 0c d0 00 00 00 c7 80 f8|"; reference:url,github.com/exodusintel/disclosures/blob/master/CVE_2016_1287_PoC; classtype:attempted-admin; sid:2022820; rev:1; metadata:created_at 2016_05_18, updated_at 2016_05_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2016-2209 Symantec PowerPoint Parsing Buffer Overflow M1"; flow:established,from_server; file_data; content:"|C8 6A CD E5 F1 2C B0 16 E6 F2 36 7B 41 2E 7F 4B C4 27 13 CF F3 1F FF 2B A8 2B 3A FE 09 77 BE CE 29 00 00 BA 0F 91 03 00 00|"; content:!"|00 00|"; distance:503; within:2; content:"|00 00 BA 0F 16 01 00 00|"; distance:913; within:8; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:trojan-activity; sid:2022923; rev:1; metadata:created_at 2016_06_29, updated_at 2016_06_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2016-2209 Symantec PowerPoint Parsing Buffer Overflow M2"; flow:established,from_server; file_data; content:"|C8 6A CD E5 F1 2C B0 16 E6 F2 36 7B 41 2E 7F 4B C4 27 13 CF F3 1F FF 2B A8 2B 3A FE 09 77 BE CE 29 00 00 BA 0F A9 03 00 00|"; content:!"|00 00|"; distance:50; within:2; content:"|00 00 BA 0F 2E 01 00 00|"; distance:937; within:8; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:trojan-activity; sid:2022924; rev:1; metadata:created_at 2016_06_29, updated_at 2016_06_29;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow"; flow:established,from_server; file_data; content:"|4d 53 43 46|"; depth:4; byte_jump:4,8,little; isdataat:1; reference:cve,2016-2211; reference:cve,CVE-2014-9732; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:trojan-activity; sid:2022930; rev:1; metadata:created_at 2016_06_30, updated_at 2016_06_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M2"; flow:established,to_client; file_data; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|57 44 56 50 49 56 41 6c 51 45 46 51 57 7a 52 63 55 46 70 59 4e 54 51 6f 55 46 34 70 4e 30 4e 44 4b 54 64 39 4a 45 56 4a 51 30 46 53|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022932; rev:1; metadata:created_at 2016_06_30, updated_at 2016_06_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M1"; flow:established,to_client; file_data; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022933; rev:1; metadata:created_at 2016_06_30, updated_at 2016_06_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toserver M3"; flow:established,to_server;  content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|57 44 56 50 49 56 41 6c 51 45 46 51 57 7a 52 63 55 46 70 59 4e 54 51 6f 55 46 34 70 4e 30 4e 44 4b 54 64 39 4a 45 56 4a 51 30 46 53|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022935; rev:1; metadata:created_at 2016_06_30, updated_at 2016_06_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M4"; flow:established,to_client;  content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|57 44 56 50 49 56 41 6c 51 45 46 51 57 7a 52 63 55 46 70 59 4e 54 51 6f 55 46 34 70 4e 30 4e 44 4b 54 64 39 4a 45 56 4a 51 30 46 53|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022936; rev:1; metadata:created_at 2016_06_30, updated_at 2016_06_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M3"; flow:established,to_client;  content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022937; rev:1; metadata:created_at 2016_06_30, updated_at 2016_06_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toserver M4"; flow:established,to_server;  content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022938; rev:1; metadata:created_at 2016_06_30, updated_at 2016_06_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-0189 Common Construct M1"; flow:established,from_server; file_data; content:"%u0008%u4141%u4141%u4141"; nocase; content:"redim"; nocase; content:"Preserve"; content:"2000"; distance:0; pcre:"/^\s*?\x29/Rs";  content:"%u400C%u0000%u0000%u0000"; nocase; reference:url,theori.io/research/cve-2016-0189; reference:cve,2016-0189; classtype:attempted-user; sid:2022971; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag CVE_2016_0189, signature_severity Major, created_at 2016_07_15, performance_impact Low, updated_at 2016_07_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-0189 Common Construct M2"; flow:established,from_server; file_data; content:"triggerBug"; nocase; content:"Dim "; nocase; distance:0; content:".resize"; nocase; pcre:"/^\s*\x28/Rs";  content:"Mid"; pcre:"/^\s*?\(x\s*,\s*1,\s*24000\s*\x29/Rs"; reference:url,theori.io/research/cve-2016-0189; reference:cve,2016-0189; classtype:attempted-user; sid:2022972; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_07_15, performance_impact Low, updated_at 2016_07_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT LastPass RCE Attempt"; flow:from_server,established; file_data; content:"getBoundingClientRect"; nocase; content:"MouseEvent"; fast_pattern:only; content:"dispatchEvent"; nocase; pcre:"/^\s*\x28\s*new\s*MouseEvent\s*\x28\s*[\x22\x27]\s*click/Rsi"; content:"addEventListener"; nocase; pcre:"/^\s*\x28\s*[\x22\x27]\s*message/Rsi"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=884; classtype:trojan-activity; sid:2022989; rev:1; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_07_28, performance_impact Low, updated_at 2016_07_28;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8083 (msg:"GPL EXPLOIT WEB-MISC JBoss RMI class download service directory listing attempt"; flow:to_server,established; content:"GET %. HTTP/1."; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=111911095424496&w=2; classtype:web-application-attack; sid:2103461; rev:1; metadata:created_at 2016_08_04, updated_at 2016_08_04;)

alert udp any any -> any 161 (msg:"ET EXPLOIT Equation Group ExtraBacon Cisco ASA PMCHECK Disable"; content:"|bf a5 a5 a5 a5 b8 d8 a5 a5 a5 31 f8 bb a5|"; content:"|ac 31 fb b9 a5 b5 a5 a5 31 f9 ba a2 a5 a5 a5 31 fa cd 80 eb 14 bf|"; distance:2; within:22; content:"|31 c9 b1 04 fc f3 a4 e9 0c 00 00 00 5e eb ec e8 f8 ff ff ff 31 c0 40 c3|"; distance:4; within:24; reference:url,xorcatt.wordpress.com/2016/08/16/equationgroup-tool-leak-extrabacon-demo/; classtype:attempted-admin; sid:2023070; rev:1; metadata:affected_product Cisco_ASA, attack_target Server, deployment Datacenter, signature_severity Critical, created_at 2016_08_17, performance_impact Low, updated_at 2016_08_17;)

alert udp any any -> any 161 (msg:"ET EXPLOIT Equation Group ExtraBacon Cisco ASA AAAADMINAUTH Disable"; content:"|bf a5 a5 a5 a5 b8 d8 a5 a5 a5 31 f8 bb a5|"; content:"|ad 31 fb b9 a5 b5 a5 a5 31 f9 ba a2 a5 a5 a5 31 fa cd 80 eb 14 bf|"; distance:2; within:22; content:"|31 c9 b1 04 fc f3 a4 e9 0c 00 00 00 5e eb ec e8 f8 ff ff ff 31 c0 40 c3|"; distance:4; within:24; reference:url,xorcatt.wordpress.com/2016/08/16/equationgroup-tool-leak-extrabacon-demo/; classtype:attempted-admin; sid:2023071; rev:1; metadata:affected_product Cisco_ASA, attack_target Server, deployment Datacenter, signature_severity Critical, created_at 2016_08_17, performance_impact Low, updated_at 2016_08_17;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Equation Group EGREGIOUSBLUNDER Fortigate Exploit Attempt"; flow:established,to_server; content:"POST /index HTTP/1.1|0d 0a|Host|3a 20|"; depth:28; content:!"User-Agent|3a|"; distance:0; content:!"Content-Type|3a|"; distance:0; content:!"Referer|3a|"; distance:0; content:!"Accept"; distance:0; pcre:"/^[^\r\n]+\r\n/R"; content:"Content-length|3a 20|0|0d 0a|Cookie|3a 20|APSCOOKIE=Era=0&Payload="; within:51; fast_pattern:31,20; pcre:"/^[A-Za-z0-9+/]{0,4}?[^\x20-\x7e]/R"; classtype:attempted-admin; sid:2023075; rev:1; metadata:affected_product Fortigate, attack_target Server, deployment Datacenter, signature_severity Major, created_at 2016_08_17, performance_impact Low, updated_at 2016_08_17;)

alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET EXPLOIT CISCO FIREWALL SNMP Buffer Overflow Extrabacon (CVE-2016-6366)"; content:"|06 01 04 01 09 09 83 6B|"; pcre:"/^(?:\x01(?:(?:\x01(?:(?:\x04(?:(?:\x03(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b])?)?|\x04(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b])?)?|\x01(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a])?)?|\x02(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a])?)?))?|\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c])?|\x02(?:[\x01\x02\x03\x04])?|\x03(?:[\x01\x02])?))?|\x03(?:(?:\x03(?:\x01(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e])?)?)?|\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13])?|\x02(?:[\x01\x02])?))?|\x05(?:(?:\x02(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07])?)?|\x01(?:[\x01\x02\x03])?))?|\x02(?:(?:[\x01\x02]|\x03(?:\x01(?:[\x01\x02\x03])?)?))?|\x06(?:\x01(?:[\x01\x02\x03\x05\x06\x07\x08\x09\x0a\x0b])?)?|\x07(?:[\x01\x02])?|\x04))?|\x02(?:(?:\x02(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c])?|(?:\x01)?\x01))?)/Rsi"; content:"|81 10 81 10 81 10 81 10 81 10 81 10 81 10 81 10|"; within:160; fast_pattern; reference:cve,2016-6366; classtype:misc-attack; sid:2023086; rev:1; metadata:affected_product Cisco_ASA, attack_target Server, deployment Datacenter, signature_severity Critical, created_at 2016_08_25, performance_impact Low, updated_at 2016_08_25;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Challack Tool in use"; flow:no_stream,to_server; flags:R; dsize:1; content:"x"; threshold: type both, track by_dst, seconds 1, count 90; reference:url,www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf; reference:cve,2016-5696; classtype:misc-attack; sid:2023140; rev:2; metadata:affected_product Linux, attack_target Server, deployment Datacenter, signature_severity Major, created_at 2016_08_29, performance_impact Significant, updated_at 2016_08_29;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT RST Flood With Window"; flow:no_stream,to_server; flags:R; window:!0; threshold: type both, track by_dst, seconds 1, count 101; reference:url,www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf; reference:cve,2016-5696; classtype:misc-attack; sid:2023141; rev:2; metadata:affected_product Linux, attack_target Server, deployment Perimeter, signature_severity Major, created_at 2016_08_29, performance_impact Significant, updated_at 2016_08_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 (CVE 2016-3861) Set"; flow:established,from_server; file_data; content:"ftyp"; fast_pattern; offset:4; depth:4; content:"|00|"; distance:5; within:1; flowbits:set,ET.MP4Stagefright; flowbits:noalert; reference:cve,2016-3861; reference:url,googleprojectzero.blogspot.com.br/2016/09/return-to-libstagefright-exploiting.html; classtype:attempted-user; sid:2023184; rev:1; metadata:tag Android_Exploit, created_at 2016_09_12, updated_at 2016_09_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 (CVE 2016-3861) ROP"; flow:established,from_server; content:"ID3"; content:!"|FF|"; within:1; content:"|41 d8 41 d8 41 dc 41 d8 41 d8 41 dc|"; fast_pattern; within:800; pcre:"/^(\x41\xd8\x41\xd8\x41\xdc){2,}\x41\x00/R"; flowbits:isset,ET.MP4Stagefright; reference:cve,2016-3861; reference:url,googleprojectzero.blogspot.com.br/2016/09/return-to-libstagefright-exploiting.html; classtype:attempted-user; sid:2023185; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android_Exploit, signature_severity Major, created_at 2016_09_12, performance_impact Low, updated_at 2016_09_12;)

alert tcp any any -> $HOME_NET 3306 (msg:"ET EXPLOIT Possible MySQL CVE-2016-6662 Attempt"; flow:established,to_server; content:"|03|"; offset:4; content:"unhex"; nocase; distance:0; content:"67656e6572616c5f6c6f675f66696c65"; distance:0; nocase; content:"2e636e66"; nocase; content:"6e6d616c6c6f635f6c6962"; reference:cve,2016-6662; reference:url,legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html; classtype:attempted-admin; sid:2023201; rev:1; metadata:affected_product MySQL, attack_target Server, deployment Datacenter, created_at 2016_09_13, updated_at 2016_09_13;)

alert tcp any any -> $HOME_NET 3306 (msg:"ET EXPLOIT Possible MySQL cnf overwrite CVE-2016-6662 Attempt"; flow:established,to_server; content:"|03|"; offset:4; content:"global_log_dir"; nocase; distance:0; content:".cnf"; nocase; distance:0; content:"nmalloc_lib"; fast_pattern:only; reference:cve,2016-6662; reference:url,legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html; classtype:attempted-admin; sid:2023202; rev:1; metadata:affected_product MySQL, attack_target Server, deployment Datacenter, created_at 2016_09_13, updated_at 2016_09_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT CVE-2015-2419 As observed in Magnitude EK"; flow:established,from_server; file_data; content:"|5b 30 78 35 33 2c 20 30 78 35 35 2c 20 30 78 35 36 2c 20 30 78 65 38 2c 20 30 78 30 39 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 35 65 2c 20 30 78 35 64 2c 20 30 78 35 62 2c 20 30 78 38 62 2c 20 30 78 36 33 2c 20 30 78 30 63 2c 20 30 78 63 32 2c 20 30 78 30 63 2c 20 30 78 30 30 2c 20 30 78 39 30 5d|"; nocase; content:"|30 78 31 32 38 65 30 30 32 30|"; nocase; content:"|4a 53 4f 4e|"; nocase; content:"|73 74 72 69 6e 67 69 66 79|"; nocase; classtype:trojan-activity; sid:2023253; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Magnitude_EK, signature_severity Major, created_at 2016_09_21, malware_family Magnitude, updated_at 2016_09_21;)

alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible Cisco IKEv1 Information Disclosure Vulnerability CVE-2016-6415"; dsize:>828; content:"|00 00 00 00 00 00 00 00 01 10|"; offset:8; depth:10; content:"|80 02 00|"; distance:30; byte_test:1,<,3,0,relative; byte_test:1,>,0,0,relative; content:"|80 04 00 01 00 06|"; distance:1; within:6; fast_pattern; byte_test:2,>,768,0,relative; reference:cve,2016-6415; classtype:attempted-user; sid:2023311; rev:1; metadata:affected_product Cisco_PIX, attack_target Networking_Equipment, deployment Datacenter, signature_severity Major, created_at 2016_09_29, performance_impact Low, updated_at 2016_09_29;)

alert udp any any -> $DNS_SERVERS 53 (msg:"ET EXPLOIT BIND9 msg->reserved Assertion DoS Packet Inbound (CVE-2016-2776)"; dsize:>512; content:"|00 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; content:"|00 00 01 00 01|"; distance:0; content:"|00 00 FA|"; distance:0; reference:cve,cve-2016-2776; reference:url,blog.infobytesec.com/2016/10/a-tale-of-dns-packet-cve-2016-2776.html; classtype:attempted-dos; sid:2023317; rev:3; metadata:affected_product BIND, attack_target Server, deployment Datacenter, signature_severity Major, created_at 2016_10_04, updated_at 2016_10_05;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT COMTREND ADSL Router CT-5367 Remote DNS Change Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/dnscfg.cgi?"; http_uri; fast_pattern; nocase; content:"dnsPrimary="; http_uri; content:"dnsDynamic="; http_uri; nocase; content:"dnsRefresh="; http_uri; nocase; reference:url,www.expku.com/remote/5853.html; classtype:attempted-admin; sid:2023467; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_31, updated_at 2016_10_31;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Unknown Router Remote DNS Change Attempt"; flow:established,to_server; urilen:10; content:"POST"; http_method; content:"/setup.htm"; http_uri; nocase; content:"wan_proto=dhcp"; nocase; http_client_body; content:"dhcps_dns_1="; http_client_body; nocase; fast_pattern:only; content:"dhcps_mode=enabled"; http_client_body; nocase; content:"lan_proto=enable"; http_client_body; nocase; content:!"Cookie|3a|"; content:!"Authorization|3a|"; http_header; classtype:attempted-admin; sid:2023468; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_31, updated_at 2016_10_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible iOS Pegasus Safari Exploit (CVE-2016-4657)"; flow:established,from_server; file_data; content:"+="; pcre:"/^\s*?\x27try\s*?{}\s*?catch\x28e\x29\s*?{}\x3b/Rsi"; content:"Object"; pcre:"/^(?:\.|\[\s*?[\x22\x27])defineProperties\s*?\x28/Rsi"; content:"defineProperties"; fast_pattern:only; reference:cve,2016-4657; reference:url,blog.lookout.com/blog/2016/11/02/trident-pegasus-technical-details/; classtype:attempted-admin; sid:2023484; rev:1; metadata:affected_product iOS, affected_product Safari, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_11_07, performance_impact Low, updated_at 2016_11_07;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"ET EXPLOIT REDIS Attemted SSH Authorized Key Writing Attempt"; flow:established,to_server; content:"*"; depth:1; content:"config"; content:"set"; distance:0; content:"|0D 0A|dbfilename|0D 0A|"; distance:0; content:"|0D 0A|authorized_keys|0D 0A|"; distance:0; reference:url,antirez.com/news/96; classtype:attempted-admin; sid:2023511; rev:1; metadata:attack_target Client_Endpoint, deployment Datacenter, tag SCAN_Redis_SSH, signature_severity Major, created_at 2016_11_15, updated_at 2016_11_15;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"ET EXPLOIT REDIS Attempted SSH Key Upload"; flow:established,to_server; content:"*"; depth:1; content:"|0D 0A|set|0D 0A|"; content:"ssh-rsa "; distance:0; reference:url,antirez.com/news/96; classtype:attempted-admin; sid:2023512; rev:1; metadata:attack_target Client_Endpoint, deployment Datacenter, tag SCAN_Redis_SSH, signature_severity Major, created_at 2016_11_15, updated_at 2016_11_15;)

alert tcp any any -> any [5555,7547] (msg:"ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE "; flow:to_server,established; content:"urn|3a|dslforum-org|3a|service|3a|Time|3a|1#SetNTPServers"; nocase; fast_pattern:only; reference:url,devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/; reference:md5,a19d5b596992407796a33c5e15489934; classtype:trojan-activity; sid:2023548; rev:2; metadata:affected_product Eir_D1000_Modem, attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2016_11_28, updated_at 2016_11_29;)

alert tcp any any -> any [5555,7547] (msg:"ET EXPLOIT Eir D1000 Modem CWMP Exploit Retrieving Wifi Key"; flow:to_server,established; content:"urn|3a|dslforum-org|3a|service|3a|Time|3a|1#SetNTPServers"; nocase; fast_pattern:only; content:"|3c 75 3a 47 65 74 53 65 63 75 72 69 74 79 4b 65 79 73|"; reference:url,devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/; reference:md5,a19d5b596992407796a33c5e15489934; classtype:trojan-activity; sid:2023549; rev:2; metadata:affected_product Eir_D1000_Modem, attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2016_11_28, performance_impact Low, updated_at 2016_11_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Firefox 0-day used against TOR browser Nov 29 2016 M1"; flow:established,from_server; file_data; content:"|66 69 6e 64 50 6f 70 52 65 74|"; nocase; content:"|66 69 6e 64 53 74 61 63 6b 50 69 76 6f 74|"; nocase; content:"|56 69 72 74 75 61 6c 41 6c 6c 6f 63|"; nocase; content:"|72 6f 70 43 68 61 69 6e|"; nocase; content:"|6b 65 72 6e 65 6c 33 32 2e 64 6c 6c|"; nocase; reference:url,arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/; classtype:attempted-admin; sid:2023559; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Firefox, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2016_11_30, performance_impact Low, updated_at 2016_11_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Firefox 0-day used against TOR browser Nov 29 2016 M2"; flow:established,from_server; file_data; content:"|72 6f 70 43 68 61 69 6e 28 72 6f 70 42 61 73 65 2c 76 74 61 62 6c 65 5f 6f 66 66 73 65 74 2c 31 30 2c 72 6f 70 41 72 72 42 75 66 29 3b|"; nocase; reference:url,arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/; classtype:attempted-admin; sid:2023560; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Firefox, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2016_11_30, performance_impact Low, updated_at 2016_11_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-3210 Exploit Observed ITW M1 Nov 30"; flow:established,from_server; file_data; content:"|43 6f 6c 6c 65 63 74 47 61 72 62 61 67 65|"; nocase; content:"|73 70 72 61 79 48 65 61 70|"; nocase; content:"|73 65 74 41 64 64 72 65 73 73|"; nocase; content:"|30 78 63 36 62 65 63|"; nocase; content:"|30 78 46 46 46 46 30 30 30 30|"; nocase; classtype:attempted-admin; sid:2023568; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_11_30, updated_at 2016_11_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-3210 Exploit Observed ITW M1 Nov 30"; flow:established,from_server; file_data; content:"|77 72 69 74 65 4e 28 72 6f 70 61 64 64 72 20 2b 20 69 20 2a 20 34 2c 20 72 6f 70 5b 69 5d 2c 20 34 29 3b|"; classtype:attempted-admin; sid:2023569; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_11_30, updated_at 2016_11_30;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Netgear R7000 Command Injection Exploit"; flow:established,to_server; content:"/cgi-bin/"; http_uri; depth:9; content:"$IFS"; http_uri; fast_pattern; distance:0; content:"|3b|"; http_uri; reference:url,www.kb.cert.org/vuls/id/582384; classtype:attempted-user; sid:2023628; rev:2; metadata:affected_product Netgear_Router, attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2016_12_12, performance_impact Low, updated_at 2016_12_12;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2016-10033 PHPMailer RCE Attempt"; flow:to_server,established; content:"POST"; http_method; content:"Content-Type|3a 20|multipart/form-data|3b|"; http_header; content:"<?php"; http_client_body; fast_pattern; content:"|5c 22 20|"; http_client_body; content:"-X"; http_client_body; content:".php"; http_client_body; content:"@"; http_client_body; reference:url,legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html; reference:url,github.com/opsxcq/exploit-CVE-2016-10033; classtype:attempted-user; sid:2023686; rev:1; metadata:affected_product PHPMailer, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2016_12_27, performance_impact Low, updated_at 2016_12_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) Observed in SunDown EK 3"; flow:established,from_server; file_data; content:"|66 75 6e 63 74 69 6f 6e 20 54 72 69 67 67 65 72 46 69 6c 6c 46 72 6f 6d 50 72 6f 74 6f 74 79 70 65 73 42 75 67 28 6c 6f 2c 20 68 69 29|"; nocase; content:"|63 68 61 6b 72 61 42 61 73 65 2e 61 64 64|"; nocase; content:"|73 68 63 6f 64 65 41 64 64 72 2e 61 6e 64|"; nocase; classtype:trojan-activity; sid:2023699; rev:2; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Critical, created_at 2017_01_06, updated_at 2017_01_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) Observed in SunDown EK 1"; flow:established,to_client; file_data; content:"0x1DA2F5"; fast_pattern; nocase; content:"0x1DA2CB"; nocase; distance:0; content:"getPrototypeOf"; nocase; content:".__proto__"; nocase; content:"Symbol.species"; reference:cve,2016-7200; reference:url,malware.dontneedcoffee.com/2017/01/CVE-2016-7200-7201.html; classtype:attempted-user; sid:2023700; rev:1; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Critical, created_at 2017_01_06, updated_at 2017_01_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) Observed in SunDown EK 2"; flow:established,to_client; file_data; content:"rop.length"; fast_pattern; nocase; content:"Write64"; nocase; distance:0; pcre:"/^\s*\x28\s*retPtrAddr\.add\s*\x28\s*i\s*\*\s*8\s*\x29\s*,\s*rop\s*\x5b/Rsi"; reference:cve,2016-7200; reference:url,malware.dontneedcoffee.com/2017/01/CVE-2016-7200-7201.html; classtype:attempted-user; sid:2023701; rev:1; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Critical, created_at 2017_01_06, updated_at 2017_01_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) B641"; flow:established,from_server; file_data; content:"VHJpZ2dlckZpbGxGcm9tUHJvdG90eXBlc0J1Z"; classtype:trojan-activity; sid:2023702; rev:1; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Critical, created_at 2017_01_06, updated_at 2017_01_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) B642"; flow:established,from_server; file_data; content:"RyaWdnZXJGaWxsRnJvbVByb3RvdHlwZXNCdW"; classtype:trojan-activity; sid:2023703; rev:1; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Critical, created_at 2017_01_06, updated_at 2017_01_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) B643"; flow:established,from_server; file_data; content:"UcmlnZ2VyRmlsbEZyb21Qcm90b3R5cGVzQnVn"; classtype:trojan-activity; sid:2023704; rev:1; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Critical, created_at 2017_01_06, updated_at 2017_01_06;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET EXPLOIT Possible Ticketbleed Client Hello (CVE-2016-9244)"; flow:established,from_client; content:"|16 03|"; depth:2; content:"|01|"; distance:3; within:1; content:"|03 03|"; distance:3; within:2; byte_test:1,<,32,32,relative; byte_test:1,>,1,32,relative; flowbits:set,ET.ticketbleed; flowbits:noalert; reference:cve,2016-9244; reference:url,filippo.io/Ticketbleed; classtype:misc-attack; sid:2023896; rev:3; metadata:affected_product HTTP_Server, attack_target Server, deployment Datacenter, signature_severity Major, created_at 2017_02_10, performance_impact Moderate, updated_at 2017_02_13;)

#alert tcp $HOME_NET 443 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Ticketbleed Server Hello (CVE-2016-9244)"; flow:established,to_client; content:"|16 03|"; depth:2; content:"|02|"; distance:3; within:1; content:"|03 03|"; distance:3; within:2; content:"|20|"; distance:32; within:1; flowbits:isset,ET.ticketbleed; reference:url,filippo.io/Ticketbleed; reference:cve,2016-9244; classtype:misc-attack; sid:2023897; rev:3; metadata:affected_product HTTP_Server, attack_target Server, deployment Datacenter, signature_severity Major, created_at 2017_02_10, performance_impact Moderate, updated_at 2017_02_13;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT TP-LINK DNS Change GET Request (DNSChanger EK)"; flow:to_server,established; content:"GET"; http_method; content:"/userRpm/"; http_uri; depth:9; fast_pattern; content:"&dnsserver="; http_uri; threshold:type both,track by_dst,count 3, seconds 90; reference:url,www.xexexe.cz/2015/02/bruteforcing-tp-link-routers-with.html; classtype:attempted-admin; sid:2023995; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, deployment Internet, signature_severity Major, created_at 2017_02_17, performance_impact Moderate, updated_at 2017_02_17;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT TP-LINK Password Change GET Request (DNSChanger EK)"; flow:to_server,established; content:"GET"; http_method; content:"/router/UserPassSet.cgi?"; http_uri; depth:24; fast_pattern; content:"new_user_name="; http_uri; content:"password1="; http_uri; threshold:type limit,track by_dst,count 3, seconds 90; reference:url,www.xexexe.cz/2015/02/bruteforcing-tp-link-routers-with.html; classtype:attempted-admin; sid:2023996; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, deployment Internal, signature_severity Major, created_at 2017_02_17, performance_impact Moderate, updated_at 2017_02_17;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 8880 (msg:"ET EXPLOIT IBM WebSphere - RCE Java Deserialization"; flow:to_server,established; content:"SOAPAction|3a| |22|urn:AdminService|22|"; content:"<objectname xsi|3a|type=|22|ns1|3a|javax.management.ObjectName|22|>"; content:"vcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbn"; fast_pattern:only; metadata: former_category EXPLOIT; reference:cve,2015-7450; classtype:attempted-user; sid:2024062; rev:2; metadata:affected_product IBM_Websphere, attack_target Server, deployment Perimeter, signature_severity Major, created_at 2017_03_15, performance_impact Low, updated_at 2017_03_15;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 2381 (msg:"ET EXPLOIT HP Smart Storage Administrator Remote Command Injection"; flow:to_server,established; content:"echo -n|20|"; pcre:"/^\s*(?:f0VMR|9FTE|\/RUxG)/R"; metadata: former_category EXPLOIT; reference:cve,2016-8523; classtype:attempted-user; sid:2024063; rev:2; metadata:affected_product HP_Smart_Storage_Administrator, attack_target Server, deployment Datacenter, signature_severity Critical, created_at 2017_03_15, performance_impact Low, updated_at 2017_03_15;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT NETGEAR WNR2000v5 hidden_lang_avi Stack Overflow (CVE-2016-10174)"; flow:to_server,established; content:"/lang_check.html"; http_uri; content:"timestamp="; http_uri; content:"&hidden_lang_avi="; isdataat:36,relative; content:!"|00|"; within:36; content:!"|25|"; within:36; content:!"|26|"; within:36; metadata: former_category EXPLOIT; classtype:attempted-admin; sid:2024121; rev:4; metadata:affected_product Netgear_Router, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_30, performance_impact Low, updated_at 2017_03_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT D-LINK DIR-615 Cross-Site Request Forgery (CVE-2017-7398)"; flow:from_server,established; file_data; content:"/form2WlanBasicSetup.cgi"; fast_pattern; nocase; content:"method"; nocase; distance:0; pcre:"/^\s*=\s*[\x27\x22]\s*POST/Rsi"; content:"ssid"; nocase; content:"save"; nocase; content:"Apply"; nocase; distance:0; metadata: former_category EXPLOIT; reference:cve,CVE-2017-7398; classtype:attempted-user; sid:2024181; rev:2; metadata:affected_product D_Link_DIR_615, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_05, performance_impact Low, updated_at 2017_04_05;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT TP-Link Archer C2 and Archer C20i Remote Code Execution"; flow:to_server,established; content:"POST"; http_method; content:"/cgi?"; http_uri; nocase; content:"/mainFrame.htm"; http_header; content:"IPPING"; nocase; http_client_body; content:"X_TP_ConnName=ewan_ipoe_s"; fast_pattern; http_client_body; metadata: former_category EXPLOIT; reference:url,github.com/reverse-shell/routersploit/blob/master/routersploit/modules/exploits/tplink/archer_c2_c20i_rce.py; classtype:attempted-recon; sid:2024191; rev:2; metadata:affected_product TPLINK, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_07, performance_impact Low, updated_at 2017_04_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-0199 HTA Inbound"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; content:"Content-Type|3a 20|application/hta|0d 0a|"; http_header; file_data; content:"|7b 5c 72 74|"; distance:1; content:"|7b 5c|"; distance:0; content:"|7b 5c|"; distance:0;  metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2024192; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_Endpoint, deployment Perimeter, cve 2017_0199, signature_severity Major, created_at 2017_04_10, performance_impact Low, updated_at 2017_08_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-0199 HTA Inbound M2"; flow:established,from_server; content:"Content-Type|3a 20|application/hta|0d 0a|"; http_header; file_data; content:"|2e 65 78 70 61 6e 64 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 74 72 69 6e 67 73 28 22 25 41 50 50 44 41 54 41 25 22 29 20|"; content:"|4d 65 6e 75 5c 50 72 6f 67 72 61 6d 73 5c 53 74 61 72 74 75 70 5c|";  metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2024193; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_Endpoint, deployment Perimeter, cve 2017_0199, signature_severity Major, created_at 2017_04_10, performance_impact Low, updated_at 2017_08_07;)

alert tcp any any -> $HOME_NET 23 (msg:"ET EXPLOIT Cisco Catalyst Remote Code Execution (CVE-2017-3881)"; flow:to_server,established; content:"|ff fa 24 00 03|CISCO_KITS"; content:"|3a|"; distance:2; within:1; isdataat:160,relative; content:!"|3a|"; within:160; metadata: former_category EXPLOIT; reference:url,artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/; classtype:attempted-user; sid:2024194; rev:1; metadata:affected_product CISCO_Catalyst, attack_target IoT, deployment Datacenter, signature_severity Critical, created_at 2017_04_10, performance_impact Low, updated_at 2017_04_10;)

alert tcp $HOME_NET 445 -> any any (msg:"ET EXPLOIT Possible ETERNALROMANCE MS17-010"; flow:from_server,established; content:"|FF|SMB|25 05 00 00 80|"; offset:4; depth:9; content:"LSbfLScnLSepLSlfLSmf"; distance:0; fast_pattern; content:"LSrfLSsrLSscLSblLSss"; within:20; content:"LSshLStrLStcLSopLScd"; within:20; flowbits:set,ETPRO.ETERNALROMANCE; metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2024208; rev:2; metadata:attack_target SMB_Server, deployment Internal, signature_severity Critical, created_at 2017_04_17, updated_at 2017_04_17;)

alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Possible Successful ETERNALROMANCE MS17-010 - Windows Executable Observed"; flow:to_server,established; flowbits:isset,ETPRO.ETERNALROMANCE; content:"|FF|SMB|26 00 00 00 00|"; offset:4; depth:9; content:"|4d 5a|"; distance:0; content:"This program cannot be run"; nocase; distance:0; fast_pattern:6,20; metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2024207; rev:2; metadata:attack_target SMB_Server, deployment Internal, signature_severity Critical, created_at 2017_04_17, updated_at 2017_04_17;)

alert tcp $HOME_NET 445 -> any any (msg:"ET EXPLOIT Possible DOUBLEPULSAR Beacon Response"; flow:from_server,established; content:"|00 00 00 23 ff|SMB2|02 00 00 c0 98 07 c0 00 00|"; depth:18; content:"|00 00 00 08 ff fe 00 08|"; distance:8; within:8; fast_pattern; pcre:"/^[\x50-\x59]/R"; content:"|00 00 00|"; distance:1; within:3; isdataat:!1,relative; metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2024216; rev:2; metadata:attack_target SMB_Server, deployment Internal, signature_severity Critical, created_at 2017_04_17, updated_at 2017_04_17;)

alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Possible ECLIPSEDWING RPCTOUCH MS08-067"; flow:to_server,established;  content:"|ff|SMB|2f 00 00 00 00|"; offset:4; depth:9; content:"NTLMSSP|00 03 00 00 00 01 00 01 00|"; distance:0; fast_pattern; content:"|00 00 00 00 49 00 00 00|"; distance:4; within:8; content:"|00 00 00 00 48 00 00 00|"; within:8; content:"|00 00 00 00 48 00 00 00|"; within:8; content:"|00 00 00 00 48 00 00 00|"; within:8; content:"|00 00 00 00 49 00 00 00|"; within:8; content:"|00 00 00 00 00 00 00 00 00|"; distance:4; within:9; isdataat:!1,relative; metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2024214; rev:2; metadata:attack_target SMB_Server, deployment Internal, signature_severity Critical, created_at 2017_04_17, updated_at 2017_04_17;)

alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Possible ECLIPSEDWING MS08-067"; flow:to_server,established; content:"|ff|SMB|2f 00 00 00 00|"; offset:4; depth:9; content:"|00 00 00 00 ff ff ff ff 08 00|"; distance:30; within:10; content:"|2e 00 00 00 00 00 00 00 2e 00 00 00|"; distance:0; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; within:12; fast_pattern; content:"|2e 00 00 00 00 00 00 00 2e 00 00 00|"; distance:0; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; within:12; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; distance:0; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; distance:0; isdataat:800,relative; metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2024215; rev:2; metadata:attack_target SMB_Server, deployment Internal, signature_severity Critical, created_at 2017_04_17, updated_at 2017_04_17;)

alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Possible ETERNALCHAMPION MS17-010 Sync Request (set)"; flow:to_server,established; content:"|ff|SMB|25 00 00 00 00 18 03 c0 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:4; depth:24; content:"|00 00 00 00 ff ff ff ff 00 00|"; distance:17; within:10; content:"|5c 00 50 00 49 00 50 00 45 00 5c 00 4c 00 41 00 4e 00 4d 00 41 00 4e 00 00 00|"; distance:13; within:26; content:"|82 00|zb12g12DWrLehig24"; within:19; fast_pattern; flowbits:set,ET.ETERNALCHAMPIONsync; flowbits:noalert; metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2024212; rev:2; metadata:attack_target SMB_Server, deployment Internal, signature_severity Critical, created_at 2017_04_17, updated_at 2017_04_17;)

alert tcp $HOME_NET 445 -> any any (msg:"ET EXPLOIT Possible ETERNALCHAMPION MS17-010 Sync Response"; flow:from_server,established; flowbits:isset,ET.ETERNALCHAMPIONsync; content:"|ff|SMB|25 00 00 00 00 98 03 c0 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:4; depth:24; fast_pattern:4,20; content:"|7c 00|"; distance:32; within:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:20; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:100; within:20; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:100; within:20; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:100; within:20; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:0; isdataat:!1,relative; metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2024213; rev:3; metadata:attack_target SMB_Server, deployment Internal, signature_severity Critical, created_at 2017_04_17, updated_at 2017_04_17;)

alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray"; flow:to_server,established; content:"|ff|SMB|33 00 00 00 00 18 07 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 08 ff fe 00 08|"; offset:4; depth:30; fast_pattern:10,20; content:"|00 09 00 00 00 10|"; distance:1; within:6; content:"|00 00 00 00 00 00 00 10|"; within:8; content:"|00 00 00 10|"; distance:4; within:4; pcre:"/^[a-zA-Z0-9+/]{1000,}/R"; threshold: type both, track by_src, count 3, seconds 30; metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2024217; rev:4; metadata:attack_target SMB_Server, deployment Internal, signature_severity Critical, created_at 2017_04_17, updated_at 2017_05_13;)

alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)"; flow:to_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 18 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:set,ET.ETERNALBLUE; flowbits:noalert; metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2024220; rev:3; metadata:attack_target SMB_Server, deployment Internal, signature_severity Critical, created_at 2017_04_17, updated_at 2017_11_27;)

alert tcp $HOME_NET 445 -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ET.ETERNALBLUE; metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2024218; rev:3; metadata:attack_target SMB_Server, deployment Internal, signature_severity Critical, created_at 2017_04_17, updated_at 2017_11_27;)

alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Possible ETERNALROMANCE MS17-010 Heap Spray"; flow:to_server,established; content:"|ff|SMB|25 00 00 00 00 18|"; offset:4; depth:10; content:"|07 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 08|"; fast_pattern; within:16; content:"|00 08|"; distance:2; within:2; content:"|0e 00 00 40 00|"; distance:2; within:5; content:"|00 00 00 00 00 00 01 00 00 00 00 00 00 00 00|"; distance:2; within:15; content:"|00 00 00 00 00 00 00 00 00|"; isdataat:!1,relative; threshold: type threshold, track by_src, count 20, seconds 1; metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2024219; rev:2; metadata:attack_target SMB_Server, deployment Internal, signature_severity Critical, created_at 2017_04_17, updated_at 2017_04_17;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Possible EXPLODINGCAN IIS5.0/6.0 Exploit Attempt"; flow:to_server,established; urilen:1; content:"PROPFIND"; http_method; content:"Content-Length|3a 20|0|0d 0a|Host|3a 20|"; http_header; depth:25; content:"|0d 0a|If|3a 20|<http"; fast_pattern; http_header; metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2024222; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Critical, created_at 2017_04_18, updated_at 2017_04_18;)

alert tcp any any -> $HOME_NET 8082 (msg:"ET EXPLOIT BlueCoat CAS v1.3.7.1 Report Email Command Injection attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/report-email/send"; nocase; http_uri; content:"/dev-report-overview.html"; nocase; http_client_body; content:"|3B|"; http_client_body; distance:0; pcre:"/\/dev-report-overview\.html[^\"]*?\x3b/Pi"; metadata: former_category EXPLOIT; reference:cve,2016-9091; reference:url,www.exploit-db.com/exploits/41785/; reference:url,bto.bluecoat.com/security-advisory/sa138; classtype:web-application-attack; sid:2024234; rev:1; metadata:affected_product HTTP_Server, attack_target Web_Server, deployment Internal, signature_severity Major, created_at 2017_04_21, performance_impact Moderate, updated_at 2017_04_21;)

alert tcp any any -> $HOME_NET [16992,16993,623,664] (msg:"ET EXPLOIT Intel AMT Login Attempt Detected (CVE 2017-5689)"; flow:to_server,established; content:"Authorization|3a 20|Digest"; content:"username=|22|"; distance:0; content:"response="; distance:0; fast_pattern; pcre:"/^\s*\x22{2}/R"; metadata: former_category EXPLOIT; reference:url,mjg59.dreamwidth.org/48429.html; reference:url,www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability; reference:cve,2017-5689; classtype:attempted-admin; sid:2024287; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internal, signature_severity Major, created_at 2017_05_10, performance_impact Moderate, updated_at 2017_05_10;)

alert tcp any any -> any 445 (msg:"ET EXPLOIT ETERNALBLUE Exploit M2 MS17-010"; flow:established,to_server; content:"|8000a80000000000000000000000000000000000ffff000000000000ffff0000000000000000000000000000000000000000000000f1dfff000000000000000020f0dfff00f1dfffffffffff600004100000000080efdfff|"; metadata: former_category CURRENT_EVENTS; reference:cve,CVE-2017-0143; classtype:attempted-admin; sid:2024297; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_16, performance_impact Low, updated_at 2017_07_06;)

alert tcp any any -> $HOME_NET 1556 (msg:"ET EXPLOIT NB8-01 - Unauthed RCE via bprd"; flow:established,to_server; content:"ack="; depth:4; content:"extension=bprd"; distance:0; fast_pattern; pcre:"/^.*?[\x24\x60]/R"; metadata: former_category EXPLOIT; reference:url,seclists.org/fulldisclosure/2017/May/27; classtype:web-application-attack; sid:2024308; rev:1; metadata:attack_target Server, deployment Internal, signature_severity Major, created_at 2017_05_17, performance_impact Moderate, updated_at 2017_05_17;)

alert tcp any any -> $HOME_NET 1556 (msg:"ET EXPLOIT NB8-02 - Possible Unauthed RCE via nbbsdtar"; flow:established,to_server; content:"ack="; depth:4; content:"extension=bprd"; distance:0; fast_pattern; content:"/bin/"; distance:0; metadata: former_category EXPLOIT; reference:url,seclists.org/fulldisclosure/2017/May/27; classtype:web-application-attack; sid:2024309; rev:1; metadata:attack_target Server, deployment Internal, signature_severity Major, created_at 2017_05_17, performance_impact Moderate, updated_at 2017_05_17;)

alert tcp any any -> $HOME_NET 1556 (msg:"ET EXPLOIT NB8-04 - Possible Unauthed RCE via whitelist bypass"; flow:established,to_server; content:"ack="; depth:4; content:"extension=bprd"; distance:0; fast_pattern; content:"BPCD_WHITELIST_PATH"; distance:0; metadata: former_category EXPLOIT; reference:url,seclists.org/fulldisclosure/2017/May/27; classtype:web-application-attack; sid:2024310; rev:1; metadata:attack_target Server, deployment Internal, signature_severity Major, created_at 2017_05_17, performance_impact Moderate, updated_at 2017_05_17;)

alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Samba Arbitrary Module Loading Vulnerability (.so file write to share) (CVE-2017-7494)"; flow:to_server,established; content:"SMB|2d 00|"; offset:5; depth:5; content:"|00 00|"; distance:1; within:2; content:"|12 00|"; distance:40; within:2; content:"|2e|so|00|"; fast_pattern; distance:16; metadata: former_category EXPLOIT; reference:cve,2017-7494; reference:url,github.com/rapid7/metasploit-framework/pull/8450; classtype:attempted-admin; sid:2024335; rev:1; metadata:attack_target SMB_Server, deployment Datacenter, signature_severity Critical, created_at 2017_05_25, performance_impact Low, updated_at 2017_05_25;)

alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Samba Arbitrary Module Loading Vulnerability (NT Create AndX .so) (CVE-2017-7494)"; flow:to_server,established; content:"SMB|a2 00|"; offset:5; depth:5; content:"|00 00|"; distance:1; within:2; content:"|2e|so|00|"; fast_pattern; distance:16; metadata: former_category EXPLOIT; reference:cve,2017-7494; reference:url,github.com/rapid7/metasploit-framework/pull/8450; classtype:attempted-admin; sid:2024336; rev:1; metadata:attack_target SMB_Server, deployment Datacenter, signature_severity Critical, created_at 2017_05_25, performance_impact Low, updated_at 2017_05_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible $MFT NTFS Device Access in HTTP Response"; flow:from_server,established; content:"file://"; content:"/$MFT/"; distance:0; fast_pattern; content:"src"; pcre:"/^\s*=\s*[^>]*file\x3a[^>]*\/\x24MFT\//Ris"; metadata: former_category EXPLOIT; reference:url,www.securitytracker.com/id/1038575; classtype:trojan-activity; sid:2024337; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_30, performance_impact Moderate, updated_at 2017_05_30;)

alert udp any any -> $HOME_NET 50000  (msg:"ET EXPLOIT Win32/Industroyer DDOS Siemens SIPROTEC (CVE-2015-5374)"; dsize:18; content:"|11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E|"; fast_pattern:only; metadata: former_category EXPLOIT; reference:url,www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf; classtype:attempted-dos; sid:2024376; rev:1; metadata:attack_target Client_and_Server, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2017_06_12, performance_impact Low, updated_at 2017_06_12;)

alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Samba Arbitrary Module Loading Vulnerability M2 (NT Create AndX .so) (CVE-2017-7494)"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|05 00|"; distance:8; within:2; content:"|00 2e 00 73 00 6f 00|"; distance:0; fast_pattern; isdataat:!1,relative; metadata: former_category EXPLOIT; reference:cve,2017-7494; classtype:attempted-admin; sid:2024384; rev:1; metadata:affected_product Linux, attack_target Server, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2017_06_16, performance_impact Moderate, updated_at 2017_06_16;)

alert tcp any any -> $HOME_NET 9100 (msg:"ET EXPLOIT HP Printer Attempted Path Traversal via PJL"; flow:to_server,established; content:"@PJL FS"; depth:7;  content:"NAME="; distance:0; pcre:"/^\s*[\x22\x27][^\x22\x27]{0,128}\x2e\x2e/Ri"; metadata: former_category EXPLOIT; reference:url,www.tenable.com/blog/rooting-a-printer-from-security-bulletin-to-remote-code-execution; reference:cve,2017-2741; classtype:attempted-admin; sid:2024404; rev:2; metadata:attack_target IoT, deployment Internal, signature_severity Major, created_at 2017_06_16, performance_impact Moderate, updated_at 2017_06_20;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Possible SharePoint XSS (CVE-2017-8514) Inbound"; flow:to_server,established; content:"FollowSite="; http_uri; nocase; fast_pattern; content:"SiteName="; nocase; http_uri; content:"-confirm"; http_uri; nocase; distance:0; metadata: former_category EXPLOIT; reference:url,respectxss.blogspot.fr/2017/06/a-look-at-cve-2017-8514-sharepoints.html; classtype:attempted-user; sid:2024412; rev:2; metadata:affected_product HTTP_Server, attack_target Server, deployment Internal, signature_severity Major, created_at 2017_06_19, performance_impact Moderate, updated_at 2017_06_19;)

alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Possible ETERNALBLUE Exploit M3 MS17-010"; flow:to_server,established; content:"|ff|SMB|32 00 00 00 00 18 07 c0|"; offset:4; depth:12; content:"|00 00 00 00 00 00 00 00 00 00 00 08 ff fe 00 08|"; distance:2; within:16; fast_pattern; content:"|0f 0c 00 00 10 01 00 00 00 00 00 00 00 f2 00 00 00 00 00 0c 00 42 00 00 10 4e 00 01 00 0e 00 0d 10 00|"; distance:2; within:34; isdataat:1000,relative; threshold: type both, track by_src, count 10, seconds 1; metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2024430; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, deployment Internal, signature_severity Critical, created_at 2017_06_27, updated_at 2017_07_06;)

alert tcp $HOME_NET any -> $HOME_NET 42 (msg:"ET EXPLOIT Possible WINS Server Remote Memory Corruption Vulnerability"; flow:to_server,established; dsize:48; content:"|00 00 78 00|"; offset:4; depth:4; content:"|00 00 00 05|"; offset:16; depth:4; fast_pattern; threshold: type both, count 3, seconds 1, track by_src; metadata: former_category EXPLOIT; reference:url,blog.fortinet.com/2017/06/14/wins-server-remote-memory-corruption-vulnerability-in-microsoft-windows-server; classtype:attempted-user; sid:2024435; rev:1; metadata:affected_product Windows_DNS_server, attack_target DNS_Server, deployment Datacenter, signature_severity Major, created_at 2017_06_29, performance_impact Low, updated_at 2017_06_29;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Ubiquiti Networks UniFi Cloud Key Firm v0.6.1 Host Remote Command Execution attempt"; flow:to_server,established; content:"GET"; nocase; http_method; urilen:7; content:"/status"; http_uri; fast_pattern; content:"Host|3a|"; nocase; http_header; content:"|3b|"; http_header; within:50; distance:0; pcre:"/^Host\x3a[^\n]{0,50}?\x3b/Hmi"; metadata: former_category EXPLOIT; reference:url,cxsecurity.com/issue/WLB-2017080038; classtype:web-application-attack; sid:2024548; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_08_14, performance_impact Moderate, updated_at 2017_08_14;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (ProcessBuilder)"; flow:to_server,established; content:"java.lang.ProcessBuilder"; nocase; http_client_body; fast_pattern; content:"<command"; nocase; distance:0; http_client_body; pcre:"/<command[\s>]/si"; metadata: former_category EXPLOIT; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024663; rev:2; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Perimeter, signature_severity Critical, created_at 2017_09_06, performance_impact Low, updated_at 2017_09_06;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (Runtime.Exec)"; flow:to_server,established; content:"java.lang.Runtime"; nocase; http_client_body; fast_pattern; content:".exec"; distance:0; http_client_body; content:"<command"; nocase; distance:0; http_client_body; pcre:"/<command[\s>]/si"; metadata: former_category EXPLOIT; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024664; rev:2; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Perimeter, signature_severity Critical, created_at 2017_09_06, performance_impact Low, updated_at 2017_09_06;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 1"; flow:to_server,established; content:"POST"; http_method; content:"eXNvc2VyaWFsL"; http_client_body; metadata: former_category EXPLOIT; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024668; rev:1; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Datacenter, signature_severity Critical, created_at 2017_09_07, updated_at 2017_09_07;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 2"; flow:to_server,established; content:"POST"; http_method; content:"lzb3NlcmlhbC"; http_client_body; metadata: former_category EXPLOIT; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024669; rev:1; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Datacenter, signature_severity Critical, created_at 2017_09_07, updated_at 2017_09_07;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 3"; flow:to_server,established; content:"POST"; http_method; content:"5c29zZXJpYWwv"; http_client_body; metadata: former_category EXPLOIT; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024670; rev:1; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Datacenter, signature_severity Critical, created_at 2017_09_07, updated_at 2017_09_07;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Apache Struts 2 REST Plugin (B64) 4"; flow:to_server,established; content:"POST"; http_method; content:"|79 76 36 36 76|"; http_client_body; content:"/struts2-rest-showcase/orders/3"; http_uri; metadata: former_category EXPLOIT; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024671; rev:1; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Datacenter, signature_severity Critical, created_at 2017_09_07, updated_at 2017_09_07;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Apache Struts 2 REST Plugin (B64) 5"; flow:to_server,established; content:"POST"; http_method; content:"|72 2b 75 72|"; http_client_body; content:"/struts2-rest-showcase/orders/3"; http_uri; metadata: former_category EXPLOIT; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024672; rev:1; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Datacenter, signature_severity Critical, created_at 2017_09_07, updated_at 2017_09_07;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Apache Struts 2 REST Plugin (B64) 6"; flow:to_server,established; content:"POST"; http_method; content:"|4b 2f 72 71 2b|"; http_client_body; content:"/struts2-rest-showcase/orders/3"; http_uri; metadata: former_category EXPLOIT; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024673; rev:1; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Datacenter, signature_severity Critical, created_at 2017_09_07, updated_at 2017_09_07;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Apache Struts 2 REST Plugin (Runtime.Exec)"; flow:to_server,established; content:"POST"; http_method; content:"java.lang.Runtime"; nocase; http_client_body; fast_pattern; content:"/struts2-rest-showcase/orders/3"; http_uri; metadata: former_category EXPLOIT; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024674; rev:1; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Datacenter, signature_severity Critical, created_at 2017_09_07, updated_at 2017_09_07;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Apache Struts 2 REST Plugin (ProcessBuilder)"; flow:to_server,established; content:"POST"; http_method; content:"java.lang.ProcessBuilder"; nocase; http_client_body; fast_pattern; content:"/struts2-rest-showcase/orders/3"; http_uri; metadata: former_category EXPLOIT; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024675; rev:1; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Datacenter, signature_severity Critical, created_at 2017_09_07, updated_at 2017_09_07;)

#alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT [PTsecurity] DoublePulsar Backdoor installation communication"; flow: to_server, established; content:"|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; byte_test:2,!=,0x0000,52,relative,little; pcre: "/^.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/R"; metadata: former_category EXPLOIT; reference:url,github.com/ptresearch/AttackDetection; classtype:attempted-admin; sid:2024766; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Server, deployment Internet, signature_severity Major, created_at 2017_09_25, performance_impact Low, updated_at 2017_09_28;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Likely Struts S2-053-CVE-2017-12611 Exploit Attempt M1"; flow:established,to_server; content:"="; http_uri; content:"%"; http_uri; distance:0; content:"{"; http_uri; distance:0; content:"ProcessBuilder"; http_uri; nocase; distance:0; fast_pattern; content:"java"; nocase; http_uri; content:"lang"; http_uri; nocase; pcre:"/=\s*\x25\s*\{\s*.+?\bProcessBuilder\b/Ui"; metadata: former_category EXPLOIT; classtype:attempted-admin; sid:2024814; rev:1; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2017_10_06, updated_at 2017_10_06;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Likely Struts S2-053-CVE-2017-12611 Exploit Attempt M2"; flow:established,to_server; content:"="; http_uri; content:"%"; http_uri; distance:0; content:"{"; http_uri; distance:0; content:"getRunTime"; http_uri; nocase; distance:0; fast_pattern; content:"exec"; nocase; http_uri; pcre:"/=\s*\x25\s*\{\s*(?=.+?\bgetRunTime\b).+?\bexec\b/Ui"; metadata: former_category EXPLOIT; classtype:attempted-admin; sid:2024815; rev:1; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2017_10_06, updated_at 2017_10_06;)

alert tcp any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2017-12629 RCE Exploit Attempt (HTTP POST)"; flow:to_server,established; content:"POST"; depth:4; content:"newcollection/config"; distance:0; content:"Content-Type|3a 20|application/json"; distance:0; content:"|0d 0a 0d 0a|"; distance:0; content:"|22|add-listener|22|"; content:"|22|event|22||3a||22|postCommit|22|"; content:"|22|class|22|"; content:"RunExecutableListener|22||2c|"; fast_pattern; content:"|22|exe|22|"; content:"|22|dir|22|"; content:"|22|args|22|"; metadata: former_category EXPLOIT; reference:url,www.exploit-db.com/exploits/43009/; classtype:web-application-attack; sid:2024884; rev:1; metadata:affected_product Apache_Solr, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2017_10_20, updated_at 2017_10_20;)

alert tcp any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2017-12629 XXE Exploit Attempt (URI)"; flow:to_server,established; content:"GET"; depth:3; content:"?q=|7b 21|xmlparser"; distance:0; content:"|21|DOCTYPE"; nocase; distance:0; fast_pattern; pcre:"/^(?:(?!\x0d\x0a).)+\x22(?:https?|file):\x2f\x2f/R"; flowbits:set,ET.CVE-2017-12629; metadata: former_category EXPLOIT; reference:url,www.exploit-db.com/exploits/43009/; classtype:web-application-attack; sid:2024885; rev:1; metadata:affected_product Apache_Solr, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2017_10_20, updated_at 2017_10_20;)

alert tcp any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2017-12629 RCE Exploit Attempt (HTTP GET 1)"; flow:to_server,established; content:"GET "; depth:4; content:"?q="; distance:0; content:"%22add-listener%22|3a|"; distance:0; content:"%22event%22|3a|%22postCommit%22"; distance:0; content:"%22class%22"; distance:0; content:"RunExecutableListener%22|2c|%22exe"; distance:0; fast_pattern; content:"|0d 0a 0d 0a|"; distance:0; flowbits:isset,ET.CVE-2017-12629; metadata: former_category EXPLOIT; reference:url,www.exploit-db.com/exploits/43009/; classtype:web-application-attack; sid:2024886; rev:2; metadata:affected_product Apache_Solr, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2017_10_20, updated_at 2017_10_20;)

alert tcp any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2017-12629 RCE Exploit Attempt (HTTP GET 2)"; flow:to_server,established; content:"GET "; depth:4; content:"?q="; distance:0; content:"update?"; distance:0; content:"|0d 0a 0d 0a|"; distance:0; content:"stream.body="; content:"|0d 0a 0d 0a|"; distance:0; content:"commit="; content:"|0d 0a 0d 0a|"; distance:0; content:"overwrite="; content:"|0d 0a 0d 0a|"; distance:0; flowbits:isset,ET.CVE-2017-12629; metadata: former_category EXPLOIT; reference:url,www.exploit-db.com/exploits/43009/; classtype:web-application-attack; sid:2024887; rev:1; metadata:affected_product Apache_Solr, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2017_10_20, updated_at 2017_10_20;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT D-Link 850L Password Extract Attempt"; flow:to_server,established; urilen:11; content:"POST"; http_method; content:"/hedwig.cgi"; http_uri; fast_pattern; content:"DEVICE.ACCOUNT"; http_client_body; metadata: former_category EXPLOIT; reference:url,blogs.securiteam.com/index.php/archives/3364; classtype:attempted-recon; sid:2024913; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2017_10_25, updated_at 2017_10_25;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Netgear ReadyNAS Surveillance Unauthenticated Remote Command Execution"; flow:to_server,established; content:"/upgrade_handle.php?cmd=writeuploaddir&uploaddir=|25|27"; depth:52; http_uri; metadata: former_category EXPLOIT; reference:url,blogs.securiteam.com/index.php/archives/3409; classtype:attempted-recon; sid:2024914; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_10_25, updated_at 2017_10_25;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Possible Vacron NVR Remote Command Execution"; flow:to_server,established; content:"/board.cgi?cmd="; depth:15; http_uri; metadata: former_category EXPLOIT; reference:url,blogs.securiteam.com/index.php/archives/3445; classtype:attempted-recon; sid:2024915; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_10_25, updated_at 2017_10_25;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Netgear DGN Remote Command Execution"; flow:to_server,established; content:"/setup.cgi?next_file="; nocase; http_uri; content:"&todo=syscmd&cmd="; nocase; distance:0; http_uri; content:"currentsetting.htm"; nocase; fast_pattern; http_uri; metadata: former_category EXPLOIT; reference:url,seclists.org/bugtraq/2013/Jun/8; classtype:attempted-recon; sid:2024916; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_10_25, updated_at 2017_10_25;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT AVTECH Unauthenticated Command Injection in DVR Devices"; flow:to_server,established; content:"/Search.cgi?action=cgi_query"; nocase; fast_pattern; http_uri; content:"&username="; nocase; distance:0; http_uri; content:"&password="; nocase; distance:0; http_uri; metadata: former_category EXPLOIT; reference:url,github.com/Trietptm-on-Security/AVTECH; classtype:attempted-recon; sid:2024917; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_10_25, updated_at 2017_10_25;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT AVTECH Authenticated Command Injection in CloudSetup.cgi"; flow:to_server,established; content:"/cgi-bin/supervisor/CloudSetup.cgi?exefile="; nocase; depth:43; fast_pattern; http_uri; metadata: former_category EXPLOIT; reference:url,github.com/Trietptm-on-Security/AVTECH; classtype:attempted-recon; sid:2024918; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_10_25, updated_at 2017_10_25;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT AVTECH Authenticated Command Injection in adcommand.cgi"; urilen:33; flow:to_server,established; content:"POST"; http_method; content:"/cgi-bin/supervisor/adcommand.cgi"; nocase; fast_pattern; http_uri; content:"DoShellCmd"; nocase; http_client_body; metadata: former_category EXPLOIT; reference:url,github.com/Trietptm-on-Security/AVTECH; classtype:attempted-recon; sid:2024919; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_10_25, updated_at 2017_10_25;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT AVTECH Authenticated Command Injection in PwdGrp.cgi"; flow:to_server,established; content:"/cgi-bin/supervisor/PwdGrp.cgi?action="; nocase; depth:38; fast_pattern; http_uri; metadata: former_category EXPLOIT; reference:url,github.com/Trietptm-on-Security/AVTECH; classtype:attempted-recon; sid:2024920; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_10_25, updated_at 2017_10_25;)

alert tcp any any -> $HTTP_SERVERS 7001 (msg:"ET EXPLOIT Possible Oracle Identity Manager Attempt to Logon with default account"; flow:to_server,established; content:"=OIMINTERNAL"; fast_pattern:only; metadata: former_category EXPLOIT; reference:cve,CVE-2017-10151; reference:url,oracle.com/technetwork/security-advisory/alert-cve-2017-10151-4016513.html; classtype:attempted-admin; sid:2024941; rev:1; metadata:affected_product Oracle_Identity_Manager, attack_target Web_Server, deployment Datacenter, signature_severity Critical, created_at 2017_11_01, performance_impact Low, updated_at 2017_11_01;)

alert tcp any any -> $HOME_NET [23,2323] (msg:"ET EXPLOIT Actiontec C1000A backdoor account M2"; flow:established,to_server; content:"CenturyL1nk"; fast_pattern:only; metadata: former_category EXPLOIT; classtype:attempted-admin; sid:2024980; rev:3; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Critical, created_at 2017_11_13, malware_family Mirai, performance_impact Low, updated_at 2017_11_29;)

alert tcp any any -> $SMTP_SERVERS [25,587] (msg:"ET EXPLOIT Exim4 UAF Attempt (BDAT with non-printable chars)"; flow:established,to_server; content:"BDAT"; depth:5; pcre:"/^\s*\d*[^\x20-\x7e\r\n\t]/R"; metadata: former_category EXPLOIT; reference:url,lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html; classtype:attempted-admin; sid:2025063; rev:3; metadata:attack_target SMTP_Server, deployment Internal, deployment Datacenter, signature_severity Major, created_at 2017_11_27, performance_impact Moderate, updated_at 2017_11_28;)

alert tcp any any -> $HOME_NET [23,2323] (msg:"ET EXPLOIT Actiontec C1000A backdoor account M1"; flow:established,to_server; content:"QwestM0dem"; fast_pattern:only; metadata: former_category EXPLOIT; metadata: former_category EXPLOIT; classtype:attempted-admin; sid:2025080; rev:3; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_11_28, malware_family Mirai, performance_impact Low, updated_at 2017_11_29;)

alert tcp any any -> $HOME_NET 52869 (msg:"ET EXPLOIT Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361"; flow:established,to_server; content:"POST /picdesc.xml"; content:"SOAPAction|3a 20|urn|3a|schemas-upnp-org|3a|service|3a|WANIPConnection|3a|"; distance:0; metadata: former_category EXPLOIT; reference:url,blog.netlab.360.com/warning-satori-a-new-mirai-variant-is-spreading-in-worm-style-on-port-37215-and-52869-en/; reference:cve,CVE-2014-8361; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/realtek_miniigd_upnp_exec_noauth.rb; reference:url,www.exploit-db.com/exploits/37169/; classtype:attempted-user; sid:2025132; rev:3; metadata:attack_target IoT, created_at 2017_12_05, updated_at 2017_12_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible MeltDown PoC Download In Progress"; flow:established,from_server; flowbits:isset,ET.http.binary; file_data; content:"|57 53 41 50 41 51|"; content:"|0F AE F0|"; distance:50; within:53; content:"|0F AE|"; distance:15; within:12; pcre:"/^[\x30-\x3f\x7D]/Rs"; content:"|0F AE F0 0F 31|"; distance:45; within:25; content:"|0F AE F0 0F 31|"; distance:17; within:12; metadata: former_category EXPLOIT; reference:cve,2017-5754; classtype:attempted-admin; sid:2025195; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_10, malware_family MeltDown_Exploit, performance_impact Low, updated_at 2018_02_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Spectre PoC Download In Progress"; flow:established,from_server; flowbits:isset,ET.http.binary; file_data; content:"|E7 03 00 00|"; content:"|48 0F AE|"; distance:17; within:9; pcre:"/^[\x30-\x3f\x7D]/Rs"; content:"|48 0F AE 3D|"; distance:41; within:10; content:"|48 98|"; distance:64; within:22; content:"|0F 01 F9|"; distance:50; within:9; content:"|0F 01 F9|"; distance:30; within:9; metadata: former_category EXPLOIT; reference:cve,2017-5753; reference:cve,2017-5715; classtype:attempted-admin; sid:2025196; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_10, malware_family Spectre_Exploit, performance_impact Low, updated_at 2018_02_02;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Generic ADSL Router DNS Change Request"; flow:to_server,established; content:"dnsPrimary="; http_uri; fast_pattern:only; content:"dnsSecondary="; http_uri; content:"Enable_DNSFollowing=1"; http_uri; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025222; rev:2; metadata:affected_product D_Link_DSL_2640R, attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2018_01_19, performance_impact Low, updated_at 2018_01_19;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Possible Belkin N600DB Wireless Router Request Forgery Attempt"; flow:to_server,established; content:"/proxy.cgi?chk&url="; http_uri; fast_pattern:only; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025223; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2018_01_19, performance_impact Low, updated_at 2018_01_19;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT MikroTik RouterOS Chimay Red Remote Code Execution Probe"; flow:to_server,established; content:"POST"; http_method; urilen:8; content:"/jsproxy"; http_uri; fast_pattern; content:"Content-Length|3a 20|"; http_header; depth:16; metadata: former_category EXPLOIT; reference:url,www.exploit-db.com/exploits/44284/; reference:url,www.exploit-db.com/exploits/44283/; classtype:attempted-admin; sid:2025426; rev:1; metadata:attack_target Networking_Equipment, deployment Perimeter, signature_severity Minor, created_at 2018_03_13, performance_impact Moderate, updated_at 2018_03_13;)

alert tcp any any -> $HOME_NET 25 (msg:"ET EXPLOIT [PT Security] Exim <4.90.1 Base64 Overflow RCE (CVE-2018-6789)"; flow: established,to_server,only_stream; content:"|0D 0A|AUTH"; pcre:"/AUTH\s+\S+\s+(?:[a-zA-Z0-9\+\/=]{4})*+[a-zA-Z0-9\+\/=]{3}\s/"; metadata: former_category EXPLOIT; reference:cve,2018-6789; reference:url,devco.re/blog/2018/03/06/exim-off-by-one-RCE-exploiting-CVE-2018-6789-en/; reference:url,github.com/ptresearch/AttackDetection/blob/master/CVE-2018-6789/cve-2018-6789.rules; classtype:attempted-admin; sid:2025427; rev:1; metadata:attack_target SMTP_Server, deployment Perimeter, signature_severity Minor, created_at 2018_03_13, performance_impact Moderate, updated_at 2018_03_13;)

alert tcp any any -> $HOME_NET 5984 (msg:"ET EXPLOIT Apache CouchDB JSON Remote Privesc Attempt (CVE-2017-12636)"; flow: established,to_server,only_stream; content:"PUT /_config/query_servers/cmd HTTP"; depth:35; content:"Authorization|3a 20|Basic"; distance:0; pcre:"/\x0d\x0a\x0d\x0a\s*[\x22\x27]/"; metadata: former_category EXPLOIT; reference:cve,2017-12636; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apache-couchdb-open-door-monero-miners/; classtype:attempted-admin; sid:2025432; rev:1; metadata:deployment Datacenter, signature_severity Major, created_at 2018_03_13, performance_impact Moderate, updated_at 2018_03_13;)

alert tcp any any -> $HOME_NET 5984 (msg:"ET EXPLOIT Apache CouchDB JSON Remote Privesc Attempt (CVE-2017-12635)"; flow: established,to_server,only_stream; content:"PUT /_users/"; depth:12; fast_pattern; content:"|0d 0a 0d 0a|"; distance:0; content:"_admin"; distance:0; metadata: former_category EXPLOIT; reference:cve,2017-12635; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apache-couchdb-open-door-monero-miners/; classtype:attempted-admin; sid:2025435; rev:1; metadata:attack_target Server, deployment Datacenter, signature_severity Major, created_at 2018_03_19, malware_family CoinMiner, updated_at 2018_03_19;)

alert tcp any any -> $HOME_NET 4786 (msg:"ET EXPLOIT Possible CVE-2018-0171 Exploit (PoC based)"; flow:established,to_server; content:"|00 00 00 01 00 00 00 01 00 00 00 07|"; depth:12; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; distance:12; within:36; content:"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"; distance:4; within:44; metadata: former_category EXPLOIT; reference:cve,2018-0171; reference:url,embedi.com/blog/cisco-smart-install-remote-code-execution/; classtype:attempted-admin; sid:2025472; rev:1; metadata:affected_product Cisco_ASA, attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2018_04_06, updated_at 2018_04_06;)

alert tcp any any -> any 4786 (msg:"ET EXPLOIT Cisco Smart Install Exploitation Tool - Update Ios and Execute"; flow:established,to_server; content:"|00 00 00 01 00 00 00 01 00 00 00 02 00 00 01 c4|"; depth:16; content:"://"; distance:0; metadata: former_category EXPLOIT; reference:url,www.us-cert.gov/ncas/alerts/TA18-106A; reference:url,github.com/Sab0tag3d/SIET; classtype:bad-unknown; sid:2025520; rev:1; metadata:attack_target Networking_Equipment, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2018_04_20, updated_at 2018_04_20;)

alert tcp any any -> any 4786 (msg:"ET EXPLOIT Cisco Smart Install Exploitation Tool - ChangeConfig"; flow:established,to_server; content:"|00 00 00 01 00 00 00 01 00 00 00 03 00 00 01 28|"; depth:16; content:"://"; distance:0; metadata: former_category EXPLOIT; reference:url,www.us-cert.gov/ncas/alerts/TA18-106A; reference:url,github.com/Sab0tag3d/SIET; classtype:bad-unknown; sid:2025521; rev:1; metadata:attack_target Networking_Equipment, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2018_04_20, updated_at 2018_04_20;)

alert tcp any any -> any 4786 (msg:"ET EXPLOIT Cisco Smart Install Exploitation Tool - GetConfig"; flow:established,to_server; content:"|00 00 00 01 00 00 00 01 00 00 00 08 00 00 04 08|"; depth:16; content:"copy|20|"; distance:0; metadata: former_category EXPLOIT; reference:url,www.us-cert.gov/ncas/alerts/TA18-106A; reference:url,github.com/Sab0tag3d/SIET; classtype:bad-unknown; sid:2025522; rev:1; metadata:attack_target Networking_Equipment, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2018_04_20, updated_at 2018_04_20;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT HackingTrio UA (Hello, World)"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a 20|Hello, World|0d 0a|"; http_header; fast_pattern:6,20; metadata: former_category EXPLOIT; reference:cve,2018-10561; reference:cve,2018-10562; reference:url,github.com/f3d0x0/GPON; classtype:attempted-admin; sid:2025576; rev:3; metadata:attack_target IoT, deployment Perimeter, tag GPON, signature_severity Major, created_at 2018_05_11, performance_impact Low, updated_at 2018_05_15;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT phpLDAPadmin LDAP Injection"; flow:to_server,established; content:"!(()&&!|7c|*|7c|*|7c|"; nocase; http_uri; metadata: former_category EXPLOIT; classtype:web-application-attack; sid:2025733; rev:2; metadata:affected_product PHP, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_06_22, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT phpMyAdmin 4.8.1 - Local File Inclusion"; flow:to_server,established; content:"db_sql.php"; http_uri; nocase; content:"|2e 2e 2f|"; http_raw_uri; metadata: former_category EXPLOIT; classtype:web-application-attack; sid:2025734; rev:2; metadata:affected_product PHP, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_06_22, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT TP-Link Technologies TL-WA850RE Wi-Fi Range Extender - Command Execution"; flow:to_server,established; content:"/wps.setup.json"; fast_pattern; nocase; http_uri; content:"operation=write"; http_client_body; content:"option=connect"; http_client_body; content:"wps_setup_pin="; http_client_body; content:"%2Fbin%2Fsh"; http_client_body; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44912/; classtype:web-application-attack; sid:2025735; rev:2; metadata:affected_product TPLINK, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2018_06_22, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Ecessa WANWorx WVR-30 Cross-Site Request Forgery"; flow:from_server,established; file_data; content:"method"; nocase; content:"POST"; content:"user_username"; content:"user_passwd"; content:"checked"; content:"savecrtcfg"; fast_pattern; metadata: former_category EXPLOIT; classtype:web-application-attack; sid:2025737; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_06_25, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Intex Router N-150 Cross-Site Request Forgery"; flow:from_server,established; file_data; content:"method"; nocase; content:"POST"; content:"PPW"; content:"submit"; content:"SSID"; content:"isp"; content:"WAN"; content:"wirelesspassword"; fast_pattern; content:"name"; content:"value"; metadata: former_category EXPLOIT; classtype:web-application-attack; sid:2025739; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_06_25, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT AsusWRT RT-AC750GF Cross-Site Request Forgery"; flow:from_server,established; file_data; content:"<form action=|22|http://router.asus.com/findasus.cgi|22 20|method=|22|POST|22|>"; nocase; content:"name=|22|action_mode|22 20|value=|22|refresh_networkmap|22|"; nocase; distance:0; content:"start_apply.htm?productid="; nocase; distance:0; content:"&current_page=Advanced_System_Content.asp";  nocase; distance:0; content:"&next_page=Advanced_System_Content.asp"; nocase; distance:0; fast_pattern:18,20; content:"&action_mode=apply"; nocase; distance:0; content:"&http_username="; nocase; distance:0; content:"&http_passwd="; nocase; distance:0; content:"&sshd_enable="; nocase; distance:0; metadata: former_category EXPLOIT; reference:url,www.exploit-db.com/exploits/44937/; classtype:web-application-attack; sid:2025736; rev:2; metadata:attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2018_06_25, updated_at 2018_07_18;)

alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (GET conf.bin)"; flow:established,to_server; content:"/cgi/conf.bin"; http_uri; content:"/mainFrame.htm"; http_header; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44781/; classtype:attempted-user; sid:2025753; rev:2; metadata:affected_product TPLINK, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2018_06_26, updated_at 2018_07_18;)

alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (Add Port Forwarding)"; flow:established,to_server; content:"/cgi?3"; http_uri; isdataat:!1,relative; content:"/mainFrame.htm"; http_header; content:"IP_CONN_PORTTRIGGERING"; http_client_body; content:"openProtocol"; http_client_body; content:"openPort="; http_client_body; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44781/; classtype:attempted-user; sid:2025750; rev:2; metadata:affected_product TPLINK, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2018_06_26, updated_at 2018_07_18;)

alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (Reboot Router)"; flow:established,to_server; content:"/cgi?7"; http_uri; content:"mainFrame.htm"; http_header; content:"ACT_REBOOT"; http_client_body; fast_pattern; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44781/; classtype:attempted-user; sid:2025754; rev:2; metadata:affected_product TPLINK, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2018_06_26, updated_at 2018_07_18;)

alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (Enable Guest Network)"; flow:established,to_server; content:"/cgi?2&2&2&2&2"; http_uri; content:"/mainFrame.htm"; http_header; content:"LAN_WLAN_MULTISSID"; fast_pattern; http_client_body; content:"multiSSIDEnable"; http_client_body; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44781/; classtype:attempted-user; sid:2025752; rev:2; metadata:affected_product TPLINK, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2018_06_26, updated_at 2018_07_18;)

alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (DMZ enable and Disable)"; flow:established,to_server; content:"/cgi?2"; http_uri; isdataat:!1,relative; content:"/mainFrame.htm"; http_header; content:"DMZ_HOST_CFG"; fast_pattern; http_client_body; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44781/; classtype:attempted-user; sid:2025751; rev:2; metadata:affected_product TPLINK, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2018_06_26, updated_at 2018_07_18;)

alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (WiFi Password Change)"; flow:established,to_server; content:"/cgi?2"; http_uri; isdataat:!1,relative; content:"/mainFrame.htm"; http_header; content:"LAN_WLAN"; fast_pattern; http_client_body; content:"IEEE11iAuthenticationMode"; http_client_body; content:"IEEE11iEncryptionModes"; http_client_body; content:"X_TP_PreSharedKey="; http_client_body; content:"X_TP_GroupKeyUpdateInterval"; http_client_body; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44781/; classtype:web-application-attack; sid:2025755; rev:2; metadata:affected_product TPLINK, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2018_06_26, updated_at 2018_07_18;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT D-Link DSL-2750B - OS Command Injection"; flow:established,to_server; content:"/login.cgi?cli="; http_uri; pcre:"/\/login\.cgi\?cli=[ a-zA-Z0-9+_]*[\x27\x3b]/Ui"; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44760/; classtype:attempted-user; sid:2025756; rev:2; metadata:attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2018_06_27, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT HP Enterprise VAN SDN Controller Exec Backdoor"; flow:established,to_server; content:"X-Auth-Token|3a| AuroraSdnToken"; http_header; content:"|7b 22|action|22 3a 20 22|exec|22 2c 20 22|name|22 3a 20 22|"; fast_pattern; http_client_body; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44951/; classtype:attempted-user; sid:2025761; rev:2; metadata:attack_target Networking_Equipment, deployment Datacenter, signature_severity Major, created_at 2018_06_28, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT HP Enterprise VAN SDN Controller Install Backdoor"; flow:established,to_server; content:"X-Auth-Token|3a| AuroraSdnToken"; http_header; content:"|7b 22|action|22 3a 20 22|install|22 2c 20 22|name|22 3a 20 22|"; fast_pattern; http_client_body; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44951/; classtype:attempted-user; sid:2025762; rev:3; metadata:attack_target Networking_Equipment, deployment Datacenter, signature_severity Major, created_at 2018_06_28, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT HP Enterprise VAN SDN Controller Upload Backdoor"; flow:established,to_server; content:"/upload"; http_uri; isdataat:!1,relative; content:"X-Auth-Token|3a| AuroraSdnToken"; http_header; content:"!<arch>|0a|debian-binary"; http_client_body; fast_pattern; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44951/; classtype:attempted-user; sid:2025763; rev:2; metadata:attack_target Networking_Equipment, deployment Datacenter, signature_severity Major, created_at 2018_06_28, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Cisco Adaptive Security Appliance - Path Traversal"; flow:established,to_server; content:"../"; http_raw_uri; content:"+CSCOE+/files/file_list.json?path=+CSCOE+"; fast_pattern; http_uri; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44956/; reference:cve,2018-0296; classtype:attempted-user; sid:2025764; rev:2; metadata:affected_product Cisco_ASA, attack_target Networking_Equipment, deployment Datacenter, signature_severity Major, created_at 2018_06_29, performance_impact Low, updated_at 2018_07_18;)

alert udp any 67 -> any 68 (msg:"ET EXPLOIT DynoRoot DHCP - Client Command Injection"; content:"|02|"; depth:1; content:"|35 01 05 fc|"; distance:0; content:"|2f|bin|2f|sh"; fast_pattern; distance:0; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44652/; reference:cve,2018-1111; classtype:attempted-admin; sid:2025765; rev:2; metadata:attack_target Networking_Equipment, deployment Datacenter, signature_severity Critical, created_at 2018_06_29, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"ET EXPLOIT CloudMe Sync Buffer Overflow"; flow:established,to_server; content:"|fe e7 d1 61 a8 98 03 69 10 06 e7 6f 6f 0a c4 61 5a ea c8 68 e1 52 d6 68 a2 7c fa 68 ff fd ff ff|"; fast_pattern; distance:0; content:"|92 70 b4 6e 47 27 d5 68 ff ff ff ff bc 48 f9 68|"; distance:0; content:"|3c 06 f8 68 72 a4 f9 68 c0 ff ff ff 92 70 b4 6e|"; distance:0; content:"|ab 57 f0 61 a3 ef b5 6e  d1 14 dc 61 0c ed b4 64 45 62 ba 61|"; distance:0; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; distance:0; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44784/; reference:cve,2018-6892; classtype:attempted-admin; sid:2025766; rev:2; metadata:attack_target Server, deployment Perimeter, signature_severity Major, created_at 2018_06_29, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT VMware NSX SD-WAN Command Injection"; flow:established,to_server; content:"/scripts/ajaxPortal.lua"; http_uri; fast_pattern; content:"destination="; http_client_body; content:"source="; http_client_body; content:"test="; http_client_body; content:"&requestTimeout="; http_client_body; content:"auth_token="; http_client_body; content:"cmd=run_diagnostic"; http_client_body; pcre:"/destination=[^&]*\x24\x28/Pi"; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44959/; reference:cve,2018-6961; classtype:attempted-user; sid:2025767; rev:2; metadata:attack_target Server, deployment Datacenter, signature_severity Critical, created_at 2018_07_02, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VMware NSX SD-WAN Command Injection 2"; flow:established,to_server; content:"/scripts/ajaxPortal.lua"; http_uri; fast_pattern; content:"name="; http_client_body; content:"source="; http_client_body; content:"test="; http_client_body; content:"&requestTimeout="; http_client_body; content:"auth_token="; http_client_body; content:"cmd=run_diagnostic"; http_client_body; pcre:"/name=[^&]*\x24\x28/Pi"; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44959/; reference:cve,2018-6961; classtype:attempted-user; sid:2025768; rev:2; metadata:attack_target Server, deployment Datacenter, signature_severity Critical, created_at 2018_07_02, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Geutebruck Remote Command Execution"; flow:established,to_server; content:"/uapi-cgi/viewer/simple_loglistjs.cgi?"; http_uri; fast_pattern; content:"/bin/sh"; http_uri; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44957/; reference:cve,2018-7520; classtype:attempted-user; sid:2025769; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2018_07_02, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Nagios XI SQL Injection"; flow:established,to_server; content:"/nagiosim.php?mode=resolve&host=|27|"; http_uri; metadata: former_category EXPLOIT; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025772; rev:2; metadata:attack_target Server, deployment Datacenter, signature_severity Critical, created_at 2018_07_02, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Nagios XI Remote Code Execution"; flow:established,to_server; content:"/ajaxhelper.php?cmd=getxicoreajax"; http_uri; fast_pattern; content:"&opts=%7b%22func%22%3a%22get_hoststatus_table%22%7d"; http_raw_uri; metadata: former_category EXPLOIT; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025774; rev:2; metadata:attack_target Server, deployment Datacenter, signature_severity Critical, created_at 2018_07_02, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Nagios XI Remote Code Execution 2"; flow:established,to_server; content:"/graphApi.php?host="; fast_pattern; http_uri; content:"%3bsudo%20../profile/getprofile.sh%20%23"; http_raw_uri; metadata: former_category EXPLOIT; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025773; rev:2; metadata:attack_target Server, deployment Datacenter, signature_severity Critical, created_at 2018_07_02, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Nagios XI SQL Injection 2"; flow:established,to_server; content:"/admin/helpedit.php"; http_uri; fast_pattern; content:"selInfoKey1="; http_client_body; pcre:"/^selInfoKey1=[^&]+\x2527(?:UNION|SELECT)/Pi"; metadata: former_category EXPLOIT; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025775; rev:2; metadata:attack_target Server, deployment Datacenter, signature_severity Critical, created_at 2018_07_03, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Nagios XI Remote Code Execution 3"; flow:established,to_server; content:"/index.php?cmd=submitcommand&command="; http_uri; content:"&command_data=$("; http_uri; fast_pattern; metadata: former_category EXPLOIT; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025776; rev:2; metadata:attack_target Server, deployment Datacenter, signature_severity Critical, created_at 2018_07_03, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Nagios XI Set DB User Root"; flow:established,to_server; content:"/admin/settings.php"; http_uri; content:"txtRootPath="; http_client_body; content:"&txtBasePath="; http_client_body; content:"&selProtocol="; http_client_body; content:"&txtTempdir="; http_client_body; content:"&selLanguage="; http_client_body; content:"&txtEncoding="; http_client_body; content:"&txtDBserver="; http_client_body; content:"&txtDBport="; http_client_body; content:"&txtDBname="; http_client_body; content:"&txtDBuser=root"; fast_pattern; http_client_body; content:"&txtDBpass="; http_client_body; metadata: former_category EXPLOIT; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025777; rev:2; metadata:attack_target Server, deployment Datacenter, signature_severity Critical, created_at 2018_07_03, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Nagios XI Adding Administrative User"; flow:established,to_server; content:"/api/v1/system/user"; http_uri; content:"username="; http_client_body; content:"&password="; http_client_body; content:"&name="; http_client_body; content:"&email="; http_client_body; content:"&auth_level=admin&force_pw_change=0"; fast_pattern; http_client_body; metadata: former_category EXPLOIT; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025778; rev:2; metadata:attack_target Server, deployment Datacenter, signature_severity Critical, created_at 2018_07_03, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"ET EXPLOIT FTPShell client Stack Buffer Overflow"; flow:established,from_server; content:"220|20 22|"; isdataat:400,relative; content:!"|00|"; within:400; content:!"|22|"; within:400; content:!"|0b|"; within:400; content:!"|0a|"; within:400; content:!"|0d|"; within:400; content:"|ed 2e 45 22 20|"; fast_pattern; distance:400; metadata: former_category EXPLOIT; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-7573; reference:url,exploit-db.com/exploits/44968/; classtype:attempted-user; sid:2025779; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_03, performance_impact Low, updated_at 2018_07_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible ModSecurity 3.0.0 Cross-Site Scripting"; flow:established,from_server; file_data; content:"onError"; content:"prompt"; fast_pattern; content:"img"; pcre:"/^\s*((?!>).)+?\s*src\s*=\s*[\x22\x27]\s*[^\x27\x28]+?[\x22\x27]\s*onError\s*=\s*prompt\s*\x28\s*[^)]*?(?:document|s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Rsi"; metadata: former_category EXPLOIT; reference:cve,2018-13065; reference:url,exploit-db.com/exploits/44970/; classtype:attempted-user; sid:2025781; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Critical, created_at 2018_07_03, performance_impact Moderate, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT ADB Broadband Authorization Bypass"; flow:established,to_server; content:"/ui/dboard/settings/management/"; http_uri; fast_pattern; content:"/management//"; http_raw_uri; metadata: former_category EXPLOIT; reference:cve,2018-13109; reference:url,exploit-db.com/exploits/44982/; classtype:web-application-attack; sid:2025785; rev:2; metadata:attack_target IoT, deployment Datacenter, signature_severity Critical, created_at 2018_07_05, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET EXPLOIT Oracle Weblogic Server Deserialization Remote Command Execution"; flow:established,to_server; content:"java.rmi.registry.Registry"; fast_pattern; content:"java.lang.reflect.Proxy"; content:"java.rmi.server.RemoteObjectInvocationHandler"; content:"UnicastRef"; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44553/; reference:cve,2018-2628; classtype:attempted-user; sid:2025788; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_05, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Exim Internet Mailer Remote Code Execution"; flow:established,to_server; content:"JHtydW57L2Jpbi9iYXNoIC1jICIvYmluL2Jhc2ggLWkgPiYgL2Rldi90Y3Av"; metadata: former_category EXPLOIT; reference:cve,2018-6789; reference:url,exploit-db.com/exploits/44571/; classtype:attempted-user; sid:2025793; rev:2; metadata:attack_target SMTP_Server, deployment Datacenter, signature_severity Major, created_at 2018_07_09, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 9000 (msg:"ET EXPLOIT xdebug OS Command Execution "; flow:established,to_server; content:"eval -i 1 --|0d 0a|ZmlsZV9wdXRfY29udGVudH"; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44568/; classtype:attempted-user; sid:2025794; rev:2; metadata:attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2018_07_09, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"c3lzdGVtKCIgcGhw"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025795; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"N5c3RlbSgiIHBoc"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025796; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"zeXN0ZW0oIiBwaH"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025797; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 4"; flow:established,to_server; content:"c3lzdGVtKCJwaH"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025798; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 5"; flow:established,to_server; content:"N5c3RlbSgicGhw"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025799; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 6"; flow:established,to_server; content:"zeXN0ZW0oInBoc"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025800; rev:2; metadata:created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT file_put_contents php base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"ZmlsZV9wdXRfY29udGVudH"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025801; rev:2; metadata:affected_product Web_Server_Applications, affected_product PHP, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT file_put_contents php base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"ZpbGVfcHV0X2NvbnRlbnRz"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025802; rev:2; metadata:affected_product Web_Server_Applications, affected_product PHP, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT file_put_contents php base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"maWxlX3B1dF9jb250ZW50c"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025803; rev:2; metadata:affected_product Web_Server_Applications, affected_product PHP, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT bin bash base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"L2Jpbi9iYXNo"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025804; rev:2; metadata:attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT bin bash base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"9iaW4vYmFza"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025805; rev:2; metadata:attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT bin bash base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"vYmluL2Jhc2"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025806; rev:2; metadata:attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"Lyo8P3BocC"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025807; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"8qPD9waHAg"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025808; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"vKjw/cGhwI"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025809; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"THlvOFAzQm9jQ"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025810; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"x5bzhQM0JvY0"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025811; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"MeW84UDNCb2ND"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025812; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 4"; flow:established,to_server; content:"OHFQRDl3YUhBZ"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025813; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 5"; flow:established,to_server; content:"hxUEQ5d2FIQW"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025814; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 6"; flow:established,to_server; content:"4cVBEOXdhSEFn"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025815; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 7"; flow:established,to_server; content:"dktqdy9jR2h3S"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025816; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 8"; flow:established,to_server; content:"ZLancvY0dod0"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025817; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 9"; flow:established,to_server; content:"2S2p3L2NHaHdJ"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025818; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT D-Link DIR601 2.02 Credential Disclosure"; flow:established,to_server; content:"/my_cgi.cgi"; http_uri; content:"request=no_auth"; http_client_body; content:"request=load_settings"; http_client_body; content:"table_name=admin_user"; fast_pattern; http_client_body; content:"table_name=user_user"; http_client_body; content:"table_name=wireless_settings"; http_client_body; content:"table_name=wireless_security"; http_client_body; content:"table_name=wireless_wpa_settings"; http_client_body; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/45002/; classtype:attempted-recon; sid:2025823; rev:2; metadata:attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2018_07_10, performance_impact Low, updated_at 2018_07_18;)

alert udp any any -> $HOME_NET 4070 (msg:"ET EXPLOIT HID VertX and Edge door controllers command_blink_on Remote Command Execution"; content:"command_blink_on|3b|"; fast_pattern; content:"|60|"; within:44; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44992/; classtype:attempted-user; sid:2025821; rev:2; metadata:attack_target IoT, deployment Datacenter, created_at 2018_07_10, updated_at 2018_07_18;)

alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE MSF Probe MS17-010"; flow:to_server,established; content:"|ff|SMB|25 00 00 00 00 18 01 28|"; offset:4; depth:12; content:"|00 00 00 00 00 00 00 00 00 00|"; distance:2; within:10; content:"|23 00 00 00 07 00 5c 50 49 50 45 5c 00|"; fast_pattern; isdataat:!1,relative; threshold: type limit, track by_src, count 1, seconds 30; metadata: former_category EXPLOIT; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb; classtype:trojan-activity; sid:2025649; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internal, tag Metasploit, tag ETERNALBLUE, signature_severity Major, created_at 2018_07_11, updated_at 2018_07_11;)

alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MSF Probe Vulnerable System Response MS17-010"; flow:from_server,established; content:"|ff|SMB|25 05 02 00 c0 98 01 68|"; offset:4; depth:12; content:"|00 00 00 00 00 00 00 00 00 00|"; distance:2; within:10; content:"|00 00 00|"; distance:8; within:3; isdataat:!1,relative; threshold: type limit, track by_src, count 1, seconds 30; metadata: former_category EXPLOIT; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb; classtype:trojan-activity; sid:2025650; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internal, tag Metasploit, tag ETERNALBLUE, signature_severity Major, created_at 2018_07_11, updated_at 2018_07_11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT IBM QRadar SIEM Unauthenticated Remote Code Execution"; flow:established,to_server; content:"/ForensicsAnalysisServlet/?"; http_uri; fast_pattern; content:"[pcap]=$("; http_uri; content:"/bin/bash"; http_uri; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/45005/; classtype:attempted-user; sid:2025826; rev:2; metadata:attack_target Server, deployment Datacenter, signature_severity Major, created_at 2018_07_11, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT SAP NetWeaver AS JAVA CRM - Log injection Remote Command Execution"; flow:established,to_server; content:"/init.do?"; http_uri; content:"java.util"; http_uri; content:"Runtime.getRuntime().exec"; fast_pattern; http_uri; content:"cmd"; http_uri; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44292/; reference:cve,2018-2380; classtype:attempted-user; sid:2025835; rev:2; metadata:attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_07_12, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Adobe Coldfusion BlazeDS Java Object Deserialization Remote Code Execution"; flow:established,to_server; content:"/amf"; http_uri; content:"sun.rmi.server.UnicastRef"; http_client_body; content:"|f9 6a 76 7b 7c de 68 4f 76 d8 aa 3d 00 00 01 5b b0 4c 1d 81 80 01 00|"; fast_pattern; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/43993/; reference:cve,2017-3066; classtype:attempted-user; sid:2025836; rev:2; metadata:attack_target Server, deployment Datacenter, signature_severity Major, created_at 2018_07_13, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution Unix"; flow:established,to_server; content:"/CoordinatorPortType"; http_uri; content:"<soapenv:"; http_client_body; content:"java.lang.ProcessBuilder"; http_client_body; content:"<string>/bin/sh"; http_client_body; content:"<string>-c</string>"; http_client_body; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/43924/; classtype:attempted-user; sid:2025837; rev:2; metadata:attack_target Server, deployment Datacenter, created_at 2018_07_13, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution Windows"; flow:established,to_server;content:"/CoordinatorPortType"; http_uri; content:"<soapenv:"; http_client_body; content:"java.lang.ProcessBuilder"; http_client_body; content:"<string>cmd</string>"; http_client_body; content:"<string>/c</string>"; http_client_body; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/43924/; classtype:attempted-user; sid:2025838; rev:2; metadata:attack_target Server, deployment Datacenter, created_at 2018_07_13, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Nanopool Claymore Dual Miner Remote Code Execution Linux"; flow:established,to_server; content:"jsonrpc"; content:"method"; content:"miner_file"; content:".bash"; content:"5c5c7837665c5c7834355c5c7834635c5c783436"; fast_pattern; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/45044/; reference:cve,2018-1000049; classtype:attempted-user; sid:2025861; rev:1; metadata:attack_target Server, deployment Datacenter, created_at 2018_07_17, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Nanopool Claymore Dual Miner Remote Code Execution Windows"; flow:established,to_server; content:"jsonrpc"; content:"method"; content:"miner_file"; content:".bat"; content:"706f7765727368656c6c2e657865"; fast_pattern; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/45044/; reference:cve,2018-1000049; classtype:attempted-user; sid:2025862; rev:2; metadata:attack_target Server, deployment Datacenter, created_at 2018_07_17, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT MVPower DVR Shell UCE MSF Check"; flow:to_server,established; content:"/shell?echo+"; http_uri; depth:12; fast_pattern; content:!"Referer"; http_header; metadata: former_category EXPLOIT; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/; classtype:attempted-admin; sid:2025882; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2018_07_23, malware_family Mirai, updated_at 2018_07_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT MVPower DVR Shell UCE"; flow:to_server,established; content:"/shell?"; http_uri; depth:7; fast_pattern; content:!"Referer"; http_header; metadata: former_category EXPLOIT; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/; classtype:attempted-admin; sid:2025883; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2018_07_23, malware_family Mirai, updated_at 2018_07_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Multiple CCTV-DVR Vendors RCE"; flow:to_server,established; content:"/language/Swedish${IFS}&&"; http_uri; depth:25; fast_pattern; content:!"Referer"; http_header; metadata: former_category EXPLOIT; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/; classtype:attempted-admin; sid:2025884; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2018_07_23, malware_family Mirai, updated_at 2018_07_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"ET EXPLOIT Remote Command Execution via Android Debug Bridge"; flow:from_server,established; content:"CNXN|00 00 00 01 00 10 00 00 07 00 00 00 32 02 00 00 BC B1 A7 B1|host|3a 3a|"; distance:40; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/open-adb-ports-being-exploited-to-spread-possible-satori-variant-in-android-devices/; classtype:trojan-activity; sid:2025887; rev:1; metadata:created_at 2018_07_24, updated_at 2018_07_24;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"ET EXPLOIT Remote Command Execution via Android Debug Bridge 2"; flow:from_server,established; content:"OPENX|02 00 00 00 00 00 00 F2 17 4A 00 00 B0 AF BA B1|shell|3a|>/sdcard/Download/f|20|&&|20|cd|20|/sdcard/Download/|3b 20|>/dev/f|20|&&|20|cd|20|/dev/|3b 20|>/data/local/tmp/f|20|&&|20|cd|20|/data/local/tmp/|3b 20|busybox|20|wget|20|http|3a|//"; fast_pattern; metadata: former_category EXPLOIT; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/open-adb-ports-being-exploited-to-spread-possible-satori-variant-in-android-devices/; classtype:trojan-activity; sid:2025888; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Critical, created_at 2018_07_24, updated_at 2018_07_24;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Oracle WebLogic Unrestricted File Upload (CVE-2018-2894)"; flow:to_server,established; content:"POST"; http_method; content:"/ws_utc/resources/setting/keystore"; http_uri; fast_pattern; content:"ks_filename="; http_client_body; metadata: former_category EXPLOIT; reference:url,github.com/LandGrey/CVE-2018-2894/blob/master/CVE-2018-2894.py; reference:cve,2018-2894; classtype:attempted-admin; sid:2025907; rev:1; metadata:attack_target Server, deployment Datacenter, signature_severity Major, created_at 2018_07_25, updated_at 2018_07_25;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP CWD command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"CWD"; nocase; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010731; classtype:attempted-recon; sid:2010731; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP SITE command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"SITE"; nocase; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010732; classtype:attempted-recon; sid:2010732; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP RMDIR command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"RMDIR"; nocase; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010733; classtype:attempted-recon; sid:2010733; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP MKDIR command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"MKDIR"; nocase; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010734; classtype:attempted-recon; sid:2010734; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP PWD command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"PWD"; nocase; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010735; classtype:attempted-recon; sid:2010735; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP RETR command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"RETR"; nocase; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010736; classtype:attempted-recon; sid:2010736; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP NLST command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"NLST"; nocase; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010737; classtype:attempted-recon; sid:2010737; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP RNTO command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"RNTO"; nocase; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010738; classtype:attempted-recon; sid:2010738; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP RNFR command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"RNFR"; nocase; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010739; classtype:attempted-recon; sid:2010739; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP STOR command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"STOR"; nocase; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010740; classtype:attempted-recon; sid:2010740; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP USER login flowbit"; flow:established,to_server; content:"USER "; nocase; depth:5; flowbits:set,ET.ftp.user.login; flowbits:noalert; reference:url,doc.emergingthreats.net/bin/view/Main/2002850; classtype:not-suspicious; sid:2002850; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP HP-UX LIST command without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:"LIST "; nocase; depth:5; reference:cve,2005-3296; reference:bugtraq,15138; reference:url,doc.emergingthreats.net/bin/view/Main/2002851; classtype:attempted-recon; sid:2002851; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP Possible FTP Daemon Username SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"USER"; depth:4; content:"SELECT"; within:200; nocase; content:"FROM"; distance:0; nocase; pcre:"/SELECT.+FROM/i"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2009981; classtype:attempted-user; sid:2009981; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP Possible FTP Daemon Username DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"USER"; depth:4; content:"DELETE"; within:200; nocase; content:"FROM"; distance:0; nocase; pcre:"/DELETE.+FROM/i"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2009982; classtype:attempted-user; sid:2009982; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP Possible FTP Daemon Username INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"USER"; depth:4; content:"INSERT"; within:200; nocase; content:"INTO"; distance:0; nocase; pcre:"/INSERT.+INTO/i"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2009983; classtype:attempted-user; sid:2009983; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP Possible FTP Daemon Username UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"USER"; depth:4; content:"UPDATE"; within:200; nocase; content:"SET"; distance:0; nocase; pcre:"/UPDATE.+SET/i"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2009984; classtype:attempted-user; sid:2009984; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP Possible FTP Daemon Username UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"USER"; depth:4; content:"UNION"; within:200; nocase; content:"SELECT"; distance:0; nocase; pcre:"/UNION.+SELECT/i"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2009985; classtype:attempted-user; sid:2009985; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP Possible FTP Daemon Username INTO OUTFILE SQL Injection Attempt"; flow:established,to_server; content:"USER"; depth:4; content:"INTO"; within:200; nocase; content:"OUTFILE"; distance:0; nocase; pcre:"/INTO.+OUTFILE/i"; reference:url,www.milw0rm.com/papers/372; reference:url,www.greensql.net/publications/backdoor-webserver-using-mysql-sql-injection; reference:url,websec.wordpress.com/2007/11/17/mysql-into-outfile/; reference:url,doc.emergingthreats.net/2010081; classtype:attempted-user; sid:2010081; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"GPL FTP NextFTP client overflow"; flow:to_client,established; content:"|B4| |B4|!|8B CC 83 E9 04 8B 19|3|C9|f|B9 10|"; fast_pattern:only; reference:bugtraq,572; reference:cve,1999-0671; classtype:attempted-user; sid:2100308; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP .forward"; flow:to_server,established; content:".forward"; reference:arachnids,319; classtype:suspicious-filename-detect; sid:2100334; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP .rhosts"; flow:to_server,established; content:".rhosts"; fast_pattern:only; reference:arachnids,328; classtype:suspicious-filename-detect; sid:2100335; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP ADMw0rm ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:"w0rm"; fast_pattern; distance:1; nocase; pcre:"/^USER\s+w0rm/smi"; reference:arachnids,01; classtype:suspicious-login; sid:2100144; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP ALLO overflow attempt"; flow:to_server,established; content:"ALLO"; nocase; isdataat:100,relative; pcre:"/^ALLO\s[^\n]{100}/smi"; reference:bugtraq,9953; classtype:attempted-admin; sid:2102449; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP APPE overflow attempt"; flow:to_server,established; content:"APPE"; nocase; isdataat:100,relative; pcre:"/^APPE\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:bugtraq,8542; reference:cve,2000-0133; reference:cve,2003-0466; classtype:attempted-admin; sid:2102391; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CEL overflow attempt"; flow:to_server,established; content:"CEL"; nocase; isdataat:100,relative; pcre:"/^CEL\s[^\n]{100}/smi"; reference:arachnids,257; reference:bugtraq,679; reference:cve,1999-0789; reference:nessus,10009; classtype:attempted-admin; sid:2100337; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CMD overflow attempt"; flow:to_server,established; content:"CMD"; nocase; isdataat:100,relative; pcre:"/^CMD\s[^\n]{100}/smi"; classtype:attempted-admin; sid:2101621; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CWD ..."; flow:to_server,established; content:"CWD"; nocase; content:"..."; distance:0; pcre:"/^CWD\s[^\n]*?\.\.\./smi"; reference:bugtraq,9237; classtype:bad-unknown; sid:2101229; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CWD .... attempt"; flow:to_server,established; content:"CWD "; content:" ...."; reference:bugtraq,4884; classtype:denial-of-service; sid:2101779; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CWD Root directory transversal attempt"; flow:to_server,established; content:"CWD"; nocase; content:"C|3A 5C|"; distance:1; fast_pattern; reference:bugtraq,7674; reference:cve,2003-0392; reference:nessus,11677; classtype:protocol-command-decode; sid:2102125; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CWD overflow attempt"; flow:to_server,established; content:"CWD"; nocase; isdataat:100,relative; pcre:"/^CWD\s[^\n]{100}/smi"; reference:bugtraq,11069; reference:bugtraq,1227; reference:bugtraq,1690; reference:bugtraq,6869; reference:bugtraq,7251; reference:bugtraq,7950; reference:cve,1999-0219; reference:cve,1999-1058; reference:cve,1999-1510; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0781; reference:cve,2002-0126; reference:cve,2002-0405; classtype:attempted-admin; sid:2101919; rev:23; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CWD ~ attempt"; flow:to_server,established; content:"CWD"; nocase; pcre:"/^CWD\s+~/smi"; reference:bugtraq,2601; reference:bugtraq,9215; reference:cve,2001-0421; classtype:denial-of-service; sid:2101672; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CWD ~<CR><NEWLINE> attempt"; flow:to_server,established; content:"CWD "; content:" ~|0D 0A|"; reference:bugtraq,2601; reference:cve,2001-0421; classtype:denial-of-service; sid:2101728; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CWD ~root attempt"; flow:to_server,established; content:"CWD"; nocase; content:"~root"; distance:1; nocase; pcre:"/^CWD\s+~root/smi"; reference:arachnids,318; reference:cve,1999-0082; classtype:bad-unknown; sid:2100336; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:100,relative; pcre:"/^DELE\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2001-0826; reference:cve,2001-1021; classtype:attempted-admin; sid:2101975; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP MKD overflow"; flow:to_server,established; content:"MKD "; isdataat:100,relative; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:2100349; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP OpenBSD x86 ftpd"; flow:to_server,established; content:" |90|1|C0 99|RR|B0 17 CD 80|h|CC|sh"; fast_pattern:only; reference:arachnids,446; reference:bugtraq,2124; reference:cve,2001-0053; classtype:attempted-user; sid:2100339; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP STAT * dos attempt"; flow:to_server,established; content:"STAT"; fast_pattern:only; nocase; pcre:"/^STAT\s+[^\n]*\x2a/smi"; metadata: former_category FTP; reference:bugtraq,4482; reference:cve,2002-0073; reference:nessus,10934; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:attempted-dos; sid:2101777; rev:11; metadata:created_at 2010_09_23, updated_at 2017_03_21;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP STAT ? dos attempt"; flow:to_server,established; content:"STAT"; nocase; pcre:"/^STAT\s+[^\n]*\x3f/smi"; reference:bugtraq,4482; reference:cve,2002-0073; reference:nessus,10934; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:attempted-dos; sid:2101778; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP SITE EXEC format string"; flow:to_server,established; content:"SITE EXEC %020d|7C|%.f%.f|7C 0A|"; depth:32; nocase; reference:arachnids,453; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-user; sid:2100338; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP PWD overflow"; flow:to_server,established; content:"PWD|0A|/i"; fast_pattern:only; classtype:attempted-admin; sid:2100340; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP XXXXX overflow"; flow:to_server,established; content:"XXXXX/"; fast_pattern:only; classtype:attempted-admin; sid:2100341; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP wu-ftpd 2.6.0 site exec format string check"; flow:to_server,established; content:"f%.f%.f%.f%.f%."; depth:32; reference:arachnids,286; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-recon; sid:2100346; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP wu-ftpd 2.6.0 site exec format string overflow FreeBSD"; flow:to_server,established; content:"1|C0|PPP|B0|~|CD 80|1|DB|1|C0|"; depth:32; reference:arachnids,228; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-admin; sid:2100343; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP wu-ftpd 2.6.0 site exec format string overflow Linux"; flow:to_server,established; content:"1|C0|1|DB|1|C9 B0|F|CD 80|1|C0|1|DB|"; fast_pattern:only; reference:arachnids,287; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-admin; sid:2100344; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8"; flow:to_server,established; content:"|90 1B C0 0F 82 10| |17 91 D0| |08|"; fast_pattern:only; reference:arachnids,451; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-user; sid:2100342; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP wu-ftpd 2.6.0 site exec format string overflow generic"; flow:to_server,established; content:"SITE "; nocase; content:" EXEC "; nocase; content:" %p"; fast_pattern; nocase; reference:arachnids,285; reference:bugtraq,1387; reference:cve,2000-0573; reference:nessus,10452; classtype:attempted-admin; sid:2100345; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP wu-ftpd 2.6.0"; flow:to_server,established; content:"..11venglin@"; reference:arachnids,440; reference:bugtraq,1387; classtype:attempted-user; sid:2100348; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP LIST buffer overflow attempt"; flow:to_server,established; content:"LIST"; nocase; isdataat:100,relative; pcre:"/^LIST\s[^\n]{100,}/smi"; reference:bugtraq,10181; reference:bugtraq,6869; reference:bugtraq,7251; reference:bugtraq,7861; reference:bugtraq,8486; reference:bugtraq,9675; reference:cve,1999-0349; reference:cve,1999-1510; reference:cve,2000-0129; reference:url,www.microsoft.com/technet/security/bulletin/MS99-003.mspx; classtype:misc-attack; sid:2102338; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP LIST directory traversal attempt"; flow:to_server,established; content:"LIST"; nocase; content:".."; distance:1; content:".."; distance:1; reference:bugtraq,2618; reference:cve,2001-0680; reference:cve,2002-1054; reference:nessus,11112; classtype:protocol-command-decode; sid:2101992; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP LIST integer overflow attempt"; flow:to_server,established; content:"LIST"; nocase; pcre:"/^LIST\s+\x22-W\s+\d/smi"; reference:bugtraq,8875; reference:cve,2003-0853; reference:cve,2003-0854; classtype:misc-attack; sid:2102272; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP MDTM overflow attempt"; flow:to_server,established; content:"MDTM"; nocase; isdataat:100,relative; pcre:"/^MDTM\s[^\n]{100}/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; reference:nessus,12080; classtype:attempted-admin; sid:2102546; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP MKD overflow attempt"; flow:to_server,established; content:"MKD"; nocase; isdataat:100,relative; pcre:"/^MKD\s[^\n]{100}/smi"; reference:bugtraq,612; reference:bugtraq,7278; reference:bugtraq,9872; reference:cve,1999-0911; reference:nessus,12108; classtype:attempted-admin; sid:2101973; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP MKDIR format string attempt"; flow:to_server,established; content:"MKDIR"; nocase; pcre:"/^MKDIR\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9262; classtype:misc-attack; sid:2102332; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP NLST overflow attempt"; flow:to_server,established; content:"NLST"; nocase; isdataat:100,relative; pcre:"/^NLST\s[^\n]{100}/smi"; reference:bugtraq,10184; reference:bugtraq,7909; reference:bugtraq,9675; reference:cve,1999-1544; classtype:attempted-admin; sid:2102374; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP PASS format string attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,7474; reference:bugtraq,9262; reference:bugtraq,9800; reference:cve,2000-0699; classtype:misc-attack; sid:2102179; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP PASS overflow attempt"; flow:to_server,established,no_stream; content:"PASS"; nocase; isdataat:100,relative; pcre:"/^PASS\s[^\n]{100}/smi"; reference:bugtraq,10078; reference:bugtraq,10720; reference:bugtraq,1690; reference:bugtraq,3884; reference:bugtraq,8601; reference:bugtraq,9285; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2000-1035; reference:cve,2002-0126; reference:cve,2002-0895; classtype:attempted-admin; sid:2101972; rev:17; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP PORT bounce attempt"; flow:to_server,established; content:"PORT"; nocase; ftpbounce; pcre:"/^PORT/smi"; classtype:misc-attack; sid:2103441; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RENAME format string attempt"; flow:to_server,established; content:"RENAME"; nocase; pcre:"/^RENAME\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9262; classtype:misc-attack; sid:2102333; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP REST overflow attempt"; flow:to_server,established; content:"REST"; nocase; isdataat:100,relative; pcre:"/^REST\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2001-0826; classtype:attempted-admin; sid:2101974; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP REST with numeric argument"; flow:to_server,established; content:"REST"; nocase; pcre:"/REST\s+[0-9]+\n/i"; reference:bugtraq,7825; classtype:attempted-recon; sid:2103460; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RETR format string attempt"; flow:to_server,established; content:"RETR"; nocase; pcre:"/^RETR\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9800; classtype:attempted-admin; sid:2102574; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RETR overflow attempt"; flow:to_server,established; content:"RETR"; nocase; isdataat:100,relative; pcre:"/^RETR\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; reference:cve,2004-0287; reference:cve,2004-0298; classtype:attempted-admin; sid:2102392; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RMD overflow attempt"; flow:to_server,established; content:"RMD"; nocase; isdataat:100,relative; pcre:"/^RMD\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2000-0133; reference:cve,2001-0826; reference:cve,2001-1021; classtype:attempted-admin; sid:2101976; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RMDIR overflow attempt"; flow:to_server,established; content:"RMDIR"; nocase; isdataat:100,relative; pcre:"/^RMDIR\s[^\n]{100}/smi"; reference:bugtraq,819; classtype:attempted-admin; sid:2101942; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RNFR ././ attempt"; flow:to_server,established; content:"RNFR "; nocase; content:" ././"; nocase; classtype:misc-attack; sid:2101622; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RNFR overflow attempt"; flow:to_server,established; content:"RNFR"; nocase; isdataat:100,relative; pcre:"/^RNFR\s[^\n]{100}/smi"; classtype:attempted-admin; sid:2103077; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RNTO overflow attempt"; flow:to_server,established; content:"RNTO"; nocase; isdataat:100,relative; pcre:"/^RNTO\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2000-0133; reference:cve,2001-1021; reference:cve,2003-0466; classtype:attempted-admin; sid:2102389; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP SITE CHMOD overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHMOD"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CHMOD\s[^\n]{100}/smi"; reference:bugtraq,10181; reference:bugtraq,9483; reference:bugtraq,9675; reference:cve,1999-0838; reference:nessus,12037; classtype:attempted-admin; sid:2102340; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP SITE CHOWN overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHOWN"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CHOWN\s[^\n]{100}/smi"; reference:bugtraq,2120; reference:cve,2001-0065; classtype:attempted-admin; sid:2101562; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP SITE CPWD overflow attempt"; flow:established,to_server; content:"SITE"; nocase; content:"CPWD"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CPWD\s[^\n]{100}/smi"; reference:bugtraq,5427; reference:cve,2002-0826; classtype:misc-attack; sid:2101888; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP SITE EXEC attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC/smi"; reference:arachnids,317; reference:bugtraq,2241; reference:cve,1999-0080; reference:cve,1999-0955; classtype:bad-unknown; sid:2100361; rev:16; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP SITE EXEC format string attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC\s[^\n]*?%[^\n]*?%/smi"; classtype:bad-unknown; sid:2101971; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP SITE NEWER attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:1; nocase; pcre:"/^SITE\s+NEWER/smi"; reference:cve,1999-0880; reference:nessus,10319; classtype:attempted-dos; sid:2101864; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP SITE NEWER overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+NEWER\s[^\n]{100}/smi"; reference:bugtraq,229; reference:cve,1999-0800; classtype:attempted-admin; sid:2101920; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP SITE ZIPCHK overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"ZIPCHK"; distance:1; nocase; isdataat:100,relative; pcre:"/^SITE\s+ZIPCHK\s[^\n]{100}/smi"; reference:cve,2000-0040; classtype:attempted-admin; sid:2101921; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP SITE overflow attempt"; flow:to_server,established; content:"SITE"; nocase; isdataat:100,relative; pcre:"/^SITE\s[^\n]{100}/smi"; reference:cve,1999-0838; reference:cve,2001-0755; reference:cve,2001-0770; classtype:attempted-admin; sid:2101529; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:100,relative; pcre:"/^STAT\s[^\n]{100}/smi"; reference:bugtraq,3507; reference:bugtraq,8542; reference:cve,2001-0325; reference:cve,2001-1021; reference:url,labs.defcom.com/adv/2001/def-2001-31.txt; classtype:attempted-admin; sid:2101379; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP STOR overflow attempt"; flow:to_server,established; content:"STOR"; nocase; isdataat:100,relative; pcre:"/^STOR\s[^\n]{100}/smi"; reference:bugtraq,8668; reference:cve,2000-0133; classtype:attempted-admin; sid:2102343; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP STOU overflow attempt"; flow:to_server,established; content:"STOU"; nocase; isdataat:100,relative; pcre:"/^STOU\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; sid:2102390; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP USER format string attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,7474; reference:bugtraq,7776; reference:bugtraq,9262; reference:bugtraq,9402; reference:bugtraq,9600; reference:bugtraq,9800; reference:cve,2004-0277; reference:nessus,10041; reference:nessus,11687; classtype:misc-attack; sid:2102178; rev:17; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP USER overflow attempt"; flow:to_server,established,no_stream; content:"USER|20|"; nocase; isdataat:100,relative; pcre:"/^USER\x20[^\x00\x20\x0a\x0d]{100}/smi"; reference:bugtraq,10078; reference:bugtraq,1227; reference:bugtraq,1504; reference:bugtraq,1690; reference:bugtraq,4638; reference:bugtraq,7307; reference:bugtraq,8376; reference:cve,1999-1510; reference:cve,1999-1514; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2000-0479; reference:cve,2000-0656; reference:cve,2000-0761; reference:cve,2000-0943; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0256; reference:cve,2001-0794; reference:cve,2001-0826; reference:cve,2002-0126; reference:cve,2002-1522; reference:cve,2003-0271; reference:cve,2004-0286; classtype:attempted-admin; sid:2101734; rev:35; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP XCWD overflow attempt"; flow:to_server,established; content:"XCWD"; nocase; isdataat:100,relative; pcre:"/^XCWD\s[^\n]{100}/smi"; reference:bugtraq,11542; reference:bugtraq,8704; classtype:attempted-admin; sid:2102344; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP XMKD overflow attempt"; flow:to_server,established; content:"XMKD"; nocase; isdataat:100,relative; pcre:"/^XMKD\s[^\n]{100}/smi"; reference:bugtraq,7909; reference:cve,2000-0133; reference:cve,2001-1021; classtype:attempted-admin; sid:2102373; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP authorized_keys file transferred"; flow:to_server,established; content:"authorized_keys"; fast_pattern:only; classtype:suspicious-filename-detect; sid:2101927; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP command overflow attempt"; flow:to_server,established,no_stream; dsize:>100; reference:bugtraq,4638; reference:cve,2002-0606; classtype:protocol-command-decode; sid:2101748; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP format string attempt"; flow:to_server,established; content:"%"; fast_pattern:only; pcre:"/\s+.*?%.*?%/smi"; classtype:string-detect; sid:2102417; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP format string attempt"; flow:to_server,established; content:"%p"; fast_pattern:only; nocase; reference:nessus,10452; reference:bugtraq,1387; reference:bugtraq,2240; reference:bugtraq,726; reference:cve,2000-0573; reference:cve,1999-0997; classtype:attempted-admin; sid:2101530; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP invalid MDTM command attempt"; flow:to_server,established; content:"MDTM"; fast_pattern:only; nocase; pcre:"/^MDTM \d+[-+]\D/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; classtype:attempted-admin; sid:2102416; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP invalid MODE"; flow:to_server,established; content:"MODE"; fast_pattern:only; nocase; pcre:"/^MODE\s+[^ABSC]{1}/msi"; classtype:protocol-command-decode; sid:2101623; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP iss scan"; flow:to_server,established; content:"pass -iss@iss"; fast_pattern:only; reference:arachnids,331; classtype:suspicious-login; sid:2100354; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP large PWD command"; flow:to_server,established; dsize:10; content:"PWD"; nocase; classtype:protocol-command-decode; sid:2101624; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP large SYST command"; flow:to_server,established; dsize:10; content:"SYST"; nocase; classtype:protocol-command-decode; sid:2101625; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP pass wh00t"; flow:to_server,established; content:"pass wh00t"; fast_pattern:only; nocase; reference:arachnids,324; classtype:suspicious-login; sid:2100355; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP passwd retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"passwd"; reference:arachnids,213; classtype:suspicious-filename-detect; sid:2100356; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP piss scan"; flow:to_server,established; content:"pass -cklaus"; fast_pattern:only; classtype:suspicious-login; sid:2100357; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP saint scan"; flow:to_server,established; content:"pass -saint"; fast_pattern:only; reference:arachnids,330; classtype:suspicious-login; sid:2100358; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP satan scan"; flow:to_server,established; content:"pass -satan"; fast_pattern:only; reference:arachnids,329; classtype:suspicious-login; sid:2100359; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP serv-u directory transversal"; flow:to_server,established; content:".%20."; fast_pattern:only; nocase; reference:bugtraq,2052; reference:cve,2001-0054; classtype:bad-unknown; sid:2100360; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP shadow retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"shadow"; fast_pattern:only; classtype:suspicious-filename-detect; sid:2101928; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP tar parameters"; flow:to_server,established; content:" --use-compress-program "; fast_pattern:only; nocase; reference:arachnids,134; reference:bugtraq,2240; reference:cve,1999-0202; reference:cve,1999-0997; classtype:bad-unknown; sid:2100362; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP FTP no password"; flow:from_client,established; content:"PASS"; nocase; fast_pattern:only; pcre:"/^PASS\s*\n/smi"; reference:arachnids,322; classtype:unknown; sid:2100489; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP FTP 'CWD  ' possible warez site"; flow:to_server,established; content:"CWD  "; depth:5; nocase; classtype:misc-activity; sid:2100546; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP FTP 'CWD / ' possible warez site"; flow:to_server,established; content:"CWD"; nocase; content:"/ "; distance:1; classtype:misc-activity; sid:2100545; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP MKD space space possible warez site"; flow:to_server,established; content:"MKD  "; depth:5; nocase; classtype:misc-activity; sid:2100547; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP FTP 'MKD .' possible warez site"; flow:to_server,established; content:"MKD ."; depth:5; nocase; classtype:misc-activity; sid:2100548; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP MKD / possible warez site"; flow:to_server,established; content:"MKD"; nocase; content:"/ "; distance:1; classtype:misc-activity; sid:2100554; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP FTP 'RETR 1MB' possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"1MB"; fast_pattern; distance:1; nocase; classtype:misc-activity; sid:2100544; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP FTP 'STOR 1MB' possible warez site"; flow:to_server,established; content:"STOR"; nocase; content:"1MB"; fast_pattern; distance:1; nocase; classtype:misc-activity; sid:2100543; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP FTP anonymous ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:" ftp|0D 0A|"; nocase; classtype:misc-activity; sid:2101449; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP FTP anonymous login attempt"; flow:to_server,established; content:"USER "; nocase; depth:5; content:"anon"; distance:0; classtype:misc-activity; sid:2100553; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP FTP file_id.diz access possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"file_id.diz"; distance:1; nocase; classtype:suspicious-filename-detect; sid:2101445; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"GPL FTP FTP Bad login"; flow:from_server,established; content:"530 "; depth:4; pcre:"/^530\s+(Login|User)/smi"; classtype:bad-unknown; sid:2100491; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP Suspicious Percentage Symbol Usage in FTP Username"; flow:established,to_server; content:"USER "; depth:5; nocase; content:!"|0d 0a|"; within:50; content:"%"; distance:0; reference:url,www.checkpoint.com/defense/advisories/public/2010/sbp-16-Aug.html; classtype:bad-unknown; sid:2011487; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP Suspicious Quotation Mark Usage in FTP Username"; flow:established,to_server; content:"USER "; depth:5; content:"|22|"; distance:0; pcre:"/^USER [^\r\n]*?\x22/";  reference:url,www.checkpoint.com/defense/advisories/public/2010/sbp-16-Aug.html; classtype:bad-unknown; sid:2011488; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp any any -> $HOME_NET 21 (msg:"ET FTP ProFTPD Backdoor Inbound Backdoor Open Request (ACIDBITCHEZ)"; flow:established,to_server; content:"HELP "; depth:5; content:"ACIDBITCHEZ"; distance:0; nocase; reference:url,slashdot.org/story/10/12/02/131214/ProFTPDorg-Compromised-Backdoor-Distributed; reference:url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/; reference:url, sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org; classtype:trojan-activity; sid:2011994; rev:5; metadata:created_at 2010_12_02, updated_at 2010_12_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET FTP Outbound Java Anonymous FTP Login"; flow:to_server,established; content:"USER anonymous|0d 0a|PASS Java1."; fast_pattern:7,20; pcre:"/^\d\.\d(_\d+)?\@\r\n/R"; flowbits:set,ET.Java.FTP.Logon; classtype:misc-activity; sid:2016687; rev:2; metadata:created_at 2013_03_28, updated_at 2013_03_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET FTP Outbound Java Downloading jar over FTP"; flow:to_server,established; flowbits:isset,ET.Java.FTP.Logon; content:".jar"; nocase; fast_pattern:only; content:"RETR "; pcre:"/^[^\r\n]+\.jar/Ri"; classtype:misc-activity; sid:2016688; rev:2; metadata:created_at 2013_03_28, updated_at 2013_03_28;)

#alert udp any any -> $HOME_NET 27901 (msg:"ET GAMES Alien Arena 7.30 Remote Code Execution Attempt"; content:"print|0A 5C|"; isdataat:257,relative; pcre:"/\x5C[^\x5C\x00]{257}/"; reference:url,www.packetstormsecurity.org/0910-advisories/alienarena-exec.txt; reference:url,doc.emergingthreats.net/2010156; classtype:misc-attack; sid:2010156; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 6112 (msg:"ET GAMES Battle.net Starcraft login"; flow:established,to_server; content:"|FF 50|"; depth:2; content:"RATS"; offset:12; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2002101; classtype:policy-violation; sid:2002101; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 6112 (msg:"ET GAMES Battle.net Brood War login"; flow:established,to_server; content:"|FF 50|"; depth:2; content:"PXES"; offset:12; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2002102; classtype:policy-violation; sid:2002102; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 6112 (msg:"ET GAMES Battle.net Diablo login"; flow:established,to_server; content:"|FF 50|"; depth:2; content:"LTRD"; offset:12; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2002103; classtype:policy-violation; sid:2002103; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 6112 (msg:"ET GAMES Battle.net Diablo 2 login"; flow:established,to_server; content:"|FF 50|"; depth:2; content:"VD2D"; offset:12; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2002104; classtype:policy-violation; sid:2002104; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 6112 (msg:"ET GAMES Battle.net Diablo 2 Lord of Destruction login"; flow:established,to_server; content:"|FF 50|"; depth:2; content:"PX2D"; offset:12; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2002105; classtype:policy-violation; sid:2002105; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 6112 (msg:"ET GAMES Battle.net Warcraft 2 login"; flow:established,to_server; content:"|FF 50|"; depth:2; content:"NB2W"; offset:12; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2002106; classtype:policy-violation; sid:2002106; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 6112 (msg:"ET GAMES Battle.net Warcraft 3 login"; flow:established,to_server; content:"|FF 50|"; depth:2; content:"3RAW"; offset:12; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2002107; classtype:policy-violation; sid:2002107; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 6112 (msg:"ET GAMES Battle.net Warcraft 3 The Frozen throne login"; flow:established,to_server; content:"|FF 50|"; depth:2; content:"PX3W"; offset:12; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2002108; classtype:policy-violation; sid:2002108; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net old game version"; flow:established,from_server; content:"|FF 51|"; depth:2; content:"|00 01 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002109; classtype:policy-violation; sid:2002109; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net invalid version"; flow:established,from_server; content:"|FF 51 08 00 01 01 00 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002110; classtype:policy-violation; sid:2002110; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net invalid cdkey"; flow:established,from_server; content:"|FF 51 09 00 00 02 00 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002111; classtype:policy-violation; sid:2002111; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net cdkey in use"; flow:established,from_server; content:"|FF 51|"; depth:2; content:"|01 02 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002112; classtype:policy-violation; sid:2002112; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net banned key"; flow:established,from_server; content:"|FF 51 09 00 02 02 00 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002113; classtype:policy-violation; sid:2002113; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net wrong product"; flow:established,from_server; content:"|FF 51 09 00 03 02 00 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002114; classtype:policy-violation; sid:2002114; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net failed account login (OLS) wrong password"; flow:established,from_server; content:"|FF 3A 08 00 02 00 00 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002115; classtype:policy-violation; sid:2002115; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net failed account login (NLS) wrong password"; flow:established,from_server; content:"|FF 54 1C 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002116; classtype:policy-violation; sid:2002116; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET !443 (msg:"ET GAMES Battle.net connection reset (possible IP-Ban)"; flow:to_client; flags:R,12; reference:url,doc.emergingthreats.net/bin/view/Main/2002117; classtype:policy-violation; sid:2002117; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net user in channel"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|01 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002118; classtype:policy-violation; sid:2002118; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net user joined channel"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|02 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002140; classtype:policy-violation; sid:2002140; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net user left channel"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|03 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002141; classtype:policy-violation; sid:2002141; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net received whisper message"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|04 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002142; classtype:policy-violation; sid:2002142; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net received server broadcast"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|06 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002143; classtype:policy-violation; sid:2002143; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net joined channel"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|07 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002144; classtype:policy-violation; sid:2002144; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net user had a flags update"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|09 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002145; classtype:policy-violation; sid:2002145; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net sent a whisper"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|0a 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002146; classtype:policy-violation; sid:2002146; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net channel full"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|0d 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002147; classtype:policy-violation; sid:2002147; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net channel doesn't exist"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|0e 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002148; classtype:policy-violation; sid:2002148; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net channel is restricted"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|0f 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002149; classtype:policy-violation; sid:2002149; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net informational message"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|12 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002150; classtype:policy-violation; sid:2002150; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net error message"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|13 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002151; classtype:policy-violation; sid:2002151; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net 'emote' message"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|17 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002152; classtype:policy-violation; sid:2002152; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 6112 (msg:"ET GAMES Battle.net outgoing chat message"; flow:established,to_server; content:"|FF 0E|"; depth:2; reference:url,doc.emergingthreats.net/bin/view/Main/2002119; classtype:policy-violation; sid:2002119; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 3724 (msg:"ET GAMES World of Warcraft connection"; flow:established,to_server; content:"|00|"; depth:1; content:"|25 00|WoW|00|"; distance:1; within:7; reference:url,doc.emergingthreats.net/bin/view/Main/2002138; classtype:policy-violation; sid:2002138; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 3724 -> $HOME_NET any (msg:"ET GAMES World of Warcraft failed logon"; flow:established,from_server; content:"|01 0A|"; depth:2; reference:url,doc.emergingthreats.net/bin/view/Main/2002139; classtype:policy-violation; sid:2002139; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 6112 (msg:"ET GAMES Guild Wars connection"; flow:established,to_server; content:"|01 00 00 00 00 F1 00 10 00 01 00 00 00 00 00 00 00 00 00 00 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002154; classtype:policy-violation; sid:2002154; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net incoming chat message"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|05 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002170; classtype:policy-violation; sid:2002170; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET GAMES PunkBuster Server webkey Buffer Overflow"; flow:established,to_server; content:"/pbsvweb"; nocase; http_uri; content:"webkey="; nocase; isdataat:500,relative; content:!"|0A|"; within:500; content:!"&"; within:500; reference:url,aluigi.altervista.org/adv/pbwebbof-adv.txt; reference:url,doc.emergingthreats.net/2002947; classtype:attempted-admin; sid:2002947; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 27015 (msg:"ET GAMES Steam connection"; content:"getchallengesteam"; reference:url,doc.emergingthreats.net/bin/view/Main/2002155; classtype:policy-violation; sid:2002155; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 27020:27050 (msg:"ET GAMES STEAM Connection (v2)"; flow:established,to_server; content:"|00 00 00 03|"; dsize:4; reference:url,doc.emergingthreats.net/bin/view/Main/2003089; classtype:policy-violation; sid:2003089; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak3 Connect"; content:"|00 00 00 00 02 9d 74 8b 45 aa 7b ef b9 9e fe ad 08 19 ba cf 41 e0 16 a2|"; offset:8; depth:24; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011733; classtype:policy-violation; sid:2011733; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Connection/Login"; content:"|f4 be 03 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011734; classtype:policy-violation; sid:2011734; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Connection/Login Replay"; content:"|f4 be 04 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011735; classtype:policy-violation; sid:2011735; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Connection/Ping"; content:"|f4 be 01 00|"; depth:4; threshold:type limit, count 1, seconds 300, track by_src; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011736; classtype:policy-violation; sid:2011736; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Connection/Ping Reply"; content:"|f4 be 02 00|"; depth:4; threshold:type limit, count 1, seconds 300, track by_src; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011737; classtype:policy-violation; sid:2011737; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/Login Part 2"; flow:established; content:"|f0 be 05 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011738; classtype:policy-violation; sid:2011738; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/Channel List"; content:"|f0 be 06 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011739; classtype:policy-violation; sid:2011739; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/Player List"; content:"|f0 be 07 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011740; classtype:policy-violation; sid:2011740; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/Login End"; content:"|f0 be 08 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011741; classtype:policy-violation; sid:2011741; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/New Player Joined"; content:"|f0 be 64 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011742; classtype:policy-violation; sid:2011742; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/Player Left"; content:"|f0 be 65 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011743; classtype:policy-violation; sid:2011743; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/Change Status"; content:"|f0 be 30 01|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011744; classtype:policy-violation; sid:2011744; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/Known Player Update"; content:"|f0 be 68 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011745; classtype:policy-violation; sid:2011745; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/Disconnect"; content:"|f0 be 2c 01|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011746; classtype:policy-violation; sid:2011746; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 ACK"; content:"|f1 be|"; depth:2; dsize:16; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011747; classtype:policy-violation; sid:2011747; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Game Launch"; flow:to_server,established; content:"GET"; http_method; content:"/online_game/launcher_init.php?"; http_uri; content:"User-Agent|3a| GameBox"; http_header; content:"game="; http_uri; content:"lang="; http_uri; content:"protocol="; http_uri; content:"distro="; http_uri; content:"osdesc="; http_uri; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011748; classtype:policy-violation; sid:2011748; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Game Check for Patch"; flow:to_server,established; content:"GET"; http_method; content:"/online_game/patch.php?"; http_uri; content:"game="; http_uri; content:"lang="; http_uri; content:"protocol="; http_uri; content:"distro="; http_uri; content:"osdesc="; http_uri; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011749; classtype:policy-violation; sid:2011749; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request GetConnectionAndGameParams"; flow:to_server,established; content:"POST"; http_method; content:"/online_game/request.php"; http_uri; content:"User-Agent|3a| GameBox"; http_header; content:"<request><name>GetConnectionAndGameParams</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011750; classtype:policy-violation; sid:2011750; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request OpenSession"; flow:to_server,established; content:"POST"; http_method; content:"/online_game/request.php"; http_uri; content:"User-Agent|3a| GameBox"; http_header; content:"<request><name>OpenSession</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011751; classtype:policy-violation; sid:2011751; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request Connect"; flow:to_server,established; content:"POST"; http_method; content:"/online_game/request.php"; http_uri; content:"User-Agent|3a| GameBox"; http_header; content:"<request><name>Connect</name>"; nocase; http_client_body; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011752; classtype:policy-violation; sid:2011752; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request Disconnect"; flow:to_server,established; content:"POST"; http_method; content:"/online_game/request.php"; http_uri; content:"User-Agent|3a| GameBox"; http_header; content:"<request><name>Disconnect</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011753; classtype:policy-violation; sid:2011753; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request GetOnlineProfile"; flow:to_server,established; content:"POST"; http_method; content:"/online_game/request.php"; http_uri; content:"User-Agent|3a| GameBox"; http_header; content:"<request><name>GetOnlineProfile</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011754; classtype:policy-violation; sid:2011754; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request GetBuddies"; flow:to_server,established; content:"POST"; http_method; content:"/online_game/request.php"; http_uri; content:"User-Agent|3a| GameBox"; http_header; content:"<request><name>GetBuddies</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011755; classtype:policy-violation; sid:2011755; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request SearchNew"; flow:to_server,established; content:"POST"; http_method; content:"/online_game/request.php"; http_uri; content:"User-Agent|3a| GameBox"; http_header; content:"<request><name>SearchNew</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011756; classtype:policy-violation; sid:2011756; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request LiveUpdate"; flow:to_server,established; content:"POST"; http_method; content:"/online_game/request.php"; http_uri; content:"User-Agent|3a| GameBox"; http_header; content:"<request><name>LiveUpdate</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011757; classtype:policy-violation; sid:2011757; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Ad Report"; flow:to_server,established; content:"GET"; http_method; content:"/online_game/ad_report.php"; http_uri; content:"User-Agent|3a| GameBox"; http_header; content:"protocol="; http_uri; content:"author="; http_uri; content:"login="; http_uri; content:"zone="; http_uri; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011758; classtype:policy-violation; sid:2011758; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES Blizzard Downloader Client User-Agent (Blizzard Downloader 2.x)"; flow:to_server,established; content:"User-Agent|3a| Blizzard"; fast_pattern:11,9; http_header; reference:url,www.worldofwarcraft.com/info/faq/blizzarddownloader.html; reference:url,doc.emergingthreats.net/2011708; classtype:policy-violation; sid:2011708; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 20000 (msg:"ET GAMES Gold VIP Club Casino Client in Use"; flow:established,to_server; dsize:25; content:"Gold VIP Club Casino"; reference:url,doc.emergingthreats.net/2007746; classtype:policy-violation; sid:2007746; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 7787 (msg:"GPL GAMES Unreal Tournament secure overflow attempt"; content:"|5C|secure|5C|"; nocase; pcre:"/\x5csecure\x5c[^\x00]{50}/smi"; reference:bugtraq,10570; reference:cve,2004-0608; classtype:misc-attack; sid:2103080; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES Blizzard Web Downloader Install Detected"; flow: established,to_server; content: "User-Agent|3a| Blizzard Web Client"; nocase; classtype:policy-violation; sid:2012170; rev:2; metadata:created_at 2011_01_10, updated_at 2011_01_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES Second Life setup download"; flow:established,to_server; content:"/Second_Life_Setup.exe"; reference:url,en.wikifur.com/wiki/Second_Life; reference:url,wiki.secondlife.com/wiki/Furry; classtype:policy-violation; sid:2013910; rev:2; metadata:created_at 2011_11_10, updated_at 2011_11_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES Nintendo Wii User-Agent"; flow:established,to_server; content:"(Nintendo Wii"; http_header; reference:url,www.useragentstring.com/pages/Opera/; classtype:policy-violation; sid:2014718; rev:2; metadata:created_at 2012_05_07, updated_at 2012_05_07;)

alert tcp $EXTERNAL_NET 25565 -> $HOME_NET any (msg:"ET GAMES MINECRAFT Server response inbound"; flow:established,from_server; content:"|7B 22|"; depth:10; classtype:policy-violation; sid:2021701; rev:1; metadata:created_at 2015_08_21, updated_at 2015_08_21;)

alert tcp $HOME_NET 25565 -> $EXTERNAL_NET any (msg:"ET GAMES MINECRAFT Server response outbound"; flow:established,from_server; content:"|7B 22|"; depth:10; classtype:policy-violation; sid:2021702; rev:1; metadata:created_at 2015_08_21, updated_at 2015_08_21;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP undefined code"; icode:>18; classtype:misc-activity; sid:2100197; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Address Mask Reply undefined code"; icode:>0; itype:18; classtype:misc-activity; sid:2100387; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Address Mask Request undefined code"; icode:>0; itype:17; classtype:misc-activity; sid:2100389; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Alternate Host Address undefined code"; icode:>0; itype:6; classtype:misc-activity; sid:2100391; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Datagram Conversion Error undefined code"; icode:>0; itype:31; classtype:misc-activity; sid:2100393; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Datagram Conversion Error"; icode:0; itype:31; classtype:misc-activity; sid:2100392; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Destination Unreachable undefined code"; icode:>15; itype:3; classtype:misc-activity; sid:2100407; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Echo Reply undefined code"; icode:>0; itype:0; classtype:misc-activity; sid:2100409; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP IPV6 I-Am-Here undefined code"; icode:>0; itype:34; classtype:misc-activity; sid:2100412; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP IPV6 Where-Are-You undefined code"; icode:>0; itype:33; classtype:misc-activity; sid:2100414; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Information Request undefined code"; icode:>0; itype:15; classtype:misc-activity; sid:2100418; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP L3retriever Ping"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; reference:arachnids,311; classtype:attempted-recon; sid:2100466; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:2100499; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Mobile Host Redirect undefined code"; icode:>0; itype:32; classtype:misc-activity; sid:2100420; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Mobile Registration Reply undefined code"; icode:>0; itype:36; classtype:misc-activity; sid:2100422; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Mobile Registration Request undefined code"; icode:>0; itype:35; classtype:misc-activity; sid:2100424; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP PING undefined code"; icode:>0; itype:8; classtype:misc-activity; sid:2100365; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Parameter Problem Bad Length"; icode:2; itype:12; classtype:misc-activity; sid:2100425; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Parameter Problem Missing a Required Option"; icode:1; itype:12; classtype:misc-activity; sid:2100426; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Parameter Problem Unspecified Error"; icode:0; itype:12; classtype:misc-activity; sid:2100427; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Parameter Problem undefined Code"; icode:>2; itype:12; classtype:misc-activity; sid:2100428; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Photuris Reserved"; icode:0; itype:40; classtype:misc-activity; sid:2100429; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Photuris Unknown Security Parameters Index"; icode:1; itype:40; classtype:misc-activity; sid:2100430; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Photuris Valid Security Parameters, But Authentication Failed"; icode:2; itype:40; classtype:misc-activity; sid:2100431; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Photuris Valid Security Parameters, But Decryption Failed"; icode:3; itype:40; classtype:misc-activity; sid:2100432; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Photuris undefined code!"; icode:>3; itype:40; classtype:misc-activity; sid:2100433; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Redirect undefined code"; icode:>3; itype:5; classtype:misc-activity; sid:2100438; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Reserved for Security Type 19 undefined code"; icode:>0; itype:19; classtype:misc-activity; sid:2100440; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Reserved for Security Type 19"; icode:0; itype:19; classtype:misc-activity; sid:2100439; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP SKIP undefined code"; icode:>0; itype:39; classtype:misc-activity; sid:2100446; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Source Quench undefined code"; icode:>0; itype:4; classtype:misc-activity; sid:2100448; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Timestamp Reply undefined code"; icode:>0; itype:14; classtype:misc-activity; sid:2100452; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Timestamp Request undefined code"; icode:>0; itype:13; classtype:misc-activity; sid:2100454; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Traceroute undefined code"; icode:>0; itype:30; classtype:misc-activity; sid:2100457; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP unassigned type 1 undefined code"; itype:1; classtype:misc-activity; sid:2100459; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP unassigned type 2 undefined code"; itype:2; classtype:misc-activity; sid:2100461; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP unassigned type 7 undefined code"; itype:7; classtype:misc-activity; sid:2100463; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL ICMP Information Reply undefined code"; icode:>0; itype:16; classtype:misc-activity; sid:2100416; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL ICMP Time-To-Live Exceeded in Transit undefined code"; icode:>1; itype:11; classtype:misc-activity; sid:2100450; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Address Mask Request"; icode:0; itype:17; classtype:misc-activity; sid:2100388; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Alternate Host Address"; icode:0; itype:6; classtype:misc-activity; sid:2100390; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Destination Host Unknown"; icode:7; itype:3; classtype:misc-activity; sid:2100394; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Destination Network Unknown"; icode:6; itype:3; classtype:misc-activity; sid:2100395; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Fragmentation Needed and DF bit was set"; icode:4; itype:3; classtype:misc-activity; sid:2100396; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Host Precedence Violation"; icode:14; itype:3; classtype:misc-activity; sid:2100397; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Host Unreachable for Type of Service"; icode:12; itype:3; classtype:misc-activity; sid:2100398; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Host Unreachable"; icode:1; itype:3; classtype:misc-activity; sid:2100399; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Network Unreachable for Type of Service"; icode:11; itype:3; classtype:misc-activity; sid:2100400; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Network Unreachable"; icode:0; itype:3; classtype:misc-activity; sid:2100401; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Port Unreachable"; icode:3; itype:3; classtype:misc-activity; sid:2100402; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Precedence Cutoff in effect"; icode:15; itype:3; classtype:misc-activity; sid:2100403; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Protocol Unreachable"; icode:2; itype:3; classtype:misc-activity; sid:2100404; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Source Host Isolated"; icode:8; itype:3; classtype:misc-activity; sid:2100405; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Source Route Failed"; icode:5; itype:3; classtype:misc-activity; sid:2100406; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Echo Reply"; icode:0; itype:0; classtype:misc-activity; sid:2100408; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Fragment Reassembly Time Exceeded"; icode:1; itype:11; classtype:misc-activity; sid:2100410; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO IPV6 I-Am-Here"; icode:0; itype:34; classtype:misc-activity; sid:2100411; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO IPV6 Where-Are-You"; icode:0; itype:33; classtype:misc-activity; sid:2100413; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO IRDP router advertisement"; itype:9; reference:arachnids,173; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:2100363; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO IRDP router selection"; itype:10; reference:arachnids,174; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:2100364; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Information Request"; icode:0; itype:15; classtype:misc-activity; sid:2100417; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Mobile Host Redirect"; icode:0; itype:32; classtype:misc-activity; sid:2100419; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Mobile Registration Reply"; icode:0; itype:36; classtype:misc-activity; sid:2100421; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Mobile Registration Request"; icode:0; itype:35; classtype:misc-activity; sid:2100423; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING *NIX"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32; classtype:misc-activity; sid:2100366; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING BSDtype"; itype:8; content:"|08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17|"; depth:32; reference:arachnids,152; classtype:misc-activity; sid:2100368; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING BayRS Router"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F|"; depth:32; reference:arachnids,438; reference:arachnids,444; classtype:misc-activity; sid:2100369; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING BeOS4.x"; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 08 09 0A 0B|"; depth:32; reference:arachnids,151; classtype:misc-activity; sid:2100370; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Cisco Type.x"; itype:8; content:"|AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD|"; depth:32; reference:arachnids,153; classtype:misc-activity; sid:2100371; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Flowpoint2200 or Network Management Software"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10|"; depth:32; reference:arachnids,156; classtype:misc-activity; sid:2100373; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING IP NetMonitor Macintosh"; itype:8; content:"|A9| Sustainable So"; depth:32; reference:arachnids,157; classtype:misc-activity; sid:2100374; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING LINUX/*BSD"; dsize:8; id:13170; itype:8; reference:arachnids,447; classtype:misc-activity; sid:2100375; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Microsoft Windows"; itype:8; content:"0123456789abcdefghijklmnop"; depth:32; reference:arachnids,159; classtype:misc-activity; sid:2100376; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Network Toolbox 3 Windows"; itype:8; content:"================"; depth:32; reference:arachnids,161; classtype:misc-activity; sid:2100377; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Ping-O-MeterWindows"; itype:8; content:"OMeterObeseArmad"; depth:32; reference:arachnids,164; classtype:misc-activity; sid:2100378; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Pinger Windows"; itype:8; content:"Data|00 00 00 00 00 00 00 00 00 00 00 00|"; depth:32; reference:arachnids,163; classtype:misc-activity; sid:2100379; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Seer Windows"; itype:8; content:"|88 04|              "; depth:32; reference:arachnids,166; classtype:misc-activity; sid:2100380; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Sun Solaris"; dsize:8; itype:8; reference:arachnids,448; classtype:misc-activity; sid:2100381; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING WhatsupGold Windows"; itype:8; content:"WhatsUp - A Netw"; depth:32; reference:arachnids,168; classtype:misc-activity; sid:2100482; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Windows"; itype:8; content:"abcdefghijklmnop"; depth:16; reference:arachnids,169; classtype:misc-activity; sid:2100382; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING speedera"; itype:8; content:"89|3A 3B|<=>?"; depth:100; classtype:misc-activity; sid:2100480; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING"; icode:0; itype:8; classtype:misc-activity; sid:2100384; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Redirect for TOS and Host"; icode:3; itype:5; classtype:misc-activity; sid:2100436; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Redirect for TOS and Network"; icode:2; itype:5; classtype:misc-activity; sid:2100437; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Router Advertisement"; icode:0; itype:9; reference:arachnids,173; classtype:misc-activity; sid:2100441; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Router Selection"; icode:0; itype:10; reference:arachnids,174; classtype:misc-activity; sid:2100443; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO SKIP"; icode:0; itype:39; classtype:misc-activity; sid:2100445; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Source Quench"; icode:0; itype:4; classtype:bad-unknown; sid:2100477; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO TJPingPro1.1Build 2 Windows"; itype:8; content:"TJPingPro by Jim"; depth:32; reference:arachnids,167; classtype:misc-activity; sid:2100481; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Timestamp Reply"; icode:0; itype:14; classtype:misc-activity; sid:2100451; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Timestamp Request"; icode:0; itype:13; classtype:misc-activity; sid:2100453; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Traceroute ipopts"; ipopts:rr; itype:0; reference:arachnids,238; classtype:misc-activity; sid:2100455; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Traceroute"; icode:0; itype:30; classtype:misc-activity; sid:2100456; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO redirect host"; icode:1; itype:5; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:2100472; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO redirect net"; icode:0; itype:5; reference:arachnids,199; reference:cve,1999-0265; classtype:bad-unknown; sid:2100473; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO traceroute ipopts"; ipopts:rr; itype:0; reference:arachnids,238; classtype:attempted-recon; sid:2100475; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO traceroute"; itype:8; ttl:1; reference:arachnids,118; classtype:attempted-recon; sid:2100385; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO unassigned type 1"; icode:0; itype:1; classtype:misc-activity; sid:2100458; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO unassigned type 2"; icode:0; itype:2; classtype:misc-activity; sid:2100460; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO unassigned type 7"; icode:0; itype:7; classtype:misc-activity; sid:2100462; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL ICMP_INFO Address Mask Reply"; icode:0; itype:18; classtype:misc-activity; sid:2100386; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL ICMP_INFO Information Reply"; icode:0; itype:16; classtype:misc-activity; sid:2100415; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp any any -> any any (msg:"GPL ICMP_INFO Destination Unreachable Communication Administratively Prohibited"; icode:13; itype:3; classtype:misc-activity; sid:2100485; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp any any -> any any (msg:"GPL ICMP_INFO Destination Unreachable Communication with Destination Host is Administratively Prohibited"; icode:10; itype:3; classtype:misc-activity; sid:2100486; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp any any -> any any (msg:"GPL ICMP_INFO Destination Unreachable Communication with Destination Network is Administratively Prohibited"; icode:9; itype:3; classtype:misc-activity; sid:2100487; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP Overflow Attempt"; flow:to_server,established; content:"|E8 C0 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:2100293; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP EXPLOIT partial body overflow attempt"; dsize:>1092; flow:to_server,established; content:" x PARTIAL 1 BODY["; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:2101780; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP append overflow attempt"; flow:established,to_server; content:"APPEND"; nocase; isdataat:100,relative; pcre:"/\sAPPEND\s[^\n]{256}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:2103066; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP auth overflow attempt"; flow:established,to_server; content:"AUTH"; nocase; isdataat:100,relative; pcre:"/AUTH\s[^\n]{100}/smi"; reference:bugtraq,8861; classtype:misc-attack; sid:2102330; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP authenticate literal overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; pcre:"/\sAUTHENTICATE\s[^\n]*?\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:2102105; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP authenticate overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; isdataat:100,relative; pcre:"/\sAUTHENTICATE\s[^\n]{100}/smi"; reference:bugtraq,12995; reference:bugtraq,130; reference:cve,1999-0005; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:2101844; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP copy literal overflow attempt"; flow:established,to_server; content:"COPY"; fast_pattern:only; nocase; pcre:"/\sCOPY\s[^\n]*?\{/smi"; byte_test:5,>,1024,0,string,dec,relative; reference:bugtraq,1110; classtype:misc-attack; sid:2103058; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP create buffer overflow attempt"; flow:to_server,established; content:"CREATE"; isdataat:1024,relative; pcre:"/\sCREATE\s[^\n]{1024}/smi"; reference:bugtraq,7446; classtype:misc-attack; sid:2102107; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP create literal buffer overflow attempt"; flow:to_server,established; content:"CREATE"; nocase; content:"{"; distance:1; pcre:"/\sCREATE\s*\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,7446; classtype:misc-attack; sid:2102120; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP delete literal overflow attempt"; flow:established,to_server; content:"DELETE"; fast_pattern:only; nocase; pcre:"/\sDELETE\s[^\n]*?\{/smi"; byte_test:5,>,100,0,string,dec,relative; reference:bugtraq,11675; classtype:misc-attack; sid:2103008; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP delete overflow attempt"; flow:established,to_server; content:"DELETE"; nocase; isdataat:100,relative; pcre:"/\sDELETE\s[^\n]{100}/smi"; reference:bugtraq,11675; classtype:misc-attack; sid:2103007; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP examine literal overflow attempt"; flow:established,to_server; content:"EXAMINE"; fast_pattern:only; nocase; pcre:"/\sEXAMINE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103067; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP examine overflow attempt"; flow:established,to_server; content:"EXAMINE"; nocase; isdataat:100,relative; pcre:"/\sEXAMINE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:2103068; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP fetch literal overflow attempt"; flow:established,to_server; content:"FETCH"; fast_pattern:only; nocase; pcre:"/\sFETCH\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103069; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP fetch overflow attempt"; flow:established,to_server; content:"FETCH"; nocase; isdataat:500,relative; pcre:"/\sFETCH\s[^\n]{500}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:2103070; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP find overflow attempt"; flow:established,to_server; content:"FIND"; nocase; isdataat:100,relative; pcre:"/\sFIND\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2101904; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP list literal overflow attempt"; flow:established,to_server; content:"LIST"; nocase; pcre:"/\sLIST\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2101845; rev:16; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP list overflow attempt"; flow:established,to_server; content:"LIST"; nocase; isdataat:100,relative; pcre:"/\sLIST\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2102118; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP login buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; isdataat:100,relative; pcre:"/\sLOGIN\s[^\n]{100}/smi"; reference:bugtraq,13727; reference:bugtraq,502; reference:cve,1999-0005; reference:cve,1999-1557; reference:cve,2005-1255; reference:nessus,10123; reference:cve,2007-2795; reference:nessus,10125; classtype:attempted-user; sid:2101842; rev:16; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP login literal buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,6298; classtype:misc-attack; sid:2101993; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP login literal format string attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s\w+\s\{\d+\}[\r]?\n[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2102665; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP lsub literal overflow attempt"; flow:to_server,established; content:"LSUB"; nocase; pcre:"/\sLSUB\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2101902; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP lsub overflow attempt"; flow:to_server,established; content:"LSUB"; isdataat:100,relative; pcre:"/\sLSUB\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2102106; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP partial body buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY["; distance:0; nocase; pcre:"/\sPARTIAL.*BODY\[[^\]]{1024}/smi"; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:2101755; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP partial body.peek buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY.PEEK["; isdataat:1024,relative; distance:0; nocase; pcre:"/\sPARTIAL.*BODY\.PEEK\[[^\]]{1024}/smi"; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:2102046; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP rename literal overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; content:"{"; distance:1; pcre:"/\sRENAME\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2102119; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP rename overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; isdataat:100,relative; pcre:"/\sRENAME\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2101903; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP status literal overflow attempt"; flow:established,to_server; content:"STATUS"; fast_pattern:only; nocase; pcre:"/\sSTATUS\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103071; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP status overflow attempt"; flow:established,to_server; content:"STATUS"; nocase; isdataat:100,relative; pcre:"/\sSTATUS\s[^\n]{100}/smi"; reference:bugtraq,11775; reference:bugtraq,13727; reference:cve,2005-1256; classtype:misc-attack; sid:2103072; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP subscribe literal overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; fast_pattern:only; nocase; pcre:"/\sSUBSCRIBE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103073; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP subscribe overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; nocase; isdataat:100,relative; pcre:"/\sSUBSCRIBE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:2103074; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP unsubscribe literal overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; fast_pattern:only; nocase; pcre:"/\sUNSUBSCRIBE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103075; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP unsubscribe overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; nocase; isdataat:100,relative; pcre:"/\sUNSUBSCRIBE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:2103076; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INAPPROPRIATE Google Image Search, Safe Mode Off"; flow:established,to_server; content:"&safe=off"; http_uri; content:"|0d 0a|Host|3a| images.google.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002925; classtype:policy-violation; sid:2002925; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn preteen"; flow: from_server,established; content:"preteen"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001346; classtype:policy-violation; sid:2001346; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn pre-teen"; flow: from_server,established; content:"pre-teen"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001347; classtype:policy-violation; sid:2001347; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn early teen"; flow: from_server,established; content:"early teen"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001348; classtype:policy-violation; sid:2001348; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn pthc"; flow: from_server,established; content:" pthc "; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001386; classtype:policy-violation; sid:2001386; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn zeps"; flow: from_server,established; content:" zeps "; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001387; classtype:policy-violation; sid:2001387; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn r@ygold"; flow: from_server,established; content:" r@ygold "; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001388; classtype:policy-violation; sid:2001388; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn childlover"; flow: from_server,established; content:" childlover "; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001389; classtype:policy-violation; sid:2001389; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE free XXX"; flow: to_client,established; content:"FREE XXX"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001349; classtype:policy-violation; sid:2001349; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE hardcore anal"; flow: to_client,established; content:"hardcore anal"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001350; classtype:policy-violation; sid:2001350; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE masturbation"; flow: to_client,established; content:"masturbat"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001351; classtype:policy-violation; sid:2001351; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE ejaculation"; flow: to_client,established; content:"ejaculat"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001352; classtype:policy-violation; sid:2001352; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE BDSM"; flow: to_client,established; content:"BDSM"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001353; classtype:policy-violation; sid:2001353; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Sextracker Tracking Code Detected (1)"; flow: from_server,established; content:"BEGIN SEXLIST REFERRER-STATS CODE"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001392; classtype:policy-violation; sid:2001392; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Sextracker Tracking Code Detected (2)"; flow: from_server,established; content:"BEGIN SEXTRACKER CODE"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001393; classtype:policy-violation; sid:2001393; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Likely Porn"; flow: established,from_server; pcre:"/ (FREE XXX|dildo|masturbat|oral sex|ejaculat|up skirt|tits|bondage|lolita|clitoris|cock suck|hardcore (teen|anal|sex|porn)|raw sex|((fuck|sex|porn|xxx) (movies|dvd))|((naked|nude) (celeb|lesbian)))\b/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2001608; classtype:policy-violation; sid:2001608; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL INAPPROPRIATE alt.binaries.pictures.tinygirls"; flow:to_client,established; content:"alt.binaries.pictures.tinygirls"; nocase; classtype:policy-violation; sid:2101837; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL INAPPROPRIATE anal sex"; flow:to_client,established; content:"anal sex"; nocase; classtype:policy-violation; sid:2101317; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL INAPPROPRIATE fuck fuck fuck"; flow:to_client,established; content:"fuck fuck fuck"; nocase; classtype:policy-violation; sid:2101316; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL INAPPROPRIATE fuck movies"; flow:to_client,established; content:"fuck movies"; nocase; classtype:policy-violation; sid:2101320; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL INAPPROPRIATE hardcore anal"; flow:to_client,established; content:"hardcore anal"; nocase; classtype:policy-violation; sid:2101311; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL INAPPROPRIATE hardcore rape"; flow:to_client,established; content:"hardcore rape"; nocase; classtype:policy-violation; sid:2101318; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL INAPPROPRIATE hot young sex"; flow:to_client,established; content:"hot young sex"; nocase; classtype:policy-violation; sid:2101315; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL INAPPROPRIATE naked lesbians"; flow:to_client,established; content:"naked lesbians"; nocase; classtype:policy-violation; sid:2101833; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL INAPPROPRIATE up skirt"; flow:to_client,established; content:"up skirt"; fast_pattern:only; nocase; classtype:policy-violation; sid:2101313; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO PUP/PUA OSSProxy HTTP Header"; flow: to_server,established; content:"X-OSSProxy|3a| OSSProxy"; http_header; threshold: type limit, count 5, seconds 300, track by_src; metadata: former_category MALWARE; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001564; classtype:policy-violation; sid:2001564; rev:12; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 25 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 19|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003254; classtype:protocol-command-decode; sid:2003254; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 25 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 19|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003255; classtype:protocol-command-decode; sid:2003255; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 25 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 19|"; depth:4; threshold:type both, track by_src, count 2, seconds 900; metadata: former_category INFO; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003256; classtype:protocol-command-decode; sid:2003256; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 25 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 19|"; depth:4; threshold:type both, track by_src, count 2, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003257; classtype:protocol-command-decode; sid:2003257; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 DNS Inbound Request (Windows Source)"; dsize:10<>40; flow:established,to_server; content:"|05 01 00 03|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003258; classtype:protocol-command-decode; sid:2003258; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 DNS Inbound Request (Linux Source)"; dsize:10<>40; flow:established,to_server; content:"|05 01 00 03|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003259; classtype:protocol-command-decode; sid:2003259; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 HTTP Proxy Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 50|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003260; classtype:protocol-command-decode; sid:2003260; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 HTTP Proxy Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 50|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003261; classtype:protocol-command-decode; sid:2003261; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 HTTP Proxy Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 50|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003262; classtype:protocol-command-decode; sid:2003262; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 HTTP Proxy Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 50|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003263; classtype:protocol-command-decode; sid:2003263; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 443 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|01 bb|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003266; classtype:protocol-command-decode; sid:2003266; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 443 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|01 bb|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003267; classtype:protocol-command-decode; sid:2003267; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 443 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 01 bb|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category INFO; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003268; classtype:protocol-command-decode; sid:2003268; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 443 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 01 bb|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category INFO; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003269; classtype:protocol-command-decode; sid:2003269; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 5190 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|14 46|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003270; classtype:protocol-command-decode; sid:2003270; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 5190 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|14 46|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003271; classtype:protocol-command-decode; sid:2003271; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 5190 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 14 46|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003272; classtype:protocol-command-decode; sid:2003272; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 5190 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 14 46|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003273; classtype:protocol-command-decode; sid:2003273; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 1863 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|07 47|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003274; classtype:protocol-command-decode; sid:2003274; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 1863 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|07 47|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003275; classtype:protocol-command-decode; sid:2003275; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 1863 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 07 47|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003276; classtype:protocol-command-decode; sid:2003276; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 1863 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 07 47|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003277; classtype:protocol-command-decode; sid:2003277; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 5050 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|13 ba|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003278; classtype:protocol-command-decode; sid:2003278; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 5050 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|13 ba|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003279; classtype:protocol-command-decode; sid:2003279; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 5050 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 13 ba|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003280; classtype:protocol-command-decode; sid:2003280; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 5050 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 13 ba|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category INFO; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003281; classtype:protocol-command-decode; sid:2003281; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

#alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 IPv6 Inbound Connect Request (Windows Source)"; dsize:10<>23; flow:established,to_server; content:"|05 01 00 04|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003284; classtype:protocol-command-decode; sid:2003284; rev:5; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

#alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 IPv6 Inbound Connect Request (Linux Source)"; dsize:10<>23; flow:established,to_server; content:"|05 01 00 04|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003285; classtype:protocol-command-decode; sid:2003285; rev:5; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

#alert udp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 UDP Proxy Inbound Connect Request (Windows Source)"; content:"|00 00|"; depth:2; content:"|01|"; offset:3; depth:1; threshold:type both, track by_dst, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003286; classtype:protocol-command-decode; sid:2003286; rev:8; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

#alert udp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 UDP Proxy Inbound Connect Request (Linux Source)"; content:"|00 00|"; depth:2; content:"|01|"; offset:3; depth:1; threshold:type both, track by_dst, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003287; classtype:protocol-command-decode; sid:2003287; rev:7; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

#alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Bind Inbound (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 02|"; depth:2; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003288; classtype:protocol-command-decode; sid:2003288; rev:5; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

#alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Bind Inbound (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 02|"; depth:2; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003289; classtype:protocol-command-decode; sid:2003289; rev:5; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

#alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Bind Inbound (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 02 00 01|"; depth:4; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003290; classtype:protocol-command-decode; sid:2003290; rev:5; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

#alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Bind Inbound (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 02 00 01|"; depth:4; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003291; classtype:protocol-command-decode; sid:2003291; rev:5; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspected PUP/PUA User-Agent (OSSProxy)"; flow: to_server,established; content:"User-Agent|3a| OSSProxy"; http_header; threshold:type limit, count 2, seconds 300, track by_src; metadata: former_category MALWARE; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/2001562; classtype:policy-violation; sid:2001562; rev:32; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_header; content:!"Host|3a 20|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; content:!"Host|3a 20|weixin.qq.com"; http_header; nocase; content:!"Host|3a| slickdeals.net"; nocase; http_header; content:!"Host|3a| cloudera.com"; nocase; http_header; content:!"Host|3a 20|secure.digitalalchemy.net.au"; http_header; content:!".ksmobile.com|0d 0a|"; http_header; content:!"gstatic|2e|com|0d 0a|"; http_header; content:!"weixin.qq.com|0d 0a|"; http_header; content:!"|2e|cmcm|2e|com|0d 0a|"; http_header; content:!".deckedbuilder.com"; http_header; content:!".mobolize.com"; http_header; content:!"wq.cloud.duba.net"; http_header; metadata: former_category INFO; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:28; metadata:created_at 2010_07_30, updated_at 2017_12_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Mozilla User-Agent Likely Fake (Mozilla/5.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0|0d 0a|"; fast_pattern:5,20; nocase; http_header; content:!"|0d 0a|Host|3a| download.releasenotes.nokia.com"; http_header; content:!"Mozilla/5.0|0d 0a|Connection|3a| Close|0d 0a 0d 0a|"; http_header; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/2009295; classtype:trojan-activity; sid:2009295; rev:12; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET INFO Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0|0d 0a|"; fast_pattern:5,20; nocase; http_header; content:!"autodesk.com"; http_header; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/2010908; classtype:trojan-activity; sid:2010908; rev:8; metadata:created_at 2010_07_30, updated_at 2017_04_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| M|4f|zilla/"; http_header; reference:url,doc.emergingthreats.net/2003513; classtype:trojan-activity; sid:2003513; rev:10; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Mozilla User-Agent Separator - likely Fake (Mozilla/4.0+(compatible +MSIE+)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0+(compatible|3b|+MSIE+/"; fast_pattern:23,20; http_header; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/2003530; classtype:trojan-activity; sid:2003530; rev:12; metadata:created_at 2010_07_30, updated_at 2017_10_27;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO WinUpack Modified PE Header Inbound"; flow:established; content:"|4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders; classtype:bad-unknown; sid:2003614; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO WinUpack Modified PE Header Outbound"; flow:established; content:"|4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders; classtype:bad-unknown; sid:2003615; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Adobe PDF in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"%PDF-"; within:6; flowbits:set,ET.pdf.in.http; flowbits:noalert; reference:cve,CVE-2008-2992; reference:bugtraq,30035; reference:secunia,29773; classtype:not-suspicious; sid:2015671; rev:7; metadata:created_at 2010_09_25, updated_at 2010_09_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Embedded Executable File in PDF - This Program Cannot Be Run in DOS Mode"; flow:established,to_client; flowbits:isset,ET.pdf.in.http; file_data; content:"This program cannot be run in DOS mode"; nocase; classtype:bad-unknown; sid:2011865; rev:5; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2010_10_29, updated_at 2016_11_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO http string in hex Possible Obfuscated Exploit Redirect"; flow:established,to_client; content:"=[|22 5c|x68|5c|x74|5c|x74|5c|x70|5c|x3A|5c|x2F|5c|x2F|5c|"; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2012118; rev:3; metadata:created_at 2011_12_30, updated_at 2017_04_14;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.org Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|3322|03|org"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/diary.html?storyid=3266; reference:url,isc.sans.edu/diary.html?storyid=5710; reference:url,google.com/safebrowsing/diagnostic?site=3322.org/; reference:url,www.mywot.com/en/scorecard/3322.org; classtype:misc-activity; sid:2012171; rev:6; metadata:created_at 2011_01_12, updated_at 2011_01_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Purported MSIE 7 with terse HTTP Headers GET to PHP"; flow:established,to_server; content:".php"; http_uri; nocase; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 5.1)|0d 0a|Host|3a 20|"; fast_pattern; content:"|0d 0a|Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; within:50; classtype:trojan-activity; sid:2012384; rev:3; metadata:created_at 2011_02_27, updated_at 2011_02_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Hiloti Style GET to PHP with invalid terse MSIE headers"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?"; http_uri; content:"HTTP/1.1|0d 0a|User-Agent"; fast_pattern; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; content:!"8"; within:1; content:"|3b 20|Windows|20|NT|20|"; distance:0; content:")|0d 0a|Host|3a 20|"; distance:0; content:"Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; distance:0; content:!"|0d 0a|Accept"; content:!".taobao.com|0d 0a|"; http_header; content:!".dict.cn|0d 0a|"; http_header; content:!".avg.com|0d 0a|"; http_header; content:!"SlimBrowser"; http_header; content:!".weather.hao.360.cn"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2012612; rev:14; metadata:created_at 2011_03_31, updated_at 2018_01_10;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.8866.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|8866|03|org"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/diary.html?storyid=6739; reference:url,google.com/safebrowsing/diagnostic?site=8866.org/; reference:url,www.mywot.com/en/scorecard/8866.org; classtype:misc-activity; sid:2012738; rev:6; metadata:created_at 2011_04_28, updated_at 2011_04_28;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to *.dyndns. Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|dyndns|03|"; fast_pattern; distance:0; nocase; classtype:misc-activity; sid:2012758; rev:4; metadata:created_at 2011_05_02, updated_at 2011_05_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns-*.com domain"; flow:established,to_server; content:".dyndns-"; http_header; pcre:"/\.dyndns-(at-home|at-work|blog|free|home|ip|mail|office|pics|remote|server|web|wiki|work)\.com\x0d\x0a/iH"; classtype:bad-unknown; sid:2013096; rev:3; metadata:created_at 2011_06_22, updated_at 2011_06_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns.* domain"; flow:established,to_server; content:".dyndns."; fast_pattern; http_header; content:!" checkip.dyndns."; http_header; pcre:"/Host\x3a [^\n]+\.dyndns\.(biz|info|org|tv)\x0d\x0a/iH"; classtype:bad-unknown; sid:2013097; rev:5; metadata:created_at 2011_06_22, updated_at 2011_06_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.3322.org"; flow:established,to_server; content:"Host|3a| "; http_header; content:".3322.org|0D 0A|"; within:50; http_header; classtype:misc-activity; sid:2013213; rev:4; metadata:created_at 2011_07_06, updated_at 2011_07_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.8866.org"; flow:established,to_server; content:"8866.org"; nocase; http_header; fast_pattern:only; pcre:"/Host\x3A[^\r\n]*\x2E8866.org/Hi"; reference:url,www.mywot.com/en/scorecard/8866.org; classtype:misc-activity; sid:2013220; rev:3; metadata:created_at 2011_07_06, updated_at 2011_07_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Possible Hex Obfuscated JavaScript Heap Spray 0a0a0a0a"; flow:established,to_client; content:"|5C|x0a|5C|x0a|5C|x0a|5C|x0a"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013267; rev:2; metadata:created_at 2011_07_14, updated_at 2017_01_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.de.ms domain"; flow:to_server,established; content:".de.ms|0d 0a|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013378; rev:2; metadata:created_at 2011_08_08, updated_at 2011_08_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.co.com.au domain"; flow:to_server,established; content:".co.com.au|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013412; rev:2; metadata:created_at 2011_08_16, updated_at 2011_08_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.cz.tf domain"; flow:to_server,established; content:".cz.tf|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013415; rev:2; metadata:created_at 2011_08_16, updated_at 2011_08_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Redirection to driveby Page Home index.php"; flow:established,from_server; content:"/Home/index.php|22| width=1 height=1 scrolling=no></iframe>"; metadata: former_category INFO; classtype:bad-unknown; sid:2013436; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2011_08_19, updated_at 2017_04_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.uni.cc domain"; flow:to_server,established; content:".uni.cc|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013438; rev:2; metadata:created_at 2011_08_19, updated_at 2011_08_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.c0m.li domain"; flow:to_server,established; content:".c0m.li|0d 0a|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013460; rev:2; metadata:created_at 2011_08_25, updated_at 2011_08_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.tc domain"; flow:to_server,established; content:".tc|0d 0a|"; fast_pattern:only; http_header; pcre:"/^Host\x3a[^\r\n]+\.tc\r?$/Hmi"; classtype:bad-unknown; sid:2013535; rev:3; metadata:created_at 2011_09_06, updated_at 2011_09_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.dtdns.net domain"; flow:to_server,established; content:".dtdns.net|0d 0a|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013684; rev:2; metadata:created_at 2011_09_21, updated_at 2011_09_21;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET INFO Suspicious Self Signed SSL Certificate to 'My Company Ltd'"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"My Company Ltd"; classtype:bad-unknown; sid:2013703; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2011_09_27, updated_at 2016_07_01;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|no-ip|03|"; distance:0; fast_pattern; classtype:bad-unknown; sid:2013743; rev:3; metadata:created_at 2011_10_05, updated_at 2011_10_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a no-ip Domain"; flow:established,to_server; content:".no-ip.com|0d 0a|"; http_header; nocase; content:!"www.no-ip.com|0d 0a|"; http_header; nocase; classtype:bad-unknown; sid:2013744; rev:7; metadata:created_at 2011_10_05, updated_at 2011_10_05;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.myftp.biz Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|myftp|03|biz"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013823; rev:2; metadata:created_at 2011_11_04, updated_at 2011_11_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.myftp.biz Domain"; flow:established,to_server; content:".myftp.biz|0d 0a|"; http_header; nocase; classtype:bad-unknown; sid:2013824; rev:3; metadata:created_at 2011_11_04, updated_at 2011_11_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.eu.tf domain"; flow: to_server,established; content:".eu.tf|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013828; rev:2; metadata:created_at 2011_11_04, updated_at 2011_11_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.int.tf domain"; flow:to_server,established; content:".int.tf|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013829; rev:2; metadata:created_at 2011_11_04, updated_at 2011_11_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.edu.tf domain"; flow:to_server,established; content:".edu.tf|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013830; rev:2; metadata:created_at 2011_11_04, updated_at 2011_11_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.us.tf domain"; flow:to_server,established; content:".us.tf|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013831; rev:2; metadata:created_at 2011_11_04, updated_at 2011_11_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.ca.tf domain"; flow:to_server,established; content:".ca.tf|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013832; rev:2; metadata:created_at 2011_11_04, updated_at 2011_11_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.bg.tf domain"; flow:to_server,established; content:".bg.tf|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013833; rev:2; metadata:created_at 2011_11_04, updated_at 2011_11_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.ru.tf domain"; flow:to_server,established; content:".ru.tf|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013834; rev:2; metadata:created_at 2011_11_04, updated_at 2011_11_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.pl.tf domain"; flow:to_server,established; content:".pl.tf|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013835; rev:2; metadata:created_at 2011_11_04, updated_at 2011_11_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.de.tf domain"; flow:to_server,established; content:".de.tf|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013837; rev:2; metadata:created_at 2011_11_04, updated_at 2011_11_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.at.tf domain"; flow:to_server,established; content:".at.tf|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013838; rev:2; metadata:created_at 2011_11_04, updated_at 2011_11_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.ch.tf domain"; flow:to_server,established; content:".ch.tf|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013839; rev:2; metadata:created_at 2011_11_04, updated_at 2011_11_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.sg.tf domain"; flow:to_server,established; content:".sg.tf|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013840; rev:2; metadata:created_at 2011_11_04, updated_at 2011_11_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.nl.ai domain"; flow:to_server,established; content:".nl.ai|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013841; rev:2; metadata:created_at 2011_11_04, updated_at 2011_11_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.xe.cx domain"; flow:to_server,established; content:".xe.cx|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013842; rev:2; metadata:created_at 2011_11_04, updated_at 2011_11_04;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DNS Query to a Suspicious *.orge.pl Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|orge|02|pl"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013843; rev:2; metadata:created_at 2011_11_04, updated_at 2011_11_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.orge.pl Domain"; flow:established,to_server; content:".orge.pl|0d 0a|"; http_header; nocase; classtype:bad-unknown; sid:2013844; rev:3; metadata:created_at 2011_11_04, updated_at 2011_11_04;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.ez-dns.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|ez-dns|03|com"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013845; rev:2; metadata:created_at 2011_11_04, updated_at 2011_11_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ez-dns.com Domain"; flow:established,to_server; content:".ez-dns.com|0d 0a|"; http_header; classtype:bad-unknown; sid:2013846; rev:2; metadata:created_at 2011_11_04, updated_at 2011_11_04;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.dyndns-web.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|dyndns-web|03|com"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013863; rev:3; metadata:created_at 2011_11_07, updated_at 2011_11_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns-web.com Domain"; flow:to_server,established; content:".dyndns-web.com|0D 0A|";  http_header; classtype:bad-unknown; sid:2013864; rev:2; metadata:created_at 2011_11_07, updated_at 2011_11_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a .noip.cn domain"; flow:to_server,established; content:".noip.cn|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013969; rev:2; metadata:created_at 2011_11_28, updated_at 2011_11_28;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query for Suspicious .dyndns-at-home.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|dyndns-at-home|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013971; rev:3; metadata:created_at 2011_11_28, updated_at 2011_11_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ddns.info Domain"; flow:established,to_server; content:".ddns.info|0D 0A|"; nocase; http_header; classtype:bad-unknown; sid:2018220; rev:4; metadata:created_at 2011_12_14, updated_at 2011_12_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ddns.name Domain"; flow:established,to_server; content:".ddns.name|0D 0A|"; nocase; http_header; classtype:bad-unknown; sid:2018221; rev:4; metadata:created_at 2011_12_14, updated_at 2011_12_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.osa.pl domain"; flow:established,to_server; content:".osa.pl|0D 0A|"; http_header; classtype:bad-unknown; sid:2014037; rev:2; metadata:created_at 2011_12_22, updated_at 2011_12_22;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Possible URL List or Clickfraud URLs Delivered To Client"; flow:established,from_server; file_data; content:"http|3a|//"; within:7; content:"|7C|http|3a|//"; distance:0; content:"|0D 0A|http|3a|//"; distance:0; content:"|7C|http|3a|//"; distance:0; classtype:trojan-activity; sid:2014149; rev:2; metadata:created_at 2012_01_23, updated_at 2012_01_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a 3322.org.cn Domain"; flow:to_server,established; content:"Host|3a| "; http_header; content:".3322.org.cn|0D 0A|"; within:50; http_header; classtype:bad-unknown; sid:2014289; rev:2; metadata:created_at 2012_02_28, updated_at 2012_02_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.sytes.net Domain"; flow:established,to_server; content:".sytes.net|0D 0A|";  http_header; classtype:bad-unknown; sid:2018219; rev:5; metadata:created_at 2012_03_05, updated_at 2012_03_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO JAVA - Java Archive Download"; flow:from_server,established; flowbits:isnotset,ET.http.javaclient.vulnerable; flowbits:isset,ET.http.javaclient;  file_data; content:"PK"; within:2; content:".class"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2014472; rev:5; metadata:created_at 2012_04_04, updated_at 2012_04_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO JAVA - Java Archive Download By Vulnerable Client"; flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable; content:"|0D 0A 0D 0A|PK";  file_data; content:"PK"; within:2;  classtype:trojan-activity; sid:2014473; rev:2; metadata:created_at 2012_04_04, updated_at 2012_04_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO JAVA - Java Class Download"; flow:from_server,established; flowbits:isnotset,ET.http.javaclient.vulnerable; flowbits:isset,ET.http.javaclient; file_data; content:"|CA FE BA BE|"; within:4; classtype:trojan-activity; sid:2014474; rev:3; metadata:created_at 2012_04_04, updated_at 2012_04_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO JAVA - Java Class Download By Vulnerable Client"; flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"|CA FE BA BE|"; within:4; classtype:trojan-activity; sid:2014475; rev:4; metadata:created_at 2012_04_04, updated_at 2012_04_04;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.3d-game.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|3d-game|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014478; rev:4; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.3d-game.com Domain"; flow:established,to_server; content:".3d-game.com|0D 0A|"; http_header; classtype:bad-unknown; sid:2014479; rev:2; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.4irc.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|4irc|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014480; rev:4; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.4irc.com Domain"; flow:established,to_server; content:".4irc.com|0D 0A|"; http_header; classtype:bad-unknown; sid:2014481; rev:2; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.b0ne.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|b0ne|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014482; rev:4; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.b0ne.com Domain"; flow:established,to_server; content:".b0ne.com|0D 0A|"; http_header; classtype:bad-unknown; sid:2014483; rev:2; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.bbsindex.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|bbsindex|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014484; rev:4; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.bbsindex.com Domain"; flow:established,to_server; content:".bbsindex.com|0D 0A|"; http_header; classtype:bad-unknown; sid:2014485; rev:2; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.chatnook.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|chatnook|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014486; rev:4; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.chatnook.com Domain"; flow:established,to_server; content:".chatnook.com|0D 0A|"; http_header; classtype:bad-unknown; sid:2014487; rev:2; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.darktech.org Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|darktech|03|org|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014488; rev:4; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.darktech.org Domain"; flow:established,to_server; content:".darktech.org|0D 0A|"; http_header; classtype:bad-unknown; sid:2014489; rev:3; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.deaftone.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|deaftone|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014490; rev:4; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.deaftone.com Domain"; flow:established,to_server; content:".deaftone.com|0D 0A|"; http_header; classtype:bad-unknown; sid:2014491; rev:2; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.dtdns.net Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|dtdns|03|net|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014492; rev:4; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dtdns.net Domain"; flow:established,to_server; content:".dtdns.net|0D 0A|"; http_header; classtype:bad-unknown; sid:2014493; rev:5; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.effers.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|effers|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014494; rev:4; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.effers.com Domain"; flow:established,to_server; content:".effers.com|0D 0A|"; http_header; classtype:bad-unknown; sid:2014495; rev:2; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.etowns.net Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|etowns|03|net|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014496; rev:4; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.etowns.net Domain"; flow:established,to_server; content:".etowns.net|0D 0A|"; http_header; classtype:bad-unknown; sid:2014497; rev:2; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.etowns.org Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|etowns|03|org|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014498; rev:4; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.etowns.org Domain"; flow:established,to_server; content:".etowns.org|0D 0A|"; http_header; classtype:bad-unknown; sid:2014499; rev:2; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.flnet.org Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|flnet|03|org|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014500; rev:4; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.flnet.org Domain"; flow:established,to_server; content:".flnet.org|0D 0A|"; http_header; classtype:bad-unknown; sid:2014501; rev:2; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.gotgeeks.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|gotgeeks|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014502; rev:4; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.gotgeeks.com Domain"; flow:established,to_server; content:".gotgeeks.com|0D 0A|"; http_header; classtype:bad-unknown; sid:2014503; rev:2; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.scieron.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|scieron|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014504; rev:4; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.scieron.com Domain"; flow:established,to_server; content:".scieron.com|0D 0A|"; http_header; classtype:bad-unknown; sid:2014505; rev:3; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.slyip.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|slyip|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014506; rev:5; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.slyip.com Domain"; flow:established,to_server; content:".slyip.com|0D 0A|"; http_header; classtype:bad-unknown; sid:2014507; rev:4; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DNS Query to a *.slyip.net Dynamic DNS Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:4; content:"|05|slyip|03|net|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014508; rev:5; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.slyip.net Domain"; flow:established,to_server; content:".slyip.net|0D 0A|"; http_header; classtype:bad-unknown; sid:2014509; rev:3; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.suroot.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|suroot|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014510; rev:5; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.suroot.com Domain"; flow:established,to_server; content:".suroot.com|0D 0A|"; http_header; classtype:bad-unknown; sid:2014511; rev:3; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO EXE - OSX Executable Download - Multi Arch w/Intel"; flow:established,to_client; file_data; content:"|CA FE BA BE|"; within:4; content:"|CE FA ED FE|"; distance:0; content:"__TEXT"; distance:0; classtype:misc-activity; sid:2014514; rev:3; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO EXE - OSX Executable Download - Multi Arch w/PowerPC"; flow:established,to_client; file_data; content:"|CA FE BA BE|"; within:4; content:"|FE ED FA CE|"; distance:0; content:"__TEXT"; distance:0; classtype:misc-activity; sid:2014515; rev:3; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO EXE - OSX Executable Download - Intel Arch"; flow:established,to_client; file_data; content:"|CE FA ED FE|"; within:4; content:"__TEXT"; distance:0;  classtype:misc-activity; sid:2014516; rev:2; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO EXE - OSX Executable Download - PowerPC Arch"; flow:established,to_client; file_data; content:"|FE ED FA CE|";  within:4; content:"__TEXT"; distance:0; classtype:misc-activity; sid:2014517; rev:2; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO EXE - OSX Disk Image Download"; flow:established,to_client; file_data; content:"<plist version="; distance:0; content:"Apple_partition_map"; distance:0; content:"Apple_HFS"; distance:0; classtype:misc-activity; sid:2014518; rev:3; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO EXE - Served Inline HTTP"; flow:established,to_client; content:"Content-Disposition"; nocase; http_header; content:"inline"; nocase; http_header; file_data; content:"MZ"; within:2; classtype:misc-activity; sid:2014519; rev:4; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO EXE - Served Attached HTTP"; flow:to_client,established; content:"Content-Disposition"; nocase; http_header; content:"attachment"; nocase; http_header; file_data; content:"MZ"; within:2; classtype:misc-activity; sid:2014520; rev:2; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO EXE Download With Content Type Specified As Empty"; flow:established,to_client; content:"Content-Type|3A 20 0D 0A|"; http_header; file_data; content:"MZ"; within:2; isdataat:80,relative; content:"This program "; distance:0; content:"PE|00|"; distance:0; reference:md5,d51218653323e48672023806f6ace26b; classtype:trojan-activity; sid:2014567; rev:2; metadata:created_at 2012_04_16, updated_at 2012_04_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Potential Malicious PDF (EmbeddedFiles) improper case"; flow:from_server,established; file_data; content:"%PDF"; within:4; content:"/EmbeddedFiles"; within:128; nocase; content:!"/EmbeddedFiles"; distance:-14; within:14; reference:url,blog.didierstevens.com/2009/07/01/embedding-and-hiding-files-in-pdf-documents/; classtype:trojan-activity; sid:2014575; rev:3; metadata:created_at 2012_04_16, updated_at 2012_04_16;)

alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET INFO RuggedCom Banner with MAC"; flow:to_client,established; content:"Rugged Operating System"; content:"Copyright |28|c|29| RuggedCom"; distance:0; content:"MAC Address|3A|"; distance:0; flowbits:set,ET.RUGGED.BANNER; reference:url,www.exploit-db.com/exploits/18779/; reference:url,arstechnica.com/business/news/2012/04/backdoor-in-mission-critical-hardware-threatens-power-traffic-control-systems.ars; classtype:attempted-admin; sid:2014645; rev:3; metadata:created_at 2012_04_27, updated_at 2012_04_27;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.2288.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|2288|03|org|00|"; fast_pattern; distance:0; threshold: type limit, count 1, track by_src, seconds 300; classtype:misc-activity; sid:2014779; rev:6; metadata:created_at 2012_05_18, updated_at 2012_05_18;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.3322.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|3322|03|net|00|"; fast_pattern; distance:0; threshold: type limit, count 1, track by_src, seconds 300; classtype:misc-activity; sid:2014781; rev:6; metadata:created_at 2012_05_18, updated_at 2012_05_18;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.6600.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|6600|03|org|00|"; fast_pattern; distance:0; threshold: type limit, count 1, track by_src, seconds 300; classtype:misc-activity; sid:2014782; rev:6; metadata:created_at 2012_05_18, updated_at 2012_05_18;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.7766.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|7766|03|org|00|"; fast_pattern; distance:0; threshold: type limit, count 1, track by_src, seconds 300; classtype:misc-activity; sid:2014783; rev:6; metadata:created_at 2012_05_18, updated_at 2012_05_18;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.8800.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|8800|03|org|00|"; fast_pattern; distance:0; threshold: type limit, count 1, track by_src, seconds 300; classtype:misc-activity; sid:2014784; rev:5; metadata:created_at 2012_05_18, updated_at 2012_05_18;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.9966.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|9966|03|org|00|"; fast_pattern; distance:0; threshold: type limit, count 1, track by_src, seconds 300; classtype:misc-activity; sid:2014786; rev:5; metadata:created_at 2012_05_18, updated_at 2012_05_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.2288.org"; flow:established,to_server; content:".2288.org|0D 0A|"; http_header; classtype:misc-activity; sid:2014787; rev:4; metadata:created_at 2012_05_18, updated_at 2012_05_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.3322.net"; flow:established,to_server; content:".3322.net|0D 0A|"; http_header; classtype:misc-activity; sid:2014788; rev:5; metadata:created_at 2012_05_18, updated_at 2012_05_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.6600.org"; flow:established,to_server; content:".6600.org|0D 0A|"; http_header; classtype:misc-activity; sid:2014789; rev:3; metadata:created_at 2012_05_18, updated_at 2012_05_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.7766.org"; flow:established,to_server; content:".7766.org|0D 0A|"; http_header; classtype:misc-activity; sid:2014790; rev:4; metadata:created_at 2012_05_18, updated_at 2012_05_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.8800.org"; flow:established,to_server; content:".8800.org|0D 0A|"; http_header; classtype:misc-activity; sid:2014791; rev:3; metadata:created_at 2012_05_18, updated_at 2012_05_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.9966.org"; flow:established,to_server; content:".9966.org|0D 0A|"; http_header; classtype:misc-activity; sid:2014792; rev:3; metadata:created_at 2012_05_18, updated_at 2012_05_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Packed Executable Download"; flow:established,to_client; file_data; content:"MZ"; within:2; isdataat:100,relative; content:"This program "; distance:0; content:"PE|00 00|"; distance:0; content:!"data"; within:400; content:!"text"; within:400; content:!"rsrc"; within:400; classtype:misc-activity; sid:2014819; rev:1; metadata:created_at 2012_05_30, updated_at 2012_05_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a dns-stuff.com Domain *.dns-stuff.com"; flow:established,to_server; content:"dns-stuff.com|0d 0a|"; http_header; classtype:bad-unknown; sid:2014867; rev:2; metadata:created_at 2012_06_07, updated_at 2012_06_07;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to dns-stuff.com Domain *.dns-stuff.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|dns-stuff|03|com"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014868; rev:2; metadata:created_at 2012_06_07, updated_at 2012_06_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET INFO .exe File requested over FTP"; flow:established,to_server; content:"RETR"; depth:4; content:".exe|0d 0a|"; distance:0; pcre:"/^RETR\s+[^\r\n]+?\x2eexe\r?$/m"; classtype:policy-violation; sid:2014906; rev:1; metadata:created_at 2012_06_15, updated_at 2012_06_15;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"ET INFO NetSSH SSH Version String Hardcoded in Metasploit"; flow:established,to_server; content:"SSH-2.0-OpenSSH_5.0|0d 0a|"; depth:21; reference:url,github.com/rapid7/metasploit-framework/blob/master/lib/net/ssh/transport/server_version.rb; classtype:attempted-user; sid:2014925; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2012_06_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO PDF embedded in XDP file (Possibly Malicious)"; flow:established, to_client; content:"<xdp|3a|xdp"; nocase; fast_pattern; content:"<pdf"; nocase; distance:0; pcre:"/\<xdp\x3axdp(\s+[^\>]*)?\>((?!\<\/xdp[^\>]*\>).)*?\<pdf/si"; reference:url,blog.9bplus.com/av-bypass-for-malicious-pdfs-using-xdp; classtype:misc-attack; sid:2014926; rev:2; metadata:created_at 2012_06_20, updated_at 2012_06_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Vulnerable iTunes Version 10.6.x"; flow:established,to_server; content:"User-Agent|3a| iTunes/10.6."; http_header;  pcre:"/^User-Agent\x3a\x20iTunes\/10\.6\.[0-1]/Hm"; flowbits:set,ET.iTunes.vuln; flowbits:noalert; classtype:policy-violation; sid:2014954; rev:8; metadata:created_at 2012_06_25, updated_at 2012_06_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Compressed Executable SZDD Compress.exe Format Over HTTP"; flow:established,to_client; file_data; content:"SZDD"; fast_pattern; within:4; content:"PE|00 00|"; distance:0; reference:url,blog.fireeye.com/research/2012/07/inside-customized-threat.html#more; reference:url,www.cabextract.org.uk/libmspack/doc/szdd_kwaj_format.html; classtype:bad-unknown; sid:2015004; rev:2; metadata:created_at 2012_07_03, updated_at 2012_07_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET INFO FTP STOR to External Network"; flow:established,to_server; content:"STOR "; depth:5; classtype:misc-activity; sid:2015016; rev:2; metadata:created_at 2012_07_03, updated_at 2012_07_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Potential Common Malicious JavaScript Loop"; flow:established,to_client; file_data; content:"for("; distance:0; content:"|3B|"; within:20; content:">=0|3B|"; fast_pattern; within:10; content:"--)"; within:10; pcre:"/for\x28[^\x3D\r\n]*[0-9]{1,6}\x2D[0-9]{1,5}\x3B[^\x3D\r\n]\x3E\x3D0\x3B[^\x29\r\n]\x2D\x2D\x29/"; classtype:bad-unknown; sid:2015045; rev:2; metadata:created_at 2012_07_06, updated_at 2012_07_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Java .jar request to dotted-quad domain"; flow:established,to_server; content:".jar"; http_uri; fast_pattern:only; content:" Java/1"; http_header; pcre:"/^Host: \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r?$/Hmi"; classtype:bad-unknown; sid:2015483; rev:2; metadata:created_at 2012_07_17, updated_at 2012_07_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Googlebot User-Agent Outbound (likely malicious)"; flow:to_server,established; content:"Googlebot"; nocase; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]*?Googlebot/Hmi"; classtype:bad-unknown; sid:2015529; rev:2; metadata:created_at 2012_07_26, updated_at 2012_07_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.upas.su domain"; flow:to_server,established; content:".upas.su|0d 0a|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2015551; rev:2; metadata:created_at 2012_07_31, updated_at 2012_07_31;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO PDF Using CCITTFax Filter"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/CCITTFaxDecode"; distance:0; metadata: former_category INFO; reference:url,nakedsecurity.sophos.com/2012/04/05/ccittfax-pdf-malware/; reference:url,blog.fireeye.com/research/2012/07/analysis-of-a-different-pdf-malware.html#more; classtype:bad-unknown; sid:2015561; rev:1; metadata:created_at 2012_08_02, updated_at 2017_06_01;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|mooo|03|com|00|"; fast_pattern; distance:0; threshold: type limit, count 1, track by_src, seconds 300; classtype:misc-activity; sid:2015633; rev:2; metadata:created_at 2012_08_16, updated_at 2012_08_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to Abused Domain *.mooo.com"; flow:established,to_server; content:".mooo.com|0D 0A|"; http_header; classtype:bad-unknown; sid:2015634; rev:2; metadata:created_at 2012_08_16, updated_at 2012_08_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO 3XX redirect to data URL"; flow:from_server,established; content:"3"; depth:1; http_stat_code; content:"Location|3a| data|3a|"; http_header; fast_pattern:only;  classtype:misc-activity; sid:2015674; rev:2; metadata:created_at 2012_09_04, updated_at 2012_09_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO SimpleTDS go.php (sid)"; flow:established,to_server; content:"/go.php?sid="; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015675; rev:2; metadata:created_at 2012_09_04, updated_at 2012_09_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO JAVA - document.createElement applet"; flow:established,to_client; file_data; content:"document.createElement"; nocase; content:"applet"; nocase; fast_pattern; within:10; classtype:misc-activity; sid:2015707; rev:1; metadata:created_at 2012_09_17, updated_at 2012_09_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO - Applet Tag In Edwards Packed JavaScript"; flow:established,to_client; file_data; content:"eval(function(p,a,c"; content:"|7C|applet|7C|"; nocase; fast_pattern:only; content:!"|7C|_dynarch_popupCalendar|7C|"; classtype:bad-unknown; sid:2015708; rev:4; metadata:created_at 2012_09_17, updated_at 2016_11_21;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Revoked Adobe Code Signing Certificate Seen"; flow:established,to_client; content:"|30 82|"; content:"|a0 03 02 01 02 02 10 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00|"; distance:6; within:38; content:"|1e 17 0d|101215000000Z|17 0d|121214235959Z0"; distance:184; within:32; content:"Adobe Systems Incorporated"; distance:66; within:26; reference:url,www.adobe.com/support/security/advisories/apsa12-01.html; classtype:policy-violation; sid:2015743; rev:2; metadata:created_at 2012_09_28, updated_at 2012_09_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)"; flow:established,to_client;  flowbits:isset,ET.http.binary; content:"IsDebuggerPresent"; content:!"|0d 0a|x-avast"; http_header; classtype:misc-activity; sid:2015744; rev:3; metadata:created_at 2012_09_28, updated_at 2012_09_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO EXE CheckRemoteDebuggerPresent (Used in Malware Anti-Debugging)"; flow:established,to_client; file_data; flowbits:isset,ET.http.binary; content:"CheckRemoteDebuggerPresent"; classtype:misc-activity; sid:2015745; rev:1; metadata:created_at 2012_09_28, updated_at 2012_09_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Windows NT version 7 User-Agent"; flow: established,to_server; content:"Windows NT 7"; nocase; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+Windows NT 7/Hmi"; classtype:trojan-activity; sid:2015820; rev:1; metadata:created_at 2012_10_19, updated_at 2012_10_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Windows NT version 8 User-Agent"; flow: established,to_server; content:"Windows NT 8"; nocase; http_header; fast_pattern:only; content:!"NOKIA"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]+Windows NT 8/Hmi"; classtype:trojan-activity; sid:2015821; rev:2; metadata:created_at 2012_10_19, updated_at 2012_10_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Windows NT version 9 User-Agent"; flow:established,to_server; content:"Windows NT 9"; nocase; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+Windows NT 9/Hmi"; classtype:trojan-activity; sid:2015822; rev:1; metadata:created_at 2012_10_19, updated_at 2012_10_19;)

alert udp $HOME_NET 5355 -> any any (msg:"ET INFO LLNMR query response to wpad"; content:"|80 00 00 01 00 01|"; offset:2; depth:6; content:"|04|wpad|00 00 01 00 01 04|wpad|00 00 01 00 01|"; distance:0; isdataat:7,relative; classtype:misc-activity; sid:2015842; rev:2; metadata:created_at 2012_10_24, updated_at 2012_10_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Windows NT version 1 User-Agent"; flow: established,to_server; content:"Windows NT 1"; nocase; http_header; content:!"0"; within:1; http_header; pcre:"/^User-Agent\x3a[^\r\n]+Windows NT 1[^0-9]/Hmi"; classtype:trojan-activity; sid:2015898; rev:4; metadata:created_at 2012_11_19, updated_at 2012_11_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Windows NT version 2 User-Agent"; flow: established,to_server; content:"Windows NT 2"; nocase; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+Windows NT 2/Hmi"; classtype:trojan-activity; sid:2015899; rev:1; metadata:created_at 2012_11_19, updated_at 2012_11_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Windows NT version 3 User-Agent"; flow: established,to_server; content:"Windows NT 3"; nocase; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+Windows NT 3/Hmi"; classtype:trojan-activity; sid:2015900; rev:1; metadata:created_at 2012_11_19, updated_at 2012_11_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO PDF /FlateDecode and PDF version 1.0"; flow:established,from_server; file_data; content:"%PDF-1.0"; fast_pattern; within:8; content:"/FlateDecode"; distance:0; classtype:trojan-activity; sid:2015954; rev:1; metadata:created_at 2012_11_28, updated_at 2012_11_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO PHISH Generic - Bank and Routing"; flow:established,to_server; content:"POST"; http_method; content:"bank"; http_client_body; nocase; content:"routing"; http_client_body; nocase; classtype:bad-unknown; sid:2015963; rev:2; metadata:created_at 2012_11_28, updated_at 2012_11_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO EXE SCardForgetReaderGroupA (Used in Malware Anti-Debugging)"; flow:established,to_client; file_data; flowbits:isset,ET.http.binary; content:"SCardForgetReaderGroupA"; fast_pattern:only; reference:url,www.trusteer.com/blog/evading-malware-researchers-shylock%E2%80%99s-new-trick; classtype:misc-activity; sid:2015965; rev:3; metadata:created_at 2012_11_29, updated_at 2012_11_29;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET INFO MySQL Database Query Version OS compile"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"select |40 40|version_compile_os"; nocase; pcre:"/SELECT @@version_compile_os\s*?\x3b/i"; classtype:misc-activity; sid:2015994; rev:2; metadata:created_at 2012_12_05, updated_at 2012_12_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Executable Download from dotted-quad Host"; flow:established,to_server; content:".exe"; http_uri; nocase; content:".exe HTTP/1."; fast_pattern:only; content:"Host|3A 20|"; http_header; content:"|2E|"; http_header; distance:1; within:3; content:"|2E|"; http_header; distance:1; within:3; content:"|2E|"; http_header; distance:1; within:3; pcre:"/^Host\x3A\x20[0-9]{1,3}\x2E[0-9]{1,3}\x2E[0-9]{1,3}\x2E[0-9]{1,3}(\x3A|\x0D\x0A)/Hmi"; classtype:trojan-activity; sid:2016141; rev:3; metadata:created_at 2013_01_03, updated_at 2013_01_03;)

alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO PTUNNEL OUTBOUND"; itype:8; icode:0; content:"|D5 20 08 80|"; depth:4; reference:url,github.com/madeye/ptunnel; reference:url,cs.uit.no/~daniels/PingTunnel/#protocol; classtype:protocol-command-decode; sid:2016145; rev:2; metadata:created_at 2013_01_03, updated_at 2013_01_03;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PTUNNEL INBOUND"; itype:0; icode:0; content:"|D5 20 08 80|"; depth:4; reference:url,github.com/madeye/ptunnel; reference:url,cs.uit.no/~daniels/PingTunnel/#protocol; classtype:protocol-command-decode; sid:2016146; rev:3; metadata:created_at 2013_01_03, updated_at 2013_01_03;)

alert udp $HOME_NET any -> $EXTERNAL_NET 3478 (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request)"; content:"|00 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4; reference:url,tools.ietf.org/html/rfc5389; classtype:attempted-user; sid:2016149; rev:2; metadata:created_at 2013_01_04, updated_at 2013_01_04;)

alert udp $EXTERNAL_NET 3478 -> $HOME_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Response)"; content:"|01 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4; reference:url,tools.ietf.org/html/rfc5389; classtype:attempted-user; sid:2016150; rev:2; metadata:created_at 2013_01_04, updated_at 2013_01_04;)

alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response vulnerable UPnP device 1"; content:"miniupnpd/1."; fast_pattern:only; pcre:"/^Server\x3a[^\r\n]*miniupnpd\/1\.[0-3]/mi"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2013-0229; classtype:successful-recon-limited; sid:2016302; rev:5; metadata:created_at 2013_01_29, updated_at 2013_01_29;)

alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response vulnerable UPnP device 2"; content:"Intel SDK for UPnP devices"; pcre:"/^Server\x3a[^\r\n]*Intel SDK for UPnP devices/mi"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2012-5958; reference:cve,2012-5959; classtype:successful-recon-limited; sid:2016303; rev:4; metadata:created_at 2013_01_29, updated_at 2013_01_29;)

alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response vulnerable UPnP device 3"; content:"Portable SDK for UPnP devices"; pcre:"/^Server\x3a[^\r\n]*Portable SDK for UPnP devices(\/?\s*$|\/1\.([0-5]\..|8\.0.|(6\.[0-9]|6\.1[0-7])))/m"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2012-5958; reference:cve,2012-5959; classtype:successful-recon-limited; sid:2016304; rev:2; metadata:created_at 2013_01_29, updated_at 2013_01_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO JAVA - ClassID"; flow:established,to_client; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; classtype:misc-activity; sid:2016360; rev:1; metadata:created_at 2013_02_06, updated_at 2013_02_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO JAVA - ClassID"; flow:established,to_client; file_data; content:"CAFEEFAC-00"; content:"-FFFF-ABCDEFFEDCBA"; distance:7; within:18; classtype:misc-activity; sid:2016361; rev:1; metadata:created_at 2013_02_06, updated_at 2013_02_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Adobe Flash Uncompressed"; flow:from_server,established; file_data; content:"FWS"; within:3; flowbits:set,HTTP.UncompressedFlash; flowbits:noalert; classtype:not-suspicious; sid:2016394; rev:5; metadata:deployment Perimeter, signature_severity Audit, created_at 2013_02_08, performance_impact Low, updated_at 2017_01_06;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO MPEG Download Over HTTP (1)"; flow:established,to_client; file_data; content:"|00 00 01 ba|"; depth:4; flowbits:set,ET.mpeg.HTTP; flowbits:noalert; classtype:not-suspicious; sid:2016404; rev:2; metadata:created_at 2013_02_12, updated_at 2013_02_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Serialized Java Applet (Used by some EKs in the Wild)"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"object"; distance:0; nocase; pcre:"/^[\r\n\s]*=[\r\n\s]*[\x22\x27][^\x22\x27]+\.ser[\x22\x27]/Ri"; classtype:trojan-activity; sid:2016494; rev:4; metadata:created_at 2013_02_25, updated_at 2013_02_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Java Serialized Data via vulnerable client"; flow:established,from_server; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"|ac ed|"; within:2; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016502; rev:1; metadata:created_at 2013_02_25, updated_at 2013_02_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Java Serialized Data"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"|ac ed|"; within:2; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016503; rev:1; metadata:created_at 2013_02_25, updated_at 2013_02_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Serialized Data request"; flow:established,to_server; content:" Java/1"; http_header; content:".ser"; http_uri; pcre:"/\.ser$/U"; classtype:bad-unknown; sid:2016504; rev:1; metadata:created_at 2013_02_25, updated_at 2013_02_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO file possibly containing Serialized Data file"; flow:to_client,established; file_data; content:"PK"; within:2; content:".serPK"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2016505; rev:1; metadata:created_at 2013_02_25, updated_at 2013_02_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Serialized Java Applet (Used by some EKs in the Wild)"; flow:established,from_server; file_data; content:"<embed"; nocase; content:"object"; distance:0; nocase; pcre:"/^[\r\n\s]*=[\r\n\s]*[\x22\x27][^\x22\x27]+\.ser[\x22\x27]/Ri"; content:"application/x-java-"; fast_pattern:only; classtype:trojan-activity; sid:2016510; rev:3; metadata:created_at 2013_02_26, updated_at 2013_02_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO GET Minimal HTTP Headers Flowbit Set"; flow:established,to_server; content:"GET"; http_method; content:!"Accept"; http_header; content:!"If-"; http_header; content:!"Referer|3A|"; http_header; content:!"User-Agent|3A|"; http_header; fast_pattern; content:!"Content"; http_header; flowbits:set,min.gethttp; flowbits:noalert; classtype:bad-unknown; sid:2016537; rev:1; metadata:created_at 2013_03_05, updated_at 2013_03_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download"; flowbits:isset,min.gethttp; flow:established,to_client; file_data; content:"MZ"; within:2; content:"PE|00 00|"; distance:0; classtype:bad-unknown; sid:2016538; rev:2; metadata:created_at 2013_03_05, updated_at 2013_03_05;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Acrobat Web Capture [8-9].0"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Acrobat Web Capture "; pcre:"/^[8-9]\.0/R"; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016646; rev:2; metadata:created_at 2013_03_22, updated_at 2013_03_22;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Adobe LiveCycle Designer ES 8.2"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Adobe LiveCycle Designer ES 8.2"; fast_pattern:11,20; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016647; rev:2; metadata:created_at 2013_03_22, updated_at 2013_03_22;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Python PDF Library"; flow:from_server,established; flowbits:isset,ET.pdf.in.http;  file_data; content:"Python PDF Library - http|3a|//pybrary.net/pyPdf/"; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016648; rev:3; metadata:created_at 2013_03_22, updated_at 2013_03_22;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Acrobat Distiller 9.0.0 (Windows)"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Acrobat Distiller 9.0.0 (Windows)"; fast_pattern:3,20; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016649; rev:1; metadata:created_at 2013_03_22, updated_at 2013_03_22;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Acrobat Distiller 6.0.1 (Windows)"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Acrobat Distiller 6.0.1 (Windows)"; fast_pattern:3,20; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016650; rev:1; metadata:created_at 2013_03_22, updated_at 2013_03_22;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator pdfeTeX-1.21a"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"pdfeTeX-1.21a"; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016651; rev:1; metadata:created_at 2013_03_22, updated_at 2013_03_22;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Adobe Acrobat 9.2.0"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Adobe Acrobat 9.2.0"; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016652; rev:1; metadata:created_at 2013_03_22, updated_at 2013_03_22;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Adobe PDF Library 9.0"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Adobe PDF Library 9.0"; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016653; rev:1; metadata:created_at 2013_03_22, updated_at 2013_03_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO SUSPICIOUS UA starting with Mozilla/7"; flow:established,to_server; content:"User-Agent|3a| Mozilla/7"; fast_pattern:1,20; nocase; http_header; classtype:bad-unknown; sid:2016692; rev:1; metadata:created_at 2013_04_01, updated_at 2013_04_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO SUSPICIOUS UA starting with Mozilla/8"; flow:established,to_server; content:"User-Agent|3a| Mozilla/8"; fast_pattern:1,20; nocase; http_header; classtype:bad-unknown; sid:2016693; rev:1; metadata:created_at 2013_04_01, updated_at 2013_04_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO SUSPICIOUS UA starting with Mozilla/9"; flow:established,to_server; content:"User-Agent|3a| Mozilla/9"; fast_pattern:1,20; nocase; http_header; classtype:bad-unknown; sid:2016694; rev:1; metadata:created_at 2013_04_01, updated_at 2013_04_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO SUSPICIOUS UA starting with Mozilla/0"; flow:established,to_server; content:"User-Agent|3a| Mozilla/0"; fast_pattern:1,20; nocase; http_header; classtype:bad-unknown; sid:2016695; rev:1; metadata:created_at 2013_04_01, updated_at 2013_04_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO PDF - Acrobat Enumeration - pdfobject.js"; flow:established,to_server; content:"/pdfobject.js"; http_uri; fast_pattern:only; classtype:misc-activity; sid:2016765; rev:1; metadata:created_at 2013_04_17, updated_at 2013_04_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO PDF - Acrobat Enumeration - var PDFObject"; flow:established,to_client; file_data; content:"var PDFObject="; classtype:misc-activity; sid:2016766; rev:1; metadata:created_at 2013_04_17, updated_at 2013_04_17;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO EXE - SCR in PKZip Compressed Data Download"; flow:established,to_client; file_data; content:"PK"; within:2; content:".scr"; fast_pattern:only; nocase; classtype:bad-unknown; sid:2016767; rev:2; metadata:created_at 2013_04_17, updated_at 2013_04_17;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET INFO Generic HTTP EXE Upload Inbound"; flow:established,to_server; content:"POST"; http_method; nocase; content:"MZ"; http_client_body; content:"|00 00 00 00|"; http_client_body; distance:0; content:"PE|00 00|"; http_client_body; fast_pattern; distance:0; classtype:misc-activity; sid:2016774; rev:1; metadata:created_at 2013_04_18, updated_at 2013_04_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Generic HTTP EXE Upload Outbound"; flow:established,to_server; content:"POST"; http_method; nocase; content:"MZ"; http_client_body; content:"|00 00 00 00|"; http_client_body; distance:0; content:"PE|00 00|"; http_client_body; fast_pattern; distance:0; classtype:misc-activity; sid:2016775; rev:1; metadata:created_at 2013_04_18, updated_at 2013_04_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.pw domain"; flow:to_server,established; content:".pw"; nocase; fast_pattern; http_header; content:"|0d 0a|"; http_header; within:8; content:!"|20|u.pw|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+?\.pw(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016777; rev:11; metadata:created_at 2013_04_19, updated_at 2013_04_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO myobfuscate.com Encoded Script Calling home"; flow:to_server,established; content:"/?getsrc="; http_uri; content:"&url="; http_uri; content:"api.myobfuscate.com|0d|"; http_header; nocase; fast_pattern:only; classtype:misc-activity; sid:2016802; rev:3; metadata:created_at 2013_04_30, updated_at 2013_04_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Suspicious Possible CollectGarbage in base64 1"; flow:established,from_server; file_data; content:"Q29sbGVjdEdhcmJhZ2U"; classtype:misc-activity; sid:2016825; rev:2; metadata:created_at 2013_05_06, updated_at 2013_05_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Suspicious Possible CollectGarbage in base64 2"; flow:established,from_server; file_data; content:"NvbGxlY3RHYXJiYWdlK"; classtype:misc-activity; sid:2016826; rev:2; metadata:created_at 2013_05_06, updated_at 2013_05_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Suspicious Possible CollectGarbage in base64 3"; flow:established,from_server; file_data; content:"Db2xsZWN0R2FyYmFnZS"; classtype:misc-activity; sid:2016827; rev:2; metadata:created_at 2013_05_06, updated_at 2013_05_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible Firefox Plugin install"; flow:to_server,established; content:".xpi"; http_uri; nocase; fast_pattern:only; pcre:"/\.xpi$/Ui"; content:" Firefox/"; http_header; reference:url,research.zscaler.com/2012/09/how-to-install-silently-malicious.html; classtype:bad-unknown; sid:2016846; rev:2; metadata:created_at 2013_05_14, updated_at 2013_05_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible Chrome Plugin install"; flow:to_server,established; content:"|2f|crx|2f|blobs"; http_uri; nocase; fast_pattern:only; content:" Chrome/"; http_header; reference:url,blogs.technet.com/b/mmpc/archive/2013/05/10/browser-extension-hijacks-facebook-profiles.aspx; classtype:bad-unknown; sid:2016847; rev:1; metadata:created_at 2013_05_14, updated_at 2013_05_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Windows NT version 0 User-Agent"; flow:established,to_server; content:"Windows NT 0"; nocase; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+?\sWindows NT 0\./Hmi"; classtype:trojan-activity; sid:2016880; rev:4; metadata:created_at 2013_05_20, updated_at 2013_05_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious MSIE 10 on Windows NT 5"; flow:established,to_server; content:" MSIE 10.0|3b| Windows NT 5."; fast_pattern:4,20; pcre:"/^User-Agent\x3a[^\r\n]+?\sMSIE\s10\.0\x3b\sWindows\sNT\s5\./Hmi"; threshold: type limit,track by_src,count 2,seconds 60; classtype:trojan-activity; sid:2016898; rev:4; metadata:created_at 2013_05_21, updated_at 2013_05_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Mozilla UA with no Space after colon"; flow:established,to_server; content:"User-Agent|3a|Mozilla"; http_header; nocase; fast_pattern:only; threshold: type limit,track by_src,count 2,seconds 60; metadata: former_category INFO; classtype:trojan-activity; sid:2016921; rev:4; metadata:created_at 2013_05_23, updated_at 2017_10_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Executable Served From /tmp/ Directory - Malware Hosting Behaviour"; flow:established,to_server; content:"/tmp/"; http_uri; depth:5; content:".exe"; http_uri; distance:0; pcre:"/^\x2Ftmp\x2F.+\x2Eexe$/U"; classtype:bad-unknown; sid:2016985; rev:1; metadata:created_at 2013_06_06, updated_at 2013_06_06;)

alert tcp any any -> any $HTTP_PORTS (msg:"ET INFO ClearTextAuth - HTTP - http_client_body contains pasa="; flow:established,to_server; content:"pasa="; http_client_body; pcre:"/pasa=(?!&)./Pi"; classtype:policy-violation; sid:2017080; rev:1; metadata:created_at 2013_07_01, updated_at 2013_07_01;)

alert tcp any any -> any $HTTP_PORTS (msg:"ET INFO ClearTextAuth - HTTP - http_uri contains pasa="; flow:established,to_server; content:"pasa="; http_uri; nocase; fast_pattern:only; pcre:"/(?<=(\?|&))pasa=(?!&)./Ui"; classtype:policy-violation; sid:2017081; rev:2; metadata:created_at 2013_07_01, updated_at 2013_07_01;)

alert tcp any any -> any $HTTP_PORTS (msg:"ET INFO ClearTextAuth - HTTP - http_client_body contains pasa form"; flow:established,to_server; content:"name=|22|pasa|22|"; http_client_body; classtype:policy-violation; sid:2017082; rev:1; metadata:created_at 2013_07_01, updated_at 2013_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO JJEncode Encoded Script"; flow:established,from_server; file_data; content:"$$$$|3a|(![]+|22 22|)["; pcre:"/^(?P<global_var>((?!(\]\,__\$\x3a\+\+)).)+)]\,__\$\x3a\+\+(?P=global_var)/R"; classtype:bad-unknown; sid:2017127; rev:1; metadata:created_at 2013_07_10, updated_at 2013_07_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO JNLP embedded file"; flow:established,to_client; file_data; content:"jnlp"; content:"PD94bWwgdmVyc2lvbj0"; distance:0; classtype:bad-unknown; sid:2017197; rev:2; metadata:created_at 2013_07_25, updated_at 2013_07_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 1"; flow:established,from_server; file_data; content:"|22|e|22|+|22|val|22|"; classtype:trojan-activity; sid:2017206; rev:1; metadata:created_at 2013_07_26, updated_at 2013_07_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 2"; flow:established,from_server; file_data; content:"|22|ev|22|+|22|al|22|"; classtype:trojan-activity; sid:2017207; rev:1; metadata:created_at 2013_07_26, updated_at 2013_07_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 3"; flow:established,from_server; file_data; content:"|22|e|22|+|22|v|22|+|22|al|22|"; classtype:trojan-activity; sid:2017208; rev:1; metadata:created_at 2013_07_26, updated_at 2013_07_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 4"; flow:established,from_server; file_data; content:"|22|e|22|+|22|v|22|+|22|a|22|+|22|l|22|"; classtype:trojan-activity; sid:2017209; rev:1; metadata:created_at 2013_07_26, updated_at 2013_07_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 5"; flow:established,from_server; file_data; content:"|22|ev|22|+|22|a|22|+|22|l|22|"; classtype:trojan-activity; sid:2017210; rev:1; metadata:created_at 2013_07_26, updated_at 2013_07_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 6"; flow:established,from_server; file_data; content:"|22|e|22|+|22|va|22|+|22|l|22|"; classtype:trojan-activity; sid:2017211; rev:1; metadata:created_at 2013_07_26, updated_at 2013_07_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 1"; flow:established,from_server; file_data; content:"|27|e|27|+|27|val|27|"; classtype:trojan-activity; sid:2017212; rev:1; metadata:created_at 2013_07_26, updated_at 2013_07_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 2"; flow:established,from_server; file_data; content:"|27|ev|27|+|27|al|27|"; classtype:trojan-activity; sid:2017213; rev:1; metadata:created_at 2013_07_26, updated_at 2013_07_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 3"; flow:established,from_server; file_data; content:"|27|eva|27|+|27|l|27|"; classtype:trojan-activity; sid:2017214; rev:1; metadata:created_at 2013_07_26, updated_at 2013_07_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 4"; flow:established,from_server; file_data; content:"|27|e|27|+|27|v|27|+|27|al|27|"; classtype:trojan-activity; sid:2017215; rev:1; metadata:created_at 2013_07_26, updated_at 2013_07_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 5"; flow:established,from_server; file_data; content:"|27|e|27|+|27|v|27|+|27|a|27|+|27|l|27|"; classtype:trojan-activity; sid:2017216; rev:1; metadata:created_at 2013_07_26, updated_at 2013_07_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 6"; flow:established,from_server; file_data; content:"|27|ev|27|+|27|a|27|+|27|l|27|"; classtype:trojan-activity; sid:2017217; rev:1; metadata:created_at 2013_07_26, updated_at 2013_07_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 7"; flow:established,from_server; file_data; content:"|27|e|27|+|27|va|27|+|27|l|27|"; classtype:trojan-activity; sid:2017218; rev:1; metadata:created_at 2013_07_26, updated_at 2013_07_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 7"; flow:established,from_server; file_data; content:"|22|eva|22|+|22|l|22|"; classtype:trojan-activity; sid:2017219; rev:1; metadata:created_at 2013_07_26, updated_at 2013_07_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 1"; flow:established,from_server; file_data; content:"|27|s|27|+|27|plit|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017220; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 2"; flow:established,from_server; file_data; content:"|27|sp|27|+|27|lit|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017221; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 3"; flow:established,from_server; file_data; content:"|27|s|27|+|27|p|27|+|27|lit|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017222; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 4"; flow:established,from_server; file_data; content:"|27|spl|27|+|27|it|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017223; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 5"; flow:established,from_server; file_data; content:"|27|sp|27|+|27|l|27|+|27|it|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017224; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 6"; flow:established,from_server; file_data; content:"|27|s|27|+|27|pl|27|+|27|it|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017225; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 7"; flow:established,from_server; file_data; content:"|27|s|27|+|27|p|27|+|27|l|27|+|27|it|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017226; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 8"; flow:established,from_server; file_data; content:"|27|spli|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017227; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 9"; flow:established,from_server; file_data; content:"|27|sp|27|+|27|l|27|+|27|i|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017228; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 10"; flow:established,from_server; file_data; content:"|27|sp|27|+|27|li|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017229; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 11"; flow:established,from_server; file_data; content:"|27|spl|27|+|27|i|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017230; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 12"; flow:established,from_server; file_data; content:"|27|s|27|+|27|pli|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017231; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 13"; flow:established,from_server; file_data; content:"|27|s|27|+|27|p|27|+|27|l|27|+|27|i|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017232; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 1"; flow:established,from_server; file_data; content:"|22|s|22|+|22|plit|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017233; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 2"; flow:established,from_server; file_data; content:"|22|sp|22|+|22|lit|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017234; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 3"; flow:established,from_server; file_data; content:"|22|s|22|+|22|p|22|+|22|lit|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017235; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 4"; flow:established,from_server; file_data; content:"|22|spl|22|+|22|it|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017236; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 5"; flow:established,from_server; file_data; content:"|22|sp|22|+|22|l|22|+|22|it|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017237; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 6"; flow:established,from_server; file_data; content:"|22|s|22|+|22|pl|22|+|22|it|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017238; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 7"; flow:established,from_server; file_data; content:"|22|s|22|+|22|p|22|+|22|l|22|+|22|it|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017239; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 8"; flow:established,from_server; file_data; content:"|22|spli|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017240; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 9"; flow:established,from_server; file_data; content:"|22|sp|22|+|22|l|22|+|22|i|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017241; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 10"; flow:established,from_server; file_data; content:"|22|sp|22|+|22|li|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017242; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 11"; flow:established,from_server; file_data; content:"|22|spl|22|+|22|i|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017243; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 12"; flow:established,from_server; file_data; content:"|22|s|22|+|22|pli|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017244; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 13"; flow:established,from_server; file_data; content:"|22|s|22|+|22|p|22|+|22|l|22|+|22|i|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017245; rev:1; metadata:created_at 2013_07_29, updated_at 2013_07_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Microsoft Script Encoder Encoded File"; flow:established,from_server; file_data; content:"#@~^"; within:4; classtype:trojan-activity; sid:2017282; rev:2; metadata:created_at 2013_08_06, updated_at 2013_08_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Adobe PKG Download Flowbit Set"; flow:established,to_server; content:"pkg"; http_uri; content:"Host|3a 20|platformdl.adobe.com|0d 0a|"; http_header; nocase; flowbits:set,ET.Adobe.Site.Download; flowbits:noalert; classtype:misc-activity; sid:2017294; rev:2; metadata:created_at 2013_08_06, updated_at 2013_08_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO SUSPICIOUS Reassigned Eval Function 1"; flow:established,from_server; file_data; content:"=(eval)|3b|"; classtype:bad-unknown; sid:2017334; rev:2; metadata:created_at 2013_08_15, updated_at 2013_08_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO SUSPICIOUS Reassigned Eval Function 2"; flow:established,from_server; file_data; content:"=[|22|eval|22|]|3b|"; classtype:bad-unknown; sid:2017335; rev:2; metadata:created_at 2013_08_15, updated_at 2013_08_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO SUSPICIOUS Reassigned Eval Function 3"; flow:established,from_server; file_data; content:"=[|27|eval|27|]|3b|"; classtype:bad-unknown; sid:2017336; rev:2; metadata:created_at 2013_08_15, updated_at 2013_08_15;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Iframe For IP Address Site"; flow:established,to_client; file_data; content:"iframe src=|22|http|3A|//"; nocase; distance:0; pcre:"/^\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}[^\r\n]*\x3C\x2Fiframe\x3E/Ri"; classtype:bad-unknown; sid:2017342; rev:2; metadata:created_at 2013_08_19, updated_at 2013_08_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO InetSim Response from External Source Possible SinkHole"; flow:from_server,established; content:"Server|3a| INetSim HTTP Server"; http_header; classtype:bad-unknown; sid:2017363; rev:1; metadata:created_at 2013_08_21, updated_at 2013_08_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO SUSPCIOUS Non-standard base64 charset used for encoding"; flow:established,from_server; file_data; content:" & 15) << 4)"; fast_pattern; content:"(|22|"; content:!"|22|"; within:65; content:"|22|"; distance:65; within:1; content:!"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; distance:-66; within:62; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2017364; rev:6; metadata:created_at 2013_08_21, updated_at 2013_08_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO SUSPICIOUS Java request to UNI.ME Domain Set 1"; flow:to_server,established; content:" Java/1."; http_header; pcre:"/^Host\:[^\r\n]+?\.(?:c(?:o(?:l(?:leg(?:e(?:(?:confidential|-station|prowler)\.net|s?explained\.com)|iate(?:explained|info)\.com)|(?:o(?:rado-springs-jobs|nexplained)|umnexplore)\.com)|m(?:p(?:uter(?:explained\.com|themes\.net)|assiondefinition\.com)|m(?:oditylingerie|unesinfo|ercekid)\.com)|n(?:ce(?:rtparis\.net|ptsets\.com)|trolwedding\.com)|(?:(?:rnell|upon)explained|peguide)\.com|7\.us)|a(?:(?:(?:mpaign|talog|det)explained|n(?:cersexplained|adadaycore)|p(?:itali[sz]eguide|ricornhi)|b(?:leexplained|indynamic))\.com|r(?:(?:tograph(?:yanalysis|erwhat)|cinomas?explained|scratch-remover|eblack)\.com|insurance-compare\.net)|ce\.us)|h(?:(?:a(?:r(?:med-episodes|les-proxy|tpixel)|p(?:elsinfo|terball)|nnelexplained)|ristmas(?:gift-ideas|motion)|inesenewyearboom|eckingwatch)\.com|(?:orizo|urros)\.es)|(?:e(?:l(?:lularexplained|iac-diet)|ntigrade(?:explained|info))|(?:li(?:nical|ck)|ustomized)explained|r(?:uiseshipdating|iticsmart)|pu-benchmark|nc-cs)\.com|8\.biz|z\.cc)|a(?:(?:ll(?:about(?:(?:(?:collegi|gradu)at|yal)e|s(?:eminary|tudent)|(?:facul|varsi)ty|bestsellers|academic|teaching|harvard|ucla|pro)|babyours)|n(?:(?:tipodesbi|alyzelan)d|onymous-film)|(?:mericas-nexttopmode|gentsbal)l|r(?:chitectureice|lingtonwriter)|c(?:ademicexplaine|tionmo)d|ero(?:flotinfo|bicfund))\.com|u(?:(?:toma(?:tedexplained|kers24)|stralia-airlines|xiliaryverb)\.com|di(?:t(?:jewellery\.com|report\.net)|o-planet\.com))|p(?:(?:rilfools(?:hotel|spin)|ple-airport)\.com|[fh]i\.biz)|ir(?:(?:bnb-coupon|waysinfo)\.com|portshuttleseattle\.net)|v(?:enue(?:domain|hello)\.com|li\.biz)|\.e\.gy)|b(?:(?:a(?:c(?:helorexplained|kpackscope)|by(?:online-shop|revision)|(?:rcelonarea|ggagecoo)l|s(?:icexplained|escope)|ttle-field-3)|e(?:(?:st-hoteldeal|er-calorie|t-award)s|nefitexplained)|u(?:y-invite|dgetyep)|logger-com)\.com|r(?:(?:o(?:adbandinternet-providers|king(?:explained|guide))|unomarsalbum|yan-college)\.com|ea(?:st(?:cancertattoos\.net|explained\.com)|dmachine-recipes\.com))|o(?:(?:(?:om(?:ing|s)|nd)explained|tany(?:explained|info)|dybuildingdomains|rrowings?24)\.com|stoncolleges\.net)|irthcertificatetemplate\.net|3g\.biz)|d(?:e(?:(?:(?:(?:benture|posit)explaine|alershipislan)d|n(?:guefevertreatment|verhowto)|ductguide|veloptea)\.com|(?:xterstreaming|ciduoustrees)\.net)|o(?:(?:ctorate(?:s?explained|info)|llar-converter|gwalking-jobs|texplained|mainsknow)\.com|wnload(?:starcraft|-films|ubuntu)\.net)|(?:a(?:ncecentralsonglist|rtmouthexplained)|na-replication|hcp-server|vd-codec|rivewww)\.com|i(?:(?:s(?:count|ease)explained|nnerparty-recipes|walifile)\.com|rect-golf\.net))|e(?:(?:a(?:r(?:fulexplained|th-clinic)|sy(?:-costumes|repayment))|conomic(?:save|24))\.com|\.gy)|4(?:(?:4qs|h5)\.com|[jp]\.org|ql\.biz)|3(?:vt\.info|gb\.biz|q\.org)|2(?:eat\.com|sf\.biz|u\.se)|8(?:c1\.net|x\.biz)|7(?:c\.org|p\.biz)|11r\.(?:biz|us))(\x3a\d{1,5})?\r?$/Hmi"; classtype:bad-unknown; sid:2017457; rev:1; metadata:created_at 2013_09_13, updated_at 2013_09_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO SUSPICIOUS Java request to UNI.ME Domain Set 2"; flow:to_server,established; content:" Java/1."; http_header; pcre:"/^Host\:[^\r\n]+?\.(?:f(?:(?:a(?:c(?:ultyexplained|e-bok)|(?:ncy-font|ke-nail)s|ir(?:explained|fuse)|shion-wallpaper|lterguide)|i(?:nanc(?:i(?:al|ng)explained|epets)|rm(?:explained|s24)|lter-coffee)|o(?:r(?:umexplained|ecastbooks|ceestate)|x-drama)|udaninfo)\.com|re(?:e(?:-(?:(?:(?:foodcoupon|angrybird)s|s(?:oundclips|tock)|photoeditor)\.com|music-download\.net)|(?:p(?:owerpointthem|roduct-sampl)es|dom-ofspeech)\.com|fileconverter\.net)|snoever\.com)|l(?:a(?:shplayerdownload\.net|tbelly-diet\.com)|oridaunemploymentclaim\.com|v-downloader\.net)|e(?:rtility-calculator\.net|stivalexplained\.com)|b(?:-smileys\.com|skins\.net))|l(?:(?:i(?:n(?:k(?:explained|master)|colnsbirthdaytea)|(?:ability|ver)explained|(?:berty-saf|ftmov)e|stings(?:biz|red)|teraturemulti)|u(?:ng(?:explained|abscess)|ggageboom)|o(?:cationssecure|ndon-riots|gback))\.com|e(?:(?:a(?:singexplained|ther-trousers)|(?:edsunited-new|d-candle)s|cturer(?:explained|info)|nd(?:ing|er)explained|isure-diving)\.com|u(?:kemiaexplained\.com|e\.biz)|tup\.org)|a(?:guay\.(?:com|es)|-gazzetta\.com)|6\.org)|i(?:n(?:s(?:(?:ur(?:er(?:s(?:explained|24)|explained)|ancesexplained)|ide-film)\.com|(?:pection-camera|taflex)\.net)|d(?:e(?:pendenceday(?:portal|realty)|mnityexplained)\.com|ividual-healthinsurance\.net)|t(?:er(?:estexplained\.com|trigo\.net)|ranet(?:explained|pm)\.com)|(?:(?:vestment|centive)explained|expensivehyper)\.com|f(?:ections?explained\.com|o\.se))|(?:(?:mmersio|sd)nexplained|ronmancom|pone-5)\.com|i(?:nkai|lg)\.biz)|m(?:(?:e(?:tropolis(?:(?:cruis|fac|mov)e|pixel)|(?:lanoma|dical)explained|r(?:idiantotal|cedes-cls)|ntal-healthjobs|morialdaycon|ssenger-mac|ansgift)|i(?:ami(?:-holidays|what)|di-editor)|baexplained)\.com|a(?:r(?:(?:tial-empires|ket-hq)\.com|iogames-online\.net)|n(?:(?:agejoin|ualzap)\.com|ipal-university\.net)|(?:lignanthypertension|gazinedownload)\.net|s(?:on(?:wave|car)|tersexplained)\.com|c2\.org))|e(?:(?:s(?:ta(?:tes(?:mob|fx)|blishstyle)|lexplained)|mploy(?:e(?:eexplained|r24)|mentexplained))\.com|n(?:(?:(?:gagement-photo|able-cookie)s|rollexplained)\.com|trepreneur-ideas\.net)|x(?:(?:(?:hibition|po)explained|ecutive-decision)\.com|tremedeal\.net)|l(?:ect(?:ronicexplained|orate123)\.com|guay\.(?:com|es))|q(?:uityexplained\.com|8\.biz))|g(?:(?:o(?:a(?:d(?:minister|vertize|just)|cademic|llocate)|(?:thic-literatur|handl)e|(?:bailou|conduc)t|govern)|r(?:a(?:duate(?:explained|sinfo)|ndparentsdayplan)|oceryexplained|4)|ym(?:glas|car)s|m[69])\.com|a(?:(?:(?:llaudet|te)explained|mevelocity|rnerguide)\.com|511\.net)|cwsa\.org)|h(?:o(?:(?:me(?:made-biscuits|pageexplained)|(?:nours|tline|using)explained|6)\.com|stel-barcelona\.net)|a(?:r(?:dback(?:city|yoga)|vardexplained)|n(?:dlechange|ukkahbio)|lloweenorange)\.com|y(?:perthyroidsymptoms\.net|d\.me)|ellokittypictures\.net)|j(?:(?:o(?:urnalism(?:explained|info)|hn-grisham|ker-tattoo)|query-examples)\.com|a(?:cksonvillepath\.com|vacollection\.net)|(?:vvg|6)\.org)|k(?:ilometersreach|udosexplained|jyg)\.com)(\x3a\d{1,5})?\r?$/Hmi"; classtype:bad-unknown; sid:2017458; rev:1; metadata:created_at 2013_09_13, updated_at 2013_09_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO SUSPICIOUS Java request to UNI.ME Domain Set 3"; flow:to_server,established; content:" Java/1."; http_header; pcre:"/^Host\:[^\r\n]+?\.(?:p(?:r(?:o(?:pert(?:ies(?:-forsale\.net|winters\.com)|y-(?:singapore|rental)\.net)|(?:fessors|state)explained\.com)|e(?:miums(?:e(?:xplained|ek)|guide)|(?:acher|cinct|late)sinfo|pexplained)\.com|i(?:va(?:te(?:car-sales|explained)\.com|do\.info)|nceton\.me))|e(?:(?:n(?:sionexplained|thousepal|cetruck)|diatricsexplained)\.com|rsonal(?:trainer-certification\.net|-injuryclaims\.com)|tardo\.es)|o(?:(?:wer(?:borrowings?|repayment|debts)|rt(?:land-holidays|alexplained)|intexplained|litical24)\.com|kertexas-holdem\.net)|a(?:(?:ss(?:engersinfo|agepix)|ge(?:explained|as)|cemaker-surgery|ttinson-robert|rk-edu)\.com|loaltocollege\.net)|(?:u(?:blicationgift|pils?info)|ickups(?:articles|gen)|neumoniaexplained|sychologyquotes|lus-sign)\.com|h(?:o(?:toedit(?:orfreedownload\.net|ingsite\.com)|neexplained\.com)|pbb-themes\.com|yscology\.net)|cbp\.net|9\.org)|o(?:n(?:line(?:(?:(?:f(?:o(?:ster|rce)|irstborn|raternal|ulltime)|b(?:r(?:idegroom|owse)|oxoffice)|e(?:(?:valuat|xpress)e|fficient)|-(?:collegecourse|radiostation)|d(?:escendant|aughter|iscusse)|v(?:illage|acant)|re(?:sidence|al))s|c(?:(?:r(?:iti(?:c(?:ize|al)|que)|ew)|o(?:nsider|usin)|a(?:pture|meo)|elluloid)s|ha(?:racters|teau))|a(?:(?:(?:vailabl|doptiv|llianc|pprais)e|ss(?:esse|ay)|unt)s|n(?:(?:cestor|alyze)s|imated)|way)|per(?:sonal-trainer|manents))\.com|mediaconverter\.net)|e-lyrics\.com|amia\.biz)|(?:ver(?:seasexplained|drawnreal)|(?:wnership|ffline)explained|cean(?:ic-cable|you)|rphanagesinfo|klahomafuse)\.com|a(?:klandour\.com|pg\.org))|r(?:e(?:(?:s(?:idenc(?:e(?:attorney|dating|cook|food)|yexplained)|erves(?:development|core))|(?:c(?:o(?:ver(?:ing|ed)|up)|laim)guid|laxationhyp|bateventur)e|g(?:i(?:on(?:private|mentor)|stercommunity)|ainguide)|t(?:r(?:ainingexplained|ieveguide)|ailexplained)|motecontrol-helicopter|viewwinters|payment24)\.com|alestate-perth\.net)|(?:a(?:cetracksinfo|veexplained|iserepair|tetask)|ising-antivirus|bnnetwork)\.com|o(?:(?:o(?:m(?:sfootball|mateco)|fcute)|admodern)\.com|yallondonhospital\.net))|s(?:(?:o(?:(?:lventsourc|ftenguid)e|urceexplained|cietiesinfo|ng-india)|a(?:n(?:antoniosource|diegodiscover)|l(?:aryexplaine|euploa)d)|ta(?:nford(?:explained|info)|(?:bilis|v)eguide|r-treck)|p(?:ecialtyexplained|iralwatch|orts-tab)|ch(?:oolexplained|eduleedu)|ites?explained)\.com|e(?:(?:minar(?:y(?:explained|info)|explained)|c(?:(?:urities|tor)explained|what)|aworld-coupons)\.com|rvertransfer\.net)|m(?:ier\.org|oz\.us)|hellgascard\.net|gba\.biz)|m(?:o(?:(?:t(?:oristsinfo|iveshare)|ntre-breitling|dernexplained|squesinfo)\.com|hamed\.me)|(?:y(?:borrowings|-husband)|ultimediaexplained|inistriesinfo)\.com|mcd\.us)|n(?:(?:a(?:ming(?:mac|our)|uticalfit|vigateadd)|e(?:tworkexplained|w-college))\.com|8\.biz))(\x3a\d{1,5})?\r?$/Hmi"; classtype:bad-unknown; sid:2017459; rev:1; metadata:created_at 2013_09_13, updated_at 2013_09_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO SUSPICIOUS Java request to UNI.ME Domain Set 4"; flow:to_server,established; content:" Java/1."; http_header; pcre:"/^Host\:[^\r\n]+?\.(?:t(?:e(?:(?:l(?:e(?:phoneexplained|comsguide)|learth)|n(?:ured(?:explained|info)|nis-ranking))\.com|mp(?:l(?:ates-gratis\.com|ecollege\.net)|converter\.net)|a(?:ching(?:-certificate\.net|explained\.com)|m\.pro))|r(?:a(?:(?:(?:nsferbyt|de-)e|in(?:eesinf|ge)o|mray)\.com|vel(?:insurance-comparison\.net|agentnerd\.com))|e(?:k-bicycles|nd-online)\.net|uckstool\.com|onco\.es)|(?:o(?:wn(?:housepic|study|euro|meta)|(?:tal-tool|memap)s|pgamebook|olboxsol)|u(?:mors?explained|lsatrain|rn-ons)|attoo-websites|ype-racer|wainfo)\.com|h(?:(?:anksgivinggaming|riftexplained)\.com|e(?:sis-examples\.com|atreparis\.net))|i(?:mezonevendor\.com|dl\.net)|cmn\.biz)|w(?:e(?:b(?:(?:b(?:estseller|ailout)|administer)\.com|site(?:downloader\.net|explained\.com)|developertoolbar\.net)|(?:l(?:lesley|fare)explained|akenguide)\.com)|or(?:th(?:voice|war)\.com|ld-records\.net)|ater(?:front-property\.net|-plants\.com)|(?:riterpics|hoiscan)\.com|pbh\.org|sse\.us)|s(?:(?:t(?:ud(?:ent(?:financecontact|s?explained)|yexplained)|r(?:eetmaphub|ongat)|patricksweightloss|onewhat)|wissairinfo)\.com|u(?:(?:mmertimelyrics|nset-wallpaper|per-committee|itegraphic)\.com|b\.(?:name|cat|es)))|v(?:(?:i(?:llage(?:(?:in|na)no|crystal)|deo(?:-mediaset|explained)|ta(?:minssms|lwow)|rtualexplained)|o(?:lumesynergy|ucheragent|ters24)|a(?:rsityexplained|lentinesproxy)|entureexplained)\.com|qtel\.net|f1\.us)|u(?:n(?:i(?:versityexplained\.com|nstalltool\.net|\.me)|(?:(?:secured|am)explained|ravelguide)\.com|limited-web-hosting\.net)|(?:cla(?:explained|info)|s-inflation|alinfo|zdom)\.com|[04]\.org)|y(?:(?:o(?:u(?:ngstersinfo|rbroking)|mkippursocial)|(?:eshiva|ale)explained|vxs)\.com|nna\.biz)|zwr\.org)(\x3a\d{1,5})?\r?$/Hmi"; classtype:bad-unknown; sid:2017460; rev:1; metadata:created_at 2013_09_13, updated_at 2013_09_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET INFO User-Agent (python-requests) Inbound to Webserver"; flow:established,to_server; content:"User-Agent|3A| python-requests/"; http_header; classtype:attempted-recon; sid:2017515; rev:2; metadata:created_at 2013_09_25, updated_at 2013_09_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated fromCharCode"; flow:established,from_server; file_data; content:"|22|f"; nocase; content:!"romCharcode"; nocase; within:11; pcre:"/^(?:\x22\s*?\+\s*?\x22)?r(?:\x22\s*?\+\s*?\x22)?o(?:\x22\s*?\+\s*?\x22)?m(?:\x22\s*?\+\s*?\x22)?C(?:\x22\s*?\+\s*?\x22)?h(?:\x22\s*?\+\s*?\x22)?a(?:\x22\s*?\+\s*?\x22)?r(?:\x22\s*?\+\s*?\x22)?c(?:\x22\s*?\+\s*?\x22)?o(?:\x22\s*?\+\s*?\x22)?d(?:\x22\s*?\+\s*?\x22)?e/Ri"; classtype:bad-unknown; sid:2017565; rev:3; metadata:created_at 2013_10_07, updated_at 2013_10_07;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated fromCharCode"; flow:established,from_server; file_data; content:"|27|f"; nocase; content:!"romCharcode"; nocase; within:11; pcre:"/^(?:\x27\s*?\+\s*?\x27)?r(?:\x27\s*?\+\s*?\x27)?o(?:\x27\s*?\+\s*?\x27)?m(?:\x27\s*?\+\s*?\x27)?C(?:\x27\s*?\+\s*?\x27)?h(?:\x27\s*?\+\s*?\x27)?a(?:\x27\s*?\+\s*?\x27)?r(?:\x27\s*?\+\s*?\x27)?c(?:\x27\s*?\+\s*?\x27)?o(?:\x27\s*?\+\s*?\x27)?d(?:\x27\s*?\+\s*?\x27)?e/Ri"; classtype:bad-unknown; sid:2017566; rev:4; metadata:created_at 2013_10_07, updated_at 2013_10_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Java File Sent With X-Powered By HTTP Header - Common In Exploit Kits"; flow:established,to_client; content:"Content-Type|3A| application/java-archive"; http_header; fast_pattern:25,13; content:"X-Powered-By|3A| PHP/"; http_header; file_data; content:"PK"; within:2; classtype:bad-unknown; sid:2017637; rev:1; metadata:created_at 2013_10_28, updated_at 2013_10_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO JAR Size Under 30K Size - Potentially Hostile"; flow:established,to_client; content:"Content-Type|3A| application/java-archive"; http_header; fast_pattern:26,12; content:"Content-Length|3A| "; http_header; content:"|0D 0A|"; http_header; distance:5; within:2; file_data; content:"PK"; within:2; pcre:"/^Content\x2DLength\x3A\x20[12]\d{1,4}\x0D\x0A/Hmi"; classtype:bad-unknown; sid:2017639; rev:2; metadata:created_at 2013_10_28, updated_at 2013_10_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Zip File"; flow:established,from_server; file_data; content:"PK|03 04|"; within:4; flowbits:set,et.http.PK; flowbits:noalert; classtype:misc-activity; sid:2017669; rev:4; metadata:created_at 2013_11_06, updated_at 2013_11_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Java Downloading Archive flowbit no alert"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; flowbits:set,et.JavaArchiveOrClass; flowbits:noalert; classtype:misc-activity; sid:2017748; rev:5; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Java Downloading Class flowbit no alert"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"|CA FE BA BE|"; within:4; flowbits:set,et.JavaArchiveOrClass; flowbits:noalert; classtype:misc-activity; sid:2017749; rev:5; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET INFO SUSPICIOUS SMTP EXE - ZIP file with .exe filename inside (Inbound)"; flow:established,to_server; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(5leG|LmV4|uZXhl)/R"; classtype:bad-unknown; sid:2017884; rev:5; metadata:created_at 2013_12_19, updated_at 2013_12_19;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename inside"; flow:established; content:"|0D 0A 0D 0A|UmFyI"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(5leG|LmV4|uZXhl)/R"; classtype:bad-unknown; sid:2017885; rev:5; metadata:created_at 2013_12_19, updated_at 2013_12_19;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET INFO SUSPICIOUS SMTP EXE - EXE SMTP Attachment"; flow:established; content:"|0D 0A 0D 0A|TV"; content:"AAAAAAAAAAAAAAAA"; within:200; classtype:bad-unknown; sid:2017886; rev:1; metadata:created_at 2013_12_19, updated_at 2013_12_19;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET INFO SUSPICIOUS SMTP EXE - ZIP file with .com filename inside"; flow:established; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(uY29t|5jb2|LmNvb)/R"; classtype:bad-unknown; sid:2017887; rev:2; metadata:created_at 2013_12_19, updated_at 2013_12_19;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET INFO SUSPICIOUS SMTP EXE - RAR file with .com filename inside"; flow:established; content:"|0D 0A 0D 0A|UmFyI"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(uY29t|5jb2|LmNvb)/R"; classtype:bad-unknown; sid:2017888; rev:2; metadata:created_at 2013_12_19, updated_at 2013_12_19;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET INFO SUSPICIOUS SMTP EXE - ZIP file with .scr filename inside"; flow:established; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(LnNjc|Euc2Ny|S5zY3)/R"; classtype:bad-unknown; sid:2017889; rev:2; metadata:created_at 2013_12_19, updated_at 2013_12_19;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET INFO SUSPICIOUS SMTP EXE - RAR file with .scr filename inside"; flow:established; content:"|0D 0A 0D 0A|UmFyI"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(LnNjc|Euc2Ny|S5zY3)/R"; classtype:bad-unknown; sid:2017890; rev:2; metadata:created_at 2013_12_19, updated_at 2013_12_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO suspicious - uncompressed pack200-ed JAR"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"|ca fe d0 0d|"; depth:4; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017909; rev:2; metadata:created_at 2014_12_30, updated_at 2014_12_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO suspicious - gzipped file via JAVA - could be pack200-ed JAR"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"|1f 8b 08 00|"; depth:4; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017910; rev:2; metadata:created_at 2014_12_30, updated_at 2014_12_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Possible Process Dump in POST body"; flow:established,to_server; content:"POST"; http_method; content:"System Idle Process"; fast_pattern:only; http_client_body; reference:url,www.securelist.com/en/blog/208214213/The_Icefog_APT_Hits_US_Targets_With_Java_Backdoor; classtype:trojan-activity; sid:2017968; rev:3; metadata:created_at 2014_01_14, updated_at 2014_01_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO InformationCardSigninHelper ClassID (Vulnerable ActiveX Control in CVE-2013-3918)"; flow:established,to_client; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; classtype:misc-activity; sid:2017980; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2014_01_16, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Control Panel Applet File Download"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"CPlApplet"; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/bb776392%28v=vs.85%29.aspx; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf; classtype:policy-violation; sid:2018087; rev:2; metadata:created_at 2014_02_06, updated_at 2014_02_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO RelevantKnowledge Adware CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"X-OSSProxy|3a|"; fast_pattern:only; http_header; content:"&os="; http_uri; content:"&osmajorver="; http_uri; distance:0; content:"&osminorver="; http_uri; distance:0; content:"&osmajorsp="; http_uri; distance:0; content:"&lang="; http_uri; distance:0; content:"&country="; http_uri; distance:0; content:"&ossname="; http_uri; distance:0; content:"&brand="; http_uri; distance:0; content:"&bits="; http_uri; distance:0; metadata: former_category MALWARE; reference:md5,d93b888e08693119a1b0dd3983b8d1ec; classtype:trojan-activity; sid:2018174; rev:3; metadata:created_at 2014_02_25, updated_at 2017_10_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Connection To DDNS Domain Adultdns.net"; flow:established,to_server; content:".adultdns.net"; http_header; nocase; fast_pattern:only; pcre:"/Host\x3A[^\r\n]*\x2Eadultdns\x2Enet/H"; reference:url,blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/; reference:url,labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/; classtype:bad-unknown; sid:2018211; rev:1; metadata:created_at 2014_03_04, updated_at 2014_03_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Connection To DDNS Domain Servehttp.com"; flow:established,to_server; content:".servehttp.com"; http_header; nocase; fast_pattern:only; pcre:"/Host\x3A[^\r\n]*\x2Eservehttp.com/H"; reference:url,blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/; reference:url,labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/; classtype:bad-unknown; sid:2018212; rev:1; metadata:created_at 2014_03_04, updated_at 2014_03_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Connection To DDNS Domain Myvnc.com"; flow:established,to_server; content:".myvnc.com"; http_header; nocase; fast_pattern:only; pcre:"/Host\x3A[^\r\n]*\x2Emyvnc.com/H"; reference:url,blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/; reference:url,labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/; classtype:bad-unknown; sid:2018213; rev:1; metadata:created_at 2014_03_04, updated_at 2014_03_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Connection To DDNS Domain Redirectme.net"; flow:established,to_server; content:".redirectme.net"; http_header; nocase; fast_pattern:only; pcre:"/Host\x3A[^\r\n]*\x2Eredirectme\x2Enet/H"; reference:url,blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/; reference:url,labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/; classtype:bad-unknown; sid:2018214; rev:1; metadata:created_at 2014_03_04, updated_at 2014_03_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Connection To DDNS Domain Zapto.org"; flow:established,to_server; content:".zapto.org"; http_header; nocase; fast_pattern:only; pcre:"/Host\x3A[^\r\n]*\x2Ezapto\x2Eorg/H"; reference:url,blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/; reference:url,labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/; classtype:bad-unknown; sid:2018215; rev:1; metadata:created_at 2014_03_04, updated_at 2014_03_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Connection To DDNS Domain Hopto.org"; flow:established,to_server; content:".hopto.org"; http_header; nocase; fast_pattern:only; pcre:"/Host\x3A[^\r\n]*\x2Ehopto\x2Eorg/H"; reference:url,blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/; reference:url,labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/; classtype:bad-unknown; sid:2018216; rev:1; metadata:created_at 2014_03_04, updated_at 2014_03_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Connection To DDNS Domain serveblog.net"; flow:established,to_server; content:".serveblog.net"; http_header; nocase; fast_pattern:only; pcre:"/Host\x3A[^\r\n]*\x2serveblog\x2Enet/H"; reference:url,isc.sans.edu/diary/Fiesta!/17739; classtype:bad-unknown; sid:2018217; rev:1; metadata:created_at 2014_03_04, updated_at 2014_03_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Connection To DDNS Domain myftp.com"; flow:established,to_server; content:".myftp.com"; http_header; nocase; fast_pattern:only; pcre:"/Host\x3A[^\r\n]*\x2myftp\x2Ecom/H"; reference:url,isc.sans.edu/diary/Fiesta!/17739; classtype:bad-unknown; sid:2018218; rev:1; metadata:created_at 2014_03_04, updated_at 2014_03_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO SUSPICIOUS .scr file download"; flow:established,to_server; content:".scr"; http_uri; fast_pattern:only; pcre:"/\x2Escr$/U"; content:!"kaspersky.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2018231; rev:3; metadata:created_at 2014_03_07, updated_at 2016_08_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO JAR Sent Claiming To Be Image - Likely Exploit Kit"; flow:established,to_client; flowbits:isset,ET.http.javaclient; content:"Content-Type|3A| image/"; http_header; file_data; content:"PK"; within:2; content:".class"; fast_pattern; distance:10; within:500; classtype:bad-unknown; sid:2018233; rev:1; metadata:created_at 2014_03_07, updated_at 2014_03_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO JAR Sent Claiming To Be Text Content - Likely Exploit Kit"; flow:established,to_client; flowbits:isset,ET.http.javaclient; content:"Content-Type|3A| text/"; http_header; file_data; content:"PK"; within:2; content:".class"; fast_pattern; distance:10; within:500; classtype:bad-unknown; sid:2018234; rev:1; metadata:created_at 2014_03_07, updated_at 2014_03_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Possible Phish - Mirrored Website Comment Observed"; flow:established,to_client; file_data; content:"<!-- Mirrored from "; content:"by HTTrack Website Copier/"; distance:0; classtype:trojan-activity; sid:2018302; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2014_03_21, performance_impact Low, updated_at 2016_08_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Possible Phish - Saved Website Comment Observed"; flow:established,to_client; file_data; content:"<!-- saved from url=("; pcre:"/^\s*?\d+?\s*?\)https\x3a\x2f/Rsi"; content:"<form"; nocase; distance:0; classtype:bad-unknown; sid:2018334; rev:1; metadata:created_at 2014_03_31, updated_at 2014_03_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1"; flow:established,to_server; content:"POST"; http_method; content:!"groove.microsoft.com|0d 0a|"; http_header; content:" MSIE "; nocase; http_header; fast_pattern; content:!"Accept-Encoding|3a|"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a| Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|DynGate)"; http_header; content:!"X-Requested-With|3a 20|"; http_header; nocase; content:!"Windows Live Messenger"; http_header; content:!"MS Web Services Client Protocol"; http_header; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a|\r?\n)/Hmi"; content:"|0d 0a 0d 0a|"; content:!"grooveDNS|3a|//"; http_client_body; classtype:bad-unknown; sid:2018358; rev:5; metadata:created_at 2014_04_04, updated_at 2014_04_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2"; flow:established,to_server; content:"POST"; http_method; content:" Firefox/"; nocase; http_header; fast_pattern; content:!"Accept-Encoding|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:!"X-Requested-With|3a 20|"; http_header; nocase; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a|\r?\n)/Hmi"; content:"|0d 0a 0d 0a|"; metadata: former_category INFO; classtype:bad-unknown; sid:2018359; rev:1; metadata:created_at 2014_04_04, updated_at 2017_12_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mrbasic.com Domain"; flow:established,to_server; content:".mrbasic.com"; http_header; nocase; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.mrbasic\.com(?:\x3a\d{1,5})?\r?$/Hmi"; classtype:bad-unknown; sid:2018365; rev:1; metadata:created_at 2014_04_04, updated_at 2014_04_04;)

alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.mrbasic.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|mrbasic|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2018366; rev:2; metadata:created_at 2014_04_04, updated_at 2014_04_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.passinggas.net Domain (Sitelutions)"; flow:established,to_server; content:".passinggas.net"; nocase; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.passinggas\.net(?:\x3a\d{1,5})?\r?$/Hmi"; classtype:bad-unknown; sid:2018809; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to *.passinggas.net Domain (Sitelutions)"; content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; content:"|0a|passinggas|03|net|00|"; nocase; fast_pattern:only; classtype:bad-unknown; sid:2018810; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.myredirect.us Domain (Sitelutions)"; flow:established,to_server; content:".myredirect.us"; nocase; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.myredirect\.us(?:\x3a\d{1,5})?\r?$/Hmi"; classtype:bad-unknown; sid:2018811; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to *.myredirect.us Domain (Sitelutions)"; content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; content:"|0a|myredirect|02|us|00|"; nocase; fast_pattern:only; classtype:bad-unknown; sid:2018812; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.rr.nu Domain (Sitelutions)"; flow:established,to_server; content:".rr.nu"; nocase; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.rr\.nu(?:\x3a\d{1,5})?\r?$/Hmi"; classtype:bad-unknown; sid:2018813; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to *.rr.nu Domain (Sitelutions)"; content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; content:"|02|rr|02|nu|00|"; nocase; fast_pattern:only; classtype:bad-unknown; sid:2018814; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.kwik.to Domain (Sitelutions)"; flow:established,to_server; content:".kwik.to"; nocase; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.kwik\.to(?:\x3a\d{1,5})?\r?$/Hmi"; classtype:bad-unknown; sid:2018815; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to *.kwik.to Domain (Sitelutions)"; content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; content:"|04|kwik|02|to|00|"; nocase; fast_pattern:only; classtype:bad-unknown; sid:2018816; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.myfw.us Domain (Sitelutions)"; flow:established,to_server; content:".myfw.us"; nocase; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.myfw\.us(?:\x3a\d{1,5})?\r?$/Hmi"; classtype:bad-unknown; sid:2018817; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to *.myfw.us Domain (Sitelutions)"; content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; content:"|04|myfw|02|us|00|"; nocase; fast_pattern:only; classtype:bad-unknown; sid:2018818; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.ontheweb.nu Domain (Sitelutions)"; flow:established,to_server; content:".ontheweb.nu"; nocase; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.ontheweb\.nu(?:\x3a\d{1,5})?\r?$/Hmi"; classtype:bad-unknown; sid:2018819; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to *ontheweb.nu Domain (Sitelutions)"; content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; content:"|08|ontheweb|02|nu|00|"; nocase; fast_pattern:only; classtype:bad-unknown; sid:2018820; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.isthebe.st Domain (Sitelutions)"; flow:established,to_server; content:".isthebe.st"; nocase; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.isthebe\.st(?:\x3a\d{1,5})?\r?$/Hmi"; classtype:bad-unknown; sid:2018821; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to *isthebe.st Domain (Sitelutions)"; content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; content:"|07|isthebe|02|st|00|"; nocase; fast_pattern:only; classtype:bad-unknown; sid:2018822; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.byinter.net Domain (Sitelutions)"; flow:established,to_server; content:".byinter.net"; nocase; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.byinter\.net(?:\x3a\d{1,5})?\r?$/Hmi"; classtype:bad-unknown; sid:2018823; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to *byinter.net Domain (Sitelutions)"; content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; content:"|07|byinter|03|net|00|"; nocase; fast_pattern:only; classtype:bad-unknown; sid:2018824; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.findhere.org Domain (Sitelutions)"; flow:established,to_server; content:".findhere.org"; nocase; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.findhere\.org(?:\x3a\d{1,5})?\r?$/Hmi"; classtype:bad-unknown; sid:2018825; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to *findhere.org Domain (Sitelutions)"; content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; content:"|08|findhere|03|org|00|"; nocase; fast_pattern:only; classtype:bad-unknown; sid:2018826; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.onthenetas.com Domain (Sitelutions)"; flow:established,to_server; content:".onthenetas.com"; nocase; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.onthenetas\.com(?:\x3a\d{1,5})?\r?$/Hmi"; classtype:bad-unknown; sid:2018827; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to *onthenetas.com Domain (Sitelutions)"; content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; content:"|0a|onthenetas|03|com|00|"; nocase; fast_pattern:only; classtype:bad-unknown; sid:2018828; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.uglyas.com Domain (Sitelutions)"; flow:established,to_server; content:".uglyas.com"; nocase; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.uglyas\.com(?:\x3a\d{1,5})?\r?$/Hmi"; classtype:bad-unknown; sid:2018829; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to *uglyas.com Domain (Sitelutions)"; content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; content:"|06|uglyas|03|com|00|"; nocase; fast_pattern:only; classtype:bad-unknown; sid:2018830; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.assexyas.com Domain (Sitelutions)"; flow:established,to_server; content:".assexyas.com"; nocase; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.assexyas\.com(?:\x3a\d{1,5})?\r?$/Hmi"; classtype:bad-unknown; sid:2018831; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to *assexyas.com Domain (Sitelutions)"; content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; content:"|08|assexyas|03|com|00|"; nocase; fast_pattern:only; classtype:bad-unknown; sid:2018832; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.passas.us Domain (Sitelutions)"; flow:established,to_server; content:".passas.us"; nocase; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.passas\.us(?:\x3a\d{1,5})?\r?$/Hmi"; classtype:bad-unknown; sid:2018833; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to *passas.us Domain (Sitelutions)"; content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; content:"|06|passas|02|us|00|"; nocase; fast_pattern:only; classtype:bad-unknown; sid:2018834; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.athissite.com Domain (Sitelutions)"; flow:established,to_server; content:".athissite.com"; nocase; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.athissite\.com(?:\x3a\d{1,5})?\r?$/Hmi"; classtype:bad-unknown; sid:2018835; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to *atthissite.com Domain (Sitelutions)"; content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; content:"|09|athissite|03|com|00|"; nocase; fast_pattern:only; classtype:bad-unknown; sid:2018836; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.athersite.com Domain (Sitelutions)"; flow:established,to_server; content:".athersite.com"; nocase; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.athersite\.com(?:\x3a\d{1,5})?\r?$/Hmi"; classtype:bad-unknown; sid:2018837; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to *athersite.com Domain (Sitelutions)"; content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; content:"|09|athersite|03|com|00|"; nocase; fast_pattern:only; classtype:bad-unknown; sid:2018838; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.isgre.at Domain (Sitelutions)"; flow:established,to_server; content:".isgre.at"; nocase; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.isgre\.at(?:\x3a\d{1,5})?\r?$/Hmi"; classtype:bad-unknown; sid:2018839; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to *isgre.at Domain (Sitelutions)"; content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; content:"|05|isgre|02|at|00|"; nocase; fast_pattern:only; classtype:bad-unknown; sid:2018840; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.lookin.at Domain (Sitelutions)"; flow:established,to_server; content:".lookin.at"; nocase; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.lookin\.at(?:\x3a\d{1,5})?\r?$/Hmi"; classtype:bad-unknown; sid:2018841; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to *lookin.at Domain (Sitelutions)"; content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; content:"|06|lookin|02|at|00|"; nocase; fast_pattern:only; classtype:bad-unknown; sid:2018842; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.bestdeals.at Domain (Sitelutions)"; flow:established,to_server; content:".bestdeals.at"; nocase; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.bestdeals\.at(?:\x3a\d{1,5})?\r?$/Hmi"; classtype:bad-unknown; sid:2018843; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to *bestdeals.at Domain (Sitelutions)"; content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; content:"|09|bestdeals|02|at|00|"; nocase; fast_pattern:only; classtype:bad-unknown; sid:2018844; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.lowestprices.at Domain (Sitelutions)"; flow:established,to_server; content:".lowestprices.at"; nocase; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.lowestprices\.at(?:\x3a\d{1,5})?\r?$/Hmi"; classtype:bad-unknown; sid:2018845; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to *lowestprices Domain (Sitelutions)"; content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; content:"|0c|lowestprices|02|at|00|"; nocase; fast_pattern:only; classtype:bad-unknown; sid:2018846; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)"; dsize:28; content:"|00 01 00 08|"; depth:4; content:"|00 03 00 04 00 00 00 00|"; fast_pattern; distance:16; within:8; threshold: type limit, track by_dst, count 1, seconds 120; reference:url,tools.ietf.org/html/rfc3489; classtype:protocol-command-decode; sid:2018904; rev:6; metadata:created_at 2014_08_06, updated_at 2014_08_06;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true)"; dsize:28; content:"|00 01 00 08|"; depth:4; content:"|00 03 00 04 00 00 00 02|"; fast_pattern; distance:16; within:8; threshold: type limit, track by_dst, count 1, seconds 120; reference:url,tools.ietf.org/html/rfc3489; classtype:protocol-command-decode; sid:2018905; rev:6; metadata:created_at 2014_08_06, updated_at 2014_08_06;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag false)"; dsize:28; content:"|00 01 00 08|"; depth:4; content:"|00 03 00 04 00 00 00 04|"; fast_pattern; distance:16; within:8; threshold: type limit, track by_dst, count 1, seconds 120; reference:url,tools.ietf.org/html/rfc3489; classtype:protocol-command-decode; sid:2018906; rev:6; metadata:created_at 2014_08_06, updated_at 2014_08_06;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag true)"; dsize:28; content:"|00 01 00 08|"; depth:4; content:"|00 03 00 04 00 00 00 06|"; fast_pattern; distance:16; within:8; threshold: type limit, track by_dst, count 1, seconds 120; reference:url,tools.ietf.org/html/rfc3489; classtype:protocol-command-decode; sid:2018907; rev:5; metadata:created_at 2014_08_06, updated_at 2014_08_06;)

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Response)"; content:"|01 01 00 44|"; depth:4; content:"|00 01 00 08|"; distance:16; within:4; threshold:type limit, track by_src, count 1, seconds 60; reference:url,tools.ietf.org/html/rfc5389; classtype:protocol-command-decode; sid:2018908; rev:2; metadata:created_at 2014_08_07, updated_at 2014_08_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO WinHttpRequest (flowbits no alert)"; flow:established,to_server; content:"WinHttp.WinHttpRequest"; http_header; fast_pattern; content:!".microsoft.com|0d 0a|"; http_header; content:!".qq.com|0d 0a|"; http_header; flowbits:set,et.WinHttpRequest; flowbits:noalert; classtype:trojan-activity; sid:2019821; rev:6; metadata:created_at 2014_12_01, updated_at 2014_12_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Microsoft Compact Office Document Format File Download"; flow:established,from_server; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; flowbits:set,et.MCOFF; flowbits:noalert; classtype:misc-activity; sid:2019834; rev:1; metadata:created_at 2014_12_01, updated_at 2014_12_01;)

alert tcp $HOME_NET any -> 195.22.26.192/26 443 (msg:"ET INFO invalid.cab domain in SNI"; flow:established,to_server; content:"|0b|invalid.cab"; fast_pattern:only; flowbits:set,ET.invalid.cab; flowbits:noalert; classtype:misc-activity; sid:2020888; rev:1; metadata:created_at 2015_04_10, updated_at 2015_04_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible ThousandEyes User-Agent Outbound"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/5.0 AppleWebKit/999.0 (KHTML, like Gecko) Chrome/99.0 Safari/999.0|0d 0a|"; http_header; fast_pattern:68,20; reference:url,thousandeyes.com; classtype:misc-activity; sid:2021025; rev:1; metadata:created_at 2015_04_28, updated_at 2015_04_28;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET INFO Possible ThousandEyes User-Agent Inbound"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/5.0 AppleWebKit/999.0 (KHTML, like Gecko) Chrome/99.0 Safari/999.0|0d 0a|"; http_header; fast_pattern:68,20; reference:url,thousandeyes.com; classtype:misc-activity; sid:2021026; rev:1; metadata:created_at 2015_04_28, updated_at 2015_04_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Dotted Quad Host M1 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; content:"Host|3a 20|1"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x201\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r$/Hm"; classtype:bad-unknown; sid:2021067; rev:1; metadata:created_at 2015_05_07, updated_at 2015_05_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Dotted Quad Host M2 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; content:"Host|3a 20|2"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x202\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r$/Hm"; classtype:bad-unknown; sid:2021068; rev:1; metadata:created_at 2015_05_07, updated_at 2015_05_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Dotted Quad Host M3 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; content:"Host|3a 20|3"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x203\d{0,1}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r$/Hm"; classtype:bad-unknown; sid:2021069; rev:1; metadata:created_at 2015_05_07, updated_at 2015_05_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Dotted Quad Host M4 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; content:"Host|3a 20|4"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x204\d{0,1}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r$/Hm"; classtype:bad-unknown; sid:2021070; rev:1; metadata:created_at 2015_05_07, updated_at 2015_05_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Dotted Quad Host M5 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; content:"Host|3a 20|5"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x205\d{0,1}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r$/Hm"; classtype:bad-unknown; sid:2021071; rev:1; metadata:created_at 2015_05_07, updated_at 2015_05_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Dotted Quad Host M6 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; content:"Host|3a 20|6"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x206\d{0,1}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r$/Hm"; classtype:bad-unknown; sid:2021072; rev:1; metadata:created_at 2015_05_07, updated_at 2015_05_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Dotted Quad Host M7 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; content:"Host|3a 20|7"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x207\d{0,1}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r$/Hm"; classtype:bad-unknown; sid:2021073; rev:1; metadata:created_at 2015_05_07, updated_at 2015_05_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Dotted Quad Host M8 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; content:"Host|3a 20|8"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x208\d{0,1}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r$/Hm"; classtype:bad-unknown; sid:2021074; rev:1; metadata:created_at 2015_05_07, updated_at 2015_05_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Dotted Quad Host M9 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; content:"Host|3a 20|9"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x209\d{0,1}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r$/Hm"; classtype:bad-unknown; sid:2021075; rev:1; metadata:created_at 2015_05_07, updated_at 2015_05_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO SUSPICIOUS Dotted Quad Host MZ Response"; flow:established,to_client; flowbits:isset,http.dottedquadhost; file_data; content:"MZ"; within:2; content:"PE|00 00|"; distance:0; classtype:bad-unknown; sid:2021076; rev:1; metadata:created_at 2015_05_07, updated_at 2015_05_07;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Executable Downloaded from Google Cloud Storage"; flow:established,to_client; content:"x-goog-generation|3a 20|"; http_header; fast_pattern; content:"x-goog-metageneration|3a 20|"; http_header; content:"x-goog-stored-content-encoding|3a 20|"; http_header; content:"x-goog-stored-content-length|3a 20|"; http_header; content:"x-goog-hash|3a 20|"; http_header; file_data; content:"MZ"; within:2; reference:md5,e742e844d0ea55ef9f1c68491c702120; classtype:trojan-activity; sid:2021216; rev:2; metadata:created_at 2015_06_08, updated_at 2015_06_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO User-Agent (wininet)"; flow:established,to_server; content:"User-Agent|3a 20|wininet|0d 0a|"; http_header; flowbits:set,ET.wininet.UA; flowbits:noalert; classtype:misc-activity; sid:2021311; rev:2; metadata:created_at 2015_06_19, updated_at 2015_06_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible MSXMLHTTP Request (no .exe)"; flow:to_server,established; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; fast_pattern:92,20; pcre:"/^[^\r\n]+\r\nHost\x3a\x20/R"; content:!"|0d 0a|Cookie|3a|"; content:!"Referer|3a|"; http_header; content:!"Accept-Language|3a|"; http_header; content:!"UA-CPU|3a|"; http_header; content:!".exe"; nocase; http_uri; content:!".msi"; nocase; http_uri;  content:!".msp"; nocase; http_uri; flowbits:set,et.MS.XMLHTTP.no.exe.request; flowbits:noalert; classtype:misc-activity; sid:2022049; rev:5; metadata:created_at 2015_11_09, updated_at 2015_11_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible MSXMLHTTP Request to Dotted Quad"; flow:to_server,established; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; fast_pattern:92,20; pcre:"/^[^\r\n]+\r\nHost\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r\n/R"; content:!"|0d 0a|UA-CPU|3a|"; content:!"|0d 0a|Cookie|3a|"; content:!"|0d 0a|Referer|3a|"; content:!"|0d 0a|Accept-Language|3a|"; flowbits:set,et.MS.XMLHTTP.ip.request; flowbits:noalert; classtype:misc-activity; sid:2022054; rev:2; metadata:created_at 2015_11_09, updated_at 2015_11_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO PK/Compressed doc/JAR header"; flow:from_server,established; file_data; content:"|50 4B 03 04|"; depth:4; flowbits:set,ET.zipfile; flowbits:noalert; classtype:misc-activity; sid:2022055; rev:1; metadata:created_at 2015_11_10, updated_at 2015_11_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO form-data flowbit set (noalert)"; flow:to_server,established; dsize:>0; content:"Content-Type|3a 20|multipart|2f|form-data"; fast_pattern:only; flowbits:set,ET.formdata; flowbits:noalert; classtype:not-suspicious; sid:2022080; rev:1; metadata:created_at 2015_11_12, updated_at 2015_11_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO possible .jpg download by VBA macro"; flow:established,to_server; content:"GET"; http_method; content:".jpg"; http_uri; content:!"Referer|3A|"; http_header; content:!"Accept-Language|3A|"; http_header; content:"Accept|3a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; depth:102; fast_pattern:82,20; http_header; pcre:"/\.jpg(?:\?\d+)?$/U"; flowbits:set,ET.vba-jpg-dl; flowbits:noalert; classtype:trojan-activity; sid:2022220; rev:1; metadata:created_at 2015_12_04, updated_at 2015_12_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO possible .jpg download by VBA macro"; flow:established,to_server; content:"GET"; http_method; content:".jpg"; http_uri; content:!"Referer|3A|"; http_header; content:"Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|en-us|0d 0a|Range|3a 20|"; http_header; content:"MSIE 7.0|3b| Windows NT"; fast_pattern; http_header; flowbits:set,ET.vba-jpg-dl; flowbits:noalert; classtype:trojan-activity; sid:2022262; rev:2; metadata:created_at 2015_12_14, updated_at 2015_12_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible MSXMLHTTP Request (exe) unset (no exe)"; flow:to_server,established; flowbits:isset,et.MS.XMLHTTP.no.exe.request; content:".exe"; nocase; http_uri; fast_pattern:only; flowbits:unset,et.MS.XMLHTTP.no.exe.request; flowbits:noalert; classtype:misc-activity; sid:2022264; rev:3; metadata:created_at 2015_12_15, updated_at 2015_12_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible MSXMLHTTP Request (msi) unset (no exe)"; flow:to_server,established; flowbits:isset,et.MS.XMLHTTP.no.exe.request; content:".msi"; nocase; http_uri; fast_pattern:only; flowbits:unset,et.MS.XMLHTTP.no.exe.request; flowbits:noalert; classtype:misc-activity; sid:2022265; rev:3; metadata:created_at 2015_12_15, updated_at 2015_12_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible MSXMLHTTP Request (msp) unset (no exe)"; flow:to_server,established; flowbits:isset,et.MS.XMLHTTP.no.exe.request; content:".msp"; nocase; http_uri; fast_pattern:only; flowbits:unset,et.MS.XMLHTTP.no.exe.request; flowbits:noalert; classtype:misc-activity; sid:2022266; rev:5; metadata:created_at 2015_12_15, updated_at 2015_12_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO SUSPICIOUS Possible Evil Download wsf Double Ext No Referer"; flow:established,to_server; content:"GET"; http_method; content:!"User-Agent|3a 20 2a|"; http_header; content:".wsf"; http_uri; nocase; fast_pattern:only; pcre:"/\/[^\x2f]+\.[^\x2f]+\.wsf$/Ui"; classtype:trojan-activity; sid:2022271; rev:2; metadata:created_at 2015_12_17, updated_at 2017_02_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO ZoneAlarm Download Flowbit Set"; flow:established,to_server; content:"pkg"; http_uri; content:"Host|3a 20|"; http_header; nocase; content:"zonealarm.com|0d 0a|"; distance:0; http_header; pcre:"/^Host\x3a[^\r\n]+?zonealarm\.com\r?$/Hmi"; flowbits:set,ET.ZoneAlarm.Site.Download; flowbits:noalert; classtype:misc-activity; sid:2022285; rev:1; metadata:created_at 2015_12_18, updated_at 2015_12_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dnsalias.ru Domain"; flow:to_server,established; content:".dnsalias.ru|0D 0A|"; http_header; metadata: former_category INFO; classtype:bad-unknown; sid:2022377; rev:2; metadata:created_at 2016_01_19, updated_at 2017_03_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dnsip.ru Domain"; flow:to_server,established; content:".dnsip.ru|0D 0A|"; http_header; metadata: former_category INFO; classtype:bad-unknown; sid:2022378; rev:1; metadata:created_at 2016_01_19, updated_at 2017_03_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dyn-dns.ru Domain"; flow:to_server,established; content:".dyn-dns.ru|0D 0A|"; http_header; classtype:bad-unknown; sid:2022379; rev:2; metadata:created_at 2016_01_19, updated_at 2016_01_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dns-free.ru Domain"; flow:to_server,established; content:".dns-free.com|0D 0A|"; http_header; classtype:bad-unknown; sid:2022380; rev:2; metadata:created_at 2016_01_19, updated_at 2016_01_19;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.dnsalias.ru Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|dnsalias|02|ru"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2022381; rev:2; metadata:created_at 2016_01_19, updated_at 2016_01_19;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.dnsip.ru Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|dnsip|02|ru"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2022382; rev:1; metadata:created_at 2016_01_19, updated_at 2016_01_19;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.dyn-dns.ru Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|dyn-dns|02|ru"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2022383; rev:2; metadata:created_at 2016_01_19, updated_at 2016_01_19;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.dns-free.ru Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|dns-free|03|com"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2022384; rev:2; metadata:created_at 2016_01_19, updated_at 2016_01_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO SUSPICIOUS Single JS file inside of ZIP Download (Observed as lure in malspam campaigns)"; flow:established,to_client; file_data; content:"PK"; within:2; content:"PK|01 02|"; distance:0; pcre:"/^.{42}[\x20-\x7f]{1,500}\.jsPK\x05\x06.{4}\x01\x00\x01\x00/Rsi"; content:".jsPK|05 06|"; nocase; fast_pattern:only; classtype:misc-activity; sid:2022636; rev:2; metadata:created_at 2016_03_22, updated_at 2016_03_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible WinHttpRequest (no .exe)"; flow:to_server,established; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; http_header; fast_pattern:36,20; content:!"|0d 0a|Cookie|3a|"; content:!"Referer|3a|"; http_header; content:!"Accept-Language|3a|"; http_header; content:!"UA-CPU|3a|"; http_header; content:!".exe"; nocase; http_uri; content:!".msi"; nocase; http_uri; content:!".msp"; nocase; http_uri; flowbits:set,et.MS.WinHttpRequest.no.exe.request; flowbits:noalert; classtype:misc-activity; sid:2022652; rev:1; metadata:created_at 2016_03_24, updated_at 2016_03_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO PhishMe.com Phishing Exercise - Client Plugins"; flow:to_server,established; urilen:15; content:"POST"; http_method; content:"/plugin_surveys"; http_uri; fast_pattern; content:"_phishme.com_session_id="; http_cookie; classtype:trojan-activity; sid:2022729; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_04_13, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO PhishMe.com Phishing Landing Exercise"; flow:to_client,established; content:"200"; http_stat_code; content:"_phishme.com_session_id="; http_cookie; file_data; content:"<!-- ORGANIZATION LOGO"; nocase; fast_pattern; metadata: former_category INFO; classtype:trojan-activity; sid:2022730; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_04_13, updated_at 2017_12_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Flowbit set for POST to Quicken Updater"; flow:established,to_server; content:"POST"; http_method; content:"quicken.com|0d 0a|"; http_header; content:"User-Agent|3a 20|InetClntApp"; fast_pattern; content:"Date|3a|"; http_header; flowbits:set,ET.QuickenUpdater; flowbits:noalert; classtype:misc-activity; sid:2022803; rev:1; metadata:created_at 2016_05_11, updated_at 2016_05_11;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious dynapoint.pw Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|dynapoint|02|pw|00|"; distance:0; fast_pattern; classtype:bad-unknown; sid:2022876; rev:1; metadata:created_at 2016_06_08, updated_at 2016_06_08;)

alert tcp any any -> any any (msg:"ET INFO WinHttp AutoProxy Request wpad.dat Possible BadTunnel"; flow:established,to_server; content:"GET /wpad.dat HTTP/1.1"; reference:url,tools.ietf.org/html/draft-ietf-wrec-wpad-01; reference:url,ietf.org/rfc/rfc1002.txt; classtype:protocol-command-decode; sid:2022913; rev:1; metadata:created_at 2016_06_23, updated_at 2016_06_23;)

alert udp any any -> $HOME_NET 137 (msg:"ET INFO NBNS Name Query Response Possible WPAD Spoof BadTunnel"; byte_test:1,&,0x80,2; byte_test:1,!&,0x40,2; byte_test:1,!&,0x20,2; byte_test:1,!&,0x10,2; byte_test:1,=,0x00,3; content:"|00 00|"; offset:4; depth:2; content:"|46 48 46 41 45 42 45|"; fast_pattern:only; reference:url,tools.ietf.org/html/draft-ietf-wrec-wpad-01; reference:url,ietf.org/rfc/rfc1002.txt; classtype:protocol-command-decode; sid:2022914; rev:1; metadata:created_at 2016_06_23, updated_at 2016_06_23;)

alert udp any 67 -> any 68 (msg:"ET INFO Web Proxy Auto Discovery Protocol WPAD DHCP 252 option Possible BadTunnel"; content:"|02|"; depth:1; content:"|fc|"; byte_jump:1,0,relative,post_offset -9; content:"/wpad.dat"; within:9; fast_pattern; classtype:protocol-command-decode; sid:2022915; rev:1; metadata:created_at 2016_06_24, updated_at 2016_06_24;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|duckdns|03|"; fast_pattern; distance:0; nocase; classtype:misc-activity; sid:2022918; rev:1; metadata:created_at 2016_06_27, updated_at 2016_06_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO SUSPICIOUS Excel Add-in Download M1"; flow:to_server,established; content:".xla"; nocase; http_uri; pcre:"/\.xla$/Ui"; reference:url,blogs.mcafee.com/mcafee-labs/patch-now-simple-office-protected-view-bypass-could-have-big-impact/; classtype:bad-unknown; sid:2022965; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_07_13, performance_impact Low, updated_at 2016_07_13;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET INFO SUSPICIOUS Excel Add-in Download M2"; flow:to_server,established; content:".xla"; nocase; http_header; pcre:"/Content-Disposition\x3a[^\r\n]*?\.xla[\s\x22\x27]/Hi"; reference:url,blogs.mcafee.com/mcafee-labs/patch-now-simple-office-protected-view-bypass-could-have-big-impact/; classtype:bad-unknown; sid:2022966; rev:1; metadata:created_at 2016_07_13, updated_at 2016_07_13;)

#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO QUIC UDP Internet Connections Protocol Client Hello (OUTBOUND)"; flow:to_server; content:"|80 01|CHLO"; content:"PAD"; content:"SNI"; content:"CCS"; content:"PDMD"; content:"VERS"; nocase;flowbits:set,ET.QUIC.FirstClientHello; reference:url,tools.ietf.org/html/draft-tsvwg-quic-protocol-00; classtype:protocol-command-decode; sid:2022996; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_01, performance_impact Low, updated_at 2016_08_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Symantec Download Flowbit Set"; flow:established,to_server; content:".symantec.com|0d 0a|"; http_header; nocase; pcre:"/^Host\x3a[^\r\n]*\.symantec\.com(?:\x3a\d{1,5})?\r?$/Hmi";  flowbits:set,ET.Symantec.Site.Download; flowbits:noalert; classtype:misc-activity; sid:2023067; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2016_08_16, performance_impact Low, updated_at 2016_08_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Form Data Submitted to yolasite.com - Possible Phishing"; flow:to_server,established; content:"POST"; http_method; content:"/formservice/"; http_uri; depth:13; content:"forms.yola.com"; http_header; fast_pattern; classtype:trojan-activity; sid:2023139; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_26, performance_impact Low, updated_at 2016_08_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Suspicious Dropbox Page - Possible Phishing Landing"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Dropbox"; fast_pattern; content:"<form"; distance:0; nocase; content:"password"; nocase; distance:0; content:!"_csp_external_script_nonce"; content:!"when_ready_configure_requirejs"; distance:0; content:!"DETERMINISTIC_MONKEY_CHECK"; distance:0; metadata: former_category INFO; classtype:trojan-activity; sid:2025659; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_29, performance_impact Low, updated_at 2018_07_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Suspicious Google Docs Page - Possible Phishing Landing"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>"; content:"Google Docs"; fast_pattern; within:20; content:"<form"; distance:0; nocase; content:"password"; nocase; distance:0; content:!"<title>|0a 20 20 20 20 20 20|Google Docs"; metadata: former_category INFO; classtype:trojan-activity; sid:2025669; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_29, performance_impact Low, updated_at 2018_07_12;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Suspicious Empty SSL Certificate - Observed in Cobalt Strike"; flow:from_server,established; content:"|55 04 06 13 00|"; fast_pattern:only; content:"|16|"; content:"|02|"; distance:0; within:8; content:"|55 04 06|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 08|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 07|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 0a|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 0b|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 03|"; distance:0; content:"|00|"; distance:1; within:2; classtype:trojan-activity; sid:2023629; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_24, performance_impact Low, updated_at 2016_12_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible EXE Download From Suspicious TLD (.science) - set"; flow:established,to_server; content:".science|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.science(?:\x3a\d{1,5})?\r?$/Hmi"; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; metadata: former_category INFO; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023454; rev:1; metadata:affected_product Any, attack_target Client_and_Server, signature_severity Minor, created_at 2016_10_27, updated_at 2017_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible EXE Download From Suspicious TLD (.top) - set"; flow:established,to_server; content:".top|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.top(?:\x3a\d{1,5})?\r?$/Hmi"; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; metadata: former_category INFO; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023455; rev:1; metadata:affected_product Any, attack_target Client_and_Server, signature_severity Minor, created_at 2016_10_27, updated_at 2017_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible EXE Download From Suspicious TLD (.stream) - set"; flow:established,to_server; content:".stream|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.stream(?:\x3a\d{1,5})?\r?$/Hmi"; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; metadata: former_category INFO; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023456; rev:1; metadata:affected_product Any, attack_target Client_and_Server, signature_severity Minor, created_at 2016_10_27, updated_at 2017_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible EXE Download From Suspicious TLD (.download) - set"; flow:established,to_server; content:".download|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.download(?:\x3a\d{1,5})?\r?$/Hmi"; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; metadata: former_category INFO; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023457; rev:1; metadata:affected_product Any, attack_target Client_and_Server, signature_severity Minor, created_at 2016_10_27, updated_at 2017_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible EXE Download From Suspicious TLD (.gdn) - set"; flow:established,to_server; content:".gdn|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.gdn(?:\x3a\d{1,5})?\r?$/Hmi"; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; metadata: former_category INFO; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023458; rev:1; metadata:affected_product Any, attack_target Client_and_Server, signature_severity Minor, created_at 2016_10_27, updated_at 2017_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible EXE Download From Suspicious TLD (.biz) - set"; flow:established,to_server; content:".biz|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.biz(?:\x3a\d{1,5})?\r?$/Hmi"; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; metadata: former_category INFO; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023459; rev:1; metadata:affected_product Any, attack_target Client_and_Server, signature_severity Minor, created_at 2016_10_27, updated_at 2017_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible EXE Download From Suspicious TLD (.accountant) - set"; flow:established,to_server; content:".accountant|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.accountant(?:\x3a\d{1,5})?\r?$/Hmi"; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; metadata: former_category INFO; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023460; rev:1; metadata:affected_product Any, attack_target Client_and_Server, signature_severity Minor, created_at 2016_10_27, updated_at 2017_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible EXE Download From Suspicious TLD (.click) - set"; flow:established,to_server; content:".click|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.click(?:\x3a\d{1,5})?\r?$/Hmi"; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; metadata: former_category INFO; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023461; rev:1; metadata:affected_product Any, attack_target Client_and_Server, signature_severity Minor, created_at 2016_10_27, updated_at 2017_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible EXE Download From Suspicious TLD (.link) - set"; flow:established,to_server; content:".link|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.link(?:\x3a\d{1,5})?\r?$/Hmi"; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; metadata: former_category INFO; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023462; rev:1; metadata:affected_product Any, attack_target Client_and_Server, signature_severity Minor, created_at 2016_10_27, updated_at 2017_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible EXE Download From Suspicious TLD (.win) - set"; flow:established,to_server; content:".win|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.win(?:\x3a\d{1,5})?\r?$/Hmi"; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; metadata: former_category INFO; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023463; rev:1; metadata:affected_product Any, attack_target Client_and_Server, signature_severity Minor, created_at 2016_10_27, updated_at 2017_10_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Possible EXE Download From Suspicious TLD"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,ET.SuspExeTLDs; metadata: former_category INFO; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023464; rev:1; metadata:affected_product Any, attack_target Client_and_Server, signature_severity Minor, created_at 2016_10_27, updated_at 2017_10_12;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 33434 (msg:"ET INFO Noction IRP Probe"; flow:stateless; flags:SP; content:"|4E 4F 43 54 49 4F 4E 20 49 52 50|"; reference:url,www.noction.com/faq; classtype:bad-unknown; sid:2023640; rev:1; metadata:deployment Perimeter, signature_severity Minor, created_at 2016_12_14, performance_impact Low, updated_at 2016_12_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Unconfigured nginx Access"; flow:from_server,established; content:"200"; http_stat_code; file_data; content:"|3C|title|3E|Welcome to nginx|213C2F|title|3E|"; classtype:bad-unknown; sid:2023668; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_19, performance_impact Low, updated_at 2016_12_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO IE7UA No Cookie No Referer"; flow:to_server,established; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b|"; http_header; fast_pattern:36,10; content:!"Referer|3a|"; http_header; content:!"|0d 0a|Cookie|3a|"; flowbits:set,et.IE7.NoRef.NoCookie; flowbits:noalert; classtype:bad-unknown; sid:2023670; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_19, malware_family Trojan_Kwampirs, updated_at 2016_12_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO MP4 in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"|66 74 79 70 6D|"; offset:4; depth:5; content:"mp4"; within:12; flowbits:set,ET.mp4.in.http; flowbits:noalert; classtype:not-suspicious; sid:2023713; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_10, performance_impact Low, updated_at 2017_02_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO ATF file in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"|41 54 46|"; within:3; flowbits:set,ET.atf.in.http; flowbits:noalert; classtype:not-suspicious; sid:2023714; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, created_at 2017_01_10, updated_at 2017_01_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Adobe FDF in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"%FDF-"; within:5; flowbits:set,ET.fdf.in.http; flowbits:noalert; classtype:not-suspicious; sid:2023715; rev:2; metadata:affected_product Adobe_Reader, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_10, performance_impact Low, updated_at 2017_01_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Lock Emoji In Title - Possible Social Engineering Attempt"; flow:from_server,established; file_data; content:"<title>"; nocase; pcre:"/^(?:(?!<\/title).)*\x26\x23x1F512/Ri"; content:"|26 23|x1F512"; fast_pattern:only; classtype:trojan-activity; sid:2023749; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_01_19, performance_impact Low, updated_at 2017_01_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Windows Update/Microsoft FP Flowbit"; flow:established,to_server; content:".windowsupdate.com|0d 0a|"; http_header; pcre:"/\.windowsupdate\.com\r?$/Hmi"; flowbits:set,ET.INFO.WindowsUpdate; flowbits:noalert; classtype:trojan-activity; sid:2023818; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_01, performance_impact Low, updated_at 2017_02_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.top domain"; flow:to_server,established; content:".top"; nocase; fast_pattern; http_header; content:"|0d 0a|"; http_header; within:8; pcre:"/^Host\x3a[^\r\n]+?\.top(\x3a\d{1,5})?\r$/Hmi"; threshold:type limit, track by_src, count 1, seconds 30; reference:url,www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2023882; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_07, updated_at 2017_02_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO MP4 in HTTP Flowbit Set M2"; flow:from_server,established; file_data; content:"|66 74 79 70 69 73 6f 6d|"; offset:4; depth:8; flowbits:set,ET.mp4.in.http; flowbits:noalert; classtype:not-suspicious; sid:2023892; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_10, performance_impact Low, updated_at 2017_02_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO MP4 in HTTP Flowbit Set M3"; flow:from_server,established; file_data; content:"|66 74 79 70 71 74 20 20|"; offset:4; depth:8; flowbits:set,ET.mp4.in.http; flowbits:noalert; classtype:not-suspicious; sid:2023900; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_14, performance_impact Low, updated_at 2017_02_14;)

#alert tcp any any -> any [139,445] (msg:"ET INFO Potentially unsafe SMBv1 protocol in use"; flow:established,to_server; content:"|FF|SMB"; offset:4; depth:4; content:!"r"; within:1; threshold: type limit, count 1, track by_src, seconds 1200; metadata: former_category INFO; reference:url,www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices; reference:url,blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/; classtype:not-suspicious; sid:2023997; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_17, performance_impact Low, updated_at 2017_03_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Opera Adblocker Update Flowbit Set"; flow:established,to_server; content:"Host|3a 20|get.geo.opera.com.global.prod.fastly.net|0d 0a|"; http_header; flowbits:set,ET.opera.adblock; flowbits:noalert; classtype:not-suspicious; sid:2024006; rev:1; metadata:deployment Perimeter, signature_severity Audit, created_at 2017_02_22, performance_impact Low, updated_at 2017_02_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 5500 (msg:"ET INFO Suspicious VNC Remote Admin Request"; flow:to_server,established; content:"|49 44 3a|"; depth:3; content:"temp"; nocase; fast_pattern; distance:0; content:"|52 46 42 20 30 30 33 2e 30 30 38 0a|"; distance:0; metadata: former_category INFO; reference:md5,2faf3040e8286d506144a0585d8f4162; classtype:trojan-activity; sid:2024029; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_01, performance_impact Low, updated_at 2017_03_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET INFO Lets Encrypt Free SSL Cert Observed with IDN/Punycode Domain - Possible Phishing"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; fast_pattern; content:"|55 04 03|"; distance:0; content:"|78 6e 2d 2d|"; within:25; nocase; metadata: former_category INFO; reference:url,isc.sans.edu/forums/diary/Tool+to+Detect+Active+Phishing+Attacks+Using+Unicode+LookAlike+Domains/22310/; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024227; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_04_19, updated_at 2017_04_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Suspicious HTML Decimal Obfuscated Title - Possible Phishing Landing Apr 19 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>"; nocase; content:"|26 23|"; within:5; content:"|3b 26 23|"; fast_pattern; within:6; content:"|3b 26 23|"; within:6; content:"|3b 26 23|"; within:6; content:"|3b 26 23|"; within:6; content:"|3b 26 23|"; within:6; content:"|3b 26 23|"; within:6; content:"</title>"; nocase; distance:0; metadata: former_category INFO; classtype:trojan-activity; sid:2024228; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_04_19, updated_at 2017_04_19;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DNS Query to Free Hosting Domain (freevnn . com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; content:"|07|freevnn|03|com"; distance:0; fast_pattern; metadata: former_category INFO; reference:md5,18c1c99412549815bdb89c36316243a7; classtype:bad-unknown; sid:2024235; rev:2; metadata:deployment Perimeter, signature_severity Minor, created_at 2017_04_21, performance_impact Low, updated_at 2017_04_21;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET INFO SMTP PDF Attachment Flowbit Set"; flow:established,from_server; content:"|0d 0a 0d 0a|JVBERi"; fast_pattern:only; flowbits:set,ET.pdf.in.smtp.attachment; flowbits:noalert; metadata: former_category INFO; classtype:bad-unknown; sid:2024236; rev:2; metadata:attack_target SMTP_Server, deployment Perimeter, signature_severity Audit, created_at 2017_04_21, updated_at 2017_04_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO ARM File Requested via WGET (set)"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent|3a 20|Wget/"; http_header; fast_pattern; pcre:"/\.(?:arm(?:5n|7)?|m(?:ips|psl))$/U"; flowbits:set,ET.armwget; flowbits:noalert; metadata: former_category INFO; classtype:policy-violation; sid:2024240; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_04_25, updated_at 2017_04_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Miniproxy Cloned Page - Possible Phishing Landing"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<!-- Proxified page constructed by miniProxy"; fast_pattern:22,20; nocase; within:100; metadata: former_category INFO; reference:url,github.com/joshdick/miniProxy; classtype:trojan-activity; sid:2024283; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_05_09, updated_at 2017_05_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Bitcoin QR Code Generated via Btcfrog.com"; flow:established,to_server; content:"/qr/bitcoinPNG.php?address="; fast_pattern; http_uri; content:"Host|3a 20|www.btcfrog.com|0d 0a|"; http_header; metadata: former_category INFO; classtype:misc-activity; sid:2024292; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_12, performance_impact Low, updated_at 2017_05_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Possible Phishing Landing - Common Multiple JS Unescape May 25 2017"; flow:from_server,established; file_data; content:"<script type=|22|text/javascript|22|>|20|<!--|20|document.write("; nocase; fast_pattern:32,20; content:"//-->"; distance:0; content:"<script type=|22|text/javascript|22|>|20|<!--|20|document.write("; nocase; distance:0; content:"//-->"; distance:0; content:"<script type=|22|text/javascript|22|>|20|<!--|20|document.write("; nocase; distance:0; content:"//-->"; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025227; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_05_25, updated_at 2018_01_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible Successful Hostinger Generic Phish Jun 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"wb_form_id="; nocase; depth:11; http_client_body; fast_pattern; content:"&message=&wb_input_0="; nocase; distance:8; within:21; http_client_body; content:"&wb_input_0="; nocase; http_client_body; distance:0; content:"&wb_input_1="; nocase; http_client_body; distance:0; content:"&wb_input_1="; nocase; http_client_body; distance:0; metadata: former_category INFO; classtype:trojan-activity; sid:2024375; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_06_09, updated_at 2017_06_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Suspicious HTML Hex Obfuscated Title - Possible Phishing Landing Jun 28 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>"; nocase; content:!"</title>"; nocase; within:20; content:"|26 23|x"; within:20; content:"|3b 26 23|x"; distance:2; within:4; fast_pattern; content:"|3b 26 23|x"; distance:2; within:4; content:"|3b 26 23|x"; distance:2; within:4; content:"|3b 26 23|x"; distance:2; within:4; content:"</title>"; nocase; distance:0; metadata: former_category INFO; classtype:trojan-activity; sid:2024432; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_06_28, updated_at 2017_06_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP POST to Free Webhost - Possible Successful Phish (site40 . net) Jul 18 2017"; flow:to_server,established; content:"POST"; http_method; content:"site40.net|0d 0a|"; http_header; fast_pattern; metadata: former_category INFO; classtype:trojan-activity; sid:2024470; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_07_17, updated_at 2017_07_21;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET INFO Phishery Phishing Tool - Default SSL Certificate Observed"; flow:established,from_server; content:"|55 04 03|"; content:"|08|go-phish"; fast_pattern; distance:1; within:9; metadata: former_category INFO; reference:url,github.com/ryhanson/phishery; classtype:trojan-activity; sid:2024505; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_07_28, updated_at 2017_07_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Adilbo HTML Encoder Observed"; flow:established,to_client; file_data; content:"|2f 2a 20 61 64 69 6c 62 6f 20 48 54 4d 4c 20 45 6e 63 6f 64 65 72|"; fast_pattern:2,20; content:"*|20 20|Checksum|3a 20|927c770095e0daa48298343b8fd14624"; within:200; metadata: former_category INFO; classtype:policy-violation; sid:2024763; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_23, updated_at 2017_09_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Suspicious Darkwave Popads Pop Under Redirect"; flow:established,to_client; file_data; content:"|2f 2a 20 50 72 69 76 65 74 20 64 61 72 6b 76 2e 20 45 61 63 68 20 64 6f 6d 61 69 6e 20 69 73 20 32 68 20 66 6f 78 20 64 65 61 64 20 2a 2f|"; metadata: former_category INFO; classtype:policy-violation; sid:2024764; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_23, updated_at 2017_09_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Download of Embedded OpenType (EOT) File flowbit set"; flow:established,to_client; file_data; content:"|4c 50|"; offset:34; depth:2; flowbits:set,ET.EOT.Download; flowbits:noalert; metadata: former_category INFO; reference:url,www.w3.org/Submission/EOT/#FileFormat; classtype:misc-activity; sid:2024829; rev:1; metadata:affected_product Internet_Explorer, affected_product Mac_OSX, affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_10_10, performance_impact Low, updated_at 2017_10_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Browser Plugin Detect - Observed in Apple Phishing"; flow:to_server,established; urilen:10; content:"POST"; http_method; content:"/ping.html"; http_uri; content:".html?appIdKey="; http_header; content:"data=eyJwbHVnaW4i"; http_client_body; depth:17; fast_pattern; pcre:"/^data=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/Pi"; metadata: former_category INFO; classtype:bad-unknown; sid:2024978; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_11_08, updated_at 2017_11_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP POST Request to Suspicious *.gdn Domain"; flow:established,to_server; content:"POST"; http_method; content:".gdn|0d 0a|"; fast_pattern; http_header; metadata: former_category INFO; classtype:bad-unknown; sid:2025097; rev:2; metadata:created_at 2017_12_02, updated_at 2017_12_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET INFO DNS Query for Suspicious .gdn Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|gdn|00|"; fast_pattern; nocase; distance:0; metadata: former_category DNS; classtype:bad-unknown; sid:2025098; rev:2; metadata:created_at 2017_12_02, updated_at 2017_12_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP POST Request to Suspicious *.gq domain"; flow:established,to_server; content:"POST"; http_method; content:".gq|0d 0a|"; fast_pattern; http_header; classtype:bad-unknown; sid:2025100; rev:2; metadata:created_at 2017_12_03, updated_at 2017_12_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP POST Request to Suspicious *.ga Domain"; flow:established,to_server; content:"POST"; http_method; content:".ga|0d 0a|"; fast_pattern; http_header; classtype:bad-unknown; sid:2025101; rev:2; metadata:created_at 2017_12_03, updated_at 2017_12_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP POST Request to Suspicious *.ml Domain"; flow:established,to_server; content:"POST"; http_method; content:".ml|0d 0a|"; fast_pattern; http_header; metadata: former_category INFO; classtype:bad-unknown; sid:2025102; rev:3; metadata:created_at 2017_12_03, updated_at 2017_12_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP POST Request to Suspicious *.cf Domain"; flow:established,to_server; content:"POST"; http_method; content:".cf|0d 0a|"; fast_pattern; http_header; metadata: former_category INFO; classtype:bad-unknown; sid:2025103; rev:3; metadata:created_at 2017_12_03, updated_at 2017_12_07;)

alert udp $HOME_NET any -> any 53 (msg:"ET INFO DNS Query for Suspicious .gq Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|gq|00|"; fast_pattern; nocase; distance:0; threshold: type limit, count 1, track by_src, seconds 120; metadata: former_category INFO; classtype:bad-unknown; sid:2025104; rev:2; metadata:created_at 2017_12_03, updated_at 2017_12_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET INFO DNS Query for Suspicious .ga Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ga|00|"; fast_pattern; nocase; distance:0; threshold: type limit, count 1, track by_src, seconds 120; metadata: former_category INFO; classtype:bad-unknown; sid:2025105; rev:2; metadata:created_at 2017_12_03, updated_at 2017_12_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET INFO DNS Query for Suspicious .ml Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ml|00|"; fast_pattern; nocase; distance:0; threshold: type limit, count 1, track by_src, seconds 120; metadata: former_category INFO; classtype:bad-unknown; sid:2025106; rev:2; metadata:created_at 2017_12_03, updated_at 2017_12_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET INFO DNS Query for Suspicious .cf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cf|00|"; fast_pattern; nocase; distance:0; threshold: type limit, count 1, track by_src, seconds 120; metadata: former_category INFO; classtype:bad-unknown; sid:2025107; rev:2; metadata:created_at 2017_12_03, updated_at 2017_12_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO MIPSEL File Download Request from IP Address"; flow:established,to_server; content:"GET"; http_method; content:".mipsel"; nocase; http_uri; pcre:"/\.mipsel$/Ui"; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}/Hmi"; metadata: former_category INFO; classtype:bad-unknown; sid:2025122; rev:2; metadata:attack_target IoT, created_at 2017_12_05, updated_at 2017_12_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO MIPS File Download Request from IP Address"; flow:established,to_server; content:"GET"; http_method; content:".mips"; nocase; http_uri; pcre:"/\.mips$/Ui"; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}/Hmi"; metadata: former_category INFO; classtype:bad-unknown; sid:2025123; rev:2; metadata:attack_target IoT, created_at 2017_12_05, updated_at 2017_12_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO ARM File Download Request from IP Address"; flow:established,to_server; content:"GET"; http_method; content:".arm"; nocase; http_uri; pcre:"/\.arm$/Ui"; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}/Hmi"; metadata: former_category INFO; classtype:bad-unknown; sid:2025124; rev:2; metadata:attack_target IoT, created_at 2017_12_05, updated_at 2017_12_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO ARM7 File Download Request from IP Address"; flow:established,to_server; content:"GET"; http_method; content:".arm7"; nocase; http_uri; pcre:"/\.arm7$/Ui"; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}/Hmi"; metadata: former_category INFO; classtype:bad-unknown; sid:2025125; rev:2; metadata:attack_target IoT, created_at 2017_12_05, updated_at 2017_12_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO x86 File Download Request from IP Address"; flow:established,to_server; content:"GET"; http_method; content:".x86"; nocase; http_uri; pcre:"/\.x86$/Ui"; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}/Hmi"; metadata: former_category INFO; classtype:bad-unknown; sid:2025126; rev:2; metadata:attack_target IoT, created_at 2017_12_05, updated_at 2017_12_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO m68k File Download Request from IP Address"; flow:established,to_server; content:"GET"; http_method; content:".m68k"; nocase; http_uri; pcre:"/\.m68k$/Ui"; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}/Hmi"; metadata: former_category INFO; classtype:bad-unknown; sid:2025127; rev:2; metadata:attack_target IoT, created_at 2017_12_05, updated_at 2017_12_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO SPARC File Download Request from IP Address"; flow:established,to_server; content:"GET"; http_method; content:".sparc"; nocase; http_uri; pcre:"/\.sparc$/Ui"; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}/Hmi"; metadata: former_category INFO; classtype:bad-unknown; sid:2025128; rev:2; metadata:attack_target IoT, created_at 2017_12_05, updated_at 2017_12_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO POWERPC File Download Request from IP Address"; flow:established,to_server; content:"GET"; http_method; content:".powerpc"; nocase; http_uri; pcre:"/\.powerpc$/Ui"; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}/Hmi"; metadata: former_category INFO; classtype:bad-unknown; sid:2025129; rev:2; metadata:attack_target IoT, created_at 2017_12_05, updated_at 2017_12_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO X86_64 File Download Request from IP Address"; flow:established,to_server; content:"GET"; http_method; content:".x86_64"; nocase; http_uri; pcre:"/\.x86_64$/Ui"; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}/Hmi"; metadata: former_category INFO; classtype:bad-unknown; sid:2025130; rev:2; metadata:attack_target IoT, created_at 2017_12_05, updated_at 2017_12_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO SUPERH File Download Request from IP Address"; flow:established,to_server; content:"GET"; http_method; content:".superh"; nocase; http_uri; pcre:"/\.superh$/Ui"; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}/Hmi"; metadata: former_category INFO; classtype:bad-unknown; sid:2025131; rev:2; metadata:attack_target IoT, created_at 2017_12_05, updated_at 2017_12_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Request for Doc to IP Address with Terse Headers"; flow:established,to_server; content:"GET"; http_method; content:".doc"; http_uri; pcre:"/\.doc$/Ui"; content:!"Referer"; http_header; content:!"Accept"; http_header; content:!"User-Agent"; http_header; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nConnection\x3a\x20Keep-Alive\r\n$/Hi"; metadata: former_category INFO; classtype:bad-unknown; sid:2025162; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_12_21, updated_at 2017_12_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Multiple Javascript Unescapes - Common Obfuscation Observed in Phish Landing"; flow:established,to_client; file_data; content:"document.write(unescape"; fast_pattern; nocase; within:100; content:"document.write(unescape"; nocase; distance:0; content:"document.write(unescape"; nocase; distance:0; metadata: former_category INFO; classtype:bad-unknown; sid:2025231; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_22, updated_at 2018_01_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Base64 Encoded powershell.exe in HTTP Response M1"; flow:established,from_server; file_data; content:"cG93ZXJzaGVsbC5leG"; fast_pattern; metadata: former_category INFO; reference:url,otx.alienvault.com/pulse/5a1348416dd9eb0c92d9897a; classtype:bad-unknown; sid:2025238; rev:1; metadata:created_at 2018_01_22, updated_at 2018_01_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Base64 Encoded powershell.exe in HTTP Response M2"; flow:established,from_server; file_data; content:"Bvd2Vyc2hlbGwuZXhl"; fast_pattern; reference:url,otx.alienvault.com/pulse/5a1348416dd9eb0c92d9897a; classtype:bad-unknown; sid:2025239; rev:1; metadata:created_at 2018_01_22, updated_at 2018_01_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Base64 Encoded powershell.exe in HTTP Response M3"; flow:established,from_server; file_data; content:"wb3dlcnNoZWxsLmV4Z"; fast_pattern; reference:url,otx.alienvault.com/pulse/5a1348416dd9eb0c92d9897a; classtype:bad-unknown; sid:2025240; rev:1; metadata:created_at 2018_01_22, updated_at 2018_01_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Possible Phishing Redirect 2018-01-30"; flow:established,to_client; file_data; content:"<html>|0d 0a|<body>|0d 0a|<script type=|22|text/JavaScript|22|>|0d 0a|<!--|0d 0a|"; nocase; depth:55; content:"setTimeout(|22|location.href|20|=|20 27|redirection.php?"; nocase; within:100; fast_pattern; pcre:"/^[a-z0-9_]{50,}/Ri"; content:"|27 3b 22|,0)|3b 0d 0a|-->|0d 0a|</script>|0d 0a|</body>"; nocase; within:100; metadata: former_category INFO; classtype:bad-unknown; sid:2025267; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_30, updated_at 2018_01_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Windows OS Submitting USB Metadata to Microsoft"; flow:established,to_server; content:"POST"; http_method; content:"metadata.svc"; http_uri; content:"/DeviceMetadataService/GetDeviceMetadata|22 0d 0a|"; http_header; content:"User-Agent|3a 20|MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT|0d 0a|"; http_header; fast_pattern:12,20; metadata: former_category INFO; classtype:misc-activity; sid:2025275; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_01_31, performance_impact Low, updated_at 2018_01_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Suspicious Browser Plugin Detect - Observed in Phish Landings"; flow:established,to_client; file_data; content:"#browser_info"; content:"getBrowserMajorVersion()"; nocase; distance:0; fast_pattern; content:"#os_info"; nocase; distance:0; content:"getOSVersion()"; nocase; distance:0; content:"getScreenPrint()"; nocase; distance:0; content:"getPlugins()"; nocase; distance:0; content:"getJavaVersion()"; nocase; distance:0; content:"getFlashVersion()"; nocase; distance:0; content:"getSilverlightVersion()"; nocase; distance:0; metadata: former_category INFO; classtype:bad-unknown; sid:2025399; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_26, updated_at 2018_02_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Secondary Flash Request Seen (no alert)"; flow:established,to_server; content:"x-flash-version|3a 20|"; http_header; content:"/[[DYNAMIC]]/1"; http_header; fast_pattern; flowbits:set,ET.SecondaryFlash.Req; flowbits:noalert; metadata: former_category INFO; classtype:trojan-activity; sid:2025411; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Sundown_EK, signature_severity Major, created_at 2018_03_09, updated_at 2018_03_09;)

alert tcp any any -> any any (msg:"ET INFO Possible Sandvine PacketLogic Injection"; flow:established,from_server; id:13330; flags:AF; content:"HTTP/1.1 307 Temporary Redirect|0a|Location|3a 20|"; depth:42; fast_pattern:17,20; content:"Connection: close|0a 0a|"; distance:0; isdataat:!1,relative; metadata: former_category INFO; reference:url,citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/; classtype:misc-activity; sid:2025428; rev:2; metadata:attack_target Client_and_Server, deployment Datacenter, signature_severity Minor, created_at 2018_03_13, performance_impact Low, updated_at 2018_03_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious User-Agent (CustomStringHere)"; flow:established,to_server; content:"User-Agent|3a 20|CustomStringHere"; http_header; metadata: former_category INFO; reference:md5,7a8cb1223e006bc7e70169c060d7057b; classtype:misc-activity; sid:2025436; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_03_19, updated_at 2018_03_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO NYU Internet HTTP/SSL Census Scan"; flow:to_server,established; content:"User-Agent|3a 20|NYU Internet Census (https://scan.lol|3b 20|research@scan.lol)"; http_header; fast_pattern:49,20; metadata: former_category INFO; reference:url,scan.lol; classtype:network-scan; sid:2025460; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Minor, created_at 2018_04_03, updated_at 2018_04_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible EXE Download From Suspicious TLD (.men) - set"; flow:established,to_server; content:".men|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.men(?:\x3a\d{1,5})?\r?$/Hmi"; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025495; rev:1; metadata:created_at 2018_04_16, updated_at 2018_04_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible EXE Download From Suspicious TLD (.webcam) - set"; flow:established,to_server; content:".webcam|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.webcam(?:\x3a\d{1,5})?\r?$/Hmi"; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; metadata: former_category INFO; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025497; rev:1; metadata:created_at 2018_04_16, updated_at 2018_04_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible EXE Download From Suspicious TLD (.yokohama) - set"; flow:established,to_server; content:".yokohama|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.yokohama(?:\x3a\d{1,5})?\r?$/Hmi"; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025498; rev:1; metadata:created_at 2018_04_16, updated_at 2018_04_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible EXE Download From Suspicious TLD (.tokyo) - set"; flow:established,to_server; content:".tokyo|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.tokyo(?:\x3a\d{1,5})?\r?$/Hmi"; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025499; rev:1; metadata:created_at 2018_04_16, updated_at 2018_04_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible EXE Download From Suspicious TLD (.gq) - set"; flow:established,to_server; content:".gq|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.gq(?:\x3a\d{1,5})?\r?$/Hmi"; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025500; rev:1; metadata:created_at 2018_04_16, updated_at 2018_04_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible EXE Download From Suspicious TLD (.work) - set"; flow:established,to_server; content:".work|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.work(?:\x3a\d{1,5})?\r?$/Hmi"; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025501; rev:1; metadata:created_at 2018_04_16, updated_at 2018_04_16;)

alert tcp any any -> any 4786 (msg:"ET INFO Cisco Smart Install Protocol Observed"; flow:established,only_stream; content:"|00 00 00 01 00 00 00 01|"; depth:8; metadata: former_category INFO; reference:url,www.us-cert.gov/ncas/alerts/TA18-106A; classtype:misc-activity; sid:2025519; rev:1; metadata:attack_target Networking_Equipment, deployment Perimeter, deployment Internal, signature_severity Minor, created_at 2018_04_20, updated_at 2018_04_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible Rogue LoJack Asset Tracking Agent"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"TagId|3a 20|"; http_header; fast_pattern; content:!".namequery.com|0d 0a|"; http_header; threshold: type limit, count 2, seconds 300, track by_src;  metadata: former_category INFO; reference:url,asert.arbornetworks.com/lojack-becomes-a-double-agent/amp/; classtype:misc-attack; sid:2025553; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_05_02, updated_at 2018_05_02;)

alert udp $HOME_NET any -> any 53 (msg:"ET INFO Observed DNS Query to .myq-see .com DDNS Domain"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|07|myq-see|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category INFO; classtype:policy-violation; sid:2025560; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_07, performance_impact Moderate, updated_at 2018_05_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO [eSentire] Possible Kali Linux Updates"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a 20|APT-HTTP|2f|"; http_header; content:"kali.org|0d 0a|"; http_header; fast_pattern; pcre:"/^Host\x3a\x20[a-z0-9.]+\.kali\.org/Hm"; metadata: former_category INFO; classtype:trojan-activity; sid:2025627; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_06_25, updated_at 2018_06_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware Keywords Download"; flow: to_server,established; content:"keywords/kyf"; nocase; http_uri; content:"partner_id="; nocase; http_client_body; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002001; classtype:trojan-activity; sid:2002001; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware Install"; flow: to_server,established; content:"/downloads/installers/"; nocase; http_uri; content:"simpleinternet/180sainstaller.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002003; classtype:trojan-activity; sid:2002003; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware Defs Download"; flow: to_server,established; content:"/geodefs/gdf"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002048; classtype:trojan-activity; sid:2002048; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware config Download"; flow: to_server,established; content:"/config.aspx?did="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002099; classtype:trojan-activity; sid:2002099; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware versionconfig POST"; flow:to_server,established; content:"/versionconfig.aspx?"; http_uri; content:"&ver="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002354; classtype:trojan-activity; sid:2002354; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware Actionlibs Download"; flow:to_server,established; content:"/actionurls/ActionUrlb"; nocase; http_uri; content:"partnerid="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003057; classtype:trojan-activity; sid:2003057; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware Installer Download"; flow:to_server,established; content:"/downloads/valueadd/ping/ping.htm"; nocase; http_uri; content:"zango.com|0d 0a|"; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003058; classtype:trojan-activity; sid:2003058; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware TB Installer Download"; flow:to_server,established; content:"/ZangoTBInstaller.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003059; classtype:trojan-activity; sid:2003059; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware Local Stats Post"; flow:to_server,established; content:"/php/rpc_uci.php"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003060; classtype:trojan-activity; sid:2003060; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware Event Activity Post"; flow:to_server,established; content:"/php/uci.php"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003061; classtype:trojan-activity; sid:2003061; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware Installer Config 2"; flow:to_server,established; content:"config.aspx"; nocase; http_uri; content:"?ver="; nocase; http_uri;  content:!"User-Agent|3a| "; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003217; classtype:trojan-activity; sid:2003217; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware (tracked event 2 reporting)"; flow: to_server,established; content:"/trackedevent.aspx?"; nocase; http_uri; content:"ver="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&rnd="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003306; classtype:trojan-activity; sid:2003306; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zango Spyware (tbrequest data post)"; flow: to_server,established; content:"/tbrequest"; nocase; http_uri; content:"&q="; nocase; http_uri; pcre:"/\/tbrequest\d+\.php/Ui"; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003610; classtype:trojan-activity; sid:2003610; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 2020search/PowerSearch Toolbar Adware/Spyware - GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:"IpAddr="; nocase; http_uri; content:"&OS="; nocase; http_uri; content:"&RegistryChanged="; nocase; http_uri; content:"&RegistryUpdate="; nocase; http_uri; content:"&NewInstallation="; nocase; http_uri; content:"&utilMissing="; nocase; http_uri; content:"&Basedir="; nocase; http_uri; content:"&BundleID="; nocase; http_uri; content:"&InitInstalled="; nocase; http_uri; content:"&Interval="; nocase; http_uri; content:"&LastInitRun="; nocase; http_uri; content:"&LastInitVer="; nocase; http_uri; content:"&LastSrngRun="; nocase; http_uri; content:"&LastUtilRun="; nocase; http_uri; content:"&SrngInstalled="; nocase; http_uri; content:"&SrngVer="; nocase; http_uri; content:"&UtilInstalled="; nocase; http_uri; content:"&UtilVer="; nocase; http_uri; content:"&PCID"; nocase; http_uri; reference:url,vil.nai.com/vil/content/v_103738.htm; reference:url,www.sunbeltsecurity.com/ThreatDisplay.aspx?tid=13811&cs=1437A28B7A90C4C502B683CE6DE23C4E; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-111918-0210-99; reference:url,doc.emergingthreats.net/2009807; classtype:trojan-activity; sid:2009807; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE 2nd-thought (W32.Daqa.C) Download"; flow: from_server,established; content:"|67 6f 69 64 72 2e 63 61 62|"; nocase; content:"|48 6f 73 74 3a 20 77 77 77 2e 77 65 62 6e 65 74 69 6e 66 6f 2e 6e 65 74|"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.secondthought.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001447; classtype:trojan-activity; sid:2001447; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 360safe.com related Fake Security Product Update (KillerSet)"; flow:established,to_server; content:"/?KillerSet="; nocase; http_uri; content:"GET"; nocase; http_method; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008149; classtype:trojan-activity; sid:2008149; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 51yes.com Spyware Reporting User Activity"; flow:established,to_server; content:"/sa.aspx?id="; nocase; http_uri; content:"&refe=http"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003620; classtype:trojan-activity; sid:2003620; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE A-d-w-a-r-e.com Activity (popup)"; flow: established,to_server; content:"/cgi-bin/PopupV"; nocase; http_uri; content:"?ID={"; nocase; http_uri; reference:url,www.a-d-w-a-r-e.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001730; classtype:trojan-activity; sid:2001730; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE A-d-w-a-r-e.com Activity (cmd)"; flow: established,to_server; content:"/app/VT00/ucmd.php?V="; nocase; http_uri; reference:url,www.a-d-w-a-r-e.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001735; classtype:trojan-activity; sid:2001735; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ABX Toolbar ActiveX Install"; flow: to_server,established; content:"/abx_search_webinstall/abx_search.cab"; nocase; http_uri; reference:url,isc.sans.org/diary.php?date=2005-03-04; reference:url,doc.emergingthreats.net/bin/view/Main/2001761; classtype:trojan-activity; sid:2001761; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Abcsearch.com Spyware Reporting"; flow:established,to_server; content:"/cgi-bin/search/mxml.fcgi?"; nocase; http_uri; content:"Terms="; nocase; http_uri; content:"&affiliate="; nocase; http_uri; content:"&subid="; nocase; http_uri; content:"&Hits_Per_Page="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003438; classtype:trojan-activity; sid:2003438; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 20 -> $HOME_NET any (msg:"ET MALWARE Abox Download"; flow:established,to_server; content:"|5c 00 43 00 61 00 72 00 6d 00 65 00 6e 00 00 00 16 00 00 00 73 00 75 00 63|"; nocase; offset:160; depth:26; reference:url,doc.emergingthreats.net/bin/view/Main/2001440; classtype:trojan-activity; sid:2001440; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Abox Install Report"; flow: to_server,established; content:"&time="; nocase; http_uri; content:"/new_install?id="; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.adultbox.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001441; classtype:trojan-activity; sid:2001441; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advert-network.com Related Spyware Updating"; flow:established,to_server; content:"/cnconfig.gz?ct="; http_uri; content:"&bp="; http_uri; content:"&vs="; http_uri; content:"&country="; http_uri; content:"&grp="; http_uri; content:"&tcpc="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008419; classtype:trojan-activity; sid:2008419; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advert-network.com Related Spyware Checking for Updates"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/check.php?tcpc="; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008425; classtype:trojan-activity; sid:2008425; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advertisementserver.com Spyware Initial Checkin"; flow:to_server,established; content:"?UID="; nocase; http_uri; content:"&DIST="; nocase; http_uri; content:"&NPR="; nocase; http_uri; content:"User-Agent|3a| Microsoft URL Control"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007601; classtype:trojan-activity; sid:2007601; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advertisementserver.com Spyware Checkin"; flow:to_server,established; content:"monitor.php"; nocase; http_uri; content:"?UID="; nocase; http_uri; pcre:"/UID=\d/Ui"; content:"User-Agent|3a| Microsoft URL Control"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007602; classtype:trojan-activity; sid:2007602; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advertising.com Data Post (villains)"; flow: to_server,established; content:"/Games/villains.aspx"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001228; classtype:policy-violation; sid:2001228; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advertising.com Data Post (cakedeal)"; flow: to_server,established; content:"/Games/cakedeal.aspx"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001230; classtype:policy-violation; sid:2001230; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware Command Client Checkin"; flow: to_server,established; content:"/client.php?str="; nocase; http_uri; content:"User-Agent|3a| "; nocase; http_header; content:"Indy Library)"; nocase; http_header; reference:url,www.nuker.com/container/details/adware_command.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003446; classtype:policy-violation; sid:2003446; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Generic Adware Install Report"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/nsi_install.php?inst_result=success&aff_id="; http_uri; content:"&id="; nocase; http_uri; reference:url,doc.emergingthreats.net/2010630; classtype:trojan-activity; sid:2010630; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wintools Download/Configure"; flow: to_server,established; content:"/WTools"; nocase; http_uri; content:".cab"; nocase; http_uri; reference:url,www.intermute.com/spyware/HuntBar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001450; classtype:trojan-activity; sid:2001450; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ak-networks.com Spyware Code Download"; flow: to_server,established; content:"/SyncAkSoft.da_"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001530; classtype:trojan-activity; sid:2001530; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ak-networks.com Spyware Code Install"; flow: to_server,established; content:"/akcore.dl_"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001737; classtype:trojan-activity; sid:2001737; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Alexa Spyware Reporting URL"; flow:established,to_server; content:"/image_server.cgi?size=small&url=http|3a|/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002349; classtype:trojan-activity; sid:2002349; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Alexa Spyware Reporting"; flow:established,to_server; content:"/data?"; nocase; http_uri; content:"cli="; nocase; http_uri; content:"&dat="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&uid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003219; classtype:trojan-activity; sid:2003219; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Alexa Spyware Reporting URL Visited"; flow:established,to_server; content:"/data/"; nocase; http_uri; content:"cli="; nocase;  http_uri; content:"&ver=alxi"; nocase; http_uri; fast_pattern:only; content:"&url="; nocase; http_uri; content:"alexa.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003606; classtype:trojan-activity; sid:2003606; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Alexa Spyware Redirecting User"; flow:established,to_server; content:"/redirect?http"; nocase; http_uri; content:"Host|3a| redirect.alexa.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003619; classtype:trojan-activity; sid:2003619; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Avres Agent Receiving Instructions"; flow: to_server,established; content:"/ie/updatenew/"; http_uri; content:"CONFIG"; nocase; reference:url,www.avres.net; reference:url,ar.avres.net/ie/updatenew/; reference:url,doc.emergingthreats.net/bin/view/Main/2000903; classtype:trojan-activity; sid:2000903; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BTGrab.com Spyware Downloading Ads"; flow: to_server,established; content:"/a/Drk.syn?"; nocase; http_uri; content:"adcontext="; nocase; http_uri; reference:url,www.btgrab.com; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090726; reference:url,doc.emergingthreats.net/bin/view/Main/2001999; classtype:trojan-activity; sid:2001999; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Baidu.com Spyware Bar Reporting"; flow:to_server,established; content:"/update/barcab/"; nocase; http_uri; metadata: former_category MALWARE; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003340; classtype:policy-violation; sid:2003340; rev:4; metadata:created_at 2010_07_30, updated_at 2017_04_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Baidu.com Spyware Bar Pulling Content"; flow:to_server,established; content:"/update/cab/loadmovie.swf"; nocase; http_uri; content:"bar.baidu.com"; nocase; http_header; fast_pattern; metadata: former_category MALWARE; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003341; classtype:policy-violation; sid:2003341; rev:8; metadata:created_at 2010_07_30, updated_at 2017_04_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Baidu.com Spyware Bar Pulling Data"; flow:to_server,established; content:"/cpro/ui/ui"; nocase; http_uri; content:"baidu.com"; nocase; http_header; content:!"Referer|3a| "; nocase; http_header; metadata: former_category MALWARE; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003578; classtype:trojan-activity; sid:2003578; rev:9; metadata:created_at 2010_07_30, updated_at 2017_04_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Baidu.com Spyware Bar Activity"; flow:to_server,established; content:"/n?cmd="; nocase; http_uri; content:"&class="; nocase; http_uri; content:"&pn="; nocase; http_uri; content:"&tn"; nocase; http_uri; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003605; classtype:trojan-activity; sid:2003605; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Baidu.com Spyware Sobar Bar Activity"; flow:to_server,established; content:"/sobar/sobar"; nocase; http_uri; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003630; classtype:trojan-activity; sid:2003630; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adaware.BarACE Checkin and Update"; flow:established,to_server; content:"GET"; nocase; http_method; content:"|2E|php|3F|zone="; http_uri; nocase; content:"|26|name="; nocase; http_uri; content:"|26|bpid="; nocase; http_uri; content:"|26|bnum="; nocase; http_uri; content:"|26|pid="; nocase; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2007-021714-2431-99&tabid=2; reference:url,doc.emergingthreats.net/bin/view/Main/2008318; classtype:trojan-activity; sid:2008318; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bargain Buddy"; flow: to_server,established; content:"/download/bargin_buddy"; nocase; http_uri; reference:url,www.doxdesk.com/parasite/BargainBuddy.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000574; classtype:trojan-activity; sid:2000574; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Begin2Search.com Spyware"; flow: to_server,established; content:"/cgi-bin/fav_del.fcgi?id"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/adware.begin2search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001885; classtype:policy-violation; sid:2001885; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Best-targeted-traffic.com Spyware Checkin"; flow:established,to_server; content:"/checkin.php?"; nocase; http_uri; content:"unq="; nocase; http_uri; content:"version="; nocase; http_uri; content:"User-Agent|3a| Opera "; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003209; classtype:trojan-activity; sid:2003209; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Best-targeted-traffic.com Spyware Install"; flow:established,to_server; content:"/install.php?"; nocase; http_uri; content:"&pais="; nocase; http_uri; content:"unq="; nocase; http_uri; content:"User-Agent|3a| Opera "; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003210; classtype:trojan-activity; sid:2003210; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Best-targeted-traffic.com Spyware Ping"; flow:established,to_server; content:"/ping.php?"; nocase; http_uri; content:"ul=http"; nocase; http_uri; content:"unq="; nocase; http_uri; content:"User-Agent|3a| Opera "; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003211; classtype:trojan-activity; sid:2003211; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Tibs Checkin"; flow:established,to_server; content:"/adv/"; nocase; http_uri; content:".php?a1="; nocase; http_uri; content:"&a2=Type of Processor|3a|"; nocase; http_uri; content:"&a3=Windows version is "; nocase; http_uri; content:"&a4=Build|3a|"; nocase; http_uri; reference:md5,65448c8678f03253ef380c375d6670ce; classtype:trojan-activity; sid:2002955; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bestcount.net Spyware Downloading vxgame"; flow:established,to_server; content:"/vxgame1/vxv.php"; nocase; http_uri; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; reference:url,doc.emergingthreats.net/bin/view/Main/2002956; classtype:trojan-activity; sid:2002956; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bestcount.net Spyware Initial Infection Download"; flow:established,to_server; content:"/win32.exe"; nocase; http_uri; pcre:"/\/adv\/\d+\/win32\.exe/Ui"; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; reference:url,doc.emergingthreats.net/bin/view/Main/2002957; classtype:trojan-activity; sid:2002957; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bestcount.net Spyware Exploit Download"; flow:established,to_server; content:"/sploit.anr"; nocase; http_uri; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; reference:url,doc.emergingthreats.net/bin/view/Main/2003153; classtype:trojan-activity; sid:2003153; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bestcount.net Spyware Data Upload"; flow:established,to_server; content:"/objects/ocget.dll"; nocase; http_uri; content:"mybest"; nocase; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; reference:url,doc.emergingthreats.net/bin/view/Main/2003154; classtype:trojan-activity; sid:2003154; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Binet (download complete)"; flow: to_server,established; content:"/download/cabs/"; nocase; http_uri; content:"download_complete.htm"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000366; classtype:trojan-activity; sid:2000366; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Binet (set_pix)"; flow: to_server,established; content:"/download/cabs/set_pix.php"; nocase; http_uri; content:"abetterinternet.com"; nocase; http_header; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000367; classtype:trojan-activity; sid:2000367; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Binet (randreco.exe)"; flow: to_server,established; content:"/download/cabs/RANDRECO/randreco.exe"; nocase; http_uri; content:"abetterinternet.com|0d 0a|"; nocase; http_header; fast_pattern; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000371; classtype:trojan-activity; sid:2000371; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Binet Ad Retrieval"; flow: to_server,established; content:"/bba/flashimages/"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000593; classtype:trojan-activity; sid:2000593; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Twaintec Download Attempt"; flow: to_server,established; content:"/downloads/cabs/TWTDLL/twaintec.cab"; nocase; http_uri; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; reference:url,doc.emergingthreats.net/bin/view/Main/2001198; classtype:trojan-activity; sid:2001198; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Twaintec Ad Retrieval"; flow: to_server,established; content:"/twain/servlet/Twain?adcontext="; nocase; http_uri; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; reference:url,doc.emergingthreats.net/bin/view/Main/2001199; classtype:trojan-activity; sid:2001199; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Twaintec Reporting Data"; flow: to_server,established; content:"/downloads/record_download.asp"; nocase; http_uri; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; reference:url,doc.emergingthreats.net/bin/view/Main/2001216; classtype:trojan-activity; sid:2001216; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BInet Information Upload"; flow: to_server,established; content:"/bi/servlet/ThinstallPre"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001339; classtype:trojan-activity; sid:2001339; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BInet Information Install Report"; flow: to_server,established; content:"/bi/servlet/ThinstallPost"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001576; classtype:trojan-activity; sid:2001576; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bfast.com Spyware"; flow: to_server,established; content:"/bfast/serve?bfmid"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001398; classtype:policy-violation; sid:2001398; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bizconcept.info Spyware Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/zuzu.php?&r="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2005319; classtype:trojan-activity; sid:2005319; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bonziportal Traffic"; flow: to_server,established; content:"/bonziportal/bin/"; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59256; reference:url,doc.emergingthreats.net/bin/view/Main/2001345; classtype:trojan-activity; sid:2001345; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bravesentry.com Fake Antispyware Download"; flow:established,to_server; content:"/bravesentry.exe"; nocase; http_uri; reference:url,www.bravesentry.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152; reference:url,doc.emergingthreats.net/bin/view/Main/2002954; classtype:trojan-activity; sid:2002954; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bravesentry.com Fake Antispyware Updating"; flow:established,to_server; content:"/update.php?v="; nocase; http_uri; content:"&d="; nocase; http_uri; content:"&vs="; nocase; http_uri; content:!"User-Agent|3a| "; http_header; content:"Host|3a| "; http_header; content:".bravesentry.com"; nocase; http_header; reference:url,www.bravesentry.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152; reference:url,doc.emergingthreats.net/bin/view/Main/2003541; classtype:trojan-activity; sid:2003541; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Clickspring.net Spyware Reporting"; flow: to_server,established; content:"Host|3a| www.bullseye-network.com"; nocase; http_header; reference:url,sarc.com/avcenter/venc/data/adware.bargainbuddy.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001501; classtype:trojan-activity; sid:2001501; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bundleware Spyware Download"; flow: to_server,established; content:"/app/InternetFuel/AppWrap.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001451; classtype:policy-violation; sid:2001451; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bundleware Spyware CHM Download"; flow: to_server,established; content:"Referer|3a| ms-its|3a|mhtml|3a|file|3a|//C|3a|counter.mht!http|3a|//"; nocase; content:"/counter/HELP3.CHM|3a 3a|/help.htm"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001452; classtype:trojan-activity; sid:2001452; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bundleware Spyware cab Download"; flow: to_server,established; content:"/counter/counter_v3.cab"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001458; classtype:trojan-activity; sid:2001458; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE C4tdownload.com Spyware Activity"; flow: to_server,established; content:"/js.php?event_type=onload&recurrence="; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/adware.clickdloader.b.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002088; classtype:trojan-activity; sid:2002088; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CNSMIN (3721.com) Spyware Activity"; flow:established,to_server; content:"/download/CnsMin"; nocase; http_uri; content:"?t="; nocase; http_uri; reference:url,www.spyany.com/program/article_spy_rm_CnsMin.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003417; classtype:trojan-activity; sid:2003417; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CNSMIN (3721.com) Spyware Activity 2"; flow:established,to_server; content:"/download/CnsUp"; nocase; http_uri; content:"?t="; nocase; http_uri; reference:url,www.spyany.com/program/article_spy_rm_CnsMin.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003418; classtype:trojan-activity; sid:2003418; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CNSMIN (3721.com) Spyware Activity 3"; flow:established,to_server; content:"/download/autolvsw.ini?"; nocase; http_uri; content:"?t="; nocase; http_uri; reference:url,www.spyany.com/program/article_spy_rm_CnsMin.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003419; classtype:trojan-activity; sid:2003419; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CWS qck.cc Spyware Installer (in.php)"; flow:established,to_server; content:"/x/in.php?wm="; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002089; classtype:trojan-activity; sid:2002089; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CWS qck.cc Spyware Installer (web.php)"; flow:established,to_server; content:"/x/tbd_web.php?wm="; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002095; classtype:trojan-activity; sid:2002095; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CWS Trafcool.biz Related Installer"; flow:established,to_server; content:"/progs_traff/"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002931; classtype:trojan-activity; sid:2002931; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CWS Spy-Sheriff.com Infeced Buy Page Request"; flow:established,to_server; content:"/?advid="; nocase; http_uri; content:"spy-sheriff.com"; nocase; http_header; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002933; classtype:trojan-activity; sid:2002933; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spywaremover Activity"; flow: to_server,established; content:"/download/cabs/THNALL1L/thnall1l.exe"; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453087903; reference:url,doc.emergingthreats.net/bin/view/Main/2001521; classtype:trojan-activity; sid:2001521; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casalemedia Spyware Reporting URL Visited 3"; flow: to_server,established; content:"/sd?"; nocase; http_uri; pcre:"/\/sd\?s=\d+&f=\d&C=\d/Ui"; reference:url,doc.emergingthreats.net/2009880; classtype:trojan-activity; sid:2009880; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casalemedia Spyware Reporting URL Visited 2"; flow: to_server,established; content:"/sd?"; nocase; http_uri; pcre:"/\/sd\?s=\d+&f=\d/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2002196; classtype:trojan-activity; sid:2002196; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casino on Net Install"; flow: to_server,established; content:"/newdownload/newsetup/"; nocase; http_uri; content:"casinone"; nocase; reference:url,www.888casino.net; reference:url,doc.emergingthreats.net/bin/view/Main/2001041; classtype:trojan-activity; sid:2001041; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casino on Net Reporting Data"; flow: to_server,established; content:"/logs.asp?MSGID=100"; nocase; http_uri; reference:url,www.888casino.net; reference:url,doc.emergingthreats.net/bin/view/Main/2001031; classtype:trojan-activity; sid:2001031; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casino on Net Ping Hit"; flow: to_server,established; content:"/Ping/Ping.txt"; nocase; http_uri; reference:url,www.888casino.net; reference:url,doc.emergingthreats.net/bin/view/Main/2001032; classtype:trojan-activity; sid:2001032; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casino on Net Data Download"; flow: to_server,established; content:"/sdl/casinov"; nocase; http_uri; reference:url,www.888casino.net; reference:url,doc.emergingthreats.net/bin/view/Main/2001033; classtype:trojan-activity; sid:2001033; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Catchonlife.com Spyware"; flow: to_server,established; content:"/nw3/r1.txt?"; http_uri; content:"catchonlife"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003358; classtype:trojan-activity; sid:2003358; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Clickspring.net Spyware Reporting Successful Install"; flow: to_server,established; content:"/notify.php?pid=remupd&module=install&v="; nocase; http_uri; content:"&result=1&message=Success"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082745; reference:url,doc.emergingthreats.net/bin/view/Main/2001494; classtype:trojan-activity; sid:2001494; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Clickspring.net Spyware Reporting"; flow: to_server,established; content:"/notify.php?pid=ctxad&module=NDrvExe&v="; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082745; reference:url,doc.emergingthreats.net/bin/view/Main/2001500; classtype:trojan-activity; sid:2001500; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Comet Systems Spyware Traffic"; flow: to_server,established; content:"/cc/"; http_uri; content:"Host|3a| update.cc.cometsystems.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2000931; classtype:policy-violation; sid:2000931; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CometSystems Spyware"; flow: to_server,established; content:"/comet/request"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001050; classtype:policy-violation; sid:2001050; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Comet Systems Spyware Traffic (context.xml)"; flow: to_server,established; content:"/context/1/up_context_1.xml"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083029; reference:url,doc.emergingthreats.net/bin/view/Main/2001655; classtype:policy-violation; sid:2001655; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Comet Systems Spyware Reporting"; flow: to_server,established; content:"Host|3a| log.cc.cometsystems.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001658; classtype:policy-violation; sid:2001658; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Comet Systems Spyware Update Download"; flow: to_server,established; content:"/cc/5/masterconfig/"; nocase; http_uri; content:"/update.xml?v="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002351; classtype:policy-violation; sid:2002351; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Comet Systems Spyware Context Report"; flow: to_server,established; content:"/context/1/up_context_1.xml?v="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002352; classtype:policy-violation; sid:2002352; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Comet Systems Spyware Cursor DL"; flow: to_server,established; content:"/czcontent/cursor"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003307; classtype:policy-violation; sid:2003307; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Conduit Connect Toolbar Message Download(Many report to be benign)"; flow: to_server,established; content:"/Message/"; http_uri; content:"User-Agent|3a| EI"; nocase; http_header; pcre:"/\/Message\/\S+\/\S+\.xml/Ui"; reference:url,www.conduit.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003218; classtype:trojan-activity; sid:2003218; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Content-loader.com Spyware Install"; flow: to_server,established; content:"/getexe/?wmid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003074; classtype:trojan-activity; sid:2003074; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Content-loader.com Spyware Install 2"; flow: to_server,established; content:"/getdata/getdata.php?wmid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003075; classtype:trojan-activity; sid:2003075; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Content-loader.com (ownusa.info) Spyware Install"; flow: to_server,established; content:"/fdial2.php?o="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003076; classtype:trojan-activity; sid:2003076; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Context Plus Spyware Install"; flow: established,to_server; content:"/AproposClientInstaller.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001704; classtype:trojan-activity; sid:2001704; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ContextPanel Reporting"; flow: to_server,established; content:"/cplog/?logtype="; nocase; http_uri; content:"contextpanel.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001456; classtype:policy-violation; sid:2001456; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CoolDeskAlert Spyware Activity"; flow:to_server,established; content:"/alert/get_xml"; nocase; http_uri; content:"deskbar_id={"; nocase; reference:url,cooldeskalert.com; reference:url,www.benedelman.org/spyware/images/bannerfarms-ad_w_a_r_e-globalstore-log-061006.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003462; classtype:trojan-activity; sid:2003462; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Coolsearch Spyware Install"; flow: to_server,established; content:"coolsearch.biz/united.htm"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001479; classtype:trojan-activity; sid:2001479; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net BlackList - pcpeek"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"pcpeek-webcam-sex.com"; nocase; http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002766; classtype:trojan-activity; sid:2002766; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net Distribution - bos.biz"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"businessopportunityseeker.biz"; nocase; http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002767; classtype:trojan-activity; sid:2002767; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net Distribution - studiolacase"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"studiolacase.com"; nocase; http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002769; classtype:trojan-activity; sid:2002769; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net - msits.exe access"; flow:to_server,established; content:"/msits.exe"; nocase; http_uri; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002770; classtype:trojan-activity; sid:2002770; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net - msys.exe access"; flow:to_server,established; content:"/msys.exe"; nocase; http_uri; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002771; classtype:trojan-activity; sid:2002771; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Couponage Download"; flow: to_server,established; content:".dl_"; nocase; http_uri; content:"couponage.com"; nocase; http_header; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; reference:url,doc.emergingthreats.net/bin/view/Main/2001453; classtype:policy-violation; sid:2001453; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Couponage Configure"; flow: to_server,established; content:".da_"; nocase; content:"couponage.com"; nocase; http_header; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; reference:url,doc.emergingthreats.net/bin/view/Main/2001454; classtype:policy-violation; sid:2001454; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image"; flow: established,from_server; content:"Content-Type|3a| image"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2001683; classtype:trojan-activity; sid:2001683; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Executable purporting to be .txt file with no Referer - Likely Malware"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"|0d 0a|Referer|3a| "; nocase; http_header; content:".txt"; nocase; http_uri; pcre:"/\.txt$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010500; classtype:trojan-activity; sid:2010500; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Executable purporting to be .cfg file with no Referer - Likely Malware"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"|0d 0a|Referer|3a| "; nocase; http_header; content:".cfg"; nocase; http_uri; pcre:"/\.cfg$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010501; classtype:trojan-activity; sid:2010501; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE DelFin Project Spyware (payload)"; flow: established,to_server; content:"/in/payload/payload.nfo?"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002816; classtype:trojan-activity; sid:2002816; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE DelFin Project Spyware (setup)"; flow: established,to_server; content:"/in/defaults/setup.nfo?"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002817; classtype:trojan-activity; sid:2002817; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE DelFin Project Spyware (setup-alt)"; flow: established,to_server; content:"/in/defaults/setup-alt.nfo?"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003472; classtype:trojan-activity; sid:2003472; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE DelFin Project Spyware (payload-alt)"; flow: established,to_server; content:"/in/payload/payload-alt.nfo?"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003473; classtype:trojan-activity; sid:2003473; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE DesktopTraffic Toolbar Spyware"; flow: to_server,established; content:"cgi-bin/ezl_kws.fcgi?cat"; nocase; http_uri; reference:url,research.spysweeper.com/threat_library/threat_details.php?threat=desktoptraffic.net_hijack; reference:url,doc.emergingthreats.net/bin/view/Main/2001884; classtype:trojan-activity; sid:2001884; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Deskwizz.com Spyware Install INI Download"; flow: to_server,established; content:"/GetAd/tekID"; nocase; http_uri; content:".ini"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003445; classtype:policy-violation; sid:2003445; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Deskwizz.com Spyware Install Code Download"; flow: to_server,established; content:"/ax/acdt-pid"; nocase; http_uri; content:".exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003444; classtype:policy-violation; sid:2003444; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Direct-web.co.kr Related Spyware Checkin"; flow:established,to_server; content:".php?appname="; nocase; http_uri; content:"&appseq="; nocase; http_uri; content:"&mac="; nocase; http_uri; content:"&type="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007978; classtype:trojan-activity; sid:2007978; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Mac Check"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/nchkmac.php?mac=0"; nocase; http_uri; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006427; classtype:trojan-activity; sid:2006427; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin (open)"; flow:established,to_server; content:"/open.php?sn="; nocase; http_uri; pcre:"/sn=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006428; classtype:trojan-activity; sid:2006428; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/chkblack.php?mac=0"; nocase; http_uri; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006431; classtype:trojan-activity; sid:2006431; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin (ret)"; flow:established,to_server; content:"/ret.php?"; nocase; http_uri; content:"mode="; nocase; http_uri; content:"&cname="; nocase; http_uri; content:"&cn="; nocase; http_uri; pcre:"/cn=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006432; classtype:trojan-activity; sid:2006432; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Post (api_result)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/api_result.php?"; nocase; http_uri; content:"mode="; nocase; http_uri; content:"&PartID="; nocase; http_uri; content:"&mac="; nocase; http_uri; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006433; classtype:trojan-activity; sid:2006433; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Viruscheck.co.kr Related Fake Anti-Spyware Post (chkvs)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/chkvs.php?mac=0"; nocase; http_uri; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2007642; classtype:trojan-activity; sid:2007642; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Dollarrevenue.com Spyware Code Download"; flow:established,to_server; content:"/bundle/drsmartload.exe"; nocase; http_uri; reference:url,dollarrevenue.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002967; classtype:trojan-activity; sid:2002967; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TROJAN_VB Microjoin"; flow:established,to_server; content:"/bundle/loader.exe"; nocase; http_uri; reference:url,de.trendmicro-europe.com/consumer/vinfo/encyclopedia.php?VName=TROJ_VB.AWW; reference:url,doc.emergingthreats.net/bin/view/Main/2003084; classtype:trojan-activity; sid:2003084; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Dropspam.com Spyware Reporting"; flow:established,to_server; content:"/reportaddon.cgi?"; nocase; http_uri; content:"report.cgi?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"software="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003440; classtype:trojan-activity; sid:2003440; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE E2give Related Reporting Install"; flow: to_server,established; content:"/count/count.php?&mm"; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001416; classtype:trojan-activity; sid:2001416; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE E2give Related Receiving Config"; flow: to_server,established; content:"/config/?"; nocase; http_uri; content: "v=5"; nocase; http_uri;content: "n=mm2"; nocase; http_uri; content: "i="; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001417; classtype:trojan-activity; sid:2001417; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE E2give Related Downloading Code"; flow: to_server,established; content:"/soft/unstall.exe"; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001418; classtype:trojan-activity; sid:2001418; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE E2give Related Reporting"; flow: to_server,established; content:"/count/count.php?&mm2cpr"; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001423; classtype:trojan-activity; sid:2001423; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE E2give Spyware Reporting (check url)"; flow: to_server,established; content:"/go/check?build="; nocase; http_uri; content:"&source="; nocase; http_uri; content:"&merchants="; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2003504; classtype:trojan-activity; sid:2003504; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ESyndicate Spyware Install (esyndicateinst.exe)"; flow: to_server,established; content:"/files/eSyndicateInst.exe"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058; reference:url,doc.emergingthreats.net/bin/view/Main/2002009; classtype:trojan-activity; sid:2002009; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ESyndicate Spyware Install (sepinst.exe)"; flow: to_server,established; content:"/files/SEPInst.exe"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058; reference:url,doc.emergingthreats.net/bin/view/Main/2002010; classtype:trojan-activity; sid:2002010; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EZSearch Spyware Reporting Search Strings"; flow:established,to_server; content:"/partner/rt.php?q="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002317; classtype:trojan-activity; sid:2002317; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EZSearch Spyware Reporting Search Category"; flow:established,to_server; content:"/partner/rt.php?cat="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002318; classtype:trojan-activity; sid:2002318; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EZSearch Spyware Reporting 2"; flow:established,to_server; content:"/partner/bom.php?e="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002319; classtype:trojan-activity; sid:2002319; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Ebates Install"; flow: to_server,established; content:"/ebates.exe"; http_uri; reference:url,www.pestpatrol.com/PestInfo/e/ebates_moneymaker.asp; reference:url,doc.emergingthreats.net/bin/view/Main/2001038; classtype:policy-violation; sid:2001038; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Effectivebrands.com Spyware Checkin"; flow:established,to_server; content:"/iis2ebs.asp"; nocase; http_uri; content:"effectivebrands.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003304; classtype:trojan-activity; sid:2003304; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Effectivebrands.com Spyware Checkin 2"; flow:established,to_server; content:"/iis2ucms.asp"; nocase; http_uri; content:"effectivebrands.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003360; classtype:trojan-activity; sid:2003360; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Elitemediagroup.net Spyware Config Download"; flow:established,to_server; content:"/bundle.php?aff="; nocase; http_uri; reference:url,elitemediagroup.net; reference:url,doc.emergingthreats.net/bin/view/Main/2002966; classtype:trojan-activity; sid:2002966; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Epilot.com Spyware Reporting"; flow:established,to_server; content:"/getresults.aspx"; nocase; http_uri; content:"?aff="; nocase; http_uri; content:"&ip="; nocase; http_uri; content:"&keyword="; nocase; http_uri; content:"&source="; nocase; http_uri; reference:url,www.intermute.com/spysubtract/researchcenter/ClientMan.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003414; classtype:trojan-activity; sid:2003414; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Epilot.com Spyware Reporting Clicks"; flow:established,to_server; content:"/click.aspx?"; nocase; http_uri; content:"?xp="; nocase; http_uri; content:"Host|3a| "; nocase; http_header; content:"epilot.com"; nocase; http_header; reference:url,www.intermute.com/spysubtract/researchcenter/ClientMan.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003416; classtype:trojan-activity; sid:2003416; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE F1Organizer Install Attempt"; flow: to_server,established; content:"/f1/objects/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000585; classtype:trojan-activity; sid:2000585; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE F1Organizer Reporting"; flow: to_server,established; content:"/f1/audit/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000582; classtype:trojan-activity; sid:2000582; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE F1Organizer Config Download"; flow: to_server,established; content:"/F1/Cmd4F1"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001221; classtype:trojan-activity; sid:2001221; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Findwhat.com Spyware (clickthrough)"; flow: to_server,established; content:"/bin/findwhat.dll?clickthrough&"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003579; classtype:trojan-activity; sid:2003579; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Findwhat.com Spyware (sendmedia)"; flow: to_server,established; content:"/bin/findwhat.dll?sendmedia&"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003581; classtype:trojan-activity; sid:2003581; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE FlashTrack Agent Retrieving New App Code"; flow: to_server,established; content:"/apps/r.exe"; http_uri; reference:url,www.flashpoint.bm; reference:url,doc.emergingthreats.net/bin/view/Main/2000936; classtype:trojan-activity; sid:2000936; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Flingstone Spyware Install (cxtpls)"; flow: established,to_server; content:"/softwares/cxtpls_loader_ff.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001710; classtype:trojan-activity; sid:2001710; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Flingstone Spyware Install (sportsinteraction)"; flow: established,to_server; content:"/softwares/SportsInteraction.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001705; classtype:trojan-activity; sid:2001705; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Freeze.com Spyware/Adware (Install)"; flow: to_server,established; content:"/checkhttp.htm"; nocase; http_uri; content:"User-Agent|3a| Wise"; nocase; http_header; content:"freeze.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002840; classtype:policy-violation; sid:2002840; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Freeze.com Spyware/Adware (Install Registration)"; flow: to_server,established; content:"/ping/?shortname="; nocase; http_uri; content:"User-Agent|3a| Wise"; nocase; http_header; content:"freeze.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002841; classtype:policy-violation; sid:2002841; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Freeze.com Spyware/Adware (Pulling Ads)"; flow: to_server,established; content:"/ToastMessage/"; nocase; http_uri; content:"/Toast.asp?ysaid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003362; classtype:policy-violation; sid:2003362; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W3i Related Adware/Spyware"; flow:established,to_server; content:"GET"; nocase; http_method; content:"shortname="; nocase; http_uri; content:"os="; nocase; http_uri; content:"v="; nocase; http_uri; content:"browsers="; nocase; http_uri; content:"readable="; nocase; http_uri; reference:url,www.tallemu.com/oasis2/vendor/w3i__llc/623302; reference:url,doc.emergingthreats.net/2009705; classtype:trojan-activity; sid:2009705; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Install"; flow: to_server,established; content:"/install_ie.jsp?product="; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000599; classtype:policy-violation; sid:2000599; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products SmileyCentral"; flow: to_server,established; content:"/images/smileycentral/"; nocase; http_uri; content:"FunWebProducts"; nocase; http_header; fast_pattern; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001013; classtype:policy-violation; sid:2001013; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Smileychooser Spyware"; flow: to_server,established; content:"/SmileyChooser.html?"; nocase; http_uri; content:"v="; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002305; classtype:policy-violation; sid:2002305; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Smileychooser Spyware"; flow: to_server,established; content:"/SmileyChooser.html?"; nocase; http_uri; content:"v="; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002310; classtype:policy-violation; sid:2002310; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Cursorchooser Spyware"; flow: to_server,established; content:"/CursorChooser.html?"; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002306; classtype:policy-violation; sid:2002306; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products StationaryChooser Spyware"; flow: to_server,established; content:"/StationeryChooser.html?"; nocase; http_uri; content: "v="; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002858; classtype:policy-violation; sid:2002858; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products SmileyCentral IEsp2 Install"; flow: to_server,established; content:"/download/install_ie_sp2.jhtml?"; nocase; http_uri; content:"product="; nocase; http_uri; content:"utmCall="; nocase; http_uri; content:"bOrganic="; nocase; http_uri; reference:url,www.myfuncards.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003151; classtype:trojan-activity; sid:2003151; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gamehouse.com Activity"; flow: to_server,established; content:"/game-quit-count.jsp?ghgamecode="; http_uri; reference:url,www.gamehouse.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003348; classtype:trojan-activity; sid:2003348; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gator Cookie"; flow: to_server,established; content:"webpdpcookie"; content:".gator.com"; nocase; http_header; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000025; classtype:policy-violation; sid:2000025; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gator New Code Download"; flow: to_server,established; content:"/gatorcme/"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000597; classtype:policy-violation; sid:2000597; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gator/Claria Data Submission"; flow: to_server,established; content:"POST"; nocase;  http_method; content:"gs_trickler"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000596; classtype:policy-violation; sid:2000596; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gator/Clarian Agent"; flow: to_server,established; content:"/gbsf/"; nocase; http_uri; content:"gtrg2ze"; nocase; http_uri; reference:url,malware.wikia.com/wiki/Claria_Corporation; reference:url,doc.emergingthreats.net/bin/view/Main/2001306; classtype:policy-violation; sid:2001306; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Likely Trojan/Spyware Installer Requested (1)"; flow: established,to_server; content:".scr"; nocase; http_uri; pcre:"/(cartao|mensagem|voxcards|humortadela|ouca|cartaovirtual|uol3171|embratel|yahoo|viewforhumor|humormenssagem|terra)\.scr/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2001850; classtype:trojan-activity; sid:2001850; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Likely Trojan/Spyware Installer Requested (2)"; flow: established,to_server; content:".exe"; nocase; http_uri; pcre:"/(discador|ocartao|msgav|extrato|correcao|extrato_tim|visualizar|cartas&cartoes|embratel|cartao|MSN_INSTALL|VirtualCards|atualizacaonorton|serasar|CobrancaEmbratel|ExtratoTim|FlashFotos|Vacina-Norton|CartaoIloves|Cobranca|fotos_ineditas|boletocobranca|saudades|wwwuolcartoescombr|cartaoanimado)\.exe/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2002093; classtype:trojan-activity; sid:2002093; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IE homepage hijacking"; flow: from_server,established; content:"wsh.RegWrite"; nocase; content:"HKLM\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Main\\\\Start Page"; nocase; reference:url,www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000514; classtype:misc-attack; sid:2000514; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE shell browser vulnerability W9x/XP"; flow: from_server,established; content:"shell|3a|windows"; nocase; reference:url,www.packetfocus.com/shell_exploit.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000519; classtype:misc-attack; sid:2000519; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE shell browser vulnerability NT/2K"; flow: from_server,established; content:"shell|3a|winnt"; nocase; reference:url,www.packetfocus.com/shell_exploit.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000520; classtype:misc-attack; sid:2000520; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE GlobalPhon.com Dialer"; flow: to_server,established; content:"Host|3a| www.globalphon.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001656; classtype:trojan-activity; sid:2001656; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE GlobalPhon.com Dialer Download"; flow: to_server,established; content:"/dialer/internazionale_ver"; nocase; http_uri; content:".CAB"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001657; classtype:trojan-activity; sid:2001657; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE GlobalPhon.com Dialer (no_pop)"; flow: to_server,established; content:"/no_pop.asp?"; nocase; http_uri; content: "id="; nocase; http_uri; content:"globalphon.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001659; classtype:trojan-activity; sid:2001659; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE GlobalPhon.com Dialer (add_ocx)"; flow: to_server,established; content:"/add_ocx.asp?"; nocase; http_uri; content: "id="; nocase; http_uri; content:"globalphon.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001660; classtype:trojan-activity; sid:2001660; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gooochi Related Spyware Ad pull"; flow:established,to_server; content:"GET"; nocase; http_method; content:"?z="; nocase; http_uri; content:"|26|ch="; nocase; http_uri; content:"|26|dim="; nocase; http_uri; content:"|26|abr="; nocase; http_uri; content:!"Referer|3a| "; nocase; http_header; reference:url,www.threatexpert.com/reports.aspx?find=ads.gooochi.biz; reference:url,doc.emergingthreats.net/bin/view/Main/2008375; classtype:trojan-activity; sid:2008375; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE GrandstreetInteractive.com Install"; flow: to_server,established; content:"/tdtb.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002012; classtype:trojan-activity; sid:2002012; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE GrandstreetInteractive.com Update"; flow: to_server,established; content:"/wupdsnff.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002013; classtype:trojan-activity; sid:2002013; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Guard-Center.com Fake AntiVirus Post-Install Checkin"; flow:established,to_server; content:".php?"; http_uri; content:"&advid="; http_uri; content:"&u="; http_uri; content:"&p="; http_uri; content:"HTTP/1."; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007744; classtype:trojan-activity; sid:2007744; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hex Encoded IP HTTP Request - Likely Malware"; flow:established,to_server; content:"Host|3a| 0x"; http_header; pcre:"/^Host\x3a\x200x[0-9a-f]+\r?$/Hmi"; reference:url,doc.emergingthreats.net/bin/view/Main/2007951; classtype:trojan-activity; sid:2007951; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE host-domain-lookup.com spyware related Checkin"; flow:established,to_server; content:"?udata="; http_uri; content:"mission_supgrade|3a|"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007749; classtype:trojan-activity; sid:2007749; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE host-domain-lookup.com spyware related Start Report"; flow:established,to_server; content:"?udata="; http_uri; content:"program_started|3a|"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007750; classtype:trojan-activity; sid:2007750; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Install (1)"; flow: to_server,established; content:"/install/startInstallprocess.asp?"; nocase; http_uri; content: "Defau"; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000920; classtype:trojan-activity; sid:2000920; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Install (2)"; flow: to_server,established; content:"/install/process/upsale/hotbar"; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000921; classtype:trojan-activity; sid:2000921; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Install (3)"; flow: to_server,established; content:"/installs/hotbar/programs/"; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000922; classtype:trojan-activity; sid:2000922; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Agent Reporting Information"; flow: to_server,established; content:"POST"; nocase; http_method; content:"/reports/hotbar/"; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000923; classtype:trojan-activity; sid:2000923; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Agent Upgrading"; flow: to_server,established; content:"/updates/hotbar/"; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000924; classtype:trojan-activity; sid:2000924; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Agent Activity"; flow: to_server,established; content:"/dynamic/hotbar/"; nocase; http_uri; threshold: type limit, count 1, track by_src, seconds 360; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000929; classtype:trojan-activity; sid:2000929; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Agent Partner Checkin"; flow: to_server,established; content:"/partners/"; nocase; http_uri; content:"partners.xip"; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000925; classtype:trojan-activity; sid:2000925; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Agent Subscription POST"; flow: to_server,established; content:"/hotbar/"; nocase; http_uri; content:"Subscription.dll?"; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002820; classtype:trojan-activity; sid:2002820; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Agent Adopt/Zango"; flow: to_server,established; content:"/adopt.jsp?"; nocase; http_uri; content:"l="; nocase; http_uri; content:"&sz="; nocase; http_uri; content:"cid="; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003364; classtype:trojan-activity; sid:2003364; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Keywords Download"; flow: to_server,established; content:"/keywords/kyfb."; nocase; http_uri; content:"partner_id="; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003388; classtype:trojan-activity; sid:2003388; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar.com Related Spyware Install Report"; flow:established,to_server; content:"/ciconfig.aspx?did="; http_uri; content:"&brandid="; http_uri; content:"&os="; http_uri; content:"&pkg_ver="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008917; classtype:trojan-activity; sid:2008917; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar.com Related Spyware Activity Report"; flow:established,to_server; content:"/trackedevent.aspx?eid="; http_uri; content:"&brand="; http_uri; content:"&os="; http_uri; content:"&mt="; http_uri; content:"&pkg_ver="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008918; classtype:trojan-activity; sid:2008918; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ICQ-Update.biz Reporting Install"; flow: to_server,established; content:"log.php?"; nocase; http_uri; content: "IP="; nocase; http_uri; content:"Port1="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001490; classtype:trojan-activity; sid:2001490; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE IEHelp.net Spyware Installer"; flow:established,to_server; content:"/counter/help.chm"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.domcom.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002090; classtype:trojan-activity; sid:2002090; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE IEHelp.net Spyware checkin"; flow:established,to_server; content:"/l/gpr.php?"; nocase; http_uri; content: "ID1="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.domcom.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002096; classtype:trojan-activity; sid:2002096; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ISearchTech.com XXXPornToolbar Reporting"; flow: to_server,established; content:"/ist/scripts/log_downloads.php"; nocase; http_uri; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000927; classtype:trojan-activity; sid:2000927; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ISearchTech.com XXXPornToolbar Activity (1)"; flow: to_server,established; content:"/ist/bars/"; nocase; http_uri; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000928; classtype:trojan-activity; sid:2000928; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ISearchTech.com XXXPornToolbar Activity (2)"; flow: to_server,established; content:"/ist/softwares/"; nocase; http_uri; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001395; classtype:trojan-activity; sid:2001395; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ISearchTech Toolbar Data Submission"; flow: to_server,established; content:"/ist/scripts/istsvc_ads_data.php?"; nocase; http_uri; content: "version="; nocase; http_uri; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001697; classtype:trojan-activity; sid:2001697; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Incredisearch.com Spyware Ping"; flow: established,to_server; content:"/ping.asp"; nocase; http_uri; content:"incredisearch.com";  nocase;  http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001793; classtype:trojan-activity; sid:2001793; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Incredisearch.com Spyware Activity"; flow: established,to_server; content:"Host|3a| www.incredisearch.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001794; classtype:trojan-activity; sid:2001794; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Instafinder.com spyware"; flow: established,to_server; content:"/404/update/instafi"; nocase;  http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003376; classtype:trojan-activity; sid:2003376; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Internet Fuel.com Install"; flow: to_server,established; content:"/cgi-bin/omnidirect.cgi?&debug_log="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002015; classtype:trojan-activity; sid:2002015; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Internet Optomizer Reporting Data"; flow: to_server,established; content:"/io/downloads/"; nocase; http_uri; content:"/wsi8/optimize"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.netoptimizer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001308; classtype:policy-violation; sid:2001308; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Internet Optimizer Spyware Install"; flow: to_server,established; content:"/internet-optimizer/"; nocase; http_uri; content:"/optimize"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.netoptimizer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001396; classtype:policy-violation; sid:2001396; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE jmnad1.com Spyware Install (1)"; flow: to_server,established; content:"/install.qg?"; nocase; http_uri; content: "ID="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002019; reference:url,wilderssecurity.com/threads/hijack-this-log-sandoxer-jmnad1.42146/; classtype:trojan-activity; sid:2002019; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE jmnad1.com Spyware Install (2)"; flow: to_server,established; content:"/download/mw_4s_stub.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002016; classtype:trojan-activity; sid:2002016; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Malicious Applet Access (justexploit kit)"; flow:to_server,established; content:"/sdfg.jar"; http_uri; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3570.0; reference:url,doc.emergingthreats.net/2010438; classtype:trojan-activity; sid:2010438; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Keenvalue Update Engine"; flow: to_server,established; content:"Host|3a|secure.keenvalue.com"; http_header; fast_pattern; content:"|0d0a|Extension|3a|Remote-Passphrase"; reference:url,www.safer-networking.org/index.php?page=updatehistory&detail=2003-11-24; reference:url,doc.emergingthreats.net/bin/view/Main/2000932; classtype:trojan-activity; sid:2000932; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Thespyguard.com Spyware Install"; flow:established,to_server; content:"/soft/installers/spyguardf.php"; nocase; http_uri; reference:url,www.thespyguard.com; reference:url,www.kliksoftware.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003201; classtype:trojan-activity; sid:2003201; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Thespyguard.com Spyware Update Check"; flow:established,to_server; content:"/soft/update/check_update.php"; nocase; http_uri; content:"Host|3a| www.kliksoftware.com"; nocase; http_header; reference:url,www.kliksoftware.com; reference:url,www.thespyguard.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003202; classtype:trojan-activity; sid:2003202; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hitvirus Fake AV Install"; flow:established,to_server; content:"/soft/installers/hitvirusf.php"; nocase; http_uri; content:"get.hitvirus.com"; nocase; http_header; reference:url,www.kliksoftware.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003203; classtype:trojan-activity; sid:2003203; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Thespyguard.com Spyware Updating"; flow:established,to_server; content:"/soft/update/get.php"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"mail="; nocase; http_uri; content:"Host|3a| www.kliksoftware.com"; nocase; http_header; reference:url,www.kliksoftware.com; reference:url,www.thespyguard.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003204; classtype:trojan-activity; sid:2003204; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE KMIP.net Spyware"; flow:established,to_server; content:"/iesocks?peer_id="; nocase; http_uri; content:"ver="; nocase; http_uri; reference:url,www.kmip.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003298; classtype:trojan-activity; sid:2003298; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE KMIP.net Spyware 2"; flow:established,to_server; content:"/sp?c=N&i="; nocase; http_uri; content:"&v="; nocase; http_uri; reference:url,www.kmip.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003526; classtype:trojan-activity; sid:2003526; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Kwsearchguide.com Related Spyware Checkin"; flow:established,to_server; content:"/statics.php?maddr="; nocase; http_uri; content:"&ipaddr="; nocase; http_uri; content:"&ovt="; nocase; http_uri; content:"&verno="; nocase; http_uri; content:"&action="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008067; classtype:trojan-activity; sid:2008067; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Kwsearchguide.com Related Spyware Keepalive"; flow:established,to_server; content:"/alive.php?ovt=new_link"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008069; classtype:trojan-activity; sid:2008069; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE LocalNRD Spyware Checkin"; flow: to_server,established; content:"/a/Drk.syn?"; nocase; http_uri; content: "adcontext"; nocase; http_uri; reference:url,www.localnrd.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001340; classtype:trojan-activity; sid:2001340; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Look2me Spyware Activity (1)"; flow: to_server,established; content:"Referer|3a| Look2Me"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.look2me.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001499; classtype:trojan-activity; sid:2001499; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware.Look2Me Activity"; flow:established,to_server; content:"&ID={"; http_uri; fast_pattern:only; content:"&rand="; http_uri; content:"User-Agent|3a|Mozilla/4.0 (compatible|3b|"; http_header; pcre:"/&ID=\x7b[0-9A-F]{8}(?:-[A-F0-9]{4}){3}-[A-F0-9]{12}\x7d/U"; reference:url,doc.emergingthreats.net/bin/view/Main/2008474; classtype:trojan-activity; sid:2008474; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Malwarealarm.com Fake AV/AntiSpyware Updating"; flow:established,to_server; content:"/update.php?v="; nocase; http_uri; content:"&d="; nocase; http_uri; content:"&vs="; nocase; http_uri; content:"Host|3a| www.MalwareAlarm.com"; nocase; http_header; reference:url,sunbeltblog.blogspot.com/2007/04/another-fake-security-scam-site_9466.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003611; classtype:trojan-activity; sid:2003611; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Malwarealarm.com Fake AV/AntiSpyware Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/madownload.php?&advid="; nocase; http_uri;  content:"&u="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"Host|3a| download.MalwareAlarm.com"; nocase; http_header; reference:url,sunbeltblog.blogspot.com/2007/04/another-fake-security-scam-site_9466.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003612; classtype:trojan-activity; sid:2003612; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore.com Spyware Configuration Access"; flow: to_server,established; content:"/oss/remoteconfig.asp"; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000902; classtype:policy-violation; sid:2000902; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore.com Spyware Access"; flow: to_server,established; content:"proxyhttp|0b|marketscore|03|com"; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001359; classtype:policy-violation; sid:2001359; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE MarketScore.com Spyware SSL Access"; flow: to_server,established; content:"www.marketscore.com"; content:"InstantSSL1"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001563; classtype:policy-violation; sid:2001563; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore Spyware Uploading Data"; flow: to_server,established; content:"/scripts/contentidpost.dll"; nocase; http_uri; content:"OSS-Proxy"; nocase; http_header; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003253; classtype:policy-violation; sid:2003253; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore.com Spyware Proxied Traffic (mitmproxy agent)"; flow: to_server,established; content:"Proxy-agent|3a| ManInTheMiddle-Proxy"; http_header; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001586; classtype:policy-violation; sid:2001586; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore.com Spyware Upgrading"; flow: to_server,established; content:"/oss/upgrchk_2a.asp"; nocase; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001587; classtype:policy-violation; sid:2001587; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore.com Spyware Activity (1)"; flow: to_server,established; content:"/oss/dittorules.asp"; nocase; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001588; classtype:policy-violation; sid:2001588; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore.com Spyware Activity (2)"; flow: to_server,established; content:"/oss/routerrules2.asp"; nocase; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001589; classtype:policy-violation; sid:2001589; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,8080] (msg:"ET MALWARE Matcash Trojan Related Spyware Code Download"; flow:established,to_server; content:"User-Agent|3a| Windows 5.1 (2600)|3b| DMCP"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008759; classtype:trojan-activity; sid:2008759; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Trinityacquisitions.com and Maximumexperience.com Spyware Activity"; flow:to_server,established; content:"/upd/check?version="; nocase; http_uri; content:"&localeId="; nocase; http_uri; content:"&affid="; nocase; http_uri; content:"&updatevalue="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003344; classtype:trojan-activity; sid:2003344; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Media Pass ActiveX Install"; flow: to_server,established; content:"/MediaPassK.exe"; nocase; http_uri; reference:url,www.benedelman.org/news/010205-1.html; reference:url,static.windupdates.com/Release/v19/Info.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2001783; classtype:policy-violation; sid:2001783; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MediaTickets Download"; flow: to_server,established; content:"MediaTicketsInstaller.cab"; http_uri; content:"Host|3a| www.mt-download.com"; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winad.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001448; classtype:trojan-activity; sid:2001448; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MediaTickets Spyware Install"; flow: to_server,established; content:"/mtrslib2.js"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winad.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001481; classtype:trojan-activity; sid:2001481; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Medialoads.com Spyware Config"; flow: to_server,established; content:"/dw/cgi/download.cgi?"; nocase; http_uri; content:"sn="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"Host|3a|config.medialoads.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001503; classtype:trojan-activity; sid:2001503; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Medialoads.com Spyware Reporting (register.cgi)"; flow: to_server,established; content:"/dw/cgi/register.cgi?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"Host|3a|config.medialoads.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001509; classtype:trojan-activity; sid:2001509; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Medialoads.com Spyware Identifying Country of Origin"; flow: to_server,established; content:"/dw/cgi/country.cgi"; nocase; http_uri; content:"User-Agent|3a|"; nocase; http_header; content:"NSISDL"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001507; classtype:trojan-activity; sid:2001507; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Metarewards Spyware Activity"; flow: to_server,established; content:"Host|3a| www.metareward.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001666; classtype:policy-violation; sid:2001666; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Microgaming.com Spyware Installation (dlhelper)"; flow: established,to_server; content:"/dlhelper.cab"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001641; classtype:trojan-activity; sid:2001641; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Microgaming.com Spyware Installation (2)"; flow: established,to_server; content:"/DownloadHNew.asp?"; nocase; http_uri; content:"btag="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001643; classtype:trojan-activity; sid:2001643; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Microgaming.com Spyware Reporting Installation"; flow: established,to_server; content:"/dlhelper/downloadlogger2.asp?"; nocase; http_uri; content:"time="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001644; classtype:trojan-activity; sid:2001644; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Microgaming.com Spyware Casino App Install"; flow: established,to_server; content:"/viper/thunderluck/00"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001645; classtype:trojan-activity; sid:2001645; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mindset Interactive Install (1)"; flow: to_server,established; content:"/mindset5/data"; nocase; http_uri; reference:url,www.mindsetinteractive.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000583; classtype:trojan-activity; sid:2000583; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mindset Interactive Install (2)"; flow: to_server,established; content:"/mindset/data"; nocase; http_uri; reference:url,www.mindsetinteractive.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000584; classtype:trojan-activity; sid:2000584; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mirarsearch.com Spyware Posting Data"; flow:established,to_server; content:"/v70match.cgi?"; nocase; http_uri; content:"key1="; nocase; http_uri; content:"&key2="; nocase; http_uri; content:"&match="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003577; classtype:trojan-activity; sid:2003577; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware-Mirar Reporting (BAR)"; flow:to_server,established; content:"download.cgi?BUILDNAME="; nocase; http_uri; content:"&AFFILIATE="; http_uri; content:"&ID="; http_uri; content:"&ERROR=0"; http_uri; content:"User-Agent|3a| BAR"; http_header; reference:url,doc.emergingthreats.net/2009234; classtype:policy-violation; sid:2009234; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE My-Stats.com Spyware Checkin"; flow: established,to_server; content:"/ad-partner/SelectConfirm.php?"; nocase; http_uri; content:"dummy="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001747; classtype:misc-activity; sid:2001747; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyGlobalSearch Spyware bar update"; flow:established,to_server; content:"/images/mysearchbar/highlight"; http_uri; content:" MySearch)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003351; classtype:trojan-activity; sid:2003351; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyGlobalSearch Spyware bar update 2"; flow:established,to_server; content:"/images/mysearchbar/customize"; http_uri; content:" MySearch)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003352; classtype:trojan-activity; sid:2003352; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sears.com/Kmart.com My SHC Community spyware download"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/CSetup_xp.cab"; http_uri; reference:url,community.ca.com/blogs/securityadvisor/archive/2007/12/20/sears-com-join-the-community-get-spyware.aspx; reference:url,www.benedelman.org/news/010108-1.html; reference:url,doc.emergingthreats.net/bin/view/Main/2007996; classtype:trojan-activity; sid:2007996; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MySearchNow.com Spyware"; flow: to_server,established; content:"exe/dns.html"; nocase; http_uri; content:"User-Agent|3a| TPSystem"; nocase; http_header; reference:url,www.mysearchnow.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003221; classtype:trojan-activity; sid:2003221; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MySideSearch.com Spyware Install"; flow:established,to_server; content:".php?aff=mysidesearch&act=install"; http_uri; content:"User-Agent|3a| NSISDL/1.2 (Mozilla)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008915; classtype:trojan-activity; sid:2008915; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MySideSearch Browser Optimizer"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| NSISDL/1.2 (Mozilla)"; nocase; http_header; content:".php?aff="; nocase; http_uri; content:"&act="; nocase; http_uri; reference:url,www.spywareremove.com/removeMySideSearch.html; reference:url,www.threatexpert.com/threats/adware-win32-mysidesearch.html; reference:url,www.pctools.com/mrc/infections/id/Adware.MySideSearch/; reference:url,doc.emergingthreats.net/2009524; classtype:trojan-activity; sid:2009524; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE My Search Spyware Config Download"; flow: to_server,established; content:"/ms"; nocase; http_uri; content:"cfg.jsp?"; http_uri; content:"v="; nocase; http_uri; pcre:"/\/ms\d\d\dcfg\.jsp/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2002839; classtype:trojan-activity; sid:2002839; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyWebSearch Toolbar Receiving Configuration"; flow: to_server,established; content:"/speedbar/mySpeedbarCfg"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000600; classtype:trojan-activity; sid:2000600; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyWebSearch Toolbar Traffic (bar config download)"; flow: to_server,established; content:"/barcfg.jsp?"; nocase; http_uri; content:"MyWebSearchWB"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002836; classtype:trojan-activity; sid:2002836; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyWebSearch Toolbar Receiving Config 2"; flow: to_server,established; content:"/mySpeedbarCfg2.jsp"; nocase; http_uri; content:"MyWebSearch"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003222; classtype:trojan-activity; sid:2003222; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyWebSearch Toolbar Posting Activity Report"; flow:to_server,established; content:"/jsp/cfg_redir2.jsp?id="; nocase; http_uri; content:"url=http"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003617; classtype:trojan-activity; sid:2003617; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE New.net Spyware updating"; flow:established,to_server; content:"/download/NewDotNet/"; nocase; http_uri; content:"/upgrade.cab?"; nocase; http_uri; content:"upg="; nocase; http_uri; content:"ec="; nocase; http_uri; reference:url,www.new.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003240; classtype:trojan-activity; sid:2003240; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE New.net Spyware Checkin"; flow:established,to_server; content:"/?version="; nocase; http_uri; content:"discard_tag="; nocase; http_uri; content:"source="; nocase; http_uri; content:"ptr="; nocase; http_uri; content:"br=NewDotNet"; nocase; http_uri; content:"ec="; nocase; http_uri; reference:url,www.new.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003241; classtype:trojan-activity; sid:2003241; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Oenji.com Install"; flow: to_server,established; content:"/Bundled/OemjiInstall"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001538; classtype:trojan-activity; sid:2001538; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyspotter.com Access Likely Spyware"; flow: to_server,established; content:"Host|3a|"; nocase; http_header; content:".oemji.com"; http_header; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/bin/view/Main/2001539; classtype:trojan-activity; sid:2001539; rev:10; metadata:created_at 2010_07_30, updated_at 2017_05_11;)

#alert tcp $HOME_NET ![21,25,110,119,139,445,465,475,587,902,1433,2525] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established,only_stream; content:"220 "; depth:4; content:!"SMTP"; within:20; flowbits:isnotset,ET.pdf.in.http; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/2011124; classtype:non-standard-protocol; sid:2011124; rev:19; metadata:created_at 2010_07_30, updated_at 2017_09_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE OfferOptimizer.com Spyware"; flow: to_server,established; content:"/ctx/keyword_context.php?"; nocase; http_uri; content:"urlContext=http"; nocase; http_uri; reference:url,www.offeroptimizer.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001341; classtype:policy-violation; sid:2001341; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE OneStepSearch Host Activity"; flow: to_server,established; content:"GET"; nocase; http_method; content:"host|3a| upgrade.onestepsearch.net"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007855; classtype:trojan-activity; sid:2007855; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE OutBlaze.com Spyware Activity"; flow: to_server,established; content:"/scripts/adpopper/webservice.main"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002044; classtype:trojan-activity; sid:2002044; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Outerinfo.com Spyware Install"; flow: to_server,established; content:"/ctxad-"; nocase; http_uri; pcre:"/ctxad-\d+\.sig/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2001495; classtype:trojan-activity; sid:2001495; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Outerinfo.com Spyware Advertising Campaign Download"; flow: to_server,established; content:"/campaigns"; nocase; http_uri; content:"outerinfo.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001496; classtype:trojan-activity; sid:2001496; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Outerinfo.com Spyware Activity"; flow: to_server,established; content:"Host|3a| campaigns.outerinfo.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001497; classtype:trojan-activity; sid:2001497; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Outerinfo.com Spyware Checkin"; flow: to_server,established; content:"/notify.php?"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"&module="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&result="; nocase; http_uri; content:"&message="; nocase; http_uri; content:"outerinfo.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003426; classtype:trojan-activity; sid:2003426; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Overpro Spyware Bundle Install"; flow: to_server,established; content:"Host|3a| download.overpro.com"; nocase; http_header; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/WildApp\.cab/i"; reference:url,www.wildarcade.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001444; classtype:trojan-activity; sid:2001444; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Overpro Spyware Games"; flow: to_server,established; content:"/blocks/blasterblocks"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.overpro.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001459; classtype:trojan-activity; sid:2001459; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Overpro Spyware Install Report"; flow: to_server,established; content:"/processInstall.aspx"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.overpro.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002017; classtype:trojan-activity; sid:2002017; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EMO/PCPrivacyCleaner Rougue Secuirty App GET Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"action="; nocase; http_uri; content:"addt="; nocase; http_uri; content:"pc|5F|id="; nocase; http_uri; content:"abbr="; nocase; http_uri; reference:url,www.spywaresignatures.com/details/pcprivacycleaner.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2008456; classtype:trojan-activity; sid:2008456; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Pacimedia Spyware 1"; flow:to_server,established; content:"/mcp/mcp.cgi"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002083; classtype:trojan-activity; sid:2002083; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PCDoc.co.kr Fake AV User-Agent (PCDoc11)"; flow:established,to_server; content:"User-Agent|3a| PCDoc"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007786; classtype:trojan-activity; sid:2007786; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PCDoc.co.kr Fake AV User-Agent (mypcdoctor)"; flow:established,to_server; content:"User-Agent|3a| mypcdoc"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007804; classtype:trojan-activity; sid:2007804; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware PlusDream - GET Config Download/Update"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?kind="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&addresses="; nocase; http_uri; content:"&hdmacid="; nocase; reference:url,doc.emergingthreats.net/2009712; classtype:trojan-activity; sid:2009712; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Privacyprotector.com Fake Anti-Spyware Install"; flow: to_server,established; content:"/privacyprotectorfreesetup.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003547; classtype:trojan-activity; sid:2003547; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AVSystemcare.com.com Fake Anti-Virus Product"; flow:established,to_server; content:"?proto="; nocase; http_uri; content:"&rc="; nocase; http_uri;content:"&v="; nocase; http_uri; content:"&abbr="; nocase; http_uri; content:"&platform="; nocase; http_uri; content:"&os_version="; nocase; http_uri;content:"&ac="; nocase; http_uri; content:"&appid="; nocase; http_uri; content:"&em="; nocase; http_uri; content:"&pcid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007664; classtype:trojan-activity; sid:2007664; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET MALWARE Pynix.dll BHO Activity"; flow: established,to_server; content:"ABETTERINTERNET.EXE"; nocase; http_uri; content:"bho=PYNIX.DLL"; nocase; http_uri; reference:url,www.pynix.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001748; classtype:trojan-activity; sid:2001748; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Rabio Spyware/Adware Initial Registration"; flow:established,to_server; dsize:<200; content:"POST"; nocase; http_method; content:"REGISTER|7c|"; depth:9; http_client_body; pcre:"/REGISTER\x7c\d+\x7c\d+\x7c\d+\x7c\d/P"; reference:url,www.spywareguide.com/product_show.php?id=3770; reference:url,www.rabio.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007820; classtype:trojan-activity; sid:2007820; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Rabio.com Related Adware/Spyware User-Agent (HTTP_CONNECT_2)"; flow:established,to_server; content:"User-Agent|3a| HTTP_Connect_"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007821; classtype:trojan-activity; sid:2007821; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Rdxrp.com Traffic"; flow: to_server,established; content:"/rdxr020304.dat"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001311; classtype:trojan-activity; sid:2001311; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 20000 (msg:"ET MALWARE Realtimegaming.com Online Casino Spyware Gaming Checkin"; flow:established,to_server; dsize:<30; content:"|43 01 00|"; depth:4; content:"Casino"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008402; classtype:trojan-activity; sid:2008402; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Regnow.com Access"; flow: to_server,established; content:"/softsell/visitor.cgi?"; nocase; http_uri; content:"affiliate="; nocase; http_uri; reference:url,www.regnow.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001223; classtype:trojan-activity; sid:2001223; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Regnow.com Gamehouse.com Access"; flow: to_server,established; content:"/affiliates/template.jsp?"; nocase; http_uri; content:"AID="; nocase; http_uri; reference:url,www.gamehouse.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001224; classtype:trojan-activity; sid:2001224; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Salongas Infection"; flow: to_server,established; content:"/sp.htm?id="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000601; classtype:trojan-activity; sid:2000601; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Search Relevancy Spyware"; flow: established,to_server; content:"/SearchRelevancy/SearchRelevancy.dll"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.relevancy.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001696; classtype:trojan-activity; sid:2001696; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 1"; flow: to_server,established; content:"/rd/Clk.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002296; classtype:trojan-activity; sid:2002296; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 2"; flow: to_server,established; content:"/rd/feed/TextFeed.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002297; classtype:trojan-activity; sid:2002297; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 3"; flow: to_server,established; content:"/rd/feed/XMLFeed.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002298; classtype:trojan-activity; sid:2002298; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 4"; flow: to_server,established; content:"/rd/feed/JavaScriptFeed.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002299; classtype:trojan-activity; sid:2002299; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 5"; flow: to_server,established; content:"/rd/feed/JavaScriptFeedSE.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002300; classtype:trojan-activity; sid:2002300; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 6"; flow: to_server,established; content:"/rd/SearchResults.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002301; classtype:trojan-activity; sid:2002301; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 7"; flow: to_server,established; content:"/rd/jsp/BidRank/index.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002302; classtype:trojan-activity; sid:2002302; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 8"; flow: to_server,established; content:"/SFToolBar.html"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002303; classtype:trojan-activity; sid:2002303; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmeup Spyware Install (prog)"; flow: to_server,established; content:"/dkprogs/dktibs.php"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001474; classtype:trojan-activity; sid:2001474; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmeup Spyware Receiving Commands"; flow: to_server,established; content:"/xpsystem/commands.ini"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001475; classtype:trojan-activity; sid:2001475; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmeup Spyware Install (systime)"; flow: to_server,established; content:"/dkprogs/systime.txt"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001480; classtype:trojan-activity; sid:2001480; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmeup Spyware Install (mstask)"; flow: to_server,established; content:"/dkprogs/mstasks3.txt"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001483; classtype:trojan-activity; sid:2001483; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmeup Spyware Install (d.exe)"; flow: to_server,established; content:"/x30/d.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001484; classtype:trojan-activity; sid:2001484; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmiracle.com Spyware Install (v3cab)"; flow: to_server,established; content:"/cab/v3cab.cab"; http_uri; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001540; classtype:trojan-activity; sid:2001540; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Searchmiracle.com Spyware Installer silent.exe Download"; flow: from_server,established; content:"|20 28 43 29 20 32 30 30 31 2c 20 32 30 30 33 20 52 61 64 69 6d 20 50 69 63 68 61|"; reference:url,www.searchmiracle.com/silent.exe; reference:url,doc.emergingthreats.net/bin/view/Main/2001533; classtype:trojan-activity; sid:2001533; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmiracle.com Spyware Install (silent_install)"; flow: to_server,established; content:"/silent_install.exe"; nocase; http_uri; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001534; classtype:trojan-activity; sid:2001534; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmiracle.com Spyware Install (protector.exe)"; flow: to_server,established; content:"/protector.exe"; http_uri; content:"Host|3a| install.searchmiracle.com"; nocase; http_header; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001535; classtype:trojan-activity; sid:2001535; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmiracle.com Spyware Install (install)"; flow: to_server,established; content:"/sideb.exe"; content:"Host|3a| install.searchmiracle.com"; nocase; http_header; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001744; classtype:trojan-activity; sid:2001744; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmiracle.com Spyware Install - silent.exe"; flow: to_server,established; content:"/silent.exe"; nocase; http_uri; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002091; classtype:trojan-activity; sid:2002091; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Search Scout Related Spyware (content)"; flow: established,to_server; content:"Host|3a| content.searchscout.com"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.searchscout.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001650; classtype:policy-violation; sid:2001650; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Search Scout Related Spyware (results)"; flow: established,to_server; content:"Host|3a| results.searchscout.com"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.searchscout.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001653; classtype:policy-violation; sid:2001653; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Security-updater.com Spyware Posting Data"; flow:established,to_server; content:"/SA/receive_data.php3?tcpc="; http_uri; content:"security-updater.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003576; classtype:trojan-activity; sid:2003576; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Seekmo.com Spyware Data Upload"; flow:established,to_server; content:".aspx?"; http_uri; content:"eid="; http_uri; content:"&pkg_ver="; http_uri; content:"&ver="; http_uri; content:"&brand="; http_uri; content:"&mt="; http_uri; content:"&partid="; content:"&altdid="; http_uri; content:"&os="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008356; classtype:trojan-activity; sid:2008356; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Servicepack.kr Fake Patch Software Checkin"; flow:established,to_server; content:".php?kind="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&ver2="; nocase; http_uri; content:"&ver3="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&supportid="; nocase; http_uri; content:"&uniq="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008016; classtype:trojan-activity; sid:2008016; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sexmaniack Install Tracking"; flow: to_server,established; content:"/counted.php?ref="; nocase; http_uri; content:"Host|3a| counter.sexmaniack.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001460; classtype:trojan-activity; sid:2001460; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shop At Home Select.com Install Attempt"; flow: to_server,established; content:"/mindset/bunsetup.cab"; nocase; http_uri; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www.shopathomeselect.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000580; classtype:policy-violation; sid:2000580; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Shop At Home Select.com Install Download"; flow: from_server,established; content:"|ab 3b d4 97 d4 a7 b4 1d da 6e 6d 0f f4 aa 4f|"; content:"|46 b3 3b 8b 38 cc 2c 2a a4 c3 07 67 67 df 65 41|"; fast_pattern:only; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www.shopathomeselect.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000581; classtype:policy-violation; sid:2000581; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shop at Home Select Spyware Heartbeat"; flow: established,to_server; content:"/s.dll?MfcISAPICommand=heartbeat&param="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001708; classtype:policy-violation; sid:2001708; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shop at Home Select Spyware Install"; flow: established,to_server; content:"/arcadecash/setup"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002037; classtype:policy-violation; sid:2002037; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shopnav Spyware Install"; flow: to_server,established; content:"/toolbarv3.cgi?UID="; nocase; http_uri; content:"&version="; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.shopnav.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002000; classtype:trojan-activity; sid:2002000; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shopcenter.co.kr Spyware Install Report"; flow:established,to_server; content:"/RewardInstall.php?mac=0"; http_uri; content:"&hdd="; http_uri;content:"&ver="; http_uri; content:"&ie="; http_uri; content:"&win="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008370; classtype:trojan-activity; sid:2008370; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SideStep Bar Install"; flow: to_server,established; content:"/servlet/sbinstservlet"; nocase; http_uri; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001016; classtype:policy-violation; sid:2001016; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SideStep Bar Reporting Data"; flow: to_server,established; content:"/servlet/sblogservlet"; nocase; http_uri; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001017; classtype:policy-violation; sid:2001017; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SideStep Bar Reporting Data (sbstart)"; flow: to_server,established; content:"/servlet/SbStartservlet"; nocase; http_uri; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002821; classtype:policy-violation; sid:2002821; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Simbar Spyware User-Agent Detected"; flow:established,to_server; content:"User-Agent|3a| "; http_header; content:"|3b| SIMBAR={"; http_header; fast_pattern; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Simbar.a&threatid=427805; reference:url,vil.nai.com/vil/content/v_131206.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2009005; classtype:policy-violation; sid:2009005; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Smartpops.com Spyware Install rh.exe"; flow: to_server,established; content:"/install/RH/rh.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001505; classtype:trojan-activity; sid:2001505; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Smartpops.com Spyware Install"; flow: to_server,established; content:"/install/SE/sed.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001516; classtype:trojan-activity; sid:2001516; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Smartpops.com Spyware Update"; flow: to_server,established; content:"/data/spv15.dat?v="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001513; classtype:trojan-activity; sid:2001513; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Snoopstick.net Related Spyware User-Agent (SnoopStick Updater)"; flow:established,to_server; content:"User-Agent|3a| SnoopStick "; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007956; classtype:trojan-activity; sid:2007956; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Soft-Show.cn Related Fake AV Install"; flow:established,to_server; content:"/setup/setup.asp?id="; nocase; http_uri; content:"&pcid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&taday="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008135; classtype:trojan-activity; sid:2008135; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Soft-Show.cn Related Fake AV Install Ad Pull"; flow:established,to_server; content:"/setup/adClick.asp?Id="; nocase; http_uri; content:"&WebId="; nocase; http_uri; content:"&sDate="; nocase; http_uri; content:"&ver="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008148; classtype:trojan-activity; sid:2008148; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Softcashier.com Spyware Install Checkin"; flow:established,to_server; content:".php?wmid="; nocase; http_uri; content:"&subid="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&lid="; nocase; http_uri; content:"&hs="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007861; classtype:trojan-activity; sid:2007861; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Softwarereferral.com Adware Checkin"; flow:established,to_server; content:"wmid="; nocase; http_uri; content:"&mid="; nocase; http_uri; content:"&lid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007696; classtype:trojan-activity; sid:2007696; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Spambot Checking in to Spam"; flow:established,to_server; content:"/devrandom/"; nocase; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002988; classtype:trojan-activity; sid:2002988; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Spambot Pulling IP List to Spam"; flow:established,to_server; content:"/devrandom/access.php"; nocase; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 (compatible)"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002990; classtype:trojan-activity; sid:2002990; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Spambot getting new exe"; flow:established,to_server; content:"/traff/ppiigg.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002991; classtype:trojan-activity; sid:2002991; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Specificclick.net Spyware Activity"; flow: to_server,established; content:"/adopt.sm?"; nocase; http_uri; content:"l="; nocase; http_uri; content:"&sz="; nocase; http_uri; content:"&redir="; nocase; http_uri; content:"&nmv="; nocase; http_uri; content:"&nrsz="; nocase; http_uri; content:"&r="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003450; classtype:policy-violation; sid:2003450; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Speedera Agent (Specific)"; flow: to_server,established; content:"/io/downloads/3/wsem302.dl"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001321; classtype:trojan-activity; sid:2001321; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spy-Not.com Spyware Updating"; flow:to_server,established; content:"/updates1/SKVersion.ini"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003377; classtype:trojan-activity; sid:2003377; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spy-Not.com Spyware Pulling Fake Sigs"; flow:to_server,established; content:"/updates1/SKSignatures.zip"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003375; classtype:trojan-activity; sid:2003375; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SpySherriff Spyware Activity"; flow: to_server,established; content:"/progs_exe/jbsrak/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002984; classtype:trojan-activity; sid:2002984; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Jupitersatellites.biz Spyware Download"; flow: to_server,established; content:"/traff/ppiigg.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002987; classtype:trojan-activity; sid:2002987; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SpySheriff Intial Phone Home"; flow:established,to_server; content:"trial.php?rest="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"trial.php"; nocase; content:!"User-Agent|3a| "; http_header; reference:url,vil.nai.com/vil/content/v_135033.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2003251; classtype:trojan-activity; sid:2003251; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SpyShredder Fake Anti-Spyware Install Download"; flow:established,to_server; content:"&advid="; nocase; http_uri; content:"&u="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"?=______"; http_uri; content:"&vs="; nocase; http_uri; content:"&YZYYYYYYYYYYYYYYYYYYYYYYYYYY"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007593; classtype:trojan-activity; sid:2007593; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyaxe Spyware DB Update"; flow: to_server,established; content:"/updates/database/dbver.php"; nocase; http_uri; content:"spywareaxe"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002804; classtype:trojan-activity; sid:2002804; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyaxe Spyware DB Version Check"; flow: to_server,established; content:"/updates/database/dbver.dat"; nocase; http_uri; content:"spywareaxe"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002805; classtype:trojan-activity; sid:2002805; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyaxe Spyware Checkin"; flow: to_server,established; content:"/download.php?sid="; nocase; http_uri; content:"spyaxe"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002806; classtype:trojan-activity; sid:2002806; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spygalaxy.ws Spyware Checkin"; flow: to_server,established; content:"/install.php?id="; nocase; http_uri; content:"Host|3a| spygalaxy.ws|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001489; classtype:trojan-activity; sid:2001489; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyspotter.com Install"; flow: to_server,established; content:"/SpySpotterInstall.cab"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001536; classtype:trojan-activity; sid:2001536; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyspotter.com Access"; flow: to_server,established; content:"Host|3a| "; http_header; content:"spyspotter.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001537; classtype:trojan-activity; sid:2001537; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SpywareLabs VirtualBouncer Seeking Instructions"; flow: to_server,established; content:"instructions"; nocase; pcre:"/instructions\/\d{2}\.xml/mi"; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.virtualbouncer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000587; classtype:trojan-activity; sid:2000587; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SpywareLabs Application Install"; flow: to_server,established; content:"/DistID/BaseInstalls/V"; nocase; http_uri; content:"User-Agent|3a|"; nocase; http_header; content:"Wise"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001522; classtype:trojan-activity; sid:2001522; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware Stormer Reporting Data"; flow: established,to_server; content:"/showme.aspx?keyword="; nocase; http_uri; content:"ecomdata1="; nocase; http_client_body; reference:url,www.spywarestormer.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001570; classtype:trojan-activity; sid:2001570; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware Stormer/Error Guard Activity"; flow: established,to_server; content:"/sell.cgi?errorguard/1/errorguard"; nocase; http_uri; reference:url,www.spywarestormer.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001571; classtype:trojan-activity; sid:2001571; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Statblaster Receiving New configuration (update)"; flow: to_server,established; content:"/updatestats/update"; nocase; http_uri; content:".xml"; nocase; http_uri; content:"User-Agent|3a| update|0d|"; http_header; content:"statblaster"; http_header; fast_pattern:only; pcre:"/\/updatestats\/update\d+?\.xml$/U"; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001225; classtype:policy-violation; sid:2001225; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Statblaster.MemoryWatcher Download"; flow: to_server,established; content:"/memorywatcher.exe"; http_uri; reference:url,www.memorywatcher.com/eula.aspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001442; classtype:trojan-activity; sid:2001442; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfSidekick Activity"; flow: established,to_server; content:"/Bundling/SskUpdater"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001731; classtype:trojan-activity; sid:2001731; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfSidekick Download"; flow: established,to_server; content:"/requestimpression.aspx?ver="; nocase; http_uri; content:"host="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001992; classtype:trojan-activity; sid:2001992; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfSidekick Activity (ipixel)"; flow: established,to_server; content:"/ipixel.htm?cid="; nocase; http_uri; content:"&pck_id="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001994; classtype:trojan-activity; sid:2001994; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfSidekick Activity (rinfo)"; flow: established,to_server; content:"/rinfo.htm?"; nocase; http_uri; content:"host="; nocase; http_uri; content:"action="; nocase; http_uri; content:"client=SSK"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002738; classtype:trojan-activity; sid:2002738; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfAccuracy.com Spyware Updating"; flow:to_server,established; content:"/sacc/sacc.cfg.php?"; nocase; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-062716-0109-99; reference:url,doc.emergingthreats.net/bin/view/Main/2003390; classtype:trojan-activity; sid:2003390; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfAccuracy.com Spyware Pulling Ads"; flow:to_server,established; content:"/sacc/popup.php"; nocase; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-062716-0109-99; reference:url,doc.emergingthreats.net/bin/view/Main/2003391; classtype:trojan-activity; sid:2003391; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfAssistant.com Spyware Install"; flow: to_server,established; content:"/distribution/questmod-1.dll"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sa.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001510; classtype:trojan-activity; sid:2001510; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfAssistant.com Spyware Reporting"; flow: to_server,established; content:"/sa/?a="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sa.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001514; classtype:trojan-activity; sid:2001514; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE System-defender.com Fake AV Install Checkin"; flow:established,to_server; content:"?wmid="; nocase; http_uri; content:"&mid="; nocase; http_uri; content:"&lndid="; nocase; http_uri; reference:url,www.system-defender.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007856; classtype:trojan-activity; sid:2007856; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SysVenFak Fake AV Package User-Agent (gh2008)"; flow:established,to_server; content:"User-Agent|3a| gh20"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007944; classtype:trojan-activity; sid:2007944; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SysVenFak Fake AV Package Victim Checkin (victim.php)"; flow:established,to_server; content:"/victim.php?"; http_uri; pcre:"/victim\.php\?\d\d\d\d\d/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2007945; classtype:trojan-activity; sid:2007945; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sytes.net Related Spyware Reporting"; flow:to_server,established; content:"/Reporting/admin/upload.php"; nocase; http_uri; content:"POST"; nocase; http_method; content:"sytes.net"; nocase; http_header; reference:url,www.sophos.com/security/analyses/w32forbotdv.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003533; classtype:trojan-activity; sid:2003533; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TargetNetworks.net Spyware Reporting (req)"; flow: to_server,established; content:"/request/req.cgi?gu="; nocase; http_uri; content:"&sid="; nocase; http_uri; content:"&kw="; nocase; http_uri; reference:url,www.targetnetworks.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001997; classtype:trojan-activity; sid:2001997; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TargetNetworks.net Spyware Reporting (tn)"; flow: to_server,established; content:"/data/tn.dat?v="; nocase; http_uri; content:"&sid="; nocase; http_uri; reference:url,www.targetnetworks.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002046; classtype:trojan-activity; sid:2002046; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE thebestsoft4u.com Spyware Install (1)"; flow: to_server,established; content:"/pa/glx.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001482; classtype:trojan-activity; sid:2001482; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE thebestsoft4u.com Spyware Install (2)"; flow: to_server,established; content:"/pa/proxyrnd.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001485; classtype:trojan-activity; sid:2001485; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Theinstalls.com Initial Checkin"; flow:established,to_server; content:"/plist.php?uid="; http_uri; content:"Host|3a| "; http_header; content:"theinstalls.com"; http_header; reference:url,www.theinstalls.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007788; classtype:trojan-activity; sid:2007788; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Tibsystems Spyware Download"; flow: to_server,established; content:"/d4.fcgi?v="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001488; classtype:trojan-activity; sid:2001488; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Tibsystems Spyware Install (1)"; flow: to_server,established; content:"/fcgi-bin/iza2.fcgi?m="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001729; classtype:trojan-activity; sid:2001729; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Tibsystems Spyware Install (2)"; flow: to_server,established; content:"/tb/loader2.ocx"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001734; classtype:trojan-activity; sid:2001734; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner Spyware Agent Download (1)"; flow: established,to_server; content:"/ldr.exe"; nocase; http_uri; reference:url,toolbarpartner.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001890; classtype:trojan-activity; sid:2001890; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner Spyware Spambot Retrieving Target Emails"; flow: established,to_server; content:"/mailz.php?id="; nocase; http_uri; reference:url,toolbarpartner.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001895; classtype:trojan-activity; sid:2001895; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TopMoxie Reporting Data to External Host"; flow: to_server,established; content:"/downloads/record_download.asp"; nocase; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/downloads\/record_download\.asp/i"; reference:url,www.topmoxie.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000588; classtype:trojan-activity; sid:2000588; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TopMoxie Retrieving Data (downloads)"; flow: to_server,established; uricontent:"/external/builds/downloads2/"; nocase; reference:url,www.topmoxie.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000589; classtype:trojan-activity; sid:2000589; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TopMoxie Retrieving Data (common)"; flow: to_server,established; uricontent:"/external/builds/common/"; nocase; reference:url,www.topmoxie.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000590; classtype:trojan-activity; sid:2000590; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Toprebates.com Install (1)"; flow: established,to_server; content:"/acti.asp?cl=1&gd=1&clpid="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001646; classtype:trojan-activity; sid:2001646; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Toprebates.com Install (2)"; flow: established,to_server; content:"/builds/"; nocase; http_uri; content:"AutoTrack_Install.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001647; classtype:trojan-activity; sid:2001647; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Toprebates.com User Confirming Membership"; flow: established,to_server; content:"/cgi/account.plx?pid="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001648; classtype:trojan-activity; sid:2001648; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Ezula Install .exe"; flow: to_server,established; content:"/install/eZinstall.exe"; nocase; http_uri; content:"User-Agent|3a| eZula"; http_header; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001334; classtype:trojan-activity; sid:2001334; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Ezula Installer Download"; flow: from_server,established; content:"|65 5a 75 6c 61 20 49 6e 73 74 61 6c 6c 61 74 69 6f 6e 00 49|"; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001335; classtype:trojan-activity; sid:2001335; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spywaremover Activity"; flow: to_server,established; content:"/spywareremovers.php?"; http_uri; content:"Host|3a| topantispyware.com"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topantispyware.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001520; classtype:trojan-activity; sid:2001520; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Topconverting Spyware Install"; flow: to_server,established; content:"/activex/weirdontheweb_topc.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002004; classtype:trojan-activity; sid:2002004; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Topconverting Spyware Reporting"; flow: to_server,established; content:"/trigger.php?partner="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002040; classtype:trojan-activity; sid:2002040; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Topgame-online.com Ruch Casino Install User-Agent (RichCasino)"; flow:established,to_server; content:"User-Agent|3a| RichCasino"; nocase; http_header; reference:url,doc.emergingthreats.net/2009831; classtype:trojan-activity; sid:2009831; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Traffic Syndicate Add/Remove"; flow: to_server,established; content:"/Support/AddRemove.aspx?id="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001313; classtype:policy-violation; sid:2001313; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Traffic Syndicate Agent Updating (1)"; flow: to_server,established; content:"/TbLinkConfig.asmx"; nocase; http_uri; threshold: type limit, track by_src, count 1, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001315; classtype:policy-violation; sid:2001315; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Traffic Syndicate Agent Updating (2)"; flow: to_server,established; content:"/TbInstConfig.asmx"; nocase; http_uri; threshold: type limit, track by_src, count 1, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001316; classtype:policy-violation; sid:2001316; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Trafficsector.com Spyware Install"; flow: to_server,established; content:"/install.php?"; nocase; http_uri; content:"afid="; nocase; http_uri; content:"&user_id="; http_uri; content:"trafficsector"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002736; classtype:policy-violation; sid:2002736; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Transponder Spyware Activity"; flow:established,to_server; content:"/sendROIcookie.cfm?refer="; nocase; http_uri; reference:url,www.doxdesk.com/parasite/Transponder.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002320; classtype:trojan-activity; sid:2002320; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Travel Update Spyware"; flow:established,to_server; content:"/abt?data="; nocase; http_uri; pcre:"/\/abt\?data=\S{150}/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2003297; classtype:trojan-activity; sid:2003297; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware/Spyware Trymedia.com EXE download"; flow:established,to_server; content:"GET"; nocase; http_method; content:".exe?nva="; http_uri; content:"&aff="; http_uri; content:"&token="; http_uri; content:"User-Agent|3a| Macrovision_DM"; nocase; http_header; reference:url,www.browserdefender.com/site/trymedia.com; reference:url,www.threatexpert.com/reports.aspx?find=Adware.Trymedia; reference:url,doc.emergingthreats.net/2009091; classtype:policy-violation; sid:2009091; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE UCMore Spyware Reporting"; flow: to_server,established; content:"/iis2ucms.asp"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=58660; reference:url,doc.emergingthreats.net/bin/view/Main/2001995; classtype:trojan-activity; sid:2001995; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE UCMore Spyware Downloading Ads"; flow: to_server,established; content:"/clientsetupfinish.html?sponsor_id="; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=58660; reference:url,doc.emergingthreats.net/bin/view/Main/2001998; classtype:trojan-activity; sid:2001998; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE /jk/exp.wmf Exploit Code Load Attempt"; flow:to_server,established; content:"/jk/exp.wmf"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002999; classtype:trojan-activity; sid:2002999; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PopupSh.ocx Access Attempt"; flow:to_server,established; content:"/PopupSh.ocx"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003000; classtype:trojan-activity; sid:2003000; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sidelinker.com-Upspider.com Spyware Checkin"; flow:established,to_server; content:"/Pro/pro.php?mac="; nocase; http_uri; content:"&key="; nocase; http_uri; pcre:"/\/Pro\/pro\.php\?mac=\d\d-\d\d-\d\d-\d\d-\d\d-\d\d\&key=\d/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2008157; classtype:trojan-activity; sid:2008157; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sidelinker.com-Upspider.com Spyware Count"; flow:established,to_server; content:"/Pro/cnt.php?mac="; nocase; http_uri; content:"&key="; nocase; http_uri; content:"&pid="; nocase; http_uri; pcre:"/\/Pro\/cnt\.php\?mac=\d\d-\d\d-\d\d-\d\d-\d\d-\d\d\&key=\d/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2008158; classtype:trojan-activity; sid:2008158; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE V-Clean.com Fake AV Checkin"; flow:established,to_server; content:"/bill_mod/bill_count.php?C_FLAG="; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 5.5|3b| Windows 98)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008180; classtype:trojan-activity; sid:2008180; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VPP Technologies Spyware"; flow:established,to_server; content:"/DittoIA.jsh?pid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002348; classtype:trojan-activity; sid:2002348; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VPP Technologies Spyware Reporting URL"; flow:established,to_server; content:"/js.vppimage?key="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002350; classtype:trojan-activity; sid:2002350; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vaccine-program.co.kr Related Spyware Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/version/controllerVersion"; fast_pattern:only; nocase; http_uri; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007995; classtype:trojan-activity; sid:2007995; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Virtumonde Spyware Code Download mmdom.exe"; flow: to_server,established; content:"/mmdom.exe"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001525; classtype:trojan-activity; sid:2001525; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Virtumonde Spyware Code Download bkinst.exe"; flow: to_server,established; content:"/bkinst.exe"; nocase; http_uri; content:"virtumonde.com"; http_header; reference:url,www.lurhq.com/iframeads.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001526; classtype:trojan-activity; sid:2001526; rev:22; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vombanetworks.com Spyware Installer Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/scripts/get_cookie.php"; nocase; http_uri; content:"vomba="; http_client_body; depth:6; content:"&ff="; content:"&vombashots="; content:"&vombashots_ff="; content:"&hwd="; content:"&ver="; content:"&vinfo=Windows"; reference:url,doc.emergingthreats.net/bin/view/Main/2007870; classtype:trojan-activity; sid:2007870; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Webbuying.net Spyware Installing"; flow:established,to_server; content:"/inst.php?"; nocase; http_uri; content:"d="; nocase; http_uri; content:"&cl="; nocase; http_uri; content:"&l="; nocase; http_uri; content:"&e="; nocase; http_uri; content:"&v=wbi_v"; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"&time="; nocase; http_uri; content:"&win="; nocase; http_uri; content:"&un=0"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003442; classtype:trojan-activity; sid:2003442; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Webhancer Data Upload"; flow: from_server,established; content:"WebHancer Authority Server"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001317; classtype:trojan-activity; sid:2001317; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Webhancer Data Post"; flow: to_server,established; content:"POST"; nocase; http_method; content:"http|3a|//prime.webhancer.com"; nocase; content:"AgentTag|3a|"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001677; classtype:trojan-activity; sid:2001677; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Webhancer Agent Activity"; flow: to_server,established; content:"Host|3a|"; nocase; http_header; content:"webhancer.com"; nocase; http_header; within:32; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001678; classtype:trojan-activity; sid:2001678; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Websearch.com Spyware"; flow: to_server,established; content:"/sitereview.asmx/GetReview"; nocase; http_uri; reference:mcafee,131461; reference:url,doc.emergingthreats.net/bin/view/Main/2001325; classtype:trojan-activity; sid:2001325; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Websearch.com Outbound Dialer Retrieval"; flow: to_server,established; content:"/1/rdgUS10.exe"; nocase; http_uri; reference:mcafee,131461; reference:url,doc.emergingthreats.net/bin/view/Main/2001517; classtype:trojan-activity; sid:2001517; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Weird on the Web /180 Solutions Checkin"; flow: to_server,established; content:"/notifier/config.ini?v="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002036; classtype:trojan-activity; sid:2002036; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com App and Search Bar Install (1)"; flow: to_server,established; content:"/vsn/ISA/"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000908; classtype:policy-violation; sid:2000908; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com App and Search Bar Install (2)"; flow: to_server,established; content:"/Appinstall?app=VVSN"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000909; classtype:policy-violation; sid:2000909; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Clock Sync App Checkin"; flow: to_server,established; content:"/heartbeat?"; nocase; http_uri; content:"=clock"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000910; classtype:policy-violation; sid:2000910; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Weather App Checkin"; flow: to_server,established; content:"/heartbeat?"; nocase; http_uri; content:"=weather"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000911; classtype:policy-violation; sid:2000911; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Clock Sync App Checkin (1)"; flow: to_server,established; content:"/clock?id="; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000912; classtype:policy-violation; sid:2000912; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Clock Sync App Checkin (2)"; flow: to_server,established; content:"/clockDB"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000913; classtype:policy-violation; sid:2000913; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Weather App Checkin (1)"; flow: to_server,established; content:"/weatherDB"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000914; classtype:policy-violation; sid:2000914; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Weather App Checkin (2)"; flow: to_server,established; content:"/weather?id="; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000915; classtype:policy-violation; sid:2000915; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com WhenUSave App Checkin"; flow: to_server,established; content:"/heartbeat?"; nocase; http_uri; content:"=whenusave"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000916; classtype:policy-violation; sid:2000916; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com WhenUSave Data Retrieval (offersdata)"; flow: to_server,established; content:"/OffersDataGZ?update="; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000917; classtype:policy-violation; sid:2000917; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Desktop Bar Install"; flow: to_server,established; content:"/Appinstall?app=desktop"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000918; classtype:policy-violation; sid:2000918; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com WhenUSave Data Retrieval (Searchdb)"; flow: to_server,established; content:"/SearchDB?update="; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000919; classtype:policy-violation; sid:2000919; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Application Version Check"; flow: to_server,established; content:"/versions.html"; nocase; http_uri; content:"whenu.com"; nocase; http_header; fast_pattern; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2003389; classtype:policy-violation; sid:2003389; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com WhenUSave Data Retrieval (DataChunksGZ)"; flow: to_server,established; content:"/DataChunksGZ?update="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"svr="; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2003404; classtype:policy-violation; sid:2003404; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wild Tangent Agent Installation"; flow: to_server,established; content:"/Recovery/Checkin.aspx?version"; nocase; http_uri; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001307; classtype:trojan-activity; sid:2001307; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wild Tangent Agent Checking In"; flow: to_server,established; content:"/CDADeliveries/Checkin.aspx"; nocase; http_uri; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001309; classtype:trojan-activity; sid:2001309; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wild Tangent Agent Traffic"; flow: to_server,established; content:"/CDAFiles/DP/SysConfig"; nocase; http_uri; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001310; classtype:trojan-activity; sid:2001310; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wild Tangent Agent"; flow: to_server,established; content:"/CDAFiles/"; nocase; http_uri; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001314; classtype:trojan-activity; sid:2001314; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wild Tangent New Install"; flow: to_server,established; content:"/NewUser/Checkin.aspx"; nocase; http_uri; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001322; classtype:trojan-activity; sid:2001322; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wild Tangent Install"; flow: to_server,established; content:"/updatestats/AI_Euro.exe"; nocase; http_uri; reference:mcafee,122249; reference:url,doc.emergingthreats.net/bin/view/Main/2002008; classtype:trojan-activity; sid:2002008; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Windupdates.com Spyware Install"; flow: established,to_server; content:"/cab/CDTInc/ie/"; nocase; http_uri; content:".cab"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001700; classtype:trojan-activity; sid:2001700; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Windupdates.com Spyware Loggin Data"; flow: established,to_server; content:"/logging.php?p="; nocase; http_uri; content:"Host|3a| public.windupdates.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001701; classtype:trojan-activity; sid:2001701; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winfixmaster.com Fake Anti-Spyware Install"; flow: to_server,established; content:"/dispatcher.php?action="; nocase; http_uri; content:"Host|3a| www.winfix"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003543; classtype:trojan-activity; sid:2003543; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winferno Registry Fix Spyware Download"; flow: to_server,established; content:"/freeze_rpc6bundle_us/REGISTRYFIXDLL.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003353; classtype:trojan-activity; sid:2003353; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Freeze.com Spyware Download"; flow: to_server,established; content:"/WebServices/DesktopManager/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003356; classtype:trojan-activity; sid:2003356; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winxdefender.com Fake AV Package Post Install Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/checkupdate.php"; nocase; http_uri; content:"User-Agent|3a| Opera"; http_header; content:"Computer ID|3a| "; http_client_body; reference:url,doc.emergingthreats.net/bin/view/Main/2008197; classtype:trojan-activity; sid:2008197; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (1)"; flow: to_server,established; content:"/fa/evil.html"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001461; classtype:trojan-activity; sid:2001461; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs Occuring"; flow: to_server,established; content:"/fa/?d=get"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001462; classtype:trojan-activity; sid:2001462; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (2)"; flow: to_server,established; content:"src=http|3a|//xpire.info/i.exe"; nocase; http_client_body; reference:url,doc.emergingthreats.net/bin/view/Main/2001463; classtype:trojan-activity; sid:2001463; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (3)"; flow: to_server,established; content:"/i.exe"; nocase; http_uri; content:"xpire.info"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001464; classtype:trojan-activity; sid:2001464; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (4)"; flow: to_server,established; content:"/dl/adv121.php"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001466; classtype:trojan-activity; sid:2001466; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (5)"; flow: to_server,established; content:"/dl/adv121/x.chm"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001467; classtype:trojan-activity; sid:2001467; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs CHM Exploit"; flow: to_server,established; content:"/fa/ied_s7m.chm"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001468; classtype:trojan-activity; sid:2001468; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (6)"; flow: to_server,established; content:"/fa/x.chm"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001469; classtype:trojan-activity; sid:2001469; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (7)"; flow: to_server,established; content:"/fa/xpl3.htm"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001470; classtype:trojan-activity; sid:2001470; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Spyware Exploit"; flow: to_server,established; content:"/2DimensionOfExploitsEnc.php"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001471; classtype:trojan-activity; sid:2001471; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Spyware Install Reporting"; flow: to_server,established; content:"/report.php?user_id="; fast_pattern; http_uri; content:"&status="; http_uri; content:"&country_id="; http_uri; content:"User-Agent|3a| Windows Internet|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001472; reference:md5,17c204bb156dd7f6a3ebd1547129f347; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FZdesnado.AD&ThreatID=-2147454482; classtype:trojan-activity; sid:2001472; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Spyware Checkin"; flow: to_server,established; content:"/install.gz"; nocase; http_uri; content:"Host|3a| xpire.info|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001491; classtype:trojan-activity; sid:2001491; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Install Report"; flow: to_server,established; content:"counter.htm"; nocase; pcre:"//user\d+/counter\.htm/im"; reference:url,doc.emergingthreats.net/bin/view/Main/2001541; classtype:trojan-activity; sid:2001541; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Yourscreen.com Spyware Download"; flow: to_server,established; content:"/data/yourscreen_data.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003354; classtype:trojan-activity; sid:2003354; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE yupsearch.com Spyware Install - protector.exe"; flow: to_server,established; content:"/protector.exe"; nocase; http_uri; reference:url,www.yupsearch.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002092; classtype:trojan-activity; sid:2002092; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE yupsearch.com Spyware Install - sideb.exe"; flow: to_server,established; content:"/sideb.exe"; nocase; http_uri; reference:url,www.yupsearch.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002098; classtype:trojan-activity; sid:2002098; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zenotecnico Adware"; flow: to_server,established; content:"/cl/clientdump"; http_uri; content:"zenotecnico"; nocase; http_header; reference:url,www.zenotecnico.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001947; classtype:policy-violation; sid:2001947; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zenotecnico Adware 2"; flow: to_server,established; content:"/cl/clienthost"; http_uri; content:"zenotecnico"; nocase; http_header; reference:url,www.zenotecnico.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002735; classtype:policy-violation; sid:2002735; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zenotecnico Spyware Install Report"; flow: to_server,established; content:"/instreport"; http_uri; content:"zenotecnico"; nocase; http_header; reference:url,www.zenotecnico.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002737; classtype:policy-violation; sid:2002737; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zenosearch Malware Checkin HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"uid="; http_client_body; depth:4; content:"&ref="; http_client_body; content:"&clid="; http_client_body; content:"&commode="; http_client_body; content:"&cmd="; http_client_body; reference:url,doc.emergingthreats.net/bin/view/Main/2008757; classtype:trojan-activity; sid:2008757; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zenosearch Malware Checkin HTTP POST (2)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".asp?rnd="; http_uri; content:"uid="; http_client_body; depth:4; content:"&ref="; http_client_body; content:"&clid="; http_client_body; content:"&umode="; http_client_body; content:"&cn="; http_client_body; reference:url,doc.emergingthreats.net/bin/view/Main/2008798; classtype:trojan-activity; sid:2008798; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Supergames.aavalue.com Spyware"; flow: established,to_server; content:"/toolbars/msg/msg_serverside.xml"; nocase; http_uri; content:"aavalue.com"; nocase; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EZ-Tracks%20Toolbar&threatid=41189; reference:url,doc.emergingthreats.net/bin/view/Main/2003525; classtype:trojan-activity; sid:2003525; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE adservs.com Spyware"; flow: to_server,established; content:"/binaries/relevance.dat"; http_uri; content:"adservs"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002740; classtype:policy-violation; sid:2002740; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE iframebiz - sploit.anr"; flow:established,to_server; content:"GET";  nocase; http_method; content:"/sploit.anr"; nocase; http_uri; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002708; classtype:trojan-activity; sid:2002708; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE iframebiz - loaderadv***.jar"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/loaderadv"; nocase; http_uri; pcre:"/loaderadv\d+\.jar/Ui"; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002709; classtype:trojan-activity; sid:2002709; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE iframebiz - loadadv***.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/loadadv"; nocase; http_uri; pcre:"/loadadv\d+\.exe/Ui"; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002710; classtype:trojan-activity; sid:2002710; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE iframebiz - /qwertyuiyw12ertyuytre/adv***.php"; flow:established,to_server; content:"/qwertyuiyw12ertyuytre"; nocase; http_uri; reference:url,iframecash.biz; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOADR.QC&VSect=T; reference:url,doc.emergingthreats.net/bin/view/Main/2008681; classtype:trojan-activity; sid:2008681; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE K8l.info Spyware Activity"; flow: to_server,established; content:"/media/servlet/view/dynamic/url/zone?"; nocase; http_uri; content:"zid="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&DHWidth="; nocase; http_uri; content:"&DHHeight="; nocase; http_uri; content:"Ref="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003451; classtype:policy-violation; sid:2003451; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 404Search Spyware User-Agent (404search)"; flow:established,to_server; content:"User-Agent|3a| 404search"; http_header; reference:url,doc.emergingthreats.net/2001852; classtype:trojan-activity; sid:2001852; rev:27; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adload.Generic Spyware User-Agent (91castInstallKernel)"; flow:to_server,established; content:"User-Agent|3a| 91cast"; nocase; http_header; reference:url,doc.emergingthreats.net/2003640; classtype:trojan-activity; sid:2003640; rev:10; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Pigeon.AYX/AVKill Related User-Agent (CTTBasic)"; flow: established,to_server; content:"User-Agent|3a| CTT"; http_header; reference:url,doc.emergingthreats.net/2009236; classtype:trojan-activity; sid:2009236; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adwave.com Related Spyware User-Agent (STBHOGet)"; flow:to_server,established; content:"User-Agent|3a| STBHOGet"; nocase; http_header; reference:url,doc.emergingthreats.net/2003500; classtype:trojan-activity; sid:2003500; rev:10; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Alawar Toolbar Spyware User-Agent (Alawar Toolbar)"; flow:to_server,established; content:"User-Agent|3a| Alawar Toolbar"; nocase; http_header; reference:url,www.bleepingcomputer.com/uninstall/68/Alawar-Toolbar.html; reference:url,doc.emergingthreats.net/2003506; classtype:trojan-activity; sid:2003506; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Alexa Search Toolbar User-Agent 2 (Alexa Toolbar)"; flow: to_server,established; content:"Alexa Toolbar"; http_header; fast_pattern:only; threshold: type limit, count 2, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2008085; classtype:trojan-activity; sid:2008085; rev:17; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AntiVermins.com Fake Antispyware Package User-Agent (AntiVerminser)"; flow:to_server,established; content:"AntiVerminser"; http_header; fast_pattern:only; reference:url,doc.emergingthreats.net/2003336; classtype:trojan-activity; sid:2003336; rev:17; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Antivermins.com Spyware/Adware User-Agent (AntiVermeans)"; flow:to_server,established; content:"User-Agent|3a| AntiVermeans"; nocase; http_header; reference:url,www.bleepingcomputer.com/forums/topic69886.htm; reference:url,doc.emergingthreats.net/2003531; classtype:trojan-activity; sid:2003531; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Toplist.cz Related Spyware Checkin"; flow:to_server,established; content:"User-Agent|3a| BWL"; http_header; pcre:"/BWL(\sToplist|\d_UPDATE)/H"; classtype:trojan-activity; sid:2003505; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Better Internet Spyware User-Agent (thnall)"; flow: to_server,established; content:"THNALL"; fast_pattern:only; http_header; pcre:"/User-Agent\:[^\n]+THNALL[^\n]+\.EXE/iH"; reference:url,doc.emergingthreats.net/2002002; classtype:trojan-activity; sid:2002002; rev:34; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CoolWebSearch Spyware User-Agent (iefeatsl)"; flow:to_server,established; content:"User-Agent|3a| iefeatsl"; nocase; http_header; reference:url,www.applicationsignatures.com/backend/index.php; reference:url,doc.emergingthreats.net/2003570; classtype:trojan-activity; sid:2003570; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CoolWebSearch Spyware (Feat)"; flow: to_server,established; content:"User-Agent|3a| Feat"; nocase; http_header; pcre:"/^User-Agent\x3a\x20+Feat[^\r\n]+(?:Install|Updat)er/Hmi"; reference:url,www.spywareguide.com/product_show.php?id=599; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075759; reference:url,www.doxdesk.com/parasite/CoolWebSearch.html; reference:url,doc.emergingthreats.net/2002160; classtype:trojan-activity; sid:2002160; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE chnsystem.com Spyware User-Agent (Update1.0)"; flow:established,to_server; content:"User-Agent|3a| Update1.0"; http_header; reference:url,doc.emergingthreats.net/2010680; classtype:trojan-activity; sid:2010680; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE clickspring.com Spyware Install User-Agent (CS Fingerprint Module)"; flow:to_server,established; content:"User-Agent|3a| CS Fingerprint Module"; nocase; http_header; reference:url,doc.emergingthreats.net/2003425; classtype:trojan-activity; sid:2003425; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Surfaccuracy.com Spyware Install User-Agent (SF Installer)"; flow:to_server,established; content:"SF Installer"; http_header; fast_pattern:only; reference:url,doc.emergingthreats.net/2003428; classtype:trojan-activity; sid:2003428; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE xxxtoolbar.com Spyware Install User-Agent"; flow:to_server,established; content:"User-Agent|3a 32 8b 86 85 86 8e 85 86 8c 0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2003429; classtype:trojan-activity; sid:2003429; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CommonName.com Spyware/Adware User-Agent (CommonName Agent)"; flow:to_server,established; content:"User-Agent|3a| CommonName"; nocase; http_header; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453078618; reference:url,doc.emergingthreats.net/2003532; classtype:trojan-activity; sid:2003532; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Context Plus Spyware User-Agent (Apropos)"; flow: established,to_server; content:"Apropos"; http_header; pcre:"/User-Agent\:[^\n]+Apropos/Hi"; reference:url,doc.emergingthreats.net/2001703; classtype:trojan-activity; sid:2001703; rev:38; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Context Plus Spyware User-Agent (Envolo)"; flow: established,to_server; content:"Envolo"; http_header; pcre:"/User-Agent\:[^\n]+Envolo/Hi"; reference:url,doc.emergingthreats.net/2001706; classtype:trojan-activity; sid:2001706; rev:38; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Context Plus User-Agent (PTS)"; flow: to_server,established; content:"User-Agent|3a| PTS"; http_header; reference:url,www.contextplus.net; reference:url,doc.emergingthreats.net/2002403; classtype:trojan-activity; sid:2002403; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Cpushpop.com Spyware User-Agent (CPUSH_UPDATER)"; flow:established,to_server; content:"User-Agent|3a| CPUSH_"; http_header; reference:url,doc.emergingthreats.net/2006553; classtype:trojan-activity; sid:2006553; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (CustomSpy)"; flow:to_server,established; content:"User-Agent|3a| |28|CustomSpy|29 0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011271; classtype:trojan-activity; sid:2011271; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Deepdo Toolbar User-Agent (FavUpdate)"; flow:established,to_server; content:"User-Agent|3a| FavUpdate"; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Deepdo%20Toolbar&threatid=129378; reference:url,doc.emergingthreats.net/2008457; classtype:trojan-activity; sid:2008457; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Deepdo.com Toolbar/Spyware User Agent (DeepdoUpdate)"; flow:established,to_server; content:"User-Agent|3a| DeepdoUpdate/"; nocase; http_header; reference:url,doc.emergingthreats.net/2006386; classtype:trojan-activity; sid:2006386; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE dialno Dialer User-Agent (dialno)"; flow:to_server,established; content:"dialno"; http_header; threshold: type limit, count 5, seconds 60, track by_src; pcre:"/User-Agent\:[^\n]+dialno/Hi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096347; reference:url,doc.emergingthreats.net/2003387; classtype:trojan-activity; sid:2003387; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Dropspam.com Spyware Install User-Agent (DSInstall)"; flow:to_server,established; content:"DSInstall"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+DSInstall/iH"; reference:url,doc.emergingthreats.net/2003439; classtype:trojan-activity; sid:2003439; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EELoader Malware Packages User-Agent (EELoader)"; flow:to_server,established; content:"User-Agent|3a| EELoader"; nocase; http_header; reference:url,doc.emergingthreats.net/2003613; classtype:trojan-activity; sid:2003613; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EZULA Spyware User Agent"; flow: established,to_server; content:"User-Agent|3a| ezula"; nocase; http_header; reference:url,doc.emergingthreats.net/2001854; classtype:trojan-activity; sid:2001854; rev:24; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Ezula Related User-Agent (mez)"; flow: to_server,established; content:"User-Agent|3a| mez|0d 0a|"; nocase; http_header; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; reference:url,doc.emergingthreats.net/2000586; classtype:trojan-activity; sid:2000586; rev:30; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Easy Search Bar Spyware User-Agent (ESB)"; flow: established,to_server; content:"User-Agent|3a| ESB"; http_header; reference:url,doc.emergingthreats.net/2001853; classtype:trojan-activity; sid:2001853; rev:24; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ErrorNuker FakeAV User-Agent (ERRN2004 (Windows XP))"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| ERRN200"; http_header; reference:url,doc.emergingthreats.net/2009861; classtype:trojan-activity; sid:2009861; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Errorsafe.com Fake antispyware User-Agent (ErrorSafe)"; flow:to_server,established; content:"User-Agent|3a|"; nocase; http_header; content:"ErrorSafe "; http_header; fast_pattern; within:150; pcre:"/^User-Agent\x3a\x20[^\n]+ErrorSafe/Hmi"; reference:url,doc.emergingthreats.net/2003346; classtype:trojan-activity; sid:2003346; rev:14; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Evidencenuker.com Fake AV/Anti-Spyware User-Agent (EVNUKER)"; flow:to_server,established; content:"User-Agent|3a| EVNUKER"; nocase; http_header; reference:url,doc.emergingthreats.net/2003567; classtype:trojan-activity; sid:2003569; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (FaceCooker)"; flow:to_server,established; content:"User-Agent|3a| FaceCooker"; nocase; http_header; reference:url,doc.emergingthreats.net/2010717; classtype:trojan-activity; sid:2010717; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Internet-antivirus.com Related Fake AV User-Agent (Update Internet Antivirus)"; flow:established,to_server; content:"User-Agent|3a| Update Internet Antivirus"; http_header; reference:url,doc.emergingthreats.net/2008647; classtype:trojan-activity; sid:2008647; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE malwarewipeupdate.com Spyware User-Agent (MalwareWipe)"; flow:to_server,established; content:"User-Agent|3a| MalwareWipe|0d 0a|"; nocase; http_header; reference:url,www.malwarewipeupdate.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=MalwareWipe&threatid=43086; reference:url,doc.emergingthreats.net/2003489; classtype:trojan-activity; sid:2003489; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Virusblast.com Fake AV/Anti-Spyware User-Agent (ad-protect)"; flow:to_server,established; content:"User-Agent|3a| ad-protect"; nocase; http_header; reference:url,spywarewarrior.com/rogue_anti-spyware.htm; reference:url,www.virusblast.com; reference:url,doc.emergingthreats.net/2003476; classtype:trojan-activity; sid:2003476; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Terminexor.com Spyware User-Agent (DInstaller2)"; flow:to_server,established; content:"User-Agent|3a| DInstaller"; nocase; http_header; reference:url,www.terminexor.com; reference:url,netrn.net/spywareblog/archives/2004/12/23/more-rip-off-ware-terminexor; reference:url,doc.emergingthreats.net/2003477; classtype:trojan-activity; sid:2003477; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Errornuker.com Fake Anti-Spyware User-Agent (ERRORNUKER)"; flow:to_server,established; content:"User-Agent|3a| ERRORNUKER"; nocase; http_header; reference:url,www.spywarewarrior.com/rogue_anti-spyware.htm; reference:url,www.errornuker.com; reference:url,doc.emergingthreats.net/2003478; classtype:trojan-activity; sid:2003478; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Systemdoctor.com/Antivir2008 related Fake Anti-Virus User-Agent (AntivirXP)"; flow:established,to_server; content:"Antivir"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+\;\sAntivir/H"; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.wiki-security.com/wiki/Parasite/Antivirus2008; reference:url,doc.emergingthreats.net/2008549; classtype:trojan-activity; sid:2008549; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Cleancop.co.kr Fake AV User-Agent (CleancopUpdate)"; flow:established,to_server; content:"User-Agent|3a| Cleancop"; http_header; reference:url,doc.emergingthreats.net/2008484; classtype:trojan-activity; sid:2008484; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchtool.co.kr Fake Product User-Agent (searchtoolup)"; flow:established,to_server; content:"User-Agent|3a| searchtool"; http_header; reference:url,doc.emergingthreats.net/2008485; classtype:trojan-activity; sid:2008485; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AntiSpywareMaster.com Fake AV User-Agent (AsmUpdater)"; flow:to_server,established; content:"User-Agent|3a| AsmUpdater"; http_header; reference:url,doc.emergingthreats.net/2008294; classtype:trojan-activity; sid:2008294; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Dokterfix.com Fake AV User-Agent (Magic NetInstaller)"; flow:to_server,established; content:"User-Agent|3a| Magic NetInstaller|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007977; classtype:trojan-activity; sid:2007977; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Easydownloadsoft.com Fake Anti-Virus User-Agent (IM Downloader)"; flow:established,to_server; content:"User-Agent|3a| IM Downloader|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2008000; classtype:trojan-activity; sid:2008000; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mycomclean.com Spyware User-Agent (HTTP_GET_COMM)"; flow:to_server,established; content:"User-Agent|3a| HTTP_GET_COMM|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007881; classtype:trojan-activity; sid:2007881; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mycomclean.com Spyware User-Agent (SHINI)"; flow:to_server,established; content:"User-Agent|3a| SHINI|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007882; classtype:trojan-activity; sid:2007882; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Virusheat.com Fake Anti-Spyware User-Agent (VirusHeat 4.3)"; flow:to_server,established; content:"User-Agent|3a| VirusHeat"; http_header; reference:url,doc.emergingthreats.net/2007883; classtype:trojan-activity; sid:2007883; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Antivirgear.com Fake Anti-Spyware User-Agent (AntiVirGear)"; flow:established,to_server; content:"User-Agent|3a| AntiVirGear"; nocase; http_header; reference:url,doc.emergingthreats.net/2007697; classtype:trojan-activity; sid:2007697; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Alfaantivirus.com Fake Anti-Virus User-Agent (IM Download)"; flow:established,to_server; content:"User-Agent|3a| IM Download|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2007759; classtype:trojan-activity; sid:2007759; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Drpcclean.com Related Spyware User-Agent (DrPCClean Transmit)"; flow:to_server,established; content:"User-Agent|3a| DrPCClean"; http_header; reference:url,doc.emergingthreats.net/2007839; classtype:trojan-activity; sid:2007839; rev:6; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Errclean.com Related Spyware User-Agent (Locus NetInstaller)"; flow:to_server,established; content:"User-Agent|3a| Locus "; http_header; reference:url,doc.emergingthreats.net/2007845; classtype:trojan-activity; sid:2007845; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Avsystemcare.com Fake AV User-Agent (LocusSoftware NetInstaller)"; flow:to_server,established; content:"User-Agent|3a| LocusSoftware, NetInstaller"; http_header; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/2008150; classtype:trojan-activity; sid:2008150; rev:8; metadata:created_at 2010_07_30, updated_at 2017_05_11;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE IEDefender (iedefender.com) Fake Antispyware User Agent (IEDefender 2.1)"; flow:established,to_server; content:"User-Agent|3a| IEDefender "; nocase; http_header; reference:url,doc.emergingthreats.net/2007690; classtype:trojan-activity; sid:2007690; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winxpperformance.com Related Spyware User-Agent (Microsoft Internet Browser)"; flow:established,to_server; content:"User-Agent|3a| Microsoft Internet Browser|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2007660; classtype:trojan-activity; sid:2007660; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VirusProtectPro Spyware User-Agent (VirusProtectPro)"; flow:established,to_server; content:"User-Agent|3a| VirusProtectPro"; http_header; reference:url,doc.emergingthreats.net/2007617; classtype:trojan-activity; sid:2007617; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Ufixer.com Fake Antispyware User-Agent (Ultimate Fixer)"; flow: established,to_server; content:"User-Agent|3a| Ultimate Fixer"; nocase; http_header; reference:url,doc.emergingthreats.net/2007645; classtype:trojan-activity; sid:2007645; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vikiller.com Fake Antispyware User-Agent (vikiller ctrl...)"; flow: established,to_server; content:"User-Agent|3a| vikiller ctrl"; nocase; http_header; reference:url,doc.emergingthreats.net/2007582; classtype:trojan-activity; sid:2007582; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Fast Browser Search)"; flow:to_server,established; content:"User-Agent|3a| Fast Browser Search"; nocase; http_header; reference:url,doc.emergingthreats.net/2010676; classtype:trojan-activity; sid:2010676; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Likely Hostile User-Agent (Forthgoer)"; flow:to_server,established; content:"User-Agent|3a| Forthgoer"; http_header; reference:url,doc.emergingthreats.net/2011247; classtype:trojan-activity; sid:2011247; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Yourscreen.com Spyware User-Agent (FreezeInet)"; flow:to_server,established; content:"FreezeInet"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+FreezeInet/iH"; reference:url,doc.emergingthreats.net/2003355; classtype:trojan-activity; sid:2003355; rev:14; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Freeze.com Spyware User-Agent (YourScreen123)"; flow:to_server,established; content:"User-Agent|3a| YourScreen"; http_header; reference:url,doc.emergingthreats.net/2003405; classtype:trojan-activity; sid:2003405; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Spyware User-Agent (MyWay)"; flow:established,to_server; content:"MyWay|3b|"; http_header; pcre:"/User-Agent\x3a[^\n]+MyWay/iH"; threshold:type limit, count 1, seconds 360, track by_src; reference:url,doc.emergingthreats.net/2001864; classtype:trojan-activity; sid:2001864; rev:13; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Spyware User-Agent (FunWebProducts)"; flow: established,to_server; content:"FunWebProducts"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+FunWebProducts/Hi"; threshold: type limit, count 1, seconds 360, track by_src; reference:url,doc.emergingthreats.net/2001855; classtype:trojan-activity; sid:2001855; rev:32; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Grandstreet Interactive Spyware User-Agent (IEP)"; flow: to_server,established; content:"User-Agent|3a| IEP"; nocase; http_header; reference:url,doc.emergingthreats.net/2002021; classtype:trojan-activity; sid:2002021; rev:26; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gamehouse.com User-Agent (GAMEHOUSE.NET.URL)"; flow:to_server,established; content:"GAMEHOUSE"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+GAMEHOUSE/iH"; reference:url,doc.emergingthreats.net/2003347; classtype:trojan-activity; sid:2003347; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gamehouse.com Related Spyware User-Agent (Sprout Game)"; flow:to_server,established; content:"User-Agent|3a| Sprout Game|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2003498; classtype:trojan-activity; sid:2003498; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adsincontext.com Related Spyware User-Agent (Connector v1.2)"; flow: established; content:"User-Agent|3a| Connector v"; http_header; reference:url,doc.emergingthreats.net/2008372; classtype:trojan-activity; sid:2008372; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Ask.com Toolbar/Spyware User-Agent (AskPBar)"; flow:established,to_server; content:"AskPBar"; http_header; fast_pattern:only; pcre:"/User-Agent\x3a[^\n]+AskPBar/Hi"; reference:url,doc.emergingthreats.net/2006381; classtype:trojan-activity; sid:2006381; rev:15; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AskSearch Spyware User-Agent (AskSearchAssistant)"; flow:to_server,established; content:"AskSearch"; http_header; fast_pattern:only; pcre:"/User-Agent\x3a[^\n]+AskSearch/iH"; threshold:type limit, count 2, seconds 360, track by_src; reference:url,doc.emergingthreats.net/2003493; classtype:trojan-activity; sid:2003493; rev:15; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AskSearch Toolbar Spyware User-Agent (AskBar)"; flow:to_server,established; content:"|3b| AskBar"; http_header; fast_pattern:only; pcre:"/User-Agent\x3a[^\n]+AskBar/iH"; reference:url,doc.emergingthreats.net/2003496; classtype:trojan-activity; sid:2003496; rev:16; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bestoffersnetwork.com Related Spyware User-Agent (TBONAS)"; flow:to_server,established; content:"User-Agent|3a| TBONAS|0d 0a|"; nocase; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BestOffersNetworks&threatid=43670; reference:url,doc.emergingthreats.net/2003501; classtype:trojan-activity; sid:2003501; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CoolStreaming Toolbar (Conduit related) User-Agent (Coolstreaming Tool-Bar)"; flow:to_server,established; content:"User-Agent|3a| Coolstreaming"; nocase; http_header; reference:url,doc.emergingthreats.net/2003652; classtype:trojan-activity; sid:2003652; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE debelizombi.com (Rizo) related Spyware User-Agent (mc_v1.2.6)"; flow:to_server,established; content:"User-Agent|3a| mc_v1"; nocase; http_header; reference:url,www.f-secure.com/v-descs/rizo.shtml; reference:url,doc.emergingthreats.net/2003656; classtype:trojan-activity; sid:2003656; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Debelizombi.com Spyware User-Agent (blahrx)"; flow:established,to_server; content:"User-Agent|3a| blahrx"; http_header; reference:url,doc.emergingthreats.net/2006778; classtype:trojan-activity; sid:2006778; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Effectivebrands.com Spyware User-Agent (atsu)"; flow:to_server,established; content:"User-Agent|3a| atsu|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2006370; classtype:trojan-activity; sid:2006370; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Effectivebrands.com Spyware User-Agent (GTBank)"; flow:to_server,established; content:"User-Agent|3a| GTBank"; nocase; http_header; reference:url,doc.emergingthreats.net/2003654; classtype:trojan-activity; sid:2003654; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mirage.ru Related Spyware User-Agent (szNotifyIdent)"; flow:established,to_server; content:"User-Agent|3a| szNotifyIdent"; http_header; reference:url,doc.emergingthreats.net/2006782; classtype:trojan-activity; sid:2006782; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Popads123.com Related Spyware User-Agent (LmaokaazLdr)"; flow:established,to_server; content:"User-Agent|3a| LmaokaazLdr"; nocase; http_header; reference:url,doc.emergingthreats.net/2007694; classtype:trojan-activity; sid:2007694; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Trafficadvance.net Spyware User-Agent (Internet 1.0)"; flow:to_server,established; content:"User-Agent|3a| Internet 1."; nocase; http_header; reference:url,doc.emergingthreats.net/2003655; classtype:trojan-activity; sid:2003655; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zredirector.com Related Spyware User-Agent (BndDriveLoader)"; flow:established,to_server; content:"User-Agent|3a| BndDriveLoader"; nocase; http_header; reference:url,doc.emergingthreats.net/2007693; classtype:trojan-activity; sid:2007693; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Trojan.Win32.InternetAntivirus User-Agent (General Antivirus)"; flow:to_server,established; content:"User-Agent|3a| General Antivirus"; nocase; http_header; reference:url,doc.emergingthreats.net/2010679; classtype:trojan-activity; sid:2010679; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE UbrenQuatroRusDldr Downloader User-Agent (UbrenQuatroRusDldr 096044)"; flow:established,to_server; content:"User-Agent|3a| UbrenQuatroRusDldr"; http_header; reference:url,doc.emergingthreats.net/2008202; classtype:trojan-activity; sid:2008202; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BndVeano4GetDownldr Downloader User-Agent (BndVeano4GetDownldr)"; flow:established,to_server; content:"User-Agent|3a| BndVeano4GetDownldr"; http_header; reference:url,doc.emergingthreats.net/2008203; classtype:trojan-activity; sid:2008203; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Geopia.com Fake Anti-Spyware/AV User-Agent (fs3update)"; flow:to_server,established; content:"User-Agent|3a| fs3update|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007935; classtype:trojan-activity; sid:2007935; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Geopia.com Fake Anti-Spyware/AV User-Agent (fian3manager)"; flow:to_server,established; content:"User-Agent|3a| fian3manager|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007938; classtype:trojan-activity; sid:2007938; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Qcbar/Adultlinks Spyware User-Agent (IBSBand)"; flow:to_server,established; content:"User-Agent|3a| IBSBand-"; http_header; reference:url,doc.emergingthreats.net/2006362; classtype:trojan-activity; sid:2006362; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE IE Toolbar User-Agent (IEToolbar)"; flow:established,to_server; content:"User-Agent|3a| IEToolbar"; http_header; reference:url,doc.emergingthreats.net/2009766; classtype:trojan-activity; sid:2009766; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE YourSiteBar User-Agent (istsvc)"; flow: to_server,established; content:"User-Agent|3a| istsvc|0d 0a|"; nocase; http_header; reference:url,www.ysbweb.com; reference:url,doc.emergingthreats.net/2001699; classtype:trojan-activity; sid:2001699; rev:259; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (InTeRNeT)"; flow:to_server,established; content:"User-Agent|3a| |5f|InTeRNeT"; http_header; reference:url,doc.emergingthreats.net/2011127; classtype:trojan-activity; sid:2011127; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Infobox3 Spyware User-Agent (InfoBox)"; flow:established,to_server; content:"User-Agent|3a| InfoBox"; http_header; reference:url,doc.emergingthreats.net/2010934; classtype:trojan-activity; sid:2010934; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Movies-etc User-Agent (IOInstall)"; flow: to_server,established; content:"User-Agent|3a| IOInstall"; nocase; http_header; reference:url,www.movies-etc.com; reference:url,doc.emergingthreats.net/2002404; classtype:trojan-activity; sid:2002404; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Internet Optimizer Activity User-Agent (IOKernel)"; flow: to_server,established; content:" IOKernel/"; http_header; pcre:"/User-Agent\:[^\n]+IOKernel/iH"; reference:url,doc.emergingthreats.net/2001498; classtype:trojan-activity; sid:2001498; rev:34; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Internet-optimizer.com Related Spyware User-Agent (SexTrackerWSI)"; flow:to_server,established; content:"User-Agent|3a| SexTrackerWSI"; nocase; http_header; reference:url,doc.emergingthreats.net/2003627; classtype:trojan-activity; sid:2003627; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/InternetAntivirus User-Agent (Internet Antivirus Pro)"; flow:to_server,established; content:"User-Agent|3a| Internet Antivirus"; nocase; http_header; reference:url,doc.emergingthreats.net/2010218; classtype:trojan-activity; sid:2010218; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE dns-look-up.com Spyware User-Agent (KRSystem)"; flow:to_server,established; content:"User-Agent|3a| KRSystem"; nocase; http_header; reference:url,doc.emergingthreats.net/2003625; classtype:trojan-activity; sid:2003625; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE No-ad.co.kr Fake AV Related User-Agent (U2Clean)"; flow: established,to_server; content:"User-Agent|3a| U2Clean"; http_header; reference:url,doc.emergingthreats.net/2009289; classtype:trojan-activity; sid:2009289; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Viruskill.co.kr Fake AV User-Agent Detected (virus_kill)"; flow:to_server,established; content:"User-Agent|3a| virus_kill"; http_header; reference:url,doc.emergingthreats.net/2009150; classtype:trojan-activity; sid:2009150; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fake AV User-Agent (N1)"; flow:to_server,established; content:"User-Agent|3a| N1|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2009157; classtype:trojan-activity; sid:2009157; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ezday.co.kr Related Spyware User-Agent (Ezshop)"; flow:established,to_server; content:"User-Agent|3a| Ezshop"; http_header; reference:url,doc.emergingthreats.net/2008594; classtype:trojan-activity; sid:2008594; rev:6; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Viruscheck.co.kr Fake Antispyware User-Agent (viruscheck)"; flow: established,to_server; content:"User-Agent|3a| viruscheck"; nocase; http_header; reference:url,doc.emergingthreats.net/2007643; classtype:trojan-activity; sid:2007643; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mycashbank.co.kr Spyware User-Agent (pint_agency)"; flow:established,to_server; content:"User-Agent|3a| pint_agency"; http_header; reference:url,doc.emergingthreats.net/2006413; classtype:trojan-activity; sid:2006413; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Platinumreward.co.kr Spyware User-Agent (WT_GET_COMM)"; flow:established,to_server; content:"User-Agent|3a| WT_GET_COMM"; http_header; reference:url,doc.emergingthreats.net/2006422; classtype:trojan-activity; sid:2006422; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vaccineprogram.co.kr Related Spyware User-Agent (anycleaner)"; flow:established,to_server; content:"User-Agent|3a| anycleaner"; http_header; reference:url,doc.emergingthreats.net/2006419; classtype:trojan-activity; sid:2006419; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorvaccine.co.kr Related Spyware User-Agent (DoctorVaccine)"; flow:established,to_server; content:"User-Agent|3a| DoctorVaccine"; http_header; reference:url,doc.emergingthreats.net/2006421; classtype:trojan-activity; sid:2006421; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorvaccine.co.kr Related Spyware-User Agent (ers)"; flow:established,to_server; content:"User-Agent|3a| ers|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007809; classtype:trojan-activity; sid:2007809; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Spyware User-Agent (doctorpro1)"; flow:established,to_server; content:"User-Agent|3a| doctorpro"; http_header; reference:url,doc.emergingthreats.net/2006423; classtype:trojan-activity; sid:2006423; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Karine.co.kr Related Spyware User Agent (chk Profile)"; flow:established,to_server; content:"User-Agent|3a| chk Profile|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2006429; classtype:trojan-activity; sid:2006429; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Karine.co.kr Related Spyware User-Agent (Access down)"; flow:established,to_server; content:"User-Agent|3a| Access down|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2006430; classtype:trojan-activity; sid:2006430; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Pcclear.co.kr/Pcclear.com Fake AV User-Agent (PCClearPlus)"; flow:to_server,established; content:"User-Agent|3a| PCClear"; http_header; reference:url,www.pcclear.com; reference:url,www.pcclear.co.kr; reference:url,doc.emergingthreats.net/2008198; classtype:trojan-activity; sid:2008198; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE vaccine-program.co.kr Related Spyware User-Agent (vaccine)"; flow:established,to_server; content:"User-Agent|3a| vaccine"; http_header; reference:url,doc.emergingthreats.net/2008200; classtype:trojan-activity; sid:2008200; rev:6; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE yeps.co.kr Related User-Agent (ISecu)"; flow:established,to_server; content:"User-Agent|3a| ISecu"; http_header; reference:url,doc.emergingthreats.net/2008204; classtype:trojan-activity; sid:2008204; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE yeps.co.kr Related User-Agent (ISUpd)"; flow:established,to_server; content:"User-Agent|3a| ISUpd"; http_header; reference:url,doc.emergingthreats.net/2008205; classtype:trojan-activity; sid:2008205; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Nguide.co.kr Fake Security Tool User-Agent (nguideup)"; flow:to_server,established; content:"User-Agent|3a| nguideup|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007947; classtype:trojan-activity; sid:2007947; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Msconfig.co.kr Related User Agent (BACKMAN)"; flow:to_server,established; content:"User-Agent|3a| BACKMAN|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007958; classtype:trojan-activity; sid:2007958; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Msconfig.co.kr Related User-Agent (GLOBALx)"; flow:to_server,established; content:"User-Agent|3a| GLOBAL"; http_header; reference:url,doc.emergingthreats.net/2007959; classtype:trojan-activity; sid:2007959; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Kpang.com Spyware User-Agent (auctionplusup)"; flow:to_server,established; content:"User-Agent|3a| auctionplusup|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007900; classtype:trojan-activity; sid:2007900; rev:6; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchspy.co.kr Spyware User-Agent (HTTPGETDATA)"; flow:to_server,established; content:"User-Agent|3a| HTTPGETDATA|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007908; classtype:trojan-activity; sid:2007908; rev:6; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchspy.co.kr Spyware User-Agent (HTTPFILEDOWN)"; flow:to_server,established; content:"User-Agent|3a| HTTPFILEDOWN|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007909; classtype:trojan-activity; sid:2007909; rev:6; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchspy.co.kr Spyware User-Agent (HTTP_FILEDOWN)"; flow:to_server,established; content:"User-Agent|3a| HTTP_FILEDOWN|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007910; classtype:trojan-activity; sid:2007910; rev:6; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Donkeyhote.co.kr Spyware User-Agent (UDonkey)"; flow:to_server,established; content:"User-Agent|3a| UDonkey|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007927; classtype:trojan-activity; sid:2007927; rev:6; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gcashback.co.kr Spyware User-Agent (InvokeAd)"; flow:to_server,established; content:"User-Agent|3a| InvokeAd|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007928; classtype:trojan-activity; sid:2007928; rev:6; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Live Enterprise Suite)"; flow:to_server,established; content:"User-Agent|3a| Live Enterprise Suite"; http_header; nocase; reference:url,doc.emergingthreats.net/2010727; classtype:trojan-activity; sid:2010727; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE NewWeb User-Agent (Lobo Lunar)"; flow: established,to_server; content:"User-Agent|3a| Lobo Lunar"; http_header; reference:url,doc.emergingthreats.net/2009222; classtype:trojan-activity; sid:2009222; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MalwareWiped.com Spyware User-Agent (MalwareWiped)"; flow:to_server,established; content:"User-Agent|3a| MalwareWiped"; nocase; http_header; reference:url,doc.emergingthreats.net/2003582; classtype:trojan-activity; sid:2003582; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adwave/MarketScore User-Agent (WTA)"; flow: to_server,established; content:"User-Agent|3a| WTA_"; http_header; reference:url,www.adwave.com/our_mission.aspx; reference:url,www.marketscore.com; reference:url,doc.emergingthreats.net/2002394; classtype:trojan-activity; sid:2002394; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Megaupload Spyware User-Agent (Megaupload)"; flow:to_server,established; content:"User-Agent|3a| Megaupload|0d 0a|"; http_header; reference:url,www.budsinc.com; reference:url,doc.emergingthreats.net/2003224; classtype:trojan-activity; sid:2003224; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE RubyFortune Spyware Capabilities User-Agent (Microgaming Install Program) - GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| Microgaming Install Program|0d 0a|"; nocase; http_header; reference:url,vil.nai.com/vil/content/v_151034.htm; reference:url,www.emsisoft.com/en/malware/?Adware.Win32.Ruby+Fortune+Casino+3.2.0.25; reference:url,www.threatexpert.com/reports.aspx?find=mgsmup.com; reference:url,doc.emergingthreats.net/2009783; classtype:trojan-activity; sid:2009783; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mirar Bar Spyware User-Agent (Mbar)"; flow:to_server,established; content:"User-Agent|3a| Mbar|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2003928; classtype:trojan-activity; sid:2003928; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mirar Bar Spyware User-Agent (Mirar_Toolbar)"; flow:to_server,established; content:"User-Agent|3a| Mirar_Toolbar"; nocase; http_header; reference:url,doc.emergingthreats.net/2003929; classtype:trojan-activity; sid:2003929; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mirar Spyware User-Agent (Mirar_KeywordContent)"; flow:to_server,established; content:"User-Agent|3a| Mirar_KeywordContent|0d 0a|"; nocase; http_header; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078818; reference:url,doc.emergingthreats.net/2003490; classtype:trojan-activity; sid:2003490; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Miva User-Agent (TPSystem)"; flow: to_server,established; content:"User-Agent|3a| TPSystem"; nocase; http_header; reference:url,www.miva.com; reference:url,www.findwhat.com; reference:url,doc.emergingthreats.net/2002395; classtype:trojan-activity; sid:2002395; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Miva Spyware User-Agent (Travel Update)"; flow: to_server,established; content:"User-Agent|3a| Travel Update|0d 0a|"; http_header; reference:url,www.miva.com; reference:url,doc.emergingthreats.net/2002396; classtype:trojan-activity; sid:2002396; rev:11; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Morpheus Spyware Install User-Agent (SmartInstaller)"; flow:to_server,established; content:"SmartInstaller"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+SmartInstaller/iH"; reference:url,doc.emergingthreats.net/2003398; classtype:trojan-activity; sid:2003398; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Msgplus.net Spyware/Adware User-Agent (MsgPlus3)"; flow:to_server,established; content:"User-Agent|3a| MsgPlus3"; nocase; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Messenger%20Plus!&threatid=14931; reference:url,doc.emergingthreats.net/2003529; classtype:trojan-activity; sid:2003529; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MySearch Products Spyware User-Agent (MySearch)"; flow:established,to_server; content:" MySearch"; http_header; fast_pattern; pcre:"/User-Agent\x3a[^\n]+MySearch/iH"; reference:url,doc.emergingthreats.net/2002080; classtype:trojan-activity; sid:2002080; rev:26; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Enhance My Search Spyware User-Agent (HelperH)"; flow: established,to_server; content:"HelperH"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+HelperH/iH"; reference:url,doc.emergingthreats.net/2001746; classtype:trojan-activity; sid:2001746; rev:38; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mysearch.com/Morpheus Bar Spyware User-Agent (Morpheus)"; flow:to_server,established; content:" Morpheus"; fast_pattern:only; http_header; pcre:"/User-Agent\:[^\n]+Morpheus/iH"; reference:url,doc.emergingthreats.net/2003396; classtype:trojan-activity; sid:2003396; rev:15; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE searchenginebar.com Spyware User-Agent (RX Bar)"; flow:to_server,established; content:"User-Agent|3a| RX Bar"; nocase; http_header; reference:url,doc.emergingthreats.net/2003407; classtype:trojan-activity; sid:2003407; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mysearch.com Spyware User-Agent (iMeshBar)"; flow:to_server,established; content:"iMeshBar"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+iMeshBar/iH"; reference:url,doc.emergingthreats.net/2003406; classtype:trojan-activity; sid:2003406; rev:14; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (My Session)"; flow:to_server,established; content:"User-Agent|3a| My Session"; nocase; http_header; content:!".windows.net|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2010677; classtype:trojan-activity; sid:2010677; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_02_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyWebSearch Spyware User-Agent (MyWebSearch)"; flow: established,to_server; content:"MyWebSearch"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+MyWebSearch/Hi"; reference:url,doc.emergingthreats.net/2001865; classtype:trojan-activity; sid:2001865; rev:29; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE NavExcel Spyware User-Agent (NavHelper)"; flow:to_server,established; content:"User-Agent|3a| NavHelper"; nocase; http_header; reference:url,doc.emergingthreats.net/2005321; classtype:trojan-activity; sid:2005321; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE NewWeb/Sudui.com Spyware User-Agent (B Register)"; flow:established,to_server; content:"User-Agent|3a| B Register"; nocase; http_header; reference:url,doc.emergingthreats.net/2007597; classtype:trojan-activity; sid:2007597; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE NewWeb/Sudui.com Spyware User-Agent (updatesodui)"; flow:established,to_server; content:"User-Agent|3a| updatesodui"; nocase; http_header; reference:url,doc.emergingthreats.net/2007598; classtype:trojan-activity; sid:2007598; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE NewWeb/Sudui.com Spyware User-Agent (aaaabbb)"; flow:established,to_server; content:"User-Agent|3a| aaaabbb"; nocase; http_header; reference:url,doc.emergingthreats.net/2007599; classtype:trojan-activity; sid:2007599; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Oemji Spyware User-Agent (Oemji)"; flow:to_server,established; content:" Oemji"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+Oemji/iH"; reference:url,doc.emergingthreats.net/2003468; classtype:trojan-activity; sid:2003468; rev:12; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Recuva User-Agent (OpenPage) - likely trojan dropper"; flow:to_server,established; content:"User-Agent|3a| OpenPage"; http_header; reference:url,doc.emergingthreats.net/2011101; classtype:trojan-activity; sid:2011101; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Personalweb Spyware User-Agent (PWMI/1.0)"; flow:to_server,established; content:"User-Agent|3a| PWMI/"; nocase; http_header; reference:url,doc.emergingthreats.net/2003926; classtype:trojan-activity; sid:2003926; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Pivim Multibar User-Agent (Pivim Multibar)"; flow:established,to_server; content:"User-Agent|3a| Pivim"; http_header; reference:url,doc.emergingthreats.net/2009765; classtype:trojan-activity; sid:2009765; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Popupblockade.com Spyware Related User-Agent (PopupBlockade/1.63.0.2/Reg)"; flow:established,to_server; content:"User-Agent|3a| PopupBlockade"; http_header; reference:url,doc.emergingthreats.net/2008894; classtype:trojan-activity; sid:2008894; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Privacyprotector Related Spyware User-Agent (Ssol NetInstaller)"; flow:to_server,established; content:"User-Agent|3a| Ssol NetInstaller"; http_header; reference:url,doc.emergingthreats.net/2008040; classtype:trojan-activity; sid:2008040; rev:6; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adload.Generic Spyware User-Agent (ProxyDown)"; flow:to_server,established; content:"User-Agent|3a| ProxyDown"; nocase; http_header; reference:url,doc.emergingthreats.net/2003639; classtype:trojan-activity; sid:2003639; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE qq.com related Spyware User-Agent (QQGame)"; flow:to_server,established; content:"User-Agent|3a| QQGame"; nocase; http_header; reference:url,doc.emergingthreats.net/2003658; classtype:trojan-activity; sid:2003658; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE QVOD Related Spyware/Malware User-Agent (Qvod)"; flow:established,to_server; content:"User-Agent|3a| Qvod"; nocase; http_header; reference:url,www.siteadvisor.com/sites/update.qvod.com; reference:url,www.threatexpert.com/reports.aspx?find=update.qvod.com; reference:url,doc.emergingthreats.net/2009785; classtype:trojan-activity; sid:2009785; rev:9; metadata:created_at 2010_07_30, updated_at 2016_09_29;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE FakeAV Windows Protection Suite/ReleaseXP.exe User-Agent (Releasexp)"; flow:established,to_server; content:"User-Agent|3a| Releasexp|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2009796; classtype:trojan-activity; sid:2009796; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AV2010 Rogue Security Application User-Agent (AV2010)"; flow:to_server,established; content:"User-Agent|3a| AV2010"; http_header; reference:url,doc.emergingthreats.net/2008656; classtype:trojan-activity; sid:2008656; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shop at Home Select Spyware User-Agent (Bundle)"; flow: established,to_server; content:"User-Agent|3a| Bundle"; http_header; reference:url,doc.emergingthreats.net/2001702; classtype:policy-violation; sid:2001702; rev:35; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shop at Home Select Spyware User-Agent (SAH)"; flow: established,to_server; content:"SAH Agent"; http_header; fast_pattern:only; reference:url,doc.emergingthreats.net/2001707; classtype:policy-violation; sid:2001707; rev:35; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shopathomeselect.com Spyware User-Agent (WebDownloader)"; flow: to_server,established; content:"WebDownloader"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+WebDownloader/iH"; reference:url,doc.emergingthreats.net/2002038; classtype:trojan-activity; sid:2002038; rev:250; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Save)"; flow:to_server,established; content:"User-Agent|3a| Save|0d 0a|"; http_header; reference:url,poweredbysave.com; classtype:trojan-activity; sid:2011120; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Search Engine 2000 Spyware User-Agent (searchengine)"; flow: established,to_server; content:" searchengine"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+searchengine/iH"; reference:url,doc.emergingthreats.net/2001867; classtype:trojan-activity; sid:2001867; rev:28; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Generic.Malware.dld User-Agent (Sickloader)"; flow:to_server,established; content:"User-Agent|3a| Sickloader"; nocase; http_header; reference:url,doc.emergingthreats.net/2003644; classtype:trojan-activity; sid:2003644; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware User-Agent (Sidesearch)"; flow: established,to_server; content:"User-Agent|3a| Sidesearch"; http_header; reference:url,doc.emergingthreats.net/2001869; classtype:trojan-activity; sid:2001869; rev:26; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sidebar Related Spyware User-Agent (Sidebar Client)"; flow:established,to_server; content:"User-Agent|3a| Sidebar"; http_header; reference:url,doc.emergingthreats.net/2008201; classtype:trojan-activity; sid:2008201; rev:6; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Smileware Connection Spyware Related User-Agent (Smileware Connection)"; flow:established,to_server; content:"User-Agent|3a| Smileware"; http_header; reference:url,doc.emergingthreats.net/2008892; classtype:trojan-activity; sid:2008892; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sogou.com Spyware User-Agent (SogouIMEMiniSetup)"; flow:established,to_server; content:"User-Agent|3a| SogouIME"; http_header; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/2008500; classtype:trojan-activity; sid:2008500; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2017_04_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (SogouExplorerMiniSetup)"; flow:to_server,established; content:"User-Agent|3a| SogouExplorerMiniSetup"; nocase; http_header; reference:url,doc.emergingthreats.net/2010675; classtype:trojan-activity; sid:2010675; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SpamBlockerUtility Fake Anti-Spyware User-Agent (SpamBlockerUtility x.x.x)"; flow:to_server,established; content:"SpamBlockerUtility "; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+SpamBlockerUtility \d/iH"; threshold: type limit, count 1, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2003384; classtype:trojan-activity; sid:2003384; rev:13; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Speed-runner.com Fake Speed Test User-Agent (SRInstaller)"; flow:to_server,established; content:"User-Agent|3a| SRInstaller|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008145; classtype:trojan-activity; sid:2008145; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Speed-runner.com Fake Speed Test User-Agent (SpeedRunner)"; flow:to_server,established; content:"User-Agent|3a| SpeedRunner|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008146; classtype:trojan-activity; sid:2008146; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Speed-runner.com Fake Speed Test User-Agent (SRRecover)"; flow:to_server,established; content:"User-Agent|3a| SRRecover|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008151; classtype:trojan-activity; sid:2008151; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE iDownloadAgent Spyware User-Agent (iDownloadAgent)"; flow:to_server,established; content:"iDownloadAgent"; http_header; pcre:"/User-Agent\:[^\n]+iDownloadAgent/H"; reference:url,doc.emergingthreats.net/2002739; classtype:trojan-activity; sid:2002739; rev:13; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyaxe Spyware User-Agent (spywareaxe)"; flow:to_server,established; content:"spywareaxe"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+spywareaxe/H"; reference:url,doc.emergingthreats.net/2002808; classtype:trojan-activity; sid:2002808; rev:13; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SpyDawn.com Fake Anti-Spyware User-Agent (SpyDawn)"; flow:to_server,established; content:"User-Agent|3a| SpyDawn|0d 0a|"; nocase; http_header; reference:url,www.spywareguide.com/spydet_3366_spydawn.html; reference:url,doc.emergingthreats.net/2003499; classtype:trojan-activity; sid:2003499; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyhealer Fake Anti-Spyware Install User-Agent (SpyHealer)"; flow:to_server,established; content:"User-Agent|3a| SpyHeal"; nocase; http_header; reference:url,doc.emergingthreats.net/2003399; classtype:trojan-activity; sid:2003399; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spylocked Fake Anti-Spyware User-Agent (SpyLocked)"; flow:to_server,established; content:"User-Agent|3a| SpyLocked"; nocase; http_header; classtype:trojan-activity; sid:2005322; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Statblaster.com Spyware User-Agent (fetcher)"; flow:to_server,established; content:"User-Agent|3a| fetcher|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2005318; classtype:trojan-activity; sid:2005318; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware User-Agent (sureseeker)"; flow: established,to_server; content:"sureseeker"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+sureseeker\.com/iH"; reference:url,doc.emergingthreats.net/2001868; classtype:trojan-activity; sid:2001868; rev:27; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Surfplayer Spyware User-Agent (SurferPlugin)"; flow: established,to_server; content:"SurferPlugin"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+SurferPlugin/iH"; reference:url,doc.emergingthreats.net/2001870; classtype:trojan-activity; sid:2001870; rev:24; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware Related User-Agent (UtilMind HTTPGet)"; flow: to_server,established; content:"UtilMind HTTPGet"; http_header; fast_pattern:only; content:!"Host|3a| www.blueocean.com"; nocase; http_header; content:!"Host|3a 20|www.backupmaker.com"; http_header; nocase; threshold: type limit, count 1, track by_src, seconds 360; reference:url,www.websearch.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002402; classtype:trojan-activity; sid:2002402; rev:17; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Informer from RBC)"; flow:to_server,established; content:"Informer from RBC"; http_header; fast_pattern:only;  reference:url,www.kliksoftware.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003205; classtype:trojan-activity; sid:2003205; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Download Agent) Possibly Related to TrinityAcquisitions.com"; flow:to_server,established; content:"User-Agent|3a| Download Agent"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003243; classtype:trojan-activity; sid:2003243; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Autoupdate)"; flow:to_server,established; content:"User-Agent|3a| Autoupdate"; nocase; http_header; content:!"Host|3a| update.nai.com"; nocase; http_header; content:!"McAfeeAutoUpdate"; nocase; http_header; content:!"nokia.com"; nocase; http_header; content:!"sophosupd.com"; nocase; http_header; content:!"sophosupd.net"; nocase; http_header; content:!" Creative AutoUpdate v"; http_header; content:!"wholetomato.com"; http_header; content:!".acclivitysoftware.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003337; classtype:trojan-activity; sid:2003337; rev:16; metadata:created_at 2010_07_30, updated_at 2017_01_05;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (Toolbar) Possibly Malware/Spyware"; flow:to_server,established; content:"User-Agent|3a| Toolbar"; http_header; content:!"cf.icq.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003463; classtype:trojan-activity; sid:2003463; rev:15; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (ms)"; flow:to_server,established; content:"User-Agent|3a| ms|0d 0a|"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2003497; classtype:trojan-activity; sid:2003497; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (DIALER)"; flow:to_server,established; content:"User-Agent|3a| DIALER"; nocase; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2003566; classtype:trojan-activity; sid:2003566; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (update)"; flow:to_server,established; content:"User-Agent|3a| update|0d 0a|"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2003583; classtype:trojan-activity; sid:2003583; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Trojan User-Agent (Windows Updates Manager)"; flow:to_server,established; content:"User-Agent|3a| Windows Updates Manager"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2003585; classtype:trojan-activity; sid:2003585; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Double User-Agent (User-Agent User-Agent)"; flow:to_server,established; content:"User-Agent|3a| User-Agent|3a| "; nocase; http_header; content:!"User-Agent|3A| SogouMobileTool"; nocase; http_header; content:!".lge.com|3a|80|0d 0a|"; http_header; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; classtype:trojan-activity; sid:2003626; rev:10; metadata:created_at 2010_07_30, updated_at 2017_11_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User Agent (TEST) - Likely Webhancer Related Spyware"; flow:to_server,established; content:"User-Agent|3a| TEST|0d 0a|"; http_header; content:!"Host|3a 20|messagecenter.comodo.com"; content:!"symantec.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2006357; classtype:trojan-activity; sid:2006357; rev:9; metadata:created_at 2010_07_30, updated_at 2017_01_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (Huai_Huai)"; flow:to_server,established; content:"User-Agent|3a| Huai_Huai|0d 0a|"; http_header; reference:md5,ee600bdcc45989750dee846b5049f935; reference:md5,91b9aa25563ae524d3ca4582630eb8eb; reference:md5,1051f7176fe0a50414649d369e752e98; classtype:trojan-activity; sid:2006361; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (006)"; flow:established,to_server; content:"User-Agent|3a| 00"; http_header; pcre:"/User-Agent\: 00\d+\x0d\x0a/H"; reference:url,doc.emergingthreats.net/bin/view/Main/2006388; classtype:trojan-activity; sid:2006388; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Dummy)"; flow: established,to_server; content:"User-Agent|3a| Dummy"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007570; classtype:trojan-activity; sid:2007570; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (AntiSpyware) - Likely 2squared.com related"; flow: established,to_server; content:"User-Agent|3a| AntiSpyware"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007575; classtype:trojan-activity; sid:2007575; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware User-Agent (XXX)"; flow:established,to_server; content:"User-Agent|3a| XXX|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007648; classtype:trojan-activity; sid:2007648; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware User-Agent (QdrBi Starter)"; flow:established,to_server; content:"User-Agent|3a| QdrBi Starter|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007659; classtype:trojan-activity; sid:2007659; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware User-Agent (install_s)"; flow:established,to_server; content:"User-Agent|3a| install_"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007666; classtype:trojan-activity; sid:2007666; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware User-Agent (count)"; flow:established,to_server; content:"User-Agent|3a| count|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007667; classtype:trojan-activity; sid:2007667; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Internet Explorer (compatible))"; flow:to_server,established; content:"User-Agent|3a| Internet Explorer (compatible)|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007772; classtype:trojan-activity; sid:2007772; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Mozilla) - Possible Spyware Related"; flow:to_server,established; content:"User-Agent|3a| Mozilla|0d 0a|"; http_header; content:!"smartcom.com|0d 0a|"; http_header; content:!"iscoresports.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007854; classtype:trojan-activity; sid:2007854; rev:10; metadata:created_at 2010_07_30, updated_at 2017_01_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (microsoft) - Possible Trojan Downloader"; flow:to_server,established; content:"User-Agent|3a| microsoft|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007859; classtype:trojan-activity; sid:2007859; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Internet Explorer 6.0) - Possible Trojan Downloader"; flow:to_server,established; content:"User-Agent|3a| Internet Explorer 6.0|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007860; classtype:trojan-activity; sid:2007860; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Firefox) - Possible Trojan Downloader"; flow:to_server,established; content:"User-Agent|3a| Firefox|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007868; classtype:trojan-activity; sid:2007868; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Example)"; flow:to_server,established; content:"User-Agent|3a| Example|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007884; classtype:trojan-activity; sid:2007884; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (downloader)"; flow:to_server,established; content:"User-Agent|3a| downloader|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007885; classtype:trojan-activity; sid:2007885; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (HTTP_CONNECT)"; flow:to_server,established; content:"User-Agent|3a| HTTP_CONNECT|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007899; classtype:trojan-activity; sid:2007899; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Explorer)"; flow:to_server,established; content:"User-Agent|3a| Explorer|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007921; classtype:trojan-activity; sid:2007921; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (User-Agent Mozilla/4.0 (compatible ))"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| )|0d 0a|"; fast_pattern:19,20; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007929; classtype:trojan-activity; sid:2007929; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (HTTP)"; flow:to_server,established; content:"User-Agent|3a| HTTP|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007943; classtype:trojan-activity; sid:2007943; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (popup)"; flow:to_server,established; content:"User-Agent|3a| popup|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007946; classtype:trojan-activity; sid:2007946; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (single dash)"; flow:to_server,established; content:"User-Agent|3a| |2d 0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007880; classtype:trojan-activity; sid:2007880; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (double dashes)"; flow:to_server,established; content:"User-Agent|3a| |2d 2d 0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007948; classtype:trojan-activity; sid:2007948; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (2 spaces)"; flow:to_server,established; content:"User-Agent|3a 20 20 0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007993; classtype:trojan-activity; sid:2007993; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_header; content:!"deezer.com|0d 0a|"; http_header; content:!"googlezip.net"; http_header; content:!"metrics.tbliab.net|0d 0a|"; http_header; content:!"dajax.com|0d 0a|"; http_header; content:!"update.eset.com|0d 0a|"; http_header; content:!".sketchup.com|0d 0a|"; http_header; content:!".yieldmo.com|0d 0a|"; http_header; content:!"ping-start.com|0d 0a|"; http_header; content:!".bluekai.com"; http_header; content:!".stockstracker.com"; http_header; content:!".doubleclick.net"; http_header; content:!".pingstart.com"; http_header; content:!".colis-logistique.com"; http_header; content:!"android-lrcresource.wps.com"; http_header; content:!"track.package-buddy.com"; http_header; content:!"talkgadget.google.com"; http_header; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:20; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2018_04_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Internet)"; flow:to_server,established; content:"User-Agent|3a| Internet|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008013; classtype:trojan-activity; sid:2008013; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Win95)"; flow:to_server,established;  content:"Win95"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+Win95/H"; reference:url,doc.emergingthreats.net/bin/view/Main/2008015; classtype:trojan-activity; sid:2008015; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (Mozilla/4.0 (compatible ICS))"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| ICS)"; http_header; fast_pattern:21,20; content:!".iobit.com|0d 0a|"; http_header; content:!".microsoft.com|0d 0a|"; http_header; content:!".cnn.com|0d 0a|"; http_header; content:!".wunderground.com"; http_header; content:!".weatherbug.com"; http_header; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/bin/view/Main/2008038; classtype:trojan-activity; sid:2008038; rev:12; metadata:created_at 2010_07_30, updated_at 2017_12_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Internet Explorer)"; flow:to_server,established; content:"User-Agent|3a| Internet Explorer|0d 0a|"; http_header; content:!"Host|3a| pnrws.skype.com|0d 0a|"; http_header; content:!"iecvlist.microsoft.com"; http_header; content:!".lenovo.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008052; classtype:trojan-activity; sid:2008052; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Blank User-Agent (descriptor but no string)"; flow:to_server,established; content:"User-Agent|3a 0d 0a|"; http_header; content:!"check.googlezip.net|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008066; classtype:trojan-activity; sid:2008066; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Misspelled Mozilla User-Agent (Mozila)"; flow:to_server,established; content:"User-Agent|3a| Mozila"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008210; classtype:trojan-activity; sid:2008210; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (FTP)"; flow: to_server,established; content:"User-Agent|3a| Ftp|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008735; classtype:trojan-activity; sid:2008735; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Admoke/Adload.AFB!tr.dldr Checkin"; flow: to_server,established; content:"/keyword.html"; http_uri; content:"User-Agent|3a| bdwinrun"; nocase; http_header; reference:md5,6085f2ff15282611fd82f9429d82912b; classtype:trojan-activity; sid:2008742; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (bdsclk) - Possible Admoke Admware"; flow: to_server,established; content:"User-Agent|3a| bdsclk"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008743; classtype:trojan-activity; sid:2008743; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> [!208.87.232.0/21,!216.115.208.0/20,!216.219.112.0/20,!66.151.158.0/24,!66.151.150.160/27,!66.151.115.128/26,!64.74.80.0/24,!202.173.24.0/21,!67.217.64.0/19,!78.108.112.0/20,!68.64.0.0/19,!206.183.100.0/22,!173.199.0.0/18,!103.15.16.0/22,!180.153.30.0/23,!140.207.108.0/23,!23.239.224.0/19,!185.36.20.0/22,!8.28.150.0/24,!54.208.0.0/15,!54.248.0.0/15,!70.42.29.0/27,!72.5.190.0/24,!104.129.194.0/24,!104.129.200.0/24,!199.168.148.0/24,!199.168.151.0/24,!216.52.207.64/26,$EXTERNAL_NET] $HTTP_PORTS (msg:"ET MALWARE User-Agent (Mozilla/4.0 (compatible))"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|29 0d 0a|"; fast_pattern:18,20; http_header; content:!"citrixonline.com"; http_header; content:!"/?rnd="; depth:6; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008974; classtype:trojan-activity; sid:2008974; rev:14; metadata:created_at 2010_07_30, updated_at 2017_01_24;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (IE_6.0)"; flow:to_server,established; content:"User-Agent|3a| IE_6.0"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2009021; classtype:trojan-activity; sid:2009021; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (FileDownloader)"; flow:to_server,established; content:"User-Agent|3a| FileDownloader"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2009027; classtype:trojan-activity; sid:2009027; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (get_site1)"; flow:to_server,established; content:"User-Agent|3a| get_site"; http_header; reference:url,doc.emergingthreats.net/2009111; classtype:trojan-activity; sid:2009111; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (GETJOB)"; flow:to_server,established; content:"User-Agent|3a| GETJOB"; http_header; reference:url,doc.emergingthreats.net/2009124; classtype:trojan-activity; sid:2009124; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Mozilla/4.8 ru)"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.8 [ru] (Windows NT 6.0|3b| U)|0d 0a|"; fast_pattern:12,17; http_header; reference:url,doc.emergingthreats.net/2009438; classtype:trojan-activity; sid:2009438; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (HelpSrvc)"; flow:established,to_server; content:"User-Agent|3a| HelpSrvc|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2009439; classtype:trojan-activity; sid:2009439; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (AgavaDwnl) - Possibly Xema"; flow:established,to_server; content:"User-Agent|3a| AgavaDwnl|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2009445; classtype:trojan-activity; sid:2009445; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (_TEST_)"; flow: to_server,established; content:"User-Agent|3a| _TEST_"; nocase; http_header; reference:url,doc.emergingthreats.net/2009545; classtype:trojan-activity; sid:2009545; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (User Agent) - Likely Hostile"; flow:established,to_server; content:"User-Agent|3a| User Agent"; http_header; reference:url,doc.emergingthreats.net/2009930; classtype:trojan-activity; sid:2009930; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (MyIE/1.0)"; flow:established,to_server; content:"User-Agent|3a| MyIE/"; http_header; reference:url,doc.emergingthreats.net/2009991; classtype:trojan-activity; sid:2009991; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (ONANDON)"; flow:established,to_server; content:"User-Agent|3a| ONANDON|0d 0a|"; http_header; nocase; reference:url,doc.emergingthreats.net/2009995; classtype:trojan-activity; sid:2009995; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fake Wget User-Agent (wget 3.0) - Likely Hostile"; flow:to_server,established; content:"User-Agent|3a| wget 3.0|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007961; classtype:trojan-activity; sid:2007961; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (Sme32)"; flow: established, to_server; content:"User-Agent|3a| Sme32|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2010137; classtype:trojan-activity; sid:2010137; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (M0zilla)"; flow:established,to_server; content:"User-Agent|3A 20|M0zilla/4.0|20|(compatible)"; http_header;  reference:url,doc.emergingthreats.net/2010265; classtype:trojan-activity; sid:2010265; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (CrazyBro)"; flow:established,to_server; content:"User-Agent|3a| CrazyBro"; nocase; http_header; reference:url,www.f-secure.com/v-descs/trojan-proxy_w32_kvadr_gen!a.shtml; reference:url,www.threatexpert.com/report.aspx?md5=fd2d6bb1d2a9803c49f1e175d558a934; reference:url,www.threatexpert.com/report.aspx?md5=e4664144f8e95cfec510d5efa24a35e7; reference:url,anubis.iseclab.org/?action=result&task_id=14118b80c1b346124c183394d5b3004b1&format=html; reference:url,doc.emergingthreats.net/2010333; classtype:trojan-activity; sid:2010333; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (ie) - Possible Trojan Downloader"; flow:established,to_server; content:"User-Agent|3a| ie|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007827; classtype:trojan-activity; sid:2007827; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (MSIE7 na)"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| na|3b| )"; http_header; fast_pattern:37,14; reference:url,doc.emergingthreats.net/2010461; classtype:trojan-activity; sid:2010461; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (???)"; flow:established,to_server; content:"User-Agent|3a| ???"; http_header; content:!"|20|Sparkle|2f|"; http_header; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/2010595; classtype:trojan-activity; sid:2010595; rev:5; metadata:created_at 2010_07_30, updated_at 2017_05_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent Mozilla/3.0"; flow:established,to_server; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Internet Explorer)"; http_header; fast_pattern:12,20; reference:url,doc.emergingthreats.net/2010599; classtype:trojan-activity; sid:2010599; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET MALWARE Fake Mozilla User-Agent (Mozilla/0.xx) Inbound"; flow:established,to_server; content:"User-Agent|3a| Mozilla/0."; http_header; fast_pattern:11,11; reference:url,doc.emergingthreats.net/2010904; classtype:bad-unknown; sid:2010904; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fake Mozilla UA Outbound (Mozilla/0.xx)"; flow:established,to_server; content:"User-Agent|3a| Mozilla/0."; fast_pattern:11,11; http_header; reference:url,doc.emergingthreats.net/2010905; classtype:bad-unknown; sid:2010905; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Download Master) - Possible Malware Downloader"; flow:established,to_server; content:"User-Agent|3a| Download Master"; http_header; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.httpuseragent.org/list/Download+Master-n727.htm; reference:url,www.westbyte.com/dm/; reference:url,doc.emergingthreats.net/2011146; classtype:policy-violation; sid:2011146; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (webcount)"; flow:to_server,established; content:"GET"; nocase; http_method; content:"User-Agent|3a| webcount"; http_header; reference:url,doc.emergingthreats.net/2011149; classtype:trojan-activity; sid:2011149; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (HTTP_Query)"; flow:to_server,established; content:"User-Agent|3a| HTTP_Query|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2011678; classtype:trojan-activity; sid:2011678; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (dbcount)"; flow:to_server,established; content:"User-Agent|3a| dbcount|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011679; classtype:trojan-activity; sid:2011679; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET MALWARE User-Agent (RangeCheck/0.1)"; flow:established,to_server; content:"User-Agent|3a| RangeCheck/0.1|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2011718; classtype:trojan-activity; sid:2011718; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sogou Toolbar Checkin"; flow:to_server,established; content:"/seversion.txt"; http_uri; content:"User-Agent|3a| SeFastSetup"; http_header; reference:url,doc.emergingthreats.net/2011225; classtype:trojan-activity; sid:2011226; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Suggestion)"; flow:to_server,established; content:"GET"; nocase; http_method; content:"User-Agent|3a| Suggestion|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011229; classtype:trojan-activity; sid:2011229; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Mozilla/4.0 (SP3 WINLD))"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 |28|SP3 WINLD|29 0d 0a|"; http_header; fast_pattern:23,14; reference:url,doc.emergingthreats.net/2011238; classtype:trojan-activity; sid:2011238; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Target Saver Spyware User-Agent (TSA)"; flow: established,to_server; content:"User-Agent|3a| TSA/"; http_header; reference:url,doc.emergingthreats.net/2001871; classtype:trojan-activity; sid:2001871; rev:22; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TryMedia Spyware User-Agent (TryMedia_DM_2.0.0)"; flow:established,to_server; content:"User-Agent|3a| TryMedia_DM_"; nocase; http_header; reference:url,doc.emergingthreats.net/2007600; classtype:trojan-activity; sid:2007600; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE UCMore Spyware User-Agent (UCmore) "; flow: to_server,established; content:" UCmore"; http_header; pcre:"/User-Agent\:[^\n]+UCmore/iH"; reference:url,doc.emergingthreats.net/2001736; classtype:trojan-activity; sid:2001736; rev:271; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE UCMore Spyware User-Agent (EI)"; flow: to_server,established; content:"User-Agent|3a| EI|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2001996; classtype:trojan-activity; sid:2001996; rev:14; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE www.vaccinekiller.com Related Spyware User-Agent (VaccineKillerIU)"; flow:established,to_server; content:"User-Agent|3a| VaccineKiller"; http_header; reference:url,doc.emergingthreats.net/2009993; classtype:trojan-activity; sid:2009993; rev:6; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Visicom Spyware User-Agent (Visicom)"; flow: established,to_server; content:"Visicom"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+Visicom/iH"; threshold: type limit, count 1, seconds 360, track by_src; reference:url,doc.emergingthreats.net/2001872; classtype:trojan-activity; sid:2001872; rev:31; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vombanetwork Spyware User-Agent (VombaProductsInstaller)"; flow:to_server,established; content:"User-Agent|3a| Vomba"; http_header; reference:url,doc.emergingthreats.net/2007869; classtype:trojan-activity; sid:2007869; rev:6; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Webbuying.net Spyware Install User-Agent (wbi_v0.90)"; flow:to_server,established; content:" wbi_v0."; fast_pattern:only; http_header; pcre:"/User-Agent\:[^\n]+wbi_v\d/iH"; reference:url,doc.emergingthreats.net/2003441; classtype:trojan-activity; sid:2003441; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win-touch.com Spyware User-Agent (WTRecover)"; flow:established,to_server; content:"User-Agent|3a| WTRecover"; http_header; reference:url,doc.emergingthreats.net/2006392; classtype:trojan-activity; sid:2006392; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win-touch.com Spyware User-Agent (WTInstaller)"; flow:established,to_server; content:"User-Agent|3a| WTInstaller"; http_header; reference:url,doc.emergingthreats.net/2006393; classtype:trojan-activity; sid:2006393; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win-touch.com Spyware User-Agent (WinTouch)"; flow:established,to_server; content:"User-Agent|3a| WinTouch"; http_header; reference:url,doc.emergingthreats.net/2008141; classtype:trojan-activity; sid:2008141; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WinButler User-Agent (WinButler)"; flow:to_server,established; content:"User-Agent|3a| WinButler|0d 0a|"; http_header; reference:url,www.winbutler.com; reference:url,www.prevx.com/filenames/239975745155427649-0/WINBUTLER.EXE.html; reference:url,doc.emergingthreats.net/2008190; classtype:trojan-activity; sid:2008190; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winfixmaster.com Fake Anti-Spyware User-Agent (WinFixMaster)"; flow:to_server,established; content:"User-Agent|3a| WinFixMaster"; nocase; http_header; reference:url,doc.emergingthreats.net/2003544; classtype:trojan-activity; sid:2003544; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winsoftware.com Fake AV User-Agent (DNS Extractor)"; flow:to_server,established; content:"User-Agent|3a| DNS Extractor"; nocase; http_header; reference:url,doc.emergingthreats.net/2003567; classtype:trojan-activity; sid:2003567; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (Updater)"; flow:to_server,established; content:"User-Agent|3a| Updater|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2003470; classtype:trojan-activity; sid:2003470; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WinSoftware.com Spyware User-Agent (WinSoftware)"; flow:to_server,established; content:"User-Agent|3a| WinSoftware"; nocase; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation%2c%20Inc.%20(v)&threatid=90037; reference:url,doc.emergingthreats.net/2003527; classtype:trojan-activity; sid:2003527; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WinSoftware.com Spyware User-Agent (NetInstaller)"; flow:to_server,established; content:"User-Agent|3a| NetInstaller"; nocase; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation,%20Inc.%20(v)&threatid=90037; reference:url,doc.emergingthreats.net/2003528; classtype:trojan-activity; sid:2003528; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (XieHongWei-HttpDown/2.0)"; flow:to_server,established; content:"GET"; nocase; http_method; content:"User-Agent|3a| XieHongWei"; http_header; reference:url,doc.emergingthreats.net/2011248; classtype:trojan-activity; sid:2011248; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE XupiterToolbar Spyware User-Agent (XupiterToolbar)"; flow: to_server,established; content:"XupiterToolbar"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+XupiterToolbar/iH"; reference:url,castlecops.com/tk781-Xupitertoolbar_dll_t_dll.html; reference:url,doc.emergingthreats.net/2002071; classtype:trojan-activity; sid:2002071; rev:17; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Yodao Desktop Dict)"; flow:to_server,established; content:"User-Agent|3a| Yodao"; http_header; reference:url,doc.emergingthreats.net/2011123; classtype:trojan-activity; sid:2011123; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Spyware User-Agent (Hotbar)"; flow: established,to_server; content:"|3b| Hotbar"; http_header; pcre:"/User-Agent\:[^\n]+Hotbar/iH"; threshold: type limit, count 1, seconds 360, track by_src; reference:url,doc.emergingthreats.net/2001858; classtype:trojan-activity; sid:2001858; rev:29; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Spyware User-Agent (host)"; flow: to_server,established; content:"User-Agent|3a| host"; nocase; http_header; pcre:"/User-Agent\:[^\n]+host(ie|oe|oi|ol)/iH"; reference:url,www.doxdesk.com/parasite/Hotbar.html; reference:url,www.pchell.com/support/hotbar.shtml; reference:url,doc.emergingthreats.net/2002164; classtype:trojan-activity; sid:2002164; rev:13; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Zango Toolbar Spyware User Agent (ZangoToolbar )"; flow:to_server,established; content:"ZangoToolbar"; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a.+ZangoToolbar.+\r$/Hmi"; reference:url,doc.emergingthreats.net/2003365; classtype:trojan-activity; sid:2003365; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Tools Spyware User-Agent (hbtools)"; flow:to_server,established; content:"User-Agent|3a|"; http_header; content:"|3b| HbTools"; http_header; fast_pattern; within:80; reference:url,doc.emergingthreats.net/2003383; classtype:trojan-activity; sid:2003383; rev:12; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zango Seekmo Bar Spyware User-Agent (Seekmo Toolbar)"; flow:to_server,established; content:"Seekmo"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+Seekmo/iH"; threshold:type both, count 1, seconds 300, track by_src; classtype:trojan-activity; sid:2003397; rev:13; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zango Cash Spyware User-Agent (ZC-Bridgev26)"; flow:established,to_server; content:"User-Agent|3a| ZC-Bridgev"; http_header; reference:url,doc.emergingthreats.net/2006780; classtype:trojan-activity; sid:2006780; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zango Cash Spyware User-Agent (ZC XML-RPC C++ Client)"; flow:established,to_server; content:"User-Agent|3a| ZC XML-RPC"; http_header; reference:url,doc.emergingthreats.net/2006781; classtype:trojan-activity; sid:2006781; rev:37; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Agent User-Agent (PinballCorp)"; flow:to_server,established; content:"User-Agent|3a| PinballCorp"; nocase; http_header; reference:url,doc.emergingthreats.net/2011691; classtype:trojan-activity; sid:2011691; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ZenoSearch Spyware User-Agent"; flow:to_server,established; content:"User-Agent|3a| ["; http_header; pcre:"/User-Agent\: \[.*\][A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}/iH"; reference:url,doc.emergingthreats.net/2008279; classtype:trojan-activity; sid:2008279; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (gomtour)"; flow:to_server,established; content:"User-Agent|3a| gomtour|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011087; classtype:trojan-activity; sid:2011087; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (i-scan)"; flow:to_server,established; content:"User-Agent|3a| i-scan"; nocase; http_header; reference:url,doc.emergingthreats.net/2011105; classtype:trojan-activity; sid:2011105; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE iWon Spyware (iWonSearchAssistant)"; flow:to_server,established; content:"User-Agent|3a| iWonSearch"; http_header; reference:url,www.spywareguide.com/product_show.php?id=461; reference:url,doc.emergingthreats.net/2002169; classtype:trojan-activity; sid:2002169; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET MALWARE User-Agent (iexplore)"; flow:established,to_server; content:"User-Agent|3a| iexplore|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2000466; classtype:attempted-recon; sid:2000466; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE iwin.com Games/Spyware User-Agent (iWin GameInfo Installer Helper)"; flow:established,to_server; content:"User-Agent|3a| iWin "; http_header; reference:url,doc.emergingthreats.net/2008558; classtype:trojan-activity; sid:2008558; rev:6; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (lineguide)"; flow:to_server,established; content:"User-Agent|3a| lineguide"; nocase; http_header; reference:url,doc.emergingthreats.net/2011106; classtype:trojan-activity; sid:2011106; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Download UBAgent) - lop.com and other spyware"; flow:to_server,established; content:"Download UBAgent"; http_header; fast_pattern:only; reference:url,www.spywareinfo.com/articles/lop/; reference:url,doc.emergingthreats.net/2003345; classtype:trojan-activity; sid:2003345; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ZCOM Adware/Spyware User-Agent (ZCOM Software)"; flow:established,to_server; content:"User-Agent|3a| ZCOM"; http_header; classtype:policy-violation; sid:2008503; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MSIL.Amiricil.gen HTTP Checkin"; flow:established,to_server; content:"/registerSession.py?"; http_uri; nocase; content:"proj="; http_uri; nocase; content:"&country="; http_uri; nocase; content:"&lang="; http_uri; nocase; content:"&channel="; http_uri; nocase; content:"source="; http_uri; nocase; content:"User-Agent|3a| NSIS_Inetc (Mozilla)"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=af0bbdf6097233e8688c5429aa97bbed; reference:url,doc.emergingthreats.net/2011677; classtype:trojan-activity; sid:2011677; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Antispywaremaster.com/Privacyprotector.com Fake AV Checkin"; flow:established,to_server; content:"?action="; http_uri; content:"&pc_id="; http_uri; content:"&abbr="; fast_pattern:only; http_uri; content:"&err="; http_uri; reference:url,doc.emergingthreats.net/2008282; classtype:trojan-activity; sid:2008282; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Downloader Checkin - Downloads Rogue Adware "; flow:established,to_server; content:"GET"; nocase; http_method; content:"AreaID="; nocase; http_uri; content:"MediaID="; nocase; http_uri; content:"AdNo="; nocase; http_uri; content:"OriginalityID="; nocase; http_uri; content:"Url"; nocase; http_uri; content:"Mac="; nocase; http_uri; content:"Version="; nocase; http_uri; content:"ValidateCode="; nocase; http_uri; content:"ParentName="; nocase; http_uri; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2009526; classtype:trojan-activity; sid:2009526; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2010_07_30, updated_at 2017_09_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdWare.Win32.MWGuide checkin"; flow:established,to_server; content:"/sidebar_load.php?maddr="; http_uri; content:"ipaddr="; http_uri; content:"aff_id="; http_uri; reference:url,doc.emergingthreats.net/2008839; classtype:trojan-activity; sid:2008839; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdWare.Win32.MWGuide keepalive"; flow:established,to_server; content:"/alive.php?aff_id="; http_uri; reference:url,doc.emergingthreats.net/2008840; classtype:trojan-activity; sid:2008840; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sality Virus User Agent Detected (KUKU)"; flow:established,to_server; content:"User-Agent|3a| KUKU"; nocase; http_header; reference:url,doc.emergingthreats.net/2003636; classtype:trojan-activity; sid:2003636; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Trojan.FakeAV.SystemDefender Checkin"; flow:established,to_server; content:"GET"; depth:3; http_method; content:".php?"; nocase; http_uri; content:"action=stat&wmid="; nocase; http_uri; content:"&event="; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"&i1"; nocase; http_uri; content:"&i2"; nocase; http_uri; reference:url,doc.emergingthreats.net/2008732; reference:md5,4d1df7240837832853c8b87606f3dfc2; classtype:trojan-activity; sid:2008732; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Adware/Antivirus360 Config to client"; flow:established,to_client; content:"[InstallerIni]"; nocase; depth:300; content:"|0d 0a|Pid="; nocase; within:6; content:"|0d 0a|Product="; nocase; content:"|0d 0a|FID="; nocase; content:"|0d 0a|Title="; nocase; reference:url,doc.emergingthreats.net/2009809; classtype:trojan-activity; sid:2009809; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdWare.Win32.Yokbar User-Agent Detected (YOK Agent)"; flow:established,to_server; content:"User-Agent|3a| YOK Agent|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2008752; classtype:trojan-activity; sid:2008752; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2010_07_30, updated_at 2017_09_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdWare.Win32.Yokbar Checkin URL"; flow:established,to_server; content:"?p="; http_uri; content:"&v="; http_uri; content:"&m="; http_uri; content:"&d=200"; http_uri; content:"&x="; http_uri; content:"&t="; http_uri; reference:url,doc.emergingthreats.net/2008753; classtype:trojan-activity; sid:2008753; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Worm.Pyks HTTP C&C Traffic User-Agent (skw00001)"; flow:established,to_server; content:"User-Agent|3a| skw000"; http_header; reference:url,doc.emergingthreats.net/2003588; classtype:trojan-activity; sid:2003588; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE UPX encrypted file download possible malware"; flow:established,from_server; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|00|code|00|"; content:"|00 C0|text|00|"; reference:url,doc.emergingthreats.net/2001047; classtype:misc-activity; sid:2001047; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET MALWARE Inbound AlphaServer User-Agent (Powered By 64-Bit Alpha Processor)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 4.01|3b| Digital AlphaServer 1000A 4/233|3b| Windows NT|3b| Powered By 64-Bit Alpha Processor)"; http_header; nocase; fast_pattern:48,20; classtype:trojan-activity; sid:2011517; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Outbound AlphaServer User-Agent (Powered By 64-Bit Alpha Processor)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 4.01|3b| Digital AlphaServer 1000A 4/233|3b| Windows NT|3b| Powered By 64-Bit Alpha Processor)"; http_header; nocase; fast_pattern:48,20; classtype:trojan-activity; sid:2011518; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (browserbob.com)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 |28|compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1|3b| Made with www.browserbob.com|29|"; fast_pattern:68,20; http_header; classtype:trojan-activity; sid:2011279; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (TALWinInetHTTPClient)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| TALWinInetHTTPClient)|0d 0a|"; fast_pattern:17,20; http_header; classtype:trojan-activity; sid:2011283; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (GabPath)"; flow:to_server,established; content:"User-Agent|3a| GabPath"; http_header; classtype:trojan-activity; sid:2011293; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (KRMAK) Butterfly Bot download"; flow:to_server,established; content:"User-Agent|3a| KRMAK"; http_header; classtype:trojan-activity; sid:2011297; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (C\\WINDOWS\\system32\\NetLogom.exe)"; flow:established,to_server; content:"User-Agent|3a| C|3a 5c|WINDOWS|5c|system32|5c|NetLogom.exe"; http_header; classtype:bad-unknown; sid:2011334; rev:5; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE web shell detected"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|0d 0a 0d 0a|command="; fast_pattern; content:"&result="; within:12; classtype:trojan-activity; sid:2011391; rev:6; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (http-get-demo) Possible Reverse Web Shell"; flow:established,to_server; content:"User-Agent|3a| http-get-demo"; http_header; classtype:trojan-activity; sid:2011392; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Microsoft Internet Explorer 6.0) Possible Reverse Web Shell"; flow:established,to_server; content:"User-Agent|3a| Microsoft Internet Explorer 6.0"; http_header; classtype:trojan-activity; sid:2011393; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adware.Kraddare Checkin"; flow:established,to_server; content:".php?"; http_uri; content:"strID="; http_uri; content:"strPC="; http_uri; metadata: former_category TROJAN; classtype:trojan-activity; sid:2011492; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2010_09_28, updated_at 2017_09_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE HTML.Psyme.Gen Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/channel/channelCode.htm?"; nocase; http_uri; content:"pid="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=de1adb1df396863e7e3967271e7db734; classtype:trojan-activity; sid:2011856; rev:3; metadata:created_at 2010_10_26, updated_at 2010_10_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Gbot)"; flow:established,to_server; content:"User-Agent|3a| gbot"; http_header; classtype:trojan-activity; sid:2011872; rev:2; metadata:created_at 2010_10_29, updated_at 2010_10_29;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CryptMEN HTTP library purporting to be MSIE to PHP HTTP 1.0"; flow:established,to_server; content:"|20|HTTP/1.0|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; http_header; fast_pattern; content:"Host|3a 20|"; http_header; distance:0; content:!"Referer|3a 20|"; http_header; content:".php?"; nocase; http_uri; classtype:trojan-activity; sid:2011938; rev:2; metadata:created_at 2010_11_19, updated_at 2010_11_19;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CryptMEN HTTP library purporting to be MSIE to PHP HTTP 1.1"; flow:established,to_server; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; http_header; fast_pattern; content:"Host|3a 20|"; http_header; distance:0; content:!"Referer|3a 20|"; http_header; content:".php?"; nocase; http_uri; content:!"Connection|3a| "; http_header; classtype:trojan-activity; sid:2011939; rev:3; metadata:created_at 2010_11_19, updated_at 2010_11_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ASKTOOLBAR.DLL Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/toolbarv/askBarCfg?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"e="; http_uri; nocase; reference:url,threatexpert.com/report.aspx?md5=3f6413475b1466964498c8450de4062f; classtype:trojan-activity; sid:2012000; rev:3; metadata:created_at 2010_12_07, updated_at 2010_12_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (AdVantage)"; flow:established,to_server; content:"User-Agent|3A| AdVantage"; http_header; reference:url,www.siteadvisor.com/sites/config.poweredbyadvantage.com; classtype:trojan-activity; sid:2012104; rev:3; metadata:created_at 2011_12_27, updated_at 2011_12_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdVantage Malware URL Infection Report"; flow:established,to_server; content:"cfg_ver="; http_uri; nocase; content:"hwd="; http_uri; nocase; content:"campaign="; http_uri; nocase; content:"ver="; http_uri; nocase; reference:url,www.siteadvisor.com/sites/config.poweredbyadvantage.com; classtype:trojan-activity; sid:2012105; rev:2; metadata:created_at 2011_12_27, updated_at 2011_12_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (mrgud)"; flow:established,to_server; content:"User-Agent|3a| mrgud"; http_header; nocase; classtype:trojan-activity; sid:2012172; rev:3; metadata:created_at 2011_01_12, updated_at 2011_01_12;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Lookup of Malware Domain twothousands.cm Likely Infection"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|twothousands|02|cm"; fast_pattern; distance:0; nocase; classtype:misc-activity; sid:2012176; rev:1; metadata:created_at 2011_01_12, updated_at 2011_01_12;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Suspicious Russian Content-Language Ru Which May Be Malware Related"; flow:established,to_client; content:"Content-Language|3A| ru"; nocase; http_header; fast_pattern:only; classtype:misc-activity; sid:2012228; rev:1; metadata:created_at 2011_01_25, updated_at 2011_01_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Suspicious Chinese Content-Language zh-cn Which May be Malware Related"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; http_header; fast_pattern:only; classtype:misc-activity; sid:2012229; rev:5; metadata:created_at 2011_01_25, updated_at 2011_01_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (0xa10xa1HttpClient)"; flow:established,to_server; content:"User-Agent|3a 20 a1 a1|HttpClient|0d 0a|"; nocase; http_header; classtype:trojan-activity; sid:2012298; rev:3; metadata:created_at 2011_02_06, updated_at 2011_02_06;)

alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE All Numerical .cn Domain Likely Malware Related"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cn|00|"; distance:0; nocase; fast_pattern; content:!"|03|360"; distance:-8; within:4; pcre:"/\x00[\x02-\x1E][0-9]{2,30}\x02cn\x00/i"; classtype:misc-activity; sid:2012327; rev:4; metadata:created_at 2011_02_21, updated_at 2011_02_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE All Numerical .ru Domain Lookup Likely Malware Related"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ru|00|"; fast_pattern; distance:0; nocase; pcre:"/\x00[\x02-\x1E][0-9]{2,30}\x02ru\x00/i"; content:!"|03|101|02|ru"; content:!"|07|9366858|02|ru"; classtype:misc-activity; sid:2012328; rev:6; metadata:created_at 2011_02_21, updated_at 2011_02_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mozilla 3.0 and Indy Library User-Agent Likely Hostile"; flow:established,to_server; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; classtype:trojan-activity; sid:2012536; rev:2; metadata:created_at 2011_03_22, updated_at 2011_03_22;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malware PUTLINK Command Message"; flow:established,from_server; content:"CMD PUTLINK http|3A|//"; nocase; content:"Inject|3A|"; nocase; distance:0; classtype:trojan-activity; sid:2012615; rev:2; metadata:created_at 2011_03_31, updated_at 2011_03_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Lowercase mozilla/2.0 User-Agent Likely Malware"; flow:established,to_server; content:"User-Agent|3a 20|mozilla/2.0"; http_header; fast_pattern:11,12; reference:url,www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FCycbot.B; classtype:trojan-activity; sid:2012642; rev:5; metadata:created_at 2011_04_06, updated_at 2011_04_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE All Numerical .ru Domain HTTP Request Likely Malware Related"; flow:established,to_server; content:"Host|3a| "; http_header; content:".ru|0d 0a|"; within:25; http_header; fast_pattern; pcre:"/Host\x3A\x20[^a-z]*?[0-9]{2,30}\x2Eru\x0d\x0a/Hi"; content:!"101.ru"; http_header; content:!"9366858.ru"; http_header; metadata: former_category MALWARE; classtype:misc-activity; sid:2012649; rev:4; metadata:created_at 2011_04_08, updated_at 2017_06_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE overtls.com adware request"; flow:to_server,established; content:"/sidebar.asp?bn=0&qy="; http_uri; content:"EmbeddedWB"; http_header; classtype:trojan-activity; sid:2012693; rev:2; metadata:created_at 2011_04_19, updated_at 2011_04_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible FakeAV Binary Download"; flow:established,to_client; content:"filename=|22|"; http_header; nocase; content:"antiv"; fast_pattern; nocase; http_header; within:50; pcre:"/filename\x3D\x22[^\r\n]*antiv[^\n]+\.exe/Hi"; classtype:trojan-activity; sid:2012753; rev:3; metadata:created_at 2011_04_29, updated_at 2011_04_29;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent ASCII-hex-encoded"; flow:established,from_server; content:"ascii"; http_header; nocase; file_data; content:"4d5a"; within:4; nocase; reference:url,www.xanalysis.blogspot.com/2008/11/cve-2008-2992-adobe-pdf-exploitation.html; reference:url,www.threatexpert.com/report.aspx?md5=513077916da4e86827a6000b40db95d5; classtype:trojan-activity; sid:2012804; rev:3; metadata:created_at 2011_05_13, updated_at 2011_05_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Known Malicious User-Agent (x) Win32/Tracur.A or OneStep Adware Related"; flow:to_server,established; content:"User-Agent|3a| x|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-112613-5052-99&tabid=2; reference:url,doc.emergingthreats.net/2009987; classtype:trojan-activity; sid:2013017; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2011_06_13, updated_at 2017_09_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE RogueAntiSpyware.AntiVirusPro Checkin"; flow:established,to_server; content:"php?type=stats&affid="; http_uri; content:"&subid="; http_uri; content:"&version="; http_uri; content:"&adwareok"; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=8d1b47452307259f1e191e16ed23cd35; classtype:trojan-activity; sid:2013149; rev:1; metadata:created_at 2011_06_30, updated_at 2011_06_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sidetab or Related Trojan Checkin"; flow:established,to_server; content:"/install.asp?"; http_uri; content:"version="; http_uri; content:"&id="; http_uri; content:"&mac="; http_uri; content:".co.kr|0d 0a|"; http_header; classtype:trojan-activity; sid:2013182; rev:2; metadata:created_at 2011_07_04, updated_at 2011_07_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32.EZula Adware Reporting Successful Install"; flow:established,to_server; content:"/installer.cfc?res=success&hwid="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FEzula.F; classtype:trojan-activity; sid:2013195; rev:2; metadata:created_at 2011_07_05, updated_at 2011_07_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Unknown Malware patchlist.xml Request"; flow:established,to_server; content:"/update/patchlist.xml"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2013200; rev:1; metadata:created_at 2011_07_05, updated_at 2011_07_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SweetIM Install in Progress"; flow:established,to_server; content:"/download/install/silent/SSweetIMSetup.CIS"; nocase; http_uri; classtype:trojan-activity; sid:2013243; rev:1; metadata:created_at 2011_07_11, updated_at 2011_07_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zugo.com SearchToolbar User-Agent (SearchToolbar)"; flow:established,to_server; content:"User-Agent|3a| Search Toolbar"; http_header; reference:url,www.zugo.com/faq/; reference:url,plus.google.com/109412257237874861202/posts/FXL1y8qG7YF; classtype:trojan-activity; sid:2013333; rev:4; metadata:created_at 2011_07_28, updated_at 2011_07_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adrevmedia Related Media Manager Spyware Checkin"; flow:established,to_server; content:"User-Agent|3A| MM "; http_header; pcre:"/User-Agent\x3a MM \d\.\d+\x0d\x0a/H"; classtype:trojan-activity; sid:2013388; rev:3; metadata:created_at 2011_08_10, updated_at 2011_08_10;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware/CommonName Reporting"; flow:established,to_server; content:"/report.asp?TB="; http_uri; content:"&status="; http_uri; content:"&data="; http_uri; content:"&BABE="; http_uri; content:"&BATCH="; http_uri; content:"&UDT="; http_uri; content:"&GRP="; http_uri; classtype:trojan-activity; sid:2013389; rev:1; metadata:created_at 2011_08_10, updated_at 2011_08_10;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Baigoo User Agent"; flow:established,to_server; content:"User-Agent|3A 20|BaiGoo Agent"; http_header; classtype:trojan-activity; sid:2013405; rev:2; metadata:created_at 2011_08_11, updated_at 2011_08_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE HTTP Connection to go2000.cn - Common Malware Checkin Server"; flow:established,to_server; content:"go2000.cn"; nocase; http_header; pcre:"/Host\x3A[^\r\n]*go2000\x2Ecn/Hi"; reference:url,www.mywot.com/en/scorecard/go2000.cn; classtype:trojan-activity; sid:2013422; rev:1; metadata:created_at 2011_08_18, updated_at 2011_08_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfSideKick Activity (iinfo)"; flow:established,to_server; content:"/iinfo.htm?host="; http_uri; content:"&action=update"; http_uri; content:"&ver="; http_uri; content:"&bundle="; http_uri; content:"&client="; http_uri; content:"&bp_id="; http_uri; content:"&prmerr="; http_uri; content:"&ir="; http_uri; classtype:trojan-activity; sid:2013448; rev:4; metadata:created_at 2011_08_22, updated_at 2011_08_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (go-diva)"; flow:to_server,established; content:"User-Agent|3a| go-diva"; http_header; reference:url,pcthreat.com/parasitebyid-8835en.html; classtype:trojan-activity; sid:2013452; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_08_23, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Adware.Kraddare.FJ Checkin"; flow:to_server,established; content:".php?pi="; fast_pattern:only; http_uri; content:"&gu="; http_uri; content:"&ac="; http_uri; content:"User-Agent|3a| Mozilla/4.0(compatible|3b| MSIE 6.0)|0d 0a|"; http_header; classtype:trojan-activity; sid:2013540; rev:7; metadata:created_at 2011_09_06, updated_at 2011_09_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE UBar Trojan/Adware Checkin 1"; flow:established,to_server; content:"?gname="; http_uri; content:"&pid="; http_uri; content:"&m="; http_uri; content:" from|3a| http|3a|//www.bsalsa.com/ EmbeddedWB "; http_header; metadata: former_category TROJAN; reference:url,www.threatexpert.com/report.aspx?md5=81a119f7f47663c03053e76146f54fe9; classtype:trojan-activity; sid:2013556; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2011_09_09, updated_at 2017_09_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE UBar Trojan/Adware Checkin 2"; flow:established,to_server; content:"inst.php?"; http_uri; content:"pcode="; http_uri; content:"&ucode="; http_uri; content:" from|3a| http|3a|//www.bsalsa.com/ EmbeddedWB "; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013557; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2011_09_10, updated_at 2017_09_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE UBar Trojan/Adware Checkin 3"; flow:established,to_server; content:"size.php?"; http_uri; content:"file="; http_uri; content:" from|3a| http|3a|//www.bsalsa.com/ EmbeddedWB "; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013558; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2011_09_10, updated_at 2017_09_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zugo Toolbar Spyware/Adware download request"; flow:established,to_server; content:".exe?filename="; http_uri; content:"&dddno="; http_uri; fast_pattern; content:"&channel="; http_uri; content:"&go="; http_uri; reference:url,zugo.com/privacy-policy/; classtype:bad-unknown; sid:2013658; rev:1; metadata:created_at 2011_09_15, updated_at 2011_09_15;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware/Helpexpress User Agent HXLogOnly"; flow:established,to_server; content:"User-Agent|3A 20|HXLogOnly"; http_header; classtype:trojan-activity; sid:2013729; rev:1; metadata:created_at 2011_09_30, updated_at 2011_09_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Adware.Winggo.AB Checkin"; flow:established,to_server; content:"/LogProc.php?"; fast_pattern:only; http_uri; content:"mac="; http_uri; content:"mode="; http_uri; content:"&pCode="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=2700d3fcdd4b8a7c22788db1658d9163; reference:url,www.threatcenter.crdf.fr/?More&ID=46606&D=CRDF.Malware.Win32.PEx.Delphi.307674628; classtype:trojan-activity; sid:2013797; rev:4; metadata:created_at 2011_10_24, updated_at 2011_10_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 5217 (msg:"ET MALWARE W32/SmartPops Adware Outbound Off-Port MSSQL Communication"; flow:established,to_server; content:"S|00|M|00|A|00|R|00|T|00|P|00|O|00|P"; content:"D|00|B|00|_|00|S|00|M|00|A|00|R|00|T|00|P|00|O|00|P"; distance:0; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013956; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2011_11_23, updated_at 2017_09_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware-Win32/EoRezo Reporting"; flow:established,to_server;  content:"/advert/get"; nocase; http_uri; pcre:"/\/advert\/get(?:ads|kws)(?:\.cgi)?\?(?:d|[ex]_dp_)id=/Ui"; reference:url,threatexpert.com/report.aspx?md5=b5708efc8b478274df4b03d8b7dbbb26; classtype:trojan-activity; sid:2013983; rev:5; metadata:created_at 2011_12_02, updated_at 2011_12_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/SWInformer.B Checkin"; flow:to_server,established; content:"log.php?"; http_uri; content:"User-Agent|3a| FDMuiless|0d 0a|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=0f90568d86557d62f7d4e1c0f7167431; classtype:trojan-activity; sid:2014004; rev:3; metadata:created_at 2011_12_08, updated_at 2011_12_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Adware.Ibryte User-Agent (ic Windows NT 5.1 MSIE 6.0 Firefox/ Def)"; flow:established,to_server; content:"User-Agent|3A 20|ic Windows NT 5.1 MSIE 6.0 Firefox/ Def"; http_header; classtype:trojan-activity; sid:2013999; rev:1; metadata:created_at 2011_12_08, updated_at 2011_12_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Tool.InstallToolbar.24 Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/cr_confirm.asmx/GetXMLLog?"; nocase; http_uri; content:"TbId="; nocase; http_uri; content:"TUID="; nocase; http_uri; content:"Action_Type="; nocase; http_uri; reference:url,virustotal.com/file-scan/report.html?id=1439d4061659a8534435352274b72dc2fe03c3deeb84e32fc90d40380c35cab1-1322189076; classtype:trojan-activity; sid:2014060; rev:3; metadata:created_at 2012_01_02, updated_at 2012_01_02;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32-Adware.Hotclip.A Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/filetadak/app_check.php?"; nocase; http_uri; content:"kind="; nocase; http_uri; content:"pid=donkeys"; nocase; http_uri; reference:url,spydig.com/spyware-info/Win32-Adware-Hotclip-A.html; classtype:trojan-activity; sid:2014069; rev:3; metadata:created_at 2012_01_02, updated_at 2012_01_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware.Gen5 Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/cmd/report.php?"; nocase; http_uri; content:"PartnerId="; nocase; http_uri; content:"OfferId="; nocase; http_uri; content:"action="; nocase; http_uri; content:"program="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=90410d783f6321c8684ccb9ff0613a51; classtype:trojan-activity; sid:2014071; rev:3; metadata:created_at 2012_01_02, updated_at 2012_01_02;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/SmartTab PUP Install Activity"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ins_proc.asp?kind="; http_uri; fast_pattern; content:"&ist_yn="; http_uri; content:"&ptn_name="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=8eaf3b7b72a9af5a85d01b674653ccac; reference:url,camas.comodo.com/cgi-bin/submit?file=31c027c13105e23af64b1b02882fb2b8300fdf7f511bb4c63c71f9b09c75dd6c; classtype:trojan-activity; sid:2014117; rev:3; metadata:created_at 2012_01_12, updated_at 2012_01_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Eorezo-B Adware Checkin"; flow:established,to_server; content:"x-company|3a| "; http_header; content:"User-Agent|3A 20|EoAgence-"; http_header; reference:md5,6631bb8d95906decc7e6f7c51f6469e6; classtype:trojan-activity; sid:2014120; rev:3; metadata:created_at 2012_01_12, updated_at 2012_01_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/OpenCandy Adware Checkin"; flow:established,to_server; content:"clientv="; http_uri; content:"&cltzone="; http_uri; content:"&mstime="; http_uri; content:"&os="; http_uri; content:"&product_key="; http_uri; content:"opencandy.com"; fast_pattern; http_header; classtype:trojan-activity; sid:2014122; rev:2; metadata:created_at 2012_01_12, updated_at 2012_01_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Common Adware Library ISX User Agent Detected"; flow:established,to_server; content:"User-Agent|3A 20|ISX Download DLL"; fast_pattern:12,16; http_header; reference:url,www.dateiliste.com/d3files/tools/mphider/isxdl.htm; classtype:trojan-activity; sid:2014137; rev:2; metadata:created_at 2012_01_18, updated_at 2012_01_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdWare.Win32.Sushi.au Checkin"; flow:to_server,established; content:"/inst.php?"; http_uri; content:"User-Agent|3a| psi"; http_header; reference:md5,3aad2075e00d5169299a0a8889afa30b; reference:url,www.securelist.com/en/descriptions/24412036/not-a-virus%3aAdWare.Win32.Sushi.au; classtype:trojan-activity; sid:2014262; rev:3; metadata:created_at 2012_01_21, updated_at 2012_01_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Malicious ad_track.php file Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ad_track.php"; nocase; http_uri; content:"etekey="; nocase; http_uri; content:"track.ete.cn"; nocase; http_header; classtype:trojan-activity; sid:2014183; rev:3; metadata:created_at 2012_02_06, updated_at 2012_02_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/OpenTrio User-Agent (Open3)"; flow:established,to_server; content:"User-Agent|3A 20|Open3"; http_header; classtype:trojan-activity; sid:2014190; rev:1; metadata:created_at 2012_02_06, updated_at 2012_02_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/MediaGet Checkin"; flow:established,to_server; content:"<mediagetInstaller statVersion="; http_client_body; content:"mediagetIsAlreadyInstalled="; http_client_body; distance:0; classtype:trojan-activity; sid:2014192; rev:4; metadata:created_at 2012_02_06, updated_at 2012_02_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/GameplayLabs.Adware Installer Checkin"; flow:established,to_server; content:"/install.xml?pid="; http_uri; content:"gameplaylabs.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2014249; rev:3; metadata:created_at 2012_02_20, updated_at 2012_02_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/PlaySushi User-Agent"; flow:established,to_server; content:"User-Agent|3A 20|psi "; http_header; reference:md5,039815a7cb0b7ee52b753a9b79006f97; classtype:trojan-activity; sid:2014261; rev:1; metadata:created_at 2012_02_21, updated_at 2012_02_21;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Carder Card Checking Tool try2check.me SSL Certificate"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"try2check.me"; within:400; classtype:policy-violation; sid:2014286; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2012_02_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Carder Card Checking Tool try2check.me SSL Certificate on Off Port"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"try2check.me"; within:400; classtype:policy-violation; sid:2014287; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2012_02_27, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/GameVance Adware Checkin"; flow:established,to_server; content:"/inst.asp?d="; http_uri; content:"&cl="; http_uri; content:"&l="; http_uri; content:"&e="; http_uri; content:"&v="; http_uri; content:"&uid="; http_uri; content:"&time="; http_uri; content:"&win="; http_uri; content:"&ac="; http_uri; content:"&ti="; http_uri; content:"&xv="; http_uri; reference:md5,2609c78efbc325d1834e49553a9a9f89; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3aWin32/GameVance; classtype:trojan-activity; sid:2014339; rev:1; metadata:created_at 2012_03_08, updated_at 2012_03_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/GameVance Adware User Agent"; flow:established,to_server; content:"User-Agent|3a| zz_"; http_header; pcre:"/^User-Agent\x3a zz_[a-z0-9]{1,3}\s*[0-9]\.[0-9]{1,2}\.[0-9]{2,4}/Hmi"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3aWin32/GameVance; classtype:trojan-activity; sid:2014340; rev:4; metadata:created_at 2012_03_08, updated_at 2012_03_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE W32/MediaGet.Adware Installer Download"; flow:established,to_client; content:"Set-Cookie|3A 20 |MediagetDownloaderInfo=installer"; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; flowbits:isnotset,ET.Adobe.Site.Download; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=860182; reference:md5,39c1769c39f61dd2ec009de8374352c6; classtype:trojan-activity; sid:2014353; rev:4; metadata:created_at 2012_03_09, updated_at 2012_03_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/SoftonicDownloader.Adware User Agent"; flow:established,to_server; content:"User-Agent|3A 20|Softonic Downloader/"; http_header; reference:md5,1047b186bb2822dbb5907cd743069261; classtype:trojan-activity; sid:2014355; rev:2; metadata:created_at 2012_03_09, updated_at 2012_03_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/LoudMo.Adware Checkin"; flow:established,to_server; content:"/?aff="; http_uri; content:"Host|3A 20|www.gamebound.com"; http_header; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FLoudmo; reference:md5,fc06c613e83f0d3271beba4fdcda987f; classtype:trojan-activity; sid:2014400; rev:2; metadata:created_at 2012_03_19, updated_at 2012_03_19;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/PaPaPaEdge.Adware/Gambling Poker-Edge Checkin"; flow:established,to_server; content:"/xml_action.php?user="; http_uri; content:"&appid="; http_uri; content:"&hwid="; http_uri; content:"&id="; http_uri; content:".poker-edge.com|0d 0a|"; http_header; reference:md5,f9d226bf9807c72432050f7dcb396b06; classtype:trojan-activity; sid:2014403; rev:1; metadata:created_at 2012_03_19, updated_at 2012_03_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE BitCoinPlus Embedded site forcing visitors to mine BitCoins"; flow:established,from_server; file_data; content:"BitcoinPlusMiner("; fast_pattern:only; reference:url,www.bitcoinplus.com/miner/embeddable; reference:url,www.bitcoinplus.com/miner/whatsthis; classtype:bad-unknown; sid:2014535; rev:3; metadata:created_at 2012_04_09, updated_at 2012_04_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware/FakeAV.Kraddare Checkin UA"; flow:established,to_server; content:"pcsetup_"; http_header; pcre:"/User-Agent\x3a \w+pcsetup_\w+/H"; metadata: former_category TROJAN; reference:url,www.scumware.org/report/update.best-pc.co.kr; classtype:trojan-activity; sid:2014583; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2012_04_16, updated_at 2017_09_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Win32/Pdfjsc.XD Related Checkin (microsoft_predator_client header field)"; flow:established,to_server; content:"|0d 0a|microsoft_predator_client|0d 0a|"; nocase; reference:url,www.fourteenforty.jp/products/yarai/CVE2011-0609/; reference:url,www.kahusecurity.com/2011/apec-spearphish-2/; reference:md5,3d91d9df315ffeb9bb1c774452b3114b; classtype:bad-unknown; sid:2014584; rev:4; metadata:created_at 2012_04_16, updated_at 2012_04_16;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/GameVance User-Agent (aw v3)"; flow:established,to_server; content:"User-Agent|3A 20|aw v3"; http_header; classtype:trojan-activity; sid:2014606; rev:3; metadata:created_at 2012_04_17, updated_at 2012_04_17;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE W32/GameVance Adware Server Reponse To Client Checkin"; flow:established,to_client; file_data; content:"cfgint="; within:7; content:"cid="; within:30; content:"eus="; within:30; content:"esint="; within:30; content:"sc2dcnt="; within:30; content:"domfqcap="; within:30; content:"domtm="; within:30; content:"css="; within:30; classtype:trojan-activity; sid:2014605; rev:4; metadata:created_at 2012_04_17, updated_at 2012_04_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Dialer.Adultchat Checkin"; flow:established,to_server; content:"/getclientid.wnk?srv="; http_uri; content:"&ver="; http_uri; content:"&pin="; http_uri; content:"&OSInfo2="; http_uri; content:"&cinfo="; http_uri; content:"retryattempt="; http_uri; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FDluca.AN&ThreatID=-2147365813; reference:md5,fd2c949dc20b651a53326a3d571641ec; classtype:trojan-activity; sid:2014667; rev:1; metadata:created_at 2012_05_02, updated_at 2012_05_02;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Malicious file bitdefender_isecurity.exe download"; flow:established,to_server; content:"GET"; http_method; content:"/programas/bitdefender-internet-security/2011/bitdefender_isecurity.exe"; http_uri; nocase; reference:md5,283ae10839fff3e183193efde3e633eb; classtype:trojan-activity; sid:2014735; rev:2; metadata:created_at 2012_05_11, updated_at 2012_05_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32.Bublik.B/Birele/Variant.Kazy.66443 Checkin"; flow:established,to_server; urilen:12; content:"POST"; http_method; content:"/rdc/rnd.php"; http_uri; reference:md5,48352e3a034a95845864c0f6aad07d39; classtype:trojan-activity; sid:2014767; rev:5; metadata:created_at 2012_05_18, updated_at 2012_05_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PCMightyMax Agent PCMM.Installer"; flow:to_server; content:"User-Agent|3A 20|PCMM.Installer"; http_header; classtype:bad-unknown; sid:2014798; rev:1; metadata:created_at 2012_05_21, updated_at 2012_05_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Malicious pusk.exe download"; flow:established,to_server; content:"GET"; http_method; content:"/pusk.exe"; nocase; http_uri; reference:md5,eae75c0e34d11e6daef216cfc3fbbb04; classtype:trojan-activity; sid:2014810; rev:3; metadata:created_at 2012_05_25, updated_at 2012_05_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/OnlineGames Checkin"; flow:established,to_server; content:"/game"; http_uri; content:"/diary/item/"; http_uri; content:"User-Agent|3A| getURLDown|0D 0A|"; http_header; reference:md5,60763078b8860fd59a1d8bea2bf8900b; classtype:trojan-activity; sid:2015017; rev:3; metadata:created_at 2012_07_03, updated_at 2012_07_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/OnlineGames User Agent loadMM"; flow:established,to_server; content:"User-Agent|3A| loadMM|0D 0A|"; http_header; reference:md5,60763078b8860fd59a1d8bea2bf8900b; classtype:trojan-activity; sid:2015018; rev:1; metadata:created_at 2012_07_03, updated_at 2012_07_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Toolbar.CrossRider.A Checkin"; flow:to_server,established; content:".gif?action="; http_uri; content:"&browser="; http_uri; content:"&ver="; http_uri; content:"&bic="; fast_pattern:only; http_uri; content:"&app="; http_uri; content:"&appver="; http_uri; content:"&verifier="; http_uri; reference:md5,55668102739536c1b00bce9e02d8b587; classtype:trojan-activity; sid:2018301; rev:2; metadata:created_at 2012_10_05, updated_at 2012_10_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Loadmoney.A Checkin 1"; flow:established,to_server; content:"/get_xml?"; http_uri; fast_pattern; content:"User-Agent|3a| tiny-dl"; http_header; pcre:"/\/get_xml\?(?:file_id|stb)=/Ui"; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024250; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2012_12_19, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Loadmoney.A Checkin 2"; flow:established,to_server; content:"/download.php?id="; http_uri; fast_pattern; content:"&f="; http_uri; content:"User-Agent|3a| tiny-dl"; http_header; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024251; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2012_12_19, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE suspicious User-Agent (vb   wininet)"; flow:established,to_server; content:"User-Agent|3a 20|vb|20 20 20|wininet|0d 0a|"; http_header; classtype:bad-unknown; sid:2016069; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2012_12_20, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Eorezo.Adware CnC Beacon"; flow:established,to_server; content:"/cgi-bin/advert/settags?x_mode="; fast_pattern:8,20; http_uri; content:"&x_format="; http_uri; content:"&x_pub_id="; http_uri; content:"&tag="; http_uri; content:"User-Agent|3A| Mozilla/4.0  (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)"; http_header; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-061213-2441-99; classtype:trojan-activity; sid:2016546; rev:1; metadata:created_at 2013_03_06, updated_at 2013_03_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware.Win32/SProtector.A Client Checkin"; flow:established,to_server; content:"?data="; http_uri; content:"&version="; http_uri; distance:0; content:"User-Agent|3a| win32|0D 0A|"; http_header; fast_pattern:only; reference:md5,38f61d046e575971ed83c4f71accd132; classtype:trojan-activity; sid:2016780; rev:1; metadata:created_at 2013_04_22, updated_at 2013_04_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Loadmoney.A Checkin 3"; flow:to_server,established; content:"/get_download_xml_"; fast_pattern:only; http_uri; content:"?id="; http_uri; content:"User-Agent|3a| tiny-dl"; http_header; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024252; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2013_05_03, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdWare.MSIL.Solimba.b GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/dmr/access/"; http_uri; content:"User-Agent|3a| DownloadMR"; nocase; http_header; reference:url,virustotal.com/en/file/93236b781e147e3ac983be1374a5f807fabd27ee2b92e6d99e293a6eb070ac2b/analysis/; reference:md5,0da0d8e664f44400c19898b4c9e71456; classtype:trojan-activity; sid:2016905; rev:2; metadata:created_at 2013_05_21, updated_at 2013_05_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdWare.MSIL.Solimba.b POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/dmr/exception"; http_uri; content:"User-Agent|3a| DownloadMR"; nocase; http_header; reference:url,virustotal.com/en/file/93236b781e147e3ac983be1374a5f807fabd27ee2b92e6d99e293a6eb070ac2b/analysis/; reference:md5,0da0d8e664f44400c19898b4c9e71456; classtype:trojan-activity; sid:2016906; rev:2; metadata:created_at 2013_05_21, updated_at 2013_05_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent Smart-RTP"; flow: established,to_server; content:"User-Agent|3A| Smart-RTP"; nocase; http_header; reference:url,www.threatexpert.com/report.aspx?md5=a80f33c94c44556caa2ef46cd5eb863c; reference:url,www.drwebhk.com/en/virus_techinfo/Trojan.DownLoader8.25530.html; reference:md5,2b63ed542eb0e1a4547a2b6e91391dc0; classtype:trojan-activity; sid:2016915; rev:3; metadata:created_at 2013_05_22, updated_at 2013_05_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent Custom_56562_HttpClient/VER_STR_COMMA"; flow: established,to_server; content:"User-Agent|3A| Custom_56562_HttpClient/VER_STR_COMMA"; nocase; http_header; classtype:trojan-activity; sid:2016916; rev:2; metadata:created_at 2013_05_22, updated_at 2013_05_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware pricepeep Adware.Shopper.297"; flow: established,to_server; content:"GET"; nocase; http_method; content:"/logger/software/hit/"; nocase; http_uri; content:"/?v."; nocase; http_uri; reference:url,virustotal.com/en/file/1ea487b1507305f17a2cd2ab0dbcfac523419dbc27cde38e27cb5c4a8d3c9caf/analysis/; reference:url,lists.clean-mx.com/pipermail/viruswatch/20121222/037085.html; reference:md5,0564e603f9ed646553933cb0d271f906; classtype:trojan-activity; sid:2016917; rev:1; metadata:created_at 2013_05_22, updated_at 2013_05_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Loadmoney.A Checkin 4"; flow:to_server,established; content:"/get_file_info.php?id="; fast_pattern; http_uri; content:"User-Agent|3a| tiny-dl"; http_header; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024253; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2013_05_22, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware.Ezula Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/download/UVid.asp?"; fast_pattern:only; http_uri; reference:md5,dede600f1e78fd20e4515bea1f2bdf61; classtype:trojan-activity; sid:2016938; rev:2; metadata:created_at 2013_05_28, updated_at 2013_05_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware.Gamevance.AV Checkin"; flow:established,to_server; content:"/aj/"; http_uri; fast_pattern:only; content:".php?p="; http_uri; content:!"Referer|3a|"; http_header; reference:url,virustotal.com/en/file/21e04ef285d9df2876bab83dd91a8bd78ecdf0d47a8e4693e2ec1924f642bfc8/analysis/; reference:md5,0134997dff945fbfe62f343bcba782bc; classtype:trojan-activity; sid:2017136; rev:3; metadata:created_at 2013_07_11, updated_at 2013_07_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Crossrider Spyware Checkin"; flow:established,to_server; content:"/updater/"; http_uri; depth:9; content:"/update.json?rnd="; http_uri; distance:32; within:18; content:!"User-Agent"; http_header; classtype:trojan-activity; sid:2017196; rev:2; metadata:created_at 2013_07_25, updated_at 2013_07_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Loadmoney.A Checkin 6"; flow:to_server,established; content:"/get_xml?story="; fast_pattern:only; http_uri; content:"&file"; http_uri; content:"User-Agent|3a| Downloader"; http_header; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024254; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2013_09_11, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Loadmoney.A Checkin 7"; flow:to_server,established; content:"/info?story="; fast_pattern:only; http_uri; content:"&file="; http_uri; content:"User-Agent|3a| Downloader"; http_header; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024255; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2013_09_16, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Wajam.Adware Successful Install"; flow:established,to_server; content:"/wajam_install.exe?aid="; http_uri; content:"User-Agent|3A 20|NSIS_Inetc"; http_header; classtype:trojan-activity; sid:2017561; rev:3; metadata:created_at 2013_10_04, updated_at 2013_10_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Loadmoney.A Checkin 5"; flow:to_server,established; content:"/getspfile.php?id="; fast_pattern:only; http_uri; content:"User-Agent|3a| tiny-dl"; http_header; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024256; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2013_11_19, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE OptimizerPro Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/op?sid="; http_uri; content:"&dt="; http_uri; distance:0; content:"&gid="; http_uri; distance:0; reference:md5,d04a7f30c83290b86cac8d762dcc2df5; reference:md5,eba3a996f5b014b2d410f4bf32b8530b; classtype:trojan-activity; sid:2018742; rev:2; metadata:created_at 2013_12_11, updated_at 2013_12_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Linkular.Adware Successful Install Beacon"; flow:established,to_server; content:"/api/success/?s="; fast_pattern:only; http_uri; content:"&c="; http_uri; content:"&cv="; http_uri; content:"&context="; http_uri; content:"User-Agent|3A| NSIS_Inetc (Mozilla)"; http_header; reference:md5,7cc162a2ba136baaa38a9ccf46d97a06; classtype:trojan-activity; sid:2017880; rev:3; metadata:created_at 2013_12_17, updated_at 2013_12_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Linkular.Adware Icons.dat Second Stage Download"; flow:established,to_server; content:"/downloads/icons.dat"; fast_pattern:only; http_uri; content:"User-Agent|3A| NSIS_Inetc (Mozilla)"; http_header; reference:md5,7cc162a2ba136baaa38a9ccf46d97a06; classtype:trojan-activity; sid:2017881; rev:2; metadata:created_at 2013_12_17, updated_at 2013_12_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE GMUnpackerInstaller.A Checkin"; flow:to_server,established; content:"/new/rar.xml"; fast_pattern:only; nocase; http_uri; content:!"User-Agent|3a| "; nocase; http_header; reference:md5,43e89125ad40b18d22e01f997da8929a; classtype:trojan-activity; sid:2017892; rev:1; metadata:created_at 2013_12_19, updated_at 2013_12_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/InstallRex.Adware Initial CnC Beacon"; flow:established,to_server; content:"/?step_id="; http_uri; content:"&publisher_id="; http_uri; content:"&page_id="; http_uri; content:"&country_code="; http_uri; content:"&browser_id="; http_uri; content:"&download_id="; http_uri; content:"&hardware_id="; http_uri; reference:md5,9abbb5ea3f55b5182687db69af6cba66; classtype:trojan-activity; sid:2017911; rev:1; metadata:created_at 2014_12_30, updated_at 2014_12_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/InstallRex.Adware Report CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/?report_version="; http_uri; content:"data="; http_client_body; depth:5; reference:md5,9abbb5ea3f55b5182687db69af6cba66; classtype:trojan-activity; sid:2017912; rev:1; metadata:created_at 2014_12_30, updated_at 2014_12_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware.PUQD Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/debug/Version/"; fast_pattern:only; http_uri; content:"/trace/"; http_uri; pcre:"/^\/debug\/Version\/\d_\d_\d_\d\d{1,2}?\/trace\/(?:mostrarFailed(?:EndLoading|ReadyState)|Get(?:XmlDataRequisites|BinaryData)|(?:DownloadRequisites|down_)Finish|Re(?:cievedXml|adyState)|PreDownloadRequisites|EndLoading|UserAdmin|Start)$/U"; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept|3a|"; http_header; reference:md5,e44962d7dec79c09a767a1d3e8ce02d8; reference:url,www.virustotal.com/en/file/1a1ff0fc6af6f7922bae906728e1919957998157f3a0cf1f1a0d3292f0eecd85/analysis/; classtype:trojan-activity; sid:2017945; rev:2; metadata:created_at 2014_01_08, updated_at 2014_01_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Potentially Unwanted Application AirInstaller"; flow:to_server,established; urilen:>31; content:"GET"; http_method; content:"/launch/?c="; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"&m="; http_uri; content:"&l="; http_uri; content:"&b="; http_uri; content:"&sid="; http_uri; content:"&os="; http_uri; reference:md5,3eaaf0de35579e5af89ae3dd81d0c592; reference:md5,ac030896aad1b6b0eeb00952dee24c3f; classtype:trojan-activity; sid:2018095; rev:3; metadata:created_at 2014_01_13, updated_at 2014_01_13;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Downloader.NSIS.OutBrowse.b Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/Installer/Flow?pubid="; nocase; depth:22; http_uri; fast_pattern; content:"&distid="; distance:0; http_uri; content:"&productid="; distance:0; http_uri; content:"&subpubid="; distance:0; http_uri; content:"&campaignid="; distance:0; http_uri; content:"&networkid="; distance:0; http_uri; content:"&dfb="; distance:0; http_uri; content:"&os="; distance:0; http_uri; content:"&version="; distance:0; http_uri; content:"Chrome/18.0.1025.142 Safari/535.19|0d 0a|Host|3a|"; http_header; reference:md5,38eeed96ade6037dc299812eeadee164; reference:url,sophos.com/en-us/threat-center/threat-analyses/adware-and-puas/OutBrowse%20Revenyou/detailed-analysis.aspx; classtype:trojan-activity; sid:2018617; rev:4; metadata:created_at 2014_01_13, updated_at 2016_06_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BetterInstaller"; flow:to_server,established; content:"GET"; http_method; content:"?v="; http_uri; content:"&uid="; http_uri; content:"&muid="; http_uri; pcre:"/[a-f0-9]{32}\?v=/Ui"; reference:md5,efa0bed2695446eab679083a9f0f89c6; classtype:trojan-activity; sid:2018195; rev:3; metadata:created_at 2014_01_15, updated_at 2014_01_15;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent 100 non-printable char"; flow:to_server,established; content:"User-Agent|3a 20|"; pcre:"/^([\x7f-\xff]){100}/Ri"; reference:md5,176638536e926019e3e79370777d5e03; classtype:trojan-activity; sid:2017982; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2014_01_17, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/OutBrowse.G Variant Checkin"; flow:to_server,established; content:"/dmresources/instructions"; fast_pattern; http_uri; content:".dat"; http_uri; content:"|20|HTTP/1.0|0d 0a|"; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|NSISDL/1.2 (Mozilla)|0d 0a|"; http_header; reference:md5,d75055c45e2c5293c3e0fbffb299ea6d; reference:url,www.virustotal.com/en/file/95e0eaaee080f2c167464ed6da7e4b7a27937ac64fd3e1792a1aa84c1aed488e analysis/; classtype:trojan-activity; sid:2017992; rev:5; metadata:created_at 2014_01_20, updated_at 2014_01_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/BettrExperience.Adware Initial Checkin"; flow:established,to_server; content:"/updater/"; http_uri; content:"User-Agent|3A 20|UpdaterResponse"; http_header; fast_pattern:12,15; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:md5,b2651071fbd14bff5fb39bd90f447d27; classtype:trojan-activity; sid:2018024; rev:1; metadata:created_at 2014_01_27, updated_at 2014_01_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/BettrExperience.Adware POST Checkin"; flow:established,to_server; content:"POST"; content:"User-Agent|3A 20|UpdaterResponse"; http_header; fast_pattern:12,15; pcre:"/^\x2F[A-F0-9]{25,40}$/U"; reference:md5,b2651071fbd14bff5fb39bd90f447d27; classtype:trojan-activity; sid:2018025; rev:1; metadata:created_at 2014_01_27, updated_at 2014_01_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/BettrExperience.Adware Update Checkin"; flow:established,to_server; content:"/Check.ashx?"; depth:12; http_uri; content:"&e="; http_uri; content:"&n="; http_uri; content:"&mv="; http_uri; content:!"Referer|3a 20|"; reference:md5,b2651071fbd14bff5fb39bd90f447d27; classtype:trojan-activity; sid:2018026; rev:1; metadata:created_at 2014_01_27, updated_at 2014_01_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/AdLoad.Downloader Download"; flow:established,to_server; content:"/v"; http_uri; content:"&product_name="; http_uri; content:"&installer_file_name="; http_uri; pcre:"/\x2Fv[0-9]{3,4}[\x2F\x3F]/U"; reference:url,malwaretips.com/blogs/trojandownloader-win32-adload-da-virus/; classtype:trojan-activity; sid:2018048; rev:2; metadata:created_at 2014_01_31, updated_at 2014_01_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent EXE2"; flow: established,to_server; content:"User-Agent|3A| EXE2|0d 0a|"; nocase; http_header; reference:md5,112c6db4fb8a9aa18d0cc105662af5a4; classtype:trojan-activity; sid:2018049; rev:1; metadata:created_at 2014_01_31, updated_at 2014_01_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32.Magania"; flow: established,to_server; flowbits:set,EXE2; flowbits:noalert; content:"GET"; http_method; content:".txt"; http_uri; content:"User-Agent|3a| EXE2"; fast_pattern; nocase; http_header; content:!"Accept|3a| "; nocase; http_header; content:!"Referer|3a| "; nocase; http_header; content:!"Connection|3a| "; nocase; http_header; reference:md5,112c6db4fb8a9aa18d0cc105662af5a4; classtype:trojan-activity; sid:2018050; rev:2; metadata:created_at 2014_01_31, updated_at 2014_01_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent Mozi11a"; flow: established,to_server; content:"User-Agent|3A| Mozi11a|0d 0a|"; http_header; reference:md5,3cf3d4d5de51a8c37e11595159179571; classtype:trojan-activity; sid:2018051; rev:2; metadata:created_at 2014_01_31, updated_at 2014_01_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (gettingAnswer)"; flow: established,to_server; content:"User-Agent|3A| gettingAnswer"; nocase; http_header; reference:md5,c305a0af3fe84525a993130b7854e3e0; classtype:trojan-activity; sid:2018084; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2014_02_06, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Safekeeper.Adware CnC Beacon"; flow:established,to_server; content:"/app_version/solution/cfg/exn.php?pid="; http_uri; content:".dll|0D 0A|"; http_header; pcre:"/User-Agent\x3A\x20[^\r\n]*\x2Edll\x0D\x0A/H"; reference:md5,9a1c669203b5e9ebb68e2c2cfc964daa; classtype:trojan-activity; sid:2018099; rev:1; metadata:created_at 2014_02_10, updated_at 2014_02_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/InstallMonetizer.Adware Beacon 1"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3A| NSIS_Inetc (Mozilla)"; http_header; fast_pattern:12,20; content:"from="; http_client_body; depth:5; content:"&type="; http_client_body; distance:0; content:"&pubid="; http_client_body; distance:0; content:"&BundleVersionID="; http_client_body; distance:0;  classtype:trojan-activity; sid:2018148; rev:2; metadata:created_at 2014_02_17, updated_at 2014_02_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/InstallMonetizer.Adware Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3A| NSIS_Inetc (Mozilla)"; http_header; fast_pattern:12,20; content:"from="; http_client_body; depth:5; content:"&type="; http_client_body; distance:0; content:"&mode="; http_client_body; distance:0; content:"&subid="; http_client_body; distance:0; content:"&mid="; http_client_body; distance:0; classtype:trojan-activity; sid:2018149; rev:1; metadata:created_at 2014_02_17, updated_at 2014_02_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32.AdWare.iBryte.C Install "; flow:established,to_server; content:"/offers.json?version="; http_uri; content:"&pid=installer&ts="; http_uri; reference:md5,2fae46d1a71a893834a01ed3106b8036; classtype:trojan-activity; sid:2018197; rev:1; metadata:created_at 2014_02_28, updated_at 2014_02_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdWare.Win32.Yotoon.hs Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/product-am.php?id="; http_uri; fast_pattern:only; content:"&v="; http_uri; content:"&offer["; distance:0; http_uri; content:"User-Agent|3a 20|NSISDL/1.2 (Mozilla)"; http_header; content:!"Referer|3a|"; http_header; reference:md5,20c7226185ed7999e330a46d3501dccb; classtype:trojan-activity; sid:2018307; rev:2; metadata:created_at 2014_03_19, updated_at 2014_03_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Linkular.Adware Successful Install Beacon (2)"; flow:established,to_server; content:"/api/software/?s="; fast_pattern:only; http_uri; content:"&os="; http_uri; content:"&output="; http_uri; content:"&v="; http_uri; content:"&l="; http_uri; content:"&np="; http_uri; content:"&osv="; http_uri; content:"&b="; http_uri; content:"&bv="; http_uri; content:"&c="; http_uri; content:"&cv="; http_uri; reference:url,webroot.com/blog/2014/03/25/deceptive-ads-expose-users-adware-linkularwin32-speedupmypc-puas-potentially-unwanted-applications/; classtype:trojan-activity; sid:2018323; rev:2; metadata:created_at 2014_03_26, updated_at 2014_03_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SoundCloud Downloader Install Beacon"; flow:established,to_server; urilen:10; content:"POST"; http_method; content:"/index.php"; http_uri; content:"&OSversion="; http_client_body; content:"&Slv="; http_client_body; content:"&Sysid="; http_client_body; content:"&Sysid1="; http_client_body; content:"&admin="; http_client_body; content:"&browser="; http_client_body; content:"&exe="; http_client_body; content:"&ffver="; http_client_body; content:"&lang_DfltUser="; http_client_body; content:"&ver="; http_client_body; content:"&ts="; http_client_body; reference:url,blog.malwarebytes.org/online-security/2014/03/soundcloud-downloader-always-read-the-eulas/; reference:md5,2e20e446943ecd01d3a668083d81d1fc; classtype:trojan-activity; sid:2018324; rev:1; metadata:created_at 2014_03_26, updated_at 2014_03_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Amonetize.Downloader Executable Download Request"; flow:established,to_server; content:"GET"; http_method; content:"/bundle/"; http_uri; content:"/?p="; http_uri; content:"User-Agent|3A| zz_afi"; http_header; reference:md5,23246f740cffc0bd9eb5be2e7703568a; classtype:trojan-activity; sid:2018333; rev:2; metadata:created_at 2014_03_28, updated_at 2014_03_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/DownloadAdmin.Adware CnC Beacon"; flow:established,to_server; content:"/dl?gclid="; fast_pattern:only; http_uri; content:"&source="; http_uri; content:"&c="; http_uri; content:"&aid="; http_uri; content:"&bc="; http_uri; content:"&country="; http_uri; reference:url,malwaretips.com/blogs/remove-pup-downloadadmin-virus-removal-guide/; classtype:trojan-activity; sid:2018338; rev:2; metadata:created_at 2014_03_31, updated_at 2014_03_31;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/DownloadAdmin.Adware Executable Download Request"; flow:established,to_server; content:"/download/"; http_uri; content:"/dl?s="; fast_pattern:only; http_uri; content:"&c="; http_uri; content:"&brand="; http_uri; content:"&pid="; http_uri; content:"&aid="; http_uri; content:"&bc="; http_uri; content:"&country="; http_uri; content:"&cb="; http_uri; reference:url,malwaretips.com/blogs/remove-pup-downloadadmin-virus-removal-guide/; classtype:trojan-activity; sid:2018339; rev:2; metadata:created_at 2014_03_31, updated_at 2014_03_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/iBryte.Adware Affiliate Campaign Executable Download"; flow:established,to_server; content:"GET"; http_method; content:".exe?mode="; fast_pattern:only; http_uri; content:"&subid="; http_uri; content:"&filedescription="; http_uri; content:!"Referer|3a 20|"; http_header; reference:md5,65e5b8e84772f55d761a85bf53c14169; reference:md5,cfda690ebe7bccc5c3063487f6e54086; classtype:trojan-activity; sid:2018367; rev:5; metadata:created_at 2014_04_07, updated_at 2014_04_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/PullUpdate.Adware CnC Beacon"; flow:established,to_server; urilen:7; content:"POST"; http_method; content:"?v="; http_uri; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:!"|0d 0a|Accept"; http_header; content:!"User-Agent|3a 20|"; http_header; pcre:"/^\/[a-z]{2}\x3Fv\x3D[0-9]$/U"; reference:md5,129563c2ab034af094422db408d7d74f; classtype:trojan-activity; sid:2018368; rev:4; metadata:created_at 2014_04_07, updated_at 2014_04_07;)

#alert tcp $HOME_NET any -> 54.218.7.114 $HTTP_PORTS (msg:"ET MALWARE DomainIQ Check-in"; flow:established,to_server; content:"User-Agent|3a 20|NSISDL/1.2|20 28|Mozilla|29 0d 0a|"; http_header; fast_pattern:14,20; reference:md5,00699af9bb10af100563adbb767bcee0; classtype:trojan-activity; sid:2018458; rev:1; metadata:created_at 2014_05_09, updated_at 2014_05_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware.MultiInstaller"; flow:established, to_server; content:"GET"; http_method; content:"?s1="; http_uri; fast_pattern:only; pcre:"/^\/(?:info|entrance|start|debug)\?s1=[a-f0-9]{100,}$/U"; content:!"Referer|3a|"; http_header; reference:md5, 26973eeddb4781225b7c23d2d9cce996; reference:md5,a74b1602a50b9c7d3262e3f80a6a2e68; classtype:trojan-activity; sid:2018512; rev:4; metadata:created_at 2014_06_02, updated_at 2014_06_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP Win32/DownloadGuide.A"; flow:established, to_server; content:"POST"; http_method; content:"/1/dg/3"; http_uri; fast_pattern; content:"Content-Type|3a| application/json"; http_header; content:!"Referer|3a|"; http_header; content:"{|22|BuildId|22 3a|"; http_client_body; content:"|22|Campaign|22|"; http_client_body; content: "|22|TrackBackUrl|22|"; http_client_body; reference:md5,37b91123a58a48975770241445392aeb; classtype:trojan-activity; sid:2018513; rev:2; metadata:created_at 2014_06_02, updated_at 2014_06_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP Win32.SoftPulse Checkin"; flow: established, to_server; content:"POST"; http_method; content:"User-Agent|3a 20|NSIS_Inetc (Mozilla|29|"; http_header; content:"|7b 22|event_type|22 3a 22|SPidentifier|22 2c 20 22|environment|22 3a 22|"; depth:45; http_client_body; content:"|22|machine_ID|22 3a 22|"; distance:0; http_client_body; reference:md5,9aa08a2700074c7a8a81e49dc8396e00; reference:md5,50f1fc1085f18a25c09c08566fc1a457; classtype:trojan-activity; sid:2018557; rev:4; metadata:created_at 2014_06_11, updated_at 2014_06_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/RocketfuelNextUp.Adware CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/evt/?nexcb="; fast_pattern:only; http_uri; content:!"User-Agent|3A|"; http_header; content:"a="; http_client_body; depth:2; content:"&b="; http_client_body; distance:0; pcre:"/^\x2Fevt\x2F\x3Fnexcb\x3D[a-f0-9\x2D]{10,}$/U"; reference:md5,408e8969cd0abd153eab6696f8add363; classtype:trojan-activity; sid:2018565; rev:2; metadata:created_at 2014_06_16, updated_at 2014_06_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware.MultiInstaller checkin 2"; flow:established, to_server; content:"GET"; http_method; content:"/entrance?s1="; depth:13; http_uri; pcre:"/^\/entrance\?s1=[a-f0-9]{100,}$/Ui"; content:!"Referer|3a|"; http_header; reference:md5,c610d46d97c1b80f027f56d227a003f7; classtype:trojan-activity; sid:2018590; rev:1; metadata:created_at 2014_06_20, updated_at 2014_06_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP Optimizer Pro Adware Download"; flow:established,to_server; content:"GET"; http_method; content:"/OptimizerPro.exe"; nocase; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\/OptimizerPro\.exe$/Ui"; reference:url,malwr.com/analysis/NjdkMTczMDQ0MDQ0NGNmZWE0OTgzYTY2YzU5OGY2YmI/; classtype:trojan-activity; sid:2018743; rev:1; metadata:created_at 2014_07_21, updated_at 2014_07_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP Optimizer Pro Adware GET or POST to C2"; flow:established,to_server; content:"GET"; http_method; content:"/?q="; offset:4; depth:8; http_uri; content:"optpro"; http_header; fast_pattern:only; pcre:"/^\/(?:get|install)\/\?q=/U"; reference:url,malwr.com/analysis/NjdkMTczMDQ0MDQ0NGNmZWE0OTgzYTY2YzU5OGY2YmI/; classtype:trojan-activity; sid:2018744; rev:3; metadata:created_at 2014_07_21, updated_at 2014_07_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP Win32.SoftPulse Retrieving data"; flow:established,to_server; content:"GET"; http_method; content:"/maxpower-static/templates/"; depth:27; http_uri; content:!"Referer|3a|"; http_header; reference:md5,4aa02ca6a3f04cf445924a6d657d10e5; classtype:trojan-activity; sid:2019143; rev:3; metadata:created_at 2014_07_22, updated_at 2014_07_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/SearchSuite Install CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:23; content:"/install_statistics.php"; fast_pattern; http_uri; depth:23; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE|3B| Win32)"; http_header; content:"XML="; http_client_body; depth:4; content:!"Referer|3a|"; http_header; reference:md5,7203a56c3888e819c602e758fce823fa; reference:md5,77e33e8a53e2a0dbc06c921de9b71142; classtype:trojan-activity; sid:2018753; rev:1; metadata:created_at 2014_07_23, updated_at 2014_07_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/BrowseFox.H Checkin 2"; flow:established,to_server; content:"POST"; http_method; urilen:3; content:"/rs"; http_uri; content:"alpha="; http_client_body; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^alpha=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/P"; reference:md5,437a5cb57567c2691ce61a700682eab7; classtype:trojan-activity; sid:2018899; rev:2; metadata:created_at 2014_07_29, updated_at 2014_07_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MultiPlug.A checkin"; flow:to_server,established; content:"get/?ver="; http_uri; content:"&aid="; http_uri; distance:0; content:"&hid="; http_uri; distance:0; content:"&rid="; http_uri; distance:0; content:"&data="; http_uri; distance:0; content:"&report="; http_uri; distance:0; content:!"Referer|3a 20|"; http_header; pcre:"/^\/get\/\?ver=.+?\&aid=\d{8,12}\&hid=[a-f0-9]{15,17}&rid=\d{13}\&data=.*?&report=/U"; reference:md5,f9556acf36168414ad7d5650eeee7972; reference:md5,69e28b658520528a1473f51e62698c87; classtype:trojan-activity; sid:2018867; rev:1; metadata:created_at 2014_08_01, updated_at 2014_08_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Loadmoney.A Checkin 8"; flow:established,to_server; content:"GET"; http_method; content:"&chromeLog="; http_uri; fast_pattern; content:"&ffLog="; distance:0; http_uri; content:"&operaLog="; distance:0; http_uri; content:"&notAdmin="; distance:0; http_uri; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024257; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2014_08_05, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MAC/Conduit Component Download"; flow:established,to_server; content:"GET"; http_method; content:"/installer?dp="; http_uri; content:"&sdp="; http_uri; content:"&f="; http_uri; content:"&id="; http_uri; content:"&v="; http_uri; reference:url,blogs.cisco.com/security/kyle-and-stan/; classtype:trojan-activity; sid:2019144; rev:1; metadata:created_at 2014_09_09, updated_at 2014_09_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Stan Malvertising.Dropper CnC Beacon"; flow:established,to_server; urilen:>50; content:"GET"; http_method; content:"Proxy-Authorization|3A| Basic"; http_header; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:"Host|3A| stan|2E|"; http_header; fast_pattern:only; pcre:"/^\/[a-f0-9]{50,}$/U"; reference:url,blogs.cisco.com/security/kyle-and-stan/; classtype:trojan-activity; sid:2019145; rev:1; metadata:created_at 2014_09_09, updated_at 2014_09_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Kyle Malvertising.Dropper CnC Beacon"; flow:established,to_server; urilen:>50; content:"GET"; http_method; content:"Host|3A| kyle|2E|"; http_header; fast_pattern:only; pcre:"/^\/[\w-]{50,}$/U"; reference:url,blogs.cisco.com/security/kyle-and-stan/; classtype:trojan-activity; sid:2019156; rev:1; metadata:created_at 2014_09_10, updated_at 2014_09_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/SoftPulse.H Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:9; content:"/__dmp__/"; http_uri; fast_pattern:only; content:"data={"; depth:6; http_client_body; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; content:!"Referer|3a|"; http_header; reference:md5,6424fb3317b4be3d00e4d489122c9a48; classtype:trojan-activity; sid:2019228; rev:2; metadata:created_at 2014_09_24, updated_at 2014_09_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware.InstallCore.B Checkin"; flow:established,to_server; urilen:14<>17; content:"POST"; http_method; content:"/?pcrc="; fast_pattern:only; http_uri; content:!"Referer|3a 20|"; http_header; pcre:"/^\/\?pcrc=[0-9]{7,10}$/U"; content:"0A0Czut"; depth:7; http_client_body; reference:md5,d933bef7e1118b181add31eb5edc5c73; classtype:trojan-activity; sid:2019511; rev:4; metadata:created_at 2014_10_27, updated_at 2014_10_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/DealPly Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/pxl/"; http_uri; fast_pattern:only; content:"e=-1"; http_uri; content:"&c="; distance:0; http_uri; content:!"Referer|3a|"; http_header; reference:md5,c6ebffb418813ed68ac5ed9f51f83946; classtype:trojan-activity; sid:2019622; rev:1; metadata:created_at 2014_10_31, updated_at 2014_10_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP Win32/ELEX Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/v"; depth:2; http_uri; content:"?update"; http_uri; fast_pattern; distance:0; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\?update[0-9]?=[a-z]+/Ui"; reference:md5, 2fed7fe9d055ebb63897bc2c8996676d; reference:md5,e2fd0d2c44e96cab5017bb8a68ca92a6; classtype:trojan-activity; sid:2019779; rev:5; metadata:created_at 2014_11_24, updated_at 2014_11_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/CloudScout Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/QualityCheck/"; http_uri; fast_pattern; content:".php"; distance:0; http_uri; content:!"Referer|3a|"; http_header; content:"dp="; http_client_body; depth:3; content:"&sdp="; http_client_body; distance:0; content:"&a="; http_client_body; distance:0; pcre:"/\.php$/U"; reference:md5,c732b52b245444e3f568d372ce399911; classtype:trojan-activity; sid:2019780; rev:6; metadata:created_at 2014_11_24, updated_at 2016_05_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/DomaIQ Checkin"; flow:to_server,established; content:"POST"; http_method; content:"/index.php"; http_uri; content:"&OSversion="; http_client_body; content:"&Sysid="; http_client_body; content:"&Sysid1="; http_client_body; content:"&X64="; http_client_body; content:"&exe="; http_client_body; content:"&ffver="; http_client_body; content:"&lang_DfltSys="; http_client_body; content:"&lang_DfltUser="; http_client_body; reference:md5,9befc43d2019c5614e7372a16e3a5ce5; classtype:trojan-activity; sid:2019944; rev:2; metadata:created_at 2014_12_16, updated_at 2014_12_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP W32/DownloadGuide.D"; flow:established,to_server; content:"POST"; http_method; content:"/config-from-production"; http_uri; content:"{|22|os|22 3A 22|"; http_client_body; depth:7; content:"|22|lang|22 3A 22|"; http_client_body; distance:0; content:"|22|uid|22 3A 22|"; http_client_body; distance:0; content:"|22|prod|22 3A 22|"; http_client_body; distance:0; reference:md5,294752c7c4fcf4252a9e99bb4df7ff5c; classtype:trojan-activity; sid:2019974; rev:1; metadata:created_at 2014_12_18, updated_at 2014_12_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/iBryte.Adware Installer Download"; flow:established,to_server; content:"GET"; http_method; content:".exe?mode="; http_uri; content:"&sf="; http_uri; content:"&browser="; http_uri; content:"&useragent="; http_uri; content:!"Referer|3a|"; http_header; reference:md5,4c80e5f72a2ab8324b981e37b3b0e5d1; classtype:trojan-activity; sid:2020197; rev:3; metadata:created_at 2015_01_16, updated_at 2015_01_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP.Win32.BoBrowser User-Agent (LogEvents)"; flow:established,to_server; content:"User-Agent|3a 20|LogEvents|0d 0a|"; http_header; fast_pattern:12,11; reference:url,malwareprotectioncenter.com/2015/01/20/bobrowser; classtype:trojan-activity; sid:2020238; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP.Win32.BoBrowser User-Agent (VersionDwl)"; flow:established,to_server; content:"User-Agent|3a 20|VersionDwl|0d 0a|"; http_header; fast_pattern:12,12; reference:url,malwareprotectioncenter.com/2015/01/20/bobrowser; classtype:trojan-activity; sid:2020239; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP.Win32.BoBrowser User-Agent (BoBrowser)"; flow:established,to_server; content:"User-Agent|3a 20|"; http_header; content:" BoBrowser/"; http_header; distance:0; fast_pattern; threshold:type limit,track by_src,count 1,seconds 180; reference:url,malwareprotectioncenter.com/2015/01/20/bobrowser; classtype:trojan-activity; sid:2020240; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MultiPlug.J Checkin"; flow:established,to_server; urilen:>103; content:"/?q="; http_uri; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:!"POST"; http_method; pcre:"/^\/(?:[A-Za-z]+\d?\/)?\?q=(?=[a-z0-9+/]*[A-Z])(?=[A-Z0-9+/]*[a-z])(?=[A-Za-z0-9+/\x25]*\d)[A-Za-z0-9+/\x25]{100}/U"; content:!"map24.com|0d 0a|"; http_header; content:!"aptrk.com|0d 0a|"; http_header; content:!"Accept-"; http_header; pcre:"/^Accept\x3a\x20[^\r\n]+\r\nUser-Agent\x3a\x20[^\r\n]+\r\nHost\x3a\x20[^\r\n]+\r?$/Hi"; reference:md5,64482895a11d120a9f17ded96aa43cd3; reference:md5,a108ae58850e8f48428070d3193e5c11; classtype:trojan-activity; sid:2020422; rev:16; metadata:created_at 2015_02_13, updated_at 2016_07_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/MultiPlug.Adware Adfraud Traffic"; flow:established,to_server; content:"GET"; http_method; content:"/sync"; http_uri; depth:5; content:"/?rmbs="; within:8; http_uri; fast_pattern; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b| WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17|0d 0a|"; http_header; content:!"Referer|3A|"; http_header; reference:url,blogs.cisco.com/security/talos/bad-browser-plug-ins; classtype:trojan-activity; sid:2020457; rev:1; metadata:created_at 2015_02_17, updated_at 2015_02_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Loadmoney Checkin 1"; flow:established,to_server; content:"POST"; http_method; urilen:8; content:"/ppu.php"; http_uri; fast_pattern:only; content:"xml_req="; depth:8; http_client_body; content:"system"; distance:0; http_client_body; content:"os+version"; distance:0; http_client_body; metadata: former_category MALWARE; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024258; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2015_02_17, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/WinWrapper.Adware Initial Install Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/api.cgi?act="; http_uri; fast_pattern:only; content:"&appid="; http_uri; content:"&ts="; http_uri; content:"&dlip="; http_uri; content:"&dlid="; http_uri; content:"&proto="; http_uri; content:"User-Agent|3a 20|NSIS_Inetc (Mozilla|29 0d 0a|"; http_header; content:!"Referer|3a|"; http_header; reference:md5,2d71e44c02784d579fb4af18bbbeae6c; classtype:trojan-activity; sid:2020627; rev:2; metadata:created_at 2015_03_06, updated_at 2015_03_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MALWARE W32/WinWrapper.Adware POST CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/api.cgi?act="; http_uri; fast_pattern:only; content:"&appid="; http_uri; content:"&proto="; http_uri; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|WinWrapper|0d 0a|"; http_header; content:"{|22|appId|22 3a 22|"; http_client_body; content:"|22|uuId|22 3a 22|"; http_client_body; reference:md5,2d71e44c02784d579fb4af18bbbeae6c; classtype:trojan-activity; sid:2020628; rev:1; metadata:created_at 2015_03_06, updated_at 2015_03_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MALWARE W32/WinWrapper.Adware User-Agent"; flow:established,to_server; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|WinWrapper|0d 0a|"; http_header; reference:md5,2d71e44c02784d579fb4af18bbbeae6c; classtype:trojan-activity; sid:2020629; rev:1; metadata:created_at 2015_03_06, updated_at 2015_03_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Loadmoney Checkin 2"; flow:to_server,established; content:"POST"; http_method; urilen:12; content:"/launch_info"; http_uri; content:"User-Agent|3a 20|Downloader "; http_header; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024259; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2015_03_13, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Loadmoney User Agent"; flow:established,to_server; content:"User-Agent|3a 20|Downloader "; http_header; fast_pattern:12,11; pcre:"/^User-Agent\x3a Downloader \d\.\d\r?$/Hm"; metadata: former_category MALWARE; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024249; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2015_03_13, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Potentially Unwanted Application AirInstaller CnC Beacon"; flow:to_server,established; content:"GET"; http_method; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"/log/?"; http_uri; fast_pattern; content:"="; distance:1; within:1; http_uri; content:"&d="; distance:0; http_uri; content:"&o="; http_uri; content:"&r="; http_uri; content:"&s="; http_uri; content:"&t="; http_uri; pcre:"/^\/(?:[^\x2f]+\/)*log\/\?[bc]=/U"; reference:md5,e89ec5e8f89ee6ae4a6b65157c886614; classtype:trojan-activity; sid:2020701; rev:1; metadata:created_at 2015_03_16, updated_at 2015_03_16;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE AdWare.Win32.BetterSurf.b SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0b 2a|.tr553.com"; distance:1; within:12; threshold: type limit, track by_src, count 2, seconds 60; reference:md5,54c9288cbbf29062d6d873cba844645a; classtype:trojan-activity; sid:2020712; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_03_19, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image M2"; flow: established,from_server; content:"|0d 0a|Content-Type|3a 20|image/jpeg"; pcre:"/^(?:(?!\r?\n\r?\n).)*?\r?\n\r?\nMZ/Rs"; content:"!This program"; distance:0; fast_pattern; metadata: former_category MALWARE; classtype:trojan-activity; sid:2020757; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2015_03_26, performance_impact Low, updated_at 2017_12_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP Win32/AdWare.Sendori User-Agent"; flow:established,to_server; content:"User-Agent|3a 20|Sendori-Client"; http_header; fast_pattern:6,20; reference:url,isc.sans.edu/forums/diary/Suspect+Sendori+software/16466; reference:md5,aee8ddf3b36d60d33c571ee798b6bad6; classtype:trojan-activity; sid:2020881; rev:1; metadata:created_at 2015_04_08, updated_at 2015_04_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Loadmoney Checkin 3"; flow:established,to_server; content:"/get_json?"; http_uri; fast_pattern:only; content:"&name="; http_uri; content:"rnd="; http_uri; content:"User-Agent|3a 20|Downloader|20|"; http_header; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024261; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2015_04_09, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/PicColor Adware CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"?d="; http_uri; content:"&format=json"; http_uri; fast_pattern:only; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; pcre:"/&format=json$/U"; reference:md5,6b173406ffccaa6d0287b795f8de2073; classtype:trojan-activity; sid:2020948; rev:1; metadata:created_at 2015_04_20, updated_at 2015_04_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Softpulse PUP Install Failed Beacon"; flow:established,to_server; content:"GET"; http_method; content:"?sentry_version="; http_uri; content:"&sentry_client="; distance:0; http_uri; content:"&sentry_key=84ce05510b844b75acc37de959560a65&sentry_secret=1c9aa912021b4626a5b7a7e589cba678&sentry_data="; distance:0; http_uri; content:!"Referer|3a|"; http_header; reference:md5,bb9f26d52327979fb9b4d467408eba25; classtype:trojan-activity; sid:2021027; rev:1; metadata:created_at 2015_04_28, updated_at 2015_04_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Toolbar.Conduit.AG Checkin"; flow:to_server,established; urilen:1; content:"POST"; http_method; content:"User-Agent|3a 20|NSIS_Inetc (Mozilla|29 0d 0a|"; http_header; content:"postInstallReport"; http_client_body; fast_pattern; content:"machineId|22 3a 22|"; http_client_body; reference:md5,8fc00c6696268ae42411a5ebf9d2576f; classtype:trojan-activity; sid:2021094; rev:2; metadata:created_at 2015_05_13, updated_at 2015_05_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP.GigaClicks Checkin"; flow:to_server,established; content:"POST"; http_method; content:"/ver/"; http_uri; content:"/sid/"; http_uri; content:"instlog="; http_client_body; fast_pattern; content:!"User-Agent|3a|"; http_header; reference:md5,942fd71fb26b874502f3ba8546e6c164; classtype:trojan-activity; sid:2021099; rev:1; metadata:created_at 2015_05_15, updated_at 2015_05_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP Win32/Conduit.SearchProtect.O CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/?uid="; http_uri; content:"&affid="; distance:0; http_uri; content:"&inst_date="; distance:0; http_uri; fast_pattern; content:"&prod="; distance:0; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,525917c79e22fa9bc54da36b94437a46; classtype:trojan-activity; sid:2021173; rev:1; metadata:created_at 2015_05_29, updated_at 2015_05_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/DownloadAssistant.A PUP CnC"; flow:established,to_server; content:"POST"; http_method; content:"/v2/"; http_uri; depth:4; fast_pattern; content:"X-Crypto-Version|3A|"; http_header; content:!"User-Agent|3A|"; http_header; pcre:"/^\/v2\/(?:(?:(?:intro_impr|s)ession|l(?:aunch|og)|exit)/$|c(?:(?:dn_(?:success|check)|ancel)/$|lick/))/U"; reference:md5,a54f78d0fe6d1a1a09c22a71646c24b3; classtype:trojan-activity; sid:2021282; rev:1; metadata:created_at 2015_06_16, updated_at 2015_06_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP Win32/DownloadAssistant.A Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/launch/"; http_uri; content:"X-Crypto-Version|3a|"; http_header; fast_pattern; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/launch\/$/U"; reference:md5,62a4d32dcb1c495c5583488638452ff9; classtype:trojan-activity; sid:2021283; rev:4; metadata:created_at 2015_06_16, updated_at 2015_06_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP TheSZ AutoUpdate CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/update.php?p="; http_uri; fast_pattern:only; content:"&v="; http_uri; content:"&id="; distance:0; http_uri; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"User-Agent|3a 20|AutoUpdate|0d 0a|"; http_header; reference:md5,76e54deb6f81edd6b47c854c847d590d; classtype:trojan-activity; sid:2021401; rev:1; metadata:created_at 2015_07_10, updated_at 2015_07_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE OSX ADWARE/Mackeeper Checkin"; flow:established,to_server; content:"/landings/"; depth:10; http_uri; content:"Macintosh|3b|"; http_header; content:"Host|3a| mackeeper"; http_header; content:"ldrBrowser=|25|22Safari|25|22|3b|"; http_cookie; content:"ldrOs=|25|22Mac+OS+X|25|22|3b|"; http_cookie; classtype:trojan-activity; sid:2021548; rev:1; metadata:created_at 2015_07_29, updated_at 2015_07_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/DownloadAdmin.Adware User-Agent"; flow:established,to_server; content:"User-Agent|3a 20|Installer|28|ref=|5b|"; http_header; fast_pattern:7,20; content:"|3b|windows="; http_header; distance:0; content:"|3b|uac="; http_header; distance:0; content:"|3b|elevated="; http_header; distance:0; content:"|3b|dotnet="; http_header; distance:0; content:"|3b|startTime="; http_header; distance:0; content:"|3b|pid="; http_header; distance:0; classtype:trojan-activity; sid:2021564; rev:1; metadata:created_at 2015_07_31, updated_at 2015_07_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE DealPly Adware CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/?pcrc="; http_uri; depth:7; fast_pattern; content:"&v="; http_uri; pcre:"/^\/\?pcrc=\d+&v=[\d.]+$/U"; content:!"Referer|3a 20|"; http_header; reference:md5,a34236628ea04e10430e20ac2b9d7ad2; classtype:trojan-activity; sid:2021618; rev:3; metadata:created_at 2015_08_12, updated_at 2015_08_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE DealPly Adware CnC Beacon 2"; flow:established,to_server; content:"/?v="; http_uri; depth:4; content:"&pcrc="; http_uri; distance:0; content:"&LSVRDT="; http_uri; distance:0; fast_pattern; content:"&ty="; http_uri; distance:0; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2021619; rev:2; metadata:created_at 2015_08_12, updated_at 2015_08_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE DealPly Adware CnC Beacon 3"; flow:established,to_server; content:"POST"; http_method; content:"/?v="; http_uri; depth:4; content:"&pcrc="; http_uri; content:"&LUDT="; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; classtype:trojan-activity; sid:2021643; rev:1; metadata:created_at 2015_08_17, updated_at 2015_08_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUA Boxore User-Agent"; flow:to_server,established; content:"User-Agent|3a 20|BoxoreClent"; http_header; content:!"Referer|3a|"; http_header; reference:md5,5cb2e8a9b6935f228623c69f1b17669d; classtype:trojan-activity; sid:2021700; rev:1; metadata:created_at 2015_08_21, updated_at 2015_08_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Loadmoney Checkin 4"; flow:established,to_server; content:"/data_files="; depth:12; fast_pattern; http_uri; content:"&rnd="; distance:0; http_uri; content:"User-Agent|3a 20|Downloader 1"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; metadata: former_category MALWARE; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024262; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2015_08_24, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE OSX/Fake Flash Player Download Oct 20"; flow:established,to_server; content:"GET"; http_method; content:"/download/"; http_uri; content:"/FMP.dmg?download_browser="; distance:0; http_uri; fast_pattern; content:"&app_id="; http_uri; distance:0; content:"&campaign="; http_uri; distance:0; content:"&cargoType="; http_uri; distance:0; content:"&oname=FMP.dmg"; http_uri; distance:0; classtype:trojan-activity; sid:2021984; rev:1; metadata:created_at 2015_10_20, updated_at 2015_10_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PPI User-Agent (InstallCapital)"; flow:to_server,established; content:"User-Agent|3a 20|InstallCapital"; http_header; metadata: former_category TROJAN; reference:md5,a6a9e8b0432ad557245ac8ad2926ed7c; classtype:trojan-activity; sid:2022246; rev:2; metadata:created_at 2015_12_11, updated_at 2018_02_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE DealPly Adware CnC Beacon 4"; flow:established,to_server; content:"POST"; http_method; content:"/?v="; http_uri; depth:4; fast_pattern; content:"&pcrc="; http_uri; content:!"Referer|3a 20|"; http_header; content:!"Accept-"; http_header; pcre:"/^\/\?v=[\d.]+&pcrc=\d+$/U"; reference:md5,038da581f99c88a4ee6700de440a54ca; classtype:trojan-activity; sid:2022354; rev:1; metadata:created_at 2016_01_13, updated_at 2016_01_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/SmartTab PUP Install Activity 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/v"; http_uri; depth:2; content:".asp"; http_uri; content:"User-Agent|3a 20|Mozilla/3.0 (compatible|3b| Indy Library|29 0d 0a|"; http_header; fast_pattern:32,20; pcre:"/\/v\d\/[^.]+\.asp$/Ui"; reference:md5,84fcdf1cd6dc3ee71686835f9489752c; classtype:trojan-activity; sid:2022694; rev:1; metadata:created_at 2016_04_01, updated_at 2016_04_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE OSX/Adware.Pirrit CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".sh?do="; http_uri; content:"&d="; http_uri; content:"&inj="; http_uri; content:"&cl="; http_uri; content:"&cs="; http_uri; content:"&id="; http_uri; content:"&se="; http_uri; content:"User-Agent|3a 20|Mozilla/5.0|0d 0a|"; http_header; fast_pattern:5,20; content:!"Referer|3a|"; http_header; reference:url,go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf; reference:md5,85846678ad4dbff608f2e51bb0589a16; classtype:trojan-activity; sid:2022716; rev:1; metadata:created_at 2016_04_08, updated_at 2016_04_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE OSX/Adware.Pirrit CnC Activity 1"; flow:established,to_server; content:"GET"; http_method; content:"?mid="; http_uri; fast_pattern; content:"User-Agent|3a 20|curl/"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/(cld|update-effect)\?mid=[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}&(ct|st)=[a-z0-9]+$/Ui"; reference:url,go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf; reference:md5,85846678ad4dbff608f2e51bb0589a16; classtype:trojan-activity; sid:2022717; rev:1; metadata:created_at 2016_04_08, updated_at 2016_04_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE OSX/Adware.Pirrit CnC Activity 2"; flow:established,to_server; content:"POST"; http_method; content:!"."; http_uri; content:"User-Agent|3a 20|curl/"; http_header; content:"vs_mid="; http_client_body; depth:7; fast_pattern; content:"&br_mid="; http_client_body; content:"&event_type="; http_client_body; content:"diss URL"; http_client_body; nocase; content:!"Referer|3a|"; http_header; reference:url,go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf; reference:md5,85846678ad4dbff608f2e51bb0589a16; classtype:trojan-activity; sid:2022718; rev:1; metadata:created_at 2016_04_08, updated_at 2016_04_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE OSX/Adware.Pirrit Web Injects"; flow:established,to_server; content:"GET"; http_method; content:"/mu?id="; http_uri; fast_pattern; content:"&d="; http_uri; content:"&cl="; http_uri; pcre:"/\/mu\?id=[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}&d=[A-Za-z]+&cl=\d+$/Ui"; reference:url,go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf; reference:md5,85846678ad4dbff608f2e51bb0589a16; classtype:trojan-activity; sid:2022719; rev:1; metadata:created_at 2016_04_08, updated_at 2016_04_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Adware.Adposhel.A Checkin 3"; flow:established,to_server; content:"HEAD"; http_method; content:"/u/?"; depth:4; http_uri; fast_pattern; content:"&c="; http_uri; distance:0; content:"&r="; http_uri; distance:0; pcre:"/^\/u\/\?[a-z]=[a-zA-Z0-9_-]+&c=[a-zA-Z0-9_-]+&r=[0-9]{17,}$/U"; reference:url,blog.malwarebytes.org/cybercrime/2016/01/trojan-dnschanger-circumvents-powershell-restrictions/; classtype:trojan-activity; sid:2022722; rev:1; metadata:created_at 2016_04_11, updated_at 2016_04_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Adware.Adposhel.A Checkin 4"; flow:established,to_server; content:"POST"; http_method; content:"/u/"; depth:3; http_uri; fast_pattern; content:"Connection|3a| Close|0d 0a|"; nocase; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; content:!"Accept"; http_header; content:!"Referer|3a|"; nocase; http_header; content:"a="; depth:2; http_client_body; content:"&c="; http_client_body; distance:0; content:"&r="; http_client_body; distance:0; pcre:"/^a=[a-zA-Z0-9_-]+&c=[a-zA-Z0-9_-]+&h=[a-zA-Z0-9_-]+&r=[0-9]{15,}$/P"; reference:md5,3ea75d62966f8c52de16d7849eeb3691; classtype:trojan-activity; sid:2022723; rev:1; metadata:created_at 2016_04_11, updated_at 2016_04_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/InstallCore Initial Install Activity 1"; flow:established,to_server; content:"POST"; http_method; content:"/?v="; depth:4; http_uri; content:"&subver="; fast_pattern; distance:0; http_uri; content:"&pcrc="; distance:0; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^\/\?v=[\d\.]{3,4}&subver=[\d\.]{4,5}&pcrc=\d+$/U"; reference:md5,0a6a0baf77b80706cab665754ecadac9; classtype:trojan-activity; sid:2022807; rev:2; metadata:created_at 2016_05_16, updated_at 2016_05_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Successful QuizScope Installation"; flow:established,to_server; content:"GET"; http_method; content:"/qscope/ithankyou"; depth:17; fast_pattern; http_uri; reference:md5,4dae2a394b792c36936a88cfc296f9b9; classtype:trojan-activity; sid:2022812; rev:1; metadata:created_at 2016_05_17, updated_at 2016_05_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SearchProtect PUA User-Agent Observed"; flow:established,to_server; content:"User-Agent|3a 20|SearchProtect|3b|"; fast_pattern; http_header; reference:md5,34e2350c2ed6a9a9e9d444102ae4dd87; classtype:trojan-activity; sid:2022813; rev:1; metadata:created_at 2016_05_17, updated_at 2016_05_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Conduit Trovi Adware/PUA"; flow:established,to_server; content:"GET"; http_method; content:"/?gd="; http_uri; depth:5; fast_pattern; content:"&ctid="; http_uri; distance:0; content:"&octid="; http_uri; distance:0; content:"&SSPV="; http_uri; distance:0; reference:md5,069ce8c2a553f9bc5a9599d7541943ce; classtype:trojan-activity; sid:2022814; rev:1; metadata:created_at 2016_05_17, updated_at 2016_05_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE InstallCore PUA/Adware Activity M1"; flow:established,to_server; content:"/gettrk_l?partner="; depth:18; http_uri; content:"User-Agent|3a 20|WinHTTP/1.0|0d 0a|"; http_header; fast_pattern; classtype:trojan-activity; sid:2022821; rev:1; metadata:created_at 2016_05_18, updated_at 2016_05_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE InstallCore PUA/Adware Activity M2"; flow:established,to_server; content:"/install-report?"; http_uri; content:"User-Agent|3a 20|WinHTTP/1.0|0d 0a|"; http_header; fast_pattern; classtype:trojan-activity; sid:2022822; rev:1; metadata:created_at 2016_05_18, updated_at 2016_05_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE InstallCore PUA/Adware Activity M3"; flow:established,to_server; content:"/event-report?"; http_uri; content:"User-Agent|3a 20|WinHTTP/1.0|0d 0a|"; http_header; fast_pattern; classtype:trojan-activity; sid:2022823; rev:1; metadata:created_at 2016_05_18, updated_at 2016_05_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE InstallCore PUA/Adware Activity M4"; flow:established,to_server; content:"?type=off"; http_uri; content:"&topic="; http_uri; distance:0; content:"User-Agent|3a 20|WinHTTP/1.0|0d 0a|"; http_header; fast_pattern; classtype:trojan-activity; sid:2022824; rev:1; metadata:created_at 2016_05_18, updated_at 2016_05_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Toolbar User-Agent (BrandThunderHelper)"; flow:established,to_server; content:"User-Agent|3a 20|BrandThunderHelper|0d 0a|"; http_header; fast_pattern; classtype:trojan-activity; sid:2022825; rev:2; metadata:created_at 2016_05_18, updated_at 2016_05_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Toolbar.WIDGI User-Agent (WidgiToolbar-)"; flow:to_server,established; content:"POST"; http_method; nocase; content:"User-Agent|3a 20|WidgiToolbar-"; http_header; reference:md5,1785f9784cb4e7400ed6f2c8f0e421c2; classtype:trojan-activity; sid:2022826; rev:2; metadata:created_at 2016_05_18, updated_at 2016_05_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP/DriverRestore Sending System Information to Affiliate"; flow:established,to_server; content:".jsp?leadTrackerId="; http_uri; content:"|22|ComputerName|22|"; http_uri; distance:0; content:"|22|UserName|22|"; http_uri; distance:0; content:"|22|IsAdmin|22|"; http_uri; distance:0; content:"User-Agent|3a 20|DriverRestore/"; http_header; fast_pattern:6,20; content:!"Referer|3a 20|"; http_header; reference:md5,4f7f497668e3e716a6f4a53af0924a25; classtype:trojan-activity; sid:2022827; rev:1; metadata:created_at 2016_05_18, updated_at 2016_05_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PCAcceleratePro PUA/Adware User-Agent"; flow:established,to_server; content:"User-Agent|3a 20|PCAcceleratePro|0d 0a|"; http_header; fast_pattern; classtype:trojan-activity; sid:2022828; rev:1; metadata:created_at 2016_05_18, updated_at 2016_05_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TopTools PUP Install Activity"; flow:established,to_server; content:"POST"; http_method; content:"_install.cgi"; http_uri; content:"User-Agent|3a 20|BIDUI18N|0d 0a|"; http_header; content:"name=|22|ufile01|22 3b 20|filename=|22|boundary|22|"; http_client_body; fast_pattern; content:"Content-Type|3a 20|application/octet-stream"; http_client_body; distance:0; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; reference:md5,3e464cff8690c7a2f57542688a278c62; classtype:trojan-activity; sid:2022829; rev:1; metadata:created_at 2016_05_19, updated_at 2016_05_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Hadsruda!bit Adware/PUA Installation Activity"; flow:to_server,established; content:"GET"; http_method; content:"?alpha="; http_uri; content:"User-Agent|3a 20|NSIS_Inetc"; http_header; fast_pattern; pcre:"/\?alpha=(?:[A-Za-z0-9/+]{4})*(?:[A-Za-z0-9/+]{2}==|[A-Za-z0-9/+]{3}=|[A-Za-z0-9/+]{4})/U"; reference:md5,6b58b3eb9bbb0f7297a2e36e615506d3; classtype:trojan-activity; sid:2022850; rev:1; metadata:created_at 2016_06_02, updated_at 2016_06_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MSIL/Adload.AT Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/impression.do"; http_uri; fast_pattern; content:"source="; http_uri; content:"&event="; http_uri; content:"&implementation_id="; http_uri; content:"user_id="; http_uri; content:"&useragent="; http_uri; content:"&sgn="; http_uri; content:"&subid2="; http_uri; content:"&ts="; http_uri; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; metadata: former_category MALWARE; reference:md5,d15069e44ec849ab26bcefffe6867f10; reference:md5,4ececc2f027a096c2100ec1125d0d151; classtype:trojan-activity; sid:2022893; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Adware, signature_severity Major, created_at 2016_06_13, malware_family MSIL_Adload, updated_at 2018_06_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE LoadMoney Checkin 5"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a 20|Downloader|20|"; http_header; content:"|0a|Content-Disposition|3a 20|form-data|3b 20|name=|22|data|22 0d 0a|"; http_client_body; pcre:"/^User-Agent\x3a Downloader\s\d+\.\d+$/Hm"; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2022987; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2016_07_27, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Malicious Chrome Extension"; flow:established,to_server; content:"page?url="; http_uri; fast_pattern; content:"/user/"; http_uri; content:"iframe="; http_uri; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2023015; rev:1; metadata:affected_product Web_Browser_Plugins, affected_product Google_Chrome, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_05, performance_impact Low, updated_at 2016_08_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MultiPlug.J Checkin"; flow:established,to_server; urilen:>103; content:"/?q="; http_uri; fast_pattern; depth:4; content:!"Referer|3a 20|"; http_header; content:"GET"; http_method; content:"+"; http_raw_uri; pcre:"/^\/(?:[A-Za-z]+\d?\/)?\?q=(?=[a-z0-9+/]*[A-Z])(?=[A-Z0-9+/]*[a-z])(?=[A-Za-z0-9+/\x25]*\d)[A-Za-z0-9+/\x25]{100}/U"; content:!"map24.com|0d 0a|"; http_header; content:!"aptrk.com|0d 0a|"; http_header; content:!"Accept-"; http_header; pcre:"/^Accept\x3a\x20[^\r\n]+\r\nUser-Agent\x3a\x20[^\r\n]+\r\nHost\x3a\x20[^\r\n]+\r\n\r?$/H"; reference:md5,6b95ddc5238cc0576db7b206af13339e; classtype:trojan-activity; sid:2023707; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_09, malware_family PUA, performance_impact Low, updated_at 2017_01_09;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image M3"; flow: established,from_server; content:"|0d 0a|Content-Type|3a| image/png"; pcre:"/^(?:(?!\r?\n\r?\n).)*?\r?\n\r?\nMZ/Rs"; content:"!This program"; distance:0; fast_pattern; metadata: former_category MALWARE; classtype:trojan-activity; sid:2023750; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_19, performance_impact Low, updated_at 2017_12_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32.LoadMoney User Agent"; flow:established,to_server; content:"User-Agent|3a 20|Downloader "; http_header; fast_pattern:12,11; pcre:"/^User-Agent\x3a Downloader \d\.\d\r?$/Hm"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024260; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2017_04_27, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/LoadMoney Adware Activity"; flow:to_server,established; content:"POST"; http_method; content:".htm?v="; http_uri; fast_pattern; content:"&eh="; distance:0; http_uri; content:"&ts="; distance:0; http_uri; content:"&u2="; distance:0; http_uri; content:"Cookie|3a 20|a=h+"; content:!"Referer|3a 20|"; http_header; flowbits:set,ETPTadmoney; metadata: former_category MALWARE; reference:md5,681501695c12112aaf2129ab614481bd; reference:md5,1282b899c41b06dac0adb17e0e603d30; classtype:trojan-activity; sid:2024693; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_12, malware_family Neshta, performance_impact Low, updated_at 2017_09_11;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE InstallCore Variant CnC Checkin"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"Accept|3a 20 2a 2f 2a 0d 0a|"; http_header; content:"|7c|"; http_client_body; depth:40; content:"POST|20|/|20|HTTP/1.1|0d 0a|Accept|3a 20 2a 2f 2a 0d 0a|Host|3a|"; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x7c/P"; metadata: former_category MALWARE; reference:md5,42374945061c7941d6690793ae393d3a; classtype:trojan-activity; sid:2024428; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_26, performance_impact Moderate, updated_at 2017_09_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ProxyGearPro Proxy Tool PUA"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent|3a 20|Proxy|20|Gear|20|Pro/"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; metadata: former_category MALWARE; reference:md5,b8889db7b4ef74c9302c12781a92a23a; classtype:policy-violation; sid:2024484; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_20, performance_impact Moderate, updated_at 2017_07_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Adware/Rukometa(LoadMoney) Fake PNG File"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"|89 50 4e 47 0d 0a 1a 0a|"; depth:8; byte_jump:2,8,from_beginning,little; isdataat:20,relative; isdataat:!21,relative; content:!"IHDR"; offset:12;depth:4; flowbits:isset,ETPTadmoney; metadata: former_category MALWARE; classtype:trojan-activity; sid:2024699; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internet, signature_severity Major, created_at 2017_09_11, performance_impact Moderate, updated_at 2017_09_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Malicious Chrome Ext. DNS Query For Adware CnC (startupfraction)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|startupfraction|03|com"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:trojan-activity; sid:2024722; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_19, performance_impact Low, updated_at 2017_09_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Malicious Chrome Ext. DNS Query For Adware CnC (search.feedvertizus)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|search|0c|feedvertizus|03|com"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:trojan-activity; sid:2024723; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_19, performance_impact Low, updated_at 2017_09_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Malicious Chrome Ext. DNS Query For Adware CnC (go.querymo)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|go|07|querymo|03|com"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:trojan-activity; sid:2024724; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_19, performance_impact Low, updated_at 2017_09_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Malicious Chrome Ext. DNS Query For Adware CnC (opurie)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|opurie|03|com"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:trojan-activity; sid:2024725; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_19, performance_impact Low, updated_at 2017_09_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Malicious Adware Chrome Extension Detected (1)"; flow:to_server,established; content:"/hostedsearch?"; http_uri; fast_pattern; content:"subid"; distance:0; http_uri; content:"&keyword="; distance:0; http_uri; content:"User-Agent|3a 20|"; http_header; content:"Upgrade-Insecure-Requests|3a 20|"; http_header; content:"Accept"; http_header; content:"Connection|3a 20|"; http_header; metadata: former_category TROJAN; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:trojan-activity; sid:2024726; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_19, performance_impact Low, updated_at 2017_09_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Malicious Adware Chrome Extension Detected (2)"; flow:to_server,established; content:"/?keyword="; http_uri; fast_pattern; content:"&id="; distance:0; http_uri; content:"&sysid="; distance:0; http_uri; content:"User-Agent|3a 20|"; http_header; content:"Upgrade-Insecure-Requests|3a 20|"; http_header; content:"Accept"; http_header; content:"Connection|3a 20|"; http_header; metadata: former_category TROJAN; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:trojan-activity; sid:2024727; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_19, performance_impact Low, updated_at 2017_09_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] WebToolbar.Win32.Searchbar.k HTTP JSON Artifact"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"|7b 22|lib_version|22 3a 22|"; depth:16; content:"|22 2c 22|lib_url|22 3a 22|"; distance:0; fast_pattern; content:"|22 2c 22|bin_version|22 3a 22|"; distance:0; content:"|22 2c 22|bin_url|22 3a 22|"; distance:0; metadata: former_category MALWARE; reference:url,blog.malwarebytes.com/detections/adware-searchgo/; classtype:trojan-activity; sid:2024761; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_22, performance_impact Low, updated_at 2017_09_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE [PTsecurity] Adware.SearchGo (start_page)"; flow:established,to_server; urilen: >100; content:"/%f3%07%27%f6%46%d3"; http_raw_uri; depth:19; content:"GET"; http_method; content:"User-Agent|3a 20|start_page"; http_header; fast_pattern; content:!"Content-Length|3a|"; http_header; content:!"Content-Type|3a|"; http_header; content:!"Accept-Encoding|3a|"; http_header; content:!"Referer|3a|"; http_header; metadata: former_category MALWARE; reference:url,blog.malwarebytes.com/detections/adware-searchgo/; classtype:trojan-activity; sid:2024762; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_22, malware_family Searchgo, performance_impact Low, updated_at 2017_09_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE [PTsecurity] DeathBot.Java (Minecraft Spambot)"; flow:established, to_server; dsize:<256; content:"|00 00 00|"; depth:3; content:"|01 78 9c|"; distance:1; within:3; fast_pattern; byte_jump:1,3,from_beginning,post_offset 2; isdataat:1, relative;  isdataat:!2,relative; threshold:type limit, track by_src, count 1, seconds 30; metadata: former_category MALWARE; classtype:misc-activity; sid:2024793; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_02, malware_family Spambot, performance_impact Moderate, updated_at 2017_10_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Java.Deathbot Requesting Proxies"; flow:established,to_server; content:"GET"; http_method; content:"/Socks"; http_uri; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:!"Accept-"; http_header; content:"User-Agent|3a 20|Java/1."; http_header; pcre:"/\/Socks[45]\.txt$/U"; metadata: former_category MALWARE; classtype:trojan-activity; sid:2024794; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_02, malware_family Spambot, updated_at 2017_10_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE [PTsecurity] Adware.FileFinder Activity"; flow:established, to_server; content:"POST"; http_method; content:"/?i="; http_uri; content:"Content-Type|3a| application/x-www-form-urlencoded"; http_header; content:!"Accept-Encoding|3a|"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"report=AAA"; http_client_body; depth:20; fast_pattern; threshold:type limit, track by_src, count 1, seconds 30; metadata: former_category MALWARE; classtype:trojan-activity; sid:2024904; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_10_23, performance_impact Moderate, updated_at 2017_10_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Adware.Adposhel.A Checkin 5"; flow:established,to_server; content:"POST"; http_method; content:"/q/"; depth:3; http_uri; fast_pattern; content:"Connection|3a| Close|0d 0a|"; nocase; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; content:!"Accept"; http_header; content:!"Referer|3a|"; nocase; http_header; content:"q="; depth:2; http_client_body; pcre:"/^q=[a-zA-Z0-9_-]+$/P"; metadata: former_category MALWARE; reference:md5,f0e02ba660cfcb122b89bc780a6555ac; classtype:trojan-activity; sid:2025094; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internet, tag Adware, signature_severity Major, created_at 2017_12_01, malware_family Adposhel, performance_impact Moderate, updated_at 2017_12_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32.LoadMoney User Agent 2"; flow:established,to_server; content:"User-Agent|3a 20|s|20|2.8"; fast_pattern:only; pcre:"/^User-Agent\x3a\x20s\x202\.8\d\r?$/Hm"; metadata: former_category MALWARE; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2025302; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_02, malware_family Loadmoney, performance_impact Moderate, updated_at 2018_02_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/LoadMoney Adware Activity M2"; flow:to_server,established; content:"GET"; http_method; content:"/software_install?sid="; http_uri; fast_pattern; content:"&sub_id="; distance:0; http_uri; content:"&hash="; distance:0; http_uri; content:"&mid="; distance:0; http_uri; content:"&fname="; distance:0; http_uri; content:!"Referer|3a 20|"; http_header; flowbits:set,ETPTadmoney; metadata: former_category MALWARE; reference:md5,844e53381099d572c3864c7a42ddbbf1; classtype:trojan-activity; sid:2025303; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_02, malware_family Loadmoney, performance_impact Moderate, updated_at 2018_02_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Rogue.WinPCDefender Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/?machine_id={"; http_uri; depth:14; fast_pattern; content:"}"; http_uri; distance:0; pcre:"/\/\?machine_id=\x7b[A-F0-9-]+\x7d/U"; content:!"Referer"; http_header; content:"Host|3a 20|anti"; http_header; metadata: former_category MALWARE; reference:md5,aa8def27909596f8477a5374f735eec9; reference:url,www.bleepingcomputer.com/virus-removal/remove-antivirus-pro-2017; classtype:trojan-activity; sid:2025358; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_14, performance_impact Moderate, updated_at 2018_02_14;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (OSX/Calender 2 Mining)"; flow:established,to_client; content:"|55 04 03|"; content:"|0a|*.qbix.com"; distance:1; within:11; fast_pattern; metadata: former_category MALWARE; reference:url,objective-see.com/blog/blog_0x2B.html; classtype:trojan-activity; sid:2025424; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_03_12, performance_impact Moderate, updated_at 2018_03_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Observed Win32/Foniad Domain (maraukog .info in TLS SNI)"; flow:established,to_server; content:"|00 00 0d|maraukog.info|00|"; fast_pattern; metadata: former_category MALWARE; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:trojan-activity; sid:2025487; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_13, malware_family Foniad, performance_impact Moderate, updated_at 2018_04_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Observed Win32/Foniad Domain (acinster .info in TLS SNI)"; flow:established,to_server; content:"|00 00 0d|acinster.info|00|"; fast_pattern; metadata: former_category MALWARE; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:trojan-activity; sid:2025488; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_13, malware_family Foniad, performance_impact Moderate, updated_at 2018_04_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Observed Win32/Foniad Domain (aclassigned .info in TLS SNI)"; flow:established,to_server; content:"|00 00 10|aclassigned.info|00|"; fast_pattern; metadata: former_category MALWARE; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:trojan-activity; sid:2025489; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_13, malware_family Foniad, performance_impact Moderate, updated_at 2018_04_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Observed Win32/Foniad Domain (efishedo .info in TLS SNI)"; flow:established,to_server; content:"|00 00 0d|efishedo.info|00|"; fast_pattern; metadata: former_category MALWARE; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:trojan-activity; sid:2025490; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_13, malware_family Foniad, performance_impact Moderate, updated_at 2018_04_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Observed Win32/Foniad Domain (enclosely .info in TLS SNI)"; flow:established,to_server; content:"|00 00 0e|enclosely.info|00|"; fast_pattern; metadata: former_category MALWARE; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:trojan-activity; sid:2025491; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_13, malware_family Foniad, performance_impact Moderate, updated_at 2018_04_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Observed Win32/Foniad Domain (insupposity .info in TLS SNI)"; flow:established,to_server; content:"|00 00 10|insupposity.info|00|"; fast_pattern; metadata: former_category MALWARE; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:trojan-activity; sid:2025492; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_13, malware_family Foniad, performance_impact Moderate, updated_at 2018_04_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Observed Win32/Foniad Domain (suggedin .info in TLS SNI)"; flow:established,to_server; content:"|00 00 0d|suggedin.info|00|"; fast_pattern; metadata: former_category MALWARE; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:trojan-activity; sid:2025493; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_13, malware_family Foniad, performance_impact Moderate, updated_at 2018_04_13;)

alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Observed Win32/Foniad Domain (suggedin .info in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|08|suggedin|04|info|00|"; nocase; distance:0; fast_pattern; metadata: former_category MALWARE; reference:md5,dc2c0b6a8824f5ababf18913ad6d0793; classtype:trojan-activity; sid:2025531; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_17, malware_family Foniad, performance_impact Moderate, updated_at 2018_04_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Lavasoft PUA/Adware Client Install"; flow:established,to_server; content:"POST"; http_method; content:"/event-stat?ProductID="; http_uri; fast_pattern; content:"&Type=StubStart"; http_uri; distance:0; content:"lavasoft.com|0d 0a|"; http_header; metadata: former_category MALWARE; classtype:trojan-activity; sid:2025537; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Adware, signature_severity Minor, created_at 2018_04_26, updated_at 2018_04_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WiseCleaner Installed (PUA)"; flow:established,to_server; content:"POST"; http_method; content:".php?p=install_statistics"; nocase; http_uri; content:"Host|3a 20|wisecleaner.net|0d 0a|"; http_header; fast_pattern; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0|3b 20|Maxthon)"; http_header; metadata: former_category MALWARE; reference:url,wisecleaner.com; reference:md5,cd6e96207ea60b3e6e46c393fdcc9e0c; classtype:trojan-activity; sid:2025589; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_06_12, updated_at 2018_06_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Antibody Software Installed (PUA)"; flow:established,to_server; content:"GET"; http_method; content:"version.php?ver="; nocase; http_uri; content:"&newinstall="; nocase; http_uri; distance:0; content:"Host|3a 20|antibody-software.com|0d 0a|"; http_header; fast_pattern; content:"User-Agent|3a 20|Embarcadero URI Client/1.0"; http_header; metadata: former_category MALWARE; reference:url,antibody-software.com; reference:md5,8e22d630b992f9cb4d7f6b0aceebb37f; classtype:trojan-activity; sid:2025590; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_06_12, updated_at 2018_06_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE [eSentire] Win32/Adware.Adposhel.lgvk CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/inst?data="; http_uri; nocase; content:"User-Agent|3a 20|Installer event sender/"; http_header; fast_pattern:13,20; content:"|0d 0a|"; http_header; distance:2; within:4; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; metadata: former_category MALWARE; reference:md5,e7c2c1b796dad6210165110b7e8cda7d; classtype:trojan-activity; sid:2025645; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_10, malware_family Adposhel, performance_impact Low, updated_at 2018_07_10;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"ET MISC HP Web JetAdmin ExecuteFile admin access"; flow: to_server,established; content:"/plugins/framework/script/content.hts"; nocase; content:"ExecuteFile"; nocase; reference:bugtraq,10224; reference:url,doc.emergingthreats.net/2001055; classtype:attempted-admin; sid:2001055; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL MISC Time-To-Live Exceeded in Transit"; icode:0; itype:11; classtype:misc-activity; sid:2100449; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC 0 ttl"; ttl:0; reference:url,support.microsoft.com/default.aspx?scid=kb#-#-EN-US#-#-q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:2101321; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC Unassigned/Reserved IP protocol"; ip_proto:>134; reference:url,www.iana.org/assignments/protocol-numbers; classtype:non-standard-protocol; sid:2101627; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC ip reserved bit set"; fragbits:R; classtype:misc-activity; sid:2100523; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC source route ssrr"; ipopts:ssrr ; reference:arachnids,422; classtype:bad-unknown; sid:2100502; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert ip any any -> any any (msg:"GPL MISC IP Proto 103 PIM"; ip_proto:103; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2102189; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert ip any any -> any any (msg:"GPL MISC IP Proto 53 SWIPE"; ip_proto:53; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2102186; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert ip any any -> any any (msg:"GPL MISC IP Proto 55 IP Mobility"; ip_proto:55; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2102187; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert ip any any -> any any (msg:"GPL MISC IP Proto 77 Sun ND"; ip_proto:77; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2102188; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"GPL MISC return code buffer overflow attempt"; flow:to_client,established,no_stream; content:"200"; isdataat:64,relative; pcre:"/^200\s[^\n]{64}/smi"; reference:bugtraq,4900; reference:cve,2002-0909; classtype:protocol-command-decode; sid:2101792; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"GPL MISC Source Port 20 to <1024"; flow:stateless; flags:S,12; reference:arachnids,06; classtype:bad-unknown; sid:2100503; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"GPL MISC source port 53 to <1024"; flow:stateless; flags:S,12; reference:arachnids,07; classtype:bad-unknown; sid:2100504; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"GPL MISC Connection Closed MSG from Port 80"; flow:from_server,established; content:"Connection closed by foreign host"; nocase; classtype:unknown; sid:2100488; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"GPL MISC ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; reference:arachnids,303; classtype:attempted-recon; sid:2100616; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC AUTHINFO USER overflow attempt"; flow:to_server,established; content:"AUTHINFO"; nocase; content:"USER"; distance:0; nocase; isdataat:200,relative; pcre:"/^AUTHINFO\s+USER\s[^\n]{200}/smi"; reference:arachnids,274; reference:bugtraq,1156; reference:cve,2000-0341; classtype:attempted-admin; sid:2101538; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC nntp SEARCH pattern overflow attempt"; flow:to_server,established; content:"SEARCH"; nocase; pcre:"/^SEARCH\s+[^\n]{1024}/smi"; reference:cve,2004-0574; reference:url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx; classtype:attempted-admin; sid:2103078; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP XPAT pattern overflow attempt"; flow:to_server,established; content:"PAT"; nocase; isdataat:1024,relative; pcre:"/^X?PAT\s+[^\n]{1024}/smi"; reference:cve,2004-0574; reference:url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx; classtype:attempted-admin; sid:2102927; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP article post without path attempt"; flow:to_server,established; content:"takethis"; nocase; pcre:!"/^takethis.*?Path\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/si"; classtype:attempted-admin; sid:2102432; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP checkgroups overflow attempt"; flow:to_server,established; content:"checkgroups"; nocase; pcre:"/^checkgroups\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102427; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP ihave overflow attempt"; flow:to_server,established; content:"ihave"; nocase; pcre:"/^ihave\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102428; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP newgroup overflow attempt"; flow:to_server,established; content:"newgroup"; nocase; isdataat:21,relative; pcre:"/^newgroup\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102430; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC Nntp rmgroup overflow attempt"; flow:to_server,established; content:"rmgroup"; nocase; pcre:"/^rmgroup\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102431; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP sendme overflow attempt"; flow:to_server,established; content:"sendme"; nocase; pcre:"/^sendme\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102429; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP sendsys overflow attempt"; flow:to_server,established; content:"sendsys"; nocase; pcre:"/^sendsys\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102424; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP senduuname overflow attempt"; flow:to_server,established; content:"senduuname"; nocase; pcre:"/^senduuname\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102425; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP version overflow attempt"; flow:to_server,established; content:"version"; nocase; pcre:"/^version\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102426; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"GPL MISC rwhoisd format string attempt"; flow:to_server,established; content:"-soa %p"; reference:bugtraq,3474; reference:cve,2001-0838; classtype:misc-attack; sid:2101323; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL MISC rlogin bin"; flow:to_server,established; content:"bin|00|bin|00|"; reference:arachnids,384; classtype:attempted-user; sid:2100602; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL MISC rlogin echo++"; flow:to_server,established; content:"echo |22| + + |22|"; reference:arachnids,385; classtype:bad-unknown; sid:2100603; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL MISC rlogin root"; flow:to_server,established; content:"root|00|root|00|"; reference:arachnids,389; classtype:attempted-admin; sid:2100606; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL MISC rsh echo + +"; flow:to_server,established; content:"echo |22|+ +|22|"; reference:arachnids,388; classtype:attempted-user; sid:2100608; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL MISC rsh froot"; flow:to_server,established; content:"-froot|00|"; reference:arachnids,387; classtype:attempted-admin; sid:2100609; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL MISC rsh root"; flow:to_server,established; content:"root|00|root|00|"; reference:arachnids,391; classtype:attempted-admin; sid:2100610; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL MISC Finger bomb attempt"; flow:to_server,established; content:"@@"; reference:arachnids,381; reference:cve,1999-0106; classtype:attempted-dos; sid:2100328; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL MISC Finger remote command execution attempt"; flow:to_server,established; content:"|3B|"; reference:arachnids,379; reference:bugtraq,974; reference:cve,1999-0150; classtype:attempted-user; sid:2100326; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL MISC Finger remote command pipe execution attempt"; flow:to_server,established; content:"|7C|"; reference:arachnids,380; reference:bugtraq,2220; reference:cve,1999-0152; classtype:attempted-user; sid:2100327; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"GPL MISC HP Web JetAdmin file write attempt"; flow:to_server,established; content:"/plugins/framework/script/tree.xms"; nocase; content:"WriteToFile"; nocase; reference:bugtraq,9973; classtype:web-application-activity; sid:2102549; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"GPL MISC HP Web JetAdmin remote file upload attempt"; flow:to_server,established; content:"/plugins/hpjwja/script/devices_update_printer_fw_upload.hts"; nocase; content:"Content-Type|3A|"; nocase; content:"Multipart"; distance:0; nocase; reference:bugtraq,9978; classtype:web-application-activity; sid:2102547; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"GPL MISC HP Web JetAdmin setinfo access"; flow:to_server,established; content:"/plugins/hpjdwm/script/test/setinfo.hts"; nocase; reference:bugtraq,9972; classtype:web-application-activity; sid:2102548; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"GPL MISC rsync backup-dir directory traversal attempt"; flow:to_server,established; content:"--backup-dir"; pcre:"/--backup-dir\s+\x2e\x2e\x2f/"; reference:bugtraq,10247; reference:cve,2004-0426; reference:nessus,12230; classtype:string-detect; sid:2102561; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"GPL MISC rsyncd overflow attempt"; flow:to_server; byte_test:2,>,4000,0; content:"|00 00|"; depth:2; offset:2; reference:bugtraq,9153; reference:cve,2003-0962; reference:nessus,11943; classtype:misc-activity; sid:2102048; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"GPL MISC BGP spoofed connection reset attempt"; flow:established; flags:RSF*; threshold:type both,track by_dst,count 10,seconds 10; reference:bugtraq,10183; reference:cve,2004-0230; reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm; classtype:attempted-dos; sid:2102523; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"GPL MISC BGP invalid type 0"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; depth:16; content:"|00|"; within:1; distance:2; reference:bugtraq,6213; reference:cve,2002-1350; classtype:bad-unknown; sid:2102159; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS double free exploit attempt response"; flow:from_server,established; content:"free|28 29 3A| warning|3A| chunk is already free"; reference:bugtraq,6650; reference:cve,2003-0015; classtype:misc-attack; sid:2102010; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS invalid directory response"; flow:from_server,established; content:"E protocol error|3A| invalid directory syntax in"; reference:bugtraq,6650; reference:cve,2003-0015; classtype:misc-attack; sid:2102011; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS invalid module response"; flow:from_server,established; content:"cvs server|3A| cannot find module"; content:"error"; distance:1; classtype:misc-attack; sid:2102013; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS invalid repository response"; flow:from_server,established; content:"error "; content:"|3A| no such repository"; content:"I HATE YOU"; classtype:misc-attack; sid:2102009; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS invalid user authentication response"; flow:from_server,established; content:"E Fatal error, aborting."; content:"|3A| no such user"; classtype:misc-attack; sid:2102008; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS missing cvsroot response"; flow:from_server,established; content:"E protocol error|3A| Root request missing"; classtype:misc-attack; sid:2102012; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS non-relative path error response"; flow:from_server,established; content:"E cvs server|3A| warning|3A| cannot make directory CVS in /"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2102317; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET 5631 -> $EXTERNAL_NET any (msg:"GPL MISC Invalid PCAnywhere Login"; flow:from_server,established; content:"Invalid login"; depth:13; offset:5; classtype:unsuccessful-user; sid:2100511; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp any any <> any 179 (msg:"GPL MISC BGP invalid length"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; byte_test:2,<,19,0,relative; reference:bugtraq,6213; reference:cve,2002-1350; reference:url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575; classtype:bad-unknown; sid:2102158; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"GPL MISC xdmcp query"; content:"|00 01 00 03 00 01 00|"; classtype:attempted-recon; sid:2100517; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP Location overflow"; content:"Location|3A|"; nocase; isdataat:128,relative; pcre:"/^Location\x3a[^\n]{128}/smi"; reference:bugtraq,3723; reference:cve,2001-0876; classtype:misc-attack; sid:2101388; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx; classtype:misc-attack; sid:2101384; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP service discover attempt"; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; classtype:network-scan; sid:2101917; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 2048 (msg:"GPL MISC squid WCCP I_SEE_YOU message overflow attempt"; content:"|00 00 00 08|"; depth:4; byte_test:4,>,32,16; reference:bugtraq,12275; reference:cve,2005-0095; classtype:attempted-user; sid:2103089; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL MISC bootp hardware address length overflow"; content:"|01|"; depth:1; byte_test:1,>,6,2; reference:cve,1999-0798; classtype:misc-activity; sid:2101939; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL MISC bootp invalid hardware type"; content:"|01|"; depth:1; byte_test:1,>,7,1; reference:cve,1999-0798; classtype:misc-activity; sid:2101940; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 9 (msg:"GPL MISC Ascend Route"; content:"NAMENAME"; depth:50; offset:25; reference:bugtraq,714; reference:cve,1999-0060; classtype:attempted-dos; sid:2100281; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC Teardrop attack"; fragbits:M; id:242; reference:bugtraq,124; reference:cve,1999-0015; reference:nessus,10279; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:attempted-dos; sid:2100270; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET MISC RuggedCom factory account backdoor"; flow:to_server,established; content:"factory"; fast_pattern:only; flowbits:isset,ET.RUGGED.BANNER; pcre:"/factory[\r\n\x00]+[0-9]{9}/"; reference:url,www.exploit-db.com/exploits/18779/; reference:url,arstechnica.com/business/news/2012/04/backdoor-in-mission-critical-hardware-threatens-power-traffic-control-systems.ars; classtype:attempted-admin; sid:2014646; rev:3; metadata:created_at 2012_04_27, updated_at 2012_04_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET MOBILE_MALWARE Android Trojan Command and Control Communication"; flow:established,to_server; content:"POST"; http_method; content:"/getAdXml.do"; http_uri; nocase; content:"params="; nocase; reference:url,www.isc.sans.org/diary.html?storyid=10186; classtype:trojan-activity; sid:2012140; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_01_05, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 8118 (msg:"ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 1"; flow:established,to_server; content:"/push/androidxml/"; depth:200; nocase; content:"sim="; depth:200; nocase; content:"tel="; depth:200; nocase; content:"imsi="; depth:200; content:"pid="; depth:200; nocase; reference:url,virus.netqin.com/en/android/MSO.PJApps.A; classtype:trojan-activity; sid:2012451; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 9033 (msg:"ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 2"; flow:established,to_server; content:".log"; depth:200; nocase; content:"id="; depth:200; nocase; content:"softid="; depth:200; nocase; reference:url,virus.netqin.com/en/android/MSO.PJApps.A/; classtype:trojan-activity; sid:2012452; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET MOBILE_MALWARE Android Trojan DroidDream Command and Control Communication"; flow:established,to_server; content:"POST"; http_method; content:"/GMServer/GMServlet"; nocase; http_uri; content:"|0d 0a|User-Agent|3a| Dalvik"; http_header; reference:url,blog.mylookout.com/2011/03/security-alert-malware-found-in-official-android-market-droiddream/; classtype:trojan-activity; sid:2012453; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 81 (msg:"ET MOBILE_MALWARE Android Trojan Fake10086 checkin 1"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"request"; depth:200; nocase; content:".php"; depth:200; nocase; content:"<imei>"; content:"<smscenter>"; content:"<installtime>"; reference:url,blog.aegislab.com/index.php?op=ViewArticle&articleId=81&blogId=1; classtype:trojan-activity; sid:2012454; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 9033 (msg:"ET MOBILE_MALWARE Android Trojan Fake10086 checkin 2"; flow:established,to_server; content:"req.php"; nocase; depth:200; content:"pid="; depth:200; nocase; content:"ver="; depth:200; nocase; content:"area="; depth:200; nocase; content:"insttime="; depth:200; nocase; content:"first="; depth:200; nocase; reference:url,blog.aegislab.com/index.php?op=ViewArticle&articleId=81&blogId=1; classtype:trojan-activity; sid:2012455; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 8118 (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D StartUpdata.ini Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/"; nocase; content:"StartUpdata.ini"; nocase; within:30; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012782; rev:1; metadata:created_at 2011_05_03, updated_at 2011_05_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 8118 (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D BackgroundUpdata.ini Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/BackgroundUpdata.ini"; nocase; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012783; rev:1; metadata:created_at 2011_05_03, updated_at 2011_05_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 8118 (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D active.txt Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/"; nocase; content:"active.txt"; nocase; within:30; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012784; rev:2; metadata:created_at 2011_05_03, updated_at 2011_05_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Yxes.B/E CnC Checkin Request"; flow:established,to_server; content:"/Kernel.jsp?Version="; nocase; fast_pattern:only; http_uri; content:"&PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012844; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request"; flow:established,to_server; content:"/bs?Version="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012845; rev:1; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request 2"; flow:established,to_server; content:"/number/?PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012846; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Yxes.F CnC Checkin Request 3"; flow:established,to_server; content:".jsp?PhoneType="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012847; rev:1; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Possible Mobile Malware POST of IMEI International Mobile Equipment Identity in URI"; flow:established,to_server; content:"POST"; http_method; content:"imei="; nocase; http_uri; pcre:"/imei=\d{2}-?\d{6}-?\d{6,}-?\d{1,}/Ui"; content:!"Host|3a 20|iphone-wu.apple.com"; http_header; reference:url,www.met.police.uk/mobilephone/imei.htm; classtype:trojan-activity; sid:2012848; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS.Flexispy.a Commercial Spying App Sending User Information to Server"; flow:established,to_server; content:"Host|3a| mobile.flexispy.com"; http_header; content:"/service"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_flexispy.a!tr.spy.html; classtype:trojan-activity; sid:2012850; rev:1; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I PropertyFile.jsp CnC Server Communication"; flow:established,to_server; content:"/PropertyFile.jsp?Version="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:trojan-activity; sid:2012851; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I TipFile.jsp CnC Server Communication"; flow:established,to_server; content:"TipFile.jsp"; http_uri; content:"&LanguageCode="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"&PhoneImsi="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:trojan-activity; sid:2012852; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I NumberFile.jsp CnC Server Communication"; flow:established,to_server; content:"NumberFile.jsp?Version="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"&PhoneImsi="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:trojan-activity; sid:2012853; rev:1; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Merogo User Agent"; flow:established,to_server; content:"User-Agent|3A| LiveUpdater 1.0"; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_merogo.b!tr.html; classtype:trojan-activity; sid:2012854; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Geographic Location Logs To Remote Server"; flow:established,to_server; content:"/webapi/gpslog.php"; nocase; http_uri; content:"&long="; nocase; http_uri; content:"&lat="; nocase; http_uri; content:"&speed="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012855; rev:1; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Call Logs to Remote Server"; flow:established,to_server; content:"/webapi/calllog.php"; http_uri; content:"&date="; http_uri; content:"&time="; http_uri; content:"&from="; http_uri; content:"&dur="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012856; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending SMS Logs to Remote Server"; flow:established,to_server; content:"/webapi/sms.php"; http_uri; fast_pattern:only; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012857; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server"; flow:established,to_server; content:"/HiShowServlet/servlet"; http_uri; pcre:"/\x2FHiShowServlet\x2Fservlet.+(InstalNum|UserActivation)/Ui"; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012858; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server"; flow:established,to_server; content:"/cot?ID="; http_uri; content:"&DLType="; http_uri; content:"&SD="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012859; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a User Agent LARK/1.3.0"; flow:established,to_server; content:"User-Agent|3A| LARK/"; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012861; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"/billwebsvr.dll?Buy?user="; http_uri; content:"&key="; http_uri; content:"&channel="; http_uri; content:"&corp="; http_uri; content:"&product="; http_uri; content:"&phone="; http_uri; content:"&private="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012862; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"?id="; http_uri; content:"&time="; http_uri; content:"&imei="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012863; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"sender="; http_uri; content:"&cpId="; http_uri; content:"&cpServiceId="; http_uri; content:"&channelId="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012864; rev:1; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/SuperFairy.D Bookmarked Connection to Server"; flow:established,to_server; content:"jiao.com"; http_header; fast_pattern; content:"/?id=book22"; nocase; http_uri; pcre:"/Host\x3A[^\n\r]*jiao.com/Hi"; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012904; rev:1; metadata:created_at 2011_05_31, updated_at 2011_05_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Smspacem CnC Communication Attempt"; flow:established,to_server; content:"/talktome.asmx"; nocase; http_uri; content:"cell"; http_client_body; nocase; content:"opname"; nocase; http_client_body; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/android_smspacem.a!tr.html; classtype:trojan-activity; sid:2012924; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_02, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Iphone iKee.B Checkin"; flow:established,to_server; content:"/xlm.p.php?id="; http_uri; nocase; reference:url,mtc.sri.com/iPhone/; classtype:trojan-activity; sid:2013019; rev:1; metadata:created_at 2011_06_13, updated_at 2011_06_13;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 8511 (msg:"ET MOBILE_MALWARE DroidKungFu Checkin"; flow:established,to_server; content:"POST "; depth:5; nocase; content:"/search/sayhi.php"; distance:0; nocase; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013020; rev:1; metadata:created_at 2011_06_13, updated_at 2011_06_13;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Possible Post of Infected Mobile Device Location Information"; flow:established,to_server; content:"POST"; http_method; nocase; content:"longitude="; http_uri; nocase; content:"latitude="; http_uri; nocase; classtype:trojan-activity; sid:2013021; rev:1; metadata:created_at 2011_06_13, updated_at 2011_06_13;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 8511 (msg:"ET MOBILE_MALWARE DroidKungFu Checkin 2"; flow:established,to_server; content:"POST "; depth:5; nocase; content:"search/rpty.php"; distance:0; nocase; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013022; rev:1; metadata:created_at 2011_06_13, updated_at 2011_06_13;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MOBILE_MALWARE DNS Query for gongfu-android.com DroidKungFu CnC Server"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0E|gongfu-android|03|com"; distance:0; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013023; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_13, updated_at 2016_07_01;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server Waplove.cn"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|waplove|02|cn"; fast_pattern; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013038; rev:3; metadata:created_at 2011_06_16, updated_at 2011_06_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.Tonclank JAR File Download"; flow:established,to_server; content:"/ProtocolGW/"; fast_pattern; http_uri; nocase; content:"filename="; http_uri; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99&tabid=2; classtype:trojan-activity; sid:2013040; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_16, updated_at 2016_07_01;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server Searchwebmobile.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0F|searchwebmobile|03|com"; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99&tabid=2; classtype:trojan-activity; sid:2013041; rev:2; metadata:created_at 2011_06_16, updated_at 2011_06_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.Plankton/Tonclank Control Server Responding With JAR Download URL"; flow:established,to_client; file_data; content:"url=http|3A|//"; nocase; within:11; content:"ProtocolGW/|3B|filename="; nocase; distance:0; reference:url,www.csc.ncsu.edu/faculty/jiang/Plankton/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013044; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_16, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 8511 (msg:"ET MOBILE_MALWARE DroidKungFu Checkin 3"; flow:established,to_server; content:"POST "; depth:5; nocase; content:"/search/getty.php"; distance:0; nocase; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; reference:url,blog.fortinet.com/androiddroidkungfu-attacking-from-a-mobile-device/; classtype:trojan-activity; sid:2013063; rev:1; metadata:created_at 2011_06_17, updated_at 2011_06_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.HongTouTou Checkin"; flow:established,to_server; content:"POST"; http_method; content:".aspx?im="; http_uri; content:"User-Agent|3A| J2ME/UCWEB"; http_header; fast_pattern:only; reference:url,www.fortiguard.com/encyclopedia/virus/android_hongtoutou.a!tr.html; classtype:trojan-activity; sid:2013072; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_21, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.YzhcSms CnC Keepalive Message"; flow:established,to_server; content:"/android/android.dbug.php?action=heart"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_yzhcsms.a!tr.html; classtype:trojan-activity; sid:2013078; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_21, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.YzhcSms URL for Possible File Download"; flow:established,to_server; content:"/ss/attachments/files/URLshorter.apk"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_yzhcsms.a!tr.html; classtype:trojan-activity; sid:2013079; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_21, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE XML Style POST Of IMEI International Mobile Equipment Identity"; flow:established,to_server; content:"POST"; http_method; content:"<IMEI>"; http_client_body; nocase; content:"<|2F|IMEI>"; nocase; distance:0; http_client_body; content:!".blackberry.com|0d 0a|"; http_header; content:!".nokia.com|0d 0a|"; http_header; content:!".sonyericsson.com|0d 0a|"; http_header; reference:url,www.met.police.uk/mobilephone/imei.htm; classtype:trojan-activity; sid:2013138; rev:6; metadata:created_at 2011_06_30, updated_at 2011_06_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE XML Style POST Of IMSI International Mobile Subscriber Identity"; flow:established,to_server; content:"POST"; http_method; nocase; content:"<IMSI>"; http_client_body; nocase; content:"<|2F|IMSI"; nocase; http_client_body; distance:0; reference:url,www.learntelecom.com/telephony/gsm/international-mobile-subscriber-identity-imsi; classtype:trojan-activity; sid:2013139; rev:2; metadata:created_at 2011_06_30, updated_at 2011_06_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Message"; flow:established,to_server; content:".jsp?Version="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"PhoneImsi="; http_uri; content:"&PhoneNumber="; http_uri; content:"&Succeed="; http_uri; content:"&Fail="; http_uri; content:"&Source="; http_uri; content:"&Time="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013140; rev:3; metadata:created_at 2011_06_30, updated_at 2011_06_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Yxes Plugucsrv.sisx File Download"; flow:established,to_server; content:"plugucsrv.sisx"; http_uri; fast_pattern:only; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013141; rev:2; metadata:created_at 2011_06_30, updated_at 2011_06_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Yxes Jump.jsp CnC Checkin Message"; flow:established,to_server; content:"/Jump.jsp?Version="; http_uri; fast_pattern:only; content:"&PhoneType=";  http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013142; rev:2; metadata:created_at 2011_06_30, updated_at 2011_06_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Yxes KernelPara.jsp CnC Checkin Message"; flow:established,to_server; content:"/KernelPara.jsp?Version="; http_uri; fast_pattern:only; content:"&PhoneType="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013143; rev:1; metadata:created_at 2011_06_30, updated_at 2011_06_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.CruseWin Retriving XML File from Hard Coded CnC"; flow:established,to_server; content:"/flash/test.xml"; http_uri; fast_pattern:only; flowbits:set,ET.And.CruseWin; flowbits:noalert; reference:url,www.fortiguard.com/encyclopedia/virus/android_crusewin.a!tr.html; classtype:trojan-activity; sid:2013193; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_05, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.CruseWin XML Configuration File Sent From CnC Server"; flowbits:isset,ET.And.CruseWin; flow:established,from_server; file_data; content:"<connect>http|3A|//"; nocase; distance:0; content:"<send number="; nocase; distance:0; content:"<insms>http|3A|//"; nocase; distance:0; content:"<delete number="; nocase; distance:0; content:"<clean app="; nocase; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/android_crusewin.a!tr.html; classtype:trojan-activity; sid:2013194; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_05, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Mobile Device Posting Phone Number"; flow:established,to_server; content:"POST"; nocase; http_method; content:"&Phone"; fast_pattern; nocase; http_uri; content:"Number="; nocase; http_uri; pcre:"/\x26Phone(Number\x3D|\x5FNumber\x3D|\x2DNumber\x3D)/Ui"; metadata: former_category MOBILE_MALWARE; classtype:trojan-activity; sid:2013208; rev:2; metadata:created_at 2011_07_06, updated_at 2017_07_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.Walkinwat Sending Data to CnC Server"; flow:established,to_server; content:"/wat.php"; nocase; http_uri; content:"incorporateapps.com"; nocase; http_header; pcre:"/Host\x3A[^\r\n]*incorporateapps\x2Ecom/Hi"; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-033008-4831-99&tabid=2; reference:url,blog.avast.com/2011/03/21/android-is-calling-walk-and-text-and-be-malicious/; classtype:trojan-activity; sid:2013209; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_06, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 81 (msg:"ET MOBILE_MALWARE Android.Bgserv POST of Data to CnC Server"; flow:established,to_server; content:"POST "; depth:5; nocase; content:"/Coop/request"; within:15; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-031005-2918-99&tabid=2; classtype:trojan-activity; sid:2013210; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_06, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/GoldDream Infected Device Registration"; flow:established,to_server; content:"/RegistUid.asp"; fast_pattern:only; http_uri; nocase; content:"?pid="; nocase; http_uri; content:"&cid="; nocase; http_uri; content:"&imei="; nocase; http_uri; content:"&sim="; nocase; http_uri; content:"&imsi="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013238; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_08, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/GoldDream Task Information Retrieval"; flow:established,to_server; content:"/alotWorkTask.aspx?no="; http_uri; content:"&uid="; http_uri; content:"&ti="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013240; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_08, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/GoldDream Uploading Watch Files"; flow:established,to_server; content:"/upload/UploadFiles.aspx?askId="; http_uri; fast_pattern:only; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013241; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_08, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/CommDN Downloading Second Stage Malware Binary"; flow:established,to_server; content:"DGOManagerServer/file/TianXiangServer2.sisx"; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_commdn.a!tr.html; classtype:trojan-activity; sid:2013261; rev:1; metadata:created_at 2011_07_13, updated_at 2011_07_13;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/SymGam CnC Checkin"; flow:established,to_server; content:"/ddown/getvalid.aspx"; nocase; http_uri; fast_pattern:only; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_symgam.a!tr.html; classtype:trojan-activity; sid:2013265; rev:1; metadata:created_at 2011_07_14, updated_at 2011_07_14;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MOBILE_MALWARE SymbOS/SymGam Receiving SMS Message Template from CnC Server"; flow:established,to_client; content:"<smslist>"; content:"<sms id="; distance:0; content:"upnumber="; distance:0; content:"<|2F|smslist>"; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_symgam.a!tr.html; classtype:trojan-activity; sid:2013266; rev:1; metadata:created_at 2011_07_14, updated_at 2011_07_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/HippoSms Method Request to CnC"; flow:established,to_server; content:"/clientRequest.htm?method="; http_uri; nocase; content:"&os="; http_uri; content:"&brand="; nocase; http_uri; content:"&sdkVersion="; nocase; http_uri; pcre:"/method\x3D(update|startcharge)/Ui"; reference:url,www.fortiguard.com/encyclopedia/virus/android_hipposms.a!tr.html; classtype:trojan-activity; sid:2013299; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_23, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.AdSms Retrieving XML File from CnC Server"; flow:established,to_server; content:"/Submit.aspx?ver="; http_uri; content:"&sys="; http_uri; content:"&imei="; http_uri; content:"&ua="; http_uri; content:"&pro="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_adsms.a!tr.html; classtype:trojan-activity; sid:2013316; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_26, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.AdSms XML File From CnC Server"; flow:established,from_server; content:"<cmdsystem>"; content:"<mobile>"; content:"<|2F|mobile>"; fast_pattern; within:50; content:"<killprocess>"; distance:0; content:"<killinstall>"; distance:0; content:"<killuninst>"; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/android_adsms.a!tr.html; classtype:trojan-activity; sid:2013317; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_26, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.Zitmo Forwarding SMS Message to CnC Server"; flow:established,to_server; content:"POST"; http_method; content:"/security.jsp"; nocase; http_uri; content:"f0="; http_client_body; depth:3; content:"&b0="; distance:0; http_client_body; content:"&pid="; distance:0; http_client_body; reference:url,blog.fortinet.com/zitmo-hits-android/; classtype:trojan-activity; sid:2013327; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_27, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Netisend.A Posting Information to CnC"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/netsend/nmsm_json.jsp"; fast_pattern:only; http_uri; content:"User-Agent|3a| Apache-HttpClient/"; http_header; reference:url,www.fortiguard.com/latest/mobile/2959807; classtype:trojan-activity; sid:2013694; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_09_23, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/SndApp.B Sending Device Information"; flow:established,to_server; content:"/android_notifier/notifier.php?app="; http_uri; content:"&deviceId="; http_uri; content:"&mobile="; http_uri; content:"&country="; http_uri; content:"&carrier="; http_uri; reference:url,www.fortiguard.com/latest/mobile/3302891; classtype:trojan-activity; sid:2013965; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_11_23, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Ozotshielder.A Checkin"; flow:established,to_server; content:"/AndroidService.aspx?imsi="; http_uri; content:"&mobile="; http_uri; content:"&pid="; http_uri; content:"&ownerid="; http_uri; content:"&testchlid="; http_uri; content:"&androidver="; http_uri; reference:url,www.fortiguard.com/latest/mobile/3302951; classtype:trojan-activity; sid:2013966; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_11_23, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/KungFu Package Delete Command"; flow:established,to_server; content:"/search/isavailable"; http_uri; content:".php?imei="; http_uri; content:"&ch="; http_uri; content:"&ver="; http_uri; content:"User-Agent|3A 20|adlib/"; http_header; reference:url,blog.trendmicro.com/connections-between-droiddreamlight-and-droidkungfu/; classtype:trojan-activity; sid:2013968; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_11_23, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/FakeTimer.A Reporting to CnC"; flow:to_server,established; content:"/send.php?a_id="; http_uri; content:"&telno="; fast_pattern:only; http_uri; content:"&m_addr="; http_uri; content:"Android"; http_header; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_FAKETIMER.A; reference:url,anubis.iseclab.org/?action=result&task_id=1ba82b938005acea4ddefc8eff1f4db06; reference:md5,cf9ba4996531d40402efe268c7efda91; reference:md5,537f190d3d469ad1f178024940affcb5; classtype:trojan-activity; sid:2014161; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_01_27, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/SndApps.SM Sending Information to CnC"; flow:established,to_server; content:"/android_notifier/notifier.php?h="; http_uri; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_SNDAPPS.SM; classtype:trojan-activity; sid:2014162; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_01_27, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Plankton.P Commands Request to CnC Server"; flow:established,to_server; content:"/ProtocolGW/protocol/commands"; http_uri; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_PLANKTON.P; classtype:trojan-activity; sid:2014215; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_02_07, updated_at 2016_07_01;)

#alert tcp $HOME_NET 8888 -> any any (msg:"ET MOBILE_MALWARE iOS Keylogger iKeyMonitor access"; flow:from_server,established; content:"/><title>Keystrokes - iKeyMonitor</title><style "; reference:url,moreinfo.thebigboss.org/moreinfo/depiction.php?file=ikeymonitorDp; classtype:policy-violation; sid:2014406; rev:2; metadata:created_at 2012_03_20, updated_at 2012_03_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Ksapp.A Checkin"; flow:to_server,established; content:"GET "; depth:4; content:"/kspp/do?imei="; distance:0; content:"&wid="; distance:0; content:"&type="; distance:0; content:"&step="; distance:0;  reference:md5,e6d9776113b29680aec73ac2d1445946; reference:md5,13e6ce4aac7e60b10bfde091c09b9d88; reference:url,anubis.iseclab.org/?action=result&task_id=16b7814b794cd728435e122ca2c2fcdd3; reference:url,www.fortiguard.com/latest/mobile/4158213; reference:url,symantec.com/connect/blogs/mdk-largest-mobile-botnet-china; classtype:trojan-activity; sid:2016318; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_12_12, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Updtkiller Sending Device Information"; flow:established,to_server; content:"/phone_getinfokou_android.php"; http_uri; reference:url,www.symantec.com/ja/jp/security_response/writeup.jsp?docid=2012-082308-1823-99&tabid=2; classtype:trojan-activity; sid:2016094; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_12_27, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/CoolPaperLeak Sending Information To CnC"; flow:established,to_server; content:"POST"; http_method; content:"/geturl.aspx?email="; http_uri; content:"&lat="; http_uri; content:"&lon="; http_uri; content:"&mobile="; http_uri; content:"&group="; http_uri; reference:url,www.symantec.com/connect/blogs/androidcoolpaperleak-million-download-baby; classtype:trojan-activity; sid:2016209; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_01_15, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android TrojanFakeLookout.A"; flow:established,to_server; urilen:13; content:"/controls.php"; http_uri; content:"User-Agent|3a| Dalvik/"; http_header; reference:url,blog.trustgo.com/fakelookout/; reference:md5,65baecf1fe1ec7b074a5255dc5014beb; classtype:trojan-activity; sid:2016343; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_02_05, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Fakelash.A!tr.spy Checkin"; flow:to_server,established; content:"/data.php?action="; nocase; http_uri; content:"&online="; distance:0; http_uri; content:"&m="; distance:0; http_uri; content:"&ver="; distance:0; http_uri; content:"User-Agent|3a| Dalvik/"; http_header; reference:md5,7dec1c9174d0f688667f6c34c0fa66c2; reference:url,blog.fortiguard.com/android-malware-distributed-by-malicious-sms-in-france/; classtype:trojan-activity; sid:2016344; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_02_05, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 8511 (msg:"ET MOBILE_MALWARE DroidKungFu Variant"; flow:established,to_server; content:"GET /search/"; content:".php?i="; distance:0; content:"1.0|0d 0a|User-Agent|3a| unknown|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2016345; rev:3; metadata:created_at 2013_02_05, updated_at 2013_02_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Smsilence.A Successful Install Report"; flow:established,to_server; content:"/Android_SMS/installing.php"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/sms-trojan-targets-south-korean-android-devices; classtype:trojan-activity; sid:2016512; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_03_01, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Smsilence.A Sending SMS Messages CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/Android_SMS/receiving.php"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/sms-trojan-targets-south-korean-android-devices; classtype:trojan-activity; sid:2016513; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_03_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MOBILE_MALWARE signed-unsigned integer mismatch code-verification bypass"; flow:from_server,established; content:"200"; http_stat_code; content:"OK"; http_stat_msg; file_data; content:"PK"; depth:2; content:"|FD FF|"; distance:26; within:2; content:".dex"; nocase; within:128; reference:url,sophos.com/2013/07/17/anatomy-of-another-android-hole-chinese-researchers-claim-new-code-verification-bypass/; classtype:trojan-activity; sid:2017163; rev:1; metadata:created_at 2013_07_17, updated_at 2013_07_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/FakeAhnAV.A CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/srev.asp"; http_uri; content:"action="; http_client_body; depth:7; content:"&b_name="; http_client_body; distance:0; content:"&b_conter="; http_client_body; distance:0; reference:url,blogs.mcafee.com/mcafee-labs/android-fake-av-hosted-in-google-code-targets-south-koreans; classtype:trojan-activity; sid:2017466; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_09_16, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Opfake.A GetTask CnC Beacon"; flow:established,to_server; content:"/getTask.php?"; fast_pattern:only; nocase; http_uri; content:"imei="; http_uri; content:"balance="; http_uri; content:!"Referer|3a 20|"; http_header; metadata: former_category MOBILE_MALWARE; reference:url,quequero.org/2013/09/android-opfake-malware-analysis/; classtype:trojan-activity; sid:2017587; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_10_13, updated_at 2017_03_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Opfake.A Country CnC Beacon"; flow:established,to_server; content:".php?"; http_uri; content:"co"; http_uri; content:"untry="; http_uri; content:"phone="; http_uri; content:"&op="; http_uri; content:"imei="; fast_pattern:only; http_uri; content:"User-Agent|3a| Apache-HttpClient/"; http_header; content:!"Referer|3a 20|"; http_header; reference:url,quequero.org/2013/09/android-opfake-malware-analysis/; classtype:trojan-activity; sid:2017588; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_10_13, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.KorBanker Fake Banking App Install CnC Beacon"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/send_sim_no.php|20|HTTP/1."; fast_pattern; content:!"Referer|3a 20|"; http_header; content:"_no="; http_client_body; depth:16; metadata: former_category MOBILE_MALWARE; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/11/dissecting-android-korbanker.html; reference:md5,a68bbfe91fab666daaf2c070db00022f; reference:md5,a68bbfe91fab666daaf2c070db00022f; classtype:trojan-activity; sid:2017787; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_11_27, updated_at 2017_04_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.KorBanker Successful Fake Banking App Install CnC Server Acknowledgement"; flow:established,to_client; file_data; content:"|7b 22|success|22 3A|1,|22|message|22 3A 22|Product successfully updated.|22|}"; within:55; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/11/dissecting-android-korbanker.html; reference:md5,a68bbfe91fab666daaf2c070db00022f; reference:md5,a68bbfe91fab666daaf2c070db00022f; classtype:trojan-activity; sid:2017788; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_11_27, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy getLastVersion CnC Beacon"; flow:established,to_server; content:"POST /getLastVersion "; depth:21; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/m"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2017999; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy RegisterRequest CnC Beacon"; flow:established,to_server; content:"POST /register "; depth:15; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/m"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018000; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy LoginRequest CnC Beacon"; flow:established,to_server; content:"POST /login "; depth:12; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/m"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018001; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy ReportRequest CnC Beacon"; flow:established,to_server; content:"POST /report "; depth:13; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/m"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018002; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy GetTaskRequest CnC Beacon"; flow:established,to_server; content:"POST /getTask "; depth:14; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/m"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018003; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy ReportMessageRequest CnC Beacon"; flow:established,to_server; content:"POST /reportMessage "; depth:20;  pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/m"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018004; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/DwnlAPK-A Configuration File Request"; flow:established,to_server; content:"/iconfig.txt"; fast_pattern; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible)|0D 0A|"; http_header; reference:url,nakedsecurity.sophos.com/2014/01/31/android-banking-malware-with-a-twist-in-the-delivery/; classtype:trojan-activity; sid:2018071; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_02_05, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/FakeKakao checkin 1"; flow:to_server,established; content:"POST"; http_method; content:"androidbugreport.php"; http_uri; content:!"User-Agent|3a| "; nocase; http_header; content:"id="; depth:3; http_client_body; content:"&token="; depth:7; http_client_body; content:"&target="; depth:8; http_client_body; content:"&rd="; depth:4; http_client_body; content:"&fo="; depth:4; http_client_body; reference:url,blog.fortinet.com/Fake-KakaoTalk-Security-Plug-in/; classtype:trojan-activity; sid:2018138; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_02_14, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/FakeKakao checkin 2"; flow:to_server,established; content:"POST"; http_method; content:"filter.php"; http_uri; content:!"User-Agent|3a| "; nocase; http_header; content:"id="; depth:3; http_client_body; reference:url,blog.fortinet.com/Fake-KakaoTalk-Security-Plug-in/; classtype:trojan-activity; sid:2018139; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_02_14, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/FakeKakao checkin 3"; flow:to_server,established; content:"POST"; http_method; content:"history.php"; http_uri; content:!"User-Agent|3a| "; nocase; http_header; content:"id="; depth:3; http_client_body; content:"&ds="; depth:4; http_client_body; content:"&sg="; depth:4; http_client_body; reference:url,blog.fortinet.com/Fake-KakaoTalk-Security-Plug-in/; classtype:trojan-activity; sid:2018140; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_02_14, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SMSSend Fake flappy bird APK"; flow:to_server,established; content:"GET"; http_method; content:"/bookmark/getServiceCode?price="; http_uri; fast_pattern:only; content:"User-Agent|3a 20|Dalvik"; http_header; content:!"Referer|3a 20|"; http_header; reference:url,securehoney.net/blog/how-to-dissect-android-flappy-bird-malware.html; reference:md5,6c357ac34d061c97e6237ce9bd1fe003; classtype:trojan-activity; sid:2018306; rev:2; metadata:created_at 2014_03_24, updated_at 2014_03_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/get.php|20|HTTP/1."; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:"info"; http_client_body; pcre:"/(?:^|&|\x22|\{\x22)id(?:=|\x22\x3a\x22)(?:[a-f0-9]{32}|[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})(?:&|\x22|$)/P"; metadata: former_category MOBILE_MALWARE; reference:md5,a85990f79268a18329f4040a2ec85591; reference:md5,f48cd0c0e5362142c0c15316fa2635dd; classtype:trojan-activity; sid:2023553; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_04_17, malware_family Android_Hqwar, updated_at 2017_07_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE AndroidOS/Lotoor.Q"; flow:established, to_server; content:"device_id="; http_uri; pcre:"/device_id=\d{10,20}&imsi=\d{10,15}&device_name=/Ui"; content:"&app_id="; http_uri; pcre:"/&app_id=[a-f0-9]{30,35}&app_package_name=/Ui"; content: "screen_density="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:md5,92608e6ff795862f83d891ad8337b387; classtype:trojan-activity; sid:2018520; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_06_04, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.Adware.Wapsx.A"; flow:established, to_server; content:"/fengmian/"; fast_pattern:only; content:"User-Agent|3a| meinv6.4.0 qiu shou gou, zhi mai 503 wan ren min bi|0d 0a|"; http_header; depth:65; content:!"Referer|3a|"; http_header; reference:md5,37e36531e6dbc3ad0954fd9bb4588fad; classtype:trojan-activity; sid:2018533; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_06_05, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Andr/com.sdwiurse"; flow:established,to_server; content:"POST"; http_method; content:"/youxi_up.php"; fast_pattern:only; http_uri; content:"--*****|0d 0a|Content-Disposition|3a| form-data|3b| name=|22|npki|22|"; depth:52; http_client_body; reference:url,fireeye.com/blog/technical/2014/06/what-are-you-doing-dsencrypt-malware.html; reference:md5,04d24eb45d3278400b5fee5c1b06226c; classtype:trojan-activity; sid:2018584; rev:3; metadata:created_at 2014_06_19, updated_at 2014_06_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Comll.Banker RAT CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/n/"; http_uri; content:!"Referer|3a 20|"; http_header; content:"content=eyJ"; http_client_body; depth:11; fast_pattern; content:!"Accept|3a|"; http_header; pcre:"/\/n\/\d{15}$/U"; metadata: former_category MOBILE_MALWARE; reference:md5,a78e904a05d4a9e6a15b6f56b261eab9; classtype:trojan-activity; sid:2018630; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_03, updated_at 2017_03_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 9999 (msg:"ET MOBILE_MALWARE Android Spyware Dowgin Checkin"; flow:established,to_server; content:"POST /webviewAdReq"; nocase; depth:18; reference:md5,45bf9f6e19649d3e1642854ecd82623c; classtype:trojan-activity; sid:2018663; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_10, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android ScarePakage checkin"; flow:established,to_server; content:"POST"; http_method; content:"/flash/api.php?id="; http_uri; fast_pattern:only; pcre:"/^\/flash\/api\.php\?id=\d/U"; content:"method="; depth:7; http_client_body; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:url,blog.lookout.com/blog/2014/07/16/scarepakage/; reference:url,contagiominidump.blogspot.com/2014/07/android-scarepackage-ransomware.html; reference:md5,645a60e6f4393e4b7e2ae16758dd3a11; classtype:trojan-activity; sid:2018769; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_24, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android ScarePakage checkin 2"; flow:established,to_server; content:"POST"; http_method; urilen:14; content:"/api33/api.php"; http_uri; fast_pattern:only; content:"method="; depth:7; http_client_body; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:url,blog.lookout.com/blog/2014/07/16/scarepakage/; reference:url,contagiominidump.blogspot.com/2014/07/android-scarepackage-ransomware.html; reference:md5,645a60e6f4393e4b7e2ae16758dd3a11; classtype:trojan-activity; sid:2018774; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_24, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE AndroidOS.Simplocker Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:5; content:"/1/?1"; http_uri; fast_pattern:only; content:"{|22|n|22 3a 22|"; depth:6; http_client_body; content:"|22 2c 22|d|22 3a 22|"; distance:0; http_client_body; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:url,welivesecurity.com/2014/07/22/androidsimplocker/; reference:md5,b98cac8f1ce9284f9882ba007878caf1; classtype:trojan-activity; sid:2018781; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_25, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Worm.AndroidOS.Selfmite.a Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:12; content:"/message.php"; http_uri; fast_pattern:only; content:"|20|Android|20|"; http_header; content:!"Referer|3a|"; http_header; reference:md5,54b715f6608d4457a9d22cfdd8bddbe6; reference:url,adaptivemobile.com/blog/selfmite-worm; reference:url,computerworld.com/s/article/9249430/Self_propagating_SMS_worm_Selfmite_targets_Android_devices; classtype:trojan-activity; sid:2018792; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_28, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MOBILE_MALWARE Android/Trogle.A Possible Exfiltration of SMS via SMTP"; flow:established,to_server; content:"MAIL FROM|3a|<a137736513@qq.com>"; nocase; reference:md5,ef819779fc4bee6117c124fb752abf57; classtype:trojan-activity; sid:2018887; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_08_04, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Spy.Kasandra.A Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/path/DeviceManager.php"; nocase; depth:23; http_uri; content:"func="; depth:5; http_client_body; content:"&deviceid="; distance:0; http_client_body; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,6df6553b115d9ed837161a9e67146ecf; classtype:trojan-activity; sid:2018888; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_08_04, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Locker.B Checkin 1"; flow:established,to_server; content:"POST"; http_method; content:".php"; content:"method=counter&app_key="; depth:23; http_client_body; content:!"Referer|3a|"; http_header; pcre:"/\.php$/U"; reference:md5,28726f772f6b4b63fb40696a28afafc9; reference:url,malware.dontneedcoffee.com/2014/08/scarepackageknstant.html; classtype:trojan-activity; sid:2018945; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_08_18, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Locker.B Checkin 2"; flow:established,to_server; content:"POST"; http_method; content:".php"; content:"method=devicestatus"; http_client_body; fast_pattern:only; content:"&app_key="; offset:19; http_client_body; content:"&imei="; distance:0; http_client_body; content:!"Referer|3a|"; http_header; pcre:"/\.php$/U"; reference:md5,28726f772f6b4b63fb40696a28afafc9; reference:url,malware.dontneedcoffee.com/2014/08/scarepackageknstant.html; classtype:trojan-activity; sid:2018946; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_08_18, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Youmi.Adware Install Report CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:15; content:"/report/install"; http_uri; fast_pattern:only; content:"data="; http_client_body; depth:5; content:"os="; http_client_body; distance:0; content:"mac="; http_client_body; distance:0; content:"sign="; http_client_body; distance:0; reference:md5,6096ace9002792e625a0cdb6aec3f379; classtype:trojan-activity; sid:2019125; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_09_05, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE iOS/AppBuyer Checkin 1"; flow:established,to_server; content:"/updatesrv.aspx?f=1"; http_uri; fast_pattern:only; reference:md5,1c32f9f05234cac7dd7a83e3925a3105; reference:url,researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/; classtype:trojan-activity; sid:2019174; rev:1; metadata:created_at 2014_09_15, updated_at 2014_09_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE iOS/AppBuyer Checkin 2"; flow:established,to_server; content:"/updatesrv.aspx?f=2&uuid="; http_uri; fast_pattern:only; reference:md5,1c32f9f05234cac7dd7a83e3925a3105; reference:url,researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/; classtype:trojan-activity; sid:2019175; rev:1; metadata:created_at 2014_09_15, updated_at 2014_09_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Code4hk.A Checkin"; flow:established,to_server; content:"ClientInfo"; content:"isWifi"; distance:0; content:"cpuInfo"; distance:0; content:"firstOnlineIp"; distance:0; content:"firstOnlineTime"; distance:0; content:"imei"; distance:0; content:"ipAddr"; distance:0; content:"phoneBrand"; distance:0; content:"phoneNumber"; distance:0; content:"simOperator"; distance:0; fast_pattern; reference:url,malware.lu/articles/2014/09/29/analysis-of-code4hk.html; classtype:trojan-activity; sid:2019318; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_09_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE iOS/Xsser Checkin"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/TargetConnect.aspx"; http_uri; content:"&tIMEI="; http_uri; content:"&tIMSI="; http_uri; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019331; rev:1; metadata:created_at 2014_10_01, updated_at 2014_10_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE iOS/Xsser sending GPS info"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/TargetUploadGps.aspx"; http_uri; content:"tmac="; http_uri; content:"&JZ="; http_uri; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019332; rev:1; metadata:created_at 2014_10_01, updated_at 2014_10_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE iOS/Xsser sending files"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/TargetUploadFile.aspx"; http_uri; content:"tmac="; http_uri; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019333; rev:1; metadata:created_at 2014_10_01, updated_at 2014_10_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE iOS/Xsser checking library version"; flow:to_server,established; content:"GET"; http_method; nocase; urilen:18; content:"/CheckLibrary.aspx"; http_uri; content:!"Referer|3a|"; http_header; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019334; rev:1; metadata:created_at 2014_10_01, updated_at 2014_10_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Koler.C Checkin"; flow:to_server,established; content:".php?v="; http_uri; content:"&brok="; fast_pattern:only; http_uri; content:"&u="; http_uri; content:"&id="; http_uri; content:!"Referer|3a 20|"; http_header; pcre:"/&id=\d{15}$/U"; reference:md5,6ae7b0d04e2fd64a50703910d0eff9cc; classtype:trojan-activity; sid:2019510; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_10_27, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.Stealthgenie Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/SGCommand.aspx?sgcommand="; fast_pattern:6,20; http_uri; content:"&uid="; http_uri; distance:0; content:"&sid="; http_uri; distance:0; content:"&value="; http_uri; distance:0; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"|20|Android|20|"; http_header; reference:md5,06947ce839a904d6abcb272ff46e7de1; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-111416-1306-99&tabid=2; reference:url,engadget.com/2014/09/30/crackdown-on-spying-apps-leads-to-stealthgenie-ceos-arrest/; classtype:trojan-activity; sid:2019805; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_11_25, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE CoolReaper CnC Beacon 1"; flow:established,to_server; content:"/dmp/api/"; http_uri; fast_pattern:only; content:"User-Agent|3a 20|UAC/"; http_header; content:"|28|Android|20|"; distance:0; http_header; content:"dmp."; http_header; pcre:"/\/dmp\/api\/[a-z]+$/U"; pcre:"/^Host\x3a[^\r\n]+?dmp\.[^\r\n]+?\r?$/Hmi"; reference:url,researchcenter.paloaltonetworks.com/2014/12/coolreaper-revealed-backdoor-coolpad-android-devices/; classtype:trojan-activity; sid:2019958; rev:1; metadata:created_at 2014_12_17, updated_at 2014_12_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE CoolReaper CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a 20|UAC/"; http_header; content:"|28|Android|20|"; distance:0; http_header; content:"name=|22|softwareVersion|22|"; nocase; http_client_body; content:"name=|22|isEnc|22|"; nocase; distance:0; http_client_body; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2014/12/coolreaper-revealed-backdoor-coolpad-android-devices/; classtype:trojan-activity; sid:2019959; rev:1; metadata:created_at 2014_12_17, updated_at 2014_12_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE CoolReaper User-Agent"; flow:established,to_server; content:"User-Agent|3a 20|UAC/"; http_header; fast_pattern; content:"|28|Android|20|"; distance:0; http_header; reference:url,researchcenter.paloaltonetworks.com/2014/12/coolreaper-revealed-backdoor-coolpad-android-devices/; classtype:trojan-activity; sid:2019960; rev:1; metadata:created_at 2014_12_17, updated_at 2014_12_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,4646] (msg:"ET MOBILE_MALWARE Android Syria-Twitter Checkin"; flow:to_server,established; content:"POST /contacts|20|"; depth:15; content:"User-Agent|3a| Apache-HttpClient/"; distance:0; content:"|0d 0a 0d 0a|contact|25|26="; fast_pattern; distance:0; reference:md5,b91315805ef1df07bdbfa07d3a467424; reference:url,www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf; classtype:trojan-activity; sid:2020343; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_02_02, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/SMSThief.F Banker CnC Beacon"; flow:established,to_server; content:"/input_data_get_contact.asp?user="; http_uri; content:"&pwd="; http_uri; content:"&addr="; http_uri; reference:url,research.zscaler.com/2015/02/android-banking-trojan-and-sms-stealer.html; reference:md5,ff081c1400a948f2bcc4952fed2c818b; classtype:trojan-activity; sid:2020353; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_02_03, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Operation Pawn Storm IOS_XAGENT Checkin"; flow:to_server,established; content:"User-Agent|3a 20|XAgent/1."; http_header; fast_pattern:12,9; content:!"Referer|3a|"; http_header; pcre:"/^(?:(?:sear|wat)ch|results|close|find|open)\/\?[a-zA-Z]{2,8}=/U"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/; classtype:trojan-activity; sid:2020363; rev:1; metadata:created_at 2015_02_04, updated_at 2015_02_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE IOS_XAGENT UA"; flow:to_server,established; content:"User-Agent|3a 20|XAgent/1."; http_header; fast_pattern:12,9; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/; classtype:trojan-activity; sid:2020364; rev:1; metadata:created_at 2015_02_04, updated_at 2015_02_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.Trojan.SMSSend.Y"; flow:established,to_server; content:"/api/log.html|3f|"; http_uri; fast_pattern; content:"c="; http_uri; content:"&o="; http_uri; content:"&n="; http_uri; content:"User-Agent|3a| Apache-HttpClient"; http_header; reference:md5,ef79985c90675e7abfb6b9a6bc5a6c65; classtype:trojan-activity; sid:2020729; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_03_23, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.Trojan.SLocker.DZ Checkin"; flow:to_server,established; content:"/pha?android_version="; fast_pattern:only; http_uri; content:"&id="; http_uri; content:"&phone_number="; http_uri; content:"&client_version="; http_uri; content:"&imei="; http_uri; content:"&name="; http_uri; reference:url,securityblog.s21sec.com/2015/05/new-ransomware-in-mobile-environment.html; classtype:trojan-activity; sid:2021174; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_06_01, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Wroba.m Checkin"; flow:to_server,established; content:"content=eyJmaW5nZXJwcmludCI"; depth:27; reference:md5,0aa69ad64e20bb6cbf72f346ce43ff23; reference:url,www.fireeye.com/blog/threat-research/2014/07/the-service-you-cant-refuse-a-secluded-hijackrat.html; classtype:trojan-activity; sid:2021185; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_06_04, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android BatteryBotPro Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"User-Agent|3a| Mozilla/5.0 (Windows NT 5.2|29 20|"; http_header; content:"appid="; depth:6; http_client_body; content:"&model="; http_client_body; content:"&imei="; fast_pattern:only; http_client_body; content:"&connect="; http_client_body; content:"&dpi="; http_client_body; content:"&width="; http_client_body; content:"&cpu="; http_client_body; content:"&phoneno="; http_client_body; reference:md5,6f39ac1c8c34ab9ba51bf26eba4cc6fb; reference:url,research.zscaler.com/2015/07/fake-batterybotpro-clickfraud-adfruad.html; classtype:trojan-activity; sid:2021386; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_07_06, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [8011,8013] (msg:"ET MOBILE_MALWARE Android BatteryBotPro Checkin 2"; flow:to_server,established; content:"uuid="; depth:800; content:"language="; content:"appkey"; content:"model="; content:"operatorsname="; fast_pattern:only; content:"networkname="; content:"networktype="; reference:md5,6f39ac1c8c34ab9ba51bf26eba4cc6fb; reference:url,research.zscaler.com/2015/07/fake-batterybotpro-clickfraud-adfruad.html; classtype:trojan-activity; sid:2021387; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_07_06, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android Gunpoder Checkin"; flow:to_server,established; content:"/landing?c="; fast_pattern:only; http_uri; content:"&g="; http_uri; content:"&a="; http_uri; content:"&s1="; http_uri; content:"&s2="; http_uri; content:"&s3="; http_uri; content:"&s4="; http_uri; content:"&s5="; http_uri; content:"&s6="; http_uri; content:"&s7="; http_uri; content:"&s8="; http_uri; content:"&s9="; http_uri; content:"&s10="; http_uri; content:"&s11="; http_uri; content:"|20|Android|20|"; http_header; content:!"Referer|3a 20|"; http_header; reference:url,researchcenter.paloaltonetworks.com/2015/07/new-android-malware-family-evades-antivirus-detection-by-using-popular-ad-libraries/; reference:md5,b0b2cd71b4d15bb5f07b8315d7b27822; classtype:trojan-activity; sid:2021392; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_07_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE DNS Android/Spy.Feabme.A Query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|tinduongpho|03|com|00|"; fast_pattern; distance:0; nocase; reference:md5,3ae3cb09c8f54210cb4faf7aa76741ee; reference:url,blog.trustlook.com/2015/07/08/most-successful-malware-on-google-play/; classtype:trojan-activity; sid:2021412; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_07_14, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,1024:14000] (msg:"ET MOBILE_MALWARE Android.Trojan.SLocker.DZ Checkin 2"; flow:to_server,established; content:"GET /gac/"; fast_pattern:4,5; depth:9; pcre:"/^[a-f0-9]{15}\s/R"; content:"|20|Android|20|"; distance:0; content:"|0d 0a|Connection|3a| Keep-Alive|0d 0a|Accept-Encoding|3a| gzip|0d 0a|"; distance:0; content:!"Referer|3a 20|"; reference:url,blog.fortinet.com/post/locker-an-android-ransomware-full-of-surprises; classtype:trojan-activity; sid:2021617; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_08_12, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Trojan.iPhoneOS.KeyRaider Checkin"; flow:to_server,established; content:"/data.php?table="; fast_pattern:only; http_uri; content:"&game="; http_uri; content:!"Referer|3a 20|"; http_header; pcre:"/&game=[a-f0-9]{40}$/U"; reference:url,researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/; classtype:trojan-activity; sid:2021737; rev:1; metadata:created_at 2015_08_31, updated_at 2015_08_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Trojan.iPhoneOS.KeyRaider Checkin 2"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/cert.php"; http_uri; content:!"Referer|3a 20|"; http_header; content:"id="; depth:3; http_client_body; content:"&cert="; http_client_body; content:"&priv="; fast_pattern:only; http_client_body; content:"&flag="; http_client_body; reference:url,researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/; classtype:trojan-activity; sid:2021738; rev:1; metadata:created_at 2015_08_31, updated_at 2015_08_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE YiSpecter Activity M1"; flow:established,to_server; content:"GET"; http_method; content:".plist"; http_uri; content:"bb800.com|0d 0a|"; http_header; fast_pattern:only; pcre:"/\.plist$/U"; pcre:"/^Host\x3a\x20[a-z0-9.]+\.bb800\.com/Hm"; reference:url,researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/; classtype:trojan-activity; sid:2021900; rev:2; metadata:created_at 2015_10_05, updated_at 2015_10_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE YiSpecter Activity M2"; flow:established,to_server; content:"GET"; http_method; content:"/itms-services|3a|"; http_uri; content:"bb800.com|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x20[a-z0-9.]+\.bb800\.com/Hm"; reference:url,researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/; classtype:trojan-activity; sid:2021901; rev:2; metadata:created_at 2015_10_05, updated_at 2015_10_05;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Kemoge DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|aps|06|kemoge|03|net|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html; classtype:trojan-activity; sid:2021927; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_10_07, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Kemoge Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:25; content:"/getInstalledPackages.jsp"; http_uri; fast_pattern:only; content:"sdCardFree="; http_client_body; depth:11; content:"&imei="; http_client_body; distance:0; content:"&hasSd="; http_client_body; distance:0; content:!"Referer|3a|"; http_header; reference:url,fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html; classtype:trojan-activity; sid:2021928; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_10_07, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Kemoge Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:"/v1.jsp?e="; http_uri; fast_pattern; depth:10; content:"&s="; http_uri; distance:0; content:"&g="; http_uri; distance:0; content:"&versionCode="; http_uri; distance:0; content:"&osVersion="; http_uri; distance:0; content:"&countryCode="; http_uri; distance:0; content:!"Referer|3a|"; http_header; reference:url,fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html; classtype:trojan-activity; sid:2021929; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_10_07, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android Trojan Cloudsota HTTP Host"; flow:to_server,established; content:"Host|3a| download.cloudsota.com"; http_header; reference:url,www.cmcm.com/blog/en/security/2015-11-09/842.html; classtype:trojan-activity; sid:2022081; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_11_12, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Acecard.c  Checkin"; flow:to_server,established; content:"POST /|20|"; depth:7; nocase; content:!"Referer|3a 20|"; distance:0; content:"|0d 0a 0d 0a|{|22|type|22 3a|"; distance:0; content:",|22|text|22 3a|"; content:",|22|code|22 3a|"; fast_pattern:only; content:",|22|from|22 3a|"; content:"|22|}"; distance:0; reference:md5,c9d3237885072b796e5849f7b9ec1a64; reference:url,b0n1.blogspot.com.br/2015/11/android-malware-drops-banker-from-png.html?m=1; reference:url,fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html; classtype:trojan-activity; sid:2022137; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_11_24, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.EP HTTP Host"; flow:to_server,established; content:"Host|3a 20|jackdojacksgot.ru"; http_header; nocase; reference:url,b0n1.blogspot.com.br/2015/11/android-malware-drops-banker-from-png.html?m=1; classtype:trojan-activity; sid:2022144; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_11_24, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw/SlemBunk/SLocker Checkin"; flow:to_server,established; content:"{|22|"; depth:2; pcre:"/^(?:os|type)\x22\x3a/R"; content:",|22|model|22 3a|"; content:",|22|apps|22 3a 5b 22|"; content:",|22|imei|22 3a|"; fast_pattern:only; reference:md5,c9d3237885072b796e5849f7b9ec1a64; reference:md5,a83ce290469654002bcc64062c39387c; reference:url,www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html; classtype:trojan-activity; sid:2022288; rev:7; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_12_21, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Fakeinst.KD .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pc35hiptpcwqezgs"; nocase; distance:0; fast_pattern; reference:url,www.csis.dk/da/csis/blog/4818/; reference:md5,111b71c120167b5b571ee5501ffef65e; classtype:trojan-activity; sid:2022517; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2016_02_12, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Backdoor.AndroidOS.Torec.a .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yuwurw46taaep6ip"; nocase; distance:0; fast_pattern; reference:md5,58fed8b5b549be7ecbfbc6c63b84a728; classtype:trojan-activity; sid:2022562; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2016_02_23, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Backdoor.AndroidOS.Torec.a .onion Proxy Domain 2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|voooxrrw2wxnoyew"; nocase; distance:0; fast_pattern; reference:md5,8d260ab2bb36aeaf5b033b80b6bc1e6a; classtype:trojan-activity; sid:2022563; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2016_02_23, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE DNS Trojan-Banker.AndroidOS.Marcher.i Query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tmdxiawceahpbhmb|03|com"; nocase; distance:0; fast_pattern; reference:md5,3c52de547353d94e95cde7d4c219ccac; classtype:trojan-activity; sid:2022975; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_07_18, performance_impact Low, updated_at 2016_07_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE iOS DualToy Checkin"; flow:to_server,established; content:"/i_info_proxy.php?cmd="; fast_pattern:only; http_uri; content:"&data="; http_uri; content:"|3b 20|iPhone|20|"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/&data=(?:([A-Za-z0-9]|%2[FB]){4})*(?:([A-Za-z0-9]|%2[FB]){2}==|([A-Za-z0-9]|%2[FB]){3}=|([A-Za-z0-9]|%2[FB]){4})$/I"; metadata: former_category MOBILE_MALWARE; reference:url,researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/; classtype:trojan-activity; sid:2023240; rev:1; metadata:affected_product iOS, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_15, performance_impact Low, updated_at 2017_03_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE AndroRAT Bitter DNS Lookup (info2t .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|info2t|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,blogs.forcepoint.com/security-labs/bitter-targeted-attack-against-pakistan; classtype:trojan-activity; sid:2023398; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_10_24, malware_family AndroRAT, performance_impact Low, updated_at 2016_10_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Adware.Adwo.A"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?m="; http_uri; content:"&a="; http_uri; content:"&os="; http_uri; content:!"&ComPut="; http_uri; content:!"User-Agent|3a 20|"; http_header; reference:md5,bbb0aa6c9f84963dacec55345fe4c47e; classtype:trojan-activity; sid:2023475; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_01, performance_impact Low, updated_at 2016_11_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher Sending Credit Card Info"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/cards_json.php"; http_uri; content:!"Referer|3a 20|"; http_header; content:"bot_id="; depth:7; fast_pattern; http_client_body; content:"&info="; http_client_body; content:"cardNum"; http_client_body; pcre:"/^bot_id=[a-f0-9]{32}&/P"; pcre:"/\.php$/U"; reference:md5,78c2444fe15a8e58c629076781d9442a; reference:url,blog.fortinet.com/2016/11/01/android-banking-malware-masquerades-as-flash-player-targeting-large-banks-and-popular-social-media-apps; classtype:trojan-activity; sid:2023483; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_03, performance_impact Low, updated_at 2016_11_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible iOS WebView Auto Dialer 1"; flow:established,from_server; file_data; content:"URL=tel|3a|"; nocase; fast_pattern; pcre:"/^\+?[0-9-]{10,}[\x22\x27]/Rsi"; content:"sms|3a|"; nocase; content:"setTimeout"; nocase; content:"window"; nocase; pcre:"/^\s*?\.\s*?location\s*?\.\s*?href/Rsi"; content:"for"; nocase; pcre:"/^\s*?\(\s*?(?P<var>[^\x3d\x3b\)\s]+)\s*?=\s*?0\s*?\x3b\s*?(?P=var)\s*?\<\s*?(?:0x)?\d{4,}\s*?\x3b\s*?(?P=var)\+\+\s*?\)\s*?\x7b\s*?(?P<var2>[^\x3d\x3b\)\s]+)\s*?=\s*?(?P=var2)\s*?\+\s*?[\x22\x27]\d+[\x22\x27]/Rsi"; reference:url,www.mulliner.org/blog/blosxom.cgi/security/ios_WebView_auto_dialer.html; classtype:trojan-activity; sid:2023500; rev:1; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, created_at 2016_11_11, updated_at 2016_11_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible iOS WebView Auto Dialer 2"; flow:established,from_server; file_data; content:"URL=tel|3a|"; nocase; fast_pattern; pcre:"/^\+?[0-9-]{10,}[\x22\x27]/Rsi"; content:"itms-apps|3a|"; nocase; content:"setTimeout"; nocase; content:"window"; nocase; pcre:"/^\s*?\.\s*?location\s*?\.\s*?href/Rsi"; content:"for"; nocase; pcre:"/^\s*?\(\s*?(?P<var>[^\x3d\x3b\)\s]+)\s*?=\s*?0\s*?\x3b\s*?(?P=var)\s*?\<\s*?(?:0x)?\d{4,}\s*?\x3b\s*?(?P=var)\+\+\s*?\)\s*?\x7b\s*?(?P<var2>[^\x3d\x3b\)\s]+)\s*?=\s*?(?P=var2)\s*?\+\s*?[\x22\x27]\d+[\x22\x27]/Rsi"; reference:url,www.mulliner.org/blog/blosxom.cgi/security/ios_WebView_auto_dialer.html; classtype:trojan-activity; sid:2023501; rev:1; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, created_at 2016_11_11, updated_at 2016_11_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/RequestActionsToExecute"; fast_pattern; http_uri; content:"|20|Android|20|"; http_header; content:!"Referer|3a 20|"; http_header; content:"{|22|CommandLine|22 3a|"; depth:15; http_client_body; content:",|22|CurrentDirectory|22 3a|"; http_client_body; pcre:"/\/RequestActionsToExecute$/U"; reference:md5,3c1055f19971d580ef9ced172d8eba3b; reference:url,rednaga.io/2016/11/14/hackingteam_back_for_your_androids/; classtype:trojan-activity; sid:2023507; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_15, updated_at 2016_11_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU Checkin 2"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/NotifyLog"; fast_pattern:only; http_uri; content:"|20|Android|20|"; http_header; content:!"Referer|3a 20|"; http_header; content:"{|22|ClientId|22 3a|"; depth:12; http_client_body; content:",|22|Date|22 3a|"; http_client_body; pcre:"/\/NotifyLog$/U"; reference:md5,3c1055f19971d580ef9ced172d8eba3b; reference:url,rednaga.io/2016/11/14/hackingteam_back_for_your_androids/; classtype:trojan-activity; sid:2023508; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_15, updated_at 2016_11_15;)

alert tcp $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU SSL CnC Cert"; flow:established,from_server; content:"|02|IT"; content:"|03|AAA"; distance:0; content:"|02|BB"; distance:0; content:"|03|EEE"; distance:0; content:"|0d|IT Department"; distance:0; content:"|0a|SASDS_Srv0"; fast_pattern; distance:0; reference:md5,cbd1c2db9ffc6b67cea46d271594c2ae; classtype:trojan-activity; sid:2023509; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_15, updated_at 2016_11_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MOBILE_MALWARE Unknown Redirector Nov 17 2016"; flow:from_server,established; file_data; content:"<script>"; content:".indexOf(|22|_mauthtoken|22|)=="; distance:0; content:"|22|ooglebot|22|"; content:"|7c|fennec|7c|"; content:"|22|_mauthtoken=1|3b| path=/|3b|expires=|22|"; fast_pattern; reference:url,labs.sucuri.net/?note=2016-11-17; classtype:trojan-activity; sid:2023531; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_18, updated_at 2016_11_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Unknown Landing URI Nov 17 2016"; flow:to_server,established; content:"/kt/JpNx9n"; http_uri; pcre:"/\/kt\/JpNx9n$/U"; reference:url,labs.sucuri.net/?note=2016-11-17; classtype:trojan-activity; sid:2023532; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_18, updated_at 2016_11_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin"; flow:to_server,established; content:"lm="; http_uri; content:"/watch/?"; fast_pattern:only; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023680; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2016_12_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 2"; flow:to_server,established; content:"POST"; http_method; content:"lm="; http_uri; content:"/search/?"; fast_pattern:only; http_uri; content:!"&clid="; http_uri; content:!"&banerid="; http_uri; content:!"&win="; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; metadata: former_category MOBILE_MALWARE; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023681; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2018_02_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 3"; flow:to_server,established; content:"lm="; http_uri; content:"/find/?"; fast_pattern:only; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023682; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2016_12_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 4"; flow:to_server,established; content:"lm="; http_uri; content:"/results/?"; fast_pattern:only; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023683; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2016_12_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 5"; flow:to_server,established; content:"lm="; http_uri; content:"/open/?"; fast_pattern:only; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023684; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2016_12_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 6"; flow:to_server,established; content:"lm="; http_uri; content:"/close/?"; fast_pattern:only; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023685; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2016_12_27;)

alert tcp $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher SSL CnC Cert"; flow:established,from_server; content:"|00 dd 45 ec 3f 08 74 58 6a|"; content:"|0a|Department"; distance:0; content:"|55 04 03|"; distance:0; content:"|0f|www.example.com"; distance:1; within:16; fast_pattern; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:trojan-activity; sid:2023708; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, created_at 2017_01_09, updated_at 2017_01_09;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|rockybalboa|02|at|00|"; nocase; distance:0; fast_pattern; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:trojan-activity; sid:2023709; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, created_at 2017_01_09, updated_at 2017_01_09;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|storegoogle|02|at|00|"; nocase; distance:0; fast_pattern; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:trojan-activity; sid:2023710; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, created_at 2017_01_09, updated_at 2017_01_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b CnC Beacon"; flow:to_server,established; content:"POST"; http_method; nocase; content:".php"; http_uri; content:"|3b 20|Android|20|"; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Content-Language|3a 20|en-US|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|"; depth:98; http_header; content:!"Referer|3a 20|"; http_header; content:"&method="; fast_pattern:only; http_client_body; pcre:"/^d(?:id|ei)=[A-F0-9]{10,100}&method=IS[A-Z]{1,10}$/P"; pcre:"/\.php$/U"; reference:md5,d6ef9b0cdb49b56c53da3433e30f3fd6; reference:md5,4ddf3ff57db24513a16eacb99ad07675; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023933; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, performance_impact Low, updated_at 2017_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b Apps List Exfil"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/functions.php"; fast_pattern:only; http_uri; content:"|3b 20|Android|20|"; http_header; content:"apslst="; depth:7; http_client_body; reference:md5,4ddf3ff57db24513a16eacb99ad07675; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023934; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, performance_impact Low, updated_at 2017_02_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|androidbak|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023935; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, updated_at 2017_02_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|droidback|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023936; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, updated_at 2017_02_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|endpointup|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023937; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, updated_at 2017_02_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|siteanalysto|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023938; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, updated_at 2017_02_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|goodydaddy|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023939; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, updated_at 2017_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.C2P.Qd!c Ransomware CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/stat/locker|20|HTTP/1."; fast_pattern:only; content:"User-Agent|3A| Apache-HttpClient/"; http_header; content:!"Referer|3a 20|"; http_header; content:"type="; http_client_body; depth:5; content:"&version="; http_client_body; content:"&lid="; http_client_body; content:"&c="; http_client_body; content:"&i="; http_client_body; metadata: former_category MOBILE_MALWARE; reference:url,www.zscaler.com/blogs/research/new-android-ransomware-bypasses-all-antivirus-programs; classtype:trojan-activity; sid:2024123; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2017_03_31, updated_at 2017_03_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android Trojan Pegasus CnC Beacon"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/support.aspx|20|HTTP/1."; content:"SessionId1|3a 20|"; http_header; content:"SessionId2|3a 20|"; fast_pattern:only; http_header; content:"|3b 20|Android|20|"; http_header; content:!"Referer|3a 20|"; http_header; content:"|0d 0a|Content-Disposition|3a 20|form-data|3b 20|name=|22|header|22 3b 20|filename=|22|header|22 0d 0a|"; http_client_body; metadata: former_category MOBILE_MALWARE; reference:url,info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf; classtype:trojan-activity; sid:2024171; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2017_04_04, updated_at 2017_04_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android Trojan Pegasus CnC Beacon M2"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/adinfo?gi="; fast_pattern:only; http_uri; content:"&bf="; http_uri; pcre:"/^Host\x3a[^\n\r]\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}[\r\n]+$/Hm"; metadata: former_category MOBILE_MALWARE; reference:url,info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf; classtype:trojan-activity; sid:2024172; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2017_04_04, updated_at 2017_04_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE AdWare.AndroidOS.Ewind.cd Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/sdk_api.php?id="; fast_pattern:only; http_uri; content:"&type="; http_uri; content:"User-Agent|3a| Apache-HttpClient/"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/\.php\?id=[a-f0-9]{8}(?:-[a-f0-9]{4}){4}[a-f0-9]{8}&type=/U"; metadata: former_category MOBILE_MALWARE; reference:md5,bc76d516a66e4002461128f62896c6dd; classtype:trojan-activity; sid:2024201; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_04_11, malware_family Android_Ewind, updated_at 2017_04_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MOBILE_MALWARE AdWare.AndroidOS.Ewind.cd Response"; flow:from_server,established; file_data; content:"[{|22|id|22 3a 22|0|22|,|22|command|22 3a 22|OK|22|}"; depth:26; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:md5,bc76d516a66e4002461128f62896c6dd; classtype:trojan-activity; sid:2024202; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_04_11, malware_family Android_Ewind, updated_at 2017_04_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.Dropper.Abd Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/ad-"; http_uri; content:"|3b 20|Android|20|"; http_header; content:!"Referer|3a 20|"; http_header; content:"RgQ7"; depth:4; fast_pattern; http_client_body; pcre:"/\/ad-(?:strat|devi)\/$/U"; metadata: former_category MOBILE_MALWARE; reference:md5,66a1dda748d073f5e659b700339c3343; reference:url,www.zscaler.com/blogs/research/malicious-android-ads-leading-drive-downloads; classtype:trojan-activity; sid:2024411; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android_07012016, signature_severity Major, created_at 2017_06_19, updated_at 2017_06_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a CnC Beacon"; flow:to_server,established; content:"/inj/injek-1.php?id="; fast_pattern:only; http_uri; content:!"Referer|3a 20|"; http_header; pcre:"/\?id=(?:[a-f0-9]{32}|[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})$/U"; metadata: former_category MOBILE_MALWARE; reference:md5,e9542a8bd9f0ab57e40bb8519ac443a2; classtype:trojan-activity; sid:2024426; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_06_26, malware_family Android_Marcher, updated_at 2017_06_26;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE ANDROIDOS_LEAKERLOCKER.HRX DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|updatmaster|03|top|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,reference:url,blog.trendmicro.com/trendlabs-security-intelligence/leakerlocker-mobile-ransomware-threatens-expose-user-information/; classtype:trojan-activity; sid:2024509; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_08_02, updated_at 2017_08_02;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE WireX Botnet DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|axclick|05|store|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:md5,6af299a2ac9b59f7d551b6e235e0d200; reference:url,blog.cloudflare.com/the-wirex-botnet/; classtype:trojan-activity; sid:2024615; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_08_28, malware_family Android_WireX, updated_at 2017_08_28;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|b1k51|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024735; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|b1j3aas|04|life|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024736; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|wechaatt|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024737; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 4"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|10as05|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024738; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 5"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|ch0ck4|04|life|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024739; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 6"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|fatur1s|04|life|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024740; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 7"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|b5k31|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024741; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 8"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|erd0|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024742; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 9"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|b1v2a5|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024743; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 10"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|b1502b|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024744; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 11"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|elsssee|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024745; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|kvp41|04|life|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024746; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 13"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|servertestapi|03|ltd|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024747; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 14"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|taxii|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024748; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 15"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|p0w3r|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024749; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 16"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|4r3a|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024750; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,7878] (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.RedAlert CnC Beacon"; flow:to_server,established; content:"POST "; depth:5; nocase; content:"/gt|20|HTTP/1."; distance:0; fast_pattern; content:"|0d 0a|Connection|3a 20|keep-alive|0d 0a|Content-Type|3a 20|application/json|0d 0a|"; distance:0; content:"|3b 20|Android|20|"; distance:0; content:!"Referer|3a 20|"; metadata: former_category MOBILE_MALWARE; reference:md5,b66010a9c91b17f4d26dc973a97419ac; reference:url,info.phishlabs.com/blog/redalert2-mobile-banking-trojan-actively-updating-its-techniques; classtype:trojan-activity; sid:2024765; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_25, malware_family Android_RedAlert, updated_at 2017_09_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android JadeRAT CnC Beacon"; flow:to_server,established; dsize:<500; content:"@!MyID|3a|"; depth:7; content:"IMEI|3a|"; distance:0; content:"Mobile|20|ID|3a|"; content:"SIM|3a|"; content:"IMSI|3a|"; content:"Android|20|version|3a|"; content:"Model|3a|"; content:"All|20|SD|20|Size|3a|"; fast_pattern:only; content:"Free|20|SD|20|Size|3a|"; content:"Network|20|type|3a|"; metadata: former_category MOBILE_MALWARE; reference:md5,9027f111377598362972745478e40311; reference:url,blog.lookout.com/mobile-threat-jaderat; classtype:trojan-activity; sid:2024895; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_10_23, malware_family Android_JadeRAT, updated_at 2017_10_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android JadeRAT CnC Beacon 2"; flow:to_server,established; dsize:22; content:"@!hi|3a|"; depth:5; fast_pattern; pcre:"/^\d{15}\r\n$/R"; metadata: former_category MOBILE_MALWARE; reference:md5,9027f111377598362972745478e40311; reference:url,blog.lookout.com/mobile-threat-jaderat; classtype:trojan-activity; sid:2024896; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_10_23, malware_family Android_JadeRAT, updated_at 2017_10_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android Marcher Trojan Download - Raiffeisen Bank Targeting (set)"; flow:to_server,established; content:"GET"; http_method; content:"banking.raiffeisen.at."; http_header; fast_pattern; pcre:"/^Host\x3a\x20banking\.raiffeisen\.at\.[a-z]*?[0-9]{3,9}\.[a-z]{2,4}$/Hmi"; flowbits:set,ET.marcherphish; flowbits:noalert; metadata: former_category MOBILE_MALWARE; classtype:trojan-activity; sid:2024950; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Minor, created_at 2017_11_03, updated_at 2017_11_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android Marcher Trojan Download - Sparkasse Bank Targeting (set)"; flow:to_server,established; content:"GET"; http_method; content:"netbanking.sparkasse.at."; http_header; fast_pattern; pcre:"/^Host\x3a\x20netbanking\.sparkasse\.at\.[a-z]*?[0-9]{3,9}\.[a-z]{2,4}$/Hmi"; flowbits:set,ET.marcherphish; flowbits:noalert; metadata: former_category MOBILE_MALWARE; classtype:trojan-activity; sid:2024951; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Minor, created_at 2017_11_03, updated_at 2017_11_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android Marcher Trojan Download - BankAustria Targeting (set)"; flow:to_server,established; content:"GET"; http_method; content:"online.bankaustria.at."; http_header; fast_pattern; pcre:"/^Host\x3a\x20online\.bankaustria\.at\.[a-z]*?[0-9]{3,9}\.[a-z]{2,4}$/Hmi"; flowbits:set,ET.marcherphish; flowbits:noalert; metadata: former_category MOBILE_MALWARE; classtype:trojan-activity; sid:2024952; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Minor, created_at 2017_11_03, updated_at 2017_11_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android Marcher Trojan Download - Austrian Bank Targeting"; flow:to_client,established; flowbits:isset,ET.marcherphish; content:"200"; http_stat_code; content:"application/vnd.android.package-archive"; http_header; fast_pattern; content:"Content-Description|3a 20|File Transfer"; http_header; file_data; content:"PK"; depth:2; metadata: former_category MOBILE_MALWARE; classtype:trojan-activity; sid:2024953; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_11_03, updated_at 2017_11_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.BKY DNS Lookup 1"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|12|loaderclientarea24|02|ru|00|"; nocase; distance:0; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:md5,c4acc83183ac0fabe92fc02ae5ef3ca4; reference:url,www.welivesecurity.com/2017/11/15/multi-stage-malware-sneaks-google-play/; classtype:trojan-activity; sid:2025014; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, created_at 2017_11_22, updated_at 2017_11_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.BKY DNS Lookup 2"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|12|loaderclientarea22|02|ru|00|"; nocase; distance:0; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:md5,c4acc83183ac0fabe92fc02ae5ef3ca4; reference:url,www.welivesecurity.com/2017/11/15/multi-stage-malware-sneaks-google-play/; classtype:trojan-activity; sid:2025015; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, created_at 2017_11_22, updated_at 2017_11_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.BKY DNS Lookup 3"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|12|loaderclientarea20|02|ru|00|"; nocase; distance:0; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:md5,c4acc83183ac0fabe92fc02ae5ef3ca4; reference:url,www.welivesecurity.com/2017/11/15/multi-stage-malware-sneaks-google-play/; classtype:trojan-activity; sid:2025016; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, created_at 2017_11_22, updated_at 2017_11_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.BKY DNS Lookup 4"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|12|loaderclientarea15|02|ru|00|"; nocase; distance:0; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:md5,c4acc83183ac0fabe92fc02ae5ef3ca4; reference:url,www.welivesecurity.com/2017/11/15/multi-stage-malware-sneaks-google-play/; classtype:trojan-activity; sid:2025017; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, created_at 2017_11_22, updated_at 2017_11_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android.Trojan.Marcher.U DNS Lookup"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0c|sagdzusghcsh|03|top|00|"; nocase; distance:0; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:md5,ccefe18d7b9bc31a8673b9bf82104f48; classtype:trojan-activity; sid:2025273; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2018_01_30, malware_family Android_Marcher, updated_at 2018_01_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 1"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|08|goldncup|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:url,www.clearskysec.com/glancelove/; classtype:trojan-activity; sid:2025639; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2018_07_05, malware_family Android_Glancelove, updated_at 2018_07_05;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 2"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0a|glancelove|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:url,www.clearskysec.com/glancelove/; classtype:trojan-activity; sid:2025640; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2018_07_05, malware_family Android_Glancelove, updated_at 2018_07_05;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 3"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0d|autoandroidup|07|website|00|"; nocase; distance:0; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:url,www.clearskysec.com/glancelove/; classtype:trojan-activity; sid:2025641; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2018_07_05, malware_family Android_Glancelove, updated_at 2018_07_05;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 4"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|11|mobilestoreupdatp|07|website|00|"; nocase; distance:0; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:url,www.clearskysec.com/glancelove/; classtype:trojan-activity; sid:2025642; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2018_07_05, malware_family Android_Glancelove, updated_at 2018_07_05;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 5"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0c|updatemobapp|07|website|00|"; nocase; distance:0; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:url,www.clearskysec.com/glancelove/; classtype:trojan-activity; sid:2025643; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2018_07_05, malware_family Android_Glancelove, updated_at 2018_07_05;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|16|ios-certificate-update|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html; classtype:trojan-activity; sid:2025727; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, tag iOS, signature_severity Critical, created_at 2018_07_17, malware_family iOS_Bahamut, updated_at 2018_07_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 2"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|09|al-enayah|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html; classtype:trojan-activity; sid:2025728; rev:1; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, tag iOS, signature_severity Critical, created_at 2018_07_17, malware_family iOS_Bahamut, updated_at 2018_07_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 3"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|09|voguextra|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html; classtype:trojan-activity; sid:2025729; rev:1; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, signature_severity Critical, created_at 2018_07_17, malware_family iOS_Bahamut, updated_at 2018_07_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 4"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|08|techwach|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html; classtype:trojan-activity; sid:2025730; rev:1; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, tag iOS, signature_severity Critical, created_at 2018_07_17, malware_family iOS_Bahamut, updated_at 2018_07_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 5"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|08|wpitcher|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html; classtype:trojan-activity; sid:2025731; rev:1; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, tag iOS, signature_severity Critical, created_at 2018_07_17, malware_family iOS_Bahamut, updated_at 2018_07_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Golden Rat Checkin"; flow:to_server,established; content:"<HmzaPacket>|3e 0a 20 20|<Command>"; depth:25; fast_pattern; content:"<MSG>"; within:40; content:"</MSG>|3e 0a 20 20|"; distance:0; content:"</HmzaPacket></HAMZA_DELIMITER_STOP>"; distance:0; metadata: former_category MOBILE_MALWARE; reference:url,csecybsec.com/download/zlab/20180723_CSE_APT27_Syria_v1.pdf; reference:md5,6296586cf9a59b25d1b8ab3eeb0c2a33; classtype:trojan-activity; sid:2025895; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2018_07_25, malware_family Android_GoldenRat, updated_at 2018_07_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 6"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|18|ios-certificate-whatsapp|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025896; rev:1; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, signature_severity Critical, created_at 2018_07_25, malware_family iOS_Bahamut, updated_at 2018_07_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 7"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0a|hytechmart|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025897; rev:1; metadata:created_at 2018_07_25, updated_at 2018_07_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 8"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0a|appswonder|04|info|00|"; nocase; distance:0; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025898; rev:1; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, signature_severity Critical, created_at 2018_07_25, malware_family iOS_Bahamut, updated_at 2018_07_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 9"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|09|referfile|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025899; rev:1; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, signature_severity Critical, created_at 2018_07_25, malware_family iOS_Bahamut, updated_at 2018_07_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 10"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|07|hiltrox|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025900; rev:1; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, signature_severity Critical, created_at 2018_07_25, malware_family iOS_Bahamut, updated_at 2018_07_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 11"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0a|scrollayer|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025901; rev:1; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, signature_severity Critical, created_at 2018_07_25, malware_family iOS_Bahamut, updated_at 2018_07_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 12"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|06|twitck|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025902; rev:1; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, signature_severity Critical, created_at 2018_07_25, malware_family iOS_Bahamut, updated_at 2018_07_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 13"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|08|32player|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025903; rev:1; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, signature_severity Critical, created_at 2018_07_25, malware_family iOS_Bahamut, updated_at 2018_07_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 14"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|05|nfinx|04|info|00|"; nocase; distance:0; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025904; rev:1; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, signature_severity Critical, created_at 2018_07_25, malware_family iOS_Bahamut, updated_at 2018_07_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 15"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|07|metclix|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025905; rev:1; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, signature_severity Critical, created_at 2018_07_25, malware_family iOS_Bahamut, updated_at 2018_07_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 16"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|07|capsnit|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025906; rev:1; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, signature_severity Critical, created_at 2018_07_25, malware_family iOS_Bahamut, updated_at 2018_07_25;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS Remote SMB2.0 DoS Exploit"; flow:to_server,established; content:"|ff|SMB|72 00 00 00 00 18 53 c8|"; offset:4; content:!"|00 00|"; within:2; reference:url,securityreason.com/exploitalert/7138; reference:url,doc.emergingthreats.net/2009886; classtype:attempted-dos; sid:2009886; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS MS04011 Lsasrv.dll RPC exploit (Win2k)"; flow: to_server,established; content:"|00 00 00 00 9A A8 40 00 01 00 00 00 00 00 00 00|"; content:"|01 0000 00 00 00 00 00 9A A8 40 00 01 00 00 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000046; reference:cve,2003-0533; classtype:misc-activity; sid:2000046; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP)"; flow: to_server,established; content:"|95 14 40 00 03 00 00 00 7C 70 40 00 01|"; content:"|78 85 13 00 AB5B A6 E9 31 31|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000033; reference:cve,2003-0533; classtype:misc-activity; sid:2000033; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS MS04-007 Kill-Bill ASN1 exploit attempt"; flow: established,to_server; content:"CCCC|20f0fd7f|SVWf"; reference:url,www.phreedom.org/solar/exploits/msasn1-bitstring/; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; reference:cve,CAN-2003-0818; reference:url,doc.emergingthreats.net/bin/view/Main/2001944; classtype:attempted-admin; sid:2001944; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"ET NETBIOS ms05-011 exploit"; flow:from_server,established; content:"|00|"; depth:1; content:"|FF|SMB|32|"; depth:9; offset:4; content: "|ff ff ff ff 00 00 00 00 ff|"; offset: 132; depth: 141; reference:bugtraq,12484; reference:url,www.frsirt.com/exploits/20050623.mssmb_poc.c.php; reference:url,doc.emergingthreats.net/bin/view/Main/2002064; classtype:attempted-admin; sid:2002064; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS SMB-DS Microsoft Windows 2000 Plug and Play Vulnerability"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|67157a76|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,isc.sans.org/diary.php?date=2005-08-14; reference:url,doc.emergingthreats.net/bin/view/Main/2002186; classtype:attempted-admin; sid:2002186; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS SMB-DS DCERPC PnP HOD bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:4; content:"|0B|"; within:1; distance:1; content:"|40 4E 9F 8D 3D A0 CE 11 8F 69 08 00 3E 30 05 1B|"; flowbits:set,netbios.pnp.bind.attempt; flowbits:noalert; reference:url,doc.emergingthreats.net/bin/view/Main/2002199; classtype:protocol-command-decode; sid:2002199; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS SMB-DS DCERPC PnP bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; content:"|40 4E 9F 8D 3D A0 CE 11 8F 69 08 00 3E 30 05 1B|"; flowbits:set,netbios.pnp.bind.attempt; flowbits:noalert; reference:url,doc.emergingthreats.net/bin/view/Main/2002200; classtype:protocol-command-decode; sid:2002200; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS SMB-DS DCERPC PnP QueryResConfList exploit attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|36 00|"; within:2; distance:26; pcre:"/(\x00\\\x00.*?){2}\x00{2}\xFF{2}.{128,}[\x04-\xFF][\x00-\xFF]{3}\x00{4}$/Rs"; flowbits:isset,netbios.pnp.bind.attempt; reference:cve,CAN-2005-1983; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2002201; classtype:attempted-admin; sid:2002201; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET NETBIOS SMB DCERPC PnP bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|40 4E 9F 8D 3D A0 CE 11 8F 69 08 00 3E 30 05 1B|"; flowbits:set,netbios.pnp.bind.attempt; flowbits:noalert; reference:url,doc.emergingthreats.net/bin/view/Main/2002202; classtype:protocol-command-decode; sid:2002202; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET NETBIOS SMB DCERPC PnP QueryResConfList exploit attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 00|"; within:10; distance:4; nocase; content:"|36 00|"; within:2; distance:19; pcre:"/(\x00\\\x00.*?){2}\x00{2}\xFF{2}.{128,}[\x04-\xFF][\x00-\xFF]{3}\x00{4}$/Rs"; flowbits:isset,netbios.pnp.bind.attempt; reference:cve,CAN-2005-1983; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2002203; classtype:attempted-admin; sid:2002203; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET NETBIOS NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040)"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|25|"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00|"; within:9; distance:4; content:"|1f 00|"; distance:20; within:2; reference:url,www.microsoft.com/technet/security/bulletin/MS06-040.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2003081; classtype:misc-attack; sid:2003081; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040)"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|25|"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00|"; within:9; distance:4; content:"|1f 00|"; distance:20; within:2; reference:url,www.microsoft.com/technet/security/bulletin/MS06-040.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2003082; classtype:misc-attack; sid:2003082; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (1)"; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008690; classtype:attempted-admin; sid:2008690; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (2)"; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"..|5C|..|5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008691; classtype:attempted-admin; sid:2008691; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (3)"; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"../../"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008692; classtype:attempted-admin; sid:2008692; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (4)"; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008693; classtype:attempted-admin; sid:2008693; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (5)"; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008694; classtype:attempted-admin; sid:2008694; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (7)"; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"..|5C|..|5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008696; classtype:attempted-admin; sid:2008696; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (8)"; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"../../"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008697; classtype:attempted-admin; sid:2008697; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (9)"; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008698; classtype:attempted-admin; sid:2008698; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (10)"; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008699; classtype:attempted-admin; sid:2008699; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance"; content:"|00 2e 00 2e 00 2f 00 2e 00 2e 00 2f 00 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 87|"; fast_pattern:only; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008700; classtype:attempted-admin; sid:2008700; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (11)"; flow:established,to_server; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008701; classtype:attempted-admin; sid:2008701; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (12)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|5C|..|5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008702; classtype:attempted-admin; sid:2008702; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (13)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"/../"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008703; classtype:attempted-admin; sid:2008703; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (14)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008704; classtype:attempted-admin; sid:2008704; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008705; classtype:attempted-admin; sid:2008705; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (16)"; flow:established,to_server; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008706; classtype:attempted-admin; sid:2008706; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (17)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"..|5C|..|5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008707; classtype:attempted-admin; sid:2008707; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (18)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"../../"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008708; classtype:attempted-admin; sid:2008708; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (19)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008709; classtype:attempted-admin; sid:2008709; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (20)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008710; classtype:attempted-admin; sid:2008710; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (22)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|5C|..|5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008712; classtype:attempted-admin; sid:2008712; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (23)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"/../"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008713; classtype:attempted-admin; sid:2008713; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (24)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008714; classtype:attempted-admin; sid:2008714; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (25)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008715; classtype:attempted-admin; sid:2008715; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (27)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"..|5C|..|5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008717; classtype:attempted-admin; sid:2008717; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (28)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"../../"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008718; classtype:attempted-admin; sid:2008718; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (29)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008719; classtype:attempted-admin; sid:2008719; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (30)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008720; classtype:attempted-admin; sid:2008720; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance (2)"; flow:established,to_server; content:"|00 2e 00 2e 00 2f 00 2e 00 2e 00 2f 00 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 87|"; fast_pattern:only; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008721; classtype:attempted-admin; sid:2008721; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET NETBIOS NII Microsoft ASN.1 Library Buffer Overflow Exploit"; flow: to_server,established; content:"|A1 05 23 03 03 01 07|"; fast_pattern:only; reference:url,www.microsoft.com/technet/security/bulletin/ms04-007.asp; reference:url,doc.emergingthreats.net/bin/view/Main/2000017; classtype:bad-unknown; sid:2000017; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS LSA exploit"; flow: to_server,established; content:"|313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131|"; offset: 78; depth: 192; reference:url,www.eeye.com/html/research/advisories/AD20040501.html; reference:url,www.upenn.edu/computing/virus/04/w32.sasser.worm.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000032; classtype:misc-activity; sid:2000032; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"GPL NETBIOS DCERPC Workstation Service direct service bind attempt"; flow:to_server,established; content:"|05 00 0B|"; depth:3; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102315; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC CoGetInstanceFromFile little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|05|"; depth:1; byte_test:1,&,16,3,relative; content:"|00|"; offset:1;depth:1;  content:"|01 00|";distance:19; within:2; byte_test:4,>,128,20,relative,little; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103158; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC CoGetInstanceFromFile overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103159; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC IActivation bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; classtype:protocol-command-decode; sid:2103275; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC IActivation little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; classtype:protocol-command-decode; sid:2103276; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|05|"; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.attempt; flowbits:noalert; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2102192; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC ISystemActivator path overflow attempt big endian"; flow:to_server,established; content:"|05|"; byte_test:1,<,16,3,relative; content:"|5C 00 5C 00|"; byte_test:4,>,256,-8,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103198; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC ISystemActivator path overflow attempt little endian"; flow:to_server,established; content:"|05|"; byte_test:1,&,16,3,relative; content:"|5C 5C|"; byte_test:4,>,256,-8,little,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103197; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC IrotIsRunning attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_test:4,>,128,0,relative; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103238; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC IrotIsRunning little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_test:4,>,128,0,little,relative; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103239; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt"; flow:to_server,established; content:"|05|"; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; flowbits:isset,netbios.lsass.bind.attempt; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2102508; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC LSASS bind attempt"; flow:to_server,established; content:"|05|"; depth:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102507; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102524; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|05|"; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2102251; rev:16; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC invalid bind attempt"; flow:to_server,established; content:"|05|"; depth:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; classtype:attempted-dos; sid:2102190; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC irot bind attempt"; flow:established,to_server; content:"|05|"; depth:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103236; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC irot little endian bind attempt"; flow:established,to_server; content:"|05|"; depth:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103237; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC msqueue bind attempt"; flow:to_server,established; content:"|05|"; depth:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103156; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC msqueue little endian bind attempt"; flow:to_server,established; content:"|05|"; depth:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103157; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"GPL NETBIOS name query overflow attempt TCP"; flow:to_server,established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; metadata: former_category NETBIOS; reference:bugtraq,9624; reference:cve,2003-0825; classtype:attempted-admin; sid:2103195; rev:5; metadata:created_at 2010_09_23, updated_at 2017_11_10;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS x86 Linux samba overflow"; flow:to_server,established; content:"|EB|/_|EB|J^|89 FB 89|>|89 F2|"; reference:bugtraq,1816; reference:bugtraq,536; reference:cve,1999-0182; reference:cve,1999-0811; classtype:attempted-admin; sid:2100292; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS DOS RFPoison"; flow:to_server,established; content:"|5C 00 5C 00|*|00|S|00|M|00|B|00|S|00|E|00|R|00|V|00|E|00|R|00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00|"; reference:arachnids,454; classtype:attempted-dos; sid:2100529; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS NT NULL session"; flow:to_server,established; content:"|00 00 00 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|N|00|T|00| |00|1|00|3|00|8|00|1"; reference:arachnids,204; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:2100530; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS RFParalyze Attempt"; flow:to_server,established; content:"BEAVIS"; content:"yep yep"; reference:bugtraq,1163; reference:cve,2000-0347; reference:nessus,10392; classtype:attempted-recon; sid:2101239; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ADMIN$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2100532; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ADMIN$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102473; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB C$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:2100533; rev:17; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB C$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2102470; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CD.."; flow:to_server,established; content:"|5C|../|00 00 00|"; reference:arachnids,338; classtype:attempted-recon; sid:2100534; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CD..."; flow:to_server,established; content:"|5C|...|00 00 00|"; reference:arachnids,337; classtype:attempted-recon; sid:2100535; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103429; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103180; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103425; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103430; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103181; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile little endian attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103426; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103177; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103176; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103431; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103182; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103427; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103432; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103183; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103428; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103179; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103178; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB D$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2100536; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB D$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102467; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"; flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; distance:59; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2102511; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB DCERPC LSASS bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102510; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102525; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB DCERPC LSASS unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102509; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102309; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102308; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103381; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103377; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103382; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103378; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103383; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103379; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103384; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103380; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IPC$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2100537; rev:17; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2100538; rev:17; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103397; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103393; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103398; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103394; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103399; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103395; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103400; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103396; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102992; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102942; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102993; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102943; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102994; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102944; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102995; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102945; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103260; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103256; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103261; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103257; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103262; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103258; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103263; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103259; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102964; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102965; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102946; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102936; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102966; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102967; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102947; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102937; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103034; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103026; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103035; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103027; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103043; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103051; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; byte_test:4,>,1024,40,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103019; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103042; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103050; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103018; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103036; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103028; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103037; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103029; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; isdataat:4,relative; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103045; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; isdataat:4,relative; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103053; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; isdataat:4,relative; byte_test:4,>,1024,40,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103021; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103044; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103052; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103020; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; reference:nessus,12065; classtype:attempted-dos; sid:2102384; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103222; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103223; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103219; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,www.microsoft.com/technet/security/bulletin/MS00-040.mspx; classtype:attempted-admin; sid:2103218; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103224; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103225; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103221; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103220; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103413; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103409; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103414; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation little endian attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103410; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103415; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation unicode attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103411; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103416; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103412; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; content:"|00 00|"; depth:2; offset:45; reference:bugtraq,5556; reference:cve,2002-0724; reference:url,www.corest.com/common/showdoc.php?idx=262; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx; reference:nessus,11110; classtype:denial-of-service; sid:2102102; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; content:"|00 00 00 00|"; depth:4; offset:43; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,www.corest.com/common/showdoc.php?idx=262; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx; classtype:denial-of-service; sid:2102101; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup AndX request unicode username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510; distance:29; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:2102403; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2102401; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup NTMLSSP andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103001; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup NTMLSSP asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2102382; rev:22; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup NTMLSSP unicode andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103002; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_test:4,&,2147483648,48,relative,little; content:!"NTLMSSP"; within:7; distance:54; asn1:double_overflow, bitstring_overflow, relative_offset 54, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103000; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103140; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|01 00|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103139; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103136; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|07 00|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103135; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103244; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103240; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103245; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103241; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103246; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103242; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103247; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103243; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103118; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103119; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103115; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103114; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103120; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103121; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103117; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103116; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103102; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|llsrpc|00|"; within:8; distance:51; nocase; classtype:protocol-command-decode; sid:2103092; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103098; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|5C|llsrpc|00|"; within:8; distance:78; nocase; classtype:protocol-command-decode; sid:2103090; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103103; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103099; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103104; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; within:16; distance:51; nocase; classtype:protocol-command-decode; sid:2103093; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103100; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; within:16; distance:78; nocase;  classtype:protocol-command-decode; sid:2103091; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103105; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103101; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103164; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103160; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103165; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103161; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103166; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103162; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103167; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103163; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102960; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|nddeapi|00|"; within:9; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102956; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102932; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|5C|nddeapi|00|"; within:9; distance:78; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102928; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102961; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102957; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102933; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:78; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102929; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp any any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB startup folder access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"Documents and Settings|5C|All Users|5C|Start Menu|5C|Programs|5C|Startup|00|"; distance:0; nocase; classtype:attempted-recon; sid:2102176; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB startup folder unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|5C 00|S|00|t|00|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00 5C 00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00 5C 00|S|00|t|00|a|00|r|00|t|00|u|00|p"; distance:0; nocase; classtype:attempted-recon; sid:2102177; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB too many stacked requests"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f)/"; byte_jump:2,39,little; content:!"|FF|"; within:1; distance:-36; classtype:protocol-command-decode; sid:2102950; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB trans2open buffer overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|00 14|"; depth:2; offset:60; byte_test:2,>,256,0,relative,little; reference:bugtraq,7294; reference:cve,2003-0201; reference:url,www.digitaldefense.net/labs/advisories/DDI-1013.txt; classtype:attempted-admin; sid:2102103; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103206; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102988; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|winreg|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102984; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103202; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102940; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|5C|winreg|00|"; within:8; distance:78; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102174; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103207; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103203; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103208; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102989; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102985; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103204; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102941; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:78; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102175; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103209; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103205; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; classtype:attempted-dos; sid:2102191; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102982; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102474; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102983; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102475; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:2102978; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:2102471; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2102979; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2102472; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103437; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103188; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103433; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103438; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103189; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile little endian attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103434; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103185; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103184; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103439; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103190; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103435; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103440; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103191; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103436; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103187; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103186; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102974; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102468; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102975; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102469; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; depth:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2102496; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2102193; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102491; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"; flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; distance:59; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2102514; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC LSASS bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102512; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102526; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC LSASS unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102513; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|04 00|"; within:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2102258; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; reference:nessus,12065; classtype:attempted-dos; sid:2102385; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2102252; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102311; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102310; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC enumerate printers request attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; fast_pattern; within:12; distance:5; nocase; content:"|05|"; distance:1; content:"|00|"; within:1; distance:1; byte_test:1,&,3,0,relative; content:"|00 00|"; within:2; distance:19; flowbits:isset,dce.printer.bind; classtype:attempted-recon; sid:2102349; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC print spool bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00 05 00 0B|"; within:17; distance:5; byte_test:1,&,16,1,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:29; flowbits:set,dce.printer.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2102348; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103389; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103385; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103390; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103386; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103391; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103387; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103392; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103388; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2102954; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2102465; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2102955; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2102466; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103405; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103401; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103406; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103402; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103407; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103403; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103408; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103404; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102996; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102482; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102997; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102483; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102998; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102480; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; within:1; distance:4; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102999; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102481; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103268; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103264; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103269; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103265; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103270; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103266; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103271; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103267; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102968; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102969; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102948; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102938; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102970; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102971; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102949; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102939; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103038; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103030; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103039; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103031; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103047; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103055; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; byte_test:4,>,1024,40,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103023; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103046; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103054; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; isdataat:4,relative; byte_test:4,>,1024,40,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103022; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103040; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103032; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103041; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103033; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103049; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103057; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; byte_test:4,>,1024,40,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103025; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103048; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103056; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103024; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103230; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103231; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103227; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103226; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103232; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,www.microsoft.com/technet/security/bulletin/MS00-040.mspx; classtype:attempted-admin; sid:2103233; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103229; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103228; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103421; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103417; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103422; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation little endian attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103418; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103423; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation unicode attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103419; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103424; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103420; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510; distance:29; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:2102404; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2102402; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup NTMLSSP andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103004; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup NTMLSSP asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_test:4,&,2147483648,48,relative,little; content:!"NTLMSSP"; within:7; distance:54; asn1:double_overflow, bitstring_overflow, relative_offset 54, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2102383; rev:21; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103005; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_test:4,&,2147483648,48,relative,little; content:!"NTLMSSP"; within:7; distance:54; asn1:double_overflow, bitstring_overflow, relative_offset 54, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103003; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103142; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|01 00|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103141; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103138; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|07 00|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103137; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103252; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103248; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103253; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103249; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103254; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103250; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103255; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103251; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103126; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103127; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103123; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103122; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103128; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103129; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103125; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103124; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103110; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|llsrpc|00|"; within:8; distance:51; nocase; classtype:protocol-command-decode; sid:2103096; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103106; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|5C|llsrpc|00|"; within:8; distance:78; nocase; classtype:protocol-command-decode; sid:2103094; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103111; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103107; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103112; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; within:16; distance:51; nocase; classtype:protocol-command-decode; sid:2103097; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103108; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; within:16; distance:78; nocase; classtype:protocol-command-decode; sid:2103095; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103113; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103109; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103172; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103168; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103173; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103169; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103174; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103170; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103175; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103171; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102962; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|nddeapi|00|"; within:9; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102958; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102934; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|5C|nddeapi|00|"; within:9; distance:78; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102930; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102963; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102959; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102935; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:78; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102931; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS too many stacked requests"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f)/"; byte_jump:2,39,little; content:!"|FF|"; within:1; distance:-36; classtype:protocol-command-decode; sid:2102951; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103214; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102990; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|winreg|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102986; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103210; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102478; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|5C|winreg|00|"; within:8; distance:78; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102476; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103215; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103211; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103216; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102991; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102987; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103212; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102479; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:78; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102477; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103217; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103213; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL NETBIOS xp_reg* registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; depth:32; offset:32; nocase; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,www.microsoft.com/technet/security/bulletin/MS02-034; classtype:attempted-user; sid:2100689; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL NETBIOS xp_reg* - registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; nocase; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,www.microsoft.com/technet/security/bulletin/MS02-034; classtype:attempted-user; sid:2100686; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 response andx overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103144; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 response overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; flowbits:unset,smb.trans2; byte_test:2,>,15,34,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103143; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2102923; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103146; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 response overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; flowbits:unset,smb.trans2; byte_test:2,>,15,34,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103145; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB-DS repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2102924; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET 137 -> $HOME_NET any (msg:"GPL NETBIOS NS lookup response name overflow attempt"; byte_test:1,>,127,2; content:"|00 01|"; depth:2; offset:6; byte_test:1,>,32,12; metadata: former_category NETBIOS; reference:bugtraq,10333; reference:bugtraq,10334; reference:cve,2004-0444; reference:cve,2004-0445; reference:url,www.eeye.com/html/Research/Advisories/AD20040512A.html; classtype:attempted-admin; sid:2102563; rev:6; metadata:created_at 2010_09_23, updated_at 2017_08_24;)

alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"GPL NETBIOS DCERPC Workstation Service direct service access attempt"; content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102316; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2102257; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS Messenger message little endian overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|F8 91|{Z|00 FF D0 11 A9 B2 00 C0|O|B6 E6 FC|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; byte_jump:4,18,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,8,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; classtype:attempted-admin; sid:2103234; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS Messenger message overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,!&,16,2,relative; content:"|F8 91|{Z|00 FF D0 11 A9 B2 00 C0|O|B6 E6 FC|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; byte_jump:4,18,align,relative; byte_jump:4,8,align,relative; byte_test:4,>,1024,8,relative; reference:bugtraq,8826; reference:cve,2003-0717; classtype:attempted-admin; sid:2103235; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"GPL NETBIOS name query overflow attempt UDP"; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; classtype:attempted-admin; sid:2103196; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"GPL NETBIOS WINS name query overflow attempt UDP"; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; reference:url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx; classtype:attempted-admin; sid:2103200; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp any any -> $HOME_NET [139,445] (msg:"ET NETBIOS windows recycler request - suspicious"; flow:to_server,established; content:"|00 00 5C 00 72 00 65 00 63 00 79 00 63 00 6C 00 65 00 72 00 5C|"; fast_pattern:only; reference:url,about-threats.trendmicro.com/ArchiveMalware.aspx?name=WORM_AUTORUN.ZBC; reference:url,www.symantec.com/connect/forums/virus-alert-crecyclers-1-5-21-1482476501-1644491937-682003330-1013svchostexe; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FFakerecy.A; reference:url,support.microsoft.com/kb/971029; classtype:suspicious-filename-detect; sid:2011526; rev:4; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

#alert tcp any any -> $HOME_NET [139,445] (msg:"ET NETBIOS windows recycler .exe request - suspicious"; flow:to_server,established; content:"|00 00 5C 00 72 00 65 00 63 00 79 00 63 00 6C 00 65 00 72 00 5C|"; content:"|00 2E 00 65 00 78 00 65|"; distance:0; reference:url,about-threats.trendmicro.com/ArchiveMalware.aspx?name=WORM_AUTORUN.ZBC; reference:url,www.symantec.com/connect/forums/virus-alert-crecyclers-1-5-21-1482476501-1644491937-682003330-1013svchostexe; classtype:suspicious-filename-detect; sid:2011527; rev:4; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"ET NETBIOS Microsoft Windows SMB Client Race Condition Remote Code Execution"; flow:to_client,established; content:"|ff 53 4d 42 72|"; offset:4; depth:5; content:"|00 00 00 00|"; distance:0; within:4; byte_test:4,<,4356,30,relative,little; reference:url,www.exploit-db.com/exploits/12258/; reference:cve,2010-0017; reference:bid,38100; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-006.mspx; classtype:attempted-user; sid:2012084; rev:2; metadata:created_at 2010_12_22, updated_at 2010_12_22;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS SMB Trans2 Query_Fs_Attribute_Info SrvSmbQueryFsInformation Pool Buffer Overflow"; flow:to_server,established; content:"|ff 53 4d 42 32|"; offset:4; depth:5; content:"|00 00 00 00|"; distance:0; within:4; content:"|00 00|"; distance:30; within:2; content:"|00 03 00|"; distance:19; within:3; reference:url,www.exploit-db.com/exploits/14607/; reference:url,seclists.org/fulldisclosure/2010/Aug/122; reference:cve,2010-2550; reference:bid,42224; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-054.mspx; classtype:attempted-user; sid:2012094; rev:2; metadata:created_at 2010_12_23, updated_at 2010_12_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET [137,138,139,445] (msg:"ET NETBIOS Microsoft Windows Server 2003 Active Directory Pre-Auth BROWSER ELECTION Heap Overflow Attempt"; content:"|42 4F 00|"; content:"BROWSER"; nocase; distance:0; content:"|08 09 A8 0F 01 20|"; fast_pattern; distance:0; isdataat:65,relative; content:!"|0A|"; within:65; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=22457; reference:bid,46360; classtype:attempted-admin; sid:2012317; rev:2; metadata:created_at 2011_02_17, updated_at 2011_02_17;)

#alert tcp any any -> any [139,445] (msg:"ET NETBIOS Tree Connect AndX Request IPC$ Unicode"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; content:"| 00 5c 00 69 00 70 00 63 00 24 00 00 00|"; nocase; flowbits:set,smb.tree.connect.ipc; flowbits:noalert;  metadata: former_category NETBIOS; reference:cve,2006-4691; classtype:protocol-command-decode; sid:2025090; rev:1; metadata:created_at 2016_06_14, updated_at 2017_11_29;)

alert tcp $HOME_NET [445,139] -> any any (msg:"ET NETBIOS PolarisOffice Insecure Library Loading - SMB ASCII"; flow:from_server; content:"SMB"; offset:4; depth:5; byte_test:1,!&,0x80,7,relative; content:"puiframeworkproresenu|2E|dll"; nocase; distance:0; fast_pattern; reference:url, exploit-db.com/exploits/44985/; metadata: former_category NETBIOS; reference:cve,2018-12589; classtype:attempted-user; sid:2025790; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, created_at 2018_07_06, updated_at 2018_07_18;)

alert tcp $HOME_NET [445,139] -> any any (msg:"ET NETBIOS PolarisOffice Insecure Library Loading - SMB Unicode"; flow:from_server; content:"SMB"; offset:4; depth:5; byte_test:1,&,0x80,7,relative; content:"p|00|u|00|i|00|f|00|r|00|a|00|m|00|e|00|w|00|o|00|r|00|k|00|p|00|r|00|o|00|r|00|e|00|s|00|e|00|n|00|u|00 2E 00|d|00|l|00|l|00|"; nocase; distance:0; reference:url, exploit-db.com/exploits/44985/; metadata: former_category NETBIOS; reference:cve,2018-12589; classtype:attempted-user; sid:2025791; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, created_at 2018_07_06, updated_at 2018_07_18;)

alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows RRAS SMB Remote Code Execution"; flow:established,to_server; content:"|21 00 00 00 10 27 00 00 a4 86 01 00 41 41 41 41 04 00 00 00 41 41 41 41 a4 86 01 00 ad 0b 2d 06 d0 ba 61 41 41 90 90 90 90 90|"; metadata: former_category NETBIOS; reference:cve,2017-11885; reference:url,exploit-db.com/exploits/44616/; classtype:attempted-user; sid:2025824; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, deployment Datacenter, signature_severity Major, created_at 2018_07_11, performance_impact Low, updated_at 2018_07_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P ABC Torrent User-Agent (ABC/ABC-3.1.0)"; flow:to_server,established; content:"User-Agent|3a| ABC/ABC"; nocase; http_header; reference:url,pingpong-abc.sourceforge.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003475; classtype:trojan-activity; sid:2003475; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Ares traffic"; flow:established,to_server; content:"User-Agent|3a| Ares"; http_header; reference:url,www.aresgalaxy.org; reference:url,doc.emergingthreats.net/bin/view/Main/2001059; classtype:policy-violation; sid:2001059; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Ares over UDP"; content:"Ares "; offset:36; depth:7; threshold: type limit, count 1, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2003437; classtype:policy-violation; sid:2003437; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET P2P Ares Server Connection"; flow:established,to_server; dsize:<70; content:"r|be|bloop|00|dV"; content:"Ares|00 0a|"; distance:16; reference:url,aresgalaxy.sourceforge.net; reference:url,doc.emergingthreats.net/bin/view/Main/2008591; classtype:policy-violation; sid:2008591; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Azureus P2P Client User-Agent"; flow:to_server,established; content:"User-Agent|3a| Azureus"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007799; classtype:policy-violation; sid:2007799; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (BTSP)"; flow:to_server,established; content:"User-Agent|3a| BTSP/"; http_header; reference:url,doc.emergingthreats.net/2011713; classtype:policy-violation; sid:2011713; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P BearShare P2P Gnutella Client User-Agent (BearShare 6.x.x.x)"; flow:to_server,established; content:"User-Agent|3a| BearShare "; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2006371; classtype:trojan-activity; sid:2006371; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P BearShare P2P Gnutella Client HTTP Request "; flow:to_server,established; content:"/gnutella/"; nocase; http_uri; content:"?client=BEAR"; nocase; http_uri; content:"&version="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2006379; classtype:trojan-activity; sid:2006379; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (BitComet)"; flow:to_server,established; content:"User-Agent|3a| BitComet/"; http_header; reference:url,www.bitcomet.com; reference:url,doc.emergingthreats.net/2011710; classtype:policy-violation; sid:2011710; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (BitTornado)"; flow:to_server,established; content:"User-Agent|3a| BitTornado/"; http_header; reference:url,www.bittornado.com; reference:url,doc.emergingthreats.net/2011702; classtype:policy-violation; sid:2011702; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET !7680 (msg:"ET P2P BitTorrent peer sync"; flow:established; content:"|00 00 00 0d 06 00|"; depth:6; threshold: type limit, track by_dst, seconds 300, count 1; reference:url,bitconjurer.org/BitTorrent/protocol.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000334; classtype:policy-violation; sid:2000334; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent Traffic"; flow: established; content:"|0000400907000000|"; depth:8; threshold: type limit, count 1, seconds 120, track by_src; reference:url,bitconjurer.org/BitTorrent/protocol.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000357; classtype:policy-violation; sid:2000357; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 6969 (msg:"ET P2P BitTorrent Announce"; flow: to_server,established; content:"/announce"; reference:url,bitconjurer.org/BitTorrent/protocol.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000369; classtype:policy-violation; sid:2000369; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (Bittorrent/5.x.x)"; flow:to_server,established; content:"User-Agent|3a| Bittorrent"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2006372; classtype:trojan-activity; sid:2006372; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client HTTP Request "; flow:to_server,established; content:"/trackerphp/announce.php?"; nocase; http_uri; content:"?port="; nocase; http_uri; content:"&peer_id="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2006375; classtype:trojan-activity; sid:2006375; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P possible torrent download"; flow:to_server,established; content:".torrent"; nocase; http_uri; pcre:"/\.torrent$/Ui"; content:!"mapfactor.com"; http_header; metadata: former_category P2P; reference:url,doc.emergingthreats.net/bin/view/Main/2007727; classtype:policy-violation; sid:2007727; rev:7; metadata:created_at 2010_07_30, updated_at 2017_11_27;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT ping request"; content:"d1|3a|ad2|3a|id20|3a|"; depth:12; nocase; threshold: type both, count 1, seconds 300, track by_src; reference:url,wiki.theory.org/BitTorrentDraftDHTProtocol; reference:url,doc.emergingthreats.net/bin/view/Main/2008581; classtype:policy-violation; sid:2008581; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT find_node request"; content:"d1|3a|ad2|3a|id20|3a|"; nocase; depth:24; content:"6|3a|target20|3a|"; nocase; distance:20; content:"e1|3a|q9|3a|find_node1|3a|"; nocase; distance:20; content:"e1|3a|q9|3a|find_node1|3a|"; distance:20; nocase; threshold: type both, count 1, seconds 300, track by_src; reference:url,wiki.theory.org/BitTorrentDraftDHTProtocol; reference:url,doc.emergingthreats.net/bin/view/Main/2008582; classtype:policy-violation; sid:2008582; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT nodes reply"; content:"d1|3a|rd2|3a|id20|3a|"; nocase; depth:12; content:"5|3a|nodes"; nocase; distance:20; within:7; threshold: type both, count 1, seconds 300, track by_src; reference:url,wiki.theory.org/BitTorrentDraftDHTProtocol; reference:url,doc.emergingthreats.net/bin/view/Main/2008583; classtype:policy-violation; sid:2008583; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT get_peers request"; content:"d1|3a|ad2|3a|id20|3a|"; nocase; offset:12; content:"9|3a|info_hash20|3a|"; nocase; distance:20; within:14; content:"e1|3a|q9|3a|get_peers1|3a|"; nocase; distance:20; threshold: type both, count 1, seconds 300, track by_src; reference:url,wiki.theory.org/BitTorrentDraftDHTProtocol; reference:url,doc.emergingthreats.net/bin/view/Main/2008584; classtype:policy-violation; sid:2008584; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT announce_peers request"; content:"d1|3a|ad2|3a|id20|3a|"; nocase; depth:14; content:"e1|3a|q13|3a|announce_peer1|3a|"; nocase; distance:55; threshold: type both, count 1, seconds 300, track by_src; reference:url,wiki.theory.org/BitTorrentDraftDHTProtocol; reference:url,doc.emergingthreats.net/bin/view/Main/2008585; classtype:policy-violation; sid:2008585; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (Deluge 1.x.x)"; flow:to_server,established; content:"User-Agent|3a| Deluge "; http_header; reference:url,deluge-torrent.org; reference:url,doc.emergingthreats.net/2011704; classtype:policy-violation; sid:2011704; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Direct Connect Traffic (client-server)"; flow:from_client,established; content:"$MyINFO"; depth:7; reference:url,en.wikipedia.org/wiki/Direct_connect_file-sharing_application; reference:url,doc.emergingthreats.net/bin/view/Main/2002814; classtype:policy-violation; sid:2002814; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any 4660:4799 (msg:"ET P2P ed2k connection to server"; flow: to_server,established; content:"|e3|"; depth:1; content:"|00 00 00 01|"; distance:2; within:4; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000330; classtype:policy-violation; sid:2000330; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> any 4660:4799 (msg:"ET P2P ed2k request part"; flow: to_server,established; content:"|e3|"; offset: 1; content:"|00 00 00 47|"; distance: 2; within: 4; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000332; classtype:policy-violation; sid:2000332; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> any 4660:4799 (msg:"ET P2P ed2k file request answer"; flow: to_server,established; content:"|e3|"; offset: 1; content:"|00 00 00 59|"; distance: 2; within: 4; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000333; classtype:policy-violation; sid:2000333; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg:"ET P2P eDonkey File Status"; flow: to_server,established; content:"|e3 14|"; depth: 2; reference:url,www.edonkey.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001296; classtype:policy-violation; sid:2001296; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg:"ET P2P eDonkey File Status Request"; flow: to_server,established; content:"|e3 11|"; depth: 2; reference:url,www.edonkey.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001297; classtype:policy-violation; sid:2001297; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg:"ET P2P eDonkey Server Status Request"; content:"|e3 96|"; depth: 2; reference:url,www.edonkey.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001298; classtype:policy-violation; sid:2001298; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 4660:4799 -> $EXTERNAL_NET any (msg:"ET P2P eDonkey Server Status"; content:"|e3 97|"; depth: 2; reference:url,www.edonkey.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001299; classtype:policy-violation; sid:2001299; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey IP Request"; dsize:4; content:"|e3 1b|"; depth:2; flowbits:set,BEedk.ip.requestect; flowbits:noalert; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003308; classtype:policy-violation; sid:2003308; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET P2P Edonkey IP Reply"; flowbits:isset,BEedk.ip.requestect; dsize:<20; content:"|e3 1c|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003309; classtype:policy-violation; sid:2003309; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET P2P Edonkey IP Query End"; dsize:<20; content:"|e3 1d|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003316; classtype:policy-violation; sid:2003316; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Publicize File"; dsize:>15; content:"|e3 0c|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003310; classtype:policy-violation; sid:2003310; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET P2P Edonkey Publicize File ACK"; dsize:<20; content:"|e3 0d|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003311; classtype:policy-violation; sid:2003311; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Connect Request"; dsize:25; content:"|e3 0a|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003312; classtype:policy-violation; sid:2003312; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Search Request (by file hash)"; dsize:19; content:"|e3 0e 14|"; depth:3; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003314; classtype:policy-violation; sid:2003314; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET P2P Edonkey Search Reply"; dsize:>200; content:"|e3 0f|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003315; classtype:policy-violation; sid:2003315; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Get Sources Request (by hash)"; dsize:19; content:"|e3 9a|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003318; classtype:policy-violation; sid:2003318; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Search Request (search by name)"; dsize:>5; content:"|e3 98|"; depth:2; content:"|01|"; within:3; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003319; classtype:policy-violation; sid:2003319; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 4660:4799 (msg:"ET P2P Edonkey Server Message"; flow:established; dsize:>10; content:"|e3|"; depth:1; content:"|38|"; distance:4; within:5; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003321; classtype:policy-violation; sid:2003321; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 4660:4799 (msg:"ET P2P Edonkey Server List"; flow:established; dsize:>12; content:"|e3|"; depth:1; content:"|32|"; distance:4; within:5; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003322; classtype:policy-violation; sid:2003322; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 4660:4799 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Client to Server Hello"; flow:established; dsize:>5; content:"|e3|"; offset:1; content:"|01|"; distance:4; within:5; content:"|02 01 00 01|"; distance:26; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003323; classtype:policy-violation; sid:2003323; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 4660:4799 (msg:"ET P2P Edonkey Server Status"; flow:established; dsize:14; content:"|e3 09 00 00 00 34|"; depth:6; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003324; classtype:policy-violation; sid:2003324; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (Enhanced CTorrent 3.x)"; flow:to_server,established; content:"User-Agent|3a| Enhanced-CTorrent"; fast_pattern:11,18; http_header; reference:url,www.rahul.net/dholmes/ctorrent; reference:url,doc.emergingthreats.net/2011703; classtype:policy-violation; sid:2011703; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (FDM 3.x)"; flow:to_server,established; content:"User-Agent|3a| FDM 3."; http_header; reference:url,www.freedownloadmanager.org; reference:url,doc.emergingthreats.net/2011712; classtype:policy-violation; sid:2011712; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET P2P MS Foldershare Login Detected"; flow:established,to_client; content:"|0b|FolderShare|30 81 9f 30|"; nocase; offset:392; depth:18; reference:url,www.foldershare.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002673; classtype:policy-violation; sid:2002673; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Gnutella Connect"; flow: established,to_server; content:"GNUTELLA CONNECT/"; nocase; depth:17; reference:url,www.gnutella.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001664; classtype:policy-violation; sid:2001664; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P GnucDNA UDP Ultrapeer Traffic"; content:"SCP@|83|DNA@"; threshold: type both,track by_src,count 10,seconds 600; reference:url,doc.emergingthreats.net/bin/view/Main/2002760; classtype:policy-violation; sid:2002760; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Gnutella TCP Ultrapeer Traffic"; flow: established,to_server; content:"GNUTELLA"; depth:8; content:"X-Ultrapeer|3a| True"; nocase; threshold: type both,track by_src,count 5,seconds 3600; reference:url,doc.emergingthreats.net/bin/view/Main/2002761; classtype:policy-violation; sid:2002761; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any 1024: -> any 1024: (msg:"ET P2P Gnutella TCP Traffic"; flow: established,to_server; content:"GNUTELLA"; depth:8; content:"200 OK|0d 0a|"; within:15; threshold: type both,track by_src,count 5,seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2007801; classtype:policy-violation; sid:2007801; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Kazaa over UDP"; content:"KaZaA"; nocase; threshold: type threshold, track by_src,count 10, seconds 60; reference:url,www.kazaa.com/us/index.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2001796; classtype:policy-violation; sid:2001796; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (KTorrent/3.x.x)"; flow:to_server,established; content:"User-Agent|3a| KTorrent/3"; http_header; reference:url,ktorrent.org; reference:url,doc.emergingthreats.net/2011700; classtype:policy-violation; sid:2011700; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (KTorrent 2.x)"; flow:to_server,established; content:"User-Agent|3a| ktorrent/2"; http_header; reference:url,ktorrent.org; reference:url,doc.emergingthreats.net/2011711; classtype:policy-violation; sid:2011711; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P KuGoo P2P Connection"; dsize:<30; content:"|64|"; depth:1; content:"|70|"; distance:5; content:"|50 37|"; distance:4; reference:url,koogoo.com; reference:url,doc.emergingthreats.net/2009966; classtype:policy-violation; sid:2009966; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P LimeWire P2P Traffic"; flow: established; content:"User-Agent|3a| LimeWire"; nocase; http_header; reference:url,www.limewire.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001808; classtype:policy-violation; sid:2001808; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P LimeWire P2P Traffic"; flow: established; content:"Server|3a| LimeWire"; nocase; reference:url,www.limewire.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007800; classtype:policy-violation; sid:2007800; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Limewire P2P UDP Traffic"; dsize:35; content:"|49 50 40 83 53 43 50 41 00 00|"; offset:25; depth:10; threshold: type both, track by_src, count 1, seconds 360; reference:url,www.limewire.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001809; classtype:policy-violation; sid:2001809; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $EXTERNAL_NET 41170 -> $HOME_NET any (msg:"ET P2P Manolito Connection (1)"; dsize:<48; content:"|3d 4a d9|"; depth:3; reference:url,doc.emergingthreats.net/2009097; classtype:policy-violation; sid:2009097; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 41170 (msg:"ET P2P Manolito Ping"; dsize:<24; content:"|3d|"; depth:1; content:"|d9|"; distance:1; content:"|ed bb|"; distance:13; threshold: type limit, track by_src, seconds 300, count 1; reference:url,doc.emergingthreats.net/2009098; classtype:policy-violation; sid:2009098; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Morpheus Install"; flow: to_server,established; content:"/morpheus/morpheus.exe"; nocase; http_uri; reference:url,www.morpheus.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001035; classtype:policy-violation; sid:2001035; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Morpheus Install ini Download"; flow: to_server,established; content:"/morpheus/morpheus_sm.ini"; nocase; http_uri; reference:url,www.morpheus.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001036; classtype:policy-violation; sid:2001036; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Morpheus Update Request"; flow: to_server,established; content:"/gwebcache/gcache.asg?hostfile="; nocase; http_uri; reference:url,www.morpheus.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001037; classtype:policy-violation; sid:2001037; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $HOME_NET 8247 -> $EXTERNAL_NET 8247 (msg:"ET P2P Octoshape UDP Session"; threshold: type both, count 2, seconds 60, track by_src; reference:url,msmvps.com/blogs/bradley/archive/2009/01/20/peer-to-peer-on-cnn.aspx; reference:url,doc.emergingthreats.net/2009986; classtype:trojan-activity; sid:2009986; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $HOME_NET any -> $EXTERNAL_NET 8247 (msg:"ET P2P Octoshape P2P streaming media"; content:"POST / HTTP/1."; depth:64; content:"Oshtcp-streamtype|3a|"; threshold: type limit, track by_src, count 1, seconds 600; reference:url,doc.emergingthreats.net/2010008; classtype:policy-violation; sid:2010008; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (Opera/10.x)"; flow:to_server,established; content:"User-Agent|3a| Opera BitTorrent, Opera/"; fast_pattern:11,15; http_header; reference:url,www.opera.com; reference:url,doc.emergingthreats.net/2011701; classtype:policy-violation; sid:2011701; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp any any -> any any (msg:"ET P2P Overnet (Edonkey) Server Announce"; content:"|00 00 02 03 00 6c 6f 63|"; offset: 36; content:"|00 62 63 70 3a 2f 2f|"; distance: 1; reference:url,www.overnet.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000335; classtype:policy-violation; sid:2000335; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Pando Client User-Agent Detected (Mozilla/4.0 (Windows U) Pando/1.xx)"; flow:established,to_server; content:" Pando/"; http_header; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 (Windows|3b| U) Pando/"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008625; classtype:policy-violation; sid:2008625; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> any any (msg:"ET P2P Phatbot Control Connection"; flow: established; content:"Wonk-"; content:"|00|#waste|00|"; within: 15; reference:url,www.lurhq.com/phatbot.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000015; classtype:trojan-activity; sid:2000015; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Client User-Agent (Shareaza 2.x)"; flow:to_server,established; content:"User-Agent|3a| Shareaza 2."; http_header; reference:url,shareaza.sourceforge.net; reference:url,doc.emergingthreats.net/2011707; classtype:policy-violation; sid:2011707; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET P2P Soulseek"; flow: established; content:"slsknet"; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/bin/view/Main/2001188; classtype:policy-violation; sid:2001188; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET 2234 -> $HOME_NET any (msg:"ET P2P Soulseek Filesearch Results"; flow: from_server,established; content:"|09 00 00 00 78|"; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/bin/view/Main/2001187; classtype:policy-violation; sid:2001187; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 2240 (msg:"ET P2P SoulSeek P2P Server Connection"; flow:established,to_server; content:"|01 00 00 00|"; offset:4; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/2008595; classtype:policy-violation; sid:2008595; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET 2240 -> $HOME_NET 1024: (msg:"ET P2P SoulSeek P2P Login Response"; flow:from_server,established; content:"|5c 01 00 00 01 00 00 00|"; depth:8; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/2008611; classtype:policy-violation; sid:2008611; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P ThunderNetwork UDP Traffic"; dsize:<38; content:"|32 00 00 00|"; depth:4; content:"|00 00 00 00|"; distance:1; threshold:type limit, track by_src, count 1, seconds 300; reference:url,xunlei.com; reference:url,en.wikipedia.org/wiki/Xunlei; reference:url,doc.emergingthreats.net/2009099; classtype:policy-violation; sid:2009099; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x)"; flow:to_server,established; content:"User-Agent|3a| Transmission/"; http_header; metadata: former_category P2P; reference:url,www.transmissionbt.com; reference:url,doc.emergingthreats.net/2011699; classtype:policy-violation; sid:2011699; rev:5; metadata:created_at 2010_07_30, updated_at 2017_11_27;)

alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Vuze BT Connection"; flow:established; content:"|00 00|"; depth:2; content:"|05|AZVER|01|"; distance:5; within:7; content:"appid"; within:10; threshold:type limit, track by_src, count 10, seconds 600; reference:url,vuze.com; reference:url,doc.emergingthreats.net/2010139; classtype:policy-violation; sid:2010139; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024: (msg:"ET P2P Vuze BT UDP Connection"; dsize:<80; content:!"|00 22 02 00|"; depth: 4; content:"|00 00 04|"; distance:8; within:3; content:"|00 00 00 00 00|"; distance:6; within:5; threshold: type limit, count 1, seconds 120, track by_src; reference:url,vuze.com; reference:url,doc.emergingthreats.net/2010140; classtype:policy-violation; sid:2010140; rev:7; metadata:created_at 2010_07_30, updated_at 2016_11_01;)

alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET P2P Vuze BT UDP Connection (2)"; dsize:94; content:"|00 00 04|"; depth:3; content:"|00 00 00 00 00|"; distance:14; within:5; content:"|ff ff ff ff 00 00 00 00 02 05 21|"; distance:8; within:11; content:"|00 00 00 00 00 00|"; distance:25; within:6; content:"|00 00|"; distance:20; within:2; reference:url,vuze.com; reference:url,doc.emergingthreats.net/2010141; classtype:policy-violation; sid:2010141; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET P2P Vuze BT UDP Connection (3)"; dsize:80; content:"|00 00 04|"; depth:3; content:"|00 00 00 00 00|"; distance:14; within:5; content:"|02 05 21 04|"; distance:4; within:4; threshold:type limit, track by_dst, count 10, seconds 600; reference:url,doc.emergingthreats.net/2010142; classtype:policy-violation; sid:2010142; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET P2P Vuze BT UDP Connection (4)"; dsize:<300; content:"|00 00 04|"; depth:3; content:"|00 00 00 00 00|"; distance:14; within:5; content:"|ff ff ff ff|"; distance:8; within:4; reference:url,doc.emergingthreats.net/2010143; classtype:policy-violation; sid:2010143; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET P2P Vuze BT UDP Connection (5)"; dsize:<20; content:"|00 00 04 17 27 10 19 80 00 00 00 00|"; depth:12; threshold: type limit, count 1, seconds 120, track by_src; reference:url,vuze.com; reference:url,doc.emergingthreats.net/2010144; classtype:policy-violation; sid:2010144; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Connection Request"; dsize:35; content:"|e4 21|"; depth:2; threshold: type limit, count 1, seconds 300, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009967; classtype:policy-violation; sid:2009967; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Connection Request(2)"; dsize:35; content:"|e4 20|"; depth:2; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009968; classtype:policy-violation; sid:2009968; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Firewalled Request"; dsize:35; content:"|e4 50|"; depth:2; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009969; classtype:policy-violation; sid:2009969; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule Kademlia Hello Request"; dsize:<48; content:"|e4 11|"; depth:2; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009970; classtype:policy-violation; sid:2009970; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Server Status Request"; dsize:44; content:"|8c 97|"; depth:2; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009972; classtype:policy-violation; sid:2009972; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Send Username"; flow:established; content:"|e3|"; depth:1; content:"|00 00 00 01|"; distance:1; within:4; byte_test:1,<,51,37; threshold: type limit, count 5, seconds 600, track by_src; reference:url, emule-project.net; reference:url,doc.emergingthreats.net/2009973; classtype:policy-violation; sid:2009973; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (rTorrent)"; flow:to_server,established; content:"User-Agent|3a| rtorrent/"; http_header; reference:url,libtorrent.rakshasa.no; reference:url,doc.emergingthreats.net/2011705; classtype:policy-violation; sid:2011705; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (uTorrent)"; flow:to_server,established; content:"User-Agent|3a| uTorrent"; http_header; reference:url,www.utorrent.com; reference:url,doc.emergingthreats.net/2011706; classtype:policy-violation; sid:2011706; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET P2P TOR 1.0 Server Key Retrieval"; flow:established,to_server; content:"GET /tor/server/"; depth:16; threshold:type limit, track by_src, count 1, seconds 30; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2002950; classtype:policy-violation; sid:2002950; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET P2P TOR 1.0 Status Update"; flow:established,to_server; content:"GET /tor/status/"; depth:16; threshold:type limit, track by_src, count 1, seconds 60; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2002951; classtype:policy-violation; sid:2002951; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET P2P TOR 1.0 Inbound Circuit Traffic"; flow:established; content:"TOR"; content:"<identity>"; rawbytes; distance:10; within:35; threshold:type limit, track by_src, count 1, seconds 120; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2002952; classtype:policy-violation; sid:2002952; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET P2P TOR 1.0 Outbound Circuit Traffic"; flow:established; content:"TOR"; content:"<identity>"; rawbytes; distance:10; within:35; threshold:type limit, track by_src, count 1, seconds 120; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2002953; classtype:policy-violation; sid:2002953; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Tor Get Server Request"; flow:established,to_server; content:"/tor/server/"; http_uri; nocase; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2008113; classtype:policy-violation; sid:2008113; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Tor Get Status Request"; flow:established,to_server; content:"/tor/status/"; http_uri; nocase; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2008115; classtype:policy-violation; sid:2008115; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P p2p Related User-Agent (eChanblard)"; flow:to_server,established; content:"User-Agent|3a| eChanblard|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011232; classtype:trojan-activity; sid:2011232; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg:"ET P2P JoltID Agent New Code Download"; flow: established; content:"PeerEnabler"; fast_pattern:only;  reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; reference:url,doc.emergingthreats.net/2001652; classtype:trojan-activity; sid:2001652; rev:39; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 6666:6669 -> $HOME_NET any (msg:"GPL P2P eMule buffer overflow attempt"; flow:to_client,established; content:"PRIVMSG"; nocase; content:"|01|SENDLINK|7c|"; distance:0; pcre:"/^PRIVMSG\s+[^\s]+\s+\x3a\s*\x01SENDLINK\x7c[^\x7c]{69}/smi"; reference:bugtraq,10039; reference:nessus,12233; classtype:attempted-user; sid:2102584; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp any 4711 -> $HOME_NET any (msg:"GPL P2P eDonkey server response"; flow:established,from_server; content:"Server|3A| eMule"; reference:url,www.emule-project.net; classtype:policy-violation; sid:2102587; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 6881:6889 (msg:"GPL P2P BitTorrent transfer"; flow:to_server,established; content:"|13|BitTorrent protocol"; depth:20; classtype:policy-violation; sid:2102181; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P BitTorrent announce request"; flow:to_server,established; content:"GET /announce"; depth:13; content:"info_hash="; distance:0; content:"event=started"; distance:0; classtype:policy-violation; sid:2102180; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P Fastrack kazaa/morpheus traffic"; flow:to_server,established; content:"GET "; depth:4; content:"UserAgent|3A| KazaaClient"; reference:url,www.kazaa.com; classtype:policy-violation; sid:2101699; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK"; depth:40; classtype:policy-violation; sid:2100557; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA"; depth:8; classtype:policy-violation; sid:2101432; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P Outbound GNUTella client request"; flow:to_server,established; content:"GNUTELLA CONNECT"; depth:40; classtype:policy-violation; sid:2100556; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P BTWebClient UA uTorrent in use"; flow:established,to_server; content:"User-Agent|3a| BTWebClient"; http_header; classtype:policy-violation; sid:2012247; rev:2; metadata:created_at 2011_01_27, updated_at 2011_01_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Libtorrent User-Agent"; flow:to_server,established; content:"libtorrent"; nocase; fast_pattern:only; http_header; pcre:"/^User-Agent\x3a [^\r\n]+?libtorrent/Hmi"; classtype:trojan-activity; sid:2012390; rev:2; metadata:created_at 2011_02_27, updated_at 2011_02_27;)

alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET P2P Ocelot BitTorrent Server in Use"; flow:established,from_server; content:"HTTP/1.1 200 |0d 0a|Server|3a| Ocelot "; depth:30; classtype:policy-violation; sid:2012467; rev:4; metadata:created_at 2011_03_10, updated_at 2011_03_10;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Torrent Client User-Agent (Solid Core/0.82)"; flow:to_server,established; content:"User-Agent|3a| Solid Core/"; http_header; reference:url,sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=4a9f376e8d01cb5f7990576ed927869b; classtype:policy-violation; sid:2013869; rev:7; metadata:created_at 2011_11_08, updated_at 2011_11_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P QVOD P2P Sharing Traffic detected (tcp)"; flow:established,from_client; content:"POST /service HTTP/1"; depth:20; content:"|13|QVOD protocol|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:policy-violation; sid:2014459; rev:1; metadata:created_at 2012_04_03, updated_at 2012_04_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET P2P BitTorrent - Torrent File Downloaded"; flow:established,to_client; file_data; content:"d8|3a|announce"; within:11; content:!"mapfactor.com"; classtype:policy-violation; sid:2014734; rev:3; metadata:created_at 2012_05_10, updated_at 2012_05_10;)

#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P QVOD P2P Sharing Traffic detected (udp) beacon"; content:"|13|QVOD protocol|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:42; reference:md5,816a02a1250d90734059ed322ace72c7; classtype:policy-violation; sid:2015966; rev:2; metadata:created_at 2012_11_29, updated_at 2012_11_29;)

#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P QVOD P2P Sharing Traffic detected (udp) payload"; content:"QVOD"; depth:32; reference:md5,816a02a1250d90734059ed322ace72c7; classtype:policy-violation; sid:2015967; rev:2; metadata:created_at 2012_11_29, updated_at 2012_11_29;)

#alert udp $HOME_NET any -> any 53 (msg:"ET P2P Possible Bittorrent Activity - Multiple DNS Queries For tracker hosts"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|tracker"; fast_pattern; distance:0; threshold: type both, count 3, seconds 10, track by_src; classtype:policy-violation; sid:2016662; rev:3; metadata:created_at 2013_03_25, updated_at 2013_03_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Vagaa peer-to-peer (Transfer)"; flow:from_client,established; content:"|0d 0a|VAGAA-OPERATION|3a| Transfer|0d 0a|"; reference:url,en.wikipedia.org/wiki/Vagaa; classtype:policy-violation; sid:2018012; rev:1; metadata:created_at 2014_01_27, updated_at 2014_01_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P zzima_loader"; flow:established, to_server; content: "GET"; http_method; content:"/zzima_loader/"; fast_pattern:only; http_uri; content:"User-Agent|3a| zzima-nloader/ 1.0.3.1"; http_header; content:!"Referer|3a|"; http_header; reference:md5,810b4464785d8d007ca0c86c046ac0ef; classtype:trojan-activity; sid:2018532; rev:1; metadata:created_at 2014_06_05, updated_at 2014_06_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 7680 (msg:"ET P2P MS WUDO Peer Sync"; flow:established; content:"|00 00 00 0d 06 00|"; depth:6; reference:url,bitconjurer.org/BitTorrent/protocol.html; reference:url,windows.microsoft.com/en-us/windows-10/windows-update-delivery-optimization-faq; classtype:policy-violation; sid:2022371; rev:1; metadata:created_at 2016_01_14, updated_at 2016_01_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET ![25,587,6666:7000,8076] (msg:"ET POLICY IRC Channel JOIN on non-standard port"; flow:to_server,established; dsize:<64; content:"JOIN "; nocase; depth:5; pcre:"/&|#|\+|!/R"; reference:url,doc.emergingthreats.net/bin/view/Main/2000348; classtype:trojan-activity; sid:2000348; rev:15; metadata:created_at 2010_07_30, updated_at 2017_01_03;)

alert tcp $HOME_NET any -> any !6666:7000 (msg:"ET POLICY IRC DCC file transfer request on non-std port"; flow:to_server,established; content:"PRIVMSG "; depth:8; content:" |3a|.DCC SEND"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000349; classtype:non-standard-protocol; sid:2000349; rev:13; metadata:created_at 2010_07_30, updated_at 2016_05_12;)

alert tcp $HOME_NET [0:20,22:24,26:118,120:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET POLICY Suspicious FTP 220 Banner on Local Port (-)"; flow:from_server,established, only_stream; content:"220-"; depth:4; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; classtype:non-standard-protocol; sid:2003055; rev:13; metadata:created_at 2010_07_30, updated_at 2017_04_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Weatherbug Activity"; flow: to_server,established; content:"Host|3a|"; nocase; http_header; content:"weatherbug.com|0d 0a|"; nocase; http_header; threshold: type limit, track by_src, count 1, seconds 3600; reference:url,doc.emergingthreats.net/bin/view/Main/2001267; classtype:misc-activity; sid:2001267; rev:18; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Weatherbug Activity"; flow:established,to_server; content:"/WeatherWindow/WeatherWindow"; nocase; http_uri; content:"?rnd="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003420; classtype:trojan-activity; sid:2003420; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Weatherbug Command Activity"; flow:established,to_server; content:"/connection/connectionv"; nocase; http_uri; content:"?t="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003422; classtype:trojan-activity; sid:2003422; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY AOL Toolbar User-Agent (AOLToolbar)"; flow:to_server,established; content:"AOLToolbar"; http_header; fast_pattern:only; nocase; pcre:"/User-Agent\x3a[^\n]+AOLToolbar/Hi"; reference:url,doc.emergingthreats.net/bin/view/Main/2003469; classtype:policy-violation; sid:2003469; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY AOL Webmail Message Send"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/compose_frame.adp"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000571; classtype:policy-violation; sid:2000571; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY AOL Webmail Login"; flow: to_server,established; content:"/login/login.psp?siteId="; http_uri; content:"triedAimAuth"; reference:url,doc.emergingthreats.net/bin/view/Main/2000572; classtype:policy-violation; sid:2000572; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY External Unencrypted Connection To Aanval Console"; flow:established,to_server; content:"/aanval/flex/AanvalFlex"; http_uri; nocase; reference:url,www.aanval.com; reference:url,doc.emergingthreats.net/bin/view/Main/2008561; classtype:misc-activity; sid:2008561; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY External Connection to Altiris HelpDesk"; flow:to_server,established; content:"/aexhd/worker/"; http_uri; nocase; reference:url,www.symantec.com/business/theme.jsp?themeid=altiris; reference:url,doc.emergingthreats.net/2009696; classtype:misc-activity; sid:2009696; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY External Connection to Altiris Console"; flow:to_server,established; content:"/altiris/ns/"; http_uri; nocase; reference:url,www.symantec.com/business/theme.jsp?themeid=altiris; reference:url,doc.emergingthreats.net/2009697; classtype:misc-activity; sid:2009697; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp [174.129.0.0/16,67.202.0.0/18,79.125.0.0/17,184.72.0.0/15,75.101.128.0/17,174.129.0.0/16,204.236.128.0/17] !53 -> $HOME_NET !53 (msg:"ET POLICY Incoming UDP Packet From Amazon EC2 Cloud";  reference:url,doc.emergingthreats.net/2010816; classtype:misc-activity; sid:2010816; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY ApacheBenchmark Tool User-Agent Detected"; flow:to_server,established; content:"User-Agent|3a| ApacheBench"; http_header; nocase; threshold: type limit, count 1, seconds 60, track by_src; reference:url,httpd.apache.org/docs/2.0/programs/ab.html/; reference:url,doc.emergingthreats.net/2010725; classtype:attempted-recon; sid:2010725; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile"; flow:established,to_server; content:"User-Agent|3a| AutoIt"; http_header; flowbits:set,ET.autoit.ua; reference:url,doc.emergingthreats.net/bin/view/Main/2008350; classtype:policy-violation; sid:2008350; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY External Unencrypted Connection to BASE Console"; flow:to_server,established; content:"/base_main.php"; http_uri; reference:url,base.secureideas.net; reference:url,doc.emergingthreats.net/bin/view/Main/2008570; classtype:misc-activity; sid:2008570; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; http_header; content:!"YW5vbnltb3VzOg=="; within:32; http_header; threshold: type both, count 1, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2006380; classtype:policy-violation; sid:2006380; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"Authorization|3a 20|Basic"; nocase; http_header; content:!"YW5vbnltb3VzOg=="; within:32; http_header; threshold: type both, count 1, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2006402; classtype:policy-violation; sid:2006402; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Executable and linking format (ELF) file download"; flow:established;  content:"|7F|ELF"; fast_pattern; content:"|00 00 00 00 00 00 00 00|"; distance:0; flowbits:set,ET.ELFDownload; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000418; classtype:policy-violation; sid:2000418; rev:16; metadata:created_at 2010_07_30, updated_at 2017_02_03;)

#alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download Non-HTTP"; flow:established,to_client; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:2000419; rev:20; metadata:created_at 2010_07_30, performance_impact Significant, updated_at 2018_01_09;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY REG files version 4 download"; flow:established; content:"REGEDIT4"; content:"|0D 0A|"; distance:0; content:"["; distance:0; content:"HKEY_"; distance:0; nocase; reference:url,www.ss64.com/nt/regedit.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000420; classtype:misc-activity; sid:2000420; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY REG files version 5 download"; flow: established; content:"Windows Registry Editor Version 5.00"; content:"|0D 0A|"; content:"["; content:"HKEY_"; nocase; reference:url,www.ss64.com/nt/regedit.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000421; classtype:misc-activity; sid:2000421; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY REG files version 5 Unicode download"; flow: established; content:"W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|R|00|e|00|g|00|i|00|s|00|t|00|r|00|y|00| |00|E|00|d|00|i|00|t|00|o|00|r|00| |00|V|00|e|00|r|00|s|00|i|00|o|00|n|00| |00|5|00|.|00|0|00|0|00|"; content:"|0D 0A|"; content:"[|00|"; content:"H|00|K|00|E|00|Y|00|_|00|"; nocase; reference:url,www.ss64.com/nt/regedit.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000422; classtype:misc-activity; sid:2000422; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY EXE compressed PKWARE Windows file download"; flow: established; content:"MZ"; isdataat: 28,relative; content:"PKLITE"; distance: 0; reference:url,www.program-transformation.org/Transform/PcExeFormat; reference:url,doc.emergingthreats.net/bin/view/Main/2000426; classtype:misc-activity; sid:2000426; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY ZIP file download"; flow: established; content:"PK|0304|"; byte_test:1, <=, 0x14, 0, string, hex; content:"|00 00 00|"; distance: 0; reference:url,zziplib.sourceforge.net/zzip-parse.print.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000428; classtype:misc-activity; sid:2000428; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Download Windows Help File CHM"; flow: established; content:"ITSF|03|"; isdataat: 19,relative; content:"|7C 01 FD 10 7B AA 11 D0 9E 0C 00 A0 C9 22 E6 EC 7C 01 FD 11 7B AA 11 D0 9E 0C 00 A0 C9 22 E6 EC|"; distance: 0; reference:url,www.speakeasy.org/~russotto/chm/chmformat.html; reference:url,www.securiteam.com/windowsntfocus/6V00N000AU.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000489; classtype:misc-activity; sid:2000489; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Download Windows Help File CHM 2"; flow: established; content:"ITSF|03|"; isdataat: 19,relative; content:"|10 FD 01 7C AA 7B D0 11 9E 0C 00 A0 C9 22 E6 EC 11 FD 01 7C AA 7B D0 11 9E 0C 00 A0 C9 22 E6 EC|"; distance: 0; reference:url,www.speakeasy.org/~russotto/chm/chmformat.html; reference:url,www.securiteam.com/windowsntfocus/6V00N000AU.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000429; classtype:misc-activity; sid:2000429; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY MSI (microsoft installer file) download"; flow:established; content:"|D0 CF 11 E0 A1 B1 1A E1|"; reference:url,doc.emergingthreats.net/bin/view/Main/2001115; classtype:bad-unknown; sid:2001115; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"ET POLICY DNS Update From External net"; byte_test:1,!&,128,2; byte_test:1,!&,64,2; byte_test:1,&,32,2; byte_test:1,!&,16,2; byte_test:1,&,8,2; reference:url,doc.emergingthreats.net/2009702; classtype:policy-violation; sid:2009702; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip [0.0.0.0/8,192.0.0.0/24,192.0.2.0/24,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24] any -> $HOME_NET any (msg:"ET POLICY Unallocated IP Space Traffic - Bogon Nets"; threshold: type limit, track by_src, count 1, seconds 360; reference:url,www.cymru.com/Documents/bogon-list.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002749; classtype:bad-unknown; sid:2002749; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip [10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16] any -> $HOME_NET any (msg:"ET POLICY Reserved Internal IP Traffic"; threshold: type limit, track by_src, count 1, seconds 360; reference:url,www.cymru.com/Documents/bogon-list.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002752; classtype:bad-unknown; sid:2002752; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Boitho.com Distributed Crawler in use - User-Agent (boitho.com-dc)"; flow:to_server,established; content:"User-Agent|3a| boitho.com"; http_header; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003653; classtype:trojan-activity; sid:2003653; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY CCProxy in use remotely - Possibly Hostile/Malware"; flow:established,from_server; content:" 200 Connection established|0d 0a|Proxy-agent|3a| CCProxy "; depth:58; reference:url,www.youngzsoft.net; reference:url,doc.emergingthreats.net/bin/view/Main/2007576; classtype:trojan-activity; sid:2007576; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> 38.97.75.0/24 443 (msg:"ET POLICY Carbonite Online Backup SSL Handshake"; flow:established,to_server; content:"CarboniteInc"; offset:56; reference:url,doc.emergingthreats.net/2009798; classtype:policy-violation; sid:2009798; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Carbonite.com Backup Software Leaking MAC Address"; flow:established,to_server; content:"GET"; http_method; content:"/manage.old/sun/signup.aspx?MACAddresses=MAC"; nocase; http_uri; content:"ShowCount="; nocase; http_uri; reference:url,doc.emergingthreats.net/2009800; classtype:policy-violation; sid:2009800; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Carbonite.com Backup Software User-Agent (Carbonite Installer)"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a| Carbonite Installer|0d 0a|"; http_header; nocase; reference:url,doc.emergingthreats.net/2009801; classtype:policy-violation; sid:2009801; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Centralops.net Domain Dossier Utility Probe"; flow:established,to_server; content:"USER-Agent|3a| Domain Dossier utility (http|3a|//CentralOps.net/)"; nocase; http_header; reference:url,centralops.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003623; classtype:policy-violation; sid:2003623; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Centralops.net Probe"; flow:established,to_server; content:"CentralOps.net/)"; http_header; reference:url,centralops.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003631; classtype:policy-violation; sid:2003631; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET 23 -> any any (msg:"ET POLICY Cisco Device in Config Mode"; flow: established; content:"Enter configuration commands, one per line"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001239; classtype:not-suspicious; sid:2001239; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET 23 -> any any (msg:"ET POLICY Cisco Device New Config Built"; flow: established; content:"Building configuration..."; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001240; classtype:not-suspicious; sid:2001240; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY External Access to Cisco Aironet AP Over HTTP (Post Authentication)"; flow:to_server,established; content:"/ap_home.html"; http_uri; reference:url,supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_HTTPS_on_the_AP; reference:url,doc.emergingthreats.net/bin/view/Main/2008862; classtype:misc-activity; sid:2008862; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 20000 (msg:"ET POLICY Club World Casino Client in Use"; flow:established,to_server; dsize:23; content:"Club World Casinos"; reference:url,doc.emergingthreats.net/2007754; classtype:policy-violation; sid:2007754; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (16 digit spaced)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3}) \d{4} \d{4} \d{4}/"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001375; classtype:policy-violation; sid:2001375; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (16 digit dashed)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3})-\d{4}-\d{4}-\d{4}/"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001376; classtype:policy-violation; sid:2001376; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (16 digit)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3})\d{12} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001377; classtype:policy-violation; sid:2001377; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (15 digit)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800)\d{11} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001378; classtype:policy-violation; sid:2001378; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (15 digit spaced)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800) \d{4} \d{4} \d{3} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001379; classtype:policy-violation; sid:2001379; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (15 digit dashed)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800)-\d{4}-\d{4}-\d{3} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001380; classtype:policy-violation; sid:2001380; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (14 digit)"; pcre:"/ (30[0-5]\d|36\d{2}|38\d{2})\d{10} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001381; classtype:policy-violation; sid:2001381; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (14 digit spaced)"; pcre:"/ (30[0-5]\d|36\d{2}|38\d{2}) \d{4} \d{4} \d{2} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001382; classtype:policy-violation; sid:2001382; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (14 digit dashed)"; pcre:"/ (30[0-5]\d|36\d{2}|38\d{2})-\d{4}-\d{4}-\d{2} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001383; classtype:policy-violation; sid:2001383; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (15 digit spaced 2)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800) \d{6} \d{5} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2009293; classtype:policy-violation; sid:2009293; rev:1; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (15 digit dashed 2)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800)-\d{6}-\d{5} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2009294; classtype:policy-violation; sid:2009294; rev:1; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp any 53 -> ![$DNS_SERVERS,$SMTP_SERVERS] any (msg:"ET POLICY Unusual number of DNS No Such Name Responses"; content:"|83|"; offset:3; depth:1; threshold: type both , track by_dst, count 50, seconds 300; reference:url,doc.emergingthreats.net/2003195; classtype:bad-unknown; sid:2003195; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY nstx DNS Tunnel Outbound"; content:"cT"; offset:12; depth:3; content:"|00 10 00 01 00 00 29 08|"; within:255; reference:url,savannah.nongnu.org/projects/nstx/; reference:url,nstx.dereference.de/nstx; reference:url,doc.emergingthreats.net/2002676; classtype:bad-unknown; sid:2002676; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Dameware Remote Control Service Install"; flow: to_server,established; content:"DWRCK.DLL"; nocase; reference:url,doc.emergingthreats.net/2001294; classtype:successful-admin; sid:2001294; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Gteko User-Agent Detected - Dell Remote Access"; flow:established,to_server; content:"User-Agent|3a| "; http_header; content:"Windows 98"; http_header; content:"GtekClient"; fast_pattern:only; http_header; pcre:"/User-Agent\x3a[^\n]+Windows 98[^\n]+GtekClient/iH"; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; classtype:policy-violation; sid:2008037; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Dell MyWay Remote control agent"; flow:established,to_server; content:"Referer|3a| http|3a|//dell"; http_header; content:"Host|3a| "; http_header; content:"myway.com"; nocase; http_header; threshold:type limit, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/2008051; classtype:not-suspicious; sid:2008051; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Dlink Soho Router Config Page Access Attempt"; flow:established,to_server; content:"/dlink/hwiz.html"; http_uri; reference:url,doc.emergingthreats.net/2008942; classtype:attempted-admin; sid:2008942; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Badongo file download service access"; flow:to_server,established; content:"GET"; http_method; content:"/file/"; http_uri; content:"Host|3a| "; nocase; http_header; content:"badongo.com"; nocase; http_header; content:"badongoL="; http_cookie; reference:url,doc.emergingthreats.net/2009302; classtype:policy-violation; sid:2009302; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY MediaFire file download service access"; flow:to_server,established; content:"GET"; http_method; content:"/?"; http_uri; content:"Host|3a|"; nocase; http_header; content:"mediafire.com"; nocase; http_header; reference:url,doc.emergingthreats.net/2009303; classtype:policy-violation; sid:2009303; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Gigasize file download service access"; flow:to_server,established; content:"GET"; http_method; content:"/get.php"; http_uri; content:"Host|3a| "; nocase; http_header; content:"gigasize.com"; nocase; http_header; reference:url,doc.emergingthreats.net/2009304; classtype:policy-violation; sid:2009304; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY TeamViewer Dyngate User-Agent"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| DynGate)"; fast_pattern:37,17; http_header; threshold: type limit, count 1, seconds 120, track by_src; reference:url,www.teamviewer.com/index.aspx; reference:url,doc.emergingthreats.net/2009475; classtype:policy-violation; sid:2009475; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET POLICY SMTP Executable attachment"; flow:established,to_server; content:"filename="; nocase; content:".exe"; nocase; distance:0; pcre:"/filename=\s*[^\n]+\.exe/i"; reference:url,doc.emergingthreats.net/2003325; classtype:policy-violation; sid:2003325; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (Win exe under 128)"; flow:established,from_server; file_data; content:"MZ"; within:2; byte_test:4,<,128,58,relative,little; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,doc.emergingthreats.net/2009033; classtype:policy-violation; sid:2009033; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 160)"; flow:established,from_server; file_data; content:"MZ"; within:2; byte_test:4,=,160,58,relative,little; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,doc.emergingthreats.net/2009034; classtype:policy-violation; sid:2009034; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 512)"; flow:established,from_server; file_data; content:"MZ"; within:2; byte_test:4,=,512,58,relative,little; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,doc.emergingthreats.net/2009035; classtype:policy-violation; sid:2009035; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY exe download via HTTP - Informational"; flow:established,to_server; content:".exe"; http_uri; nocase; content:"GET"; http_method; nocase; pcre:"/\.exe\b/Ui"; reference:url,doc.emergingthreats.net/2003595; classtype:policy-violation; sid:2003595; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Possible Ecard Trojan download"; flow:established,to_server; content:".exe"; nocase; http_uri; pcre:"/(gif|car(d|tao)|jpe?g)\.exe$/Ui"; reference:url,doc.emergingthreats.net/2006434; classtype:trojan-activity; sid:2006434; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY exe download without User Agent"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; nocase; content:!"User-Agent|3a|"; http_header; content:!"download.windowsupdate.com"; http_header; content:!"mms|3a|//"; nocase; pcre:"/\.exe$/Ui"; reference:url,doc.emergingthreats.net/2003179; classtype:policy-violation; sid:2003179; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY eBay Bid Placed"; flow: to_server,established; content:"/ws/eBayISAPI.dll/"; http_uri; nocase; content:"maxbid="; nocase; content:"offer.ebay.com"; nocase; http_header; reference:url,doc.emergingthreats.net/2001898; classtype:policy-violation; sid:2001898; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY eBay Placing Item for sale"; flow: to_server,established; content:"/ws2/eBayISAPI.dll"; http_uri; nocase; content:".ebay.com"; http_header; nocase; reference:url,doc.emergingthreats.net/2001907; classtype:policy-violation; sid:2001907; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY eBay View Item"; flow: to_server,established; content:"/ws/eBayISAPI.dll"; http_uri; nocase; content:"ViewItem"; nocase; content:".ebay.com"; nocase; http_header; reference:url,doc.emergingthreats.net/2001908; classtype:policy-violation; sid:2001908; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY eBay Watch This Item"; flow: to_server,established; content:"/ws/eBayISAPI.dll"; http_uri; nocase; content:"MakeTrack&Item="; nocase; content:".ebay.com"; nocase; http_header; reference:url,doc.emergingthreats.net/2001909; classtype:policy-violation; sid:2001909; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Eurobarre.us Setup User-Agent"; flow:established,to_server; content:"User-Agent|3a| eurobarre "; http_header; nocase; reference:url,doc.emergingthreats.net/2008336; classtype:policy-violation; sid:2008336; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 3306 -> $HOME_NET any (msg:"ET POLICY External MYSQL Server Connection"; flow:from_server,established; content:"|00|"; depth:1; offset:3; reference:url,doc.emergingthreats.net/2008572; classtype:trojan-activity; sid:2008572; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET POLICY FTP Login Attempt (non-anonymous)"; flow:to_server,established; content:"USER"; content:!"PASS "; nocase; pcre:!"/^USER\s+(anonymous|ftp)/smi"; reference:url,doc.emergingthreats.net/2003303; classtype:misc-activity; sid:2003303; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 21 -> any any (msg:"ET POLICY FTP Login Successful"; flow:from_server,established; flowbits:isset,ET.ftp.user.login; flowbits:isnotset,ftp.user.logged_in; flowbits:set,ftp.user.logged_in; content:"230 "; depth:4; reference:url,doc.emergingthreats.net/2003410; classtype:misc-activity; sid:2003410; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET POLICY FTP Frequent Administrator Login Attempts"; flow:to_server,established; content:"USER Administrator|0d0a|"; nocase; threshold: type threshold, track by_src, count 3, seconds 30; reference:url,doc.emergingthreats.net/2009667; classtype:attempted-admin; sid:2009667; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET POLICY FTP Frequent Admin Login Attempts"; flow:to_server,established; content:"USER Admin|0d0a|"; nocase; threshold: type threshold, track by_src, count 3, seconds 30; reference:url,doc.emergingthreats.net/2009668; classtype:attempted-admin; sid:2009668; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 22:1024 (msg:"ET POLICY FTP Conversation on Low Port - Likely Hostile (TYPE A)"; flow:established,to_server; dsize:6; content:"TYPE "; depth:5; reference:url,doc.emergingthreats.net/2008589; classtype:trojan-activity; sid:2008589; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 22:1024 (msg:"ET POLICY FTP Conversation on Low Port - Likely Hostile (PASV)"; flow:established,to_server; dsize:4; content:"PASV"; reference:url,doc.emergingthreats.net/2008590; classtype:trojan-activity; sid:2008590; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY FOX,ABC On-demand UA"; flow:to_server,established; content:"User-Agent|3a| QSP"; nocase; http_header; reference:url,doc.emergingthreats.net/2007639; classtype:policy-violation; sid:2007639; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 31 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; threshold:type limit, track by_src,count 1, seconds 30; reference:url,doc.emergingthreats.net/2008744; classtype:policy-violation; sid:2008744; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 32 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; threshold:type limit, track by_src,count 1, seconds 30; reference:url,doc.emergingthreats.net/2008745; classtype:policy-violation; sid:2008745; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 33 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; threshold:type limit, track by_src,count 1, seconds 30; reference:url,doc.emergingthreats.net/2008746; classtype:policy-violation; sid:2008746; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 34 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; threshold:type limit, track by_src,count 1, seconds 30; reference:url,doc.emergingthreats.net/2008747; classtype:policy-violation; sid:2008747; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 35 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; threshold:type limit, track by_src,count 3, seconds 30; reference:url,doc.emergingthreats.net/2008748; classtype:policy-violation; sid:2008748; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY docs.google.com Activity"; flow:established,to_server; content:"Host|3a| docs.google.com|0d 0a|"; http_header; nocase; reference:url,docs.google.com; reference:url,doc.emergingthreats.net/2003121; classtype:policy-violation; sid:2003121; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Google Calendar in Use"; flow:established,to_server; content:"/calendar/"; http_uri; content:"Host|3a| www.google.com"; http_header; nocase; threshold:type both, count 1, seconds 60, track by_src; reference:url,www.computerworld.com.au/index.php?id=1687889918&eid=-255; reference:url,doc.emergingthreats.net/2003597; classtype:policy-violation; sid:2003597; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Google Desktop User-Agent Detected"; flow:to_server,established; content:"(compatible|3b| Google Desktop)"; http_header; fast_pattern:13,15; nocase; threshold: type limit, count 1, seconds 360, track by_src; reference:url,news.com.com/2100-1032_3-6038197.html; reference:url,doc.emergingthreats.net/2002801; classtype:policy-violation; sid:2002801; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Google Search Appliance browsing the Internet"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent|3A| gsa-crawler"; http_header; nocase; reference:url,www.google.com/enterprise/gsa/index.html; reference:url,doc.emergingthreats.net/2002838; classtype:web-application-activity; sid:2002838; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hotmail Inbox Access"; flow: to_server,established; content:"hotmail.msn.com"; http_header; content:"/cgi-bin/HoTMaiL?curmbox="; nocase; http_uri; reference:url,doc.emergingthreats.net/2000035; classtype:policy-violation; sid:2000035; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hotmail Message Access"; flow: to_server,established; content:"hotmail.msn.com"; http_header; content:"/cgi-bin/getmsg?msg=MSG"; http_uri; reference:url,doc.emergingthreats.net/2000036; classtype:policy-violation; sid:2000036; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hotmail Compose Message Access"; flow: to_server,established; content:"curmbox="; http_uri; nocase; content:"hotmail.msn.com"; http_header; nocase; content:"/cgi-bin/compose?/"; nocase; http_uri; reference:url,doc.emergingthreats.net/2000037; classtype:policy-violation; sid:2000037; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hotmail Compose Message Submit"; flow: to_server,established; content:"hotmail.msn.com"; nocase; http_header; content:"/cgi-bin/premail/"; http_uri; reference:url,doc.emergingthreats.net/2000038; classtype:policy-violation; sid:2000038; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hotmail Compose Message Submit Data"; flow: to_server,established; content:"curmbox="; nocase; content:"login="; nocase; content:"msghdrid"; nocase; content:"sigflag="; nocase; reference:url,doc.emergingthreats.net/2000039; classtype:policy-violation; sid:2000039; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hotmail Inbox Access"; flow:to_server,established; content:"GET"; http_method; content:"mail.live.com"; http_header; content:"/mail/InboxLight.aspx"; http_uri; depth:21; reference:url,doc.emergingthreats.net/2008238; classtype:policy-violation; sid:2008238; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hotmail Message Access"; flow:to_server,established; content:"GET"; http_method; content:"mail.live.com"; http_header; content:"/mail/ReadMessageLight.aspx"; http_uri; reference:url,doc.emergingthreats.net/2008239; classtype:policy-violation; sid:2008239; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hotmail Compose Message Access"; flow:to_server,established; content:"GET"; http_method; content:"mail.live.com"; http_header; nocase; content:"/mail/EditMessageLight.aspx"; http_uri; reference:url,doc.emergingthreats.net/2008240; classtype:policy-violation; sid:2008240; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hotmail Access Full Mode"; flow:to_server,established; content:"GET"; http_method; content:"mail.live.com"; http_header; content:"/mail/ApplicationMain"; http_uri; reference:url,doc.emergingthreats.net/2008242; classtype:policy-violation; sid:2008242; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET 23 -> any any (msg:"ET POLICY Telnet to HP JetDirect Printer With No Password Set"; flow:to_client,established; content:"HP JetDirect"; content:"Password is not set"; offset:40; depth:30; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj05999#A3; reference:url,doc.emergingthreats.net/2009535; classtype:misc-activity; sid:2009535; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET POLICY External FTP Connection TO Local HP JetDirect Printer"; flow:to_client,established; content:"Hewlett-Packard FTP Print Server Version"; content:"To print a file, use the command|3a| put <filename> [portx]"; offset:40; depth:190; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj06165; reference:url,doc.emergingthreats.net/2009536; classtype:misc-activity; sid:2009536; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp any 1985 -> 224.0.0.2 1985 (msg:"ET POLICY HSRP Active Router Changed"; content:"|00 04|"; depth:3; reference:url,packetlife.net/blog/2008/oct/27/hijacking-hsrp/; reference:url,doc.emergingthreats.net/2009243; classtype:bad-unknown; sid:2009243; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY HTTP Redirect to IPv4 Address"; flow:established,from_server; content:"302"; http_stat_code; content:"Found"; nocase; content:"Location|3a| "; nocase; http_header; pcre:"/Location\: (http\:\/\/)?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\//i"; reference:url,doc.emergingthreats.net/2011085; classtype:misc-activity; sid:2011085; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET !$HTTP_PORTS (msg:"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port"; flow:to_server,established; content:"CONNECT "; nocase; depth:8; content:" HTTP/1."; nocase; within:1000; reference:url,doc.emergingthreats.net/2008284; classtype:misc-activity; sid:2008284; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY HTTP CONNECT Tunnel Attempt Inbound"; flow: to_server,established; content:"CONNECT "; nocase; content:"|0d 0a|"; within: 1024; distance: 0; content:"HTTP/1."; nocase; within: 8; distance: -10; content:!"|3a|80"; within: 4; distance: -11; content:"CONNECT "; nocase; content:"|0d 0a|"; within: 1024; distance: 0; content:"HTTP/1."; nocase; within: 8; distance: -10; content:!"|3a|443"; within: 5; distance: -12; reference:url,doc.emergingthreats.net/2000560; classtype:misc-activity; sid:2000560; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP CONNECT Tunnel Attempt Outbound"; flow: to_server,established; content:"CONNECT "; nocase; content:"|0d 0a|"; within: 1024; distance: 0; content:"HTTP/1."; nocase; within: 8; distance: -10; content:!"|3a|80"; within: 4; distance: -11; content:"CONNECT "; nocase; content:"|0d 0a|"; within: 1024; distance: 0; content:"HTTP/1."; nocase; within: 8; distance: -10; content:!"|3a|443"; within: 5; distance: -12; reference:url,doc.emergingthreats.net/2008330; classtype:misc-activity; sid:2008330; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET POLICY Possible HTTP-TUNNEL to External Proxy for Anonymous Access"; flow:established,to_server; content:"GET /login/FetchProtocolVersion2.htm"; depth:36; threshold:type limit, track by_src,count 5, seconds 30; reference:url,doc.emergingthreats.net/2008842; classtype:policy-violation; sid:2008842; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET POLICY Possible HTTP-TUNNEL to External Proxy for Anonymous Access (server download)"; flow:established,to_server; content:"GET login/fetchFreeServersVersion2.aspx"; depth:39; threshold:type limit, track by_src,count 5, seconds 30; reference:url,doc.emergingthreats.net/2008843; classtype:policy-violation; sid:2008843; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET [81:8079,8081:65535] (msg:"ET POLICY HTTP Request on Unusual Port Possibly Hostile"; flow:established,to_server; content:"GET "; nocase; depth:4; reference:url,doc.emergingthreats.net/2006408; classtype:policy-violation; sid:2006408; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET [81:8079,8081:65535] (msg:"ET POLICY HTTP POST on unusual Port Possibly Hostile"; flow:established,to_server; content:"POST "; nocase; depth:5; reference:url,doc.emergingthreats.net/2006409; classtype:policy-violation; sid:2006409; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> [64.34.106.33,64.94.18.67] 12975 (msg:"ET POLICY Outbound Hamachi VPN Connection Attempt"; flags:S,12; threshold:type limit, track by_src, count 1, seconds 120; reference:url,www.hamachi.cc; reference:url,doc.emergingthreats.net/2002729; classtype:policy-violation; sid:2002729; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hi5.com Social Site Access"; flow:established,to_server; content:"Host|3a| www.hi5.com"; http_header; threshold: type both, track by_src, count 5, seconds 300; reference:url,doc.emergingthreats.net/2003455; classtype:policy-violation; sid:2003455; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hyves Login Attempt"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"login_username"; reference:url,doc.emergingthreats.net/2007627; classtype:policy-violation; sid:2007627; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hyves Inbox Access"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"/messages/inbox/"; http_uri; reference:url,doc.emergingthreats.net/2007628; classtype:policy-violation; sid:2007628; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hyves Message Access"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"/messages/inbox/messages/"; http_uri; reference:url,doc.emergingthreats.net/2007629; classtype:policy-violation; sid:2007629; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hyves Compose Message"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"index.php?l1=mg"; http_uri; reference:url,doc.emergingthreats.net/2007630; classtype:policy-violation; sid:2007630; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hyves Message Submit"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"/messages/"; http_uri; content:"POST"; http_method; content:"/messages/"; http_uri; content:"postman_secret"; reference:url,doc.emergingthreats.net/2007631; classtype:policy-violation; sid:2007631; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Internet Explorer 6 in use - Significant Security Risk"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b|"; http_header; threshold: type limit, track by_src, seconds 180, count 1; classtype:policy-violation; sid:2010706; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY ICP Email Send via HTTP - Often Trojan Install Reports"; flow:established,to_server; content:"/friendship/email_thank_you.php?"; http_uri; nocase; content:"folder_id="; http_uri; nocase; content:"&params_count="; http_uri; nocase; content:"&nick_name="; http_uri; nocase; content:"&user_email="; http_uri; nocase; content:"&user_uin="; http_uri; nocase; content:"&friend_nickname="; http_uri; nocase; content:"&friend_contact="; http_uri; nocase; reference:url,doc.emergingthreats.net/2008351; classtype:policy-violation; sid:2008351; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Google Talk TLS Client Traffic"; flow:established,to_server; content:"gmail.com"; nocase; content:"jabber"; nocase; distance:64; within:78; reference:url,talk.google.com; reference:url,www.xmpp.org; reference:url,doc.emergingthreats.net/2002330; classtype:policy-violation; sid:2002330; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Google IM traffic Windows client user sign-on"; flow:to_server; content:"ms|3a|xml|3a|ns|3a|xmpp-s"; content:"X-GOOGLE-TOKEN"; reference:url,www.google.com/talk; reference:url,doc.emergingthreats.net/2002332; classtype:policy-violation; sid:2002332; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Google IM traffic friend invited"; flow:to_server; content:"><invitati"; content:"on xmlns=\"google"; reference:url,www.google.com/talk; reference:url,doc.emergingthreats.net/2002333; classtype:policy-violation; sid:2002333; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Retrieving External IP via whatismyip.com Automation Page - Possible Infection"; flow:established,to_server; content:"/automation/n09230945.asp"; http_uri; reference:url,doc.emergingthreats.net/2008985; classtype:attempted-recon; sid:2008985; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Retrieving External IP via whatismyip.com - Possible Infection"; flow:established,to_server; content:"GET"; http_method; content:"|0d 0a|Host|3a| "; http_header; content:"whatismyip."; within:15; http_header; classtype:attempted-recon; sid:2008986; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Retrieving External IP via showip.net - Possible Infection"; flow:established,to_server; content:"GET"; http_method; content:"showip."; http_header; pcre:"/^Host\x3a[^\r\n]+showip\.[a-z]+(?:\x3a\d{1,5})?\r?$/Hmi"; reference:url,doc.emergingthreats.net/2008987; classtype:attempted-recon; sid:2008987; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Retrieving External IP via cmyip.com - Possible Infection"; flow:established,to_server; content:"GET"; http_method; content:"cmyip."; http_header; reference:url,doc.emergingthreats.net/2008988; classtype:attempted-recon; sid:2008988; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Retrieving External IP via showmyip.com - Possible Infection"; flow:established,to_server; content:"GET"; http_method; content:"showmyip."; http_header; reference:url,doc.emergingthreats.net/2008989; classtype:attempted-recon; sid:2008989; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Retrieving External IP via ipchicken.com - Possible Infection"; flow:established,to_server; content:"GET"; http_method; content:".ipchicken.com"; http_header; reference:url,doc.emergingthreats.net/2009020; classtype:attempted-recon; sid:2009020; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY IRC connection"; flow: established; content:"Welcome to the "; content:"IRC Network"; nocase; reference:url,doc.emergingthreats.net/2000356; classtype:misc-activity; sid:2000356; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip any any -> any any (msg:"ET POLICY EIN in the clear (US-IRS Employer ID Number)"; pcre:"/ \d\d-\d{7} /"; reference:url,policy.ssa.gov/poms.nsf/lnx/0101001004; reference:url,policy.ssa.gov/poms.nsf/lnx/0101001001?opendocument; reference:url,doc.emergingthreats.net/2002658; classtype:policy-violation; sid:2002658; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY iTunes User Agent"; flow: established,to_server; content:"User-Agent|3a| iTunes"; nocase; http_header; threshold: type limit, count 1, seconds 360, track by_src; reference:url,hcsoftware.sourceforge.net/jason-rohrer/itms4all/; reference:url,doc.emergingthreats.net/2002878; classtype:policy-violation; sid:2002878; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Multiple Levels of Javascript Encoding & Compression Filters in PDF, Possibly Hostile PDF"; flow:established,to_client; file_data; content:"PDF-"; depth:300; content:"/Filter"; nocase; distance:0; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; reference:url,www.symantec.com/connect/blogs/journey-center-pdf-stream; reference:url,doc.emergingthreats.net/2011008; classtype:misc-activity; sid:2011008; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"ET POLICY JBOSS/JMX port 80 access from outside"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/jmx-console"; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 60; reference:url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; reference:url,doc.emergingthreats.net/2010377; classtype:web-application-attack; sid:2010377; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"ET POLICY JBOSS/JMX port 8080 access from outside"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/jmx-console"; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 60; reference:url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; reference:url,doc.emergingthreats.net/2010378; classtype:web-application-attack; sid:2010378; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Logmein.com Host List Download"; flow:established,to_server; content:"GET"; http_method; content:"/myrahost/list.aspx?"; nocase; http_uri; reference:url,doc.emergingthreats.net/2007765; classtype:policy-violation; sid:2007765; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Logmein.com Update Activity"; flow:to_server,established; content:"GET"; http_method; content:"/update.logmein.com/"; nocase; http_uri; content:!"Host|3a| "; reference:url,doc.emergingthreats.net/2007766; classtype:policy-violation; sid:2007766; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY MP3 File Transfer Outbound"; flow:established; content:"ID3|03|"; content:"TIT2"; distance:6; within:10; reference:url,filext.com/detaillist.php?extdetail=mp3&Search=Search; reference:url,doc.emergingthreats.net/2002722; classtype:policy-violation; sid:2002722; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY MP3 File Transfer Inbound"; flow: established; content:"ID3|03|"; content:"TIT2"; distance:6; within:10; reference:url,filext.com/detaillist.php?extdetail=mp3&Search=Search; reference:url,doc.emergingthreats.net/2002723; classtype:policy-violation; sid:2002723; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $HOME_NET any -> $EXTERNAL_NET 3544 (msg:"ET POLICY Microsoft TEREDO IPv6 tunneling"; content:"|FE 80 00 00 00 00 00 00 80 00|TEREDO"; offset:21; depth:16; reference:url,doc.emergingthreats.net/2003155; classtype:misc-activity; sid:2003155; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY McAfee Update User Agent (McAfee AutoUpdate)"; flow:to_server,established; content:"User-Agent|3a| "; http_header; nocase; content:"McAfee AutoUpdate"; http_header; pcre:"/User-Agent\x3a[^\n]+McAfee AutoUpdate/i"; reference:url,doc.emergingthreats.net/2003381; classtype:not-suspicious; sid:2003381; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Rapidshare auth cookie download"; flow:to_server,established; content:"GET"; http_method; content:"/files/"; http_uri; nocase; content:"rapidshare.com"; nocase; http_header; content:"user="; nocase; http_cookie; reference:url,en.wikipedia.org/wiki/RapidShare; reference:url,doc.emergingthreats.net/2006369; classtype:policy-violation; sid:2006369; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Metacafe.com Social Site Access"; flow:established,to_server; content:"Host|3a| www.metacafe.com"; http_header; threshold: type both, track by_src, count 5, seconds 300; reference:url,doc.emergingthreats.net/2003457; classtype:policy-violation; sid:2003457; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Mozilla XPI install files download"; flow: from_server,established; content:"content-type|3a| application/x-xpinstall"; http_header; nocase; reference:url,doc.emergingthreats.net/2001114; classtype:bad-unknown; sid:2001114; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Myspace Login Attempt"; flow:established,to_server; content:"secure.myspace.com"; http_header; content:"/index.cfm?fuseaction=login"; http_uri; reference:url,doc.emergingthreats.net/2002872; classtype:policy-violation; sid:2002872; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Nagios HTTP Monitoring Connection"; flow:established,to_server; content:"User-Agent|3a| check_http/"; http_header; nocase; content:"(nagios-plugins "; http_header; nocase; reference:url,doc.emergingthreats.net/2006779; classtype:not-suspicious; sid:2006779; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Nessus Vulnerability Scanner Plugins Update"; flow:to_client,established; content:"plugins.nessus.org"; content:"https|3a|//www.thawte.com/repository/index.html"; offset:432; depth:88; reference:url,www.nessus.org/nessus/; reference:url,www.nessus.org/plugins/; reference:url,doc.emergingthreats.net/2009706; classtype:policy-violation; sid:2009706; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Netflix On-demand User-Agent"; flow:to_server,established; content:"User-Agent|3a| WmpHostInternetConnection"; http_header; nocase; reference:url,doc.emergingthreats.net/2007638; classtype:policy-violation; sid:2007638; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp any any -> any any (msg:"ET POLICY Netop Remote Control Usage"; content:"|554b30303736305337473130|"; reference:url,www.netop.com; reference:url,doc.emergingthreats.net/2001597; classtype:policy-violation; sid:2001597; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Netviewer.com Remote Control Proxy Test"; flow:established,to_server; content:"POST"; http_method; content:"/nvserver"; http_uri; content:"cmd="; http_client_body; content:"&params="; http_client_body;  content:"Netviewer Proxy Test"; http_client_body; reference:url,doc.emergingthreats.net/2008472; classtype:policy-violation; sid:2008472; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Newzbin Usenet Reader License Check"; flow:established,to_server; content:"/internal/"; http_uri; content:"prodID=nl&licID="; http_uri; content:"&prodVer="; http_uri; content:"Host|3A| www.newsleecher.com"; http_header; reference:url,doc.emergingthreats.net/2009095; classtype:policy-violation; sid:2009095; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any $SSH_PORTS -> any any (msg:"ET POLICY SSH Server Banner Detected on Expected Port"; flowbits:noalert; flow: from_server,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,is_ssh_server_banner; reference:url,doc.emergingthreats.net/2001973; classtype:misc-activity; sid:2001973; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any $SSH_PORTS (msg:"ET POLICY SSH Client Banner Detected on Expected Port"; flowbits:isset,is_ssh_server_banner; flowbits:noalert; flow: from_client,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,is_ssh_client_banner; reference:url,doc.emergingthreats.net/2001974; classtype:misc-activity; sid:2001974; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any $SSH_PORTS -> any any (msg:"ET POLICY SSHv2 Server KEX Detected on Expected Port"; flowbits:isset,is_ssh_client_banner; flowbits:noalert; flow: from_server,established; byte_test:1,=,20,5; flowbits: set,is_ssh_server_kex; reference:url,doc.emergingthreats.net/2001975; classtype:misc-activity; sid:2001975; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any $SSH_PORTS (msg:"ET POLICY SSHv2 Client KEX Detected on Expected Port"; flowbits:isset,is_ssh_server_kex; flowbits:noalert; flow: from_client,established; byte_test:1,=,20,5; flowbits: set,is_ssh_client_kex; reference:url,doc.emergingthreats.net/2001976; classtype:misc-activity; sid:2001976; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any $SSH_PORTS (msg:"ET POLICY SSHv2 Client New Keys detected on Expected Port"; flowbits:noalert; flowbits:isset,is_ssh_client_kex; flow: from_client,established; byte_test:1,=,21,5; flowbits: set,is_proto_ssh; reference:url,doc.emergingthreats.net/2001977; classtype:misc-activity; sid:2001977; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any <> any $SSH_PORTS (msg:"ET POLICY SSH session in progress on Expected Port"; flowbits: isset,is_proto_ssh; threshold: type both, track by_src, count 2, seconds 300; reference:url,doc.emergingthreats.net/2001978; classtype:misc-activity; sid:2001978; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any !$SSH_PORTS -> any any (msg:"ET POLICY SSH Server Banner Detected on Unusual Port"; flowbits:noalert; flow: from_server,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,is_ssh_server_banner; reference:url,doc.emergingthreats.net/2001979; classtype:misc-activity; sid:2001979; rev:7; metadata:created_at 2010_07_30, updated_at 2017_02_01;)

#alert tcp any any -> any !$SSH_PORTS (msg:"ET POLICY SSH Client Banner Detected on Unusual Port"; flowbits:isset,is_ssh_server_banner; flow: from_client,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,is_ssh_client_banner; reference:url,doc.emergingthreats.net/2001980; classtype:misc-activity; sid:2001980; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any !$SSH_PORTS -> any any (msg:"ET POLICY SSHv2 Server KEX Detected on Unusual Port"; flowbits:isset,is_ssh_client_banner; flowbits:noalert; flow: from_server,established; byte_test:1,=,20,5; flowbits: set,is_ssh_server_kex; reference:url,doc.emergingthreats.net/2001981; classtype:misc-activity; sid:2001981; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any !$SSH_PORTS (msg:"ET POLICY SSHv2 Client KEX Detected on Unusual Port"; flowbits:noalert; flowbits:isset,is_ssh_server_kex; flow: from_client,established; byte_test:1,=,20,5; flowbits: set,is_ssh_client_kex; reference:url,doc.emergingthreats.net/2001982; classtype:misc-activity; sid:2001982; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any !$SSH_PORTS (msg:"ET POLICY SSHv2 Client New Keys Detected on Unusual Port"; flowbits:isset,is_ssh_client_kex; flowbits:noalert; flow: from_client,established; byte_test:1,=,21,5; flowbits: set,is_proto_ssh; reference:url,doc.emergingthreats.net/2001983; classtype:misc-activity; sid:2001983; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any !$SSH_PORTS -> any !$SSH_PORTS (msg:"ET POLICY SSH session in progress on Unusual Port"; flowbits: isset,is_proto_ssh; threshold: type both, track by_src, count 2, seconds 300; reference:url,doc.emergingthreats.net/2001984; classtype:misc-activity; sid:2001984; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY External Unencrypted Connection to Ossec WUI"; flow:established,to_server; content:"/ossec/"; http_uri; content:"js/calendar-setup.js"; http_uri; reference:url,www.ossec.net; reference:url,doc.emergingthreats.net/2008569; classtype:misc-activity; sid:2008569; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET POLICY Exchange 2003 OWA plain-text E-Mail message access not SSL"; flow:established,from_server; file_data; content:"var g_szURL = |22|http|3a 2f 2f|"; distance:0; content:"var g_szFolder = |22|"; content:"varg_szVirtualRoot = |22|http|3a 2f 2f|"; content:"Microsoft Corporation."; reference:url,support.microsoft.com/kb/321832; classtype:web-application-activity; sid:2010030; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 16680 (msg:"ET POLICY OperaUnite URL Registration"; flow:to_server,established; content:"REGISTER"; offset:0; depth:8; content:"operaunite.com"; within:109; reference:url,unite.opera.com; reference:url,doc.emergingthreats.net/2009895; classtype:policy-violation; sid:2009895; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Orkut.com Social Site Access"; flow:established,to_server; content:"Host|3a| www.orkut.com"; http_header; threshold: type both, track by_src, count 5, seconds 300; reference:url,doc.emergingthreats.net/2003458; classtype:policy-violation; sid:2003458; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY PDF File Containing Javascript"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/JavaScript"; nocase; distance:0; pcre:"/\x3C\x3C[^>]*\x2FJavaScript/smi"; threshold:type limit, count 1, seconds 60, track by_src; classtype:misc-activity; sid:2010882; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY PDF File Containing arguments.callee in Cleartext - Likely Hostile"; flow:established,to_client; file_data; content:"PDF-"; within:300; content:"arguments.callee"; nocase; distance:0; reference:url,isc.sans.org/diary.html?storyid=1519; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,doc.emergingthreats.net/2010883; classtype:misc-activity; sid:2010883; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET 1723 -> $EXTERNAL_NET any (msg:"ET POLICY PPTP Requester is not authorized to establish a command channel"; flow:to_client,established,no_stream; content:"|00 01|"; offset:2; depth:4; content:"|00 02|"; offset:8; depth:10; content:"|04|"; offset:12; depth:13; reference:url,tools.ietf.org/html/rfc2637; reference:url,doc.emergingthreats.net/2009387; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2009-June/002705.html; classtype:attempted-admin; sid:2009387; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Login Credentials Possibly Passed in URI"; flow:established,to_server; content:"username="; nocase; http_uri; content:"password="; http_uri; nocase; reference:url,doc.emergingthreats.net/2009001; classtype:policy-violation; sid:2009001; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Login Credentials Possibly Passed in POST Data"; flow:established,to_server; content:"POST"; http_method; content:"username="; http_client_body; nocase; content:"password="; http_client_body; nocase; reference:url,doc.emergingthreats.net/2009004; classtype:policy-violation; sid:2009004; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Pingdom.com Monitoring detected"; flow:to_server,established; content:"User-Agent|3a| Pingdom"; nocase; http_header; reference:url,royal.pingdom.com/?p=46; reference:url,doc.emergingthreats.net/2003214; classtype:attempted-recon; sid:2003214; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Pingdom.com Monitoring Node Active"; flow:to_server,established; content:"User-Agent|3a| Pingdom"; http_header; nocase; reference:url,royal.pingdom.com/?p=46; reference:url,doc.emergingthreats.net/2003215; classtype:attempted-recon; sid:2003215; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Proxy GET Request"; flow: to_server,established; content:"GET http|3a|//"; nocase; depth: 11; reference:url,doc.emergingthreats.net/2001669; classtype:bad-unknown; sid:2001669; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Proxy HEAD Request"; flow: to_server,established; content:"HEAD http|3a|//"; nocase; depth: 12; reference:url,doc.emergingthreats.net/2001670; classtype:bad-unknown; sid:2001670; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Proxy POST Request"; flow: to_server,established; content:"POST http|3a|//"; nocase; depth: 12; reference:url,doc.emergingthreats.net/2001674; classtype:bad-unknown; sid:2001674; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Proxy CONNECT Request"; flow: to_server,established; content:"CONNECT "; nocase; depth: 8; reference:url,doc.emergingthreats.net/2001675; classtype:bad-unknown; sid:2001675; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Proxy TRACE Request - inbound"; flow: to_server,established; content:"TRACE "; nocase; depth: 6; reference:url,doc.emergingthreats.net/2010766; classtype:bad-unknown; sid:2010766; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY TRACE Request - outbound"; flow: to_server,established; content:"TRACE "; nocase; depth: 6; reference:url,doc.emergingthreats.net/2010767; classtype:bad-unknown; sid:2010767; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Possible ProxyShell Anonymous Access Connection"; flow:established,to_server; content:"/services/get_proxies/"; http_uri; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/2010969; classtype:policy-violation; sid:2010969; rev:3; metadata:created_at 2010_07_30, updated_at 2017_03_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Possible ProxyShell Hide IP Installation file download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/proxyshell_hide_ip_setup.exe"; http_uri; nocase; reference:url,www.browserdefender.com/file/484661/site/putas18.info/; reference:url,doc.emergingthreats.net/2010792; classtype:policy-violation; sid:2010972; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> any $HTTP_PORTS (msg:"ET POLICY Proxy Judge Discovery/Evasion (prxjdg.cgi)"; flow: established,to_server; content:"/prxjdg.cgi"; nocase; http_uri; reference:url,doc.emergingthreats.net/2003047; classtype:policy-violation; sid:2003047; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any $HTTP_PORTS (msg:"ET POLICY Proxy Judge Discovery/Evasion (proxyjudge.cgi)"; flow: established,to_server; content:"/proxyjudge.cgi"; http_uri; nocase; reference:url,doc.emergingthreats.net/2003048; classtype:policy-violation; sid:2003048; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Trojan File Download bad rar file header (not a valid rar file)"; flow:established,from_server; content:"Content-Type|3a| application|2f|octet-stream"; http_header; content:"|0d 0a 0d 0a 52 61 72 21|"; content:!"|1A 07|"; within:2; reference:url,www.win-rar.com/index.php?id=24&kb=1&kb_article_id=162; reference:url,doc.emergingthreats.net/2008782; classtype:trojan-activity; sid:2008782; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY RDP connection request"; flow: to_server,established; content:"|03|"; offset: 0; depth: 1; content:"|E0|"; offset: 5; depth: 1; reference:url,doc.emergingthreats.net/2001329; classtype:misc-activity; sid:2001329; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET 3389 -> $EXTERNAL_NET any (msg:"ET POLICY RDP connection confirm"; flow: from_server,established; content:"|03|"; offset: 0; depth: 1; content:"|D0|"; offset: 5; depth: 1; reference:url,doc.emergingthreats.net/2001330; classtype:misc-activity; sid:2001330; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY RDP disconnect request"; flow: to_server,established; content:"|03|"; offset: 0; depth: 1; content:"|80|"; offset: 5; depth: 1; reference:url,doc.emergingthreats.net/2001331; classtype:misc-activity; sid:2001331; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET !3389 (msg:"ET POLICY Remote Desktop Connection via non RDP Port"; flow:established,to_server; content:"|03|"; depth:1; content:"|e0|"; distance:4; within:1; content:"Cookie|3a|"; distance:5; within:7; reference:url,doc.emergingthreats.net/2007571; classtype:policy-violation; sid:2007571; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET POLICY Radmin Remote Control Session Setup Initiate"; flow:established,to_server; content:"|01 00 00 00 01 00 00 00 08 08|"; flowbits:set,ET.BE.Radmin.Challenge; metadata: former_category POLICY; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003479; classtype:not-suspicious; sid:2003479; rev:6; metadata:created_at 2010_07_30, updated_at 2017_04_21;)

#alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET POLICY Radmin Remote Control Session Setup Response"; flowbits:isset,BE.Radmin.Challenge; flow:established,from_server; dsize:<50; content:"|01 00 00 00 25 00 00 02 12 08 02 00 00 0a 00 00 00 00 00 00|"; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003480; classtype:not-suspicious; sid:2003480; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET POLICY Radmin Remote Control Session Authentication Initiate"; flow:established,to_server; dsize:<20; content:"|01 00 00 00 05 00 00 02 27 27 02 00 00 00|"; flowbits:set,BE.Radmin.Auth.Challenge; metadata: former_category POLICY; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003481; classtype:not-suspicious; sid:2003481; rev:5; metadata:created_at 2010_07_30, updated_at 2017_04_21;)

alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET POLICY Radmin Remote Control Session Authentication Response"; flowbits:isset,BE.Radmin.Auth.Challenge; flow:established,from_server; dsize:<20; content:"|01 00 00 00 05 00 00 00 27 27 00 00 00 00|"; metadata: former_category POLICY; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003482; classtype:not-suspicious; sid:2003482; rev:6; metadata:created_at 2010_07_30, updated_at 2017_04_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY VNC Authentication Successful"; flowbits:isset,BSvnc.auth.agreed; flow:established; dsize:4; content:"|00 00 00 00|"; depth:4; flowbits:unset,BSvnc.auth.agreed; flowbits:unset,BSis.vnc.setup; reference:url,www.cl.cam.ac.uk/Research/DTG/attarchive/vnc/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002922; classtype:not-suspicious; sid:2002922; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY VNC Authentication Failure"; flowbits:isset,BSvnc.auth.agreed; flow:established; dsize:<50; content:"|00 00 00 01|"; depth:4; reference:url,www.cl.cam.ac.uk/Research/DTG/attarchive/vnc/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002920; classtype:attempted-admin; sid:2002920; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY RemoteSpy.com Upload Detect"; flow:established,to_server; content:"POST"; http_method; content:"upload.php"; http_uri; content:"Host|3a| www.remotespy.com"; http_header; reference:url,doc.emergingthreats.net/2008406; classtype:trojan-activity; sid:2008406; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Known SSL traffic on port 443 being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003026; classtype:not-suspicious; sid:2003026; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 9001 (msg:"ET POLICY Known SSL traffic on port 9001 (aol) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2004598; classtype:not-suspicious; sid:2004598; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET POLICY Known SSL traffic on port 8000 being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003027; classtype:not-suspicious; sid:2003027; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET POLICY Known SSL traffic on port 8080 being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003028; classtype:not-suspicious; sid:2003028; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 8200 (msg:"ET POLICY Known SSL traffic on port 8200 being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003029; classtype:not-suspicious; sid:2003029; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 8443 (msg:"ET POLICY Known SSL traffic on port 8443 being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003030; classtype:not-suspicious; sid:2003030; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 2967 (msg:"ET POLICY Known SSL traffic on port 2967 (Symantec) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003033; classtype:not-suspicious; sid:2003033; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 3128 (msg:"ET POLICY Known SSL traffic on port 3128 (proxy) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003035; classtype:not-suspicious; sid:2003035; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET POLICY Known SSL traffic on port 8080 (proxy) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003036; classtype:not-suspicious; sid:2003036; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 8292 (msg:"ET POLICY Known SSL traffic on port 8292 (Bloomberg) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003037; classtype:not-suspicious; sid:2003037; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 8294 (msg:"ET POLICY Known SSL traffic on port 8294 (Bloomberg) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003038; classtype:not-suspicious; sid:2003038; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1521 (msg:"ET POLICY Known SSL traffic on port 1521 (Oracle) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003934; classtype:not-suspicious; sid:2003934; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 995 (msg:"ET POLICY Known SSL traffic on port 995 (imaps) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2008543; classtype:not-suspicious; sid:2008543; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Hello on Unusual Port TLS"; flowbits:isnotset,BS.SSL.Known.Port; flowbits:isnotset,BS.SSL.Client.Hello; flow:established,to_server; content:"|16 03 01|"; depth:3; content:"|01|"; within:6; content:"|03 01|"; within:5; flowbits:set,BS.SSL.Client.Hello; flowbits:noalert; reference:url,doc.emergingthreats.net/2003002; classtype:unusual-client-port-connection; sid:2003002; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3"; flowbits:isnotset,BS.SSL.Known.Port; flowbits:isnotset,BS.SSL.Client.Hello; flow:established,to_server; content:"|16 03 00|"; depth:3; content:"|01|"; within:2; content:"|03 00|"; within:3; flowbits:set,BS.SSL.Client.Hello; flowbits:noalert; reference:url,doc.emergingthreats.net/2003003; classtype:unusual-client-port-connection; sid:2003003; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Hello on Unusual Port Case 2"; flowbits:isnotset,BS.SSL.Known.Port; flowbits:isnotset,BS.SSL.Client.Hello; flow:established; content:"|01 03 01|"; depth:5; offset:2; flowbits:set,BS.SSL.Client.Hello; flowbits:noalert; reference:url,doc.emergingthreats.net/2003004; classtype:unusual-client-port-connection; sid:2003004; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3"; flowbits:isnotset,BS.SSL.Known.Port; flowbits:isnotset,BS.SSL.Client.Hello; flow:established; content:"|01 03 00|"; depth:5; flowbits:set,BS.SSL.Client.Hello; flowbits:noalert; reference:url,doc.emergingthreats.net/2003005; classtype:unusual-client-port-connection; sid:2003005; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Key Exchange on Unusual Port"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 01|"; content:"|10|"; within:6; reference:url,doc.emergingthreats.net/2003006; classtype:unusual-client-port-connection; sid:2003006; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Key Exchange on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 00|"; content:"|10|"; within:6; flowbits:noalert; reference:url,doc.emergingthreats.net/2003007; classtype:unusual-client-port-connection; sid:2003007; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Cipher Set on Unusual Port"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|14 03 01 00 01 01|"; flowbits:set,BS.SSL.Client.Cipher; flowbits:noalert; reference:url,doc.emergingthreats.net/2003008; classtype:unusual-client-port-connection; sid:2003008; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Cipher Set on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|14 03 00 00 01 01|"; flowbits:set,BS.SSL.Client.Cipher; flowbits:noalert; reference:url,doc.emergingthreats.net/2003009; classtype:unusual-client-port-connection; sid:2003009; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Hello on Unusual Port"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 01|"; depth:3; content:"|02|"; within:6; content:"|03 01|"; within:6; flowbits:set,BS.SSL.Server.Hello; flowbits:noalert; reference:url,doc.emergingthreats.net/2003010; classtype:unusual-client-port-connection; sid:2003010; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Hello on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 00|"; depth:3; content:"|02|"; within:6; content:"|03 00|"; within:6; flowbits:set,BS.SSL.Server.Hello; flowbits:noalert; reference:url,doc.emergingthreats.net/2003011; classtype:unusual-client-port-connection; sid:2003011; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 01|"; content:"|0b|"; within:6; reference:url,doc.emergingthreats.net/2003012; classtype:unusual-client-port-connection; sid:2003012; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 00|"; content:"|0b|"; within:6; reference:url,doc.emergingthreats.net/2003013; classtype:unusual-client-port-connection; sid:2003013; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Key Exchange on Unusual Port"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 01|"; content:"|0c|"; within:6; flowbits:set,BS.SSL.Server.Key; flowbits:noalert; reference:url,doc.emergingthreats.net/2003014; classtype:unusual-client-port-connection; sid:2003014; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Key Exchange on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 00|"; content:"|0c|"; within:6; flowbits:set,BS.SSL.Server.Key; flowbits:noalert; reference:url,doc.emergingthreats.net/2003015; classtype:unusual-client-port-connection; sid:2003015; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Cipher Set on Unusual Port"; flowbits:isset,BS.SSL.Client.Cipher; flow:established; content:"|14 03 01 00 01|"; flowbits:set,BS.SSL.Established; flowbits:noalert; reference:url,doc.emergingthreats.net/2003018; classtype:unusual-client-port-connection; sid:2003018; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Cipher Set on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Client.Cipher; flow:established; content:"|14 03 00 00 01|"; flowbits:set,BS.SSL.Established; flowbits:noalert; reference:url,doc.emergingthreats.net/2003019; classtype:unusual-client-port-connection; sid:2003019; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Encrypted Application Data on Unusual Port"; flowbits:isset,BS.SSL.Established; flow:established,to_server; content:"|17 03 01|"; depth:4; threshold:type limit, count 1, seconds 120, track by_src; reference:url,doc.emergingthreats.net/2003020; classtype:unusual-client-port-connection; sid:2003020; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Encrypted Application Data on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Established; flow:established,to_server; content:"|17 03 00|"; depth:4; threshold:type limit, count 1, seconds 120, track by_src; reference:url,doc.emergingthreats.net/2003021; classtype:unusual-client-port-connection; sid:2003021; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip any any -> any any (msg:"ET POLICY SSN Detected in Clear Text (dashed)"; pcre:"/ ([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2])-\d{2}-\d{4} /"; reference:url,doc.emergingthreats.net/2001328; classtype:policy-violation; sid:2001328; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip any any -> any any (msg:"ET POLICY SSN Detected in Clear Text (spaced)"; pcre:"/ ([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2]) \d{2} \d{4} /"; reference:url,doc.emergingthreats.net/2001384; classtype:policy-violation; sid:2001384; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip any any -> any any (msg:"ET POLICY SSN Detected in Clear Text (SSN )"; content:"SSN "; nocase; pcre:"/SSN ([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2])\d{6} /i"; reference:url,doc.emergingthreats.net/2007971; classtype:policy-violation; sid:2007971; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip any any -> any any (msg:"ET POLICY SSN Detected in Clear Text (SSN# )"; content:"SSN# "; nocase; pcre:"/SSN# ([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2])\d{6} /i"; reference:url,doc.emergingthreats.net/2007972; classtype:policy-violation; sid:2007972; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET [139,445] (msg:"ET POLICY PsExec service created"; flow:to_server,established; content:"P|00|S|00|E|00|X|00|E|00|S|00|V|00|C"; nocase; reference:url,xinn.org/Snort-psexec.html; reference:url,doc.emergingthreats.net/2010781; classtype:suspicious-filename-detect; sid:2010781; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET [139,445] (msg:"ET POLICY RemoteControlX rctrlx service created"; flow:to_server,established; content:"|5c 00 72 00 63 00 74 00 72 00 6c 00 78 00 73 00 72 00 76 00 2e 00 65 00 78 00 65|"; reference:url,xinn.org/Snort-rctrlx.html; reference:url,doc.emergingthreats.net/2010782; classtype:suspicious-filename-detect; sid:2010782; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Binary Download Smaller than 1 MB Likely Hostile"; flow:established,from_server; content:"HTTP/1"; depth:6; file_data; content:"MZ"; within:2; fast_pattern; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; pcre:"/\x0d\x0aContent-Length\x3a \d{0,6}\x0d\x0a/"; reference:url,doc.emergingthreats.net/2007671; classtype:policy-violation; sid:2007671; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Smilebox Spyware Download"; flow:established,to_server; content:"GET"; http_method; content:"/smilebox/SmileboxInstaller.exe"; nocase; http_uri; reference:url,www.smilebox.com/info/privacy.html; reference:url,doc.emergingthreats.net/2009998; classtype:policy-violation; sid:2009998; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY CBS Streaming Video"; flow:established,to_server; content:"GET"; http_method; content:"Host|3a|"; nocase; http_header; content:"cbs.com"; nocase; http_header; content:"/innertube/player.php?"; http_uri; reference:url,doc.emergingthreats.net/2007763; classtype:policy-violation; sid:2007763; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY NBC Streaming Video"; flow:established,to_server; content:"GET"; http_method; content:"Host|3a 20|video.nbcuni.com"; nocase; http_header; pcre:"/(\.smil)$/Ui"; reference:url,doc.emergingthreats.net/2007764; classtype:policy-violation; sid:2007764; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp ![$DNS_SERVERS,$SMTP_SERVERS] any -> $DNS_SERVERS 53 (msg:"ET POLICY Possible Spambot Host DNS MX Query High Count"; content: "|01 00|"; offset: 2; depth: 4; content: "|00 0f 00 01|"; distance: 8; threshold:type both, count 30, seconds 10, track by_src; reference:url,doc.emergingthreats.net/2003330; classtype:bad-unknown; sid:2003330; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 5938 (msg:"ET POLICY TeamViewer Keep-alive outbound"; flow:established,to_server; dsize:5; content:"|17 24 1B 00 00|"; flowbits:set,ET.teamviewerkeepaliveout; flowbits:noalert; reference:url,www.teamviewer.com; reference:url,en.wikipedia.org/wiki/TeamViewer; reference:url,doc.emergingthreats.net/2008794; classtype:misc-activity; sid:2008794; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET 5938 -> $HOME_NET any (msg:"ET POLICY TeamViewer Keep-alive inbound"; flow:established,to_client; dsize:5; content:"|17 24 1B 00 00|"; flowbits:isset,ET.teamviewerkeepaliveout; threshold: type limit, count 1, seconds 120, track by_src; reference:url,www.teamviewer.com; reference:url,en.wikipedia.org/wiki/TeamViewer; reference:url,doc.emergingthreats.net/2008795; classtype:misc-activity; sid:2008795; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Terrorist Literature (Moderate Islam...)"; flow: to_client,established; content:"Moderate Islam is a Prostration to the West"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010570; classtype:policy-violation; sid:2010570; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Terrorist Literature (Jihad, Martyrdom...)"; flow: to_client,established; content:"Jihad, Martyrdom and the Killing of Innocents"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010571; classtype:policy-violation; sid:2010571; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Terrorist Literature (The Call to Global...)"; flow: to_client,established; content:"The Call to Global Islamic Resistance"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010572; classtype:policy-violation; sid:2010572; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Terrorist Literature (Knights under the...)"; flow: to_client,established; content:"Knights under the Prophet's Banner"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010573; classtype:policy-violation; sid:2010573; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Terrorist Literature (Jihad against...)"; flow: to_client,established; content:"Jihad Against Jews and Crusaders World Islamic Front Statement"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010574; classtype:policy-violation; sid:2010574; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Terrorist Literature (Declaration of War against the Americans...)"; flow: to_client,established; content:"Declaration of War against the Americans Occupying the Land of the Two Holy Places"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010575; classtype:policy-violation; sid:2010575; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Terrorist Literature (Join the Caravan of Martyrs...)"; flow: to_client,established; content:"Join the Caravan of Martyrs"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010576; classtype:policy-violation; sid:2010576; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Terrorist Literature (Sharia and Democracy...)"; flow: to_client,established; content:"Sharia and Democracy"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010577; classtype:policy-violation; sid:2010577; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Al Qaeda Propaganda Theme (fardh ain)"; flow: to_client,established; content:"fardh ain"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010578; classtype:policy-violation; sid:2010578; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Al Qaeda Propaganda Theme/Group (Takfir)"; flow: to_client,established; content:"Takfir"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010579; classtype:policy-violation; sid:2010579; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Al Qaeda Propaganda Theme (Al-Wala' Wal Bara)"; flow: to_client,established; content:"Al-Wala' Wal Bara"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010580; classtype:policy-violation; sid:2010580; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Terrorist Literature (Moderate Islam...) SMTP"; flow: to_client,established; content:"Moderate Islam is a Prostration to the West"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010581; classtype:policy-violation; sid:2010581; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Terrorist Literature (Jihad, Martyrdom...) SMTP"; flow: to_client,established; content:"Jihad, Martyrdom and the Killing of Innocents"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010582; classtype:policy-violation; sid:2010582; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Terrorist Literature (The Call to Global...) SMTP"; flow: to_client,established; content:"The Call to Global Islamic Resistance"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010583; classtype:policy-violation; sid:2010583; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Terrorist Literature (Knights under the...) SMTP"; flow: to_client,established; content:"Knights under the Prophet's Banner"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010584; classtype:policy-violation; sid:2010584; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Terrorist Literature (Jihad against...) SMTP"; flow: to_client,established; content:"Jihad Against Jews and Crusaders World Islamic Front Statement"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010585; classtype:policy-violation; sid:2010585; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Terrorist Literature (Declaration of War against the Americans...) SMTP"; flow: to_client,established; content:"Declaration of War against the Americans Occupying the Land of the Two Holy Places"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010586; classtype:policy-violation; sid:2010586; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Terrorist Literature (Join the Caravan of Martyrs...) SMTP"; flow: to_client,established; content:"Join the Caravan of Martyrs"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010587; classtype:policy-violation; sid:2010587; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Terrorist Literature (Sharia and Democracy...) SMTP"; flow: to_client,established; content:"Sharia and Democracy"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010588; classtype:policy-violation; sid:2010588; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Al Qaeda Propaganda Theme (fardh ain) SMTP"; flow: to_client,established; content:"fardh ain"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010589; classtype:policy-violation; sid:2010589; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Al Qaeda Propaganda Theme/Group (Takfir) SMTP"; flow: to_client,established; content:"Takfir"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010590; classtype:policy-violation; sid:2010590; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Al Qaeda Propaganda Theme (Al-Wala' Wal Bara) SMTP"; flow: to_client,established; content:"Al-Wala' Wal Bara"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010591; classtype:policy-violation; sid:2010591; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Proxy Connection detected"; flow:established; content:"Proxy-Connection|3a| "; http_header; reference:url,doc.emergingthreats.net/2001449; classtype:attempted-user; sid:2001449; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"ET POLICY Outbound Multiple Non-SMTP Server Emails"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 120; reference:url,doc.emergingthreats.net/2000328; classtype:misc-activity; sid:2000328; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"ET POLICY Inbound Frequent Emails - Possible Spambot Inbound"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 60; reference:url,doc.emergingthreats.net/2002087; classtype:misc-activity; sid:2002087; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp !$SMTP_SERVERS any -> !$HOME_NET 587 (msg:"ET POLICY Outbound SMTP on port 587"; flow:established; content:"mail from|3a|"; nocase; threshold: type limit, track by_src, count 1, seconds 60; reference:url,doc.emergingthreats.net/2003864; classtype:misc-activity; sid:2003864; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Wget User Agent"; flow:established,to_server; content:"User-Agent|3A| "; http_header; nocase; content:"Wget"; nocase; fast_pattern; http_header; reference:url,www.gnu.org/software/wget; reference:url,doc.emergingthreats.net/2002822; classtype:attempted-recon; sid:2002822; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY POSSIBLE Web Crawl using Wget"; flow:established,to_server; content:"User-Agent|3A| "; nocase; http_header; content:"Wget"; nocase; http_header; fast_pattern; threshold: type both, track by_src, count 10, seconds 60; reference:url,www.gnu.org/software/wget/; reference:url,doc.emergingthreats.net/2002823; classtype:attempted-recon; sid:2002823; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY CURL User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"curl"; within:100; nocase; http_header; fast_pattern; reference:url,curl.haxx.se; reference:url,doc.emergingthreats.net/2002824; classtype:attempted-recon; sid:2002824; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY POSSIBLE Web Crawl using Curl"; flow:established,to_server; content:"User-Agent|3a| curl"; http_header; nocase; fast_pattern:only; threshold: type both, track by_src, count 10, seconds 60; reference:url,curl.haxx.se; reference:url,doc.emergingthreats.net/2002825; classtype:attempted-recon; sid:2002825; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY fetch User Agent"; flow:established,to_server; content:"User-Agent|3a| "; http_header; nocase; content:"fetch"; nocase; http_header; fast_pattern; reference:url,gobsd.com/code/freebsd/lib/libfetch; reference:url,doc.emergingthreats.net/2002826; classtype:attempted-recon; sid:2002826; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY POSSIBLE Crawl using Fetch"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"fetch"; distance:0; within:50; nocase; http_header; fast_pattern; threshold: type both, track by_src, count 10, seconds 60; reference:url,gobsd.com/code/freebsd/lib/libfetch; reference:url,doc.emergingthreats.net/2002827; classtype:attempted-recon; sid:2002827; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY libwww-perl User Agent"; flow:established,to_server; content:"User-Agent|3a| "; http_header; nocase; content:"libwww-perl/"; nocase; http_header; fast_pattern; reference:url,www.linpro.no/lwp/; reference:url,doc.emergingthreats.net/2002934; classtype:attempted-recon; sid:2002934; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Possible Web Crawl - libwww-perl User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"libwww-perl/"; within:50; fast_pattern; nocase; http_header; threshold: type both, track by_src, count 10, seconds 60; reference:url,www.linpro.no/lwp/; reference:url,doc.emergingthreats.net/2002935; classtype:attempted-recon; sid:2002935; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Googlebot User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"googlebot"; nocase; http_header; fast_pattern; reference:url,www.google.com/webmasters/bot.html; reference:url,doc.emergingthreats.net/2002828; classtype:not-suspicious; sid:2002828; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Googlebot Crawl"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"googlebot"; nocase; http_header; fast_pattern; threshold: type both, track by_src, count 10, seconds 60; reference:url,www.google.com/webmasters/bot.html; reference:url,doc.emergingthreats.net/2002829; classtype:attempted-recon; sid:2002829; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Msnbot User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"msnbot"; nocase; http_header; fast_pattern; reference:url,search.msn.com/msnbot.htm; reference:url,doc.emergingthreats.net/2002830; classtype:not-suspicious; sid:2002830; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Msnbot Crawl"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"msnbot"; nocase; http_header; fast_pattern; distance:0;  threshold: type both, track by_src, count 10, seconds 60; reference:url,search.msn.com/msnbot.htm; reference:url,doc.emergingthreats.net/2002831; classtype:attempted-recon; sid:2002831; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Yahoo Crawler User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"Yahoo-MMCrawler"; nocase; http_header; fast_pattern; reference:url,mms-mmcrawler-support@yahoo-inc.com; reference:url,doc.emergingthreats.net/2002832; classtype:not-suspicious; sid:2002832; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Yahoo Crawler Crawl"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"Yahoo-MMCrawler"; nocase; http_header; fast_pattern; threshold: type both, track by_src, count 10, seconds 60; reference:url,mms-mmcrawler-support@yahoo-inc.com; reference:url,doc.emergingthreats.net/2002833; classtype:attempted-recon; sid:2002833; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY python.urllib User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"python.urllib/"; nocase; http_header; fast_pattern; reference:url,docs.python.org/lib/module-urllib.html; reference:url,doc.emergingthreats.net/2002944; classtype:attempted-recon; sid:2002944; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY python.urllib User Agent Web Crawl"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"python.urllib/"; nocase; http_header; fast_pattern; threshold: type both, track by_src, count 10, seconds 60; reference:url,docs.python.org/lib/module-urllib.html; reference:url,doc.emergingthreats.net/2002943; classtype:attempted-recon; sid:2002943; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Java Url Lib User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"Java/"; nocase; http_header; fast_pattern; pcre:"/^User-Agent\:[^\n]+Java\/\d\.\d/Hmi"; reference:url,www.mozilla.org/docs/netlib/seealso/netmods.html; reference:url,doc.emergingthreats.net/2002946; classtype:attempted-recon; sid:2002946; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Java Url Lib User Agent Web Crawl"; flow:established,to_server; content:"Java/"; nocase; http_header; fast_pattern; pcre:"/User-Agent\x3a[^\n]+Java/\d\.\d/Hi"; threshold: type both, track by_src, count 10, seconds 60; reference:url,www.mozilla.org/docs/netlib/seealso/netmods.html; reference:url,doc.emergingthreats.net/2002945; classtype:attempted-recon; sid:2002945; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Yahoo Mail Message Send"; flow:to_server,established; content:"/ym/Compose"; http_uri; nocase; reference:url,doc.emergingthreats.net/2000044; classtype:policy-violation; sid:2000044; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Yahoo Mail General Page View"; flow:to_server,established; content:"/ym/login"; http_uri; nocase; content:".rand="; nocase; reference:url,doc.emergingthreats.net/2000341; classtype:policy-violation; sid:2000341; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Yahoo Briefcase Upload"; flow:to_server,established; content:"briefcase.yahoo.com"; http_header; content:"/process_bcmultipart_form"; http_uri; nocase; reference:url,doc.emergingthreats.net/2001044; classtype:policy-violation; sid:2001044; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Winamp Streaming User Agent"; flow:established,to_server; content:"Winamp"; http_header; nocase; pcre:"/User-Agent\x3a[^\n]+Winamp/Hi"; reference:url,doc.emergingthreats.net/2003168; classtype:policy-violation; sid:2003168; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Windows 3.1 User-Agent Detected - Possible Malware or Non-Updated System"; flow:established,to_server; content:"User-Agent|3a 20|"; content:"Windows 3.1"; fast_pattern:only; http_header; content:!"Cisco AnyConnect VPN Agent"; http_header; pcre:"/User-Agent\:[^\n]+Windows 3.1/Hi"; reference:url,doc.emergingthreats.net/2011694; classtype:policy-violation; sid:2011694; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System"; flow:established,to_server; content:"Windows 98"; fast_pattern:only; http_header; pcre:"/^User-Agent\x3a[^\n]+Windows 98/Hmi"; content:!"X-Trend-ActiveUpdate"; http_header; content:!"HTTrack"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; classtype:policy-violation; sid:2007695; rev:21; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System (Win98)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; content:"Win98"; fast_pattern; http_header; pcre:"/User-Agent\x3a[^\n]+Win98/Hi"; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; classtype:policy-violation; sid:2008070; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External Windows Update in Progress"; flow:established,to_server; content:"Windows-Update-Agent"; http_header; content:"Host|3a| "; http_header; nocase;  pcre:"/User-Agent|3a|[^\n]+Windows-Update-Agent/Hsmi"; threshold: type limit, count 1, seconds 300, track by_src; reference:url,windowsupdate.microsoft.com; reference:url,doc.emergingthreats.net/2002948; classtype:policy-violation; sid:2002948; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Windows Update in Progress"; flow:established,to_server; content:"Windows-Update-Agent"; http_header; content:"Host|3a|"; http_header; nocase; within:20; pcre:"/User-Agent\x3a[^\n]+Windows-Update-Agent/i"; threshold: type limit, count 1, seconds 300, track by_src; reference:url,windowsupdate.microsoft.com; reference:url,doc.emergingthreats.net/2002949; classtype:policy-violation; sid:2002949; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Winpcap Installation in Progress"; flow:established,to_server; content:"/install/banner/"; http_uri; nocase; pcre:"/\d/\d+.jpg/Ui"; content:"Host|3a| www.winpcap.org"; nocase; http_header; content:"User-Agent|3a| NSISDL"; nocase; http_header; reference:url,www.winpcap.org; reference:url,doc.emergingthreats.net/2002866; classtype:policy-violation; sid:2002866; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow:to_server,established; content:"User-Agent|3a| Wise"; http_header; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; reference:url,doc.emergingthreats.net/2002167; classtype:trojan-activity; sid:2002167; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 88 (msg:"ET POLICY X-Box Live Connecting"; content:"<Xbox Version="; content:" Title=0x"; distance:4; within:32; reference:url,www.microsoft.com/xbox/; reference:url,doc.emergingthreats.net/2002796; classtype:policy-violation; sid:2002796; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Yahoo 360 Social Site Access"; flow:established,to_server; content:"Host|3a| 360.yahoo.com"; http_header; threshold: type both, track by_src, count 5, seconds 300; reference:url,doc.emergingthreats.net/2003454; classtype:policy-violation; sid:2003454; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any any (msg:"ET POLICY ZIPPED DOC in transit"; flow:established; content:"|50 4B 03 04|"; content:"|00|"; content:".doc"; nocase; reference:url,doc.emergingthreats.net/2001402; classtype:not-suspicious; sid:2001402; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any any (msg:"ET POLICY ZIPPED XLS in transit"; flow:established; content:"|50 4B 03 04|"; content:"|00|"; content:".xls"; nocase; reference:url,doc.emergingthreats.net/2001403; classtype:not-suspicious; sid:2001403; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any any (msg:"ET POLICY ZIPPED EXE in transit"; flow:established; content:"|50 4B 03 04|"; content:"|00|"; content:".exe"; nocase; reference:url,doc.emergingthreats.net/2001404; classtype:not-suspicious; sid:2001404; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any any (msg:"ET POLICY ZIPPED PPT in transit"; flow:established; content:"|50 4B 03 04|"; content:"|00|"; content:".ppt"; nocase; reference:url,doc.emergingthreats.net/2001405; classtype:not-suspicious; sid:2001405; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY Possible hidden zip extension .cpl"; flow:established; content:"|20 20 2E 63 70 6C 50 4B|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2001406; classtype:suspicious-filename-detect; sid:2001406; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .pif"; flow:established; content:"|50 4b 03 04|"; byte_jump:2,22,relative,little, post_offset 2; content:".pif"; distance:-4; within:4; reference:url,doc.emergingthreats.net/2001407; classtype:suspicious-filename-detect; sid:2001407; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .scr"; flow:established; content:"|50 4b 03 04|"; byte_jump:2,22,relative,little, post_offset 2; content:".scr"; distance:-4; within:4; reference:url,doc.emergingthreats.net/2001408; classtype:suspicious-filename-detect; sid:2001408; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Baidu.com Agent User-Agent (Desktop Web System)"; flow:to_server,established; content:"User-Agent|3a| Desktop Web System"; nocase; http_header; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/2003604; classtype:trojan-activity; sid:2003604; rev:7; metadata:created_at 2010_07_30, updated_at 2017_04_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Baidu.com Related Agent User-Agent (iexp)"; flow:to_server,established; content:"User-Agent|3a| iexp|0d 0a|"; http_header; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/2003608; classtype:trojan-activity; sid:2003608; rev:9; metadata:created_at 2010_07_30, updated_at 2017_04_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY User-Agent (Launcher)"; flow: to_server,established; content:"Launcher"; http_header; nocase; pcre:"/User-Agent\x3a[^\n]+Launcher/iH"; reference:url,doc.emergingthreats.net/2010645; classtype:trojan-activity; sid:2010645; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Maxthon Browser Background Agent UA (MxAgent)"; flow:to_server,established; content:"User-Agent|3a| MxAgent"; nocase; http_header; reference:url,doc.emergingthreats.net/2011125; classtype:not-suspicious; sid:2011125; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Suspicious User-Agent (XXX) Often Sony Update Related"; flow:established,to_server; content:"User-Agent|3a| XXX|0d 0a|"; http_header; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/bin/view/Main/2010157; classtype:not-suspicious; sid:2010157; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Audit, created_at 2010_07_30, updated_at 2017_10_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Suspicious User-Agent (InetURL)"; flow:established,to_server; content:"User-Agent|3a| InetURL"; http_header; content:!"www.dell.com"; http_header; content:!"pdfmachine.com"; http_header; content:!"gs.apple.com"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/bin/view/Main/2008374; classtype:trojan-activity; sid:2008374; rev:15; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Audit, created_at 2010_07_30, updated_at 2017_10_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Suspicious User-Agent (dwplayer)"; flow:established,to_server; content:"User-Agent|3a| dwplayer"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/bin/view/Main/2008489; classtype:policy-violation; sid:2008489; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Audit, created_at 2010_07_30, updated_at 2017_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY trymedia.com User-Agent (Macrovision_DM)"; flow:established,to_server; content:"User-Agent|3a| Macrovision_DM"; http_header; content:"trymedia.com|0d 0a|"; http_header; pcre:"/Host\x3a.+trymedia\.com\r$/Hm"; reference:url,doc.emergingthreats.net/2009445; classtype:trojan-activity; sid:2009446; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Win32/Sogou User-Agent (SOGOU_UPDATER)"; flow:established,to_server; content:"User-Agent|3a| SOGOU_UPDATER|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2011719; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Program%3aWin32%2fSogou; classtype:trojan-activity; sid:2011719; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Suspicious User Agent (AskInstallChecker)"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent|3a| AskInstall"; nocase; http_header; reference:url,doc.emergingthreats.net/2011225; classtype:policy-violation; sid:2011225; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers"; flow:to_server,established; content:"User-Agent|3a| NSIS|5f|Inetc |28|Mozilla|29|"; http_header; reference:url,doc.emergingthreats.net/2011227; classtype:trojan-activity; sid:2011227; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY User-Agent Recuva (Recuva)"; flow:to_server,established; content:"User-Agent|3a| Recuva|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011090; reference:url,www.piriform.com/; classtype:trojan-activity; sid:2011090; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY ASProtect/ASPack Packed Binary"; flow:from_server,established; flowbits:isnotset,ET.http.binary; content:"|2E 61 73 70 61 63 6B|"; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,www.aspack.com/downloads.aspx; reference:url,bits.packetninjas.org/eblog/; reference:url,doc.emergingthreats.net/2008575; classtype:trojan-activity; sid:2008575; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Data POST to an image file (gif)"; flow:to_server,established; content:"POST"; http_method; content:".gif"; http_uri; fast_pattern:only; pcre:"/\.gif$/U"; pcre:"/POST\s[^\r\n]+?(?<!__utm)\.gif HTTP\/1\./"; content:!".tealiumiq.com"; http_header; content:!"snackly.co"; http_header; content:!"otf.msn.com"; http_header; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/2010066; classtype:trojan-activity; sid:2010066; rev:13; metadata:created_at 2010_07_30, updated_at 2018_06_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Data POST to an image file (jpg)"; flow:to_server,established; content:"POST"; http_method; content:".jpg"; http_uri; content:!"upload.wikimedia.org"; http_uri; pcre:"/\.jpg$/U"; reference:url,doc.emergingthreats.net/2010067; classtype:trojan-activity; sid:2010067; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Data POST to an image file (jpeg)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".jpeg"; nocase; http_uri; content:".jpeg HTTP"; nocase; pcre:"/\.jpeg$/i"; reference:url,doc.emergingthreats.net/2010068; classtype:trojan-activity; sid:2010068; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Data POST to an image file (bmp)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".bmp"; nocase; http_uri; content:".bmp HTTP"; nocase; pcre:"/\.bmp$/i"; reference:url,doc.emergingthreats.net/2010069; classtype:trojan-activity; sid:2010069; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Data POST to an image file (png)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".png"; nocase; http_uri; content:".png HTTP"; nocase; pcre:"/\.png$/Ui"; reference:url,doc.emergingthreats.net/2010070; classtype:trojan-activity; sid:2010070; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL POLICY TRAFFIC Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!6; ip_proto:!89; ip_proto:!17; classtype:non-standard-protocol; sid:2101620; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL POLICY Windows Media Video download"; flow:from_server,established; content:"Content-type|3A| video/x-ms-asf"; nocase; http_header; classtype:policy-violation; sid:2101438; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL POLICY Windows Media download"; flow:from_server,established; content:"Content-Type|3A|"; nocase; http_header; pcre:"/^Content-Type\x3a\s*(?=[av])(video\/x\-ms\-(w[vm]x|asf)|a(udio\/x\-ms\-w(m[av]|ax)|pplication\/x\-ms\-wm[zd]))/Hmi"; classtype:policy-violation; sid:2101437; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"GPL POLICY SOCKS Proxy attempt"; flags:S,12; flow:stateless; reference:url,help.undernet.org/proxyscan/; classtype:attempted-recon; sid:2100615; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"GPL POLICY PPTP Start Control Request attempt"; flow:to_server,established,no_stream; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; classtype:attempted-admin; sid:2102044; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"GPL POLICY MS Remote Desktop Request RDP"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; reference:bugtraq,3099; reference:cve,2001-0540; reference:url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx; classtype:protocol-command-decode; sid:2101447; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 34012 (msg:"GPL POLICY Remote PC Access connection attempt"; flow:to_server,established; content:"|28 00 01 00 04 00 00 00 00 00 00 00|"; depth:12; reference:nessus,11673; classtype:trojan-activity; sid:2102124; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"GPL POLICY PCAnywhere Attempted Administrator Login"; flow:to_server,established; content:"ADMINISTRATOR"; classtype:attempted-admin; sid:2100507; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5802 (msg:"GPL POLICY vncviewer Java applet download attempt"; flow:to_server,established; content:"/vncviewer.jar"; reference:nessus,10758; classtype:misc-activity; sid:2101846; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"GPL POLICY Linksys router default password login attempt"; flow:to_server,established; content:"Authorization|3A| OmFkbWlu"; nocase; reference:nessus,10999; classtype:default-login-attempt; sid:2101860; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"GPL POLICY Linksys router default username and password login attempt"; flow:to_server,established; content:"Authorization|3A| YWRtaW46YWRtaW4"; nocase; reference:nessus,10999; classtype:default-login-attempt; sid:2101861; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"GPL POLICY Sun JavaServer default password login attempt"; flow:to_server,established; content:"/servlet/admin"; content:"ae9f86d6beaa3f9ecb9a5b7e072a4138"; reference:cve,1999-0508; reference:nessus,10995; classtype:default-login-attempt; sid:2101859; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL POLICY VNC server response"; flow:established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; classtype:misc-activity; sid:2100560; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"GPL POLICY tcp port 0 traffic"; flow:stateless; classtype:misc-activity; sid:2100524; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any (msg:"GPL POLICY PCAnywhere Failed Login"; flow:from_server,established; content:"Invalid login"; depth:16; reference:arachnids,240; classtype:unsuccessful-user; sid:2100512; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL POLICY IPSec PGPNet connection attempt"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 88 0D 00 00 5C 00 00 00 01 00 00 00 01 00 00 00|P|01 01 00 02 03 00 00 24 01 01 00 00 80 01 00 06 80 02 00 02 80 03 00 03 80 04 00 05 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03 00 03 80 04 00 02 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 10|"; classtype:protocol-command-decode; sid:2101771; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 5632 (msg:"GPL POLICY PCAnywhere server response"; content:"ST"; depth:2; classtype:misc-activity; sid:2100566; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"GPL POLICY AFS access"; content:"|00 00 03 E7 00 00 00 00 00 00 00|e|00 00 00 00 00 00 00 00 0D 05 00 00 00 00 00 00 00|"; fast_pattern:only; reference:nessus,10441; classtype:misc-activity; sid:2101504; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"GPL POLICY udp port 0 traffic";  reference:bugtraq,576; reference:cve,1999-0675; reference:nessus,10074; classtype:misc-activity; sid:2100525; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp any any -> any 53 (msg:"GPL POLICY MISC Tunneling IP over DNS with NSTX"; byte_test: 1,>,32,12; content: "|00 10 00 01|"; offset: 12; rawbytes; threshold: type threshold, track by_src, count 50, seconds 60; reference:url,nstx.dereference.de/nstx/; reference:url,slashdot.org/articles/00/09/10/2230242.shtml; classtype:policy-violation; sid:2100208; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY route1.com SSL certificate for remote access detected"; flow:established,to_client; content:"Route1 Security Corporation"; nocase; metadata: former_category POLICY; classtype:bad-unknown; sid:2011579; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Audit, created_at 2010_09_27, updated_at 2017_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.4.x Detected"; flow:established,to_server; content:" Java/1.4."; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; metadata: former_category POLICY; reference:url,www.oracle.com/technetwork/java/javase/documentation/index.html; classtype:bad-unknown; sid:2011584; rev:10; metadata:affected_product Java, attack_target Client_Endpoint, deployment Perimeter, deployment Internal, tag EOL, signature_severity Audit, created_at 2010_09_27, performance_impact Low, updated_at 2018_04_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.5.x Detected"; flow:established,to_server; content:" Java/1.5."; nocase; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; metadata: former_category POLICY; reference:url,www.oracle.com/technetwork/java/javase/documentation/index.html; classtype:bad-unknown; sid:2011581; rev:10; metadata:affected_product Java, attack_target Client_Endpoint, deployment Perimeter, deployment Internal, tag EOL, signature_severity Audit, created_at 2010_09_27, performance_impact Low, updated_at 2018_04_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server; content:" Java/1.6.0_"; http_header; content:!"201"; within:3; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; metadata: former_category POLICY; reference:url,www.oracle.com/technetwork/articles/javase/overview-156328.html; classtype:bad-unknown; sid:2011582; rev:51; metadata:affected_product Java, attack_target Client_Endpoint, deployment Perimeter, deployment Internal, signature_severity Audit, created_at 2010_09_27, performance_impact Low, updated_at 2018_07_17;)

#alert tcp any 443 -> any any (msg:"ET POLICY OpenSSL Demo CA - Internet Widgits Pty (CN)"; flow:established,to_client; ssl_state: server_hello; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; content:"PCA"; within:50; classtype:not-suspicious; sid:2011539; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

alert tcp any 443 -> any any (msg:"ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; content:"Internet Widgits Pty Ltd"; within:50;  metadata: former_category POLICY; classtype:not-suspicious; sid:2011540; rev:6; metadata:created_at 2010_09_27, updated_at 2017_11_27;)

#alert tcp any 443 -> any any (msg:"ET POLICY OpenSSL Demo CA - Cryptsoft Pty (CN)"; flow:established,to_client; ssl_state: server_hello; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; content:"Test PCA (1024 bit)"; within:50; classtype:trojan-activity; sid:2011541; rev:4; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

#alert tcp any 443 -> any any (msg:"ET POLICY OpenSSL Demo CA - Cryptsoft Pty (O)"; flow:established,to_client; ssl_state: server_hello; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; content:"CryptSoft Pty Ltd"; within:50; classtype:bad-unknown; sid:2011542; rev:8; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY PDF With Embedded File"; flow:established,to_client; file_data; content:"obj"; distance:0; content:"<<"; within:4; content:"/EmbeddedFile"; distance:0; pcre:"/\x3C\x3C[^>]*\x2FEmbeddedFile/sm"; reference:url,blog.didierstevens.com/2009/07/01/embedding-and-hiding-files-in-pdf-documents/; classtype:bad-unknown; sid:2011507; rev:7; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY request for hide-my-ip.com autoupdate"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/auto_update/HideMyIP/update.dat"; http_uri; nocase; classtype:policy-violation; sid:2011311; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY hide-my-ip.com POST version check"; flow:to_server,established; content:"POST"; nocase; http_method; content:"Host|3A|"; nocase; content:"hide|2d|my|2d|ip|2e|com"; nocase; within:20; content:"cmd|3d|"; nocase; content:"ver|3d|"; nocase; content:"hcode|3d|"; nocase; content:"product|3d|"; nocase; content:"year|3d|"; nocase; content:"xhcode|3d|"; nocase; classtype:policy-violation; sid:2011312; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to a *.co.cc domain"; flow: to_server,established; content:".co.cc|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2011374; rev:5; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to a *.cz.cc domain"; flow: to_server,established; content:".cz.cc|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2011375; rev:5; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY eval(function(p a c k e d) JavaScript from nginx Detected - Likely Hostile"; flow:established,to_client; content:"Server|3a| nginx"; nocase; http_header; content:"Content-Type|3a| text/html"; nocase; http_header; content:"eval(function(p,a,c,k,e,d)"; nocase; reference:url,doc.emergingthreats.net/2011765; classtype:bad-unknown; sid:2011765; rev:5; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp any 443 -> any any (msg:"ET POLICY OpenSSL Demo Cert Exchange"; flow:established,to_client; ssl_version:sslv2,sslv3,tls1.0,tls1.1,tls1.2; content:"|16|"; content:"|0b|"; within:8; content:"|00 a6 ed b9 1e 40 75 6f 88 0a 30 85 7b 68 b1 8d 48 89 27 33 36 20 ac 1e e8 d6 44 31 78 37 f7 e1 d0 d5 44 cf 4e 67 cb 64 ba 6c fa b6 5f a2 51 c3 5e e4 4a 31 76 c6 15 d4 85 d2 75 d8 ce 8b 4f 0b 38 bb 19 ab b0 10 94 d9 ca bd bb 65 98 c0 d4 2e 9a a4 64 90 f4 6c ee c0 db d9 e2 b0 97 ca cb 55 11 a8 00 4b c3 90 e0 7d c3 e1 d5 92 d7 b6 60 df 52 02 6f 9a 38 13 9a f4 cf 4f 68 fd 4c f8 ea ed 15|"; classtype:not-suspicious; sid:2011525; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Abnormal User-Agent No space after colon - Likely Hostile"; flow:established,to_server; content:"User-Agent|3A|Mozilla"; http_header; nocase; fast_pattern:only; content:!"BlackBerry|3b|"; http_header; content:!"PlayBook|3b|"; http_header; content:!"masterconn.qq.com"; http_header; content:!"Konfabulator"; http_header; content:!"QQPCMgr"; http_header; content:!"QQPCMgr"; http_header; metadata: former_category POLICY; classtype:trojan-activity; sid:2011800; rev:11; metadata:created_at 2010_10_12, updated_at 2017_10_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Zero Content-Length HTTP POST with data (outbound)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|0D 0A|Content-Length|3a| 0|0D 0A|"; content:"|0D 0A 0D 0A|"; distance:0; isdataat:1,relative; classtype:bad-unknown; sid:2011819; rev:1; metadata:created_at 2010_10_14, updated_at 2010_10_14;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Java JAR file download"; flow:from_server,established; file_data; content:"PK"; depth:500; content:"META-INF/"; within:100; content:"MANIFEST"; within:100; classtype:not-suspicious; sid:2011854; rev:2; metadata:created_at 2010_10_25, updated_at 2010_10_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Java JAR Download Attempt"; flow:established,to_server; content:".jar"; http_uri; reference:url,blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-java.aspx; classtype:bad-unknown; sid:2011855; rev:2; metadata:created_at 2010_10_25, updated_at 2010_10_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY SubmitToTDWTF.asmx DailyWTF Potential Source Code Leakage"; flow:established,to_server; content:"/SubmitWTF.asmx"; http_uri; content:"codeSubmission"; reference:url,thedailywtf.com/Articles/Submit-WTF-Code-Directly-From-Your-IDE.aspx; reference:url,code.google.com/p/submittotdwtf/source/browse/trunk/; classtype:policy-violation; sid:2011871; rev:1; metadata:created_at 2010_10_29, updated_at 2010_10_29;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY NSPlayer User-Agent Windows Media Player streaming detected"; flow:established,to_server; content:"User-Agent|3A 20|NSPlayer|2F|"; http_header; threshold: type limit, track by_src, seconds 300, count 1; reference:url,msdn.microsoft.com/en-us/library/cc234851; classtype:policy-violation; sid:2011874; rev:2; metadata:created_at 2010_10_29, updated_at 2010_10_29;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Logmein.com/Join.me SSL Remote Control Access"; flow:established,from_server; content:"|16 03|"; depth:2; content:"|55 04 0a|"; distance:0; content:"|0d|LogMeIn, Inc."; distance:1; within:14; content:".app"; classtype:policy-violation; sid:2014756; rev:5; metadata:created_at 2010_10_31, updated_at 2010_10_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows-Based OpenSSL Tunnel Outbound"; flow:established; content:"|16 03 00|"; content:"|00 5c|"; distance:0; content:"|c0 14 c0 0a 00 39 00 38 00 88 00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09 00 33 00 32 00 9a 00 99 00 45 00 44 c0 0e c0 04 00 2f 00 96 00 41 00 07 c0 11 c0 07 c0 0c c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 00 ff|"; distance:0; threshold: type both, count 1, seconds 300, track by_dst; reference:url,www.stunnel.org/download/binaries.html; classtype:policy-violation; sid:2012078; rev:5; metadata:created_at 2010_12_22, updated_at 2010_12_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows-Based OpenSSL Tunnel Connection Outbound 2"; flow:established; content:"|16 03 00|"; content:"|00 26|"; distance:0; content:"|00 39 00 38 00 35 00 16 00 13 00 0a 00 33 00 32 00 2f 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03|"; distance:0; threshold: type both, count 1, seconds 300, track by_dst; reference:url,www.stunnel.org/download/binaries.html; classtype:policy-violation; sid:2012079; rev:4; metadata:created_at 2010_12_22, updated_at 2010_12_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Windows-Based OpenSSL Tunnel Connection Outbound 3"; flow:established; content:"|16 03 00|"; content:"|00 34|"; distance:0; content:"|00 39 00 38 00 35 00 16 00 13 00 0a 00 33 00 32 00 2f 00 66 00 05 00 04 00 63 00 62 00 61 00 15 00 12 00 09 00 65 00 64 00 60 00 14 00 11 00 08 00 06 00 03|"; distance:0; threshold: type both, count 1, seconds 300, track by_dst; reference:url,www.stunnel.org/download/binaries.html; classtype:policy-violation; sid:2012080; rev:4; metadata:created_at 2010_12_22, updated_at 2010_12_22;)

alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Protocol 41 IPv6 encapsulation potential 6in4 IPv6 tunnel active"; ip_proto:41; threshold:type both,track by_dst, count 1, seconds 60; reference:url,en.wikipedia.org/wiki/6in4; classtype:policy-violation; sid:2012141; rev:2; metadata:created_at 2011_01_05, updated_at 2011_01_05;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to a *.cx.cc domain"; flow: to_server,established; content:".cx.cc|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2012321; rev:2; metadata:created_at 2011_02_18, updated_at 2011_02_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Apple iDisk Sync Unencrypted"; flow:established,to_server; content:"|0d 0a|Host|3a| idisk.mac.com|0d 0a|"; http_header; nocase; content:"User-Agent|3a| DotMacKit-like, File-Sync-Direct"; http_header; nocase; classtype:policy-violation; sid:2012331; rev:2; metadata:created_at 2011_02_21, updated_at 2011_02_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Akamai NetSession Interface PUTing data"; flow:established,to_server; content:"PUT|20|"; depth:4; content:"user-agent|3a|netsession_win_"; fast_pattern; reference:url,www.akamai.com/html/misc/akamai_client/netsession_interface_faq.html; classtype:policy-violation; sid:2012508; rev:1; metadata:created_at 2011_03_16, updated_at 2011_03_16;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY DNS Query For XXX Adult Site Top Level Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|xxx|00|"; fast_pattern; nocase; distance:0; reference:url,mashable.com/2011/03/19/xxx-tld-porn/; reference:url,mashable.com/2010/06/24/dot-xxx-porn-domain/; classtype:policy-violation; sid:2012522; rev:1; metadata:created_at 2011_03_21, updated_at 2011_03_21;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Executable Download From Russian Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| ru"; nocase; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2012523; rev:4; metadata:created_at 2011_03_21, updated_at 2011_03_21;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Executable Download From Chinese Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2012524; rev:3; metadata:created_at 2011_03_21, updated_at 2011_03_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to a *.gv.vg domain"; flow:established,to_server; content:".gv.vg|0d 0a|"; http_header; classtype:bad-unknown; sid:2012542; rev:4; metadata:created_at 2011_03_24, updated_at 2011_03_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to a *.ce.ms domain"; flow:established,to_server; content:".ce.ms|0d 0a|"; http_header; classtype:bad-unknown; sid:2012593; rev:4; metadata:created_at 2011_03_29, updated_at 2011_03_29;)

alert tcp [108.160.162.0/24,108.160.165.0/24,108.160.166.0/24] 443 -> $HOME_NET any (msg:"ET POLICY Dropbox.com Offsite File Backup in Use"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|*.dropbox.com"; distance:1; within:14; threshold: type limit, count 1, seconds 300, track by_src; reference:url,www.dropbox.com; reference:url,dereknewton.com/2011/04/dropbox-authentication-static-host-ids/; classtype:policy-violation; sid:2012647; rev:4; metadata:created_at 2011_04_07, updated_at 2011_04_07;)

alert udp $HOME_NET 17500 -> any 17500 (msg:"ET POLICY Dropbox Client Broadcasting"; content:"{|22|host_int|22 3a| "; depth:13; content:" |22|version|22 3a| ["; distance:0; content:"], |22|displayname|22 3a| |22|"; distance:0; threshold:type limit, count 1, seconds 3600, track by_src; classtype:policy-violation; sid:2012648; rev:3; metadata:created_at 2011_04_07, updated_at 2011_04_07;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY LoJack asset recovery/tracking - not malicious"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"TagId|3a 20|"; http_header; fast_pattern; content:".namequery.com|0d 0a|"; http_header; threshold: type limit, count 2, seconds 300, track by_src; reference:url,www.absolute.com/en/lojackforlaptops/home.aspx; classtype:attempted-recon; sid:2012689; rev:5; metadata:created_at 2011_04_14, updated_at 2011_04_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host visiting Showmyipaddress.com - Possible Trojan"; flow:established,to_server; content:"Host|3a| www.showmyipaddress.com"; nocase; http_header; classtype:policy-violation; sid:2012691; rev:1; metadata:created_at 2011_04_18, updated_at 2011_04_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Microsoft user-agent automated process response to automated request"; flow:established,from_server; file_data; content:"<p>Your current User-Agent string appears to be from an automated process,"; distance:0; classtype:trojan-activity; sid:2012692; rev:7; metadata:created_at 2011_04_19, updated_at 2011_04_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY request to .xxx TLD"; flow:established,to_server; content:"Host|3a 20|"; http_header; content:"|2E|xxx|0D 0A|"; fast_pattern; http_header; within:100; reference:url,en.wikipedia.org/wiki/.xxx; classtype:policy-violation; sid:2012694; rev:4; metadata:created_at 2011_04_20, updated_at 2011_04_20;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY MS Remote Desktop Administrator Login Request"; flow:established,to_server; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=admin"; distance:0; nocase; reference:cve,CAN-2001-0540; classtype:protocol-command-decode; sid:2012709; rev:5; metadata:created_at 2011_04_22, updated_at 2011_04_22;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY MS Terminal Server Root login"; flow:established,to_server; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=root|0d 0a|"; nocase; reference:cve,2001-0540; classtype:protocol-command-decode; sid:2012710; rev:1; metadata:created_at 2011_04_22, updated_at 2011_04_22;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY MS Remote Desktop Service User Login Request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=service|0d 0a|"; nocase; reference:cve,CAN-2001-0540; classtype:protocol-command-decode; sid:2012712; rev:1; metadata:created_at 2011_04_22, updated_at 2011_04_22;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY MS Remote Desktop POS User Login Request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=pos|0d 0a|"; nocase; reference:cve,2001-0540; classtype:protocol-command-decode; sid:2012711; rev:1; metadata:created_at 2011_04_22, updated_at 2011_04_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Babylon User-Agent (Translation App Observed in PPI MALWARE)"; flow:to_server,established; content:"User-Agent|3a| Babylon"; http_header; fast_pattern:12,7; reference:md5,54e482d6c0344935115d04b411afdb27; reference:md5,54dfd618401a573996b2b32bdd21b2d4; reference:md5,546888f8a18ed849058a5325015c29ef; reference:url,www.babylon.com; classtype:policy-violation; sid:2012735; rev:5; metadata:created_at 2011_04_28, updated_at 2011_04_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to a *.cw.cm domain"; flow:established,to_server; content:".cw.cm|0d 0a|"; http_header; classtype:bad-unknown; sid:2012737; rev:3; metadata:created_at 2011_04_28, updated_at 2011_04_28;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Suspicious IAT EnableExecuteProtectionSupport - Undocumented API to Modify DEP"; flow:established,to_client; file_data; content:"MZ"; distance:0; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"EnableExecuteProtectionSupport"; nocase; distance:0; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012777; rev:3; metadata:created_at 2011_05_03, updated_at 2011_05_03;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Suspicious IAT SetKeyboardState - Can Be Used for Keylogging"; flow:established,to_client; file_data; content:"MZ"; distance:0; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"SetKeyboardState"; nocase; distance:0; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012780; rev:4; metadata:created_at 2011_05_03, updated_at 2011_05_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to a *.tk domain"; flow:to_server,established; content:"Host|3a|"; http_header; content:".tk|0d 0a|"; fast_pattern; within:50; http_header; content:!".tcl.tk|0d 0a|"; http_header; content:!"Host|3a 20|tcl.tk|0d 0a|"; http_header; metadata: former_category POLICY; classtype:bad-unknown; sid:2012810; rev:9; metadata:created_at 2011_05_15, updated_at 2017_03_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to a *.vv.cc domain"; flow:to_server,established; content:".vv.cc|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2012827; rev:3; metadata:created_at 2011_05_19, updated_at 2011_05_19;)

alert tcp any any -> any $HTTP_PORTS (msg:"ET POLICY Cleartext WordPress Login"; flow:established,to_server; content:"log="; http_client_body; content:"&pwd="; http_client_body; content:"&wp-submit="; http_client_body; metadata: former_category POLICY; classtype:policy-violation; sid:2012843; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Audit, created_at 2011_05_25, updated_at 2017_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Possible Mobile Malware POST of IMSI International Mobile Subscriber Identity in URI"; flow:established,to_server; content:"POST"; http_method; content:"imsi="; nocase; http_uri; metadata: former_category POLICY; classtype:bad-unknown; sid:2012849; rev:3; metadata:created_at 2011_05_25, updated_at 2017_09_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Outbound Request containing a password"; flow:established,to_server; content:"password|3a|"; nocase; http_header; classtype:policy-violation; sid:2012868; rev:2; metadata:created_at 2011_05_26, updated_at 2011_05_26;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Outbound Request containing a pass field"; flow:established,to_server; content:"pass|3a| "; nocase; http_header; classtype:policy-violation; sid:2012869; rev:1; metadata:created_at 2011_05_26, updated_at 2011_05_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Outbound Request contains pw"; flow:established,to_server; content:"pw|3a| "; nocase; http_header; classtype:policy-violation; sid:2012870; rev:2; metadata:created_at 2011_05_26, updated_at 2011_05_26;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Http Client Body contains password= in cleartext"; flow:established,to_server; content:"password="; nocase; http_client_body; classtype:policy-violation; sid:2012885; rev:2; metadata:created_at 2011_05_30, updated_at 2011_05_30;)

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Http Client Body contains passwd= in cleartext"; flow:established,to_server; content:"passwd="; nocase; http_client_body; classtype:policy-violation; sid:2012886; rev:2; metadata:created_at 2011_05_30, updated_at 2011_05_30;)

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Http Client Body contains pass= in cleartext"; flow:established,to_server; content:"pass="; nocase; http_client_body; classtype:policy-violation; sid:2012887; rev:2; metadata:created_at 2011_05_30, updated_at 2011_05_30;)

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Http Client Body contains pwd= in cleartext"; flow:established,to_server; content:"pwd="; nocase; http_client_body; classtype:policy-violation; sid:2012888; rev:2; metadata:created_at 2011_05_30, updated_at 2011_05_30;)

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Http Client Body contains passphrase= in cleartext"; flow:established,to_server; content:"passphrase="; nocase; http_client_body; classtype:policy-violation; sid:2012890; rev:2; metadata:created_at 2011_05_30, updated_at 2011_05_30;)

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Http Client Body contains pword= in cleartext"; flow:established,to_server; content:"pword="; nocase; http_client_body; classtype:policy-violation; sid:2012891; rev:2; metadata:created_at 2011_05_30, updated_at 2011_05_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to a *.ae.am domain"; flow:to_server,established; content:".ae.am|0d 0a|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2012896; rev:2; metadata:created_at 2011_05_31, updated_at 2011_05_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to a *.noc.su domain"; flow:to_server,established; content:".noc.su|0d 0a|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2012897; rev:2; metadata:created_at 2011_05_31, updated_at 2011_05_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to a *.be.ma domain"; flow:to_server,established; content:".be.ma|0d 0a|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2012898; rev:2; metadata:created_at 2011_05_31, updated_at 2011_05_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to a *.qc.cx domain"; flow:to_server,established; content:".qc.cx|0d 0a|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2012899; rev:2; metadata:created_at 2011_05_31, updated_at 2011_05_31;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY URL Contains password Parameter"; flow:established,to_server; content:"password="; nocase; http_uri; pcre:"/(?<=(\?|&))password=(?!&)/Ui"; classtype:policy-violation; sid:2012911; rev:1; metadata:created_at 2011_06_01, updated_at 2011_06_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY URL Contains passwd Parameter"; flow:established,to_server; content:"passwd="; nocase; http_uri; pcre:"/(?<=(\?|&))passwd=(?!&)/Ui"; classtype:policy-violation; sid:2012912; rev:1; metadata:created_at 2011_06_01, updated_at 2011_06_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY URL Contains pass Parameter"; flow:established,to_server; content:"pass="; nocase; http_uri; pcre:"/(?<=(\?|&))pass=(?!&)/Ui"; classtype:policy-violation; sid:2012913; rev:1; metadata:created_at 2011_06_01, updated_at 2011_06_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY URL Contains pwd Parameter"; flow:established,to_server; content:"pwd="; nocase; http_uri; pcre:"/(?<=(\?|&))pwd=(?!&)/iU"; classtype:policy-violation; sid:2012914; rev:1; metadata:created_at 2011_06_01, updated_at 2011_06_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY URL Contains pw Parameter"; flow:established,to_server; content:"pw="; nocase; http_uri; pcre:"/(?<=(\?|&))pw=(?!&)/Ui"; classtype:policy-violation; sid:2012915; rev:1; metadata:created_at 2011_06_01, updated_at 2011_06_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY URL Contains passphrase Parameter"; flow:established,to_server; content:"passphrase="; http_uri; nocase; pcre:"/(?<=(\?|&))passphrase=(?!&)/Ui"; classtype:policy-violation; sid:2012916; rev:2; metadata:created_at 2011_06_01, updated_at 2011_06_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY URL Contains pword Parameter"; flow:established,to_server; content:"pword="; nocase; http_uri; pcre:"/(?<=(\?|&))pword=(?!&)/Ui"; classtype:policy-violation; sid:2012917; rev:1; metadata:created_at 2011_06_01, updated_at 2011_06_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Smilebox Software/Adware Checkin"; flow:established,to_server; content:"/trackClientAction.jsp?beacon="; http_uri; content:"&os="; http_uri; content:"&partner="; http_uri; reference:url,www.smilebox.com/privacy-policy.html; classtype:policy-violation; sid:2012933; rev:2; metadata:created_at 2011_06_06, updated_at 2011_06_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Google Music Streaming"; flow:established,to_server; content:"GET"; http_method; content:"/stream?id="; http_uri; content:"googleusercontent.com|0d 0a|"; http_header; reference:url,music.google.com/about; classtype:policy-violation; sid:2012935; rev:5; metadata:created_at 2011_06_06, updated_at 2011_06_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to a *.co.tv domain"; flow:to_server,established; content:".co.tv|0d 0a|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2012955; rev:2; metadata:created_at 2011_06_08, updated_at 2011_06_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY StumbleUpon Submission Detected"; flow:established,to_server; content:"X-SU-Version|3a| "; http_header; threshold: type both, count 2, seconds 300, track by_src; classtype:policy-violation; sid:2013013; rev:2; metadata:created_at 2011_06_10, updated_at 2011_06_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to Illegal Drug Sales Site (SilkRoad)"; flow:established,to_server; content:"ianxz6zefk72ulzz.onion|0d 0a|"; http_header; nocase; classtype:policy-violation; sid:2013015; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTMLGET User Agent Detected - Often Linux utility based"; flow:established,to_server; content:"User-Agent|3A| HTMLGET "; http_header; nocase; reference:url,mtc.sri.com/iPhone/; classtype:trojan-activity; sid:2013018; rev:4; metadata:created_at 2011_06_13, updated_at 2011_06_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY curl User-Agent Outbound"; flow:established,to_server; content:"User-Agent|3a| curl/"; nocase; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013028; rev:2; metadata:created_at 2011_06_14, updated_at 2011_06_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY libwww-perl User-Agent"; flow:established,to_server; content:"User-Agent|3a| libwww-perl/"; nocase; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013030; rev:2; metadata:created_at 2011_06_14, updated_at 2011_06_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Python-urllib/ Suspicious User Agent"; flow:established,to_server; content:"User-Agent|3a| Python-urllib/"; nocase; http_header; content:!"dropbox.com|0d0a|"; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013031; rev:2; metadata:created_at 2011_06_14, updated_at 2011_06_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Java Client HTTP Request"; flow:established,to_server; content:" Java/1."; http_header; flowbits:set,ET.http.javaclient; flowbits:noalert; classtype:misc-activity; sid:2013035; rev:1; metadata:created_at 2011_06_16, updated_at 2011_06_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Java EXE Download"; flowbits:isset,ET.http.javaclient; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2013037; rev:4; metadata:created_at 2011_06_16, updated_at 2011_06_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Android.Plankton/Tonclank Successful Installation Device Information POST"; flow:established,to_server; content:"POST"; http_method; content:"/ProtocolGW/protocol/"; nocase; http_uri; pcre:"/(?:(?:command(?:statu)?|bookmark|shortcut)s|h(?:omepage|istory)|eula(?:status)?|installation|activate|dumplog)/Ui"; reference:url,www.csc.ncsu.edu/faculty/jiang/Plankton/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013042; rev:6; metadata:created_at 2011_06_16, updated_at 2011_06_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Android.Plankton/Tonclank Successful Installation Device Information POST Message Body"; flow:established,to_server; content:"POST"; http_method; content:"action=get&applicationID="; http_client_body; nocase; depth:25; content:"&developerId="; http_client_body; nocase; distance:0; content:"&deviceId="; http_client_body; nocase; distance:0; content:"android.permission"; http_client_body; nocase; distance:0; reference:url,www.csc.ncsu.edu/faculty/jiang/Plankton/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013043; rev:3; metadata:created_at 2011_06_16, updated_at 2011_06_16;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Peach C++ Library User Agent Inbound"; flow:established,to_server; content:"User-Agent|3a| Peach"; nocase; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; reference:url,www.useragentstring.com/Peach1.01_id_12276.php; classtype:attempted-recon; sid:2013055; rev:2; metadata:created_at 2011_06_17, updated_at 2011_06_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Peach C++ Library User Agent Outbound"; flow:established,to_server; content:"User-Agent|3a| Peach"; nocase; http_header; content:!"User-Agent|3a| PeachTree"; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; reference:url,www.useragentstring.com/Peach1.01_id_12276.php; classtype:attempted-recon; sid:2013056; rev:3; metadata:created_at 2011_06_17, updated_at 2011_06_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY BitCoin"; flow:established,to_server; content:"/api/work/getwork?"; http_uri; depth:18; content:"bitcoinplus.com"; http_header; threshold: type limit, count 2, seconds 300, track by_src; classtype:bad-unknown; sid:2013059; rev:2; metadata:created_at 2011_06_17, updated_at 2011_06_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to a *.co.be domain"; flow: to_server,established; content:".co.be|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013123; rev:4; metadata:created_at 2011_06_28, updated_at 2011_06_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to a *.cu.cc domain"; flow:established,to_server; content:".cu.cc|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013170; rev:2; metadata:created_at 2011_07_02, updated_at 2011_07_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Likely PCTools.com Installer User-Agent (Installer Ping)"; flow:to_server,established; content:"User-Agent|3a| Installer Ping"; http_header; classtype:trojan-activity; sid:2013190; rev:1; metadata:created_at 2011_07_05, updated_at 2011_07_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Retrieving External IP Via myip.ozymo.com"; flow:established,to_server; content:"myip.ozymo.com"; fast_pattern:only; nocase; http_header; classtype:attempted-recon; sid:2013217; rev:1; metadata:created_at 2011_07_06, updated_at 2011_07_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Suspicious User-Agent Containing .exe"; flow:to_server,established; content:".exe|0d 0a|"; fast_pattern:only; http_header; nocase; pcre:"/User-Agent\x3a[^\n]+\.exe/iH"; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_header; content:!"vsee.exe|0d 0a|"; nocase; http_header; content:!"CTX_"; http_uri; content:!"gfi.com|0d 0a|"; http_header; content:!"pandasoftware.com"; http_header; content:!"lnssatt.exe"; http_header; metadata: former_category POLICY; classtype:trojan-activity; sid:2013224; rev:15; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Audit, created_at 2011_07_07, updated_at 2017_10_12;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Yandexbot Request Inbound"; flow:established,to_server; content:"User-Agent|3a| YandexBot"; http_header;  classtype:policy-violation; sid:2013253; rev:3; metadata:created_at 2011_07_12, updated_at 2011_07_12;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Majestic12 User-Agent Request Inbound"; flow:established,to_server; content:"MJ12bot/"; http_header; classtype:trojan-activity; sid:2013255; rev:3; metadata:created_at 2011_07_12, updated_at 2011_07_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Majestic12 User-Agent Request Outbound"; flow:established,to_server; content:"MJ12bot/"; http_header; classtype:trojan-activity; sid:2013256; rev:2; metadata:created_at 2011_07_12, updated_at 2011_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY MOBILE Apple device leaking UDID from SpringBoard"; flow:established,to_server; content:" CFNetwork/"; http_header; fast_pattern:only; content:" Darwin/"; http_header; content:"UDID"; nocase; http_client_body; pcre:"/[0-9a-f]{40}[^0-9a-f]/P"; metadata: former_category POLICY; reference:url,www.innerfence.com/howto/find-iphone-unique-device-identifier-udid; reference:url,support.apple.com/kb/HT4061; classtype:attempted-recon; sid:2013289; rev:4; metadata:created_at 2011_07_19, updated_at 2017_07_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY MOBILE Apple device leaking UDID from SpringBoard via GET"; flow:established,to_server; content:" CFNetwork/"; http_header; fast_pattern:only; content:" Darwin/"; http_header; content:"UDID"; http_uri; pcre:"/[0-9a-f]{40}[^0-9a-f]/U"; reference:url,www.innerfence.com/howto/find-iphone-unique-device-identifier-udid; reference:url,support.apple.com/kb/HT4061; classtype:attempted-recon; sid:2013290; rev:2; metadata:created_at 2011_07_19, updated_at 2011_07_19;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Self Signed SSL Certificate (Persona Not Validated)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"Persona Not Validated"; metadata: former_category POLICY; classtype:policy-violation; sid:2013294; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Audit, created_at 2011_07_21, updated_at 2017_10_12;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Self Signed SSL Certificate (Snake Oil CA)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"Snake Oil CA"; metadata: former_category POLICY; classtype:policy-violation; sid:2013295; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Audit, created_at 2011_07_21, updated_at 2017_10_12;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Free SSL Certificate Provider (StartCom Class 1 Primary Intermediate Server CA)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"StartCom Class 1 Primary Intermediate Server CA"; metadata: former_category POLICY; classtype:policy-violation; sid:2013296; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Audit, created_at 2011_07_21, updated_at 2017_10_12;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Free SSL Certificate (StartCom Free Certificate Member)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"StartCom Free Certificate Member"; metadata: former_category POLICY; classtype:policy-violation; sid:2013297; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Audit, created_at 2011_07_21, updated_at 2017_10_12;)

alert tcp any [$HTTP_PORTS,443,8834] -> $HOME_NET any (msg:"ET POLICY Nessus Server SSL certificate detected"; flow:established,to_client; content:"|16 03 01|"; content:"|0b|"; within:6; content:"Nessus Certification Authority"; nocase; metadata: former_category POLICY; classtype:bad-unknown; sid:2013298; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Audit, created_at 2011_07_21, updated_at 2017_10_12;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY DivX Client SSL Connection via Self-Signed SSL Cert"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"|30 2b 06 03 55 04 03 13 24|DivX, Inc. Certificate Authority"; distance:0; metadata: former_category POLICY; classtype:policy-violation; sid:2013300; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Audit, created_at 2011_07_23, updated_at 2017_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to a *.dlinkddns.com domain"; flow:established,to_server; content:".dlinkddns.com|0d 0a|"; http_header; nocase; classtype:bad-unknown; sid:2013311; rev:3; metadata:created_at 2011_07_25, updated_at 2011_07_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY SSL MiTM Vulnerable iOS 4.x CDMA iPhone device"; flow:established,to_server; content:"Mozilla/5.0 (iPhone"; http_header; content:" OS 4_"; http_header; distance:0; content:!"OS 4_2_1 like"; http_header; pcre:"/OS 4_2_[0-9] like/H"; threshold:type limit, count 1, seconds 600, track by_src; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4825; reference:url,en.wikipedia.org/wiki/IOS_version_history; classtype:not-suspicious; sid:2013336; rev:3; metadata:created_at 2011_07_29, updated_at 2011_07_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY User Agent Ryeol HTTP Client Class"; flow:established,to_server; content:"User-Agent|3A 20|Ryeol HTTP Client Class"; http_header; classtype:trojan-activity; sid:2013387; rev:2; metadata:created_at 2011_08_10, updated_at 2011_08_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Request to Suspicious Games at pcgame.gamedia.cn"; flow:established,to_server; content:"GET"; http_method; content:"|2e|html|3f|GameID|3d|0|2c|Path|3d|c|3a|"; http_uri; classtype:policy-violation; sid:2013400; rev:2; metadata:created_at 2011_08_10, updated_at 2011_08_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY SSL MiTM Vulnerable iOS 4.x CDMA iPhone device"; flow:established,to_server; content:"Mozilla/5.0 |28|iPhone"; http_header; content:" OS 4_"; http_header; distance:0; content:!"OS 4_2_1 like"; http_header; pcre:"/OS 4_2_[0-9] like/H"; threshold:type limit, count 1, seconds 600, track by_src; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4825; reference:url,en.wikipedia.org/wiki/IOS_version_history; reference:url,github.com/jan0/isslfix; reference:cve,CVE-2011-0228; classtype:not-suspicious; sid:2013408; rev:5; metadata:created_at 2011_08_12, updated_at 2011_08_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET !1433 (msg:"ET POLICY Outbound MSSQL Connection to Non-Standard Port - Likely Malware"; flow:to_server,established; content:"|12 01 00|"; depth:3; content:"|00 00 00 00 00 00 15 00 06 01 00 1b 00 01 02 00 1c 00|"; distance:1; within:18; content:"|03 00|"; distance:1; within:2; content:"|00 04 ff 08 00 01 55 00 00 00|"; distance:1; within:10; flowbits:set,ET.MSSQL; classtype:bad-unknown; sid:2013409; rev:3; metadata:created_at 2011_08_15, updated_at 2011_08_15;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"ET POLICY Outbound MSSQL Connection to Standard port (1433)"; flow:to_server,established; content:"|12 01 00|"; depth:3; content:"|00 00 00 00 00 00 15 00 06 01 00 1b 00 01 02 00 1c 00|"; distance:1; within:18; content:"|03 00|"; distance:1; within:2; content:"|00 04 ff 08 00 01 55 00 00 00|"; distance:1; within:10; flowbits:set,ET.MSSQL; classtype:bad-unknown; sid:2013410; rev:4; metadata:created_at 2011_08_15, updated_at 2011_08_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Executable served from Amazon S3"; flow:established,to_client; content:"Server|3A| AmazonS3"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,blog.trendmicro.com/cybercriminals-using-amazon-web-services-aws-to-host-malware/; reference:url,www.securelist.com/en/blog/208188099/Financial_data_stealing_Malware_now_on_Amazon_Web_Services_Cloud; classtype:bad-unknown; sid:2013414; rev:5; metadata:created_at 2011_08_16, updated_at 2011_08_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY CNET Custom Installer Possible Bundled Bloatware"; flow:established,to_server; content:"GET"; http_method; content:"/rest/"; http_uri; content:"/softwareProductLink?"; http_uri; content:"productSetId="; http_uri; content:!"User-Agent|3a| "; http_header; content:!"Referer|3a| "; http_header; reference:url,www.extremetech.com/computing/93504-download-com-wraps-downloads-in-bloatware-lies-about-motivations; classtype:policy-violation; sid:2013453; rev:2; metadata:created_at 2011_08_23, updated_at 2011_08_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY CNET TechTracker Software Manager request"; flow:established,to_server; content:"GET"; http_method; content:"/rest/"; http_uri; content:"Report?"; http_uri; content:"Id="; http_uri; content:!"User-Agent: "; http_header; content:!"Referer: "; http_header; reference:url,www.cnet.com/techtracker-free/; classtype:policy-violation; sid:2013454; rev:2; metadata:created_at 2011_08_23, updated_at 2011_08_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY BitCoin User-Agent Likely Bitcoin Miner"; flow:established,to_server; content:"BitCoin"; nocase; http_header; fast_pattern:only; pcre:"/User-Agent\x3A[^\r\n]*BitCoin/Hi"; metadata: former_category POLICY; reference:url,isc.sans.edu/diary.html?storyid=11059; classtype:trojan-activity; sid:2013457; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, deployment Datacenter, tag Bitcoin_Miner, signature_severity Audit, created_at 2011_08_24, updated_at 2017_10_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Facebook Like Button Clicked (1)"; flow:to_server,established; content:"/uiserver.php?social_plugin=like"; http_uri; content:"external_page_url="; http_uri; content:"Host|3a| www.facebook.com|0d 0a|"; http_header; reference:url,developers.facebook.com/docs/reference/plugins/like/; reference:url,news.cnet.com/8301-1023_3-20094866-93/facebooks-like-button-illegal-in-german-state/; classtype:policy-violation; sid:2013458; rev:1; metadata:created_at 2011_08_25, updated_at 2011_08_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Facebook Like Button Clicked (2)"; flow:to_server,established; content:"/plugins/like.php?"; http_uri; content:"href="; http_uri; content:"action=like"; http_uri; content:"Host|3a| www.facebook.com|0d 0a|"; http_header; reference:url,developers.facebook.com/docs/reference/plugins/like/; reference:url,news.cnet.com/8301-1023_3-20094866-93/facebooks-like-button-illegal-in-german-state/; classtype:policy-violation; sid:2013459; rev:1; metadata:created_at 2011_08_25, updated_at 2011_08_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY SUSPICIOUS *.doc.exe in HTTP URL"; flow:to_server,established; content:".doc.exe"; http_uri; nocase; classtype:bad-unknown; sid:2013475; rev:1; metadata:created_at 2011_08_26, updated_at 2011_08_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY SUSPICIOUS *.pdf.exe in HTTP URL"; flow:to_server,established; content:".pdf.exe"; http_uri; nocase; classtype:bad-unknown; sid:2013476; rev:1; metadata:created_at 2011_08_26, updated_at 2011_08_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY SUSPICIOUS *.doc.exe in HTTP HEADER"; flow:from_server,established; content:"Content-Disposition|3a| attachment|3b| filename="; nocase; http_header; content:".doc.exe"; nocase; distance:0; http_header; classtype:bad-unknown; sid:2013477; rev:6; metadata:created_at 2011_08_26, updated_at 2011_08_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY SUSPICIOUS *.pdf.exe in HTTP HEADER"; flow:from_server,established; content:"Content-Disposition|3a| attachment|3b| filename="; nocase; http_header; content:".pdf.exe"; nocase; distance:0; http_header; fast_pattern; classtype:bad-unknown; sid:2013478; rev:5; metadata:created_at 2011_08_26, updated_at 2011_08_26;)

#alert udp $HOME_NET 137 -> $EXTERNAL_NET 137 (msg:"ET POLICY NetBIOS nbtstat Type Query Outbound"; content:"|20 43 4b 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21 00 01|"; threshold:type limit, track by_src, count 1, seconds 10; classtype:unknown; sid:2013490; rev:2; metadata:created_at 2011_08_30, updated_at 2011_08_30;)

#alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 (msg:"ET POLICY NetBIOS nbtstat Type Query Inbound"; content:"|20 43 4b 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21 00 01|"; threshold:type limit, track by_src, count 1, seconds 10; classtype:unknown; sid:2013491; rev:2; metadata:created_at 2011_08_30, updated_at 2011_08_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Netflix Streaming Player Access"; flow:to_server,established; content:"/WiPlayer?movieid="; http_uri; content:"Host|3a| movies.netflix.com|0d 0a|"; http_header; nocase; reference:url,netflix.com; classtype:policy-violation; sid:2013498; rev:1; metadata:created_at 2011_08_30, updated_at 2011_08_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY IncrediMail Install Callback"; flow:established,to_server; content:"POST"; http_method; content:"s=PFNCIHhtbG5zPSJTdGF0aXN0aWNzTlMiPjxBIGlkPSIxIj4"; fast_pattern; reference:url,www.incredimail.com; classtype:policy-violation; sid:2013499; rev:2; metadata:created_at 2011_08_30, updated_at 2011_08_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY OS X Software Update Request Outbound"; flow:established,to_server; content:"User-Agent|3A| Software Update|2F|"; http_header; content:" Darwin|2F|"; http_header; within:48; reference:url,www.apple.com/softwareupdate/; classtype:policy-violation; sid:2013503; rev:3; metadata:created_at 2011_08_31, updated_at 2011_08_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management"; flow:established,to_server; content:"APT-HTTP|2F|"; http_header; reference:url,help.ubuntu.com/community/AptGet/Howto; classtype:not-suspicious; sid:2013504; rev:3; metadata:created_at 2011_08_31, updated_at 2011_08_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY GNU/Linux YUM User-Agent Outbound likely related to package management"; flow:established,to_server; content:"|20|yum|2F|"; http_header; threshold: type limit, track by_src, count 1, seconds 300; reference:url,www.phy.duke.edu/~rgb/General/yum_HOWTO/yum_HOWTO/; classtype:policy-violation; sid:2013505; rev:1; metadata:created_at 2011_09_01, updated_at 2011_09_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"SomeOrganizationalUnit"; metadata: former_category POLICY; classtype:policy-violation; sid:2013659; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Audit, created_at 2011_09_15, updated_at 2017_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY FreeRide Games Some AVs report as TrojWare.Win32.Trojan.Agent.Gen"; flow:to_server,established; content:"/do/SDM"; nocase; http_uri; content:"action="; nocase; http_uri; content:"User-Agent|3a| AHTTPConnection"; nocase; http_header; reference:url,forums.comodo.com/av-false-positivenegative-detection-reporting/trojwarewin32trojanagentgen-t55152.0.html; classtype:trojan-activity; sid:2013710; rev:6; metadata:created_at 2011_09_28, updated_at 2011_09_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY BingBar ToolBar User-Agent (BingBar)"; flow:established,to_server; content:"User-Agent|3A 20|BingBar|20|"; http_header; classtype:policy-violation; sid:2013715; rev:2; metadata:created_at 2011_09_30, updated_at 2011_09_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY GridinSoft.com Software Version Check"; flow:established,to_server; content:"User-Agent|3A 20|GridinSoft"; http_header; classtype:trojan-activity; sid:2013719; rev:2; metadata:created_at 2011_09_30, updated_at 2011_09_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY VMware User-Agent Outbound"; flow:established,to_server; content:"User-Agent|3A 20|vmware"; http_header; reference:url,www.vmware.com; classtype:policy-violation; sid:2013749; rev:4; metadata:created_at 2011_10_11, updated_at 2011_10_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Windows Mobile 7.0 User-Agent detected"; flow:to_server,established; content:"User-Agent|3A| ZDM/4.0|3B| Windows Mobile 7.0|3B|"; http_header; classtype:not-suspicious; sid:2013784; rev:2; metadata:created_at 2011_10_20, updated_at 2011_10_20;)

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Outgoing Chromoting Session Response"; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; depth:170; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; distance:39; reference:url,xinn.org/Chromoting.html; classtype:not-suspicious; sid:2013800; rev:3; metadata:created_at 2011_10_25, updated_at 2016_08_09;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Incoming Chromoting Session Response"; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; depth:170; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; distance:39; reference:url,xinn.org/Chromoting.html; classtype:not-suspicious; sid:2013801; rev:4; metadata:created_at 2011_10_25, updated_at 2016_08_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Bomgar Remote Assistance Tool Download"; flow:established,from_server; content:"filename="; http_header; content:"bomgar-scc-"; http_header; nocase; distance:0; fast_pattern; content:".exe"; http_header; nocase; distance:0; reference:url,www.bomgar.com; classtype:policy-violation; sid:2013867; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Norton Update User-Agent (Install Stub)"; flow:to_server,established; content:"User-Agent|3a| Install Stub"; http_header; content:"stats.norton.com|0d 0a|"; http_header; reference:url,threatexpert.com/reports.aspx?find=stats.norton.com; classtype:trojan-activity; sid:2013882; rev:3; metadata:created_at 2011_11_08, updated_at 2011_11_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Cnet App Download and Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/v"; http_uri; content:"/?v="; http_uri; content:"&c="; http_uri; pcre:"/\/v\d\.\d\.\d/U"; pcre:"/\/\?v=\d/U"; classtype:trojan-activity; sid:2013888; rev:6; metadata:created_at 2011_11_08, updated_at 2011_11_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY APT User-Agent to BackTrack Repository"; flow:established,to_server; content:"User-Agent|3A| Ubuntu APT-HTTP|2F|"; http_header; content:"|0d 0a|Host|3a| "; http_header; content:"repository.backtrack-linux.org"; http_header; within:40; reference:url,www.backtrack-linux.org; classtype:policy-violation; sid:2013914; rev:3; metadata:created_at 2011_11_16, updated_at 2011_11_16;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY external cPanel login"; flow:to_server,established; content:"/password.cgi?sptPassword="; http_uri; classtype:not-suspicious; sid:2013919; rev:1; metadata:created_at 2011_11_17, updated_at 2011_11_17;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY external cPanel password change"; flow:to_server,established; content:"pwdOld="; http_client_body; content:"pwNew="; http_client_body; content:"pwCfm="; http_client_body; classtype:not-suspicious; sid:2013920; rev:1; metadata:created_at 2011_11_17, updated_at 2011_11_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (POST)"; flow:to_server,established; content:"POST "; depth:5; content:!".etrade.com|3a|443|0d 0a|"; classtype:bad-unknown; sid:2013926; rev:3; metadata:created_at 2011_11_17, updated_at 2011_11_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (HEAD)"; flow:to_server,established; content:"HEAD "; depth:5; classtype:bad-unknown; sid:2013927; rev:2; metadata:created_at 2011_11_17, updated_at 2011_11_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (PROPFIND)"; flow:to_server,established; content:"PROPFIND "; depth:9; classtype:bad-unknown; sid:2013928; rev:2; metadata:created_at 2011_11_17, updated_at 2011_11_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (OPTIONS)"; flow:to_server,established; content:"OPTIONS "; depth:8; classtype:bad-unknown; sid:2013929; rev:2; metadata:created_at 2011_11_17, updated_at 2011_11_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (PUT)"; flow:to_server,established; content:"PUT "; depth:4; classtype:bad-unknown; sid:2013930; rev:2; metadata:created_at 2011_11_17, updated_at 2011_11_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (DELETE)"; flow:to_server,established; content:"DELETE "; depth:7; classtype:bad-unknown; sid:2013931; rev:2; metadata:created_at 2011_11_17, updated_at 2011_11_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (TRACE)"; flow:to_server,established; content:"TRACE "; depth:6; classtype:bad-unknown; sid:2013932; rev:2; metadata:created_at 2011_11_17, updated_at 2011_11_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (CONNECT)"; flow:to_server,established; content:"CONNECT "; depth:8; classtype:bad-unknown; sid:2013933; rev:2; metadata:created_at 2011_11_17, updated_at 2011_11_17;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY SSH banner detected on TCP 443 likely proxy evasion"; flow:established,from_server; content:"SSH-"; depth:4; flowbits:set,ET.is_ssh_server_banner; classtype:bad-unknown; sid:2013936; rev:6; metadata:created_at 2011_11_21, updated_at 2011_11_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Suspicious Invalid HTTP Accept Header of ?"; flow:established,to_server; content:"Accept|3a 20|?"; http_header; classtype:trojan-activity; sid:2013974; rev:2; metadata:created_at 2011_11_30, updated_at 2011_11_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Rebate Informer User-Agent (REBATEINF)"; flow: established,to_server; content:"User-Agent|3a| REBATEINF"; http_header; fast_pattern:only; reference:url,www.rebategiant.com; classtype:trojan-activity; sid:2014030; rev:1; metadata:created_at 2011_12_19, updated_at 2011_12_19;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Bluecoat Proxy in use"; flow:established,to_server; content:"X-BlueCoat-Via|3A|"; http_header; classtype:not-suspicious; sid:2014049; rev:1; metadata:created_at 2011_12_30, updated_at 2011_12_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Spyware.Agent.elbb lava.cn Game Exe Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/LavaGame_"; http_uri; nocase; content:".exe"; nocase; http_uri; reference:url,securelist.com/en/descriptions/17601150/Trojan-Dropper.Win32.Agent.elbb?print_mode=1; reference:md5,c2b4f8abc742bf048f3856525c1b2800; reference:md5,4937dc6e111996dbe331327e7e9a4a12; reference:url,www.amada.abuse.ch/?search=download.lava.cn; classtype:trojan-activity; sid:2014059; rev:7; metadata:created_at 2012_01_02, updated_at 2012_01_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Dyndns Client IP Check"; flow:established,to_server; content:"User-Agent|3a| DynDNS-Client"; http_header; content:" checkip.dyndns."; http_header; classtype:not-suspicious; sid:2014091; rev:1; metadata:created_at 2012_01_03, updated_at 2012_01_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Dyndns Client User-Agent"; flow:established,to_server; content:"User-Agent|3a| DynDNS-Client"; http_header; classtype:not-suspicious; sid:2014092; rev:1; metadata:created_at 2012_01_03, updated_at 2012_01_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Kindle Fire Browser User-Agent Outbound"; flow:from_client,established; content:"|3b| Silk/"; http_header; fast_pattern:only; pcre:"/User-Agent\x3a [^\n]+ Silk\/\d+\.\d/Hi"; reference:url,www.amazon.com/gp/product/B0051VVOB2%23silk; classtype:policy-violation; sid:2014095; rev:2; metadata:created_at 2012_01_04, updated_at 2012_01_04;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY FACEBOOK user id in http_client_body, lookup with fb.com/profile.php?id="; flow:established,to_server; content:".facebook.com|0D 0A|"; http_header; content:"&__user="; http_client_body; threshold: type limit, count 1, seconds 600, track by_src; classtype:not-suspicious; sid:2014102; rev:2; metadata:created_at 2012_01_06, updated_at 2012_01_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Softango.com Installer Checking For Update"; flow:established,to_server; content:"/service/updater.php"; http_uri; content:".smartiengine.com|0D 0A|"; http_header; classtype:policy-violation; sid:2014123; rev:1; metadata:created_at 2012_01_12, updated_at 2012_01_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Softango.com Installer POSTing Data"; flow:established,to_server; content:"POST"; http_method; content:"/service/bootstrap.php"; http_uri; content:".smartiengine.com|0D 0A|"; http_header; classtype:policy-violation; sid:2014124; rev:2; metadata:created_at 2012_01_12, updated_at 2012_01_12;)

alert tcp $HOME_NET 1024: -> any 6783 (msg:"ET POLICY Splashtop Remote Control Checkin"; flow:established,to_server; dsize:12; content:"|00 01 00 08 00 00 00 00 00 02 01 00|"; fast_pattern:only; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014127; rev:1; metadata:created_at 2012_01_16, updated_at 2012_01_16;)

alert tcp $HOME_NET 1024: -> any 6784 (msg:"ET POLICY Splashtop Remote Control Session Start Request"; flow:established,to_server; dsize:4; content:"|01 00 34 12|"; fast_pattern:only; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014128; rev:1; metadata:created_at 2012_01_16, updated_at 2012_01_16;)

alert tcp $HOME_NET 1024: -> any 6784 (msg:"ET POLICY Splashtop Remote Control Session Keepalive"; flow:established,to_server; dsize:4; content:"|00 00 34 12|"; fast_pattern:only; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014129; rev:1; metadata:created_at 2012_01_16, updated_at 2012_01_16;)

alert tcp any 6784 -> $HOME_NET 1024: (msg:"ET POLICY Splashtop Remote Control Session Keepalive Response"; flow:established,from_server; dsize:4; content:"|31 00|"; offset:2; depth:2; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014130; rev:2; metadata:created_at 2012_01_16, updated_at 2012_01_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY IP Geo Location Request"; flow:to_server,established; content:"/geo/txt/city.php"; http_uri; flowbits:set,ETPRO.IP.geo.loc; reference:md5,0e2c46dc89dceb14e7add66cbfe8a2f8; classtype:policy-violation; sid:2014264; rev:5; metadata:created_at 2012_01_19, updated_at 2012_01_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY IP geo location service response"; flow:established,from_server; flowbits:isset,ETPRO.IP.geo.loc; content:"city_name="; http_cookie; content:"state="; http_cookie; content:"country_"; http_cookie; content:"latitude="; http_cookie; content:"longitude="; http_cookie; file_data; content:"document.write(|22|"; within:16; reference:md5,0e2c46dc89dceb14e7add66cbfe8a2f8; classtype:policy-violation; sid:2014265; rev:6; metadata:created_at 2012_01_19, updated_at 2012_01_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related"; flow:established,to_server; content:".su|0d 0a|"; fast_pattern:only; http_header; pcre:"/Host\x3A\x20[^\r\n]*\x2Esu\x0D\x0A/H"; reference:url,www.abuse.ch/?p=3581; classtype:trojan-activity; sid:2014170; rev:1; metadata:created_at 2012_01_31, updated_at 2012_01_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Outbound HTTP Connection From Cisco IOS Device"; flow:established,to_server; content:"User-Agent|3A 20|cisco-IOS"; http_header; nocase; classtype:misc-activity; sid:2014201; rev:1; metadata:created_at 2012_02_07, updated_at 2012_02_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY File Being Uploaded to SendSpace File Hosting Site"; flow:established,to_server; content:"POST"; http_method; content:"processupload.html"; http_uri; content:".sendspace.com|0d 0a|"; fast_pattern; http_header; classtype:misc-activity; sid:2014202; rev:1; metadata:created_at 2012_02_07, updated_at 2012_02_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY InstallIQ Updater Software request"; flow:to_server,established; content:"/api/detectionrequest.aspx?keyid=1&shortname="; http_uri; content:"&langid="; http_uri; content:".installiq.com|0d 0a|"; http_header; classtype:policy-violation; sid:2018222; rev:3; metadata:created_at 2012_02_13, updated_at 2012_02_13;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY ASafaWeb Scan User-Agent (asafaweb.com)"; flow:established,to_server; content:"User-Agent|3a| asafaweb.com|0d 0a|"; http_header; reference:url,asafaweb.com; classtype:network-scan; sid:2014233; rev:2; metadata:created_at 2012_02_16, updated_at 2012_02_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query for try2check.me Carder Tool"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|try2check|02|me|00|"; fast_pattern; nocase; reference:url,cert.xmco.fr/blog/index.php?post/2012/02/23/Try2check.me%2C-le-maillon-fort; classtype:bad-unknown; sid:2014277; rev:3; metadata:created_at 2012_02_24, updated_at 2012_02_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External IP Lookup"; flow:established,to_server; content:"/getip.php?action=getip&ip_url="; http_uri; classtype:policy-violation; sid:2014292; rev:1; metadata:created_at 2012_02_29, updated_at 2012_02_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.7.x Detected"; flow:established,to_server; content:" Java/1.7.0_"; http_header; content:!"191"; within:3; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; metadata: former_category POLICY; reference:url,www.oracle.com/technetwork/java/javase/documentation/javase7supportreleasenotes-1601161.html; classtype:bad-unknown; sid:2014297; rev:52; metadata:affected_product Java, attack_target Client_Endpoint, deployment Perimeter, deployment Internal, signature_severity Audit, created_at 2012_03_01, performance_impact Low, updated_at 2018_07_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External IP Lookup Attempt To Wipmania"; flow:established,to_server; content:"Host|3A 20|api.wipmania.com|0d 0a|"; http_header; reference:md5,b318988249cd8e8629b4ef8a52760b65; classtype:policy-violation; sid:2014304; rev:2; metadata:created_at 2012_03_05, updated_at 2012_03_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Executable Download From DropBox"; flow:established,to_client; content:"Server|3A 20|dbws|0d 0a|"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:not-suspicious; sid:2014313; rev:4; metadata:created_at 2012_03_05, updated_at 2012_03_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Coral Web Proxy/Content Distribution Net Use"; flow:to_server,established; content:"Host|3a|"; http_header; content:".nyud.net|0d 0a|"; fast_pattern; http_header; within:100; reference:url,en.wikipedia.org/wiki/Coral_Content_Distribution_Network; classtype:policy-violation; sid:2014332; rev:2; metadata:created_at 2012_03_07, updated_at 2012_03_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Installshield One Click Install User-Agent Toys File"; flow:established,to_server; content:"User-Agent|3A 20|toys|3A 3A|file"; http_header; reference:md5,6b712c6dbc3cd87bbaeb955ea1d2d24f; classtype:trojan-activity; sid:2014341; rev:2; metadata:created_at 2012_03_08, updated_at 2012_03_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Snadboy.com Products User-Agent"; flow:established,to_server; content:"User-Agent|3A 20|SnadBoy"; http_header; reference:md5,26a813eadbf11a1dfc2e63dc7dc87480; classtype:trojan-activity; sid:2014342; rev:2; metadata:created_at 2012_03_08, updated_at 2012_03_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Suspicious User Agent UpdateSoft"; flow:established,to_server; content:"User-Agent|3A 20|UpdateSoft"; http_header; reference:md5,254efc77c18eb2f427d2a3920e07c2e8; classtype:trojan-activity; sid:2014345; rev:2; metadata:created_at 2012_03_08, updated_at 2012_03_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY DNSWatch.info IP Check"; flow:from_client,established; content:"/dns/dnslookup?la=en&host="; http_uri; content:"&type=A&submit=Resolve"; distance:0; http_uri; content:"User-Agent|3a| Mozilla/5.0 (compatible|3B| MSIE 6.0.1|3B| "; http_header; content:"WININET 5.0)|0D 0A|"; http_header; fast_pattern; content:"Host|3a| www.dnswatch.info|0D 0A|Cache-Control|3a| no-cache|0D 0A|"; http_header; classtype:trojan-activity; sid:2014359; rev:7; metadata:created_at 2012_03_09, updated_at 2012_03_09;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP GET invalid method case outbound"; flow:established,to_server; content:"get "; depth:4; nocase; content:!"GET "; depth:4; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014379; rev:2; metadata:created_at 2012_03_14, updated_at 2012_03_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP POST invalid method case outbound"; flow:established,to_server; content:"post"; http_method; nocase; content:!"POST"; http_method; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014380; rev:3; metadata:created_at 2012_03_14, updated_at 2016_12_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP HEAD invalid method case outbound"; flow:established,to_server; content:"head"; http_method; nocase; content:!"HEAD"; http_method; metadata: former_category POLICY; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014381; rev:3; metadata:created_at 2012_03_14, updated_at 2018_06_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP OPTIONS invalid method case outbound"; flow:established,to_server; content:"options "; depth:8; nocase; content:!"OPTIONS "; depth:8; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014382; rev:2; metadata:created_at 2012_03_14, updated_at 2012_03_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY DRIVEBY Generic - EXE Download by Java"; flow:from_server,established; flowbits:isnotset,ET.http.javaclient.vulnerable;  flowbits:isset,ET.http.javaclient; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; threshold:type limit,track by_src,count 1,seconds 3;  metadata: former_category POLICY; classtype:trojan-activity; sid:2014471; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Audit, created_at 2012_04_04, updated_at 2017_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY CNET TechTracker User-Agent (CNET TechTracker)"; flow:established,to_server; content:"User-Agent|3a 20|CNET TechTracker|0d 0a|"; http_header; reference:url,www.cnet.com/techtracker-free/; classtype:policy-violation; sid:2014574; rev:1; metadata:created_at 2012_04_16, updated_at 2012_04_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY eBook Generator User-Agent (EBook)"; flow:established,to_server; content:"User-Agent|3a 20|EBook|0d 0a|"; http_header; reference:url,malwr.com/analysis/a04b28e21adc70837eb7de811556ff4e/; reference:url,www.ebookgenerator.com/; classtype:policy-violation; sid:2014576; rev:2; metadata:created_at 2012_04_16, updated_at 2012_04_16;)

alert tcp $HOME_NET 443 -> $EXTERNAL_NET any (msg:"ET POLICY Cisco IOS Self Signed Certificate Served to External Host"; flow:established,to_client; content:"|16 03|"; content:"|0b|"; within:7; content:"IOS-Self-Signed-Certificate-"; distance:0; classtype:misc-activity; sid:2014617; rev:1; metadata:created_at 2012_04_19, updated_at 2012_04_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Outdated Flash Version M1"; flow:established,to_server; content:"x-flash-version|3a 20|"; http_header; content:!"30,0,0,134|0d 0a|"; distance:0; within:12; http_header; threshold: type limit, count 1, seconds 60, track by_src; metadata: former_category POLICY; reference:url,www.adobe.com/software/flash/about/; classtype:policy-violation; sid:2014726; rev:108; metadata:affected_product Adobe_Flash, signature_severity Audit, created_at 2012_05_09, performance_impact Low, updated_at 2018_03_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Getting External IP Address - ip2city.asp"; flow:established,to_server; content:"/ip2city.asp"; http_uri; classtype:misc-activity; sid:2014761; rev:1; metadata:created_at 2012_05_17, updated_at 2012_05_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY OpenVPN Update Check"; flow:established,to_server; content:"Host|3a| swupdate.openvpn.net|0d 0a|"; fast_pattern:14,14; http_header; content:"User-Agent|3a| Twisted PageGetter|0d 0a|"; http_header; classtype:policy-violation; sid:2014799; rev:1; metadata:created_at 2012_05_22, updated_at 2012_05_22;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1)"; flow:established,to_client; content:"|16 03 01|"; depth:3; content:".storage.msn.com"; nocase; distance:0; reference:url,skydrive.live.com; classtype:policy-violation; sid:2014919; rev:2; metadata:created_at 2012_06_18, updated_at 2012_06_18;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (2)"; flow:established,to_client; content:"|16 03 01|"; depth:3; content:".storage.live.com"; nocase; reference:url,skydrive.live.com; classtype:policy-violation; sid:2014920; rev:2; metadata:created_at 2012_06_18, updated_at 2012_06_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY DynDNS CheckIp External IP Address Server Response"; flow:established,to_client; content:"Server|3A 20|DynDNS-CheckIP/"; http_header; classtype:bad-unknown; sid:2014932; rev:1; metadata:created_at 2012_06_21, updated_at 2012_06_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|onion|00|"; fast_pattern; distance:0; reference:url,en.wikipedia.org/wiki/.onion; classtype:policy-violation; sid:2014939; rev:1; metadata:created_at 2012_06_22, updated_at 2012_06_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY TOR .exit Pseudo TLD DNS Query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|exit|00|"; fast_pattern; distance:0; reference:url,en.wikipedia.org/wiki/.onion; classtype:policy-violation; sid:2014941; rev:3; metadata:created_at 2012_06_22, updated_at 2012_06_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Pandora Usage"; flow:established,to_server; content:"POST"; http_method; content:"/radio/xmlrpc/"; http_uri; content:"pandora.com|0d 0a|"; http_header; threshold: type limit, track by_src, count 1, seconds 3600; reference:url,www.pandora.com; classtype:policy-violation; sid:2014997; rev:2; metadata:created_at 2012_07_02, updated_at 2012_07_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Download Request to Hotfile.com"; flow:established,to_server; content:"GET"; http_method; content:"/dl/"; http_uri; content:"hotfile.com|0d 0a|"; fast_pattern:only; http_header; metadata: former_category POLICY; classtype:policy-violation; sid:2015015; rev:1; metadata:created_at 2012_07_03, updated_at 2017_03_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY TuneIn Internet Radio Usage Detected"; flow:established,to_server; content:"/tuner/?StationId="; http_uri; fast_pattern:only; content:"tunein.com|0d 0a|"; http_header; reference:url,tunein.com/support/get-started; classtype:policy-violation; sid:2015485; rev:1; metadata:created_at 2012_07_17, updated_at 2012_07_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Geo Location IP info online service (geoiptool.com)"; flow:established,to_server; content:"GET"; http_method; urilen:1; content:"/"; http_uri; content:"Host|3A| "; http_header; content:"geoiptool.com|0d 0a|"; within:20; http_header; reference:md5,04f02d7fea812ef78d2340015c5d768e; classtype:policy-violation; sid:2015500; rev:2; metadata:created_at 2012_07_20, updated_at 2012_07_20;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (tor2web)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|tor2web"; fast_pattern; nocase; distance:0; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2015576; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2012_08_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Suspicious Windows Executable WriteProcessMemory"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"WriteProcessMemory"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; reference:url,jessekornblum.livejournal.com/284641.html; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx; classtype:misc-activity; sid:2015588; rev:1; metadata:created_at 2012_08_07, updated_at 2012_08_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Suspicious Windows Executable CreateRemoteThread"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; content:"CreateRemoteThread"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss_33649; reference:url,jessekornblum.livejournal.com/284641.html; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/ms682437%28v=vs.85%29.aspx; classtype:misc-activity; sid:2015589; rev:1; metadata:created_at 2012_08_07, updated_at 2012_08_07;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Signed TLS Certificate with md5WithRSAEncryption"; flow:established,from_server; content:"|16 03 01|"; depth:3; content:"|02|"; distance:2; within:1; byte_jump:3,0,relative,big; content:"|16 03 01|"; within:3; content:"|0b|"; distance:2; within:2; content:"|30 82|"; distance:9; within:2; content:"|30 82|"; distance:2; within:2; content:"|a0 03 02 01 02 02|"; distance:2; within:6; byte_jump:1,0,relative,big; content:"|30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00|"; within:15; reference:url,www.win.tue.nl/hashclash/rogue-ca/; reference:url,ietf.org/rfc/rfc3280.txt; reference:url,jensign.com/JavaScience/GetTBSCert/index.html; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; reference:url,news.netcraft.com/archives/2012/08/31/governments-and-banks-still-using-weak-md5-signed-ssl-certificates.html; classtype:misc-activity; sid:2015686; rev:2; metadata:created_at 2012_09_07, updated_at 2012_09_07;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Inbound /uploadify.php Access"; flow:established,to_server; content:"POST"; http_method; content:"/uploadify.php"; http_uri; nocase; fast_pattern:only; reference:url,blog.sucuri.net/2012/06/uploadify-uploadify-and-uploadify-the-new-timthumb.html; classtype:attempted-recon; sid:2015687; rev:1; metadata:created_at 2012_09_07, updated_at 2012_09_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY AskSearch Toolbar Spyware User-Agent (AskTBar) 2"; flow:to_server,established; content:"User-Agent|3a| AskTb"; http_header; classtype:policy-violation; sid:2015757; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2012_10_04, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY archive.org heritix Crawler User-Agent (Outbound)"; flow:established,to_server; content:"heritrix"; fast_pattern:only; http_header; pcre:"/^User-Agent\x3a[^\r\n]+?heritrix/Hmi"; reference:md5,9fcbd8ebbbafdb0f64805f2c9a53fb7b; reference:url,crawler.archive.org/index.html; classtype:trojan-activity; sid:2015791; rev:3; metadata:created_at 2012_10_11, updated_at 2012_10_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Maxmind geoip check to /app/geoip.js"; flow:established,to_server; content:"/app/geoip.js"; http_uri; fast_pattern:only; content:"maxmind.com|0d 0a|"; http_header; classtype:policy-violation; sid:2015878; rev:1; metadata:created_at 2012_11_13, updated_at 2012_11_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Possible BitCoin Miner User-Agent (miner)"; flow:established,to_server; content:"miner"; nocase; http_header; fast_pattern:only; pcre:"/User-Agent\x3A[^\r\n]*miner[^a-z]/Hi"; metadata: former_category POLICY; reference:url,abcpool.co/mining-software-comparison.php; classtype:trojan-activity; sid:2016067; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, deployment Datacenter, tag Bitcoin_Miner, signature_severity Audit, created_at 2012_12_20, updated_at 2017_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY poclbm BitCoin miner"; flow:established,to_server; content:"User-Agent|3a| poclbm/"; nocase; http_header; metadata: former_category POLICY; reference:url,abcpool.co/mining-software-comparison.php; classtype:trojan-activity; sid:2016068; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, deployment Datacenter, tag Bitcoin_Miner, signature_severity Audit, created_at 2012_12_20, updated_at 2017_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY NSISDL Iplookup.php IPCheck"; flow:established,to_server; content:"/iplookup.php"; http_uri; fast_pattern; content:"User-Agent|3A| NSISDL/1.2 (Mozilla)"; http_header; classtype:policy-violation; sid:2016744; rev:2; metadata:created_at 2013_04_09, updated_at 2013_04_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Retrieving External IP via myip.dnsomatic.com"; flow:established,to_server; content:"Host|3a 20|myip.dnsomatic.com|0d 0a|"; http_header; nocase; metadata: former_category POLICY; classtype:attempted-recon; sid:2016754; rev:3; metadata:deployment Perimeter, signature_severity Audit, created_at 2013_04_12, performance_impact Low, updated_at 2018_04_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Bitcoin Mining Extensions Header"; flow:to_server,established; content:"POST "; depth:5; content:"|0d 0a|X-Mining-Extensions|3a|"; distance:0; content:"|0d 0a 0d 0a|"; distance:0; classtype:policy-violation; sid:2016758; rev:3; metadata:created_at 2013_04_16, updated_at 2013_04_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 81:90 (msg:"ET POLICY Java Client on Common Sakura Ports"; flow:established,to_server; content:" Java/1."; fast_pattern:only; content:"|0d 0a|User-Agent|3a| Mozilla/"; pcre:"/^[^\r\n]+?Java\/1\./R"; flowbits:set,ET.http.javaclient.SakuraPorts; flowbits:noalert; classtype:misc-activity; sid:2016783; rev:4; metadata:created_at 2013_04_26, updated_at 2013_04_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Android Dalvik Executable File Download"; flow:established,to_client; file_data; content:"dex|0A|"; within:4; reference:url,source.android.com/tech/dalvik/dex-format.html; classtype:policy-violation; sid:2016856; rev:1; metadata:created_at 2013_05_15, updated_at 2013_05_15;)

alert tcp $HOME_NET any -> [!134.170.0.0/16,$EXTERNAL_NET] $HTTP_PORTS (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5."; flow:to_server,established; content:" MSIE 5."; fast_pattern:only; http_header; nocase; pcre:"/^User-Agent\x3a[^\r\n]+?\sMSIE\s5\./Hmi"; content:!".microsoft.com|0d 0a|"; http_header; content:!".trendmicro.com|0d 0a|"; http_header; content:!".sony.net|0d 0a|"; http_header; content:!".weather.com|0d 0a|"; http_header; content:!".yahoo.com|0d 0a|"; http_header; content:!".dellfix.com|0d 0a|"; http_header; content:!"GeoVision"; http_header; threshold: type limit,track by_src,count 2,seconds 60; classtype:policy-violation; sid:2016870; rev:11; metadata:created_at 2013_05_20, updated_at 2013_05_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 4."; flow:to_server,established; content:" MSIE 4."; http_header; fast_pattern:only; nocase; content:!".weatherbug.com|0d 0a|"; http_header; content:!".wxbug.com|0d 0a|"; http_header;  pcre:"/^User-Agent\x3a[^\r\n]+?\sMSIE\s4\./Hmi"; threshold: type limit,track by_src,count 2,seconds 60; classtype:policy-violation; sid:2016871; rev:3; metadata:created_at 2013_05_20, updated_at 2013_05_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 3."; flow:to_server,established; content:" MSIE 3."; http_header; fast_pattern:only; nocase; pcre:"/^User-Agent\x3a[^\r\n]+?\sMSIE\s3\./Hmi"; threshold: type limit,track by_src,count 2,seconds 60; classtype:policy-violation; sid:2016872; rev:2; metadata:created_at 2013_05_20, updated_at 2013_05_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 2."; flow:to_server,established; content:" MSIE 2."; http_header; fast_pattern:only; nocase; pcre:"/^User-Agent\x3a[^\r\n]+?\sMSIE\s2\./Hmi"; threshold: type limit,track by_src,count 2,seconds 60; classtype:policy-violation; sid:2016873; rev:2; metadata:created_at 2013_05_20, updated_at 2013_05_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 1."; flow:to_server,established; content:" MSIE 1."; http_header; fast_pattern:only; nocase; pcre:"/^User-Agent\x3a[^\r\n]+?\sMSIE\s1\./Hmi"; threshold: type limit,track by_src,count 2,seconds 60; classtype:policy-violation; sid:2016874; rev:2; metadata:created_at 2013_05_20, updated_at 2013_05_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Unsupported/Fake FireFox Version 0."; flow:to_server,established; content:" Firefox/0."; http_header; fast_pattern:only; nocase; pcre:"/^User-Agent\x3a[^\r\n]+?\sFirefox\/0\./Hmi"; threshold: type limit,track by_src,count 2,seconds 60; classtype:policy-violation; sid:2016875; rev:2; metadata:created_at 2013_05_20, updated_at 2013_05_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Unsupported/Fake FireFox Version 1."; flow:to_server,established; content:" Firefox/1."; http_header; fast_pattern:only; nocase; pcre:"/^User-Agent\x3a[^\r\n]+?\sFirefox\/1\./Hmi"; threshold: type limit,track by_src,count 2,seconds 60; classtype:policy-violation; sid:2016876; rev:2; metadata:created_at 2013_05_20, updated_at 2013_05_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Unsupported/Fake FireFox Version 2."; flow:to_server,established; content:" Firefox/2."; http_header; fast_pattern:only; nocase; pcre:"/^User-Agent\x3a[^\r\n]+?\sFirefox\/2\./Hmi"; threshold: type limit,track by_src,count 2,seconds 60; classtype:policy-violation; sid:2016877; rev:2; metadata:created_at 2013_05_20, updated_at 2013_05_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Unsupported/Fake Windows NT Version 4."; flow:to_server,established; content:" Windows NT 4."; http_header; fast_pattern:only; nocase; pcre:"/^User-Agent\x3a[^\r\n]+?\sWindows NT 4\./Hmi"; threshold: type limit,track by_src,count 2,seconds 60; classtype:policy-violation; sid:2016878; rev:2; metadata:created_at 2013_05_20, updated_at 2013_05_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Unsupported/Fake Windows NT Version 5.0"; flow:to_server,established; content:" Windows NT 5.0"; http_header; fast_pattern:only; nocase; pcre:"/^User-Agent\x3a[^\r\n]+?\sWindows NT 5\.0/Hmi"; threshold: type limit,track by_src,count 2,seconds 60; classtype:policy-violation; sid:2016879; rev:2; metadata:created_at 2013_05_20, updated_at 2013_05_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP connection to net78.net Free Web Hosting (Used by Various Trojans)"; flow:established,to_server; content:".net78.net|0d 0a|"; http_header; fast_pattern:only; nocase; reference:url,www.net78.net; classtype:bad-unknown; sid:2016944; rev:1; metadata:created_at 2013_05_29, updated_at 2013_05_29;)

#alert ip $HOME_NET any -> 1.1.1.0/24 any (msg:"ET POLICY Connection to previously unallocated address space 1.1.1.0/24"; threshold:type limit,track by_src,seconds 3600,count 1; metadata: former_category POLICY; classtype:trojan-activity; sid:2017000; rev:3; metadata:created_at 2013_06_10, updated_at 2018_04_24;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY DropBox User Content Access over SSL"; flow:established,from_server; content:"|55 04 03|"; content:"|18|*.dropboxusercontent.com"; nocase; distance:1; within:25; reference:url,www.dropbox.com/help/201/en; classtype:policy-violation; sid:2017015; rev:6; metadata:created_at 2013_06_13, updated_at 2013_06_13;)

alert udp $EXTERNAL_NET any -> $HOME_NET 623 (msg:"ET POLICY Possible IPMI 2.0 RAKP Remote SHA1 Password Hash Retreival RAKP message 1 with default BMC usernames (Admin|root|Administrator|USERID)"; content:"|06 12|"; offset:4; depth:2; pcre:"/((\x0d|\x05)Admin(istrator)?|\x04root|\x06USERID)/Ri"; classtype:protocol-command-decode; sid:2017120; rev:2; metadata:created_at 2013_07_09, updated_at 2013_07_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Pirate Browser Download"; flow:established,to_server; content:"/PirateBrowser"; http_uri; content:".exe"; http_uri; reference:url,piratebrowser.com; classtype:policy-violation; sid:2017329; rev:1; metadata:created_at 2013_08_14, updated_at 2013_08_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Retrieving External IP via icanhazip.com - Possible Infection"; flow:established,to_server; content:"icanhazip.com"; http_header; fast_pattern:only; pcre:"/^Host\x3a\s*?(?:[^\r\n]+?\.)?icanhazip\.com(?:\x3a\d{1,5})?\r$/Hmi"; classtype:attempted-recon; sid:2017398; rev:2; metadata:created_at 2013_08_30, updated_at 2013_08_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY W32/BitCoinMiner.MultiThreat Subscribe/Authorize Stratum Protocol Message"; flow:established,to_server; content:"|22|id|22 3A|"; content:"|22|method|22 3A|"; content:"|22|mining."; within:9; content:"|22|params|22|"; within:50; pcre:"/\x22mining\x2E(subscribe|authorize)\x22/"; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,www.btcguild.com/new_protocol.php; reference:url,mining.bitcoin.cz/stratum-mining; classtype:trojan-activity; sid:2017871; rev:4; metadata:created_at 2013_12_16, updated_at 2013_12_16;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY W32/BitCoinMiner.MultiThreat Stratum Protocol Mining.Notify Initial Connection Server Response"; flow:established,to_client; content:"|22|result|22 3A| [[|22|mining.notify|22|"; depth:120; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,www.btcguild.com/new_protocol.php; reference:url,mining.bitcoin.cz/stratum-mining; classtype:trojan-activity; sid:2017872; rev:1; metadata:created_at 2013_12_16, updated_at 2013_12_16;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY W32/BitCoinMiner.MultiThreat Stratum Protocol Mining.Notify Work Server Response"; flow:established,to_client; content:"|22|params|22 3A| [|22|"; depth:120; content:"|22|method|22 3A| |22|mining.notify|22|"; distance:0; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,www.btcguild.com/new_protocol.php; reference:url,mining.bitcoin.cz/stratum-mining; classtype:trojan-activity; sid:2017873; rev:2; metadata:created_at 2013_12_16, updated_at 2013_12_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY W32/BitCoinMiner.MultiThreat Getblocktemplate Protocol Server Connection"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3A| |22|getblocktemplate|22|"; within:40; reference:url,en.bitcoin.it/wiki/Getblocktemplate; classtype:trojan-activity; sid:2017878; rev:3; metadata:created_at 2013_12_17, updated_at 2013_12_17;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY W32/BitCoinMiner.MultiThreat Getblocktemplate Protocol Server Coinbasetxn Begin Mining Response"; flow:established,to_client; content:"|22|result|22 3A| {"; depth:50; content:"|22|coinbasetxn|22 3A| {"; within:30; content:"|22|data|22 3A| |22|"; within:30; reference:url,en.bitcoin.it/wiki/Getblocktemplate; classtype:trojan-activity; sid:2017879; rev:2; metadata:created_at 2013_12_17, updated_at 2013_12_17;)

alert udp any any -> any 53 (msg:"ET POLICY External IP Lookup / Tor Checker Domain (bridges.torproject .org in DNS lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|07|bridges|0a|torproject|03|org|00|"; nocase; metadata: former_category POLICY; reference:url,www.torproject.org/docs/bridges.html.en; reference:md5,2e3f7f9b3b4c29aceccab693aeccfa5a; classtype:policy-violation; sid:2017925; rev:4; metadata:tag IP_address_lookup_website, created_at 2014_01_03, updated_at 2017_11_02;)

alert udp any any -> any 53 (msg:"ET POLICY External IP Lookup / Tor Checker Domain (check.torproject .org in DNS lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|05|check|0a|torproject|03|org|00|"; nocase; metadata: former_category POLICY; reference:md5,e87f0db605517e851d571af2e78c5966; classtype:policy-violation; sid:2017926; rev:3; metadata:tag IP_address_lookup_website, created_at 2014_01_03, updated_at 2017_11_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY check.torproject.org IP lookup/Tor Usage check over HTTP"; flow:established,to_server; content:"check.torproject.org"; nocase; http_header; fast_pattern:only; pcre:"/^Host\x3a\s*?check\.torproject\.org(?:\x3a\d{1,5})?\r?$/Hmi"; reference:md5,e87f0db605517e851d571af2e78c5966; classtype:policy-violation; sid:2017927; rev:2; metadata:created_at 2014_01_03, updated_at 2014_01_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY check.torproject.org IP lookup/Tor Usage check over TLS with SNI"; flow:established,to_server; content:"|00 14|check.torproject.org"; nocase; classtype:policy-violation; sid:2017928; rev:2; metadata:created_at 2014_01_03, updated_at 2014_01_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY bridges.torproject.org over TLS with SNI"; flow:established,to_server; content:"|00 16|bridges.torproject.org"; nocase; reference:url,www.torproject.org/docs/bridges.html.en; classtype:policy-violation; sid:2017929; rev:2; metadata:created_at 2014_01_03, updated_at 2014_01_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY TraceMyIP IP lookup"; flow:established,to_server; content:"tracemyip.org"; nocase; http_header; fast_pattern:only; pcre:"/^Host\x3a\s*?([^\r\n]+?\.)?tracemyip.org(?:\x3a\d{1,5})?\r?$/Hmi"; classtype:policy-violation; sid:2017933; rev:1; metadata:created_at 2014_01_06, updated_at 2014_01_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Bitcoin Mining Server Stratum Protocol HTTP Header"; flow:established,to_client; content:"X-Stratum|3A|"; http_header; reference:url,www.anubisnetworks.com/unknowndga17-the-mevade-connection/; classtype:policy-violation; sid:2017960; rev:1; metadata:created_at 2014_01_11, updated_at 2014_01_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 8080: (msg:"ET POLICY PrimeCoinMiner.Protominer"; flow:established,to_server; content:"|01 27 00 00 05 00 00 00 09|"; depth:9; content:"node"; nocase; distance:0; within:4; content:"Protominer"; distance:14; within:10; reference:md5,4cab48eec2b882ec33db2e2a13ecffe6; classtype:policy-violation; sid:2018014; rev:1; metadata:created_at 2014_01_27, updated_at 2014_01_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY myip.ru IP lookup"; flow:established,to_server; content:"myip.ru"; nocase; http_header; fast_pattern:only; pcre:"/^Host\x3a\s*?(?:[^\r\n]+?\.)?myip\.ru(?:\x3a\d{1,5})?\r?$/Hmi"; classtype:policy-violation; sid:2018021; rev:3; metadata:created_at 2014_01_27, updated_at 2014_01_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Application Crash Report Sent to Microsoft"; flow:to_server,established; content:"User-Agent|3a 20|MSDW|0d 0a|"; http_header; content:"Host|3a 20|watson.microsoft.com|0d 0a|"; http_header; classtype:policy-violation; sid:2018170; rev:1; metadata:created_at 2014_02_24, updated_at 2014_02_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY W32/Installiq.Adware Install Information Beacon"; flow:established,to_server; content:"/ping/installping.aspx"; http_uri; fast_pattern:only; content:"shortname="; http_uri; content:"&os="; http_uri; content:"&parents="; http_uri; content:"&browserNames="; http_uri; content:"&DefaultBrowserName="; http_uri; content:"&langid="; http_uri; content:"&installdate="; http_uri; content:".installiq.com|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:!"Accept|0d 0a|"; http_header; reference:md5,d28e9e62c83ef2308ddcdbad91fe9cb9; classtype:policy-violation; sid:2018210; rev:2; metadata:created_at 2014_03_04, updated_at 2014_03_04;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY Possible Grams DarkMarket Search DNS Domain Lookup"; content:"|10|grams7enufi7jmdl"; nocase; fast_pattern:only; classtype:policy-violation; sid:2018406; rev:3; metadata:created_at 2014_04_21, updated_at 2014_04_21;)

alert tcp any ![21,25,110,143,443,465,587,636,989:995,5061,5222,8443] -> any any (msg:"ET POLICY TLS possible TOR SSL traffic"; flow:established,from_server; content:"|06 03 55 04 03|"; pcre:"/^.{2}www\.[0-9a-z]{8,20}\.com[01]/Rs"; content:"|06 03 55 04 03|"; distance:0; pcre:"/^.{2}www\.[0-9a-z]{8,20}\.net/Rs"; metadata: former_category POLICY; classtype:misc-activity; sid:2018789; rev:3; metadata:created_at 2014_07_28, updated_at 2017_03_21;)

alert udp any any -> any 53 (msg:"ET POLICY tor4u tor2web .onion Proxy DNS  lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|tor4u|03|net|00|"; nocase; fast_pattern; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:policy-violation; sid:2018875; rev:1; metadata:created_at 2014_08_01, updated_at 2014_08_01;)

alert udp any any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.cab)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|onion|03|cab|00|"; fast_pattern; nocase; metadata: former_category POLICY; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:policy-violation; sid:2018876; rev:3; metadata:created_at 2014_08_01, updated_at 2018_06_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY tor4u tor2web .onion Proxy domain in SNI"; flow:established,to_server; content:".tor4u.net"; fast_pattern:only; nocase; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:policy-violation; sid:2018878; rev:1; metadata:created_at 2014_08_01, updated_at 2014_08_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY onion.cab tor2web .onion Proxy domain in SNI"; flow:established,to_server; content:".onion.cab"; fast_pattern:only; nocase; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:policy-violation; sid:2018879; rev:1; metadata:created_at 2014_08_01, updated_at 2014_08_01;)

alert udp any any -> any 53 (msg:"ET POLICY possible Xiaomi phone data leakage DNS"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|api|07|account|06|xiaomi|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,thehackernews.com/2014/08/xiaomi-phones-secretly-sending-users.html; classtype:policy-violation; sid:2018918; rev:1; metadata:created_at 2014_08_11, updated_at 2014_08_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY possible Xiaomi phone data leakage HTTP"; flow:to_server,established; content:"Host|3a 20|api.account.xiaomi.com|0d 0a|"; reference:url,thehackernews.com/2014/08/xiaomi-phones-secretly-sending-users.html; classtype:policy-violation; sid:2018919; rev:1; metadata:created_at 2014_08_11, updated_at 2014_08_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download HTTP"; flow:established,to_client; flowbits:isnotset,ET.http.binary; flowbits:isnotset,ET.INFO.WindowsUpdate; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:2018959; rev:3; metadata:created_at 2014_08_19, updated_at 2017_02_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 4899 (msg:"ET POLICY Radmin Remote Control Session Setup Initiate OUTBOUND"; flow:to_server,established; dsize:10; content:"|01 00 00 00 01 00 00 00 08 08|"; depth:10; classtype:policy-violation; sid:2019101; rev:2; metadata:created_at 2014_09_02, updated_at 2014_09_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External IP Lookup"; flow:established,to_server; content:"GET"; http_method; content:"/iplookup/iplookup.php?format="; http_uri; fast_pattern:10,20; reference:md5,6096ace9002792e625a0cdb6aec3f379; classtype:policy-violation; sid:2019126; rev:1; metadata:created_at 2014_09_05, updated_at 2014_09_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External IP Lookup maxmind.com"; flow:established,to_server; content:"GET"; http_method; content:"/locate_my_ip"; http_uri; fast_pattern:only; content:"maxmind.com"; http_header; reference:md5,0559c56d6dcf6ffe9ca18f43e225e3ce; classtype:policy-violation; sid:2019140; rev:1; metadata:created_at 2014_09_08, updated_at 2014_09_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Executable and linking format (ELF) file download Over HTTP"; flow:established; flowbits:isnotset,ET.ELFDownload; file_data; content:"|7F|ELF"; within:4; flowbits:set,ET.ELFDownload; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000418; classtype:policy-violation; sid:2019240; rev:13; metadata:created_at 2014_09_25, updated_at 2017_02_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY 2Downloadz.com File Sharing User-Agent"; flow:established,to_server; content:"User-Agent|3a| 2Downloadz.com Agent|0d 0a|"; http_header; classtype:policy-violation; sid:2019366; rev:1; metadata:created_at 2014_10_08, updated_at 2014_10_08;)

alert udp $HOME_NET any -> $EXTERNAL_NET 3653 (msg:"ET POLICY gogo6/Freenet6 Authentication Attempt"; content:"AUTHENTICATE|20|"; offset:8; pcre:"/^(?:ANONYMOUS|PASSDSS-3DES-1)\r\n/R"; threshold: type both, count 1, seconds 60, track by_src; classtype:policy-violation; sid:2019383; rev:1; metadata:created_at 2014_10_09, updated_at 2014_10_09;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY SSL Certificate IRC GEEKS Likely Encrypted IRC or CnC"; flow:established,from_server; content:"|16 03 00|"; content:"|0b|"; within:7; content:"|13 09|IRC geeks"; distance:0; metadata: former_category POLICY; classtype:misc-activity; sid:2019387; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Audit, created_at 2014_10_10, updated_at 2017_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.8.x Detected"; flow:established,to_server; content:" Java/1.8.0_"; http_header; content:!"181"; within:3; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; metadata: former_category POLICY; reference:url,www.oracle.com/technetwork/java/javase/8u-relnotes-2225394.html; classtype:bad-unknown; sid:2019401; rev:24; metadata:affected_product Java, attack_target Client_Endpoint, deployment Perimeter, deployment Internal, signature_severity Audit, created_at 2014_10_15, performance_impact Low, updated_at 2018_07_17;)

alert tcp $HOME_NET [443,465,993,995,25] -> any any (msg:"ET POLICY SSLv3 inbound connection to server vulnerable to POODLE attack"; flow:established,to_client; ssl_version:sslv3; ssl_state:server_hello; content:"|16 03 00|"; depth:3; threshold: type limit, track by_src, seconds 300, count 1; reference:cve,2014-3566; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:cve,2014-3566; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:policy-violation; sid:2019415; rev:3; metadata:created_at 2014_10_15, updated_at 2014_10_15;)

alert tcp $EXTERNAL_NET [443,465,993,995,25] -> $HOME_NET any (msg:"ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack"; flow:established,from_server; ssl_version:sslv3; ssl_state:server_hello; content:"|16 03 00|"; depth:3; threshold: type limit, track by_src, seconds 300, count 1; reference:cve,2014-3566; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:policy-violation; sid:2019416; rev:3; metadata:created_at 2014_10_15, updated_at 2014_10_15;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Possible IP Check api.ipify.org"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|api.ipify.org"; distance:1; within:14; classtype:policy-violation; sid:2019512; rev:1; metadata:created_at 2014_10_27, updated_at 2014_10_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Office Document Download Containing AutoOpen Macro"; flow:established,to_client; file_data; content:!"oct8ne"; content:"A|00|u|00|t|00|o|00|O|00|p|00|e|00|n"; nocase; fast_pattern:only; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019613; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Office Document Download Containing AutoExec Macro"; flow:established,to_client; file_data; content:"A|00|u|00|t|00|o|00|E|00|x|00|e|00|c"; nocase; fast_pattern:only; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019614; rev:1; metadata:created_at 2014_10_31, updated_at 2014_10_31;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET POLICY Office Document Containing AutoOpen Macro Via smtp"; flow:established,to_server; content:"QQB1AHQAbwBPAHAAZQBu"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019615; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET POLICY Office Document Containing AutoOpen Macro Via smtp"; flow:established,to_server; content:"EAdQB0AG8ATwBwAGUAb"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019616; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET POLICY Office Document Containing AutoOpen Macro Via smtp"; flow:established,to_server; content:"BAHUAdABvAE8AcABlAG"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019617; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET POLICY Office Document Containing AutoExec Macro Via smtp"; flow:established,to_server; content:"QQB1AHQAbwBFAHgAZQBj"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019618; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET POLICY Office Document Containing AutoExec Macro Via smtp"; flow:established,to_server; content:"EAdQB0AG8ARQB4AGUAY"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019619; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET POLICY Office Document Containing AutoExec Macro Via smtp"; flow:established,to_server; content:"BAHUAdABvAEUAeABlAG"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019620; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY IP Check wtfismyip.com"; flow:to_server,established; content:"GET"; http_method; content:"wtfismyip.com|0d 0a|"; http_header; fast_pattern:only; pcre:"/^\/(?:text|json|xml)?$/U"; classtype:policy-violation; sid:2019737; rev:1; metadata:created_at 2014_11_18, updated_at 2014_11_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 8444 (msg:"ET POLICY Bitmessage Activity"; flow:established,to_server; content:"version"; offset:4; depth:7; content:"Bitmessage|3a|"; distance:0; reference:url,bitmessage.org; classtype:policy-violation; sid:2019746; rev:2; metadata:created_at 2014_11_19, updated_at 2014_11_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Cryptexplorer API Check - Potential CoinMiner Traffic"; flow:established,to_server; content:"/api/"; http_uri; content:"coin/balance/"; http_uri; pcre:"/^\x2Fapi\x2F(bit|lite)coin\x2Fbalance\x2F/U"; reference:md5,8e29a15caef546aab0f19a9a81732163; classtype:policy-violation; sid:2019825; rev:2; metadata:created_at 2014_12_01, updated_at 2014_12_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY I2P Retrieving reseed info"; flow:established,to_server; content:"GET"; http_method; content:"/netdb/"; nocase; depth:7; http_uri; fast_pattern; content:"User-Agent|3a 20|Wget/1.11.4|0d 0a|"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; classtype:policy-violation; sid:2019898; rev:2; metadata:created_at 2014_12_09, updated_at 2014_12_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to WebDAV CloudMe Service"; flow:established,to_server; content:"webdav.cloudme.com"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+?webdav\.cloudme\.com[^\r\n]*?\r?$/Hmi"; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:policy-violation; sid:2019914; rev:2; metadata:created_at 2014_12_10, updated_at 2014_12_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Possible IP Check myexternalip.com"; flow:established,to_server; content:"GET"; http_method; content:"Host|3a 20|myexternalip.com|0d 0a|"; http_header; classtype:policy-violation; sid:2019980; rev:1; metadata:created_at 2014_12_19, updated_at 2014_12_19;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (torpovider.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|torpovider|03|org"; fast_pattern; nocase; distance:0; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2019981; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2014_12_19, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (way2tor)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|way2tor"; fast_pattern; nocase; distance:0; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2019982; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2014_12_19, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (torgateway.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|torgateway|03|org|00|"; fast_pattern; nocase; distance:0; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2019983; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2014_12_19, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query for Invisible Internet Project Domain (I2P)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|i2p|00|"; distance:0; fast_pattern; reference:url,geti2p.net; classtype:policy-violation; sid:2019988; rev:2; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Possible IP Check ip-addr.es"; flow:established,to_server; content:"GET"; http_method; content:"ip-addr.es|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+?ip-addr\.es(?:\x3a\d{1,5})?\r?$/Hmi"; reference:url,blogs.cisco.com/security/talos/cryptowall-2; classtype:trojan-activity; sid:2020105; rev:1; metadata:created_at 2015_01_07, updated_at 2015_01_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Possible IP Check curlmyip.com"; flow:established,to_server; content:"GET"; http_method; content:"curlmyip.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+?curlmyip\.com(?:\x3a\d{1,5})?\r?$/Hmi"; reference:url,blogs.cisco.com/security/talos/cryptowall-2; classtype:trojan-activity; sid:2020106; rev:1; metadata:created_at 2015_01_07, updated_at 2015_01_07;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (bladetor.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|bladetor|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020107; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (bonytor.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|bonytor|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020108; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (bortor.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|bortor|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020109; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (browsetor.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|browsetor|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020110; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (door2tor.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|door2tor|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020111; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (enter2tor.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|enter2tor|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020112; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (jamator.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|jamator|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020113; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (onion2web.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|onion2web|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020114; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.lt)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|onion|02|lt|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020115; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.to)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|onion|02|to|00|"; nocase; distance:0; fast_pattern; metadata: former_category POLICY; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020116; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2017_09_05;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (pay2tor.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|pay2tor|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020117; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (pay4tor.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|pay4tor|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020118; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (payrobotor.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|payrobotor|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020119; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (poltornik.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|poltornik|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020120; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (slavetor.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|slavetor|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020121; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (tanktor.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|tanktor|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020122; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (tor2pay.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|tor2pay|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020123; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (tor2www.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|tor2www|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020124; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (tor4life.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|tor4life|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020125; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (tor4pay.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|tor4pay|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category POLICY; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020126; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2017_09_05;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (toralpacho.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|toralpacho|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020127; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (torbama.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|torbama|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020128; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (torchek.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|torchek|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020129; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (torexplorer.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|torexplorer|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020130; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (torforlove.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|torforlove|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020131; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (torjam.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|torjam|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020132; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (torminater.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|torminater|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category POLICY; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020133; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2017_09_05;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (torpacho.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|torpacho|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020134; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (torpaycash.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|torpaycash|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020135; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (torpaycnf.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|torpaycnf|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020136; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (torpayeur.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|torpayeur|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020137; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (torpayusd.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|torpayusd|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020138; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (torprivatebrowsing.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|torprivatebrowsing|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020139; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (torsanctions.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|torsanctions|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020140; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (torsona.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|torsona|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020141; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (torvsusd.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|torvsusd|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020142; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (torwild.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|torwild|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020143; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (torwinner.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|torwinner|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020144; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (totortoweb.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|totortoweb|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020145; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (vtorchike.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|vtorchike|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020146; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (walterwtor.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|walterwtor|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020147; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (torforall.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|torforall|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020183; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_14, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (torman2.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|torman2|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020184; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_14, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (torwoman.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|torwoman|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020185; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_14, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (torroadsters.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|torroadsters|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020186; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_14, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY I2P Reseed Domain Lookup (i2p-netdb.innovatio.no)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|i2p-netdb|09|innovatio|02|no|00|"; nocase; distance:0; fast_pattern; classtype:policy-violation; sid:2020189; rev:1; metadata:created_at 2015_01_15, updated_at 2015_01_15;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY I2P Reseed Domain Lookup (i2p.mooo.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|i2p|04|mooo|03|com|00|"; nocase; distance:0; fast_pattern; classtype:policy-violation; sid:2020190; rev:1; metadata:created_at 2015_01_15, updated_at 2015_01_15;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY I2P Reseed Domain Lookup (netdb.i2p2.no)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|netdb|04|i2p2|02|no|00|"; nocase; distance:0; fast_pattern; classtype:policy-violation; sid:2020191; rev:1; metadata:created_at 2015_01_15, updated_at 2015_01_15;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY I2P Reseed Domain Lookup (reseed.i2p-projekt.de)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|reseed|0b|i2p-projekt|02|de|00|"; nocase; distance:0; fast_pattern; classtype:policy-violation; sid:2020192; rev:1; metadata:created_at 2015_01_15, updated_at 2015_01_15;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY I2P Reseed Domain Lookup (uk.reseed.i2p2.no)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|uk|06|reseed|04|i2p2|02|no|00|"; nocase; distance:0; fast_pattern; classtype:policy-violation; sid:2020193; rev:1; metadata:created_at 2015_01_15, updated_at 2015_01_15;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY I2P Reseed Domain Lookup (us.reseed.i2p2.no)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|us|06|reseed|04|i2p2|02|no|00|"; nocase; distance:0; fast_pattern; classtype:policy-violation; sid:2020194; rev:1; metadata:created_at 2015_01_15, updated_at 2015_01_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY exploitpack.com tool checkin"; flow:established,to_server; content:"GET"; http_method; content:"/changelog/"; http_uri; fast_pattern:only; pcre:"/^\/changelog\/(?:appversion|changelog|help)$/U"; content:"User-Agent|3a 20|Java/1"; http_header; content:!"Referer|3a 20|"; http_header; reference:url,www.exploitpack.com; classtype:bad-unknown; sid:2020195; rev:1; metadata:created_at 2015_01_15, updated_at 2015_01_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Terse Named Filename EXE Download - Possibly Hostile"; flow:established,to_client; content:"filename="; http_header; content:".exe"; http_header; within:8; fast_pattern; pcre:"/filename\x3d[\x27\x22][a-z0-9]{1,3}\x2Eexe/Hi"; classtype:trojan-activity; sid:2020202; rev:1; metadata:created_at 2015_01_16, updated_at 2015_01_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.gq)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|onion|02|gq|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020211; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_01_19, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Onion2Web Tor Proxy Cookie"; flow:established,to_server; content:"onion2web_confirmed="; fast_pattern:only; content:"onion2web_confirmed="; http_cookie; reference:md5,a46e609662eb94a726fcb4471b7057d4; reference:md5,2b62cdb6bcec4bff47eff437e4fc46d3; reference:url,github.com/starius/onion2web; classtype:policy-violation; sid:2020324; rev:1; metadata:created_at 2015_01_28, updated_at 2015_01_28;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (torpaysolutions.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|torpaysolutions|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020374; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_02_06, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (torpayoptions.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|torpayoptions|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020375; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_02_06, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (torinvestment2.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|torinvestment2|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020376; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_02_06, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (torwillsmith.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|torwillsmith|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020377; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_02_06, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY SUSPICIOUS *.rar.exe in HTTP URL"; flow:to_server,established; content:".rar.exe"; fast_pattern:only; http_uri; nocase; pcre:"/\.rar\.exe$/Ui"; classtype:bad-unknown; sid:2020386; rev:1; metadata:created_at 2015_02_09, updated_at 2015_02_09;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (optionstorpay22.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|optionstorpay22|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020390; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_02_10, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (bananator.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|bananator|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020391; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_02_10, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (monsterbbc.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|monsterbbc|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020395; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_02_10, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (tostotor.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|tostotor|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020400; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_02_11, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (trusteetor.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|trusteetor|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020401; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_02_11, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (solutionstopaytor33.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|solutionstopaytor33|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020402; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_02_11, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.am)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|onion|02|am|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020404; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_02_11, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (batmantor.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|batmantor|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020405; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_02_11, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (dogotor.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|dogotor|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020406; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_02_11, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY I2P Seeds File Request"; flow:established,to_server; content:"/i2pseeds.su3"; http_uri; fast_pattern:only; reference:url,phishme.com/dyre-attackers-shift-tactics/; classtype:policy-violation; sid:2020415; rev:1; metadata:created_at 2015_02_12, updated_at 2015_02_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY I2P Seeds File Download"; flow:established,to_client; file_data; content:"I2Psu3"; within:6; reference:url,phishme.com/dyre-attackers-shift-tactics/; classtype:policy-violation; sid:2020416; rev:1; metadata:created_at 2015_02_12, updated_at 2015_02_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY Middle Earth Illegal Marketplace Tor Hidden Service DNS Query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mango7u3rivtwxy7"; nocase; distance:0; fast_pattern; classtype:policy-violation; sid:2020417; rev:1; metadata:created_at 2015_02_12, updated_at 2015_02_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.city)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|onion|04|city|00|"; nocase; distance:0; fast_pattern; metadata: former_category POLICY; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020430; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_02_16, updated_at 2017_09_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Metasploit Framework Checking For Update"; flow:established,to_server; content:"POST"; http_method; urilen:13; content:"/updateserver"; http_uri; fast_pattern:only; content:"User-Agent|3a 20|MSFX/"; http_header; content:!"Referer|3a 20|"; http_header; classtype:misc-activity; sid:2020475; rev:1; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2015_02_18, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|client-lb|07|dropbox|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,dropbox.com; classtype:policy-violation; sid:2020565; rev:1; metadata:created_at 2015_02_24, updated_at 2015_02_24;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.direct)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|onion|06|direct|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020577; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_02_26, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.glass)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|onion|05|glass|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020574; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_02_26, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Privdog Activation"; flow:established,to_server; content:"User-Agent|3a 20|ActivationRequestSendingSession|0d 0a|"; http_header; fast_pattern:10,20; content:"activation_api.php?"; http_uri; reference:url,blog.hboeck.de/archives/866-PrivDog-wants-to-protect-your-privacy-by-sending-data-home-in-clear-text.html; reference:url,blog.lumension.com/9848/whats-worse-than-superfish-meet-privdog-leaving-users-wide-open-to-attacks/; classtype:policy-violation; sid:2020578; rev:1; metadata:created_at 2015_02_27, updated_at 2015_02_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Privdog Checkin"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/5.0 (Windows|3b| U|3b| MSIE 7.0|3b| Windows NT 6.0|3b| en-US|29 0d 0a|"; http_header; fast_pattern:20,20; content:"/safecontent.php?"; http_uri; reference:url,blog.hboeck.de/archives/866-PrivDog-wants-to-protect-your-privacy-by-sending-data-home-in-clear-text.html; reference:url,blog.lumension.com/9848/whats-worse-than-superfish-meet-privdog-leaving-users-wide-open-to-attacks/; classtype:policy-violation; sid:2020579; rev:1; metadata:created_at 2015_02_27, updated_at 2015_02_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Privdog Update check"; flow:established,to_server; content:"X-TA-ClientVer|3a 20|"; http_header; fast_pattern:only; content:"X-TA-ClientOS|3a 20|"; http_header; content:"/update.inf"; http_uri; reference:url,blog.hboeck.de/archives/866-PrivDog-wants-to-protect-your-privacy-by-sending-data-home-in-clear-text.html; reference:url,blog.lumension.com/9848/whats-worse-than-superfish-meet-privdog-leaving-users-wide-open-to-attacks/; classtype:policy-violation; sid:2020580; rev:1; metadata:created_at 2015_02_27, updated_at 2015_02_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion Proxy Domain (connect2tor.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|connect2tor|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020617; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_03_04, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (torstorm.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|torstorm|03|org|00|"; fast_pattern; distance:0; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020618; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_03_04, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (bolistatapay.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|bolistatapay|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020619; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_03_04, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (sshowmethemoney.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|sshowmethemoney|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020620; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_03_04, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 03|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020634; rev:4; metadata:created_at 2015_03_06, updated_at 2015_03_06;)

#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 06|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020635; rev:4; metadata:created_at 2015_03_06, updated_at 2015_03_06;)

#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 08|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020636; rev:4; metadata:created_at 2015_03_06, updated_at 2015_03_06;)

#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 0E|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020637; rev:4; metadata:created_at 2015_03_06, updated_at 2015_03_06;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (optionstopaytos.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|optionstopaytos|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020639; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_03_06, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (cheetosnotburitos.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|cheetosnotburitos|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020640; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_03_06, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (optionsketchupay.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|optionsketchupay|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020641; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_03_06, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (solutionsaccountor.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|solutionsaccountor|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020642; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_03_06, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 0B|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020672; rev:5; metadata:created_at 2015_03_11, updated_at 2015_03_11;)

#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 11|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020673; rev:3; metadata:created_at 2015_03_11, updated_at 2015_03_11;)

#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 14|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020674; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)

#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 17|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020675; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)

#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 19|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020676; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)

#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 26|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020677; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)

#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 27|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020678; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)

#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 28|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020679; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)

#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 29|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020680; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)

#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 2A|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020681; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)

#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 2B|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020682; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (tor4free.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|tor4free|03|org|00|"; fast_pattern; distance:0; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020686; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_03_12, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (tordomain.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|tordomain|03|org"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020703; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_03_18, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (welcome2tor.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|welcome2tor|03|org"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020704; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_03_18, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Possible External IP Lookup ipinfo.io"; flow:established,to_server; content:"Host|3a 20|ipinfo.io|0d 0a|"; http_header; fast_pattern:only; content:!"Referer|3a|"; http_header;  classtype:policy-violation; sid:2020716; rev:2; metadata:created_at 2015_03_19, updated_at 2015_03_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Remote Access - RView - Host - *.rview.com"; flow:established,to_server; content:".rview.com|0D 0A|"; http_header; classtype:policy-violation; sid:2020804; rev:1; metadata:created_at 2015_03_30, updated_at 2015_03_30;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Remote Access - RView - SSL Certificate Seen"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|*.rview.com"; distance:1; within:12; metadata: former_category POLICY; classtype:policy-violation; sid:2020805; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Audit, created_at 2015_03_30, updated_at 2017_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External IP Lookup - Bravica"; flow:established,to_server; content:"POST"; http_method; content:"Host|3a 20|www.bravica.net|0d 0a|"; http_header; content:"name="; http_client_body; content:"&cmd="; http_client_body; distance:0; classtype:policy-violation; sid:2020830; rev:2; metadata:created_at 2015_04_02, updated_at 2015_04_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External IP Lookup - ip-whois"; flow:established,to_server; content:"Host|3A 20|ip-whois.net|0d 0a|"; http_header; classtype:policy-violation; sid:2020831; rev:2; metadata:created_at 2015_04_02, updated_at 2015_04_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Exe32Pack Packed Executable Download"; flow:established,to_client; file_data; content:"Packed by exe32pack"; content:"SteelBytes All rights reserved"; distance:0; reference:md5,93be88ad3816c19d74155f8cd3aae1d2; classtype:policy-violation; sid:2020914; rev:1; metadata:created_at 2015_04_15, updated_at 2015_04_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Petite Packed Binary Download"; flow:to_client,established; flowbits:isnotset,ET.http.binary; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|43 6F 6D 70 72 65 73 73 65 64 20 62 79 20 50 65 74 69 74 65 20 28 63 29 31 39 39 39 20 49 61 6E 20 4C 75 63 6B 2E 00 00|"; distance:-44; flowbits:set,ET.http.binary; reference:md5,fa2c0e8b486c879f4baee1d5bebdf0a2; classtype:trojan-activity; sid:2020973; rev:4; metadata:created_at 2015_04_22, updated_at 2015_04_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY WebRTC IP tracking Javascript"; flow:established,from_server; file_data; content:"function getIPs|28|callback|29|"; nocase; fast_pattern; content:"ip_dups"; nocase; content:"handleCandidate"; nocase; content:"RTCPeerConnection"; nocase; metadata: former_category POLICY; reference:url,github.com/diafygi/webrtc-ips; classtype:successful-recon-limited; sid:2021089; rev:2; metadata:created_at 2015_05_12, updated_at 2018_04_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External Timezone Check (earthtools.org)"; flow:established,to_server; content:"Host|3a 20|www.earthtools.org|0d 0a|"; http_header; fast_pattern:6,20; content:"/timezone/"; depth:10; http_uri; content:!"Referer|3a|"; http_header; classtype:policy-violation; sid:2021120; rev:1; metadata:created_at 2015_05_20, updated_at 2015_05_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External IP Lookup - ip2location.com"; flow:established,to_server; content:"GET"; http_method; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a[^\r\n]+ip2location\.com\r?/Hmi"; content:"ip2location.com|0d 0a|"; http_header; fast_pattern:only; classtype:policy-violation; sid:2021162; rev:2; metadata:created_at 2015_05_28, updated_at 2015_05_28;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (clusterpaytor.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|clusterpaytor|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2021190; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_06_05, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (statepaytor.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|statepaytor|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2021191; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_06_05, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Possible External IP Lookup whoer.net"; flow:established,to_server; content:"Host|3a 20|whoer.net|0d 0a|"; http_header; fast_pattern:only; content:!"Referer|3a|"; http_header; metadata: former_category POLICY; classtype:policy-violation; sid:2021195; rev:2; metadata:tag IP_address_lookup_website, created_at 2015_06_08, updated_at 2017_07_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Xpopup Instant Messenger Downloading Configuration"; flow:established,to_server; urilen:13; content:"GET"; http_method; content:"/xpopinfo.dat"; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.1 (compatible|3b 20|"; http_header; reference:md5,6c7abe2297ee64362e33584f9f654ebd; classtype:policy-violation; sid:2021205; rev:3; metadata:created_at 2015_06_08, updated_at 2015_06_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Possible External IP Lookup ip.webmasterhome.cn"; flow:established,to_server; content:"Host|3a 20|ip.webmasterhome.cn|0d 0a|"; http_header; fast_pattern:only; content:!"Referer|3a|"; http_header; classtype:policy-violation; sid:2021250; rev:2; metadata:created_at 2015_06_11, updated_at 2015_06_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Possible External IP Lookup www.whatsmyip.us"; flow:established,to_server; content:"Host|3a 20|www.whatsmyip.us|0d 0a|"; http_header; fast_pattern:only; classtype:policy-violation; sid:2021371; rev:1; metadata:created_at 2015_06_30, updated_at 2015_06_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External IP Lookup - checkip.dyndns.org"; flow:established,to_server; content:"Host|3A 20|checkip.dyndns.org|0d 0a|"; fast_pattern:only; http_header; classtype:policy-violation; sid:2021378; rev:1; metadata:created_at 2015_07_02, updated_at 2015_07_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External IP Lookup sina.com.cn"; flow:established,to_server; content:"GET"; http_method; content:"/iplookup.php"; http_uri; content:"dpool.sina.com.cn"; fast_pattern:only; http_header; classtype:policy-violation; sid:2021438; rev:1; metadata:created_at 2015_07_20, updated_at 2015_07_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Edwards Packed proxy.pac from 724sky"; flow:established,from_server; file_data; content:"eval(function(p,a,c"; content:"|7C|FindProxyForURL|7C|"; nocase; content:"|7c|proxy|7c|"; nocase; content:"|7c|baidu|7c|"; nocase; reference:md5,50bd21aac1f57d90c54683995ec102aa; classtype:trojan-activity; sid:2021511; rev:1; metadata:created_at 2015_07_22, updated_at 2015_07_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible External IP Lookup myip.kz"; flow:established,to_server; content:"Host|3a 20|myip.kz|0d 0a|"; http_header; fast_pattern:only; classtype:policy-violation; sid:2021533; rev:1; metadata:created_at 2015_07_27, updated_at 2015_07_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup trackip.net"; flow:established,to_server; content:"GET"; http_method; content:"/ip?json"; http_uri; fast_pattern:only; content:"trackip.net"; http_header; classtype:policy-violation; sid:2021550; rev:1; metadata:created_at 2015_07_29, updated_at 2015_07_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External IP Lookup - www.ip.cn"; flow:established,to_server; content:"Host|3A 20|www.ip.cn|0d 0a|"; fast_pattern:only; http_header; classtype:policy-violation; sid:2021600; rev:1; metadata:created_at 2015_08_06, updated_at 2015_08_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hola VPN Activity - X-Hola-* Headers"; flow:established,to_server; content:"|0d 0a|X-Hola-"; http_header; threshold:type limit,track by_src,seconds 300,count 1; classtype:policy-violation; sid:2021886; rev:1; metadata:created_at 2015_10_01, updated_at 2015_10_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible ethereum traffic"; flow:established,to_server; content:"POST"; depth:4; content:"|22|id|22 3a|"; nocase; distance:0; content:"|22|jsonrpc|22 3a|"; nocase; distance:0; content:"|22|method|22 3a|"; nocase; distance:0; pcre:"/^[^/s]*(?:eth_(?:g(?:et(?:B(?:lock(?:TransactionCountBy(?:Number|Hash)|By(?:Number|Hash))|alance)|Transaction(?:By(?:Block(?:Number|Hash)AndIndex|Hash)|(?:Receip|Coun)t)|Uncle(?:ByBlock(?:Number|Hash)AndIndex|CountByBlock(?:Number|Hash))|(?:Filter(?:Change|Log)|Log)s|Co(?:mpilers|de)|StorageAt|Work)|asPrice)|(?:(?:new(?:PendingTransaction|Block)?|uninstall)Filt|blockNumb)er|s(?:(?:end(?:Raw)?Transactio|ig)n|ubmit(?:Hashrate|Work)|yncing)|c(?:o(?:mpile(?:S(?:olidity|erpent)|LLL)|inbase)|all)|(?:estimateGa|account)s|protocolVersion|hashrate|mining)|shh_(?:new(?:Identity|Filter|Group)|get(?:FilterChan|Messa)ges|uninstallFilter|hasIdentity|addToGroup|version|post)|db_(?:get(?:String|Hex)|put(?:String|Hex))|net_(?:listening|peerCount|version)|web3_(?:clientVersion|sha3))/R"; reference:md5,447a1d3c345a1577ccd287abe91a3ca; classtype:policy-violation; sid:2021983; rev:1; metadata:created_at 2015_10_20, updated_at 2015_10_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External IP Lookup api.ipify.org"; flow:established,to_server; urilen:1; content:"GET"; http_method; content:"Host|3a 20|api.ipify.org"; http_header; fast_pattern:only; reference:md5,79809fd3e05a852581b897cc4b06aa32; classtype:policy-violation; sid:2021997; rev:1; metadata:created_at 2015_10_23, updated_at 2015_10_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (paypartnerstodo.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|paypartnerstodo|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022041; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_11_06, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (allepohelpto.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|allepohelpto|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022042; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_11_06, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (marketcryptopartners.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|14|marketcryptopartners|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022043; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_11_06, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (partnersinvestpayto.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|partnersinvestpayto|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022044; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_11_06, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (forkinvestpay.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|forkinvestpay|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022045; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_11_06, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (effectwaytopay.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|effectwaytopay|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022046; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2015_11_06, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External IP Lookup ip-api.com"; flow:established,to_server; content:"Host|3a 20|ip-api.com|0d 0a|"; http_header; fast_pattern:only; classtype:policy-violation; sid:2022082; rev:1; metadata:created_at 2015_11_13, updated_at 2015_11_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY IP Lookup Geoip.co.uk"; flow:established,to_server; urilen:1; content:"Host|3a 20|www.geoip.co.uk"; http_header; reference:md5,fa05d4f1558a9581a14936c0ab3723f7; classtype:policy-violation; sid:2022123; rev:1; metadata:created_at 2015_11_20, updated_at 2015_11_20;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Lets Encrypt Free SSL Cert Observed"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; metadata: former_category POLICY; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2022218; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Audit, created_at 2015_12_03, updated_at 2017_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External IP Lookup ip2nation.com"; flow:established,to_server; content:"Host|3a 20|www.ip2nation.com|0d 0a|"; http_header; fast_pattern:only; classtype:policy-violation; sid:2022222; rev:3; metadata:created_at 2015_12_07, updated_at 2015_12_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY IOS Download from Vshare Marketplace (Possible DarkSideLoading)"; flow:to_server,established; content:".ipa"; nocase; http_uri; content:"appvv.com"; http_header; nocase; fast_pattern:only; pcre:"/Host\x3a\x20(?:[^\r\n]*?\.)?appvv.com(?:\x3a\d{1,5})?\r\n/Hi"; classtype:policy-violation; sid:2022296; rev:1; metadata:created_at 2015_12_22, updated_at 2015_12_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Android Download from Vshare Marketplace (Possible DarkSideLoading)"; flow:to_server,established; content:".apk"; nocase; http_uri; content:"appvv.com"; http_header; nocase; fast_pattern:only; pcre:"/Host\x3a\x20(?:[^\r\n]*?\.)?appvv.com(?:\x3a\d{1,5})?\r\n/Hi"; classtype:policy-violation; sid:2022297; rev:1; metadata:created_at 2015_12_22, updated_at 2015_12_22;)

alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"ET POLICY FOX-SRT - Juniper ScreenOS SSH World Reachable"; flow:to_client,established; content:"SSH-2.0-NetScreen"; reference:cve,2015-7755; reference:url,kb.juniper.net/JSA10713; classtype:policy-violation; sid:2022299; rev:2; metadata:created_at 2015_12_22, updated_at 2015_12_22;)

#alert tcp any $SSH_PORTS -> any any (msg:"ET POLICY SSHv2 Server KEX Detected within Banner on Expected Port"; flow: from_server,established; flowbits:noalert; content:"SSH-"; offset:0; depth:4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; content:"|0d 0a|"; offset: 4; depth: 255; byte_test:1,=,20,5,relative; flowbits: set,is_ssh_server_banner; flowbits: set,is_ssh_server_kex; reference:url,www.proftpd.org/docs/contrib/mod_sftp.html; classtype:misc-activity; sid:2022325; rev:2; metadata:created_at 2016_12_31, updated_at 2016_12_31;)

#alert tcp any !$SSH_PORTS -> any any (msg:"ET POLICY SSHv2 Server KEX Detected within Banner on Unusual Port"; flow: from_server,established; flowbits:noalert; content:"SSH-"; offset:0; depth:4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; content:"|0d 0a|"; offset: 4; depth: 255; byte_test:1,=,20,5,relative; flowbits: set,is_ssh_server_banner; flowbits: set,is_ssh_server_kex; reference:url,www.proftpd.org/docs/contrib/mod_sftp.html; classtype:misc-activity; sid:2022326; rev:1; metadata:created_at 2016_12_31, updated_at 2016_12_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.link)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|onion|04|link|00|"; nocase; metadata: former_category POLICY; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2022332; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2016_01_05, updated_at 2017_09_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HotSpotShield Activity"; flow:established,to_server; content:"POST"; http_method; content:"Content-Type|3a 20|multipart/form-data|3b 20|boundary=AfPr0xY|0d 0a|"; http_header; fast_pattern:35,18; content:"|2d 2d 41 66 50 72 30 78 59|"; depth:9; http_client_body; content:"|2d 2d 41 66 50 72 30 78 59 2d 2d|"; distance:0; http_client_body; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,45f4e1bb4efd12f0e8b949174a198bf3; classtype:policy-violation; sid:2022342; rev:2; metadata:created_at 2016_01_07, updated_at 2016_01_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External IP Lookup - ipecho.net"; flow:established,to_server; content:"Host|3a 20|ipecho.net|0d 0a|"; http_header; fast_pattern:only; metadata: former_category POLICY; classtype:policy-violation; sid:2022351; rev:1; metadata:created_at 2016_01_11, updated_at 2017_03_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External IP Lookup - ip.tyk.nu"; flow:established,to_server; urilen:1; content:"Host|3a 20|ip.tyk.nu|0d 0a|"; http_header; fast_pattern:only; classtype:policy-violation; sid:2022368; rev:1; metadata:created_at 2016_01_14, updated_at 2016_01_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External IP Lookup - meuip.net.br"; flow:established,to_server; content:"Host|3a 20|meuip.net.br|0d 0a|"; http_header; fast_pattern:only; classtype:policy-violation; sid:2022405; rev:1; metadata:created_at 2016_01_25, updated_at 2016_01_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Possible HTA Application Download"; flow:established,to_server; content:"GET"; http_method; content:".hta"; http_uri; nocase; fast_pattern:only; pcre:"/\.hta$/Ui"; flowbits:set,ET.HTA.Download; content:!"kaspersky.com|0d 0a|"; http_header; reference:url,www.trustedsec.com/july-2015/malicious-htas/; classtype:bad-unknown; sid:2022520; rev:3; metadata:created_at 2016_02_15, updated_at 2016_02_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HotSpotShield Activity"; flow:established,to_server; content:"POST"; http_method; content:"Content-Type|3a 20|multipart/form-data|3b 20|boundary=AfPr0xY|0d 0a|"; http_header; fast_pattern:35,18; content:"|2d 2d 41 66 50 72 30 78 59|"; depth:9; http_client_body; content:"|2d 2d 41 66 50 72 30 78 59 2d 2d|"; distance:0; http_client_body; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,45f4e1bb4efd12f0e8b949174a198bf3; classtype:policy-violation; sid:2022533; rev:1; metadata:created_at 2016_02_17, updated_at 2016_02_17;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Logmein.com/Join.me SSL Remote Control Access"; flow:established,from_server; content:"|16 03|"; depth:2; content:"|55 04 0a|"; distance:0; content:"|0d|LogMeIn, Inc."; distance:1; within:14; content:"join.me"; classtype:policy-violation; sid:2022551; rev:1; metadata:created_at 2016_02_22, updated_at 2016_02_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Server Hello"; flow:from_server,established; content:"|04 00 01 00 02|"; offset:2; depth:5; byte_test:2,>,15,4,relative; byte_test:2,<,33,4,relative; flowbits:set,SSlv2.ServerHello; flowbits:noalert; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022583; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Client Master Key SSL2_RC4_128_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|02 01 00 80|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022584; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Client Master Key SSL2_RC2_128_CBC_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|02 03 00 80|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022585; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Client Master Key SSL2_RC2_128_CBC_EXPORT40_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|02 04 00 80|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url, drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022586; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress ClientMaster Key SSL2_IDEA_128_CBC_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|0205 00 80|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022587; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Client Master Key SSL2_DES_64_CBC_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|02 06 00 40|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022588; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to a *.ngrok domain (ngrok.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|ngrok|03|com|00|"; fast_pattern; distance:0; nocase; classtype:policy-violation; sid:2022641; rev:1; metadata:created_at 2016_03_23, updated_at 2016_03_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to a *.ngrok domain (ngrok.io)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|ngrok|02|io|00|"; fast_pattern; distance:0; nocase; classtype:policy-violation; sid:2022642; rev:1; metadata:created_at 2016_03_23, updated_at 2016_03_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to a *.neokred domain - Likely Hostile"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|neokred|03|org|00|"; fast_pattern; distance:0; nocase; classtype:policy-violation; sid:2022643; rev:1; metadata:created_at 2016_03_23, updated_at 2016_03_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (torgate.es)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|torgate|02|es|00|"; fast_pattern; distance:0; nocase; metadata: former_category POLICY; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022644; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2016_03_23, updated_at 2017_09_05;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (tormaster.fr)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|tormaster|02|fr|00|"; fast_pattern; distance:0; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022645; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2016_03_23, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (torgateway.li)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|torgateway|02|li|00|"; fast_pattern; distance:0; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022646; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2016_03_23, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Possible Psiphon Proxy Tool traffic"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"Content-Length|3a|"; http_header; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; fast_pattern:20,20; http_header; nocase; content:"Accept-Encoding|3a| gzip"; http_header; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a|"; content:!"Connection"; http_header; content:!"Cache-Control"; http_header; content:!"Accept|3a 20|"; http_header; content:"Cookie|3a 20|"; pcre:"/^[A-Z]=(?:[A-Za-z0-9+/])+=?=?\r\n/R"; threshold:type threshold, track by_src, count 20, seconds 120; reference:md5,a050a1e9fa0fe0e01cfbf14ead388c4e; classtype:policy-violation; sid:2022679; rev:3; metadata:created_at 2016_03_28, updated_at 2016_03_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External IP Address Lookup via dawhois.com"; flow:established,to_server; content:"Host|3a 20|www.dawhois.com|0d 0a|"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2022687; rev:1; metadata:created_at 2016_03_30, updated_at 2016_03_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Windows Quicktime User-Agent EOL With Known Bugs"; flow:established,to_server; content:"User-Agent|3a 20|QuickTime"; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a\x20QuickTime[^\r\n]+?os=Windows NT/Hm"; threshold: type limit, count 1, seconds 600, track by_src; reference:url,www.us-cert.gov/ncas/alerts/TA16-105A; classtype:policy-violation; sid:2022738; rev:1; metadata:created_at 2016_04_18, updated_at 2016_04_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Possible SQLi Attempt in User Agent (Outbound)"; flow:established,from_client; content:"User-Agent|3a 20|"; http_header; content:"select"; nocase; distance:0; fast_pattern; http_header; content:"from"; nocase; http_header; within:20; pcre:"/User-Agent\x3a\x20[^\r\n]+select[^\r\n]+from/Hi"; reference:url,blog.cloudflare.com/the-sleepy-user-agent/; classtype:trojan-activity; sid:2022815; rev:1; metadata:created_at 2016_05_17, updated_at 2016_05_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Crypto Coin Miner Login"; flow:to_server,established; content:"|7b 22|method|22 3a|"; depth:10; fast_pattern; content:"|22|login|22 2c|"; distance:0; within:9; content:"|22|params|22 3a|"; distance:0; within:10; content:"|7b 22|login"; nocase; distance:0; within:8; content:"agent|22 3a|"; nocase; distance:0; metadata: former_category POLICY; reference:md5,d1082e445f932938366a449631b82946; reference:md5,33d7a82fe13c9737a103bcc4a21f9425; reference:md5,ebe1aeb5dd692b222f8cf964e7785a55; classtype:trojan-activity; sid:2022886; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Bitcoin_Miner, signature_severity Audit, created_at 2016_06_09, malware_family CoinMiner, performance_impact Low, updated_at 2017_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External IP Lookup ip-score.com"; flow:established,to_server; content:"Host|3a 20|ip-score.com|0d 0a|"; fast_pattern:only; http_header; content:!"Referer|3a|"; http_header; classtype:policy-violation; sid:2022892; rev:1; metadata:created_at 2016_06_13, updated_at 2016_06_13;)

alert udp any 68 -> any 67 (msg:"ET POLICY Possible Kali Linux hostname in DHCP Request Packet"; content:"|63 82 53 63 35 01 03|"; content:"|0c 04|kali"; distance:0; nocase; metadata: former_category POLICY; reference:url,www.kali.org; classtype:policy-violation; sid:2022973; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Audit, created_at 2016_07_18, performance_impact Low, updated_at 2017_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External IP Address Lookup - b4secure .com"; flow:established,to_server; urilen:12; content:"/index.shtml"; http_uri; content:"Host|3a 20|"; http_header; content:"b4secure.com|0d 0a|"; distance:0; http_header; fast_pattern; pcre:"/^Host\x3a[^\r\n]+(?:www\.)?b4secure\.com\r$/Hmi"; metadata: former_category POLICY; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-psa-conference-invite-used-lure-operation-lotus-blossom-actors/; classtype:policy-violation; sid:2023469; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, signature_severity Audit, created_at 2016_10_31, malware_family Emissary, malware_family Lotus_Blossom, updated_at 2017_10_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|04|myip|07|opendns|03|com|00|"; fast_pattern; distance:0; nocase; metadata: former_category POLICY; classtype:policy-violation; sid:2023472; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag IP_address_lookup_website, signature_severity Audit, created_at 2016_11_01, performance_impact Low, updated_at 2017_11_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Android Adups Firmware Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"{|22|dc_date|22 3a|"; depth:11; http_client_body; content:",|22|dc_type|22 3a|"; fast_pattern:only; http_client_body; content:",|22|keyword|22 3a|"; http_client_body; content:",|22|md5|22 3a|"; http_client_body; content:",|22|msg_date|22 3a|"; http_client_body; content:",|22|msg_type|22 3a|"; http_client_body; content:",|22|tell|22 3a|"; http_client_body; metadata: former_category POLICY; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023514; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Audit, created_at 2016_11_16, updated_at 2017_10_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY Android Adups Firmware DNS Query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|bigdata|05|adups|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category POLICY; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023515; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Audit, created_at 2016_11_16, updated_at 2017_10_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY Android Adups Firmware DNS Query 2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|bigdata|0b|adsunflower|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category POLICY; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023516; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Audit, created_at 2016_11_16, updated_at 2017_10_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY Android Adups Firmware DNS Query 3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|bigdata|08|adfuture|02|cn|00|"; nocase; distance:0; fast_pattern; metadata: former_category POLICY; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023517; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Audit, created_at 2016_11_16, updated_at 2017_11_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY Android Adups Firmware DNS Query 4"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|bigdata|06|advmob|02|cn|00|"; nocase; distance:0; fast_pattern; metadata: former_category POLICY; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023518; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Audit, created_at 2016_11_16, updated_at 2017_10_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY Android Adups Firmware DNS Query 5"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|rebootv5|0b|adsunflower|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category POLICY; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023519; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Audit, created_at 2016_11_16, updated_at 2017_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External IP Lookup (tinytools.nu)"; flow:established,to_server; content:"Host|3a 20|www.tinytools.nu|0d 0a|"; http_header; fast_pattern:only; content:"/MyIPAddress/"; nocase; http_uri; metadata: former_category POLICY; classtype:policy-violation; sid:2023520; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Audit, created_at 2016_11_17, performance_impact Low, updated_at 2017_10_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (anonym.to)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|anonym|02|to|00|"; nocase; distance:0; fast_pattern; metadata: former_category POLICY; classtype:policy-violation; sid:2023597; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2016_12_09, performance_impact Low, updated_at 2017_10_12;)

#alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to Hamas Terrorist Propaganda TV Channel (aqsatv .ps)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|aqsatv|02|ps|00|"; nocase; distance:0; fast_pattern; metadata: former_category POLICY; classtype:policy-violation; sid:2023873; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, cve url_nctc_gov_site_groups_hamas_html, signature_severity Audit, created_at 2017_02_06, performance_impact Low, updated_at 2018_01_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hamas Terrorist Propaganda TV Channel (aqsatv.ps)"; flow:established,to_server; content:"GET"; http_method; content:"Host|3a 20|aqsatv.ps"; http_header; metadata: former_category POLICY; reference:url,nctc.gov/site/groups/hamas.html; classtype:policy-violation; sid:2023874; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Audit, created_at 2017_02_06, performance_impact Low, updated_at 2017_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Outdated Flash Version M2"; flow:established,to_server; content:"X-Requested-With|3a 20|ShockwaveFlash/"; http_header; fast_pattern:18,15; content:!"30.0.0.134|0d 0a|"; distance:0; within:12; http_header; threshold: type limit, count 1, seconds 60, track by_src; metadata: former_category POLICY; reference:url,www.adobe.com/software/flash/about/; classtype:policy-violation; sid:2024379; rev:20; metadata:affected_product Adobe_Flash, signature_severity Audit, created_at 2017_06_13, performance_impact Low, updated_at 2017_12_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Retrieving External IP Address (monip.outils-rezo. info)"; flow:established,to_server; content:"GET"; http_method; content:"/text"; http_uri; content:"Host|3a 20|"; http_header; content:"monip.outils-rezo.info|0d 0a|"; http_header; distance:0; within:24; fast_pattern; content:!"Referer|3a|"; http_header; metadata: former_category POLICY; classtype:policy-violation; sid:2024526; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Audit, created_at 2017_08_08, performance_impact Low, updated_at 2017_08_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY External IP Lookup Domain (ipapi .co in DNS lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|05|ipapi|02|co|00|"; nocase; distance:0; fast_pattern; metadata: former_category POLICY; classtype:policy-violation; sid:2024527; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag IP_address_lookup_website, signature_severity Audit, created_at 2017_08_08, performance_impact Low, updated_at 2017_11_02;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.guide)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|onion|05|guide|00|"; nocase; metadata: former_category POLICY; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2024662; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Audit, created_at 2017_09_05, performance_impact Low, updated_at 2017_09_05;)

alert udp any any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.top)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|onion|03|top|00|"; fast_pattern; nocase; metadata: former_category POLICY; classtype:policy-violation; sid:2024665; rev:3; metadata:created_at 2017_09_06, updated_at 2017_09_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query For Browser Cryptocurrency Mining Domain"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|06|static|0a|reasedoper|02|pw|00|"; fast_pattern; distance:0; nocase; metadata: former_category POLICY; reference:url,www.welivesecurity.com/2017/09/14/cryptocurrency-web-mining-union-profit/; classtype:trojan-activity; sid:2024779; rev:4; metadata:affected_product Web_Browsers, created_at 2017_09_27, malware_family CoinMiner, updated_at 2018_05_23;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Request for Coinhive Browser Monero Miner M2"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|0a e1 e6 bd 51 fb 3d 8f 06 be 0d b5 5e bd e9 df|"; within:100; metadata: former_category POLICY; classtype:policy-violation; sid:2024786; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_29, updated_at 2017_09_29;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Request for Jsecoin Browser Miner M2"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 e7 f9 b6 de a6 57 93 e2 44 6a 3b 95 c6 b3 ec df|"; within:100; metadata: former_category POLICY; classtype:policy-violation; sid:2024788; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_29, updated_at 2017_09_29;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS request for Monero mining pool"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|pool|07|minexmr|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category POLICY; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Signatures/suricata/2017_09_monero_malware.txt; reference:url,www.welivesecurity.com/2017/09/28/monero-money-mining-malware/; classtype:trojan-activity; sid:2024789; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_29, updated_at 2017_09_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Cryptocurrency Miner Checkin"; flow:established,to_server; content:"|7b 22|id|22 3a|"; nocase; depth:6; content:"|22|jsonrpc|22 3a|"; nocase; distance:0; content:"|22 2c 22|method|22 3a 22|login|22 2c 22|params|22 3a|"; fast_pattern; content:"|22|pass|22 3a 22|"; nocase; content:"|22|agent|22 3a 22|"; nocase; content:!"<title"; nocase; content:!"<script"; nocase; content:!"<html"; nocase; metadata: former_category POLICY; classtype:policy-violation; sid:2024792; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_10_02, updated_at 2018_06_15;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY Observed IP Lookup Domain (formyip .com in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|07|formyip|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category POLICY; classtype:policy-violation; sid:2024830; rev:2; metadata:created_at 2017_10_10, updated_at 2017_10_10;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY Observed IP Lookup Domain (l2 .io in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|02|l2|02|io|00|"; nocase; distance:0; fast_pattern; metadata: former_category POLICY; classtype:policy-violation; sid:2024831; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Audit, created_at 2017_10_10, updated_at 2017_10_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Observed IP Lookup Domain (formyip .com in TLS SNI)"; flow:established,to_server; content:"|00 00 0b|formyip.com"; fast_pattern:only; nocase; metadata: former_category POLICY; classtype:policy-violation; sid:2024832; rev:1; metadata:created_at 2017_10_10, updated_at 2017_10_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Observed IP Lookup Domain (l2 .io in TLS SNI)"; flow:established,to_server; content:"|00 00 05|l2.io"; fast_pattern:only; nocase; metadata: former_category POLICY; classtype:policy-violation; sid:2024833; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Audit, created_at 2017_10_10, performance_impact Moderate, updated_at 2017_10_10;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY PTsecurity Remote Desktop AeroAdmin Server Hello"; flow:established,to_client; dsize:9; stream_size:client,=,1; stream_size:server,=,10; content:"|05 00 00 00 00 ff ff ff ff|"; depth:9; fast_pattern; metadata: former_category POLICY; classtype:policy-violation; sid:2025008; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_16, performance_impact Low, updated_at 2017_11_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY PTsecurity Remote Desktop AeroAdmin handshake"; flow:established,to_server; content:"|e1 00 00 00 00|"; depth:5; content:"|0b 00 00 d8 00 00 00 4d 49 47 64 4d 41|"; distance:1; within:13; fast_pattern; threshold: type limit, track by_src, count 1, seconds 30; metadata: former_category POLICY; classtype:policy-violation; sid:2025009; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_16, performance_impact Low, updated_at 2017_11_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY .onion proxy Domain (onion .plus in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|05|onion|04|plus|00|"; nocase; distance:0; fast_pattern; metadata: former_category POLICY; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2025095; rev:2; metadata:created_at 2017_12_01, updated_at 2017_12_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (onion .casa in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|05|onion|04|casa|00|"; nocase; distance:0; fast_pattern; metadata: former_category POLICY; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2025096; rev:1; metadata:created_at 2017_12_01, updated_at 2017_12_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY localtunnel Connection Setup Attempt"; flow:established,to_server; content:"host|3a 20|"; http_header; depth:6; content:"localtunnel.me|0d 0a|"; http_header; fast_pattern; distance:0; content:!"User-Agent"; http_header; content:!"Host"; http_header; content:!"Referer"; http_header; content:!"Accept"; http_header; metadata: former_category POLICY; reference:url,localtunnel.github.io/www/; classtype:policy-violation; sid:2025116; rev:2; metadata:attack_target Client_and_Server, deployment Perimeter, signature_severity Minor, created_at 2017_12_04, updated_at 2017_12_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY localtunnel Sucessful Connection Setup"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"|7b 22|port|22 3a|"; content:"|22|max_conn_count|22 3a|"; distance:0; content:"|22|id|22 3a|"; distance:0; content:"|22|url|22 3a|"; distance:0; content:"localtunnel.me|22 7d|"; distance:0; metadata: former_category POLICY; reference:url,localtunnel.github.io/www/; classtype:policy-violation; sid:2025117; rev:2; metadata:attack_target Client_and_Server, deployment Perimeter, signature_severity Minor, created_at 2017_12_04, updated_at 2017_12_04;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY possible OnePlus phone data leakage DNS"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|04|open|07|oneplus|03|net|00|"; nocase; distance:0; fast_pattern; metadata: former_category POLICY; reference:url,www.chrisdcmoore.co.uk/post/oneplus-analytics/; classtype:policy-violation; sid:2025133; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Minor, created_at 2017_12_06, malware_family Android_OnePlus, updated_at 2017_12_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY OnePlus phone data leakage"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/cloud/pushdata|20|HTTP/1."; fast_pattern; content:"okhttp/"; http_header; content:!"Referer|3a 20|"; http_header; content:"data="; depth:5; http_client_body; metadata: former_category POLICY; reference:url,www.chrisdcmoore.co.uk/post/oneplus-analytics/; classtype:policy-violation; sid:2025134; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Minor, created_at 2017_12_06, malware_family Android_OnePlus, updated_at 2017_12_06;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY localtunnel Reverse Proxy Domain (localtunnel .me in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0b|localtunnel|02|me|00|"; nocase; distance:0; fast_pattern; metadata: former_category POLICY; reference:url,localtunnel.github.io/www/; classtype:policy-violation; sid:2025138; rev:2; metadata:created_at 2017_12_06, updated_at 2017_12_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY localtunnel Reverse Proxy Domain (localtunnel .me in TLS SNI)"; flow:established,to_server; content:".localtunnel.me"; fast_pattern:only; nocase; metadata: former_category POLICY; reference:url,localtunnel.github.io/www/; classtype:policy-violation; sid:2025139; rev:2; metadata:created_at 2017_12_06, updated_at 2017_12_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY IP Check (rl. ammyy. com)"; flow:to_server,established; urilen:1; content:"Host|3a 20|rl.ammyy.com|0d 0a|"; http_header; fast_pattern; content:"|0d 0a 0d 0a|"; isdataat:!1,relative; classtype:policy-violation; sid:2025149; rev:3; metadata:created_at 2017_12_13, updated_at 2017_12_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY IP Check Response (rl. ammyy. com)"; flow:to_client,established; file_data; content:"Your IP="; depth:8; content:", country = "; distance:0; isdataat:!3,relative; classtype:policy-violation; sid:2025150; rev:2; metadata:created_at 2017_12_13, updated_at 2017_12_13;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY External IP Lookup Domain (curlmyip .net in DNS lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|08|curlmyip|03|net|00|"; nocase; distance:0; fast_pattern; metadata: former_category POLICY; reference:md5,c375012865b94fa037d23c555e6c2772; classtype:policy-violation; sid:2025154; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_12_15, performance_impact Low, updated_at 2017_12_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 9.0.x Detected"; flow:established,to_server; content:" Java/9."; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; metadata: former_category POLICY; reference:url,www.oracle.com/technetwork/java/javase/documentation/9u-relnotes-3704429.html; classtype:bad-unknown; sid:2025314; rev:4; metadata:affected_product Java, attack_target Client_Endpoint, deployment Perimeter, deployment Internal, tag EOL, signature_severity Audit, created_at 2018_02_05, performance_impact Low, updated_at 2018_07_17;)

#alert tcp $EXTERNAL_NET [443,4443,4433] -> $HOME_NET any (msg:"ET POLICY [Fidelis] Abnormal x509v3 SubjectKeyIdentifier extension"; flow:established,from_server; dsize:>768; content:"|16 03|"; depth:2; content:"|06 03 55 1d 0e 04|"; offset:336; pcre:"/^.\x04[^\x08\x10\x14\x20\x30\x40]/R"; threshold: type limit, track by_src, seconds 30, count 1; metadata: former_category POLICY; reference:url,www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities; classtype:misc-attack; sid:2025319; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_06, updated_at 2018_02_07;)

#alert tcp $EXTERNAL_NET [443,4433,4443] -> $HOME_NET any (msg:"ET POLICY [Fidelis] Abnormal Very Long x509v3 SubjectKeyIdentifier Extension"; flow:established,from_server; dsize:>768; content:"|16 03|"; depth:2; content:"|06 03 55 1d 0e 04|"; offset:336; pcre:"/^[\x80-\xff]/R"; threshold: type limit, track by_src, seconds 30, count 1; metadata: former_category POLICY; reference:url,www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities; classtype:misc-attack; sid:2025320; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_06, updated_at 2018_02_07;)

alert tcp $EXTERNAL_NET [443,4433,4443] -> $HOME_NET any (msg:"ET POLICY Possible Windows Binary Observed in SSL/TLS Certificate"; flow:established,from_server; dsize:>768; content:"|16|"; content:"|0b|"; within:8; content:"This program cannot be run in DOS mode"; nocase; metadata: former_category POLICY; reference:url,www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities; classtype:misc-attack; sid:2025315; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_06, updated_at 2018_02_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; distance:0; content:"|0d|Let's|20|Encrypt"; distance:0; within:15; content:"|55 04 03|"; distance:0; content:"|09|ipinfo.io"; distance:1; within:10; metadata: former_category POLICY; classtype:policy-violation; sid:2025330; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_02_07, performance_impact Low, updated_at 2018_02_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)"; flow:to_server,established; content:"|16|"; depth:1; content:"|00 00 09|ipinfo.io"; distance:0; metadata: former_category POLICY; classtype:trojan-activity; sid:2025331; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_02_07, performance_impact Low, updated_at 2018_02_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (onion. sx)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|05|onion|02|sx|00|"; nocase; distance:0; fast_pattern; metadata: former_category POLICY; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2025446; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_03_28, performance_impact Moderate, updated_at 2018_03_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to .onion proxy Domain (onion. pw)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|05|onion|02|pw|00|"; nocase; distance:0; fast_pattern; metadata: former_category POLICY; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2025449; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_03_30, performance_impact Moderate, updated_at 2018_03_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY Monero Mining Pool DNS Lookup"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|03|xmr|04|pool|09|minergate|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category POLICY; classtype:trojan-activity; sid:2025451; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Coinminer, signature_severity Minor, created_at 2018_03_30, updated_at 2018_04_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 10.0.x Detected"; flow:established,to_server; content:" Java/10.0."; http_header; content:!"2"; within:1; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; metadata: former_category POLICY; reference:url,www.oracle.com/technetwork/java/javase/10u-relnotes-4108739.html; classtype:bad-unknown; sid:2025518; rev:3; metadata:affected_product Java, attack_target Client_Endpoint, deployment Perimeter, deployment Internal, signature_severity Audit, created_at 2018_04_19, performance_impact Low, updated_at 2018_07_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTPie User-Agent Outbound"; flow:established,to_server; content:"User-Agent|3a| HTTPie/"; nocase; http_header; metadata: former_category POLICY; reference:url,httpie.org; classtype:attempted-recon; sid:2025584; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_23, updated_at 2018_05_23;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB Executable File Transfer"; flow:established,to_server; content:"SMB"; depth:8; content:"MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.smb.binary; metadata: former_category POLICY; classtype:bad-unknown; sid:2025699; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, deployment Internal, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For an Executable File"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"|2E|exe|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2025700; rev:2; metadata:attack_target SMB_Client, deployment Internal, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For an Executable File"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00 2E 00|e|00|x|00|e|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2025701; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, deployment Perimeter, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For an Executable File In a Temp Directory"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"temp\\"; nocase; distance:0; content:"|2E|exe|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2025702; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, deployment Internal, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For an Executable File In a Temp Directory"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"t|00|e|00|m|00|p|00|\\|00|"; nocase; distance:0; content:"|00 2E 00|e|00|x|00|e|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:trojan-activity; sid:2025703; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, deployment Internal, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For a Powershell .ps1 File"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"|2E|ps1|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2025704; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, deployment Internal, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For a Powershell .ps1 File"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00 2E 00|p|00|s|00|1|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2025705; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, deployment Internal, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For a .bat File"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"|2E|bat|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2025706; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, deployment Internal, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For a .bat File"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00 2E 00|b|00|a|00|t|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2025707; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, deployment Internal, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For a DLL File"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"|2E|dll|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2025708; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, deployment Internal, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00 2E 00|d|00|l|00|l|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2025709; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, deployment Internal, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For a .sys File - Possible Lateral Movement"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"|2E|sys|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2025710; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, deployment Internal, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For a .sys File - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00 2E 00|s|00|y|00|s|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2025711; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, deployment Internal, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB Remote AT Scheduled Job Create Request - Possible Lateral Movement"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"atsvc|00|"; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2025712; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, deployment Internal, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 Remote AT Scheduled Job Create Request"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00|a|00|t|00|s|00|v|00|c|00|"; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2025713; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, deployment Internal, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp $HOME_NET 445 -> any any (msg:"ET POLICY SMB Remote AT Scheduled Job Pipe Creation"; flow:established,to_client; content:"SMB"; depth:8; content:"\\PIPE\\atsvc|00|"; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2025714; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, deployment Internal, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Activity Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; nocase; distance:0; fast_pattern; metadata: former_category POLICY; classtype:trojan-activity; sid:2025719; rev:1; metadata:attack_target SMB_Client, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2018_07_17, performance_impact Low, updated_at 2018_07_18;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Hidden Window Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; nocase; distance:0; fast_pattern; content:"|00|-|00|w|00|"; nocase; distance:0; content:"|00|h|00|i|00|d|00|d|00|e|00|n|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:trojan-activity; sid:2025720; rev:2; metadata:attack_target SMB_Client, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2018_07_17, performance_impact Low, updated_at 2018_07_18;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Encoded Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; nocase; distance:0; fast_pattern; content:"|00|e|00|n|00|c|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:trojan-activity; sid:2025721; rev:1; metadata:attack_target SMB_Client, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2018_07_17, performance_impact Low, updated_at 2018_07_18;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With No Profile Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; nocase; distance:0; fast_pattern; content:"|00|n|00|o|00|p|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:trojan-activity; sid:2025722; rev:1; metadata:attack_target SMB_Client, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2018_07_17, performance_impact Low, updated_at 2018_07_18;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Execution Bypass Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; nocase; distance:0; fast_pattern; content:"|00|e|00|x|00|e|00|c|00|"; nocase; distance:0; content:"|00|b|00|y|00|p|00|a|00|s|00|s|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:trojan-activity; sid:2025723; rev:1; metadata:attack_target SMB_Client, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2018_07_17, performance_impact Low, updated_at 2018_07_18;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With NonInteractive Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; nocase; distance:0; fast_pattern; content:"|00|n|00|o|00|n|00|i|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:trojan-activity; sid:2025724; rev:1; metadata:attack_target SMB_Client, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2018_07_17, performance_impact Low, updated_at 2018_07_18;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY RunDll Request Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|r|00|u|00|n|00|d|00|l|00|l|00|"; nocase; distance:0; fast_pattern; metadata: former_category POLICY; classtype:trojan-activity; sid:2025725; rev:2; metadata:attack_target SMB_Client, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2018_07_17, performance_impact Low, updated_at 2018_07_18;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|w|00|m|00|i|00|c|00|"; nocase; distance:0; fast_pattern; metadata: former_category POLICY; classtype:trojan-activity; sid:2025726; rev:1; metadata:attack_target SMB_Client, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2018_07_17, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 APOP USER overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s+USER\s[^\n]{256}/smi"; reference:bugtraq,9794; classtype:attempted-admin; sid:2102409; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 APOP overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s[^\n]{256}/smi"; reference:bugtraq,1652; reference:cve,2000-0840; reference:cve,2000-0841; reference:nessus,10559; classtype:attempted-admin; sid:2101635; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 AUTH overflow attempt"; flow:to_server,established; content:"AUTH"; nocase; isdataat:50,relative; pcre:"/^AUTH\s[^\n]{50}/smi"; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:2101936; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 CAPA overflow attempt"; flow:to_server,established; content:"CAPA"; nocase; isdataat:10,relative; pcre:"/^CAPA\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2102108; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 DELE negative argument attempt"; flow:to_server,established; content:"DELE"; nocase; pcre:"/^DELE\s+-\d/smi"; reference:bugtraq,6053; reference:bugtraq,7445; reference:cve,2002-1539; classtype:misc-attack; sid:2102121; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:10,relative; pcre:"/^DELE\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2102111; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 BSD overflow"; flow:to_server,established; content:"^|0E|1|C0 B0 3B 8D|~|0E 89 FA 89 F9|"; reference:bugtraq,133; reference:cve,1999-0006; reference:nessus,10196; classtype:attempted-admin; sid:2100286; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 BSD overflow 2"; flow:to_server,established; content:"h]^|FF D5 FF D4 FF F5 8B F5 90|f1"; classtype:attempted-admin; sid:2100287; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 Linux overflow"; flow:to_server,established; content:"|D8|@|CD 80 E8 D9 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:2100288; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 SCO overflow"; flow:to_server,established; content:"V|0E|1|C0 B0 3B 8D|~|12 89 F9 89 F9|"; reference:bugtraq,156; reference:cve,1999-0006; classtype:attempted-admin; sid:2100289; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 LIST overflow attempt"; flow:to_server,established; content:"LIST"; nocase; isdataat:10,relative; pcre:"/^LIST\s[^\n]{10}/smi"; reference:bugtraq,948; reference:cve,2000-0096; reference:nessus,10197; classtype:attempted-admin; sid:2101937; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 PASS format string attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s+[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2102666; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 POP3 PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; isdataat:50,relative; pcre:"/^PASS\s[^\n]{50}/smi"; reference:bugtraq,791; reference:cve,1999-1511; reference:nessus,10325; classtype:attempted-admin; sid:2101634; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 RSET overflow attempt"; flow:to_server,established; content:"RSET"; nocase; isdataat:10,relative; pcre:"/^RSET\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2102112; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:10,relative; pcre:"/^STAT\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2102110; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 TOP overflow attempt"; flow:to_server,established; content:"TOP"; nocase; isdataat:10,relative; pcre:"/^TOP\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2102109; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 UIDL negative argument attempt"; flow:to_server,established; content:"UIDL"; nocase; pcre:"/^UIDL\s+-\d/smi"; reference:bugtraq,6053; reference:cve,2002-1539; reference:nessus,11570; classtype:misc-attack; sid:2102122; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 USER format string attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s+[^\n]*?%/smi"; reference:bugtraq,10976; reference:bugtraq,7667; reference:cve,2003-0391; reference:nessus,11742; classtype:attempted-admin; sid:2102250; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; isdataat:50,relative; pcre:"/^USER\s[^\n]{50}/smi"; reference:bugtraq,11256; reference:bugtraq,789; reference:cve,1999-0494; reference:nessus,10311; classtype:attempted-admin; sid:2101866; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 XTND overflow attempt"; flow:to_server,established; content:"XTND"; nocase; isdataat:50,relative; pcre:"/^XTND\s[^\n]{50}/smi"; classtype:attempted-admin; sid:2101938; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"GPL RPC status GHBN format string attack"; flow:to_server, established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:misc-attack; sid:2101891; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap NFS request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2101960; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap RQUOTA request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2101962; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap SET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2101949; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap UNSET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2102014; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap admind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,18; classtype:rpc-portmap-decode; sid:2101262; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap amountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,19; classtype:rpc-portmap-decode; sid:2101263; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap bootparam request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,16; reference:cve,1999-0647; classtype:rpc-portmap-decode; sid:2101264; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cachefsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; classtype:rpc-portmap-decode; sid:2101747; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cmsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,17; classtype:rpc-portmap-decode; sid:2101265; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap espd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:2100595; rev:17; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap kcms_server request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2102006; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,428; classtype:rpc-portmap-decode; sid:2100598; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap network-status-monitor request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2102036; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap nisd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,21; classtype:rpc-portmap-decode; sid:2101267; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap nlockmgr request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1372; reference:cve,2000-0508; classtype:rpc-portmap-decode; sid:2102080; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap pcnfsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,22; classtype:rpc-portmap-decode; sid:2101268; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap proxy attempt TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2101922; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap proxy integer overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A0 00|"; depth:5; offset:16; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,7123; reference:cve,2003-0028; classtype:rpc-portmap-decode; sid:2102093; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rexd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,23; classtype:rpc-portmap-decode; sid:2101269; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rpc.xfsmd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2102082; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rstatd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,10; classtype:rpc-portmap-decode; sid:2101270; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rusers request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,133; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:2101271; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rwalld request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2101733; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap sadmind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,20; classtype:rpc-portmap-decode; sid:2101272; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap selection_svc request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,25; classtype:rpc-portmap-decode; sid:2101273; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap snmpXdmi request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2100593; rev:19; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap status request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,15; classtype:rpc-portmap-decode; sid:2102016; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ttdbserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2101274; rev:19; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap yppasswd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,14; classtype:rpc-portmap-decode; sid:2101275; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:2101276; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypupdated request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,125; classtype:rpc-portmap-decode; sid:2100591; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"GPL RPC kcms_server directory traversal attempt"; flow:to_server,established; content:"|00 01 87|}"; depth:4; offset:16; byte_jump:4,20,relative,align; byte_jump:4,4,relative,align; content:"/../"; distance:0; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack; sid:2102007; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"GPL RPC rexec password overflow attempt"; flow:to_server,established; content:"|00|"; content:"|00|"; distance:33; content:"|00|"; distance:0; classtype:attempted-admin; sid:2102114; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL RPC rlogin LinuxNIS"; flow:to_server,established; content:"|3A 3A 3A 3A 3A 3A 3A 3A 00 3A 3A 3A 3A 3A 3A 3A 3A|"; classtype:bad-unknown; sid:2100601; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"GPL RPC kerberos principal name overflow TCP"; flow:to_server,established; content:"j"; depth:1; offset:4; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2102579; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC CMSD TCP CMSD_CREATE array buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,5356; reference:cve,2002-0391; classtype:attempted-admin; sid:2102095; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC CMSD TCP CMSD_CREATE buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,524; reference:cve,1999-0696; classtype:attempted-admin; sid:2101908; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC CMSD TCP CMSD_INSERT buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,524; reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:2101909; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC STATD TCP monitor mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:2101916; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC STATD TCP stat mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:2101914; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd TCP dump request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:2102018; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd TCP export request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,26; classtype:attempted-recon; sid:2100574; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd TCP exportall request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,26; classtype:attempted-recon; sid:2101925; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd TCP mount path overflow attempt"; flow:to_server,established; content:"|00 01 86 A5 00|"; depth:5; offset:16; content:"|00 00 00 01|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,8179; reference:cve,2003-0252; reference:nessus,11800; classtype:misc-attack; sid:2102184; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd TCP mount request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:2101951; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd TCP unmount request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:2102020; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd TCP unmountall request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:2102022; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC rpc.xfsmd xfs_export attempt TCP"; flow:to_server,established; content:"|00 05 F7|h"; depth:4; offset:16; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2102084; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,0866; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:2101912; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC sadmind TCP PING"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,866; classtype:attempted-admin; sid:2101958; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC sadmind query with root credentials attempt TCP"; flow:to_server,established; content:"|00 01 87 88|"; fast_pattern; depth:4; offset:16; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; classtype:misc-attack; sid:2102255; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"|00 01 87 99|"; depth:4; offset:16; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:2100569; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC tooltalk TCP overflow attempt"; flow:to_server,established; content:"|00 01 86 F3|"; depth:4; offset:16; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,122; reference:cve,1999-0003; classtype:misc-attack; sid:2101965; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC yppasswd new password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2102030; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC yppasswd old password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2102028; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC yppasswd user update TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2102032; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC yppasswd username overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2102026; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET 512 -> $EXTERNAL_NET any (msg:"GPL RPC rexec username too long response"; flow:from_server,established; content:"username too long"; depth:17; reference:bugtraq,7459; classtype:unsuccessful-user; sid:2102104; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"GPL RPC rlogin login failure"; flow:from_server,established; content:"login incorrect"; reference:arachnids,393; classtype:unsuccessful-user; sid:2100605; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"GPL RPC rlogin login failure"; flow:from_server,established; content:"|01|rlogind|3A| Permission denied."; reference:arachnids,392; classtype:unsuccessful-user; sid:2100611; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap NFS request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101959; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap RQUOTA request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101961; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap SET attempt UDP 111"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101950; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap UNSET attempt UDP 111"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2102015; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap admind request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,18; classtype:rpc-portmap-decode; sid:2100575; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap amountd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,19; classtype:rpc-portmap-decode; sid:2100576; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap bootparam request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,16; reference:cve,1999-0647; classtype:rpc-portmap-decode; sid:2100577; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cachefsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; classtype:rpc-portmap-decode; sid:2101746; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cmsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,17; classtype:rpc-portmap-decode; sid:2100578; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap espd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:2102017; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap kcms_server request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2102005; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap listing UDP 111"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,428; classtype:rpc-portmap-decode; sid:2101280; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap mountd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,13; classtype:rpc-portmap-decode; sid:2100579; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap network-status-monitor request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2102035; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap nisd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,21; classtype:rpc-portmap-decode; sid:2100580; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap nlockmgr request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1372; reference:cve,2000-0508; classtype:rpc-portmap-decode; sid:2102079; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap pcnfsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,22; classtype:rpc-portmap-decode; sid:2100581; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap proxy attempt UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101923; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rexd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,23; classtype:rpc-portmap-decode; sid:2100582; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rpc.xfsmd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2102081; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rstatd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,10; classtype:rpc-portmap-decode; sid:2100583; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rusers request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,133; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:2100584; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rwalld request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101732; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap sadmind request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,20; classtype:rpc-portmap-decode; sid:2100585; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap selection_svc request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,25; classtype:rpc-portmap-decode; sid:2100586; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap snmpXdmi request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2101279; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap status request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,15; classtype:rpc-portmap-decode; sid:2100587; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ttdbserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2100588; rev:18; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap yppasswd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,14; classtype:rpc-portmap-decode; sid:2100589; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:2100590; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypupdated request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101277; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"GPL RPC xdmcp info query"; content:"|00 01 00 02 00 01 00|"; reference:nessus,10891; classtype:attempted-recon; sid:2101867; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"GPL RPC portmap listing UDP 32771"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101281; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"GPL RPC kerberos principal name overflow UDP"; content:"j"; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2102578; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5356; reference:cve,2002-0391; classtype:attempted-admin; sid:2102094; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC CMSD UDP CMSD_CREATE buffer overflow attempt"; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,524; reference:cve,1999-0696; classtype:attempted-admin; sid:2101907; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC RQUOTA getquota overflow attempt UDP"; content:"|00 01 86 AB|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,864; reference:cve,1999-0974; classtype:misc-attack; sid:2101963; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC STATD UDP monitor mon_name format string exploit attempt"; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:2101915; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC STATD UDP stat mon_name format string exploit attempt"; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:2101913; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd UDP dump request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2102019; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd UDP export request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2101924; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd UDP exportall request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2101926; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd UDP mount path overflow attempt"; content:"|00 01 86 A5 00|"; depth:5; offset:12; content:"|00 00 00 01|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,8179; reference:cve,2003-0252; reference:nessus,11800; classtype:misc-attack; sid:2102185; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd UDP mount request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2101952; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd UDP unmount request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2102021; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC rpc.xfsmd xfs_export attempt UDP"; content:"|00 05 F7|h"; depth:4; offset:12; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2102083; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC sadmind UDP PING"; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,866; classtype:attempted-admin; sid:2101957; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC sadmind query with root credentials attempt UDP"; content:"|00 01 87 88|"; fast_pattern; depth:4; offset:12; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; classtype:misc-attack; sid:2102256; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC tooltalk UDP overflow attempt"; content:"|00 01 86 F3|"; depth:4; offset:12; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,122; reference:cve,1999-0003; classtype:misc-attack; sid:2101964; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC yppasswd new password overflow attempt UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2102029; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC yppasswd old password overflow attempt UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2102027; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC yppasswd user update UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2102031; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC yppasswd username overflow attempt UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2102025; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC ypserv maplist request UDP"; content:"|00 01 86 A4|"; depth:4; offset:12; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:2102033; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC ypupdated arbitrary command attempt UDP"; content:"|00 01 86 BC|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|"; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:misc-attack; sid:2102088; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 20222 (msg:"ET SCADA CitectSCADA ODBC Overflow Attempt"; flow:established,to_server; dsize:4; byte_test:4,>,399,0; reference:cve,2008-2639; reference:url,www.digitalbond.com/index.php/2008/09/08/ids-signature-for-citect-vuln/; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; classtype:attempted-user; sid:2008542; rev:8; metadata:created_at 2010_07_30, updated_at 2016_06_07;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 912 (msg:"ET SCADA RealWin SCADA System Buffer Overflow"; flow:established,to_server; content:"|64 12 54 6a|"; depth:4; content:"|00 00 00 f4 1f 00 00|"; distance:1; within:7; isdataat:220; content:!"|0a|"; distance:0; pcre:"/\x64\x12\x54\x6a[\x20\x10\x02]\x00\x00\x00\xf4\x1f\x00\x00/"; reference:url,www.exploit-db.com/exploits/15337/; classtype:attempted-dos; sid:2011976; rev:1; metadata:created_at 2010_11_24, updated_at 2010_11_24;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"ET SCADA DATAC RealWin SCADA Server Buffer Overflow"; flow:established,to_server; content:"|10 23 54 67 00 08 00 00|"; depth:8; content:"|e3 77 0a 00 05 00 04 00 00 00|"; distance:0; within:10; isdataat:744,relative; content:!"|0a|"; within:744; reference:url,www.securityfocus.com/bid/31418; reference:cve,2008-4322; reference:url,secunia.com/advisories/32055; classtype:attempted-user; sid:2012096; rev:1; metadata:created_at 2010_12_23, updated_at 2010_12_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SCADA ICONICS WebHMI ActiveX Stack Overflow"; flow:to_client,established; file_data; content:"D25FCAFC-F795-4609-89BB-5F78B4ACAF2C"; nocase; distance:0; content:"SetActiveXGUID"; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D25FCAFC-F795-4609-89BB-5F78B4ACAF2C/si"; reference:url,www.security-assessment.com/files/documents/advisory/ICONICS_WebHMI.pdf; reference:url,www.exploit-db.com/exploits/17240/; classtype:attempted-user; sid:2012787; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_05_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"ET SCADA DATAC RealWin SCADA Server 2 On_FC_CONNECT_FCS_a_FILE Buffer Overflow Vulnerability"; flow:established,to_server; content:"GetFlexMLangIResourceBrowser"; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,exploit-db.com/exploits/17417/; classtype:denial-of-service; sid:2013074; rev:2; metadata:created_at 2011_06_21, updated_at 2011_06_21;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7580 (msg:"ET SCADA Siemens FactoryLink 8 CSService Logging  Buffer Overflow Vulnerability"; flow:established,to_server; content:"CSService"; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,packetstormsecurity.org/files/view/102579/factorylink_csservice.rb.txt; classtype:denial-of-service; sid:2013120; rev:1; metadata:created_at 2011_06_27, updated_at 2011_06_27;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 4444 (msg:"ET SCADA Golden FTP Server PASS Command Remote Buffer Overflow Attempt"; flow:established,to_server; content:"PASS"; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:bugtraq,45957; classtype:denial-of-service; sid:2013235; rev:2; metadata:created_at 2011_07_08, updated_at 2011_07_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SCADA PcVue Activex Control Insecure method (AddPage)"; flow:to_client,established; file_data;  content:"083B40D3-CCBA-11D2-AFE0-00C04F7993D6"; nocase; distance:0; content:".AddPage"; nocase; content:"<OBJECT"; nocase; pcre:"/^[^>]*?classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*?083B40D3-CCBA-11D2-AFE0-00C04F7993D6/Rsi"; reference:url,exploit-db.com/exploits/17896; classtype:attempted-user; sid:2013730; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_10_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SCADA PcVue Activex Control Insecure method (DeletePage)"; flow:to_client,established; file_data; content:"083B40D3-CCBA-11D2-AFE0-00C04F7993D6"; nocase; distance:0; content:".DeletePage"; nocase; content:"<OBJECT"; pcre:"/^[^>]*?classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*083B40D3-CCBA-11D2-AFE0-00C04F7993D6/Rsi"; reference:url,exploit-db.com/exploits/17896; classtype:attempted-user; sid:2013731; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_10_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SCADA PcVue Activex Control Insecure method (SaveObject)"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"2BBD45A5-28AE-11D1-ACAC-0800170967D9"; nocase; distance:0; content:".SaveObject"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2BBD45A5-28AE-11D1-ACAC-0800170967D9/si"; reference:url,exploit-db.com/exploits/17896; classtype:attempted-user; sid:2013732; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_10_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SCADA PcVue Activex Control Insecure method (LoadObject)"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"2BBD45A5-28AE-11D1-ACAC-0800170967D9"; nocase; distance:0; content:".LoadObject"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2BBD45A5-28AE-11D1-ACAC-0800170967D9/si"; reference:url,exploit-db.com/exploits/17896; classtype:attempted-user; sid:2013733; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_10_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SCADA PcVue Activex Control Insecure method (GetExtendedColor)"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"2BBD45A5-28AE-11D1-ACAC-0800170967D9"; nocase; distance:0; content:".GetExtendedColor"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2BBD45A5-28AE-11D1-ACAC-0800170967D9/si"; reference:url,exploit-db.com/exploits/17896; classtype:attempted-user; sid:2013734; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_10_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SCADA Sunway ForceControl Activex Control Vulnerability"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"BD9E5104-2F20-4A9F-AB14-82D558FF374E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BD9E5104-2F20-4A9F-AB14-82D558FF374E/si"; reference:bugtraq,49747; classtype:attempted-user; sid:2013735; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_10_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SCADA Sunway ForceControl Activex Control Remote Code Execution Vulnerability 2"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"3310FA24-A027-47B3-8C49-1091077317E9"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3310FA24-A027-47B3-8C49-1091077317E9/si"; reference:bugtraq,49747; classtype:attempted-user; sid:2013736; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_10_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SCADA PROMOTIC ActiveX Control Insecure method (SaveCfg)"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"02000002-9DFA-4B37-ABE9-1929F4BCDEA2"; nocase; distance:0; content:".SaveCfg"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*02000002-9DFA-4B37-ABE9-1929F4BCDEA2/si"; reference:url,aluigi.altervista.org/adv/promotic_1-adv.txt; classtype:attempted-user; sid:2013878; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_11_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SCADA PROMOTIC ActiveX Control Insecure method (AddTrend)"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"02000002-9DFA-4B37-ABE9-1929F4BCDEA2"; nocase; distance:0; content:".AddTrend"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*02000002-9DFA-4B37-ABE9-1929F4BCDEA2/si"; reference:url,aluigi.altervista.org/adv/promotic_1-adv.txt; classtype:attempted-user; sid:2013879; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_11_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"ET SCAN Suspicious inbound to MSSQL port 1433"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/2010935; classtype:bad-unknown; sid:2010935; rev:3; metadata:created_at 2010_07_30, updated_at 2018_03_27;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 1521 (msg:"ET SCAN Suspicious inbound to Oracle SQL port 1521"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/2010936; classtype:bad-unknown; sid:2010936; rev:3; metadata:created_at 2010_07_30, updated_at 2018_03_27;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN Suspicious inbound to mySQL port 3306"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/2010937; classtype:bad-unknown; sid:2010937; rev:3; metadata:created_at 2010_07_30, updated_at 2018_03_27;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 4333 (msg:"ET SCAN Suspicious inbound to mSQL port 4333"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; metadata: former_category SCAN; reference:url,doc.emergingthreats.net/2010938; classtype:bad-unknown; sid:2010938; rev:3; metadata:created_at 2010_07_30, updated_at 2018_03_27;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 (msg:"ET SCAN Suspicious inbound to PostgreSQL port 5432"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/2010939; classtype:bad-unknown; sid:2010939; rev:3; metadata:created_at 2010_07_30, updated_at 2018_03_27;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET SCAN Unusually Fast 403 Error Messages, Possible Web Application Scan"; flow:from_server,established; content:"403"; http_stat_code; threshold: type threshold, track by_dst, count 35, seconds 60; reference:url,www.checkupdown.com/status/E403.html; reference:url,doc.emergingthreats.net/2009749; classtype:attempted-recon; sid:2009749; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Absinthe SQL Injection Tool HTTP Header Detected"; flow:established,to_server; content:"User-Agent|3A| Absinthe"; fast_pattern:only; http_header; nocase; reference:url,0x90.org/releases/absinthe; reference:url,doc.emergingthreats.net/2009555; classtype:attempted-recon; sid:2009555; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Acunetix Version 6 Crawl/Scan Detected"; flow:to_server,established; content:"/acunetix-wvs-test-for-some-inexistent-file"; http_uri; threshold: type threshold, track by_dst, count 2, seconds 5; reference:url,www.acunetix.com/; reference:url,doc.emergingthreats.net/2008571; classtype:attempted-recon; sid:2008571; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Acunetix Version 6 (Free Edition) Scan Detected"; flow:to_server,established; content:"(Acunetix Web Vulnerability Scanner"; fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.acunetix.com/; reference:url,doc.emergingthreats.net/2009646; classtype:attempted-recon; sid:2009646; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Amap TCP Service Scan Detected"; flow:to_server; flags:PA; content:"service|3A|thc|3A 2F 2F|"; depth:105; content:"service|3A|thc"; within:40; reference:url,freeworld.thc.org/thc-amap/; reference:url,doc.emergingthreats.net/2010371; classtype:attempted-recon; sid:2010371; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Amap UDP Service Scan Detected"; dsize:<135; content:"THCTHCTHCTHCTHC|20 20 20|"; fast_pattern:only; reference:url,freeworld.thc.org/thc-amap/; reference:url,doc.emergingthreats.net/2010372; classtype:attempted-recon; sid:2010372; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Watchfire AppScan Web App Vulnerability Scanner"; flow:established,to_server; content:"/appscan_fingerprint/mac_address"; fast_pattern:only; nocase; http_uri; reference:url,www.watchfire.com/products/appscan/default.aspx; reference:url,doc.emergingthreats.net/2008311; classtype:attempted-recon; sid:2008311; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Asp-Audit Web Scan Detected"; flow:to_server,established; content:"GET"; http_method; content:"STYLE=x|3a|e/**/xpression(alert('asp-audit'))>"; http_uri; reference:url,www.hacker-soft.net/Soft/Soft_2895.htm; reference:url,wiki.remote-exploit.org/backtrack/wiki/asp-audit; reference:url,doc.emergingthreats.net/2009479; classtype:attempted-recon; sid:2009479; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Automated Injection Tool User-Agent (AutoGetColumn)"; flow:established,to_server; content:"User-Agent|3a| AutoGetColumn"; fast_pattern:12,13; http_header; reference:url,doc.emergingthreats.net/2009154; classtype:attempted-recon; sid:2009154; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN bsqlbf Brute Force SQL Injection"; flow:established,to_server; content:"User-Agent|3a| bsqlbf"; fast_pattern:only; http_header; nocase; reference:url,code.google.com/p/bsqlbf-v2/; reference:url,doc.emergingthreats.net/2008362; classtype:web-application-activity; sid:2008362; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 3127 (msg:"ET SCAN Behavioral Unusual Port 3127 traffic, Potential Scan or Backdoor"; flags: S,12; threshold: type both, track by_src, count 10 , seconds 60; reference:url,doc.emergingthreats.net/2002973; classtype:misc-activity; sid:2002973; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET SCAN Cisco Torch TFTP Scan"; content:"|52 61 6E 64 30 6D 53 54 52 49 4E 47 00 6E 65 74 61 73 63 69 69|"; fast_pattern:only; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008414; classtype:attempted-recon; sid:2008414; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Cisco Torch IOS HTTP Scan"; flow:to_server,established; content:"User-Agent|3a| Cisco-torch"; http_header; fast_pattern:12,10; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008415; classtype:attempted-recon; sid:2008415; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Core-Project Scanning Bot UA Detected"; flow:established,to_server; content:"User-Agent|3a| core-project/1.0"; fast_pattern:12,11; http_header; classtype:web-application-activity; sid:2008529; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN crimscanner User-Agent detected"; flow:established,to_server; content:"GET"; http_method; nocase; content:"User-Agent|3a| crimscanner/"; http_header; nocase; reference:url,doc.emergingthreats.net/2010954; classtype:network-scan; sid:2010954; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN DEBUG Method Request with Command"; flow:established,to_server; content:"DEBUG "; depth:6; content:"|0d 0a|Command|3a| "; distance:0; reference:url,doc.emergingthreats.net/2008312; classtype:attempted-recon; sid:2008312; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Possible DavTest WebDav Vulnerability Scanner Initial Check Detected"; flow:established,to_server; content:"PROPFIND"; http_method; content:"D|3A|propfind xmlns|3A|D=|22|DAV|3A 22|><D|3A|allprop/></D|3A|propfind>"; fast_pattern:only; reference:url,www.darknet.org.uk/2010/04/davtest-webdav-vulerability-scanning-scanner-tool/; reference:url,code.google.com/p/davtest/; reference:url,doc.emergingthreats.net/2011088; classtype:attempted-recon; sid:2011088; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN DavTest WebDav Vulnerability Scanner Default User Agent Detected"; flow:established,to_server; content:"User-Agent|3a| DAV.pm/v"; http_header; reference:url,www.darknet.org.uk/2010/04/davtest-webdav-vulerability-scanning-scanner-tool/; reference:url,code.google.com/p/davtest/; reference:url,doc.emergingthreats.net/2011089; classtype:attempted-recon; sid:2011089; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ICMP Delphi Likely Precursor to Scan"; itype:8; icode:0; content:"Pinging from Delphi code written"; fast_pattern:only; metadata: former_category SCAN; reference:url,www.koders.com/delphi/fid942A4EAF946B244BD3CD9BC83FEAAC35BA1F38AB.aspx; reference:url,doc.emergingthreats.net/2010681; classtype:misc-activity; sid:2010681; rev:4; metadata:created_at 2010_07_30, updated_at 2017_05_11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN DirBuster Web App Scan in Progress"; flow:to_server,established; content:"User-Agent|3a| DirBuster"; fast_pattern:only; http_header; reference:url,owasp.org; reference:url,doc.emergingthreats.net/2008186; classtype:web-application-attack; sid:2008186; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $EXTERNAL_NET any -> $HOME_NET 4569 (msg:"ET SCAN Enumiax Inter-Asterisk Exchange Protocol Username Scan"; content:"|00 00|"; content:"|06 0D 06 01 30 13 02 07 08|"; distance:40; within:10;  reference:url,sourceforge.net/projects/enumiax/; reference:url,doc.emergingthreats.net/2008606; classtype:attempted-recon; sid:2008606; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET SCAN Potential FTP Brute-Force attempt response"; flow:from_server,established; dsize:<100; content:"530 "; depth:4; pcre:"/530\s+(Login|User|Failed|Not)/smi"; threshold: type threshold, track by_dst, count 5, seconds 300; reference:url,doc.emergingthreats.net/2002383; classtype:unsuccessful-user; sid:2002383; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET SCAN Multiple FTP Root Login Attempts from Single Source - Possible Brute Force Attempt"; flow:established,to_server; content:"USER "; nocase; depth:5; content:"root"; within:15; nocase; threshold: type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2010642; classtype:attempted-recon; sid:2010642; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET SCAN Multiple FTP Administrator Login Attempts from Single Source - Possible Brute Force Attempt"; flow:established,to_server; content:"USER "; nocase; depth:5; content:"administrator"; within:25; nocase; threshold: type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2010643; classtype:attempted-recon; sid:2010643; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Possible Fast-Track Tool Spidering User-Agent Detected"; flow:established,to_server; content:"User-Agent|3A| pymills-spider/"; fast_pattern:only; http_header; reference:url,www.offensive-security.com/metasploit-unleashed/Fast-Track-Modes; reference:url,doc.emergingthreats.net/2011721; classtype:attempted-recon; sid:2011721; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"ET SCAN Rapid POP3 Connections - Possible Brute Force Attack"; flags: S,12; threshold: type both, track by_src, count 30, seconds 120; reference:url,doc.emergingthreats.net/2002992; classtype:misc-activity; sid:2002992; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"ET SCAN Rapid POP3S Connections - Possible Brute Force Attack"; flags: S,12; threshold: type both, track by_src, count 30, seconds 120; reference:url,doc.emergingthreats.net/2002993; classtype:misc-activity; sid:2002993; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET SCAN Rapid IMAP Connections - Possible Brute Force Attack"; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; reference:url,doc.emergingthreats.net/2002994; classtype:misc-activity; sid:2002994; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack"; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; reference:url,doc.emergingthreats.net/2002995; classtype:misc-activity; sid:2002995; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Suspicious User-Agent - get-minimal - Possible Vuln Scan"; flow:established,to_server; content:"User-Agent|3a| get-minimal"; fast_pattern:only; http_header; reference:url,doc.emergingthreats.net/2003634; classtype:attempted-admin; sid:2003634; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Grabber.py Web Scan Detected"; flow:to_server,established; content:"User-Agent|3a| Grabber"; fast_pattern:only; http_header; reference:url,rgaucher.info/beta/grabber/; reference:url,doc.emergingthreats.net/2009483; classtype:attempted-recon; sid:2009483; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Grendel Web Scan - Default User Agent Detected"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0 (compatible|3b| Grendel-Scan"; fast_pattern:37,12; http_header; nocase; content:"http|3a|//www.grendel-scan.com"; http_header; nocase; threshold: type limit, track by_dst, count 1, seconds 60; reference:url,www.grendel-scan.com; reference:url,doc.emergingthreats.net/2009480; classtype:attempted-recon; sid:2009480; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Grendel-Scan Web Application Security Scan Detected"; flow:to_server,established; content:"GET"; http_method; content:"/random"; nocase; http_uri; fast_pattern:only; pcre:"/\x2Frandom\w+?\x2E(?:c(?:f[cm]|gi)|ht(?:ml?|r)|(?:ws|x)dl|a(?:sp|xd)|p(?:hp3|l)|bat|swf|vbs|do)/Ui"; threshold: type threshold, track by_dst, count 20, seconds 40; reference:url,www.grendel-scan.com; reference:url,doc.emergingthreats.net/2009481; classtype:attempted-recon; sid:2009481; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> any 21 (msg:"ET SCAN Grim's Ping ftp scanning tool"; flow:to_server,established; content:"PASS "; content:"gpuser@home.com"; within:18; reference:url,archives.neohapsis.com/archives/snort/2002-04/0448.html; reference:url,grimsping.cjb.net; reference:url,doc.emergingthreats.net/2007802; classtype:network-scan; sid:2007802; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN HZZP Scan in Progress calc in Headers"; flow:to_server,established; content:"GET"; http_method; content:"C|3a|/WINDOWS/system32/calc.exe"; fast_pattern:only; http_header; pcre:"/^.+\x3a\s(test.)?C\:\/WINDOWS\/system32\/calc\.exe(.test)?\r$/m"; reference:url,www.krakowlabs.com/dev.html; reference:url,doc.emergingthreats.net/2011028; classtype:attempted-recon; sid:2011028; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Hmap Webserver Fingerprint Scan"; flow:to_server,established; content:"GET"; nocase; http_method; content:"HTTP/1.0";  content:"User-Agent|3a| Mozilla"; content:"4.75 [en] (Windows NT 5.0"; http_header; reference:url,www.ujeni.murkyroc.com/hmap/; reference:url,doc.emergingthreats.net/2008537; classtype:attempted-recon; sid:2008537; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Httprecon Web Server Fingerprint Scan"; flow:to_server,established; content:"GET"; http_method; content:"/etc/passwd?format="; http_uri; content:"><script>alert('xss')"; http_uri; content:"traversal="; http_uri; reference:url,www.computec.ch/projekte/httprecon/; reference:url,doc.emergingthreats.net/2008627; classtype:attempted-recon; sid:2008627; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Httprint Web Server Fingerprint Scan"; flow:established,to_server; content:"GET"; http_method; content:"/antidisestablishmentarianism"; http_uri; reference:url,www.net-square.com/httprint/; reference:url,www.net-square.com/httprint/httprint_paper.html; reference:url,doc.emergingthreats.net/2008416; classtype:attempted-recon; sid:2008416; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN IBM NSA User Agent"; flow:established,to_server; content:"User-Agent|3a| "; http_header; nocase; content:"Network-Services-Auditor"; http_header; within:50; threshold: type limit, track by_src,count 1, seconds 60; reference:url,ftp.inf.utfsm.cl/pub/Docs/IBM/Tivoli/pdfs/sg246021.pdf; reference:url,doc.emergingthreats.net/2003171; classtype:attempted-recon; sid:2003171; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ICMP =XXXXXXXX Likely Precursor to Scan"; itype:8; icode:0; content:"=XXXXXXXX"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010686; classtype:network-scan; sid:2010686; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ICMP PING IPTools"; itype: 8; icode: 0; content:"|A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7|"; fast_pattern:only; reference:url,www.ks-soft.net/ip-tools.eng; reference:url,www.ks-soft.net/ip-tools.eng/index.htm; reference:url,doc.emergingthreats.net/2000575; classtype:misc-activity; sid:2000575; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP GET invalid method case"; flow:established,to_server; content:"get "; depth:4; nocase; content:!"GET "; depth:4; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011031; classtype:bad-unknown; sid:2011031; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP POST invalid method case"; flow:established,to_server; content:"post"; http_method; nocase; content:!"POST"; http_method; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011032; classtype:bad-unknown; sid:2011032; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP HEAD invalid method case"; flow:established,to_server; content:"head"; http_method; nocase; content:!"HEAD"; http_method; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011033; classtype:bad-unknown; sid:2011033; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP OPTIONS invalid method case"; flow:established,to_server; content:"options"; http_method; nocase; content:!"OPTIONS"; http_method; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011034; classtype:bad-unknown; sid:2011034; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"ET SCAN NNG MS02-039 Exploit False Positive Generator - May Conceal A Genuine Attack"; content:"nng Snort (Snort)"; offset:90; threshold:type threshold, track by_dst, count 4, seconds 15; reference:url,packetstormsecurity.nl/filedesc/nng-4.13r-public.rar.html; reference:url,doc.emergingthreats.net/2008560; classtype:misc-activity; sid:2008560; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any 502 (msg:"ET SCAN Modbus Scanning detected"; content:"|00 00 00 00 00 02|"; flow:established,to_server; depth:6; threshold: type both, track by_src, count 100, seconds 10; reference:url,code.google.com/p/modscan/; reference:url,www.rtaautomation.com/modbustcp/; reference:url,doc.emergingthreats.net/2009286; classtype:bad-unknown; sid:2009286; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET SCAN MYSQL 4.0 brute force root login attempt"; flow:to_server,established; content:"|01|"; offset:3; depth:4; content:"root|00|"; nocase; distance:5; within:5; threshold:type both,track by_src,count 5,seconds 60; reference:url,www.redferni.uklinux.net/mysql/MySQL-323.html; reference:url,doc.emergingthreats.net/2001906; classtype:protocol-command-decode; sid:2001906; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET SCAN MYSQL 4.1 brute force root login attempt"; flow:to_server,established; content:"|01|"; offset:3; depth:4; content:"root|00|"; nocase; distance:32; within:5; threshold:type both,track by_src,count 5,seconds 60; reference:url,www.redferni.uklinux.net/mysql/MySQL-Protocol.html; reference:url,doc.emergingthreats.net/2002842; classtype:protocol-command-decode; sid:2002842; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET 3306 -> any any (msg:"ET SCAN Non-Allowed Host Tried to Connect to MySQL Server"; flow:from_server,established; content:"|6A 04|Host|20 27|"; depth:70; content:"|27 20|is not allowed to connect to this MySQL server"; distance:0; reference:url,www.cyberciti.biz/tips/how-do-i-enable-remote-access-to-mysql-database-server.html; reference:url,doc.emergingthreats.net/2010493; classtype:attempted-recon; sid:2010493; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET 3306 -> $EXTERNAL_NET any (msg:"ET SCAN Multiple MySQL Login Failures Possible Brute Force Attempt"; flow:from_server,established; dsize:<251; byte_test:1,<,0xfb,0,little; content:"|ff 15 04 23 32 38 30 30 30|"; offset:4; threshold: type threshold, track by_src, count 5, seconds 120; metadata: former_category SCAN; reference:url,doc.emergingthreats.net/2010494; classtype:attempted-recon; sid:2010494; rev:5; metadata:created_at 2010_07_30, updated_at 2017_05_11;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Mini MySqlatOr SQL Injection Scanner"; flow:to_server,established; content:"User-Agent|3a| prog.CustomCrawler"; http_header; reference:url,www.scrt.ch/pages_en/minimysqlator.html; reference:url,doc.emergingthreats.net/2008729; classtype:attempted-recon; sid:2008729; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Default Mysqloit User Agent Detected - Mysql Injection Takover Tool"; flow:established,to_server; content:"User-Agent|3a| Mysqloit"; fast_pattern:only; http_header; reference:url,code.google.com/p/mysqloit/; classtype:attempted-recon; sid:2009882; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Possible Mysqloit Operating System Fingerprint/SQL Injection Test Scan Detected"; flow:established,to_server; content:"+UNION+select+'BENCHMARK(10000000,SHA1(1))"; http_uri; fast_pattern:only; reference:url,code.google.com/p/mysqloit/; reference:url,doc.emergingthreats.net/2009883; classtype:attempted-recon; sid:2009883; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 2048"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000537; classtype:attempted-recon; sid:2000537; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sO"; dsize:0; ip_proto:21; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000536; classtype:attempted-recon; sid:2000536; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 1024"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009582; classtype:attempted-recon; sid:2009582; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 3072"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:3072; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009583; classtype:attempted-recon; sid:2009583; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 4096"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:4096; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009584; classtype:attempted-recon; sid:2009584; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits:!D; dsize:0; flags:A,12; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000538; classtype:attempted-recon; sid:2000538; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (2)"; fragbits:!D; dsize:0; flags:A,12; window:3072; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000540; classtype:attempted-recon; sid:2000540; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -f -sF"; fragbits:!M; dsize:0; flags:F,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000543; classtype:attempted-recon; sid:2000543; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -f -sN"; fragbits:!M; dsize:0; flags:0,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000544; classtype:attempted-recon; sid:2000544; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -f -sV"; fragbits:!M; dsize:0; flags:S,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000545; classtype:attempted-recon; sid:2000545; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -f -sX"; fragbits:!M; dsize:0; flags:FPU,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000546; classtype:attempted-recon; sid:2000546; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap NSE)"; flow:to_server,established; content:"User-Agent|3a| Nmap NSE"; http_header; reference:url,doc.emergingthreats.net/2009359; classtype:web-application-attack; sid:2009359; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0 (compatible|3b| Nmap Scripting Engine"; fast_pattern:38,20; http_header; nocase; reference:url,doc.emergingthreats.net/2009358; classtype:web-application-attack; sid:2009358; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Nessus User Agent"; flow: established,to_server; content:"User-Agent|3a|"; http_header; nocase; content:"Nessus"; http_header; fast_pattern; nocase; pcre:"/^User-Agent\:[^\n]+Nessus/Hmi"; threshold: type limit, track by_src,count 1, seconds 60; reference:url,www.nessus.org; reference:url,doc.emergingthreats.net/2002664; classtype:attempted-recon; sid:2002664; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Netsparker Default User-Agent"; flow:to_server,established; content:"User-Agent|3a| "; http_header; content:" Netsparker)|0d 0a|"; http_header; fast_pattern; within:200; threshold:type limit,track by_src,count 1,seconds 60; reference:url,www.mavitunasecurity.com/communityedition/; classtype:attempted-recon; sid:2011029; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Netsparker Scan in Progress"; flow:to_server,established; content:"/Netsparker-"; http_uri; threshold:type limit,track by_src,count 1,seconds 60; reference:url,www.mavitunasecurity.com/communityedition/; reference:url,doc.emergingthreats.net/2011030; classtype:attempted-recon; sid:2011030; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> any 445 (msg:"ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; metadata: former_category SCAN; reference:url,doc.emergingthreats.net/2001569; classtype:misc-activity; sid:2001569; rev:14; metadata:created_at 2010_07_30, updated_at 2017_05_11;)

alert tcp $HOME_NET any -> any 139 (msg:"ET SCAN Behavioral Unusual Port 139 traffic Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; metadata: former_category SCAN; reference:url,doc.emergingthreats.net/2001579; classtype:misc-activity; sid:2001579; rev:14; metadata:created_at 2010_07_30, updated_at 2017_05_11;)

alert tcp $HOME_NET any -> any 137 (msg:"ET SCAN Behavioral Unusual Port 137 traffic Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; metadata: former_category SCAN; reference:url,doc.emergingthreats.net/2001580; classtype:misc-activity; sid:2001580; rev:14; metadata:created_at 2010_07_30, updated_at 2017_05_11;)

alert tcp $HOME_NET any -> any 135 (msg:"ET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; metadata: former_category SCAN; reference:url,doc.emergingthreats.net/2001581; classtype:misc-activity; sid:2001581; rev:14; metadata:created_at 2010_07_30, updated_at 2017_05_11;)

alert tcp $HOME_NET any -> any 1434 (msg:"ET SCAN Behavioral Unusual Port 1434 traffic Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 40 , seconds 60; metadata: former_category SCAN; reference:url,doc.emergingthreats.net/2001582; classtype:misc-activity; sid:2001582; rev:14; metadata:created_at 2010_07_30, updated_at 2017_05_11;)

alert tcp $HOME_NET any -> any 1433 (msg:"ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 40 , seconds 60; metadata: former_category SCAN; reference:url,doc.emergingthreats.net/2001583; classtype:misc-activity; sid:2001583; rev:15; metadata:created_at 2010_07_30, updated_at 2017_05_11;)

#alert udp $HOME_NET 137 -> $EXTERNAL_NET any (msg:"ET SCAN Multiple NBTStat Query Responses to External Destination, Possible Automated Windows Network Enumeration"; content:"|20 43 4b 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21|"; depth:55; fast_pattern; threshold: type threshold, track by_dst, count 10, seconds 60; reference:url,technet.microsoft.com/en-us/library/cc940106.aspx; reference:url,doc.emergingthreats.net/2009767; classtype:attempted-recon; sid:2009767; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 137 -> $EXTERNAL_NET any (msg:"ET SCAN NBTStat Query Response to External Destination, Possible Windows Network Enumeration"; content:"|20 43 4b 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21|"; depth:55; reference:url,technet.microsoft.com/en-us/library/cc940106.aspx; reference:url,doc.emergingthreats.net/2009768; classtype:attempted-recon; sid:2009768; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,1024:2048] (msg:"ET SCAN DCERPC rpcmgmt ifids Unauthenticated BIND"; flow:established,to_server; content:"|05|"; content:"|80 bd a8 af 8a 7d c9 11 be f4 08 00 2b 10 29 89|"; distance:31; reference:url,www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.pdf; reference:url,www.blackhat.com/presentations/win-usa-04/bh-win-04-seki-up2.pdf; reference:url,seclists.org/fulldisclosure/2003/Aug/0432.html; reference:url,doc.emergingthreats.net/2009832; classtype:attempted-recon; sid:2009832; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Nikto Web App Scan in Progress"; flow:to_server,established; content:"(Nikto"; fast_pattern:only; http_header; pcre:"/^User-Agent\x3a[^\r\n]*?\(Nikto/Hmi"; threshold: type both, count 5, seconds 60, track by_src; reference:url,www.cirt.net/code/nikto.shtml; reference:url,doc.emergingthreats.net/2002677; classtype:web-application-attack; sid:2002677; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET SCAN PRO Search Crawler Probe"; flow:to_server,established; content:"PASS "; nocase; depth:5; content:"crawler"; nocase; within:30; pcre:"/^PASS\s+PRO(-|\s)*search\s+Crawler/smi"; reference:url,sourceforge.net/project/showfiles.php?group_id=149797; reference:url,doc.emergingthreats.net/2008179; classtype:not-suspicious; sid:2008179; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN pangolin SQL injection tool"; flow:established,to_server; content:"User-Agent|3a| pangolin"; fast_pattern:only; http_header; reference:url,www.lifedork.net/pangolin-best-sql-injection-tool.html; classtype:web-application-activity; sid:2010343; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Paros Proxy Scanner Detected"; flow:to_server,established; content:"Paros/"; http_header; fast_pattern; pcre:"/^User-Agent\x3a[^\n]+Paros\//H"; reference:url,www.parosproxy.org; reference:url,doc.emergingthreats.net/2008187; classtype:attempted-recon; sid:2008187; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Pavuk User Agent Detected - Website Mirroring Tool for Off-line Analysis"; flow:established,to_server; content:"User-Agent|3a| pavuk"; http_header; nocase; reference:url,pavuk.sourceforge.net/about.html; reference:url,doc.emergingthreats.net/2009827; classtype:attempted-recon; sid:2009827; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN ProxyReconBot CONNECT method to Mail"; flow:established,to_server; content:"CONNECT "; depth:8; content:"|3A|25 HTTP/"; within:200; metadata: former_category SCAN; reference:url,doc.emergingthreats.net/2003869; classtype:misc-attack; sid:2003869; rev:10; metadata:created_at 2010_07_30, updated_at 2017_04_21;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN ProxyReconBot POST method to Mail"; flow:established,to_server; content:"POST"; http_method; content:"|3A|25 HTTP/"; fast_pattern; depth:200;  metadata: former_category SCAN; reference:url,doc.emergingthreats.net/2003870; classtype:misc-attack; sid:2003870; rev:8; metadata:created_at 2010_07_30, updated_at 2017_04_21;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN SQLBrute SQL Scan Detected"; flow:to_server,established; content:"AND not exists (select * from master..sysdatabases)"; offset:60; depth:60; reference:url,www.justinclarke.com/archives/2006/03/sqlbrute.html; reference:url,www.darknet.org.uk/2007/06/sqlbrute-sql-injection-brute-force-tool/; reference:url,doc.emergingthreats.net/2009477; classtype:attempted-recon; sid:2009477; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN SQLNinja MSSQL Version Scan"; flow:to_server,established; content:"?param=a"; content:"if%20not%28substring%28%28select%20%40%40version"; fast_pattern:only; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009038; classtype:attempted-recon; sid:2009038; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN SQLNinja MSSQL XPCmdShell Scan"; flow:to_server,established; content:"?param=a"; content:"exec%20master%2E%2Exp%5Fcmdshell"; fast_pattern:only; reference:url,sqlninja.sourceforge.net/index.html; classtype:attempted-recon; sid:2009039; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN SQLNinja MSSQL User Scan"; content:"?param=a"; flow:to_server,established; content:"if%20ascii%28substring%28%28select%20system%5Fuser"; fast_pattern:only; threshold: type threshold, track by_src, count 20, seconds 10; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009040; classtype:attempted-recon; sid:2009040; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN SQLNinja MSSQL Database User Rights Scan"; flow:to_server,established; content:"?param=a"; content:"if%20is%5Fsrvrolemember%28%27sysadmin"; fast_pattern:only; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009041; classtype:attempted-recon; sid:2009041; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN SQLNinja MSSQL Authentication Mode Scan"; flow:to_server,established; content:"?param=a"; content:"if%20not%28%28select%20serverproperty%28%27IsIntegratedSecurityOnly"; fast_pattern:only; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009042; classtype:attempted-recon; sid:2009042; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN SQLNinja Attempt To Recreate xp_cmdshell Using sp_configure"; flow:to_server,established; content:"?param=a"; content:"exec%20master%2E%2Esp%5Fconfigure%20%27show%20advanced%20options"; fast_pattern:only; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009043; classtype:attempted-admin; sid:2009043; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN SQLNinja Attempt To Create xp_cmdshell Session"; flow:to_server,established; content:"?param=a"; content:"exec%20master%2E%2Exp%5Fcmdshell%20%27cmd%20%2FC%20%25TEMP"; fast_pattern:only; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009044; classtype:attempted-admin; sid:2009044; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN SQL Injection Attempt (Agent uil2pn)"; flow:to_server,established; content:"User-Agent|3a| uil2pn|0d 0a|"; fast_pattern:only; http_header; reference:url,www.prevx.com/filenames/89385984947861762-X1/UIL2PN.EXE.html; reference:url,doc.emergingthreats.net/2010215; classtype:web-application-attack; sid:2010215; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN SQL Power Injector SQL Injection User Agent Detected"; flow:to_server,established; content:"User-Agent|3a| SQL Power Injector"; fast_pattern:only; http_header; content:"Security tool (Make sure it is used with the administrator consent)"; reference:url,www.sqlpowerinjector.com/index.htm; reference:url,en.wikipedia.org/wiki/Sql_injection; reference:url,doc.emergingthreats.net/2009769; classtype:attempted-recon; sid:2009769; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN SQLix SQL Injection Vector Scan"; flow:established,to_server; content:"GET"; http_method; content:"myVAR=1234"; http_header; fast_pattern; content:"Windows 98"; distance:36; within:120; http_header; reference:url,www.owasp.org/index.php/Category%3aOWASP_SQLiX_Project; reference:url,doc.emergingthreats.net/2008654; classtype:attempted-recon; sid:2008654; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Sqlmap SQL Injection Scan"; flow:to_server,established; content:"User-Agent|3a| sqlmap"; fast_pattern:only; http_header; detection_filter:track by_dst, count 4, seconds 20; reference:url,sqlmap.sourceforge.net; reference:url,doc.emergingthreats.net/2008538; classtype:attempted-recon; sid:2008538; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flags:S,12; threshold: type both, track by_src, count 5, seconds 120; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2001219; classtype:attempted-recon; sid:2001219; rev:19; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"ET SCAN Potential SSH Scan OUTBOUND"; flags:S,12; threshold: type threshold, track by_src, count 5, seconds 120; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2003068; classtype:attempted-recon; sid:2003068; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack"; flow:established,to_server; content:"SSH-"; content:"libssh"; within:20; threshold: type both, count 5, seconds 30, track by_src; reference:url,doc.emergingthreats.net/2006546; classtype:attempted-admin; sid:2006546; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"ET SCAN Possible SSL Brute Force attack or Site Crawl"; flow: established; flags: S; threshold: type threshold, track by_src, count 100, seconds 60; reference:url,doc.emergingthreats.net/2001553; classtype:attempted-dos; sid:2001553; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipp SIP Stress Test Detected"; content:"sip|3a|sipp@"; content:"Subject|3a| Performance Test"; offset:90; depth:90; threshold: type threshold, track by_dst, count 20, seconds 15; reference:url,sourceforge.net/projects/sipp/; reference:url,doc.emergingthreats.net/2008579; classtype:attempted-recon; sid:2008579; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipsak SIP scan"; content:"sip|3a|sipsak@"; offset:90; reference:url,sipsak.org/; reference:url,doc.emergingthreats.net/2008598; classtype:attempted-recon; sid:2008598; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipvicious Scan"; content:"From|3A 20 22|sipvicious"; threshold: type limit, count 1, seconds 10, track by_src; reference:url,blog.sipvicious.org; reference:url,doc.emergingthreats.net/2008578; classtype:attempted-recon; sid:2008578; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipvicious User-Agent Detected (friendly-scanner)"; content:"|0d 0a|User-Agent|3A| friendly-scanner"; fast_pattern:only; threshold: type limit, track by_src, count 5, seconds 120; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,doc.emergingthreats.net/2011716; classtype:attempted-recon; sid:2011716; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Modified Sipvicious User-Agent Detected (sundayddr)"; content:"|0d 0a|User-Agent|3A| sundayddr"; fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src; reference:url,honeynet.org.au/?q=sunday_scanner; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,doc.emergingthreats.net/2011766; classtype:attempted-recon; sid:2011766; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sivus VOIP Vulnerability Scanner SIP Scan"; content:"SIVuS_VoIP_Scanner <sip|3a|SIVuS"; offset:130; threshold:type threshold, track by_src, count 3, seconds 10; reference:url,www.security-database.com/toolswatch/SiVus-VoIP-Security-Scanner-1-09.html; reference:url,www.vopsecurity.org/; reference:url,doc.emergingthreats.net/2008609; classtype:attempted-recon; sid:2008609; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sivus VOIP Vulnerability Scanner SIP Components Scan"; content:"sip|3a|sivus-discovery@vopsecurity.org"; offset:110; fast_pattern; reference:url,www.security-database.com/toolswatch/SiVus-VoIP-Security-Scanner-1-09.html; reference:url,www.vopsecurity.org/; reference:url,doc.emergingthreats.net/2008610; classtype:attempted-recon; sid:2008610; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Skipfish Web Application Scan Detected"; flow:established,to_server; content:"User-Agent|3A| Mozilla/5.0 SF"; http_header; fast_pattern:6,20; threshold:type limit, count 10, seconds 60, track by_src; reference:url,isc.sans.org/diary.html?storyid=8467; reference:url,code.google.com/p/skipfish/; reference:url,doc.emergingthreats.net/2010953; classtype:attempted-recon; sid:2010953; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Skipfish Web Application Scan Detected (2)"; flow:established,to_server; content:"GET"; http_method; content:".old"; http_uri; content:"User-Agent|3A| Mozilla/5.0 SF/"; http_header;  fast_pattern:only; content:"Range|3A| bytes=0-199999"; http_header; reference:url,isc.sans.org/diary.html?storyid=8467; reference:url,code.google.com/p/skipfish/; reference:url,doc.emergingthreats.net/2010956; classtype:attempted-recon; sid:2010956; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Springenwerk XSS Scanner User-Agent Detected"; flow:to_server,established; content:"User-Agent|3a| Springenwerk"; http_header; nocase; threshold: type limit, count 1, seconds 60, track by_src; reference:url,springenwerk.org/; reference:url,doc.emergingthreats.net/2010508; classtype:attempted-recon; sid:2010508; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Stompy Web Application Session Scan"; flow:to_server,established; content:"Session Stomper"; offset:100; depth:25; reference:url,www.darknet.org.uk/2007/03/stompy-the-web-application-session-analyzer-tool/; reference:url,doc.emergingthreats.net/2008605; classtype:attempted-recon; sid:2008605; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Suspicious User-Agent inbound (bot)"; flow:to_server,established; content:"User-Agent|3a| bot/"; fast_pattern:only; http_header; nocase; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2008228; classtype:trojan-activity; sid:2008228; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET SCAN Behavioral Unusually fast inbound Telnet Connections, Potential Scan or Brute Force"; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; reference:url,www.rapid7.com/nexpose-faq-answer2.htm; reference:url,doc.emergingthreats.net/2001904; classtype:misc-activity; sid:2001904; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"ET SCAN Behavioral Unusually fast outbound Telnet Connections, Potential Scan or Brute Force"; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; reference:url,www.rapid7.com/nexpose-faq-answer2.htm; reference:url,doc.emergingthreats.net/2008230; classtype:misc-activity; sid:2008230; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Inbound)"; flags: S,12; threshold: type both, track by_src, count 20, seconds 360; metadata: former_category SCAN; reference:url,doc.emergingthreats.net/2001972; classtype:network-scan; sid:2001972; rev:19; metadata:created_at 2010_07_30, updated_at 2017_05_11;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Toata Scanner User-Agent Detected"; flow:to_server,established; content:"User-Agent|3a| Toata dragostea"; http_header; threshold: type limit, count 1, seconds 60, track by_src; reference:url,isc.sans.org/diary.html?storyid=5599; reference:url,doc.emergingthreats.net/2009159; classtype:attempted-recon; sid:2009159; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"ET SCAN Tomcat Auth Brute Force attempt (admin)"; flow:to_server,established; content:"Authorization|3a| Basic YWRtaW46"; fast_pattern:15,14; http_header; threshold: type threshold, track by_src, count 5, seconds 30; reference:url,doc.emergingthreats.net/2008453; classtype:web-application-attack; sid:2008453; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"ET SCAN Tomcat Auth Brute Force attempt (tomcat)"; flow:to_server,established; content:"Authorization|3a| Basic dG9tY2F0"; fast_pattern:15,14; http_header; threshold: type threshold, track by_src, count 5, seconds 30; reference:url,doc.emergingthreats.net/2008454; classtype:web-application-attack; sid:2008454; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"ET SCAN Tomcat Auth Brute Force attempt (manager)"; flow:to_server,established; content:"Authorization|3a| Basic bWFuYWdlcjp"; fast_pattern:15,17; http_header; threshold: type threshold, track by_src, count 5, seconds 30; reference:url,doc.emergingthreats.net/2008455; classtype:web-application-attack; sid:2008455; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Tomcat admin-admin login credentials"; flow:to_server,established; content:"/manager/html"; fast_pattern:only; nocase; http_uri; content:"Authorization|3a| Basic YWRtaW46YWRtaW4="; http_header; flowbits:set,ET.Tomcat.login.attempt; reference:url,tomcat.apache.org; reference:url,doc.emergingthreats.net/2009217; classtype:attempted-admin; sid:2009217; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Tomcat admin-blank login credentials"; flow:to_server,established; content:"/manager/html"; fast_pattern:only; nocase; http_uri; content:"Authorization|3a| Basic YWRtaW46"; http_header; flowbits:set,ET.Tomcat.login.attempt; reference:url,tomcat.apache.org; reference:url,doc.emergingthreats.net/2009218; classtype:attempted-admin; sid:2009218; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Tomcat upload from external source"; flow:to_server,established; flowbits:isset,ET.Tomcat.login.attempt; content:"POST"; http_method; nocase; content:"/manager/html/upload"; nocase; http_uri; reference:url,tomcat.apache.org; reference:url,doc.emergingthreats.net/2009220; classtype:successful-admin; sid:2009220; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Tomcat Web Application Manager scanning"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/manager/html"; nocase; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"Authorization|3a| Basic"; http_header; reference:url,doc.emergingthreats.net/2010019; classtype:attempted-recon; sid:2010019; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Suspicious User-Agent Containing SQL Inject/ion Likely SQL Injection Scanner"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"SQL"; http_header; nocase; content:"Inject"; http_header; fast_pattern:only; nocase; pcre:"/^User-Agent\x3A[^\n]+sql[^\n]+inject/Hmi"; metadata: former_category SCAN; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,doc.emergingthreats.net/2010087; classtype:attempted-recon; sid:2010087; rev:10; metadata:affected_product Web_Server_Applications, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, deployment Datacenter, tag SQL_Injection, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_05_11;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Suspicious User-Agent Containing Web Scan/er Likely Web Scanner"; flow:established,to_server; content:"User|2D|Agent|3A|"; http_header; content:"web"; http_header; nocase; content:"scan"; http_header; fast_pattern:only; nocase; pcre:"/^User-Agent\x3A[^\n]+web[^\n]+scan/Hmi"; metadata: former_category SCAN; reference:url,doc.emergingthreats.net/2010088; classtype:attempted-recon; sid:2010088; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_05_11;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Suspicious User-Agent Containing Security Scan/ner Likely Scan"; flow:established,to_server; content:"User|2D|Agent|3A|"; http_header; content:"security"; http_header; nocase; content:"scan"; http_header; fast_pattern:only; nocase; pcre:"/^User-Agent\x3A[^\n]+security[^\n]+scan/Hmi"; metadata: former_category SCAN; reference:url,doc.emergingthreats.net/2010089; classtype:attempted-recon; sid:2010089; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_05_11;)

alert tcp $HOME_NET any -> $HOME_NET 2555 (msg:"ET SCAN Internal to Internal UPnP Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; content:"/upnp/"; nocase; pcre:"/\/upnp\/[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//i"; reference:url,www.upnp-hacks.org/upnp.html; reference:url,doc.emergingthreats.net/2008092; classtype:attempted-recon; sid:2008092; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 2555 (msg:"ET SCAN External to Internal UPnP Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; content:"/upnp/"; nocase; pcre:"/\/upnp\/[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//i"; reference:url,www.upnp-hacks.org/upnp.html; reference:url,doc.emergingthreats.net/2008093; classtype:attempted-recon; sid:2008093; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET SCAN External to Internal UPnP Request udp port 1900"; content:"MSEARCH * HTTP/1.1"; depth:18; content:"MAN|3a| ssdp|3a|"; nocase; distance:0; reference:url,www.upnp-hacks.org/upnp.html; reference:url,doc.emergingthreats.net/2008094; classtype:attempted-recon; sid:2008094; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5820 (msg:"ET SCAN Potential VNC Scan 5800-5820"; flags:S,12; threshold: type both, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2002910; classtype:attempted-recon; sid:2002910; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 5900:5920 (msg:"ET SCAN Potential VNC Scan 5900-5920"; flags:S,12; threshold: type both, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2002911; classtype:attempted-recon; sid:2002911; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Smap VOIP Device Scan"; content:"<sip|3a|smap@"; offset:80; depth:40; reference:url,www.go2linux.org/smap-find-voip-enabled-devices; reference:url,doc.emergingthreats.net/2008526; classtype:attempted-recon; sid:2008526; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Voiper Toolkit Torturer Scan"; content:"interesting-Method"; content:"sip|3a|1_unusual.URI"; fast_pattern:only; content:"to-be!sure"; offset:20; depth:60; reference:url,sourceforge.net/projects/voiper; reference:url,doc.emergingthreats.net/2008568; classtype:attempted-recon; sid:2008568; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Voiper Fuzzing Scan"; content:"sip|3a|tester@"; fast_pattern:only; content:"Via|3a| SIP/2.0"; offset:20; depth:60; threshold: type threshold, track by_dst, count 5, seconds 15; reference:url,sourceforge.net/projects/voiper; reference:url,doc.emergingthreats.net/2008577; classtype:attempted-recon; sid:2008577; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN w3af User Agent"; flow: established,to_server;  content:"User-Agent|3a| w3af.sourceforge.net"; http_header; fast_pattern:only; reference:url,w3af.sourceforge.net; reference:url,doc.emergingthreats.net/2007757; classtype:attempted-recon; sid:2007757; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN w3af Scan In Progress ARGENTINA Req Method"; flow:to_server,established; content:"ARGENTINA "; depth:10; reference:url,w3af.sourceforge.net; reference:url,doc.emergingthreats.net/2011027; classtype:attempted-recon; sid:2011027; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN WSFuzzer Web Application Fuzzing"; flow:to_server,established; content:"/ServiceDefinition"; http_uri; fast_pattern; content:"User-Agent|3A| Python-urllib/"; http_header; reference:url,www.owasp.org/index.php/Category%3aOWASP_WSFuzzer_Project; reference:url,doc.emergingthreats.net/2008628; classtype:attempted-recon; sid:2008628; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Possible WafWoof Web Application Firewall Detection Scan"; flow:established,to_server; content:"GET"; http_method; content:"/<invalid>hello.html"; http_uri; reference:url,code.google.com/p/waffit/; reference:url,doc.emergingthreats.net/2011720; classtype:attempted-recon; sid:2011720; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Wapiti Web Server Vulnerability Scan"; flow:to_server,established; content:"GET"; http_method; content:"?http|3A|//www.google."; nocase; content:"User-Agent|3A 20|Python-httplib2"; http_header; reference:url,wapiti.sourceforge.net/; reference:url,doc.emergingthreats.net/2008417; classtype:attempted-recon; sid:2008417; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET SCAN Unusually Fast 400 Error Messages (Bad Request), Possible Web Application Scan"; flow:from_server,established; content:"400"; http_stat_code; threshold: type threshold, track by_dst, count 30, seconds 60; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec10.html; reference:url,support.microsoft.com/kb/247249; reference:url,doc.emergingthreats.net/2009884; classtype:attempted-recon; sid:2009884; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET SCAN Unusually Fast 404 Error Messages (Page Not Found), Possible Web Application Scan/Directory Guessing Attack"; flow:from_server,established; content:"404"; http_stat_code; threshold: type threshold, track by_dst, count 30, seconds 60; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec10.html; reference:url,en.wikipedia.org/wiki/HTTP_404; reference:url,doc.emergingthreats.net/2009885; classtype:attempted-recon; sid:2009885; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN WebHack Control Center User-Agent Inbound (WHCC/)"; flow:to_server,established; content:"WHCC"; http_header; fast_pattern:only; nocase; pcre:"/^User-Agent\x3a[^\n]+WHCC/Hmi"; reference:url,www.governmentsecurity.org/forum/index.php?showtopic=5112&pid=28561&mode=threaded&start=; reference:url,doc.emergingthreats.net/2003924; classtype:trojan-activity; sid:2003924; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Open-Proxy ScannerBot (webcollage-UA) "; flow:established,to_server; content:"User-Agent|3a| webcollage/1.135a"; fast_pattern:only; http_header; nocase; reference:url, stateofsecurity.com/?p=526; reference:url,www.botsvsbrowsers.com/details/214715/index.html; reference:url,doc.emergingthreats.net/2010768; classtype:bad-unknown; sid:2010768; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN WebShag Web Application Scan Detected"; flow:to_server,established; content:"User-Agent|3a| webshag"; fast_pattern:only; http_header; reference:url,www.scrt.ch/pages_en/outils.html; classtype:attempted-recon; sid:2009158; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN WhatWeb Web Application Fingerprint Scanner Default User-Agent Detected"; flow:established,to_server; content:"User-Agent|3A| WhatWeb/"; fast_pattern:only; http_header; reference:url,www.morningstarsecurity.com/research/whatweb; reference:url,doc.emergingthreats.net/2010960; classtype:attempted-recon; sid:2010960; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Wikto Scan"; flow:to_server,established; content:"GET"; http_method; content:"/.adSensePostNotThereNoNobook"; http_uri; reference:url,www.sensepost.com/research/wikto/WiktoDoc1-51.htm; reference:url,doc.emergingthreats.net/2008617; classtype:attempted-recon; sid:2008617; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Wikto Backend Data Miner Scan"; flow:to_server,established; content:"GET"; http_method; content:"/actSensePostNotThereNoNotive"; http_uri; reference:url,www.sensepost.com/research/wikto/WiktoDoc1-51.htm; reference:url,doc.emergingthreats.net/2008629; classtype:attempted-recon; sid:2008629; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN WITOOL SQL Injection Scan"; flow:to_server,established; content:"union+select"; http_raw_uri; content:"select+user"; http_raw_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.0|3b| MyIE2"; fast_pattern:48,20; http_header; threshold: type threshold, track by_dst, count 2, seconds 30; reference:url,witool.sourceforge.net/; reference:url,doc.emergingthreats.net/2009833; classtype:attempted-recon; sid:2009833; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Port Unreachable Response to Xprobe2 OS Fingerprint Scan"; itype:3; dsize:>69; content:"securityfocus"; content:"securityfocus"; distance:50; within:15; reference:url,xprobe.sourceforge.net/; reference:url,doc.emergingthreats.net/2009298; classtype:attempted-recon; sid:2009298; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN ZmEu exploit scanner"; flow:established,to_server; content:"User-Agent|3a| Made by ZmEu"; http_header; threshold: type limit, track by_src, seconds 180, count 1; metadata: former_category SCAN; reference:url,doc.emergingthreats.net/2010715; classtype:web-application-attack; sid:2010715; rev:7; metadata:created_at 2010_07_30, updated_at 2018_02_14;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ICMP @hello request Likely Precursor to Scan"; itype:8; icode:0; content:"@hello ???"; fast_pattern:only; metadata: former_category SCAN; reference:url,doc.emergingthreats.net/2010641; classtype:misc-activity; sid:2010641; rev:4; metadata:created_at 2010_07_30, updated_at 2017_05_11;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Possible jBroFuzz Fuzzer Detected"; flow:to_server,established; content:"Host|3a| localhost"; http_header; fast_pattern; content:"User-Agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 5.1|3b| en-GB|3b| rv|3b|1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"; http_header; threshold: type threshold, track by_src, count 3, seconds 6; reference:url,www.owasp.org/index.php/Category%3aOWASP_JBroFuzz; reference:url,doc.emergingthreats.net/2009476; classtype:attempted-recon; sid:2009476; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN SIP erase_registrations/add registrations attempt"; content:"REGISTER "; depth:9; content:"User-Agent|3a| Hacker"; reference:url,www.hackingvoip.com/sec_tools.html; reference:url,doc.emergingthreats.net/2008640; classtype:attempted-recon; sid:2008640; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN sipscan probe"; content:"sip|3a|thisisthecanary@"; content:"sip|3a|test@"; offset:30; depth:70; reference:url,www.hackingvoip.com/sec_tools.html; reference:url,doc.emergingthreats.net/2008641; classtype:attempted-recon; sid:2008641; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN PHP Attack Tool Morfeus F Scanner"; flow:established,to_server; content:"User-Agent|3a| Morfeus"; fast_pattern:only; nocase; http_header; metadata: former_category WEB_SERVER; reference:url,www.webmasterworld.com/search_engine_spiders/3227720.htm; reference:url,doc.emergingthreats.net/2003466; classtype:web-application-attack; sid:2003466; rev:13; metadata:created_at 2010_07_30, updated_at 2018_04_17;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Broadscan Smurf Scanner"; dsize:4; icmp_id:0; icmp_seq:0; itype:8; classtype:attempted-recon; sid:2100478; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN ISS Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; reference:arachnids,158; classtype:attempted-recon; sid:2100465; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Nemesis v1.1 Echo"; dsize:20; icmp_id:0; icmp_seq:0; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:arachnids,449; classtype:attempted-recon; sid:2100467; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN PING CyberKit 2.2 Windows"; itype:8; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|"; depth:32; reference:arachnids,154; classtype:misc-activity; sid:2100483; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN PING Delphi-Piette Windows"; itype:8; content:"Pinging from Del"; depth:32; reference:arachnids,155; classtype:misc-activity; sid:2100372; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN PING NMAP"; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; sid:2100469; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN PING Sniffer Pro/NetXRay network scan"; itype:8; content:"Cinco Network, Inc."; depth:32; classtype:misc-activity; sid:2100484; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN icmpenum v1.1.1"; dsize:0; icmp_id:666 ; icmp_seq:0; id:666; itype:8; reference:arachnids,450; classtype:attempted-recon; sid:2100471; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN superscan echo"; dsize:8; itype:8; content:"|00 00 00 00 00 00 00 00|"; classtype:attempted-recon; sid:2100474; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN webtrends scanner"; icode:0; itype:8; content:"|00 00 00 00|EEEEEEEEEEEE"; reference:arachnids,307; classtype:attempted-recon; sid:2100476; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN SolarWinds IP scan attempt"; icode:0; itype:8; content:"SolarWinds.Net"; nocase; classtype:network-scan; sid:2101918; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert ip any any -> any any (msg:"GPL SCAN same SRC/DST"; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:2100527; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert ip any any <> 127.0.0.0/8 any (msg:"GPL SCAN loopback traffic";  reference:url,rr.sans.org/firewall/egress.php; classtype:bad-unknown; sid:2100528; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"GPL SCAN myscan"; flow:stateless; ack:0; flags:S; ttl:>220; reference:arachnids,439; classtype:attempted-recon; sid:2100613; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"GPL SCAN NetGear router default password login attempt admin/password"; flow:to_server,established; content:"Authorization|3A|"; http_header; nocase; content:"YWRtaW46cGFzc3dvcmQ"; http_header; distance:0; pcre:"/^Authorization\x3a\s*Basic\s+YWRtaW46cGFzc3dvcmQ/smi"; reference:nessus,11737; classtype:default-login-attempt; sid:2102230; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL SCAN adm scan"; flow:to_server,established; content:"PASS ddd@|0A|"; reference:arachnids,332; classtype:suspicious-login; sid:2100353; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; fast_pattern:only; nocase; classtype:network-scan; sid:2101638; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SCAN ssh-research-scanner"; flow:to_server,established; content:"|00 00 00|`|00 00 00 00 00 00 00 00 01 00 00 00|"; fast_pattern:only; classtype:attempted-recon; sid:2100617; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger . query"; flow:to_server,established; content:"."; reference:arachnids,130; reference:cve,1999-0198; reference:nessus,10072; classtype:attempted-recon; sid:2100333; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger / execution attempt"; flow:to_server,established; content:"/"; pcre:"/^\x2f/smi"; reference:cve,1999-0612; reference:cve,2000-0915; classtype:attempted-recon; sid:2103151; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger 0 Query"; flow:to_server,established; content:"0"; reference:arachnids,131; reference:arachnids,378; reference:cve,1999-0197; reference:nessus,10069; classtype:attempted-recon; sid:2100332; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger Account Enumeration Attempt"; flow:to_server,established; content:"a b c d e f"; nocase; reference:nessus,10788; classtype:attempted-recon; sid:2100321; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN cybercop query"; flow:to_server,established; content:"|0A|     "; depth:10; reference:arachnids,132; reference:cve,1999-0612; classtype:attempted-recon; sid:2100331; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN cybercop redirection"; dsize:11; flow:to_server,established; content:"@localhost|0A|"; reference:arachnids,11; classtype:attempted-recon; sid:2100329; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger Null Request"; flow:to_server,established; content:"|00|"; reference:arachnids,377; classtype:attempted-recon; sid:2100324; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger Probe 0 Attempt"; flow:to_server,established; content:"0"; reference:arachnids,378; classtype:attempted-recon; sid:2100325; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger Redirection Attempt"; flow:to_server,established; content:"@"; reference:arachnids,251; reference:cve,1999-0105; reference:nessus,10073; classtype:attempted-recon; sid:2100330; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger Root Query"; flow:to_server,established; content:"root"; reference:arachnids,376; classtype:attempted-recon; sid:2100323; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger Search Query"; flow:to_server,established; content:"search"; reference:arachnids,375; reference:cve,1999-0259; classtype:attempted-recon; sid:2100322; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger Version Query"; flow:to_server,established; content:"version"; classtype:attempted-recon; sid:2101541; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"GPL SCAN cybercop os probe"; flow:stateless; dsize:0; flags:SF12; reference:arachnids,146; classtype:attempted-recon; sid:2100619; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN NULL"; flow:stateless; ack:0; flags:0; seq:0; reference:arachnids,4; classtype:attempted-recon; sid:2100623; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN SYN FIN"; flow:stateless; flags:SF,12; reference:arachnids,198; classtype:attempted-recon; sid:2100624; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN XMAS"; flow:stateless; flags:SRAFPU,12; reference:arachnids,144; classtype:attempted-recon; sid:2100625; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN cybercop os PA12 attempt"; flow:stateless; flags:PA12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,149; classtype:attempted-recon; sid:2100626; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN cybercop os SFU12 probe"; flow:stateless; ack:0; flags:SFU12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,150; classtype:attempted-recon; sid:2100627; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap TCP"; ack:0; flags:A,12; flow:stateless; reference:arachnids,28; classtype:attempted-recon; sid:2100628; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:2101228; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap fingerprint attempt"; flags:SFPU; flow:stateless; reference:arachnids,05; classtype:attempted-recon; sid:2100629; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN sensepost.exe command shell attempt"; flow:to_server,established; content:"/sensepost.exe"; http_uri; nocase; reference:nessus,11003; classtype:web-application-activity; sid:2100989; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN cybercop os probe"; flow:stateless; ack:0; flags:SFP; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,145; classtype:attempted-recon; sid:2101133; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN cybercop scan"; flow:to_server,established; content:"/cybercop"; http_uri; nocase; reference:arachnids,374; classtype:web-application-activity; sid:2101099; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN nessus 1.X 404 probe"; flow:to_server,established; content:"/nessus_is_probing_you_"; http_uri; reference:arachnids,301; classtype:web-application-attack; sid:2101102; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN nessus 2.x 404 probe"; flow:to_server,established; content:"/NessusTest"; http_uri; nocase; reference:nessus,10386; classtype:attempted-recon; sid:2102585; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN whisker HEAD/./"; flow:to_server,established; content:"HEAD/./"; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:2101139; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN rusers query UDP"; content:"|00 01 86 A2|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:cve,1999-0626; classtype:attempted-recon; sid:2100612; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Webtrends Scanner UDP Probe"; content:"|0A|help|0A|quite|0A|"; classtype:attempted-recon; sid:2100637; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Hydra User-Agent"; flow: established,to_server; content:"User-Agent|3A| Mozilla/4.0 (Hydra)"; nocase; http_header; fast_pattern:23,8; threshold: type limit, track by_src,count 1, seconds 60; reference:url,freeworld.thc.org/thc-hydra; classtype:attempted-recon; sid:2011497; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET SCAN w3af Scan Remote File Include Retrieval"; flow:established,to_server; content:"/w3af/remoteFileInclude.html"; http_uri; nocase; content:"Host|3A| w3af.sourceforge.net"; http_header; nocase; reference:url,w3af.sourceforge.net; classtype:web-application-activity; sid:2011389; rev:3; metadata:affected_product Any, attack_target Server, deployment Datacenter, tag Remote_File_Include, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET SCAN Nikto Scan Remote File Include Retrieval"; flow:established,to_server; content:"/rfiinc.txt"; http_uri; content:"Host|3A| cirt.net"; http_header; nocase; reference:url,cirt.net/nikto2; classtype:web-application-activity; sid:2011390; rev:2; metadata:affected_product Any, attack_target Server, deployment Datacenter, tag Remote_File_Include, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

#alert tcp any any -> any any (msg:"ET SCAN Malformed Packet SYN FIN"; flags:SF; classtype:bad-unknown; sid:2011367; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp any any -> any any (msg:"ET SCAN Malformed Packet SYN RST"; flags:SR; classtype:bad-unknown; sid:2011368; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Inspathx Path Disclosure Scanner User-Agent Detected"; flow:established,to_server; content:"User-Agent|3A| inspath [path disclosure finder"; http_header; threshold:type limit, count 1, seconds 30, track by_src; reference:url,code.google.com/p/inspathx/; reference:url,www.darknet.org.uk/2010/09/inspathx-tool-for-finding-path-disclosure-vulnerabilities/; classtype:attempted-recon; sid:2011808; rev:2; metadata:created_at 2010_10_12, updated_at 2010_10_12;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Inspathx Path Disclosure Scan"; flow:established,to_server; content:"GET"; http_method; content:"varhttp|3A|/"; http_uri; nocase; content:"wwwhttp|3A|/"; http_uri; nocase; content:"htmlhttp|3A|/"; http_uri; nocase; threshold:type limit, count 1, seconds 30, track by_src; reference:url,code.google.com/p/inspathx/; reference:url,www.darknet.org.uk/2010/09/inspathx-tool-for-finding-path-disclosure-vulnerabilities/; classtype:attempted-recon; sid:2011809; rev:4; metadata:created_at 2010_10_12, updated_at 2010_10_12;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Medusa User-Agent"; flow: established,to_server; content:"User-Agent|3A| Teh Forest Lobster"; fast_pattern:10,20; nocase; http_header; threshold: type limit, track by_src,count 1, seconds 60; reference:url,www.foofus.net/~jmk/medusa/medusa.html; classtype:attempted-recon; sid:2011887; rev:1; metadata:created_at 2010_10_31, updated_at 2010_10_31;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN DirBuster Scan in Progress"; flow:established,to_server; content:"/thereIsNoWayThat-You-CanBeThere"; nocase; http_uri; threshold: type limit, track by_src,count 1, seconds 60; reference:url,www.owasp.org/index.php/Category%3aOWASP_DirBuster_Project; classtype:attempted-recon; sid:2011914; rev:1; metadata:created_at 2010_11_09, updated_at 2010_11_09;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN DotDotPwn User-Agent"; flow:established,to_server; content:"User-Agent|3A| DotDotPwn"; nocase; http_header; threshold:type limit, track by_src,count 1, seconds 60; reference:url,dotdotpwn.sectester.net; classtype:attempted-recon; sid:2011915; rev:1; metadata:created_at 2010_11_09, updated_at 2010_11_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET SCAN Havij SQL Injection Tool User-Agent Outbound"; flow:established,to_server; content:"|29| Havij|0d 0a|Connection|3a| "; http_header; reference:url,itsecteam.com/en/projects/project1.htm; classtype:web-application-attack; sid:2011924; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_11_12, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Metasploit WMAP GET len 0 and type"; flow:established,to_server; content:"GET"; http_method; content:"|0d 0a|Content-Type|3A| text/plain|0d 0a|Content-Length|3A| 0|0d 0a|"; http_header; fast_pattern:25,20; threshold: type limit, track by_src,count 1,seconds 60; classtype:attempted-recon; sid:2011974; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_11_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN RatProxy in-use"; flow:established,to_server; content:"X-Ratproxy-Loop|3A| "; http_header; fast_pattern:only; threshold: type limit, track by_src,count 1, seconds 60; classtype:attempted-recon; sid:2011975; rev:1; metadata:created_at 2010_11_24, updated_at 2010_11_24;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Goatzapszu Header from unknown Scanning Tool"; flow:established,to_server; content:"Goatzapszu|3a|"; nocase; http_header; classtype:attempted-recon; sid:2012077; rev:2; metadata:created_at 2010_12_18, updated_at 2010_12_18;)

alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Modified Sipvicious Sundayddr Scanner (sipsscuser)"; content:"From|3A 20 22|sipsscuser|22|"; fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,honeynet.org.au/?q=sunday_scanner; classtype:attempted-recon; sid:2012204; rev:4; metadata:created_at 2011_01_20, updated_at 2011_01_20;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Havij SQL Injection Tool User-Agent Inbound"; flow:established,to_server; content:"|29| Havij|0d 0a|Connection|3a| "; http_header; reference:url,itsecteam.com/en/projects/project1.htm; classtype:web-application-attack; sid:2012606; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN OpenVAS User-Agent Inbound"; flow:established,to_server; content:"User-Agent|3A| "; http_header; content:"OpenVAS"; http_header; fast_pattern; within:100; reference:url,openvas.org; classtype:attempted-recon; sid:2012726; rev:4; metadata:created_at 2011_04_26, updated_at 2011_04_26;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Possible SQLMAP Scan"; flow:established,to_server; content:"UNION ALL SELECT NULL, NULL, NULL, NULL"; http_uri; content:"-- AND"; http_uri; detection_filter:track by_dst, count 4, seconds 20; reference:url,sqlmap.sourceforge.net; reference:url,www.darknet.org.uk/2011/04/sqlmap-0-9-released-automatic-blind-sql-injection-tool/; classtype:attempted-recon; sid:2012754; rev:1; metadata:created_at 2011_04_29, updated_at 2011_04_29;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Possible SQLMAP Scan"; flow:established,to_server; content:" AND "; http_uri; content:"AND ("; http_uri; pcre:"/\x20AND\x20[0-9]{6}\x3D[0-9]{4}/U"; detection_filter:track by_dst, count 4, seconds 20; reference:url,sqlmap.sourceforge.net; reference:url,www.darknet.org.uk/2011/04/sqlmap-0-9-released-automatic-blind-sql-injection-tool/; classtype:attempted-recon; sid:2012755; rev:3; metadata:created_at 2011_04_29, updated_at 2011_04_29;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN ZmEu Scanner User-Agent Inbound"; flow:established,to_server; content:"User-Agent|3a| ZmEu"; http_header; classtype:trojan-activity; sid:2012936; rev:1; metadata:created_at 2011_06_06, updated_at 2011_06_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Internal Dummy Connection User-Agent Inbound"; flow:established,to_server; content:"User-Agent|3a| "; http_header; content:"(internal dummy connection)"; http_header; within:100; classtype:trojan-activity; sid:2012937; rev:1; metadata:created_at 2011_06_06, updated_at 2011_06_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Potential muieblackcat scanner double-URI and HTTP library"; flow:established,to_server; content:"GET //"; depth:6; fast_pattern; content:"HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|Accept-Language|3a| en-us|0d 0a|Accept-Encoding|3a| gzip, deflate|0d 0a|Host|3a| "; http_header; content:"|0d 0a|Connection|3a| Close|0d 0a 0d 0a|"; http_header; distance:0; classtype:attempted-recon; sid:2013116; rev:5; metadata:created_at 2011_06_24, updated_at 2011_06_24;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN DominoHunter Security Scan in Progress"; flow:established,to_server; content:"User-Agent|3a| DominoHunter"; nocase; http_header; reference:url,packetstormsecurity.org/files/31653/DominoHunter-0.92.zip.html; classtype:web-application-attack; sid:2013171; rev:1; metadata:created_at 2011_07_02, updated_at 2011_07_02;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Vega Web Application Scan"; flow:established,to_server; content:"Vega/"; http_header; pcre:"/User-Agent\x3A[^\r\n]+Vega\x2F/H"; detection_filter:track by_src, count 5, seconds 40; reference:url,www.subgraph.com/products.html; reference:url,www.darknet.org.uk/2011/07/vega-open-source-cross-platform-web-application-security-assessment-platform/; classtype:attempted-recon; sid:2013249; rev:2; metadata:created_at 2011_07_11, updated_at 2011_07_11;)

alert tcp any any -> $HOME_NET 21 (msg:"ET SCAN Nessus FTP Scan detected (ftp_anonymous.nasl)"; flow:to_server,established; content:"pass nessus@"; fast_pattern:only; nocase; reference:url,www.nessus.org/plugins/index.php?view=single&id=10079; reference:url,osvdb.org/show/osvdb/69; classtype:attempted-recon; sid:2013263; rev:2; metadata:created_at 2011_07_13, updated_at 2011_07_13;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET SCAN Nessus FTP Scan detected (ftp_writeable_directories.nasl)"; flow:to_server,established; content:"MKD"; nocase; depth:3; content:"Nessus"; nocase; reference:url,www.nessus.org/plugins/index.php?view=single&id=19782; reference:url,osvdb.org/show/osvdb/76; classtype:attempted-recon; sid:2013264; rev:1; metadata:created_at 2011_07_13, updated_at 2011_07_13;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN libwww-perl GET to // with specific HTTP header ordering without libwww-perl User-Agent"; flow:established,to_server; content:"GET //"; fast_pattern; depth:6; content:"HTTP/1.1|0d 0a|TE|3a| deflate,gzip|3b|q=0.3|0d 0a|Connection|3a| TE, close|0d 0a|Host|3a| "; content:"User-Agent|3a| "; within:100; content:!"libwww-perl/"; http_header; pcre:"/^TE\x3a deflate,gzip\x3bq=0\.3\r\nHost\x3a[^\r\n]+\r\nUser-Agent\x3a[^\r\n]+\r\n$/H"; threshold:type threshold, track by_dst, count 10,seconds 20; classtype:attempted-recon; sid:2013416; rev:6; metadata:created_at 2011_08_16, updated_at 2011_08_16;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Kingcope KillApache.pl Apache mod_deflate DoS attempt"; flow:established,to_server; content:"Range|3a|bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14"; http_header; fast_pattern:only; reference:url,seclists.org/fulldisclosure/2011/Aug/175; classtype:attempted-dos; sid:2013472; rev:2; metadata:created_at 2011_08_26, updated_at 2011_08_26;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Apache mod_deflate DoS via many multiple byte Range values"; flow:established,to_server; content:"Range|3a|"; nocase; http_header; content:"bytes="; http_header; fast_pattern; nocase; distance:0; isdataat:10,relative; content:","; http_header; within:11; isdataat:10,relative; content:","; http_header; within:11; isdataat:10,relative; content:","; http_header; within:11; isdataat:70,relative; content:!"|0d 0a|"; within:12; http_header; pcre:"/Range\x3a\s?bytes=[-0-9,\x20]{100}/iH"; reference:url,seclists.org/fulldisclosure/2011/Aug/175; classtype:attempted-dos; sid:2013473; rev:3; metadata:created_at 2011_08_26, updated_at 2011_08_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 3389 (msg:"ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Outbound)"; flags: S,12; threshold: type both, track by_src, count 20, seconds 360; metadata: former_category SCAN; reference:url,threatpost.com/en_us/blogs/new-worm-morto-using-rdp-infect-windows-pcs-082811; classtype:misc-activity; sid:2013479; rev:4; metadata:created_at 2011_08_29, updated_at 2017_05_11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN McAfee/Foundstone Scanner Web Scan"; flow:established,to_server; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| Windows NT 6.1|3B| en-US)|0D 0A|"; http_header; fast_pattern:20,20; content:"|0D 0A|Accept-Encoding|3A| text|0D 0A|"; http_header; threshold: type both, count 2, seconds 120, track by_src; reference:url,www.mcafee.com/us/products/vulnerability-manager.aspx; classtype:attempted-recon; sid:2013492; rev:3; metadata:created_at 2011_08_30, updated_at 2011_08_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN NMAP SQL Spider Scan"; flow:established,to_server; content:"GET"; http_method; content:" OR sqlspider"; http_uri; reference:url,nmap.org/nsedoc/scripts/sql-injection.html; classtype:web-application-attack; sid:2013778; rev:1; metadata:created_at 2011_10_19, updated_at 2011_10_19;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Positive Technologies XSpider Security Scanner User-Agent (PTX)"; flow:to_server,established; content:"PTX|0d 0a|"; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\n]+PTX\r$/Hm"; reference:url,www.securitylab.ru/forum/forum16/topic26800/; classtype:attempted-recon; sid:2013779; rev:3; metadata:created_at 2011_10_19, updated_at 2011_10_19;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Apache mod_proxy Reverse Proxy Exposure 1"; flow:established,to_server; content:"GET @"; depth:5; content:"@"; http_uri; reference:url,www.contextis.com/research/blog/reverseproxybypass/; reference:url,mail-archives.apache.org/mod_mbox/httpd-announce/201110.mbox/%3C20111005141541.GA7696@redhat.com%3E; classtype:attempted-recon; sid:2013791; rev:2; metadata:created_at 2011_10_24, updated_at 2011_10_24;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Apache mod_proxy Reverse Proxy Exposure 2"; flow:established,to_server; content:"GET|20 3a|@"; depth:6; content:"|3a|@"; http_uri; reference:url,www.contextis.com/research/blog/reverseproxybypass/; reference:url,mail-archives.apache.org/mod_mbox/httpd-announce/201110.mbox/%3C20111005141541.GA7696@redhat.com%3E; classtype:attempted-recon; sid:2013792; rev:3; metadata:created_at 2011_10_24, updated_at 2011_10_24;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Gootkit Scanner User-Agent Inbound"; flow:established,to_server; content:"Gootkit auto-rooter scanner"; http_header; classtype:web-application-attack; sid:2014022; rev:1; metadata:created_at 2011_12_12, updated_at 2011_12_12;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN FHScan core User-Agent Detect"; flow:to_server,established; content:"FHScan Core 1."; http_header; reference:url,www.tarasco.org/security/FHScan_Fast_HTTP_Vulnerability_Scanner/index.html; classtype:attempted-recon; sid:2014541; rev:4; metadata:created_at 2012_04_12, updated_at 2012_04_12;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Arachni Scanner Web Scan"; flow:established,to_server; content:"Arachni/"; http_header; pcre:"/User-Agent\x3a[^\r\n]+Arachni\/v?\d\.\d\.\d$/iH"; threshold: type limit, track by_src, count 1, seconds 300; reference:url,arachni-scanner.com; reference:url,github.com/Zapotek/arachni; classtype:attempted-recon; sid:2014869; rev:4; metadata:created_at 2012_06_07, updated_at 2012_06_07;)

#alert tcp [184.154.42.194,50.116.22.209,69.64.43.135,69.64.43.137,69.64.43.142,216.17.107.104,216.17.102.194,216.17.106.90,216.17.107.174,64.6.100.124,46.17.98.214] any -> $HOME_NET any (msg:"ET SCAN critical.io Scan"; flags:S; threshold: type limit, track by_src, seconds 3600, count 1; reference:url,critical.io/; classtype:network-scan; sid:2014893; rev:4; metadata:created_at 2012_06_14, updated_at 2012_06_14;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN w3af User-Agent 2"; flow:established,to_server; content:"w3af.sf.net"; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+?w3af\.sf\.net/Hmi"; classtype:attempted-recon; sid:2015484; rev:1; metadata:created_at 2012_07_17, updated_at 2012_07_17;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN HTExploit Method"; flow:established,to_server; content:"POTATO "; depth:7; reference:url,www.mkit.com.ar/labs/htexploit/download.php; classtype:trojan-activity; sid:2015552; rev:1; metadata:created_at 2012_07_31, updated_at 2012_07_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET SCAN Brutus Scan Outbound"; flow:established,to_server; content:"Brutus/AET"; http_header; classtype:attempted-recon; sid:2015702; rev:1; metadata:created_at 2012_09_17, updated_at 2012_09_17;)

alert udp $EXTERNAL_NET any -> $HOME_NET [137,138,139,445] (msg:"ET SCAN Nessus Netbios Scanning"; content:"n|00|e|00|s|00|s|00|u|00|s"; fast_pattern:only; reference:url,www.tenable.com/products/nessus/nessus-product-overview; classtype:attempted-recon; sid:2015754; rev:2; metadata:created_at 2012_10_01, updated_at 2012_10_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN SFTP/FTP Password Exposure via sftp-config.json"; flow:to_server,established; content:"/sftp-config.json"; fast_pattern:only; http_uri; reference:url,blog.sucuri.net/2012/11/psa-sftpftp-password-exposure-via-sftp-config-json.html; classtype:attempted-recon; sid:2015940; rev:1; metadata:created_at 2012_11_26, updated_at 2012_11_26;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET SCAN MYSQL MySQL Remote FAST Account Password Cracking"; flow:to_server,established; content:"|11|"; offset:3; depth:4; threshold:type both,track by_src,count 100,seconds 1; reference:url,www.securityfocus.com/archive/1/524927/30/0/threaded; classtype:protocol-command-decode; sid:2015986; rev:5; metadata:created_at 2012_12_04, updated_at 2012_12_04;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN JCE Joomla Scanner"; flow:established,to_server; content:"User-Agent|3a| BOT/0.1 (BOT for JCE)"; http_header; classtype:web-application-attack; sid:2016032; rev:2; metadata:created_at 2012_12_13, updated_at 2012_12_13;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Simple Slowloris Flooder"; flow:established,to_server; content:"POST"; http_method; content:"Content-length|3A| 5235|0D 0A|"; http_header; content:!"User-Agent|3a|"; http_header; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.imperva.com/docs/HII_Denial_of_Service_Attacks-Trends_Techniques_and_Technologies.pdf; classtype:web-application-attack; sid:2016033; rev:3; metadata:created_at 2012_12_13, updated_at 2012_12_13;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN GET with HTML tag in start of URI seen with PHPMyAdmin scanning"; flow:established,to_server; content:"<title>"; http_uri; depth:7; content:"GET"; http_method; classtype:web-application-attack; sid:2016222; rev:1; metadata:created_at 2013_01_16, updated_at 2013_01_16;)

#alert tcp 188.95.234.6 any -> $HOME_NET [22,443] (msg:"ET SCAN Non-Malicious SSH/SSL Scanner on the run"; flags: S,12; threshold: type limit, track by_src, seconds 60, count 1; reference:url,pki.net.in.tum.de/node/21; reference:url,isc.sans.edu/diary/SSH%2bscans%2bfrom%2b188.95.234.6/15532; classtype:network-scan; sid:2016763; rev:7; metadata:created_at 2013_04_17, updated_at 2013_04_17;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Arachni Web Scan"; flow:established,to_server; content:"/Arachni-"; http_uri; threshold: type limit, track by_src, seconds 60, count 1; reference:url,www.arachni-scanner.com/; classtype:attempted-recon; sid:2017142; rev:1; metadata:created_at 2013_07_12, updated_at 2013_07_12;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN SipCLI VOIP Scan - TCP"; flow:established,to_server; content:"|0D 0A|User-Agent|3A 20|sipcli/"; fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.yasinkaplan.com/SipCli/; classtype:attempted-recon; sid:2017161; rev:1; metadata:created_at 2013_07_17, updated_at 2013_07_17;)

alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN SipCLI VOIP Scan"; content:"|0D 0A|User-Agent|3A 20|sipcli/"; fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.yasinkaplan.com/SipCli/; classtype:attempted-recon; sid:2017162; rev:2; metadata:created_at 2013_07_17, updated_at 2013_07_17;)

alert tcp $HOME_NET any -> any any (msg:"ET SCAN NETWORK Outgoing Masscan detected"; flow:established,to_server; content:"User-Agent|3A| masscan/"; http_header; reference:url,blog.erratasec.com/2013/10/that-dlink-bug-masscan.html; reference:url,blog.erratasec.com/2013/09/masscan-entire-internet-in-3-minutes.html; classtype:network-scan; sid:2017615; rev:2; metadata:created_at 2013_10_18, updated_at 2013_10_18;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN NETWORK Incoming Masscan detected"; flow:established,to_server; content:"User-Agent|3A| masscan/"; http_header; reference:url,blog.erratasec.com/2013/10/that-dlink-bug-masscan.html; reference:url,blog.erratasec.com/2013/09/masscan-entire-internet-in-3-minutes.html; classtype:network-scan; sid:2017616; rev:2; metadata:created_at 2013_10_18, updated_at 2013_10_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN FOCA uri"; flow:established,to_server; content:"GET"; http_method; content:"/*F0C4~1*/foca.aspx?aspxerrorpath=/"; http_uri; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; content:!"Connection|3a 20|"; http_header; reference:url,blog.bannasties.com/2013/08/vulnerability-scans/; classtype:attempted-recon; sid:2017950; rev:2; metadata:created_at 2014_01_09, updated_at 2014_01_09;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN NMAP SIP Version Detect OPTIONS Scan"; flow:established,to_server; content:"OPTIONS sip|3A|nm SIP/"; depth:19; classtype:attempted-recon; sid:2018317; rev:1; metadata:created_at 2014_03_25, updated_at 2014_03_25;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 5060:5061 (msg:"ET SCAN NMAP SIP Version Detection Script Activity"; content:"Via|3A| SIP/2.0/TCP nm"; content:"From|3A| <sip|3A|nm@nm"; within:150; fast_pattern; classtype:attempted-recon; sid:2018318; rev:1; metadata:created_at 2014_03_25, updated_at 2014_03_25;)

alert udp $EXTERNAL_NET 10000: -> $HOME_NET 10000: (msg:"ET SCAN NMAP OS Detection Probe"; dsize:300; content:"CCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; content:"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"; depth:255; content:"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"; within:45; classtype:attempted-recon; sid:2018489; rev:3; metadata:created_at 2014_05_20, updated_at 2014_05_20;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Possible WordPress xmlrpc.php wp.getUsersBlogs Flowbit Set"; flow:established,to_server; content:"/xmlrpc.php"; http_uri; nocase; fast_pattern:only; flowbits:set,ET.XMLRPC.PHP; flowbits:noalert; reference:url,isc.sans.edu/diary/+WordPress+brute+force+attack+via+wp.getUsersBlogs/18427; classtype:attempted-admin; sid:2018754; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2014_07_23, updated_at 2016_07_01;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET SCAN Possible WordPress xmlrpc.php BruteForce in Progress - Response"; flow:established,from_server; flowbits:isset,ET.XMLRPC.PHP; file_data; content:"<name>faultCode</name>"; content:"<int>403</int>"; content:"<string>Incorrect username or password.</string>"; threshold:type both, track by_src, count 5, seconds 120; reference:url,isc.sans.edu/diary/+WordPress+brute+force+attack+via+wp.getUsersBlogs/18427; classtype:attempted-admin; sid:2018755; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2014_07_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Internet Scanning Project HTTP scan"; flow:established,to_server; content:"User-Agent|3a 20|research-scanner/"; http_header; content:"internetscanningproject.org"; distance:0; http_header; reference:url,www.internetscanningproject.org; classtype:attempted-recon; sid:2018782; rev:1; metadata:created_at 2014_07_25, updated_at 2014_07_25;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Chroot-apache0day Unknown Web Scanner User Agent"; flow:established,to_server; content:"User-Agent|3A| chroot-apach0day"; nocase; http_header; fast_pattern:12,16; reference:url,isc.sans.edu/forums/diary/Interesting+HTTP+User+Agent+chroot-apach0day+/18453; classtype:attempted-recon; sid:2018800; rev:3; metadata:created_at 2014_07_29, updated_at 2014_07_29;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN SSH BruteForce Tool with fake PUTTY version"; flow:established,to_server; content:"SSH-2.0-PUTTY"; depth:13; threshold: type limit, track by_src, count 1, seconds 30; metadata: former_category SCAN; classtype:network-scan; sid:2019876; rev:2; metadata:created_at 2014_12_05, updated_at 2017_12_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Acunetix Accept HTTP Header detected scan in progress"; flow:established,to_server; content:"Accept|3a 20|acunetix"; http_header; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.acunetix.com/; classtype:attempted-recon; sid:2019963; rev:1; metadata:created_at 2014_12_17, updated_at 2014_12_17;)

alert tcp any any -> $HOME_NET 1720 (msg:"ET SCAN H.323 Scanning device"; flow:established,to_server; content:"|40 04 00 63 00 69 00 73 00 63 00 6f|"; fast_pattern; offset:55; depth:12; threshold: type limit, track by_src, count 1, seconds 60; reference:url,videonationsltd.co.uk/2014/11/h-323-cisco-spam-calls/; classtype:network-scan; sid:2020853; rev:2; metadata:created_at 2015_04_07, updated_at 2015_04_07;)

alert tcp any any -> $HOME_NET any (msg:"ET SCAN Nmap NSE Heartbleed Request"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; content:"|01|"; offset:5; depth:1; byte_test:2,>,2,3; byte_test:2,>,200,6; content:"|40 00|Nmap ssl-heartbleed"; fast_pattern:2,19; classtype:attempted-recon; sid:2021023; rev:1; metadata:created_at 2015_04_28, updated_at 2015_04_28;)

alert tcp $HOME_NET any -> any any (msg:"ET SCAN Nmap NSE Heartbleed Response"; flow:established,from_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,200,3; content:"|40 00|Nmap ssl-heartbleed"; fast_pattern:2,19; classtype:attempted-recon; sid:2021024; rev:1; metadata:created_at 2015_04_28, updated_at 2015_04_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET SCAN Xenu Link Sleuth Scanner Outbound"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent|3a 20|Xenu Link Sleuth"; http_header; fast_pattern:12,16; classtype:attempted-recon; sid:2021058; rev:1; metadata:created_at 2015_05_05, updated_at 2015_05_05;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN abdullkarem Wordpress PHP Scanner"; flow:established,to_server; content:"GET"; http_method; content:".php?"; nocase; http_uri; content:"&php"; nocase; http_uri; distance:0; content:"&wphp"; nocase; http_uri; distance:0; content:"&abdullkarem="; nocase; http_uri; fast_pattern; distance:0; content:"|20|HTTP/1.0|0d 0a|Host|3a 20|"; classtype:web-application-attack; sid:2021949; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2015_10_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Possible Scanning for Vulnerable JBoss"; flow:established,to_server; content:"POST"; http_method; content:"/invoker/"; http_uri; depth:9; content:"servlet/"; http_uri; content:"Content-Type|3a 20|application/x-java-serialized-object|3b 0d 0a|"; http_header; content:"org.jboss.invocation.MarshalledValue"; http_client_body; reference:url,blog.imperva.com/2015/12/zero-day-attack-strikes-again-java-zero-day-vulnerability-cve-2015-4852-tracked-by-imperva.html; classtype:web-application-attack; sid:2022240; rev:1; metadata:created_at 2015_12_08, updated_at 2015_12_08;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN COMMIX Command injection scan attempt"; flow:to_server,established; content:"|55 73 65 72 2d 41 67 65 6e 74 3a 20 63 6f 6d 6d 69 78|"; fast_pattern:only; http_header; threshold: type limit, count 1, seconds 60, track by_src; reference:url,github.com/stasinopoulos/commix/blob/master/README.md; classtype:web-application-activity; sid:2022243; rev:1; metadata:created_at 2015_12_11, updated_at 2015_12_11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"ET SCAN Redis SSH Key Overwrite Probing"; flow:to_server,established; content:"*"; depth:1; content:"config"; content:"set"; distance:0; content:"dir"; distance:0; content:"/.ssh"; distance:0; isdataat:!5,relative; reference:url,antirez.com/news/96; classtype:misc-attack; sid:2023510; rev:2; metadata:attack_target Client_Endpoint, deployment Datacenter, tag SCAN_Redis_SSH, signature_severity Minor, created_at 2016_07_07, performance_impact Low, updated_at 2016_11_15;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Acunetix scan in progress acunetix_wvs_security_test in http_uri"; flow:established,to_server; content:"acunetix_wvs_security_test"; http_uri; fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.acunetix.com/; classtype:web-application-attack; sid:2023687; rev:1; metadata:affected_product Any, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2016_12_28, performance_impact Low, updated_at 2016_12_28;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Acunetix scan in progress acunetix variable in http_uri"; flow:established,to_server; content:"|24|acunetix"; http_uri; fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.acunetix.com/; classtype:web-application-attack; sid:2023688; rev:1; metadata:affected_product Any, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2016_12_28, performance_impact Low, updated_at 2016_12_28;)

alert tcp $EXTERNAL_NET any -> $HOME_NET !3389 (msg:"ET SCAN MS Terminal Server Traffic on Non-standard Port"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; offset:5; depth:6; content:"Cookie|3a| mstshash="; fast_pattern; classtype:attempted-recon; sid:2023753; rev:2; metadata:affected_product Microsoft_Terminal_Server_RDP, attack_target Server, deployment Perimeter, signature_severity Major, created_at 2017_01_23, performance_impact Low, updated_at 2017_02_23;)

alert tcp $HOME_NET any -> any any (msg:"ET SCAN Possible Nmap User-Agent Observed"; flow:to_server,established; content:"User-Agent|3a|"; http_header; content:"|20|Nmap"; http_header; fast_pattern; distance:0; metadata: former_category SCAN; classtype:web-application-attack; sid:2024364; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, signature_severity Audit, created_at 2017_06_08, performance_impact Low, updated_at 2017_06_13;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN struts-pwn User-Agent"; flow:established,to_server; content:"User-Agent|3a 20|struts-pwn"; http_header; fast_pattern;metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Perimeter, signature_severity Critical; metadata: former_category SCAN; reference:url,github.com/mazen160/struts-pwn_CVE-2017-9805/blob/master/struts-pwn.py; reference:cve,2017-9805; reference:url,paladion.net/paladion-cyber-labs-discovers-a-new-ransomware/; classtype:attempted-user; sid:2024843; rev:1; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Datacenter, signature_severity Minor, created_at 2017_10_16, performance_impact Moderate, updated_at 2017_10_16;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN NYU Internet Census UA Inbound"; content:"User-Agent|3a 20|NYU Internet Census"; http_header; metadata: former_category SCAN; reference:url,scan.lol; classtype:network-scan; sid:2025461; rev:1; metadata:deployment Perimeter, deployment Datacenter, signature_severity Audit, created_at 2018_04_03, updated_at 2018_04_03;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HP Enterprise VAN SDN Controller"; flow:established,to_server; content:"/sdn/ui/app/rs/hpws/config"; http_uri; isdataat:!1,relative; content:"X-Auth-Token|3a| AuroraSdnToken"; http_header; fast_pattern; metadata: former_category SCAN; reference:url,exploit-db.com/exploits/44951/; classtype:attempted-recon; sid:2025760; rev:2; metadata:attack_target Networking_Equipment, deployment Datacenter, signature_severity Major, created_at 2018_06_28, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN ntop-ng Authentication Bypass via Session ID Guessing"; flow:established,to_server; content:"/lua/network_load.lua"; http_uri; content:"session="; http_cookie; content:"user="; http_cookie; threshold: type threshold, track by_dst, count 255, seconds 10; metadata: former_category SCAN; reference:cve,2018-12520; reference:url,exploit-db.com/exploits/44973/; classtype:attempted-recon; sid:2025780; rev:2; metadata:attack_target Server, deployment Datacenter, signature_severity Critical, created_at 2018_07_03, performance_impact Low, updated_at 2018_07_18;)

alert udp any any -> $HOME_NET 4070 (msg:"ET SCAN HID VertX and Edge door controllers discover"; dsize:<45; content:"discover|3b|013|3b|"; metadata: former_category SCAN; reference:url,exploit-db.com/exploits/44992/; classtype:attempted-recon; sid:2025822; rev:2; metadata:attack_target IoT, deployment Datacenter, created_at 2018_07_10, updated_at 2018_07_18;)

#alert tcp any any -> any any (msg:"ET SHELLCODE Bindshell2 Decoder Shellcode"; flow:established; content:"|53 53 53 53 53 43 53 43 53 FF D0 66 68|"; content:"|66 53 89 E1 95 68 A4 1A|"; distance:0; reference:url,doc.emergingthreats.net/2009246; classtype:shellcode-detect; sid:2009246; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp any any -> any any (msg:"ET SHELLCODE Bindshell2 Decoder Shellcode (UDP)"; content:"|53 53 53 53 53 43 53 43 53 FF D0 66 68|"; content:"|66 53 89 E1 95 68 A4 1A|"; distance:0; reference:url,doc.emergingthreats.net/2009285; classtype:shellcode-detect; sid:2009285; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> any any (msg:"ET SHELLCODE Rothenburg Shellcode"; flow:established; content:"|D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance:0; reference:url,doc.emergingthreats.net/2009247; classtype:shellcode-detect; sid:2009247; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp any any -> any any (msg:"ET SHELLCODE Rothenburg Shellcode (UDP)"; content:"|D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance:0; reference:url,doc.emergingthreats.net/2009284; classtype:shellcode-detect; sid:2009284; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any any (msg:"ET SHELLCODE Lindau (linkbot) xor Decoder Shellcode"; flow:established; content:"|EB 15 B9|"; content:"|81 F1|"; distance:0; content:"|80 74 31 FF|"; distance:0; content:"|E2 F9 EB 05 E8 E6 FF FF FF|"; reference:url,doc.emergingthreats.net/2009248; classtype:shellcode-detect; sid:2009248; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp any any -> any any (msg:"ET SHELLCODE Lindau (linkbot) xor Decoder Shellcode (UDP)"; content:"|EB 15 B9|"; content:"|81 F1|"; distance:0; content:"|80 74 31 FF|"; distance:0; content:"|E2 F9 EB 05 E8 E6 FF FF FF|"; reference:url,doc.emergingthreats.net/2009283; classtype:shellcode-detect; sid:2009283; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any any (msg:"ET SHELLCODE Adenau Shellcode"; flow:established; content:"|eb 19 5e 31 c9 81 e9|"; content:"|81 36|"; distance:0; content:"|81 ee fc ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009249; classtype:shellcode-detect; sid:2009249; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp any any -> any any (msg:"ET SHELLCODE Adenau Shellcode (UDP)"; content:"|eb 19 5e 31 c9 81 e9|"; content:"|81 36|"; distance:0; content:"|81 ee fc ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009282; classtype:shellcode-detect; sid:2009282; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any any (msg:"ET SHELLCODE Mainz/Bielefeld Shellcode"; flow:established; content:"|33 c9 66 b9|"; content:"|80 34|"; distance:0; content:"|eb 05 e8 eb ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009250; classtype:shellcode-detect; sid:2009250; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp any any -> any any (msg:"ET SHELLCODE Mainz/Bielefeld Shellcode (UDP)"; content:"|33 c9 66 b9|"; content:"|80 34|"; distance:0; content:"|eb 05 e8 eb ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009281; classtype:shellcode-detect; sid:2009281; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any any (msg:"ET SHELLCODE Wuerzburg Shellcode"; flow:established; content:"|eb 27|"; content:"|5d 33 c9 66 b9|"; distance:0; content:"|8d 75 05 8b fe 8a 06 3c|"; distance:0; content:"|75 05 46 8a 06|"; distance:0; content:"|88 07 47 e2 ed eb 0a e8 da ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009251; classtype:shellcode-detect; sid:2009251; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp any any -> any any (msg:"ET SHELLCODE Wuerzburg Shellcode (UDP)"; content:"|eb 27|"; content:"|5d 33 c9 66 b9|"; distance:0; content:"|8d 75 05 8b fe 8a 06 3c|"; distance:0; content:"|75 05 46 8a 06|"; distance:0; content:"|88 07 47 e2 ed eb 0a e8 da ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009280; classtype:shellcode-detect; sid:2009280; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any any (msg:"ET SHELLCODE Schauenburg Shellcode"; flow:established; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009252; classtype:shellcode-detect; sid:2009252; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp any any -> any any (msg:"ET SHELLCODE Schauenburg Shellcode (UDP)"; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009279; classtype:shellcode-detect; sid:2009279; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any any (msg:"ET SHELLCODE Koeln Shellcode"; flow:established; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009253; classtype:shellcode-detect; sid:2009253; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp any any -> any any (msg:"ET SHELLCODE Koeln Shellcode (UDP)"; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009278; classtype:shellcode-detect; sid:2009278; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any any (msg:"ET SHELLCODE Lichtenfels Shellcode"; flow:established; content:"|01 fc ff ff 83 e4 fc 8b ec 33 c9 66 b9|"; content:"|80 30|"; distance:0; content:"|40 e2 fA|"; distance:0; reference:url,doc.emergingthreats.net/2009254; classtype:shellcode-detect; sid:2009254; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp any any -> any any (msg:"ET SHELLCODE Lichtenfels Shellcode (UDP)"; content:"|01 fc ff ff 83 e4 fc 8b ec 33 c9 66 b9|"; content:"|80 30|"; distance:0; content:"|40 e2 fA|"; distance:0; reference:url,doc.emergingthreats.net/2009277; classtype:shellcode-detect; sid:2009277; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any any (msg:"ET SHELLCODE Mannheim Shellcode"; flow:established; content:"|80 73 0e|"; content:"|43 e2|"; distance:0; content:"|73 73 73|"; distance:0; content:"|81 86 8c 81|"; distance:0; reference:url,doc.emergingthreats.net/2009255; classtype:shellcode-detect; sid:2009255; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp any any -> any any (msg:"ET SHELLCODE Mannheim Shellcode (UDP)"; content:"|80 73 0e|"; content:"|43 e2|"; distance:0; content:"|73 73 73|"; distance:0; content:"|81 86 8c 81|"; distance:0; reference:url,doc.emergingthreats.net/2009276; classtype:shellcode-detect; sid:2009276; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any any (msg:"ET SHELLCODE Berlin Shellcode"; flow:established; content:"|31 c9 b1 fc 80 73 0c|"; content:"|43 e2 8b 9f|"; distance:0; reference:url,doc.emergingthreats.net/2009256; classtype:shellcode-detect; sid:2009256; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp any any -> any any (msg:"ET SHELLCODE Berlin Shellcode (UDP)"; content:"|31 c9 b1 fc 80 73 0c|"; content:"|43 e2 8b 9f|"; distance:0; reference:url,doc.emergingthreats.net/2009275; classtype:shellcode-detect; sid:2009275; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any any (msg:"ET SHELLCODE Leimbach Shellcode"; flow:established; content:"|5b 31 c9 b1|"; content:"|80 73|"; distance:0; content:"|43 e2|"; distance:0; reference:url,doc.emergingthreats.net/2009257; classtype:shellcode-detect; sid:2009257; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp any any -> any any (msg:"ET SHELLCODE Leimbach Shellcode (UDP)"; content:"|5b 31 c9 b1|"; content:"|80 73|"; distance:0; content:"|43 e2|"; distance:0; reference:url,doc.emergingthreats.net/2009274; classtype:shellcode-detect; sid:2009274; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any any (msg:"ET SHELLCODE Aachen Shellcode"; flow:established; content:"|8b 45 04 35|"; content:"|89 45 04 66 8b 45 02 66 35|"; distance:0; content:"|66 89 45 02|"; distance:0; reference:url,doc.emergingthreats.net/2009258; classtype:shellcode-detect; sid:2009258; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp any any -> any any (msg:"ET SHELLCODE Aachen Shellcode (UDP)"; content:"|8b 45 04 35|"; content:"|89 45 04 66 8b 45 02 66 35|"; distance:0; content:"|66 89 45 02|"; distance:0; reference:url,doc.emergingthreats.net/2009273; classtype:shellcode-detect; sid:2009273; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any any (msg:"ET SHELLCODE Furth Shellcode"; flow:established; content:"|31 c9 66 b9|"; content:"|80 73|"; distance:0; content:"|43 e2 1f|"; distance:0; reference:url,doc.emergingthreats.net/2009259; classtype:shellcode-detect; sid:2009259; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp any any -> any any (msg:"ET SHELLCODE Furth Shellcode (UDP)"; content:"|31 c9 66 b9|"; content:"|80 73|"; distance:0; content:"|43 e2 1f|"; distance:0; reference:url,doc.emergingthreats.net/2009272; classtype:shellcode-detect; sid:2009272; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any any (msg:"ET SHELLCODE Langenfeld Shellcode"; flow:established; content:"|eb 0f 5b 33 c9 66 b9|"; content:"|80 33|"; distance:0; content:"|43 e2 fa eb|"; distance:0; reference:url,doc.emergingthreats.net/2009260; classtype:shellcode-detect; sid:2009260; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp any any -> any any (msg:"ET SHELLCODE Langenfeld Shellcode (UDP)"; content:"|eb 0f 5b 33 c9 66 b9|"; content:"|80 33|"; distance:0; content:"|43 e2 fa eb|"; distance:0; reference:url,doc.emergingthreats.net/2009271; classtype:shellcode-detect; sid:2009271; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any any (msg:"ET SHELLCODE Bonn Shellcode"; flow:established; content:"|31 c9 81 e9|"; content:"|83 eb|"; distance:0; content:"|80 73|"; distance:0; content:"|43 e2 f9|"; distance:0; reference:url,doc.emergingthreats.net/2009261; classtype:shellcode-detect; sid:2009261; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp any any -> any any (msg:"ET SHELLCODE Bonn Shellcode (UDP)"; content:"|31 c9 81 e9|"; content:"|83 eb|"; distance:0; content:"|80 73|"; distance:0; content:"|43 e2 f9|"; distance:0; reference:url,doc.emergingthreats.net/2009270; classtype:shellcode-detect; sid:2009270; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any any (msg:"ET SHELLCODE Siegburg Shellcode"; flow:established; content:"|31 eb 80 eb|"; content:"|58 80 30|"; distance:0; content:"|40 81 38|"; distance:0; reference:url,doc.emergingthreats.net/2009262; classtype:shellcode-detect; sid:2009262; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp any any -> any any (msg:"ET SHELLCODE Siegburg Shellcode (UDP)"; content:"|31 eb 80 eb|"; content:"|58 80 30|"; distance:0; content:"|40 81 38|"; distance:0; reference:url,doc.emergingthreats.net/2009269; classtype:shellcode-detect; sid:2009269; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any any (msg:"ET SHELLCODE Plain1 Shellcode"; flow:established; content:"|89 e1 cd|"; content:"|5b 5d 52 66 bd|"; distance:0; content:"|0f cd 09 dd 55 6a|"; distance:0; content:"|51 50|"; distance:0; reference:url,doc.emergingthreats.net/2009263; classtype:shellcode-detect; sid:2009263; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp any any -> any any (msg:"ET SHELLCODE Plain1 Shellcode (UDP)"; content:"|89 e1 cd|"; content:"|5b 5d 52 66 bd|"; distance:0; content:"|0f cd 09 dd 55 6a|"; distance:0; content:"|51 50|"; distance:0; reference:url,doc.emergingthreats.net/2009268; classtype:shellcode-detect; sid:2009268; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any any (msg:"ET SHELLCODE Plain2 Shellcode"; flow:established; content:"|50 50 50 50 40 50 40 50 ff 56 1c 8b d8 57 57 68 02|"; content:"|8b cc 6a|"; distance:0; content:"|51 53|"; distance:0; reference:url,doc.emergingthreats.net/2009264; classtype:shellcode-detect; sid:2009264; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp any any -> any any (msg:"ET SHELLCODE Plain2 Shellcode (UDP)"; content:"|50 50 50 50 40 50 40 50 ff 56 1c 8b d8 57 57 68 02|"; content:"|8b cc 6a|"; distance:0; content:"|51 53|"; distance:0; reference:url,doc.emergingthreats.net/2009267; classtype:shellcode-detect; sid:2009267; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any any (msg:"ET SHELLCODE Bindshell1 Decoder Shellcode"; flow:established; content:"|58 99 89 E1 CD 80 96 43 52 66 68|"; content:"|66 53 89 E1 6A 66 58 50 51 56|"; distance:0; reference:url,doc.emergingthreats.net/2009265; classtype:shellcode-detect; sid:2009265; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp any any -> any any (msg:"ET SHELLCODE Bindshell1 Decoder Shellcode (UDP)"; content:"|58 99 89 E1 CD 80 96 43 52 66 68|"; content:"|66 53 89 E1 6A 66 58 50 51 56|"; distance:0; reference:url,doc.emergingthreats.net/2009266; classtype:shellcode-detect; sid:2009266; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-8 encoded Shellcode Detected"; flow:from_server,established; content:"%u"; nocase; isdataat:2; content:!"|0A|"; within:2; content:!"|20|"; within:2; pcre:"/(%U([0-9a-f]{2})){6}/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2003173; classtype:trojan-activity; sid:2003173; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 encoded Shellcode Detected"; flow:from_server,established; content:"%u"; nocase; isdataat:4; content:!"|0A|"; within:4; content:!"|20|"; within:4; pcre:"/(%U([0-9a-f]{4})){6}/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2003174; classtype:trojan-activity; sid:2003174; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 PexFnstenvMov/Sub Encoder"; flow:established; content:"|D9 EE D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance: 4; within: 5; reference:url,doc.emergingthreats.net/bin/view/Main/2002903; classtype:shellcode-detect; sid:2002903; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 Alpha2 GetEIPs Encoder"; flow:established; content:"|EB 03 59 EB 05 E8 F8 FF FF FF|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002904; classtype:shellcode-detect; sid:2002904; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 Countdown Encoder"; flow:established; content:"|E8 FF FF FF FF C1 5E 30 4C 0E 07 E2 FA|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002905; classtype:shellcode-detect; sid:2002905; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 PexAlphaNum Encoder"; flow:established; content:"VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089"; content:"JJJJJ"; distance: 2; within: 5; content:"VTX630VX4A0B6HH0B30BCVX2BDBH4A2AD0ADTBDQB0ADAVX4Z8BDJOM"; distance: 2; within: 55; reference:url,doc.emergingthreats.net/bin/view/Main/2002906; classtype:shellcode-detect; sid:2002906; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE x86 PexCall Encoder"; flow:established; content:"|E8 FF FF FF FF C0 5E 81 76 0E|"; content:"|82 EE FC E2 F4|"; distance: 4; within: 5; reference:url,doc.emergingthreats.net/bin/view/Main/2002907; classtype:shellcode-detect; sid:2002907; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE x86 JmpCallAdditive Encoder"; flow:established; content:"|FC BB|"; content:"|EB 0C 5E 56 31 1E AD 01 C3 85 C0 75 F7 C3 E8 EF FF FF FF|"; distance: 4; within: 19; reference:url,doc.emergingthreats.net/bin/view/Main/2002908; classtype:shellcode-detect; sid:2002908; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell"; content:"|83 e9 ec d9 ee d9 74 24 f4 5b 81 73 13|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010383; classtype:shellcode-detect; sid:2010383; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 2)"; content:"|82 ed 5f 4c 5d 52 43 78 03 d9 95 8f 84 49 4a 48 71 74 45 d3|"; reference:url,doc.emergingthreats.net/2010385; classtype:shellcode-detect; sid:2010385; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 3)"; content:"|9f 90 4b ef a3 76 76 74 97 36 e4 aa bc 46 2f 77 45 6a 69 63|"; reference:url,doc.emergingthreats.net/2010386; classtype:shellcode-detect; sid:2010386; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 4)"; content:"|64 65 f8 b6 7e 41 cc 6a 53 13 12 4d 57 28 6e 20 2a 2a cc a5|"; reference:url,doc.emergingthreats.net/2010387; classtype:shellcode-detect; sid:2010387; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 5)"; content:"|17 1c 1a 19 fb 77 80 ce|"; reference:url,doc.emergingthreats.net/2010388; classtype:shellcode-detect; sid:2010388; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Encoded 1)"; content:"|c9 83 e9 ec e8 ff ff ff ff c0 5e 81 76 0e|"; reference:url,doc.emergingthreats.net/2010389; classtype:shellcode-detect; sid:2010389; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Encoded 2)"; content:"|83 ee fc e2 f4|"; reference:url,doc.emergingthreats.net/2010390; classtype:shellcode-detect; sid:2010390; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 1)"; content:"|6a 61 58 99 52 68 10 02|"; reference:url,doc.emergingthreats.net/2010391; classtype:shellcode-detect; sid:2010391; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 2)"; content:"|89 e1 52 42 52 42 52 6a 10 cd 80 99 93 51 53 52 6a 68 58 cd|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010392; classtype:shellcode-detect; sid:2010392; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 3)"; content:"|80 b0 6a cd 80 52 53 52 b0 1e cd 80 97 6a 02 59 6a 5a 58 51|"; reference:url,doc.emergingthreats.net/2010393; classtype:shellcode-detect; sid:2010393; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 4)"; content:"|57 51 cd 80 49 79 f5 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3|"; reference:url,doc.emergingthreats.net/2010394; classtype:shellcode-detect; sid:2010394; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 5)"; content:"|50 54 53 53 b0 3b cd 80|"; reference:url,doc.emergingthreats.net/2010395; classtype:shellcode-detect; sid:2010395; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 1)"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 4f 49 49 49 49 49 49 51 5a 56|"; reference:url,doc.emergingthreats.net/2010396; classtype:shellcode-detect; sid:2010396; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 2)"; content:"|54 58 36 33 30 56 58 34 41 30 42 36 48 48 30 42 33 30 42 43|"; reference:url,doc.emergingthreats.net/2010397; classtype:shellcode-detect; sid:2010397; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 3)"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54 42 44 51 42|"; reference:url,doc.emergingthreats.net/2010398; classtype:shellcode-detect; sid:2010398; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 4)"; content:"|30 41 44 41 56 58 34 5a 38 42 44 4a 4f 4d 4c 36 41|"; reference:url,doc.emergingthreats.net/2010399; classtype:shellcode-detect; sid:2010399; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 5)"; content:"|41 4e 44 35 44 34 44|"; reference:url,doc.emergingthreats.net/2010400; classtype:shellcode-detect; sid:2010400; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 1)"; content:"|6a 14 59 d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010401; classtype:shellcode-detect; sid:2010401; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 2)"; content:"|83 eb fc e2 f4|"; reference:url,doc.emergingthreats.net/2010402; classtype:shellcode-detect; sid:2010402; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (JmpCallAdditive Encoded)"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef ff ff ff|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010403; classtype:shellcode-detect; sid:2010403; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 1)"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 49 49 49 49 49 49 49 49 49 49|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010404; classtype:shellcode-detect; sid:2010404; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 2)"; content:"|41 42 32 42 41 32 41 41 30 41 41 58|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010405; classtype:shellcode-detect; sid:2010405; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 3)"; content:"|49 72 4e 4e 69 6b 53|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010406; classtype:shellcode-detect; sid:2010406; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 1)"; content:"|c9 83 e9 ef d9 ee d9 74 24 f4 5b 81 73 13|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010407; classtype:shellcode-detect; sid:2010407; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 1)"; content:"|6a 43 59 e8 ff ff ff ff c1 5e 30 4c 0e 07 e2 fa 6b 63 5b 9d|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010409; classtype:shellcode-detect; sid:2010409; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 2)"; content:"|9f f6 72 09 4b 4b 4d 8a 74 7d 78 ec a2 49 26 7c 96 7d 79 7e|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010410; classtype:shellcode-detect; sid:2010410; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 3)"; content:"|7b e6 ac 64 57 d9 60 59 1d 1c 47 5d 5e 18 5a 50 54 b2 df 6d|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010411; classtype:shellcode-detect; sid:2010411; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 4)"; content:"|57 44 55 4a 5b 62|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010412; classtype:shellcode-detect; sid:2010412; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Encoded 1)"; content:"|c9 83 e9 ef e8 ff ff ff ff c0 5e 81 76 0e|"; reference:url,doc.emergingthreats.net/2010413; classtype:shellcode-detect; sid:2010413; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Encoded 2)"; content:"|83 ee fc e2 f4|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010414; classtype:shellcode-detect; sid:2010414; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 1)"; content:"|51 cd 80 49 79 f6 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3 50|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010415; classtype:shellcode-detect; sid:2010415; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 2)"; content:"|6a 61 58 99 52 42 52 42 52 68|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010416; classtype:shellcode-detect; sid:2010416; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 3)"; content:"|89 e1 6a 10 51 50 51 97 6a 62 58 cd 80 6a 02 59 b0 5a 51 57|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010417; classtype:shellcode-detect; sid:2010417; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 1)"; content:"|44 32 4d 4c 42 48 4a 46 42 31 44 50 50 41 4e 4f 49 38 41 4e|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010418; classtype:shellcode-detect; sid:2010418; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 2)"; content:"|4c 36 42 41 41 35 42 45 41 35 47 59 4c 36 44 56 4a 35 4d 4c|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010419; classtype:shellcode-detect; sid:2010419; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 3)"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54 42 44 51 42|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010420; classtype:shellcode-detect; sid:2010420; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 1)"; content:"|6a 11 59 d9 ee d9 74 24 f4 5b 81 73 13|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010421; classtype:shellcode-detect; sid:2010421; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (JmpCallAdditive Encoded 1)"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef ff ff ff|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010423; classtype:shellcode-detect; sid:2010423; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 1)"; content:"|49 49 49 49 49 49 49 51 5a 6a|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010424; classtype:shellcode-detect; sid:2010424; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 2)"; content:"|58 50 30 42 31 41 42 6b 42 41|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010425; classtype:shellcode-detect; sid:2010425; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 3)"; content:"|32 41 41 30 41 41 58 50 38 42 42 75|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010426; classtype:shellcode-detect; sid:2010426; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (SPARC Encoded 1)"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03 e0 20 aa 9d 40 11|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010427; classtype:shellcode-detect; sid:2010427; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (SPARC Encoded 2)"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf ff fb 9e 03 e0 04|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010428; classtype:shellcode-detect; sid:2010428; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 1)"; content:"|e0 23 bf f0 c0 23 bf f4 92 23 a0 10 94 10 20 10 82 10 20 68|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010429; classtype:shellcode-detect; sid:2010429; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 2)"; content:"|91 d0 20 08 d0 03 bf f8 92 10 20 01 82 10 20 6a 91 d0 20 08|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010430; classtype:shellcode-detect; sid:2010430; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 3)"; content:"|d0 03 bf f8 92 1a 40 09 94 12 40 09 82 10 20 1e 91 d0 20 08|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010431; classtype:shellcode-detect; sid:2010431; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 4)"; content:"|23 0b dc da 90 23 a0 10 92 23 a0 08 e0 3b bf f0 d0 23 bf f8|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010432; classtype:shellcode-detect; sid:2010432; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 1)"; content:"|9c 2b a0 07 94 1a c0 0b 92 10 20 01 90 10 20 02 82 10 20 61|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010433; classtype:shellcode-detect; sid:2010433; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 2)"; content:"|91 d0 20 08 d0 23 bf f8 92 10 20 03 92 a2 60 01 82 10 20 5a|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010434; classtype:shellcode-detect; sid:2010434; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 3)"; content:"|91 d0 20 08 12 bf ff fd d0 03 bf f8 21 3f c0|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010437; classtype:shellcode-detect; sid:2010437; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 1)"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03 e0 20 aa 9d 40 11|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010435; classtype:shellcode-detect; sid:2010435; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 2)"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf ff fb 9e 03 e0 04|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010436; classtype:shellcode-detect; sid:2010436; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE AIX NOOP"; content:"O|FF FB 82|O|FF FB 82|O|FF FB 82|O|FF FB 82|"; fast_pattern:only; classtype:shellcode-detect; sid:2100640; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Digital UNIX NOOP"; content:"G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|"; fast_pattern:only; reference:arachnids,352; classtype:shellcode-detect; sid:2100641; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE HP-UX NOOP"; content:"|08|!|02 80 08|!|02 80 08|!|02 80 08|!|02 80|"; fast_pattern:only; reference:arachnids,358; classtype:shellcode-detect; sid:2100642; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE HP-UX NOOP"; content:"|0B|9|02 80 0B|9|02 80 0B|9|02 80 0B|9|02 80|"; fast_pattern:only; reference:arachnids,359; classtype:shellcode-detect; sid:2100643; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh"; fast_pattern:only; reference:arachnids,343; classtype:shellcode-detect; sid:2100652; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE SGI NOOP"; content:"|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%"; fast_pattern:only; reference:arachnids,356; classtype:shellcode-detect; sid:2100638; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE SGI NOOP"; content:"|24 0F 12|4|24 0F 12|4|24 0F 12|4|24 0F 12|4"; fast_pattern:only; reference:arachnids,357; classtype:shellcode-detect; sid:2100639; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|13 C0 1C A6 13 C0 1C A6 13 C0 1C A6 13 C0 1C A6|"; fast_pattern:only; reference:arachnids,345; classtype:shellcode-detect; sid:2100644; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|80 1C|@|11 80 1C|@|11 80 1C|@|11 80 1C|@|11|"; fast_pattern:only; reference:arachnids,353; classtype:shellcode-detect; sid:2100645; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|A6 1C C0 13 A6 1C C0 13 A6 1C C0 13 A6 1C C0 13|"; fast_pattern:only; reference:arachnids,355; classtype:shellcode-detect; sid:2100646; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc setuid 0"; content:"|82 10| |17 91 D0| |08|"; fast_pattern:only; reference:arachnids,282; classtype:system-call-detect; sid:2100647; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x71FB7BAB NOOP unicode"; content:"q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|"; fast_pattern:only; classtype:shellcode-detect; sid:2102313; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x71FB7BAB NOOP"; content:"q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|"; fast_pattern:only; classtype:shellcode-detect; sid:2102312; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x90 NOOP unicode"; content:"|90 00 90 00 90 00 90 00 90 00 90 00 90 00 90 00|"; fast_pattern:only; classtype:shellcode-detect; sid:2102314; rev:5; metadata:created_at 2010_09_23, updated_at 2016_09_09;)

#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x90 unicode NOOP"; content:"|90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:2100653; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0xEB0C NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; fast_pattern:only; classtype:shellcode-detect; sid:2101424; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth:128; reference:arachnids,181; classtype:shellcode-detect; sid:2100648; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; metadata: former_category SHELLCODE; classtype:shellcode-detect; sid:2101390; rev:8; metadata:created_at 2010_09_23, updated_at 2017_09_08;)

#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 setgid 0"; content:"|B0 B5 CD 80|"; fast_pattern:only; reference:arachnids,284; classtype:system-call-detect; sid:2100649; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 setuid 0"; content:"|B0 17 CD 80|"; fast_pattern:only; reference:arachnids,436; classtype:system-call-detect; sid:2100650; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 stealth NOOP"; content:"|EB 02 EB 02 EB 02|"; fast_pattern:only; metadata: former_category SHELLCODE; reference:arachnids,291; classtype:shellcode-detect; sid:2100651; rev:10; metadata:created_at 2010_09_23, updated_at 2017_09_08;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SHELLCODE ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; fast_pattern:only; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101324; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SHELLCODE ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101326; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SHELLCODE MSSQL shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; fast_pattern:only; classtype:shellcode-detect; sid:2100691; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape %u Shellcode/Heap Spray"; flow:established,to_client; content:"unescape"; nocase; content:"%u"; nocase; distance:0; content:"%u"; nocase; within:6; pcre:"/unescape.+\x25u[0-9,a-f]{2,4}\x25u[0-9,a-f]{2,4}/smi"; reference:url,www.w3schools.com/jsref/jsref_unescape.asp; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,malzilla.sourceforge.net/tutorial01/index.html; reference:url,doc.emergingthreats.net/2011346; classtype:shellcode-detect; sid:2011346; rev:7; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected"; flow:established; content:"|EB|"; byte_jump:1,0,relative; content:"|E8|"; within:1; content:"|FF FF FF|"; distance:1; within:3; content:!"MZ"; content:!"This program cannot be run in DOS mode"; content:!"Windows Program"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2011803; rev:5; metadata:created_at 2010_10_12, updated_at 2010_10_12;)

#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UDP x86 JMP to CALL Shellcode Detected"; content:"|EB|"; byte_jump:1,0,relative; content:"|E8|"; within:1; content:"|FF FF FF|"; distance:1; within:3; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2011804; rev:2; metadata:created_at 2010_10_12, updated_at 2010_10_12;)

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 58|"; fast_pattern:only; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012087; rev:1; metadata:created_at 2010_12_23, updated_at 2010_12_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 8F|"; fast_pattern:only; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012088; rev:2; metadata:created_at 2010_12_23, updated_at 2016_09_16;)

#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 8F|"; fast_pattern:only; metadata: former_category SHELLCODE; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012089; rev:2; metadata:created_at 2010_12_23, updated_at 2017_09_08;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 0F 1A|"; fast_pattern:only; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012090; rev:1; metadata:created_at 2010_12_23, updated_at 2010_12_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 0F 1A|"; fast_pattern:only; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012091; rev:2; metadata:created_at 2010_12_23, updated_at 2010_12_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 0F A9|"; fast_pattern:only; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012092; rev:1; metadata:created_at 2010_12_23, updated_at 2010_12_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 0F A9|"; fast_pattern:only; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012093; rev:2; metadata:created_at 2010_12_23, updated_at 2010_12_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-8 %u90 NOP SLED"; flow:established,to_client; content:"%u90%u90"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012110; rev:2; metadata:created_at 2011_12_28, updated_at 2011_12_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 %u9090 NOP SLED"; flow:established,to_client; content:"%u9090%u"; nocase; pcre:"/^[a-f0-9]{4}/Ri"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012111; rev:3; metadata:created_at 2011_12_28, updated_at 2011_12_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Encoded %90 NOP SLED"; flow:established,to_client; content:"%90%90%90"; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012112; rev:2; metadata:created_at 2011_12_28, updated_at 2011_12_28;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Usage of Actionscript ByteArray writeByte Function to Build Shellcode"; flow:established,to_client; content:"writeByte(0x"; nocase; fast_pattern:only; pcre:"/writeByte\x280x[a-z,0-9]{2}.+writeByte\x280x[a-z,0-9]{2}.+writeByte\x280x[a-z,0-9]{2}/smi"; reference:url,blog.fireeye.com/research/2009/07/actionscript_heap_spray.html; classtype:shellcode-detect; sid:2012120; rev:1; metadata:created_at 2011_12_30, updated_at 2011_12_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation"; flow:established,to_client; content:"unescape|28 22|"; content:!"|29|"; within:100; content:"|22| +|0a|"; fast_pattern; within:80; content:"|22| +|0a|"; within:80; content:"|22| "; within:80; content:"|22| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012196; rev:1; metadata:created_at 2011_01_17, updated_at 2011_01_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation 2"; flow:established,to_client; content:"unescape|28 27|"; content:!"|29|"; within:100; content:"|27| +|0a|"; fast_pattern; within:80; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012197; rev:1; metadata:created_at 2011_01_17, updated_at 2011_01_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common 0a0a0a0a Heap Spray String"; flow:established,to_client; content:"0a0a0a0a"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012252; rev:1; metadata:created_at 2011_02_02, updated_at 2011_02_02;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %0a%0a%0a%0a Heap Spray String"; flow:established,to_client; content:"%0a%0a%0a%0a"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012253; rev:1; metadata:created_at 2011_02_02, updated_at 2011_02_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0a0a%u0a0a UTF-16 Heap Spray String"; flow:established,to_client; content:"%u0a0a%u0a0a"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012254; rev:1; metadata:created_at 2011_02_02, updated_at 2011_02_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0a%u0a%u0a%u0a UTF-8 Heap Spray String"; flow:established,to_client; content:"%u0a%u0a%u0a%u0a"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012255; rev:1; metadata:created_at 2011_02_02, updated_at 2011_02_02;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common 0c0c0c0c Heap Spray String"; flow:established,to_client; content:"0c0c0c0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012256; rev:1; metadata:created_at 2011_02_02, updated_at 2011_02_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String"; flow:established,to_client; content:"%0c%0c%0c%0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012257; rev:1; metadata:created_at 2011_02_02, updated_at 2011_02_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0c0c%u0c0c UTF-16 Heap Spray String"; flow:established,to_client; content:"%u0c0c%u0c0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012258; rev:1; metadata:created_at 2011_02_02, updated_at 2011_02_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0c%u0c%u0c%u0c UTF-8 Heap Spray String"; flow:established,to_client; content:"%u0c%u0c%u0c%u0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012259; rev:1; metadata:created_at 2011_02_02, updated_at 2011_02_02;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE UTF-8/16 Encoded Shellcode"; flow:established,to_client; content:"|5C|u"; nocase; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; pcre:"/\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}/i"; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012510; rev:1; metadata:created_at 2011_03_16, updated_at 2011_03_16;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Unescape Variable %u Shellcode"; flow:established,to_client; content:"= unescape|28|"; nocase; content:"%u"; nocase; within:3; content:"%u"; nocase; within:6; pcre:"/var\x20[a-z,0-9]{1,30}\x20\x3D\x20unescape\x28.\x25u[a-f,0-9]{2,4}\x25u[a-f,0-9]{2,4}/i"; reference:url,www.symantec.com/avcenter/reference/evolving.shell.code.pdf; classtype:shellcode-detect; sid:2012534; rev:1; metadata:created_at 2011_03_22, updated_at 2011_03_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Unescape Variable Unicode Shellcode"; flow:established,to_client; content:"= unescape|28|"; nocase; content:"|5C|u"; nocase; within:3; content:"|5C|u"; nocase; within:6; pcre:"/var\x20[a-z,0-9]{1,30}\x20\x3D\x20unescape\x28.\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}/i"; reference:url,www.symantec.com/avcenter/reference/evolving.shell.code.pdf; classtype:shellcode-detect; sid:2012535; rev:1; metadata:created_at 2011_03_22, updated_at 2011_03_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Javascript Split String Unicode Heap Spray Attempt"; flow:established,to_client; content:"|22|u|22 20|+|20 22|0|22 20|+|20 22|"; content:"|22 20|+|20 22|"; distance:1; within:5; pcre:"/\x220\x22\x20\x2B\x20\x22[a-d]\x22\x20\x2B\x20\x22/smi"; classtype:shellcode-detect; sid:2012925; rev:1; metadata:created_at 2011_06_02, updated_at 2011_06_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0a0a0a0a Heap Spray Attempt"; flow:established,to_client; content:"0x0a0a0a0a"; nocase; fast_pattern:only; classtype:shellcode-detect; sid:2012962; rev:1; metadata:created_at 2011_06_08, updated_at 2011_06_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0b0b0b0b Heap Spray Attempt"; flow:established,to_client; content:"0x0b0b0b0b"; nocase; fast_pattern:only; classtype:shellcode-detect; sid:2012963; rev:1; metadata:created_at 2011_06_08, updated_at 2011_06_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0c0c0c0c Heap Spray Attempt"; flow:established,to_client; content:"0x0c0c0c0c"; nocase; fast_pattern:only; classtype:shellcode-detect; sid:2012964; rev:1; metadata:created_at 2011_06_08, updated_at 2011_06_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0d0d0d0d Heap Spray Attempt"; flow:established,to_client; content:"0x0d0d0d0d"; nocase; fast_pattern:only; classtype:shellcode-detect; sid:2012965; rev:1; metadata:created_at 2011_06_08, updated_at 2011_06_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible %0d%0d%0d%0d Heap Spray Attempt"; flow:established,to_client; content:"%0d%0d%0d%0d"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012966; rev:1; metadata:created_at 2011_06_08, updated_at 2011_06_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible %u0d%u0d%u0d%u0d UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"%u0d%u0d%u0d%u0d"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012967; rev:1; metadata:created_at 2011_06_08, updated_at 2011_06_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible %u0d0d%u0d0d UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"%u0d0d%u0d0d"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012968; rev:1; metadata:created_at 2011_06_08, updated_at 2011_06_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Vertical Slash Unicode Heap Spray Attempt"; flow:established,to_client; content:"|7C|u0"; nocase; content:"|7C|u0"; distance:1; within:4; pcre:"/\x7Cu0[a-d](\x7Cu0|0)[a-d]/\x7Cu0[a-d](\x7Cu0|0)[a-d]/i"; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012969; rev:1; metadata:created_at 2011_06_08, updated_at 2011_06_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Unicode Heap Spray Attempt"; flow:established,to_client; content:"|5C|u0"; nocase; content:"|5C|u0"; distance:1; within:4; pcre:"/\x5Cu0[a-d](\x5Cu0|0)[a-d]/\x5Cu0[a-d](\x5Cu0|0)[a-d]/i"; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012970; rev:1; metadata:created_at 2011_06_08, updated_at 2011_06_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt"; flow:established,to_client; content:"%41%41%41%41"; fast_pattern:only; classtype:shellcode-detect; sid:2013145; rev:1; metadata:created_at 2011_06_30, updated_at 2011_06_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible %u41%u41%u41%u41 UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"%u41%u41%u41%u41"; nocase; fast_pattern:only; classtype:shellcode-detect; sid:2013146; rev:1; metadata:created_at 2011_06_30, updated_at 2011_06_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible %u4141%u4141 UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"%u4141%u4141"; nocase; fast_pattern:only; classtype:shellcode-detect; sid:2013147; rev:1; metadata:created_at 2011_06_30, updated_at 2011_06_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE JavaScript Redefinition of a HeapLib Object - Likely Malicious Heap Spray Attempt"; flow:established,to_client; content:"heap|2E|"; nocase; fast_pattern:only; pcre:"/var\x20[^\n\r]*\x3D[^\n\r]*heap\x2E/smi"; classtype:shellcode-detect; sid:2013148; rev:2; metadata:created_at 2011_06_30, updated_at 2011_06_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0b0b0b0b"; flow:established,to_client; content:"|5C|x0b|5C|x0b|5C|x0b|5C|x0b"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013268; rev:1; metadata:created_at 2011_07_14, updated_at 2011_07_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0c0c0c0c"; flow:established,to_client; content:"|5C|x0c|5C|x0c|5C|x0c|5C|x0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013269; rev:1; metadata:created_at 2011_07_14, updated_at 2011_07_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0d0d0d0d"; flow:established,to_client; content:"|5C|x0d|5C|x0d|5C|x0d|5C|x0d"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013270; rev:1; metadata:created_at 2011_07_14, updated_at 2011_07_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript NOP SLED"; flow:established,to_client; content:"|5C|x90|5C|x90|5C|x90|5C|x90"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013271; rev:1; metadata:created_at 2011_07_14, updated_at 2011_07_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Unescape Hex Obfuscated Content"; flow:established,to_client; content:"unescape|28|"; fast_pattern; content:"|5C|x"; distance:1; within:2; content:"|5C|x"; distance:2; within:2; content:"|5C|x"; distance:2; within:2; content:"|5C|x"; distance:2; within:2; pcre:"/unescape\x28(\x22|\x27)\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}/smi"; classtype:shellcode-detect; sid:2013272; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 41414141"; flow:established,to_client; content:"|5C|x41|5C|x41|5C|x41|5C|x41"; nocase; fast_pattern:only; metadata: former_category SHELLCODE; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013273; rev:1; metadata:created_at 2011_07_14, updated_at 2017_09_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0a0a0a0a"; flow:established,to_client; content:"|5C 5C|x0a|5C 5C|x0a|5C 5C|x0a|5C 5C|x0a"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013274; rev:1; metadata:created_at 2011_07_14, updated_at 2011_07_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0b0b0b0b"; flow:established,to_client; content:"|5C 5C|x0b|5C 5C|x0b|5C 5C|x0b|5C 5C|x0b"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013275; rev:1; metadata:created_at 2011_07_14, updated_at 2011_07_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0c0c0c0c"; flow:established,to_client; content:"|5C 5C|x0c|5C 5C|x0c|5C 5C|x0c|5C 5C|x0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013276; rev:1; metadata:created_at 2011_07_14, updated_at 2011_07_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0d0d0d0d"; flow:established,to_client; content:"|5C 5C|x0d|5C 5C|x0d|5C 5C|x0d|5C 5C|x0d"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013277; rev:1; metadata:created_at 2011_07_14, updated_at 2011_07_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript NOP SLED"; flow:established,to_client; content:"|5C 5C|x90|5C 5C|x90|5C 5C|x90|5C 5C|x90"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013278; rev:1; metadata:created_at 2011_07_14, updated_at 2011_07_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 41414141"; flow:established,to_client; content:"|5C 5C|x41|5C 5C|x41|5C 5C|x41|5C 5C|x41"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013279; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Unicode UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"u0"; nocase; content:"u0"; nocase; distance:1; within:2; content:"u0"; nocase; distance:1; within:2; content:"u0"; nocase; distance:1; within:2; pcre:"/u0[a-d]u0[a-d]u0[a-d]u0[a-d]/smi"; classtype:shellcode-detect; sid:2013319; rev:1; metadata:created_at 2011_07_27, updated_at 2011_07_27;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Unicode UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"u0"; nocase; content:"u0"; nocase; distance:3; within:2; pcre:"/u0[a-d]0[a-d]u0[a-d]0[a-d]/smi"; classtype:shellcode-detect; sid:2013320; rev:1; metadata:created_at 2011_07_27, updated_at 2011_07_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Escaped UTF-8 0c0c Heap Spray"; flow:established,to_client; file_data; content:"|5C|0c|5C|0c"; nocase; distance:0; classtype:bad-unknown; sid:2016714; rev:1; metadata:created_at 2013_04_03, updated_at 2013_04_03;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Escaped UTF-16 0c0c Heap Spray"; flow:established,to_client; file_data; content:"|5C|0c0c"; nocase; distance:0; metadata: former_category SHELLCODE; classtype:bad-unknown; sid:2016715; rev:1; metadata:created_at 2013_04_03, updated_at 2017_09_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 u9090 NOP SLED"; file_data; flow:established,to_client; content:"|5c|u9090|5c|"; nocase; pcre:"/^[a-f0-9]{4}/Ri"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2017345; rev:3; metadata:created_at 2013_08_19, updated_at 2013_08_19;)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Linux/x86-64 - Polymorphic Flush IPTables Shellcode"; content:"|6a 52 58 99 52 66 68 2d 46 54 5b 52 48 b9 69 70 74 61 62 6c 65 73 51 d0 e0 28 c8 48 b9 2f 2f 73 62 69 6e 2f 2f 51 54 5f 52 53 57 54 5e 0f 05|"; fast_pattern:only; metadata: former_category SHELLCODE; reference:url,a41l4.blogspot.ca/2017/03/polyflushiptables1434.html; classtype:shellcode-detect; sid:2024057; rev:1; metadata:affected_product Linux, attack_target Client_and_Server, deployment Perimeter, signature_severity Critical, created_at 2017_03_15, performance_impact Low, updated_at 2017_03_15;)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Linux/x86-64 - Polymorphic Setuid(0) & Execve(/bin/sh) Shellcode"; content:"|31 ff 57 6a 69 58 48 bb 5e c4 d2 dc 5e 5e e6 d0 0f 05 48 d1 cb b0 3b 53 87 f7 54 99 5f 0f 05|"; fast_pattern:only; metadata: former_category SHELLCODE; reference:url,a41l4.blogspot.ca/2017/03/polysetuidexecve1434.html; classtype:shellcode-detect; sid:2024058; rev:1; metadata:affected_product Linux, attack_target Client_and_Server, deployment Perimeter, signature_severity Critical, created_at 2017_03_15, performance_impact Low, updated_at 2017_03_15;)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Linux/x86-64 - Reverse Shell Shellcode"; content:"|6a 02 6a 2a 6a 10 6a 29 6a 01 6a 02|"; content:"|48 bf 2f 2f 62 69 6e 2f 73 68|"; fast_pattern:only; metadata: former_category SHELLCODE; reference:url,exploit-db.com/exploits/41477/; classtype:shellcode-detect; sid:2024065; rev:1; metadata:affected_product Linux, attack_target Client_and_Server, deployment Perimeter, signature_severity Critical, created_at 2017_03_16, performance_impact Low, updated_at 2017_03_16;)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Execve(/bin/sh) Shellcode"; content:"|31 c0 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3 50 53 89 e1 b0 0b cd 80|"; metadata: former_category SHELLCODE; classtype:shellcode-detect; sid:2025695; rev:1; metadata:affected_product Linux, attack_target Server, deployment Perimeter, created_at 2018_07_13, performance_impact Low, updated_at 2018_07_13;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP EXPN overflow attempt"; flow:to_server,established; content:"EXPN"; nocase; isdataat:255,relative; content:!"|0a|"; within:255; pcre:"/^EXPN[^\n]{255}/smi"; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2102259; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP MAIL FROM overflow attempt"; flow:to_server,established; content:"MAIL FROM"; nocase; isdataat:260; content:!"|0A|"; within:256; reference:bugtraq,10290; reference:bugtraq,7506; reference:cve,2004-0399; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2102590; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3A|"; nocase; isdataat:300,relative; pcre:"/^RCPT TO\x3a\s[^\n]{300}/ism"; reference:bugtraq,2283; reference:bugtraq,9696; reference:cve,2001-0260; classtype:attempted-admin; sid:2100654; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP ehlo cybercop attempt"; flow:to_server,established; content:"ehlo cybercop|0A|quit|0A|"; reference:arachnids,372; classtype:protocol-command-decode; sid:2100631; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn *@"; flow:to_server,established; content:"expn"; nocase; content:"*@"; pcre:"/^expn\s+\*@/smi"; reference:cve,1999-1200; classtype:misc-attack; sid:2101450; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn cybercop attempt"; flow:to_server,established; content:"expn cybercop"; reference:arachnids,371; classtype:protocol-command-decode; sid:2100632; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn decode"; flow:to_server,established; content:"expn"; nocase; content:"decode"; nocase; pcre:"/^expn\s+decode/smi"; reference:arachnids,32; reference:cve,1999-0096; reference:nessus,10248; classtype:attempted-recon; sid:2100659; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn root"; flow:to_server,established; content:"expn"; nocase; content:"root"; fast_pattern; distance:0; nocase; pcre:"/^expn\s+root/smi"; reference:arachnids,31; reference:cve,1999-0531; reference:nessus,10249; classtype:attempted-recon; sid:2100660; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP vrfy decode"; flow:to_server,established; content:"vrfy"; nocase; content:"decode"; distance:1; nocase; pcre:"/^vrfy\s+decode/smi"; reference:arachnids,373; reference:bugtraq,10248; reference:cve,1999-0096; classtype:attempted-recon; sid:2100672; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP vrfy root"; flow:to_server,established; content:"vrfy"; nocase; content:"root"; distance:1; nocase; pcre:"/^vrfy\s+root/smi"; classtype:attempted-recon; sid:2101446; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"GPL SMTP OUTBOUND bad file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"filename"; distance:0; pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[tw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]/iR"; classtype:suspicious-filename-detect; sid:2100721; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"GPL SMTP SMTP relaying denied"; flow:established,from_server; content:"550 5.7.1"; depth:70; reference:arachnids,249; reference:url,mail-abuse.org/tsi/ar-fix.html; classtype:misc-activity; sid:2100567; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"GPL SMTP AUTH LOGON brute force attempt"; flow:from_server,established; content:"Authentication unsuccessful"; offset:54; nocase; threshold:type threshold, track by_dst, count 5, seconds 60; classtype:suspicious-login; sid:2102275; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET SMTP Potential Exim HeaderX with run exploit attempt"; flow:established,to_server; content:"|0d 0a|HeaderX|3a 20|"; nocase; content:"run{"; distance:0; reference:url,www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html; reference:url,eclists.org/fulldisclosure/2010/Dec/221; classtype:attempted-admin; sid:2012054; rev:3; metadata:created_at 2010_12_14, updated_at 2010_12_14;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET SMTP IBM Lotus Domino iCalendar Email Address Stack Buffer Overflow Attempt"; flow:to_server,established; content:"|0d 0a|ORGANIZER"; content:"mailto|3a|"; nocase; within:50; isdataat:2000,relative; content:!"|0a|"; within:2000; reference:url,www.exploit-db.com/exploits/15005/; reference:cve,2010-3407; classtype:attempted-user; sid:2012135; rev:3; metadata:created_at 2011_01_05, updated_at 2011_01_05;)

alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET SMTP Abuseat.org Block Message"; flow:established,from_server; content:"abuseat.org"; classtype:not-suspicious; sid:2012982; rev:3; metadata:created_at 2011_06_10, updated_at 2011_06_10;)

alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET SMTP Spamcop.net Block Message"; flow:established,from_server; content:"spamcop.net"; classtype:not-suspicious; sid:2012983; rev:2; metadata:created_at 2011_06_10, updated_at 2011_06_10;)

#alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET SMTP Sophos.com Block Message"; flow:established,from_server; content:"sophos.com"; classtype:not-suspicious; sid:2012984; rev:2; metadata:created_at 2011_06_10, updated_at 2011_06_10;)

alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET SMTP Sorbs.net Block Message"; flow:established,from_server; content:"sorbs.net"; classtype:not-suspicious; sid:2012985; rev:2; metadata:created_at 2011_06_10, updated_at 2011_06_10;)

alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET SMTP Robtex.com Block Message"; flow:established,from_server; content:"robtex.com"; classtype:not-suspicious; sid:2012986; rev:2; metadata:created_at 2011_06_10, updated_at 2011_06_10;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SMTP EXE - ZIP file with .pif filename inside"; flow:established; content:"|0D 0A 0D 0A|UmFyI"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(LnBpZ|5waW|ucGlm)/R"; classtype:bad-unknown; sid:2018144; rev:1; metadata:created_at 2014_02_14, updated_at 2014_02_14;)

alert tcp any any -> $SMTP_SERVERS [25,587] (msg:"ET SMTP Incoming SMTP Message with Possibly Malicious MIME Epilogue 2016-05-13 (BadEpilogue)"; flow:to_server,established; content:"|0d 0a|Content-Type|3a 20|multipart|2f|mixed|3b|"; fast_pattern:12,20; content:"|0d 0a 2d 2d|"; distance:0; pcre:"/^(?P<boundary>[\x20\x27-\x29\x2b-\x2f0-9\x3a\x3d\x3fA-Z\x5fa-z]{0,69}?[^\x2d])--(?:\x0d\x0a(?!--|\x2e|RSET)[^\r\n]*?)*\x0d\x0a--(?P=boundary)\x0d\x0a/R"; reference:url,www.certego.local/en/news/badepilogue-the-perfect-evasion/; classtype:bad-unknown; sid:2023255; rev:1; metadata:attack_target SMTP_Server, deployment Datacenter, signature_severity Major, created_at 2016_09_22, performance_impact Low, updated_at 2016_09_22;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv1 trap port"; content:"|02 01 00|"; depth:3; byte_test:1,>,159,8,relative; byte_test:1,<,164,8,relative; reference:cve,2004-0714; reference:bugtraq,10186; reference:url,doc.emergingthreats.net/bin/view/Main/2002880; classtype:attempted-dos; sid:2002880; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv2 trap port"; content:"|02 01|"; depth:2; byte_test:1,>,0,0,relative; byte_test:1,<,3,0,relative; byte_test:1,>,159,9,relative; byte_test:1,<,167,9,relative; reference:cve,2004-0714; reference:bugtraq,10186; reference:url,doc.emergingthreats.net/bin/view/Main/2002881; classtype:attempted-dos; sid:2002881; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv3 trap port"; content:"|02 01 03|"; depth:3; byte_test:1,>,159,43,relative; byte_test:1,<,167,43,relative; reference:cve,2004-0714; reference:bugtraq,10186; reference:url,doc.emergingthreats.net/bin/view/Main/2002882; classtype:attempted-dos; sid:2002882; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET !161 -> $HOME_NET 49152: (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv1 random port"; content:"|02 01 00|"; depth:3; byte_test:1,>,159,8,relative; byte_test:1,<,164,8,relative; reference:cve,2004-0714; reference:bugtraq,10186; reference:url,doc.emergingthreats.net/bin/view/Main/2002926; classtype:attempted-dos; sid:2002926; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET !161 -> $HOME_NET 49152: (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv2 random port"; content:"|02 01|"; depth:2; byte_test:1,>,0,0,relative; byte_test:1,<,3,0,relative; byte_test:1,>,159,9,relative; byte_test:1,<,167,9,relative; reference:cve,2004-0714; reference:bugtraq,10186; reference:url,doc.emergingthreats.net/bin/view/Main/2002927; classtype:attempted-dos; sid:2002927; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET !161 -> $HOME_NET 49152: (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv3 random port"; content:"|02 01 03|"; depth:3; byte_test:1,>,159,43,relative; byte_test:1,<,167,43,relative; reference:cve,2004-0714; reference:bugtraq,10186; reference:url,doc.emergingthreats.net/bin/view/Main/2002928; classtype:attempted-dos; sid:2002928; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP Attempted UDP Access Attempt to Cisco IOS 12.1 Hidden Read/Write Community String ILMI"; content:"ILMI"; nocase; fast_pattern:only; reference:url,www.cisco.com/warp/public/707/cisco-sa-20010228-ios-snmp-community.shtml; reference:url,www.cisco.com/warp/public/707/cisco-sa-20010227-ios-snmp-ilmi.shtml; reference:url,doc.emergingthreats.net/2011011; classtype:attempted-admin; sid:2011011; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP Attempted TCP Access Attempt to Cisco IOS 12.1 Hidden Read/Write Community String ILMI"; flow:to_server,established; content:"ILMI"; nocase; fast_pattern:only; reference:url,www.cisco.com/warp/public/707/cisco-sa-20010228-ios-snmp-community.shtml; reference:url,www.cisco.com/warp/public/707/cisco-sa-20010227-ios-snmp-ilmi.shtml; reference:url,doc.emergingthreats.net/2011012; classtype:attempted-admin; sid:2011012; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP Attempted UDP Access Attempt to Cisco IOS 12.1 Hidden Read/Write Community String cable-docsis"; content:"cable-docsis"; nocase; fast_pattern:only; reference:url,www.cisco.com/warp/public/707/cisco-sa-20010228-ios-snmp-community.shtml; reference:url,www.iss.net/security_center/reference/vuln/cisco-ios-cable-docsis.htm; reference:url,www.kb.cert.org/vuls/id/840665; reference:cve,2004-1776; reference:url,doc.emergingthreats.net/2011013; classtype:attempted-admin; sid:2011013; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP Attempted TCP Access Attempt to Cisco IOS 12.1 Hidden Read/Write Community String cable-docsis"; flow:to_server,established; content:"cable-docsis"; nocase; fast_pattern:only; reference:url,www.cisco.com/warp/public/707/cisco-sa-20010228-ios-snmp-community.shtml; reference:url,www.iss.net/security_center/reference/vuln/cisco-ios-cable-docsis.htm; reference:url,www.kb.cert.org/vuls/id/840665; reference:cve,2004-1776; reference:url,doc.emergingthreats.net/2011014; classtype:attempted-admin; sid:2011014; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP private access tcp"; flow:to_server,established; content:"private"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101414; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP public access tcp"; flow:to_server,established; content:"public"; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101412; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP request tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101418; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP trap tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101420; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP SNMP NT UserList"; content:"+|06 10|@|14 D1 02 19|"; fast_pattern:only; reference:nessus,10546; classtype:attempted-recon; sid:2100516; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP missing community string attempt"; content:"|04 00|"; depth:15; offset:5; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2101893; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP null community string attempt"; content:"|04 01 00|"; depth:15; offset:5; reference:bugtraq,2112; reference:bugtraq,8974; reference:cve,1999-0517; classtype:misc-attack; sid:2101892; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP private access udp"; content:"private"; fast_pattern:only; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:bugtraq,7212; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101413; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP public access udp"; content:"public"; fast_pattern:only; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101411; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP request udp";  reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101417; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"GPL SNMP community string buffer overflow attempt with evasion"; content:" |04 82 01 00|"; depth:5; offset:7; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:2101422; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"GPL SNMP SNMP community string buffer overflow attempt"; content:"|02 01 00 04 82 01 00|"; offset:4; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:2101409; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP SNMP trap Format String detected"; content:"%s"; fast_pattern:only; reference:bugtraq,16267; reference:cve,2006-0250; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=22493; classtype:attempted-recon; sid:2100227; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP PROTOS test-suite-trap-app attempt"; content:"08|02 01 00 04 06|public|A4|+|06|"; fast_pattern:only; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:2101427; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP trap udp";  reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101419; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp any any -> 255.255.255.255 161 (msg:"GPL SNMP Broadcast request";  reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101415; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp any any -> 255.255.255.255 162 (msg:"GPL SNMP broadcast trap";  reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101416; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp any any -> any 161 (msg:"ET SNMP Attempt to retrieve Cisco Config via TFTP (CISCO-CONFIG-COPY)"; content:"|2b 06 01 04 01 09 09 60 01 01 01 01|"; fast_pattern:only; classtype:policy-violation; sid:2015856; rev:5; metadata:created_at 2012_10_31, updated_at 2012_10_31;)

alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP Samsung Printer SNMP Hardcode RW Community String"; content:"s!a@m#n$p%c"; fast_pattern:only; reference:url,www.l8security.com/post/36715280176/vu-281284-samsung-printer-snmp-backdoor; classtype:attempted-admin; sid:2015959; rev:2; metadata:created_at 2012_11_28, updated_at 2012_11_28;)

alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP missing community string attempt 1"; content:"|30|"; depth:1; byte_test:1,!&,0x80,0,relative,big; content:"|02|"; distance:1; within:1; byte_test:1,!&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|04 00|"; within:2; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2016178; rev:2; metadata:created_at 2013_01_09, updated_at 2013_01_09;)

alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP missing community string attempt 2"; content:"|30|"; depth:1; byte_test:1,&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|02|"; distance:-129; within:1; byte_test:1,&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|04 00|"; distance:-129; within:2; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2016179; rev:2; metadata:created_at 2013_01_09, updated_at 2013_01_09;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP missing community string attempt 3"; content:"|30|"; depth:1; byte_test:1,&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|02|"; distance:-129; within:1; byte_test:1,!&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|04 00|"; within:2; metadata: former_category SNMP; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2016180; rev:2; metadata:created_at 2013_01_09, updated_at 2017_08_24;)

alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP missing community string attempt 4"; content:"|30|"; depth:1; byte_test:1,!&,0x80,0,relative,big; content:"|02|"; distance:1; within:1; byte_test:1,&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|04 00|"; distance:-129; within:2; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2016181; rev:2; metadata:created_at 2013_01_09, updated_at 2013_01_09;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET SQL MSSQL sp_replwritetovarbin - potential memory overwrite case 1"; flow:to_server,established; content:"s|00|p|00|_|00|r|00|e|00|p|00|l|00|w|00|r|00|i|00|t|00|e|00|t|00|o|00|v|00|a|00|r|00|b|00|i|00|n"; nocase; fast_pattern:only; reference:url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008909; classtype:attempted-user; sid:2008909; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SQL Oracle iSQLPlus login.uix username overflow attempt"; flow:to_server,established; content:"/login.uix"; fast_pattern:only; http_uri; nocase; content:"username="; nocase; isdataat:250,relative; content:!"|0A|"; within:250; pcre:"/username=[^&\x3b\r\n]{250}/smi"; reference:bugtraq,10871; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2102703; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL EXECUTE_SYSTEM attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; fast_pattern:only; nocase; classtype:system-call-detect; sid:2101673; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL TO_CHAR buffer overflow attempt"; flow:to_server,established; content:"TO_CHAR"; nocase; pcre:"/TO_CHAR\s*\(\s*SYSTIMESTAMP\s*,\s*(\x27[^\x27]{256}|\x22[^\x22]{256})/smi"; classtype:attempted-user; sid:2102699; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL add_grouped_column ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22 ]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2102600; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL alter file buffer overflow attempt"; flow:to_server,established; content:"alter"; nocase; fast_pattern:only; pcre:"/ALTER\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; classtype:attempted-user; sid:2102697; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL alter_mview_propagation ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102618; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL cancel_statistics ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2102610; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL comment_on_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102607; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL connect_data remote version detection attempt"; flow:to_server,established; content:"connect_data|28|command=version|29|"; fast_pattern:only; nocase; classtype:protocol-command-decode; sid:2101674; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL create file buffer overflow attempt"; flow:to_server,established; content:"create"; nocase; content:"file "; nocase; isdataat:512; pcre:"/CREATE\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; classtype:attempted-user; sid:2102698; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL create_mview_repgroup ordered fname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){4}\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2102604; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL ctx_output.start_log buffer overflow attempt"; flow:to_server,established; content:"ctx_output.start_log"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102678; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL ctxsys.driddlr.subindexpopulate buffer overflow attempt"; flow:to_server,established; content:"ctxsys.driddlr.subindexpopulate"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\d+\s*,\s*){3}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102680; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_flavor_change"; fast_pattern:only; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102708; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_instantiation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102709; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102652; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_flavor_change"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102711; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_instantiation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102712; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_load"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102713; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.resume_subset_of_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.resume_subset_of_masters"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102714; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_snapshot.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.begin_load"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102715; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102635; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.differences"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){10}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102717; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.rectify"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){8}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102718; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.abort_flavor_definition"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102719; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_column_group_to_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102720; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_columns_to_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102721; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_delete_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102674; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102599; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_object_to_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102722; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_char"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102723; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_date"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102724; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nchar"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102725; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nvarchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102727; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_raw"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102728; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_varchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102729; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_site_priority_site"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102730; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_unique_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102731; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_update_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102732; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_master_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_propagation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102733; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102619; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102734; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102741; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_char"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102735; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_date"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102736; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nchar"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102737; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_number"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102738; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nvarchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102739; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_raw"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102740; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_varchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102742; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102744; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority_site"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102743; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_snapshot_propagation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102745; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.begin_flavor_definition"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102747; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102609; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_column_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102748; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_delete_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102749; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_mview_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_mview_repsites"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gowner|gname)[\r\n\s]*=>[\r\n\s]*\2|(gowner|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102750; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_priority_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102751; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102752; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102606; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repsites"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102753; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102754; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_unique_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102755; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_update_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102756; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.compare_old_values"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2102605; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102757; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102758; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*fname[\r\n\s]*=>[\r\n\s]*\2|fname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2102603; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102850; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102759; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102851; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_column_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102760; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_priority_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102761; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102762; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.do_deferred_repcat_admin"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102763; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102765; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group_from_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102764; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_columns_from_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102766; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_delete_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102767; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_grouped_column"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102768; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102601; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102637; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102639; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102769; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_object_from_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102770; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102777; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_char"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102771; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_date"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102772; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nchar"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102773; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_number"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102774; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nvarchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102775; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_raw"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102776; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_varchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102778; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102780; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority_site"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102779; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102781; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102782; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_unique_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102783; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_update_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102784; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.execute_ddl buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.execute_ddl"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102785; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_mview_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_mview_support"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102852; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_package"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102786; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_replication_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*package_prefix[\r\n\s]*=>[\r\n\s]*\2|package_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*procedure_prefix[\r\n\s]*=>[\r\n\s]*\2|procedure_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck93.html; classtype:attempted-user; sid:2102576; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_replication_trigger buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_trigger"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102853; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_snapshot_support"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102854; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.make_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.make_column_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102788; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.obsolete_flavor_definition"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102789; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.publish_flavor_definition"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102790; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_flavor_definition"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102791; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_master_log"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102792; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_statistics"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102793; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102631; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102795; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_mview_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102796; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102797; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_statistics"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102798; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.relocate_masterdef"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102799; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.remove_master_databases buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.remove_master_databases"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102855; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.rename_shadow_column_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102800; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102627; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.resume_master_activity"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102801; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.send_and_compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_and_compare_old_values"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102804; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.send_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_old_values"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2102626; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.set_columns buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_columns"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102805; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_local_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102806; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.specify_new_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.specify_new_masters"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102807; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.suspend_master_activity"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102808; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.switch_mview_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_mview_master"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102856; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_snapshot_master"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1073,}\x27|\x22[^\x22]{1073,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,})|\(\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102857; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.unregister_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_mview_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102809; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102810; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_flavor_definition"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102811; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_for_local_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102812; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_admin.register_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2102629; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_admin.unregister_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2102624; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.revoke_surrogate_repcat"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102746; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.drop_site_instantiation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102641; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_offline"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102645; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102647; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.check_ddl_text"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(object_type|user_name)[\r\n\s]*=>[\r\n\s]*\2|(object_type|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102802; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102676; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_offline"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102675; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_online"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102677; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102623; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_sna_utl.register_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.register_flavor_change"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102621; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_utl.drop_an_object"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102622; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_master_repgroup ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck87.html; classtype:attempted-user; sid:2102602; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_master_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102638; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_mview_repgroup ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102640; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_site_instantiate ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"drop_site_instantiation"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck629.html; classtype:attempted-user; sid:2102642; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL execute_system attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; classtype:protocol-command-decode; sid:2101698; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL from_tz buffer overflow attempt"; flow:to_server,established; content:"FROM_TZ"; nocase; pcre:"/\(\s*TIMESTAMP\s*(\s*(\x27[^\x27]+'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.nextgenss.com/advisories/ora_from_tz.txt; classtype:attempted-user; sid:2102644; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL grant_surrogate_repcat ordered userid buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.grant_surrogate_repcat"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102616; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL instantiate_offline ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_offline"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck630.html; classtype:attempted-user; sid:2102646; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL instantiate_online ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_online"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck631.html; classtype:attempted-user; sid:2102648; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL mdsys.md2.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.sdo_code_size"; nocase; isdataat:512,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,}))/si"; classtype:attempted-user; sid:2102683; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL mdsys.md2.validate_geom buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.validate_geom"; nocase; isdataat:500,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{128,}\x27|\x22[^\x22]{128,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,})|\(\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,}))/si"; classtype:attempted-user; sid:2102682; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL mdsys.sdo_admin.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.sdo_admin.sdo_code_size"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102681; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $SQL_SERVERS $ORACLE_PORTS -> $EXTERNAL_NET any (msg:"GPL SQL Oracle misparsed login response"; flow:to_server,established; content:"description=|28|"; nocase; content:!"connect_data=|28|sid="; nocase; content:!"address=|28|protocol=tcp"; nocase; classtype:suspicious-login; sid:2101675; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL numtoyminterval buffer overflow attempt"; flow:to_server,established; content:"numtoyminterval"; nocase; pcre:"/numtoyminterval\s*\(\s*\d+\s*,\s*(\x27[^\x27]{32}|\x22[^\x22]{32})/smi"; classtype:attempted-user; sid:2102700; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL og.begin_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102653; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL rectifier_diff ordered sname1 buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102634; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL refresh_mview_repgroup ordered gowner buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,(\s*(true|false)\s*,\s*){3}((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102632; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL register_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2102630; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL repcat_import_check ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; pcre:"/\((\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))|\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102628; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL service_name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|service_name="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck52.html; classtype:attempted-user; sid:2102649; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL snapshot.end_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102636; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aq_import_internal.aq_table_defn_update buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aq_import_internal.aq_table_defn_update"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*qt_name[\r\n\s]*=>[\r\n\s]*\2|qt_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102695; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aqadm.verify_queue_types_get_nrp buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_get_nrp"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102694; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aqadm.verify_queue_types_no_queue buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_no_queue"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102693; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aqadm_sys.verify_queue_types buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm_sys.verify_queue_types"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102692; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_defer_internal_sys.parallel_push_recovery buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_internal_sys.parallel_push_recovery"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*destination[\r\n\s]*=>[\r\n\s]*\2|destination\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102691; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_defer_repcat.enable_propagation_to_dblink buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_repcat.enable_propagation_to_dblink"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*dblink[\r\n\s]*=>[\r\n\s]*\2|dblink\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102690; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_internal_repcat.disable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.disable_receiver_trace"; nocase; isdataat:1024; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102689; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_internal_repcat.enable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.enable_receiver_trace"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102688; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_internal_repcat.validate buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.validate"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102687; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.differences"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*missing_rows_oname1[\r\n\s]*=>[\r\n\s]*\2|missing_rows_oname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102686; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.rectify"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*missing_rows_oname1[\r\n\s]*=>[\r\n\s]*\2|missing_rows_oname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102633; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat.alter_mview_propagation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102617; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_auth.grant_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.grant_surrogate_repcat"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102615; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.revoke_surrogate_repcat"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102612; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_delete_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102858; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_char"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102859; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_date"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102860; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nchar"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102861; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_number"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102862; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nvarchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102863; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_raw"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102864; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_varchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102865; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_site_priority_site"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102866; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_unique_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102867; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_update_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102868; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102875; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_char"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102869; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_date"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102870; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_nchar"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102871; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_number"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102872; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_raw"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102874; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_varchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102876; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102878; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority_site"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102877; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.cancel_statistics"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102879; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_delete_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102880; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_priority_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102881; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102882; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_unique_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102883; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_update_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102884; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_priority_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102885; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102886; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_delete_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102887; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102894; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_char"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102888; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_date"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102889; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nchar"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102890; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_number"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102891; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nvarchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102892; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_raw"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102893; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_varchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102895; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102897; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority_site"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102896; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_unique_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102898; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_update_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102899; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.purge_statistics"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102900; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.register_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.register_statistics"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102901; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.abort_flavor_definition"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102813; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.add_object_to_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102814; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.begin_flavor_definition"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102815; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.drop_object_from_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102816; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.ensure_not_published buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.ensure_not_published"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck96.html; classtype:attempted-user; sid:2102643; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.set_local_flavor"; nocase; fast_pattern:only; pcre:"/(\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102824; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_flavor_definition"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102825; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_for_local_flavor"; nocase; fast_pattern:only; pcre:"/(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102826; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_column_group_to_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102817; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_columns_to_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102818; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_column_group_from_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102819; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_columns_from_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102820; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.obsolete_flavor_definition"; nocase; isdataat:1075,relative; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102821; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.publish_flavor_definition"; nocase; isdataat:1075,relative; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102822; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.purge_flavor_definition"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102823; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.alter_master_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102827; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102828; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102829; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102830; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102831; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.do_deferred_repcat_admin"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102832; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.drop_master_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102833; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.generate_replication_package"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102834; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.purge_master_log"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102835; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.relocate_masterdef"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102836; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.rename_shadow_column_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102837; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.resume_master_activity"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102838; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.suspend_master_activity"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102839; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_rq.add_column buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_rq.add_column"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*SCHEMA_NAME[\r\n\s]*=>[\r\n\s]*\2|SCHEMA_NAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102685; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.alter_snapshot_propagation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102902; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102903; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102904; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.create_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repschema"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102905; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102906; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102907; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.drop_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repschema"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102908; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.generate_snapshot_support"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102909; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102910; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.refresh_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repschema"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102911; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.register_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102912; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.repcat_import_check"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102913; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.set_local_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102914; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.switch_snapshot_master"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102915; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.unregister_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102916; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.validate_for_local_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102918; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.alter_snapshot_propagation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102840; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102841; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102842; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102843; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102844; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.register_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102845; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.repcat_import_check"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102846; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.switch_snapshot_master"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102917; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102847; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_untrusted.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_untrusted.register_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102919; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.drop_an_object"; nocase; fast_pattern:only; pcre:"/(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102849; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_utl.is_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.is_master"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*CANON_GNAME[\r\n\s]*=>[\r\n\s]*\2|CANON_GNAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102696; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_utl4.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl4.drop_master_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102848; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_system.ksdwrt buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_system.ksdwrt"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*tst[\r\n\s]*=>[\r\n\s]*\2|tst\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*\d+\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102679; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.ltutil.pushdeferredtxns buffer overflow attempt"; flow:to_server,established; content:"sys.ltutil.pushdeferredtxns"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*repgrpname[\r\n\s]*=>[\r\n\s]*\2|repgrpname\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,}))/si"; classtype:attempted-user; sid:2102684; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sysdbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"sysdbms_repcat_rgt.check_ddl_text"; nocase; isdataat:1024,relative; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102608; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL time_zone buffer overflow attempt"; flow:to_server,established; content:"TIME_ZONE"; nocase; isdataat:1000,relative; pcre:"/TIME_ZONE\s*=\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/msi"; reference:bugtraq,9587; reference:url,www.nextgenss.com/advisories/ora_time_zone.txt; classtype:attempted-user; sid:2102614; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL unregister_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2102625; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL user name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|user="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck62.html; classtype:attempted-user; sid:2102650; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; classtype:shellcode-detect; sid:2100692; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; classtype:attempted-user; sid:2100694; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|"; nocase; classtype:attempted-user; sid:2100678; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL sp_password password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; classtype:attempted-user; sid:2100677; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL xp_cmdshell program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; offset:32; nocase; classtype:attempted-user; sid:2100681; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; offset:32; nocase; reference:bugtraq,2041; reference:cve,2000-1086; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100690; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL MSSQL shellcode attempt 2"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; classtype:shellcode-detect; sid:2100693; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_adduser - database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; nocase; classtype:attempted-user; sid:2100685; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|r|00|t|00|"; nocase; classtype:attempted-user; sid:2100684; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_password - password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; classtype:attempted-user; sid:2100683; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; nocase; classtype:attempted-user; sid:2100673; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"GPL SQL MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:2101775; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"GPL SQL MYSQL show databases attempt"; flow:to_server,established; content:"|0F 00 00 00 03|show databases"; classtype:protocol-command-decode; sid:2101776; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $SQL_SERVERS 139 -> $EXTERNAL_NET any (msg:"GPL SQL sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; offset:83; reference:bugtraq,4797; reference:cve,2000-1209; classtype:attempted-user; sid:2100680; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"GPL SQL sa brute force failed login attempt"; flow:from_server,established; content:"Login failed for user 'sa'"; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:2103152; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"GPL SQL sa brute force failed login unicode attempt"; flow:from_server,established; content:"L|00|o|00|g|00|i|00|n|00| |00|f|00|a|00|i|00|l|00|e|00|d|00| |00|f|00|o|00|r|00| |00|u|00|s|00|e|00|r|00| |00|'|00|s|00|a|00|'|00|"; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:2103273; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"GPL SQL sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:2100688; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"GPL SQL Slammer Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2102003; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"GPL SQL ping attempt"; content:"|02|"; depth:1; reference:nessus,10674; classtype:misc-activity; sid:2102049; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"GPL SQL probe response overflow attempt"; content:"|05|"; depth:1; byte_test:2,>,512,1; content:"|3B|"; distance:0; isdataat:512,relative; content:!"|3B|"; within:512; reference:bugtraq,9407; reference:cve,2003-0903; reference:url,www.microsoft.com/technet/security/bulletin/MS04-003.mspx; classtype:attempted-user; sid:2102329; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SQL MySQL mysql.user Dump (Used in Metasploit Auth-Bypass Module)"; flow:established,to_server; content:"SELECT|20|user|2c|password|20|from|20|mysql|2e|user"; classtype:bad-unknown; sid:2014910; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2012_06_15, updated_at 2016_07_01;)

alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET TELNET External Telnet Attempt To Cisco Device With No Telnet Password Set (Automatically Dissalowed Until Password Set)"; flow:from_server; content:"Password required, but none set"; depth:31; reference:url,doc.emergingthreats.net/bin/view/Main/2008860; classtype:attempted-admin; sid:2008860; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET TELNET External Telnet Login Prompt from Cisco Device"; flow:from_server,established; pcre:"/^(\r\n)*/"; content:"User Access Verification"; within:24; reference:url,doc.emergingthreats.net/bin/view/Main/2008861; classtype:attempted-admin; sid:2008861; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"GPL TELNET Bad Login"; flow:from_server,established; content:"Login incorrect"; fast_pattern:only; nocase; classtype:bad-unknown; sid:2101251; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET TELNET access"; flow:from_server,established; content:"|FF FD|"; rawbytes; content:"|FF FD|"; distance:0; rawbytes; content:"|FF FD|"; distance:0; rawbytes; reference:arachnids,08; reference:cve,1999-0619; reference:nessus,10280; classtype:not-suspicious; sid:2100716; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET TELNET login failed"; flow:from_server,established; content:"Login failed"; fast_pattern:only; nocase; classtype:bad-unknown; sid:2100492; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET Telnet Root not on console"; flow:from_server,established; content:"not on system console"; fast_pattern:only; nocase; reference:arachnids,365; classtype:bad-unknown; sid:2100717; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET root login"; flow:from_server,established; content:"login|3A| root"; fast_pattern:only; classtype:suspicious-login; sid:2100719; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET TELNET SUSPICIOUS Path to BusyBox"; flow:to_server,established; content:"/bin/busybox"; flowbits:set,ET.telnet.busybox;threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:suspicious-filename-detect; sid:2023016; rev:1; metadata:attack_target Server, deployment Datacenter, signature_severity Major, created_at 2016_08_08, performance_impact Low, updated_at 2016_08_08;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET TELNET SUSPICIOUS busybox shell"; flow:to_server,established; content:"shell"; fast_pattern:only; pcre:"/\bshell\b/"; flowbits:isset,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:attempted-admin; sid:2023017; rev:3; metadata:attack_target Server, deployment Datacenter, signature_severity Major, created_at 2016_08_08, performance_impact Low, updated_at 2016_08_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET TELNET SUSPICIOUS busybox enable"; flow:to_server,established; content:"enable"; fast_pattern:only; pcre:"/\benable\b/"; flowbits:isset,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:attempted-admin; sid:2023018; rev:4; metadata:attack_target Server, deployment Datacenter, signature_severity Major, created_at 2016_08_08, performance_impact Low, updated_at 2016_08_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET TELNET busybox MIRAI hackers - Possible Brute Force Attack"; flow:to_server,established; content:"MIRAI"; flowbits:isset,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:attempted-admin; sid:2023019; rev:2; metadata:attack_target Server, deployment Datacenter, signature_severity Major, created_at 2016_08_08, performance_impact Low, updated_at 2016_09_26;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET TELNET busybox ECCHI hackers - Possible Brute Force Attack"; flow:to_server,established; content:"ECCHI"; flowbits:isset,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:attempted-admin; sid:2023304; rev:1; metadata:attack_target Server, deployment Datacenter, signature_severity Major, created_at 2016_09_27, performance_impact Low, updated_at 2016_09_27;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET TELNET busybox MEMES Hackers - Possible Brute Force Attack"; flow:to_server,established; content:"MEMES"; flowbits:isset,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:attempted-admin; sid:2023901; rev:1; metadata:affected_product Linux, attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2017_02_14, malware_family Mirai, performance_impact Moderate, updated_at 2017_02_14;)

alert udp $HOME_NET any -> [$EXTERNAL_NET,!255.255.255.255] 69 (msg:"ET TFTP Outbound TFTP Read Request"; content:"|00 01|"; depth:2; reference:url,doc.emergingthreats.net/2008120; classtype:policy-violation; sid:2008120; rev:4; metadata:created_at 2010_07_30, updated_at 2017_01_12;)

alert udp $HOME_NET any -> [$EXTERNAL_NET,!255.255.255.255] 69 (msg:"ET TFTP Outbound TFTP Write Request"; content:"|00 02|"; depth:2; reference:url,doc.emergingthreats.net/2008116; classtype:policy-violation; sid:2008116; rev:4; metadata:created_at 2010_07_30, updated_at 2017_01_25;)

alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP Data Transfer"; content:"|00 03|"; depth:2; reference:url,doc.emergingthreats.net/2008117; classtype:policy-violation; sid:2008117; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP ACK"; content:"|00 04|"; depth:2; reference:url,doc.emergingthreats.net/2008118; classtype:policy-violation; sid:2008118; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP Error Message"; content:"|00 05|"; depth:2; reference:url,doc.emergingthreats.net/2008119; classtype:policy-violation; sid:2008119; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP MISC TFTP32 Get Format string attempt"; content:"|00 01 25 2E|"; depth:4; reference:url,www.securityfocus.com/archive/1/422405/30/0/threaded; reference:url,www.critical.lt/?vulnerabilities/200; classtype:attempted-admin; sid:2101222; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP Get"; content:"|00 01|"; depth:2; classtype:bad-unknown; sid:2101444; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP NULL command attempt"; content:"|00 00|"; depth:2; reference:bugtraq,7575; classtype:bad-unknown; sid:2102336; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP Put"; content:"|00 02|"; depth:2; reference:cve,1999-0183; classtype:bad-unknown; sid:2100518; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP parent directory"; content:".."; offset:2; reference:cve,1999-0183; reference:cve,2002-1209; classtype:bad-unknown; sid:2100519; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP root directory"; content:"|00 01|/"; depth:3; reference:cve,1999-0183; classtype:bad-unknown; sid:2100520; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp any any -> any 69 (msg:"GPL TFTP GET Admin.dll"; content:"|00 01|"; depth:2; content:"admin.dll"; offset:2; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:successful-admin; sid:2101289; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp any any -> any 69 (msg:"GPL TFTP GET filename overflow attempt"; content:"|00 01|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; reference:bugtraq,5328; reference:cve,2002-0813; classtype:attempted-admin; sid:2101941; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp any any -> any 69 (msg:"GPL TFTP GET nc.exe"; content:"|00 01|"; depth:2; content:"nc.exe"; offset:2; nocase; classtype:successful-admin; sid:2101441; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp any any -> any 69 (msg:"GPL TFTP GET passwd"; content:"|00 01|"; depth:2; content:"passwd"; offset:2; nocase; classtype:successful-admin; sid:2101443; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp any any -> any 69 (msg:"GPL TFTP GET shadow"; content:"|00 01|"; depth:2; content:"shadow"; offset:2; nocase; classtype:successful-admin; sid:2101442; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp any any -> any 69 (msg:"GPL TFTP PUT filename overflow attempt"; content:"|00 02|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; reference:bugtraq,7819; reference:bugtraq,8505; reference:cve,2003-0380; classtype:attempted-admin; sid:2102337; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET TFTP TFTPGUI Long Transport Mode Buffer Overflow"; content:"|00 02|"; depth:2; content:"|00|"; distance:0; within:50; content:!"|00|"; distance:0; within:9; reference:url,www.exploit-db.com/exploits/12482/; reference:url,packetstormsecurity.org/files/view/96395/tftputilgui-dos.rb.txt; reference:url,securityfocus.com/bid/39872/; classtype:attempted-dos; sid:2012051; rev:2; metadata:created_at 2010_12_14, updated_at 2010_12_14;)

alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP Data Transfer with Cisco config"; content:"|00 03|"; depth:2; content:"|0a 21 20|version|20|"; distance:2; within:12; metadata: former_category TFTP; classtype:policy-violation; sid:2015857; rev:5; metadata:created_at 2012_10_31, updated_at 2017_07_19;)

alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP Data Transfer With Cisco Config 2"; content:"|00 03|"; depth:2; content:"NVRAM config last update"; distance:0; metadata: former_category TFTP; classtype:policy-violation; sid:2024481; rev:2; metadata:affected_product Cisco_ASA, affected_product Cisco_PIX, affected_product CISCO_Catalyst, attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2017_07_19, performance_impact Moderate, updated_at 2017_07_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"ET TROJAN IRC Nick change on non-standard port"; flow:to_server,established; dsize:<64; content:"NICK "; depth:5; content:!"twitch.tv|0d 0a|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000345; classtype:trojan-activity; sid:2000345; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"ET TROJAN IRC Private message on non-standard port"; flow:to_server,established; dsize:<128; content:"PRIVMSG "; depth:8; content:!".twitch.tv"; content:!"twitch.tv|0d 0a|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000347; classtype:trojan-activity; sid:2000347; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"ET TROJAN IRC DCC chat request on non-standard port"; flow:to_server,established; content:"PRIVMSG "; nocase; depth:8; content:" |3a|.DCC CHAT chat"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000350; classtype:policy-violation; sid:2000350; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"ET TROJAN IRC Channel join on non-standard port"; flow:to_server,established; content:"JOIN |3a| #"; nocase; depth:8; reference:url,doc.emergingthreats.net/bin/view/Main/2000351; classtype:policy-violation; sid:2000351; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"ET TROJAN IRC DNS request on non-standard port"; flow:to_server,established; content:"USERHOST "; nocase; depth:9; reference:url,doc.emergingthreats.net/bin/view/Main/2000352; classtype:policy-violation; sid:2000352; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET TROJAN DHL Spam Inbound"; flow:established,to_server; content:"name=|22|DHL"; nocase; content:".zip|22|"; within:68; nocase; pcre:"/name=\x22DHL(\s|_|\-)?[a-z0-9\-_\.\s]{0,63}\.zip\x22/i"; reference:url,doc.emergingthreats.net/2010148; classtype:trojan-activity; sid:2010148; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely Fake Antivirus Download Antivirus_21.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/download/Antivirus_"; nocase; http_uri; content:".exe"; nocase; http_uri; pcre:"/download\x2FAntivirus_\d+\x2Eexe/Ui"; reference:url,doc.emergingthreats.net/2010050; classtype:trojan-activity; sid:2010050; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely Fake Antivirus Download ws.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/install/ws.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/2010051; classtype:trojan-activity; sid:2010051; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely TDSS Download (codec.exe)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/codec.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/2010054; classtype:trojan-activity; sid:2010054; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely TDSS Download (pcdef.exe)"; flow:established,to_server; content:"GET"; http_method; content:"/pcdef.exe"; nocase; http_uri; classtype:trojan-activity; sid:2010055; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely Infostealer exe Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/crack."; http_uri; content:".exe"; http_uri; pcre:"/\/crack\.\d+\.exe$/Ui"; classtype:trojan-activity; sid:2010059; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely Fake Antivirus Download InternetAntivirusPro.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/InternetAntivirus"; http_uri; content:".exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/2010061; classtype:trojan-activity; sid:2010061; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely Fake Antivirus Download AntivirusPlus.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/AntivirusPlus"; http_uri; content:".exe"; http_uri; reference:url,doc.emergingthreats.net/2010062; classtype:trojan-activity; sid:2010062; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Fake AV GET installer.1.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/installer."; http_uri; nocase; content:".exe"; http_uri; nocase; pcre:"/\/installer\.\d+\.exe/Ui"; reference:url,www.malwareurl.com; reference:url,doc.emergingthreats.net/2010452; classtype:trojan-activity; sid:2010452; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Fake AV GET installer_1.exe"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/installer_"; nocase; http_uri; content:".exe"; nocase; http_uri; pcre:"/\/installer_\d+\.exe/Ui"; reference:url,www.malwareurl.com; reference:url,doc.emergingthreats.net/2010453; classtype:trojan-activity; sid:2010453; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Fake AV Download (download/install.php)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"download/install.php"; http_uri; pcre:"/\x0d\x0aHost\: [a-z\x2e]+(security|virus|pro|anti|scan|mypc|total|protect|check|guard|defend)/i"; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2009-December/004891.html; reference:url,malwareurl.com; reference:url,www.malwaredomainlist.com; reference:url,doc.emergingthreats.net/2010465; classtype:trojan-activity; sid:2010465; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely Fake Antivirus Download Setup_2012.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/Setup_"; nocase; http_uri; content:".exe"; nocase; http_uri; pcre:"/Setup_20\d+\x2Eexe/Ui"; reference:url,doc.emergingthreats.net/xxxxxxx; classtype:trojan-activity; sid:2010684; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Client Visiting Possibly Compromised Site (HaCKeD By BeLa & BodyguarD)"; flow:established,from_server; content:"HaCKeD By BeLa & BodyguarD"; fast_pattern:only; content:".js"; reference:url,www.incidents.org/diary.html?storyid=4405; classtype:web-application-attack; sid:2008206; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Psyb0t joining an IRC Channel"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"JOIN #mipsel"; fast_pattern:only; reference:url,www.adam.com.au/bogaurd/PSYB0T.pdf; reference:url,doc.emergingthreats.net/2009172; classtype:trojan-activity; sid:2009172; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Keylogger checkin"; flow:established; content:"GET"; nocase; http_method; content:"?mail="; http_uri; content:"subject=Keylogger";  fast_pattern:only; http_uri; content:"&body="; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)"; http_header; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008368; classtype:trojan-activity; sid:2008368; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Suspicious SMTP handshake outbound"; flow:established,to_server; content:"001 RUTHERE"; depth:11; reference:url,doc.emergingthreats.net/bin/view/Main/2008562; classtype:unknown; sid:2008562; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET TROJAN Suspicious SMTP handshake reply"; flow:established,from_server; content:"701 IMHERE"; depth:10; reference:url,doc.emergingthreats.net/bin/view/Main/2008563; classtype:unknown; sid:2008563; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"ET TROJAN Infected System Looking up chr.santa-inbox.com CnC Server"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|chr|0b|santa-inbox|03|com"; nocase; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2008531; classtype:trojan-activity; sid:2008531; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Trojan Checkin by MAC chkmac.php"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/chkmac.php?mac="; nocase; http_uri; classtype:trojan-activity; sid:2006403; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DownLoader.30525 Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/ctrv.php"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2006404; classtype:trojan-activity; sid:2006404; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Windows executable sent when remote host claims to send a Text File"; flow:established,from_server; content:"Content-Type|3a| text/plain"; nocase; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; flowbits:isnotset,ET.Adobe.Site.Download; flowbits:isnotset,ET.ZoneAlarm.Site.Download; flowbits:isnotset,ET.QuickenUpdater; flowbits:isnotset,ET.Symantec.Site.Download; metadata: former_category INFO; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; classtype:trojan-activity; sid:2008438; rev:13; metadata:created_at 2010_07_30, updated_at 2017_12_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Windows executable sent when remote host claims to send html content"; flow:established,from_server; content:"Content-Type|3a| text/html|0d 0a|"; nocase; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; content:!"Content-Type|3a 20|application"; nocase; http_header; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/2009897; classtype:trojan-activity; sid:2009897; rev:9; metadata:created_at 2010_07_30, updated_at 2017_12_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Rar'd Malware sent when remote host claims to send an Image"; flow:established,from_server; content:"Content-Type|3a| image/"; http_header; file_data; content:"Rar!"; within:4; fast_pattern; reference:url,doc.emergingthreats.net/bin/view/Main/2008754; classtype:trojan-activity; sid:2008754; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Windows executable sent when remote host claims to send HTML/CSS Content"; flow:established,to_client; content:"Content-Type|3a| text/css"; nocase; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; fast_pattern; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2009909; classtype:trojan-activity; sid:2009909; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Malware Download Request"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/images/GR_OLD_CR.EXE"; nocase; http_uri; reference:url,www.prevx.com/filenames/X22210989379038527-X1/GR_OLD_CR.EXE.html; reference:url,doc.emergingthreats.net/2011148; classtype:trojan-activity; sid:2011148; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Winquickupdates.com/Mycashloads.com Related Trojan Install Report"; flow:established,to_server; content:"/newuser.php?saff="; http_uri; pcre:"/\/newuser\.php\?saff=(\d+|x.+)/U"; reference:url,doc.emergingthreats.net/bin/view/Main/2008012; classtype:trojan-activity; sid:2008012; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN 404 Response with an EXE Attached - Likely Malware Drop"; flow:established,from_server; content:"404"; http_stat_code; content:"Not Found"; http_stat_msg; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/bin/view/Main/2009028; classtype:attempted-admin; sid:2009028; rev:14; metadata:created_at 2010_07_30, updated_at 2017_11_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN SC-KeyLog Keylogger Installed - Sending Initial Email Report"; flow:established,to_server; content:"Installation of SC-KeyLog on host "; nocase; content:"<p>You will receive a log report every "; nocase; reference:url,www.soft-central.net/keylog.php; reference:url,doc.emergingthreats.net/2002979; classtype:trojan-activity; sid:2002979; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN SC-KeyLog Keylogger Installed - Sending Log Email Report"; flow:established,to_server; content:"SC-KeyLog log report"; nocase; content:"See attached file"; nocase; content:".log"; nocase; reference:url,www.soft-central.net/keylog.php; reference:url,doc.emergingthreats.net/2008348; classtype:trojan-activity; sid:2008348; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gootkit Checkin User-Agent (Gootkit HTTP Client)"; flow:to_server,established; content:"Gootkit HTTP Client"; http_header; nocase; reference:url,doc.emergingthreats.net/2010718; classtype:trojan-activity; sid:2010718; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN iebar Spyware User Agent (iebar)"; flow:established,to_server; content:"|3b 20|iebar"; http_header; fast_pattern:only; threshold: type limit, count 2, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2007583; classtype:trojan-activity; sid:2007583; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Playtech Downloader Online Gaming Checkin"; flow:to_server,established; content:"/client_update_urls.php"; http_uri; content:"User-Agent|3a| Playtech "; http_header; reference:md5,00740d7d15862efb30629ab1fd7b8242; classtype:trojan-activity; sid:2008365; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN APT1 WEBC2-UGX Related Pingbed/Downbot User-Agent (Windows+NT+5.x)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; content:"Windows+NT+5"; http_header; within:128; fast_pattern; flowbits:set,ET.webc2ugx; reference:url,www.mandiant.com/apt1; reference:md5,14cfaefa5b8bc6400467fba8af146b71; classtype:trojan-activity; sid:2009486; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PCFlashbang.com Spyware Checkin (PCFlashBangA)"; flow:to_server,established; content:"User-Agent|3a| PCFlashBang"; http_header; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453113169; reference:url,doc.emergingthreats.net/2009540; classtype:trojan-activity; sid:2009540; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Mozilla/3.0 (compatible))"; flow:established,to_server; content:"User-Agent|3a| Mozilla/3.0 (compatible)|0d 0a|"; http_header; fast_pattern:18,20; threshold: type limit, count 2, track by_src, seconds 300; content:!".hddstatus.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2009867; classtype:trojan-activity; sid:2009867; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TROJAN Drop.Agent.bfsv HTTP Activity (UsER-AgENt)"; flow:established,to_server; content:"GeT"; http_method; content:"HttP"; depth:200; content:"|0d 0a|HoST|3a| "; content:"UsER-AgENt|3a| |0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2010129; classtype:trojan-activity; sid:2010129; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Incorrectly formatted User-Agent string (dashes instead of semicolons) Likely Hostile"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible- MSIE 6.0- Windows NT 5.1- SV1- "; fast_pattern:35,20; http_header; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/2010868; classtype:bad-unknown; sid:2010868; rev:6; metadata:created_at 2010_07_30, updated_at 2017_11_10;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ultimate HAckerz Team User-Agent (Made by UltimateHackerzTeam) - Likely Trojan Report"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1|3b| Made by UltimateHackerzTeam)"; http_header;  fast_pattern:76,20; reference:url,doc.emergingthreats.net/2010346; classtype:trojan-activity; sid:2010346; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Bugbear@MM virus via SMTP"; flow: established; content:"uv+LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA0AEUQ+FEN23f7doqAT/dCQk/xWcEQmDxCTD"; fast_pattern:only; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; reference:url,doc.emergingthreats.net/2001764; classtype:misc-activity; sid:2001764; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN UpackbyDwing binary in HTTP Download Possibly Hostile"; flow:from_server,established; content:"UpackByDwing|40|"; content:"PE|00 00|"; within:20; reference:url,www.packetninjas.net; reference:url,doc.emergingthreats.net/2008946; classtype:trojan-activity; sid:2008946; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN UpackbyDwing binary in HTTP (2) Possibly Hostile"; flow:from_server,established; content:"PE|00 00|"; content:"Upack|00 00|"; within:255; reference:url,www.packetninjas.net; reference:url,doc.emergingthreats.net/2008947; classtype:trojan-activity; sid:2008947; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile"; flow:established,from_server; file_data; content:"VirtualProtect|00|"; distance:0; reference:url,doc.emergingthreats.net/2009080; classtype:trojan-activity; sid:2009080; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"ET TROJAN Outbound AVISOSVB MSSQL Request"; flow:established,to_server; content:"|54 00 42 00 4c 00 5f 00 41 00 56 00 49 00 53 00 4f 00 53 00 56 00 42 00|"; reference:url,www.threatexpert.com/report.aspx?md5=1f5b6d6d94cc6272c937045e22e6d192; reference:url,doc.emergingthreats.net/2011199; classtype:trojan-activity; sid:2011199; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader Possible AV KILLER"; flow:established,to_server; content:"GET"; nocase; http_method; content:"SoftName="; http_uri; nocase; content:"SoftVersion="; http_uri; nocase; content:"UserIP="; http_uri; nocase; content:"Mac="; http_uri; nocase; reference:url,doc.emergingthreats.net/2009487; classtype:trojan-activity; sid:2009487; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN AVKiller with Backdoor checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"id="; http_client_body; nocase; content:"&ip_int="; http_client_body; nocase; content:"&os="; http_client_body; nocase; content:"&av="; http_client_body; nocase; reference:url,doc.emergingthreats.net/2009812; classtype:trojan-activity; sid:2009812; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Alman Dropper Checkin"; flow:established,to_server; content:"?action=post&HD="; fast_pattern:only; http_uri; content:"&OT="; http_uri; content:"&IV="; http_uri; pcre:"/&HD=[A-F0-9]{32}&/U"; reference:url,doc.emergingthreats.net/2009203; classtype:trojan-activity; sid:2009203; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Antispywareexpert.com Fake AS Install Checkin"; flow:established,to_server; content:"/?action="; http_uri; content:"&pc_id="; http_uri; content:"&abbr="; http_uri; content:"&a="; http_uri; content:"&l="; http_uri; content:"&addt"; reference:url,doc.emergingthreats.net/2008502; classtype:trojan-activity; sid:2008502; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV Win32/Antivirus2008 CnC Beacon"; flow:established,to_server; content:"nick="; http_uri; nocase; content:"&group="; http_uri; nocase; content:"&os="; http_uri; content:"User-Agent|3a 20|Mozilla|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008483; classtype:trojan-activity; sid:2008483; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Antivirus2008 Fake AV Install Report"; flow:established,to_server; content:"?type=scanner&pin="; http_uri; content:"&lnd="; http_uri; reference:url,doc.emergingthreats.net/2008511; classtype:trojan-activity; sid:2008511; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer Command Execution"; flow:established; content:"|C2 E5 E5 E5 9E DD A4 A3 D4 A6 D4 D3 D1 C8 A0 A7 A1 D3 C8 D1 87 D7 87 C8 A7 A6 D4 A3 C8 D3 D1 D3 D2 D1 A0 DC DD A4 D2 D4 D5 98 E5|"; reference:url,doc.emergingthreats.net/2010909; classtype:trojan-activity; sid:2010909; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer DIR Listing"; flow:established; content:"|C2 E5 E5 E5 9E D5 D4 D2 D1 A1 D7 A3 A6 C8 D2 A6 A7 D3 C8 D1 84 D7 D7 C8 DD D2 A6 D2 C8 D2 A7 A7 D2 D7 A4 D6 D7 A3 D4 DC A3 98 E5|"; reference:url,doc.emergingthreats.net/2010910; classtype:trojan-activity; sid:2010910; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer WRITE FILE command"; flow: established; content:"|C2 E5 E5 E5 9E DC DD A1 DC D0 DD A3 A6 C8 A1 D5 A4 D7 C8 D1 83 D4 86 C8 A7 DD D1 D4 C8 D7 D6 D7 A4 A7 D6 D0 D2 A0 D2 A6 DD 98 E5|"; reference:url,doc.emergingthreats.net/2010911; classtype:trojan-activity; sid:2010911; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer READ FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E A3 D3 A6 D1 D6 A0 D4 A4 C8 D4 D0 D0 D4 C8 D1 D5 D5 D5 C8 A4 D1 DD D6 C8 A6 D6 D3 D4 DC D3 DC A4 A0 A6 D1 D4 98 E5|"; reference:url,doc.emergingthreats.net/2010912; classtype:trojan-activity; sid:2010912; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer NOP Command"; flow:established; content:"|C2 E5 E5 E5 9E D2 DD D6 A0 A4 A6 A7 A3 C8 A0 A3 DD A7 C8 D1 DC DD 80 C8 A4 D5 D0 DC C8 A3 D5 A7 D0 A7 A1 D4 D7 D3 D1 D4 A0 98 E5|"; reference:url,doc.emergingthreats.net/2010913; classtype:trojan-activity; sid:2010913; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer FIND FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E A0 A4 D2 A4 D7 A0 A7 D2 C8 D4 A0 D1 DC C8 D1 81 D0 83 C8 A7 D1 A1 DD C8 A1 D3 D3 D1 D0 A7 D2 D1 D1 D5 A0 D6 98 E5|"; reference:url,doc.emergingthreats.net/2010914; classtype:trojan-activity; sid:2010914; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer YES Command"; flow:established; content:"|C2 E5 E5 E5 9E A0 D7 A4 A6 D0 D5 DD DC C8 D6 DD D7 D5 C8 D1 D6 83 80 C8 DD A4 D1 A1 C8 A4 D2 D5 D7 DD A3 A4 A1 DD A6 D7 DD 98 E5|"; reference:url,doc.emergingthreats.net/2010915; classtype:trojan-activity; sid:2010915; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer ADD RUN ONCE Command"; flow:established; content:"|C2 E5 E5 E5 9E D6 DD D1 A0 A7 A0 D7 A6 C8 A3 DC A0 A4 C8 D1 83 D3 87 C8 DC D1 A0 A3 C8 A6 DC A1 D7 A1 A4 D0 DD A3 A1 D4 D6 98 E5|"; reference:url,doc.emergingthreats.net/2010916; classtype:trojan-activity; sid:2010916; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer DEL FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E D1 A3 D1 A3 D5 A1 DD DD C8 A0 D2 D4 D0 C8 D1 87 D4 83 C8 A7 D6 D4 D4 C8 D3 D4 A0 D0 D6 D5 A6 D7 A6 DD A3 A6 98 E5|"; reference:url,doc.emergingthreats.net/2010917; classtype:trojan-activity; sid:2010917; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET TROJAN Asprox-style Message ID"; flow:established,to_server; dsize:<80; content:"Message-ID|3a20|"; depth:12; content:"|0d0a|"; within: 68; flowbits:set,ET.asproxmessageid; flowbits:noalert; reference:url,www.secureworks.com/research/threats/danmecasprox; reference:url,doc.emergingthreats.net/2008221; classtype:trojan-activity; sid:2008221; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET TROJAN Asprox phishing email detected"; flow:established,to_server; content:"From|3a20|"; depth:6; content:"|0d0a|Bcc|3a20|"; within:150; flowbits:isset,ET.asproxmessageid; reference:url,www.secureworks.com/research/threats/danmecasprox; reference:url,doc.emergingthreats.net/2008222; classtype:trojan-activity; sid:2008222; rev:5; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Asprox Form Submission to C&C"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/forum.php"; http_uri; nocase; content:"Content-Type|3a| multipart/form-data|3b| boundary=1BEF0A57BE110FD467A"; http_header; reference:url,doc.emergingthreats.net/2009054; classtype:trojan-activity; sid:2009054; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Asprox Data Post to C&C"; flow:established,to_server; content:"POST"; nocase; http_method; content:"name=|22|sid|22 0d 0a 0d 0a|"; http_client_body; nocase; content:"name=|22|upt|22 0d 0a 0d 0a|"; http_client_body; nocase; content:"name=|22|hcc|22 0d 0a 0d 0a|"; http_client_body; nocase; reference:url,www.secureworks.com/research/threats/danmecasprox/; reference:url,www.toorcon.org/tcx/18_Brown.pdf; reference:url,doc.emergingthreats.net/2010270; classtype:trojan-activity; sid:2010270; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 91 (msg:"ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Start"; flow:established,to_server; content:"11000"; depth:5; content:"^"; distance:4; within:5; flowbits:isnotset,ET.assassin.start; flowbits:set,ET.assassin.start; reference:url,doc.emergingthreats.net/2008675; classtype:trojan-activity; sid:2008675; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 91 -> $HOME_NET any (msg:"ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Server Reply"; flowbits:isset,ET.assassin.start; flow:established,from_server; dsize:12; content:"10000002|5e 2a|"; depth:10; flowbits:set,ET.assassin.reply; reference:url,doc.emergingthreats.net/2008676; classtype:trojan-activity; sid:2008676; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 91 (msg:"ET TROJAN Backdoor.Win32.Assasin.20.C Control Channel Client Reply"; flow:established,to_server; dsize:10; content:"10000000|5e 2a|"; flowbits:isset,ET.assassin.reply; reference:url,doc.emergingthreats.net/2008677; classtype:trojan-activity; sid:2008677; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Atya Dropper Possible Rootkit - HTTP GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:"b="; http_uri; nocase; content:"&idf="; http_uri; nocase; content:"&v="; http_uri; nocase; content:"&o="; http_uri; nocase; reference:url,www.paretologic.com/resources/definitions.aspx?remove=%41%67%65%6e%74%20%41%74%79%61%20%54%72%6f%6a%61%6e; reference:url,doc.emergingthreats.net/2009450; classtype:trojan-activity; sid:2009450; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Aurora Backdoor (C&C) client connection to CnC"; flow:established,to_server; content:"|ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88 ff|"; depth:20; flowbits:set,ET.aurora.init; reference:url,www.trustedsource.org/blog/373/An-Insight-into-the-Aurora-Communication-Protocol; reference:url,doc.emergingthreats.net/2010695; classtype:trojan-activity; sid:2010695; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Aurora Backdoor (C&C) connection CnC response"; flowbits:isset,ET.aurora.init; flow:established,from_server; content:"|cc cc cc cc cd cc cc cc cd cc cc cc cc cc cc cc|"; depth:16; reference:url,www.trustedsource.org/blog/373/An-Insight-into-the-Aurora-Communication-Protocol; reference:url,doc.emergingthreats.net/2010696; classtype:trojan-activity; sid:2010696; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Autorun.qvi Related HTTP Get on Off Port"; flow:established,to_server; content:"GET /get_r.php?fid="; depth:19; content:"&mac="; distance:0; within:15; content:"&version="; distance:0; content:"&uuid="; distance:0; reference:url,doc.emergingthreats.net/2008755; classtype:trojan-activity; sid:2008755; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Win32.Autorun HTTP Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"cbID="; http_uri; content:"cbVer="; http_uri; content:"cbTit="; content:!"User-Agent|3a|"; http_header; content:"cbBody="; reference:url,www.threatexpert.com/threats/worm-win32-autorun.html; reference:url,doc.emergingthreats.net/2009516; classtype:trojan-activity; sid:2009516; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Rouge Security Software Win32.BHO.egw"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?"; http_uri; nocase; content:"affid="; http_uri; nocase; content:"subid="; http_uri; nocase; content:"guid="; http_uri; nocase; content:"ver="; http_uri; nocase; content:"key="; http_uri; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan.Win32.BHO.egw&threatid=313636; reference:url,doc.emergingthreats.net/2008461; classtype:trojan-activity; sid:2008461; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor Possible Backdoor.Cow Varient (Backdoor.Win32.Agent.lam) C&C traffic"; content:"|6C 3C|"; depth:2; content:"|3E 20|"; within:3; content:"bid="; nocase; within:20; content:"bver="; nocase; within:20; content:"bip="; nocase; within:20; content:"bn="; nocase; within:20; reference:url,doc.emergingthreats.net/2008465; classtype:trojan-activity; sid:2008465; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.Agent.fvt Checkin"; flow:established,to_server; content:"GET "; nocase; depth:4; content:".php?"; nocase; content:"lversion="; nocase; content:"wversion=&eversion=&fid="; nocase; content:"&mac="; nocase; reference:url,doc.emergingthreats.net/2008667; classtype:trojan-activity; sid:2008667; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Win32 Backdoor Checkin POST Packet 1"; flow:established,to_server; content:"/add.php"; http_uri; flowbits:noalert; flowbits:set,ET.bd1; reference:url,doc.emergingthreats.net/2009240; classtype:trojan-activity; sid:2009240; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Win32 Backdoor Checkin POST"; flow:established,to_server; content:"Admin="; depth:6; http_client_body; content:"&UserName="; http_client_body; within:25; content:"&IsProxy="; http_client_body; within:50; flowbits:isset,ET.bd1; reference:url,doc.emergingthreats.net/2009241; classtype:trojan-activity; sid:2009241; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET TROJAN Backdoor.Hupigon Possible Control Connection Being Established"; flow:established,to_server; dsize:4; content:"|00 00 00 00|"; flowbits:set,BSHupigonControlStart; reference:url,www.avira.com/en/threats/section/fulldetails/id_vir/1051/bds_hupigon.bo.html; reference:url,doc.emergingthreats.net/2002974; classtype:trojan-activity; sid:2002974; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET TROJAN Backdoor.Hupigon INFECTION - Reporting Host Type"; flow:established,to_server; flowbits:isset,BSHupigonControlStart; content:"Windows "; flowbits:isset,BSHupigonControlStart; reference:url,www.avira.com/en/threats/section/fulldetails/id_vir/1051/bds_hupigon.bo.html; reference:url,doc.emergingthreats.net/2002975; classtype:trojan-activity; sid:2002975; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.VB.cfi (related) System Info Upload via FTP"; flow:established,to_server; content:"*************CD-Key Pack**************"; content:"|0d 0a|Microsoft Windows Product ID CD Key|3a|"; distance:0; reference:url,doc.emergingthreats.net/2008005; classtype:trojan-activity; sid:2008005; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET !$HTTP_PORTS -> $EXTERNAL_NET 1337 (msg:"ET TROJAN Win32.SkSocket C&C Connection"; flow:established,to_server; flags:PA,12; dsize:1; content:"|04|"; reference:url,doc.emergingthreats.net/2007585; classtype:trojan-activity; sid:2007585; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.VB.brg C&C Checkin"; flow:established,to_server; content:"Status|2a 28|Idle|2e 2e 2e 29 2a|"; depth:17; offset:0; reference:url,doc.emergingthreats.net/2007922; classtype:trojan-activity; sid:2007922; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.VB.brg C&C Reporting Version"; flow:established,to_server; content:"Version|28 2a|"; depth:9; offset:0; content:"|29 2a|"; within:8; reference:url,doc.emergingthreats.net/2007979; classtype:trojan-activity; sid:2007979; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Backdoor.Win32.VB.brg C&C Kill Command Send"; flow:established,from_server; dsize:<35; content:"kill-"; offset:0; depth:5; pcre:"/kill\-\d+.\d+.\d+.\d+\:\d+%\d/"; reference:url,doc.emergingthreats.net/2007980; classtype:trojan-activity; sid:2007980; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.VB.brg C&C Kill Command Acknowledge"; flow:established,to_server; dsize:29; content:"Status|28 2a|UDP Attack Running!|2a 28|"; offset:0; reference:url,doc.emergingthreats.net/2007981; classtype:trojan-activity; sid:2007981; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.VB.brg C&C DDoS Outbound"; flow:established,from_server; dsize:>100; content:"|ff ff ff ff|"; depth:4; content:" own you bitch!"; within:20; content:"|01 01 01 01 01 01 01 01 01 01 01 01 01|"; reference:url,doc.emergingthreats.net/2007982; classtype:trojan-activity; sid:2007982; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.VB.fdi Bot Reporting to Controller"; flow:established,to_server; content:"state|3a| 0 - zombie is ready for control"; depth:38; reference:url,doc.emergingthreats.net/2008507; classtype:trojan-activity; sid:2008507; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker/Banbra Variant POST via x-www-form-urlencoded"; flow:established,to_server; content:".php"; http_uri; content:"POST"; nocase; http_method; content:"Content-Type|3a20|application/x-www-form-urlencoded|0D0A|Content-Length|3A20|"; http_header; nocase; content:"from="; http_client_body; nocase; content:"|26|FromMail="; http_client_body; nocase; content:"|26|destino="; http_client_body; nocase; content:"|26|assunto="; http_client_body; nocase; content:"|26|mensagem="; http_client_body; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2008331; classtype:trojan-activity; sid:2008331; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker/Banbra Related HTTP Post-infection Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"tipo=cli&cli="; http_client_body; reference:url,doc.emergingthreats.net/2009296; classtype:trojan-activity; sid:2009296; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandook v1.2 Initial Connection and Report"; flowbits:isnotset,BE.Bandook1.2; flow:established,to_server; content:"&first& # "; pcre:"/# \d+d \d+dh \d+m # /iR"; flowbits:set,BE.Bandook1.2; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003549; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandook v1.2 Get Processes"; flowbits:isset,BE.Bandook1.2; flow:established,to_server; dsize:8; content:"|99 9b 86 8a 85 80 9a 9d|"; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003550; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandook v1.2 Kill Process Command"; flowbits:isset,BE.Bandook1.2; flow:established,to_server; dsize:>8; content:"kill3d"; offset:0; depth:6; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003551; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.2 Reporting Socks Proxy Active"; flowbits:isset,BE.Bandook1.2; flow:established,from_server; dsize:7; content:"sockson"; offset:0; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003552; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.2 Reporting Socks Proxy Off"; flowbits:isset,BE.Bandook1.2; flow:established,from_server; dsize:8; content:"socksoff"; offset:0; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003553; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.2 Client Ping Reply"; flowbits:isset,BE.Bandook1.2; flow:established,from_server; dsize:10; content:"&SEXREPLY&"; offset:0; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003554; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandook v1.35 Initial Connection and Report"; flowbits:isnotset,BE.Bandook1.35; flow:established,to_server; content:"|cf 8f|"; offset:0; depth:2; content:"|20 26 26 26|"; distance:50; flowbits:set,BE.Bandook1.35; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003555; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.35 Keepalive Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:6; content:"|cf ab a8 a7 ae cf|"; offset:0; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003556; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandook v1.35 Keepalive Reply"; flowbits:isset,BE.Bandook1.35; flow:established,to_server; dsize:9; content:"|cf ab a8 a4 ae cf 26 26 26|"; offset:0; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003557; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.35 Create Registry Key Command Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:>10; content:"|cf 9b 8c 8e 8a 9b cf|"; offset:0; depth:7; content:"|95|"; distance:5; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003558; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.35 Create Directory Command Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:>7; content:"|cf 84 82 8d 80 9b cf 95|"; offset:0; depth:8; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003559; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.35 Window List Command Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:10; content:"|cf 8e 80 84 84 8c 9e 80 87 cf|"; offset:0; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003560; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandook v1.35 Window List Reply"; flowbits:isset,BE.Bandook1.35; flow:established,to_server; dsize:>10; content:"|cf 9e 80 87 85 80 9a 9d cf|"; offset:0; depth:9; content:"|26 26 26|"; distance:10; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003561; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.35 Get Processes Command Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:8; content:"|99 9b 86 8a 85 80 9a 9d|"; offset:0; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003562; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandook v1.35 Get Processes Command Reply"; flowbits:isset,BE.Bandook1.35; flow:established,to_server; dsize:>10; content:"|cf 9d 82 99 9b 86 8a cf|"; offset:0; depth:8; content:"|26 26 26|"; distance:10; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003565; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.35 Start Socks5 Proxy Command Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:>6; content:"|a7 a0 a7 ae 95|"; offset:0; depth:5; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003563; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandook v1.35 Socks5 Proxy Start Command Reply"; flowbits:isset,BE.Bandook1.35; flow:established,to_server; dsize:10; content:"|9a 86 8a 82 9a 86 87 26 26 26|"; offset:0; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003564; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandok phoning home (xor by 0xe9 to decode)"; flow:established,to_server; content:"|CF 8F 80 9B 9A 9D CF 95|"; depth:8; dsize:<80; reference:url,www.dshield.org/diary.html?date=2007-03-28; reference:url,www.secureworks.com/research/threats/bbbphish/?threat=bbbphish; reference:url,doc.emergingthreats.net/2003936; classtype:trojan-activity; sid:2003936; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bandook iwebho/BBB-phish trojan leaking user data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Content-Type|3a20|application/x-www-form-urlencoded|0d0a|Host|3a20|"; depth:55; http_header; content:"Content-Length|3a20|"; http_header; content:"VISITED_URL"; depth:100; http_client_body; reference:url,www.secureworks.com/research/threats/bbbphish; reference:url,doc.emergingthreats.net/2003937; classtype:trojan-activity; sid:2003937; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Banker.OPX HTTP Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"TIPO=CLIENTE&NOME="; nocase; http_client_body; reference:url,doc.emergingthreats.net/2007901; classtype:trojan-activity; sid:2007901; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.ili HTTP Checkin"; flow:established,to_server; content:"/ctrl/cnt_boot.php?pgv="; http_uri; nocase; reference:url,doc.emergingthreats.net/2007940; classtype:trojan-activity; sid:2007940; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Banker.ike UDP C&C"; content:"|86 71 3b 72 50 61 7d 95 5f 61 46|"; nocase; reference:url,doc.emergingthreats.net/2007957; classtype:trojan-activity; sid:2007957; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker Trojan (General) HTTP Checkin"; flow:established,to_server; content:".php?PC="; http_uri; content:"&Data="; http_uri; content:"&Mac="; http_uri; reference:url,doc.emergingthreats.net/2007984; classtype:trojan-activity; sid:2007984; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker Trojan (General) HTTP Checkin (vit)"; flow:established,to_server; content:".php"; http_uri; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a|"; http_header; content:"vit="; nocase; content:"&bk="; nocase; content:"&dados="; fast_pattern; nocase; distance:0; reference:url,doc.emergingthreats.net/2007999; classtype:trojan-activity; sid:2007999; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.JU Related HTTP Post-infection Checkin"; flow:established,to_server; content:"/envio.php?"; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"tipo="; http_client_body; reference:url,doc.emergingthreats.net/2008267; classtype:trojan-activity; sid:2008267; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Agent.zrm/Infostealer.Bancos Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"appdata="; http_uri; nocase; content:"hd="; nocase; http_uri; content:"mac="; nocase; http_uri; content:"computador="; http_uri; nocase; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2008519; classtype:trojan-activity; sid:2008519; rev:5; metadata:tag Banking_Trojan, created_at 2010_07_30, malware_family Bancos, updated_at 2018_04_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Generic Banker Trojan Downloader Config to client"; flow:established,to_client; file_data; content:"[Controlinfo]"; nocase; within:13; content:"CntInfo="; within:9; nocase; content:"UseSepControl="; within:30; nocase; content:"Names="; within:20; reference:url,doc.emergingthreats.net/2009090; classtype:trojan-activity; sid:2009090; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Banker.PWS POST Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"IDMAQUINA="; http_client_body; fast_pattern; reference:url,doc.emergingthreats.net/2009127; classtype:trojan-activity; sid:2009127; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWSteal.Bancos Generic Banker Trojan SCR Download"; flow:to_server,established; content:"/keylogf.jpg"; http_uri; nocase; metadata: former_category TROJAN; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-050210-0214-99&tabid=2; reference:url,www.packetninjas.net; reference:url,doc.emergingthreats.net/2009235; classtype:trojan-activity; sid:2009235; rev:3; metadata:tag Banking_Trojan, created_at 2010_07_30, malware_family Bancos, updated_at 2018_04_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TSPY_BANKER.IDV/Infostealer.Bancos Module Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a20|Mozilla|2f|4.0|2028|compatible|3b20|MSIE|20|6.0| 3b2020|Windows|20|NT|20|5.1|3b 20|SV1|3b20|.NET|20|CLR|20|1.1.4322| 3b20|.NET|20|CLR|20|2.0.50727|290d0a|Host|3a20|"; fast_pattern:37,18; http_header; content:"|0d 0a|Accept|3a 20 2a 2f 2a|"; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2009447; classtype:trojan-activity; sid:2009447; rev:6; metadata:tag Banking_Trojan, created_at 2010_07_30, malware_family Bancos, updated_at 2018_04_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bancos/Banker Info Stealer Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; nocase; content:"op="; http_client_body; nocase; content:"servidor="; http_client_body; fast_pattern; nocase; content:"senha="; http_client_body; nocase; content:"usuario="; http_client_body; nocase; content:"base="; http_client_body; nocase; content:"sgdb="; http_client_body; nocase; metadata: former_category TROJAN; reference:url,www.pctools.com/mrc/infections/id/Trojan.Bancos/; reference:url,www.threatexpert.com/reports.aspx?find=Trojan.Bancos; reference:url,doc.emergingthreats.net/2009471; classtype:trojan-activity; sid:2009471; rev:7; metadata:tag Banking_Trojan, created_at 2010_07_30, malware_family Bancos, updated_at 2018_04_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker PWS/Infostealer HTTP GET Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| Microsoft Internet Explorer|0d 0a|"; http_header; nocase; content:"guid="; http_uri; nocase; content:"ver="; nocase; http_uri; content:"stat="; nocase; http_uri; content:"ie="; nocase; http_uri; content:"os="; nocase; http_uri; content:"ut="; nocase; http_uri; content:"cpu="; nocase; http_uri; fast_pattern; reference:url,www.pctools.com/mrc/infections/id/Trojan.Banker/; reference:url,doc.emergingthreats.net/2009550; classtype:trojan-activity; sid:2009550; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker/Bancos/Infostealer Possible Rootkit - HTTP HEAD Request"; flow:established,to_server; content:"HEAD"; http_method; nocase; content:".php?action="; http_uri; nocase; content:"&uid="; nocase; http_uri; content:"&locale="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&build="; nocase; http_uri; metadata: former_category TROJAN; reference:url,www.pctools.com/mrc/infections/id/Trojan.Banker/; reference:url,www.anti-spyware-101.com/remove-trojanbanker; reference:url,doc.emergingthreats.net/2009750; classtype:trojan-activity; sid:2009750; rev:6; metadata:tag Banking_Trojan, created_at 2010_07_30, malware_family Bancos, updated_at 2018_04_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Banker Trojan CnC AddNew Command"; flow:established,to_server; dsize:<120; content:"[S]ADDNEW|7c|"; depth:10; reference:url,doc.emergingthreats.net/2009862; classtype:trojan-activity; sid:2009862; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Banker Trojan CnC Hello Command"; flow:established,to_server; dsize:12; content:"[S]hello["; depth:9; reference:url,doc.emergingthreats.net/2009863; classtype:trojan-activity; sid:2009863; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Patcher/Bankpatch V2 Communication with Controller"; flow:established,to_server; content:"id="; nocase; http_uri; content:"&check="; nocase; http_uri; content:"&version2="; http_uri; nocase; pcre:"/\?id=[A-Za-z]+_[A-Za-z0-9]+&/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3AWin32%2FBanker.O; classtype:trojan-activity; sid:2009408; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Patcher/Bankpatch Module Download Request"; flow:established,to_server; content:"/dl/AcroIEHelpe"; nocase; http_uri; content:".dll"; http_uri; nocase; pcre:"/\/dl\/AcroIEHelpe(r)?(\d)?\.dll/U"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-081817-1808-99&tabid=2; reference:url,doc.emergingthreats.net/2009409; classtype:trojan-activity; sid:2009409; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Banload Downloader Infection - Sending initial email to owner"; flow:established,to_server; content:"X-Library|3a| Indy 9"; nocase; content:"Dispositivo instalado."; nocase; content:"Maquina pronta para uso."; nocase; content:"Data|3a| "; nocase; content:"Hora|3a| "; nocase; content:"Development by "; nocase; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=95586; reference:url,doc.emergingthreats.net/2002977; classtype:trojan-activity; sid:2002977; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload HTTP Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; fast_pattern:30,20; content:"tipo="; http_client_body; depth:5; reference:url,doc.emergingthreats.net/2007863; classtype:trojan-activity; sid:2007863; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload HTTP Checkin Detected"; flow:established,to_server; content:"php?mac="; nocase; http_uri; content:"&hdd="; nocase; http_uri; content:"++++++++"; nocase; http_raw_uri; content:"&ver="; nocase; http_uri; content:"&ie="; http_uri; nocase; reference:url,doc.emergingthreats.net/2007864; classtype:trojan-activity; sid:2007864; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload HTTP Checkin Detected (envia.php)"; flow:established,to_server; content:"/envia.php"; http_uri; nocase; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a|"; http_header; nocase; content:"praquem="; http_client_body; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2008256; classtype:trojan-activity; sid:2008256; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload HTTP Checkin Detected (quem=)"; flow:established,to_server; content:".php"; nocase; http_uri; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"quem="; depth:5; http_client_body; content:"praquem="; http_client_body; fast_pattern; offset:5; nocase; reference:url,doc.emergingthreats.net/2008283; classtype:trojan-activity; sid:2008283; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET TROJAN Banload Gadu-Gadu CnC Message Detected"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"Uruchomiono trojana, wpisz help aby uzyskac pomoc"; nocase; reference:url,doc.emergingthreats.net/2008320; classtype:trojan-activity; sid:2008320; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload POST Checkin (dados)"; flow:established,to_server; content: "POST"; nocase; http_method; content:"PC="; http_client_body; nocase; content: "&USER="; http_client_body; nocase; content:"&HASH="; http_client_body; nocase; content:"&DADOS="; http_client_body; nocase; reference:url,doc.emergingthreats.net/2008477; classtype:trojan-activity; sid:2008477; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BANLOAD Downloader GET Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"mac="; http_uri; content:"sys="; http_uri; content:"yp="; http_uri; content:"rand="; http_uri; nocase; pcre:"/mac=[0-9A-Fa-f]{12}&/Ui"; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojbanloe.html; reference:url,doc.emergingthreats.net/2009453; classtype:trojan-activity; sid:2009453; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"c=voip&ord="; nocase; http_uri; content:"=&SCRNSZ"; http_uri; content:"&BRSRSZ="; http_uri; content:"&TIMEZONE="; http_uri; reference:url,doc.emergingthreats.net/2010266; classtype:trojan-activity; sid:2010266; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Basine Trojan Checkin"; flow:established,to_server; dsize:>1000; content:"a="; http_client_body; content:"&b=reported"; fast_pattern; distance:0; within:40; http_client_body; content:"&d=report"; http_client_body; distance:0; within:40; reference:url,doc.emergingthreats.net/2007692; classtype:trojan-activity; sid:2007692; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Urlzone/Bebloh Communication with Controller"; flow:established,to_server; content:"GET"; nocase; http_method; content:"?type=slg&id="; http_uri; nocase; pcre:"/\?type=slg&id=[0-9A-Z]{18}/U"; metadata: former_category TROJAN; reference:url,threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_BEBLOH.KO&VSect=Td; reference:url,doc.emergingthreats.net/2009351; classtype:trojan-activity; sid:2009351; rev:7; metadata:tag Banking_Trojan, created_at 2010_07_30, malware_family URLZone, updated_at 2018_04_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Urlzone/Bebloh Trojan Check-in"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"N="; http_client_body; content:"&ID="; http_client_body; content:"&DATA="; http_client_body; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2009520; classtype:trojan-activity; sid:2009520; rev:6; metadata:tag Banking_Trojan, created_at 2010_07_30, malware_family URLZone, updated_at 2018_04_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bebloh C&C HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ff.ie?rnd="; http_uri; nocase; fast_pattern:only; pcre:"/\/ff\.ie\?rnd=\x2d?\d/Ui";  reference:url,doc.emergingthreats.net/2010565; classtype:trojan-activity; sid:2010565; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Bifrose Connect to Controller"; flow:established,to_server; dsize:<20; content:"|09 00 00 9a|"; depth:4; content:"|cc|"; distance:3; within:4; content:"|74|"; distance:3; within:4; reference:url,doc.emergingthreats.net/2008273; classtype:trojan-activity; sid:2008273; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Bifrose Response from Controller"; flow:established,from_server; dsize:9; content:"|05 00 00 00 BC|"; depth:5; content:"|CC|"; distance:3; within:4; reference:url,doc.emergingthreats.net/2008274; classtype:trojan-activity; sid:2008274; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bifrose Connect to Controller (PING PONG)"; flow:stateless; dsize:10; content:"PING |3a|i.|0d 0a|"; flowbits:set,ET.bifrose1; reference:url,doc.emergingthreats.net/2009128; classtype:trojan-activity; sid:2009128; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Bifrose Response from Controller (PING PONG)"; flow:stateless; flowbits:isset,ET.bifrose1; dsize:9; content:"PONG |3a|i.|0d|"; reference:url,doc.emergingthreats.net/2009129; classtype:trojan-activity; sid:2009129; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blackenergy Bot Checkin to C&C"; flow:established,to_server; dsize:<400; content:"POST"; nocase; http_method; content:"Cache-Control|3a| no-cache"; http_header; content:"id="; http_client_body; content:"&build_id="; http_client_body; fast_pattern; pcre:"/id=x.+_[0-9A-F]{8}&build_id=./P"; reference:url,asert.arbornetworks.com/2007/10/blackenergy-ddos-bot-analysis-available; reference:url,doc.emergingthreats.net/2007668; classtype:trojan-activity; sid:2007668; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blackenergy Bot Checkin to C&C (2)"; flow:to_server,established; content:"POST"; nocase; http_method; content:"id="; http_client_body; nocase; content:"&cn="; http_client_body; nocase; content:"&bid="; http_client_body; nocase; fast_pattern:only; content:!"Referer|3a|"; http_header;  content:!".bitdefender.net|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2010875; classtype:trojan-activity; sid:2010875; rev:9; metadata:created_at 2010_07_30, updated_at 2017_01_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BlackEnergy v2.x HTTP Request with Encrypted Variables"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/getcfg.php"; http_uri; pcre:"/^[a-z]{3,6}\x3d[A-F0-9]{50}/Pi"; reference:url,www.secureworks.com/research/threats/blackenergy2/?threat=blackenergy2; reference:url,doc.emergingthreats.net/2010885; classtype:trojan-activity; sid:2010885; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BlackEnergy v2.x Plugin Download Request"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/getcfg.php"; http_uri; nocase; content:"getp="; http_client_body; content:"id="; http_client_body; content:"ln="; http_client_body; content:"bid="; http_client_body; content:"nt="; http_client_body; content:"cn="; http_client_body; reference:url,www.secureworks.com/research/threats/blackenergy2/?threat=blackenergy2; reference:url,doc.emergingthreats.net/2010886; classtype:trojan-activity; sid:2010886; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Boaxxe HTTP POST Checkin"; flow:established,to_server; content:"/u/"; http_uri; content:"POST"; nocase; http_method; content:"user-Agent|3a| Internet Explorer|0d 0a|"; http_header; content:"a="; http_client_body; depth:2; content:"&b="; http_client_body; reference:url,doc.emergingthreats.net/2009297; classtype:trojan-activity; sid:2009297; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET TROJAN Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Outbound"; dsize:24; threshold:type threshold, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:trojan-activity; sid:2008104; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET TROJAN Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Inbound"; dsize:24; threshold:type threshold, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:trojan-activity; sid:2008105; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET TROJAN Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Inbound"; flow:established; dsize:24; threshold:type threshold, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:trojan-activity; sid:2008106; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET TROJAN Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Outbound"; threshold:type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:trojan-activity; sid:2008109; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bravix Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?wmid="; http_uri; content:"&l="; http_uri; content:"&it="; http_uri; content:"&s="; http_uri; reference:url,doc.emergingthreats.net/2008541; classtype:trojan-activity; sid:2008541; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Bredavi Configuration Update Response"; flow:established,from_server; content:"|0d 0a 0d 0a 21|new_config|0a|"; nocase; reference:url,doc.emergingthreats.net/2010790; classtype:trojan-activity; sid:2010790; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab Downloader Communicating With Controller (1)"; flow:established,to_server; content:"action="; nocase; http_uri; content:"&entity_list="; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"&first="; http_uri; content:"&guid="; nocase; http_uri; content:"&rnd="; http_uri; nocase; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader%3aWin32/Bredolab.B; reference:url,doc.emergingthreats.net/2009353; classtype:trojan-activity; sid:2009353; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab Downloader Communicating With Controller (2)"; flow:established,to_server; content:"action="; nocase; http_uri; content:"&guid="; nocase; http_uri; content:"&rnd="; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"&entity="; http_uri; nocase; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader%3aWin32/Bredolab.B; reference:url,doc.emergingthreats.net/2009354; classtype:trojan-activity; sid:2009354; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab Check In"; flow:established,to_server; content:"GET"; nocase; http_method; content:"v="; http_uri; content:"&s="; http_uri; content:"&uid="; http_uri; content:"&p="; http_uri; content:"&q="; content:"User-Agent|3a 0d 0a|"; http_header; reference:url,www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/; reference:url,doc.emergingthreats.net/2009360; classtype:trojan-activity; sid:2009360; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Bredolab Downloader Response Binaries from Controller"; flow:established,from_server; content:"|0d 0a|Entity-Info|3a|"; nocase; content:"|0d 0a|Magic-Number|3a|"; nocase; pcre:"/\x0d\x0aEntity-Info\x3a\s+\d+\x3a\d/"; pcre:"/\x0d\x0aMagic-Number\x3a\s+\d+\|\d/"; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader%3aWin32/Bredolab.B; reference:url,doc.emergingthreats.net/2009388; classtype:trojan-activity; sid:2009388; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hiloti/Mufanom Downloader Checkin"; flow:established,to_server; content:"/get"; nocase; http_uri; content:".php?c="; nocase; http_uri; content:"&d="; http_uri; nocase; pcre:"/\/get\d*\.php\?c=[A-Z]{8}&d=[0-9A-F]{250,}$/U"; flowbits:set,ET.Hiloti; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A; reference:url,doc.emergingthreats.net/2010071; reference:url,blog.fortinet.com/hiloti-the-botmaster-of-disguise/; classtype:trojan-activity; sid:2010071; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab Infection - Windows Key"; flow:established,to_server; content:"?s=Windows"; nocase; http_uri; content:"&p="; nocase; http_uri; pcre:"/\&p=[0-9A-Za-z]{5}\-[0-9A-Za-z]{5}\-/U"; reference:url,doc.emergingthreats.net/2010072; classtype:trojan-activity; sid:2010072; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Syrutrk/Gibon/Bredolab Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?ddos=x"; http_uri; nocase; pcre:"/\x3Fddos\x3D(x\d{1,2}){5,}/Ui"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSyrutrk.A; reference:url,www.threatexpert.com/report.aspx?md5=a5f94577d00d0306e4ef64bad30e5d37; reference:url,www.threatexpert.com/report.aspx?md5=011d403b345672adc29846074e717865; reference:url,doc.emergingthreats.net/2010381; classtype:trojan-activity; sid:2010381; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fake AV GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?type="; nocase; http_uri; content:"&affid="; distance:0; nocase; http_uri; content:"&subid="; distance:0; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=8d1b47452307259f1e191e16ed23cd35; reference:url,doc.emergingthreats.net/2010382; classtype:trojan-activity; sid:2010382; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bzub2 Related RPC/Http Checkin"; flow:established,to_server; content:"/rpc.php?a=ftp"; nocase; http_uri; content:"&b="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007843; classtype:trojan-activity; sid:2007843; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Metafisher/Bzub/Cimuz/Tanspy Reporting User Activity"; flow:established,to_server; content:"ver="; nocase; http_uri; content:"&lg="; nocase; http_uri; content:"&phid="; nocase; http_uri; content:"&r="; http_uri; pcre:"/phid=[A-F0-9]{64}/Ui"; reference:url,doc.emergingthreats.net/2009349; classtype:trojan-activity; sid:2009349; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cashout Proxy Bot reg_DST"; flow:to_server,established; content:".php?"; http_uri; content:"lang="; http_uri; content:"&pal="; http_uri; content:"&bay="; http_uri; content:"&gold="; http_uri; content:"&id="; http_uri; content:"&param="; http_uri; content: "&socksport="; http_uri; content:"&httpport="; http_uri; reference:url,doc.emergingthreats.net/2008248; classtype:trojan-activity; sid:2008248; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DownloaderExchanger/Cbeplay Variant Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"os="; http_client_body; nocase; content:"&ver=";  nocase; http_client_body; distance:0; content:"&idx="; http_client_body; nocase; distance:0; content:"&user=";  http_client_body; nocase; distance:0; content:"&ioctl="; http_client_body; nocase; fast_pattern; distance:0; content:"&data=";  http_client_body; distance:0; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fCbeplay.B; reference:url,www.secureworks.com/research/threats/ppi/; reference:url,doc.emergingthreats.net/2010217; classtype:trojan-activity; sid:2010217; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Ceckno Reporting to Controller"; flow:established,to_server; dsize:<30; content:"\:2|7c|"; depth:10; content:"|7c|"; distance:0; content:"|7c|"; distance:0; pcre:"/^\d+\x3a\d\x7c\d+\x7c[0-9a-z]+\x7c\d/i"; flowbits:set,ET.cekno.initial; reference:url,doc.emergingthreats.net/2008177; classtype:trojan-activity; sid:2008177; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Ceckno Keepalive from Controller"; flow:established,from_server; dsize:1; content:"1"; flowbits:isset,ET.cekno.initial; reference:url,doc.emergingthreats.net/2008178; classtype:trojan-activity; sid:2008178; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Chekafe.A or Related Infection Checkin"; flow:established,to_server; content:"isInst="; http_uri; content:"lockcode="; http_uri; content:"PcType="; http_uri; content:"AvName="; http_uri; content:"ProCount="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32/Chekafe.A; reference:url,doc.emergingthreats.net/2011272; classtype:trojan-activity; sid:2011272; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 6000:10000 -> $HOME_NET any (msg:"ET TROJAN Vobfus/Changeup/Chinky Download Command"; flow:to_client,established; content:"|3a 2e|dl http|3a|"; depth:11; reference:url,doc.emergingthreats.net/2010973; reference:url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=beb8bc1ba5dbd8de0761ef362bc8b0a4; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fVobfus; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-081806-2906-99&tabid=2; reference:url,www.symantec.com/connect/blogs/w32changeup-threat-profile; reference:url,www.threatexpert.com/report.aspx?md5=f8880b851ea5ed92dd97657574fb4f70; classtype:trojan-activity; sid:2010973; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cinmus.Checkin 1"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?version="; nocase; http_uri; content:"lversion="; nocase; http_uri; content:"&mac="; nocase; http_uri; content:"&fid="; nocase; http_uri; content:"&vpc="; nocase; http_uri; content:"&run="; nocase; http_uri; content:"&from="; http_uri; reference:url,doc.emergingthreats.net/2008623; classtype:trojan-activity; sid:2008623; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cinmus.Checkin 2"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?fid="; nocase; http_uri; content:"&kid="; nocase; http_uri; content:"&cnt="; nocase; http_uri; content:"&mac="; nocase; http_uri; content:"&kw="; nocase; http_uri; content:"&from="; http_uri; reference:url,doc.emergingthreats.net/2008624; classtype:trojan-activity; sid:2008624; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Citi-bank.ru Related Trojan Checkin"; flow:established,to_server; content:".php?hid=NT"; nocase; http_uri; content:"&wp="; nocase; http_uri; content:"&sp="; nocase; http_uri; content:"&eep="; nocase; http_uri; content:"&edp="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008153; classtype:trojan-activity; sid:2008153; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Rootkit.Win32.Clbd.cz Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"gd="; http_client_body; content:"=="; within:20; http_client_body; content:"&affid="; http_client_body; content:"="; within:5; http_client_body; content:"&subid="; http_client_body; content:"=="; within:5; http_client_body; content:"&prov="; http_client_body; reference:url,doc.emergingthreats.net/2008442; classtype:trojan-activity; sid:2008442; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Codesoft PW Stealer Email Report Outbound"; flow:established,to_server; content:"|0d 0a|Subject|3a| Codesoft PW Stealer"; content:"******STEAM PASS STEALER*******"; distance:0; reference:url,doc.emergingthreats.net/2008310; classtype:trojan-activity; sid:2008310; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downadup/Conficker A or B Worm reporting"; flow:to_server,established; content:"/search?q="; http_uri; pcre:"/\/search\?q=[0-9]{1,3}(&aq=7(\?[0-9a-f]{8})?)?$/U"; pcre:"/\x0d\x0aHost\x3a \d+\.\d+\.\d+\.\d+\x0d\x0a/"; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; classtype:trojan-activity; sid:2009024; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downadup/Conficker A Worm reporting"; flow:to_server,established; content:"/search?q="; http_uri; content:"&aq="; http_uri; pcre:"/\/search\?q\=\d+&aq=\d/mi"; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009114; classtype:trojan-activity; sid:2009114; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET TROJAN Conficker.a Shellcode"; flow:established,to_server; content:"|e8 ff ff ff ff c1|^|8d|N|10 80|1|c4|Af|81|9EPu|f5 ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|IrX|c4 c4 c4|,|ed c4 c4 c4 94|&<O8|92|\;|d3|WG|02 c3|,|dc c4 c4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\;|b3 c0 96 96 95 92 96|\;|f3|\;|24|i| 95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 f7 04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1b|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|"; reference:url,www.honeynet.org/node/388; reference:url,doc.emergingthreats.net/2009200; classtype:trojan-activity; sid:2009200; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET TROJAN Conficker.b Shellcode"; flow:established,to_server; content:"|e8 ff ff ff ff c2|_|8d|O|10 80|1|c4|Af|81|9MSu|f5|8|ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|Ise|c4 c4 c4|,|ed c4 c4 c4 94|&<O8|92|\;|d3|WG|02 c3|,|dc c4 c4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\;|b3 c0 96 96 95 92 96|\;|f3|\;|24 |i|95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 cb c4 04 cb|{|04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1f|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|"; reference:url,www.honeynet.org/node/388; reference:url,doc.emergingthreats.net/2009201; classtype:trojan-activity; sid:2009201; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET [!1720,!1722,!2222,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1)"; dsize:>19; byte_test:1, &, 1, 19; threshold: type both, track by_src, count 95, seconds 50; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,doc.emergingthreats.net/2009205; classtype:trojan-activity; sid:2009205; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)"; dsize:>19; byte_test:1, &, 4, 19; threshold: type both, track by_src, count 95, seconds 40; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,doc.emergingthreats.net/2009206; classtype:trojan-activity; sid:2009206; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)"; dsize:>19; byte_test:1, &, 5, 19; threshold: type both, track by_src, count 95, seconds 40; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,doc.emergingthreats.net/2009207; classtype:trojan-activity; sid:2009207; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16)"; dsize:>19; byte_test:1, &, 16, 19; threshold: type both, track by_src, count 95, seconds 40; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,doc.emergingthreats.net/2009208; classtype:trojan-activity; sid:2009208; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Conficker/KernelBot/MS08-067 related Trojan Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/kernel/zz.htm?"; http_uri; content:"Ver="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008737; classtype:trojan-activity; sid:2008737; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious Accept-Language HTTP Header zh-cn likely Kernelbot/Conficker Trojan Related"; flow:established,to_server; content:"Accept-Language|3A| zh|2D|cn"; http_header; flowbits:set,ET.ms08067_header; flowbits:noalert; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008738; classtype:not-suspicious; sid:2008738; rev:7; metadata:created_at 2010_07_30, updated_at 2017_05_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Conficker/MS08-067 Worm Traffic Outbound"; flowbits:isset,ET.ms08067_header; flow:established,to_server; content:"If-None-Match|3A| |22|60794|2D|12b3|2D|e4169440|22|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008739; classtype:trojan-activity; sid:2008739; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN contacy.info Trojan Checkin (User agent clk_jdfhid)"; flow:to_server,established; content:"User-Agent|3a| clk_jdfhid|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008399; classtype:trojan-activity; sid:2008399; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Coreflood/AFcore Trojan Infection"; flow:to_server; content:"POST|20|/c/a"; byte_test:1,<,64,0,relative; content:"HTTP/1.0|0d0a|Host|3a20|"; fast_pattern; reference:url,www.secureworks.com/research/threats/coreflood; reference:url,doc.emergingthreats.net/2008434; classtype:trojan-activity; sid:2008434; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Coreflood/AFcore Trojan Infection (2)"; flow:to_server; content:"POST"; nocase; http_method; content:"HTTP/1.0|0d 0a|Host|3a 20|"; content:"r="; depth:2; http_client_body; content:"&i="; distance:0; content:"&v="; distance:0; content:"&os="; distance:0; content:"&s="; distance:0; content:"&h="; distance:0; content:"&d=";  distance:0; content:"&panic"; distance:0; fast_pattern; content:"&ie="; distance:0; content:"&input=";  distance:0; content:"&c="; distance:0; reference:url,www.secureworks.com/research/threats/coreflood; reference:url,doc.emergingthreats.net/2008443; classtype:trojan-activity; sid:2008443; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CoreFlooder.Q C&C Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/a?"; nocase; http_uri; content:"wg="; http_client_body; nocase; content:"&cn="; http_client_body; nocase; content:"&i="; http_client_body; nocase; content:"&panic="; http_client_body; nocase; threshold: type limit, track by_src, seconds 3600, count 1; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FCOREFLOOD%2EQ; reference:url,doc.emergingthreats.net/2008353; classtype:trojan-activity; sid:2008353; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CoreFlooder C&C Checkin (2)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/index.php"; http_uri; nocase; content:"r="; http_client_body; content:"&i="; http_client_body; distance:0; content:"&v="; http_client_body; distance:0; content:"&os="; http_client_body; distance:0; content:"&panic="; fast_pattern; http_client_body; distance:0; content:"&input="; http_client_body; distance:0; reference:url,doc.emergingthreats.net/2009287; classtype:trojan-activity; sid:2009287; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Proxy.Corpes.j Infection Report"; flow:established,to_server; content:".php?tma="; http_uri; content:"&mode="; http_uri; pcre:"/mode=\d+D[0-9A-F]{150}/U"; reference:url,doc.emergingthreats.net/2008144; classtype:trojan-activity; sid:2008144; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cosmu Process Dump Report"; flow:established,to_server; content:"] Dumping processes {|0d 0a|"; reference:url,doc.emergingthreats.net/2011234; classtype:trojan-activity; sid:2011234; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Crypt.nc Checkin"; flow:to_server,established; content:".php?l"; http_uri; content:"&rvz1="; http_uri; fast_pattern:only; content:"&rvz2="; http_uri; content:!"Accept|3a|"; http_header; pcre:"/&rvz1=\d+&rvz2=\d+?$/U"; reference:url,doc.emergingthreats.net/2008567; classtype:trojan-activity; sid:2008567; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Crypt.CFI.Gen Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"User-Agent|3a| BIE|0d 0a|"; http_header; content:"cname="; http_client_body; reference:url,doc.emergingthreats.net/2009204; classtype:trojan-activity; sid:2009204; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DMSpammer HTTP Post Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/stat"; http_uri; content:".php"; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| Synapse)|0d 0a|"; http_header; fast_pattern:37,10; content:"x|9c|"; http_client_body; pcre:"/\/stat\d+\.php/U"; reference:url,doc.emergingthreats.net/2008271; classtype:trojan-activity; sid:2008271; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DNS Changer HTTP Post Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|0d 0a 0d 0a|x="; fast_pattern; content:!"User-Agent|3a| "; http_header; pcre:"/^x=[0-9a-zA-Z]{50}/P"; reference:url,doc.emergingthreats.net/2008263; classtype:trojan-activity; sid:2008263; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN DNS Changer.bnm/Downloader.bnm CnC Channel Start"; flow:established,to_server; dsize:8; content:"|0b 01 00 00 00 00 00 00|"; flowbits:noalert; flowbits:set,ET.dlbnm1; reference:url,doc.emergingthreats.net/2008805; classtype:trojan-activity; sid:2008805; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN DNS Changer.bnm/Downloader.bnm CnC Channel Start Response"; flow:established,from_server; dsize:4; content:"|0b 01|"; depth:2; content:"|00|"; distance:1; within:1; flowbits:isset,ET.dlbnm1; reference:url,doc.emergingthreats.net/2008806; classtype:trojan-activity; sid:2008806; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN DNS Changer.bnm/Downloader.bnm Second CnC Channel Start"; flow:established,to_server; dsize:32; content:"|00 00 00 00 c0 a8 01 1e 67 00 00 00 00|"; depth:13; reference:url,doc.emergingthreats.net/2008807; classtype:trojan-activity; sid:2008807; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN DNS Changer.bnm/Downloader.bnm Second CnC Channel Traffic"; flow:established,to_server; dsize:32; content:"|55 d8 09 00 c0 a8 01 1e 67 00 00 00 00|"; depth:13; reference:url,doc.emergingthreats.net/2008808; classtype:trojan-activity; sid:2008808; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DNSChanger.AT or related Infection Checkin Post"; flow:established,to_server; content:"POST /cgi-bin/generator HTTP/1.0|0d 0a|Content-Length|3a| "; depth:50; content:"|0d 0a 0d 0a|"; within:10; reference:url,doc.emergingthreats.net/2008940; classtype:trojan-activity; sid:2008940; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Daemonize.ft HTTP Checkin"; flow:established,to_server; content:".php?v="; nocase; http_uri; content:"&rnd="; nocase; http_uri; content:"&u=00"; nocase; http_uri; content:"&s="; nocase; http_uri; content:"&id="; http_uri; nocase; reference:url,doc.emergingthreats.net/2008086; classtype:trojan-activity; sid:2008086; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Daonol C&C Communication"; flow:established,to_server; content:"/x/?0"; http_uri; nocase; content:"|0d 0a|SS|3a|"; nocase; content:"|0d 0a|Xost|3a|"; nocase; pcre:"/\/x\/\?0\w{35}$/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fDaonol; reference:url,blog.fireeye.com/research/2009/10/gumblar-not-gumby.html; reference:url,www.iss.net/threats/gumblar.html; reference:url,blog.scansafe.com/journal/2009/10/15/gumblar-website-botnet-awakes.html; reference:url,doc.emergingthreats.net/2010164; classtype:trojan-activity; sid:2010164; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Banker.Delf Infection - Sending Initial Email to Owner"; flow:established,to_server; content:"X-Library|3a| Indy 9"; nocase; content:"Maquina.."; nocase; content:"Vers|e3|o do Windows"; nocase; content:"Microsoft Windows"; nocase; content:"Mac Address.."; nocase; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2002976; classtype:trojan-activity; sid:2002976; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Banker.Delf Infection variant 2 - Sending Initial Email to Owner"; flow:established,to_server; content:"X-Library|3a| Indy 9"; nocase; content:"Nome Computador|3a| "; nocase; content:"Data|3a| "; nocase; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2002978; classtype:trojan-activity; sid:2002978; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Banker.Delf Infection variant 3 - Sending Initial Email to Owner"; flow:established,to_server; content:"X-Library|3a| Indy 9"; nocase; content:"Subject|3a| INFECT - "; nocase; content:"Data|3a| "; nocase; content:"Windows|3a| Microsoft Windows "; nocase; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2002980; classtype:trojan-activity; sid:2002980; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Banker.Delf Infection variant 4 - Sending Initial Email to Owner"; flow:established,to_server; content:"X-Library|3a| Indy 9"; nocase; content:"Maquina"; nocase; content:"IP"; nocase; content:"Hora"; nocase; content:"Data"; nocase; content:"Microsoft Windows "; nocase; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2002981; classtype:trojan-activity; sid:2002981; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (MzApp)"; flow:established,to_server; content:"User-Agent|3a| MzApp|0d 0a|"; http_header; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; classtype:trojan-activity; sid:2009988; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf HTTP Checkin (1)"; flow:established,to_server; content:"/mydown.asp?"; nocase; http_uri; content:"reg="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&tgid="; nocase; http_uri; content:"&address="; nocase; http_uri; content:"&mydo="; nocase; http_uri; content:"&flag="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007838; classtype:trojan-activity; sid:2007838; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN Delf Keylog FTP Upload"; flow:established,to_server; content:"STOR "; depth:5; content:" Keylogger ["; nocase; distance:5; within:50; content:"].txt|0d 0a|"; nocase; distance:5; within:40; reference:url,doc.emergingthreats.net/2007858; classtype:trojan-activity; sid:2007858; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf Download via HTTP"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/mdfexcute/"; http_uri; content:"Windows 98)"; http_header; reference:url,doc.emergingthreats.net/2007911; classtype:trojan-activity; sid:2007911; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Delf/Hupigon C&C Channel Version Report"; flow:established,to_server; dsize:<25; content:"VERSON|3a|"; depth:7; reference:url,doc.emergingthreats.net/2007930; classtype:trojan-activity; sid:2007930; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf Checkin via HTTP (up)"; flow:established,to_server; content:"/up.html?"; nocase; http_uri; content:"set="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&MAC="; http_uri; nocase; reference:url,doc.emergingthreats.net/2007939; classtype:trojan-activity; sid:2007939; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf Checkin via HTTP (5)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; nocase; content:"email="; http_client_body; nocase; content:"&computador="; http_client_body; nocase; distance:0; content:"&nomfile="; http_client_body; nocase; distance:0; content:"&user="; http_client_body; nocase; distance:0; reference:url,doc.emergingthreats.net/2008044; classtype:trojan-activity; sid:2008044; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Delf CnC Channel Keepalive Pong"; flow:established,to_server; dsize:<40; content:"|20 00 00 00 f8 4d b2 77|"; depth:8; reference:url,doc.emergingthreats.net/2008009; classtype:trojan-activity; sid:2008009; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Delf CnC Channel Keepalive Ping"; flow:established,from_server; dsize:22; content:"|12 00 00 00 1c 5e|"; depth:6; reference:url,doc.emergingthreats.net/2008010; classtype:trojan-activity; sid:2008010; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf Checkin via HTTP (6)"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?v="; nocase; http_uri; content:"&u="; nocase; http_uri; content:"&t="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"&=w"; http_uri; nocase; reference:url,doc.emergingthreats.net/2008071; classtype:trojan-activity; sid:2008071; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf Checkin via HTTP (7)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php?macros="; nocase; http_uri; content:"&botstatus="; http_uri; nocase; reference:url,doc.emergingthreats.net/2008090; classtype:trojan-activity; sid:2008090; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf Key Checkin (Clicker.Win32.Delf.afl)"; flow:established,to_server; content:".php?key=???????+????????????"; http_raw_uri; content:"+Dial-up+??????+?+??????????????"; http_raw_uri; reference:url,doc.emergingthreats.net/2008666; classtype:trojan-activity; sid:2008666; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Trojan.Delf-5496 Checkin Error"; flow:established,to_server; dsize:350<>450; content:"Erorr File active\;sorry file erorr plaes down file agen"; reference:url,doc.emergingthreats.net/2008905; classtype:trojan-activity; sid:2008905; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Trojan.Delf-5496 Egg Request"; flow:established,to_server; dsize:<35; content:"|7c|CreateForm|7c|FileTransfer|7c|"; depth:29; reference:url,doc.emergingthreats.net/2008906; classtype:trojan-activity; sid:2008906; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Trojan.Delf-5496 File Manager Access Report"; flow:established,to_server; dsize:<35; content:"|7c|CreateForm|7c|FileManager|7c|"; depth:30; reference:url,doc.emergingthreats.net/2008907; classtype:trojan-activity; sid:2008907; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Trojan.Delf-5496 New Infection Report"; flow:established,to_server; dsize:<500; content:"|7c|OnConnect|7c|"; depth:20; pcre:"/^\d+?\x7cOnConnect\x7c/"; reference:url,doc.emergingthreats.net/2008908; reference:md5,3a7f11fbaf815cd2338d633de175e252; classtype:trojan-activity; sid:2008908; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.Win32.Delf followon POST Data PUSH Packet"; flow:established,to_server; content:"tip="; depth:4; nocase; content:"&cli="; nocase; content:"&tipo="; nocase; reference:url,www.threatexpert.com/threats/trojan-downloader-win32-delf.html; reference:url,doc.emergingthreats.net/2009824; classtype:trojan-activity; sid:2009824; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Delfsnif/Buzus.fte Remote Response"; flow:established,from_server; dsize:9; content:"|05 00 00 00|"; depth:4; content:"|cd|"; distance:4; within:1; reference:url,www.threatexpert.com/threats/virtool-win32-delfsnif-gen.html; reference:url,doc.emergingthreats.net/2009079; classtype:trojan-activity; sid:2009079; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Densmail.com Related Trojan Checkin"; flow:established,to_server; content:"/cc.php"; nocase; http_uri; content:"v="; nocase; http_uri; content:"&rnd="; http_uri; nocase; pcre:"/v=\d+&rnd=\d/Ui"; reference:url,doc.emergingthreats.net/2007822; classtype:trojan-activity; sid:2007822; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dialer"; flow: established,to_server; content:"/getnumtemp.asp?nip=0"; http_uri; nocase; reference:url,isc.sans.org/diary.php?storyid=1388; reference:url,doc.emergingthreats.net/2003083; classtype:trojan-activity; sid:2003083; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dialer-715 Install Checkin"; flow: established,to_server; content:"/perl/invoc_oneway.pl"; nocase; http_uri; content:"?id_service="; nocase; http_uri; content:"&nom_exe="; nocase; http_uri; content:"&skin="; nocase; http_uri; content:"&id_produit="; nocase; http_uri; reference:url,doc.emergingthreats.net/2003650; classtype:trojan-activity; sid:2003650; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Nebuler/Dialer.qn HTTP Request - Checkin"; flow:established,to_server; content:".php?"; http_uri; content:"c="; http_uri; content:"&v="; http_uri; content:"&b="; http_uri; content:"&id="; http_uri; content:"&cnt="; http_uri; fast_pattern:only; content:"&q="; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-051916-2518-99&tabid=2; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Trojan%3aWin32%2fNebuler.gen!D; reference:url,www.threatexpert.com/report.aspx?md5=e9f1f226ff86e72c558e9a9da32c796d; reference:url,doc.emergingthreats.net/2007743; classtype:trojan-activity; sid:2007743; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dialer.MC(vf) HTTP Request - Checkin"; flow:established,to_server; content:".php?"; http_uri; content:"mode="; http_uri; content:"&PartID="; http_uri; content:"&mac="; http_uri; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a|"; fast_pattern:30,20; http_header; reference:url,doc.emergingthreats.net/2007913; classtype:trojan-activity; sid:2007913; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dialer.Trojan Activity"; flow: to_server,established; content:"/dialer_min/getnum.asp?nip"; http_uri; reference:url,doc.emergingthreats.net/2008345; classtype:trojan-activity; sid:2008345; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Dialer.buv Sending Information Home"; flow:established,to_server; content:"/exit.php?if="; http_uri; nocase; content:"&cl="; content:"&id="; content:"&ov="; content:"&site="; content:"&tk="; reference:url,doc.emergingthreats.net/2008430; classtype:trojan-activity; sid:2008430; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32 Dialer Variant"; flow:established,to_server; content:"GET"; nocase; http_method; content:"icp="; http_uri; content:"&id_site="; http_uri; content:"&dl_tracker"; http_uri; content:"&connection_type="; http_uri; content:"&asked_mdl_id="; http_uri; content:"&dialer="; http_uri; reference:url,doc.emergingthreats.net/2008441; classtype:trojan-activity; sid:2008441; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dialer.Win32.E-Group.n Checkin"; flow:to_server,established; content:"login="; nocase; http_uri; content:"&brokerid="; nocase; http_uri; content:"&extlogin="; nocase; http_uri; content:"&autosize="; nocase; http_uri; content:"&icp="; nocase; http_uri; content:"&id_site="; nocase; http_uri; content:"&dl_tracker="; nocase; http_uri; content:"&connection_type="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008490; classtype:trojan-activity; sid:2008490; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dropper Checkin (often scripts.dlv4.com related)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/Common/module.php?"; nocase; http_uri; content:"brokerid="; nocase; http_uri; content:"&product="; nocase; http_uri; content:"&customid="; nocase; http_uri; content:"&mediaid="; nocase; http_uri; content:"&no_product_name="; nocase; http_uri; content:"&extlogin="; http_uri; nocase; reference:url,doc.emergingthreats.net/2010458; classtype:trojan-activity; sid:2010458; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dropper Checkin 2 (often scripts.dlv4.com related)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/Common/module.php?"; nocase; http_uri; content:"&isautogeneratedpage="; nocase; http_uri; content:"&dialer="; nocase; http_uri; content:"&p2e="; nocase; http_uri; content:"&nohit="; nocase; http_uri; reference:url,doc.emergingthreats.net/2010932; classtype:trojan-activity; sid:2010932; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN dlink router access attempt"; flow:established,to_server; content:"GET /dlink/hwiz.html HTTP/1.0|0d 0a 0d 0a|"; depth:33; content:!"|0d 0a|Host|3a| "; reference:url,doc.emergingthreats.net/2008945; classtype:trojan-activity; sid:2008945; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Donbot Connect to CnC"; flow:established,to_server; dsize:7; content:"HALLO|0d 0a|"; depth:7; reference:url,doc.emergingthreats.net/2008450; reference:url,blog.fireeye.com/research/2009/10/a-little_more_on_donbot.html; reference:url,www.avertlabs.com/research/blog/index.php/2009/04/05/donbot-joining-the-club-of-million-dollar-botnets/; classtype:trojan-activity; sid:2008450; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Donbot Report to CnC"; flow:established,to_server; content:"HASH|3a 20|"; depth:6; content:"|0d 0a|ID|3a 20|"; distance:0; content:"|0d 0a|Session|31 20|"; distance:0; content:"|0d 0a|RBL|3a 20|"; reference:url,blog.fireeye.com/research/2009/10/a-little_more_on_donbot.html; reference:url,www.avertlabs.com/research/blog/index.php/2009/04/05/donbot-joining-the-club-of-million-dollar-botnets/; reference:url,doc.emergingthreats.net/2008451; classtype:trojan-activity; sid:2008451; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Donkeyp2p Update Detected"; flow:established,to_server; content:"GET"; nocase; http_method; content:"donkeyp2p.php"; http_uri; content:"?kind="; http_uri; content:"&args="; http_uri; content:"&ver="; http_uri; content:"&uniq="; http_uri; content:"&dllver="; http_uri; nocase; reference:url,doc.emergingthreats.net/2008364; classtype:trojan-activity; sid:2008364; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Dorf/Win32.Inject.adt C&C Communication Outbound"; flow:established,to_server; dsize:16; content:"1SCD|00 00|"; depth:6; offset:0; reference:url,doc.emergingthreats.net/2008031; classtype:trojan-activity; sid:2008031; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Dorf/Win32.Inject.adt C&C Communication Inbound"; flow:established,from_server; dsize:16; content:"1SCD|00 00|"; depth:6; offset:0; reference:url,doc.emergingthreats.net/2008032; classtype:trojan-activity; sid:2008032; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dosenjo/Kvadr Proxy Trojan Activity"; flow:established,to_server; content:"hingDeny="; nocase; http_uri; content:"&id="; http_uri; nocase; pcre:"/\?ca[sc]hingDeny=[0-9A-Za-z]{16}&/U"; reference:url,www.f-secure.com/v-descs/trojan-proxy_w32_kvadr_gen!a.shtml; reference:url,www.threatexpert.com/report.aspx?md5=fd2d6bb1d2a9803c49f1e175d558a934; reference:url,www.threatexpert.com/report.aspx?md5=e4664144f8e95cfec510d5efa24a35e7; reference:url,doc.emergingthreats.net/2010334; classtype:trojan-activity; sid:2010334; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader-5265/Torpig/Anserin/Sinowal Unique UA (MSID)"; flow:established,to_server; content:"User-Agent|3a| MSID ["; nocase; http_header; reference:url,doc.emergingthreats.net/2003590; classtype:trojan-activity; sid:2003590; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.Dluca HTTP Checkin"; flow:established,to_server; content:"?id={"; nocase; http_uri; content:"&srv="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&docid="; nocase; http_uri; content:"&time="; nocase; http_uri; content:"&cstate="; nocase; http_uri; content:"&state="; nocase; http_uri; content:"&flash="; nocase; http_uri; content:"&pin="; nocase; http_uri; content:"&OSInfo2="; nocase; content:"&cinfo="; nocase; http_uri; content:"&smd="; nocase; http_uri; content:"&rts="; nocase; http_uri; content:"&retryattempt="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007595; classtype:trojan-activity; sid:2007595; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.Small User Agent Detected (NetScafe)"; flow:established,to_server; content:"User-Agent|3a| NetScafe"; http_header; reference:url,doc.emergingthreats.net/2003641; classtype:trojan-activity; sid:2003641; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.VB.TX/Backdoor.Win32.DSSdoor!IK Checkin"; flow:established,to_server; content:"/tx.txt"; http_uri; content:" Microsoft URL Control -"; http_header; reference:url,doc.emergingthreats.net/2003646; classtype:trojan-activity; sid:2003646; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Irc.MFV User Agent Detected (IRC-U)"; flow:established,to_server; content:"User-Agent|3a| IRC-U v"; http_header; nocase; reference:url,doc.emergingthreats.net/2003647; classtype:trojan-activity; sid:2003647; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Clicker.BC User Agent Detected (linkrunner)"; flow:established,to_server; content:"User-Agent|3a| linkrunner"; nocase; http_header; reference:url,doc.emergingthreats.net/2003648; classtype:trojan-activity; sid:2003648; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bot Backdoor Checkin/registration Request"; flow:established,to_server; content:"/remote.php?"; http_uri; content:"os="; http_uri; content:"&user="; http_uri; content:"&status="; http_uri; content:"&version="; http_uri; content:"&build="; http_uri; reference:url,doc.emergingthreats.net/2006366; classtype:trojan-activity; sid:2006366; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.Win32.Agent.bwr CnC Beacon"; flow:established,to_server; content:"?m="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"&hdd="; nocase; http_uri; content:"&os="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006377; classtype:trojan-activity; sid:2006377; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.26001 Url Pattern Detected"; flow:established,to_server; content:"install.php?"; nocase; http_uri; content:"wall_id="; nocase; http_uri; content:"&maddr=0"; nocase; http_uri; content:"&action="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006400; classtype:trojan-activity; sid:2006400; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.26001 Url Pattern Detected (lunch_id)"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"aff_id="; nocase; http_uri; content:"lunch_id="; nocase; http_uri; content:"&maddr=0"; nocase; http_uri; reference:url,doc.emergingthreats.net/2006401; classtype:trojan-activity; sid:2006401; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.Win32.Agent.cav Url Pattern Detected (ping)"; flow:established,to_server; content:"/ping/"; nocase; http_uri; pcre:"/\/ping\/[0-9a-fA-F]{64}\/[0-9a-fA-F]+\/[0-9a-fA-F]/Ui"; reference:url,doc.emergingthreats.net/2007284; classtype:trojan-activity; sid:2007284; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Downloader Checkin URL (GUID+)"; flow:established,to_server; content:"&version="; nocase; http_uri; content:"&configversion="; nocase; http_uri; content:"GUID="; nocase; http_uri; content:"&cmd="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"&i="; nocase; http_uri; content:"&x="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007577; classtype:trojan-activity; sid:2007577; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Downloader or Virut C&C Ack"; flow:established,to_server; content:"uid="; nocase; http_uri; content:"&version="; nocase; http_uri; content:"&actionname="; nocase; http_uri; content:"&action="; nocase; http_uri; content:"&success="; nocase; http_uri; content:"&debug="; nocase; http_uri; content:"&nocache="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007587; classtype:trojan-activity; sid:2007587; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader General Bot Checking In via HTTP Post (bot_id push)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"bot_id="; http_client_body; content:"&build_id="; http_client_body; content:"&sport="; http_client_body; content:"&hport="; http_client_body; content:"&ping="; http_client_body; content:"&speed="; http_client_body; reference:url,doc.emergingthreats.net/2007831; classtype:trojan-activity; sid:2007831; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader General Bot Checking In - Possible Win32.Small.htz related"; flow:established,to_server; content:"POST"; nocase; http_method; content:"?id="; nocase; http_uri; content:!"User-Agent|3a| "; http_header; content:"proc=[System Process]|0d 0a|"; http_client_body; content:"|0d 0a|&size="; http_client_body; reference:url,doc.emergingthreats.net/2007836; classtype:trojan-activity; sid:2007836; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.49651 Checkin"; flow:established,to_server; content:"/boot.php/boot.php?"; nocase; http_uri; content:"partner="; nocase; http_uri; content:"&mac="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007952; classtype:trojan-activity; sid:2007952; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.49651 Install Report"; flow:established,to_server; content:"/install.php?"; nocase; http_uri; content:"partner="; nocase; http_uri; content:"&mac="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007953; classtype:trojan-activity; sid:2007953; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.49651 Online Report"; flow:established,to_server; content:"/up.html?"; nocase; http_uri; content:"set="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"&mac="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007954; classtype:trojan-activity; sid:2007954; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cygo Checkin"; flow:established,to_server; content:"/count.php?"; nocase; http_uri; content:"type="; nocase; http_uri; content:"partner="; nocase; http_uri; content:"&mac="; nocase; http_uri; content:"ver="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007955; classtype:trojan-activity; sid:2007955; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.VB.CEJ HTTP Checkin"; flow:established,to_server; content:"/down"; http_uri; content:"/down/?"; http_uri; content:"s="; http_uri; content:"&t="; http_uri; content:"&v="; http_uri; pcre:"/\/down\d+\/down\/\?s=[A-F0-9]+\&t=\d+\/\d+\/20/U"; reference:url,doc.emergingthreats.net/2008087; classtype:trojan-activity; sid:2008087; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Access Count Tracking URL"; flow:established,to_server; content:"/access_count.html?id="; nocase; http_uri; content:"&MAC=0"; nocase; http_uri; pcre:"/MAC=0[a-f0-9]-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}/Ui"; reference:url,doc.emergingthreats.net/2008132; classtype:trojan-activity; sid:2008132; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Count Tracking URL"; flow:established,to_server; content:"/install_count.html?id="; nocase; http_uri; content:"&MAC=0"; nocase; http_uri; pcre:"/MAC=0[a-f0-9]-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}/Ui"; reference:url,doc.emergingthreats.net/2008133; classtype:trojan-activity; sid:2008133; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Count Tracking URL (partner)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/partner/counter/install.php?pid="; nocase; http_uri; content:"&cid="; nocase; http_uri; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/2008134; reference:url,www.threatexpert.com/report.aspx?md5=ea70e0971cc490a15e53d24ad6564403; classtype:trojan-activity; sid:2008134; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL"; flow:established,to_server; content:"GET"; nocase; http_method; content:"a="; nocase; http_uri; content:"&k="; nocase; http_uri; content:"&wmid="; nocase; http_uri; content:"&ucid="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008182; classtype:trojan-activity; sid:2008182; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (pid - mac)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"html?"; nocase; http_uri; content:"set="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&mac="; nocase; http_uri; fast_pattern; reference:url,doc.emergingthreats.net/2008183; classtype:trojan-activity; sid:2008183; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (wmid - ucid)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"?a="; nocase; http_uri; content:"&k="; nocase; http_uri; content:"&wmid="; nocase; http_uri; content:"&ucid="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008194; classtype:trojan-activity; sid:2008194; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/rpt"; http_uri; content:!"User-Agent|3a| Mozilla"; http_header; content:!".apple.com|0d 0a|"; http_header; content:!".pandora.com|0d 0a|"; http_header; pcre:"/\/rpt\d/U"; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2008233; classtype:trojan-activity; sid:2008233; rev:15; metadata:created_at 2010_07_30, updated_at 2017_04_06;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Dropper.Win32.Small.avu HTTP Checkin"; flow:established,to_server; content:"m="; http_uri; content:"&a="; http_uri; content:"&r="; http_uri;content:"&os="; http_uri; content:"00000"; http_uri; pcre:"/\/s_\d\d_\d+\?/U"; pcre:"/&os=[0-9a-z]{40}/Ui"; reference:url,doc.emergingthreats.net/2008412; classtype:trojan-activity; sid:2008412; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader Win32.Small.agoy Checkin"; flow:to_server,established; content:"/?jutr="; fast_pattern; nocase; http_uri; content:"&oo="; nocase; http_uri; content:"&ra="; nocase; http_uri; content:"Host|3A|"; http_header; nocase; pcre:"/^Host\x3A\s+[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/Hmi"; reference:url,www.threatexpert.com/report.aspx?md5=e491d25d82f4928138a0d8b3a6365c39; reference:url,www.threatexpert.com/reports.aspx?find=%2Fjutr%2F; reference:url,doc.emergingthreats.net/2008859; classtype:trojan-activity; sid:2008859; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Trojan Downloader"; flow:established,to_server; content:"GET"; http_method; nocase; content:!"Accept|3a|"; http_header; content:".php?p="; http_uri; fast_pattern:only; content:"&s="; http_uri; content:"&v="; distance:0; http_uri; content:"uid="; distance:0; http_uri; content:"&q="; distance:0; http_uri; reference:url,doc.emergingthreats.net/2009299; classtype:trojan-activity; sid:2009299; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Trojan HTTP GET Logging"; flow:established,to_server; content:"GET"; nocase; http_method; content:"?type="; nocase; http_uri; content:"&setup_id="; nocase; http_uri; content:"&version="; nocase; http_uri; content:"&os="; nocase; http_uri; content:"&sp="; nocase; http_uri; reference:url,www.virustotal.com/analisis/df09ec9ec4e5caa42db9d08e0f9d34b378e301a1eeb3aa1e6dbd0de1aa4a66be-1246158969; reference:url,doc.emergingthreats.net/2009451; classtype:trojan-activity; sid:2009451; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Downloader Checkin - HTTP GET "; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?"; nocase; http_uri; content:"machineid="; nocase; http_uri; content:"pubuserid="; nocase; http_uri; content:"checkversion="; nocase; http_uri; content:!"User-Agent|3a|"; http_header; nocase; reference:url,doc.emergingthreats.net/2009527; classtype:trojan-activity; sid:2009527; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Downloader - HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Content-Length|3a| 0|0d 0a|"; http_header; nocase; content:"mac="; http_uri; fast_pattern; nocase; content:"key="; http_uri; content:"ver="; http_uri; reference:url,doc.emergingthreats.net/2009549; classtype:trojan-activity; sid:2009549; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Hupigon.dkwt Related Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"htm?mac="; nocase; http_uri; content:"&os="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&id="; http_uri; pcre:"/\?mac=[0-9]*?&os=[a-z]*?&ver=[0-9]{8}&id=/Ui"; reference:url,doc.emergingthreats.net/2009704; classtype:trojan-activity; sid:2009704; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 81:65535 (msg:"ET TROJAN Downloader.Win32.Small CnC Beacon"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"User-Agent|3a| MSDN SurfBear|0d 0a|"; reference:url,doc.emergingthreats.net/2011269; classtype:trojan-activity; sid:2011269; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Screenblaze SCR Related Backdoor - GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?id="; nocase; http_uri; content:"&serial="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"User-Agent|3a| WinInetHTTP|0d 0a|"; http_header; nocase; reference:url,vil.nai.com/vil/content/v_156782.htm; reference:url,www.spywaredetector.net/spyware_encyclopedia/Backdoor.Prosti.htm; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=207702#none; reference:url,www.threatexpert.com/report.aspx?md5=0bcdc9c2e2102f36f594b9e727dae3c7; reference:url,doc.emergingthreats.net/2009804; classtype:trojan-activity; sid:2009804; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Agent.cah Checkin Request"; flow:established,to_server; content:"?v="; nocase; http_uri; content:"&mid="; nocase; http_uri; content:"&r1="; nocase; http_uri; content:"&tm=201"; nocase; http_uri; content:"&av="; nocase; http_uri; content:"&os=Windows"; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"cht="; http_uri; reference:url,doc.emergingthreats.net/2007644; classtype:trojan-activity; sid:2007644; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [!9997,1024:] (msg:"ET TROJAN Dropper-497 (Yumato) Initial Checkin"; flow:established,to_server; dsize:5; content:"|30 30 30 0d 0a|"; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; classtype:trojan-activity; sid:2007917; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Dropper-497 (Yumato) System Stats Report"; flow:established,to_server; content:"|00 00 00 83|"; depth:4; content:"<CPU>"; content:"</CPU><"; distance:0; content:"<MEM>"; content:"</MEM><"; distance:0; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; classtype:trojan-activity; sid:2007918; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Dropper-497 Yumato Reply from server"; flow:established,from_server; content:"YUMATO|0d 0a|1234"; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; classtype:trojan-activity; sid:2007919; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dropper.Win32.VB.on Keylog/System Info Report via HTTP"; flow:established,to_server; content:"post================================"; content:"=====|0d 0a|Resource Name "; distance:0; content:"|0d 0a|User Name/Value "; distance:0; content:"*************STEAM PASSWORDS**********"; distance:0; content:"Number of procesor|3a|"; distance:0; reference:url,doc.emergingthreats.net; classtype:trojan-activity; sid:2007987; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dropper mdodo.com Related Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| Mdodo"; http_header; reference:url,doc.emergingthreats.net/2008195; classtype:trojan-activity; sid:2008195; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dropper 6dzone.com Related Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| 6dzone|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008196; classtype:trojan-activity; sid:2008196; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Downloader checkin (3)"; flow:established,to_server; content:".php?"; http_uri; content:"c_pcode="; http_uri; content:"c_pid="; http_uri; content:"c_kind="; http_uri; content:"c_mac="; http_uri; reference:url,doc.emergingthreats.net/2010888; classtype:trojan-activity; sid:2010888; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dumador Reporting User Activity"; flow:established,to_server; content:".php?p="; nocase; http_uri; content:"machineid="; nocase; http_uri; content:"&connection="; nocase; http_uri; content:"&iplan="; nocase; http_uri; reference:url,www.norman.com/Virus/Virus_descriptions/24279/; reference:url,doc.emergingthreats.net/2002763; classtype:trojan-activity; sid:2002763; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Duntek establishing remote connection"; flow:established,to_server; content:"rfe.php?"; nocase; http_uri; content:"cmp=dun_tekfirst"; nocase; http_uri; content:"guid="; nocase; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-102514-0554-99; reference:url,doc.emergingthreats.net/2003537; classtype:trojan-activity; sid:2003537; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> any 53 (msg:"ET TROJAN E-Jihad 3.0 DNS Activity TCP (1)"; flow:established,to_server; content:"|08616c2d6a696e616e036e65740000010001|"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007673; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> any 53 (msg:"ET TROJAN E-Jihad 3.0 DNS Activity TCP (2)"; flow:established,to_server; content:"|0861312d6a696e616e036e65740000010001|"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007674; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> any 53 (msg:"ET TROJAN E-Jihad 3.0 DNS Activity TCP (3)"; flow:established,to_server; content:"|0661726464726104686f737402736b0000010001|"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007675; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> any 53 (msg:"ET TROJAN E-Jihad 3.0 DNS Activity TCP (4)"; flow:established,to_server; content:"|03777777056a6f2d7566036e65740000010001|"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007676; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> any 53 (msg:"ET TROJAN E-Jihad 3.0 DNS Activity TCP (5)"; flow:established,to_server; content:"|037777770c6a6f66706d7579747276636603636f6d0000010001|"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007677; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN E-Jihad 3.0 DNS Activity UDP (1)"; content:"|08616c2d6a696e616e036e65740000010001|"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007678; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN E-Jihad 3.0 DNS Activity UDP (2)"; content:"|0861312d6a696e616e036e65740000010001|"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007679; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN E-Jihad 3.0 DNS Activity UDP (3)"; content:"|0661726464726104686f737402736b0000010001|"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007680; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN E-Jihad 3.0 DNS Activity UDP (4)"; content:"|03777777056a6f2d7566036e65740000010001|"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007681; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN E-Jihad 3.0 DNS Activity UDP (5)"; content:"|037777770c6a6f66706d7579747276636603636f6d0000010001|"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007682; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN E-Jihad 3.0 HTTP Activity 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/tlog.php?logn="; http_uri; pcre:"/\/tlog\.php\?logn=[^\s]+&pss=[^\s]/U"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007683; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN E-Jihad 3.0 HTTP Activity 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ntarg.php?"; http_uri; pcre:"/ntarg\.php\?[^\s]*(notdoing|howme|uname)=/U"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007684; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN E-Jihad 3.0 HTTP Activity 3"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/tnewu.php?nlogin="; http_uri; pcre:"/\/tnewu\.php\?nlogin=[^\s]+&npss=[^\s]+&invitedby=[^\s]/U"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007685; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN E-Jihad 3.0 DDoS HTTP Activity OUTBOUND"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| Attacker|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:denial-of-service; sid:2007686; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET TROJAN E-Jihad 3.0 DDoS HTTP Activity INBOUND"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| Attacker|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:denial-of-service; sid:2007687; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET TROJAN Likely eCard Malware Laden Email Inbound"; flow:established,to_server; content:"|0d 0a|Subject|3a| You have received an eCard"; nocase; content:"e-card.zip"; nocase; reference:url,www.sophos.com/blogs/gc/g/2008/10/15/you-have-not-received-an-ecard/; reference:url,doc.emergingthreats.net/2008674; classtype:trojan-activity; sid:2008674; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Egspy Infection Report Email"; flow:established,to_server; content:"FROM\: EgySpy Victim"; content:"TO|3a| EgySpy User"; distance:0; content:"SUBJECT|3a| E g y S p y KeyLogger"; distance:0; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EgySpy&threatid=48410; reference:url,doc.emergingthreats.net/2008039; classtype:trojan-activity; sid:2008039; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Egspy Infection Report via HTTP"; flow:established,to_server; content:"/keylogkontrol/"; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EgySpy&threatid=48410; reference:url,doc.emergingthreats.net/2008047; classtype:trojan-activity; sid:2008047; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Egspy Install Report via HTTP"; flow:established,to_server; content:"/control.php?pcad="; nocase; http_uri; content:"&tarih="; nocase; http_uri; content:"&saat="; nocase; http_uri; content:"&veri="; http_uri; reference:url,doc.emergingthreats.net/2008136; classtype:trojan-activity; sid:2008136; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Eleonore Exploit Pack activity"; flow:established,to_server; content:"?spl="; http_uri; content:"&br="; http_uri; content:"&vers="; http_uri; content:"&s="; http_uri; pcre:"/\?spl=\d+&br=[A-Za-z]+&vers=\d\.\d&s=[a-z0-9]+[^&]$/U"; reference:url,www.offensivecomputing.net/?q=node/1419; reference:url,doc.emergingthreats.net/2010248; classtype:trojan-activity; sid:2010248; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Eleonore Exploit Pack activity variant May 2010"; flow:established,to_server; content:".php?spl="; http_uri; pcre:"/\?spl=MS[0-9]{2}-[0-9]{3}$/U"; reference:url,www.offensivecomputing.net/?q=node/1419; reference:url,doc.emergingthreats.net/2010248; classtype:trojan-activity; sid:2011128; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET TROJAN elitekeylogger v1.0 reporting - Inbound"; flow:established,to_server; content:"MAIL FROM|3a|<logs@logs.com>"; reference:url,doc.emergingthreats.net/2002938; classtype:trojan-activity; sid:2002938; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN elitekeylogger v1.0 reporting - Outbound"; flow:established,to_server; content:"MAIL FROM|3a|<logs@logs.com>"; reference:url,doc.emergingthreats.net/2002941; classtype:trojan-activity; sid:2002941; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Emogen Reporting via HTTP"; flow:established,to_server; content:".asp?"; nocase; http_uri; content:"mac="; fast_pattern; nocase; http_uri; content:"&name="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"&id="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007986; classtype:trojan-activity; sid:2007986; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ExplorerHijack Trojan HTTP Checkin"; flow:established,to_server; content:"php?i="; http_uri; content:"&v="; http_uri;content:"&win=Windows"; http_uri; content:"&un="; http_uri; content:"&uv="; http_uri; content:"&s="; http_uri; content:"&onl="; http_uri; content:"&ip="; http_uri; content:"&f="; http_uri; reference:url,doc.emergingthreats.net/2007700; classtype:trojan-activity; sid:2007700; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FSG Packed Binary via HTTP Inbound"; flow:from_server,established; content:"|4D 5A|"; content:"|50 45 00 00 4C 01 02 00 46 53 47 21|"; distance:10; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/2002773; classtype:trojan-activity; sid:2002773; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Rogue A/V Win32/FakeXPA GET Request"; flow:to_server,established; content:"?campaign="; http_uri; content:"&country="; http_uri; content:"&counter="; http_uri; content:"&campaign="; http_uri; content:"&landid="; http_uri; reference:url,doc.emergingthreats.net/2009209; classtype:trojan-activity; sid:2009209; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FAKE/ROGUE AV HTTP Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"mid="; content:"&wv="; content:"&r="; content:"&tp="; content:"&exe="; fast_pattern; content:"&ls="; content:"&uid="; reference:url,doc.emergingthreats.net/2009514; classtype:trojan-activity; sid:2009514; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FAKE/ROGUE AV Encoded data= HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http_header; content:"data=/CjEfcLas0KCj/"; http_client_body; fast_pattern; depth:19; nocase; reference:url,doc.emergingthreats.net/2009553; classtype:trojan-activity; sid:2009553; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FAKE/ROGUE AV/Security Application Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"?url="; nocase; http_uri; content:"&affid="; http_uri; fast_pattern; nocase; content:"User-Agent|3a| Mozilla/5.0 (compatible|3b| MSIE 6.0|3b| Windows XP)|0d 0a|"; http_header; nocase; pcre:"/\?url=[0-9]&affid=[0-9]{5}/Ui"; reference:url,doc.emergingthreats.net/2009554; classtype:trojan-activity; sid:2009554; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fake/Rogue AV Landing Page Encountered"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"land="; nocase; http_uri; content:"affid="; nocase; http_uri; pcre:"/\.php\?(land=\d+|affid=\d{5})&(land=\d+|affid=\d{5})$/Ui"; reference:url,en.wikipedia.org/wiki/Scareware; reference:url,doc.emergingthreats.net/2010347; classtype:trojan-activity; sid:2010347; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV FakeSmoke HTTP POST check-in"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"User-Agent|3a| "; http_header; nocase; content:!"Referer|3a| "; nocase; http_header; content:"current_version="; http_client_body; pcre:"/current_version=[a-z0-9]{196}/Pi"; reference:url,isc.sans.org/diary.html?storyid=7768; reference:url,doc.emergingthreats.net/2010512; classtype:trojan-activity; sid:2010512; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential FakeAV HTTP GET Check-IN (/check)"; flow:established,to_server; urilen:6; content:"GET"; http_method; content:"/check"; nocase; http_uri; content:!"Referer|3a| "; http_header; nocase; content:"User-Agent|3a| Microsoft Internet Explorer|0d 0a|Host|3a| "; depth:47; fast_pattern:12,34; http_header; nocase; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Rogue%3AWin32/FakeSpypro; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3190.420; reference:url,doc.emergingthreats.net/2010597; classtype:trojan-activity; sid:2010597; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV Landing Page (aid sid)"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"Referer|3a| "; http_header; nocase; content:".php?aid="; nocase; http_uri; fast_pattern; content:"&sid="; nocase; http_uri; pcre:"/[a-z]+\.php\?aid=\d+&sid=[a-z0-9]+$/Ui"; metadata: former_category TROJAN; reference:url,www.bleepingcomputer.com/forums/lofiversion/index.php/t247125.html; reference:url,doc.emergingthreats.net/2010625; classtype:trojan-activity; sid:2010625; rev:7; metadata:created_at 2010_07_30, updated_at 2017_05_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely FakeAV/Fakeinit/FraudLoad Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"Referer|3a| "; http_header; nocase; content:"loads.php?code="; nocase; http_uri; pcre:"/loads\.php\?code=\d+$/Ui"; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; reference:url,doc.emergingthreats.net/2010626; classtype:trojan-activity; sid:2010626; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely FakeAV/Fakeinit/FraudLoad Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"Referer|3a| "; http_header; nocase; content:"cgi-bin/download.pl?code="; nocase; http_uri; pcre:"/download\.pl\?code=\d+$/Ui"; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; reference:url,doc.emergingthreats.net/2010627; classtype:trojan-activity; sid:2010627; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely FakeAV/Fakeinit/FraudLoad Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"Referer|3a| "; http_header; nocase; content:"cgi-bin/get.pl?l="; nocase; http_uri; pcre:"/get\.pl\?l=\d+$/Ui"; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; reference:url,doc.emergingthreats.net/2010628; classtype:trojan-activity; sid:2010628; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV Reporting - POST often to resolution|borders.php"; flow:to_server,established; content:"POST"; nocase; http_method; content:"Cache-Control|3a| no-cache"; http_header; content:"data=CjEf"; http_client_body; depth:9; fast_pattern; pcre:"/data=[a-zA-Z0-9\+\/]{64}/P";  reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojagentmbr.html?_log_from=rss; reference:url,doc.emergingthreats.net/2010337; classtype:trojan-activity; sid:2010337; rev:19; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Fake-Rean Installer Activity (Malwareurl.com Top 30)"; flow:to_server; content:"|2F|installer|2F|Installer|2E|exe"; nocase; http_uri; pcre:"/[1-3]\x2Finstaller\x2FInstaller\x2Eexe/Ui"; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojfakereane.html?_log_from=rss; reference:url,doc.emergingthreats.net/2010221; classtype:trojan-activity; sid:2010221; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Farfli User Agent Detected"; flow:established,to_server; content:"/rpt"; http_uri; fast_pattern; content:"User-Agent|3a| "; http_header; content:!"User-Agent|3a| Mozilla"; http_header; pcre:"/^User-Agent\x3a [a-z0-9]{92}/Hmi"; reference:url,doc.emergingthreats.net/2007646; classtype:trojan-activity; sid:2007646; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Farfli HTTP Checkin Activity"; flow: to_server,established; content:"/getmac.asp?x="; fast_pattern:only; http_uri; content:"&y="; http_uri; pcre:"/x=[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}/Ui"; reference:url,www.virustotal.com/analisis/3b532a7bf7850483882024652f6c8a8b; reference:url,doc.emergingthreats.net/2009215; classtype:trojan-activity; sid:2009215; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fasec/FakeAV Alert/Keylogger/Dropper/DNSChanger Possible Rootkit - HTTP GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:"Command="; nocase; http_uri; content:"snNO="; nocase; http_uri; content:"Encode="; nocase; http_uri; content:"SFBH"; nocase; http_uri; reference:url,www.avast.com/eng/win32-fasec.html; reference:url,www.threatexpert.com/threats/virus-win32-fasec.html; reference:url,doc.emergingthreats.net/2009472; classtype:trojan-activity; sid:2009472; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Dropper.Win32.Flystud"; flow:to_server,established; content:"loading.html?fn="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&mid="; nocase; http_uri; content:"&cid="; nocase; http_uri; content:"&pn="; nocase; http_uri; content:"&clientid="; nocase; http_uri; content:"channel="; nocase; http_uri; content:"&stn="; nocase; http_uri; reference:url,doc.emergingthreats.net/2011086; classtype:trojan-activity; sid:2011086; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fragus Exploit Kit Landing"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"hello="; nocase; http_uri; pcre:"/\.php\?(id=|pid=|hello=)\d+&(id=|pid=|hello=)\d+&(id=|pid=|hello=)\d+$/Ui"; reference:url,jsunpack.jeek.org/dec/go?report=d60344851322218108076f1ad8d21435de9d5b7c; reference:url,www.malwareurl.com; reference:url,doc.emergingthreats.net/2011693; classtype:trojan-activity; sid:2011693; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FraudLoad.aww HTTP CnC Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/instlog/?"; nocase; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| TALWinInetHTTPClient"; http_header; reference:url,doc.emergingthreats.net/2008322; classtype:trojan-activity; sid:2008322; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FAKE AV HTTP CnC Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"action="; nocase; http_client_body; content:"uid="; nocase; http_client_body; content:"cnt="; nocase; http_client_body; content:"lng="; nocase; http_client_body; content:"type="; nocase; http_client_body; content:"user_id="; nocase; http_client_body; content:"pc_id="; nocase; http_client_body; content:"abbr="; nocase; http_client_body; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| TALWinInetHTTPClient)"; http_header;  fast_pattern:37,20; reference:url,doc.emergingthreats.net/2009455; classtype:trojan-activity; sid:2009455; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fraudload/FakeAlert/FakeVimes Downloader - POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| TALWinInetHTTPClient)|0d 0a|"; fast_pattern:40,20; nocase; http_header; content:"verint="; nocase; http_client_body; content:"&wv="; nocase; http_client_body; content:"&report="; nocase; http_client_body; content:"&abbr="; nocase; http_client_body; content:"&pid="; http_client_body; reference:url,www.pctools.com/mrc/infections/id/Trojan-Downloader.FraudLoad/; reference:url,www.threatexpert.com/reports.aspx?find=Trojan-Downloader.FraudLoad; reference:url,doc.emergingthreats.net/2009751; classtype:trojan-activity; sid:2009751; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fruspam polling for IP likely infected"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/automation/n09230945.asp"; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/5.0 (X11|3b| U|3b| Linux i686|3b| en-US|3b| rv|3a|1.9.0.4) Ubuntu/8.04 (hardy) Firefox/3.0.0|0d 0a|"; http_header; reference:url,community.ca.com/blogs/securityadvisor/archive/2009/03/26/in-the-wild-win32-fruspam-using-american-greetings.aspx; reference:url,doc.emergingthreats.net/2011072; classtype:trojan-activity; sid:2011072; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fullspace.cc or Related Checkin (1)"; flow:established,to_server; content:"/config.php?ver="; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"&action="; nocase; http_uri; content:"&ras="; nocase; http_uri; content:"&verfull="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008397; classtype:trojan-activity; sid:2008397; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fullspace.cc or Related Checkin (2)"; flow:established,to_server; content:"/register."; nocase; http_uri; content:"?id="; nocase; http_uri; content:"&port="; nocase; http_uri; content:"&connect="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"ip="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008398; classtype:trojan-activity; sid:2008398; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gaboc Trojan Check-in"; flow:established,to_server; content:"GET"; nocase; http_method; content:".asp"; http_uri; content:"?type="; http_uri; content:"&machinename="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=6e871b9c440d5c77b9158ebcbe3fcd4b; reference:url,doc.emergingthreats.net/2009519; classtype:trojan-activity; sid:2009519; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWS.Gamania Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"un="; http_client_body; content:"&pw="; http_client_body; content:"&sn="; http_client_body; content:"&l="; http_client_body; content:"&gd1="; http_client_body; content:"&pn="; http_client_body; reference:url,doc.emergingthreats.net/2008431; classtype:trojan-activity; sid:2008431; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-GameThief.Win32.OnLineGames infection report"; flow:established,to_server; content:"POST"; nocase; http_method; content:"&hAssunto=infect-"; http_client_body; content:"&hCorpo="; http_client_body; content:"&hPara=";  http_client_body; reference:url,doc.emergingthreats.net/2008984; classtype:trojan-activity; sid:2008984; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gamania Trojan Check-in"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; content:"?p4="; http_uri; content:"&p5="; http_uri; fast_pattern; content:"&hs="; http_uri; pcre:"/p4=\d+&p5=\d+&hs=\d/Ui"; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=166939; reference:url,doc.emergingthreats.net/2009531; classtype:trojan-activity; sid:2009531; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Gemini Malware Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?cmd=getFile&counter="; http_uri; pcre:"/\.php\?cmd=getFile&counter=\d/U"; reference:url,www.virustotal.com/analisis/c36e206c6dfe88345815da41c1b14b4f33a9636ad94dd46ce48f5b367f1c736c-1254242791; reference:url,doc.emergingthreats.net/2010007; classtype:trojan-activity; sid:2010007; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Gemini/Fake AV Download URL Detected"; flow:established,to_server; content:"/Layouts/Landings/CentralLandings/"; nocase; http_uri; content:"/images/"; nocase; http_uri; pcre:"/\x2FLayouts\x2FLandings\x2FCentralLandings\x2F\d+\x2Fimages\x2F/Ui"; reference:url,www.virustotal.com/analisis/c36e206c6dfe88345815da41c1b14b4f33a9636ad94dd46ce48f5b367f1c736c-1254242791; reference:url,doc.emergingthreats.net/2010450; classtype:trojan-activity; sid:2010450; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN GENERAL Possible Trojan Sending Initial Email to Owner - INFECTADO"; flow:established,to_server; content:"Subject|3a| Microsoft Windows"; nocase; content:"INFECTADO"; nocase; within:20; reference:url,doc.emergingthreats.net/2002982; classtype:trojan-activity; sid:2002982; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN GENERAL Possible Trojan Sending Initial Email to Owner - SUCCESSO"; flow:established,to_server; content:"PC INFECTADO COM SUCCESSO"; nocase; reference:url,doc.emergingthreats.net/2002983; classtype:trojan-activity; sid:2002983; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pass Stealer FTP Upload"; flow:established,to_server; content:"INFECTADO|0d 0a|=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|0d 0a|Computador"; depth:64; reference:url,doc.emergingthreats.net/2008237; classtype:trojan-activity; sid:2008237; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Proxy.Win32.Fackemo.g/Katusha/FakeAlert Checkin"; flow:to_server,established; content:"POST"; http_method; content:"magic="; http_uri; content:"&id="; http_uri; content:"&cache="; http_uri; content:"&tm="; http_uri; content:"&ox="; http_uri; content:!"Mozilla"; http_header; reference:md5,29457bd7a95e11bfd0e614a6e237a344; reference:md5,173a060ed791e620c2ec84d7b360ed60; reference:url,www.bugbopper.com/NameLookup.asp?Name=Packed_Win32_TDSS_o; classtype:trojan-activity; sid:2008523; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Buzus Checkin"; flow:established,to_server; content:".php?guid_bot="; http_uri; content:"&ver_bot="; http_uri; content:"&stat_bot="; http_uri; reference:url,doc.emergingthreats.net/2008550; classtype:trojan-activity; sid:2008550; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious Malformed Double Accept Header"; flow:established,to_server; content:"Accept|3a| Accept|3a| "; http_header; content:!"-DRM"; http_header; content:!"buhphone.ru|0d 0a|"; http_header; content:!"Host|3a 20|www.backupmaker.com"; http_header; nocase; content:!"ati.com|0d 0a|"; http_header; nocase; reference:url,doc.emergingthreats.net/2008975; classtype:trojan-activity; sid:2008975; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Murlo Trojan Checkin"; flow: to_server,established; content:"GET"; nocase; http_method; content: ".asp?mac="; nocase; http_uri; pcre:"/mac=[a-f0-9]/iU"; content: "&ver="; nocase; http_uri; content: "&os="; nocase; http_uri; reference:url,doc.emergingthreats.net/2009442; classtype:trojan-activity; sid:2009442; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Info Stealer - HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Content-Type|3a| multipart/form-data|3b| boundary|3d|"; nocase; http_header; content:"name=\"id\"|0d 0a|"; nocase; content:"name=\"upt\"|0d 0a|"; nocase; content:"name=\"mode\"|0d 0a|"; nocase; content:"name=\"version\"|0d 0a|"; nocase; content:"name=\"cpu\"|0d 0a|"; nocase; fast_pattern; content:"name=\"ram\"|0d 0a|"; nocase; content:"name=\"os\"|0d 0a|"; nocase; content:"name=\"user\"|0d 0a|"; nocase; content:"name=\"user\"|0d 0a|"; nocase; reference:url,doc.emergingthreats.net/2009470; classtype:trojan-activity; sid:2009470; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader Infostealer - GET Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| wget 3.0|0d 0a|"; nocase; http_header; content:"aid="; nocase; http_uri; content:"os="; nocase; http_uri; content:"uid="; nocase; http_uri; reference:url,doc.emergingthreats.net/2009539; classtype:trojan-activity; sid:2009539; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Win32/Agent.QBY CnC Post"; flow:established,to_server; content:"cike.php?fid="; nocase; http_uri; content: "&cid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&tid="; nocase; http_uri; content:"&sn="; nocase; http_uri; reference:url,www.threatexpert.com/report.aspx?uid=4f05faef-6a70-4957-8990-b316d8487f63; reference:url,doc.emergingthreats.net/2010138; classtype:trojan-activity; sid:2010138; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Checkin - MSCommonInfoEx"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/common/MSCommonInfoEx.php"; http_uri; reference:url,doc.emergingthreats.net/2011179; classtype:trojan-activity; sid:2011179; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Rogue.Win32/Winwebsec Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"in.php?affid="; http_uri; content:"&url="; http_uri; content:"&win="; http_uri; content:"&sts="; http_uri; reference:url,doc.emergingthreats.net/2011277; classtype:trojan-activity; sid:2011277; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Keylogger Crack by bahman"; flow:established,to_server; content:"POST"; nocase; http_method; content:"&message=|2b|keylogger|2b|Crack|2b|By|2b 25 32 31 25 32 31 25 32 31|...bahman"; http_client_body; nocase; reference:url,doc.emergingthreats.net/2008369; classtype:trojan-activity; sid:2008369; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Keylogger Infection Report via POST"; flow:established,to_server; content:"texto=|25 30 44 25 30 41 25 30 44 25 30 41|Computer"; content:"|25 30 44 25 30 41|IP|25 32 45 25 32 45 25 32 45 25 32 45 25 32 45|"; distance:0; reference:url,doc.emergingthreats.net/2008521; classtype:trojan-activity; sid:2008521; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin"; flow:established,to_server; content:"?id="; nocase; http_uri; content:"&tick="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&smtp="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008189; reference:url,www.secureworks.com/research/threats/botnets2009/; reference:url,securitylabs.websense.com/content/Blogs/2721.aspx; classtype:trojan-activity; sid:2008189; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Spambot HTTP Checkin"; flow:established,to_server; content:"os="; http_uri; content:"&user="; http_uri; content:"&status="; http_uri; content:"&uptime="; http_uri; content:"&cmd="; http_uri; reference:url,doc.emergingthreats.net/2008261; classtype:trojan-activity; sid:2008261; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unnamed Generic.Malware http get"; flow:established,to_server; content:"/ww20/script.php?id="; nocase; http_uri; content:"&config="; nocase; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/2003431; classtype:trojan-activity; sid:2003431; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Trojan Checkin (double Content-Type headers)"; flow:to_server,established; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"Content-Type|3a| text/html"; http_header; content:"Content-type|3a| image/gif"; http_header; reference:url,doc.emergingthreats.net/2010282; classtype:trojan-activity; sid:2010282; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Trojan Checkin (UA VBTagEdit)"; flow:to_server,established; content:"GET"; nocase; http_method; content:"HTTP/1.0"; content:"User-Agent|3a| VBTagEdit"; http_header; nocase; reference:url,doc.emergingthreats.net/2010439; classtype:trojan-activity; sid:2010439; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Downloader Win32.Genome.avan"; flow:to_server,established;  content:"mac="; http_uri; content:"&hdid="; http_uri; content:"&wlid="; http_uri; fast_pattern:only; content:"&start="; http_uri; content:"&os="; http_uri; content:"&mem="; http_uri; content:"&alive="; http_uri; content:"&ver="; http_uri; reference:url,doc.emergingthreats.net/2011236; classtype:trojan-activity; sid:2011236; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gimmiv.A.dll Infection"; flow: to_server,established; content:"/test"; http_uri; content:".php"; http_uri; content:"?abc="; http_uri; content:"?def="; http_uri; reference:url,www.microsoft.com/security/portal/Entry.aspx?name=TrojanSpy%3aWin32%2fGimmiv.A; reference:url,doc.emergingthreats.net/2008689; classtype:trojan-activity; sid:2008689; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gimmiv Infection Ping Outbound"; icode:0; itype:8; dsize:20; content:"abcde12345fghij6789"; reference:url,doc.emergingthreats.net/2008726; classtype:trojan-activity; sid:2008726; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Gimmiv Infection Ping Inbound"; icode:0; itype:8; dsize:20; content:"abcde12345fghij6789"; reference:url,doc.emergingthreats.net/2008727; classtype:trojan-activity; sid:2008727; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Glacial Dracon C&C Communication"; flow:established,to_server; content:"?id="; nocase; http_uri; content:"&ve="; nocase; http_uri; content:"&h="; nocase; http_uri; content:"&c[]="; nocase; depth:5; http_client_body; content:"&t[]="; nocase; http_client_body; content:"&u[]="; nocase; http_client_body; content:"&d[]="; nocase; http_client_body; content:"&p[]="; nocase; http_client_body; reference:url,www.threatexpert.com/report.aspx?md5=912692cb4e3f960c9cb4bbc96fa17c9d; reference:url,www.threatexpert.com/report.aspx?md5=fd3d061ee86987e8f3f245c2dc0ceb46; reference:url,doc.emergingthreats.net/2010163; classtype:trojan-activity; sid:2010163; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Goldun Reporting User Activity"; flow:established,to_server; content:".php?param="; http_uri; content:"&socks="; http_uri; content:"User-Agent|3a| Windows Updater"; http_header; reference:url,www.avira.com/en/threats/TR_Spy_Goldun_de_1_details.html; reference:url,doc.emergingthreats.net/2002775; classtype:trojan-activity; sid:2002775; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Goldun Reporting User Activity 2"; flow:established,to_server; content:"?phid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&nn="; nocase; http_uri; content:"User-Agent|3a| z|0d 0a|"; http_header; reference:url,www.avira.com/en/threats/TR_Spy_Goldun_de_1_details.html; reference:url,doc.emergingthreats.net/2002780; classtype:trojan-activity; sid:2002780; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Goldun Reporting Install"; flow:established,to_server; content:".php?codec="; http_uri; pcre:"/codec=\d+D\d+D\d/U"; reference:url,doc.emergingthreats.net/2007965; classtype:trojan-activity; sid:2007965; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi check-in / update"; flow:established,to_server; content:"?user_id="; nocase; http_uri; content:"&version_id="; nocase; http_uri; content:"&crc="; nocase; http_uri; reference:url,www.secureworks.com/research/threats/gozi; reference:url,doc.emergingthreats.net/2009410; classtype:trojan-activity; sid:2009410; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Bobax trojan infection"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/reg|3f|u="; http_uri; content:"|26|v="; http_uri; reference:url,www.lurhq.com/bobax.html; reference:url,doc.emergingthreats.net/2001901; classtype:trojan-activity; sid:2001901; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN HackerDefender Root Kit Remote Connection Attempt Detected"; flow: established,to_server; content:"|01 9a 8c 66 af c0 4a 11 9e 3f 40 88 12 2c 3a 4a 84 65 38 b0 b4 08 0b af db ce 02 94 34 5f 22|"; rawbytes; tag: session, 20, packets; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.hackdefender.html; reference:url,doc.emergingthreats.net/2001743; classtype:trojan-activity; sid:2001743; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN HackerDefender.HE Root Kit Control Connection"; flow: established,to_server; content:"|d0 84 ec 77 cf ec 60 e9|"; depth:8; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.hackdefender.html; reference:url,doc.emergingthreats.net/2003244; classtype:trojan-activity; sid:2003244; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN HackerDefender.HE Root Kit Control Connection Reply"; flow: established,from_server; content:"|d0 84 ec 77 cf ec 60 e9|"; depth:8; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.hackdefender.html; reference:url,doc.emergingthreats.net/2003245; classtype:trojan-activity; sid:2003245; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Haxdoor Reporting User Activity"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"&socksport="; nocase; http_uri; content:"&httpport="; nocase; http_uri; content:"&ver="; nocase; http_uri; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_HAXDOOR.DI; reference:url,doc.emergingthreats.net/2002790; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-113016-1420-99&tabid=2; reference:url,www.threatexpert.com/report.aspx?md5=e787c4437ff67061983cd08458f71c94; reference:url,www.threatexpert.com/report.aspx?md5=d86b9eaf9682d60cb8b928dc6ac40954; reference:url,www.threatexpert.com/report.aspx?md5=1777f0ffa890ebfcc7587957f2d08dca; classtype:trojan-activity; sid:2002790; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Haxdoor Reporting User Activity 2"; flow:established,to_server; content:"param="; http_uri; content:"&socksport="; http_uri; content:"&httpport="; fast_pattern:only; http_uri; content:"&uptime"; http_uri; content:"&uid="; http_uri; content:"&ver="; http_uri; reference:url,doc.emergingthreats.net/2002929; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-113016-1420-99&tabid=2; reference:url,www.threatexpert.com/report.aspx?md5=e787c4437ff67061983cd08458f71c94; reference:url,www.threatexpert.com/report.aspx?md5=d86b9eaf9682d60cb8b928dc6ac40954; reference:url,www.threatexpert.com/report.aspx?md5=1777f0ffa890ebfcc7587957f2d08dca; reference:md5,0995ecb8bb78f510ae995a50be0c351a; classtype:trojan-activity; sid:2002929; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Exploit kit download payload likely Hiloti Gozi FakeAV etc"; flow:to_server,established; content:"GET"; nocase; http_method; content:!"Referer|3a| "; http_header; nocase; content:"/eH"; http_uri; fast_pattern; pcre:"/\/[a-z0-9]+\.[a-z0-9]{2,4}\/eH[a-z0-9]{60,}$/Ui"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FHiloti.gen%21D; reference:url,doc.emergingthreats.net/2011103; classtype:trojan-activity; sid:2011103; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Exploit kit attack activity likely hostile"; flow:to_server,established; content:"GET"; nocase; http_method; content:!"Referer|3a| "; http_header; nocase; content:"/oH"; http_uri; fast_pattern; pcre:"/\/[a-z0-9]+\.[a-z0-9]{2,4}\/oH[a-z0-9]{60,}$/Ui"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FHiloti.gen%21D; reference:url,doc.emergingthreats.net/2011104; classtype:trojan-activity; sid:2011104; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hitpop Checkin"; flow:established,to_server; content:"/stat.htm?id="; nocase; http_uri; content:"&agt="; nocase; http_uri; content:"&r=http"; http_uri; nocase; content:"&OS="; nocase; http_uri; content:"&ntime="; nocase; http_uri; content:"&rtime="; nocase; http_uri; reference:url,atlas-public.ec2.arbor.net/docs/Hitpop_DDoS_Malware_Analysis_PUBLIC.pdf; reference:url,doc.emergingthreats.net/2008275; classtype:trojan-activity; sid:2008275; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hitpop.AG/Pophot.az HTTP Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:".asp"; http_uri; content:"|3F|ver="; nocase; http_uri; content:"|26|tgid="; nocase; http_uri; content:"|26|address="; nocase; http_uri; pcre:"/address\=([0-9A-F][0-9A-F]-){5}([0-9A-F][0-9A-F])/Ui"; reference:url,doc.emergingthreats.net/2008317; classtype:trojan-activity; sid:2008317; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN HotLan.C Spambot C&C download command"; flow:established,from_server; content:"|3B|URL|3A|http|3A 2F 2F|"; pcre:"/\x0D\x0A\x0D\x0ASLP\x3A\d+\x3BMOD\x3A[\S\x3B]+\x3BURL\x3Ahttp\x3A\x2F{2}[^\x3B]+\x3BSRV\x3Aupd\x3B/"; reference:url,doc.emergingthreats.net/2008471; classtype:trojan-activity; sid:2008471; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN HotLan.C Spambot Trojan Activity"; flow:to_server,established; content:"GET"; http_method; content:"|3F|mod|3D|"; fast_pattern:only; http_uri; content:"&id="; http_uri; content:"&up="; http_uri; content:"&mid="; http_uri; pcre:"/\x3Fmod\x3D\w*?\x26id\x3D[^\x26\s]+?\x5F\w+?\x26up\x3D[^\x26]+?\x26mid\x3D[^\x26\s]/Ui"; reference:url,doc.emergingthreats.net/2008473; classtype:trojan-activity; sid:2008473; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hupigon User Agent Detected (SykO)"; flow:established,to_server; content:"User-Agent|3a| SykO"; http_header; nocase; reference:url,doc.emergingthreats.net/2003649; classtype:trojan-activity; sid:2003649; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hupigon User Agent Detected (IE_7.0)"; flow:established,to_server; content:"User-Agent|3a| IE_7.0"; http_header; nocase; reference:url,doc.emergingthreats.net/2003932; classtype:trojan-activity; sid:2003932; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hupigon URL Infection Checkin Detected"; flow:established,to_server; content:"?mac="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&user="; nocase; http_uri; content:"&md5="; nocase; http_uri; content:"&pc="; nocase; http_uri; pcre:"/mac=[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}/Ui"; reference:url,doc.emergingthreats.net/2007592; classtype:trojan-activity; sid:2007592; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hupigon User Agent Detected (RAV1.23)"; flow:established,to_server; content:"User-Agent|3a| RAV"; http_header; pcre:"/^User-Agent\x3a RAV\d\.\d\d/Hm"; reference:url,doc.emergingthreats.net/2007661; classtype:trojan-activity; sid:2007661; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hupigon User Agent Detected (??)"; flow:established,to_server; content:"User-Agent|3a| |3f 3f 0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007689; classtype:trojan-activity; sid:2007689; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Hupigon CnC Data Post (variant abb)"; flow:established,to_server; dsize:>200; content:"Windows "; content:"Service Pack "; distance:0; content:"HACK|00 00|"; fast_pattern; distance:100; reference:url,doc.emergingthreats.net/2008042; classtype:trojan-activity; sid:2008042; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hupigon User Agent Detected (VIP2007)"; flow:established,to_server; content:"User-Agent|3a| VIP20"; http_header; nocase; reference:url,doc.emergingthreats.net/2008156; classtype:trojan-activity; sid:2008156; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Hupigon CnC Communication (variant bysj)"; flow:established,to_server; dsize:5; content:"HTTP|00|"; reference:url,doc.emergingthreats.net/2008258; classtype:trojan-activity; sid:2008258; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hupigon.AZG Checkin"; flow:established,to_server; content:"GET"; http_method; nocase; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a|"; http_header; nocase; content:"eve="; nocase; http_uri; content:"username="; nocase; http_uri; content:"anma="; nocase; http_uri; fast_pattern; content:"ver="; nocase; http_uri; reference:url,www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=143511&sind=0; reference:url,vil.nai.com/vil/content/v_145056.htm; reference:url,doc.emergingthreats.net/2008515; classtype:trojan-activity; sid:2008515; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Hupigon.dkxh Checkin to CnC"; flow:established,to_server; content:"OK|2e 01|200"; fast_pattern; depth:20; offset:13; content:"Windows "; distance:4; within:30; reference:url,doc.emergingthreats.net/2008540; classtype:trojan-activity; sid:2008540; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Hupigon System Stats Report (I-variant)"; flow:established,to_server; content:"|00 00 00|"; depth:3; content:"<CPUI>"; content:"</CPUI><"; distance:0; within:27; content:"<MEMI>"; content:"</MEMI><"; distance:0; within:27; pcre:"/^\x00\x00\x00[\x72-\x74]/"; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; classtype:trojan-activity; sid:2009052; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Win32.Hupigon Control Server Response"; flow:from_server,established; dsize:16; content:"|03 00 00 00 00 00 00 00 c4 ec 48 f5 5e 00 85 80|"; depth:16; threshold: type both, count 2, seconds 120, track by_src; reference:url,doc.emergingthreats.net/2009350; classtype:trojan-activity; sid:2009350; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN KillAV/Dropper/Mdrop/Hupigon - HTTP GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".asp?mac="; nocase; http_uri; content:"&xxx="; nocase; http_uri; content:"User-Agent|3a| baidu|0d 0a|"; http_header; nocase; reference:url,doc.emergingthreats.net/2009811; classtype:trojan-activity; sid:2009811; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN psyBNC IRC Server Connection"; flow:from_server,established; content:"psyBNC@lam3rz"; depth:33; nocase; flowbits:isset,is_proto_irc; reference:url,en.wikipedia.org/wiki/PsyBNC; reference:url,doc.emergingthreats.net/2003302; classtype:misc-activity; sid:2003302; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN IRC Channel topic scan/exploit command"; flowbits:isset,is_proto_irc; flow:to_client,established; content:"|3a|"; content:"|20|332|20|"; within: 50; content:"|2023|"; within: 20; content:"|203a|"; nocase; within:40; pcre:"/(ntscan [0-9]{1,4} [0-9]{1,4}|dcom\.self|scan\.(start|stop)|scan ([0-9]{1,3}\.[0-9]{1,3})|(advscan|asc|xscan|xploit|adv\.start) (webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|dcass|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc|wks1|mysql|wkssvcOth|wkssvcENG|arkeia|arcserve|wins|veritas|netbackup|asn))/i"; reference:url,doc.emergingthreats.net/2002029; classtype:trojan-activity; sid:2002029; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN IRC Potential bot scan/exploit command"; flowbits:isset,is_proto_irc; flow:established,from_server; content:"PRIVMSG|20|"; depth:8; content:"|3a|"; within:30; pcre:"/(ntscan [0-9]{1,4} [0-9]{1,4}|dcom\.self|scan\.(start|stop)|scan ([0-9]{1,3}\.[0-9]{1,3})|(advscan|exploited|asc|xscan|xploit|adv\.start) (webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|dcass|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc|wks1|mysql|wkssvcOth|wkssvcENG|arkeia|arcserve|wins|veritas|netbackup|asn))/i"; reference:url,doc.emergingthreats.net/2002030; classtype:trojan-activity; sid:2002030; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN IRC Potential bot update/download via http command"; flowbits:isset,is_proto_irc; flow:established,to_client; content:" http|3a|//"; fast_pattern:only; pcre:"/\.(upda|getfile|dl\dx|dl|download|execute)\w*\s+http\x3a\x2f\x2f/i"; reference:url,doc.emergingthreats.net/2002031; classtype:trojan-activity; sid:2002031; rev:19; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN IRC Potential bot update/download via ftp command"; flowbits:isset,is_proto_irc; flow:established,to_client; content:"ftp|3a|//"; fast_pattern:only; pcre:"/\.(upda|getfile|dl\dx|dl|download|execute)\w*\s+ftp\x3a\x2f\x2f/i"; reference:url,doc.emergingthreats.net/2011162; classtype:trojan-activity; sid:2011162; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN IRC Potential DDoS command 1"; flowbits:isset,is_proto_irc; flow:established,to_client; content:"floodnet "; pcre:"/floodnet ([0-9]{1,3}\.){3}[0-9]{1,3}|(tcp|syn|udp|ack|ping|icmp)(flood)? ([0-9]{1,3}\.){3}[0-9]{1,3}/i"; reference:url,doc.emergingthreats.net/2002032; classtype:trojan-activity; sid:2002032; rev:22; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN IRC Potential bot command response"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"|3a|"; within:30; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped|\x3aExec /i"; reference:url,doc.emergingthreats.net/2002033; classtype:trojan-activity; sid:2002033; rev:17; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN IRC potential bot commands"; flow:established,from_server; content:"PRIVMSG "; depth:8; content:"|3a|"; within:30; pcre:"/((\.aim\w*|ascanall|\x3agetshit200)\s+\w+)|((@kill|@get_os_version|@get_computer_name|@get_bot_version|@update|@restart|@reboot|@shutdown)\s)/i"; reference:url,doc.emergingthreats.net/2002384; classtype:trojan-activity; sid:2002384; rev:17; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN IRC channel topic misc bot commands"; flowbits:isset,is_proto_irc; flow:established,from_server; content:"|3a|"; content:"|20|332|20|"; within:50; content:"|2023|"; within:20; content:"|203a|"; pcre:"/(\.aim\w*|ascanall)\s+\w/i"; reference:url,doc.emergingthreats.net/2002386; classtype:trojan-activity; sid:2002386; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN BOT - potential DDoS command (2)"; flowbits:isset,is_proto_irc; flow:established,from_server; content:"ddos"; nocase; pcre:"/ddos\.(phat(icmp|syn|wonk)|stop|(syn|udp|http)flood|targa3|(syn|ack|random) ([0-9]{1,3}\.){3}[0-9]{1,3})/i"; reference:url,doc.emergingthreats.net/2003132; classtype:trojan-activity; sid:2003132; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN IRC potential reptile commands"; flow:established,from_server; content:"PRIVMSG|20|"; depth:8; content:"|3a|"; within:30; pcre:"/\.((testdlls|threads|nsp|speed|uptime|installed|secure|sec|unsecure|unsec|process|ps|rand|exploitftpd|eftpd|flusharp|farp|flushdns|fdns|resolve|dns|pstore|pst|sysinfo|si|netinfo|ni|driveinfo|di|currentip)\s*[\r\n]|(iestart|ies|login|l|mirccmd|system|file\s+(cat|exists|e|del|rm|rmdir|move|copy|attrib)|down|dl\dx|update|reg\s+(query|delete|write))\s+\w+|(banner|ban|advscan|asc|scanall|sa|ntscan|nts)\s*[\n\r])/i"; reference:url,doc.emergingthreats.net/2002363; classtype:trojan-activity; sid:2002363; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Agobot-SDBot Commands"; flow:established,from_server; content:"PRIVMSG|20|"; depth:8; pcre:"/((cvar\.set)|(http\.(execute|update))|((aol)spam\.(setlist|settemplate|start|stop|setuser|setpass))|sniffer\.(addstring|delstring)|pingstop|udpstop|scan(all|stats|del|stop)|clone(stop|start)|c_(raw|mode|nick|join|part|privmsg|action))/i"; reference:url,doc.emergingthreats.net/2003157; classtype:trojan-activity; sid:2003157; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN IRC pBot PHP Bot Commands"; flow:established,from_server; content:"PRIVMSG|20|"; depth:8; pcre:"/PRIVMSG\s+\S+\s+\x3a\s*(\.user |\.logout|\.die|\.restart|\.mail |\.dns |\.download |\.exec |\.find |\.cmd |\.php |\.tcpflood |\.udpflood |\.raw |\.rndnick|\.pscan |\.ud\.server )/i"; reference:url,doc.emergingthreats.net/2003208; classtype:trojan-activity; sid:2003208; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN perlb0t/w0rmb0t Response 2"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"|3A 02 03|4|5B|"; content:"|03 02|"; within: 32; pcre:"/\x3A\x02\x034\x5B(BackConnect|help|HTTP.*|SCAN|TCP.*|UDP.*|VERSION)\x5D\x03\x02/i"; reference:url,doc.emergingthreats.net/2006911; classtype:trojan-activity; sid:2006911; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Username in IRC (XP-..)"; flow:established,to_server; content:"USER XP-"; depth:8; reference:url,doc.emergingthreats.net/2008123; classtype:trojan-activity; sid:2008123; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; content:"NICK "; depth:5; content:"USA"; within:10; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Illusion Bot (Lussilon) Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"?act=online&"; nocase; http_uri; content:"s4="; nocase; http_uri; content:"&s5="; nocase; http_uri; content:"&nickname="; http_uri; content:"msg_out="; http_client_body; depth:8; nocase; reference:url,doc.emergingthreats.net/2007829; classtype:trojan-activity; sid:2007829; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN IE Ilookup Trojan"; flow: from_server,established; content:"#@~^/gAAAA==@#@&@#@&7lMP|3a|HVK^P{P[W1Ehn"; content:"#@~^GAIAAA==@#@&\\CMPsX/DD,xPvEU+kmC2"; reference:url,62.131.86.111/analysis.htm; reference:url,doc.emergingthreats.net/2001066; classtype:misc-activity; sid:2001066; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TROJ_INJECT.NI Update Request"; flow:established,to_server; dsize:7; content:"F222222"; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_INJECT.NI&VSect=T; reference:url,doc.emergingthreats.net/2009077; classtype:trojan-activity; sid:2009077; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1"; flow:established,to_server; content:"|0d 0a|X-Priority|3a| 1|0d 0a|X-Library|3a| Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:30; reference:url,doc.emergingthreats.net/2007611; classtype:trojan-activity; sid:2007611; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 3"; flow:established,to_server; content:"|0d 0a|X-Priority|3a| 3|0d 0a|X-Library|3a| Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:30; reference:url,doc.emergingthreats.net/2007612; classtype:trojan-activity; sid:2007612; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 1"; flow:established,to_server; content:"|0d 0a|X-Priority|3a| 1|0d 0a|X-Library|3a| Indy "; content:"|0d 0a|MAC......."; nocase; within:20; reference:url,doc.emergingthreats.net/2007613; classtype:trojan-activity; sid:2007613; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 3"; flow:established,to_server; content:"|0d 0a|X-Priority|3a| 3|0d 0a|X-Library|3a| Indy "; content:"|0d 0a|MAC......."; nocase; within:20; reference:url,doc.emergingthreats.net/2007614; classtype:trojan-activity; sid:2007614; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Possible Infection Report Mail - Indy Mail lib and Nome do Computador in Body"; flow:established,to_server; content:"|0d 0a|X-Library|3a| Indy "; content:"Nome do Computador.."; nocase; distance:0; reference:url,doc.emergingthreats.net/2007950; classtype:trojan-activity; sid:2007950; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Insidebar.co.kr Related Infection Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"e=inside&s="; http_client_body; depth:11; content:"&ver="; http_client_body; content:"&p="; http_client_body; reference:url,doc.emergingthreats.net/2008760; classtype:trojan-activity; sid:2008760; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Keylogger PRO GOLD Post"; flow:established,to_server; content:"to="; content:"&from="; within:200; content:"&subject="; within:200; content:"&message="; within:200; content:"Discribtion"; within:14; content:"KEYLOGG+PRO+GOLD+VERSION"; content:"IPHostName"; content:"IPAddress"; content:"YahooMessenger+Passwords"; reference:url,doc.emergingthreats.net/2008642; classtype:trojan-activity; sid:2008642; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Keylogger Pro Update Check"; flow:established,to_server; content:"POST"; nocase; http_method; content:"<root><clnt>"; http_client_body; content:"</clnt><code>CheckUpdate</code>"; nocase; fast_pattern; http_client_body;  pcre:"/<root><clnt>\d{8}-\d{4}-\d{4}-\d{4}-[0-9A-F]{12}</clnt><code>CheckUpdate</code>/P"; reference:url,vil.nai.com/vil/content/v_130975.htm; reference:url,doc.emergingthreats.net/2009533; classtype:trojan-activity; sid:2009533; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Keylogger.ane Checkin"; flow:established,to_server; content:"Secret Client|00 00 00|"; depth:18; reference:url,doc.emergingthreats.net/2008449; classtype:trojan-activity; sid:2008449; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN KLog Nick Keylogger Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"Nick+Key+Ativado"; fast_pattern; reference:url,doc.emergingthreats.net/2008338; classtype:trojan-activity; sid:2008338; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Klom.A Connecting to Controller"; flow:established,to_server; content:"/s_13_0?m="; nocase; http_uri; content:"r="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"&os="; nocase; http_uri; reference:url,www.bitdefender.com/VIRUS-1000126-en--Trojan.Klom.A.html; reference:url,doc.emergingthreats.net/2003538; classtype:trojan-activity; sid:2003538; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Knockbot Proxy Checkin"; flow:to_server,established; content:".php?win="; http_uri; content:"&id="; http_uri; content:"&lip="; http_uri; reference:url,doc.emergingthreats.net/2008249; classtype:trojan-activity; sid:2008249; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Knockbot Proxy Response From Controller"; flow:established,from_server; content:"|0d 0a 0d 0a|command|7c|file|7c|http"; depth:250; nocase; content:"|7c|"; within:150; reference:url,www.malwaredomainlist.com/mdl.php?search=knock.php; reference:url,doc.emergingthreats.net/2010787; classtype:trojan-activity; sid:2010787; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Knockbot Proxy Response From Controller (empty command)"; flow:established,from_server; content:"|0d 0a 0d 0a|command|7c|"; nocase; depth:250; reference:url,www.malwaredomainlist.com/mdl.php?search=knock.php; reference:url,doc.emergingthreats.net/2010788; classtype:trojan-activity; sid:2010788; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Koblu"; flow:established,to_server; content:"GET"; nocase; http_method; content:"sid="; nocase; http_uri; content:"&sa="; nocase; http_uri; content: "&p="; http_uri; content:"&q=cards&rf="; http_uri; content:"&enc="; http_uri; content:"&enk=&xsc=&xsp=&xsm="; http_uri; reference:url,doc.emergingthreats.net/2010230; classtype:trojan-activity; sid:2010230; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Koobface Trojan HTTP Post Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"f=0&a="; http_client_body; depth:6; content:"&v="; http_client_body; content:"&c="; http_client_body; content:"&s="; http_client_body; content:"&l=&ck="; http_client_body; content:"&c_fb="; http_client_body; reference:url,doc.emergingthreats.net/2008864; classtype:trojan-activity; sid:2008864; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Koobface BLACKLABEL"; flow:established,from_server; content: "#BLACKLABEL|0d 0a|EXIT"; reference:url,blog.threatexpert.com/2008/12/koobface-leaves-victims-black-spot.html; reference:url,doc.emergingthreats.net/2009407; classtype:trojan-activity; sid:2009407; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Koobface HTTP Request (2)"; flow:established,to_server; content:"?action="; nocase; http_uri; content:"&v="; nocase; http_uri; pcre:"/\?action=\w+gen&v=\d/U"; reference:url,ddanchev.blogspot.com/2009/09/koobface-botnets-scareware-business.html; reference:url,doc.emergingthreats.net/2010150; classtype:trojan-activity; sid:2010150; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Koobface C&C availability check"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/achcheck.php"; nocase; http_uri; flowbits:set,ET.koobfacecheck; reference:url,us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf; reference:url,doc.emergingthreats.net/2010151; classtype:trojan-activity; sid:2010151; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Koobface C&C availability check successful"; flowbits:isset,ET.koobfacecheck; flow:established,from_server; content:"|0d 0a 0d 0a|ACH_OK"; nocase; reference:url,us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf; reference:url,doc.emergingthreats.net/2010152; classtype:trojan-activity; sid:2010152; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Koobface fetch C&C command detected"; flow:established, to_server; content:".php"; nocase; http_uri; content:"f=0&a="; fast_pattern; content:"&v="; content:"&c="; content:"&s="; content:"&l="; content:"&ck="; content:"&c_fb="; content:"&c_ms="; content:"&c_hi="; content:"&c_be="; content:"&c_fr="; content:"&c_yb="; content:"&c_tg="; content:"&c_nl="; content:"&c_fu="; reference:url,us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf; reference:url,doc.emergingthreats.net/2010153; classtype:trojan-activity; sid:2010153; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely Koobface Beaconing (getexe)"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?getexe="; http_uri; content:".exe"; http_uri; reference:url,doc.emergingthreats.net/2010700; classtype:trojan-activity; sid:2010700; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Korklic.A"; flow:to_server,established; content:"GET"; nocase; http_method; content:"mode=boot&MyValue="; http_uri; content:"&code="; http_uri; pcre:"/MyValue=[a-f0-9]{2}\:[a-f0-9]{2}\:[a-f0-9]{2}\:[a-f0-9]{2}\:/Ui"; reference:url,doc.emergingthreats.net/2009003; classtype:trojan-activity; sid:2009003; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Krunchy/BZub HTTP POST Update"; flow:established,to_server; content:"action="; http_client_body; depth:7; content:"|25 35 46|script"; http_client_body; content:"POST"; nocase; http_method; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/2007776; classtype:trojan-activity; sid:2007776; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Lager Trojan Initial Checkin"; flow:established,to_server; content:"/cp/rule.php?"; nocase; http_uri; content:"fstt="; nocase; http_uri; content:"&b="; nocase; http_uri; content:"name="; http_uri; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=87732; reference:url,doc.emergingthreats.net/2003187; classtype:trojan-activity; sid:2003187; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Lager Trojan Reporting"; flow:established,to_server; content:"/cp/rule.php?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"&b="; nocase; http_uri; content:"name="; http_uri; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=87732; reference:url,doc.emergingthreats.net/2003188; classtype:trojan-activity; sid:2003188; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Lager Trojan Reporting (gcu)"; flow:established,to_server; content:"/cp/rule.php?"; nocase; http_uri; pcre:"/\/cp\/rule\.php\?gcu=\d/Ui"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=87732; reference:url,doc.emergingthreats.net/2003189; classtype:trojan-activity; sid:2003189; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Lager Trojan Reporting Spam"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/sp/post.php"; nocase; http_uri; content:"data="; depth:400; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=87732; reference:url,doc.emergingthreats.net/2003190; classtype:trojan-activity; sid:2003190; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1025:5000 (msg:"ET TROJAN Possible Web-based DDoS-command being issued"; flow: established,from_server; content: "Server|3a| nginx/0."; offset: 17; depth: 19; content: "Content-Type|3a| text/html"; content:"|3a|80|3b|255.255.255.255"; fast_pattern:only; reference:url,doc.emergingthreats.net/2003296; classtype:trojan-activity; sid:2003296; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor Lanfiltrator Checkin"; flow:established,to_server; content:"/ralog.cgi?action="; nocase; http_uri; fast_pattern:only; content:"&ip="; nocase; http_uri; content:"&servertype="; nocase; distance:0; http_uri; content:!"Referer|3a|"; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Backdoor.Win32.LanFiltrator.3b&threatid=51642; reference:url,doc.emergingthreats.net/2009078; classtype:trojan-activity; sid:2009078; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Lethic Spambot CnC Initial Connect"; flow:established,from_server; flowbits:isnotset,ET.lethic.init; flowbits:set,ET.lethic.init; flowbits:noalert; dsize:5; content:"|00 00 00 00 06|"; reference:url,www.m86security.com/trace/spambotitem.asp?article=1205; reference:url,doc.emergingthreats.net/2010646; classtype:trojan-activity; sid:2010646; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Lethic Spambot CnC Initial Connect Bot Response"; flow:established,to_server; flowbits:isset,ET.lethic.init; dsize:5; content:"|00 00 00 00 06|"; flowbits:set,ET.lethic.established; reference:url,www.m86security.com/trace/spambotitem.asp?article=1205; reference:url,doc.emergingthreats.net/2010647; classtype:trojan-activity; sid:2010647; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Lethic Spambot CnC Connect Command"; flowbits:isset,ET.lethic.established; flow:established,from_server; dsize:11; content:"|02|"; offset:4; depth:5; reference:url,www.m86security.com/trace/spambotitem.asp?article=1205; reference:url,doc.emergingthreats.net/2010648; classtype:trojan-activity; sid:2010648; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Lethic Spambot CnC Connect Command (port 25 specifically)"; flowbits:isset,ET.lethic.established; flow:established,from_server; dsize:11; content:"|02|"; offset:4; depth:5; content:"|00 19|"; offset:9; reference:url,www.m86security.com/trace/spambotitem.asp?article=1205; reference:url,doc.emergingthreats.net/2010649; classtype:trojan-activity; sid:2010649; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Lethic Spambot CnC Bot Command Confirmation"; flow:established,to_server; flowbits:isset,ET.lethic.established; dsize:6; content:"|21 01|"; offset:4; reference:url,www.m86security.com/trace/spambotitem.asp?article=1205; reference:url,doc.emergingthreats.net/2010650; classtype:trojan-activity; sid:2010650; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Lethic Spambot CnC Bot Transaction Relay"; flow:established,to_server; flowbits:isset,ET.lethic.established; content:"|03|"; offset:4; depth:5; reference:url,www.m86security.com/trace/spambotitem.asp?article=1205; reference:url,doc.emergingthreats.net/2010651; classtype:trojan-activity; sid:2010651; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET TROJAN Looked.P/Gamania/Delf #109/! Style CnC Checkin Response from Server"; flow:established,from_server; dsize:6; content:"#1"; depth:2; content:"/!"; offset:4; pcre:"/^\x23\d\d\d\x2f\x21/"; reference:url,doc.emergingthreats.net/bin/view/Main/Win32Looked; classtype:trojan-activity; sid:2008220; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lop.gfr/Swizzor HTTP Update/Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/tba/"; nocase; http_uri; content:"guid="; http_client_body; content:"&version="; http_client_body; content:"&clientid="; http_client_body; content:"&time="; http_client_body; content:"&idle="; http_client_body; content:"&ticksBoot="; http_client_body; reference:url,doc.emergingthreats.net/2007774; classtype:trojan-activity; sid:2007774; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lop.gfr/Swizzor HTTP Update/Checkin (usually host-domain-lookup.com related)"; flow:established,to_server; content:"/upd/check?"; nocase; http_uri; content:"&fxp="; http_uri; reference:url,doc.emergingthreats.net/2008333; classtype:trojan-activity; sid:2008333; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Swizzor Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"c="; http_uri; content:"&wv="; http_uri; content:"&wd="; http_uri; content:"&ie="; http_uri; content:"User-Agent|3a| NSISDL/1.2 (Mozilla)"; http_header; reference:url,doc.emergingthreats.net/2008347; classtype:successful-recon-limited; sid:2008347; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Swizzor Checkin (kgen_up)"; flow:to_server,established; content:"kgen_up.int"; http_uri; content:"fxp="; http_uri; pcre:"/fxp=[a-z0-9]{60}/Ui"; reference:url,doc.emergingthreats.net/2008379; classtype:trojan-activity; sid:2008379; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lop_com or variant Checkin (9kgen_up)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/9kgen_up.int"; http_uri; reference:url,www.threatexpert.com/reports.aspx?find=9kgen_up.int; reference:url,doc.emergingthreats.net/2008943; classtype:trojan-activity; sid:2008943; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Swizzor Family GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:"szclientid="; http_uri;content:"szmac="; http_uri; content:"szusername="; http_uri; content:"szver="; http_uri; content:"mode="; http_uri; content:"value="; http_uri; content:"systype="; http_uri; content:"rid="; http_uri; content:"szname="; http_uri; content:"szpaname="; http_uri; content:"palen="; http_uri; content:"szpapaname="; http_uri; content:"chksum="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=ed06e3cd6f57fc260194bf9fa224181e; reference:url,doc.emergingthreats.net/2009441; classtype:trojan-activity; sid:2009441; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lost Door Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"subject=Lost|20|door|20|"; http_uri; fast_pattern; content:"by|20|OussamiO"; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)"; http_header; nocase; reference:url,doc.emergingthreats.net/2008340; classtype:trojan-activity; sid:2008340; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Lydra.hj HTTP Checkin"; flow:established,to_server; content:"/NewsFolder/News00"; http_uri; content:".ASP?id="; http_uri; pcre:"/\/NewsFolder\/News00\d\d\.ASP\?id=/U"; pcre:"/Host\: \d+\.\d+\.\d+\.\d/"; reference:url,doc.emergingthreats.net/2008130; classtype:trojan-activity; sid:2008130; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mac Trojan HTTP Checkin (accept-language violation)"; flow:established,to_server; content:"GET "; depth:4; content:" HTTP/1.1|0d 0a|Accept-Language|3a| "; pcre:"/Accept-Language\: [a-zA-Z0-9]{20}/"; reference:url,doc.emergingthreats.net/2007650; classtype:trojan-activity; sid:2007650; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN Mac User-Agent Typo INBOUND Likely Hostile"; flow:established,to_server; content:"User-Agent|3a| Mozilla/5.0 (Macintosh|3b|"; http_header; content:"(KHTML, like Geco,"; fast_pattern; http_header; reference:url,doc.emergingthreats.net/2008955; classtype:trojan-activity; sid:2008955; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET TROJAN Palevo/BFBot/Mariposa client join attempt"; dsize:7; content:"|61|"; depth:1; flowbits:set,ET.MariposaJoin; reference:url,defintel.com/docs/Mariposa_Analysis.pdf; reference:url,defintel.blogspot.com/2009/09/half-of-fortune-100-companies.html; reference:url,doc.emergingthreats.net/2010100; reference:url,blogs.pcmag.com/securitywatch/2009/09/botnet_reported_loose_in_fortu.php; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2009-093006-0442-99&tabid=2; reference:url,www.symantec.com/connect/blogs/mariposa-butterfly; classtype:trojan-activity; sid:2010100; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET TROJAN Palevo/BFBot/Mariposa server join acknowledgement"; dsize:8; content:"|40|"; depth:1; flowbits:isset,ET.MariposaJoin; reference:url,defintel.com/docs/Mariposa_Analysis.pdf; reference:url,defintel.blogspot.com/2009/09/half-of-fortune-100-companies.html; reference:url,doc.emergingthreats.net/2010101; reference:url,blogs.pcmag.com/securitywatch/2009/09/botnet_reported_loose_in_fortu.php; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2009-093006-0442-99&tabid=2; reference:url,www.symantec.com/connect/blogs/mariposa-butterfly; classtype:trojan-activity; sid:2010101; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mcboo.com/Bundlext.com related Trojan Checkin URL"; flow:established,to_server; content:"/ack.php?version="; http_uri; content:"&uid="; http_uri; content:"&status="; http_uri; reference:url,doc.emergingthreats.net/2008758; classtype:trojan-activity; sid:2008758; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 6990:6999 (msg:"ET TROJAN Medbod UDP Phone Home Packet"; dsize:<50; content:"ebex"; nocase; pcre:"/\x06\x00?$/"; reference:url,doc.emergingthreats.net/2007949; classtype:trojan-activity; sid:2007949; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MEREDROP/micr0s0fts.cn Related Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/update.asp"; http_uri; content:"ver="; http_client_body; depth:4; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; http_client_body; reference:url,doc.emergingthreats.net/2008891; classtype:trojan-activity; sid:2008891; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Metajuan trojan checkin"; flow:established,to_server; content:"trafc-2/rfe"; nocase; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2007-030112-0714-99; reference:url,doc.emergingthreats.net/2007811; classtype:trojan-activity; sid:2007811; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.MisleadApp Fake Security Product Install"; flow:established,to_server; content:"GET"; nocase; http_method; content:"hash?http"; nocase; http_uri; pcre:"/\/(ucleaner|udefender|ufixer)\.com\/demo\.php\?/Ui"; reference:url,doc.emergingthreats.net/2007566; classtype:trojan-activity; sid:2007566; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Monkif Downloader Checkin"; flow:to_server,established; content:"/cgi/"; http_uri; content:".php?"; nocase; http_uri; content:"x640<x"; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fMonkif.C; reference:url,doc.emergingthreats.net/2009126; classtype:trojan-activity; sid:2009126; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Monkif/DlKroha Trojan Activity HTTP Outbound"; flow:to_server,established; content:".php?"; http_uri; content:"4x4x4x4x4x6x"; fast_pattern:only; http_uri; reference:url,doc.emergingthreats.net/2009752; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fMonkif.C; classtype:trojan-activity; sid:2009752; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.MyDNS DNSChanger - HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|0d 0a|Cache-Control|3a 20|no-cache|0d 0a|"; http_header; content:"|0d 0a|r="; nocase; content:"&f="; nocase; content:"&p="; nocase; content:"&u="; nocase; content:"&i="; nocase; content:"&g="; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2009813; classtype:trojan-activity; sid:2009813; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Nanspy Bot Checkin"; flow:established,to_server; content:"HEAD"; nocase; http_method; content:"/bbcount.php?action="; http_uri; content:"&uid="; http_uri; content:"&locale="; http_uri; content:"&build="; http_uri; reference:url,doc.emergingthreats.net/2010158; classtype:trojan-activity; sid:2010158; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Navipromo related update"; flow:established,to_client; content:"|0d 0a|Server|3a| lighttpd|0d 0a 0d 0a|<HTML><CFG>_SYSTEM_DIR_"; reference:url,doc.emergingthreats.net/2009694; classtype:trojan-activity; sid:2009694; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Nbar.co.kr Related Trojan Checkin"; flow:established,to_server; content:"?nid_mac="; http_uri; content:"&nid_os_ver=Windows"; http_uri;content:"&nid_ie_ver="; http_uri; reference:url,doc.emergingthreats.net/2008592; classtype:trojan-activity; sid:2008592; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Comfoo Outbound Communication"; flow:established,to_server; content:"Accept-Language|3a 20|en-en|0d 0a|"; content:"|3b|Windows|20|"; fast_pattern:only; nocase; reference:url,doc.emergingthreats.net/2009125; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/; classtype:trojan-activity; sid:2009125; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 2227 (msg:"ET TROJAN Trojan-PSW.Win32.Nilage.crg Checkin"; flow:established,to_server; dsize:32; content:"|00 c0 a8 01 f4 6f 00 00 00|"; depth:12; content:"|00 00 00 05 01 28 0a|"; reference:url,doc.emergingthreats.net/2008481; classtype:trojan-activity; sid:2008481; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Nine Ball Infection ya.ru Post"; flow:established,to_server; content:"POST /"; nocase; depth:6; content:"/gate/"; http_uri; content:".php"; http_uri; content:"|0d 0a 0d 0a|"; content:"ya.ru/"; fast_pattern; distance:67; within:6; reference:url,www.martinsecurity.net/page/3; reference:url,doc.emergingthreats.net/2011186; classtype:trojan-activity; sid:2011186; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN NoBo Downloader Dropper GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| NoBo"; http_header; reference:url,www.spynomore.com/trojan-nobo-v1-3.htm; reference:url,doc.emergingthreats.net/2009443; classtype:trojan-activity; sid:2009443; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Obitel trojan calling home"; flow:established,to_server; content:"/gate.php?hash="; http_uri; content:"/gate.php?hash="; content:" HTTP/1."; distance:8; within:16; reference:url,www.abuse.ch/?p=143; reference:url,doc.emergingthreats.net/2008405; classtype:trojan-activity; sid:2008405; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Obitel Downloader Request"; flow: established,to_server; content:".php?id="; http_uri; content:"User-Agent|3a| ie|0d 0a|"; http_header; pcre:"/\.php\?id=[0-9a-f]{8}$/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fObitel.gen!A; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.ASLV&VSect=T; reference:url,doc.emergingthreats.net/2010244; classtype:trojan-activity; sid:2010244; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Downloader Activity Observed"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?id="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&tm="; nocase; http_uri; fast_pattern:only; content:"&b="; nocase; http_uri; pcre:"/\x2Ephp\x3Fid\x3D\d*\x26v\x3D\d*\x26tm\x3D\d*\x26b\x3D/iU"; reference:url,www.threatexpert.com/report.aspx?md5=38e1d644e2a16041b5ec1a02826df280; reference:url,www.threatexpert.com/report.aspx?md5=1db0c8d48a76662496af7faf581b1cf0; reference:url,doc.emergingthreats.net/2009776; classtype:trojan-activity; sid:2009776; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Checkin (1)"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"Referer|3a| "; http_header; nocase; content:!"Accept-Encoding|3a| "; nocase; http_header; content:".php?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"&id="; nocase; http_uri; content:"&b="; nocase; http_uri; content:"&tm="; nocase; http_uri; fast_pattern; reference:url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; reference:url,doc.emergingthreats.net/2010743; classtype:trojan-activity; sid:2010743; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Oficla Russian Malware Bundle C&C instruction response with runurl"; flow:established,to_client; file_data; content:"[info]runurl|3a|"; content:"|7c|taskid|3a|"; within:100; content:"|7c|delay|3a|"; within:30; content:"|7c|upd|3a|"; within:20; content:"[/info]"; distance:0; reference:url,malwarelab.org/2009/11/russian-malware-bundle/; reference:url,doc.emergingthreats.net/2010723; classtype:trojan-activity; sid:2010723; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Oficla Russian Malware Bundle C&C instruction response"; flow:established,to_client; file_data; content:"[info]kill|3a|"; content:"|7c|delay|3a|"; within:50; content:"|7c|upd|3a|"; within:20; content:"[/info]"; distance:0; reference:url,malwarelab.org/2009/11/russian-malware-bundle/; reference:url,doc.emergingthreats.net/2010724; classtype:trojan-activity; sid:2010724; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Oficla Russian Malware Bundle C&C instruction response (2)"; flow:established,to_client; file_data; content:"[info]delay|3a|"; content:"|7c|upd|3a|"; within:20; content:"[/info]"; distance:0; reference:url,malwarelab.org/2009/11/russian-malware-bundle/; reference:url,doc.emergingthreats.net/2010744; classtype:trojan-activity; sid:2010744; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN onmuz.com Infection Activity"; flow:established,to_server; content:"pid=patchup_notpid_update^on"; http_uri; content:"/logonmuz"; http_uri; reference:url,doc.emergingthreats.net/2008973; classtype:trojan-activity; sid:2008973; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Opachki Link Hijacker Traffic Redirection"; flow:established,to_server; content:"/?do=rphp"; nocase; http_uri; content:"&sub="; nocase; http_uri; content:"&b="; nocase; http_uri; content:"&q="; nocase; http_uri; content:"&orig="; nocase; http_uri; reference:url,www.secureworks.com/research/threats/opachki/?threat=opachki; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fOpachki.A; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-092213-3317-99&tabid=2; reference:url,doc.emergingthreats.net/2010224; classtype:trojan-activity; sid:2010224; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Opachki Link Hijacker HTTP Header Injection"; flow:established,to_server; content:".php?l="; fast_pattern; nocase; http_uri; content:"&u="; nocase; http_uri; content:"Accept-Encoding|3a|"; http_header; nocase; content:"Referer|3a| "; http_header; nocase; pcre:"/^Accept-Encoding\x3a\s+([a-z])\1{3}/Hmi"; reference:url,www.secureworks.com/research/threats/opachki/?threat=opachki; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fOpachki.A; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-092213-3317-99&tabid=2; reference:url,doc.emergingthreats.net/2010283; classtype:trojan-activity; sid:2010283; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Optix Pro Trojan/Keylogger Reporting Installation via Email"; flow:established,to_server; content:"Optix Pro v"; content:"Installed Trojan Port|3a|"; distance:0; reference:url,en.wikipedia.org/wiki/Optix_Pro; classtype:trojan-activity; sid:2008212; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Optix Pro Trojan/Keylogger Reporting Installation via HTTP-Email Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"to="; http_client_body; depth:3; content:"Optix Pro v"; http_client_body; content:" Server Online"; http_client_body; reference:url,en.wikipedia.org/wiki/Optix_Pro; reference:url,doc.emergingthreats.net/2008218; classtype:trojan-activity; sid:2008218; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Overtoolbar.net Backdoor ICMP Checkin Request"; dsize:9; icode:0; itype:8; content:"Echo This"; reference:url,doc.emergingthreats.net/2009130; classtype:trojan-activity; sid:2009130; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Overtoolbar.net Backdoor ICMP Checkin Response"; dsize:9; icode:0; itype:0; content:"Echo This"; reference:url,doc.emergingthreats.net/2009131; classtype:trojan-activity; sid:2009131; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - Trojan.Proxy.PPAgent.t (updatea)"; flow:to_server,established; content:"/updatea.php?p="; nocase; http_uri; pcre:"/updatea\.php\?p=\d/Ui"; flowbits:set,BT.ppagent.updatea; flowbits:noalert; reference:url,original.avira.com/en/threats/vdf_history.html?id_vdf=2738; reference:url,doc.emergingthreats.net/2003115; classtype:trojan-activity; sid:2003115; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - Trojan.Proxy.PPAgent.t (updateb)"; flowbits:isset,BT.ppagent.updatea; flow:to_server,established; content:"/updateb.php?p="; nocase; http_uri; pcre:"/updateb.php?p=\d/Ui"; flowbits:unset,BT.ppagent.updatea; reference:url,original.avira.com/en/threats/vdf_history.html?id_vdf=2738; reference:url,doc.emergingthreats.net/2003116; classtype:trojan-activity; sid:2003116; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET TROJAN Prg Trojan Server Reply"; flow:to_client,established; content:"HTTP"; depth:4; content:"|0d0a|Hall|3a|"; depth:512; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2003183; classtype:trojan-activity; sid:2003183; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Prg Trojan HTTP POST v1"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php?2="; http_uri; content:"&n="; http_uri; content:"&v="; http_uri; content:"&i="; http_uri; content:"&sp="; http_uri; content:"&lcp="; http_uri; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2007688; classtype:trojan-activity; sid:2007688; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Prg Trojan HTTP POST version 2"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php?1="; http_uri; content:"&i="; http_uri; pcre:"/\.php\?1=[a-z0-9]+_[a-z0-9_]+&i=/Ui"; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2007724; classtype:trojan-activity; sid:2007724; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PRG/wnspoem/Zeus InfoStealer Trojan Config Download"; flow:established; content:"/cfg.bin"; nocase; http_uri; fast_pattern; content:"GET"; http_method; nocase; content:"no-cache|0d 0a|"; http_header; nocase; pcre:"/\/cfg\.bin$/Ui"; reference:url,doc.emergingthreats.net/2008100; classtype:trojan-activity; sid:2008100; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LDPinch Checkin (3)"; flow:established,to_server; content:"a="; offset:0; depth:2; content:"&b=Passes from"; distance:0; content:"&c="; distance:0; reference:url,doc.emergingthreats.net/2007862; classtype:trojan-activity; sid:2007862; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN LDPinch SMTP Password Report"; flow:established,to_server; content:"Subject|3a| Passes from"; nocase; fast_pattern; content:"application/octet-stream|3b|"; content:".bin"; distance:0; within:100; reference:url,doc.emergingthreats.net/2008034; classtype:trojan-activity; sid:2008034; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 82 (msg:"ET TROJAN LD Pinch Checkin (HTTP POST on port 82)"; flow:established,to_server; content:"POST "; nocase; depth:5; content:".php"; content:"a="; content:"&b="; content:"&d="; content:"&c="; nocase; reference:url,doc.emergingthreats.net/2008366; classtype:trojan-activity; sid:2008366; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN LDPinch SMTP Password Report with mail client The Bat!"; flow:established,to_server; content:"X-Mailer|3a| The Bat!"; fast_pattern; content:"|0d 0a|Content-Disposition|3a| attachment|3b|"; content:!"|0d 0a|Subject|3a| Undeliverable|3a|"; reference:url,doc.emergingthreats.net/2008411; classtype:trojan-activity; sid:2008411; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET [587,25] (msg:"ET TROJAN LDPinch Reporting infection via Email"; flow:established,to_server; content:"X-Mailer|3a| Blat v2.6.2 w/GSS encryption, a Win32 SMTP/NNTP mailer http|3a|//www.blat.net|0d 0a|"; content:"|0d 0a|Subject|3a| Contents of file|3a| WINDOWS/system32/"; distance:0; reference:url,doc.emergingthreats.net/2009242; classtype:trojan-activity; sid:2009242; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN PWS Banker Trojan Sending Report of Infection"; flow: established,to_server; content:"From|3a 20 22|PC ID|3a|"; nocase; content:"Subject|3a| INFECTED"; nocase; content:"esta infectado"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pwsteal.banker.b.html; reference:url,doc.emergingthreats.net/2001933; classtype:trojan-activity; sid:2001933; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Password Stealer User Agent Detected (RookIE)"; flow:established,to_server; content:"User-Agent|3a| RookIE"; http_header; reference:url,doc.emergingthreats.net/2003635; classtype:trojan-activity; sid:2003635; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-PWS.Win32.VB.tr Checkin Detected"; flow:established,to_server; content:"POST"; nocase; http_method; content:".asp"; http_uri; content:"id="; content:"&tit="; content:"&comm"; content:"Run|2B|Successfully"; fast_pattern; reference:url,doc.emergingthreats.net/2008506; classtype:trojan-activity; sid:2008506; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Banito/Agent.pb Pass Stealer Email Report Outbound"; flow:established,to_server; content:"Subject|3a| Vip Passw0rds|0d 0a 0d 0a|Victim Name |3a| "; content:"|0d 0a|######## ICQ PASSWORDS ########"; distance:0; within:70; reference:url,doc.emergingthreats.net/2008551; classtype:trojan-activity; sid:2008551; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Generic PSW Agent server reply"; flow:from_server,established; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"|0d 0a|[Uptade]|0d 0a|Web="; content:"|0d 0a|[Guncellestirme]|0d 0a|Version="; within:100; reference:url,doc.emergingthreats.net/2008662; classtype:trojan-activity; sid:2008662; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Trojan-PWS.Win32.Small.gs Passwords leak over FTP"; flow:established,to_server; content:"IE7 Passwords|3a|"; depth:14; content:"FF Passwords"; within:500; reference:url,doc.emergingthreats.net/2008841; classtype:trojan-activity; sid:2008841; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Password Stealer (PSW.Win32.Magania Family) GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:"pass="; http_uri; content:"type="; http_uri; content:"host="; http_uri; content:"port="; http_uri; content:"name="; http_uri; content:"pc="; http_uri; content:"user="; http_uri;content:"ip="; http_uri; content:"version="; http_uri; content:"User-Agent|3a| NR"; http_header; reference:url,www.f-secure.com/v-descs/trojan-psw_w32_magania.shtml; reference:url,www.threatexpert.com/reports.aspx?find=Trojan-PWS.Magania; reference:url,doc.emergingthreats.net/2009094; classtype:trojan-activity; sid:2009094; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes Update Detected"; flow:established,to_server; content:".php?wm="; nocase; http_uri; content:"&ucid="; nocase; http_uri; content:"&e="; http_uri; reference:url,doc.emergingthreats.net/2007768; classtype:trojan-activity; sid:2007768; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pushdo Update URL Detected"; flow:established,to_server; content:"/40E800"; nocase; http_uri; content:"C00000"; nocase; http_uri; reference:url,doc.emergingthreats.net/2007771; classtype:trojan-activity; sid:2007771; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes/Cutwail/Kobcka Checkin URL"; flow:established,to_server; content:"/firstrun.php?product="; nocase; http_uri; content:"&aff="; nocase; http_uri; content:"&update="; nocase; http_uri; content:"User-Agent|3a| Mozilla|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008152; classtype:trojan-activity; sid:2008152; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes Winifixer.com Related Checkin URL"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php?affid="; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"&tm="; nocase; http_uri; content:"User-Agent|3a| Internet Explorer|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008277; classtype:trojan-activity; sid:2008277; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwail/Kobcka Checkin Detected High Ports"; flow:established,to_server; dsize:<160; content:"GET /?bot_id=0&mode=1"; depth:21; content:"Host|3a| "; distance:0; reference:url,doc.emergingthreats.net/2008358; classtype:trojan-activity; sid:2008358; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Razy Variant Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"?m="; http_uri; content:"&a="; http_uri; content:"&os="; http_uri; content:"&ComPut="; http_uri; fast_pattern; content:!"User-Agent|3a| "; http_header; content:!"360safe.com"; http_header; reference:url,doc.emergingthreats.net/2008433; classtype:trojan-activity; sid:2008433; rev:8; metadata:created_at 2010_07_30, updated_at 2016_11_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Parite Setup Connection (tqzn.com related)"; flow:established,to_server; content:"/barbindsoft/barsetup.exe?queryid="; http_uri; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2009108; classtype:trojan-activity; sid:2009108; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2010_07_30, malware_family Parite, updated_at 2017_07_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PassSickle Reporting User Activity"; flow:established,to_server; content:".php?id="; nocase; http_uri; content:"&data="; nocase; http_uri; content:"PassSickle"; http_header; nocase; pcre:"/^User-Agent\:[^\n]+PassSickle/Hmi"; reference:url,doc.emergingthreats.net/2002859; classtype:trojan-activity; sid:2002859; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Pasta Downloader - GET Checkin to Fake GIF"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"c.gif?"; nocase; http_uri; content:!"__utm.gif?"; http_uri; content:".gif?"; nocase; http_uri; content:"t="; nocase; http_uri; content:"q="; nocase; http_uri; content:"p="; nocase; http_uri; content:"pn="; nocase; http_uri; reference:url,malwarebytes.org/malwarenet.php?name=Trojan.Pasta; reference:url,doc.emergingthreats.net/2009522; classtype:trojan-activity; sid:2009522; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1900 (msg:"ET TROJAN Backdoor.Win32/PcClient.ZL Checkin"; flow:established,to_server; content:"|00 00 00 10 c8 00 00 00 b0 ff|"; depth:10; reference:url,doc.emergingthreats.net/2008920; classtype:trojan-activity; sid:2008920; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PcClient Backdoor Checkin Packet 1"; flow:established,to_server; dsize:4; content:"|82 87 99 45|"; flowbits:set,ET.PcClient; flowbits:noalert; reference:url,doc.emergingthreats.net/2009238; classtype:trojan-activity; sid:2009238; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PcClient Backdoor Checkin"; flowbits:isset,ET.PcClient; flow:established,to_server; dsize:248; content:"|52 0d 12 12|"; depth:4; flowbits:noalert; reference:url,doc.emergingthreats.net/2009239; classtype:trojan-activity; sid:2009239; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN PECompact2 Packed Binary - Sometimes Hostile"; flow:from_server,established; content:"|74 65 78 74|"; content:"|50 45 43 32|"; within:40; reference:url,www.bitsum.com/pecompact.shtml; reference:url,bits.packetninjas.org/eblog/?p=306; reference:url,doc.emergingthreats.net/2008547; classtype:trojan-activity; sid:2008547; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Perfect Keylogger FTP Initial Install Log Upload"; flow:established,to_server; content:"Congratulations! Perfect Kelogger was successfully installed"; depth:63; reference:url,doc.emergingthreats.net/2007973; classtype:trojan-activity; sid:2007973; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587,2525] (msg:"ET TROJAN Perfect Keylogger Install Email Report"; flow:established,to_server; content:"Subject|3a| Perfect Keylogger was installed successfully|3a|"; fast_pattern:7,20; reference:url,doc.emergingthreats.net/2008893; classtype:trojan-activity; sid:2008893; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Perfect Keylogger FTP Log Upload"; flow:established,to_server; content:"Log upload date|3a| "; depth:17; content:"|0d 0a|Time|3a| "; within:40; content:"To view DAT files, please do the following steps|3a|"; distance:0; reference:url,doc.emergingthreats.net/2007974; classtype:trojan-activity; sid:2007974; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Perfect Keylogger FTP Initial Install Log Upload (Null obfuscated)"; flow:established,to_server; content:"C|00|o|00|n|00|g|00|r|00|a|00|t|00|u|00|l|00|a|00|t|00|i|00|o|00|n|00|s|00|!|00| |00|P|00|e|00|r|00|f|00|e|00|c|00|t|00| |00|K|00|e|00|l|00|o|00|g|00|g|00|e|00|r|00| |00|w|00|a|00|s|00| |00|s|00|u|00|c|00|c|00|e|00|s|00|s|00|f|00|u|00|l|00|l|00|y|00| |00|i|00|n|00|s|00|t|00|a|00|l|00|l|00|e|00|d|00|"; reference:url,doc.emergingthreats.net/2008327; classtype:trojan-activity; sid:2008327; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Personal Defender 2009 - prinimalka.py"; flow:established,to_server; content:"/prinimalka.py"; http_uri; reference:url,malwarebytes.besttechie.net/2008/11/03/removal-instructions-for-personal-defender-2009/; reference:url,doc.emergingthreats.net/2009405; classtype:trojan-activity; sid:2009405; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Personal Defender 2009 - trash.py"; flow:established,to_server; content:"/trash.py"; http_uri; reference:url,malwarebytes.besttechie.net/2008/11/03/removal-instructions-for-personal-defender-2009/; reference:url,doc.emergingthreats.net/2009406; classtype:trojan-activity; sid:2009406; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert icmp any any -> any any (msg:"ET TROJAN Philis.J ICMP Sweep (Payload Hello World)"; icode:0; itype:0; dsize:11; content:"Hello,World"; metadata: former_category TROJAN; reference:url,vil.nai.com/vil/content/v_141203.htm; reference:url,doc.emergingthreats.net/2008017; classtype:trojan-activity; sid:2008017; rev:4; metadata:created_at 2010_07_30, updated_at 2017_05_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Phoenix Exploit Kit Facebook phishing page payload could be ZeuS"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/LoginFacebook.php"; http_uri; pcre:"/\/[a-z]{2}[0-9]{3}[a-z]{2}\/LoginFacebook\.php$/U"; reference:url,malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html; reference:url,doc.emergingthreats.net/2011121; classtype:trojan-activity; sid:2011121; rev:5; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Phoenix Exploit Kit pdfopen.pdf"; flow:established,to_server; content:"pdfopen.pdf"; http_uri; reference:url,doc.emergingthreats.net/2011180; classtype:trojan-activity; sid:2011180; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Phoenix Exploit Kit pdfswf.pdf"; flow:established,to_server; content:"pdfswf.pdf"; http_uri; reference:url,doc.emergingthreats.net/2011181; classtype:trojan-activity; sid:2011181; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Phoenix Exploit Kit - libtiff.pdf"; flow:established,to_server; content:"libtiff.pdf"; http_uri; reference:url,doc.emergingthreats.net/2011182; classtype:trojan-activity; sid:2011182; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Phoenix Exploit Kit VBscript download"; flow:established,to_client; content:"Createobject(StrReverse("; nocase; content:"|22|tcejbOmetsySeliF.gnitpircS|22|))"; nocase; distance:0; flowbits:set,et.exploitkitlanding; reference:url,doc.emergingthreats.net/2011184; classtype:trojan-activity; sid:2011184; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Piptea.a Related Trojan Checkin (1)"; flow:established,to_server; content:"/cd/cd.php?id="; http_uri; content:"&ver="; http_uri; pcre:"/\/cd\/cd\.php.id=[A-F0-9\-]+&ver=/U"; reference:url,doc.emergingthreats.net/2008382; classtype:trojan-activity; sid:2008382; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Piptea.a Related Trojan Checkin (2)"; flow:established,to_server; content:"/cd/un2.php?id="; http_uri; content:"&ver="; http_uri; pcre:"/\/cd\/un2\.php.id=[A-F0-9\-]+&ver=/U"; reference:url,doc.emergingthreats.net/2008383; classtype:trojan-activity; sid:2008383; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Piptea.a Related Trojan Checkin (3)"; flow:established,to_server; content:"/cd/un.php?id="; http_uri; content:"&ver="; http_uri; pcre:"/\/cd\/un\.php.id=[A-F0-9\-]+&ver=/U"; reference:url,doc.emergingthreats.net/2008384; classtype:trojan-activity; sid:2008384; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PlayMP3z.biz Related Spyware/Trojan Install Report"; flow:established,to_server; content:"?stage=setup&application="; http_uri; content:"&campaign="; http_uri; content:"&code="; http_uri; content:"&version="; http_uri; reference:url,doc.emergingthreats.net/2008626; classtype:trojan-activity; sid:2008626; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Poebot Related User Agent (SPM_ID=)"; flow:established,to_server; content:"User-Agent|3a| SPM_ID="; http_header; nocase; reference:url,doc.emergingthreats.net/2006391; classtype:trojan-activity; sid:2006391; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pointfree.co.kr Trojan/Spyware Infection Checkin"; flow:established,to_server; content:"log.php?mac="; http_uri; content:"&hdd="; content:"&ver="; http_uri; content:"&ie="; http_uri; content:"&win="; http_uri; reference:url,doc.emergingthreats.net/2008972; classtype:trojan-activity; sid:2008972; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pointpack.kr Related Trojan Checkin"; flow:established,to_server; content:"php?"; http_uri; content:"kind="; http_uri; content:"&pid="; http_uri; content:"&ver="; http_uri; content:"&uniq="; http_uri; content:"&addresses="; http_uri; content:"&hdmacid="; http_uri;content:"&dllver="; http_uri; content:"&subv="; http_uri; reference:url,doc.emergingthreats.net/2008260; classtype:trojan-activity; sid:2008260; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 3460 (msg:"ET TROJAN PoisonIvy Key Exchange with CnC Init"; flow:established,to_server; dsize:256; flowbits:set,ET.Poison1; flowbits:noalert; reference:url,doc.emergingthreats.net/2008380; classtype:trojan-activity; sid:2008380; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2010_07_30, malware_family PoisonIvy, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 3460 -> $HOME_NET any (msg:"ET TROJAN PoisonIvy Key Exchange with CnC Response"; flow:established,from_server; dsize:256; flowbits:isset,ET.Poison1; reference:url,doc.emergingthreats.net/2008381; classtype:trojan-activity; sid:2008381; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2010_07_30, malware_family PoisonIvy, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PoisonIvy RAT/Backdoor follow on POST Data PUSH Packet"; flow:established,to_server; flags:AP,12; content:"op="; depth:3; nocase; content:"&servidor="; nocase; content:"&senha="; nocase; content:"&usuario="; nocase; content:"&base="; nocase; content:"&sgdb="; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPoisonivy.I&ThreatID=-2147363597; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=133781; reference:url,doc.emergingthreats.net/2009806; classtype:trojan-activity; sid:2009806; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2010_07_30, malware_family PoisonIvy, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Chorns/PoisonIvy related Backdoor Initial Connection"; flow:established; dsize:12; content:"/FIRSTINF/|0d0a|"; reference:url,doc.emergingthreats.net/2010344; reference:md5,9fbd691ffdb797cebe8761006b26b572; classtype:trojan-activity; sid:2010344; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2010_07_30, malware_family PoisonIvy, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Chorns/PoisonIvy related Backdoor Keep Alive"; flow:established; dsize:12; content:"/AVAILABL/|0d0a|"; reference:url,doc.emergingthreats.net/2010345; reference:md5,9fbd691ffdb797cebe8761006b26b572; classtype:trojan-activity; sid:2010345; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2010_07_30, malware_family PoisonIvy, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TROJ_PROX.AFV POST"; flow:to_server,established; content:"POST"; nocase; http_method; content:".php"; nocase; http_uri; content:"=|22|sid|22|"; http_client_body; nocase; content:"=|22|up|22|"; http_client_body; nocase; content:"=|22|wbfl|22|"; http_client_body; nocase; content:"=|22|v|22|"; http_client_body; nocase; content:"=|22|ping|22|"; http_client_body; nocase; content:"=|22|guid|22|"; http_client_body; nocase; reference:url,trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FPROXY%2EAFV&VSect=T; reference:url,doc.emergingthreats.net/2007728; classtype:trojan-activity; sid:2007728; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Proxy.Win32.Agent.mx CnC Beacon"; flow:established,to_server; content:"q.php"; nocase; http_uri; content:"&m="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"&x="; nocase; http_uri; content:"&i="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006405; classtype:trojan-activity; sid:2006405; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Proxy.Win32.Agent.mx (2)"; flow:established,to_server; content:"q.php"; fast_pattern; nocase; http_uri; content:!".chartbeat.net"; nocase; http_header; content:"&p="; nocase; http_uri; content:"&x="; nocase; http_uri; content:"&i="; nocase; http_uri; content:"&t="; nocase; http_uri; content:"&o="; nocase; http_uri; content:"&v="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006406; classtype:trojan-activity; sid:2006406; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ProxyBot Phone Home Traffic"; flow:established,to_server; content:"ind.php?p="; http_uri; content:"&uid="; http_uri; reference:url,doc.emergingthreats.net/2008244; classtype:trojan-activity; sid:2008244; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pushdo Checkin"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"m="; http_uri; content:"&a="; http_uri; content:"&os="; http_uri; pcre:"/&os=[a-f0-9]{50}/U"; reference:url,doc.emergingthreats.net/2008493; classtype:trojan-activity; sid:2008493; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Qhosts Trojan Check-in"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"UserID="; http_client_body; content:"&wv="; http_client_body; content:"&res="; http_client_body; content:"&lng="; fast_pattern; http_client_body; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-100116-5901-99; reference:url,doc.emergingthreats.net/2009517; classtype:trojan-activity; sid:2009517; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN RLPacked Binary - Likely Hostile"; flow:from_server,established; content:"|2E 70 61 63 6B 65 64|"; content:"|2E 52 4C 50 61 63 6B|"; within:50; reference:url,rlpack.jezgra.net; reference:url,www.teamfurry.com/wordpress/2007/04/01/unpacking-rlpack/; reference:url,doc.emergingthreats.net/2008285; classtype:trojan-activity; sid:2008285; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Rcash.co.kr Bootup Checkin via HTTP"; flow:established,to_server; content:"/install/Boot.asp?macaddr="; nocase; http_uri; content:"&partner="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007807; classtype:trojan-activity; sid:2007807; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN RegHelper Installation"; flow:established,to_server; content:"GET"; nocase; http_method; content:"start="; http_uri; content:"&Edition="; http_uri; content:"&RHRTVersion="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008376; classtype:trojan-activity; sid:2008376; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN Trojan.Win32.Regrun.ro FTP connection detected"; flow:established,to_server; content:"RETR k3ylogger.txt|0d 0a|"; depth:21; reference:url,doc.emergingthreats.net/2008733; classtype:trojan-activity; sid:2008733; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Renos/ssd.com HTTP Checkin"; flow:established,to_server; content:"/dlp.php?"; nocase; http_uri; content:"&m="; nocase; http_uri; content:"&ydf="; nocase; http_uri; content:"&e="; nocase; http_uri; content:"&w=___"; nocase; http_uri; content:"&t="; nocase; http_uri; content:"&apzx="; nocase; http_uri; content:"&apz="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007834; classtype:trojan-activity; sid:2007834; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN RhiFrem Trojan Activity - cmd"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?mod=cmd&user="; http_uri; content:"User-Agent|3A|  Mozilla/5.0 Gecko/20050212 Firefox/1.5.0.2"; http_header; pcre:"/^GET\x20[^\x0D\x0A]+\x3Fmod\x3Dcmd\x26user\x3D\w+[^\x0D\x0A]*\x20HTTP\x2F1\x2E0\x0D\x0A.*\x0D\x0AHost\x3A\x20\w/"; reference:url,www.castlecops.com/U_S_Courts_phish792683.html; reference:url,doc.emergingthreats.net/2008139; classtype:trojan-activity; sid:2008139; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN RhiFrem Trojan Activity - log"; flow:to_server,established; content:"POST"; nocase; http_method; content:"?mod=log&user="; fast_pattern; http_uri; content:"User-Agent|3A| Mozilla/5.0 Gecko/20050212 Firefox/1.5.0.2"; http_header; pcre:"/^POST\x20[^\x0D\x0A]+\x3Fmod\x3Dlog\x26user\x3D\w+[^\x0D\x0A]*\x20HTTP\x2F1\x2E0\x0D\x0A.*\x0D\x0AHost\x3A\x20\w+.*\x0D\x0A\x0D\x0Acurr\x3D.*\x26next\x3D/"; reference:url,www.castlecops.com/U_S_Courts_phish792683.html; reference:url,doc.emergingthreats.net/2008140; classtype:trojan-activity; sid:2008140; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Runner/Bublik Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"G="; http_client_body; nocase; content:"&PG="; http_client_body; nocase; content:"&EPBB="; http_client_body; nocase; content:!"User-Agent|3a|"; http_header; reference:url,www.spywarecease.com/spyware-list/Spyware_Trojan.Win32.Runner.s.html; reference:url,www.threatexpert.com/threats/trojan-win32-runner.html; reference:md5,6d2919a92d7dda22f4bc7f9a9b15739f; classtype:trojan-activity; sid:2009711; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SafeFighter Fake Scanner Installation in Progress"; flow:established,to_server; content:"/safefighter.php"; nocase; http_uri; content:"User-Agent|3a| NSIS"; nocase; http_header; reference:url,doc.emergingthreats.net/2010065; classtype:trojan-activity; sid:2010065; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sasfis Botnet Client Reporting Back to Controller After Command Execution"; flow:established,to_server; content:"/bb.php"; nocase; fast_pattern:only; http_uri; content:"id="; nocase; http_uri; content:"v="; nocase; http_uri; content:"tm="; nocase; http_uri; content:"b="; nocase; http_uri; reference:url,www.fortiguard.com/analysis/sasfisanalysis.html; reference:url,doc.emergingthreats.net/2010756; classtype:trojan-activity; sid:2010756; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET TROJAN Saturn Proxy Initial Outbound Checkin (404.txt)"; flow:established,to_server; dsize:<50; content:"GET /404.txt HTTP/1.0"; depth:21; flowbits:set,ET.saturn.checkin; reference:url,doc.emergingthreats.net/2007751; classtype:trojan-activity; sid:2007751; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 8080 -> $HOME_NET any (msg:"ET TROJAN Saturn Proxy Checkin Response"; flow:established,from_server; flowbits:isset,ET.saturn.checkin; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"Encryption|3a| on|0d 0a|"; depth:16; reference:url,doc.emergingthreats.net/2007752; classtype:trojan-activity; sid:2007752; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Saturn Proxy C&C Activity"; flow:established,from_server; dsize:12; content:"|2d 00 00 00|"; offset:0; depth:4; content:"|00 00 55 00 00 00|"; distance:2; reference:url,doc.emergingthreats.net/2007753; classtype:trojan-activity; sid:2007753; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Scar Downloader Request"; flow:established,to_server; content:"/tasksz.php?"; fast_pattern:only; http_uri; content:"User-Agent|3a| Google Bot|0d 0a|"; http_header; pcre:"/\/tasksz\.php\?(?:dc|load)/U"; reference:url,www.f-secure.com/v-descs/trojan_w32_scar_a.shtml; reference:url,doc.emergingthreats.net/2010288; classtype:trojan-activity; sid:2010288; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Shark Pass Stealer Email Report"; flow:established,to_server; content:"|0d 0a|Subject|3a| Codesoft PW Stealer "; content:"|0d 0a 0d 0a|Codesoft PW Stealer File "; distance:0; content:"filename=|22|"; distance:0; content:".log|22 0d 0a|"; distance:0; within:20; reference:url,doc.emergingthreats.net/2007992; classtype:trojan-activity; sid:2007992; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SickleBot Reporting User Activity"; flow:established,to_server; content:"GET"; http_method; content:"id="; nocase; http_uri; content:"User-Agent|3a| SickleBot"; http_header; reference:url,doc.emergingthreats.net/2002776; classtype:trojan-activity; sid:2002776; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.SillyFDC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php"; nocase; http_uri; content:"getowner=1&uniqueid="; http_uri; content:"User-Agent|3a| WinHttp.WinHttpRequest"; http_header; reference:url,doc.emergingthreats.net/2010268; classtype:trojan-activity; sid:2010268; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Silon Encrypted Data POST to C&C"; flow:established,to_server; content:".php?i="; nocase; http_uri; content:"&k="; nocase; http_uri; pcre:"/\.php\?i=\w+_[0-9A-F]{8}&k=\d+$/Ui"; reference:url,www.trusteer.com/webform/w32silon-malware-analysis; reference:url,doc.emergingthreats.net/2010201; classtype:trojan-activity; sid:2010201; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan Sinowal/Torpig Phoning Home"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"/ld/"; nocase; http_uri; content:".php"; nocase; http_uri; content:"id="; http_uri; content:"&n="; http_uri; content:"&try="; http_uri; reference:url,doc.emergingthreats.net/2008580; classtype:trojan-activity; sid:2008580; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Small.zon checkin"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"?n="; http_uri; content:"&id="; http_uri; content:"&t="; http_uri; content:"&i="; http_uri; pcre:"/\?n=\d+&id=.+&t=.+&i=\d/Ui"; reference:url,doc.emergingthreats.net/2009300; classtype:trojan-activity; sid:2009300; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Snatch Reporting User Activity"; flow:established,to_server; content:"/snatch/module"; http_uri; content:"User-Agent|3a 20|Snatch-System"; http_header; reference:url,doc.emergingthreats.net/2003515; classtype:trojan-activity; sid:2003515; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Social-bos.biz related trojan checkin (trackid=hex)"; flow:established,to_server; content:".php?trackid="; http_uri; content:"706172616D3D636D64266C616E673D"; http_uri; reference:url,doc.emergingthreats.net/2008545; classtype:trojan-activity; sid:2008545; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN 3alupKo/Win32.Socks.n Related Checkin URL"; flow:established,to_server; content:".php?"; http_uri; content:"&v="; http_uri; content:"&s="; http_uri; content:"&cip="; http_uri; content:"&lid="; http_uri; fast_pattern; reference:url,doc.emergingthreats.net/2008280; classtype:trojan-activity; sid:2008280; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN 3alupKo/Win32.Socks.n Related Checkin URL (2)"; flow:established,to_server; content:"/?&v="; http_uri; content:"&s="; http_uri; content:"&cip="; http_uri; content:"&lid="; http_uri; reference:url,doc.emergingthreats.net/2008393; classtype:trojan-activity; sid:2008393; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN 3alupKo/Win32.Socks.n Related Checkin URL (3)"; flow:established,to_server; content:"&ns="; http_uri; content:"&id="; http_uri; content:"User-Agent|3a| Mozilla|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008395; classtype:trojan-activity; sid:2008395; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zalupko/Koceg/Mandaph manda.php Checkin"; flow:established,to_server; content:"/manda.php?"; nocase; http_uri; content:"ns="; nocase; http_uri; content:"&id="; nocase; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2; reference:url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9; reference:url,doc.emergingthreats.net/2008324; classtype:trojan-activity; sid:2008324; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zalupko/Koceg/Mandaph HTTP Checkin (2)"; flow:established,to_server; content:"/manda.php?"; http_uri; content:"id="; nocase; http_uri; content:"&v="; nocase; http_uri; pcre:"/\/manda\.php\?id=(-)?\d{9,10}&v=\w/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2; reference:url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9; reference:url,doc.emergingthreats.net/2010765; classtype:trojan-activity; sid:2010765; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Socks666 Connection Initial Packet"; flow:established,to_server; dsize:24; content:"|9a 02 06 00|"; offset:0; depth:4; flowbits:set,BS.BPcheckin; flowbits:noalert; reference:url,doc.emergingthreats.net/2006396; classtype:trojan-activity; sid:2006395; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Socks666 Connect Command Packet"; flowbits:isset,BS.BPcheckin; flow:established,from_server; dsize:10; content:"|9a 02 07 00|"; offset:0; depth:4; flowbits:set,BS.BPset; reference:url,doc.emergingthreats.net/2006396; classtype:trojan-activity; sid:2006396; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Socks666 Successful Connect Packet Packet"; flowbits:isset,BS.BPset; flow:established,to_server; dsize:16; content:"|9a 02 08 00|"; offset:0; depth:4; flowbits:set,BS.BPcheckin; tag:session,300,seconds; reference:url,doc.emergingthreats.net/2006396; classtype:trojan-activity; sid:2006397; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Socks666 Checkin Packet"; flow:established,to_server; dsize:30; content:"|9a 02 01 00|"; offset:0; depth:4; flowbits:set,BS.BPcheckin1; flowbits:noalert; reference:url,doc.emergingthreats.net/2006396; classtype:trojan-activity; sid:2006398; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Socks666 Checkin Success Packet"; flowbits:isset,BS.BPcheckin1; flow:established,from_server; dsize:4; content:"|9a 02 05 00|"; offset:0; depth:4; reference:url,doc.emergingthreats.net/2006396; classtype:trojan-activity; sid:2006399; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fake.Googlebar or Softcash.org Related Post-Infection Checkin"; flow:established,to_server; content:"bl="; http_uri; content:"&cuid="; http_uri; content:"&cnid="; http_uri; content:"&luid="; http_uri; content:"&rnd="; http_uri; reference:url,doc.emergingthreats.net/2008236; classtype:trojan-activity; sid:2008236; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sohanad Checkin via HTTP"; flow:established,to_server; content:"GET"; http_method; content:"/cs/bux/check.php"; http_uri; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/2007898; classtype:trojan-activity; sid:2007898; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Spy-Net Trojan Connection"; flow:established; content:"maininfo|7c|"; depth:9; nocase; content:"|7c|"; distance:3; reference:url,doc.emergingthreats.net/2008644; classtype:trojan-activity; sid:2008644; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Spy-Net Trojan Connection (2)"; flow:established; content:"conectado|7c 0a|"; depth:11; reference:url,doc.emergingthreats.net/2008645; classtype:trojan-activity; sid:2008645; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Spyguarder.com Fake AV Install Report"; flow:established,to_server; content:"/statscnt.js?scrW="; http_uri; content:"&scrH="; http_uri; content:"&ua="; http_uri; content:"&referer="; http_uri; content:"&ref_id="; http_uri; content:"&cn_id="; http_uri; reference:url,doc.emergingthreats.net/2008911; classtype:trojan-activity; sid:2008911; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Srizbi requesting template"; flow:established,to_server; content:"GET|20|/"; depth:5; content:"|0d0a|X-Flags|3a20|"; within:200; content:"|0d0a|X-TM|3a20|"; within:20; content:"|0d0a|X-BI|3a20|"; within:20; reference:url,www.secureworks.com/research/threats/ronpaul/; reference:url,doc.emergingthreats.net/2007712; classtype:trojan-activity; sid:2007712; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Srv.SSA-KeyLogger Checkin Traffic"; flow:to_server,established; content:"Srv.SSA-KeyLogger"; http_uri; reference:url,doc.emergingthreats.net/2002175; classtype:trojan-activity; sid:2002175; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Ssppyy.com Surveillance Agent Reporting via Email"; flow:established,to_server; content:"|0d 0a|Subject|3a| SSPPYY notification|0d 0a|X=Mailer|3a| Mail|0d 0a|"; content:"The computer you are monitoring has connected online - The module name of"; distance:5; reference:url,doc.emergingthreats.net/2007780; classtype:trojan-activity; sid:2007780; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Steam Pass Stealer FTP Upload"; flow:established,to_server; dsize:33; content:"STEAM nicht eingespeichert!!!"; reference:url,doc.emergingthreats.net/2008332; classtype:trojan-activity; sid:2008332; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Steam Steal0r"; flow:established,to_server; content:"info=Steam|20|Steal0r|20|"; http_uri; fast_pattern; content:"&acc="; http_uri; content:"&pw="; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)"; http_header; nocase; reference:url,doc.emergingthreats.net/2008360; classtype:trojan-activity; sid:2008360; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Storm Worm HTTP Request"; flow:established,to_server; content:"GET "; depth:4; content:"/?"; pcre:"/GET \/\?[0-9a-f]{16}/i"; pcre:"/Host\x3a [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/i"; reference:url,doc.emergingthreats.net/2006411; classtype:trojan-activity; sid:2006411; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert icmp any any -> any any (msg:"ET TROJAN Storm Worm ICMP DDOS Traffic"; itype:8; icode:0; dsize:32; content:"abcdefghijklmnopqr|00 00|"; depth:22; threshold:type both, track by_src, count 1, seconds 60; reference:url,doc.emergingthreats.net/2007618; classtype:trojan-activity; sid:2007618; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Storm Variant HTTP Post (S)"; flow:established,to_server; content:"POST /s/ HTTP"; depth:13; nocase; content:"User-Agent|3a| Internet Explorer|0d 0a|"; http_header; content:"a="; http_client_body; depth:2; content:!"Referer|3a|"; nocase; http_header; reference:url,cyber.secdev.ca/2009/11/russian-malware-bundle; reference:url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf; reference:url,doc.emergingthreats.net/2010441; classtype:trojan-activity; sid:2010441; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Storm Variant HTTP Post (U)"; flow:established,to_server; content:"POST /u/ HTTP"; depth:13; nocase; content:"User-Agent|3a| Internet Explorer|0d 0a|"; http_header; content:"a="; http_client_body; depth:2; content:!"Referer|3a|"; nocase; http_header; reference:url,cyber.secdev.ca/2009/11/russian-malware-bundle; reference:url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf; reference:url,doc.emergingthreats.net/2010442; classtype:trojan-activity; sid:2010442; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Stormy Variant HTTP Request"; flow:established,to_server; content:"/zzu/zc.php?l="; nocase; http_uri; content:"&d="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&k="; nocase; http_uri; reference:url,doc.emergingthreats.net/2003435; classtype:trojan-activity; sid:2003435; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Stpage Checkin (nomodem)"; flow:established,to_server; content:"/nomodem.php"; http_uri; content:"if="; http_uri; content:"&am="; http_uri; content:"&cl={"; http_uri; content:"&id="; http_uri; reference:url,doc.emergingthreats.net/2008522; classtype:trojan-activity; sid:2008522; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Pragma hack Detected Outbound - Likely Infected Source"; flow:established,to_client; content:"Pragma|3a| hack/"; nocase; http_header; classtype:trojan-activity; sid:2010872; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TDSServ or Tidserv variant Checkin"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"/crcmds/main"; nocase; http_uri; reference:url,www.threatexpert.com/reports.aspx?find=%2Fcrcmds%2Fmain; reference:url,doc.emergingthreats.net/2008944; classtype:trojan-activity; sid:2008944; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Themida Packed Binary - Likely Hostile"; flow:established,from_server; content:"|2E 69 64 61 74 61 20 20|"; content:"|54 68 65 6D 64 61 20 00|"; within:49; reference:url,www.oreans.com/themida.php; reference:url,cwsandbox.org/?page=samdet&id=164533&password=wnnpi; reference:url,doc.emergingthreats.net/2008341; classtype:trojan-activity; sid:2008341; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Theoreon.com Related Trojan Checkin"; flow:established,to_server; content:"/firststart.php?pid="; nocase; http_uri; content:"&dt="; nocase; http_uri; content:"&v="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007832; classtype:trojan-activity; sid:2007832; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Downloader Tibs.jy Reporting to C&C"; flow:established,to_server; content:"/post.php"; nocase; http_uri; content:"User-Agent|3a| Mozilla/3.0b5a (Win95|3b| I)"; http_header; fast_pattern:17,20; nocase; content:"data="; nocase; reference:url,doc.emergingthreats.net/2003238; classtype:trojan-activity; sid:2003238; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Downloader Tibs.jy Reporting to C&C (2)"; flow:established,to_server; content:"/rule.php?"; nocase; http_uri; content:"name="; nocase; http_uri; content:"b="; nocase; http_uri; content:"w="; nocase; http_uri; reference:url,doc.emergingthreats.net/2003239; classtype:trojan-activity; sid:2003239; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tibs Checkin"; flow:established,to_server; content:"/cntr.php?b="; nocase; http_uri; content:"&c="; nocase; http_uri; content:"&d="; nocase; http_uri; reference:url,doc.emergingthreats.net/2002959; classtype:trojan-activity; sid:2002959; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tibs Checkin 2"; flow:established,to_server; content:"/cntr.php?e="; nocase; http_uri; content:"&x="; nocase; http_uri; reference:url,doc.emergingthreats.net/2002961; classtype:trojan-activity; sid:2002961; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Spambot-Spyware Access"; flow:established,to_server; content:"/synctl/"; nocase; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/2002963; classtype:trojan-activity; sid:2002963; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Spyware Update Download"; flow:established,to_server; content:"/synctl/task.fcgi?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"&v="; nocase; http_uri; reference:url,doc.emergingthreats.net/2002964; classtype:trojan-activity; sid:2002964; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Spambot (often Tibs) Post-Infection Checkin (justcount.net likely)"; flow:established,to_server; content:"/t/d2hsdWF3OzJ0OHY5Oj0,cyJtI"; http_uri; reference:url,doc.emergingthreats.net/2008232; classtype:trojan-activity; sid:2008232; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tibs Trojan Downloader"; flow:established,to_server; content:"GET"; http_method; content:"?dn"; nocase; http_uri; content:"&flrdr="; nocase; http_uri; content:"&nxte="; nocase; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/2008639; classtype:trojan-activity; sid:2008639; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tibs/Harnig Downloader Activity"; flow:to_server,established; content:".php?adv=adv"; http_uri; content:"User-Agent|3a| "; http_header; nocase; content:")ver"; distance:0; http_header; fast_pattern; pcre:"/^User-Agent\x3a[^\r\n]+\)ver\d+\r?$/Hmi"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fHarnig; reference:url,www.threatexpert.com/report.aspx?md5=2ce9c871a8a217cafcdce15c6c1e8dfc; reference:url,doc.emergingthreats.net/2010165; classtype:trojan-activity; sid:2010165; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tigger.a/Syzor Checkin"; flow:established,to_server; content:"POST"; depth:4; http_method; content:"/track.cgi"; http_uri; content:"u="; http_client_body; depth:2; content:"&t="; http_client_body; content:"&b="; http_client_body; content:"&v="; http_client_body; content:"&f="; http_client_body; reference:url,doc.emergingthreats.net/2009347; classtype:trojan-activity; sid:2009347; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tigger.a/Syzor Control Checkin"; flow:established,to_server; content:"/track.cgi"; http_uri; content:"POST"; depth:4; http_method; content:"u="; http_client_body; depth:2; content:"&t="; http_client_body; content:"&v="; http_client_body; content:"&f="; http_client_body; content:"&z="; http_client_body; reference:url,voices.washingtonpost.com/securityfix/2009/02/the_t-i-double-guh-r_trojan_ic.html?wprss=securityfix; reference:url,mnin.blogspot.com/2009/02/why-i-enjoyed-tiggersyzor.html; reference:url,doc.emergingthreats.net/2009096; classtype:trojan-activity; sid:2009096; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Torpig Reporting User Activity (x25)"; flow:established,to_server; content:"/x25.php"; nocase; http_uri; content:"?id="; nocase; http_uri; content:"&sv="; nocase; http_uri; content:"&ip="; nocase; http_uri; content:"&sport="; nocase; http_uri; content:"&hport="; nocase; http_uri; content:"&os="; nocase; http_uri; reference:url,www.sophos.com/virusinfo/analyses/trojtorpigr.html; reference:url,doc.emergingthreats.net/2002762; classtype:trojan-activity; sid:2002762; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Torpig Reporting User Activity (wur8)"; flow:established,to_server; content:"/wur8.php"; nocase; http_uri; content:"?id="; nocase; http_uri; content:"&sv="; nocase; http_uri; content:"&ip="; nocase; http_uri; content:"&sport="; nocase; http_uri; content:"&hport="; nocase; http_uri; content:"&os="; nocase; http_uri; reference:url,www.sophos.com/virusinfo/analyses/trojtorpigr.html; reference:url,doc.emergingthreats.net/2003066; classtype:trojan-activity; sid:2003066; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sinowal/Torpig Checkin"; flow:to_server,established; content:"GET"; http_method; content:"idcomp="; http_uri; content:"MyValue="; http_uri; content:"&load1="; http_uri; content:"&hist=downloaded_user_"; http_uri; pcre:"/MyValue=[a-f0-9]{32}/Ui"; reference:url,doc.emergingthreats.net/2010267; classtype:trojan-activity; sid:2010267; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Torpig Infection Reporting"; flow:established,to_server; content:"POST"; depth:4; http_method; content:!"User-Agent|3a| "; http_header; content:"Content-Length|3a| 0|0d 0a|"; http_header; content:"Connection|3a| close|0d 0a|"; http_header; pcre:"/^\/[0-9A-F]{16}\/[0-9A-Za-z\+\/]{100,}$/U"; reference:url,www2.gmer.net/mbr/; reference:url,www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf; reference:url,doc.emergingthreats.net/2008660; reference:url,offensivecomputing.net/?q=node/909; classtype:trojan-activity; sid:2008660; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Torpig Related Fake User-Agent (Apache (compatible...))"; flow:established,to_server; content:"User-Agent|3a| Apache (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)"; http_header; reference:url,doc.emergingthreats.net/2010823; classtype:trojan-activity; sid:2010823; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trash Family - HTTP POST"; flow:established,to_server; content:"POST"; depth:4; http_method; content:!"User-Agent|3a|"; http_header; nocase; content:"Type="; http_client_body; nocase; content:"&Dvip="; http_client_body; nocase; content:"&Mask="; http_client_body; nocase; content:"&Guid="; http_client_body; nocase; content:"&Addr="; http_client_body; nocase; content:"&Protect="; http_client_body; nocase; content:"Url"; http_client_body; nocase; content:"&OSVer="; http_client_body; nocase; reference:url,www.spywareguide.com/product_show.php?id=1935; reference:url,www.sunbeltsecurity.com/threatdisplay.aspx?name=Trojan.Trash.Gen&tid=178782&cs=03253E96A71C3EE824071E5BE3A32CCD; reference:url,doc.emergingthreats.net/2009449; classtype:trojan-activity; sid:2009449; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trats.a Post-Infection Checkin"; flow:established,to_server; content:"AID="; http_uri; content:"GUID="; nocase; http_uri; content:"POST"; depth:4; http_method; content:"|0d 0a|SPK|3a| "; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0) WinNT 5.1|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008155; classtype:trojan-activity; sid:2008155; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Turkojan C&C Initial Checkin (ams)"; flow:established,to_server; dsize:3; content:"ams"; reference:url,doc.emergingthreats.net/2008021; classtype:trojan-activity; sid:2008021; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET 81: -> $HOME_NET any (msg:"ET TROJAN Turkojan C&C Info Command (MINFO)"; flow:established,from_server; dsize:5; content:"MINFO"; reference:url,doc.emergingthreats.net/2008022; classtype:trojan-activity; sid:2008022; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 81: (msg:"ET TROJAN Turkojan C&C Info Command Response (MINFO)"; flow:established,to_server; dsize:<100; content:"MINFO|7c|"; depth:6; reference:url,doc.emergingthreats.net/2008023; classtype:trojan-activity; sid:2008023; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Turkojan C&C Logs Parse Command (LOGS1)"; flow:established,from_server; dsize:5; content:"LOGS1"; depth:5; reference:url,doc.emergingthreats.net/2008024; classtype:trojan-activity; sid:2008024; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Turkojan C&C Logs Parse Response Response (LOGS1)"; flow:established,to_server; content:"|08 00 00 00|LOGS1|5b|"; offset:0; depth:10; reference:url,doc.emergingthreats.net/2008025; classtype:trojan-activity; sid:2008025; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Turkojan C&C Keepalive (BAGLANTI)"; flow:established,to_server; dsize:9; content:"BAGLANTI?"; reference:url,doc.emergingthreats.net/2008026; classtype:trojan-activity; sid:2008026; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Turkojan C&C Browse Drive Command (BROWSC)"; flow:established,from_server; dsize:<100; content:"BROWS"; depth:5; content:"|3a|"; distance:1; within:2; reference:url,doc.emergingthreats.net/2008027; classtype:trojan-activity; sid:2008027; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Turkojan C&C Browse Drive Command Response (metin)"; flow:established,to_server; content:"|00 00|metin|0d 3a|"; offset:2; depth:11; reference:url,doc.emergingthreats.net/2008028; classtype:trojan-activity; sid:2008028; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1023: (msg:"ET TROJAN Turkojan C&C nxt Command (nxt)"; flow:established,from_server; dsize:3; content:"nxt"; depth:3; reference:url,doc.emergingthreats.net/2008029; classtype:trojan-activity; sid:2008029; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Turkojan C&C nxt Command Response (nxt)"; flow:established,from_server; dsize:16; content:"nxt|09 00 00 00|"; depth:7; offset:0; reference:url,doc.emergingthreats.net/2008030; classtype:trojan-activity; sid:2008030; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Universal1337 FTP Upload of Compromised Data"; flow:established,to_server; content:"#############|0d 0a|"; content:"###########"; distance:0; content:" Universal1337 "; distance:0; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanUniversal1337; reference:url,www.megasecurity.org/trojans/u/universal1337/Universal1337v2.html; classtype:trojan-activity; sid:2007967; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Universal1337 Email Upload of Compromised Data"; flow:established,to_server; content:"#############|0d 0a|"; content:"###########"; distance:0; content:" Universal1337 "; distance:0; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanUniversal1337; reference:url,www.megasecurity.org/trojans/u/universal1337/Universal1337v2.html; classtype:trojan-activity; sid:2007968; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Sisron/BackDoor.Cybergate.1 Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?action=add&a="; http_uri; content:"&c="; http_uri; content:"&u="; http_uri; content:"&l="; http_uri; content:"&p="; http_uri; content:!"Host|3a| whos.amung.us"; reference:url,doc.emergingthreats.net/2009458; classtype:trojan-activity; sid:2009458; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Nubjub.A HTTP Check-in "; flow:established,to_server; content:"GET"; http_method; content:".php"; http_uri; content:"?&mode="; http_uri; fast_pattern; content:"&id="; http_uri; content:"&output="; http_uri; content:"&time="; http_uri; reference:url,doc.emergingthreats.net/2009521; classtype:trojan-activity; sid:2009521; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BackDoor-EGB Check-in"; flow:established,to_server; content:"GET"; depth:3; http_method; content:".asp"; http_uri; content:"?username="; http_uri; content:"&serverMac="; http_uri; content:"&edition="; pcre:"/.asp\?username=.+&serverMac=([0-9A-F]{2}-){5}[0-9A-F]{2}&edition=/Ui"; reference:url,doc.emergingthreats.net/2009532; reference:url,home.mcafee.com/virusinfo/virusprofile.aspx?key=239060; classtype:trojan-activity; sid:2009532; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Wombot.A checkin Possible Bruteforcer for Web Forms and Accounts - HTTP POST"; flow:established,to_server; content:"POST"; http_method; content:"&ver="; http_client_body; content:"&MAX_EXECUTE_TIME="; http_client_body; fast_pattern; content:"&RELOAD_JOBS="; http_client_body; content:"&BROWSER_DELAY="; http_client_body; content:"&CONTROL_PAGE"; http_client_body; content:"&lastlogcount"; http_client_body; content:"&min_captchasize"; http_client_body; content:"&botid"; http_client_body; content:"&REG_NAME"; http_client_body; content:"&botlogin="; http_client_body; reference:url,doc.emergingthreats.net/2009830; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FWombot.A; classtype:trojan-activity; sid:2009830; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious exe.exe request - possible downloader/Oficla"; flow:to_server,established; content:"/exe.exe"; nocase; http_uri; pcre:"/\/exe\.exe$/Ui"; reference:url,anubis.iseclab.org/?action=result&task_id=11873c8979f34c8d4fd0da512df635cac&format=txt; reference:url,doc.emergingthreats.net/2010741; classtype:trojan-activity; sid:2010741; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Java Downloader likely malicious payload download src=xrun"; flow:established,to_server; content:"GET /get?src=xrun HTTP/1."; nocase; content:"|0d 0a|Request|3a| "; nocase; reference:url,www.bluetack.co.uk/forums/lofiversion/index.php/t18462.html; reference:url,doc.emergingthreats.net/2010821; classtype:trojan-activity; sid:2010821; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN smain?scout=acxc Generic Download landing"; flow:established,to_server; content:"GET"; depth:3; http_method; nocase; content:"/smain?scout=acxc"; nocase; http_uri; pcre:"/\/smain\?scout=acxc[a-z]{3}$/Ui"; reference:url,www.bluetack.co.uk/forums/lofiversion/index.php/t18462.html; reference:url,www.threatexpert.com/report.aspx?md5=513077916da4e86827a6000b40db95d5; reference:url,doc.emergingthreats.net/2010822; classtype:trojan-activity; sid:2010822; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WScript/VBScript XMLHTTP downloader likely malicious get?src="; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| Win32|3b| WinHttp.WinHttpRequest"; nocase; http_header; content:"/get?src="; nocase; http_uri; fast_pattern; content:"|0d 0a|Request|3a| "; nocase; content:"run|0d 0a|"; within:5; reference:url,www.bluetack.co.uk/forums/lofiversion/index.php/t18462.html; reference:url,doc.emergingthreats.net/2010838; classtype:trojan-activity; sid:2010838; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unruy Downloader Checkin"; flow:established,to_server; content:".php?U="; http_uri; content:"@"; http_uri; pcre:"/\.php\?U=\d+@\d+@\d+@\d+@\d+@[a-f0-9]+$/U"; reference:url,ddanchev.blogspot.com/2010/03/copyright-lawsuit-filed-against-you.html; reference:url,isc.sans.org/diary.html?storyid=8497; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.STM&VSect=T; reference:url,doc.emergingthreats.net/2010975; classtype:trojan-activity; sid:2010975; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN VMProtect Demo version Packed Binary - Likely Hostile"; flow:from_server,established; content:"|2E|rsrc|00|"; content:"vmp0|00|"; within: 50; content:"vmp1|00|"; within:50; reference:url,www.vmprotect.ru; reference:url,www.packetninjas.net; reference:url,doc.emergingthreats.net/2009019; classtype:trojan-activity; sid:2009019; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vanquish Trojan HTTP Checkin"; flow:established,to_server; content:"ip="; http_uri; content:"&v=1&s="; http_uri; content:"&h="; http_uri; content:"&kb="; http_uri; content:"&o="; http_uri; content:"&c="; http_uri; content:"&un="; http_uri; content:"&m="; http_uri; content:"&w="; http_uri; content:"&ss="; http_uri; reference:url,doc.emergingthreats.net/2007698; classtype:trojan-activity; sid:2007698; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET TROJAN Beizhu/Womble/Vipdataend Controller Keepalive"; flow:established,from_server; dsize:1; content:"d"; reference:url,doc.emergingthreats.net/2008335; classtype:trojan-activity; sid:2008335; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Vipdataend C&C Traffic Checkin variant 2"; flowbits:set,ET.vipdataend; flow:established,to_server; dsize:<22; content:"|3a|"; depth:5; offset:2; content:"|7c|win "; within:12; reference:url,doc.emergingthreats.net/2009025; classtype:trojan-activity; sid:2009025; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Vipdataend C&C Traffic - Status OK (variant 2)"; flowbits:isset,ET.vipdataend; flow:established,to_server; dsize:1; content:"1"; depth:1; reference:url,doc.emergingthreats.net/2009026; classtype:trojan-activity; sid:2009026; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN VirtualProtect Packed Binary - Likely Hostile"; flow:established,from_server; content:"|2E 72 73 72 63|"; content:"|2E 70 61 63 6B 33 32 00|"; within:49; reference:url,bits.packetninjas.org/eblog/?p=3; reference:url,doc.emergingthreats.net/2008509; classtype:trojan-activity; sid:2008509; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; content:"?sid="; http_uri; pcre:"/\?sid=[0-9A-F]{180}/U"; reference:url,doc.emergingthreats.net/2007142; classtype:trojan-activity; sid:2007142; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumonde Variant Reporting to Controller via HTTP (2)"; flow:established,to_server; content:"php?"; nocase; http_uri; content:"cmp="; nocase; http_uri; content:"&guid="; nocase; http_uri; content:"&affid="; nocase; http_uri; content:"&run="; nocase; http_uri; content:"&dn_uid="; nocase; http_uri; content:"&dn_affid="; nocase; http_uri; content:"&vm_guid="; nocase; http_uri; content:"&ip="; nocase; http_uri; content:"&altid="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007285; classtype:trojan-activity; sid:2007285; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumod/Agent.ufv/Virtumonde Get Request"; flow:established,to_server; content:"GET"; depth:3; http_method; content:".php?"; nocase; http_uri; content:"ver="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"uid="; nocase; http_uri; content:"adm="; nocase; http_uri; fast_pattern; reference:url,doc.emergingthreats.net/2008377; classtype:trojan-activity; sid:2008377; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumonde Variant Reporting to Controller via HTTP (3)"; flow:established,to_server; content:"dll.html?"; nocase; http_uri; content:"affid="; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"&guid="; nocase; http_uri; reference:url,www.threatexpert.com/reports.aspx?find=apstpldr.dll.html; reference:url,doc.emergingthreats.net/2008863; classtype:trojan-activity; sid:2008863; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 3306 (msg:"ET TROJAN Viruscatch.co.kr/Win32.Small.hvd Mysql Command and Control Connection (user viruscatch)"; flow:established,to_server; dsize:<40; content:"viruscatch|00|"; reference:url,doc.emergingthreats.net/2008573; classtype:trojan-activity; sid:2008573; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virusremover2008.com Checkin"; flow:to_server,established; content:"GET"; depth:3; http_method; nocase; content:"?action="; nocase; http_uri; content:"pc_id="; nocase; http_uri; content:"abbr="; http_uri; content:"User-Agent|3a| Statistican"; http_header; reference:url,doc.emergingthreats.net/2008527; classtype:trojan-activity; sid:2008527; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32.Virut.A joining an IRC Channel"; flow:established,to_server; content:"JOIN &virtu"; depth:27; reference:md5,06b522eacdfe51bed5d041fd672e880f; reference:url,doc.emergingthreats.net/2003603; classtype:trojan-activity; sid:2003603; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virut Counter/Check-in "; flow:established,to_server; content:"GET"; http_method; content:".asp?mac="; http_uri; content:"&ver="; http_uri; pcre:"/.asp\?mac=([0-9A-F]{2}-){5}([0-9A-F]{2})+&ver=\d/Ui"; reference:url,www.threatexpert.com/reports.aspx?find=ipk8888.cn&x=0&y=0; reference:url,doc.emergingthreats.net/2009374; classtype:trojan-activity; sid:2009374; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virut Counter/Check-in "; flow:established,to_server; content:"POST"; depth:4; http_method; content:".asp?mac="; http_uri; content:"&rw="; http_uri; content:"&ver="; http_uri; pcre:"/.asp\?mac=([0-9A-F]{2}-){5}([0-9A-F]{2})/Ui"; reference:url,www.threatexpert.com/reports.aspx?find=ipk8888.cn&x=0&y=0; reference:url,doc.emergingthreats.net/2009457; classtype:trojan-activity; sid:2009457; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virut Family GET"; flow:established,to_server; content:"GET"; http_method; content:"/lgate.php?n="; http_uri; pcre:"/n=[0-9A-F]{12,24}/Ui"; reference:url,www.f-secure.com/v-descs/virus_w32_virut.shtml; reference:url,doc.emergingthreats.net/2009444; classtype:trojan-activity; sid:2009444; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Virut - GET"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"?n="; nocase; http_uri; content:"&lastid="; nocase; http_uri; content:"&Version"; nocase; http_uri; content:"&smartpic="; nocase; http_uri; content:"&rand="; nocase; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fVirut; reference:url,www.avast.com/eng/win32-virut.html; reference:url,free.avg.com/66558; reference:url,www.threatexpert.com/threats/virus-win32-virut-ce.html; reference:url,doc.emergingthreats.net/2009808; classtype:trojan-activity; sid:2009808; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virut/Virutas/Virtob/QQHelper Dropper Family - HTTP GET"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"?SoftName="; nocase; http_uri; content:"&SoftVersion="; nocase; http_uri; content:"&UserIP"; nocase; http_uri; content:"&Mac"; nocase; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FQQHelper.gen!E&ThreatID=-2147371486; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/w32viruti.html; reference:url,www.threatexpert.com/threats/w32-virut-i.html; reference:url,doc.emergingthreats.net/2009829; classtype:trojan-activity; sid:2009829; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Visual Shock Keylogger Reporting to Controller"; flow:established,to_server; dsize:<150; content:"|00 00|Visual Shock Keylogger "; offset:10; depth:34; flowbits:set,ET.vskeylogger; reference:url,research.sunbelt-software.com/threatdisplay.aspx?threatid=42573; reference:url,doc.emergingthreats.net/2008601; classtype:trojan-activity; sid:2008601; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Visual Shock Keylogger Reporting Idle to Controller"; flowbits:isset,ET.vskeylogger; flow:established,to_server; dsize:8; content:"|08 00 00 00 00 00 00 00|"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?threatid=42573; reference:url,doc.emergingthreats.net/2008602; classtype:trojan-activity; sid:2008602; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vundo.dam http Update"; flow:established,to_server; content:"/cgi-bin/heartbeat.php"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"&affiliate_id="; nocase; http_uri; content:"&db=1"; nocase; http_uri; content:"&version="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007573; classtype:trojan-activity; sid:2007573; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vundo HTTP Pre-Install Checkin"; flow:established,to_server; content:"/app/preinstall.php?"; nocase; http_uri; content:"t_uid="; nocase; http_uri; content:"&t_pid="; nocase; http_uri; content:"&t_mac="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007989; classtype:trojan-activity; sid:2007989; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vundo HTTP Post-Install Checkin"; flow:established,to_server; content:"/app/install_done.php?"; nocase; http_uri; content:"t_uid="; nocase; http_uri; content:"&t_pid="; nocase; http_uri; content:"&t_mac="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007990; classtype:trojan-activity; sid:2007990; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vundo HTTP Post-Install Checkin (2)"; flow:established,to_server; content:"?w="; nocase; http_uri; content:"&ucid="; nocase; http_uri; content:"&e=00"; nocase; http_uri; content:"&err="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008082; classtype:trojan-activity; sid:2008082; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vundo Variant reporting to Controller via HTTP (1)"; flow:established,to_server; content:"POST"; depth:4; http_method; content:"/req.html?suid=&cuid="; http_uri; content:"&tid="; http_uri; content:"&cver="; http_uri; content:"&affid="; http_uri; reference:url,doc.emergingthreats.net/2008976; classtype:trojan-activity; sid:2008976; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vundo Variant reporting to Controller via HTTP (2)"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"?cuid="; http_uri; content:"&suid="; http_uri; content:"&affid="; http_uri; reference:url,doc.emergingthreats.net/2008977; classtype:trojan-activity; sid:2008977; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Vundo Trojan Variant reporting to Controller"; flow:established,to_server; content:"POST"; http_method; content:"/frame.html?"; http_uri; urilen: > 80; reference:url,doc.emergingthreats.net/2009173; classtype:trojan-activity; sid:2009173; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Vundo EXE Download Attempt"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"/dwn/d.html?sid="; http_uri; urilen: > 80; reference:url,doc.emergingthreats.net/2009174; classtype:trojan-activity; sid:2009174; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.VB.aie Reporting User Activity"; flow:established,to_server; content:"php?iso="; nocase; http_uri; content:"&country="; nocase; http_uri; content:"&proxy="; nocase; http_uri; content:"&tel="; nocase; http_uri; content:"&ftp="; nocase; http_uri; content:"&socks="; nocase; http_uri; content:"&remote="; nocase; http_uri; content:"&smtp="; nocase; http_uri; reference:url,doc.emergingthreats.net/2002857; classtype:trojan-activity; sid:2002857; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN w32agent.dsi Domain Update"; flow:established,to_server; content:"/getgewinnspiel.php?uid="; http_uri; reference:url,doc.emergingthreats.net/2002782; classtype:trojan-activity; sid:2002782; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN w32agent.dsi Posting Info"; flow:established,to_server; content:"/postgewinnspiel.php"; http_uri; content:"uid="; http_uri; reference:url,doc.emergingthreats.net/2002781; classtype:trojan-activity; sid:2002781; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Waledac Beacon Traffic Detected"; flow:to_server,established; content:"POST"; depth:4; http_method; content:"Referer|3a| Mozilla|0d 0a|"; nocase; http_header; content:"User-Agent|3a| Mozilla|0d 0a|"; http_header; content:"a="; nocase; http_client_body; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081231; reference:url,doc.emergingthreats.net/2008958; classtype:trojan-activity; sid:2008958; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Warezov/Stration Data Post to Controller"; flow:established,to_server; content:"/cgi-bin/pr.cgi"; http_uri; content:"POST"; http_method; reference:url,www.sophos.com/security/analyses/w32strationbo.html; reference:url,doc.emergingthreats.net/2003180; classtype:trojan-activity; sid:2003180; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Warezov/Stration Communicating with Controller 2"; flow:established,to_server; content:"/chr/"; nocase; http_uri; content:"/e/"; http_uri; content:"?lid="; nocase; http_uri; pcre:"/\/chr\/\d+\/e\/t\d+\?lid=/Ui"; reference:url,www.sophos.com/security/analyses/w32strationbo.html; reference:url,www.avira.com/en/threats/section/fulldetails/id_vir/3242/tr_dldr.warezov.df.html; reference:url,doc.emergingthreats.net/2003436; classtype:trojan-activity; sid:2003436; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Agent.ajx Trojan Reporting to Server"; flow:established,to_server; content:"/count.php?fid="; nocase; http_uri; content:"&cid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&tid="; nocase; http_uri; content:"&sn="; nocase; http_uri; content:"&wc="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006448; classtype:trojan-activity; sid:2006448; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET TROJAN Win32.Agent.bea C&C connection"; flow:to_server,established; dsize:24; content:"|9a 02 06 00|"; depth:4; reference:url,doc.emergingthreats.net/2007608; classtype:trojan-activity; sid:2007608; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Agent.cyt (Or variant) HTTP POST Checkin"; flow:established,to_server; content:"POST"; depth:4; http_method; content:".cgi"; http_uri; content:"o=i&k="; http_client_body; reference:url,doc.emergingthreats.net/2008003; classtype:trojan-activity; sid:2008003; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Agent.cyt (Or variant) HTTP POST Checkin (2)"; flow:established,to_server; content:"POST"; depth:4; http_method; content:".cgi"; http_uri; content:"o=c&s="; http_client_body; reference:url,doc.emergingthreats.net/2008004; classtype:trojan-activity; sid:2008004; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32 Cloaker Related Post Infection Checkin"; flow:established,to_server; content:"/log/proc.php?key="; http_uri; pcre:"/\/log\/proc\.php.key=[a-z0-9]{11}/Ui"; reference:url,doc.emergingthreats.net/2008185; classtype:trojan-activity; sid:2008185; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Inject.ql Checkin Post"; flow:established,to_server; content:"POST"; depth:4; http_method; content:"MAC="; nocase; http_client_body; content:"&IP="; nocase; http_client_body; content:"&NAME="; nocase; http_client_body; content:"&OS="; nocase; http_client_body; reference:url,doc.emergingthreats.net/2007803; classtype:trojan-activity; sid:2007803; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Inject.zy Checkin Post"; flow:established,to_server; dsize:8; content:"|16 00 00 00 00 00 00 00|"; reference:url,doc.emergingthreats.net/2007966; classtype:trojan-activity; sid:2007966; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Win32.Onlinegames.ajok CnC Packet to Server"; flow:established,to_server; dsize:20; content:"|7e 7e 7e|"; depth:4; content:"|7e 7e 7e|"; distance:0; within:4; flowbits:set,ET.onlinegames.ajok; reference:url,doc.emergingthreats.net/2008291; classtype:trojan-activity; sid:2008291; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Win32.Onlinegames.ajok CnC Packet from Server"; flow:established,from_server; flowbits:isset,ET.onlinegames.ajok; content:"|7e 7e 7e|"; depth:4; content:"|7e 7e 7e|"; distance:0; within:4; reference:url,doc.emergingthreats.net/2008292; classtype:trojan-activity; sid:2008292; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Small.wpx or Related Downloader Posting Data"; flow:to_server,established; content:"POST"; http_method; content:"=|22|boturl|22|"; nocase; fast_pattern; content:"=|22|filename|22|"; nocase; content:"=|22|compips|22|"; nocase; content:"=|22|loadername|22|"; nocase; content:"=|22|loaderid|22|"; nocase; content:"=|22|uptime|22|"; nocase; content:"=|22|comptime|22|"; nocase; content:"=|22|winver|22|"; nocase; reference:url,doc.emergingthreats.net/2008319; classtype:trojan-activity; sid:2008319; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Small.yml or Related HTTP Checkin"; flow:established,to_server; content:"/ClientReg.aspx?mac="; http_uri; content:"&Type="; http_uri; content:"&Sn="; http_uri; pcre:"/mac=([0-9A-F]{2}:){5}([0-9A-F]{2})/Ui"; reference:url,doc.emergingthreats.net/2008949; classtype:trojan-activity; sid:2008949; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Small.yml or Related HTTP Command"; flow:established,to_server; content:"/ClientTask.aspx?mac="; http_uri; content:"&Type="; http_uri; content:"&Sn="; http_uri; pcre:"/mac=([0-9A-F]{2}:){5}([0-9A-F]{2})/Ui"; reference:url,doc.emergingthreats.net/2008952; classtype:trojan-activity; sid:2008952; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Trojan.Win32.Small.yml client registration"; flow:established,to_client; content:"|0d 0a|Content-Length|3a| "; depth:500; content:"|0d 0a 0d 0a|xxyysign|0d 0a|xxyyMyIP="; within:27; reference:url,doc.emergingthreats.net/2008950; classtype:trojan-activity; sid:2008950; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Trojan.Win32.Small.yml client command"; flow:established,to_client; content:"|0d 0a|Content-Length|3a| "; depth:500; content:"|0d 0a 0d 0a|xxyysign|0d 0a|xxyyUserNamePassWord="; within:40; reference:url,doc.emergingthreats.net/2008951; classtype:trojan-activity; sid:2008951; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Small.AB or related Post-infection checkin"; flow:established,to_server; content:"/work.php?"; nocase; http_uri; content:"method="; nocase; http_uri; content:"&port="; nocase; http_uri; content:"&type="; nocase; http_uri; content:"&winver="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008321; classtype:trojan-activity; sid:2008321; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Small.qh/xSock Checkin URL Detected"; flow:established,to_server; content:"port="; nocase; http_uri; content:"&id="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&sm="; nocase; http_uri; pcre:"/port=\d/Ui"; pcre:"/id=[a-f0-9-]+&/Ui"; reference:url,doc.emergingthreats.net/2007610; classtype:trojan-activity; sid:2007610; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Proxy.Win32.Wopla.ag Server Reply"; dsize:12; flow:established,from_server; content:"|0d 00 00 00|"; depth:4; content:"|00 00 00 00 00 00|"; distance:2; within:6; reference:url,doc.emergingthreats.net/2007604; classtype:trojan-activity; sid:2007604; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Winwebsec User-Agent Detected"; flow:established,to_server; content:"User-Agent|3a| InstallNotify/1.0"; http_header; reference:url,www.f-secure.com/sw-desc/rogue_w32_winwebsec.shtml; reference:url,blogs.technet.com/mmpc/archive/2009/05/13/msrt-tackles-another-rogue.aspx; reference:url,doc.emergingthreats.net/2009896; classtype:trojan-activity; sid:2009896; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WindowsEnterpriseSuite FakeAV check-in HEAD"; flow:established,to_server; content:"HEAD"; depth:4; http_method; content:"?controller="; http_uri; content:"&abbr="; http_uri; content:"&setupType="; http_uri; content:"&ttl="; http_uri; content:"&pid="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010240; classtype:trojan-activity; sid:2010240; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WindowsEnterpriseSuite FakeAV check-in GET"; flow:established,to_server; content:"GET"; http_method; content:"/Reports/install-report.php"; http_uri; content:"abbr="; http_uri; content:"TALWinInetHTTPClient"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010241; classtype:trojan-activity; sid:2010241; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WindowsEnterpriseSuite FakeAV get_product_domains.php"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"/reports/get_product_domains.php?abbr="; http_uri; content:"&pid="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010242; classtype:trojan-activity; sid:2010242; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WindowsEnterpriseSuite FakeAV Reporting via POST"; flow:established,to_server; content:"POST"; http_method; content:"verint="; http_client_body; content:"&uid="; http_client_body; content:"&wv="; http_client_body; content:"&report="; http_client_body; content:"&abbr="; http_client_body; content:"&pid="; http_client_body; pcre:"/verint=\d+&uid=\d+&wv=[A-Za-z0-9]+&report=\d+&abbr=[A-Za-z0-9]+&pid=\d/P"; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010247; classtype:trojan-activity; sid:2010247; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WindowsEnterpriseSuite FakeAV Reporting via POST initial check-in"; flow:established,to_server; content:"POST"; http_method; content:"/MicroinstallServiceReport.php"; http_uri; content:"report="; http_client_body; content:"&pid="; http_client_body; content:"&wv="; http_client_body; pcre:"/report=\d+&pid=\d+&wv=[A-Za-z0-9]/P"; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010246; classtype:trojan-activity; sid:2010246; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Winspywareprotect.com Fake AV/Anti-Spyware Install Checkin"; flow:established,to_server; content:"/stat.php?func=install&pid="; http_uri; content:"&ip="; http_uri; content:"&landing="; http_uri; reference:url,doc.emergingthreats.net/2008250; classtype:trojan-activity; sid:2008250; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET TROJAN XP keylogger v2.1 mail report - Inbound"; flow:established,to_server; content:"X-Mailer|3a| JMail 4.3.0 Free Version by Dimac"; content:"<H2=3EAbout the use of the PC</H2=3E"; reference:url,doc.emergingthreats.net/2002940; classtype:trojan-activity; sid:2002940; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN XP keylogger v2.1 mail report - Outbound"; flow:established,to_server; content:"X-Mailer|3a| JMail 4.3.0 Free Version by Dimac"; content:"<H2=3EAbout the use of the PC</H2=3E"; reference:url,doc.emergingthreats.net/2002942; classtype:trojan-activity; sid:2002942; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Yahoo550.com Related Downloader/Trojan Checkin"; flow:established,to_server; content:"/image/logo.jpg?queryid="; http_uri; pcre:"/queryid=\d+$/U"; reference:url,doc.emergingthreats.net/2008049; classtype:trojan-activity; sid:2008049; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Yoda's Protector Packed Binary - VERY Likely Hostile"; flow:established,from_server; content:"|E8 03 00 00 00 EB 01|"; content:"|BB 55 00 00 00 E8 03 00 00 00 EB 01|"; within:14; reference:url,doc.emergingthreats.net/2009557; classtype:trojan-activity; sid:2009557; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot/Zeus HTTP POST"; flow:to_server,established; content:"POST"; depth:4; http_method; content:".php?"; http_uri; content:"zip="; http_uri; content:"type="; http_uri; content:"name="; http_uri; content:"q="; http_uri; content:"item="; http_uri; fast_pattern; content:"id="; http_uri; content:"rdp="; http_uri; reference:url,doc.emergingthreats.net/2008661; classtype:trojan-activity; sid:2008661; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot/Zeus or Related Infection Checkin"; flow:established,to_server; content:"btn="; http_uri; content:"q="; http_uri; content:"SOFT"; http_client_body; reference:url,doc.emergingthreats.net/2008665; classtype:trojan-activity; sid:2008665; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot/Zeus Dropper Infection - /loads.php"; flow:established,to_server; content:"/loads.php"; http_uri; content:"?r="; http_uri; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; content:"Host|3a| knocker"; http_header; fast_pattern; content:"Cache-Control|3a| no-cache|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2009213; classtype:trojan-activity; sid:2009213; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot/Beomok/PSW - HTTP POST"; flow:established,to_server; content:"POST"; depth:4; http_method; content:".php?i="; nocase; http_uri; content:"&o="; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/2009448; classtype:trojan-activity; sid:2009448; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - Possible Zeus/Perkesh (.bin) configuration download"; flow:established,to_server; content:"GET"; http_method; content:!"Referer|3a|"; nocase; http_header; content:!"Host|3a| toolbar.live.com|0d 0a|"; nocase; http_header; content:!"Host|3a| downloadfree.avg.com|0d 0a|"; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE"; content:"Accept|3a| */*"; http_header; content:".bin"; http_uri; pcre:"/\/[0-9A-Z]+\/[0-9A-Z]+\.bin$/Ui"; reference:url,zeustracker.abuse.ch; reference:url,doc.emergingthreats.net/2010348; classtype:trojan-activity; sid:2010348; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zhelatin Update Detected"; flow:established,to_server; content:".php?l="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&rvz1="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007769; classtype:trojan-activity; sid:2007769; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zhelatin npopup Update Detected"; flow:established,to_server; content:"POST"; depth:4; http_method; content:"/server/npopup/"; nocase; http_uri; content:"data="; http_client_body; nocase; content:"&key="; http_client_body; nocase; reference:url,doc.emergingthreats.net/2007787; classtype:trojan-activity; sid:2007787; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zlob User Agent - updating (internetsecurity)"; flow:established,to_server; content:"User-Agent|3a| internetsecurity"; http_header; reference:url,secubox.aldria.com/topic-post1618.html#post1618; reference:url,doc.emergingthreats.net/2003632; classtype:trojan-activity; sid:2003632; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zlob User Agent - updating (Winlogon)"; flow:established,to_server; content:"User-Agent|3a| Winlogon"; http_header; reference:url,doc.emergingthreats.net/2006441; classtype:trojan-activity; sid:2006441; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zlob Updating via HTTP"; flow:established,to_server; content:".php?code="; nocase; http_uri; content:"&hash="; nocase; http_uri; pcre:"/code=[0-9a-f]{2}-[0-9a-f]{2}-[0-9a-f]{2}-[0-9a-f]{2}-[0-9a-f]{2}-[0-9a-f]{2}/Ui"; reference:url,doc.emergingthreats.net/2007568; classtype:trojan-activity; sid:2007568; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zlob Updating via HTTP (v2)"; flow:established,to_server; content:".php?Code="; nocase; http_uri; content:"&V="; nocase; http_uri; content:"&ID="; nocase; http_uri; pcre:"/Code=\d/Ui"; pcre:"/ID=.{40}&.{6}/Ui"; reference:url,doc.emergingthreats.net/2007620; classtype:trojan-activity; sid:2007620; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zlob HTTP Checkin"; flow:established,to_server; content:"/confirm.php?aid="; nocase; http_uri; content:"&said="; nocase; http_uri; content:"&mn="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008386; classtype:trojan-activity; sid:2008386; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zlob Initial Check-in Version 2 (confirm.php?sid=)"; flow:to_server,established; content:"GET"; nocase; http_method; content:"confirm.php?sid="; nocase; http_uri; content:"&said="; nocase; http_uri; content:"&mn="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008396; classtype:trojan-activity; sid:2008396; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zlob User Agent (securityinternet)"; flow:established,to_server; content:"User-Agent|3a| securityinternet"; http_header; reference:url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html; reference:url,doc.emergingthreats.net/2009022; classtype:trojan-activity; sid:2009022; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN HTTP GET Request on port 53 - Very Likely Hostile"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!".newsinc.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008420; classtype:trojan-activity; sid:2008420; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN s4t4n1c Trojan Check-in"; flow:established,to_server; content:"POST"; depth:4; http_method; content:".php"; http_uri; content:"continencia="; http_client_body; content:"&versao_kl="; http_client_body; content:"&data="; http_client_body; content:"&hora="; http_client_body; content:"&nome_maquina="; http_client_body; reference:url,doc.emergingthreats.net/2009518; classtype:trojan-activity; sid:2009518; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN thespybot.com installation download detected"; flow:established,to_server; content:"GET"; depth:3; http_method; content:".php"; http_uri; content:"m="; http_uri; content:"&ydf="; http_uri; content:"&e="; http_uri; content:"&w="; http_uri; content:"&t="; http_uri; content:"&apz="; http_uri; reference:url,doc.emergingthreats.net/2008482; classtype:trojan-activity; sid:2008482; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN xpsecuritycenter.com Fake AntiVirus GET-Install Checkin"; flow:established,to_server; content:"GET"; depth:3; http_method; content:".php?"; http_uri; content:"wmid="; http_uri; fast_pattern; nocase; content:"|26|l="; nocase; http_uri; content:"|26|it="; nocase; http_uri; content:"|26|s="; nocase; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-051910-0118-99&tabid=1; reference:url,doc.emergingthreats.net/2008329; classtype:trojan-activity; sid:2008329; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN OUTBOUND Suspicious Email Attachment"; flow:  to_server,established; content:"Content-Disposition|3A|"; nocase; content:"filename="; distance:0; pcre:"/^\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[x])|c(rt|[ho]m|li|pl|md|pp)|d(iz|ll)|e(m[fl]|xe|bs)|h(lp|sq|ta)|jse?|m(d[abzew]|s[tcgip]|htm|ht)|p(cd|if|l[xsc]|[lm]|ot)|r(eg|ar)|s(cr|ct|[hy]s|wf)|v(b[es]?|xd)|w(m[dfsz]|p[msz]|s[cfh])|xl[tw]|folder|fol|ba[st]|i(sp|n[sif])|lnk|nws|ocx|zip|url)[\x27\x22\n\r\s]/iR";  reference:url,doc.emergingthreats.net/2000562; classtype:suspicious-filename-detect; sid:2000562; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN UPX compressed file download possible malware"; flow:established,from_server; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"UPX0"; content:"UPX1"; content:"UPX!"; reference:url,doc.emergingthreats.net/2001046; classtype:misc-activity; sid:2001046; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"GPL TROJAN BackOrifice access"; content:"|CE|c|D1 D2 16 E7 13 CF|9|A5 A5 86|"; reference:arachnids,399; classtype:misc-activity; sid:2100116; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN nte Binary Download Attempt (multiple malware variants served)"; flow:established,to_server; content:"GET"; http_method; content:"/nte/"; http_uri; content:!"Referer|3a| "; http_header; content:"User-Agent|3a| Java"; http_header; pcre:"/(\.php|\.asp|\.py|\.exe|\.htm|\.html)\/[A-Z0-9]+$/Ui"; reference:url,www.malwaredomainlist.com; reference:url,www.malwareurl.com/search.php?domain=&s=trest1&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on; classtype:trojan-activity; sid:2011576; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DNSTrojan FakeAV Dropper Activity Observed (1)"; flow:established,to_server; content:"v="; http_uri; nocase; content:"&step="; http_uri; nocase; content:"&hostid="; http_uri; nocase; reference:url,www.abuse.ch/?p=2740; reference:url,www.abuse.ch/?p=2796; reference:url,www.threatexpert.com/report.aspx?md5=c59cdd1366dd5c2f448c03738ec0dc88; reference:url,www.threatexpert.com/report.aspx?md5=b93360ec3798215a5cca573747df0139; classtype:trojan-activity; sid:2011577; rev:2; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DNSTrojan FakeAV Dropper Activity Observed (2)"; flow:established,to_server; content:"/getfile.php?r="; http_uri; nocase; content:"&p="; http_uri; nocase; pcre:"/\/getfile\.php\?r=-?\d+&p=/U"; reference:url,www.abuse.ch/?p=2740; reference:url,www.abuse.ch/?p=2796; reference:url,www.threatexpert.com/report.aspx?md5=c59cdd1366dd5c2f448c03738ec0dc88; reference:url,www.threatexpert.com/report.aspx?md5=b93360ec3798215a5cca573747df0139; classtype:trojan-activity; sid:2011578; rev:2; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN JAR Download From Crimepack Exploit Kit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"cpak/Crimepack"; nocase; reference:url,doc.emergingthreats.net/2011544; reference:url,krebsonsecurity.com/tag/crimepack/; reference:url,www.offensivecomputing.net/?q=node/1572; classtype:trojan-activity; sid:2011544; rev:5; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Executable Download named to be .com FQDN"; flow:established,to_server; content:"GET"; nocase; http_method; content:".com.exe"; http_uri; nocase; reference:url,malwareurl.com; classtype:trojan-activity; sid:2011495; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Executable Download named to be FQDN"; flow:established,to_server; content:"GET"; nocase; http_method; content:".exe"; http_uri; nocase; fast_pattern; content:"."; depth:200; content:".exe"; nocase; distance:2; within:6; pcre:"/\/.+(www\.)?[a-z0-9]+\.[a-z]{2,3}\.exe$/Ui"; reference:url,malwareurl.com; classtype:trojan-activity; sid:2011496; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Meredrop/Nusump Checkin"; flow:established,to_server; content:"?id="; http_uri; content:"&co="; http_uri; content:"&us="; http_uri; content:"&os="; http_uri; content:"&vr="; http_uri; content:"&dt="; http_uri; fast_pattern:only; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FNusump&ThreatID=-2147329857; reference:url,www.threatexpert.com/report.aspx?md5=ef0616d75bd892ed69fe22a510079686; reference:url,www.threatexpert.com/report.aspx?md5=463cdec2df12a04d6ea1d015746ee950; classtype:trojan-activity; sid:2011489; rev:4; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Small.gen!AQ Communication with Controller"; flow:established,to_server; content:"?uid="; nocase; http_uri; fast_pattern; content:"&action="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&b="; nocase; http_uri; pcre:"/\?uid=[0-9a-f]{40}&action=\w+&v=[\w.]+&b=\d+$/U"; reference:url,perpetualhorizon.blogspot.com/2010/08/shot-in-dark-analysis-of-failed-malware.html; reference:url,www.threatexpert.com/report.aspx?md5=eb3140416c06fa8cb7851076dd100dfb; reference:url,www.threatexpert.com/report.aspx?md5=8033dffa899dcd16769f389073f9f053; classtype:trojan-activity; sid:2011414; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sinowal/sinonet/mebroot/Torpig infected host POSTing process list"; flow:established,to_server; content:"POST"; http_method; nocase; content:"[System Process]|0a|";  http_client_body; depth:17; classtype:trojan-activity; sid:2011364; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sinowal/sinonet/mebroot/Torpig infected host checkin"; flow:established,to_server; content:"/search"; http_uri; depth:7; content:"?fr=altavista&itag="; depth:28; http_uri; content:"&kls="; http_uri; content:!"User-Agent|3a|"; http_header; classtype:trojan-activity; sid:2011365; rev:9; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV SetupSecure Download Attempt SetupSecure"; flow:established,to_server; content:"/download/SetupSecure_"; nocase; http_uri; content:".exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=virus-scanner-6.com; classtype:trojan-activity; sid:2011357; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Koobface Checkin via POST"; flow: to_server,established; content:"POST"; http_method; content:".php"; http_uri; nocase;  content:"f="; http_client_body; content:"&a="; http_client_body; content:"&v="; http_client_body; content:"&c="; http_client_body; content:"&s="; http_client_body; content:"&l="; http_client_body; content:"&ck="; http_client_body; content:"&c_fb="; http_client_body; content:"&c_ms="; http_client_body; content:"&c_hi="; http_client_body; content:"&c_be="; http_client_body; content:"&c_fr="; http_client_body; content:"&c_yb="; http_client_body; reference:url,www.virustotal.com/analisis/a4a854e56ecc0a54204fc3b043c63094; reference:url,doc.emergingthreats.net/2009156; classtype:trojan-activity; sid:2009156; rev:8; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Cosmu.xet CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"GoGo.ashx?Mac="; http_uri; content:"&UserId="; http_uri; content:"&Bate="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=f39554f3afe92dca3597efc1f7709ad4; classtype:trojan-activity; sid:2011278; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.FraudPack.aweo"; flow:established,to_server; content:"GET"; http_method; content:"update.php?do="; http_uri; content:"&coid="; http_uri; content:"&IP="; http_uri; content:"&fff="; http_uri; content:"&lct="; http_uri; content:"&ttt="; http_uri; content:"&v="; reference:url,www.threatexpert.com/report.aspx?md5=4bc4c32a8d93c29b026bbfb24ccecd14; classtype:trojan-activity; sid:2011294; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET TROJAN Butterfly/Mariposa Bot Join Acknowledgment"; dsize:21; content:"|38|"; depth:1; flowbits:isset,ET.ButterflyJoin; classtype:trojan-activity; sid:2011296; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Stuxnet index.php"; flow:to_server,established; content:"/index.php?data=66a96e28"; http_uri; nocase; reference:url,research.zscaler.com/2010/07/lnk-cve-2010-2568-stuxnet-incident.html; classtype:trojan-activity; sid:2011300; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Keatep.B Checkin"; flow:established,to_server; content:"&id="; nocase; http_uri; content:"&v="; http_uri; fast_pattern; pcre:"/\?[0-9a-f]{5,}=\d+&id=\d+&v=\d+$/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSality.AU; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32/Keatep.B; reference:md5,239aacf49bb6381fd71841fda4d4ee58; classtype:trojan-activity; sid:2011336; rev:6; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sality Variant Downloader Activity (2)"; flow:established,to_server; content:"/?rnd="; http_uri; nocase; content:"&id="; http_uri; pcre:"/\/\?rnd=\d+&id=\d+$/U"; reference:url,www.threatexpert.com/report.aspx?md5=76cf08503cdd036850bcc4f29f64022f; reference:url,www.threatexpert.com/report.aspx?md5=579f2e29434218d62d31625d369cbc42; classtype:trojan-activity; sid:2011337; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sality Variant Downloader Activity (3)"; flow:established,to_server; content:"/?id"; nocase; http_uri; content:"&rnd="; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"Windows NT"; http_header; pcre:"/\/\?id(\d+)?&rnd=\d+$/U"; reference:url,www.threatexpert.com/report.aspx?md5=438bcb3c4a304b65419674ce8775d8a3; classtype:trojan-activity; sid:2011338; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"nvidia.com|0d 0a|"; http_header; content:!"dc.services.visualstudio.com|0d 0a|"; http_header; content:"C|3A 5C 5C|WINDOWS|5C|"; fast_pattern; nocase; http_client_body; content:!".avg.com|0d 0a|"; http_header; content:!"bitdefender.net|0d 0a|"; http_header; content:!"svc.iolo.com|0d 0a|"; http_header; content:!".lavasoft.com"; http_header; content:!"canonicalizer.ucsuri.tcs|0d 0a|"; http_header; classtype:trojan-activity; sid:2011341; rev:13; metadata:created_at 2010_09_28, updated_at 2016_12_29;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Stupid Stealer C&C Communication (1)"; flow:established,to_server; content:"cmd=give&pcname="; nocase; http_uri; content:"&status="; http_uri; nocase; pcre:"/cmd=give&pcname=.+&status=\d+$/U"; reference:url,amada.abuse.ch/?search=f4bf4fb71d0846b0d43f22f0a77253fb; classtype:trojan-activity; sid:2011370; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Stupid Stealer C&C Communication (2)"; flow:established,to_server; content:"action=add"; nocase; http_uri; content:"&status="; nocase; http_uri; content:"&wmid="; nocase; http_uri; content:"&os="; nocase; http_uri; content:"&pcname="; http_uri; nocase; reference:url,amada.abuse.ch/?search=f4bf4fb71d0846b0d43f22f0a77253fb; classtype:trojan-activity; sid:2011371; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN indux.php check-in"; flow:established,to_server; content:"/indux.php?U="; nocase; http_uri; fast_pattern:only; content:"@"; http_uri; content:"Referer|3a| http|3a|//www.google.com|0d 0a|"; nocase; http_header; classtype:trojan-activity; sid:2011387; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeYak or Related Infection Checkin 1"; flow:established,to_server; content:"&fff="; http_uri; content:"&coid="; http_uri; content:"do="; http_uri; content:"&IP="; nocase; http_uri; content:"lct="; http_uri; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Rogue%3aWin32%2fFakeYak; classtype:trojan-activity; sid:2011396; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeYak or Related Infection Checkin 2"; flow:established,to_server; content:"&fff="; http_uri; content:"&coid="; http_uri; content:"saf="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Rogue%3aWin32%2fFakeYak; classtype:trojan-activity; sid:2011397; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN wisp backdoor detected reporting"; flow:established,to_server; content:"getkys.kys"; nocase; http_uri; content:"hostname="; nocase; http_uri; classtype:trojan-activity; sid:2011395; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET TROJAN Yoyo-DDoS Bot Execute DDoS Command From CnC Server"; flow:established,from_server; dsize:124; content:"|00 10 00 00|http|3a|//"; depth:11; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:trojan-activity; sid:2011398; rev:1; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET TROJAN Yoyo-DDoS Bot Download and Launch Executable Message From CnC Server"; flow:established,from_server; dsize:124; content:"|00 00 00 04|http|3a|//"; depth:11; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:trojan-activity; sid:2011399; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET TROJAN Yoyo-DDoS Bot Execute SYN Flood Command Message From CnC Server"; flow:established,from_server; dsize:124; content:"|80 04 00 00|"; nocase; depth:4; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:trojan-activity; sid:2011400; rev:1; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN Yoyo-DDoS Bot HTTP Flood Attack Inbound"; flow:established,to_server; content:"|0d 0a|Accept-Encoding|3A| g|7b|ip|2C| deflate|0d 0a|"; http_header; content:"|0d 0a|Connection|3A| Keep|2D|Alivf|0d 0a|"; fast_pattern:14,12; http_header; threshold:type limit, count 5, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:denial-of-service; sid:2011402; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Yoyo-DDoS Bot HTTP Flood Attack Outbound"; flow:established,to_server; content:"|0d 0a|Accept-Encoding|3A| g|7b|ip|2C| deflate|0d 0a|"; http_header; content:"|0d 0a|Connection|3A| Keep|2D|Alivf|0d 0a|"; fast_pattern:14,12; http_header; threshold:type limit, count 5, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:denial-of-service; sid:2011403; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FAKEAV landing page - sector.hdd.png no-repeat"; flow:established,to_client; content:"sector.hdd.png) no-repeat"; fast_pattern:only; classtype:bad-unknown; sid:2011419; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FAKEAV client requesting image - sector.hdd.png"; flow:established,to_server; content:"sector.hdd.png"; nocase; http_uri; classtype:bad-unknown; sid:2011420; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 8081:8090 (msg:"ET TROJAN Antivirus2010 Checkin port 8082"; flow:established,to_server; content:"/ask?"; content:"&u="; content:"a="; content:"&m="; content:"&h="; reference:url,blog.emsisoft.com/2010/08/09/antivirus2010-userinit-and-then-some-more/; reference:url,doc.emergingthreats.net/2011473; classtype:trojan-activity; sid:2011473; rev:5; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.Win32.Zlob.bgs Checkin(1)"; flow:established,to_server; content:"GET"; http_header; content:"/gatech.php?pn="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=ffdcea0ed88d47bc21d71040f9289ef4; classtype:trojan-activity; sid:2011490; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.Win32.Zlob.bgs Checkin(2)"; flow:established,to_server; content:"GET"; http_method; content:"/gatech.php?id="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=ffdcea0ed88d47bc21d71040f9289ef4; classtype:trojan-activity; sid:2011491; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Shiz/Rohimafo Checkin"; flow:established,to_server; content:".php?id="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&up="; nocase; http_uri; content:"&os="; nocase; http_uri; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-041308-3301-99&tabid=2; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6; reference:url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea; reference:url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab; reference:url,doc.emergingthreats.net/2010791; classtype:trojan-activity; sid:2011791; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Shiz/Rohimafo Binary Download Request"; flow:established,to_server; content:".php?id="; nocase; http_uri; content:"&magic="; http_uri; nocase; fast_pattern; pcre:"/\.php\?id=\d+&magic=(-)?\d+$/U"; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-041308-3301-99&tabid=2; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6; reference:url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea; reference:url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab; reference:url,doc.emergingthreats.net/2010793; classtype:trojan-activity; sid:2011769; rev:5; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Knock.php Shiz or Rohimafo CnC Server Contact URL"; flow:established,to_server; content:"GET"; http_method; nocase; content:"knock.php?n="; nocase; http_uri; content:"=seller-"; nocase; http_uri; content:!"User-Agent|3a|"; http_header; nocase; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6; reference:url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea; reference:url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab; classtype:trojan-activity; sid:2011520; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Shiz or Rohimafo Reporting Listening Socket to CnC Server"; flow:established,to_server; content:"/socks.php?"; nocase; http_uri; content:"name="; nocase; http_uri; content:"&port="; http_uri; nocase; pcre:"/port=[1-9]{1,5}/Ui"; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6; reference:url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea; reference:url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab; classtype:trojan-activity; sid:2011523; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Daurso FTP Credential Theft Reported"; flow:to_server,established; content:"/receiver/ftp"; http_uri; nocase; content:"|0d 0a 0d 0a|ftp_uri_0="; nocase; content:"&ftp_source_0="; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fDaurso; reference:url,xanalysis.blogspot.com/2009/07/9121219837-badness.html; reference:url,www.threatexpert.com/report.aspx?md5=348ba619aab3a92b99701335f95fe2a7; reference:url,www.threatexpert.com/report.aspx?md5=8be56dbd057c3bde42ae804bfd647bb6; classtype:trojan-activity; sid:2011470; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Daurso Checkin"; flow:established,to_server; content:"POST"; http_method; content:"receiver/online"; http_uri; content:"|0d 0a 0d 0a|guid="; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fDaurso; reference:url,xanalysis.blogspot.com/2009/07/9121219837-badness.html; reference:url,www.threatexpert.com/report.aspx?md5=348ba619aab3a92b99701335f95fe2a7; reference:url,www.threatexpert.com/report.aspx?md5=8be56dbd057c3bde42ae804bfd647bb6; classtype:trojan-activity; sid:2011471; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FAKEAV scanner page enocuntered - .hdd_icon"; flow:established,to_client; content:".hdd_icon"; nocase; classtype:bad-unknown; sid:2011475; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Avzhan DDOS Bot Outbound Hardcoded Malformed GET Request Denial Of Service Attack Detected"; flow:established,to_server; content:"GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm"; depth:49; nocase; threshold:type limit, count 1, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; classtype:trojan-activity; sid:2011585; rev:2; metadata:created_at 2010_09_29, updated_at 2010_09_29;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET TROJAN Avzhan DDOS Bot Inbound Hardcoded Malformed GET Request Denial Of Service Attack Detected"; flow:established,to_server; content:"GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm"; depth:49; nocase; threshold:type limit, count 1, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; classtype:attempted-dos; sid:2011767; rev:2; metadata:created_at 2010_09_29, updated_at 2010_09_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus Bot Connectivity Check"; flow:established,to_server; content:"GET / HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|Connection|3a| Close|0d 0a|User-Agent|3a 20|Mozilla/"; depth:68; content:"|0d 0a|Host|3a| "; distance:0; content:!"|0d 0a|Referer|3a| "; http_header; nocase; content:"|3a| no-cache"; http_header; content:!"/webhp"; http_uri; depth:6; content:!"Host|3a| login.live.com|0d 0a|"; http_header; content:!"google.com|0d 0a|"; http_header; content:!"www.bing.com"; http_header; content:!"yandex.ru|0d 0a|"; http_header; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2011588; rev:20; metadata:created_at 2010_10_01, updated_at 2016_09_16;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential-Hiloti/FakeAV site access"; flow:established,to_server; uricontent:"?p=p52dcW"; pcre:"/\/\?p=p52dcW[A-Za-z]{4}/U"; classtype:trojan-activity; sid:2011591; rev:1; metadata:created_at 2010_10_06, updated_at 2010_10_06;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET TROJAN Yoyo-DDoS Bot Download and Launch Executable Message From CnC Server"; flow:established,from_server; dsize:124; content:"|00 00 00 04|ftp|3a|//"; depth:10; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:trojan-activity; sid:2011592; rev:1; metadata:created_at 2010_10_07, updated_at 2010_10_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN carberp check in"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/set/first.html"; http_uri; content:"id="; http_client_body; content:"os="; http_client_body; content:"plist="; http_client_body; classtype:trojan-activity; sid:2011798; rev:3; metadata:created_at 2010_10_09, updated_at 2010_10_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Carberp checkin task"; flow:established,to_server; content:"/task.php?id="; http_uri; content:"&task="; http_uri; pcre:"/\/task.php\?id=[^&]{32,64}&task=\d/U"; reference:url,www.trustdefender.com/blog/2010/10/06/carberp-%E2%80%93-a-new-trojan-in-the-making/; reference:url,www.honeynet.org/node/578; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-101313-5632-99&tabid=2; reference:url,www.eset.com/threat-center/encyclopedia/threats/win32trojandownloadercarberpb; reference:url,www.threatexpert.com/report.aspx?md5=31a4bc4e9a431d91dc0b368f4a76ee85; reference:url,www.threatexpert.com/report.aspx?md5=1d0d38dd63551a30eda664611ed4958b; reference:url,www.threatexpert.com/report.aspx?md5=6f89b98729483839283d04b82055dc44; reference:url,www.threatexpert.com/report.aspx?md5=07d3fbb124ff39bd5c1045599f719e36; classtype:trojan-activity; sid:2011799; rev:6; metadata:created_at 2010_10_12, updated_at 2010_10_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fake AV CnC Checkin cycle_report"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/cycle_report.cgi?type=g"; nocase; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=fa078834dd3b4c6604d12823a6f9f17e; classtype:trojan-activity; sid:2011820; rev:1; metadata:created_at 2010_10_14, updated_at 2010_10_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MUROFET/Licat Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"|0d 0a|Referer|3a|"; nocase; content:"/news/?s="; http_uri; pcre:"/news\/\?s=\d{1,6}$/U"; reference:url,extraexploit.blogspot.com/2010/10/some-domains-for-licatmurofettrojanzbot.html; classtype:trojan-activity; sid:2011825; rev:8; metadata:created_at 2010_10_18, updated_at 2010_10_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Xilcter/Zeus related malware dropper reporting in"; flow:established,to_server; content:"subid="; http_uri; content:"br="; http_uri; content:"os="; http_uri; content:"flg="; http_uri; classtype:trojan-activity; sid:2011827; rev:2; metadata:created_at 2010_10_20, updated_at 2010_10_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Comotor.A!dll Reporting 1"; flow:to_server,established; content:".php?ver="; http_uri; content:"&cver="; fast_pattern:only; http_uri; content:"&id="; http_uri; content:!"User-Agent|3a| "; http_header; pcre:"/\.php\?ver=\d\&cver=\d\&id=\d{5}$/U"; reference:url,threatexpert.com/report.aspx?md5=5e1c680e70e423dd02e31ab9d689e40b; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FComotor.A!dll&ThreatID=-2147346593; classtype:trojan-activity; sid:2011848; rev:4; metadata:created_at 2010_10_25, updated_at 2010_10_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Comotor.A!dll Reporting 2"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/cy/dl.php"; nocase; http_uri; content:"id="; http_uri; nocase; reference:url,threatexpert.com/report.aspx?md5=5e1c680e70e423dd02e31ab9d689e40b; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FComotor.A!dll&ThreatID=-2147346593; classtype:trojan-activity; sid:2011849; rev:3; metadata:created_at 2010_10_25, updated_at 2010_10_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Carberp file download"; flow:established,to_server; content:"/cfg/"; http_uri; depth:5; content:".plug"; http_uri; classtype:trojan-activity; sid:2011850; rev:2; metadata:created_at 2010_10_25, updated_at 2010_10_25;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Carberp CnC Reply no tasks"; flow:established,from_server; file_data; content:"no tasks"; depth:8; classtype:trojan-activity; sid:2011851; rev:5; metadata:created_at 2010_10_25, updated_at 2010_10_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpyEye C&C Check-in URI"; flow:established,to_server; content:"guid="; http_uri; content:"ver="; http_uri; content:"stat="; http_uri; fast_pattern; content:"ie="; http_uri; content:"os="; http_uri; pcre:"/(\?|&)guid=[^!&]+?\!/U"; reference:url,www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot; reference:url,krebsonsecurity.com/2010/10/spyeye-v-zeus-rivalry-ends-in-quiet-merger/; classtype:trojan-activity; sid:2011857; rev:6; metadata:created_at 2010_10_27, updated_at 2010_10_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely Hostile HTTP Header GET structure"; flow:established,to_server; content:"GET"; nocase; http_method; content:"|20|HTTP/1.0|0d 0a|User-Agent|3a 20|"; fast_pattern; content:".php"; nocase; http_uri; content:"|0d 0a|Host|3a 20|"; content:"|0d 0a|Pragma|3a| no-cache|0d 0a|"; distance:0; content:!"|0d 0a|Host|3a| update.nai.com"; distance:0; content:!"|0d 0a|Host|3a 20|toolbarqueries.google."; http_header; content:!".ceipmsn.com|0d 0a|Pragma|3a 20|"; http_header; content:!"Host|3a| stats.mbamupdates.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2011858; rev:12; metadata:created_at 2010_10_27, updated_at 2010_10_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab CnC URL Detected"; flow:established,to_server; content:"GET"; http_method; content:"controller.php"; nocase; http_uri; content:"action=bot"; nocase; http_uri; content:"entity_list="; nocase; http_uri; content:"uid="; nocase; http_uri; content:"guid="; http_uri; nocase; reference:url,blog.fireeye.com/.a/6a00d835018afd53ef013488839529970c-pi; classtype:trojan-activity; sid:2011861; rev:3; metadata:created_at 2010_10_28, updated_at 2010_10_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Feodo Banking Trojan Account Details Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"AccountSummary"; nocase; fast_pattern; content:"userid|3A|"; nocase; distance:0; content:"password|3A|"; nocase; distance:0; content:"screenid|3A|"; nocase; distance:0; content:"origination|3A|"; nocase; distance:0; reference:url,blog.fireeye.com/research/2010/10/feodosoff-a-new-botnet-on-the-rise.html#more; classtype:trojan-activity; sid:2011862; rev:4; metadata:created_at 2010_10_28, updated_at 2010_10_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TDSS/TDL/Alureon MBR rootkit Checkin"; flow:established,to_server; urilen:16<>402; content:"GET"; nocase; http_method; content:"Accept-Language|3a| "; http_header; depth:17; content:!"Accept|3a| "; http_header; content:"User-Agent|3a| Mozilla/4.0 |28|compatible|3b| MSIE"; fast_pattern:23,18; http_header; content:"Host|3a| "; distance:0; http_header; content:"|3a| no-cache"; distance:0; http_header; pcre:"/^\/[a-z0-9+\/=]{16,400}$/Ui"; classtype:trojan-activity; sid:2011894; rev:18; metadata:created_at 2010_11_05, updated_at 2010_11_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Fake AV Checkin"; flow:established,to_server; content:"POST"; http_method; nocase; content:".php"; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.0)|0d 0a|"; http_header; content:"data="; fast_pattern; http_client_body; content:!"|0d 0a|Referer|3a|"; http_header; pcre:"/data=[a-zA-Z0-9\+\/]{64}/P"; classtype:trojan-activity; sid:2011912; rev:8; metadata:created_at 2010_11_09, updated_at 2010_11_09;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FAKEAV Gemini - JavaScript Redirection To Scanning Page"; flow:established,to_client; file_data; content:"|28|navigator.appVersion.indexof|28 22|Mac|22 29|!=-1|29|"; nocase; content:"window.location="; nocase; within:17; classtype:bad-unknown; sid:2011917; rev:3; metadata:created_at 2010_11_09, updated_at 2010_11_09;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FAKEAV CryptMEN - Landing Page Download Contains .hdd_icon"; flow:established,to_client; content:".hdd_icon"; content:!"nmap.org"; content:!"seclists.org"; classtype:bad-unknown; sid:2011921; rev:6; metadata:created_at 2010_11_11, updated_at 2010_11_11;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FAKEAV CryptMEN - Random Named DeObfuscation JavaScript File Download"; flow:established,from_server; file_data; content:"encrypt|3a| function|28|m, e, n|29|"; depth:64; classtype:bad-unknown; sid:2011922; rev:4; metadata:created_at 2010_11_11, updated_at 2010_11_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Rogue AV Downloader concat URI"; flow:established,to_server; content:".php?id="; http_uri; content:"x="; http_uri; content:"os="; http_uri; content:"n="; http_uri; pcre:"/\.php\?id=[a-zA-Z]{15,}&?x=\d+&?os=[0-9.]+&?n=\d/U"; reference:url,malwareurl.com; classtype:trojan-activity; sid:2011925; rev:5; metadata:created_at 2010_11_15, updated_at 2010_11_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN X-Tag Zeus Mitmo user agent"; flow:established,to_server; content:"|29 20|X-Tag/"; nocase; reference:url,eternal-todo.com/blog/thoughts-facts-zeus-mitmo; classtype:trojan-activity; sid:2011926; rev:4; metadata:created_at 2010_11_15, updated_at 2010_11_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Fynloski.A/DarkRat Checkin Outbound"; flow:to_server,established; content:"KEEPALIVE"; depth:9; pcre:"/^\x7c?\d/R"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,www.contextis.com/research/blog/darkcometrat/; reference:url,www.eff.org/deeplinks/2012/08/syrian-malware-post; reference:md5,a2f58a4215441276706f18519dae9102; classtype:trojan-activity; sid:2013090; rev:8; metadata:created_at 2010_11_22, updated_at 2010_11_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious bot.exe Request"; flow:established,to_server; content:"GET"; http_method; content:"/bot.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=19eylulmusikicemiyeti.com; classtype:trojan-activity; sid:2011967; rev:3; metadata:created_at 2010_11_22, updated_at 2010_11_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ponmocup C2 Post-infection Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/html/license_"; http_uri; nocase; pcre:"/\/html\/license_[0-9A-F]{550,}\.html/Ui"; classtype:trojan-activity; sid:2011969; rev:9; metadata:created_at 2010_11_22, updated_at 2010_11_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious flash_player.exe Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/flash_player.exe"; http_uri; reference:url,www.malwareurl.com/listing.php?domain=newpornmov.info; classtype:bad-unknown; sid:2011982; rev:2; metadata:created_at 2010_11_24, updated_at 2010_11_24;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious executable download adobe-flash.v"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/adobe-flash.v"; nocase; http_uri; pcre:"/adobe-flash\.v\.\d{5}\.exe/Ui"; reference:url,www.malwareurl.com/listing.php?domain=realmultimediaonline.com; classtype:bad-unknown; sid:2011989; rev:2; metadata:created_at 2010_12_01, updated_at 2010_12_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FAKEAV Gemini systempack exe download"; flow:established,to_client; content:"Content-Disposition|3a| attachment|3b| filename=systempack"; http_header; classtype:trojan-activity; sid:2011991; rev:2; metadata:created_at 2010_12_01, updated_at 2010_12_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious invoice.scr Download Request"; flow:established,to_server; content:"GET"; http_method; content:"|2F|invoice.scr"; nocase; http_uri; pcre:"/\x2Finvoice\x2Escr$/Ui"; classtype:trojan-activity; sid:2011995; rev:4; metadata:created_at 2010_12_02, updated_at 2010_12_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Darkness DDoS Bot Checkin"; flow:established,to_server; content:".php?uid="; nocase; http_uri; content:"&ver="; distance:0; http_uri; content:!"Accept|3a|"; http_header; pcre:"/\.php\?uid=\d{5,6}&ver=[^&]+(&traff=\d+)?$/U"; content:"User-Agent|3a 20|darkness"; http_header; fast_pattern; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20101205; reference:url,ef.kaffenews.com/?p=833; reference:url,www.threatexpert.com/report.aspx?md5=55edeb8742f0c38aaa3d984eb4205c68; reference:url,www.threatexpert.com/report.aspx?md5=60c84bb1ca03f80ca385f16946322440; reference:url,www.threatexpert.com/report.aspx?md5=7fcebf5bd67cede35d08bedd683e3524; reference:url,www.threatexpert.com/report.aspx?md5=778113cc4e758ed65de0123bb79cbd1f; classtype:trojan-activity; sid:2011996; rev:11; metadata:created_at 2010_12_06, updated_at 2010_12_06;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Spy.YEK MAC and IP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|0d 0a|Content-Disposition|3A| form-data|3B| name=|22|MAC|22|"; http_header; nocase; content:"|0d 0a|Content-Disposition|3A| form-data|3B| name=|22|IP|22|"; nocase; http_header; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20101115; classtype:trojan-activity; sid:2011999; rev:5; metadata:created_at 2010_12_07, updated_at 2010_12_07;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Krap.ar Infection URL Request"; flow:established,to_server; content:"type="; http_uri; nocase; content:"email="; http_uri; nocase; content:"hwinfo="; http_uri; nocase; reference:url,www.threatexpert.com/report.aspx?md5=df29b9866397fd311a5259c5d4bc00dd; classtype:trojan-activity; sid:2012076; rev:1; metadata:created_at 2010_12_17, updated_at 2010_12_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vinself Backdoor Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"GIF89a|50 00 00 00|"; http_client_body; depth:10; fast_pattern; content:"|0A|Content-Length|3A| 90|0D 0A|"; http_header; pcre:"/^\/[A-Z]{1}[0-9]{1,3}\/[A-X]{1}[0-9]{1,2}[A-Z]{1}[0-9]{1,2}[A-Z]{1}[0-9]{1,2}\/[A-Z]{1}[0-9]{4,5}[A-M]{1}[0-9]{1,2}[A-Z]{1}[0-9]{1,2}\/$/Um"; reference:url,blog.fireeye.com/research/2010/11/winself-a-new-backdoor-in-town.html; classtype:trojan-activity; sid:2012865; rev:11; metadata:created_at 2010_12_22, updated_at 2010_12_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.BackDoor-DRV.gen.c Reporting-1"; flow:established,to_server; content:"GET"; http_method; content:"/tzl/tzl.php?"; nocase; http_uri; content:"hl="; http_uri; nocase; reference:url,threatexpert.com/report.aspx?md5=d5ff6df296c068fcc0ddd303984fa6b9; reference:url,support.clean-mx.de/clean-mx/viruses.php?domain=wyunion.com&sort=first desc; classtype:trojan-activity; sid:2012113; rev:3; metadata:created_at 2011_12_30, updated_at 2011_12_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.BackDoor-DRV.gen.c Reporting-2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/zok.php?"; nocase; http_uri; content:"username="; nocase; http_uri; content:"url="; nocase; http_uri; content:"sid="; nocase; http_uri; content:"tm="; nocase; http_uri; content:"hlto="; http_uri; nocase; reference:url,threatexpert.com/report.aspx?md5=d5ff6df296c068fcc0ddd303984fa6b9; reference:url,support.clean-mx.de/clean-mx/viruses.php?domain=wyunion.com&sort=first desc; classtype:trojan-activity; sid:2012114; rev:3; metadata:created_at 2011_12_30, updated_at 2011_12_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Waledac 2.0/Storm Worm 3.0 GET request detected"; flow:established; content:"GET"; nocase; http_method; urilen:1; content:"/"; http_uri; content:"|0d 0a|Content-Length|3a| "; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trid"; http_header; content:"ent/4.0)|0d 0a 0d 0a 01 02 01 01 01 01 02 01|"; fast_pattern; http_header; within:20; classtype:trojan-activity; sid:2012136; rev:12; metadata:created_at 2011_01_05, updated_at 2011_01_05;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Storm/Waledac 3.0 Checkin 1"; flow:established,to_server; content:"GET "; nocase; depth:4; content:".htm"; content:"Host|3a| "; content:"Content-Length|3a| "; content:".htm HTTP/1.1"; pcre:"/Host\x3a [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/"; pcre:"/Content-Length\x3a [1-9]/"; classtype:trojan-activity; sid:2012137; rev:5; metadata:created_at 2011_01_05, updated_at 2011_01_05;)

alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Storm/Waledac 3.0 Checkin 2"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"Host|3a| "; content:"Content-Length|3a| "; content:".htm HTTP/1.1"; content:"|01 02 01 01|"; fast_pattern; pcre:"/Host\x3a [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/"; pcre:"/Content-Length\x3a [1-9]/"; classtype:trojan-activity; sid:2012139; rev:6; metadata:created_at 2011_01_05, updated_at 2011_01_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Blackhole Exploit Pack Binary Load Request"; flow:established,to_server; content:".php?f="; fast_pattern; http_uri; content:"&e="; http_uri; content:!"Referer|3a|"; http_header; content:"User-Agent|3a|"; http_header; content:"Host|3a|"; http_header; distance:0; pcre:"/^[^?#]+?\.php\?f=\w+&e=\d+$/U"; flowbits:set,et.exploitkitlanding; reference:url,krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/; classtype:bad-unknown; sid:2012169; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_01_07, malware_family Blackhole, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Renos/Artro Trojan Checkin"; flow:established,to_server; content:"POST"; http_method; content:!"Referer"; http_header; content:".php?"; http_uri; content:"=v"; http_uri; pcre:"/\.php\?[^=]+=v\d{2}[0-9A-Za-z\/\+]+==$/U"; content:"data="; http_client_body; depth:5; content:"wget"; nocase; http_header; fast_pattern:only; pcre:"/^data=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/P"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=TROJANDOWNLOADER%3aWIN32/RENOS.MJ; reference:url,www.securelist.com/en/analysis/204792172/The_Advertising_Botnet; reference:url,www.threatexpert.com/report.aspx?md5=01ca25570659c2e1b8b887a3229ef421; classtype:trojan-activity; sid:2013186; rev:17; metadata:created_at 2011_01_12, updated_at 2011_01_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Carberp CnC request POST /set/task.html"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/set/task.html"; http_uri; depth:14; content:"id=dvlsl"; http_client_body; classtype:trojan-activity; sid:2012178; rev:3; metadata:created_at 2011_01_14, updated_at 2011_01_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Worm W32.Svich or Other Infection Request for setting.ini"; flow:established,to_server; content:"/setting.ini"; nocase; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=fcb828c0b735ea8d560a45b3bdd29b94; reference:url,www.threatexpert.com/report.aspx?md5=36d9a446d6311f9a4c19865e2b62f15d; classtype:trojan-activity; sid:2012198; rev:2; metadata:created_at 2011_01_17, updated_at 2011_01_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Worm W32.Svich or Other Infection Request for setting.xls"; flow:established,to_server; content:"/setting.xls"; nocase; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=fb789b067c2809c25fb36abb677cdfcd; classtype:trojan-activity; sid:2012199; rev:2; metadata:created_at 2011_01_17, updated_at 2011_01_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Worm W32.Svich or Other Infection Request for setting.doc"; flow:established,to_server; content:"/setting.doc"; nocase; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=fb789b067c2809c25fb36abb677cdfcd; classtype:trojan-activity; sid:2012200; rev:2; metadata:created_at 2011_01_17, updated_at 2011_01_17;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FAKEAV CryptMEN pack.exe Payload Download"; flow:established,from_server; content:"Content-Disposition|3a| attachment|3b| filename="; http_header; content:"|22|pack.exe|22|"; http_header; classtype:trojan-activity; sid:2012208; rev:4; metadata:created_at 2011_01_20, updated_at 2011_01_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Winsoft.E Checkin 1"; flow:established,to_server; content:".asp?prj="; http_uri; content:"&pid="; http_uri; content:"&logdata="; http_uri; content:"winsoft"; nocase; reference:url,www.threatexpert.com/report.aspx?md5=d773d063d8cf35166831af0dae13a4b7; reference:url,xml.ssdsandbox.net/index.php/935021734dd64921defd1eb266c3fb39; classtype:trojan-activity; sid:2012222; rev:2; metadata:created_at 2011_01_24, updated_at 2011_01_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Winsoft.E Checkin 2"; flow:established,to_server; content:".asp?prj="; http_uri; content:"&pid="; http_uri; content:"&mac="; http_uri; content:"winsoft"; nocase; reference:url,www.threatexpert.com/report.aspx?md5=d773d063d8cf35166831af0dae13a4b7; reference:url,xml.ssdsandbox.net/index.php/935021734dd64921defd1eb266c3fb39; classtype:trojan-activity; sid:2012223; rev:2; metadata:created_at 2011_01_24, updated_at 2011_01_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Winsoft.E Checkin 3"; flow:established,to_server; content:"autoidcnt.asp?mer_seq="; http_uri; content:"&realid="; http_uri; content:"&mac="; http_uri; content:"winsoft"; nocase; reference:url,www.threatexpert.com/report.aspx?md5=d773d063d8cf35166831af0dae13a4b7; reference:url,xml.ssdsandbox.net/index.php/935021734dd64921defd1eb266c3fb39; classtype:trojan-activity; sid:2012224; rev:2; metadata:created_at 2011_01_24, updated_at 2011_01_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Spy Banker Outbound Communication Attempt"; flow:established,to_server; content:"praquem="; nocase; content:"titulo="; distance:0; nocase; content:"Dir+System32"; nocase; distance:0; reference:url,www.threatexpert.com/report.aspx?md5=58b3c37b61d27cdc0a55321f4c12ef04; classtype:trojan-activity; sid:2012225; rev:2; metadata:created_at 2011_01_24, updated_at 2011_01_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Banbra Banking Trojan Communication"; flow:established,to_server; content:"para="; nocase; content:"titulo="; nocase; distance:0; content:"mensagem="; nocase; distance:0; reference:url,www.threatexpert.com/report.aspx?md5=7ce03717d6879444d8e45b7cf6470c67; classtype:trojan-activity; sid:2012226; rev:2; metadata:created_at 2011_01_24, updated_at 2011_01_24;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FAKEAV Gemini softupdate*.exe download"; flow:established,to_client; content:"Content-Disposition|3a| attachment|3b| filename=softupdate"; http_header; classtype:trojan-activity; sid:2012227; rev:4; metadata:created_at 2011_01_24, updated_at 2011_01_24;)

alert tcp $EXTERNAL_NET 900:11000 -> $HOME_NET any (msg:"ET TROJAN x0Proto Init"; flow:established,from_server; dsize:2; content:"x0"; depth:2; flowbits:noalert; flowbits:set,et.x0proto; classtype:trojan-activity; sid:2012236; rev:1; metadata:created_at 2011_01_27, updated_at 2011_01_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 900:11000 (msg:"ET TROJAN x0Proto Client Info"; flow:established,to_server; flowbits:isset,et.x0proto; dsize:<128; content:"x0|0c|"; depth:3; classtype:trojan-activity; sid:2012237; rev:1; metadata:created_at 2011_01_27, updated_at 2011_01_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 900:11000 (msg:"ET TROJAN x0Proto Pong"; flow:established,to_server; flowbits:isset,et.x0proto; dsize:9; content:"x53|0c|"; depth:4; content:"|0c|0|0c|1"; distance:1; within:4; classtype:trojan-activity; sid:2012238; rev:1; metadata:created_at 2011_01_27, updated_at 2011_01_27;)

alert tcp $EXTERNAL_NET 900:11000 -> $HOME_NET any (msg:"ET TROJAN x0Proto Ping"; flow:established,from_server; flowbits:isset,et.x0proto; dsize:7; content:"x53|0c|1|0c|0"; depth:7; classtype:trojan-activity; sid:2012239; rev:1; metadata:created_at 2011_01_27, updated_at 2011_01_27;)

alert tcp $EXTERNAL_NET 900:11000 -> $HOME_NET any (msg:"ET TROJAN x0Proto Download Cmd"; flow:established,from_server; flowbits:isset,et.x0proto; content:"x74|0c|1|0c|1x"; depth:8; classtype:trojan-activity; sid:2012240; rev:1; metadata:created_at 2011_01_27, updated_at 2011_01_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MUROFET/Licat Trojan Checkin Forum"; flow:established,to_server; content:"GET"; http_method; content:!"|0d 0a|Referer|3a|"; nocase; content:"/forum/?"; http_uri; pcre:"/forum\/\?[0-9a-f]{8}$/U"; reference:url,extraexploit.blogspot.com/2010/10/some-domains-for-licatmurofettrojanzbot.html; reference:url,www.threatexpert.com/report.aspx?md5=531e84b0894a7496479d186712acd7d2; classtype:trojan-activity; sid:2012248; rev:2; metadata:created_at 2011_01_29, updated_at 2011_01_29;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET TROJAN USPS Inbound SPAM"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|USPS_Document.zip"; nocase; classtype:trojan-activity; sid:2012276; rev:2; metadata:created_at 2011_02_03, updated_at 2011_02_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpyEye HTTP Library Checkin"; flow:established,to_server; content:"POST"; http_method; content:"form-data|3b 20|name=|22|sid|22|"; http_client_body; content:"form-data|3b 20|name=|22|ping|22|"; http_client_body; content:"form-data|3b 20|name=|22|guid|22|"; http_client_body; content:"form-data|3b 20|name=|22|GB|22 3b 20|filename=|22|GB.TXT|22|"; http_client_body; fast_pattern; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012279; rev:3; metadata:created_at 2011_02_03, updated_at 2011_02_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpyEye Post_Express_Label ftpgrabber check-in"; flow:established,to_server; content:"grabbers.php"; http_uri; content:"&module=ftpgrabber"; http_client_body; content:!"Referer|3a| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012284; rev:3; metadata:created_at 2011_02_03, updated_at 2011_02_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32 Troxen Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/report3.ashx?"; http_uri; nocase; content:"m="; nocase; http_uri; content:"mid="; nocase; http_uri; content:"d="; nocase; http_uri; content:"uid="; http_uri; nocase; reference:url,threatexpert.com/report.aspx?md5=664a5147e6258f10893c3fd375f16ce4; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32/Troxen!rts; classtype:trojan-activity; sid:2012289; rev:3; metadata:created_at 2011_02_04, updated_at 2011_02_04;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Spy.Win32.Agent.bijs Reporting 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/app/count/inst.php?"; http_uri; nocase; content:"ucode="; nocase; http_uri; content:"pcode="; http_uri; nocase; reference:url,threatexpert.com/report.aspx?md5=846ac24b003c6d468a833bff58db5f5c; classtype:trojan-activity; sid:2012290; rev:3; metadata:created_at 2011_02_04, updated_at 2011_02_04;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Spy.Win32.Agent.bijs Reporting 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/app/count/boot.php?"; nocase; http_uri; content:"ucode="; nocase; http_uri; content:"pcode="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=846ac24b003c6d468a833bff58db5f5c; classtype:trojan-activity; sid:2012288; rev:3; metadata:created_at 2011_02_04, updated_at 2011_02_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32 Bamital or Backdoor.Win32.Shiz CnC Communication"; flow:established,to_server; content:"/favicon.ico?0="; http_uri; content:"&1="; http_uri; content:"&2="; http_uri; content:"&3="; http_uri; content:"&4="; http_uri; content:"&5="; http_uri; content:"&6="; http_uri; content:"&7="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=fbcdfecc73c4389e8d3ed7e2e573b6f1; classtype:trojan-activity; sid:2012299; rev:2; metadata:created_at 2011_02_06, updated_at 2011_02_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Night Dragon CnC Beacon Outbound"; flow:established,to_server; dsize:16; content:"|01 50 00 00 00 00 00 00 00 00 00 01 68 57 24 13|"; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf; classtype:trojan-activity; sid:2012303; rev:4; metadata:created_at 2011_02_10, updated_at 2011_02_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Night Dragon CnC Beacon Inbound"; flow:established,from_server; dsize:16; content:"|01 50 00 00 00 00 00 00 00 00 00 01 68 57 24 13|"; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf; classtype:trojan-activity; sid:2012304; rev:6; metadata:created_at 2011_02_10, updated_at 2011_02_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Night Dragon CnC Traffic Outbound 2"; flow:established,to_server; dsize:16; content:"|68 57 24 13|"; offset:12; depth:4; threshold: type limit, count 1, seconds 60, track by_dst; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf; classtype:trojan-activity; sid:2012306; rev:6; metadata:created_at 2011_02_10, updated_at 2011_02_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Night Dragon CnC Traffic Inbound 2"; flow:established,from_server; dsize:16; content:"|68 57 24 13|"; offset:12; depth:4; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf; classtype:trojan-activity; sid:2012305; rev:5; metadata:created_at 2011_02_10, updated_at 2011_02_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Night Dragon CMD Shell"; flow:established,to_server; content:"|68 57 24 13 00 33|Microsoft"; offset:12; depth:15; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf; classtype:trojan-activity; sid:2012307; rev:1; metadata:created_at 2011_02_11, updated_at 2011_02_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Night Dragon Dropper Download Command"; flow:established,from_server; dsize:5; content:"|01 08 00 00 00|"; fast_pattern:only; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf; classtype:trojan-activity; sid:2012308; rev:3; metadata:created_at 2011_02_11, updated_at 2011_02_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Night Dragon Server Auth to Bot"; flow:established,from_server; dsize:29; content:"|00 00|password|00 00 00|"; offset:3; depth:13; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf; classtype:trojan-activity; sid:2012309; rev:1; metadata:created_at 2011_02_11, updated_at 2011_02_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Rootkit TDSS/Alureon Checkin 2"; flow:established,to_server; content:"/dx.php?i="; http_uri; content:"&x64="; http_uri; content:"os="; http_uri; content:"&a="; http_uri; content:"&f="; http_uri; pcre:"/dx\.php\?i=[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}&a=/Ui"; reference:url,contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html; classtype:trojan-activity; sid:2012314; rev:1; metadata:created_at 2011_02_14, updated_at 2011_02_14;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FAKEAV download (AntiSpyWareSetup.exe)"; flow:established,to_client; content:"Content-Disposition|3a| attachment|3b| filename=AntiSpy"; nocase; http_header; content:"etup.exe"; nocase; http_header; classtype:trojan-activity; sid:2012318; rev:4; metadata:created_at 2011_02_18, updated_at 2011_02_18;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET TROJAN IRS Inbound SMTP Malware"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|irs_legalauth-tax_payment_notice_"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012319; rev:2; metadata:created_at 2011_02_18, updated_at 2011_02_18;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET TROJAN IRS Inbound SPAM"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|IRS-TaxPaymentNotification"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012320; rev:2; metadata:created_at 2011_02_18, updated_at 2011_02_18;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET TROJAN IRS Inbound SPAM variant 3"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|Individual_Income_Tax_Rtrn_"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012329; rev:2; metadata:created_at 2011_02_21, updated_at 2011_02_21;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET TROJAN USPS SPAM Inbound possible spyeye trojan"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|USPS_"; nocase; content:".zip|22|"; nocase; reference:url,www.virustotal.com/file-scan/report.html?id=ed1766eb13cc7f41243dd722baab9973560c999c1489763c0704debebe8f4cb1-1298551066; classtype:trojan-activity; sid:2012388; rev:2; metadata:created_at 2011_02_27, updated_at 2011_02_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Java Exploit Kit Success Check-in Executable Download Likely"; flow:established,to_server; content:".php?"; http_uri; content:"=javajsm"; http_uri; classtype:trojan-activity; sid:2012389; rev:2; metadata:created_at 2011_02_27, updated_at 2011_02_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cnzz.cn Related Dropper Checkin"; flow:established,to_server; content:"?Hook1=1,Setup="; http_uri; classtype:trojan-activity; sid:2013790; rev:4; metadata:created_at 2011_02_27, updated_at 2011_02_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tatanga Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?build="; http_uri; content:"&id="; http_uri; content:"&SA=1-0"; http_uri; content:"&SP=1-"; http_uri; reference:url,securityblog.s21sec.com/2011/02/tatanga-new-banking-trojan-with-mitb.html; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojtatangac.html; reference:url,support.clean-mx.de/clean-mx/view_joebox.php?md5=4b5eb54de32f86819c638878ac2c7985&id=740958; reference:url,www.malware-control.com/statics-pages/06198e9b72e1bb0c256769c5754ed821.php; classtype:trojan-activity; sid:2012391; rev:1; metadata:created_at 2011_02_28, updated_at 2011_02_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious Download Setup_ exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/Setup_"; nocase; http_uri; content:".exe"; nocase; http_uri; pcre:"/\/Setup_\d+\.exe$/Ui"; reference:url,www.malwareurl.com/listing.php?domain=antivirus-live21.com; classtype:trojan-activity; sid:2012392; rev:4; metadata:created_at 2011_02_28, updated_at 2011_02_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential FakePAV Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/soft-usage/favicon.ico?"; nocase; http_uri; pcre:"/\?0=.*\&1=.*\&2=.*\&3=.*\&4=.*\&5=.*\&6=.*\&7=.*\&8=/Ui"; reference:url,www.threatexpert.com/report.aspx?md5=f5dd61e29eff89a93c591fba7ea14d92; classtype:trojan-activity; sid:2012405; rev:4; metadata:created_at 2011_03_01, updated_at 2011_03_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Backdoor.Win32.Likseput.B Checkin 2"; flow:from_server,established; file_data; content:"|3c 21 2d 2d 0d 0a 3c|img border="; nocase; distance:0; content:"|2f 23|KX8|2E|"; distance:5; within:64; fast_pattern; pcre:"/^\x3c\x21\x2d\x2d\x0d\x0a\x3cimg\x20border=\d+\x20src=\x22\S+\x2f\x23KX8\x2e/mi"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fLikseput.B; classtype:trojan-activity; sid:2016428; rev:3; metadata:created_at 2011_03_08, updated_at 2011_03_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojanDownloader Win32/Harnig.gen-P Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/bhanx.php?"; http_uri; nocase; content:"adv="; nocase; http_uri; content:"&code1="; nocase; http_uri; content:"&code2="; nocase; http_uri; content:"&id="; nocase; http_uri; content:"&p="; http_uri; nocase; reference:url,threatexpert.com/report.aspx?md5=40d1819b9c3c85e1f3b7723c7a9118ad; classtype:trojan-activity; sid:2012438; rev:4; metadata:created_at 2011_03_08, updated_at 2011_03_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Vilsel.akd Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/app_count/ag4_del_count.php?"; nocase; http_uri; content:"mac="; nocase; http_uri; content:"pid="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=2d6cede13913b17bc2ea7c7f70ce5fa8; classtype:trojan-activity; sid:2012439; rev:3; metadata:created_at 2011_03_08, updated_at 2011_03_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.Win32.Agent.bqkb Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/updata/"; nocase; http_uri; content:"lg1="; nocase; http_uri; content:"lg2="; nocase; http_uri; content:"lg3="; nocase; http_uri; content:"lg5="; nocase; http_uri; content:"lg6="; nocase; http_uri; content:"lg7="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=de85ae919d48325189bead995e8052e7; reference:url,support.clean-mx.de/clean-mx/viruses.php?ip=210.163.9.69&sort=first desc; classtype:trojan-activity; sid:2012440; rev:3; metadata:created_at 2011_03_08, updated_at 2011_03_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.Win32.Banload Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/avisa.php?"; nocase; http_uri; content:"usuario="; nocase; http_uri; content:"pc="; nocase; http_uri; content:"serial="; nocase; http_uri; content:"versao="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=43b0ddf87c66418053ee055501193abf; reference:url,scumware.org/report/89.108.68.81; classtype:trojan-activity; sid:2012441; rev:3; metadata:created_at 2011_03_08, updated_at 2011_03_08;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET TROJAN UPS Inbound bad attachment v.5"; flow:established,to_server; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|UPS"; nocase; content:".zip|22|"; nocase; pcre:"/ups(_parcel_delivery-tracking-notice-|-Delivery-Notification-Message_)\S*\.zip/Ui"; classtype:trojan-activity; sid:2012443; rev:2; metadata:created_at 2011_03_08, updated_at 2011_03_08;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET TROJAN UPS Inbound bad attachment v.6"; flow:established,to_server; content:"From|3a| |22|United Parcel Service|22|"; nocase; content:"|40|ups.com"; nocase; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|document.zip|22|"; nocase; classtype:trojan-activity; sid:2012444; rev:3; metadata:created_at 2011_03_08, updated_at 2011_03_08;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET TROJAN Post Express Inbound bad attachment"; flow:established,to_server; content:"Post Express|22|"; nocase; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|Post_Express_"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012445; rev:6; metadata:created_at 2011_03_08, updated_at 2011_03_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Eleonore Exploit pack download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/load/load.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=ultranichehost.com; classtype:trojan-activity; sid:2012446; rev:1; metadata:created_at 2011_03_10, updated_at 2011_03_10;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader Win32.Agent.FakeAV.AVG 1"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?mod=lr&id="; http_uri; content:"&ver="; http_uri; content:"&bit="; http_uri; content:"&uni="; http_uri; reference:url,support.clean-mx.de/clean-mx/view_joebox.php?md5=96742442435325983fefb385174a57be&id=765408; classtype:trojan-activity; sid:2012448; rev:1; metadata:created_at 2011_03_10, updated_at 2011_03_10;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader Win32.Agent.FakeAV.AVG 2"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?mod=vv&i="; http_uri; content:"&id="; http_uri; content:"&uni="; http_uri; reference:url,support.clean-mx.de/clean-mx/view_joebox.php?md5=96742442435325983fefb385174a57be&id=765408; classtype:trojan-activity; sid:2012449; rev:1; metadata:created_at 2011_03_10, updated_at 2011_03_10;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible JKDDOS download 500.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/500.exe"; nocase; http_uri; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012456; rev:2; metadata:created_at 2011_03_10, updated_at 2011_03_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible JKDDOS download ddos.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ddos.exe"; nocase; http_uri; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012457; rev:1; metadata:created_at 2011_03_10, updated_at 2011_03_10;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible JKDDOS download desyms.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/desyms.exe"; nocase; http_uri; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012458; rev:2; metadata:created_at 2011_03_10, updated_at 2011_03_10;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible JKDDOS download 1691.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/1691.exe"; nocase; http_uri; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012459; rev:2; metadata:created_at 2011_03_10, updated_at 2011_03_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible JKDDOS download wm.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/wm.exe"; nocase; http_uri; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012460; rev:2; metadata:created_at 2011_03_10, updated_at 2011_03_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible JKDDOS download cl.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/cl.exe"; nocase; http_uri; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012461; rev:2; metadata:created_at 2011_03_10, updated_at 2011_03_10;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET TROJAN DHL Spam Inbound"; flow:established,to_server; content:"|40|dhl.com"; nocase; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012492; rev:2; metadata:created_at 2011_03_11, updated_at 2011_03_11;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET TROJAN DHL Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; content:"|22|filename=dhl_"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012493; rev:3; metadata:created_at 2011_03_11, updated_at 2011_03_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Trup.CX Checkin 1"; flow:to_server,established; content:"/sms/do|2e|php?userid="; nocase; offset:4; depth:19; content:"&time="; nocase; within:64; content:"&msg="; nocase; within:32; content:"&pauid="; nocase; within:128; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32/Agent.AAE; classtype:trojan-activity; sid:2016951; rev:4; metadata:created_at 2011_03_14, updated_at 2011_03_14;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FakeAV InstallInternetDefender Download"; flow:established,from_server; content:"attachment|3b 20|filename=|22|InstallInternetDefender_"; http_header; nocase; classtype:trojan-activity; sid:2012494; rev:2; metadata:created_at 2011_03_14, updated_at 2011_03_14;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Monkif Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/photo/"; http_uri; content:"6x5x5772=712x5772=716x"; http_uri; classtype:trojan-activity; sid:2012505; rev:3; metadata:created_at 2011_03_15, updated_at 2011_03_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Driveby Exploit Attempt Often to Install Monkif"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/frame.php?pl=Win32"; nocase; http_uri; classtype:trojan-activity; sid:2012506; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2011_03_15, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Monkif CnC response in fake JPEG"; flow:established,from_server; file_data; content:"|ff d8 ff e0|"; within:4; content:"JFIF|00 01 01|"; distance:2; content:"lppt>++"; fast_pattern; within:50; content:"bm|60|95"; distance:0; content:"|7c|0"; distance:0; reference:url,2009.brucon.org/material/Julia_Wolf_Brucon_final.pdf; reference:url,research.zscaler.com/2010/03/trojan-monkif-is-still-active-and.html; reference:url,blogs.mcafee.com/mcafee-labs/monkif-botnet-hides-commands-in-jpegs; classtype:trojan-activity; sid:2012507; rev:4; metadata:created_at 2011_03_15, updated_at 2011_03_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hiloti loader installed successfully request"; flow:established,to_server; content:"POST"; http_method; content:"/install.php?affid="; http_uri; depth:19; content:"|64 61 74 61 3d|"; depth:5; http_client_body; content:"|30 31 30|"; distance:64; within:3; fast_pattern; http_client_body; content:"|31|"; distance:1; within:1; http_client_body; metadata: former_category TROJAN; classtype:trojan-activity; sid:2012513; rev:3; metadata:created_at 2011_03_16, updated_at 2018_03_21;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Hiloti loader installed successfully response"; flow:established,from_server; file_data; content:"a|0D 0A|install OK"; within:13; classtype:trojan-activity; sid:2012512; rev:1; metadata:created_at 2011_03_16, updated_at 2011_03_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hiloti loader requesting payload URL"; flow:established,to_server; content:"/lurl.php?affid="; http_uri; depth:16; classtype:trojan-activity; sid:2012514; rev:2; metadata:created_at 2011_03_16, updated_at 2011_03_16;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Rimecud.B Activity"; flow:to_server,established; content:"POST"; nocase; http_method; content:"&acc=ups"; http_uri; content:"&nick="; http_uri; content:"&botver=Beta&code="; http_uri; content:"User-Agent|3a 20|"; nocase; http_header; content:"|3b 20|es-ES|3b|"; distance:39; http_header; content:"plist|3d 2d 2d 2d|"; depth:9; http_client_body; content:"Passwords"; distance:0; http_client_body; reference:url,www.threatexpert.com/report.aspx?md5=01dd7102b9d36ec8556eed2909b74f52; classtype:trojan-activity; sid:2012517; rev:3; metadata:created_at 2011_03_17, updated_at 2011_03_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Win32 Banker Trojan CheckIn"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"/sys7."; http_uri; fast_pattern; reference:url,www.xandora.net/xangui/malware/view/18e5c43b3d430526e90799e7cc2c3ec8; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanSpy%3AWin32%2FBancos.ZY; classtype:trojan-activity; sid:2012521; rev:3; metadata:created_at 2011_03_21, updated_at 2011_03_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Virut.BN Checkin"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"list.php?c="; within:32; content:"&v="; distance:0; content:"&t="; distance:0; pcre:"/c\x3d[0-9A-F]{100}/i"; reference:url,www.threatexpert.com/report.aspx?md5=199d9ea754f193194e251415a2f6dd46; classtype:trojan-activity; sid:2012533; rev:6; metadata:created_at 2011_03_21, updated_at 2011_03_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.small Generic Checkin"; flow:established,to_server; content:"/install.asp?mac="; http_uri; content:"User-Agent|3a| MyAgent"; http_header; classtype:trojan-activity; sid:2012541; rev:1; metadata:created_at 2011_03_22, updated_at 2011_03_22;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWS-Banker.gen.b Reporting"; flow:established,to_server; content:"GET"; http_method; content:"/curubacom.php?"; http_uri; nocase; content:"op="; http_uri; nocase; reference:url,threatexpert.com/report.aspx?md5=e3fdf31ce57b3807352971a62f85c55b; classtype:trojan-activity; sid:2012592; rev:3; metadata:created_at 2011_03_28, updated_at 2011_03_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BlackshadesRAT Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/alive.php?"; nocase; http_uri; content:"key="; nocase; http_uri; content:"pcuser="; nocase; http_uri; content:"pcname="; nocase; http_uri; content:"hwid="; nocase; http_uri; content:"country="; nocase; http_uri; metadata: former_category TROJAN; reference:url,threatexpert.com/report.aspx?md5=85a9f25c9b6614a8ad16dd7f3363a247; classtype:trojan-activity; sid:2012587; rev:4; metadata:created_at 2011_03_28, updated_at 2018_06_14;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Best Spyware Scanner FaveAV Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/BestSpywareScanner_Setup.exe"; nocase; http_uri; classtype:trojan-activity; sid:2012590; rev:4; metadata:created_at 2011_03_28, updated_at 2011_03_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Slugin.A PatchTimeCheck.dat Request"; flow:established,to_server; content:"/PatchTimeCheck.dat"; nocase; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2012616; rev:3; metadata:created_at 2011_03_31, updated_at 2011_03_31;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Malware PatchPathNewS3.dat Request"; flow:established,to_server; content:"/PatchPathNewS3.dat"; nocase; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2012617; rev:3; metadata:created_at 2011_03_31, updated_at 2011_03_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.FakeAV.chhq Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"|2f|index|2e|php|3f 30 64 34 30 62 30 3d|"; http_uri; fast_pattern; content:"User-Agent|3A| Mozilla|2f|3|2e|0"; http_header; classtype:trojan-activity; sid:2012620; rev:8; metadata:created_at 2011_03_31, updated_at 2011_03_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV Check-in purporting to be MSIE with invalid terse HTTP headers"; flow:established,to_server; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Host|3a 20|"; content:"|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; distance:0; content:")|0d 0a|Content-Length"; distance:0; content:"|0d 0a 0d 0a|data="; fast_pattern; classtype:trojan-activity; sid:2012627; rev:1; metadata:created_at 2011_04_04, updated_at 2011_04_04;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,8081] (msg:"ET TROJAN Chinese Bootkit Checkin"; flow:established,to_server; content:".aspx"; content:"a=Windows"; nocase; content:"&b="; content:"&c="; content:"&f="; content:"&k="; pcre:"/c=[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}/i"; reference:url,www.securelist.com/en/blog/434/The_Chinese_bootkit; classtype:trojan-activity; sid:2012631; rev:4; metadata:created_at 2011_04_05, updated_at 2011_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN GET to Google with specific HTTP lib likely Cycbot/Bifrose/Kryptic checking Internet connection "; flow:established,to_server; content:"GET|20|/|20|HTTP/1."; content:"|0d 0a|Connection|3a 20|close|0d 0a|Host|3a 20|www.google.com|0d 0a|Pragma|3a 20|no-cache|0d 0a 0d 0a|"; within:65; classtype:trojan-activity; sid:2012645; rev:4; metadata:created_at 2011_04_06, updated_at 2011_04_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan Related Lame Updater User-Agent"; flow:established,to_server; content:"User-Agent|3a 20|LameUpdater"; http_header; classtype:trojan-activity; sid:2017347; rev:3; metadata:created_at 2011_04_07, updated_at 2011_04_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dooptroop Dropper Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/nconfirm.php?"; http_uri; fast_pattern; content:"rev="; distance:0; http_uri; content:"code="; http_uri; content:"param="; http_uri; content:"num="; http_uri; content:!"Referer|3a|"; http_header; reference:url,blog.eset.com/2012/03/17/drive-by-ftp-a-new-view-of-cve-2011-3544; classtype:trojan-activity; sid:2013808; rev:3; metadata:created_at 2011_04_07, updated_at 2017_01_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN HTTP Request to a Malware Related Numerical .cn Domain"; flow:established,to_server; content:"Host|3a| "; http_header; content:".cn|0d 0a|"; within:25; http_header; fast_pattern; pcre:"/Host\x3A\x20[^a-z]*[0-9]{4,30}\x2Ecn\x0D\x0A/Hi"; classtype:misc-activity; sid:2012650; rev:8; metadata:created_at 2011_04_08, updated_at 2011_04_08;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Cybergate/Rebhip/Spyrat Backdoor Keepalive"; flow:from_server,established; dsize:<100; content:"ping|7c|"; depth:5; content:!"|7c|"; within:1; classtype:trojan-activity; sid:2017990; rev:12; metadata:created_at 2011_04_09, updated_at 2011_04_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Cybergate/Rebhip/Spyrat Backdoor Keepalive Response"; flow:to_server,established; dsize:<100; content:"pong|7c|"; depth:5; classtype:trojan-activity; sid:2017991; rev:6; metadata:created_at 2011_04_09, updated_at 2011_04_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpyEye Checkin version 1.3.25 or later"; flow:established,to_server; content:"POST"; nocase; http_method; content:"data=vK6yv+"; http_client_body; depth:11; classtype:trojan-activity; sid:2012686; rev:4; metadata:created_at 2011_04_13, updated_at 2011_04_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN Win32.UFRStealer.A issuing MKD command FTP"; flow:to_server,established; content:"MKD UFR_Stealer|0d 0a|"; nocase; depth:17; reference:url,www.threatexpert.com/report.aspx?md5=a251ef38f048d695eae52626e57d617d; classtype:trojan-activity; sid:2014111; rev:4; metadata:created_at 2011_04_20, updated_at 2011_04_20;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FakeAV InstallInternetProtection Download"; flow:established,from_server; content:"|3b 20|filename=|22|InstallInternetProtection_"; http_header; nocase; classtype:trojan-activity; sid:2012696; rev:1; metadata:created_at 2011_04_21, updated_at 2011_04_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Suspicious double Server Header"; flow:from_server,established; content:"HTTP/1.1 200"; depth:12; content:"Server|3a| Apache"; within:50; content:"Server|3a|nginx"; fast_pattern; within:150; classtype:trojan-activity; sid:2012707; rev:3; metadata:created_at 2011_04_22, updated_at 2011_04_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Internet Protection FakeAV checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"php?partner_id="; http_uri; content:"&u="; http_uri; content:"&log_id="; http_uri; content:"&os="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=7710686d03cd3174b6f644434750b22b; classtype:trojan-activity; sid:2012713; rev:2; metadata:created_at 2011_04_22, updated_at 2011_04_22;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FakeAV BestAntivirus2011 Download"; flow:established,from_server; content:"|3b 20|filename=|22|BestAntivirus20"; http_header; nocase; classtype:trojan-activity; sid:2012714; rev:2; metadata:created_at 2011_04_22, updated_at 2011_04_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [443,$HTTP_PORTS] (msg:"ET TROJAN Ixeshe/Mecklow Checkin"; flow:to_server,established; content:"GET /"; depth:5; content:!"Accept"; distance:0; content:!"Referer|3a|"; distance:0; content:"."; distance:0; content:"sp?"; distance:1; within:3; content:"HTTP/1."; distance:0; content:" MSIE 5.01|3b| Windows NT 5.0|29|"; distance:0; fast_pattern; pcre:"/^GET (?:\/[^\x2f]+)*?\/[A-Z0-9]+\.[aj]sp\?[a-zA-Z0-9+/\x20=]+\x20HTTP\/1\./"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fMecklow.A&ThreatID=-2147325849; reference:md5,3422e76cf4c99ec1091f8c342a3aedaa; reference:url,www.kahusecurity.com/2011/apec-spearphish-2/; classtype:trojan-activity; sid:2018379; rev:8; metadata:created_at 2011_04_26, updated_at 2011_04_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/FakeSysdef Rogue AV Checkin"; flow:established,to_server; content:"/dfrg/dfrg"; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=f0f750e8f195dcfc8623679ff2df1267; reference:url,www.threatexpert.com/report.aspx?md5=e186e530ebf0aec07f0cd2afd706633c; reference:url,www.threatexpert.com/report.aspx?md5=294a729bb6a8fc266990b4c94eb86359; classtype:trojan-activity; sid:2012725; rev:7; metadata:created_at 2011_04_26, updated_at 2011_04_26;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Known Hostile Domain citi-bank.ru Lookup"; content:"|09|citi-bank|02|ru|00|"; nocase; classtype:trojan-activity; sid:2012728; rev:4; metadata:created_at 2011_04_26, updated_at 2011_04_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BestAntivirus2011 Fake AV reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?affid="; http_uri; content:"&data="; http_uri; content:"&v="; http_uri; classtype:trojan-activity; sid:2012727; rev:2; metadata:created_at 2011_04_26, updated_at 2011_04_26;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Known Hostile Domain .ntkrnlpa.info Lookup"; content:"|08|ntkrnlpa|04|info|00|"; nocase; classtype:trojan-activity; sid:2012729; rev:3; metadata:created_at 2011_04_26, updated_at 2011_04_26;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Known Hostile Domain ilo.brenz .pl Lookup"; content:"|03|ilo|05|brenz|02|pl|00|"; nocase; metadata: former_category TROJAN; classtype:trojan-activity; sid:2012730; rev:4; metadata:created_at 2011_04_26, updated_at 2017_05_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-GameThief.Win32.OnLineGames.bnye Checkin"; flow:to_server,established; content:"|20|HTTP|2f|1|2e|1|0d 0a|User-Agent|3a 20|"; fast_pattern; content:"|0d 0a|Host|3a 20|"; within:13; content:"|3a|8080|0d 0a|Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; distance:0; content:!"|0d 0a|Accept"; http_header; pcre:"/User-Agent\x3a\x20[a-z]{3,4}\x0d\x0a/H"; reference:url,www.threatexpert.com/report.aspx?md5=014945cf93ffc94833f7a3efd92fe263; classtype:trojan-activity; sid:2012736; rev:9; metadata:created_at 2011_04_28, updated_at 2011_04_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.VBKrypt.cugq/Umbra Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/bot.php"; nocase; http_uri; fast_pattern:only; content:"mode="; nocase; http_client_body; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; pcre:"/\/bot\.php$/Ui"; pcre:"/mode=\d/Pi"; metadata: former_category TROJAN; reference:url,securelist.com/en/descriptions/10316591/Trojan.Win32.VBKrypt.cugq; reference:url,mcafee.com/threat-intelligence/malware/default.aspx?id=456326; reference:url,sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-RDK/detailed-analysis.aspx; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya; classtype:trojan-activity; sid:2018518; rev:5; metadata:created_at 2011_04_28, updated_at 2017_11_27;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Suspicious IAT HttpAddRequestHeader - Can Be Used For HTTP CnC"; flow:established,to_client; file_data; content:"MZ"; distance:0; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"HttpAddRequestHeader"; nocase; distance:0; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012767; rev:6; metadata:created_at 2011_05_03, updated_at 2011_05_03;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Suspicious IAT ZwProtectVirtualMemory - Undocumented API Which Can be Used for Rootkit Functionality"; flow:established,to_client; file_data; content:"MZ"; distance:0; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"ZwProtectVirtualMemory"; distance:0; nocase; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012768; rev:3; metadata:created_at 2011_05_03, updated_at 2011_05_03;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN Possible Hiloti DNS Checkin Message explorer_exe"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"explorer_exe"; nocase; distance:0; reference:url,blog.fortinet.com/hiloti-the-botmaster-of-disguise/; classtype:trojan-activity; sid:2012781; rev:2; metadata:created_at 2011_05_03, updated_at 2011_05_03;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Possible FakeAV Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"antiv"; nocase; fast_pattern; distance:0; classtype:bad-unknown; sid:2012786; rev:1; metadata:created_at 2011_05_04, updated_at 2011_05_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ponmocup C2 Sending Data to Controller 1"; flow:established,to_server; content:"/images2/"; nocase; http_uri; fast_pattern:only; pcre:"/\/images2\/[0-9a-fA-F]{500}/U"; reference:url,malwaresurvival.net/2011/04/21/media-site-pimping-malware/; reference:url,community.websense.com/forums/p/10728/23862.aspx; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatID=146443; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; classtype:trojan-activity; sid:2012799; rev:6; metadata:created_at 2011_05_10, updated_at 2011_05_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ponmocup C2 Sending Data to Controller 2"; flow:established,to_server; content:"/cgi-bin/rokfeller3.cgi?v=11"; nocase; http_uri; reference:url,malwaresurvival.net/2011/04/21/media-site-pimping-malware/; reference:url,community.websense.com/forums/p/10728/23862.aspx; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatID=146443; classtype:trojan-activity; sid:2012800; rev:3; metadata:created_at 2011_05_10, updated_at 2011_05_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/5.0 (Windows|3b| U|3b| MSIE 7.0|3b| Windows NT 6.0|3b| en-US)|0d 0a|"; http_header; fast_pattern:20,20; content:!"google-analytics.com|0d 0a|"; http_header; content:!"mail.ru|0d 0a|"; http_header; content:!"79xs.com|0d 0a|"; http_header; content:!"paoshuba.cc|0d 0a|"; http_header; content:!"dajiadu.net|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,malwaresurvival.net/2011/04/21/media-site-pimping-malware/; reference:url,community.websense.com/forums/p/10728/23862.aspx; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatID=146443; classtype:trojan-activity; sid:2012801; rev:5; metadata:created_at 2011_05_10, updated_at 2018_02_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Spoofed MSIE 8 User-Agent Likely Ponmocup"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/5.0 (Windows|3b| U|3b| MSIE 8.0|3b| Windows NT 6.0|3b| en-US)|0d 0a|"; http_header; fast_pattern:20,20; reference:url,malwaresurvival.net/2011/04/21/media-site-pimping-malware/; reference:url,community.websense.com/forums/p/10728/23862.aspx; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatID=146443; classtype:trojan-activity; sid:2012802; rev:3; metadata:created_at 2011_05_10, updated_at 2011_05_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf Alms backdoor checkin"; flow:to_server,established; content:"/getnewv.php?keyword=google&id="; http_uri; fast_pattern; content:"Mozilla/5.0 (Windows|3b| U|3b| Windows NT 5.1|3b| en-US)"; http_header; classtype:trojan-activity; sid:2012803; rev:4; metadata:created_at 2011_05_11, updated_at 2011_05_11;)

alert tcp $HOME_NET 1023: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.VB.Alsci/Dragon Eye RAT Checkin (sending user info)"; flow:to_server,established; content:"Auth"; nocase; depth:4; content:" @ "; within:128; content:"|5C 23 2F|"; within:128; content:"|5C 23 2F|"; within:32; content:"|5C 23 2F|"; fast_pattern; within:20; reference:url,www.threatexpert.com/report.aspx?md5=e7d9bc670d69ad8a6ad2784255324eec; reference:url,www.threatexpert.com/report.aspx?md5=37207835e128516fe17af3dacc83a00c; classtype:trojan-activity; sid:2016913; rev:5; metadata:created_at 2011_05_16, updated_at 2011_05_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN EXE Using Suspicious IAT ZwUnmapViewOfSection Possible Malware Process Hollowing"; flow:established,to_client; file_data; content:"MZ"; distance:0; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"ZwUnmapViewOfSection"; fast_pattern; nocase; distance:0; reference:url,blog.spiderlabs.com/2011/05/analyzing-malware-hollow-processes.html; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:bad-unknown; sid:2012816; rev:4; metadata:created_at 2011_05_18, updated_at 2011_05_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Fareit.A/Pony Downloader Checkin"; flow:to_server,established; content:"CRYPTED0"; depth:8; nocase; http_client_body; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit.A; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit; reference:url,www.threatexpert.com/report.aspx?md5=99fab94fd824737393f5184685e8edf2; reference:url,www.threatexpert.com/report.aspx?md5=9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:url,www.threatexpert.com/report.aspx?md5=d50c39753ba88daa00bc40848f174168; reference:url,www.threatexpert.com/report.aspx?md5=bf422f3aa215d896f55bbe2ebcd25d17; classtype:trojan-activity; sid:2013934; rev:5; metadata:created_at 2011_05_19, updated_at 2011_05_19;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Rimecud download"; flow:established,to_server; content:"/peca"; nocase; http_uri; content:".exe"; nocase; http_uri; content:"User-Agent|3a 20|SKOLOVANI"; nocase; http_header; pcre:"/\x2fpeca\d+\x2eexe/Ui"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3aWin32/Rimecud.A; classtype:trojan-activity; sid:2012828; rev:2; metadata:created_at 2011_05_20, updated_at 2011_05_20;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 27889 (msg:"ET TROJAN Trojan-Downloader.Win32.Small Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"|2e|ashx|3f|m|3d|"; content:"|2d|"; distance:2; within:1; content:"|26|mid|3d|"; distance:0; content:"|26|tid|3d|"; distance:0; content:"|26|d|3d|"; distance:0; content:"|26|uid|3d|"; distance:0; content:"|26|t|3d|"; distance:0; reference:url,threatexpert.com/report.aspx?md5=48432bdd116dccb684c8cef84579b963; classtype:trojan-activity; sid:2012839; rev:3; metadata:created_at 2011_05_23, updated_at 2011_05_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Incognito Exploit Kit Checkin"; flow:established,to_server; content:".php|3F|a|3D|QQk"; http_uri; flowbits:set,et.exploitkitlanding; reference:url,blog.fireeye.com/research/2011/03/the-rise-of-incognito.html; classtype:attempted-user; sid:2012841; rev:4; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Xyligan Checkin"; flow:to_server,established; dsize:16; content:"|00 00 00 11 C8 00 00 00|"; depth:8; reference:url,www.threatexpert.com/report.aspx?md5=bfbc0b106a440c111a42936906d36643; reference:url,www.threatexpert.com/report.aspx?md5=2190a2c0a3775bc9c60629ec2eb6f3b9; classtype:trojan-activity; sid:2012842; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Clicker.Win32.AutoIt.ai Checkin"; flow:to_server,established; content:"/getpmnum"; http_uri; content:".asp?"; http_uri; content:"id="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=39d0dbe4f6923ed36864ae339f558963; classtype:trojan-activity; sid:2012867; rev:2; metadata:created_at 2011_05_26, updated_at 2011_05_26;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi posting form data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"name=|22|upload_file|22|"; http_client_body; content:"URL|3a|"; http_client_body; content:!"elsevier.com"; http_header; classtype:trojan-activity; sid:2012871; rev:4; metadata:created_at 2011_05_27, updated_at 2011_05_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Poison.AU checkin"; flow:established,to_server; content:"|4D 53 47 20 35 20 4E 20 31 33 30 0D 0A 4D 49 4d 45 2d 56 65 72 73 69 6f 6e 3a 20 31 2e 30 0d 0a|"; depth:32; fast_pattern; content:"|f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6|"; reference:url,www.threatexpert.com/report.aspx?md5=4b8adc7612e984d12b77f197c59827a2; classtype:trojan-activity; sid:2012882; rev:4; metadata:created_at 2011_05_27, updated_at 2011_05_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN JKDDOS Bot CnC Phone Home Message"; dsize:<510; flow:established,to_server; content:"|10 00 00 00|Windows|20|"; depth:12; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry/; reference:url,www.threatexpert.com/report.aspx?md5=d6b3baae9fb476f0cf3196e556cab348; classtype:trojan-activity; sid:2012892; rev:3; metadata:created_at 2011_05_31, updated_at 2011_05_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Dropper.Win32.Agent.bpxo Checkin"; flow:established,to_server; content:"|71 4E 6C 39 34 65 66 59 41 7A 32 32 37 4F 71 45 44 4D 50 0A|"; depth:20; reference:url,www.threatexpert.com/report.aspx?md5=02e447b347a90680e03c8b7d843a8e46; reference:url,www.antivirus365.org/PCAntivirus/37128.html; classtype:trojan-activity; sid:2012894; rev:4; metadata:created_at 2011_05_31, updated_at 2011_05_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 288 (msg:"ET TROJAN Dropper.Win32.Agent.ahju Checkin"; flow:established,to_server; content:"|44 78 47 54 33 43 6D 42 66 39 73 39 6C 74 62 6A 35 61 4A 7C 0A|"; depth:21; reference:url,www.threatexpert.com/report.aspx?md5=48ad09c574a4bd3bb24d007005382e63; reference:url,www.threatexpert.com/report.aspx?md5=a264690a775a4e1b3d91c2dbcd850ce9; classtype:trojan-activity; sid:2012895; rev:2; metadata:created_at 2011_05_31, updated_at 2011_05_31;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor Win32/Begman.A Checkin"; flow:established,to_server; content:".php?v="; http_uri; content:"&id="; http_uri; content:"&wv="; http_uri; pcre:"/\.php\?v=[A-Za-z0-9.]+&id=-?\d+&wv=[0-9.]{1,14}$/U"; reference:url,support.clean-mx.de/clean-mx/view_joebox.php?md5=2eb07de0ccaed89cd099fe61e6ae689e&id=766255/; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FBegman.A; reference:url,www.virustotal.com/file-scan/report.html?id=0bb86bf59dd554f98194b23a16b96f873ddab8cbe11de627415ff81facd84f48-1299508248; reference:url,anubis.iseclab.org/?action=result&task_id=138559df2a6ed04a401366a9c60e2e1cf&format=txt; classtype:bad-unknown; sid:2012908; rev:2; metadata:created_at 2011_05_31, updated_at 2011_05_31;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible TDSS Trojan GET with xxxx_ string"; flow:established,to_server; content:"/xxxx_"; http_uri; pcre:"/\/xxxx_\d+\//U"; classtype:trojan-activity; sid:2012918; rev:3; metadata:created_at 2011_06_02, updated_at 2011_06_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Dropper/Clicker Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/nxdtic.txt"; http_uri; classtype:trojan-activity; sid:2012931; rev:4; metadata:created_at 2011_06_06, updated_at 2011_06_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Suspicious Email Attachment Possibly Related to Mydoom.L@mm"; flow:to_server,established; content:"Subject|3a 20|"; nocase; content:"mail"; nocase; within:34; content:"name|3d 22|"; pcre:"/name\x3d\x22(message|letter|.*lebanon\x2donline\x2ecom\x2elb)?\x2ezip\x22\x0d\x0a/"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-071915-0829-99&tabid=2; reference:url,www.threatexpert.com/report.aspx?md5=28110a8ea5c13859ddf026db5a8a864a; classtype:trojan-activity; sid:2012932; rev:7; metadata:created_at 2011_06_06, updated_at 2011_06_06;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic adClicker Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"web"; http_uri; content:"getinfo"; http_uri; content:".aspx?"; http_uri; content:"ver="; http_uri; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; classtype:trojan-activity; sid:2012934; rev:3; metadata:created_at 2011_06_06, updated_at 2011_06_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Kazy/Kryptor/Cycbot Trojan Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?v"; http_uri; content:"&tq="; http_uri; content:"User-Agent|3a| mozilla/2.0|0d 0a|"; fast_pattern:10,15; http_header; pcre:"/\.(jpg|png|gif)\?v[0-9]{1,2}=[0-9]+&tq=/U"; classtype:trojan-activity; sid:2012939; rev:6; metadata:created_at 2011_06_07, updated_at 2011_06_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious user agent (V32)"; flow:to_server,established; content:"User-Agent|3a| V"; http_header; pcre:"/^User-Agent\x3a V\d{2}\r$/Hm"; classtype:trojan-activity; sid:2014090; rev:6; metadata:created_at 2011_06_07, updated_at 2011_06_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.ZZSlash/Redosdru.E checkin"; flow:established,to_server; content:"|14 00 00 00 04 00 00 00 78 9C 63 60 60 60 00 00 00 04 00 01|"; depth:20; reference:url,www.threatexpert.com/report.aspx?md5=3b0299d72c853f56a1595c855776f89f; reference:url,www.threatexpert.com/report.aspx?md5=adc3a35d1244c9129be6edd6ccfaec5b; classtype:trojan-activity; sid:2012957; rev:2; metadata:created_at 2011_06_08, updated_at 2011_06_08;)

alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Vaklik.kku Checkin Request"; flow:to_server,established;  content:".rar HTTP/1."; pcre:"/\x2f\d+?\x2erar$/U"; flowbits:set,et.trojan.valkik.kku; flowbits:noalert; reference:url,threatexpert.com/report.aspx?md5=47a6dd02ee197f82b28cee0ab2b9bd35; reference:url,threatexpert.com/report.aspx?md5=81d8a235cb5f7345b5796483abe8145f; reference:url,www.threatexpert.com/report.aspx?md5=9688d1d37a7ced200c53ec2b9332a0ad; classtype:trojan-activity; sid:2012960; rev:8; metadata:created_at 2011_06_08, updated_at 2011_06_08;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1024: (msg:"ET TROJAN Trojan.Vaklik.kku Checkin Response"; flow:from_server,established; flowbits:isset,et.trojan.valkik.kku; content:"Content-Length|3a 20|88|0d 0a|"; nocase; content:"|0d 0a 0d 0a|"; distance:0; content:"|48 00 00 00|"; distance:4; within:4; flowbits:unset,et.trojan.valkik.kku; reference:url,threatexpert.com/report.aspx?md5=81d8a235cb5f7345b5796483abe8145f; reference:url,www.threatexpert.com/report.aspx?md5=9688d1d37a7ced200c53ec2b9332a0ad; classtype:trojan-activity; sid:2012961; rev:2; metadata:created_at 2011_06_08, updated_at 2011_06_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Qakbot Update Request"; flow:established,to_server; content:"/u/upd_"; http_uri; content:"cb"; http_uri; pcre:"/\x2Fu\x2Fupd\x5F(cb|.+\x2Ecb)/U"; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99; classtype:trojan-activity; sid:2012971; rev:1; metadata:created_at 2011_06_08, updated_at 2011_06_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Qakbot Request for Compromised FTP Sites"; flow:established,to_server; content:"/cgi-bin/jl/ad03.pl?pv=2&d="; http_uri; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99; classtype:trojan-activity; sid:2012972; rev:1; metadata:created_at 2011_06_08, updated_at 2011_06_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Qakbot Webpage Infection Routine POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/cgi-bin/jl/ad03.pl"; http_uri; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99; classtype:trojan-activity; sid:2012973; rev:2; metadata:created_at 2011_06_08, updated_at 2011_06_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN W32.Qakbot .cb File Extention FTP Upload"; flow:established,to_server; content:"si_"; content:".cb"; distance:10; within:3; pcre:"/si\x5F[a-z]{5}[0-9]{5}\x2Ecb/smi"; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99; classtype:trojan-activity; sid:2012974; rev:1; metadata:created_at 2011_06_08, updated_at 2011_06_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN W32.Qakbot Seclog FTP Upload"; flow:established,to_server; content:"seclog_"; content:".kcb"; within:30; pcre:"/seclog\x5F[a-z]{5}[0-9]{5}\x5F.+\x2Ekcb/smi"; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99; classtype:trojan-activity; sid:2012975; rev:1; metadata:created_at 2011_06_08, updated_at 2011_06_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible FakeAV Binary Download (Security)"; flow:established,to_client; content:"filename=|22|"; http_header; nocase; content:"security"; fast_pattern; nocase; http_header; within:50; pcre:"/filename\x3D\x22[^\r\n]*security[^\n]+\.exe/Hi"; content:!"ALLOW-FROM www.onecallnow.com"; http_header; content:!"Content-Type|3a 20|text/xml"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2012981; rev:3; metadata:created_at 2011_06_09, updated_at 2017_06_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Secure-Soft.Stealer Checkin"; flow:to_server,established; content:"|0d 0a|Content-Disposition|3A 20|form-data|3B 20|name|3D 22|programm|22 0d 0a 0d 0a|Windows Key|0d 0a|"; http_client_body; fast_pattern:46,20; reference:url,www.threatexpert.com/report.aspx?md5=c86923d90ef91653b0a61eb2fbfae202; reference:url,www.threatexpert.com/report.aspx?md5=0a52131eebbee1df877767875ab32352; classtype:trojan-activity; sid:2013026; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WebToolbar.Win32.WhenU.r Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/prod/MEADInst.exe"; http_uri; nocase; reference:url,threatexpert.com/report.aspx?md5=27867435a1b6b3f35daf13faac6f77b7; classtype:trojan-activity; sid:2013034; rev:3; metadata:created_at 2011_06_16, updated_at 2011_06_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_client; file_data; content:"MZ"; within:2; content:"|00 00|"; distance:0; content:"PE|00|"; distance:0; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2013036; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2011_06_16, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DLoader File Download Request Activity"; flow:established,to_server; content:"/load.php?file="; http_uri; pcre:"/\/load\.php\?file=(\d+|(\w+)?grabber(s)?|uploader)(&luck=\d)?$/U"; reference:url,www.f-secure.com/v-descs/trojan-downloader_w32_kdv176347.shtml; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=TROJ_VBKRYPT.CB; reference:url,www.threatexpert.com/report.aspx?md5=3310259795b787210dd6825e7b6d6d28; reference:url,www.threatexpert.com/report.aspx?md5=12554e7f2e78daf26e73a2f92d01e7a7; reference:url,www.threatexpert.com/report.aspx?md5=7af2097d75869aa5aa656cd6e523c8b3; classtype:trojan-activity; sid:2013045; rev:1; metadata:created_at 2011_06_16, updated_at 2011_06_16;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DLoader PWS Module Data Upload Activity"; flow:established,to_server; content:"/grabbers.php"; http_uri; content:"logs="; http_client_body; content:"&module=grabbers"; http_client_body; distance:0; reference:url,www.f-secure.com/v-descs/trojan-downloader_w32_kdv176347.shtml; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=TROJ_VBKRYPT.CB; reference:url,www.threatexpert.com/report.aspx?md5=3310259795b787210dd6825e7b6d6d28; reference:url,www.threatexpert.com/report.aspx?md5=12554e7f2e78daf26e73a2f92d01e7a7; reference:url,www.threatexpert.com/report.aspx?md5=7af2097d75869aa5aa656cd6e523c8b3; classtype:trojan-activity; sid:2013046; rev:1; metadata:created_at 2011_06_16, updated_at 2011_06_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DonBot Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/gateway/index"; http_uri; content:"|20|HTTP/1.0"; offset:19; depth:9; reference:url,labs.m86security.com/2011/06/new-bots-old-bots-ii-donbot/; classtype:trojan-activity; sid:2013047; rev:3; metadata:created_at 2011_06_16, updated_at 2011_06_16;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MacShield FakeAV CnC Communication"; flow:established,to_server; content:"/mac/soft.php?affid="; nocase; http_uri; fast_pattern:only; reference:url,blog.trendmicro.com/obfuscated-ip-addresses-and-affiliate-ids-in-mac-fakeav/; classtype:trojan-activity; sid:2013062; rev:1; metadata:created_at 2011_06_17, updated_at 2011_06_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Tracur.Q HTTP Communication"; flow:to_server,established; content:"GET"; http_method; content:"fQ_fQ_fQ_fQ"; http_uri; reference:url,xml.ssdsandbox.net/view/d2afc3be7357f96834ec684ab329d7e2; classtype:trojan-activity; sid:2013064; rev:2; metadata:created_at 2011_06_17, updated_at 2011_06_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dropper.MSIL.Agent.ate Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/bot.php?"; http_uri; content:"hwid="; http_uri; content:"pcname="; http_uri; reference:url,threatexpert.com/report.aspx?md5=4860e53b7e71cd57956e10ef48342b5f; classtype:trojan-activity; sid:2013071; rev:3; metadata:created_at 2011_06_21, updated_at 2011_06_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Meredrop Checkin"; flow:established, to_server; content:"POST"; nocase; http_method; content:"praquem="; http_client_body; content:"&titulo="; http_client_body; reference:url,www.virustotal.com/file-scan/report.html?id=14c8e9f054d6f7ff4d59b71b65933d73027fe39a2a62729257712170e36f32c5-1308250070; classtype:trojan-activity; sid:2013073; rev:3; metadata:created_at 2011_06_21, updated_at 2011_06_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Large DNS Query possible covert channel"; content:"|01 00 00 01 00 00 00 00 00 00|"; fast_pattern; depth:10; offset:2; dsize:>300; content:!"youtube|03|com|00|"; content:!"sophosxl|03|net|00|"; content:!"|0a|hashserver|02|cs|0a|trendmicro|03|com|00|"; content:!"spamhaus|03|org|00|"; classtype:bad-unknown; sid:2013075; rev:8; metadata:created_at 2011_06_21, updated_at 2011_06_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus Bot GET to Google checking Internet connectivity"; flow:established,to_server; content:"GET"; nocase; http_method; content:" HTTP/1."; content:"|0d 0a|Accept|3a| */*|0d 0a|Connection|3a| Close|0d 0a|User-Agent|3a| "; distance:1; within:46; content:"|0d 0a|Host|3a| "; distance:0; content:!"|0d 0a|Referer|3a| "; nocase; content:"/webhp"; http_uri; metadata: former_category TROJAN; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2013076; rev:6; metadata:created_at 2011_06_21, updated_at 2017_11_28;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Backdoor.Win32.DarkComet Keepalive Inbound"; flow:from_server,established; dsize:<30; content:"KEEPALIVE"; nocase; depth:9; pcre:"/^KEEPALIVE\x7c?\d/i"; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,www.contextis.com/research/blog/darkcometrat/; classtype:trojan-activity; sid:2013091; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2011_06_21, performance_impact Low, updated_at 2017_04_10;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN VBKrypt.cmtp Login to Server"; flow:to_server,established; content:"USER|20|lodosxxx"; reference:url,vil.nai.com/vil/content/v_377875.htm; classtype:trojan-activity; sid:2013092; rev:4; metadata:created_at 2011_06_21, updated_at 2011_06_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Vilsel Checkin"; flow:to_server,established; content:"/isup.php?v="; http_uri; content:"&sox="; http_uri; reference:url,www.malware-control.com/statics-pages/5de2e2f56e5277cfe3d44299ab496648.php; reference:url,www.malware-control.com/statics-pages/87290c3019b7dbac0d7d2e15f03572ba.php; classtype:trojan-activity; sid:2013114; rev:1; metadata:created_at 2011_06_24, updated_at 2011_06_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Sluegot.A Checkin WEBC2-YAHOO APT1 Related"; flow:to_server,established; content:"User-Agent|3a| IPHONE"; http_header; pcre:"/User-Agent\x3a\sIPHONE\d+\x2e\d+\x28(host\x3a|[^\r\n\x2c]+\x2c(\d{1,3}\.){3}\d{1,3})/Hi";  reference:url,www.securelist.com/en/descriptions/24052976/Trojan.Win32.Scar.ddxe; reference:md5,0149b7bd7218aab4e257d28469fddb0d; reference:md5,6f9992c486195edcf0bf2f6ee6c3ec74; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016461; rev:3; metadata:created_at 2011_06_27, updated_at 2011_06_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vilsel.ayjv Checkin (aid)"; flow:to_server,established; content:"?aid="; http_uri; content:"&si="; http_uri; content:"&rd="; http_uri; pcre:"/&si=\d+&si=\d+&rd=20\d{11}/U"; classtype:trojan-activity; sid:2013122; rev:7; metadata:created_at 2011_06_28, updated_at 2011_06_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV FakeAlert.Rena.n Checkin Flowbit set"; flow:established,to_server; content:"/1020000"; http_uri; depth:8; content:" HTTP/1.0|0d 0a|"; http_header; flowbits:set,ET.fakealert.rena.n; flowbits:noalert; classtype:trojan-activity; sid:2013135; rev:2; metadata:created_at 2011_06_29, updated_at 2011_06_29;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FakeAV FakeAlertRena.n Checkin Response from Server"; flow:established,from_server; flowbits:isset,ET.fakealert.rena.n; dsize:<200; content:"Content-Length|3a| 2|0d 0a|"; http_header; file_data; content:"OK"; within:2; classtype:trojan-activity; sid:2013136; rev:3; metadata:created_at 2011_06_29, updated_at 2011_06_29;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.Gbod.dv Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Opera/"; http_header; content:"Presto/"; http_header; content:!"Accept|3a| "; http_header; content:"a="; http_client_body; content:"&b="; http_client_body; content:"&c="; http_client_body; classtype:trojan-activity; sid:2013154; rev:4; metadata:created_at 2011_07_01, updated_at 2011_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Bot Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/gateway/index"; http_uri; content:"botver="; content:"&build="; content:"&profile="; reference:url,www.threatexpert.com/report.aspx?md5=be3aed34928cb826030b462279a1c453; classtype:trojan-activity; sid:2013168; rev:7; metadata:created_at 2011_07_01, updated_at 2011_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Communication 2"; flow:established,to_server; content:"?user_id="; http_uri; content:"&version_id="; http_uri; content:"&sys="; http_uri; classtype:trojan-activity; sid:2013169; rev:1; metadata:created_at 2011_07_01, updated_at 2011_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN EgyPack Exploit Kit Post-Infection Request"; flow:established,to_server; content:"User-Agent|3a| Egypack"; nocase; http_header; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:trojan-activity; sid:2013176; rev:5; metadata:created_at 2011_07_04, updated_at 2011_07_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ponmocup Redirection from infected Website to Trojan-Downloader"; flow:established,to_server; content:"/cgi-bin/r.cgi"; nocase; http_uri; depth:14; content:"p="; nocase; http_uri; content:"h=";  nocase; http_uri; content:"u="; nocase; http_uri; content:"q=";  nocase; http_uri; content:"t="; http_uri; nocase; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; classtype:trojan-activity; sid:2013181; rev:11; metadata:created_at 2011_07_04, updated_at 2011_07_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Banker.Win32.Agent Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| ICS)"; fast_pattern:20,20; http_header; content:"para="; http_client_body; depth:5; content:"&subject="; http_client_body; content:"&dados="; http_client_body; reference:url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=1bcc87209703cf73c80f9772935e47b0; reference:url,www.threatexpert.com/report.aspx?md5=c8b3d2bc407b0260b40b7f97e504faa5; classtype:trojan-activity; sid:2013185; rev:5; metadata:created_at 2011_07_05, updated_at 2011_07_05;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN Backdoor Win32/IRCbot.FJ Cnc connection dns lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|minerva|05|cdmon|03|org"; fast_pattern; distance:0; nocase; reference:url,www.exposedbotnets.com/2011/02/minervacdmonorgbotnet-hosted-in.html; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fIRCbot.FJ; reference:url,www.threatexpert.com/report.aspx?md5=13e43c44681ba9acb8fd42217bd3dbd2; reference:url,www.bfk.de/bfk_dnslogger_en.html?query=minerva.cdmon.org; classtype:misc-activity; sid:2013187; rev:2; metadata:created_at 2011_07_05, updated_at 2011_07_05;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Dropper HTTP POST Check-in"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| NSIS_InetLoad (Mozilla)"; http_header; content:"spill&a="; http_client_body; reference:url,www.mywot.com/en/forum/13816-clickjacking-scam-spreading-on-facebook; classtype:trojan-activity; sid:2013189; rev:2; metadata:created_at 2011_07_05, updated_at 2011_07_05;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan/Hacktool.Sniffer Initial Checkin"; flow:established,to_server; content:"/username.asp?Uid="; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2013198; rev:1; metadata:created_at 2011_07_05, updated_at 2011_07_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Genome Initial Checkin"; flow:established,to_server; content:"/?uid="; http_uri; content:"&aid="; http_uri; content:"&linkuid="; http_uri; classtype:trojan-activity; sid:2013196; rev:1; metadata:created_at 2011_07_05, updated_at 2011_07_05;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Genome Download.php HTTP Request"; flow:established,to_server; content:"GET /download.php?nd="; depth:21; content:"&id="; distance:3; within:6; classtype:trojan-activity; sid:2013197; rev:2; metadata:created_at 2011_07_05, updated_at 2011_07_05;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan/Hacktool.Sniffer Successful Install Message"; flow:established,to_server; content:"/Install/Post.asp?Uid="; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2013199; rev:4; metadata:created_at 2011_07_05, updated_at 2011_07_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Rodecap CnC Checkin"; flow:established,to_server; content:".cgi?s"; http_uri; content:"&r="; http_uri; content:!"Accept|3a| "; http_header; content:"Cache-Control|3a| no-cache|0d 0a|"; http_header; content:!"Referer|3a| "; http_header; content:"User-Agent|3a 20 2d 0d 0a|"; fast_pattern:10,5; http_header; pcre:"/\.cgi\?s(id)?=\d{1,12}&r=/U"; classtype:trojan-activity; sid:2013201; rev:6; metadata:created_at 2011_07_05, updated_at 2011_07_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.FakeAV POST datan.php"; flow:established,to_server; content:"/datan.php"; http_uri; content:!"User-Agent|3A 20|"; http_header; nocase; classtype:trojan-activity; sid:2013206; rev:2; metadata:created_at 2011_07_05, updated_at 2011_07_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Fosniw MacTryCnt CnC Style Checkin"; flow:established,to_server; content:"&logdata=MacTryCnt|3A|"; http_uri; fast_pattern:only; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FFosniw.B; classtype:trojan-activity; sid:2013202; rev:1; metadata:created_at 2011_07_05, updated_at 2011_07_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Fosniw CnC Checkin Style 2"; flow:established,to_server; content:".asp?prj="; http_uri; content:"&pid="; http_uri; content:"&mac="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FFosniw.B; classtype:trojan-activity; sid:2013203; rev:1; metadata:created_at 2011_07_05, updated_at 2011_07_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan Internet Connectivity Check"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/geo/productid.php"; http_uri; depth:18; content:"adobe.com"; http_header; content:"Opera/"; http_header; content:"Pesto/"; http_header; classtype:trojan-activity; sid:2013207; rev:4; metadata:created_at 2011_07_06, updated_at 2011_07_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Esion CnC Checkin"; flow:established,to_server; content:"/bot/gate.php"; http_uri; fast_pattern:only; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-052510-1535-99&tabid=2; classtype:trojan-activity; sid:2013211; rev:1; metadata:created_at 2011_07_06, updated_at 2011_07_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Meciv Checkin"; flow:established,to_server; content:"/trandocs/netstat"; nocase; http_uri; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-070516-5325-99&tabid=2; reference:url,www.secureworks.com/research/threats/sindigoo/; classtype:trojan-activity; sid:2013212; rev:3; metadata:created_at 2011_07_06, updated_at 2011_07_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gh0st Remote Access Trojan Encrypted Session To CnC Server"; flow:established,to_server; content:"Gh0st"; depth:5; reference:url,www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network; reference:url,www.symantec.com/connect/blogs/inside-back-door-attack; classtype:trojan-activity; sid:2013214; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2011_07_06, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Sefnit Initial Checkin"; flow:established,to_server; content:"/version.php?ver="; http_uri; content:"&app="; http_uri; content:"User-Agent|3A| NSISDL"; http_header; classtype:trojan-activity; sid:2013221; rev:1; metadata:created_at 2011_07_06, updated_at 2011_07_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ISRStealer Checkin"; flow:to_server,established; content:"?action="; http_uri; content:"&username="; http_uri; content:"&password="; http_uri; content:"&app="; http_uri; content:"&pcname="; fast_pattern:only; http_uri; content:"&sitename="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=44be7c6d4109ae5fb0ceb2824facf2dd; reference:url,cert.pl/news/8706/langswitch_lang/en; classtype:trojan-activity; sid:2016941; rev:7; metadata:created_at 2011_07_06, updated_at 2011_07_06;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/IRCBrute Checkin 2"; flow:established,to_server; content:"/Dialer_Min/telcom.asp"; nocase; http_uri; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~DwnLdr-IRB/detailed-analysis.aspx; classtype:trojan-activity; sid:2013225; rev:2; metadata:created_at 2011_07_07, updated_at 2011_07_07;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Palevo (OUTBOUND)"; dsize:21; content:"|18|"; depth:1; content:"|80 00 00|"; metadata: former_category TROJAN; reference:url,threatexpert.com/report.aspx?md5=5f1296995c7ccba13c0c0655baf03a3a; reference:md5,119ee859144111dbc5419f4d5fd9b6b1; reference:md5,095d76e0bc48361b40d717b238f11501; classtype:trojan-activity; sid:2013236; rev:2; metadata:created_at 2011_07_08, updated_at 2018_06_26;)

alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Ruskill/Palevo Download Command"; flow:established,to_server; content:"PRIVMSG #"; depth:9; content:"|3a 5b|d=|22|http|3a|//"; distance:0; reference:url,www.threatexpert.com/report.aspx?md5=2d69d8d243499ab53b840c64f68cc830; reference:url,sebdraven.tumblr.com/post/6769853139/palevo-analysises; classtype:trojan-activity; sid:2013245; rev:3; metadata:created_at 2011_07_11, updated_at 2011_07_11;)

alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Ruskill/Palevo CnC PONG"; flow:established,to_server; content:"PONG |3a|hub.us.com"; depth:16; reference:url,ore.carnivore.it/malware/hash/d4dc8459a34ea14d856e529d3a9e0362; reference:url,sebdraven.tumblr.com/post/6769853139/palevo-analysises; classtype:trojan-activity; sid:2013246; rev:2; metadata:created_at 2011_07_11, updated_at 2011_07_11;)

alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Ruskill/Palevo KCIK IRC Command"; flow:established,to_server; content:"KCIK |7b|"; depth:6; reference:url,ore.carnivore.it/malware/hash/d4dc8459a34ea14d856e529d3a9e0362; reference:url,sebdraven.tumblr.com/post/6769853139/palevo-analysises; classtype:trojan-activity; sid:2013247; rev:5; metadata:created_at 2011_07_11, updated_at 2011_07_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Agent and 5 or 6 digits)"; flow:established,to_server; content:"User-Agent|3a| Agent"; http_header; content:!".maxthon.com"; http_header; pcre:"/^User-Agent\x3a Agent\d{5,6}\r?$/Hmi"; classtype:trojan-activity; sid:2013315; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_07_12, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Yandexbot Request Outbound"; flow:established,to_server; content:"User-Agent|3a| YandexBot"; http_header; classtype:trojan-activity; sid:2013254; rev:1; metadata:created_at 2011_07_12, updated_at 2011_07_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Guagua Trojan Update Checkin"; flow:established,to_server; content:"/update_check?version="; http_uri; content:"User-Agent|3A| Update"; http_header; classtype:trojan-activity; sid:2013259; rev:2; metadata:created_at 2011_07_13, updated_at 2011_07_13;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Nekill Checkin"; flow:established,to_server; content:"?v="; http_uri; content:"&mid="; http_uri; content:"&r1="; http_uri; content:"&tm="; http_uri; content:"&av="; http_uri; content:"&os="; http_uri; content:"&uid="; http_uri; content:"&cht="; http_uri; content:"&sn="; http_uri; reference:url,blog.emergingthreatspro.com/2011/07/bot-of-day-nekilla.html; classtype:trojan-activity; sid:2013260; rev:4; metadata:created_at 2011_07_13, updated_at 2011_07_13;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN DarkComet-RAT init connection"; flow:from_server,established; dsize:12; content:"|38 45 41 34 41 42 30 35 46 41 37 45|"; flowbits:set,ET.DarkCometJoin; reference:url,www.darkcomet-rat.com; reference:url,anubis.iseclab.org/?action=result&task_id=1a7326f61fef1ecb4ed4fbf3de3f3b8cb&format=txt; classtype:trojan-activity; sid:2013283; rev:4; metadata:created_at 2011_07_18, updated_at 2011_07_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DarkComet-RAT server join acknowledgement"; flow:to_server,established; dsize:12; content:"|39 34 41 35 41 44 30 41 45 46 36 39|"; flowbits:isset,ET.DarkCometJoin; reference:url,www.darkcomet-rat.com; reference:url,anubis.iseclab.org/?action=result&task_id=1a7326f61fef1ecb4ed4fbf3de3f3b8cb&format=txt; classtype:trojan-activity; sid:2013284; rev:3; metadata:created_at 2011_07_18, updated_at 2011_07_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DarkComet-RAT Client Keepalive"; flow:to_server,established; dsize:12; content:"|39 34 41 35 41 44 30 41 45 46 36 39|"; flowbits:isset,ET.DarkCometJoin; reference:url,www.darkcomet-rat.com; classtype:trojan-activity; sid:2013285; rev:2; metadata:created_at 2011_07_18, updated_at 2011_07_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Jadtre Retrieving Cfg File"; flow:established,to_server; content:"/tool/mavatarcfg/"; http_uri; content:".cfg"; http_uri; pcre:"/\x2F(data|main|patch)\x2Ecfg/U"; classtype:trojan-activity; sid:2013286; rev:1; metadata:created_at 2011_07_19, updated_at 2011_07_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Papras Banking Trojan Checkin"; flow:established,to_server; content:"|4e 2a 43 cc 01 c0 2a 77|"; depth:23; http_client_body; content:"POST"; nocase; http_method; reference:url,www.threatexpert.com/report.aspx?md5=85d82c840f4b90fcb6d5311f501374ca; classtype:trojan-activity; sid:2013287; rev:4; metadata:created_at 2011_07_19, updated_at 2011_07_19;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Cycbot Pay-Per-Install Executable Download"; flow:established,to_server; content:"/adv.php?login="; http_uri; content:"&key="; http_uri; content:"&subacc="; http_uri; reference:url,www.eset.com/about/blog/blog/article/cycbot-ready-to-ride/; classtype:trojan-activity; sid:2013291; rev:1; metadata:created_at 2011_07_19, updated_at 2011_07_19;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Cycbot Initial Checkin to CnC"; flow:established,to_server; content:"id="; http_uri; content:"&hwid="; http_uri; content:"&step="; http_uri; content:"&wd="; http_uri; content:"&av="; fast_pattern; http_uri; reference:url,www.eset.com/about/blog/blog/article/cycbot-ready-to-ride/; classtype:trojan-activity; sid:2013292; rev:1; metadata:created_at 2011_07_19, updated_at 2011_07_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Glupteba/ClIEcker CnC Checkin"; flow:established,to_server; content:"&downlink="; offset:4; depth:100; content:"&uplink="; distance:0; content:"&id="; distance:0; content:"&statpass="; fast_pattern; distance:0; content:"&version="; distance:0; content:"&features="; distance:0; content:"&guid="; distance:0; content:"&comment="; distance:0; metadata: former_category TROJAN; reference:url,blog.eset.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs; classtype:trojan-activity; sid:2013293; rev:4; metadata:created_at 2011_07_19, updated_at 2018_02_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Ponmocup Driveby Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/se/"; nocase; http_uri; pcre:"/\/se\/[a-f0-9]{100,200}\/[a-f0-9]{6,9}\/[A-Z0-9_]{4,200}\.com/Ui"; reference:url,www9.dyndns-server.com%3a8080/pub/botnet/r-cgi_malware_analyse.txt; classtype:bad-unknown; sid:2013312; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2011_07_26, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Phoenix Landing Page Obfuscated Javascript 2"; flow:established,to_client; file_data; content:"<html><body><input|20|type|3d 27|hidden|27 20|value|3d 27|"; within:40; pcre:"/\S{20,40}\'\>/R"; classtype:trojan-activity; sid:2013314; rev:3; metadata:created_at 2011_07_26, updated_at 2011_07_26;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Google Warning Infected Local User"; flow:established,from_server; file_data; content:"<span>It appears that your computer is infected with software that intercepts your connection to Google and other sites.</span>"; distance:0; classtype:trojan-activity; sid:2013318; rev:3; metadata:created_at 2011_07_26, updated_at 2011_07_26;)

#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Ruskill CnC Download Command 1"; flow:established,to_client; content:"|3a|["; depth:2; content:".r.getfile http|3a|//"; distance:0; classtype:trojan-activity; sid:2013329; rev:3; metadata:created_at 2011_07_27, updated_at 2011_07_27;)

#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Ruskill CnC Download Command 2"; flow:established,to_client; content:"|3a|n"; depth:2; content:"on .dl http|3a|//"; distance:0; classtype:trojan-activity; sid:2013330; rev:1; metadata:created_at 2011_07_27, updated_at 2011_07_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ruskill Reporting on Local Scans"; flow:established,to_server; content:"PRRVMSG"; depth:7; content:"Port Scan started on"; distance:0; content:"with a delay of"; distance:0; classtype:trojan-activity; sid:2013331; rev:1; metadata:created_at 2011_07_27, updated_at 2011_07_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV Landing Page"; flow:established,to_server; content:".cgi?p="; http_uri; content:"&i="; http_uri; content:"&j="; http_uri; content:"&m="; http_uri; content:"&h="; http_uri; content:"&u="; http_uri; content:"&q="; http_uri; content:"&t=201"; http_uri; reference:url,www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23514; classtype:trojan-activity; sid:2013332; rev:3; metadata:created_at 2011_07_27, updated_at 2011_07_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.E Keepalive to CnC"; flow:established,to_server; content:"|90 48 5c d5 ec 70 a3 8b 41 72 28 50 ec f6 d5 2a|"; offset:16; depth:16; reference:url,www.threatexpert.com/report.aspx?md5=fc414168a5b4ca074ea6e03f770659ef; classtype:trojan-activity; sid:2013337; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2011_08_01, malware_family PoisonIvy, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Bifrose Client Checkin"; flow:established,to_server; content:"|00 00 99 4F B9 74 E2 75 94 0A 5A|"; offset:2; depth:11; classtype:trojan-activity; sid:2013338; rev:2; metadata:created_at 2011_08_02, updated_at 2011_08_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.FakeAV.Rean Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:" HTTP/1.0|0d 0a|"; depth:26; pcre:"/\/\d{10}$/U"; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1)|0d 0a|"; fast_pattern:23,20; http_header; reference:url,www.threatexpert.com/report.aspx?md5=0a998a070beb287524f9be6dd650c959; classtype:trojan-activity; sid:2013339; rev:4; metadata:created_at 2011_08_02, updated_at 2011_08_02;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV/Application JPDesk/Delf checkin"; flow:established,to_server; content:"|2f 3f|data="; http_uri; nocase; content:"jpdesk.com|0d 0a|"; nocase; http_header; pcre:"/\x2f\x3fdata\x3d[a-fA-F0-9]{60}/U"; reference:url,www.threatexpert.com/report.aspx?md5=08f116cf4feff245dca581244e4f509c; classtype:trojan-activity; sid:2013340; rev:1; metadata:created_at 2011_08_02, updated_at 2011_08_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Sisproc Variant POST to CnC Server"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/GetGrid.asp"; http_uri; content:"SN="; http_client_body; depth:3; content:"&SP="; http_client_body; reference:url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=04dc87d4dcf12f9c05a22ab9890a6323; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FSisproc&ThreatID=-2147342628; classtype:trojan-activity; sid:2013342; rev:3; metadata:created_at 2011_08_02, updated_at 2011_08_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Pamesg/ArchSMS.HL CnC Checkin"; flow:established,to_server; content:".php?aid="; http_uri; content:"&uncv="; http_uri; content:"&skey="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5= 00068992bc003713058a17d50d9e3e14; classtype:trojan-activity; sid:2013345; rev:1; metadata:created_at 2011_08_02, updated_at 2011_08_02;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN PSW.Win32.Ruftar.lon File Stealer FTP File Upload"; flow:established,to_server; content:"CWD Stealer"; depth:11; classtype:trojan-activity; sid:2013346; rev:2; metadata:created_at 2011_08_02, updated_at 2011_08_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dirt Jumper/Russkill3 Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"HTTP/1.0"; content:"k="; fast_pattern; depth:2; http_client_body; pcre:"/k=\d{15}/P"; reference:md5,10e7af7057833a19097cb22ba0bd1b99; reference:url,asert.arbornetworks.com/2011/08/dirt-jumper-caught/; reference:url,www.deependresearch.org/2011/10/dirt-jumper-ddos-bot-new-versions-new.html; classtype:trojan-activity; sid:2013439; rev:9; metadata:created_at 2011_08_03, updated_at 2011_08_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus Bot Request to CnC 2"; flow:to_server,established; content:"GET"; nocase; http_method; content:"Accept|3a| */*|0d 0a|If-None-Match|3a| "; fast_pattern; depth:28; http_header; content:"Cache-Control|3a| no-cache|0d 0a|User-Agent|3a| Mozilla"; distance:0; http_header; content:"Connection|3a| Close|0d 0a 0d 0a|"; distance:0; http_header; classtype:trojan-activity; sid:2013348; rev:10; metadata:created_at 2011_08_03, updated_at 2011_08_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Connectivity Check of Unknown Origin 1"; flow:to_server,established; content:"GET";  http_method; nocase; content:"/"; urilen:1; content:"User-Agent|3a| Mozilla/4.0 (compatible)|0d 0a|Host|3a| www.google.com|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; http_header; depth:85; fast_pattern:18,20; content:"PREF=ID="; http_cookie; depth:8; classtype:trojan-activity; sid:2013349; rev:3; metadata:created_at 2011_08_04, updated_at 2011_08_04;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Connectivity Check of Unknown Origin 2"; flow:to_server,established; content:"GET"; content:"/whois/usgoodluck.com"; http_uri; fast_pattern:only; urilen:21; content:"User-Agent|3a| Mozilla/4.0 (compatible)|0d 0a|Host|3a| www.whois-search.com|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; http_header; depth:91; classtype:trojan-activity; sid:2013350; rev:3; metadata:created_at 2011_08_04, updated_at 2011_08_04;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Connectivity Check of Unknown Origin 3"; flow:to_server,established; content:"GET"; http_method; content:"/images/logo.gif"; http_uri; urilen:16; content:"User-Agent|3a| Mozilla/4.0 (compatible)|0d 0a|Host|3a| www.study-centers.com|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; http_header; fast_pattern:45,20; depth:92; classtype:trojan-activity; sid:2013351; rev:2; metadata:created_at 2011_08_04, updated_at 2011_08_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Executable Download Purporting to be JavaScript likely 2nd stage Infection"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a| application/x-javascript"; nocase; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; fast_pattern; classtype:trojan-activity; sid:2013352; rev:2; metadata:created_at 2011_08_04, updated_at 2011_08_04;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN HTran/SensLiceld.A response to infected host"; flow:established,from_server; dsize:<80; content:"|5b|SERVER|5d|connection|20|to|20|"; depth:22; reference:url,www.secureworks.com/research/threats/htran/; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-120716-4344-99&tabid=2; reference:url,www.securelist.com/en/descriptions/10120120/Trojan-Spy.Win32.Agent.bptu; classtype:trojan-activity; sid:2013361; rev:5; metadata:created_at 2011_08_04, updated_at 2011_08_04;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN HTran/SensLiceld.A Checkin 2 (unicode)"; flow:established,from_server; dsize:<120; content:"|5b00|S|00|E|00|R|00|V|00|E|00|R|005d00|c|00|o|00|n|00|n|00|e|00|c|00|t|00|i|00|o|00|n|002000|t|00|o|002000|"; depth:44; reference:url,www.secureworks.com/research/threats/htran/; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-120716-4344-99&tabid=2; reference:url,www.securelist.com/en/descriptions/10120120/Trojan-Spy.Win32.Agent.bptu; classtype:trojan-activity; sid:2013362; rev:7; metadata:created_at 2011_08_04, updated_at 2011_08_04;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN windows_security_update Fake AV download"; flow:established,from_server; file_data; content:"filename=|22|windows_security_update_"; distance:0; classtype:trojan-activity; sid:2013364; rev:5; metadata:created_at 2011_08_04, updated_at 2011_08_04;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Shady Rat/HTran style HTTP Header Pattern Request UHCa and Google MSIE UA"; flow:established,to_server; content:" HTTP/1.1|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Win32|3b|Google|3b|)|0d 0a|Host|3a| "; fast_pattern:54,20; content:"|0d 0a|Cache-Control|3a| no-cache|0d 0a 0d 0a|"; within:70; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:2016429; rev:3; metadata:created_at 2011_08_04, updated_at 2011_08_04;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV Checkin"; flow:established,to_server; content:"/ping.php?v="; http_uri; content:"&cid="; http_uri; content:"&s="; http_uri; content:"&wid="; http_uri; content:"&fid="; http_uri; content:"&step="; http_uri; classtype:trojan-activity; sid:2013366; rev:1; metadata:created_at 2011_08_05, updated_at 2011_08_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN KeyloggerOnline Keylogger Checkin (kill)"; flow:established,to_server; content:"/kill/"; http_uri; content:" HTTP/1.1|0d 0a|User-Agent|3a| Internet Explorer|0d 0a|Host|3a| "; content:!"|0d 0a|Accept"; reference:url,threatexpert.com/report.aspx?md5=06b783d348a4f9d72bf743c8262778ef; classtype:trojan-activity; sid:2013367; rev:3; metadata:created_at 2011_08_05, updated_at 2011_08_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN KeyloggerOnline Keylogger Checkin (sleep)"; flow:established,to_server; content:"/sleep"; http_uri; content:" HTTP/1.1|0d 0a|User-Agent|3a| Internet Explorer|0d 0a|Host|3a| "; content:!"|0d 0a|Accept"; reference:url,threatexpert.com/report.aspx?md5=06b783d348a4f9d72bf743c8262778ef; classtype:trojan-activity; sid:2013368; rev:1; metadata:created_at 2011_08_05, updated_at 2011_08_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN KeyloggerOnline Keylogger Checkin (go https)"; flow:established,to_server; content:"/https"; http_uri; content:" HTTP/1.1|0d 0a|User-Agent|3a| Internet Explorer|0d 0a|Host|3a| "; content:!"|0d 0a|Accept"; reference:url,threatexpert.com/report.aspx?md5=06b783d348a4f9d72bf743c8262778ef; classtype:trojan-activity; sid:2013369; rev:1; metadata:created_at 2011_08_05, updated_at 2011_08_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Oliga Fake User Agent"; flow:established,to_server; content:"User-Agent|3A| Mozilla/4.75 [en]"; http_header; fast_pattern:11,18; content:!"Linux"; http_header; classtype:trojan-activity; sid:2013372; rev:3; metadata:created_at 2011_08_05, updated_at 2011_08_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV oms.php Data Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/oms.php"; http_uri; content:"data="; http_client_body; depth:5; classtype:trojan-activity; sid:2013373; rev:4; metadata:created_at 2011_08_05, updated_at 2011_08_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Nolja Trojan Downloader Initial Checkin"; flow:established,to_server; content:"/info.php?pid="; http_uri; content:"&bo_table="; http_uri; content:"&wr_id="; http_uri; content:"&mac="; http_uri; classtype:trojan-activity; sid:2013375; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2011_08_05, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Alunik User Agent Detected"; flow:established,to_server; content:"User-Agent|3A| Alun4ik"; http_header; classtype:trojan-activity; sid:2013377; rev:1; metadata:created_at 2011_08_05, updated_at 2011_08_05;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Downbot/Shady Rat Remote Shell Connection"; flow:established,from_server; dsize:<90; content:"|2F 2A 0A 40 2A 2A 2A 40 2A 40 40 40 40 40 40 40 40 40 40 40|"; depth:20; flowbits:set,et.shadyratinit; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013379; rev:3; metadata:created_at 2011_08_08, updated_at 2011_08_08;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN W32/Sality Executable Pack Digital Signature ASCII Marker"; flow:established,from_server; content:"e#o203kjl,!"; fast_pattern:only; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf; classtype:trojan-activity; sid:2013381; rev:2; metadata:created_at 2011_08_08, updated_at 2011_08_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fakealert.Rena CnC Checkin 2"; flow:established,to_server; content:"/images/img.php?id="; content:"HTTP/1.1|0d 0a|User-Agent"; fast_pattern:only; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; content:"|3b 20|Windows|20|NT|20|"; distance:0; content:")|0d 0a|Host|3a 20|"; distance:0; content:"Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; distance:0; content:!"|0d 0a|Accept"; reference:url,www.malware-control.com/statics-pages/24b9c5f59a4706689d4f9bb5f510ec35.php; classtype:trojan-activity; sid:2013382; rev:2; metadata:created_at 2011_08_08, updated_at 2011_08_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fakealert.Rena CnC Checkin 1"; flow:established,to_server; content:"/images/thanks_25.php?id="; fast_pattern:only; content:"HTTP/1.1|0d 0a|User-Agent"; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; content:"|3b 20|Windows|20|NT|20|"; distance:0; content:")|0d 0a|Host|3a 20|"; distance:0; content:"Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; distance:0; content:!"|0d 0a|Accept"; classtype:trojan-activity; sid:2013383; rev:3; metadata:created_at 2011_08_08, updated_at 2011_08_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Siscos CnC Checkin"; flow:established,to_server; content:"/getcommand.php?getcmd="; http_uri; content:"&uid="; http_uri; content:"&port="; http_uri; classtype:trojan-activity; sid:2013384; rev:1; metadata:created_at 2011_08_09, updated_at 2011_08_09;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Accept-encode HTTP header with UA indicating infected host"; flow:established,to_server; content:"Accept-encode|3a| "; fast_pattern; http_header; content:"Accept-Encoding|3a| "; http_header; threshold:type limit, count 1, seconds 360, track by_src; classtype:trojan-activity; sid:2013385; rev:2; metadata:created_at 2011_08_09, updated_at 2011_08_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/FakeAlert Fake Security Tool Checkin"; flow:established,to_server; content:"==/count.htm"; http_uri; reference:url,threatexpert.com/reports.aspx?find=03abdc31d0f864c7b69b09d6481d3ff7; classtype:trojan-activity; sid:2013386; rev:1; metadata:created_at 2011_08_09, updated_at 2011_08_09;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User Agent 3653Client"; flow:established,to_server; content:"User-Agent|3A 20|3653Client"; http_header; classtype:trojan-activity; sid:2013390; rev:1; metadata:created_at 2011_08_10, updated_at 2011_08_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Hupigon.B User Agent TSDownload"; flow:established,to_server; content:"User-Agent|3A 20|TSDownload"; http_header; classtype:trojan-activity; sid:2013392; rev:1; metadata:created_at 2011_08_10, updated_at 2011_08_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Skintrim CnC Checkin"; flow:established,to_server; content:"/binaries/bin.php?id="; http_uri; content:"&plateform="; http_uri; content:"&mh="; http_uri; content:"&me="; http_uri; classtype:trojan-activity; sid:2013396; rev:1; metadata:created_at 2011_08_10, updated_at 2011_08_10;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Pandex Trojan Dropper Initial Checkin"; flow:established,to_server; content:"?r="; http_uri; content:"&hdd="; http_uri; content:"&gen="; http_uri; content:!"User-Agent|3A|"; nocase; http_header; classtype:trojan-activity; sid:2013397; rev:1; metadata:created_at 2011_08_10, updated_at 2011_08_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32/Momibot Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/index.php"; http_uri; content:"byE8PCdtbzE6PTU8czo3"; http_client_body; reference:url,hypersecurity.blogspot.com/2011/08/uncovering-win32momibot-communication.html; classtype:trojan-activity; sid:2013398; rev:4; metadata:created_at 2011_08_11, updated_at 2011_08_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32/Momibot Ping Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/index.php"; http_uri; content:"byE8PCdtbyM6PTRzOjdu"; http_client_body; reference:url,hypersecurity.blogspot.com/2011/08/uncovering-win32momibot-communication.html; classtype:trojan-activity; sid:2013399; rev:2; metadata:created_at 2011_08_11, updated_at 2011_08_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Winshow User Agent"; flow:established,to_server; content:"User-Agent|3A 20|WinShow Installer"; http_header; classtype:trojan-activity; sid:2013401; rev:1; metadata:created_at 2011_08_11, updated_at 2011_08_11;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User Agent ksdl_1_0"; flow:established,to_server; content:"User-Agent|3A 20|ksdl_"; http_header; classtype:trojan-activity; sid:2013404; rev:1; metadata:created_at 2011_08_11, updated_at 2011_08_11;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET !1433 (msg:"ET TROJAN Bancos.DV MSSQL CnC Connection Outbound"; flow:to_server,established; flowbits:isset,ET.MSSQL; content:"|49 00 B4 00 4D 00 20 00 54 00 48 00 45 00 20 00 4D 00 41 00 53 00 54 00 45 00 52 00|"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013411; rev:1; metadata:tag Banking_Trojan, created_at 2011_08_15, malware_family Bancos, updated_at 2018_04_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN VBKrypt.dytr Checkin"; flow:to_server,established; content:"/gate.php?id="; http_uri; content:"&pc="; http_uri; content:"&os="; http_uri; content:"&version="; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=090986b0e303779bde1ddad3c65a9d78; classtype:trojan-activity; sid:2014003; rev:2; metadata:created_at 2011_08_15, updated_at 2011_08_15;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FakeAV Landing Page Checking firewall status"; flow:established,from_server; content:"|5c|r|5c|n Checking firewall status|5c|r|5c|n"; fast_pattern:only; classtype:trojan-activity; sid:2013413; rev:2; metadata:created_at 2011_08_16, updated_at 2011_08_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV FakeAlert.Rena or similar Checkin Flowbit Set 2"; flow:established,to_server; content:".php?id="; http_uri; content:" HTTP/1.1|0d 0a|User-Agent|3a| Mozilla"; content:"|0d 0a|Host|3a| "; within:100; content:"|0d 0a|Cache-Control|3a| no-cache|0d 0a 0d 0a|"; within:60; content:!"Accept"; http_header; pcre:"/\.php\?id=\d{2,4}$/U"; flowbits:set,ET.fakealert.rena.n; flowbits:noalert; classtype:trojan-activity; sid:2013419; rev:4; metadata:created_at 2011_08_18, updated_at 2011_08_18;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FakeAV FakeAlertRena.n Checkin NO Response from Server"; flow:established,from_server; flowbits:isset,ET.fakealert.rena.n; dsize:<200; content:"Content-Length|3a| 2|0d 0a|"; http_header; file_data; content:"NO"; within:2; classtype:trojan-activity; sid:2013420; rev:1; metadata:created_at 2011_08_18, updated_at 2011_08_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN User-Agent in Referer Field - Likely Malware"; flow:established,to_server; content:"Referer|3A 20|Mozilla/4.0 "; http_header; classtype:trojan-activity; sid:2013423; rev:7; metadata:created_at 2011_08_18, updated_at 2011_08_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Shiz.fxm/Agent-TBT Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"User-Agent|3a 20|Mozilla/4.0|20 28|compatible|3b 20|MSIE 2.0|3b|"; http_header; fast_pattern:36,9; content:"Referer|3a 20|http|3a 2f 2f|www.google.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2013435; rev:5; metadata:created_at 2011_08_19, updated_at 2011_08_19;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/DirtJumper CnC Server Providing DDOS Targets"; flow:established,from_server; file_data; content:"|7C|"; distance:2; within:1; content:"|7c|"; distance:2; within:4; content:"http|3A 2F 2F|"; distance:3; within:7; pcre:"/\d{2}\x7C\d{1,3}\x7C\d{1,3}http\x3A\x2F\x2F/Ai"; reference:url,asert.arbornetworks.com/2011/08/dirt-jumper-caught/; classtype:trojan-activity; sid:2013440; rev:3; metadata:created_at 2011_08_19, updated_at 2011_08_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN EXE Download When Server Claims To Send Audio File - Must Be Win32"; flow:established,to_client; content:"Content-Type|3A 20|audio|2F|"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2013441; rev:5; metadata:created_at 2011_08_22, updated_at 2011_08_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Mnless Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"cpname="; http_client_body; depth:7; content:"&hardid="; distance:0; http_client_body; content:"&netid="; distance:0; http_client_body; content:"&user="; distance:0; http_client_body; content:"&sname="; distance:0; http_client_body; content:"&ver="; distance:0; http_client_body; content:"&val="; distance:0; http_client_body; classtype:trojan-activity; sid:2013443; rev:3; metadata:created_at 2011_08_22, updated_at 2011_08_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/NetShare User-Agent"; flow:established,to_server; content:"User-Agent|3A 20|netsharingsite.com"; http_header; classtype:trojan-activity; sid:2013445; rev:2; metadata:created_at 2011_08_22, updated_at 2011_08_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 882 (msg:"ET TROJAN Win32/TrojanDownloader.Chekafe.D User-Agent my_check_data On Off HTTP Port"; flow:established,to_server; content:"User-Agent|3A 20|my_check_data"; fast_pattern:only; classtype:trojan-activity; sid:2013446; rev:1; metadata:created_at 2011_08_22, updated_at 2011_08_22;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 882 (msg:"ET TROJAN Win32/TrojanDownloader.Chekafe.D Initial Checkin"; flow:established,to_server; content:"/count.php?id="; content:"&isInst="; distance:0; content:"&lockcode="; distance:0; content:"&pc="; distance:0; content:"&PcType="; distance:0; content:"&AvName="; distance:0; content:"&ProCount="; distance:0; classtype:trojan-activity; sid:2013447; rev:1; metadata:created_at 2011_08_22, updated_at 2011_08_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Troxen Downloader Checkin"; flow:established,to_server; content:"/active_count.php?"; http_uri; content:"?mac="; http_uri; content:"&pid="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=c936b15a8f7a3732bc16ee36693831ec; classtype:trojan-activity; sid:2013450; rev:3; metadata:created_at 2011_08_23, updated_at 2011_08_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN NgrBot IRC CnC Channel Join"; flow:established,to_server; content:"PASS ngrBot"; depth:11; reference:url,stopmalvertising.com/rootkits/analysis-of-ngrbot.html; classtype:trojan-activity; sid:2013451; rev:1; metadata:created_at 2011_08_23, updated_at 2011_08_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/VB.HV Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/popcode.php?aid="; http_uri; content:"&lc="; http_uri; content:"&domain="; http_uri; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3AWin32%2FVB.HV; classtype:trojan-activity; sid:2013456; rev:4; metadata:created_at 2011_08_24, updated_at 2011_08_24;)

#alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET TROJAN Win32/Wizpop Initial Checkin"; flow:established,to_server; content:"User-Agent|3a| WizPop"; http_header; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FWizpop&ThreatID=159818; classtype:trojan-activity; sid:2013461; rev:2; metadata:created_at 2011_08_25, updated_at 2011_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for Morto RDP worm related domain qfsl.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|qfsl|03|net"; fast_pattern; reference:url,www.f-secure.com/weblog/archives/00002227.html; classtype:bad-unknown; sid:2013480; rev:2; metadata:created_at 2011_08_29, updated_at 2011_08_29;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for Morto RDP worm related domain jaifr.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|jaifr|03|com"; fast_pattern; reference:url,www.f-secure.com/weblog/archives/00002227.html; classtype:bad-unknown; sid:2013481; rev:2; metadata:created_at 2011_08_29, updated_at 2011_08_29;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for Morto RDP worm related domain jaifr.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|jifr|03|net"; fast_pattern; reference:url,www.f-secure.com/weblog/archives/00002227.html; classtype:bad-unknown; sid:2013482; rev:3; metadata:created_at 2011_08_29, updated_at 2011_08_29;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for Morto RDP worm related domain jifr.co.cc"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|jifr|02|co|02|cc"; fast_pattern; reference:url,www.f-secure.com/weblog/archives/00002227.html; classtype:bad-unknown; sid:2013483; rev:2; metadata:created_at 2011_08_29, updated_at 2011_08_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus Bot GET to Bing checking Internet connectivity"; flow:established,to_server; content:"GET / HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|Connection|3a| Close|0d 0a|User-Agent|3a| "; depth:60; content:"|0d 0a|Host|3a| www.bing.com"; distance:0; content:!"|0d 0a|Referer|3a| "; nocase; content:"|3a| no-cache"; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2013488; rev:1; metadata:created_at 2011_08_30, updated_at 2011_08_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Best Pack Exploit Pack Binary Load Request"; flow:established,to_server; content:".php?e="; http_uri; content:"&o="; http_uri; content:"&b="; http_uri; content:"&id="; http_uri; pcre:"/\.php\?e=\d+&o=\w+&b=\w+&id=[0-9a-f]{32}$/U"; reference:url,www.kahusecurity.com/2011/best-pack/; classtype:bad-unknown; sid:2013489; rev:1; metadata:created_at 2011_08_30, updated_at 2011_08_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for Morto RDP worm related domain qfsl.co.be"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|qfsl|02|co|02|be"; fast_pattern; reference:url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html; classtype:bad-unknown; sid:2013493; rev:2; metadata:created_at 2011_08_30, updated_at 2011_08_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for Morto RDP worm related domain qfsl.co.cc"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|qfsl|02|co|02|cc"; fast_pattern; reference:url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html; classtype:bad-unknown; sid:2013494; rev:2; metadata:created_at 2011_08_30, updated_at 2011_08_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for Morto RDP worm related domain jifr.info"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|jifr|04|info"; fast_pattern; reference:url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html; classtype:bad-unknown; sid:2013495; rev:2; metadata:created_at 2011_08_30, updated_at 2011_08_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for Morto RDP worm related domain jifr.co.be"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|jifr|02|co|02|be"; fast_pattern; reference:url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html; classtype:bad-unknown; sid:2013496; rev:2; metadata:created_at 2011_08_30, updated_at 2011_08_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Wizpop Checkin"; flow:established,to_server; content:"/count.asp?exe="; http_uri; content:"&act="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FWizpop&ThreatID=159818; classtype:trojan-activity; sid:2013502; rev:3; metadata:created_at 2011_08_31, updated_at 2011_08_31;)

alert tcp $HOME_NET any -> 11.11.11.11 55611 (msg:"ET TROJAN W32/Badlib Connectivity Check To Department of Defense Intelligence Information Systems"; flow:to_server; flags:S; reference:url,blog.eset.com/2011/08/03/win32delf-qcztrust-me-i%E2%80%99m-your-anti-virus; reference:url,www.eset.com/about/blog/blog/article/win32delf-qcz-additional-details; classtype:trojan-activity; sid:2013506; rev:1; metadata:created_at 2011_08_31, updated_at 2011_08_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Lalus Trojan Downloader Checkin"; flow:established,to_server; content:".php?guid="; http_uri; content:"&h="; http_uri; content:"&v="; http_uri; content:"&affid="; http_uri; content:"&update="; http_uri; content:"&brand="; http_uri; classtype:trojan-activity; sid:2013509; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2011_08_31, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Lalus Trojan Downloader User Agent (Message Center)"; flow:established,to_server; content:"User-Agent|3A 20|Message Center|0D 0A|"; http_header; classtype:trojan-activity; sid:2013510; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2011_08_31, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/CazinoSilver Checkin"; flow:established,to_server; content:".php?key="; http_uri; content:"User-Agent|3A 20|DMFR|0D 0A|"; http_header; fast_pattern:12,6; content:!"Referer|3a 20|"; http_header; content:!"|0d 0a|Accept"; classtype:trojan-activity; sid:2013511; rev:4; metadata:created_at 2011_08_31, updated_at 2011_08_31;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Bancos Reporting"; flow:established,to_server; content:".php?codigo="; http_uri; content:"&g_id="; http_uri; content:"&g_windows="; http_uri; content:"&func_versao_ie="; http_uri; content:"&firefox="; http_uri; content:"&primeira_versao_update="; http_uri; content:"&ultimo_acesso="; http_uri; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013513; rev:1; metadata:tag Banking_Trojan, created_at 2011_08_31, malware_family Bancos, updated_at 2018_04_23;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN Potential DNS Command and Control via TXT queries"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|00 00 10 00 01|"; threshold:type both, track by_src,count 10, seconds 300; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2011-September/015625.html; classtype:trojan-activity; sid:2013514; rev:2; metadata:created_at 2011_09_01, updated_at 2011_09_01;)

#alert tcp $HOME_NET 1023: -> $EXTERNAL_NET 53 (msg:"ET TROJAN Potential DNS Command and Control via TXT queries"; flow:established,to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:4; content:"|00 00 10 00 01|"; threshold:type both, track by_src,count 10, seconds 300; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2011-September/015625.html; classtype:trojan-activity; sid:2013515; rev:3; metadata:created_at 2011_09_01, updated_at 2011_09_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TR/Spy.Gen checkin via dns ANY query"; content:"|01 00 00 01 00 00 00 00 00 00 32|"; depth:11; offset:2; content:"|00 00 FF 00 01|"; pcre:"/\x32[0-9a-f]{50}/"; reference:url,anubis.iseclab.org/?action=result&task_id=1623d5fd288be7024e56c5bd38359c33c; reference:url,mwanalysis.org/?page=report&analysisid=430235&password=wwgcvyheon; reference:url,www.threatexpert.com/report.aspx?md5=2519bdb5459bc9f59f59cd7ccb147d23; classtype:trojan-activity; sid:2013516; rev:1; metadata:created_at 2011_09_01, updated_at 2011_09_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Driveby Loader Request List.php"; flow:established,to_server; content:"/list.php?c="; http_uri; depth:12; content:"&v="; http_uri; pcre:"/c\x3d[0-9a-f]{100}/Ui"; classtype:trojan-activity; sid:2013518; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2011_09_01, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Driveby Loader Request sn.php"; flow:established,to_server; content:"/sn.php?c="; http_uri; depth:10; content:"&t="; http_uri; pcre:"/c\x3d[0-9a-f]{100}/Ui"; classtype:trojan-activity; sid:2013519; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2011_09_01, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Spyeye Data Exfiltration 0"; flow:established,to_server; content:"|B4 B4 B4 B4 BC BF BF BF BF BD BD BD BD B3 B3 B3 B3|"; offset:5; depth:17; classtype:trojan-activity; sid:2013521; rev:4; metadata:created_at 2011_09_01, updated_at 2011_09_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Spyeye Data Exfiltration 1"; flow:established,to_server; content:"|40 40 40 40 48 4B 4B 4B 4B 49 49 49 49 47 47 47 47|"; offset:5; depth:17; classtype:trojan-activity; sid:2013522; rev:4; metadata:created_at 2011_09_01, updated_at 2011_09_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Spyeye Data Exfiltration 2"; flow:established,to_server; content:"|0B 0B 0B 0B 03 00 00 00 00 02 02 02 02 0C 0C 0C 0C|"; offset:5; depth:17; classtype:trojan-activity; sid:2013523; rev:4; metadata:created_at 2011_09_01, updated_at 2011_09_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Spyeye Data Exfiltration 3"; flow:established,to_server; content:"|AC AC AC AC A4 A7 A7 A7 A7 A5 A5 A5 A5 AB AB AB AB|"; offset:5; depth:17; classtype:trojan-activity; sid:2013524; rev:3; metadata:created_at 2011_09_01, updated_at 2011_09_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Spyeye Data Exfiltration 4"; flow:established,to_server; content:"|DD DD DD DD D5 D6 D6 D6 D6 D4 D4 D4 D4 DA DA DA DA|"; offset:5; depth:17; classtype:trojan-activity; sid:2013525; rev:3; metadata:created_at 2011_09_01, updated_at 2011_09_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Spyeye Data Exfiltration 5"; flow:established,to_server; content:"|7A 7A 7A 7A 72 71 71 71 71 73 73 73 73 7D 7D 7D 7D|"; offset:5; depth:17; classtype:trojan-activity; sid:2013526; rev:3; metadata:created_at 2011_09_01, updated_at 2011_09_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Spyeye Data Exfiltration 6"; flow:established,to_server; content:"|B5 B5 B5 B5 BD BE BE BE BE BC BC BC BC B2 B2 B2 B2|"; offset:5; depth:17; classtype:trojan-activity; sid:2013527; rev:3; metadata:created_at 2011_09_01, updated_at 2011_09_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Spyeye Data Exfiltration 7"; flow:established,to_server; content:"|6F 6F 6F 6F 67 64 64 64 64 66 66 66 66 68 68 68 68|"; offset:5; depth:17; classtype:trojan-activity; sid:2013528; rev:3; metadata:created_at 2011_09_01, updated_at 2011_09_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Spyeye Data Exfiltration 8"; flow:established,to_server; content:"|B4 B4 B4 B4 BC BF BF BF BF BD BD BD BD B3 B3 B3 B3|"; offset:5; depth:17; classtype:trojan-activity; sid:2013529; rev:3; metadata:created_at 2011_09_01, updated_at 2011_09_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Spyeye Data Exfiltration 9"; flow:established,to_server; content:"|0F 0F 0F 0F 07 04 04 04 04 06 06 06 06 08 08 08 08|"; offset:5; depth:17; classtype:trojan-activity; sid:2013530; rev:3; metadata:created_at 2011_09_01, updated_at 2011_09_01;)

#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET TROJAN Backdoor.Win32.Fynloski.A Command Request"; flow:to_server,established; content:"#BOT#"; depth:5; pcre:"/^\x23BOT\x23(VisitUrl|OpenUrl|Ping|RunPrompt|CloseServer|SvrUninstall|URLUpate|URLDownload)/i"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,home.mcafee.com/virusinfo/virusprofile.aspx?key=570863; classtype:trojan-activity; sid:2013532; rev:2; metadata:created_at 2011_09_02, updated_at 2011_09_02;)

alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.Fynloski.A Command Response"; flow:to_server,established; content:"#botCommand%"; depth:12; pcre:"/^\x23botCommand\x25(close\x20command|Error|Finish|Http\x20Flood|Mass\x20Download|Respond\x20\x5bOK|Syn\x20Flood|UDP\x20Flood|uninstall|Update|)/i"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,home.mcafee.com/virusinfo/virusprofile.aspx?key=570863; classtype:trojan-activity; sid:2013533; rev:2; metadata:created_at 2011_09_02, updated_at 2011_09_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN VirTool.Win32/VBInject.gen!DM Checkin"; flow:established,to_server; content:"/iLog.php?dl="; fast_pattern:only; http_uri; content:"&log="; http_uri; content:"User-Agent|3a| IE"; http_header; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=VirTool%3aWin32/VBInject.gen!DM; classtype:trojan-activity; sid:2013534; rev:8; metadata:created_at 2011_09_02, updated_at 2011_09_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BKDR_BTMINE.MNR BitCoin Miner Retrieving Server IP Addresses"; flow:established,to_server; content:"/distrib_serv/ip_list_"; http_uri; content:" HTTP/1.1|0d 0a|Connection|3a| close|0d 0a|Host|3a| "; content:!"User-Agent|3a| "; http_header; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=BKDR_BTMINE.MNR; classtype:trojan-activity; sid:2013536; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, deployment Datacenter, tag Bitcoin_Miner, signature_severity Major, created_at 2011_09_06, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BKDR_BTMINE.MNR BitCoin Miner Retrieving New IP Addresses From Server"; flow:established,to_server; content:"/search=ip_list_"; http_uri; content:" HTTP/1.1|0d 0a|Connection|3a| close|0d 0a|Host|3a| "; content:!"User-Agent|3a| "; http_header; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=BKDR_BTMINE.MNR; classtype:trojan-activity; sid:2013537; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, deployment Datacenter, tag Bitcoin_Miner, signature_severity Major, created_at 2011_09_06, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BKDR_BTMINE.MNR BitCoin Miner Retrieving New Malware From Server"; flow:established,to_server; content:"/search="; http_uri; content:" HTTP/1.1|0d 0a|Connection|3a| close|0d 0a|Host|3a| "; content:!"User-Agent|3a| "; http_header; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=BKDR_BTMINE.MNR; classtype:trojan-activity; sid:2013538; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, deployment Datacenter, tag Bitcoin_Miner, signature_severity Major, created_at 2011_09_06, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BKDR_BTMINE.MNR BitCoin Miner Server Checkin"; flow:established,to_server; content:"knock.php?ver="; http_uri; content:"&sid="; http_uri; content:" HTTP/1.1|0d 0a|Connection|3a| close|0d 0a|Host|3a| "; content:!"User-Agent|3a| "; http_header; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=BKDR_BTMINE.MNR; classtype:trojan-activity; sid:2013539; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, deployment Datacenter, tag Bitcoin_Miner, signature_severity Major, created_at 2011_09_06, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN W32/iGrabber Info Stealer FTP Upload"; flow:established,to_server; content:"iGrabber Logs"; offset:4; depth:13; classtype:trojan-activity; sid:2013543; rev:2; metadata:created_at 2011_09_06, updated_at 2011_09_06;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TROJ_VB.FJP Generic Dowbnloader Connectivity Check to Google"; flow:established,to_server; content:"/whatever.exe"; fast_pattern; http_uri; content:"Host|3A 20|google.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2013544; rev:1; metadata:created_at 2011_09_06, updated_at 2011_09_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Gagolino Banking Trojan Reporting to CnC"; flow:established,to_server; content:"?op="; http_uri; content:"&macaddress="; http_uri; content:"&pcname="; http_uri; content:"&nomeusuario="; http_uri; content:"&serialhd="; http_uri; content:"&versaowindows="; http_uri; content:"&versaoatual="; http_uri; content:"&arquivosplugins="; http_uri; content:"&origem="; http_uri; classtype:trojan-activity; sid:2013546; rev:1; metadata:created_at 2011_09_06, updated_at 2011_09_06;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 54 (msg:"ET TROJAN Win32.Unknown.UDP.edsm CnC traffic"; content:"|65 f2 9c 64 cf 0a 5e d3 f6 5b 2a 9f 73 3c 91 4d|"; offset:16; depth:16; threshold:type limit, track by_src, count 1, seconds 600; reference:url,xml.ssdsandbox.net/view/11c0df38d31121885a76500140780cef; classtype:trojan-activity; sid:2013547; rev:2; metadata:created_at 2011_09_06, updated_at 2011_09_06;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.FresctSpy.A User-Agent (MBVDFRESCT)"; flow:to_server,established; content:"User|2d|Agent|3a| MBVDFRESCT"; nocase; http_header; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanSpy%3AWin32%2FAgent.CZ; classtype:trojan-activity; sid:2016908; rev:3; metadata:created_at 2011_09_09, updated_at 2011_09_09;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fivfrom Downloader (Unitrix)"; flow:established,to_server; content:".php?seller="; http_uri; content:"&hash={"; http_uri; pcre:"/hash=\{[a-f0-9]+-/Ui"; classtype:trojan-activity; sid:2013555; rev:4; metadata:created_at 2011_09_09, updated_at 2011_09_09;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potentially Unwanted Program Storm3-607.exe Download Reporting"; flow:established,to_server; content:"GET"; http_method; content:"/Storm3-607.exe"; nocase; http_uri; content:"User-Agent|3a| InnoTools_Downloader"; http_header; classtype:trojan-activity; sid:2013560; rev:2; metadata:created_at 2011_09_12, updated_at 2011_09_12;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Shady RAT Get File Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"gf|3a|{"; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013653; rev:2; metadata:created_at 2011_09_15, updated_at 2011_09_15;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Shady RAT Put File Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"pf|3a|{"; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013654; rev:2; metadata:created_at 2011_09_15, updated_at 2011_09_15;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Shady RAT Retrieve and Execute Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"http|3a|{"; content:"}.exe"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013655; rev:2; metadata:created_at 2011_09_15, updated_at 2011_09_15;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Shady RAT Relay Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"taxi|3a|"; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013656; rev:2; metadata:created_at 2011_09_15, updated_at 2011_09_15;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Shady RAT Send Status Result"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"slp|3a|{"; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013657; rev:2; metadata:created_at 2011_09_15, updated_at 2011_09_15;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Exploit Pack Binary Load Request (server_privileges.php)"; flow:established,to_server; content:"/server_privileges.php?"; http_uri; pcre:"/\/server_privileges\.php\?[0-9a-f]{32}=\d+(&\w+)?$/U"; classtype:trojan-activity; sid:2013663; rev:1; metadata:created_at 2011_09_18, updated_at 2011_09_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Riberow.A (listdir)"; flow:to_server,established; content:"/listdir.php?dir="; http_uri; content:" HTTP/1.1|0d 0a|Host|3a| "; content:"|0d 0a|Pragma|3a| no-cache|0d 0a|Accept|3a| */*|0d 0a 0d 0a|"; within:70; content:!"User-Agent|3a|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=c55fe941b80b3e5e77be8728642d138e; classtype:trojan-activity; sid:2013668; rev:1; metadata:created_at 2011_09_19, updated_at 2011_09_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Riberow.A (mkdir)"; flow:to_server,established; content:"/mkdir.php?dir="; http_uri; content:" HTTP/1.1|0d 0a|Host|3a| "; content:"|0d 0a|Pragma|3a| no-cache|0d 0a|Accept|3a| */*|0d 0a 0d 0a|"; within:70; content:!"User-Agent|3a|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=c55fe941b80b3e5e77be8728642d138e; classtype:trojan-activity; sid:2013669; rev:1; metadata:created_at 2011_09_19, updated_at 2011_09_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Riberow.A (fsize)"; flow:to_server,established; content:"/fsize.php?name="; http_uri; content:"/WF-update.log"; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=c55fe941b80b3e5e77be8728642d138e; classtype:trojan-activity; sid:2013670; rev:1; metadata:created_at 2011_09_19, updated_at 2011_09_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Riberow.A (touch)"; flow:to_server,established; content:"/touch.php?dir="; http_uri; content:" HTTP/1.1|0d 0a|Host|3a| "; content:"|0d 0a|Pragma|3a| no-cache|0d 0a|Accept|3a| */*|0d 0a 0d 0a|"; within:70; content:!"User-Agent|3a|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=c55fe941b80b3e5e77be8728642d138e; classtype:trojan-activity; sid:2013671; rev:1; metadata:created_at 2011_09_19, updated_at 2011_09_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Riberow.A (postit3)"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/postit3.php"; http_uri; content:"Content-Type|3A| multipart/form-data|3B| boundary="; http_header; reference:url,www.threatexpert.com/report.aspx?md5=c55fe941b80b3e5e77be8728642d138e; classtype:trojan-activity; sid:2013672; rev:2; metadata:created_at 2011_09_19, updated_at 2011_09_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 3306 (msg:"ET TROJAN Win32.Parite Checkin SQL Database"; flow:established,to_server; content:"SHOW COLUMNS FROM webronaldogyn01"; metadata: former_category TROJAN; reference:url,www.threatexpert.com/report.aspx?md5=19441bc629e6c1dcb54cb5febdf9a22d; classtype:trojan-activity; sid:2013683; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2011_09_21, malware_family Parite, updated_at 2017_07_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ZeroAccess/Max++ Rootkit C&C Activity 1"; flow:established,to_server; content:".php?w="; http_uri; content:"&i="; http_uri; content:"&a="; http_uri; pcre:"/\.php\?w=\d+&i=[0-9a-f]{32}&a=\d+$/U"; reference:url,resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99&tabid=2; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3aWin32%2fSirefef.B; classtype:trojan-activity; sid:2013685; rev:1; metadata:created_at 2011_09_21, updated_at 2011_09_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ZeroAccess/Max++ Rootkit C&C Activity 2"; flow:established,to_server; content:".php?w="; http_uri; content:"&fail="; http_uri; content:"&i="; http_uri; pcre:"/\.php\?w=\d+&fail=\d+&i=[0-9a-f]{32}$/U"; reference:url,resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99&tabid=2; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3aWin32%2fSirefef.B; classtype:trojan-activity; sid:2013686; rev:1; metadata:created_at 2011_09_21, updated_at 2011_09_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Shylock Module Data POST"; flow:established,to_server; content:"id="; http_client_body; content:"&bid="; http_client_body; content:"&query="; http_client_body; content:"&data="; http_client_body; pcre:"/id=\d+&bid=[^&]+&query=\w+&data=\w/P"; reference:url,anubis.iseclab.org/index.php?action=result&task_id=86c6da9437e65c94990ddd85d87299f1; reference:url,www.threatexpert.com/report.aspx?md5=4fda5e7e8e682870e993f97ad26ba6b2; classtype:trojan-activity; sid:2013687; rev:3; metadata:created_at 2011_09_21, updated_at 2011_09_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Shylock Module Server Response"; flow:established,from_server; content:"|0d 0a 0d 0a 23 23 23|ERROR_SRC|23 23 23|"; content:"|23 23 23|ERROR_SRC_END|23 23 23|"; distance:0; reference:url,anubis.iseclab.org/index.php?action=result&task_id=86c6da9437e65c94990ddd85d87299f1; reference:url,www.threatexpert.com/report.aspx?md5=4fda5e7e8e682870e993f97ad26ba6b2; classtype:trojan-activity; sid:2013688; rev:1; metadata:created_at 2011_09_21, updated_at 2011_09_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.Aldibot.A Checkin"; flow:to_server,established; content:"/gate.php?hwid="; nocase; http_uri; content:"&pc="; nocase; http_uri; content:"&localip="; nocase; http_uri; content:"&winver="; nocase; http_uri; reference:url,www.asert.arbornetworks.com/2011/10/ddos-aldi-bot/; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fAbot.gen!A; classtype:trojan-activity; sid:2013748; rev:3; metadata:created_at 2011_09_23, updated_at 2011_09_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Agent-TMF Checkin"; flow:to_server,established; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:"GET"; http_method; nocase; content:".php?gd="; http_uri; pcre:"/.php\?gd=\d+_\d+_\d+$/U"; classtype:trojan-activity; sid:2013701; rev:4; metadata:created_at 2011_09_27, updated_at 2011_09_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Dofoil.L Checkin"; flow:to_server,established; content:"/index.php?cmd="; http_uri; content:"&login="; http_uri; content:"&ver="; http_uri; content:"&bits="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=47f2b8fcc2873f4dfd573b0e8a77aaa9; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FDofoil.L&ThreatID=-2147317615; classtype:trojan-activity; sid:2013917; rev:3; metadata:created_at 2011_09_29, updated_at 2011_09_29;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 6060 (msg:"ET TROJAN Win32/Wapomi.AD Variant Checkin"; flow:established,to_server; content:"/passport.asp?ID="; content:"&fn="; within:8; content:"&Var="; within:30; reference:md5,37ab252df52f5e1a46b3b40e9afb40c0; classtype:trojan-activity; sid:2013720; rev:3; metadata:created_at 2011_09_30, updated_at 2011_09_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (WindowsNT) With No Separating Space"; flow:established,to_server; content:"WindowsNT"; http_header; pcre:"/User-Agent\x3A[^\r\n]*WindowsNT/H"; content:!".rview.com|0d 0a|"; http_header; content:!".mobizen.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2013721; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_09_30, updated_at 2017_01_13;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Daemonize Trojan Proxy Initial Checkin"; flow:established,to_server; content:"/command.php?IP="; http_uri; content:"ID="; http_uri; content:"User-Agent|3a 20 5c 0d 0a|"; pcre:"/ID=\d{24}($|&)/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanProxy%3AWin32%2FDaemonize.A&ThreatID=-2147464655; classtype:trojan-activity; sid:2013723; rev:2; metadata:created_at 2011_09_30, updated_at 2011_09_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 82 (msg:"ET TROJAN Win32/OnLineGames GetMyIP Style Checkin"; flow:established,to_server; content:".asp?ID="; content:"&Action=GetMyIP"; within:40; classtype:trojan-activity; sid:2013728; rev:1; metadata:created_at 2011_09_30, updated_at 2011_09_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (GenericHttp/VER_STR_COMMA)"; flow:to_server,established; content:"User-Agent|3a| GenericHttp/VER_STR_COMMA"; http_header; classtype:trojan-activity; sid:2013737; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_10_04, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Trojan-Dropper.Win32.StartPage.dvm or Mebromi Bios Rootkit CnC Count Checkin"; flow:to_server,established; content:"GET /Count.asp?UserID="; depth:22; content:"&MAC="; distance:0; content:"&Process="; distance:0; reference:url,www.threatexpert.com/report.aspx?md5=7d2eb4b364e15e90cec1ddd7dcb97f64; reference:url,blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/; reference:url,threatexpert.com/report.aspx?md5=b3106dbfb3ab114755af311883f33697%20; classtype:trojan-activity; sid:2013741; rev:4; metadata:created_at 2011_10_04, updated_at 2011_10_04;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus/Aeausuc P2P Variant Retrieving Peers List"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/gameover"; http_uri; pcre:"/gameover(\d+)?\.php/U"; content:" HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|X-ID|3a|"; reference:url,www.abuse.ch/?p=3499; classtype:trojan-activity; sid:2013740; rev:9; metadata:created_at 2011_10_05, updated_at 2011_10_05;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Double HTTP/1.1 Header Outbound - Likely Infected or Hostile Traffic"; flow:established,to_server; content:" HTTP/1.1|20|HTTP/1.1|0d 0a|"; depth:300; classtype:bad-unknown; sid:2013745; rev:3; metadata:created_at 2011_10_05, updated_at 2011_10_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Win32/Comisproc Checkin"; flow:to_server,established; content:".asp?mac="; offset:4; content:"&ver="; distance:0; content:" HTTP/1."; distance:0; content:"|0d 0a|User-Agent|3a| Google"; nocase; distance:1; within:20; reference:url,threatexpert.com/report.aspx?md5=9378ef5f2fb2e71e5eeed20f9f21d8dd; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32/Comisproc&ThreatID=-2147341910; reference:url,unixfreaxjp.blogspot.com.br/2012/11/ocjp-080-bootkitsoftbankbb.html; classtype:trojan-activity; sid:2017066; rev:9; metadata:created_at 2011_10_06, updated_at 2011_10_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WEBC2-CSON Checkin - APT1 Related"; flow:to_server,established; content:"/Default.aspx?INDEX="; http_uri; pcre:"/\?INDEX=[A-Z]{10}$/U"; content:!"User-Agent|3a| Mozilla "; http_header; reference:url,www.threatexpert.com/report.aspx?md5=ba45339da92ca4622b472ac458f4c8f2; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FSmall.XR; reference:url,intelreport.mandiant.com/; reference:md5,8dd6a7fe83bd9682187d956f160ffb47; classtype:trojan-activity; sid:2016460; rev:8; metadata:created_at 2011_10_06, updated_at 2011_10_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Possible German Governmental Backdoor/R2D2.A 1"; flow:from_client,established; content:"|11 26 80 7c ff ff ff ff 00 26 80 7c 42 25 80 7c|"; fast_pattern; reference:url,ccc.de/en/updates/2011/staatstrojaner; classtype:trojan-activity; sid:2013751; rev:3; metadata:created_at 2011_10_11, updated_at 2011_10_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Possible German Governmental Backdoor/R2D2.A 2"; flow:from_client,established; content:"C3PO-r2d2-POE"; depth:13; reference:url,ccc.de/en/updates/2011/staatstrojaner; classtype:trojan-activity; sid:2013752; rev:3; metadata:created_at 2011_10_11, updated_at 2011_10_11;)

#alert tcp 207.158.22.134 any -> $HOME_NET any (msg:"ET TROJAN Bundestrojaner (W32/R2D2 BTrojan) Inbound SRV-1"; flow:established,to_server; threshold:type limit, track by_src,count 1, seconds 60; reference:url,www.ccc.de/de/updates/2011/staatstrojaner; reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf; reference:url,www.f-secure.com/weblog/archives/00002249.html; reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html; reference:url,www.virustotal.com/file scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545; reference:url,www.ccc.de/en/updates/2011/staatstrojaner; classtype:trojan-activity; sid:2013755; rev:3; metadata:created_at 2011_10_11, updated_at 2011_10_11;)

#alert tcp $HOME_NET any -> 207.158.22.134 any (msg:"ET TROJAN Bundestrojaner (W32/R2D2 BTrojan) Outbound SRV-1"; flow:established,to_server; threshold:type limit, track by_dst, count 1, seconds 60; reference:url,www.ccc.de/de/updates/2011/staatstrojaner; reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf; reference:url,www.f-secure.com/weblog/archives/00002249.html; reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html; reference:url,www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545; reference:url,www.ccc.de/en/updates/2011/staatstrojaner; classtype:trojan-activity; sid:2013756; rev:3; metadata:created_at 2011_10_11, updated_at 2011_10_11;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Swisyn Reporting"; flow:to_server,established; content:"/Qvodav.exe"; nocase; http_uri; content:"User-Agent|3a| Av_DVD"; nocase; http_header; reference:url,precisesecurity.com/worms/trojan-win32-swisyn-algm; classtype:trojan-activity; sid:2013766; rev:7; metadata:created_at 2011_10_11, updated_at 2011_10_11;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Einstein CnC Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php?id="; http_uri; content:"&ext="; http_uri; pcre:"/\x2F[a-z]{5}\x2Ephp\x3Fid\x3D/U"; reference:url,www.cyberesi.com/2011/10/06/trojan-matryoshka-and-trojan-einstein/; classtype:trojan-activity; sid:2013767; rev:2; metadata:created_at 2011_10_12, updated_at 2011_10_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Dropper.Wlock Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"hardware_id="; http_client_body; content:"&user_id="; http_client_body; content:"&os_ver="; http_client_body; content:"&os_sp="; http_client_body; content:"&os_arch="; http_client_body; reference:url,www.threatexpert.com/report.aspx?md5=881e21645e5ffe1ffb959835f8fdf71d; classtype:trojan-activity; sid:2013768; rev:4; metadata:created_at 2011_10_12, updated_at 2011_10_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Prosti Checkin"; flow:from_client,established; content:"&first& # 0d 0h "; depth:16; reference:url,www.threatexpert.com/report.aspx?md5=5113c6dbd644874482f3a26650970600; classtype:trojan-activity; sid:2013769; rev:1; metadata:created_at 2011_10_12, updated_at 2011_10_12;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN USPS Spam/Trojan Executable Download"; flow:from_server,established; content:"filename=USPS_Invoice"; http_header; content:".exe"; within:32; http_header; reference:url,www.virustotal.com/file-scan/report.html?id=41866ac1950b620bd13fb3d6063e3781eaa3bbccb3089b13073abe752d0a6ffa-1318350235; classtype:trojan-activity; sid:2013770; rev:3; metadata:created_at 2011_10_12, updated_at 2011_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Cerberus RAT Checkin Outbound"; flow:established,to_server; content:"Ypmw1Syv023QZD"; depth:30; reference:url,www.threatexpert.com/report.aspx?md5=76e084e9420bfaa31c0f0bf000f1c301; classtype:trojan-activity; sid:2013771; rev:4; metadata:created_at 2011_10_13, updated_at 2011_10_13;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32.Cerberus RAT Checkin Response"; flow:established,to_client; content:"Ypmw1Syv023QZD"; depth:30; reference:url,www.threatexpert.com/report.aspx?md5=76e084e9420bfaa31c0f0bf000f1c301; classtype:trojan-activity; sid:2013772; rev:2; metadata:created_at 2011_10_13, updated_at 2011_10_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Cerberus RAT Client pong"; flow:from_client,established; content:"wZ2pla"; depth:6; reference:url,www.threatexpert.com/report.aspx?md5=76e084e9420bfaa31c0f0bf000f1c301; classtype:trojan-activity; sid:2013773; rev:2; metadata:created_at 2011_10_13, updated_at 2011_10_13;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32.Cerberus RAT Server ping"; flow:from_server,established; content:"wBmpf3Pb7RJe|0d0a|"; depth:14; dsize:14; reference:url,www.threatexpert.com/report.aspx?md5=76e084e9420bfaa31c0f0bf000f1c301; classtype:trojan-activity; sid:2013774; rev:2; metadata:created_at 2011_10_13, updated_at 2011_10_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious HTTP Request for gift.exe"; flow:established,to_server; content:"/gift.exe"; http_uri; classtype:trojan-activity; sid:2013780; rev:1; metadata:created_at 2011_10_19, updated_at 2011_10_19;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Scar.dvov Searchstar.co.kr related Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/juso_return.php?mode="; http_uri; content:"&pluslook_p"; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=07ed70b6e7775a510d725c9f032c70d8; classtype:trojan-activity; sid:2013781; rev:3; metadata:created_at 2011_10_19, updated_at 2011_10_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Emold.C Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?v="; http_uri; fast_pattern; content:"&rs="; distance:0; http_uri; content:"&n="; distance:0; http_uri; content:"Windows NT 5."; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php\?v\x3d\d+?\x26rs\x3d(?:(?:\d+?\x2d){3})?\d+?\x26n\x3d\d/Ui"; reference:url,www.threatexpert.com/report.aspx?md5=49205774f0ff7605c226828e080238f3; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3AWin32%2FEmold.C; classtype:trojan-activity; sid:2016251; rev:4; metadata:created_at 2011_10_19, updated_at 2011_10_19;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Duqu UA and Filename Requested"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 6.0|3b| en-US|3b| rv|3a|1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"; http_header; fast_pattern:20,20; content:"Content-Disposition|3A| form-data|3b| name=|22|DSC00001.jpg|22|"; http_header; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf; classtype:policy-violation; sid:2013783; rev:4; metadata:created_at 2011_10_19, updated_at 2011_10_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zentom FakeAV Checkin"; flow:established,to_server; content:".php?prodclass="; fast_pattern; http_uri; content:"&coid="; http_uri; content:"&fff="; http_uri; content:"&IP="; http_uri; content:"&lct="; http_uri; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; classtype:trojan-activity; sid:2013785; rev:2; metadata:created_at 2011_10_20, updated_at 2011_10_20;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dropper.Win32.Npkon Client Checkin"; flow:established,to_server; content:"|40 1f|"; offset:1; depth:2; content:"|03|"; distance:1; within:1; content:"|20 00 00 00|"; distance:1; within:4; dsize:10; reference:url,www.threatexpert.com/report.aspx?md5=a7f4a7d08fa650a5f09a00519b944b0b; classtype:trojan-activity; sid:2013793; rev:1; metadata:created_at 2011_10_24, updated_at 2011_10_24;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Dropper.Win32.Npkon Server Responce"; flow:from_server,established; content:"|40 1f|"; offset:1; depth:2; content:"|01|"; distance:1; within:1; content:"|10 00 00 00|"; distance:1; within:4; dsize:26; reference:url,www.threatexpert.com/report.aspx?md5=a7f4a7d08fa650a5f09a00519b944b0b; classtype:trojan-activity; sid:2013794; rev:1; metadata:created_at 2011_10_24, updated_at 2011_10_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bifrose/Cycbot Checkin"; flow:established,to_server; content:"GET"; http_method; content:"?sv="; fast_pattern; http_uri; content:"&tq="; http_uri; content:"User-Agent|3a| chrome/9.0"; http_header; pcre:"/(?:1|2)\.(?:p(?:hp|ng)|jpe?g|cgi|gif)\?sv=\d{2,3}&tq=/Ui"; classtype:trojan-activity; sid:2013795; rev:9; metadata:created_at 2011_10_24, updated_at 2011_10_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.PEx.Delphi.1151005043 Post-infection Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/boot.php?ptr="; nocase; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=b58485c9a221e8bd5b4725e7e19988b0; reference:url,www.threatcenter.crdf.fr/?More&ID=49992&D=CRDF.Malware.Win32.PEx.Delphi.1151005043; classtype:trojan-activity; sid:2013798; rev:2; metadata:created_at 2011_10_24, updated_at 2011_10_24;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Trojan.SuspectCRC FakeAV Checkin"; flow:established,to_server; content:"value.php?"; http_uri; content:"md="; http_uri; content:"&pc="; http_uri; content:"User-Agent|3a| sample"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=54c9d51661a05151e5143f4e80cbed86; classtype:trojan-activity; sid:2013799; rev:2; metadata:created_at 2011_10_24, updated_at 2011_10_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cycbot POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"FILE0|00 44 30 A8 71 D1 89 53 50|"; http_client_body; reference:url,www.threatexpert.com/report.aspx?md5=1f04bd1b4eceb42e6d5859b6330fc7d7; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cycbot-O/detailed-analysis.aspx; classtype:trojan-activity; sid:2013802; rev:2; metadata:created_at 2011_10_25, updated_at 2011_10_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Jorik FakeAV GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/britix/a"; http_uri; content:"User-Agent|3a| Internet Explorer"; http_header; classtype:trojan-activity; sid:2013807; rev:4; metadata:created_at 2011_10_31, updated_at 2011_10_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tatanga/Win32.Kexject.A Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:".php"; http_uri; content:!"User-Agent|3a|"; http_header; content:"|CE FA AD DE 03 00|"; http_client_body; depth:6; reference:url,securityblog.s21sec.com/2011/02/tatanga-new-banking-trojan-with-mitb.html; classtype:trojan-activity; sid:2013819; rev:4; metadata:created_at 2011_11_02, updated_at 2011_11_02;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Kryptik/proscan.co.kr Checkin"; flow:established,to_server; content:"User-Agent|3a| proscan-down"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=bf156b649cb5da6603a5f665a7d8f13b; classtype:trojan-activity; sid:2013821; rev:1; metadata:created_at 2011_11_03, updated_at 2011_11_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN VBS/Wimmie.A Set"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/count.php?m=c&n="; http_uri; content:"_"; distance:0; http_uri; content:"@"; distance:0; http_uri; content:"|0D 0A|Content-Length|3a| 0|0D 0A|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=6fd7493e56fdc3b0dd8ecd24aea20da1; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AVBS%2FWimmie.A; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf; reference:md5,61474931882dce7b1c67e1f22d26187e; classtype:trojan-activity; sid:2014803; rev:6; metadata:created_at 2011_11_04, updated_at 2011_11_04;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN VBS/Wimmie.A Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/count.php?m=w&n="; http_uri; content:"_"; distance:0; http_uri; content:"@."; distance:0; http_uri; content:"|16 00 00 00|down"; http_client_body; depth:8; reference:url,www.threatexpert.com/report.aspx?md5=6fd7493e56fdc3b0dd8ecd24aea20da1; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AVBS%2FWimmie.A; reference:md5,61474931882dce7b1c67e1f22d26187e; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf; classtype:trojan-activity; sid:2014804; rev:5; metadata:created_at 2011_11_04, updated_at 2011_11_04;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN SecurityDefender exe Download Likely FakeAV Install"; flow:established,from_server; content:"|0D 0A|Content-Disposition|3a| attachment|3B| filename=|22|"; http_header; content:"SecurityDefender"; nocase; http_header; within:24; content:".exe"; http_header; within:24; classtype:trojan-activity; sid:2013826; rev:2; metadata:created_at 2011_11_04, updated_at 2011_11_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN AntiVirus exe Download Likely FakeAV Install"; flow:established,from_server; content:"|0D 0A|Content-Disposition|3a| attachment|3B| filename=|22|"; http_header; content:"AntiVirus"; nocase; http_header; within:24; content:".exe"; http_header; within:24; classtype:trojan-activity; sid:2013827; rev:4; metadata:created_at 2011_11_04, updated_at 2011_11_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Kazy/Kryptor/Cycbot Trojan Checkin 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"?tq="; http_uri; content:!"Referer|3a|"; http_header; pcre:"/\.(?:(?:jp|pn)g|cgi|gif)\?tq=/U"; classtype:trojan-activity; sid:2013865; rev:5; metadata:created_at 2011_11_07, updated_at 2011_11_07;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Sefbov.E Reporting"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/CallBack/SomeScripts/mgsGetMGList.php"; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=f50d954f1fd38c6eb10e7e399caab480; classtype:trojan-activity; sid:2013868; rev:3; metadata:created_at 2011_11_08, updated_at 2011_11_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Fullstuff Initial Checkin"; flow:established,to_server; content:"/version.txt?type="; http_uri; content:"&GUID="; http_uri; content:"&rfr="; http_uri; content:"&bgn="; http_uri; content:"User-Agent|3a| FULLSTUFF"; http_header; classtype:trojan-activity; sid:2013887; rev:2; metadata:created_at 2011_11_08, updated_at 2011_11_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Koobface Variant Initial Checkin"; flow:established,to_server; content:".php?datos=c|3A|"; http_uri; content:"&user="; http_uri; classtype:trojan-activity; sid:2013890; rev:1; metadata:created_at 2011_11_08, updated_at 2011_11_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Svlk Client Checkin"; flow:from_client,established; dsize:12; content:"|38 0d ff 0a d7 ee 9d d7 ec 59 13 56|"; depth:12; reference:url,www.threatexpert.com/report.aspx?md5=c929e8c75901c7e50685df0445a38bd0; classtype:trojan-activity; sid:2013891; rev:1; metadata:created_at 2011_11_09, updated_at 2011_11_09;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Backdoor.Win32.Svlk Server Reply"; flow:from_server,established; dsize:44; content:"|33 39 0d ff 0a c4 e5 9f d5 ec 58 4a 69|"; depth:13; reference:url,www.threatexpert.com/report.aspx?md5=c929e8c75901c7e50685df0445a38bd0; classtype:trojan-activity; sid:2013892; rev:1; metadata:created_at 2011_11_09, updated_at 2011_11_09;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Svlk Client Ping"; flow:from_client,established; dsize:7; content:"|33 0D FF 0A C5 F8 C1|"; depth:7; reference:url,www.threatexpert.com/report.aspx?md5=c929e8c75901c7e50685df0445a38bd0; classtype:trojan-activity; sid:2013893; rev:2; metadata:created_at 2011_11_09, updated_at 2011_11_09;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 9999 (msg:"ET TROJAN W32/Yaq Checkin"; flow:established,to_server; content:"/Submit.php?id="; content:"&action="; within:10; content:"&mac="; within:10; content:"&lockcode="; within:30; content:"&homepc="; within:15; content:"User-Agent|3A 20|getinfo|0D 0A|"; distance:0; classtype:trojan-activity; sid:2013900; rev:1; metadata:created_at 2011_11_10, updated_at 2011_11_10;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User Agent GeneralDownloadApplication"; flow:established,to_server; content:"User-Agent|3A 20|GeneralDownloadApplication"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013901; rev:1; metadata:created_at 2011_11_10, updated_at 2017_11_29;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.BlackControl Retrieving IP Information"; flow:established,to_server; content:"/v2/ip_query_country.php?key="; http_uri; content:"&timezone="; http_uri; content:"User-Agent|3A 20|1|0D 0A|"; http_header; fast_pattern; classtype:trojan-activity; sid:2013902; rev:2; metadata:created_at 2011_11_10, updated_at 2011_11_10;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User Agent GetFile"; flow:established,to_server; content:"User-Agent|3A 20|GetFile|0D 0A|"; http_header; classtype:trojan-activity; sid:2013903; rev:1; metadata:created_at 2011_11_10, updated_at 2011_11_10;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Rimecud User Agent beat"; flow:established,to_server; content:"User-Agent|3A 20|beat|0D 0A|"; http_header; classtype:trojan-activity; sid:2013904; rev:1; metadata:created_at 2011_11_10, updated_at 2011_11_10;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User Agent banderas"; flow:established,to_server; content:"User-Agent|3A 20|banderas"; http_header; classtype:trojan-activity; sid:2013905; rev:1; metadata:created_at 2011_11_10, updated_at 2011_11_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ZAccess/Sirefef/MAX++/Jorik/Smadow Checkin"; flow:established,to_server; content:"/stat"; http_uri; content:".php?w="; http_uri; content:"&i=00000000000"; http_uri; fast_pattern; content:"&a="; http_uri; content:"User-Agent|3a 20|Opera/6 (Windows NT 5.1|3b 20|"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013907; rev:3; metadata:created_at 2011_11_10, updated_at 2017_11_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN P2P Zeus or ZeroAccess Request To CnC"; flow:established,to_server; dsize:20; content:"|E5 AA C0 31|"; depth:4; content:"|5B 74 08 4D 9B 39 C1|"; distance:5; within:7; reference:url,www.abuse.ch/?p=3499; reference:url,www.kindsight.net/sites/default/files/Kindsight_Malware_Analysis-ZeroAcess-Botnet-final.pdf; classtype:trojan-activity; sid:2013911; rev:9; metadata:created_at 2011_11_11, updated_at 2011_11_11;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN P2P Zeus Response From CnC"; flow:established,from_server; content:"|E5 AA C0 31|"; depth:4; content:"|5B 74|"; distance:5; within:2; content:"|C1|"; distance:4; within:2; reference:url,www.abuse.ch/?p=3499; classtype:trojan-activity; sid:2013912; rev:4; metadata:created_at 2011_11_11, updated_at 2011_11_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Usteal.B Checkin"; flow:to_server,established; content:"/ufr.php"; fast_pattern:only; http_uri; content:"name="; http_client_body; content:"filename="; http_client_body; content:"UFR|21|"; http_client_body; reference:url,www.threatexpert.com/report.aspx?md5=3155b146bee46723acc5637617e3703a; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanSpy%3AWin32%2FUsteal.B&ThreatID=-2147320862; classtype:trojan-activity; sid:2014616; rev:4; metadata:created_at 2011_11_16, updated_at 2011_11_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Request for utu.dat Likely Ponmocup checkin"; flow:to_server,established; content:"GET"; nocase; http_method; uricontent:"/update/utu.dat"; reference:url,www.threatexpert.com/report.aspx?md5=6fd8cdee653c0fde769e6c48d65e28bd; classtype:trojan-activity; sid:2013913; rev:2; metadata:created_at 2011_11_16, updated_at 2011_11_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.Emp Keepalive to CnC"; flow:established,to_server; content:"|7a 05 61 17 27 f5 09 f9 05 a2 ff 71 e0 49 96 47|"; offset:16; depth:16; dsize:48; reference:url,www.mcafee.com/threat-intelligence/malware/default.aspx?id=541210; classtype:trojan-activity; sid:2013922; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2011_11_17, malware_family PoisonIvy, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.Eu2 Keepalive to CnC"; flow:established,to_server; content:"|1c e9 a1 06 39 95 48 0d 64 1f 39 23 21 7f dc 43|"; offset:16; depth:16; dsize:48; classtype:trojan-activity; sid:2013923; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2011_11_17, malware_family PoisonIvy, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.Eu3 Keepalive to CnC"; flow:established,to_server; content:"|77 1b 13 19 a2 d1 8d a1 b5 05 8f fa 3f aa c0 8a|"; offset:16; depth:16; dsize:48; classtype:trojan-activity; sid:2013924; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2011_11_17, malware_family PoisonIvy, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.Eu4 Keepalive to CnC"; flow:established,to_server; content:"|ea a2 0d a1 b4 a9 a2 18 12 34 67 eb aa 6f ab 3f|"; offset:16; depth:16; dsize:48; classtype:trojan-activity; sid:2013925; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2011_11_17, malware_family PoisonIvy, updated_at 2016_07_01;)

#alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Win32.Zbot.chas/Unruy.H Covert DNS CnC Channel TXT Response"; content:"|C0 0C 00 10 00 01|"; content:"|00 dd dc|"; distance:4; within:3; content:!"v="; distance:0; content:!"p="; distance:0; content:!"spf2.0/"; content:!"spf1"; distance:0; content:!"|7c|"; distance:0; content:!"_domainkey"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013935; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, signature_severity Major, created_at 2011_11_21, performance_impact Low, updated_at 2018_03_05;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Rimecud.A User-Agent (counters)"; flow:to_server,established; content:"User-Agent|3a| counters|0d 0a|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=60ce66bd10fcac3c97151612c8a4d343; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRimecud.A; classtype:trojan-activity; sid:2013953; rev:2; metadata:created_at 2011_11_22, updated_at 2011_11_22;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TR/Rimecud.aksa User-Agent (indy)"; flow:to_server,established; content:"User-Agent|3a| indy|0d 0a|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=1536a7072981ce5140efe6b9c193bb7e; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRimecud.A; classtype:trojan-activity; sid:2013952; rev:2; metadata:created_at 2011_11_23, updated_at 2011_11_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Rimecud.A User-Agent (needit)"; flow:to_server,established; content:"User-Agent|3a| needit|0d 0a|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=1b1fff82c72277aff808291d53df7fd8; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRimecud.A; classtype:trojan-activity; sid:2013951; rev:2; metadata:created_at 2011_11_23, updated_at 2011_11_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV.EGZ Checkin 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/logo/go.php?id="; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|Host|3a| "; pcre:"/\/logo\/go\.php\?id=\d{1,3}$/U"; reference:url,www.virustotal.com/file-scan/report.html?id=458ec5d5b3c1c02b6c64b360f82bcbf529f580c2d646b2ae161fc7dd2ea9927d-1321069787; classtype:trojan-activity; sid:2013946; rev:3; metadata:created_at 2011_11_23, updated_at 2011_11_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV.EGZ Checkin 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/images/b.php?id="; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|Host|3a| "; pcre:"/\/images\/b\.php\?id=\d{1,3}$/U"; classtype:trojan-activity; sid:2013947; rev:3; metadata:created_at 2011_11_23, updated_at 2011_11_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWS.TIBIA Checkin or Data Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/arq.php"; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a|"; http_header; classtype:trojan-activity; sid:2013948; rev:3; metadata:created_at 2011_11_23, updated_at 2011_11_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWS.TIBIA Checkin or Data Post 2"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/arq.php"; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV2|0d 0a|"; http_header; classtype:trojan-activity; sid:2013949; rev:3; metadata:created_at 2011_11_23, updated_at 2011_11_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Rimecud.A User-Agent (giftz)"; flow:to_server,established; content:"User-Agent|3a| giftz|0d 0a|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=0f726e84bae5a8d1f166bbf6d09d821b; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRimecud.A; classtype:trojan-activity; sid:2013954; rev:1; metadata:created_at 2011_11_23, updated_at 2011_11_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Sality User-Agent (DEBUT.TMP)"; flow:established,to_server; content:"User-Agent|3A 20|DEBUT.TMP|0D 0A|"; http_header; classtype:trojan-activity; sid:2013959; rev:1; metadata:created_at 2011_11_23, updated_at 2011_11_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Sality User-Agent (Internet Explorer 5.01)"; flow:established,to_server; content:"User-Agent|3A 20|Internet Explorer 5.01|0D 0A|"; http_header; classtype:trojan-activity; sid:2013963; rev:2; metadata:created_at 2011_11_23, updated_at 2011_11_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious UA Mozilla / 4.0"; flow:to_server,established; content:"User-Agent|3a| Mozilla / 4.0|0d 0a|"; http_header; content:!"captive.apple.com|0d 0a|"; http_header; content:!".google.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2013964; rev:5; metadata:created_at 2011_11_23, updated_at 2017_01_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus POST Request to CnC - URL agnostic"; flow:established,to_server; content:"POST"; nocase; http_method; content:" HTTP/1."; content:"|0D 0A|Accept|3a| */*|0D 0A|User-Agent|3a| Mozilla"; distance:1; within:34; fast_pattern; content:"|0D 0A|"; distance:0; content:"Content-Length|3a| "; distance:0; content:!"0"; within:1; content:"Connection|3a| Keep-Alive|0D 0A|"; distance:0; content:"|3a| no-cache"; distance:0; content:"|0D 0A 0D 0A|"; distance:0; content:!"Content-Type|3a| "; http_header; content:!"NetflixId="; http_header; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2013976; rev:11; metadata:created_at 2011_12_01, updated_at 2011_12_01;)

#alert udp $HOME_NET any -> 8.8.8.8 53 (msg:"ET TROJAN TDSS DNS Based Internet Connectivity Check"; dsize:34; content:"|33 33 01 00 00 01 00 00 00 00 00 00 07|counter|05|yadro|02|ru|00 00 01 00 01|"; classtype:trojan-activity; sid:2013977; rev:1; metadata:created_at 2011_12_01, updated_at 2011_12_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/Jorik DDOS Instructions From CnC Server"; flow:established,to_client; file_data; content:"|7C|ddos|7C|"; distance:2; within:6; pcre:"/\x7Cddos\x7C(syn|http)\x7C/"; classtype:trojan-activity; sid:2013998; rev:1; metadata:created_at 2011_12_08, updated_at 2011_12_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fake Variation of Mozilla 4.0 - Likely Trojan"; flow:established,to_server; content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 29|"; fast_pattern:20,17; http_header; content:!"BlueCoat"; nocase; http_header; threshold:type limit, track by_src, count 1, seconds 60; classtype:trojan-activity; sid:2014002; rev:8; metadata:created_at 2011_12_08, updated_at 2011_12_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.Sykipot Checkin"; flow:established,from_client; content:"allow_get.asp?name="; fast_pattern; http_uri; content:"&hostname="; http_uri; distance:0; content:!"Referer|3a|"; http_header; reference:cve,CVE-2011-2462; reference:url,blog.9bplus.com/analyzing-cve-2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; classtype:trojan-activity; sid:2014006; rev:2; metadata:created_at 2011_12_08, updated_at 2011_12_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.Sykipot Put"; flow:established,from_client; content:"/kys_allow_put.asp?type="; http_uri; content:"&hostname="; http_uri; reference:cve,CVE-2011-2462; reference:url,blog.9bplus.com/analyzing-cve-2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; classtype:trojan-activity; sid:2014007; rev:1; metadata:created_at 2011_12_08, updated_at 2011_12_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.Sykipot Get Config Request"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/kys_allow_get.asp?"; http_uri; content:"name=getkys.kys"; http_uri; reference:cve,CVE-2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; reference:url,blog.9bplus.com/analyzing-cve-2011-2462; classtype:trojan-activity; sid:2014008; rev:4; metadata:created_at 2011_12_08, updated_at 2011_12_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Smokeloader getgrab Command"; flow:established,to_server; content:"cmd=getgrab"; http_uri; classtype:trojan-activity; sid:2014009; rev:1; metadata:created_at 2011_12_08, updated_at 2011_12_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Smokeloader getproxy Command"; flow:established,to_server; content:"cmd=getproxy&login="; http_uri; classtype:trojan-activity; sid:2014010; rev:1; metadata:created_at 2011_12_08, updated_at 2011_12_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Smokeloader getsock Command"; flow:established,to_server; content:"cmd=getsocks&login="; http_uri; classtype:trojan-activity; sid:2014011; rev:1; metadata:created_at 2011_12_08, updated_at 2011_12_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Smokeloader getload Command"; flow:established,to_server; content:"cmd=getload&login="; http_uri; reference:url,sophosnews.files.wordpress.com/2013/07/sophosszappanosplugxrevisitedintroducingsmoaler-rev1.pdf; reference:url,symantec.com/security_response/writeup.jsp?docid=2011-100515-1838-99&tabid=2; classtype:trojan-activity; sid:2014012; rev:1; metadata:created_at 2011_12_08, updated_at 2011_12_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus Checkin Header Pattern"; flow:established,to_server; content:"POST"; nocase; http_method; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|X-ID|3a 20|"; fast_pattern:23,6; pcre:"/^X-ID\x3a\x20\d+\r?$/Hm"; classtype:trojan-activity; sid:2014014; rev:8; metadata:created_at 2011_12_08, updated_at 2011_12_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gootkit Checkin User-Agent 2"; flow:established,to_server; content:"Gootkit ldr"; http_header; classtype:trojan-activity; sid:2014021; rev:1; metadata:created_at 2011_12_12, updated_at 2011_12_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gootkit Scanner User-Agent Outbound"; flow:established,to_server; content:"Gootkit auto-rooter scanner"; http_header; classtype:web-application-attack; sid:2014023; rev:1; metadata:created_at 2011_12_12, updated_at 2011_12_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Xtrat.A Checkin"; flow:established,to_server;  content:".functions HTTP/1."; fast_pattern; content:!"Referer|3a|"; distance:0; pcre:"/^[^\r\n]+\/\d+\.functions HTTP\/1\./"; content:!"Host|3a| microsoft.com|0d 0a|"; reference:url,threatexpert.com/report.aspx?md5=f45b1b82c849fbbea3374ae7e9200092; classtype:trojan-activity; sid:2016275; rev:14; metadata:created_at 2011_12_12, updated_at 2011_12_12;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Likely CryptMEN FakeAV Download vclean"; flow:established,from_server; content:"filename=|22|vclean"; nocase; http_header; content:".exe"; nocase; http_header; within:20; classtype:trojan-activity; sid:2014028; rev:2; metadata:created_at 2011_12_14, updated_at 2011_12_14;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Agent.UGP!tr/Cryptor/Graftor Dropper Requesting exe"; flow:established,to_server; content:"/yahoo.com"; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; http_header; classtype:trojan-activity; sid:2014029; rev:2; metadata:created_at 2011_12_14, updated_at 2011_12_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Vundo.OD Checkin"; flow:to_server,established; content:"/get.php?"; http_uri; content:"id="; http_uri; content:"key="; http_uri; content:"&os="; http_uri; content:"&av="; http_uri; content:"&vm="; http_uri; content:"&al="; http_uri; content:"&p="; http_uri; content:"&z="; http_uri; content:!"User-Agent|3a|"; http_header; pcre:"/\/get\.php\?(id|key)\x3d/Ui"; reference:url,www.threatexpert.com/report.aspx?md5=8840a0d9d7f4dba3953ccb68b17b2d6c; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FVundo.OD; classtype:trojan-activity; sid:2016424; rev:4; metadata:created_at 2011_12_16, updated_at 2011_12_16;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Win32.PowerPointer checkin"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"|0d 0a 0d 0a|<packet>"; content:"</packet>"; distance:0; classtype:trojan-activity; sid:2014040; rev:3; metadata:created_at 2011_12_28, updated_at 2011_12_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpyEye Checkin version 1.3.25 or later 2"; flow:established,to_server; content:"POST"; nocase; http_method; content:"data=6Prm67"; depth:11; http_client_body; classtype:trojan-activity; sid:2014044; rev:5; metadata:created_at 2011_12_28, updated_at 2011_12_28;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN Double HTTP/1.1 Header Inbound - Likely Hostile Traffic"; flow:established,to_server; content:" HTTP/1.1|20|HTTP/1.1|0d 0a|"; depth:300; classtype:bad-unknown; sid:2014047; rev:1; metadata:created_at 2011_12_30, updated_at 2011_12_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Hilgild!gen.A CnC Communication"; flow:established,to_server; content:"Y|00|M|00|S|00|G|00 2e 00 2e 00 2e 00 2e 00|"; depth:16; content:"|f6 f6 f6 f6 f6 f6 f6 f6 f6|"; dsize:1024; reference:md5,d8edad03f5524369e60c69a7483f8365; classtype:trojan-activity; sid:2014055; rev:1; metadata:created_at 2011_12_30, updated_at 2011_12_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.Eu5 Keepalive to CnC"; flow:established,to_server; content:"|13 cb df 56 6f f3 20 08 c2 f1 ab d3 6f 75 56 a9|"; offset:16; depth:16; dsize:48; reference:md5,d8edad03f5524369e60c69a7483f8365; classtype:trojan-activity; sid:2014056; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2011_12_30, malware_family PoisonIvy, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN PoisonIvy.Eu5 Keepalive from CnC"; flow:established,from_server; content:"|3a 62 26 fd 44 34 01 ed a1 ed 88 48 7e f4 6e ca 0d 81 aa 70 c7 da e0 1c fc f2 f1 d2 94 f6 d9 44 f6 c1 92 c4 4f d4 2d 53 a7 5f 59 fd f6 1e 9b 6f|"; depth:48; dsize:48; reference:md5,d8edad03f5524369e60c69a7483f8365; classtype:trojan-activity; sid:2014057; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2011_12_30, malware_family PoisonIvy, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Clicker.Win32.VB.gnf Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/channel/onSale.htm?"; nocase; http_uri; content:"pid="; nocase; http_uri; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanClicker%3AWin32%2FVB.GE; classtype:trojan-activity; sid:2014066; rev:3; metadata:created_at 2012_01_02, updated_at 2012_01_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan Downloader.Bancos Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/Lead3r_Ship.exe"; nocase; http_uri; metadata: former_category TROJAN; reference:url,symantec.com/security_response/writeup.jsp?docid=2006-061110-0512-99; classtype:trojan-activity; sid:2014070; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, tag Banking_Trojan, signature_severity Major, created_at 2012_01_02, malware_family Bancos, updated_at 2018_04_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TROJAN Win32.OnlineGames.Bft Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/urlrcv.php?"; nocase; http_uri; content:"mc="; nocase; http_uri; content:"sc="; nocase; http_uri; content:"uuid="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=e488fca95cb923a0ecd329642c076e0d; reference:url,www.thespywaredetector.com/spywareinfo.aspx?ID=1874131; classtype:trojan-activity; sid:2014084; rev:4; metadata:created_at 2012_01_02, updated_at 2012_01_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TROJAN Win32-WebSec Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/cb_soft.php?"; nocase; http_uri; content:"q="; nocase; http_uri; content:"tj="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=971e560b80e335ab88ef518b416d415a; classtype:trojan-activity; sid:2014085; rev:4; metadata:created_at 2012_01_02, updated_at 2012_01_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.A.FakeAV Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/404.php?"; nocase; http_uri; content:"type=stats"; nocase; http_uri; content:"affid="; nocase; http_uri; content:"subid="; nocase; http_uri; reference:url,securelist.com/en/descriptions/24405309/Trojan.Win32.FakeAV.dlbc; reference:md5,ac0ba9e186aee9cf9889d71158485715; classtype:trojan-activity; sid:2014083; rev:4; metadata:created_at 2012_01_02, updated_at 2012_01_02;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.Win32.Nurech Checkin UA"; flow:from_client,established; content:"User-Agent|3a| ipwf|0d 0a|"; http_header; classtype:trojan-activity; sid:2014093; rev:2; metadata:created_at 2012_01_03, updated_at 2012_01_03;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Exploit Kit Delivering Office File to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; file_data; content:"|d0 cf 11 e0 a1 b1 1a e1|"; distance:0; content:!".msi"; content:!".img"; content:!"This program cannot"; classtype:trojan-activity; sid:2014099; rev:2; metadata:created_at 2012_01_04, updated_at 2012_01_04;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Blackshades Payload Download Command"; flow:established,to_client; content:"x74|0C|64|0C|"; depth:7; content:"x49|0C|"; distance:64; classtype:trojan-activity; sid:2014101; rev:2; metadata:created_at 2012_01_04, updated_at 2012_01_04;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus Bot GET to Google checking Internet connectivity using proxy"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/webhp"; http_uri; fast_pattern:only; content:"Accept|3a| */*|0d 0a|Pragma|3a| no-cache|0d 0a|User-Agent|3a| "; depth:43; http_header;  content:"|0d 0a|Host|3a| "; distance:0; http_header; content:!"Referer|3a| "; http_header; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2014105; rev:5; metadata:created_at 2012_01_09, updated_at 2012_01_09;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus POST Request to CnC - cookie variation"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|20|HTTP/1."; content:"|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|en-us|0d 0a|Cookie|3a 20|cid="; distance:1; within:51; content:"User-Agent|3a 20|Mozilla"; distance:0; content:"Host|3a 20|"; distance:0; content:"Content-Length|3a 20|"; distance:0; content:!"0"; within:1; content:"Connection|3a| Keep-Alive|0d 0a|"; distance:0; content:"|3a| no-cache|0d 0a 0d 0a|"; distance:0; reference:url,zeustracker.abuse.ch/monitor.php?search=209.59.216.103; classtype:trojan-activity; sid:2014107; rev:2; metadata:created_at 2012_01_09, updated_at 2012_01_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.Eu6 Keepalive to CnC"; flow:established,to_server; content:"|29 a7 7b 28 9b c5 b8 b6 10 d7 d7 6b e1 3e 62 f1|"; offset:16; depth:16; dsize:48; classtype:trojan-activity; sid:2014108; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2012_01_09, malware_family PoisonIvy, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dooptroop CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:".php?num="; http_uri; fast_pattern; content:"&rev="; distance:0; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/[a-z]+\.php\?num=\d+&rev=/U"; reference:url,blog.eset.com/2012/03/17/drive-by-ftp-a-new-view-of-cve-2011-3544; classtype:trojan-activity; sid:2014112; rev:3; metadata:created_at 2012_01_10, updated_at 2017_01_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32-Dynamer.dtc Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/total_visitas.php"; http_uri; content:".php HTTP/1.1|0d 0a|Host|3a| "; content:!"User-Agent|3a| "; http_header; reference:url,microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3aWin32/Dynamer!dtc; reference:md5,989ba48e0a9e39b4b6fc5c6bf400c41b; classtype:trojan-activity; sid:2014113; rev:3; metadata:created_at 2012_01_11, updated_at 2012_01_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32/Likseput.A Checkin"; flow:to_server,established; content:"User-Agent|3a| 5|2e|"; http_header; content:"|5c|"; within:64; http_header; content:"Host|3a| "; http_header; distance:0; content:!"|0d 0a|"; distance:-6; within:2; http_header; pcre:"/User\-Agent\x3a\x205\.[0-2]\x20\d\d\x3a\d\d\x20/Hi"; reference:url,threatexpert.com/report.aspx?md5=4b6f5e62d7913fc1ab6c71b5b909ecbf; classtype:trojan-activity; sid:2016450; rev:2; metadata:created_at 2012_01_12, updated_at 2012_01_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf/Troxen/Zema Reporting 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?m="; http_uri; content:"&s="; http_uri; content:"&v="; http_uri; content:"User-Agent|3a| build"; http_header; pcre:"/\.php\?m=[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}&[vs]=/Ui"; reference:md5,3d18363a20882bd74ae7e0f68d3ed8ef; classtype:trojan-activity; sid:2014114; rev:3; metadata:created_at 2012_01_12, updated_at 2012_01_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf/Troxen/Zema Reporting 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?s="; http_uri; content:"&m="; http_uri; content:"User-Agent|3a| build"; http_header; pcre:"/\.php\?s=\d&m=[A-F0-9]{16}$/Ui"; reference:md5,3d18363a20882bd74ae7e0f68d3ed8ef; classtype:trojan-activity; sid:2014115; rev:2; metadata:created_at 2012_01_12, updated_at 2012_01_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent build - possibly Delf/Troxen/Zema"; flow:established,to_server; content:"User-Agent|3a| build"; http_header; pcre:"/User-Agent\x3a build\d/H"; reference:md5,3d18363a20882bd74ae7e0f68d3ed8ef; classtype:trojan-activity; sid:2014116; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2012_01_12, updated_at 2016_07_01;)

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET TROJAN Cythosia V2 DDoS WebPanel Hosted Locally"; flow:established,from_server; content:"|3C|title|3E|Cythosia|20|V2|20|Bot|20|Webpanel|20 2D 20|Login|3C 2F|title|3E|"; nocase; reference:url,blog.webroot.com/2012/01/09/a-peek-inside-the-cythosia-v2-ddos-bot/; classtype:successful-admin; sid:2014118; rev:2; metadata:created_at 2012_01_12, updated_at 2012_01_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Lici Initial Checkin"; flow:established,to_server; content:".php?email="; http_uri; content:"&lici="; http_uri; content:"&ver="; http_uri; content:"HTTP/1.0"; content:!"User-Agent|3A|"; http_header; reference:md5,2f4d35e797249e837159ff60b827c601; classtype:trojan-activity; sid:2014119; rev:3; metadata:created_at 2012_01_12, updated_at 2012_01_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Nuclear Checkin"; flow:established,to_server; content:".htm"; http_uri; content:"Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Win32)"; http_header; content:"HOST|3A 20|"; http_header; reference:md5,bd4af162f583899eeb6ce574863b4db6; classtype:trojan-activity; sid:2014121; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2012_01_12, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Jiwerks.A Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/update.aspx"; http_uri; content:"Accept-Language|3A 20|zh-cn"; http_header; content:"a="; fast_pattern; http_client_body; depth:2; content:"&v="; http_client_body; distance:0; reference:md5,0e47c711d9edee337575b6dbef850514; classtype:trojan-activity; sid:2014133; rev:4; metadata:created_at 2012_01_18, updated_at 2012_01_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus/Reveton checkin to /images.rar"; flow:established,to_server; content:"/images.rar"; fast_pattern; depth:11; http_uri; content:"User-Agent|3a 20|Internet Explorer"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/^Host\x3a (\d+\.){3}\d+$/Dm"; metadata: former_category TROJAN; reference:md5,2697e2b81ba1c90fcd32e24715fcf40a; classtype:trojan-activity; sid:2014135; rev:3; metadata:created_at 2012_01_18, updated_at 2018_02_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Query to Known CnC Domain msnsolution.nicaze.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"nicaze|03|net"; fast_pattern; distance:0; reference:md5,89332c92d0360095e2dda8385d400258; classtype:trojan-activity; sid:2014139; rev:4; metadata:created_at 2012_01_21, updated_at 2012_01_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Webprefix checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?email="; fast_pattern:only; http_uri; content:!"User-Agent|3a| "; http_header; content:!"Referer"; http_header; content:!"Accept-"; http_header; content:"|0d 0a 0d 0a|"; pcre:"/^Accept\x3a\x20\*\/\*\r\nConnection\x3a\x20close\r\nHost\x3a\x20[^\r\n\x2e]+\x2e[^\r\n\x2e]+(?:\x3a\d{1,5})?\r\n(?:\r\n)?$/H"; metadata: former_category TROJAN; reference:md5,8284c2202342102000ae9a04dd07bb76; classtype:trojan-activity; sid:2018481; rev:8; metadata:created_at 2012_01_23, updated_at 2017_11_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.Ehy Keepalive to CnC"; flow:established,to_server; content:"|19 07 1b 24 3b 7a 9d e7 77 1e 84 f6 0f 60 3e 27|"; offset:16; depth:16; dsize:48; reference:md5,d2311b7208d563ac59c9114f5d422441; classtype:trojan-activity; sid:2014145; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2012_01_23, malware_family PoisonIvy, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Win32/Spy.Banker Reporting Via SMTP"; flow:established,to_server; content:"|3A 3A 3A 3A 3A 28 20|Cliente"; content:"Sistem S/"; distance:0; content:"Versao S/"; distance:0; classtype:trojan-activity; sid:2014146; rev:1; metadata:created_at 2012_01_23, updated_at 2012_01_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious executable download possible Trojan NgrBot"; flow:established,to_server; content:"GET"; http_method; content:"/adobe-flash.exe"; http_uri; classtype:bad-unknown; sid:2014150; rev:2; metadata:created_at 2012_01_26, updated_at 2012_01_26;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Checkin to CnC"; flow:to_server,established; content:"user_id="; depth:8; http_client_body; content:"&version_id="; http_client_body; content:"&socks="; fast_pattern; http_client_body; content:"&build="; http_client_body; classtype:trojan-activity; sid:2014152; rev:2; metadata:created_at 2012_01_26, updated_at 2012_01_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bifrose/Cycbot Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a| chrome/9.0"; http_header;  pcre:"/\x2E(?:p(?:hp|ng)|jpe?g|cgi|gif)\x3F(?:v\d{1,2}|pr)\x3D/U"; reference:md5,8c4f90bb59c05269c6c6990ec434eab6; classtype:trojan-activity; sid:2014163; rev:5; metadata:created_at 2012_01_27, updated_at 2012_01_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/DelfInject.A CnC Checkin 2"; flow:established,to_server; content:"/gate.php?username="; http_uri; content:"&country="; http_uri; content:"&OS="; http_uri; reference:md5,d8c2f31493692895c45d620723e9a8c3; classtype:trojan-activity; sid:2014164; rev:1; metadata:created_at 2012_01_27, updated_at 2012_01_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent MyAgrent"; flow:established,to_server; content:"User-Agent|3A 20|MyAgrent"; http_header; reference:md5,75c2f3168eca26e10bd5b2f3f0e2a8c5; classtype:trojan-activity; sid:2014165; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2012_01_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/Mentory CnC Server Providing Update Details"; flow:established,to_client; file_data; content:"[UPDATE]|0D 0A|VER ="; within:15; content:"URL ="; distance:0; content:"[PATTERN]|0D 0A|VER ="; distance:0; content:"URL ="; distance:0; reference:md5,6724bb601611dcc0140960c59c7b3393; classtype:trojan-activity; sid:2014166; rev:1; metadata:created_at 2012_01_27, updated_at 2012_01_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/Mentory CnC Server Providing File Info Details"; flow:established,to_client; file_data; content:"[DBINFO]|0D 0A|Info ="; within:16; content:"Version ="; distance:0; content:"[TotalCount]|0D 0A|Count ="; distance:0; content:"[GaruYac"; distance:0; reference:md5,6724bb601611dcc0140960c59c7b3393; classtype:trojan-activity; sid:2014167; rev:1; metadata:created_at 2012_01_27, updated_at 2012_01_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TROJAN ClickCounter Connectivity Check"; flow:established,to_server; content:" clickme=1|0d 0a|"; http_header; content:"clickme=1"; http_cookie; classtype:trojan-activity; sid:2014172; rev:2; metadata:created_at 2012_01_31, updated_at 2012_01_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Cryptrun.B Connectivity check"; flow:from_client,established; content:"GET"; http_method; content:"/search?qu="; fast_pattern; http_uri; content:"User-Agent|3a| Firefox/2.0.0.2|0D 0A|"; http_header; content:"Host|3a| www.google.com|0D 0A|"; http_header; distance:0; content:"Content-Length|3a| 4|0D 0A|"; http_header; reference:url,blog.9bplus.com/kim-jong-il-pdf-malware; classtype:trojan-activity; sid:2014173; rev:2; metadata:created_at 2012_01_31, updated_at 2012_01_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Cryptrun.B/MSUpdater C&C traffic 1"; flow:from_client,established; content:"/search"; http_uri; content:"?h1="; fast_pattern; http_uri; content:"&h2="; distance:0; http_uri; content:"&h3="; distance:0; http_uri; content:"User-Agent|3a| Mozilla/5.0 (compatible|3B|"; http_header; reference:url,blog.9bplus.com/kim-jong-il-pdf-malware; reference:url,www.seculert.com/reports/MSUpdaterTrojanWhitepaper.pdf; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:trojan-activity; sid:2014174; rev:4; metadata:created_at 2012_01_31, updated_at 2012_01_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.MSUpdater C&C traffic GET"; flow:from_client,established; content:".aspx?ID="; http_uri; content:"para1="; distance:0; http_uri; content:"para2="; distance:0; http_uri; content:"para3="; distance:0; http_uri; reference:url,www.seculert.com/reports/MSUpdaterTrojanWhitepaper.pdf; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:trojan-activity; sid:2014175; rev:1; metadata:created_at 2012_01_31, updated_at 2012_01_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/118GotYourNo Reporting to CnC"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/count"; http_uri; content:"appTitle="; http_client_body; content:"&strLink="; distance:0; http_client_body; content:"&proFirstTime="; distance:0; http_client_body; content:"&proLastTime="; distance:0; http_client_body; content:"&appName="; distance:0; http_client_body; content:"&KillList="; distance:0; http_client_body; classtype:trojan-activity; sid:2014191; rev:3; metadata:created_at 2012_02_06, updated_at 2012_02_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/VPEYE Trojan Downloader User-Agent (VP-EYE Downloader)"; flow:established,to_server; content:"User-Agent|3A 20|VP-EYE Downloader"; http_header; classtype:trojan-activity; sid:2014193; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2012_02_06, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dapato/Cleaman Checkin"; flow:established,to_server; content:".php?rnd="; http_uri; fast_pattern; content:"GET"; http_method; pcre:"/\?rnd=\d{5,7}\x20HTTP1\/1\.[01]\x0d\x0aHost\x3a\x20/"; content:!"User-Agent|3a|"; http_header; content:!"Accept|3a|"; http_header; reference:md5,45b3b6fcb666c93e305dba35832e1d42; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FCleaman.G; classtype:trojan-activity; sid:2014200; rev:4; metadata:created_at 2012_02_07, updated_at 2012_02_07;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TLD4 Purple Haze Variant Initial CnC Request for Ad Servers"; flow:established,to_server; content:"trf?q="; http_uri; content:"&edv="; http_uri; content:"&o="; http_uri; content:"&kp="; http_uri; content:"&tk="; http_uri; content:"&fk="; http_uri; content:"&ks="; http_uri; reference:url,contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html; classtype:trojan-activity; sid:2014208; rev:1; metadata:created_at 2012_02_07, updated_at 2012_02_07;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Sykipot SSL Certificate serial number detected"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|00 ec 32 09 67 c9 34 3f 50|"; within:30; reference:url,labs.alienvault.com/labs/index.php/2011/are-the-sykipots-authors-obsessed-with-next-generation-us-drones/; classtype:trojan-activity; sid:2014209; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2012_02_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Sykipot SSL Certificate subject emailAddress detected"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"marry.smith@ltu.edu"; within:400; reference:url,labs.alienvault.com/labs/index.php/2011/are-the-sykipots-authors-obsessed-with-next-generation-us-drones/; classtype:trojan-activity; sid:2014210; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2012_02_07, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MSUpdater alt checkin to CnC"; flow:established,to_server; content:"/microsoft/errorpost/default/connect.aspx?ID="; http_uri; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:trojan-activity; sid:2014211; rev:1; metadata:created_at 2012_02_07, updated_at 2012_02_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MSUpdater POST checkin to CnC"; flow:established,to_server; content:"/microsoft/errorpost/default.aspx?ID="; http_uri; content:"POST"; nocase; http_method; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:trojan-activity; sid:2014212; rev:2; metadata:created_at 2012_02_07, updated_at 2012_02_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MSUpdater Connectivity Check to Google"; flow:established,to_server; content:"/search?qu="; http_uri; content:"User-Agent|3a 20|Firefox/2.0.0.2"; http_header; content:"news"; http_client_body; depth:4; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:trojan-activity; sid:2014213; rev:1; metadata:created_at 2012_02_07, updated_at 2012_02_07;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Delf/Troxen/Zema controller responding to client"; flow:established,to_client; file_data; content:"wait.<os>"; within:9; classtype:trojan-activity; sid:2014216; rev:1; metadata:created_at 2012_02_07, updated_at 2012_02_07;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Delf/Troxen/Zema controller delivering clickfraud instructions"; flow:established,to_client; file_data; content:"<md5>"; within:5; content:"</md5><url>"; distance:16; within:11; classtype:trojan-activity; sid:2014217; rev:1; metadata:created_at 2012_02_07, updated_at 2012_02_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus POST Request to CnC sk1 and bn1 post parameters"; flow:established,to_server; content:"POST"; nocase; http_method; content:"bn1="; depth:4; http_client_body; fast_pattern; content:"&sk1="; http_client_body; pcre:"/&sk1=[A-F0-9]{30}/P"; classtype:trojan-activity; sid:2014218; rev:4; metadata:created_at 2012_02_10, updated_at 2012_02_10;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TSPY_SPCESEND.A Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/log.php"; http_uri; content:"id="; depth:3; http_client_body; content:"&link="; http_client_body; content:"&password="; http_client_body; content:"&debug="; http_client_body; content:!"User-Agent|3a 20|"; http_header; reference:url,blog.trendmicro.com/malware-uses-sendspace-to-store-stolen-documents/; classtype:trojan-activity; sid:2014219; rev:2; metadata:created_at 2012_02_10, updated_at 2012_02_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Graybird Checkin"; flow:to_server,established; content:"/count.asp?mac="; http_uri; content:"&os="; http_uri; content:"&av="; http_uri; content:"User-Agent|3a| Post|0d 0a|"; http_header; reference:md5,0fd68129ecbf68ad1290a41429ee3e73; reference:md5,11353f5bdbccdd59d241644701e858e6; classtype:trojan-activity; sid:2014365; rev:2; metadata:created_at 2012_02_11, updated_at 2012_02_11;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET TROJAN QDIGIT Trojan Protocol detected"; flow:to_server,established; content:"|51 31 39 21 00|"; depth:5; dsize:5; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014222; rev:2; metadata:created_at 2012_02_14, updated_at 2012_02_14;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN UPDATE Protocol Trojan Communication detected on http ports"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/update?product=windows"; http_uri; content:"X-Status|3A|"; http_header; content:"X-Size|3A|"; http_header; content:"X-Sn|3A|"; http_header; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 |28|compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b|SV1|3b 0d 0a|"; http_header; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014223; rev:3; metadata:created_at 2012_02_14, updated_at 2012_02_14;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET TROJAN UPDATE Protocol Trojan Communication detected on non-http ports"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/update?product=windows"; http_uri; content:"X-Status|3A|"; http_header; content:"X-Size|3A|"; http_header; content:"X-Sn|3A|"; http_header; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 |28|compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b|SV1|3b 0d 0a|"; http_header; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014224; rev:4; metadata:created_at 2012_02_14, updated_at 2012_02_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET TROJAN LURK Trojan Communication Protocol detected"; flow:established,to_server; content:"LURK|30|"; depth:5; content:"|78 9c|"; distance:8; metadata: former_category TROJAN; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014225; rev:3; metadata:created_at 2012_02_14, updated_at 2017_08_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN IP2B Trojan Communication Protocol detected"; flow:established,to_server; content:"|78 56 34 12 00 10 00 10|"; depth:8; content:"|00 18 09 07 20|"; distance:4; within:5; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014226; rev:2; metadata:created_at 2012_02_14, updated_at 2012_02_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BB Trojan Communication Protocol detected"; flow:established,to_server; content:"|01 00 00 00|"; offset:4; depth:4; content:"|01 04 01 00 00|"; distance:8; within:5; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014227; rev:2; metadata:created_at 2012_02_14, updated_at 2012_02_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor Win32.Idicaf/Atraps"; flow:to_server,established; dsize:780; content:"|00 00 00 00 00 00 00 00|"; depth:8; content:"|00 00 00 00|"; distance:4; within:4; content:"|00 9C 00 00 00|"; distance:31; within:5; fast_pattern; content:"|00 00 00|"; distance:1; within:3; content:"|00 00 00|"; distance:1; within:3; content:"|00 00|"; distance:2; within:2; content:"|00|"; distance:172; within:1; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014228; rev:7; metadata:created_at 2012_02_14, updated_at 2012_02_14;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN NfLog Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/Nfile.asp"; fast_pattern:only; http_uri; content:"Content-Length|3a| 7|0d 0a|"; http_header; content:"GetFile"; depth:7; http_client_body; reference:url,contagiodump.blogspot.com/2012/02/feb-9-cve-2011-1980-msoffice-dll.html; classtype:trojan-activity; sid:2014229; rev:2; metadata:created_at 2012_02_16, updated_at 2012_02_16;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Karagany/Kazy Obfuscated Payload Download"; flow:established,to_client; content:"Content-Disposition|3a| "; http_header; content:"windows-update-";  fast_pattern; http_header; distance:0; content:".exe"; distance:0; http_header; file_data; content:!"MZ"; within:2; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FKaragany.I; reference:url,www.virustotal.com/file/6c7ae03b8b660826f0c58bbec4208bf03e704201131b3b5c5709e5837bfdd218/analysis/1334672726/; classtype:trojan-activity; sid:2014230; rev:4; metadata:created_at 2012_02_16, updated_at 2012_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET TROJAN UPDATE Protocol Trojan Communication detected on non-http ports 2"; flow:to_server,established; content:"POST "; nocase; depth:5; content:"/update?id="; distance:0; content:"X-Status|3A|"; offset:16; content:"X-Size|3A|"; offset:16; content:"X-Sn|3A|"; fast_pattern; offset:16; content:"User-Agent|3a| Mozilla/4.0 |28|compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b|SV1|3b 0d 0a|"; offset:16; classtype:trojan-activity; sid:2014231; rev:5; metadata:created_at 2012_02_16, updated_at 2012_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN UPDATE Protocol Trojan Communication detected on http ports 2"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/update?id="; http_uri; content:"X-Status|3A|"; http_header; content:"X-Size|3A|"; http_header; content:"X-Sn|3A|"; http_header; fast_pattern; classtype:trojan-activity; sid:2014232; rev:4; metadata:created_at 2012_02_16, updated_at 2012_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fareit/Pony Downloader Checkin 3"; flow:established,to_server; content:"GET"; nocase; http_method; content:"|20|HTTP/1.0|0d 0a|Host|3a 20|"; content:"Accept|3a 20|*/*|0d 0a|"; http_header; content:"Connection|3a| close|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 5.0"; http_header; content:"|3b| Windows 98)"; within:13; fast_pattern; http_header; flowbits:set,ET.Fareit.chk; reference:md5,dcc2c110e509fa777ab1460f665bd137; reference:url,www.threatexpert.com/report.aspx?md5=9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:url,www.threatexpert.com/report.aspx?md5=d50c39753ba88daa00bc40848f174168; reference:url,www.threatexpert.com/report.aspx?md5=bf422f3aa215d896f55bbe2ebcd25d17; classtype:trojan-activity; sid:2014234; rev:9; metadata:created_at 2012_02_17, updated_at 2012_02_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN W32.Duptwux/Ganelp FTP Username - onthelinux"; flow:established,to_server; content:"USER onthelinux"; depth:15; classtype:trojan-activity; sid:2014239; rev:1; metadata:created_at 2012_02_18, updated_at 2012_02_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sefnit Checkin 4"; flow:established,to_server; content:"?aid="; http_uri; content:"&url="; http_uri; pcre:"/\?aid=\d{9}&url=[\w\.\-]{23}$/Ui"; classtype:trojan-activity; sid:2014247; rev:1; metadata:created_at 2012_02_20, updated_at 2012_02_20;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sefnit Checkin 5"; flow:established,to_server; content:"?subid="; http_uri; content:"&u="; distance:0; http_uri; pcre:"/\?subid=\d{9}&u=[\w\.\-]{23}$/Ui"; classtype:trojan-activity; sid:2014248; rev:1; metadata:created_at 2012_02_20, updated_at 2012_02_20;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Pasta.IK Checkin"; flow:established,to_server; content:"/data/index.asp?act="; http_uri; content:"&ver=Ver"; http_uri; content:"&a="; http_uri; reference:md5,1a13d56365e864aba54967d4745ab660; classtype:trojan-activity; sid:2014263; rev:1; metadata:created_at 2012_02_21, updated_at 2012_02_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.NfLog Checkin (TTip)"; flow:to_server,established; content:"/NfStart.asp?ClientId="; http_uri; nocase; reference:url,contagiodump.blogspot.com/2012/02/feb-9-cve-2011-1980-msoffice-dll.html; classtype:trojan-activity; sid:2014266; rev:3; metadata:created_at 2012_02_21, updated_at 2012_02_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Query for Known Hostile *test.3322.org.cn Domain"; content:"|01 00 00 01 00 00 00 00 00|"; depth:9; offset:2; content:"test|04|3322|03|org|02|cn"; fast_pattern; nocase; distance:0; reference:url,www.sans.org/reading_room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware_33814; reference:md5,e4afcee06ddaf093982f80dafbf9c447; classtype:trojan-activity; sid:2014267; rev:1; metadata:created_at 2012_02_21, updated_at 2012_02_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.RShot Checkin"; flow:established,to_server; content:"connected#"; depth:10; content:"#Windows "; content:"##"; distance:0; dsize:<120; reference:md5,c0aadd5594d340d8a4909d172017e5d0; classtype:trojan-activity; sid:2014268; rev:1; metadata:created_at 2012_02_21, updated_at 2012_02_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.RShot HTTP Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|3B| name=|22|bot_id|22 0D 0A 0D 0A|"; fast_pattern; content:" name=|22|os_version|22 0D 0A 0D 0A|"; reference:md5,c0aadd5594d340d8a4909d172017e5d0; classtype:trojan-activity; sid:2014269; rev:2; metadata:created_at 2012_02_21, updated_at 2012_02_21;)

alert icmp $HOME_NET any -> any any (msg:"ET TROJAN Backdoor.Win32.RShot Ping Outbound"; icode:0; itype:8; icmp_id:512; dsize:32; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; reference:md5,34477e29f7408966d2703f3471741618; reference:md5,adf4c3a16f5f6d4baa634b2c50bf7454; classtype:trojan-activity; sid:2014270; rev:3; metadata:created_at 2012_02_21, updated_at 2012_02_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Cutwail.BE Checkin 1"; flow:established,from_client; dsize:234; content:"|16 03 00 00 37 01 00 00 33 03 00|"; depth:11; threshold: type limit, track by_src, seconds 60, count 1; reference:md5,4352407efc8891215b514a54db5b8a1d; reference:md5,45ab3554f3d60d07fc5228faff7784e1; classtype:trojan-activity; sid:2014271; rev:3; metadata:created_at 2012_02_21, updated_at 2012_02_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Cutwail.BE Checkin 2"; flow:established,from_client; dsize:32; content:"|00 00 00 00 FF FF FF FF 3F 57|"; depth:10; content:"|FE FF FF FF FF FF FF FF FF FF FF|"; distance:3; within:11; threshold: type limit, track by_src, seconds 60, count 1; reference:md5,c6d256edcc8879717539f348706061f2; reference:md5,8f17e2a9e7c6cbec772ae56dfffb13cb; classtype:trojan-activity; sid:2014272; rev:3; metadata:created_at 2012_02_21, updated_at 2012_02_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Rogue.Win32/Winwebsec Install"; flow:to_server,established; content:"/api/stats/install/?affid="; content:"&ver=30"; http_uri; content:"&group="; http_uri; reference:md5,5310a7d855a14c93b12a36869cd252ec; classtype:trojan-activity; sid:2015653; rev:5; metadata:created_at 2012_02_24, updated_at 2012_02_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Rovnix Activity"; flow:established,to_server; content:".php?version="; http_uri; fast_pattern:only; content:"&user="; http_uri; content:"&server="; http_uri; content:"&crc="; http_uri; pcre:"/user=[a-f0-9]{31,32}&/Ui"; content:!"Referer|3a 20|"; http_header; reference:url,blog.eset.com/2012/02/22/rovnix-reloaded-new-step-of-evolution; classtype:trojan-activity; sid:2014275; rev:6; metadata:created_at 2012_02_24, updated_at 2012_02_24;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Rovnix Downloading Config File From CnC"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/config.php?"; http_uri; content:"user="; http_uri; content:"version="; http_uri; content:"&server="; http_uri; content:"&crc="; http_uri; pcre:"/user=[a-f0-9]{32}&/Ui"; reference:url,blog.eset.com/2012/02/22/rovnix-reloaded-new-step-of-evolution; classtype:trojan-activity; sid:2014276; rev:3; metadata:created_at 2012_02_24, updated_at 2012_02_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trustezeb Checkin to CnC"; flow:established,to_server; content:".php?id="; http_uri; content:"&stat="; fast_pattern; distance:0; http_uri; pcre:"/id=[A-F0-9]{20}/U"; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 6.0b|3b 20|Windows NT 5.0|3b 20|.NET CLR 1.0.2914)"; http_header; reference:url,www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=417; classtype:trojan-activity; sid:2014283; rev:2; metadata:created_at 2012_02_24, updated_at 2012_02_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Java Archive sent when remote host claims to send an image"; flow:established,from_server; content:"Content-Type|3a| image"; nocase; http_header; content:"|0d 0a 0d 0a|PK"; fast_pattern; content:"META-INF/MANIFEST"; distance:0; classtype:trojan-activity; sid:2014288; rev:1; metadata:created_at 2012_02_27, updated_at 2012_02_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Infostealer.Banprox Proxy.pac Download"; flow:from_server,established; content:"FindProxyForURL"; fast_pattern; distance:0; content:"|22|PROXY"; distance:0; pcre:"/(?:www\.(?:(?:b(?:an(?:co(?:dobrasil|hsbc)|espa)|radesco(?:prime)?|b)|hsbc(?:pr(?:ivatebank|emier)|ba(?:merindus|nk))?|s(?:antander(?:banespa|net)?|erasa(?:experian)?)|uolhost)\.com\.br|c(?:(?:aixa(?:(?:economica(?:federal)?|qui)\.gov|\.(?:com|gov))|onsultasintegradas\.rs\.gov|ef\.(?:com|gov))\.br|redicard\.com(?:\.br)?)|itau(?:p(?:ersonnalite|rivatebank)|uniclass)?\.com\.br,|ame(?:ricanexpress\.com(?:\.br)?|x\.com\.br))|(?:(?:b(?:an(?:co(?:dobrasil|hsbc)|risul)|radesco(?:prime)?|b)|hsbc(?:pr(?:ivatebank|emier)|ba(?:merindus|nk))?|s(?:erasa(?:experian)?|antander)|uolhost)\.com|c(?:aixa(?:(?:economica(?:federal)?|qui)\.gov|\.(?:com|gov))|onsultasintegradas\.rs\.gov|ef\.(?:com|gov)|redicard\.com))\.br|itau(?:(?:p(?:ersonnalite|rivatebank)|uniclass)\.com\.br|\.com\.br,)|ame(?:ricanexpress.com(?:\.br)?|x\.com\.br)|\*(?:linhadefensiva*|hsbc*))/"; reference:md5,3baae632d2476cbd3646c5e1b245d9be; reference:md5,ace343a70fbd26e79358db4c27de73db; classtype:trojan-activity; sid:2014435; rev:13; metadata:created_at 2012_02_28, updated_at 2012_02_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.PEx.942728546 Checkin"; flow:established,to_server; content:".com.exe"; http_uri; fast_pattern; content:"User-Agent|3a| GetRight/"; http_header; reference:md5,25e9e3652e567e70fba00c53738bdf74; reference:url,threatcenter.crdf.fr/?More&ID=74977&D=CRDF.Backdoor.Win32.PEx.942728546; classtype:trojan-activity; sid:2014290; rev:1; metadata:created_at 2012_02_29, updated_at 2012_02_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Smart Fortress FakeAV/Kryptik.ABNC Checkin"; flow:established,to_server; content:"/?&affid="; http_uri; fast_pattern; content:"Accept|3a| *//*|0d 0a|"; http_header; reference:md5,fa20c17e5f58e7419b4f0eed318fa95a; reference:url,support.kaspersky.com/viruses/rogue/description?qid=208286259; classtype:trojan-activity; sid:2014293; rev:3; metadata:created_at 2012_02_29, updated_at 2012_02_29;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cridex.B/Feodo Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/in"; offset:11; depth:3; http_uri; content:".ru"; http_header; pcre:"/\/\w{3}\/\w\d_\w\w\w\/in\/?$/Ui"; pcre:"/Host\x3a\s[a-z]{15,19}\.ru(\x3a8080)?/Hm"; reference:md5,7ed139b53e24e4385c4c59cd2aa0e5f7; reference:url,labs.m86security.com/2012/03/the-cridex-trojan-targets-137-financial-organizations-in-one-go/; reference:url,blog.fireeye.com/research/2010/10/feodosoff-a-new-botnet-on-the-rise.html; reference:url,about-threats.trendmicro.com/Malware.aspx?language=us&name=WORM_CRIDEX.IC; classtype:trojan-activity; sid:2014405; rev:14; metadata:created_at 2012_02_29, updated_at 2012_02_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FlashBack Mac OSX malware Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/aaupdate/"; fast_pattern; http_uri; content:"User-Agent|3a| "; http_header; content:!"Mozilla"; within:7; http_header; content:!"|0d 0a|"; within:124; http_header; reference:url,blog.intego.com/flashback-mac-trojan-horse-infections-increasing-with-new-variant/; classtype:trojan-activity; sid:2014596; rev:4; metadata:created_at 2012_02_29, updated_at 2012_02_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Yakes.pwo Checkin"; flow:to_server,established; content:"/stat.php?w="; http_uri; content:"&i="; http_uri; content:"&a="; http_uri; content:"User-Agent|3A| Opera/6"; http_header; content:"|3B| LangID="; http_header; reference:md5,d40927e8c4b59a1c2af4f981ef295321; classtype:trojan-activity; sid:2014604; rev:2; metadata:created_at 2012_03_01, updated_at 2012_03_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Spy.Win32.Agent.byhm User-Agent (EMSCBVDFRT)"; flow:to_server,established; content:"User-Agent|3a| EMSCBVDFRT|0d 0a|"; http_header;  classtype:trojan-activity; sid:2016907; rev:3; metadata:created_at 2012_03_02, updated_at 2012_03_02;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Kryptik.ABUD Checkin"; flow:established,to_server; content:"/imagedump/image.php?size="; http_uri; content:"&thumbnail="; http_uri; reference:md5,00b714468f1bc2254559dd8fd84186f1; classtype:trojan-activity; sid:2014300; rev:2; metadata:created_at 2012_03_02, updated_at 2012_03_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious HTTP Referer C Drive Path"; flow:established,to_server; content:"Referer|3A 20|res|3A 2F 2F|c|3A 5C|"; nocase; http_header; reference:md5,8ef81f2555725f7eeae00b3e31229e0e; classtype:trojan-activity; sid:2014302; rev:2; metadata:created_at 2012_03_05, updated_at 2012_03_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Koobface Variant Checkin Attempt"; flow:established,to_server; content:"/ping.php"; http_uri; content:" WinHttp.WinHttpRequest.5|29 0d 0a|"; http_header; reference:md5,62aa9e798746e586fb1f03459a970104; classtype:trojan-activity; sid:2014303; rev:1; metadata:created_at 2012_03_05, updated_at 2012_03_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/TCYWin.Downloader User-Agent"; flow:established,to_server; content:"User-Agent|3A 20|TCYWinHTTPDownload"; http_header; reference:md5,4cfe5674d9f33804572ae0d14f0c941b; classtype:trojan-activity; sid:2014305; rev:1; metadata:created_at 2012_03_05, updated_at 2012_03_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Backdoor.BlackMonay Checkin"; flow:established,to_server; content:".Php?UserName="; nocase; http_uri; content:"&Bank="; nocase; http_uri; content:"&Money="; nocase; http_uri; content:"Accept-Language|3A 20|zh-cn"; http_header; reference:md5,4a203e37caa2e04671388341419bda69; classtype:trojan-activity; sid:2014306; rev:2; metadata:created_at 2012_03_05, updated_at 2012_03_05;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/SelfStarterInternet.InfoStealer Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/login.aspx?ReturnUrl=/card/Pay_query.aspx"; http_uri; content:"VIEWSTATE="; nocase; http_client_body; content:"EVENTVALIDATION="; nocase; distance:0; http_client_body; content:"&txtUser="; nocase; distance:0; http_client_body; content:"&txtPwd="; nocase; distance:0; http_client_body; content:"&btnEnter="; nocase; distance:0; http_client_body; reference:md5,67c748f3ecc0278f1f94596f86edc509; classtype:trojan-activity; sid:2014307; rev:3; metadata:created_at 2012_03_05, updated_at 2012_03_05;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/LockScreen Scareware Geolocation Request"; flow:established,to_server; content:"/loc/gate.php?getpic=getpic"; http_uri; reference:url,www.abuse.ch/?p=3610; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_police_trojan.pdf; classtype:trojan-activity; sid:2014309; rev:2; metadata:created_at 2012_03_05, updated_at 2012_03_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN RegSubsDat Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"0000/log"; http_uri; fast_pattern:only;  pcre:"/\/\d\d[A-F0-9]{4}0000\/log$/U"; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; http_header; reference:url,www.secureworks.com/research/threats/sindigoo/; classtype:trojan-activity; sid:2014310; rev:7; metadata:created_at 2012_03_05, updated_at 2012_03_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN RegSubsDat Checkin Off Ports"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"0000/log"; fast_pattern;  pcre:"/\/\d\d[A-F0-9]{4}0000\/log /"; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; reference:url,www.secureworks.com/research/threats/sindigoo/; classtype:trojan-activity; sid:2014311; rev:4; metadata:created_at 2012_03_05, updated_at 2012_03_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/NSIS.TrojanDownloader Second Stage Download Instructions from Server"; flow:established,to_client; file_data; content:"|3B 20|Ini download file modue"; nocase; distance:0; content:"DownUrl="; nocase; distance:0; content:"FileName="; nocase; distance:0; content:"SaveType="; nocase; distance:0; pcre:"/FileName\x3D[^\r\n]*\x2E(dll|exe)/i"; reference:md5,3ce5da32903b52394cff2517df51f599; classtype:trojan-activity; sid:2014312; rev:1; metadata:created_at 2012_03_05, updated_at 2012_03_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN ZeuS Clickfraud List Delivered To Client"; flow:established,from_server; file_data; content:"<xml>"; within:5; content:"<time>"; distance:0; content:"<doc>"; distance:0; content:"<url>http|3a|//"; distance:0; content:"<ref>"; distance:0; content:"<n>"; distance:0; classtype:trojan-activity; sid:2014317; rev:1; metadata:created_at 2012_03_05, updated_at 2012_03_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Kelihos/Hlux GET jucheck.exe from CnC"; flow:established,to_server; content:"/jucheck.exe"; http_uri; content:"HTTP/1.0"; content:!"User-Agent|3A|"; http_header; content:!"Accept"; http_header; reference:url,www.abuse.ch/?p=3658; classtype:trojan-activity; sid:2014330; rev:2; metadata:created_at 2012_03_06, updated_at 2012_03_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Genome.aetqe Checkin"; flow:established,to_server; content:"/stats/counterz.php?id="; http_uri; content:"&stat="; http_uri; reference:md5,700b7a81d1460a652e5f9f06fc54dcd6; classtype:trojan-activity; sid:2014331; rev:2; metadata:created_at 2012_03_07, updated_at 2012_03_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Yayih.A Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/bbs/info.asp"; http_uri; fast_pattern; content:!"User-Agent|3a| "; http_header; reference:url,contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html; classtype:trojan-activity; sid:2014336; rev:2; metadata:created_at 2012_03_08, updated_at 2012_03_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN SMTP Subject Line Contains C Path and EXE Possible Trojan Reporting Execution Path/Binary Name"; flow:established,to_server; content:"Subject|3A 20|"; content:"C|3A 5C|"; nocase; fast_pattern; within:100; content:".exe"; within:40; pcre:"/Subject\x3A\x20[^\r\n]*C\x3A\x5C[^\r\n]*\x2Eexe/i"; reference:md5,24e937b9f3fd6a04dde46a2bc75d4b18; classtype:bad-unknown; sid:2014343; rev:2; metadata:created_at 2012_03_08, updated_at 2012_03_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Coced.PasswordStealer User-Agent 5.0"; flow:established,to_server; content:"User-Agent|3A 20|5.0|0D 0A|"; http_header; reference:md5,24e937b9f3fd6a04dde46a2bc75d4b18; classtype:trojan-activity; sid:2014344; rev:1; metadata:created_at 2012_03_08, updated_at 2012_03_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Peed Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"|20|HTTP/1.1|0d 0a|Host|3a 20|"; content:"Content-Type|3a| application/x-www-form-urlencoded|3b 20|charset=UTF-8|0d 0a|Connection|3a| close|0d 0a 0d 0a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"aa1020R0=";  depth:9;  fast_pattern; http_client_body; content:"%3D%0D%0A"; offset:109; http_client_body; reference:md5,142ff7d3d931ecfa9a06229842ceefc4; reference:md5,df690cbf6e33e9ee53fdcfc456dc4c1f; classtype:trojan-activity; sid:2014347; rev:4; metadata:created_at 2012_03_08, updated_at 2012_03_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN RevProxy ClientHello"; flow:established,to_server; dsize:13; content:"|04 00 00 01 05 00 00 00 00 07 00 01 00|"; reference:md5,7bf026c71d4ca6cdc7b6e543f9a5bb64; classtype:trojan-activity; sid:2014348; rev:3; metadata:created_at 2012_03_09, updated_at 2012_03_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN W32/SCKeyLog.InfoStealer Installation Confirmation Via SMTP"; flow:established,to_server; content:"Subject|3A 20|Installation of SC-KeyLog on host"; nocase; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=910563; reference:md5,cc439073eeb244e6bcecee8b6774b672; classtype:trojan-activity; sid:2014354; rev:2; metadata:created_at 2012_03_09, updated_at 2012_03_09;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/ProxyChanger.InfoStealer Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/abc.php"; http_uri; fast_pattern; content:"User-Agent|3A 20|Mozilla/3.0|20 28|compatible|3B 20|Indy Library|29|"; http_header; content:"ABC="; http_client_body; depth:4; content:"&XRE="; within:30; http_client_body; reference:md5,67c9799940dce6b9af2e6f98f52afdf7; classtype:trojan-activity; sid:2014356; rev:3; metadata:created_at 2012_03_09, updated_at 2012_03_09;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Kazy Checkin"; flow:established,to_server; content:"/guidcheck.php?q="; http_uri; content:"&g="; http_uri; content:"&n="; http_uri; content:"&h="; http_uri; content:!"User-Agent|3A|"; nocase; http_header; reference:md5,bb129d433271951abb0e5262060a4583; classtype:trojan-activity; sid:2014357; rev:3; metadata:created_at 2012_03_09, updated_at 2012_03_09;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.Riern.K Checkin Off Port"; flow:established,from_client; content:"|01|new_host_"; depth:10; fast_pattern; content:"|ff ff ff ff ff 00 00 00 00 00 00 00 00|"; distance:0; classtype:trojan-activity; sid:2014358; rev:2; metadata:created_at 2012_03_09, updated_at 2012_03_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] (msg:"ET TROJAN Win32/Protux.B POST checkin"; flow:from_client,established; content:"POST"; nocase; http_method; content:"Mozilla/4.8.20 (compatible|3B| MSIE 5.0.2|3B| Win32)|0D 0A|Host|3a| "; http_header; reference:md5,53105ecf3cf6040039e16abb382fb836; classtype:trojan-activity; sid:2014360; rev:3; metadata:created_at 2012_03_09, updated_at 2012_03_09;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] (msg:"ET TROJAN Win32/Protux.B Download Update"; flow:from_client,established; content:"Mozilla/4.2.20 (compatible|3B| MSIE 5.0.2|3B| Win32|29 0D 0A|"; http_header; reference:md5,0cab2e1959a2c9eaa3aed1f2e556bf17; classtype:trojan-activity; sid:2014361; rev:4; metadata:created_at 2012_03_09, updated_at 2012_03_09;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN Lookup of Algorithm Generated Zeus CnC Domain (DGA)"; byte_test:1,!&,0xF8,2; content:"|02|ru|00|"; pcre:"/[a-z0-9]{33,}\x02ru\x00\x00/"; classtype:trojan-activity; sid:2014363; rev:7; metadata:created_at 2012_03_12, updated_at 2012_03_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Blocker Checkin"; flow:established,to_server; content:"/gate.php?cmd="; http_uri; content:"&botnet="; http_uri; content:"&userid="; http_uri; content:"&os="; http_uri; reference:md5,1d8841128e63ed7e26200d4ed3bc8e05; classtype:trojan-activity; sid:2014364; rev:1; metadata:created_at 2012_03_13, updated_at 2012_03_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent Post"; flow:established,to_server; content:"User-Agent|3A 20|Post|0d 0a|"; http_header; fast_pattern:only; content:!"/uup.php"; http_uri; content:!".360.cn|0d 0a|"; http_header; content:!".360.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2014366; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2012_03_13, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/GamesForum.InfoStealer Reporting to CnC"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/forum/"; http_uri; pcre:"/\/forum\/[0-9a-f]{32}\x2ephp/U"; content:"HTTP/1.0"; content:!"User-Agent|3A|"; nocase; http_header; content:"Data="; fast_pattern; http_client_body; depth:5; classtype:trojan-activity; sid:2014370; rev:2; metadata:created_at 2012_03_13, updated_at 2012_03_13;)

alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Kelihos .eu CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|02|eu|00|"; fast_pattern:only; pcre:"/\x00\x07[a-z0-9]{7}\x02eu\x00/"; threshold: type both, track by_src, count 2, seconds 60; classtype:trojan-activity; sid:2014372; rev:5; metadata:created_at 2012_03_14, updated_at 2012_03_14;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Zeus .ru CnC Domain Generation Algorithm (DGA) Lookup Detected"; byte_test:1,!&,0xF8,2; content:"|02|ru|00|"; fast_pattern; pcre:"/[^a-z0-9\-\.][a-z]{32,48}\x02ru\x00\x00/"; classtype:trojan-activity; sid:2014376; rev:4; metadata:created_at 2012_03_14, updated_at 2012_03_14;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Spy.Win32.Zbot.djrm Checkin"; flow:to_server,established; content:"/index.html?mac="; http_uri; content:"&ver="; http_uri; content:"&os="; http_uri; content:"&dtime="; fast_pattern; http_uri; content:"User-Agent|3a| baidu|0d 0a|"; http_header; reference:md5,b895249cce7d2c27cb9c480feb36560c; reference:md5,f70a5f52d4c0071963602c25b62865cb; classtype:trojan-activity; sid:2014399; rev:2; metadata:created_at 2012_03_15, updated_at 2012_03_15;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Dropper User-Agent (XXXwww)"; flow:established,to_server; content:"User-Agent|3a| XXXwww"; http_header; classtype:trojan-activity; sid:2014387; rev:2; metadata:created_at 2012_03_16, updated_at 2012_03_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV.dfze/FakeAV!IK Checkin"; flow:established,to_server; urilen:>150; content:"GET"; http_method; content:"= HTTP/1.1|0D 0A|Host|3a| "; fast_pattern:only; content:!"User-Agent|3a| "; http_header; content:"|0D 0A|Cache-Control|3a| no-cache|0D 0A 0D 0A|"; pcre:"/^\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/U"; content:!"pandora.com"; http_header; content:!"wordpress.com"; http_header; reference:md5,fe1e735ec10fb8836691fe2f2ac7ea44; classtype:trojan-activity; sid:2014409; rev:8; metadata:created_at 2012_03_21, updated_at 2012_03_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.Ixeshe"; flow:to_server,established; content:"User-Agent|3a| User-Agent|3a| "; nocase; http_header; fast_pattern:only; content:"/ym/Attachments?YY="; nocase; http_uri; reference:url,blog.spiderlabs.com/2012/03/dirty-rat.html; classtype:trojan-activity; sid:2014410; rev:4; metadata:created_at 2012_03_22, updated_at 2012_03_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fareit/Pony Downloader Checkin 2"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|0d 0a|Content-Encoding|3a| binary|0d 0a|"; http_header; fast_pattern:8,20; content:"|0d 0a|Accept-Encoding|3a 20|identity,|20 2a 3b|q=0|0d 0a|"; http_header; content:" MSIE "; http_header; content:!"Referer|3a 20|"; http_header; content:" HTTP/1.0|0d 0a|"; flowbits:set,ET.Fareit.chk; metadata: former_category TROJAN; reference:md5,99FAB94FD824737393F5184685E8EDF2; reference:url,www.threatexpert.com/report.aspx?md5=9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:url,www.threatexpert.com/report.aspx?md5=d50c39753ba88daa00bc40848f174168; reference:url,www.threatexpert.com/report.aspx?md5=bf422f3aa215d896f55bbe2ebcd25d17; classtype:trojan-activity; sid:2014411; rev:8; metadata:created_at 2012_03_22, updated_at 2018_07_04;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpyEye Checkin version 1.3.25 or later 3"; flow:established,to_server; content:"POST"; nocase; http_method; content:"data=mIqWm8"; http_client_body;  depth:11; classtype:trojan-activity; sid:2014428; rev:5; metadata:created_at 2012_03_26, updated_at 2012_03_26;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FakeAV Landing Page - Initializing Protection System"; flow:established,from_server; content:">Initializing Protection System...</"; fast_pattern; content:">System Tasks</"; distance:0; classtype:trojan-activity; sid:2014437; rev:5; metadata:created_at 2012_03_28, updated_at 2012_03_28;)

alert tcp $EXTERNAL_NET !6661:6668 -> $HOME_NET any (msg:"ET TROJAN IRC Bot Download http Command"; flow:established,from_server; content:"JOIN |3a|#"; nocase; content:"dl|20|http|3a 2f 2f|"; distance:0; content:"|2e|exe"; distance:0; reference:md5,fa6ae89b101a0367cc98798c7333e3a4; classtype:trojan-activity; sid:2014439; rev:4; metadata:created_at 2012_03_28, updated_at 2012_03_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Andromeda Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern:12,13; http_header; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})([\r\n](?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))?$/Pi"; reference:md5,41c33fdb9a95353a3b109393543f90dd; classtype:trojan-activity; sid:2016223; rev:7; metadata:created_at 2012_03_29, updated_at 2012_03_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LuckyCat/TROJ_WIMMIE Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php?m="; http_uri; content:"&n="; http_uri; within:4; content:"_"; http_uri; distance:0; content:"@"; http_uri; distance:0; pcre:"/\.php\?m=\w&n=\w+_\w+(@|@.c|@.t)$/U"; reference:url,blog.trendmicro.com/luckycat-redux-inside-an-apt-campaign/; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf; classtype:trojan-activity; sid:2014462; rev:2; metadata:created_at 2012_04_04, updated_at 2012_04_04;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DwnLdr-JMZ Downloading Binary"; flow:established,to_server; content:"/ngt.exe"; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla|0d 0a|"; http_header; reference:url,sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~DwnLdr-JMZ/detailed-analysis.aspx; classtype:trojan-activity; sid:2014464; rev:1; metadata:created_at 2012_04_04, updated_at 2012_04_04;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DwnLdr-JMZ Downloading Binary 2"; flow:established,to_server; content:"/?path=qx200.exe"; http_uri; reference:url,sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~DwnLdr-JMZ/detailed-analysis.aspx; classtype:trojan-activity; sid:2014465; rev:1; metadata:created_at 2012_04_04, updated_at 2012_04_04;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Datamaikon Checkin"; flow:to_server,established; content:"/index.dat?"; http_uri; content:"Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Win32)|0D 0A|Host|3a| "; fast_pattern:35,7; http_header; pcre:"/\/index.dat\?\d{5,9}$/U"; classtype:trojan-activity; sid:2014466; rev:5; metadata:created_at 2012_04_04, updated_at 2012_04_04;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Datamaikon Checkin NewAgent"; flow:to_server,established; content:"/index.dat?"; http_uri; content:" NewAgent|0d 0a|Host|3a| "; http_header; pcre:"/\/index.dat\?\d{5,9}$/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FDatamaikon.gen!A&ThreatID=-2147312276; reference:md5,77d68770fcdc6052bd8d761d14a14f5a; classtype:trojan-activity; sid:2014467; rev:2; metadata:created_at 2012_04_04, updated_at 2012_04_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Datamaikon Checkin myAgent"; flow:to_server,established; content:"/index.dat?"; http_uri; content:" myAgent|0d 0a|Host|3a| "; http_header; pcre:"/\/index.dat\?\d{5,9}$/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FDatamaikon.gen!A&ThreatID=-2147312276; reference:md5,a51933ee0f2ade7df98feb7207a2ffaf; classtype:trojan-activity; sid:2014468; rev:2; metadata:created_at 2012_04_04, updated_at 2012_04_04;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN HTTP Request to Zaletelly CnC Domain zaletellyxx.be"; flow:established,to_server; content:"Host|3a| zaletelly"; http_header; nocase; content:".be|0d 0a|"; http_header; within:9; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32/Gamarue.F; classtype:trojan-activity; sid:2014476; rev:1; metadata:created_at 2012_04_04, updated_at 2012_04_04;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN HTTP Request to Zaletelly CnC Domain atserverxx.info"; flow:established,to_server; content:"Host|3a| atserver"; http_header; nocase; content:".info|0d 0a|"; http_header; within:11; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32/Gamarue.F; classtype:trojan-activity; sid:2014477; rev:1; metadata:created_at 2012_04_04, updated_at 2012_04_04;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Request for Zaletelly CnC Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"zaletelly"; fast_pattern; nocase; distance:0; content:"|02|be|00|"; nocase; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~MDrop-EAB/detailed-analysis.aspx; classtype:trojan-activity; sid:2014513; rev:1; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN OSX/Flashback.K/I reporting successful infection"; flow:established,to_server; content:"/stat_d/"; http_uri; pcre:"/\/stat_d\/$/U"; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml; reference:url,vms.drweb.com/virus/?i=1816029; classtype:trojan-activity; sid:2014522; rev:2; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN OSX/Flashback.K/I reporting successful infection 2"; flow:established,to_server; content:"/stat_u/"; http_uri; pcre:"/\/stat_u\/$/U"; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml; reference:url,vms.drweb.com/virus/?i=1816029; classtype:trojan-activity; sid:2014523; rev:4; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN OSX/Flashback.K/I reporting failed infection"; flow:established,to_server; content:"/stat_n/"; http_uri; pcre:"/\/stat_n\/$/U"; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml; reference:url,vms.drweb.com/virus/?i=1816029; classtype:trojan-activity; sid:2014524; rev:2; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN OSX/Flashback.K first execution checkin"; flow:established,to_server; content:"/stat_svc/"; http_uri; pcre:"/\/stat_svc\/$/U"; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,vms.drweb.com/virus/?i=1816029; classtype:trojan-activity; sid:2014525; rev:2; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN OSX/Flashback.K/I User-Agent"; flow:established,to_server; content:" WOW64|3b| rv|3a|9.0.1|3b| sv|3a|"; http_header; content:" id|3a|"; http_header; within:6; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,vms.drweb.com/virus/?i=1816029; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml; classtype:trojan-activity; sid:2014534; rev:3; metadata:created_at 2012_04_05, updated_at 2012_04_05;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Taidoor.Backdoor Command Request CnC Checkin"; flow:established,to_server; content:".php?id="; http_uri; content:"&ext="; fast_pattern; http_uri; pcre:"/\x2F[a-z]{5}\x2Ephp\x3Fid\x3D.+[a-f0-9]{12}&ext\x3D/Ui"; reference:url,www.symantec.com/connect/blogs/trojantaidoor-takes-aim-policy-think-tanks; classtype:trojan-activity; sid:2014528; rev:1; metadata:created_at 2012_04_06, updated_at 2012_04_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Taidoor.Backdoor CnC Checkin With Default Substitute MAC Address Field"; flow:established,to_server; content:".php?id="; http_uri; content:"121212121212"; http_uri; pcre:"/\x2F[a-z]{5}\x2Ephp\x3Fid\x3D.+121212121212/U"; reference:url,www.symantec.com/connect/blogs/trojantaidoor-takes-aim-policy-think-tanks; classtype:trojan-activity; sid:2014529; rev:1; metadata:created_at 2012_04_06, updated_at 2012_04_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Metasploit Meterpreter stdapi_* Command Request"; flow:established; content:"|00 01 00 01|stdapi_"; offset:12; depth:11;  classtype:successful-user; sid:2014530; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2012_04_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Metasploit Meterpreter core_channel_* Command Request"; flow:established; content:"|00 01 00 01|core_channel_"; offset:12; depth:17;  classtype:successful-user; sid:2014531; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2012_04_06, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Metasploit Meterpreter stdapi_* Command Response"; flow:established; content:"|00 01 00 01|stdapi_"; offset:11; depth:11;  classtype:successful-user; sid:2014532; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2012_04_06, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Metasploit Meterpreter core_channel_* Command Response"; flow:established; content:"|00 01 00 01|core_channel_"; offset:11; depth:17;   classtype:successful-user; sid:2014533; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2012_04_06, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 88 (msg:"ET TROJAN Virus.Win32.Sality.aa Checkin"; flow:established,to_server; content:".txt"; offset:4; depth:9; content:"User-Agent|3a| Download|0d 0a|"; within:64; reference:md5,1e0e6717f72b66f6fc83f2ef6c00dcb7; classtype:trojan-activity; sid:2014826; rev:5; metadata:created_at 2012_04_09, updated_at 2012_04_09;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32/Mutopy.A Checkin"; flow:to_server,established; content:"/protocol.php?p="; fast_pattern:only; http_uri; content:"&d="; http_uri; pcre:"/&d=.{44}$/U"; reference:md5,2a0344bac492c65400eb944ac79ac3c3; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FMutopy.A&ThreatID=-2147312217; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/header-spoofing-hides-malware-communication/; classtype:trojan-activity; sid:2016963; rev:4; metadata:created_at 2012_04_13, updated_at 2012_04_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE 5.0|3b 20|Windows 98)"; http_header; fast_pattern:37,20; content:"*|3b|q=0"; http_header; content:"HTTP/1.0|0d 0a|Host|3a 20|"; classtype:trojan-activity; sid:2014562; rev:4; metadata:created_at 2012_04_13, updated_at 2012_04_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Pony Downloader check-in response STATUS-IMPORT-OK"; flow:established,from_server; file_data; content:"STATUS-IMPORT-OK"; within:16; classtype:trojan-activity; sid:2014563; rev:5; metadata:created_at 2012_04_13, updated_at 2012_04_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN OS X Backdoor Checkin"; flow:established,to_server; content:"Accept-Encoding|3a 20|base64,gzip"; http_header; fast_pattern; content:"|20|Mac|20|OS|20|X|3a|"; http_header; reference:url,www.securelist.com/en/blog/208193467/SabPub_Mac_OS_X_Backdoor_Java_Exploits_Targeted_Attacks_and_Possible_APT_link; classtype:trojan-activity; sid:2014564; rev:1; metadata:created_at 2012_04_16, updated_at 2012_04_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/UltimateDefender.FakeAV Checkin"; flow:established,to_server; content:"/show_module.php?IsAutoGeneratedPage="; http_uri; content:"&asked_billing_id="; http_uri; content:"&original_asked_billing_id="; http_uri; content:"&brokerid="; http_uri; content:"&country="; http_uri; content:"&customid="; http_uri; content:"&product="; http_uri; content:"&custom_param="; http_uri; content:"&extparam="; http_uri; content:"&nums="; http_uri; reference:md5,cec40236236466a1acb33aca3220eebe; classtype:trojan-activity; sid:2014566; rev:2; metadata:created_at 2012_04_16, updated_at 2012_04_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN HTTP Request to a known malware domain (regicsgf.net)"; flow: to_server,established; content:"regicsgf.net|0D 0A|"; fast_pattern:only; http_header; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Coswid-C/detailed-analysis.aspx; classtype:trojan-activity; sid:2014570; rev:4; metadata:created_at 2012_04_16, updated_at 2012_04_16;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for a known malware domain (regicsgf.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|regicsgf|03|net|00|"; fast_pattern; nocase; distance:0; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Coswid-C/detailed-analysis.aspx; classtype:trojan-activity; sid:2014572; rev:4; metadata:created_at 2012_04_16, updated_at 2012_04_16;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for a known malware domain (sektori.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|sektori|03|org|00|"; fast_pattern; nocase; distance:0; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Coswid-C/detailed-analysis.aspx; classtype:trojan-activity; sid:2014573; rev:5; metadata:created_at 2012_04_16, updated_at 2012_04_16;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Winwebsec.B Checkin"; flow:established,to_server; content:"/temp1.jpg"; http_uri; content:"User-Agent|3a 20|HTTP Client|0d 0a|"; http_header; reference:md5,9c9109cea5845272d6abd1b5523c8de7; classtype:trojan-activity; sid:2014578; rev:2; metadata:created_at 2012_04_16, updated_at 2012_04_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely Infected HTTP POST to PHP with User-Agent of HTTP Client"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; nocase; http_uri; content:"User-Agent|3a 20|HTTP Client|0d 0a|"; http_header; fast_pattern; classtype:trojan-activity; sid:2014579; rev:2; metadata:created_at 2012_04_16, updated_at 2012_04_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hoax.Win32.BadJoke/DownLoader1.57593 Checkin"; flow:established,to_server; content:"/agent.htm"; http_uri; content:"User-Agent|3a 20|OINC|0d 0a|"; http_header; reference:url,malwr.com/analysis/5ee02601d265a9a88f03a5465a99b190/; classtype:trojan-activity; sid:2014581; rev:3; metadata:created_at 2012_04_16, updated_at 2012_04_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mac Flashback Checkin 1"; flow:established,to_server; content:"GET"; http_method; content:"/owncheck/"; http_uri; classtype:trojan-activity; sid:2014597; rev:1; metadata:created_at 2012_04_16, updated_at 2012_04_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mac Flashback Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:"/scheck/"; http_uri; fast_pattern:only; pcre:"/^User-Agent\x3a\s*?[A-Za-z0-9+\/=]+?\r?$/Hm"; classtype:trojan-activity; sid:2014598; rev:7; metadata:created_at 2012_04_16, updated_at 2012_04_16;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mac Flashback Checkin 3"; flow:to_server,established; content:"GET"; http_method; content:"/search?q="; http_uri; content:"&ua="; http_uri; distance: 0; content:"==&al="; http_uri; distance: 0; content:"&cv="; http_uri; distance:0; classtype:trojan-activity; sid:2014599; rev:4; metadata:created_at 2012_04_16, updated_at 2012_04_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Nitol.A Checkin"; flow:from_client,established; dsize:1028; content:"|01 00 00 00|"; depth:4; content:!"|00|"; distance:0; within:1; content:"|00|"; distance:1; within:1; content:"|00|"; distance:61; within:1; content:"|00 00 00 00 00|Windows|20|"; fast_pattern; distance:0; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:0; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:12; within:20; classtype:trojan-activity; sid:2014600; rev:6; metadata:created_at 2012_04_17, updated_at 2012_04_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Nitol.B Checkin"; flow:from_client,established; dsize:536<>1029; content:"|01 00 00 00|"; depth:4; content:!"|26|"; distance:0; within:1; content:"|26|"; distance:1; within:1; content:"|26|"; distance:61; within:1; content:"|26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26|"; distance:204; within:20; content:"|26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26|"; distance:12; within:20; classtype:trojan-activity; sid:2014601; rev:4; metadata:created_at 2012_04_17, updated_at 2012_04_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Downvision.A Initial Checkin"; flow:established,to_server; content:"/up.php?id=201"; http_uri; content:"software IPWorks HTTP/S Component - www.nsoftware.com"; http_header; reference:url,www.fortiguard.com/av/VID3309956; classtype:trojan-activity; sid:2014610; rev:4; metadata:created_at 2012_04_17, updated_at 2012_04_17;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/Sogu Remote Access Trojan Social Media Embedded CnC Channel"; flow:established,to_client; file_data; content:"DZKS"; distance:0; content:"DZJS"; within:50; reference:url,blogs.norman.com/2012/security-research/trojan-moves-its-configuration-to-twitter-linkedin-msdn-and-baidu; classtype:trojan-activity; sid:2014618; rev:2; metadata:created_at 2012_04_19, updated_at 2012_04_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.Es11 Keepalive to CnC"; flow:established,to_server; content:"|89 e7 52 d4 68 64 a7 73 bd 7e 3f 5c f7 99 3a 2e|"; offset:16; depth:16; dsize:48; reference:md5,4a17e9bd99f496c518ddfaaef93384b0; classtype:trojan-activity; sid:2014630; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2012_04_20, malware_family PoisonIvy, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FireEye.STX RAT Checkin"; flow:established,to_server; content:"GET /WinData.DLL?HELO-STX-1*"; depth:28; content:"$|0D 0A|"; distance:0; within:40; reference:url,blog.fireeye.com/research/2012/04/spear-phished-by-fireeye.html; reference:md5,89217de164ffca0f0fed54a8003eb98f; classtype:trojan-activity; sid:2014632; rev:2; metadata:created_at 2012_04_23, updated_at 2012_04_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Session_Id length greater than Client_Hello Length)"; flow:to_server,established; content:"|16 03 00|"; depth:3; content:"|01|"; distance:2; within:1; byte_extract:3,0,SSL.Client_Hello.length,relative; byte_test:1,>,SSL.Client_Hello.length,34,relative; reference:md5,a01d75158cf4618677f494f9626b1c4c; classtype:trojan-activity; sid:2014634; rev:1; metadata:created_at 2012_04_24, updated_at 2012_04_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Cipher_Suite length greater than Client_Hello Length)"; flow:to_server,established; content:"|16 03 00|"; depth:3; content:"|01|"; distance:2; within:1; byte_extract:3,0,SSL.Client_Hello.length,relative; byte_jump:1,34,relative; byte_test:2,>,SSL.Client_Hello.length,0,relative; reference:md5,a01d75158cf4618677f494f9626b1c4c; classtype:trojan-activity; sid:2014635; rev:1; metadata:created_at 2012_04_24, updated_at 2012_04_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FakeM RAT CnC Beacon"; flow:established,to_server; content:"<html><title>"; depth:13; content:"</title><body>"; within:48; content:!"</body>"; content:"|f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6|"; distance:0; reference:md5,3e008471eaa5e788c41c2a0dff3d1a89; classtype:trojan-activity; sid:2014636; rev:5; metadata:created_at 2012_04_25, updated_at 2012_04_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Maljava Dropper for OS X"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/install_flash_player.py"; nocase; http_uri; reference:url,www.symantec.com/connect/blogs/both-mac-and-windows-are-targeted-once; classtype:trojan-activity; sid:2014638; rev:3; metadata:created_at 2012_04_25, updated_at 2012_04_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Maljava Dropper for Windows"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/install_flash_player.tmp2"; nocase; http_uri; reference:url,www.symantec.com/connect/blogs/both-mac-and-windows-are-targeted-once; classtype:trojan-activity; sid:2014637; rev:2; metadata:created_at 2012_04_25, updated_at 2012_04_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ConstructorWin32/Agent.V"; flow:to_server,established; content:"GET http|3A|//"; depth:11; content:"|0D 0A|Pragma|3A| no-catch|0D 0A|"; http_header; content:"|0D 0A|X-HOST|3a| "; http_header; content:"|0D 0A|Content-Length|3A| 0|0D 0A|"; http_header; reference:md5,3305ad96bcfd3a406dc9daa31e538902; classtype:trojan-activity; sid:2014643; rev:6; metadata:created_at 2012_04_26, updated_at 2012_04_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Ponmocup.A Checkin"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/space.php"; http_uri; fast_pattern; content:"Accept|3a| */*|0d 0a|Cookie|3a| uid="; offset:25; depth:25; content:"|3b 20|VISITOR="; distance:0; content:"User-Agent|3a| "; distance:0; content:"Host|3a| "; distance:0; reference:md5,97a1acc085849c0b9af19adcf44607a7; classtype:trojan-activity; sid:2014660; rev:3; metadata:created_at 2012_05_01, updated_at 2012_05_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN W32/SpyBanker Infection Confirmation Email"; flow:established,to_server; content:"From|3A 20 22|Bitch Infected|22|"; reference:md5,007eb53d1b0de237f86750a239cae48e; classtype:trojan-activity; sid:2014668; rev:2; metadata:created_at 2012_05_02, updated_at 2012_05_02;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN W32/Backdoor.BAT.Agent.W User Botnet"; flow:established,to_server; content:"USER botnet"; depth:11; reference:md5,fc7059ec1e3e86fd0a664c3747f09725; classtype:trojan-activity; sid:2014700; rev:2; metadata:created_at 2012_05_02, updated_at 2012_05_02;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN W32/Simbot.Backdoor Checkin"; flow:established,to_server; content:"GET /rclgx.php?id="; depth:18; reference:md5,a4edc9d31bc0ad763b3424e9306f4d7c; classtype:trojan-activity; sid:2014719; rev:1; metadata:created_at 2012_05_07, updated_at 2012_05_07;)

#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Downloader/Agent.dxh.1 Reporting to CnC"; flow:established,to_server; dsize:80<>110; content:"!"; depth:1; content:"|5C 7C 3F 2F|"; within:6; content:".exe|5C 7C 3F 2F|"; distance:0; reference:md5,ded49b8c92d7ab6725649f04f30df8ce; classtype:trojan-activity; sid:2014720; rev:2; metadata:created_at 2012_05_07, updated_at 2012_05_07;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Boatz Checkin"; flow:to_server,established; content:"/clients.php?os="; http_uri; content:"&name="; distance:0; http_uri; content:"&id="; distance:0; http_uri; content:"&loc="; distance:0; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/pastebin-shares-botnet-source-code; classtype:trojan-activity; sid:2014721; rev:1; metadata:created_at 2012_05_07, updated_at 2012_05_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Medfos/Midhos Checkin"; flow:to_server,established; content:"/id="; http_uri; content:"&rt="; distance:0; http_uri; content:"AAAAAAAAAAA"; http_uri; content:!"Accept|3a 20|"; http_header; content:!"Connection|3a 20|"; http_header; reference:md5,00da8acc14d0e827dbb1326c023fc720; reference:md5,8f561f46fb262cac6bb4cacf3e4e78a6; reference:md5,63491dcc8e897bf442599febe48b824d; classtype:trojan-activity; sid:2014722; rev:2; metadata:created_at 2012_05_08, updated_at 2012_05_08;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Suspicious lcon http header in response seen with Medfos/Midhos downloader"; flow:to_client,established; content:"|0d 0a|lcon|3a 20|"; http_header; reference:md5,63491dcc8e897bf442599febe48b824d; classtype:trojan-activity; sid:2014723; rev:1; metadata:created_at 2012_05_08, updated_at 2012_05_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Smoke Loader Checkin r=gate"; flow:established,to_server; content:".php?r=gate&"; http_uri; content:"&group="; http_uri; distance:0; content:"&debug="; http_uri; distance:0; content:"5.0 (Windows|3b| U|3b| MSIE 9"; http_header; reference:md5,7ef1e61d9b394a972516cc453bf0ec06; classtype:trojan-activity; sid:2014728; rev:4; metadata:created_at 2012_05_09, updated_at 2012_05_09;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Snap Bot Checkin"; flow:to_server,established; content:"id="; depth:3; http_client_body; content:"&s5_uidx="; distance:0; http_client_body; content:"&os="; distance:0; http_client_body; content:"&s5="; distance:0; http_client_body; reference:md5,a45a1ccf6842b032b7f2ef2f2255c81c; reference:md5,e070ce714e343052d19a7e3213ee2a9a; reference:url,ddanchev.blogspot.com/2011/05/peek-inside-new-ddos-bot-snap.html; classtype:trojan-activity; sid:2014731; rev:1; metadata:created_at 2012_05_10, updated_at 2012_05_10;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Snap Bot Receiving Download Command"; flow:to_client,established; file_data; content:"|7c|dlexec|7c|"; nocase; distance:1; within:12; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; pcre:"/^\d+\x7cdlexec\x7c([^\x7c]+\x7c){3}[^\x7c]+$/mi"; reference:md5,a45a1ccf6842b032b7f2ef2f2255c81c; reference:md5,e070ce714e343052d19a7e3213ee2a9a; reference:url,ddanchev.blogspot.com/2011/05/peek-inside-new-ddos-bot-snap.html; classtype:trojan-activity; sid:2014732; rev:5; metadata:created_at 2012_05_10, updated_at 2012_05_10;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Snap Bot Receiving DDoS Command"; flow:to_client,established; file_data; content:"|7c|ddos|7c|"; distance:1; within:10; nocase; pcre:"/^\d+\x7cddos\x7c([^\x7c]+\x7c){5}[^\x7c]+$/mi"; reference:md5,a45a1ccf6842b032b7f2ef2f2255c81c; reference:md5,e070ce714e343052d19a7e3213ee2a9a; reference:url,ddanchev.blogspot.com/2011/05/peek-inside-new-ddos-bot-snap.html; classtype:trojan-activity; sid:2014733; rev:4; metadata:created_at 2012_05_10, updated_at 2012_05_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN Win32/Comrerop Checkin to FTP server"; flow:established,to_server; content:"USER griptoloji|0d 0a|"; depth:17; fast_pattern:5,12; reference:md5,6b16290b05afd1a9d638737924f2ab5c; classtype:trojan-activity; sid:2014757; rev:2; metadata:created_at 2012_05_15, updated_at 2012_05_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan.BAT.Qhost - SET"; flow:established,to_server; content:"GET "; depth:4; content:"/stat/tuk/"; within:10; flowbits:set,ETPRO.Trojan.BAT.Qhost; flowbits:noalert; reference:md5,f6e1583aca310c4c0d55db1dae942b2b; classtype:trojan-activity; sid:2014758; rev:4; metadata:created_at 2012_05_16, updated_at 2012_05_16;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Trojan.BAT.Qhost Response from Controller"; flow:established,from_server; flowbits:isset,ETPRO.Trojan.BAT.Qhost; content:"Set-Cookie|3a| ci_session="; content:"session_id"; distance:0; content:"ip_address"; distance:0; content:"user_agent"; distance:0; content:"last_activity"; distance:0; content:"user_data"; distance:0; reference:md5,f6e1583aca310c4c0d55db1dae942b2b; classtype:trojan-activity; sid:2014759; rev:4; metadata:created_at 2012_05_16, updated_at 2012_05_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.HLLW.Autoruner USA_Load UA"; flow:established,to_server; content:"User-Agent|3A 20|USA_Load"; http_header; reference:url,news.drweb.com/show/?i=2440&lng=en&c=5; classtype:trojan-activity; sid:2014752; rev:2; metadata:created_at 2012_05_17, updated_at 2012_05_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Mepaow.Backdoor Initial Checkin to Intermediary Pre-CnC"; flow:established,to_server; content:"/PostView.nhn?blogId="; fast_pattern; http_uri; content:"&logNo="; http_uri; content:"&parentCategoryNo="; http_uri; content:"&userTopListOpen="; http_uri; content:"&userTopListManageOpen="; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)|0d 0a|"; http_header; reference:url,home.mcafee.com/virusinfo/virusprofile.aspx?key=1072862; reference:md5,8af17164500aac1c0965b842aca3fed7; classtype:trojan-activity; sid:2014754; rev:5; metadata:created_at 2012_05_17, updated_at 2012_05_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/HupigonUser.Backdoor Rabclib UA Checkin"; flow:established,to_server; content:".txt"; http_uri; content:"User-Agent|3A 20|RAbcLib|0D 0A|"; http_header; reference:md5,65467e7ff3140f42f4758eca7b76185c; classtype:trojan-activity; sid:2014755; rev:3; metadata:created_at 2012_05_17, updated_at 2012_05_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Votwup.Backdoor Checkin"; flow:established,to_server; content:"/ddos?uid="; http_uri; content:"&ver="; http_uri; reference:md5,1325e4e44b5bf2f8dfe550dec016da53; classtype:trojan-activity; sid:2014760; rev:2; metadata:created_at 2012_05_17, updated_at 2012_05_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN W32/SpyBanker Infection Confirmation Email 2"; flow:established,to_server; content:"From|3A 20 22|Infected|22|"; reference:md5,f091e8ed0e8f4953ff10ce3bd06dbe54; classtype:trojan-activity; sid:2014762; rev:1; metadata:created_at 2012_05_17, updated_at 2012_05_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Kazy/Kryptic Checkin with Opera/9 User-Agent"; flow:established,to_server; content:"/count.php?id="; http_uri; content:"&c="; http_uri; content:"&d="; http_uri; content:"|0d 0a|User-Agent|3a 20|Opera/9 (Windows"; fast_pattern:14,16; http_header; reference:url,malwr.com/analysis/18c5b31198777f93a629a0357b22f2f8/; reference:md5,18c5b31198777f93a629a0357b22f2f8; reference:url,www.virustotal.com/file/94cf780fa829c16cd0b09a462b5419cd1175bac01ba935e906a109d97b4dadaa/; classtype:trojan-activity; sid:2014777; rev:3; metadata:created_at 2012_05_18, updated_at 2012_05_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bebloh connectivity check"; flow:established,to_server; urilen:1; content:"GET"; http_method; content:"Host|3a 20|"; depth:6; http_header; content:"Content-Length|3a 20|0|0d 0a|"; distance:0; http_header; content:"|3a 20|no-cache"; distance:0; http_header; content:!"|0d 0a|User-Agent"; http_header; content:!"|0d 0a|Accept"; http_header; reference:md5,ccb463b2dadaf362a03c8bbf34dc247e; classtype:trojan-activity; sid:2014778; rev:3; metadata:created_at 2012_05_18, updated_at 2012_05_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Win32/MultiPasswordRecovery.A cs-crash PWS"; flow:to_server,established; content:"X-Mailer|3a| Blat "; content:"Subject|3A 20|Contents of file|3A 20|stdin.txt"; content:"name|3D|"; distance:0; content:".mpf"; within:24; classtype:trojan-activity; sid:2014793; rev:3; metadata:created_at 2012_05_18, updated_at 2012_05_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Syndicasec.Backdoor Client POST CMD result"; flow:established,to_server; content:"POST"; http_method; content:".php?cstype="; http_uri; content:"&authname="; distance:0; http_uri; content:"&authpass="; distance:0; http_uri; content:"&hostname="; distance:0; http_uri; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2014795; rev:3; metadata:created_at 2012_05_21, updated_at 2012_05_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ZeuS Ransomware win_unlock"; flow:established,to_server; content:"/locker/lock.php?id="; http_uri; reference:url,www.f-secure.com/weblog/archives/00002367.html; reference:md5,14a1d23b5a8b4f5c186bc5082ede4596; classtype:trojan-activity; sid:2014797; rev:3; metadata:created_at 2012_05_21, updated_at 2012_05_21;)

alert tcp any any -> $HOME_NET any (msg:"ET TROJAN Backdoor.Perl.Shellbot.cd IRC Bot that have DoS/DDoS functions"; flow:from_server,established; flowbits:isset,is_proto_irc; content:"PRIVMSG|20|"; pcre:"/^PRIVMSG.*@(portscan|back|(tcp|udp|http)flood|tsunami|(de)?voice|reset|die|say|join|part|(de)?op)/mi"; metadata: former_category TROJAN; reference:url,theprojectxblog.net/another-perl-irc-bot-that-have-dosddos-functions/; classtype:trojan-activity; sid:2025065; rev:3; metadata:created_at 2012_05_22, updated_at 2017_11_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Rogue.Win32/Winwebsec Install 2"; flow:to_server,established; content:"/api/urls/?ts="; http_uri; content:"&affid="; http_uri; content:"GTB0.0|3b|"; http_header; reference:md5,181999985de5feae6f44f9578915417f; classtype:trojan-activity; sid:2014816; rev:3; metadata:created_at 2012_05_24, updated_at 2012_05_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible SKyWIper/Win32.Flame UA"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| .NET CLR 1.1.2150)|0d 0a|"; http_header; fast_pattern:52,20; reference:url,crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:2014818; rev:5; metadata:created_at 2012_05_29, updated_at 2012_05_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible SKyWIper/Win32.Flame POST"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/wp-content/rss.php"; http_uri; content:"UNIQUE_NUMBER="; depth:14; fast_pattern; http_client_body; content:"&PASSWORD="; distance:0; http_client_body; content:"&ACTION="; distance:0; http_client_body; reference:url,blog.cuckoobox.org/2012/05/29/cuckoo-in-flame/; classtype:trojan-activity; sid:2014822; rev:6; metadata:created_at 2012_05_30, updated_at 2012_05_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Feodo/Cridex Traffic Detected"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/zb/v_01_a/in/"; http_uri; classtype:trojan-activity; sid:2014841; rev:1; metadata:created_at 2012_06_01, updated_at 2012_06_01;)

#alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET TROJAN Flamer WuSetupV module traffic 1"; flow:established,to_server; content:"?mp=1"; http_uri; content:"&jz="; http_uri; distance:0; content:"&fd="; http_uri; distance:0; content:"&am="; http_uri; distance:0; content:"&ef="; http_uri; distance:0; content:"&pr="; http_uri; distance:0; content:"&ec="; http_uri; distance:0; content:"&ov="; http_uri; distance:0; content:"&pl="; http_uri; distance:0; reference:md5,1f61d280067e2564999cac20e386041c; classtype:trojan-activity; sid:2014849; rev:3; metadata:created_at 2012_06_04, updated_at 2012_06_04;)

#alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET TROJAN Flamer WuSetupV module traffic 2"; flow:established,to_server; content:"?ac=1"; http_uri; content:"&fd="; http_uri; distance:0; content:"&gb="; http_uri; distance:0; content:"&rt="; http_uri; reference:md5,1f61d280067e2564999cac20e386041c; classtype:trojan-activity; sid:2014850; rev:4; metadata:created_at 2012_06_04, updated_at 2012_06_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAvCn-A Checkin 1"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/support/s"; http_uri; fast_pattern:only; urilen:10; content:"User-Agent|3a| Internet Explorer|0d 0a|"; http_header; classtype:trojan-activity; sid:2014855; rev:2; metadata:created_at 2012_06_04, updated_at 2012_06_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAvCn-A Checkin 3"; flow:established,to_server; content:"GET"; http_method; nocase; content:".php?0Q9oBPXEN0uECUg"; fast_pattern:only; http_uri; classtype:trojan-activity; sid:2014857; rev:3; metadata:created_at 2012_06_04, updated_at 2012_06_04;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Gimemo/Aldibot CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"ukashcode="; http_client_body; depth:10; content:"&euro="; http_client_body; distance:0; content:"&submitukash="; http_client_body; distance:0; reference:url,www.evild3ad.com/?p=1693; classtype:trojan-activity; sid:2014864; rev:1; metadata:created_at 2012_06_06, updated_at 2012_06_06;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Self Signed SSL Certificate (Reaserch)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"Security Reaserch WWEB Group|2c| LLC"; classtype:trojan-activity; sid:2014871; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2012_06_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Self Signed SSL Certificate (John Doe)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"|08|John Doe0"; classtype:trojan-activity; sid:2014872; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2012_06_08, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN W32/Bakcorox.A ProxyBot CnC Server Connection"; flow:established,to_server; content:"GET favicon.ico HTTP/1.1"; depth:24; content:"Host|3A 20|bcProxyBot.com"; fast_pattern; distance:0; reference:url,contagioexchange.blogspot.co.uk/2012/06/022-crime-win32bakcoroxa-proxy-bot-web.html; classtype:trojan-activity; sid:2014887; rev:2; metadata:created_at 2012_06_12, updated_at 2012_06_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32/Dervec.gen Connectivity Check to Google"; flow:established,to_server; content:"HOST|3a|"; depth:5; http_header; content:"www.google.com|0d 0a 0d 0a|"; within:19; http_header; content:"|00 00 00 00 00 00 00 00 00 00|"; offset:39; depth:10; reference:md5,5eaae2d6a4b5d338b83ea5d97af93672; classtype:trojan-activity; sid:2019129; rev:9; metadata:created_at 2012_06_12, updated_at 2012_06_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ixeshe/Mecklow Checkin 2"; flow:to_server,established; content:!"Accept"; content:!"Referer|3a|"; content:"HTTP/1."; content:"|0d 0a|x_bigfix_client_string|3a|"; distance:1; within:25; fast_pattern; metadata: former_category TROJAN; reference:md5,df9ce5d06498419a3c93ad95a2ed82fd; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fMecklow.A&ThreatID=-2147325849; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf; classtype:trojan-activity; sid:2018380; rev:5; metadata:created_at 2012_06_19, updated_at 2017_11_27;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Win32/Bicololo.Dropper ne_unik CnC Server Response"; flow:established,to_client; file_data; content:"ne_unik"; within:7; classtype:trojan-activity; sid:2014933; rev:1; metadata:created_at 2012_06_21, updated_at 2012_06_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Capfire4 Checkin (register machine)"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/registraMaquina"; http_uri; content:"User-Agent|3a| Clickteam"; http_header; reference:url,labs.alienvault.com/labs/index.php/2012/capfire4-malware-rat-software-and-cc-service-together/; classtype:trojan-activity; sid:2014952; rev:3; metadata:created_at 2012_06_22, updated_at 2012_06_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Capfire4 Checkin (update machine status)"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/updMaqStatus"; http_uri; content:"User-Agent|3a| Clickteam"; http_header; reference:url,labs.alienvault.com/labs/index.php/2012/capfire4-malware-rat-software-and-cc-service-together/; classtype:trojan-activity; sid:2014953; rev:3; metadata:created_at 2012_06_22, updated_at 2012_06_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor Win32/Hupigon.CK Client Checkin"; flow:to_server,established; content:"|00 00 00 18 01 00 00|"; offset:1; depth:7; fast_pattern; content:"|78 9c|"; distance:5; within:2; classtype:trojan-activity; sid:2014955; rev:2; metadata:created_at 2012_06_25, updated_at 2012_06_25;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Backdoor Win32/Hupigon.CK Server Checkin"; flow:to_client,established; content:"|00 00 00 01 00 00 00|"; offset:1; depth:7; fast_pattern; content:"|78 9c|"; distance:5; within:2; content:"|00 00 01 00 01|"; distance:2; within:5; classtype:trojan-activity; sid:2014956; rev:1; metadata:created_at 2012_06_25, updated_at 2012_06_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor Win32/Hupigon.CK Client Idle"; flow:to_server,established; content:"|00 00 00 02 00 00 00|"; offset:1; depth:7; fast_pattern; content:"|78 9c|"; distance:5; within:2; content:"|00 00|"; distance:3; within:2; content:"|00|"; distance:1; within:1; classtype:trojan-activity; sid:2014957; rev:1; metadata:created_at 2012_06_25, updated_at 2012_06_25;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Backdoor Win32/Hupigon.CK Server Idle"; flow:to_client,established; content:"|00 00 00 01 00 00 00|"; offset:1; depth:7; fast_pattern; content:"|78 9c|"; distance:5; within:2; content:"|00 00 1f 00 1f|"; distance:2; within:5; classtype:trojan-activity; sid:2014958; rev:1; metadata:created_at 2012_06_25, updated_at 2012_06_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Scar CnC Checkin"; flow:established,to_server; content:"/yeni_urunler.php?hdd="; http_uri; reference:md5,b345634df53511c7195d661ac755b320; classtype:trojan-activity; sid:2014961; rev:1; metadata:created_at 2012_06_25, updated_at 2012_06_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Nutiliers.A Downloader CnC Checkin - Request Encrypted Response"; flow:established,to_server; content:"/js/data/encryptedtest.dll"; http_uri; reference:md5,7b2bfb9d270a5f446f32502d2ed34d67; classtype:trojan-activity; sid:2014962; rev:1; metadata:created_at 2012_06_25, updated_at 2012_06_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Armageddon CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3A| ArmageddoN"; nocase; http_header; content:"GetList="; http_client_body; depth:8; reference:md5,3f4c5649d66fc5befc0db47930edb9f6; classtype:trojan-activity; sid:2014963; rev:1; metadata:created_at 2012_06_25, updated_at 2012_06_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan.APT.9002 CnC Traffic"; flow:to_server,established; dsize:24; content:"|0c 00 00 00 08 00 00 00 19 ff ff ff ff 00 00 00 00 11 00 00|"; offset:4; depth:20; reference:md5,81687637b7bf2b90258a5006683e781c; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/08/the-sunshop-campaign-continues.html; classtype:trojan-activity; sid:2016398; rev:8; metadata:created_at 2012_06_28, updated_at 2012_06_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot CnC POST /common/versions.php"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/common/versions.php"; http_uri; reference:md5,43d8afa89bd6bf06973af62220d6c158; classtype:trojan-activity; sid:2014979; rev:1; metadata:created_at 2012_06_28, updated_at 2012_06_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot CnC GET /lost.dat"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/lost.dat"; http_uri; reference:md5,43d8afa89bd6bf06973af62220d6c158; classtype:trojan-activity; sid:2014980; rev:2; metadata:created_at 2012_06_28, updated_at 2012_06_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot CnC POST /common/timestamps.php"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/common/timestamps.php"; http_uri; reference:md5,43d8afa89bd6bf06973af62220d6c158; classtype:trojan-activity; sid:2014999; rev:1; metadata:created_at 2012_07_02, updated_at 2012_07_02;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pushbot User-Agent"; flow:to_server,established; content:"User-Agent|3A 20|cvc_v105"; fast_pattern:only; http_header; reference:url,www.cert.pl/news/5587/langswitch_lang/en; classtype:trojan-activity; sid:2015002; rev:4; metadata:created_at 2012_07_03, updated_at 2012_07_03;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Pushbot server response"; flow:to_client,established; file_data; content:"ZG%|20|!GX"; within:7; reference:url,www.cert.pl/news/5587/langswitch_lang/en; classtype:trojan-activity; sid:2015003; rev:2; metadata:created_at 2012_07_03, updated_at 2012_07_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Icoo CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/tUrl.xml?num="; http_uri; fast_pattern:only; content:"Accept-Language|3A| de-at"; http_header; reference:md5,1d2ddece4cd5cff3658c59e20d40dd8b; classtype:trojan-activity; sid:2015019; rev:1; metadata:created_at 2012_07_03, updated_at 2012_07_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Numnet.Downloader CnC Checkin 1"; flow:established,to_server; content:"/counter/mac_proc.php?cid="; fast_pattern; http_uri; content:"&mid="; http_uri; content:"User-Agent|3A| internet|0D 0A|"; http_header; reference:md5,fbc732c7cd1bbd84956b1e76b53384da; classtype:trojan-activity; sid:2015020; rev:1; metadata:created_at 2012_07_03, updated_at 2012_07_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Numnet.Downloader CnC Checkin 2"; flow:established,to_server; content:"/check_counter.php?pid="; http_uri; content:"&mid="; http_uri; content:"User-Agent|3A| internet|0D 0A|"; http_header; reference:md5,fbc732c7cd1bbd84956b1e76b53384da; classtype:trojan-activity; sid:2015021; rev:1; metadata:created_at 2012_07_03, updated_at 2012_07_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Zusy Gettime Checkin"; flow:established,to_server; content:"/gettime.html?"; fast_pattern:only; http_uri; content:"HTTP/1.0"; http_header; content:"If-None-Match|3A 20|"; http_header; reference:md5,a152772516cef409ddd58f90917a3b44; classtype:trojan-activity; sid:2015022; rev:2; metadata:created_at 2012_07_03, updated_at 2012_07_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cridex Post to CnC"; flow:established,to_server; content:"|0d 0a 0d 0a de ad be ef|"; content:"POST"; http_method; content:!"."; http_uri; content:!"hbi-ingest.net"; http_header; metadata: former_category TROJAN; reference:url,vrt-blog.snort.org/2012/07/banking-trojan-spread-via-ups-phish.html; reference:url,www.virustotal.com/file/00bf5b6f32b6a8223b8e55055800ef7870f8acaed334cb12484e44489b2ace24/analysis/; reference:url,www.packetninjas.net; classtype:trojan-activity; sid:2015028; rev:6; metadata:created_at 2012_07_06, updated_at 2018_03_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Generic - 8Char.JAR Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".jar"; http_header; fast_pattern; pcre:"/[=\"]\w{8}\.jar/Hi"; file_data; content:"PK"; within:2; classtype:trojan-activity; sid:2015050; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Pift Checkin 1"; flow:established,to_server; content:"/plg3.z"; fast_pattern; http_uri; urilen:7; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; http_header; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf; reference:md5,d3c6af8284276b11c2f693c1195b4735; classtype:trojan-activity; sid:2015458; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Pift Checkin 2"; flow:established,to_server; content:"/ext1.z"; fast_pattern; http_uri; urilen:7; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; http_header; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf; reference:md5,d3c6af8284276b11c2f693c1195b4735; classtype:trojan-activity; sid:2015459; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Pift DNS TXT CnC Lookup ppift.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|ppift|03|net|00 00 10|"; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf; reference:md5,d3c6af8284276b11c2f693c1195b4735; classtype:trojan-activity; sid:2015460; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN XPSecurityCenter FakeAV Checkin"; flow:to_server,established; content:"/XPSecurityCenter/"; http_uri; content:"User-Agent|3a| Internet Explorer 6.0|0d 0a|"; http_header; reference:md5,1c5eb2ea27210cf19c6ab24b7cc104b9; classtype:trojan-activity; sid:2018761; rev:3; metadata:created_at 2012_07_13, updated_at 2012_07_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hupigon.DF Checkin"; flow:to_server,established; content:"/ip.txt"; http_uri; urilen:7; content:"User-Agent|3a| Huai_Huai|0d 0a|"; http_header; reference:md5,ee600bdcc45989750dee846b5049f935; reference:md5,1051f7176fe0a50414649d369e752e98; classtype:trojan-activity; sid:2018762; rev:2; metadata:created_at 2012_07_13, updated_at 2012_07_13;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN ZeroAccess udp traffic detected"; content:"|9e 98|"; offset:6; depth:2; dsize:20; classtype:trojan-activity; sid:2015474; rev:2; metadata:created_at 2012_07_13, updated_at 2012_07_13;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ZeroAccess Outbound udp traffic detected"; content:"|28 94 8d ab c9 c0 d1 99|"; offset:4; depth:8; dsize:16; threshold: type both, track by_src, count 10, seconds 600; classtype:trojan-activity; sid:2015482; rev:8; metadata:created_at 2012_07_16, updated_at 2012_07_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Simda.C Checkin"; flow:established,to_server; content:"/?"; nocase; http_uri; content:"=%96%"; http_raw_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Trident/4.0|3b| .NET CLR 2.0.50727|3b| .NET CLR 1.1.4322|3b| .NET CLR 3.0.04506.590|3b| .NET CLR 3.0.04506.648|3b| .NET CLR 3.5.21022|3b| .NET CLR 3.0.4506.2152|3b| .NET CLR 3.5.30729)|0d 0a|"; fast_pattern:37,20; http_header; pcre:"/^Host\x3a[^\r\n]+?\r\nUser-Agent\x3a[^\r\n]+?\r\n\r\n$/H"; reference:md5,10642e1067aca9f04ca874c02aabda5c; classtype:trojan-activity; sid:2016300; rev:3; metadata:created_at 2012_07_19, updated_at 2012_07_19;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/OnlineGame.DaGame Variant CnC Checkin"; flow:established,to_server; content:"/logexp.php?aid="; http_uri; content:"&pid="; http_uri; content:"&kind="; http_uri; pcre:"/User\x2DAgent\x3A\x20[a-f0-9]{5,14}\x0D\x0A/H"; classtype:trojan-activity; sid:2015489; rev:1; metadata:created_at 2012_07_19, updated_at 2012_07_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ProxyBox -ProxyBotCommand - CHECK_ME"; flow:established,to_server; content:"CHECK_ME|0D 0A|Port|3a| "; depth:16; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015502; rev:2; metadata:created_at 2012_07_21, updated_at 2012_07_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ProxyBox - HTTP CnC - .com.tw/check_version.php"; flow:established,to_server; content:"/check_version.php"; http_uri; content:"&version="; http_uri; content:".com.tw|0D 0A|"; http_header; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015503; rev:1; metadata:created_at 2012_07_21, updated_at 2012_07_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ProxyBox - HTTP CnC - POST 1-letter.php"; flow:established,to_server; content:"POST"; http_method; urilen:6; content:"Indy Library"; http_header; pcre:"/^\/[a-z]\.php/U"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015504; rev:5; metadata:created_at 2012_07_21, updated_at 2012_07_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ProxyBox - HTTP CnC - getiplist.php"; flow:established,to_server; content:"/getiplist.php"; http_uri; content:!"User-Agent"; http_header; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015505; rev:2; metadata:created_at 2012_07_21, updated_at 2012_07_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ProxyBox - HTTP CnC - get_servers.php"; flow:established,to_server; content:"/get_servers.php?"; http_uri; content:!"User-Agent"; http_header; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015506; rev:2; metadata:created_at 2012_07_21, updated_at 2012_07_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ProxyBox - HTTP CnC - botinfo.php"; flow:established,to_server; content:"/botinfo.php?"; http_uri; content:!"User-Agent"; http_header; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015508; rev:2; metadata:created_at 2012_07_21, updated_at 2012_07_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ProxyBox - ProxyBotCommand - I_AM"; flow:established,to_server; content:"I_AM|0D 0A|"; depth:6; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015510; rev:2; metadata:created_at 2012_07_21, updated_at 2012_07_21;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ProxyBox - ProxyBotCommand - FORCE_AUTHENTICATION*"; flow:established,to_client; content:"FORCE_AUTHENTICATION_"; depth:21; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015511; rev:2; metadata:created_at 2012_07_21, updated_at 2012_07_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Urlzone/Bebloh/Bublik Checkin /was/vas.php"; flow:established,to_server; content:"POST"; http_method; content:"/was/vas.php"; http_uri; fast_pattern:only; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fBublik.B; reference:url,www.threatexpert.com/report.aspx?md5=3ccc73f049a1de731baf7ea8915c92a8; reference:url,www.threatexpert.com/report.aspx?md5=91ce41376a5b33059744cb58758213bb; reference:url,www.threatexpert.com/report.aspx?md5=21880326089f2eab466128974fc70d24; classtype:trojan-activity; sid:2015512; rev:4; metadata:tag Banking_Trojan, created_at 2012_07_23, malware_family URLZone, updated_at 2018_04_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Pakes2 - Server Hello"; flow:established,to_client; dsize:11; content:"|01 00 01 ae 84 e3 aa 1f 90|"; offset:2; depth:9; classtype:trojan-activity; sid:2015521; rev:2; metadata:created_at 2012_07_25, updated_at 2012_07_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Lethic - Client Alive"; flow:established,to_server; dsize:6; content:"|01 00 21 01|"; offset:2; depth:4; classtype:trojan-activity; sid:2015522; rev:3; metadata:created_at 2012_07_25, updated_at 2016_07_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes2 - Checkin - /test.php"; flow:established,to_server; urilen:9; content:"/test.php"; http_uri; fast_pattern:only; content:!"User-Agent"; http_header; classtype:trojan-activity; sid:2015523; rev:1; metadata:created_at 2012_07_25, updated_at 2012_07_25;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET [5080,$HTTP_PORTS] (msg:"ET TROJAN Win32.Agent2.fher Related User-Agent (Microsoft Internet Updater)"; flow:established,to_server; content:"User-Agent|3a| Microsoft|20|Internet|20|Updater|0d 0a|"; fast_pattern:12,20; reference:md5,2c832d51e4e72dc3939c224cc282152c; classtype:trojan-activity; sid:2015528; rev:3; metadata:created_at 2012_07_26, updated_at 2012_07_26;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN HTTP Request to RunForestRun DGA Domain 16-alpha.waw.pl"; flow:established,to_server; content:".waw.pl|0D 0A|"; nocase; fast_pattern:only; http_header; pcre:"/^Host\x3a\s[^\r\n]+?\.[abedgfihkmlonqpsruwvyxz]{16}\.waw\.pl\r$/Hmi"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015530; rev:4; metadata:created_at 2012_07_26, updated_at 2012_07_26;)

#alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to RunForestRun DGA Domain 16-alpha.waw.pl"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|"; distance:0; content:"|03|waw|02|pl|00|"; fast_pattern; within:24; nocase; pcre:"/\x10[abedgfihkmlonqpsruwvyxz]{16}\x03waw\x02pl\x00/i"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015531; rev:4; metadata:created_at 2012_07_26, updated_at 2012_07_26;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ZeroAccess HTTP GET request"; flow:established,to_server; content:"GET"; http_method; nocase; content:"?w="; fast_pattern:only; http_uri; content:"&i="; http_uri; content:"&v="; http_uri; content:"Host|3a 20|"; depth:6; http_header; content:"Connection|3a 20|close|0d 0a|Cookie|3a 20|"; content:!"Accept"; http_header; pcre:"/\/\d{10}\?w=\d{3}&i=\d{6,10}&v=\d\.\d$/U"; classtype:trojan-activity; sid:2015535; rev:3; metadata:created_at 2012_07_26, updated_at 2012_07_26;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Generic - ProxyJudge Reverse Proxy Scoring Activity"; flow:established,to_client; file_data; content:"ProxyJudge V"; fast_pattern:only; nocase; classtype:trojan-activity; sid:2015532; rev:1; metadata:created_at 2012_07_26, updated_at 2012_07_26;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Karagany checkin (sid5 1)"; flow:to_server,established; content:"?f="; http_uri; content:"&t="; http_uri; content:"&sid5="; http_uri; content:!"Accept|3a| "; http_header; classtype:trojan-activity; sid:2015533; rev:2; metadata:created_at 2012_07_26, updated_at 2012_07_26;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Karagany checkin (sid5 2)"; flow:to_server,established; content:"?mode="; http_uri; content:"&f="; http_uri; content:"&sid5="; http_uri; content:!"Accept|3a| "; http_header; classtype:trojan-activity; sid:2015534; rev:2; metadata:created_at 2012_07_26, updated_at 2012_07_26;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Keep-Alive (INBOUND)"; flow:from_server,established; content:"P[endof]"; dsize:8; reference:md5,0ae2261385c482d55519be9b0e4afef3; reference:url,anubis.iseclab.org/?action=result&task_id=1043e1f5f61319b944d51d0d6d7e23f2e; reference:md5,41a0a4c0831dbcbbfd877c7d37b671e0; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2012/09/the-story-behind-backdoorlv.html; classtype:trojan-activity; sid:2017417; rev:9; metadata:created_at 2012_07_30, updated_at 2012_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan Cridex checkin"; flow:established,to_server; content:"POST"; http_method; content:"/mx5/B/in/"; fast_pattern:only; http_uri; reference:url,blog.webroot.com/2012/07/13/spamvertised-american-airlines-themed-emails-lead-to-black-hole-exploit-kit/; reference:url,stopmalvertising.com/rootkits/analysis-of-cridex.html; classtype:trojan-activity; sid:2015546; rev:4; metadata:created_at 2012_07_30, updated_at 2012_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes2 - EXE Download Request"; flow:established,to_server; urilen:<12; content:".exe"; http_uri; fast_pattern; content:"1.1|0D 0A|User-Agent|3a| Mozilla/4.0|0D 0A|Host|3a| "; content:"|0D 0A 0D 0A|"; within:19; classtype:trojan-activity; sid:2015547; rev:3; metadata:created_at 2012_07_30, updated_at 2012_07_30;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Likely Shylock/URLzone/Gootkit/Zeus Panda C2)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"|55 04 0a|"; content:"|0e|MyCompany Ltd."; distance:1; within:15; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:bad-unknown; sid:2015560; rev:6; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Banking_Trojan, signature_severity Major, created_at 2012_08_01, malware_family URLZone, updated_at 2018_04_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Jorik.Totem.vg HTTP request"; flow:established,to_server; content:"/?xclzve_"; depth:9; http_uri; reference:md5,cf5df13f8498326f1c6407749b3fe160; classtype:trojan-activity; sid:2015562; rev:1; metadata:created_at 2012_08_03, updated_at 2012_08_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Lile.A DoS Outbound"; flow:established,to_server; content:"GET"; http_method; content:"UserAgent|3a|"; http_header; content:"Windows 98"; fast_pattern:only; http_header; content:"Host|3a| www.fbi.gov"; http_header; threshold:type limit, track by_src, count 1, seconds 30; reference:url,symantec.com/security_response/writeup.jsp?docid=2005-101311-0945-99&tabid=2; reference:md5,d6d0cd7eca2cef5aad66efbd312a7987; classtype:trojan-activity; sid:2015577; rev:4; metadata:created_at 2012_08_06, updated_at 2012_08_06;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MP-FormGrabber Checkin"; flow:established,to_server; content:"/panel/gate.php?host="; nocase; http_uri; content:"&data="; nocase; distance:0; http_uri; reference:url,www.xylibox.com/2012/08/mp-formgrabber.html?spref=tw; classtype:trojan-activity; sid:2015587; rev:1; metadata:created_at 2012_08_07, updated_at 2012_08_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FinFisher Malware Connection Initialization"; flow:to_server,established; content:"|0c 00 00 00 40 01 73 00|"; depth:8; reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher; classtype:trojan-activity; sid:2015594; rev:2; metadata:created_at 2012_08_09, updated_at 2012_08_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FinFisher Malware Connection Handshake"; flow:to_server,established; content:"|5c 00 00 00 a0 02 72 00 0c 00 00 00 40 04 fe 00|"; depth:16; reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher; classtype:trojan-activity; sid:2015595; rev:2; metadata:created_at 2012_08_09, updated_at 2012_08_09;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query Gauss Domain *.gowin7.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|gowin7|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015597; rev:3; metadata:created_at 2012_08_09, updated_at 2012_08_09;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query Gauss Domain *.secuurity.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|secuurity|03|net|00|"; fast_pattern; nocase; distance:0; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015598; rev:3; metadata:created_at 2012_08_09, updated_at 2012_08_09;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query Gauss Domain *.bestcomputeradvisor.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|bestcomputeradvisor|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015599; rev:4; metadata:created_at 2012_08_09, updated_at 2012_08_09;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query Gauss Domain *.dotnetadvisor.info"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|dotnetadvisor|04|info|00|"; fast_pattern; nocase; distance:0; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015600; rev:4; metadata:created_at 2012_08_09, updated_at 2012_08_09;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query Gauss Domain *.dataspotlight.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|dataspotlight|03|net|00|"; fast_pattern; nocase; distance:0; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015601; rev:4; metadata:created_at 2012_08_09, updated_at 2012_08_09;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query Gauss Domain *.guest-access.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|guest-access|03|net|00|"; fast_pattern; nocase; distance:0; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015602; rev:4; metadata:created_at 2012_08_09, updated_at 2012_08_09;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN DOCHTML C&C http directive in HTML comments"; flow:established,from_server; content:"|3c|!-- DOCHTMLhttp|3a|//"; reference:url,blog.accuvantlabs.com/blog/dgrif/anatomy-targeted-attack; classtype:trojan-activity; sid:2015616; rev:2; metadata:created_at 2012_08_10, updated_at 2012_08_10;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Smardf/Boaxxe GET to cc.php3"; flow:established,to_server; content:"/cc.php3"; http_uri; fast_pattern:only; content:"GET"; http_method; content:!"|0d 0a|Accept"; http_header; reference:md5,f856b4c526c3e5cee9d47df59295d2e1; reference:md5,232b4dbed0453e2a952630fb1076248f; classtype:trojan-activity; sid:2015617; rev:1; metadata:created_at 2012_08_10, updated_at 2012_08_10;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query Gauss Domain *.datajunction.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|datajunction|03|org|00|"; fast_pattern; nocase; distance:0; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015618; rev:3; metadata:created_at 2012_08_13, updated_at 2012_08_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Urlzone/Bebloh/Bublik Checkin /was/uid.php"; flow:established,to_server; content:"POST"; http_method; content:"/was/uid.php"; fast_pattern:only; http_uri; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fBublik.B; reference:url,www.threatexpert.com/report.aspx?md5=3ccc73f049a1de731baf7ea8915c92a8; reference:url,www.threatexpert.com/report.aspx?md5=91ce41376a5b33059744cb58758213bb; reference:url,www.threatexpert.com/report.aspx?md5=21880326089f2eab466128974fc70d24; classtype:trojan-activity; sid:2015623; rev:1; metadata:tag Banking_Trojan, created_at 2012_08_13, malware_family URLZone, updated_at 2018_04_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Shamoon/Wiper/DistTrack Checkin"; flow:to_server,established; content:"/data.asp?mydata="; http_uri; content:"&uid="; http_uri; content:"&state="; http_uri; content:"User-Agent|3a| you"; http_header; reference:url,www.symantec.com/connect/blogs/shamoon-attacks; reference:url,www.securelist.com/en/blog/208193786/Shamoon_the_Wiper_Copycats_at_Work; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23936/en_US/McAfee_Labs_Threat_Advisory_W32_DistTrack.pdf; classtype:trojan-activity; sid:2015632; rev:4; metadata:created_at 2012_08_16, updated_at 2012_08_16;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Briba Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"loginmid="; http_client_body; content:"nickid="; http_client_body; reference:url,labs.alienvault.com/labs/index.php/2012/cve-2012-1535-adobe-flash-being-exploited-in-the-wild/; classtype:trojan-activity; sid:2015635; rev:2; metadata:created_at 2012_08_16, updated_at 2012_08_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.JS.QLP Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/read.php?nm="; http_uri; depth:16; content:!"User-Agent|3a|"; http_header; classtype:trojan-activity; sid:2015673; rev:2; metadata:created_at 2012_08_30, updated_at 2012_08_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dapato Checkin 8"; flow:established,to_server; content:"GET"; http_method; nocase; content:"?uid={"; http_uri; content:"}&user="; fast_pattern:only; http_uri; content:"&os="; http_uri; content:"User-Agent|3a 20|Mozilla/4.1"; http_header; reference:md5,de7c781205d31f58a04d5acd13ff977d; classtype:trojan-activity; sid:2015713; rev:6; metadata:created_at 2012_09_18, updated_at 2012_09_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mirage Campaign checkin"; flow:established,to_server; content:"POST"; http_method; content:"/result?hl="; depth:11; http_uri; content:"&meta="; distance:0; http_uri; content:"Mjtdkj"; depth:6; http_client_body; reference:md5,ce1cdc9c95a6808945f54164b2e4d9d2; reference:url,secureworks.com/research/threats/the-mirage-campaign/; classtype:trojan-activity; sid:2015714; rev:1; metadata:created_at 2012_09_19, updated_at 2012_09_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Mirage Campaign checkin (port 443)"; flow:established,to_server; content:"POST "; depth:5; content:"/result?hl="; offset:5; depth:11; content:"&meta="; distance:0; content:"|0d 0a 0d 0a|Mjtdkj"; distance:0; reference:md5,ce1cdc9c95a6808945f54164b2e4d9d2; reference:url,secureworks.com/research/threats/the-mirage-campaign/; classtype:trojan-activity; sid:2015715; rev:3; metadata:created_at 2012_09_19, updated_at 2012_09_19;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN SSL Cert Used In Unknown Exploit Kit (ashburn)"; flow:established,from_server; content:"ashburn@gmail.com"; fast_pattern:only; classtype:trojan-activity; sid:2015717; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2012_09_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN SSL Cert Used In Unknown Exploit Kit"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; distance:3; within:1; byte_extract:3,0,Certs.len,relative; content:"|55 04 0a 0c 0C|The Internet"; distance:3; within:Certs.len; content:"|55 04 03 0c 03|web"; distance:0; classtype:trojan-activity; sid:2015718; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2012_09_19, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET [$HTTP_PORTS,84] -> $HOME_NET any (msg:"ET TROJAN Win32/Kuluoz.B CnC"; flow:from_server,established; content:"|0d 0a 0d 0a|c=run&u=/get/"; content:".exe"; distance:0; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2015902; rev:4; metadata:created_at 2012_09_20, updated_at 2012_09_20;)

#alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to Unknown CnC DGA Domain palauone.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|08|palauone|03|com|00|"; nocase; distance:4; within:14; fast_pattern; classtype:bad-unknown; sid:2015719; rev:2; metadata:created_at 2012_09_20, updated_at 2012_09_20;)

#alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to Unknown CnC DGA Domain traindiscover.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|0d|traindiscover|03|com|00|"; nocase; distance:4; within:19; fast_pattern; classtype:bad-unknown; sid:2015720; rev:3; metadata:created_at 2012_09_20, updated_at 2012_09_20;)

#alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to Unknown CnC DGA Domain manymanyd.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|09|manymanyd|03|com|00|"; nocase; distance:4; within:15; fast_pattern; classtype:bad-unknown; sid:2015721; rev:3; metadata:created_at 2012_09_20, updated_at 2012_09_20;)

#alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to Unknown CnC DGA Domain whatandwhyeh.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|0c|whatandwhyeh|03|com|00|"; nocase; distance:4; within:18; fast_pattern; classtype:bad-unknown; sid:2015722; rev:3; metadata:created_at 2012_09_20, updated_at 2012_09_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ZeroAccess Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/counter.img?theme="; fast_pattern:only; http_uri; content:"&digits="; http_uri; content:"&siteId="; http_uri; content:"User-Agent|3a| Opera/9 (Windows NT"; http_header; reference:url,sophos.com/en-us/medialibrary/PDFs/technical%20papers/Sophos_ZeroAccess_Botnet.pdf; reference:url,malwaremustdie.blogspot.co.uk/2013/02/blackhole-of-closest-version-with.html; classtype:trojan-activity; sid:2015723; rev:2; metadata:created_at 2012_09_20, updated_at 2012_09_20;)

#alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to Unknown CnC DGA Domain bktwenty.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|08|bktwenty|03|com|00|"; nocase; distance:4; within:14; fast_pattern; classtype:bad-unknown; sid:2015728; rev:3; metadata:created_at 2012_09_21, updated_at 2012_09_21;)

#alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to Unknown CnC DGA Domain sleeveblouse.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|0c|sleeveblouse|03|com|00|"; nocase; distance:4; within:18; fast_pattern; classtype:bad-unknown; sid:2015730; rev:3; metadata:created_at 2012_09_21, updated_at 2012_09_21;)

#alert tcp $EXTERNAL_NET [$HTTP_PORTS,84] -> $HOME_NET any (msg:"ET TROJAN Win32/Kuluoz.B CnC 2"; flow:from_server,established; content:"|0d 0a 0d 0a|c=idl"; fast_pattern; isdataat:!1,relative; reference:md5,a88ba0c2b30afba357ebb38df9898f9e; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2015903; rev:8; metadata:created_at 2012_09_24, updated_at 2012_09_24;)

#alert tcp $EXTERNAL_NET [$HTTP_PORTS,84] -> $HOME_NET any (msg:"ET TROJAN Win32/Kuluoz.B CnC 3"; flow:from_server,established; content:"200 OK|0d 0a|Server|3a| "; content:"|0d 0a 0d 0a|c=rdl&u="; distance:0; fast_pattern; content:"&a="; distance:0; content:"&k="; distance:0; content:"&n="; distance:0; reference:md5,96255178f15033362c81fb6d9b9c3ce4; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2015904; rev:5; metadata:created_at 2012_09_25, updated_at 2012_09_25;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query to Unknown CnC DGA Domain defmaybe.com 09/25/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|defmaybe|03|com|00|"; nocase; distance:0; classtype:bad-unknown; sid:2015736; rev:4; metadata:created_at 2012_09_25, updated_at 2012_09_25;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query to Unknown CnC DGA Domain adbullion.com 09/26/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|adbullion|03|com|00|"; nocase; distance:0; classtype:bad-unknown; sid:2015741; rev:4; metadata:created_at 2012_09_27, updated_at 2012_09_27;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN SSL Cert Used In Unknown Exploit Kit"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; distance:3; within:1; byte_extract:3,0,Certs.len,relative; content:"|55 04 06 13 02|SE"; distance:3; within:Certs.len; content:"|55 04 08 13 01 20|"; distance:0; content:"|55 04 07 13 01 20|"; distance:0; content:"|55 04 0a 13 01 20|"; distance:0; content:"|55 04 0b 13 01 20|"; distance:0; content:"|55 04 03 13 01 20|"; distance:0; fast_pattern; classtype:trojan-activity; sid:2015742; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2012_09_27, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fake Anti-Hacking Tool"; flow:established,to_server; content:"/update/WinUpdater.exe"; http_uri; content:!"User-Agent|3a|"; http_header; reference:md5,93443e59c473b89b5afad940a843982a; reference:url,eff.org/deeplinks/2012/08/syrian-malware-post; classtype:trojan-activity; sid:2015748; rev:2; metadata:created_at 2012_09_28, updated_at 2012_09_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pincav.cjvb Checkin"; flow:established,to_server; content:"POST"; http_method; nocase; content:"User-Agent|3A 20|Asynchronous WinHTTP"; http_header; content:"CyoK"; http_client_body; depth:4; content:"CyoK"; http_client_body; distance:0; reference:md5,1e5499640ca31e4b1f113b97a0cae08b; classtype:trojan-activity; sid:2015753; rev:2; metadata:created_at 2012_10_01, updated_at 2012_10_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan Downloader GetBooks UA"; flow:established,to_server; content:"User-Agent|3a| GetBooks"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015756; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2012_10_03, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot UA"; flow:established,to_server; content:"Windows NT 7.1"; http_header; content:"Firefox/9.1.2"; http_header; classtype:trojan-activity; sid:2015780; rev:3; metadata:created_at 2012_10_04, updated_at 2012_10_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.Pushdo.s Checkin"; flow:to_server,established; content:"POST"; http_method; urilen:39; content:"/?ptrxcz_"; fast_pattern:only; http_uri; pcre:"/^\/\?ptrxcz_[a-z0-9A-Z]{30}$/U"; reference:md5,58ffe2b79be4e789be80f92b7f96e20c; classtype:trojan-activity; sid:2015807; rev:2; metadata:created_at 2012_10_05, updated_at 2012_10_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ransom.Win32.Birele.gsg Checkin"; flow:established,to_server; content:".html"; http_uri; content:"From|3a| "; depth:6; http_header;  content:"Via|3a| "; http_header; content:!"1|2e|"; within:2; http_header; content:!"User-Agent|3a| "; http_header; pcre:"/^\/\d+?\/\d+?\.html$/Ui"; pcre:"/^From\x3a \d+?\r\n/Hmi"; reference:md5,116aaaa5765228d61501322b02a6a3b1; reference:md5,2e66f39a263cb2e95425847b60ee2a93; reference:md5,0ea9b34e9d77b5a4ef5170406ed1aaed; classtype:trojan-activity; sid:2015786; rev:3; metadata:created_at 2012_10_09, updated_at 2012_10_09;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Winlock.6870 SSL Cert"; flow:from_server,established; content:"|00 cc 05 c7 80 14 cf 3f 50|"; content:"|55 04 08 13 0c|Someprovince"; distance:0; content:"|55 04 07 13 08|Sometown"; distance:0; classtype:trojan-activity; sid:2015795; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2012_10_12, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Fareit.A/Pony Downloader Checkin (2)"; flow:to_server,established; content:"ch=1"; http_uri; fast_pattern:only; content:"ch=1"; http_client_body; depth:4; pcre:"/ch=1$/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit.A; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit; reference:url,www.threatexpert.com/report.aspx?md5=99fab94fd824737393f5184685e8edf2; reference:url,www.threatexpert.com/report.aspx?md5=9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:url,www.threatexpert.com/report.aspx?md5=d50c39753ba88daa00bc40848f174168; reference:url,www.threatexpert.com/report.aspx?md5=bf422f3aa215d896f55bbe2ebcd25d17; classtype:trojan-activity; sid:2015799; rev:5; metadata:created_at 2012_10_12, updated_at 2012_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dorkbot GeoIP Lookup to wipmania"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|Host|3a| api.wipmania.com|0d 0a|"; http_header; depth:49; fast_pattern:31,18; classtype:trojan-activity; sid:2015800; rev:6; metadata:created_at 2012_10_12, updated_at 2012_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN System Progressive Detection FakeAV (INTEL)"; flow:to_server,established; content:"ts="; http_uri; nocase; content:"affid="; http_uri; nocase; content:"|3b|c|3a|INT-"; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+\(b\x3a\d+?\x3bc\x3aINT-/Hm"; reference:md5,76bea2200601172ebc2374e4b418c63a; classtype:trojan-activity; sid:2015860; rev:5; metadata:created_at 2012_10_12, updated_at 2012_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN System Progressive Detection FakeAV (AMD)"; flow:to_server,established; content:"ts="; http_uri; nocase; content:"affid="; http_uri; nocase; content:"|3b|c|3a|AMD-"; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+\(b\x3a\d+?\x3bc\x3aAMD-/Hm"; reference:md5,76bea2200601172ebc2374e4b418c63a; classtype:trojan-activity; sid:2015861; rev:5; metadata:created_at 2012_10_12, updated_at 2012_10_12;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mini-Flame v 4.x C2 HTTP request"; flow:established,to_server; content:"/cgi-bin/feed.cgi"; http_uri; fast_pattern:only; pcre:"/(?:web(?:\.(?:velocitycache\.com|autoflash\.info)|update\.(?:dyndns\.info|hopto\.org)|app\.serveftp\.com)|flash(?:center\.info|rider\.org)|cache\.dyndns\.info)\r?$/Hmi"; reference:url,www.securelist.com/en/analysis/204792247/miniFlame_aka_SPE_Elvis_and_his_friends; classtype:trojan-activity; sid:2015805; rev:1; metadata:created_at 2012_10_16, updated_at 2012_10_16;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mini-Flame v 5.x C2 HTTP request"; flow:established,to_server; content:"/cgi-bin/counter.cgi"; http_uri; fast_pattern:only; pcre:"/(?:(?:nvidia(?:s(?:tream|oft)|drivers)|(?:rendercode|videosyn)c|flashupdates|syncstream)\.info|194\.192\.14\.125|202\.75\.58\.179)\r?$/Hmi"; reference:url,www.securelist.com/en/analysis/204792247/miniFlame_aka_SPE_Elvis_and_his_friends; classtype:trojan-activity; sid:2015806; rev:1; metadata:created_at 2012_10_16, updated_at 2012_10_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] (msg:"ET TROJAN Taidoor Checkin"; flow:established,to_server; content:"GET "; depth:4; content:".php?id="; fast_pattern; distance:6; within:8; pcre:"/^GET\s\/[a-z]{5}\.php\?id=[A-Z0-9]{18}\sHTTP\/1\.[0-1]\r\n/"; content:"MSIE 6.0|3b|"; distance:0; reference:md5,f4b8b51b75f67e68d0c1a9639e2488c3; classtype:trojan-activity; sid:2015808; rev:1; metadata:created_at 2012_10_17, updated_at 2012_10_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query Sinkhole Domain Various Families (Possible Infected Host)"; content:"|00 01 00 00 00 00 00 00|"; depth:8; offset:4; content:"|0f|torpig-sinkhole|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,www.sysenter-honeynet.org/?p=269; classtype:bad-unknown; sid:2015813; rev:7; metadata:created_at 2012_10_18, updated_at 2012_10_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Fujacks Activity"; flow:to_server,established; content:"User-Agent|3a| QQ|0d 0a|"; http_header; content:".whboy.net|0d 0a|"; nocase; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015814; rev:11; metadata:created_at 2012_10_18, updated_at 2012_10_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN GeckaSeka User-Agent"; flow: established,to_server; content:"GeckaSeka"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+GeckaSeka/Hi"; classtype:trojan-activity; sid:2015824; rev:3; metadata:created_at 2012_10_19, updated_at 2012_10_19;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus/Citadel Control Panel Access (Outbound)"; flow:established,to_server; content:".php?m=login"; fast_pattern:only; http_uri; nocase; content:"user="; http_client_body; depth:5; nocase; content:"pass="; http_client_body; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015825; rev:7; metadata:created_at 2012_10_22, updated_at 2012_10_22;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN Zeus/Citadel Control Panel Access (Inbound)"; flow:established,to_server; content:".php?m=login"; http_uri; fast_pattern:only; nocase; content:"user="; depth:5; http_client_body; nocase; content:"pass="; http_client_body; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015826; rev:6; metadata:created_at 2012_10_22, updated_at 2012_10_22;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Citadel API Access Iframer Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/iframer/"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015827; rev:5; metadata:created_at 2012_10_22, updated_at 2012_10_22;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN Citadel API Access IFramer Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/iframer/"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015828; rev:6; metadata:created_at 2012_10_22, updated_at 2012_10_22;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Citadel API Access VNC Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/vnc/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015829; rev:5; metadata:created_at 2012_10_22, updated_at 2012_10_22;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN Citadel API Access VNC Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/vnc/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015830; rev:5; metadata:created_at 2012_10_22, updated_at 2012_10_22;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Citadel API Access Bot Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; fast_pattern:only; http_uri; content:"/bots/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015831; rev:5; metadata:created_at 2012_10_22, updated_at 2012_10_22;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN Citadel API Access Bot Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; fast_pattern:only; http_uri; content:"/bots/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015832; rev:5; metadata:created_at 2012_10_22, updated_at 2012_10_22;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN Citadel API Access Video Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; fast_pattern:only; http_uri; content:"/video/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015834; rev:6; metadata:created_at 2012_10_22, updated_at 2012_10_22;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Smoke Loader C2 Response"; flow:established,from_server; content:"Content-Length|3a| 4|0d 0a|"; http_header; file_data; content:"Smk"; depth:3; fast_pattern; pcre:"/^\d+[\r\n]*?$/Rs"; classtype:trojan-activity; sid:2015835; rev:6; metadata:created_at 2012_10_22, updated_at 2012_10_22;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN SSL Cert Used In Unknown Exploit Kit"; flow:established,from_server; content:"|00 c8 b9 67 4e 25 75 e9 92|"; content:"|55 04 06 13 02 4e 4c|"; distance:0; content:"|55 04 07 0c 01 20|"; distance:0; content:"|55 04 03 0c 01 20|"; distance:0; classtype:trojan-activity; sid:2015837; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2012_10_23, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Xtrat Checkin 2"; flow:to_server,established; content:"GET "; depth:4; pcre:"/^[^\r\n]+\/1234\.functions HTTP/R"; content:"/1234.functions HTTP"; fast_pattern:only; reference:md5,fea70e818984b82c9a6bbdc5157d4a40; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fXtrat.A; classtype:trojan-activity; sid:2016599; rev:4; metadata:created_at 2012_10_25, updated_at 2012_10_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Georgian Targeted Attack - Trojan Checkin"; flow:established,to_server; content:"/index312.php?ver="; http_uri; content:"&cam="; http_uri; content:"&p=spy"; http_uri; content:"&id="; http_uri; reference:md5,d4af87ba30c59d816673df165511e466; reference:url,dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf; classtype:trojan-activity; sid:2015850; rev:2; metadata:created_at 2012_10_31, updated_at 2012_10_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Georbot requesting update"; flow:to_server,established; content:"/modules/docs/upload/calc.exe"; http_uri; classtype:trojan-activity; sid:2015853; rev:1; metadata:created_at 2012_10_31, updated_at 2012_10_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Georbot initial checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:".php?ver="; http_uri; content:"&p=cert123"; fast_pattern:only; http_uri; content:"&id="; http_uri; classtype:trojan-activity; sid:2015854; rev:1; metadata:created_at 2012_10_31, updated_at 2012_10_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Georbot checkin"; flow:to_server,established; content:".php?ver="; http_uri; content:"&p=bot123"; http_uri; content:"&id="; http_uri; classtype:trojan-activity; sid:2015855; rev:2; metadata:created_at 2012_10_31, updated_at 2012_10_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potentially Unwanted Program RebateInformerSetup.exe Download Reporting"; flow:established,to_server; content:"/RebateInformerSetup.exe"; fast_pattern; nocase; http_uri; content:"User-Agent|3a| Inno Setup Downloader"; http_header; reference:url,www.ripoffreport.com/directory/rebategiant-com.aspx; classtype:trojan-activity; sid:2015862; rev:2; metadata:created_at 2012_11_02, updated_at 2012_11_02;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.ADDNEW (DarKDdoser) CnC 1"; flow:to_server,established; dsize:<100; content:"ADDNEW|7C|ddoser|7C|"; depth:14; pcre:"/\x7C(NEW|Awaiting commands)/R"; reference:url,blog.fireeye.com/research/2012/11/backdooraddnew-darkddoser-and-gh0st-a-match-made-in-heaven.html; reference:md5,691305b05ae75389526aa7c15b319c3b; classtype:trojan-activity; sid:2015868; rev:2; metadata:created_at 2012_11_06, updated_at 2012_11_06;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.ADDNEW (DarKDdoser) CnC 2"; flow:to_server,established; dsize:<100; content:"ADDNEW|7C|Zombie|7C|"; depth:14; pcre:"/\x7C(NEW|Awaiting commands)/R"; reference:url,blog.fireeye.com/research/2012/11/backdooraddnew-darkddoser-and-gh0st-a-match-made-in-heaven.html; reference:md5,691305b05ae75389526aa7c15b319c3b; classtype:trojan-activity; sid:2015869; rev:2; metadata:created_at 2012_11_06, updated_at 2012_11_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.ADDNEW (DarKDdoser) CnC 3"; flow:to_server,established; dsize:<100; content:"ADDNEW|7C|Stable|7C|"; depth:14; pcre:"/\x7C(NEW|Awaiting commands)/R"; reference:url,blog.fireeye.com/research/2012/11/backdooraddnew-darkddoser-and-gh0st-a-match-made-in-heaven.html; reference:md5,691305b05ae75389526aa7c15b319c3b; classtype:trojan-activity; sid:2015870; rev:2; metadata:created_at 2012_11_06, updated_at 2012_11_06;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Known Reveton Domain HTTP whatwillber.com"; flow:established,to_server; content:"whatwillber.com|0d 0a|"; http_header; fast_pattern:only; metadata: former_category TROJAN; classtype:trojan-activity; sid:2015874; rev:4; metadata:created_at 2012_11_08, updated_at 2018_02_08;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query Known Reveton Domain whatwillber.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|whatwillber|03|com|00|"; nocase; distance:0; classtype:bad-unknown; sid:2015875; rev:5; metadata:created_at 2012_11_08, updated_at 2012_11_08;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown FakeAV - /get/*.crp"; flow:established,to_server; content:"/get/"; http_uri; content:".crp"; http_uri; fast_pattern; classtype:trojan-activity; sid:2015894; rev:1; metadata:created_at 2012_11_19, updated_at 2012_11_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown_comee.pl - POST with stpfu in http_client_body"; flow:established,to_server; content:"POST"; http_method; content:"stpfu"; http_client_body; depth:5; classtype:trojan-activity; sid:2015895; rev:1; metadata:created_at 2012_11_19, updated_at 2012_11_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Andromeda Check-in Response"; flow:established,to_client; content:"Content-Length|3a| 9|0d 0a|"; http_header; file_data; content:"|6C 95 32 CB|"; within:4; metadata: former_category TROJAN; classtype:trojan-activity; sid:2015896; rev:4; metadata:created_at 2012_11_19, updated_at 2017_10_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lyposit Ransomware Checkin 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ad"; depth:3; http_uri; pcre:"/^\/ad[^\x2f]*?\/\?[a-z]{1,5}\x3d\x2e?[a-z0-9]+?$/Ui"; content:"User-Agent|3a| Microsoft BITS/"; http_header; classtype:trojan-activity; sid:2015957; rev:5; metadata:created_at 2012_11_28, updated_at 2012_11_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lyposit Ransomware Checkin 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ad/?"; depth:5; http_uri; fast_pattern; pcre:"/^\/ad\/\?[a-z]{1,4}\x3d[a-z0-9]+?$/Ui"; content:!"User-Agent|3a| "; http_header; classtype:trojan-activity; sid:2015958; rev:1; metadata:created_at 2012_11_28, updated_at 2012_11_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [443,80,8080,9000:9009] (msg:"ET TROJAN WORM_VOBFUS Checkin 1"; flow:established,to_server; content:"GET "; depth:4; content:"/1/?"; within:4; content:" HTTP"; distance:1; within:5; content:"MSIE 7.0|3b|"; content:".ddns"; fast_pattern; content:".eu|0d 0a|"; distance:1; within:5; pcre:"/\r\nHost\x3a \d{5}\x2eddns[a-z0-9]\x2eeu\r\n\r\n$/"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; classtype:trojan-activity; sid:2015968; rev:5; metadata:created_at 2012_11_29, updated_at 2012_11_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN WORM_VOBFUS Requesting exe"; flow:established,to_server; content:"|3f|"; offset:6; depth:11; content:"GET "; depth:4; pcre:"/^\/[a-z0-9]{1,10}\/?\?.+? HTTP\/1\.[0-1]/Ri"; content:"|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|Host|3a 20|"; within:77; fast_pattern:57,20; pcre:"/^[^\r\n]+?(\r\nConnection\x3a Keep-Alive)?\r\n\r\n$/Ri"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; classtype:trojan-activity; sid:2015969; rev:12; metadata:created_at 2012_11_29, updated_at 2012_11_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [443,80,8080,9000:9009] (msg:"ET TROJAN WORM_VOBFUS Checkin Generic"; flow:established,to_server; content:"GET "; depth:4; content:"/1/?"; within:4; fast_pattern; content:" HTTP"; distance:1; within:5; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|"; pcre:"/GET \/1\/\?\w HTTP\/1\.1\r\nUser-Agent\x3a Mozilla\/4\.0 \x28compatible\x3b MSIE 7\.0\x3b Windows NT 5\.1\x3b SV1\x29\r\nHost\x3a .+?(\x3a(443|8080|900[0-9]))?\x0d\x0a\x0d\x0a$/i"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; reference:url,blog.dynamoo.com/2012/11/vobfus-sites-to-block.html; classtype:trojan-activity; sid:2015976; rev:2; metadata:created_at 2012_12_03, updated_at 2012_12_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Kuluoz.B Request"; flow:established,to_server; content:"GET"; http_method; pcre:"/\/[a-f0-9]+$/Ui"; content:"Windows NT 9.0|3b|"; http_header; pcre:"/^Host\x3a\s*(\d{1,3}\.){3}\d{1,3}(\x3a\d{1,5})?\r?$/Hmi"; reference:md5,0282bc929bae27ef95733cfa390b10e0; classtype:trojan-activity; sid:2015985; rev:2; metadata:created_at 2012_12_04, updated_at 2012_12_04;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Quarian HTTP Proxy Header"; flow:established,to_server; content:"Content_length|3A 20|"; http_header; content:"Proxy-Connetion|3A 20|"; http_header; reference:url,vrt-blog.snort.org/2012/12/quarian.html; classtype:trojan-activity; sid:2015999; rev:1; metadata:created_at 2012_12_07, updated_at 2012_12_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Necurs"; flow:to_server,established; content:"POST"; http_method; content:"/iis/host.aspx"; http_uri; fast_pattern; content:!"User-Agent|3a|"; http_header; content:"application/octet-stream"; http_header; reference:md5,871ecf11ddd7ffe294cab82bcaf9c310; reference:url,blogs.technet.com/b/mmpc/archive/2012/12/06/unexpected-reboot-necurs.aspx; classtype:trojan-activity; sid:2016000; rev:1; metadata:created_at 2012_12_07, updated_at 2012_12_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Win32/Trojan.Agent.AXMO CnC Beacon"; flow:established,to_server; content:"POST"; content:"/log HTTP/1."; distance:0; fast_pattern; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; distance:0; reference:url,contagiodump.blogspot.co.uk/2012/12/osxdockstera-and-win32trojanagentaxmo.html; classtype:trojan-activity; sid:2016014; rev:1; metadata:created_at 2012_12_07, updated_at 2012_12_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SmokeBot grab data plaintext"; flow:established,to_server; content:"cmd=grab&data="; fast_pattern:only; http_client_body; content:"&login="; http_client_body; classtype:trojan-activity; sid:2016011; rev:3; metadata:created_at 2012_12_07, updated_at 2012_12_07;)

#alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to Pseudo Random Domain for Web Malware (.mynumber.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|"; distance:0; content:"|08|mynumber|03|org|00|"; distance:16; within:14; pcre:"/\x10[acdefghijlmopqrtwz]{16}\x08mynumber\x03org\x00/"; reference:url,blog.lab69.com/2012/12/another-implementation-of-pseudo-random.html; classtype:bad-unknown; sid:2018766; rev:2; metadata:created_at 2012_12_12, updated_at 2012_12_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/KeyLogger.ACQH!tr Checkin"; flow:to_server,established; content:".php?cn"; http_uri; content:"&str="; fast_pattern:only; http_uri; content:"&file="; http_uri; content:"User-Agent|3a| WinInetGet/"; http_header; pcre:"/\.php\?cn(ame)?=/U"; reference:md5,eddce1a6c0cc0eb7b739cb758c516975; reference:md5,c0d9352ad82598362a426cd38a7ecf0e; reference:url,www.fortiguard.com/av/VID4225990; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016912; rev:4; metadata:created_at 2012_12_12, updated_at 2012_12_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Kelihos.K Executable Download DGA"; flow:established,to_server; content:".exe"; http_uri; fast_pattern:only; content:"Host|3a 20|"; http_header; content:".ru|0d 0a|"; http_header; distance:7; within:6; pcre:"/^Host\x3a\x20(?:u(?:wf(?:ekfyj|ubpeb)|d(?:xowub|zycaf)|h(?:duxic|zubvo)|x(?:fokur|osgik)|celgos|ggifym|mpefan|qlahaf)|s(?:u(?:t(?:fasof|imjy)|kbewli)|i(?:ttanyg|webheb|hemuj)|e(?:suhror|xjereh)|o(?:haxim|qvaqo)|axyjuw)|r(?:i(?:zsebym|firac|sytfa|trios)|e(?:bfelqi|kvyfo)|u(?:xymqic|jfeag)|y(?:buhoq|kafeh)|acadpuh)|j(?:y(?:meegom|vvozoz|kyvca|torqu)|a(?:mwazer|ibzup)|e(?:btelyx|dytlu)|o(?:dkymy|kenqi))|o(?:t(?:geguuz|xolpow|pipug)|q(?:lapjim|jogxi)|cgaextu|gdowkys|jpaxlam|vquqaip|smuryf)|i(?:r(?:ojvuqu|hegre)|v(?:kikcop|nuvuk)|hmytog|kevzaq|mgohut|pdehas|wvahin|zxirfy)|b(?:y(?:(?:cmolh|vbym)y|gotbys|jlegta)|i(?:pulte|wuvba)|o(?:pwyeb|wbaiv))|p(?:e(?:dugtap|gyrgun|vhyvys)|y(?:nxomoj|ykxug)|a(?:gube|waha)v|ogwytfy)|d(?:e(?:afesqy|hjujuq)|o(?:hwapih|xilik)|a(?:lwoza|rabub)|inymak)|t(?:a(?:hfifak|ixcih)|i(?:wciwu|koqo)x|ecviqir|ozfyma|uriwil)|g(?:i(?:jevsog|nnyjyb)|olhysux|ywilhof|azuzoz|edopan|ubahvi)|y(?:(?:n(?:japru|kicy)|kocna)r|bsahov|dabxag|xyqwiz|zsabuq)|h(?:a(?:hsekju|poneg)|e(?:ztymut|dybih)|uquqxov|itakat)|w(?:a(?:pifnu|rkafo)c|e(?:tifjam|fecfo)|ibveces|yjenqo)|a(?:d(?:nedat|tesok)|qzepylu|baxhad|smukuf|wewsip)|l(?:u(?:(?:fseki|pylzu)m|ditla)|eqgugom|opoqyv)|z(?:u(?:pivzed|qijcel)|aefofin|idamuk|ylhomu)|v(?:u(?:njuet|ohsub)|ijsixem|otqygiq|euwhyz)|m(?:u(?:zupdyg|hipew|wosiv)|osjinme|abuhos)|x(?:o(?:fsimi|gitaj|moqol)|ikmonej|enacoz)|f(?:e(?:vnotow|tucxo)|i(?:dedhah|xavpu))|k(?:u(?:btyhuz|irfufo)|ejejib|ycufvy)|n(?:(?:iliqri|obzeky)x|eluzjiv)|c(?:ylqiduh|aqxaro|itsibe)|q(?:aijroke|iquzcy|uohdit)|e(?:gnisje|stesgo|vdyvaz))\.ru\r$/Hm"; classtype:trojan-activity; sid:2016029; rev:2; metadata:created_at 2012_12_12, updated_at 2012_12_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Faked Russian Opera UA without Accept - probable downloader"; flow:established,to_server; content:"User-Agent|3a 20|Opera/9.80"; http_header; content:"Edition Yx|3b| ru"; fast_pattern; http_header; distance:0; content:!"Accept|3a|"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016034; rev:1; metadata:created_at 2012_12_13, updated_at 2012_12_13;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Prinimalka Get Task CnC Beacon"; flow:established,to_server; content:"/command?user_id="; fast_pattern; http_uri; content:"&version_id="; http_uri; content:"&crc="; http_uri; reference:url,ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/; classtype:trojan-activity; sid:2016047; rev:1; metadata:created_at 2012_12_17, updated_at 2012_12_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Prinimalka Configuration Update Request"; flow:established,to_server; content:"/options?user_id="; http_uri; content:"&version_id="; http_uri; content:"&crc="; http_uri; content:"&uptime="; http_uri; content:"&port="; http_uri; content:"&ip="; http_uri; reference:url,ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/; classtype:trojan-activity; sid:2016048; rev:1; metadata:created_at 2012_12_17, updated_at 2012_12_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Prinimalka Prinimalka.py Script In CnC Beacon"; flow:established,to_server; content:"/prinimalka.py/"; http_uri; fast_pattern:only; reference:url,ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/; classtype:trojan-activity; sid:2016049; rev:1; metadata:created_at 2012_12_17, updated_at 2012_12_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Daws/Sanny CnC Initial Beacon"; flow:established,to_server; content:"/list.php?db="; http_uri; fast_pattern; content:"Accept-Language|3A| ko-kr"; http_header; reference:url,blog.fireeye.com/research/2012/12/to-russia-with-apt.html; reference:url,contagiodump.blogspot.co.uk/2012/12/end-of-year-presents-continue.html; classtype:trojan-activity; sid:2016050; rev:2; metadata:created_at 2012_12_17, updated_at 2012_12_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Daws/Sanny CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"/write.php"; http_uri; fast_pattern; content:"Accept-Language|3A| ko-kr"; http_header; content:"db="; http_client_body; depth:3; content:"&ch="; http_client_body; content:"&name="; http_client_body; content:"&email="; http_client_body; content:"&pw="; http_client_body;  reference:url,blog.fireeye.com/research/2012/12/to-russia-with-apt.html; reference:url,contagiodump.blogspot.co.uk/2012/12/end-of-year-presents-continue.html; classtype:trojan-activity; sid:2016051; rev:3; metadata:created_at 2012_12_17, updated_at 2012_12_17;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Linux/Chapro.A Malicious Apache Module CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"c="; http_client_body; depth:2; content:"&version="; http_client_body; distance:0; content:"&uname="; fast_pattern; http_client_body; distance:0; reference:url,blog.eset.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a; classtype:trojan-activity; sid:2016062; rev:1; metadata:created_at 2012_12_19, updated_at 2012_12_19;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TROJAN Unk_Banker - Check In"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| Opera/11.1"; http_header; content:"&action=check"; http_client_body; content:"&id="; http_client_body; content:"&version2="; http_client_body; classtype:trojan-activity; sid:2016087; rev:2; metadata:created_at 2012_12_21, updated_at 2012_12_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN SmokeLoader - Init 0x"; flow:established,to_client; content:"Init|3a| 0x"; http_header; classtype:trojan-activity; sid:2016088; rev:1; metadata:created_at 2012_12_21, updated_at 2012_12_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV checkin"; flow:established,to_server; content:"User-Agent|3a| Mozilla/5.0 (compatible|3b| MSIE 9.0|3b| Windows NT 7.1|3b| Trident/5.0)|0d 0a|Host|3a20|"; depth:83; http_header; fast_pattern:47,20; content:!"Accept|3a 20|"; http_header; reference:md5,dd4d18c07e93c34d082dab57a38f1b86; reference:md5,5a864ccfeee9c0c893cfdc35dd8820a6; classtype:trojan-activity; sid:2016089; rev:3; metadata:created_at 2012_12_21, updated_at 2012_12_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Dexter Infostealer CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"page="; http_client_body; depth:5; content:"&spec="; distance:0; http_client_body; content:"&opt="; distance:0; http_client_body; content:"var="; distance:0; http_client_body; content:"val="; distance:0; http_client_body; reference:url,contagiodump.blogspot.co.uk/2012/12/dexter-pos-infostealer-samples-and.html; classtype:trojan-activity; sid:2016095; rev:2; metadata:created_at 2012_12_27, updated_at 2012_12_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown - Loader - Check .exe Updated"; flow:established,to_server; urilen:<10; content:"If-Modified-Since|3a| "; http_header; content:"If-None-Match|3a| "; http_header; content:".exe"; http_uri; fast_pattern; classtype:trojan-activity; sid:2016097; rev:4; metadata:created_at 2012_12_27, updated_at 2012_12_27;)

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET TROJAN DNS Reply Sinkhole - Microsoft - 131.253.18.11-12"; content:"|00 01 00 01|"; content:"|00 04 83 fd 12|"; distance:4; within:5; byte_test:1,>,10,0,relative; byte_test:1,<,13,0,relative; threshold: type limit, count 1, seconds 120, track by_src; classtype:trojan-activity; sid:2016101; rev:6; metadata:created_at 2012_12_27, updated_at 2012_12_27;)

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET TROJAN DNS Reply Sinkhole - Microsoft - 199.2.137.0/24"; content:"|00 01 00 01|"; content:"|00 04 c7 02 89|"; distance:4; within:5; classtype:trojan-activity; sid:2016102; rev:2; metadata:created_at 2012_12_27, updated_at 2012_12_27;)

#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET TROJAN DNS Reply Sinkhole - Microsoft - 207.46.90.0/24"; content:"|00 01 00 01|"; content:"|00 04 cf 2e 5a|"; distance:4; within:5; classtype:trojan-activity; sid:2016103; rev:2; metadata:created_at 2012_12_27, updated_at 2012_12_27;)

#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET TROJAN DNS Reply for unallocated address space - Potentially Malicious 1.1.1.0/24"; content:"|00 01 00 01|"; content:"|00 04 01 01 01|"; distance:4; within:5; metadata: former_category TROJAN; classtype:trojan-activity; sid:2016104; rev:3; metadata:created_at 2012_12_27, updated_at 2018_04_03;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV Download antivirus-installer.exe"; flow:to_server,established; content:"/antivirus-install.exe"; http_uri; classtype:trojan-activity; sid:2016110; rev:2; metadata:created_at 2012_12_28, updated_at 2012_12_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Downloader.FakeFlashPlayer Clientregister.php CnC Beacon"; flow:established,to_server; content:"/clientregister.php?type="; http_uri; content:"&uniqid="; http_uri; content:"&winver="; http_uri; content:"&compusername="; http_uri; content:"&compnetname="; http_uri; classtype:trojan-activity; sid:2016124; rev:1; metadata:created_at 2012_12_28, updated_at 2012_12_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Downloader.FakeFlashPlayer Status.Php CnC Beacon"; flow:established,to_server; content:"/status.php?cliver="; http_uri; content:"&uniqid="; http_uri; content:"&langid="; http_uri; classtype:trojan-activity; sid:2016125; rev:1; metadata:created_at 2012_12_28, updated_at 2012_12_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Downloader.FakeFlashPlayer Bitensiteler CnC Beacon"; flow:established,to_server; content:".php?type="; http_uri; content:"&uniqid="; http_uri; content:"&langid="; http_uri; content:"&ver="; http_uri; content:"bitensiteler="; http_uri; classtype:trojan-activity; sid:2016126; rev:1; metadata:created_at 2012_12_28, updated_at 2012_12_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Downloader.FakeFlashPlayer Kelimeid CnC Beacon"; flow:established,to_server; content:".php?type="; http_uri; content:"&kelimeid"; http_uri; content:"&gecenzaman="; http_uri; content:"&gezilensayfa="; http_uri; content:"&delcookies="; http_uri; classtype:trojan-activity; sid:2016127; rev:1; metadata:created_at 2012_12_28, updated_at 2012_12_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Stabuniq Checkin"; flow:to_server,established; content:"id="; depth:3; http_client_body; content:"&varname="; http_client_body; content:"&comp="; http_client_body; content:"&ver="; http_client_body; content:"&xid="; http_client_body; reference:url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-121809-2437-99&tabid=2; reference:url,contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html; classtype:trojan-activity; sid:2016130; rev:2; metadata:created_at 2012_12_28, updated_at 2012_12_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sakula/Mivast RAT CnC Beacon 1"; flow:to_server,established; content:".asp?imageid="; http_uri; fast_pattern:only; content:!"Content-Type|3a|"; http_header; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; reference:md5,3cd598e8e2fd033134d8784251eff59e; classtype:trojan-activity; sid:2016139; rev:4; metadata:created_at 2013_01_03, updated_at 2013_01_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Request for fake postal receipt from e-mail link"; flow:established,to_server; content:".php?php=receipt"; http_uri; pcre:"/^\/[A-Z]+\.php\?php=receipt$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016147; rev:1; metadata:created_at 2013_01_03, updated_at 2013_01_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.2013Jan04 victim beacon"; flow:established,to_server; dsize:48; content:"|1e de 5c f1 1f f6 94 12 d1 fa f1 42 8c fe 8d f7|"; offset:16; depth:16; reference:md5,62f20326e0f08c0786df6886f0427ea7; classtype:trojan-activity; sid:2016167; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2013_01_04, malware_family PoisonIvy, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN PoisonIvy.2013Jan04 server response"; flow:established,from_server; dsize:48; content:"|48 3A E9 78 C0 B9 2E 3F 9A 49 C5 56 65 5F CE 22|"; offset:16; depth:16; reference:md5,62f20326e0f08c0786df6886f0427ea7; classtype:trojan-activity; sid:2016168; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2013_01_04, malware_family PoisonIvy, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ProxyBox - HTTP CnC - proxy_info.php"; flow:established,to_server; content:"/proxy_info.php"; http_uri; classtype:trojan-activity; sid:2016171; rev:1; metadata:created_at 2013_01_08, updated_at 2013_01_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic -POST To file.php w/Extended ASCII Characters"; flow:established,to_server; content:"POST"; http_method; content:"/file.php"; http_uri; content:!"Referer: "; http_header; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}/P"; classtype:bad-unknown; sid:2016172; rev:7; metadata:created_at 2013_01_08, updated_at 2013_01_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)"; flow:established,to_server; content:"POST"; http_method; content:"/gate.php"; http_uri; content:!"Referer: "; http_header; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}/P"; classtype:bad-unknown; sid:2016173; rev:7; metadata:created_at 2013_01_08, updated_at 2013_01_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FakeAV security_scanner.exe"; flow:established,to_client; content:"Content-Disposition|3a| "; http_header; content:"filename=|22|security_scanner.exe|22|"; fast_pattern:9,20; http_header; classtype:trojan-activity; sid:2016177; rev:1; metadata:created_at 2013_01_09, updated_at 2013_01_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Tobfy.Ransomware CnC Request - status.php"; flow:established,to_server; content:"/status.php"; http_uri; content:".my-files-download.ru"; http_header; pcre:"/Host\x3A\x20[^\r\n]*\x2Emy\x2Dfiles\x2Ddownload\x2Eru/H"; reference:url,blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html; classtype:trojan-activity; sid:2016186; rev:3; metadata:created_at 2013_01_11, updated_at 2013_01_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Tobfy.Ransomware Invalid URI CnC Request - "; flow:established,to_server; content:"/.ru|60|utr/qiq"; http_uri; content:".my-files-download.ru"; http_header; pcre:"/Host\x3A\x20[^\r\n]*\x2Emy\x2Dfiles\x2Ddownload\x2Eru/H"; reference:url,blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html; classtype:trojan-activity; sid:2016187; rev:3; metadata:created_at 2013_01_11, updated_at 2013_01_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Midhos/Medfos downloader"; flow:established,to_server; content:"/upload/fid="; http_uri; content:"AAAAAAAAAAA"; http_uri; content:!"Accept|3a 20|"; http_header; content:!"Connection|3a 20|"; http_header; content:"Host|3a 20|megaupload.com|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 6.0"; http_header; classtype:trojan-activity; sid:2016189; rev:1; metadata:created_at 2013_01_11, updated_at 2013_01_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Fareit Checkin 2"; flow:to_server,established; content:"POST "; depth:5; content:"/forum/viewtopic.php"; within:20; content:"Windows 98|0d 0a 0d 0a|"; fast_pattern:only; content:"Content-Type|3a| application/octet-stream"; metadata: former_category TROJAN; reference:md5,10baa5250610fc2b5b2cdf932f2007c0; classtype:trojan-activity; sid:2016550; rev:3; metadata:created_at 2013_01_11, updated_at 2017_11_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Zemra.DDoS.Bot Variant CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/telnet_cmd.php"; fast_pattern; http_uri; content:"User-Agent|3A| Opera/9.61|0D 0A|"; http_header; content:"a="; http_client_body; depth:2; content:"&b="; http_client_body; distance:0; content:"&c="; http_client_body; distance:0; reference:url,thegoldenmessenger.blogspot.de/2012/09/2-disclosure-of-interesting-botnet-part-1.html; reference:url,thegoldenmessenger.blogspot.de/2012/09/2-disclosure-of-interesting-botnet-part-2.html; classtype:trojan-activity; sid:2016205; rev:1; metadata:created_at 2013_01_15, updated_at 2013_01_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Iyus.H Initial CnC Beacon"; flow:established,to_server; content:"/run1/pr.php?p1="; fast_pattern:only; http_uri; content:"&p2="; http_uri; content:"&id="; http_uri; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Iyus-H/detailed-analysis.aspx; classtype:trojan-activity; sid:2016206; rev:2; metadata:created_at 2013_01_15, updated_at 2013_01_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Iyus.H work_troy.php CnC Request"; flow:established,to_server; content:"/work_troy.php?id="; fast_pattern:only; http_uri; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Iyus-H/detailed-analysis.aspx; classtype:trojan-activity; sid:2016207; rev:2; metadata:created_at 2013_01_15, updated_at 2013_01_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Downloader Secondary Download Request - W32/Hupigon.Backdoor Likely Secondary Payload"; flow:established,to_server; content:"/pir/bfg.php?dll="; http_uri; fast_pattern:only; reference:url,www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml; classtype:trojan-activity; sid:2016208; rev:2; metadata:created_at 2013_01_15, updated_at 2013_01_15;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Karagany.Downloader CnC Beacon"; flow:established,to_server; urilen:6; content:".htm"; http_uri; content:"User-Agent|3A 20|Mozilla/5.0 (compatible|3B| MSIE 9.0|3B| Windows NT 6.0|3B| Trident/5.0)"; fast_pattern:47,20; http_header; pcre:"/^\x2F[a-z]{1}\x2Ehtm$/U"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,malwaremustdie.blogspot.co.uk/2013/01/once-upon-time-with-cool-exploit-kit.html; reference:url,www.fortiguard.com/latest/av/4057936; reference:md5,92899c20da4d9db5627af89998aadc58; classtype:trojan-activity; sid:2016211; rev:2; metadata:created_at 2013_01_15, updated_at 2013_01_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BroBot POST"; flow:established,to_server; content:"POST"; http_method;  content:"User-Agent|3a 20|Mozilla/5.0 Firefox/3.6.12|0d 0a|"; http_header; fast_pattern:20,20; pcre:"/^(?:c(?:omment|_id)|m(?:jdu)?)=/P"; threshold: type limit, count 1, seconds 300, track by_src; classtype:web-application-attack; sid:2016212; rev:3; metadata:created_at 2013_01_15, updated_at 2013_01_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Red October/Win32.Digitalia Checkin cgi-bin/nt/th"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/cgi-bin/nt/th"; http_uri; content:!"User-Agent|3a| "; http_header; pcre:"/\/cgi-bin\/nt\/th$/Ui"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:2016214; rev:2; metadata:created_at 2013_01_15, updated_at 2013_01_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Red October/Win32.Digitalia Checkin cgi-bin/nt/sk"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/cgi-bin/nt/sk"; http_uri; content:!"User-Agent|3a| "; http_header; pcre:"/\/cgi-bin\/nt\/sk$/Ui"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:2016215; rev:2; metadata:created_at 2013_01_15, updated_at 2013_01_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Red October/Win32.Digitalia Checkin cgi-bin/dllhost/ac"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/cgi-bin/dllhost/ac"; http_uri; content:!"User-Agent|3a| "; http_header; pcre:"/\/cgi-bin\/dllhost\/ac$/Ui"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:2016216; rev:5; metadata:created_at 2013_01_15, updated_at 2013_01_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Red October/Win32.Digitalia Checkin cgi-bin/ms/check"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/cgi-bin/ms/check"; http_uri; content:!"User-Agent|3a| "; http_header; pcre:"/\/cgi-bin\/ms\/check$/Ui"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:2016217; rev:2; metadata:created_at 2013_01_15, updated_at 2013_01_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Red October/Win32.Digitalia Checkin cgi-bin/ms/flush"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/cgi-bin/ms/flush"; http_uri; content:!"User-Agent|3a| "; http_header; pcre:"/\/cgi-bin\/ms\/flush$/Ui"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:2016218; rev:2; metadata:created_at 2013_01_15, updated_at 2013_01_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Red October/Win32.Digitalia Checkin cgi-bin/win/wcx"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/cgi-bin/win/wcx"; http_uri; content:!"User-Agent|3a| "; http_header; pcre:"/\/cgi-bin\/win\/wcx$/Ui"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:2016219; rev:2; metadata:created_at 2013_01_15, updated_at 2013_01_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Red October/Win32.Digitalia Checkin cgi-bin/win/cab"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/cgi-bin/win/cab"; http_uri; content:!"User-Agent|3a| "; http_header; pcre:"/\/cgi-bin\/win\/cab$/Ui"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:2016220; rev:2; metadata:created_at 2013_01_15, updated_at 2013_01_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Red October proxy CnC 1"; flow:to_client,established; content:"ETag|3a 20 22|8c0bf6-ba-4b975a53906e4|22|"; http_header; classtype:trojan-activity; sid:2016224; rev:2; metadata:created_at 2013_01_17, updated_at 2013_01_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Red October proxy CnC 2"; flow:to_client,established; content:"ETag|3a 20 22|1c824e-ba-4bcd8c8b36340|22|"; http_header; classtype:trojan-activity; sid:2016225; rev:1; metadata:created_at 2013_01_17, updated_at 2013_01_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Red October proxy CnC 3"; flow:to_client,established; content:"ETag|3a 20|W/|22|186-1333538825000|22|"; http_header; classtype:trojan-activity; sid:2016226; rev:1; metadata:created_at 2013_01_17, updated_at 2013_01_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win.Trojan.Agent-29225 Checkin"; flow:to_server,established; content:"/proxy.exe"; nocase; fast_pattern:only; http_uri; content:"Java/1"; nocase; http_header; reference:url,virustotal.com/file/17b1639c08352cc37baac08f23137563546750292131896f37fd8be8c9412407/analysis/; classtype:trojan-activity; sid:2018763; rev:2; metadata:created_at 2013_01_21, updated_at 2013_01_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown POST of Windows PW Hashes to External Site"; flow:established,to_server; content:"POST"; http_method; content:"X-ID|3a|"; http_header; content:"PSTORE|3a|"; http_client_body; classtype:trojan-activity; sid:2016252; rev:2; metadata:created_at 2013_01_23, updated_at 2013_01_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown POST of System Info"; flow:established,to_server; content:"POST"; http_method; content:"X-ID|3a|"; http_header; content:"User is SYSTEM|3a|"; http_client_body; classtype:trojan-activity; sid:2016253; rev:2; metadata:created_at 2013_01_23, updated_at 2013_01_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN PoisonIvy Variant Jan 24 2013"; flow:established,from_server; dsize:48; content:"|52 13 34 da 18 3d 2f 45 a2 09 93 52 01 23 51 e3|"; offset: 16; depth:16; reference:url,blog.avast.com/2013/01/22/reporters-without-borders-website-misused-in-wateringhole-attack/; classtype:trojan-activity; sid:2016270; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2013_01_24, malware_family PoisonIvy, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy Variant Jan 24 2013"; flow:established,to_server; dsize:48; content:"|84 a5 f0 be 11 da ce 7e c9 4a 9a af 40 24 8a f5|"; offset:16; depth:16; reference:url,blog.avast.com/2013/01/22/reporters-without-borders-website-misused-in-wateringhole-attack/; classtype:trojan-activity; sid:2016271; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2013_01_24, malware_family PoisonIvy, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Bilakip.A Downloader API Ping CnC Beacon"; flow:established,to_server; content:"/api/ping?stage="; http_uri; content:"&uid="; http_uri; reference:url,about-threats.trendmicro.com/Malware.aspx?id=50100&name=TROJ_DLOADR.BKM&language=au; classtype:trojan-activity; sid:2016273; rev:1; metadata:created_at 2013_01_24, updated_at 2013_01_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Bilakip.A Downloader Viruslist Download For Populating FakeAV"; flow:established,to_server; content:"/viruslist/?uid="; http_uri; reference:url,about-threats.trendmicro.com/Malware.aspx?id=50100&name=TROJ_DLOADR.BKM&language=au; classtype:trojan-activity; sid:2016274; rev:1; metadata:created_at 2013_01_24, updated_at 2013_01_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Mashigoom/Tranwos/RevProxy ClickFraud - hello"; flow:established,to_server; threshold:type both,track by_src,seconds 60,count 1; dsize:<150; content:"hello/"; depth:6; content:"/"; within:3; distance:2; content:"/"; pcre:"/^hello\/[0-9]\.[0-9]\/[0-9]{3}/"; classtype:trojan-activity; sid:2016292; rev:6; metadata:created_at 2013_01_26, updated_at 2013_01_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN RevProxy - ClickFraud - MIDUIDEND"; flow:established,to_server; dsize:46; content:"MID"; depth:3; content:"UID"; distance:32; within:3; content:"END"; distance:5; within:3; classtype:trojan-activity; sid:2016293; rev:2; metadata:created_at 2013_01_26, updated_at 2013_01_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/DownloaderAgent.fajk Successful Infection CnC Beacon"; flow:established,to_server; content:"GET /admin/count.php?isOnline=1 HTTP/1."; depth:39; reference:url,www.securelist.com/en/descriptions/15316120/Trojan.Win32.Agent.fajk; classtype:trojan-activity; sid:2016312; rev:1; metadata:created_at 2013_01_29, updated_at 2013_01_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN W32/DownloaderAgent.fajk Second Stage Download List Requested"; flow:established,to_server; content:"GET /Down/list.txt HTTP/1."; depth:26; reference:url,www.securelist.com/en/descriptions/15316120/Trojan.Win32.Agent.fajk; classtype:trojan-activity; sid:2016313; rev:1; metadata:created_at 2013_01_29, updated_at 2013_01_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Linux/SSHDoor.A Reporting Backdoor CnC Beacon"; flow:established,to_server; content:"port="; http_uri; content:"|3A|"; http_uri; content:"&uname="; http_uri; pcre:"/port\x3D[0-9]{1,3}\x2E[0-9]{1,3}\x2E[0-9]{1,3}\x2E[0-9]{1,3}\x3A[0-9]{1,5}/U"; reference:url,blog.eset.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords; classtype:trojan-activity; sid:2016314; rev:1; metadata:created_at 2013_01_29, updated_at 2013_01_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/StartPage.eba Dropper Checkin"; flow:established,to_server; content:"/Count.asp?mac="; http_uri; content:"&ver="; http_uri; content:"&t="; http_uri; content:"User-Agent|3a| Forthgoer"; http_header; reference:url,www.securelist.com/en/descriptions/24621847/Trojan-Dropper.Win32.StartPage.eba; classtype:trojan-activity; sid:2016316; rev:2; metadata:created_at 2013_01_30, updated_at 2013_01_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious user-agent (f**king)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; content:"fucking|0d 0a|"; distance:0; fast_pattern; http_header; pcre:"/^User-Agent\x3a[^\r\n]+fucking/Hmi"; classtype:trojan-activity; sid:2016317; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2013_01_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ZeuS Post to C&C footer.php"; flow:established,to_server; content:"/footer.php"; http_uri; content:"POST"; http_method; content:!"Accept-"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2016328; rev:1; metadata:created_at 2013_01_31, updated_at 2017_03_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/SecVerif.Downloader Initial Checkin"; flow:established,to_server; content:"/atp.txt"; http_uri; fast_pattern; content:"Accept-Language|3A| de-at"; http_header; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)"; http_header; reference:url,anubis.iseclab.org/?action=result&task_id=19f379c075627c7b44d0a0db154394f63; classtype:trojan-activity; sid:2016329; rev:2; metadata:created_at 2013_01_31, updated_at 2013_01_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/SecVerif.Downloader Second Stage Download Request"; flow:established,to_server; content:"/ssl/cert.dll"; fast_pattern; http_uri; content:"Accept-Language|3A| de-at"; http_header; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)"; http_header; reference:url,anubis.iseclab.org/?action=result&task_id=19f379c075627c7b44d0a0db154394f63; classtype:trojan-activity; sid:2016330; rev:1; metadata:created_at 2013_01_31, updated_at 2013_01_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET TROJAN W32/Jabberbot.A Trednet XMPP CnC Beacon"; flow:established,to_server; content:"trednet@jabber.ru"; fast_pattern:only; reference:url,blog.eset.com/2013/01/30/walking-through-win32jabberbot-a-instant-messaging-cc; classtype:trojan-activity; sid:2016331; rev:1; metadata:created_at 2013_01_31, updated_at 2013_01_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Beebus HTTP POST CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/s/asp?"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 |28|compatible|3B 20 29 0D 0A|"; http_header; reference:url,blog.fireeye.com/research/2013/02/operation-beebus.html; classtype:trojan-activity; sid:2016342; rev:1; metadata:created_at 2013_02_05, updated_at 2013_02_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/ServStart.Variant CnC Beacon"; flow:established,to_server; content:"&mac="; http_uri; nocase; content:"type="; http_uri; nocase; content:"id="; http_uri; nocase; content:"User-Agent|3A| Google ++|0D 0A|"; http_header; fast_pattern:3,20; classtype:trojan-activity; sid:2016355; rev:1; metadata:created_at 2013_02_05, updated_at 2013_02_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Request for fake postal receipt from e-mail link"; flow:established,to_server; content:"receipt="; nocase; http_uri; fast_pattern:only; pcre:"/\.php\?(print_)?receipt=(s00|\d{3})_\d+$/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016359; rev:2; metadata:created_at 2013_02_06, updated_at 2013_02_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Umbra/Multibot Loader User-Agent (umbra)"; flow:established,to_server; content:"User-Agent|3a| umbra|0d 0a|"; http_header; reference:url,malware.dontneedcoffee.com/2013/02/inside-multi-botnet-ver4-c-panel.html; classtype:trojan-activity; sid:2016366; rev:1; metadata:created_at 2013_02_08, updated_at 2013_02_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Umbra/MultiBot Plugin access"; flow:established,to_server; content:"/admin/plugins/"; http_uri; content:"User-Agent|3a| umbra|0d 0a|"; http_header; reference:url,malware.dontneedcoffee.com/2013/02/inside-multi-botnet-ver4-c-panel.html; classtype:trojan-activity; sid:2016367; rev:1; metadata:created_at 2013_02_08, updated_at 2013_02_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Toby.N Multilocker Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/picture.php"; http_uri; content:!"Referer|3a|"; http_header; pcre:"/\/picture\.php$/U"; pcre:"/^Host\x3a[^\r\n]+?\r\nConnection\x3a\x20Keep-Alive\r\n(\r\n)?$/H"; reference:url,malware.dontneedcoffee.com/2013/02/inside-multi-botnet-ver4-c-panel.html; classtype:trojan-activity; sid:2016368; rev:2; metadata:created_at 2013_02_08, updated_at 2013_02_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Toby.N Multilocker Request"; flow:established,to_server; content:"/upload/img.jpg"; http_uri; content:" MSIE 6.0|3b| "; http_header; pcre:"/^Host\x3a\s*(\d{1,3}\.){3}\d{1,3}\r$/Hm"; reference:url,malware.dontneedcoffee.com/2013/02/inside-multi-botnet-ver4-c-panel.html; classtype:trojan-activity; sid:2016369; rev:2; metadata:created_at 2013_02_08, updated_at 2013_02_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Toby.N Multilocker Image Request"; flow:established,to_server; content:"/upload/mp3.mp3"; http_uri; content:" MSIE 6.0|3b| "; http_header; pcre:"/^Host\x3a\s*(\d{1,3}\.){3}\d{1,3}\r$/Hm"; reference:url,malware.dontneedcoffee.com/2013/02/inside-multi-botnet-ver4-c-panel.html; classtype:trojan-activity; sid:2016370; rev:2; metadata:created_at 2013_02_08, updated_at 2013_02_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/FloatingCloud.Banker CnC Beacon"; flow:established,to_server; content:"/Install/Post.asp?Uid="; http_uri; nocase; pcre:"/\x2FPost\x2Easp\x3FUid\x3D[a-f0-9]{8}\x2D[a-f0-9]{8}\x2D[a-f0-9]{8}\x2D[a-f0-9]{8}$/Ui"; reference:url,www.securelist.com/en/blog/798/God_horses_are_floating_clouds_The_story_of_a_Chinese_banker_Trojan; classtype:trojan-activity; sid:2016399; rev:2; metadata:created_at 2013_02_08, updated_at 2013_02_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PDF 0day Communication - agent UA Feb 14 2013"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/param"; http_uri; content:"User-Agent|3a| agent|0d 0a|"; fast_pattern; http_header; content:"Content-Length|3a|"; http_header; reference:url,www.joesecurity.org/reports/report-f3b9663a01a73c5eca9d6b2a0519049e.html; classtype:trojan-activity; sid:2016411; rev:2; metadata:created_at 2013_02_14, updated_at 2013_02_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Vundo.Downloader Reporting User Website Session Information"; flow:established,to_server; content:"/js.php?ran="; http_uri; fast_pattern; content:"&t="; http_uri; content:"&u="; http_uri; content:"Accept-Language|3A 20|ru-RU"; nocase; http_header; reference:url,www.lavasoft.com/mylavasoft/malware-descriptions/blog/trojandownloaderwin32vundojd; classtype:trojan-activity; sid:2016417; rev:1; metadata:created_at 2013_02_16, updated_at 2013_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Zbot.ivgw Downloading EXE"; flow:to_server,established; content:"/forum/images.php?id"; http_uri; nocase; fast_pattern:only; content:"User-Agent|3a| Mozilla/6"; http_header; content:" MSIE "; http_header; reference:md5,e8e3d22203f9549d6c5f361dfe51f8c6; classtype:trojan-activity; sid:2016425; rev:4; metadata:created_at 2013_02_18, updated_at 2013_02_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Tosct.B UA Mandiant APT1 Related"; flow:established,to_server; content:"User-Agent|3a 20|HTTP Mozilla/5.0(compatible+MSIE)|0d 0a|"; http_header; reference:url,www.mandiant.com/apt1; reference:md5,5bcaa2f4bc7567f6ffd5507a161e221a; classtype:trojan-activity; sid:2016431; rev:3; metadata:created_at 2013_02_20, updated_at 2013_02_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likseput.B Checkin"; flow:established,to_server; content:"|3b|Trident/4.0 "; fast_pattern; http_header; pcre:"/User-Agent\x3a[^\r\n]+[^\x20]\x3bTrident\/4\.0\x29\s\d{2}\x3a\d{2}\s\r$/Hmi"; reference:md5,95d85aa629a786bb67439a064c4349ec; classtype:trojan-activity; sid:2016432; rev:2; metadata:created_at 2013_02_20, updated_at 2013_02_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32/Likseput.A Checkin Windows Vista/7/8"; flow:to_server,established; content:"User-Agent|3a| 6|2e|"; http_header; content:"|5c|"; within:64; http_header; content:"Host|3a| "; http_header; distance:0; content:!"|0d 0a|"; distance:-6; within:2; http_header; pcre:"/User\-Agent\x3a\x206\.[0-2]\x20\d\d\x3a\d\d\x20/Hi"; reference:md5,b5e9ce72771217680efaeecfafe3da3f; reference:url,threatexpert.com/report.aspx?md5=4b6f5e62d7913fc1ab6c71b5b909ecbf; classtype:trojan-activity; sid:2016433; rev:2; metadata:created_at 2013_02_20, updated_at 2013_02_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/COOKIEBAG Cookie APT1 Related"; flow:established,to_server; content:"|0a|Cookie|3a 20|CAQGBgoFD1Y"; fast_pattern:only; content:"CAQGBgoFD1Y"; http_cookie; depth:11; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016434; rev:2; metadata:created_at 2013_02_20, updated_at 2013_02_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WEBC2-TABLE Checkin 1 - APT1 Related"; flow:established,to_server; content:"User-Agent|3a| 0"; http_header; content:"|3a|";  http_header; distance:1; within:1; content:"|3a|"; http_header; distance:2; within:1; content:"+"; http_header; distance:2; within:1; flowbits:set,ET.webc2; reference:md5,7a7a46e8fbc25a624d58e897dee04ffa; reference:md5,110160e9d6e1483192653d4bfdcbb609; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016435; rev:4; metadata:created_at 2013_02_20, updated_at 2013_02_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WEBC2-TABLE Checkin 2 - APT1 Related"; flow:established,to_server; content:"User-Agent|3a| 1"; http_header; content:"|3a|"; http_header; distance:1; within:1; content:"|3a|"; http_header; distance:2; within:1; content:"+"; http_header; distance:2; within:1; flowbits:set,ET.webc2; reference:md5,7a7a46e8fbc25a624d58e897dee04ffa; reference:md5,110160e9d6e1483192653d4bfdcbb609; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016436; rev:1; metadata:created_at 2013_02_20, updated_at 2013_02_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WEBC2-TABLE Checkin 3 - APT1 Related"; flow:established,to_server; content:"User-Agent|3a| 2"; http_header; content:"|3a|"; http_header; distance:1; within:1; content:"|3a|"; http_header; distance:2; within:1; content:"+"; http_header; distance:2; within:1; flowbits:set,ET.webc2; reference:md5,7a7a46e8fbc25a624d58e897dee04ffa; reference:md5,110160e9d6e1483192653d4bfdcbb609; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016437; rev:1; metadata:created_at 2013_02_20, updated_at 2013_02_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN WEBC2-TABLE Checkin Response - Embedded CnC APT1 Related"; flow:established,from_server; flowbits:isset,ET.webc2; file_data; content:"<!---<table<b"; reference:url,www.mandiant.com/apt1; reference:md5,7a7a46e8fbc25a624d58e897dee04ffa; reference:md5,110160e9d6e1483192653d4bfdcbb609; classtype:trojan-activity; sid:2016438; rev:1; metadata:created_at 2013_02_20, updated_at 2013_02_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Namsoth.A Checkin/NEWSREELS APT1 Related"; flow:established,to_server; content:"POST"; http_method; content:"name="; depth:5; http_client_body; content:"&userid="; http_client_body; distance:0; content:"&other"; distance:4; within:6; http_client_body; pcre:"/&userid=\d{4}&other=[MF]/P"; reference:md5,a2cd1189860b9ba214421aab86ecbc8a; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016439; rev:2; metadata:created_at 2013_02_20, updated_at 2013_02_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SEASALT HTTP Checkin"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3b| MSIE 5.00|3b| Windows 98) KSMM|0d 0a|"; http_header; fast_pattern:24,20; reference:md5,5e0df5b28a349d46ac8cc7d9e5e61a96; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016440; rev:1; metadata:created_at 2013_02_20, updated_at 2013_02_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN SEASALT Client Checkin"; flow:established,to_server; dsize:7; content:"fxftest"; depth:7; reference:md5,5e0df5b28a349d46ac8cc7d9e5e61a96; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016441; rev:2; metadata:created_at 2013_02_20, updated_at 2013_02_20;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN SEASALT Server Response"; flow:established,from_server; dsize:7; content:"fxftest"; depth:7; reference:md5,5e0df5b28a349d46ac8cc7d9e5e61a96; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016442; rev:2; metadata:created_at 2013_02_20, updated_at 2013_02_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN STARSYPOUND Client Checkin"; flow:established,to_server; content:"*(SY)# "; depth:7; reference:md5,8442ae37b91f279a9f06de4c60b286a3; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016443; rev:2; metadata:created_at 2013_02_20, updated_at 2013_02_20;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN STARSYPOUND Client Checkin"; flow:established,from_server; content:"*(SY)# "; depth:7; reference:md5,8442ae37b91f279a9f06de4c60b286a3; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016444; rev:3; metadata:created_at 2013_02_20, updated_at 2013_02_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN SWORD Sending Sword Marker"; flow:established,to_server; content:"|20 20 20 20 2f 2a 0a 40 2a 2a 2a 40 2a 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40|"; reference:md5,052f5da1734464a985dcd669bff62f93; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016445; rev:2; metadata:created_at 2013_02_20, updated_at 2013_02_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TABMSGSQL/Sluegot.C Checkin"; flow:established,to_server; content:"?rands="; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| )|0d 0a|"; http_header; reference:url,www.cyberesi.com/2011/06/15/trojan-letsgo-analysis/; reference:url,www.mandiant.com/apt1; reference:md5,052ec04866e4a67f31845d656531830d; classtype:trojan-activity; sid:2016446; rev:3; metadata:created_at 2013_02_20, updated_at 2013_02_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WARP Win32/Barkiofork.A"; flow:established,to_server; content:"/s/asp?"; http_uri; fast_pattern; pcre:"/p=1$/U"; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| )|0d 0a|"; http_header; reference:url,www.mandiant.com/apt1; reference:md5,7acb0d1df51706536f33bbdb990041d3; classtype:trojan-activity; sid:2016447; rev:1; metadata:created_at 2013_02_20, updated_at 2013_02_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN WEBC2-ADSPACE Server Response"; flow:established,from_server; file_data; content:"<!---HEADER ADSPACE style=|22|"; content:"|5c|text $-->"; distance:0; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016448; rev:1; metadata:created_at 2013_02_20, updated_at 2013_02_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN WEBC2-AUSOV Checkin Response - Embedded CnC APT1 Related"; flow:established,from_server; file_data; content:"|3c|!-- DOCHTMLAuthor"; pcre:"/^\d+\s*-->/R"; reference:url,www.mandiant.com/apt1; reference:md5,0cf9e999c574ec89595263446978dc9f; reference:md5,0cf9e999c574ec89595263446978dc9f; classtype:trojan-activity; sid:2016449; rev:3; metadata:created_at 2013_02_20, updated_at 2013_02_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN WEBC2-QBP Checkin Response 1 - Embedded CnC APT1 Related"; flow:established,from_server; file_data; content:"|3c|!--<2010QBP"; content:" 2010QBP//-->"; within:150; reference:url,intelreport.mandiant.com; reference:md5,0cf9e999c574ec89595263446978dc9f; reference:md5,fcdaa67e33357f64bc4ce7b57491fc53; classtype:trojan-activity; sid:2016451; rev:2; metadata:created_at 2013_02_20, updated_at 2013_02_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WEBC2-CLOVER Checkin APT1 Related"; flow:established,to_server; content:"/Default.asp"; http_uri; content:"Accept: image/gif,image/x-xbitmap"; http_header; content:" MSIE "; http_header; content:"Cookie|3a 20|PREF=86845632017245|0d 0a|"; fast_pattern; reference:url,www.mandiant.com/apt1; reference:md5,29c691978af80dc23c4df96b5f6076bb; classtype:trojan-activity; sid:2016452; rev:1; metadata:created_at 2013_02_21, updated_at 2013_02_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WEBC2-CLOVER Download UA"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/5.0 (Windows|3b| Windows NT 5.1|3b| en-US|3b| rv|3a|1.8.0.12) Firefox/1.5.0.12|0d 0a|"; http_header; fast_pattern:66,20; reference:url,www.mandiant.com/apt1; reference:md5,29c691978af80dc23c4df96b5f6076bb; classtype:trojan-activity; sid:2016453; rev:1; metadata:created_at 2013_02_21, updated_at 2013_02_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Small.XR Checkin 2 WEBC2-CSON APT1 Related"; flow:to_server,established; urilen:27; content:"/Default.aspx?ID="; http_uri; pcre:"/\?ID=[A-Z]{10}$/U"; content:!"User-Agent|3a| Mozilla "; http_header; reference:url,www.threatexpert.com/report.aspx?md5=ba45339da92ca4622b472ac458f4c8f2; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FSmall.XR; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016459; rev:4; metadata:created_at 2013_02_21, updated_at 2013_02_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WEBC2-DIV UA"; flow:established,to_server; content:"User-Agent|3a| Microsoft Internet Explorer Exelon "; http_header; fast_pattern:27,20; reference:url,www.mandiant.com/apt1; reference:md5,1e5ec6c06e4f6bb958dcbb9fc636009d; classtype:trojan-activity; sid:2016454; rev:1; metadata:created_at 2013_02_21, updated_at 2013_02_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible WEBC2-GREENCAT Response - Embedded CnC APT1 Related"; flow:established,from_server; file_data; content:"<!--|0d 0a|<img border="; pcre:"/^[0-4]\s*src=\x22[^\x22]+\x22\swidth=\d+\sheight=\d+>\r\n-->/R"; reference:url,www.mandiant.com/apt1; reference:md5,b5e9ce72771217680efaeecfafe3da3f; classtype:trojan-activity; sid:2016455; rev:3; metadata:created_at 2013_02_21, updated_at 2013_02_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WEBC2-KT3 Intial Connection Beacon APT1 Related"; flow:established,to_server; dsize:<11; content:"*!Kt3+v|7c|"; depth:8; flowbits:set,ET.WEBC2KT3; reference:url,www.mandiant.com/apt1; reference:md5,ec3a2197ca6b63ee1454d99a6ae145ab; classtype:trojan-activity; sid:2016456; rev:2; metadata:created_at 2013_02_21, updated_at 2013_02_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WEBC2-KT3 Intial Connection Beacon Server Response APT1 Related"; flow:established,from_server; dsize:<11; content:"*!Kt3+v|7c|"; depth:8; flowbits:isset,ET.WEBC2KT3; reference:url,www.mandiant.com/apt1; reference:md5,ec3a2197ca6b63ee1454d99a6ae145ab; classtype:trojan-activity; sid:2016457; rev:3; metadata:created_at 2013_02_21, updated_at 2013_02_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WEBC2-RAVE UA"; flow:established,to_server; content:"User-Agent|3a| HTTP Mozilla/5.0(compatible+MSIE)|0d 0a|"; http_header; reference:url,www.mandiant.com/apt1; reference:md5,5bcaa2f4bc7567f6ffd5507a161e221a; classtype:trojan-activity; sid:2016458; rev:2; metadata:created_at 2013_02_21, updated_at 2013_02_21;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Fake Virtually SSL Cert APT1"; flow:established,from_server; content:"|55 04 03|"; content:"|03|new"; distance:1; within:4; content:"|55 04 0b|"; content:"|03|new"; distance:1; within:4; content:"|55 04 0a|"; content:"|16|www.virtuallythere.com"; distance:1; within:23; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016462; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2013_02_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Fake IBM SSL Cert APT1"; flow:established,from_server; content:"|55 04 03|"; content:"|03|IBM"; distance:1; within:4; content:"|55 04 0a|"; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016463; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2013_02_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN EMAIL SSL Cert APT1"; flow:established,from_server; content:"|2f 09 dd e0 ff 81 b7 6c bf 2f 17 92 0c d8 bd 57|"; content:"|55 04 03|"; content:"|05|EMAIL"; distance:1; within:6; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016464; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2013_02_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN LAME SSL Cert APT1"; flow:established,from_server; content:"|0e 97 88 1c 6c a1 37 96 42 03 bc 45 42 24 75 6c|"; content:"|55 04 03|"; content:"|0F|LM-68AB71FBD8F5"; distance:1; within:16; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016465; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2013_02_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN NS SSL Cert APT1"; flow:established,from_server; content:"|72 a2 5c 8a b4 18 71 4e bf c6 6f 3f 98 d6 f7 74|"; content:"|55 04 03|"; content:"|02|NS"; distance:1; within:3; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016466; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2013_02_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN SERVER SSL Cert APT1"; flow:established,from_server; content:"|52 55 38 16 fb 0d 1a 8a 4b 45 04 cb 06 bc c4 af|"; content:"|55 04 03|"; content:"|06|SERVER"; distance:1; within:7; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016467; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2013_02_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN SUR SSL Cert APT1"; flow:established,from_server; content:"|20 82 92 3f 43 2c 8f 75 b7 ef 0f 6a d9 3c 8e 5d|"; content:"|55 04 03|"; content:"|03|SUR"; distance:1; within:4; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016468; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2013_02_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN FAKE AOL SSL Cert APT1"; flow:established,from_server; content:"|7c a2 74 d0 fb c3 d1 54 b3 d1 a3 00 62 e3 7e f6|"; content:"|55 04 03|"; content:"|0c|mail.aol.com"; distance:1; within:13; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016469; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2013_02_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN FAKE YAHOO SSL Cert APT1"; flow:established,from_server; content:"|0a 38 c9 27 08 6f 96 4b be 75 dc 9f c0 1a c6 28|"; content:"|55 04 03|"; content:"|0e|mail.yahoo.com"; distance:1; within:15; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016470; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2013_02_21, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WEBC2-UGX User-Agent (Windows+NT+5.x) APT1"; flow:established,to_server; content:"User-Agent|3a| Windows+NT+5"; http_header; flowbits:set,ET.webc2ugx; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016471; rev:1; metadata:created_at 2013_02_21, updated_at 2013_02_21;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN WEBC2-UGX Embedded CnC Response APT1"; flow:established,from_server; flowbits:isset,ET.webc2ugx; file_data; content:"<!-- dW"; within:20; reference:md5,ae45648a8fc01b71214482d35cf8da54; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016472; rev:1; metadata:created_at 2013_02_21, updated_at 2013_02_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CommentCrew UGX Backdoor initial connection"; flow:established,to_server; content:"|dd b5 61 f0 20 47 20 57 d6 65 9c cb 31 1b 65 42 00 00 00 00|"; depth:20; classtype:trojan-activity; sid:2016474; rev:3; metadata:created_at 2013_02_22, updated_at 2013_02_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CommentCrew downloader without user-agent string exe download without User Agent"; flow:established,to_server; content:"GET"; http_method; content:"open="; http_uri; nocase; content:"myid="; http_uri; nocase; content:!"User-Agent|3a|"; http_header; classtype:trojan-activity; sid:2016475; rev:2; metadata:created_at 2013_02_22, updated_at 2013_02_22;)

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET TROJAN CommentCrew Possible APT c2 communications get system"; flow:established,to_client; content:"Y29tbWFuZD1nZXRzeXN0ZW07"; classtype:trojan-activity; sid:2016476; rev:4; metadata:created_at 2013_02_22, updated_at 2013_02_22;)

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET TROJAN CommentCrew Possible APT c2 communications html return 1 "; flow:established,to_client; content:"|48 54 54 50 2f 31 2e 30 20 32 30 30 20 4f 4b 0d 0a|"; content:"|43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 31 0d 0a|"; content:"|43 6f 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a|"; content:"|53 65 74 2d 43 6f 6f 6b 69 65 3a|"; content:"|0d 0a 20 31|"; classtype:trojan-activity; sid:2016477; rev:3; metadata:created_at 2013_02_22, updated_at 2013_02_22;)

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET TROJAN CommentCrew Possible APT c2 communications sleep"; flow:established,to_client; file_data; content:"<!-- dWdzMTA= -->"; classtype:trojan-activity; sid:2016478; rev:2; metadata:created_at 2013_02_22, updated_at 2013_02_22;)

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET TROJAN CommentCrew Possible APT c2 communications sleep2"; flow:established,to_client; file_data; content:"<!-- dWdzMw== -->"; classtype:trojan-activity; sid:2016479; rev:2; metadata:created_at 2013_02_22, updated_at 2013_02_22;)

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET TROJAN CommentCrew Possible APT c2 communications sleep3"; flow:established,to_client; file_data; content:"<!--czoxMzc=--!>"; classtype:trojan-activity; sid:2016480; rev:3; metadata:created_at 2013_02_22, updated_at 2013_02_22;)

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET TROJAN CommentCrew Possible APT c2 communications sleep5"; flow:established,to_client; file_data; content:"<!-- czoy -->"; classtype:trojan-activity; sid:2016482; rev:3; metadata:created_at 2013_02_22, updated_at 2013_02_22;)

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET TROJAN CommentCrew Possible APT c2 communications download client.png"; flow:established,to_client; file_data; content:"<!-- dWdlY2xpZW50LnBuZw== -->"; classtype:trojan-activity; sid:2016483; rev:3; metadata:created_at 2013_02_22, updated_at 2013_02_22;)

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET TROJAN CommentCrew Possible APT crabdance backdoor base64 head 2"; flow:established,to_client; file_data; content:"FSssJi01MWwnOic="; classtype:trojan-activity; sid:2016484; rev:3; metadata:created_at 2013_02_22, updated_at 2013_02_22;)

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET TROJAN CommentCrew Possible APT crabdance backdoor base64 head"; flow:established,to_client; file_data; content:"MS4nJzJ4cHZyeQ=="; classtype:trojan-activity; sid:2016485; rev:3; metadata:created_at 2013_02_22, updated_at 2013_02_22;)

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET TROJAN CommentCrew Possible APT backdoor stage 2 download base64 update.gif"; flow:established,to_client; file_data; content:"IHVwZGF0ZS5naWY="; classtype:trojan-activity; sid:2016486; rev:3; metadata:created_at 2013_02_22, updated_at 2013_02_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET TROJAN CommentCrew Possible APT backdoor download logo.png"; flow:established,to_server; content:"GET"; http_method; content:"/images/logo.png"; http_uri; content:"Accept|3a| */*,,,,,,"; http_header; fast_pattern; classtype:trojan-activity; sid:2016487; rev:4; metadata:created_at 2013_02_22, updated_at 2013_02_22;)

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET TROJAN CommentCrew Possible APT c2 communications get command client key"; flow:established,to_client; content:"Y29tbWFuZD1HZXRDb21tYW5kO2NsaWVudGtleT"; content:"O2hvc3RuYW1lPW"; classtype:trojan-activity; sid:2016488; rev:5; metadata:created_at 2013_02_22, updated_at 2013_02_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CBeplay Downloading Design"; flow:established,to_server; content:".CAB.bin"; http_uri; fast_pattern:only; pcre:"/[a-z]{2}\.CAB.bin$/U"; content:" Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1)|0d 0a|"; http_header; classtype:trojan-activity; sid:2016489; rev:3; metadata:created_at 2013_02_22, updated_at 2013_02_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Gimemo Ransomware Checkin"; flow:established,to_client; file_data; content:"/gate.php?computername="; nocase; classtype:trojan-activity; sid:2016496; rev:3; metadata:created_at 2013_02_25, updated_at 2013_02_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Caphaw Requesting Additional Modules From CnC"; flow:established,to_server; content:"/ping.html?r="; http_uri; fast_pattern:only; content:!"/utils/"; http_uri; pcre:"/\x2Fping\x2Ehtml\x3Fr\x3D[0-9]{5,14}$/U"; reference:url,www.welivesecurity.com/2013/02/25/caphaw-attacking-major-european-banks-with-webinject-plugin/; classtype:trojan-activity; sid:2016507; rev:4; metadata:created_at 2013_02_26, updated_at 2013_02_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Caphaw CnC Configuration File Request"; flow:established,to_server; content:"&id="; http_uri; content:"&inst="; http_uri; content:"&net"; http_uri; content:"&cmd=cfg"; fast_pattern:only; http_uri; reference:url,www.welivesecurity.com/2013/02/25/caphaw-attacking-major-european-banks-with-webinject-plugin/; classtype:trojan-activity; sid:2016508; rev:1; metadata:created_at 2013_02_26, updated_at 2013_02_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Zbot.Variant Fake MSIE 6.0 UA"; flow:to_server,established; content:".htm?"; fast_pattern:only; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|"; http_header; pcre:"/\/[a-z]\.htm\?[A-Za-z0-9]+$/U"; flowbits:set,ET.zbot.ua.2106509; classtype:trojan-activity; sid:2016509; rev:3; metadata:created_at 2013_02_26, updated_at 2013_02_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Travnet.A Checkin"; flow:to_server,established; content:".asp?hostid="; http_uri; content:"&hostname="; http_uri; content:"&hostip="; http_uri; content:"&filename="; http_uri; content:"&filestart="; http_uri; content:!"Referer|3a 20|"; http_header; content:"&filetext=begin|3a 3a|"; fast_pattern:only; http_uri; pcre:"/\?hostid=[0-9A-F]+?&/U"; reference:md5,d04a7f30c83290b86cac8d762dcc2df5; reference:md5,cb9cc50b18a7c91cf4a34c624b90db5d; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32%2FTravnet.A; reference:url,blogs.mcafee.com/mcafee-labs/travnet-botnet-steals-huge-amount-of-sensitive-data; reference:url,www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf; classtype:trojan-activity; sid:2016968; rev:4; metadata:created_at 2013_03_01, updated_at 2013_03_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gimemo Activity"; flow:established,to_server; content:"mainsettings/settings.sol"; http_uri; content:" MSIE 7.0|3b|"; http_header; classtype:trojan-activity; sid:2016515; rev:2; metadata:created_at 2013_03_04, updated_at 2013_03_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Asprox php.dll.crp POST CnC Beacon"; flow:established,to_server; content:"POST "; depth:5; pcre:"/\r\nHost\x3a[^\r\n\x3a]+?\x3a\d{1,5}\r\n/"; content:"|0d 0a 0d 0a|id="; content:"&code="; fast_pattern; distance:0; content:"&data="; distance:0; pcre:"/^POST \x2F[a-f0-9]{40,60}\x20/i"; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016527; rev:4; metadata:created_at 2013_03_04, updated_at 2013_03_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Asprox CnC Beacon"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3B| MSIE 6.0b|3B| Windows NT 5.0|3B| .NET CLR"; fast_pattern:30,20; pcre:"/\r\nHost\x3a[^\r\n\x3a]+?\x3a\d{1,5}\r\n/"; pcre:"/^POST \x2F[a-f0-9]{40,60}\x20/i"; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016528; rev:4; metadata:created_at 2013_03_04, updated_at 2013_03_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Asprox Passgrub POST CnC Beacon"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a 0d 0a|akk="; content:"&client="; distance:0; pcre:"/^POST \x2F[a-f0-9]{40,60}\x20/i"; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016529; rev:2; metadata:created_at 2013_03_04, updated_at 2013_03_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Asprox.FakeAV Affiliate Second Stage Download Location Request"; flow:established,to_server; content:"/api/urls/?ts="; http_uri; content:"&affid="; http_uri; pcre:"/\x26affid\x3D[0-9]{4,7}$/Ui"; flowbits:noalert; flowbits:set,ET.asproxfakeav; metadata: former_category TROJAN; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016530; rev:2; metadata:created_at 2013_03_04, updated_at 2017_11_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/Asprox.FakeAV Affiliate Download Location Response - Likely Pay-Per-Install For W32/Papras.Spy or W32/ZeroAccess"; flowbits:isset,ET.asproxfakeav; flow:established,to_client; file_data; content:"http|3A|//"; within:50; content:".exe?ts="; fast_pattern; distance:0; content:"&affid="; distance:0; metadata: former_category TROJAN; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016531; rev:2; metadata:created_at 2013_03_04, updated_at 2017_11_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/TrojanSpy.MSIL Fetch Time CnC Beacon"; flow:established,to_server; content:"/features/fetch/time/"; http_uri; content:!"User-Agent|3A|"; http_header; content:!"Content-"; http_header; content:!"Accept-"; http_header; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AMSIL%2FCrime.B; classtype:trojan-activity; sid:2016533; rev:1; metadata:created_at 2013_03_04, updated_at 2013_03_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/TrojanSpy.MSIL Get New MAC CnC Beacon"; flow:established,to_server; content:"/features/get/new/mac/"; http_uri; content:!"User-Agent|3A|"; http_header; content:!"Content-"; http_header; content:!"Accept-"; http_header; content:!"Connection|3A|"; http_header; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AMSIL%2FCrime.B; classtype:trojan-activity; sid:2016534; rev:1; metadata:created_at 2013_03_04, updated_at 2013_03_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/TrojanSpy.MSIL Set Done Day CnC Beacon"; flow:established,to_server; content:"/features/set/done/day/"; http_uri; content:!"User-Agent|3A|"; http_header; content:!"Content-"; http_header; content:!"Accept-"; http_header; content:!"Connection|3A|"; http_header; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AMSIL%2FCrime.B; classtype:trojan-activity; sid:2016535; rev:1; metadata:created_at 2013_03_04, updated_at 2013_03_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/TrojanSpy.MSIL Fetch Header CnC Beacon"; flow:established,to_server; content:"/features/fetch/header/"; http_uri; content:!"User-Agent|3A|"; http_header; content:!"Content-"; http_header; content:!"Accept-"; http_header; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AMSIL%2FCrime.B; classtype:trojan-activity; sid:2016536; rev:1; metadata:created_at 2013_03_04, updated_at 2013_03_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Trustezeb.C CnC Beacon"; flow:established,to_server; content:".php?ltype="; http_uri; content:"&ccr="; http_uri; content:"&id="; http_uri; content:"&stat="; http_uri; content:"&ver="; http_uri; content:"&loc="; http_uri; content:"&os="; http_uri; reference:url,www.abuse.ch/?p=5175; reference:url,www.virusradar.com/Win32_Trustezeb.C/description; classtype:trojan-activity; sid:2016552; rev:1; metadata:created_at 2013_03_07, updated_at 2013_03_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Urausy.C Checkin"; flow:to_server,established; urilen:>80; content:"GET"; http_method; pcre:"/^\/[a-z-_]+?\.(php|html)$/Ui"; content:"User-Agent|3a| Mozilla/5.0 (Windows NT 6.1|3b| WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11|0d 0a|"; fast_pattern:86,20; depth:122; http_header; content:!"Referer|3a| "; http_header; content:!"Accept|3a| "; http_header; reference:md5,09462f13d7e6aaa0bff2788158343829; reference:md5,b18f80d665f340af91003226a2b974b6; reference:md5,1494b8b9f42753a4bc1762d8f3287db6; classtype:trojan-activity; sid:2016553; rev:2; metadata:created_at 2013_03_07, updated_at 2013_03_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN vSkimmer.PoS Checkin"; flow:to_server,established; content:"/process.php?xy="; fast_pattern:only; http_uri; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; content:!"Referer|3a|"; http_header; reference:md5,a99d5d1652dfcda190c3d412828dcf6d; reference:md5,82d9cab2692ae13fc5b835ea2cbb36d7; reference:url,anubis.iseclab.org/action=result&task_id=1b92f08cdbfb73e64450fd07ec88849b3; classtype:trojan-activity; sid:2018109; rev:4; metadata:created_at 2013_03_12, updated_at 2013_03_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/LetsGo.APT Sleep CnC Beacon"; flow:established,to_server; content:"User-Agent|3a| sleep "; http_header; fast_pattern:only; pcre:"/\.html\?[0-9]{10}$/U"; pcre:"/User-Agent\x3a\x20sleep \d+[\r\x2c]/H"; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/the-dingo-and-the-baby.html; classtype:trojan-activity; sid:2016568; rev:1; metadata:created_at 2013_03_13, updated_at 2013_03_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN APT_NGO_wuaclt C2 Check-in"; flow:to_server,established; content:"/news/show.asp?id1="; http_uri; fast_pattern:only; content:"User-Agent|3a| Mozilla/4.0 |28|compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1"; http_header; reference:url,labs.alienvault.com; classtype:trojan-activity; sid:2016572; rev:1; metadata:created_at 2013_03_13, updated_at 2013_03_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN APT_NGO_wuaclt"; flow:to_server,established; content:"/pics/"; http_uri; content:".asp?id="; http_uri; content:"User-Agent|3a| Mozilla/4.0 |28|compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SP Q"; http_header; content:"|0d 0a|Cookies|3a 20|"; fast_pattern:only; reference:url,labs.alienvault.com; classtype:trojan-activity; sid:2016573; rev:1; metadata:created_at 2013_03_13, updated_at 2013_03_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Urausy.C Checkin 2"; flow:to_server,established; urilen:>80; content:"GET"; http_method; content:".html"; http_uri; fast_pattern:only; content:!"Referer|3a| "; http_header; content:!"Accept|3a| "; http_header; pcre:"/\/[A-Za-z0-9-_]{75,}\.html$/U"; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b| MSIE "; depth:42; http_header; reference:md5,09462f13d7e6aaa0bff2788158343829; reference:md5,b18f80d665f340af91003226a2b974b6; reference:md5,1494b8b9f42753a4bc1762d8f3287db6; classtype:trojan-activity; sid:2016567; rev:4; metadata:created_at 2013_03_13, updated_at 2013_03_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dorkbot Loader Payload Request"; flow:established,to_server; content:"Mozilla/4.0|0D 0A|Host|3a|"; http_header; content:".exe"; http_uri; fast_pattern; urilen:<11; reference:md5,3452c20fd0df69ccfdea520a6515208a; classtype:trojan-activity; sid:2016578; rev:3; metadata:created_at 2013_03_15, updated_at 2013_03_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN APT_NGO_wuaclt PDF file"; flow:from_server,established; file_data; content:"%PDF-"; within:5; content:"|3C 21 2D 2D 0D 0A 63 57 4B 51 6D 5A 6C 61 56 56 56 56 56 56 56 56 56 56 56 56 56 63 77 53 64 63 6A 4B 7A 38 35 6D 37 4A 56 6D 37 4A 46 78 6B 5A 6D 5A 6D 52 44 63 5A 58 41 73 6D 5A 6D 5A 7A 42 4A 31 79 73 2F 4F 0D 0A|"; within:200; reference:url,labs.alienvault.com/labs/index.php/2013/latest-adobe-pdf-exploit-used-to-target-uyghur-and-tibetan-activists/; classtype:trojan-activity; sid:2016579; rev:1; metadata:created_at 2013_03_15, updated_at 2013_03_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN RevProxy Java  Settings"; flow:established,to_client; file_data; content:"USE_USERAGENT="; content:"DELAY_BETWEEN_SYNCS="; content:"CONNECTION_TIMEOUT="; classtype:trojan-activity; sid:2016592; rev:3; metadata:created_at 2013_03_18, updated_at 2013_03_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/GameThief Initial CnC Beacon"; flow:established,to_server; content:"/count/bindplugin.ini"; http_uri; content:"User-Agent|3A| NSISDL/1.2 (Mozilla)"; http_header; classtype:trojan-activity; sid:2016637; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Depyot.Downloader CnC Beacon"; flow:established,to_server; content:"/pdf.php?id="; http_uri; fast_pattern; content:"User-Agent|3A| Mozilla/4.0 (compatible)|0D 0A|"; http_header; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader%3AWin32%2FDepyot.A&ThreatID=-2147288740; classtype:trojan-activity; sid:2016638; rev:1; metadata:created_at 2013_03_21, updated_at 2013_03_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Galock Ransomware Check-in"; flow:established,to_server; content:"&os="; http_uri; content:"&hostname="; http_uri; content:"&codepage="; http_uri; content:"&account"; http_uri; content:"|3a| Mozilla/4.1 "; http_header; fast_pattern:only; reference:url,twitter.com/kafeine/status/314859973064667136/photo/1; classtype:trojan-activity; sid:2016644; rev:1; metadata:created_at 2013_03_22, updated_at 2013_03_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Galock Ransomware Command"; flow:established,from_server; file_data; content:"[LOCK]"; within:6; isdataat:!1,relative; reference:url,twitter.com/kafeine/status/314859973064667136/photo/1; classtype:trojan-activity; sid:2016645; rev:1; metadata:created_at 2013_03_22, updated_at 2013_03_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [CrowdStrike] ANCHOR PANDA - Adobe Gh0st Beacon"; flow:established, to_server; content: "Adobe"; depth:5; content:"|e0 00 00 00 78 9c|"; distance: 4; within:15; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016656; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2013_03_22, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [CrowdStrike] ANCHOR PANDA Torn RAT Beacon Message Header Local"; flow:established, to_server; dsize:16; content:"|00 00 00 11 c8 00 00 00 00 00 00 00 00 00 00 00|"; depth:16; flowbits:set,ET.Torn.toread_header; flowbits: noalert; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016659; rev:2; metadata:created_at 2013_03_22, updated_at 2013_03_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [CrowdStrike] ANCHOR PANDA Torn RAT Beacon Message"; dsize: 200; flow: to_server,established; flowbits:isset,ET.Torn.toread_header; content:"|40 7e 7e 7e|"; offset:196; depth:4; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016660; rev:2; metadata:created_at 2013_03_22, updated_at 2013_03_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Worm.Win32.Vobfus Checkin 3"; flow:established,to_server; content:!"Accept-Language|3a|"; content:!"Referer"; content:"GET /"; depth:5; content:"|3f|"; distance:1; within:21; pcre:"/^GET \/[a-zA-Z0-9]{1,19}\/?\?[abdeijhg\x22](\x7C\x2d?\d+?[^\\\*\+\=\|\:\;\x22\?\<\>\,\#][a-zA-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14})?\x20HTTP\/1\.1/"; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE|20|"; fast_pattern:36,6; content:!"Host|3a 20|www.pinterest.com"; reference:md5,3ed744b12a77359576af10a265154081; reference:md5,a2049adc2834d797b37f45382608f2b4; classtype:trojan-activity; sid:2018958; rev:17; metadata:created_at 2013_03_25, updated_at 2013_03_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Delfinject Check-in"; flow:established,to_server; content: "|44 4d 7f 49 51 48 50 62 7d 74 61 77 4e 55 32 2f|"; depth:16; dsize:<65; reference:md5,90f8b934c541966aede75094cfef27ed; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=VirTool%3AWin32%2FDelfInject; classtype:trojan-activity; sid:2016685; rev:2; metadata:created_at 2013_03_27, updated_at 2013_03_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Enchanim Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"svchost.exe"; http_uri; fast_pattern:only; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 5.01|3b| Windows NT 5.0)"; http_header; reference:md5,539d3b15e9c3882ac70bb1ac7f90a837; classtype:trojan-activity; sid:2016707; rev:2; metadata:created_at 2013_04_01, updated_at 2013_04_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Kovter Ransomware Check-in"; flow:established,to_server; content:".php?mode="; nocase; http_uri; content:"&OS="; nocase; http_uri; content:"&OSbit="; http_uri; nocase; fast_pattern:only; reference:url,www.botnets.fr/index.php/Kovter; reference:md5,82d0e4f8b34d6d39ee4ff59d0816ec05; classtype:trojan-activity; sid:2016690; rev:12; metadata:created_at 2013_04_01, updated_at 2013_04_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus User-Agent(z00sAgent)"; flow:to_server,established; content:"User-Agent|3a| z00sAgent"; fast_pattern:12,9; http_header; reference:md5,e94fb19f3a38f9b2a775b925e4c0abe3; classtype:trojan-activity; sid:2016710; rev:1; metadata:created_at 2013_04_02, updated_at 2013_04_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/BaneChant.APT Data Exfiltration POST to CnC"; flow:established,to_server; content:"POST"; http_method; content:"/adserv/get.php"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV2)|0D 0A|"; http_header; reference:url,www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html; classtype:trojan-activity; sid:2016727; rev:1; metadata:created_at 2013_04_05, updated_at 2013_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/BaneChant.APT Initial CnC Beacon"; flow:established,to_server; content:"/adserv/logo.jpg"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV2)|0D 0A|"; http_header; reference:url,www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html; classtype:trojan-activity; sid:2016728; rev:1; metadata:created_at 2013_04_05, updated_at 2013_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Revoyem Ransomware Check-in"; flow:established,to_server; content:".php?id="; http_uri; content:"&os="; http_uri; content:"&bot_id="; http_uri; fast_pattern:only; pcre:"/\.php\?id=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}&os=\d\.\d[^&]*&bot_id=/U"; reference:url,www.botnets.fr/index.php/Revoyem; classtype:trojan-activity; sid:2016731; rev:3; metadata:created_at 2013_04_05, updated_at 2013_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Revoyem Ransomware Activity"; flow:established,to_server; content:".php?id="; http_uri; content:"&gr"; http_uri; fast_pattern:only; pcre:"/\.php\?id=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}-(\d{1,3}\.){3}\d{1,3}&gr/U"; reference:url,www.botnets.fr/index.php/Revoyem; classtype:trojan-activity; sid:2016732; rev:3; metadata:created_at 2013_04_05, updated_at 2013_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Citadel File.php CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"/administrator/templates/system/html/file.php"; http_uri; reference:url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html; reference:url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf; classtype:trojan-activity; sid:2016739; rev:1; metadata:created_at 2013_04_09, updated_at 2013_04_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Citadel Content.php CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"/administrator/modules/mod_menu/tmpl/content.php"; http_uri; reference:url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html; reference:url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf; classtype:trojan-activity; sid:2016740; rev:1; metadata:created_at 2013_04_09, updated_at 2013_04_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Citadel Pro File.php CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"/pro/file.php"; http_uri; reference:url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html; reference:url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf; classtype:trojan-activity; sid:2016741; rev:1; metadata:created_at 2013_04_09, updated_at 2013_04_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible W32/Citadel Download From CnC Server Self Referenced /files/ attachment"; flow:established,to_client;content:" filename=|22|%2e/files/"; nocase; http_header; pcre:"/\sfilename=\x22\%2e\/files\/[^\x22\x2f\r\n]+?\x22\r\n/H"; reference:url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html; reference:url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf; classtype:trojan-activity; sid:2016742; rev:7; metadata:created_at 2013_04_09, updated_at 2013_04_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/Citadel Conf.bin Download From CnC Server"; flow:established,to_client; content:"filename=|22|%2e/files/conf.bin|22|"; nocase; http_header; reference:url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html; reference:url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf; classtype:trojan-activity; sid:2016743; rev:1; metadata:created_at 2013_04_09, updated_at 2013_04_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/NSISDL.Downloader CnC Server Response"; flow:established,to_client; file_data; content:"[install 1]"; within:11; content:"Ins="; within:40; classtype:trojan-activity; sid:2016746; rev:1; metadata:created_at 2013_04_09, updated_at 2013_04_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN RansomCrypt Intial Check-in"; flow:to_server,established; content:"GET "; depth:4; pcre:"/^\/[a-zA-Z0-9]+\sHTTP/R"; content:"Windows NT 5.1|3b| ru|3b|"; distance:0; content:"Gecko/20100722 Firefox/3.6.12|0d 0a|Host|3a|"; distance:0; fast_pattern:16,20; classtype:trojan-activity; sid:2016748; rev:1; metadata:created_at 2013_04_10, updated_at 2013_04_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN RansomCrypt Getting Template"; flow:to_server,established; content:"GET /lnd/template="; fast_pattern; pcre:"/^[^\r\n]*\/[a-z0-9]+\sHTTP/Ui"; content:"MSIE 7.0|3b| Windows NT 5.1|3b|"; distance:0; classtype:trojan-activity; sid:2016749; rev:1; metadata:created_at 2013_04_10, updated_at 2013_04_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Nymaim Checkin (2)"; flow:to_server,established; content:"POST"; depth:5; content:"Content-Type|3a| application/x-www-form-urlencoded|0d 0a|"; nocase; distance:0; content:" MSIE "; content:"|0d 0a 0d 0a|filename="; distance:0; fast_pattern; content:"&data="; distance:0; content:!"Referer"; pcre:"/\r\n\r\nfilename=[a-z]+?\.[a-z]+?&data=/"; classtype:trojan-activity; sid:2016757; rev:8; metadata:created_at 2013_04_15, updated_at 2013_04_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Redyms.A Checkin"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; offset:6; depth:7; content:".net|0d 0a|"; http_header; pcre:"/^POST \/(?P<filep>[a-z]{5,8})\.php HTTP.+?\r\nHost\x3a\x20(?P=filep)[a-z]+?\.net\r\n/s"; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2016759; rev:1; metadata:created_at 2013_04_16, updated_at 2013_04_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Dorkbot.AR Join IRC channel"; flow:to_server,established; content:"NICK n|7B|"; nocase; pcre:"/^\S{2,3}\x7c\S+?[au]\x7D\w{2,11}\x0d?\x0a/Ri"; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AWin32/Dorkbot.AR; reference:md5,7e76c7db8706511fc59508af4aef27fa; classtype:trojan-activity; sid:2016768; rev:4; metadata:created_at 2013_04_17, updated_at 2013_04_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Win32/Enchanim Check-in Response"; flow:established,to_client; file_data; content:"|3a|some_magic_code1"; distance:9; within:29; isdataat:!1,relative; reference:md5,2642999a085443e9055b292c4d405e64; reference:md5,37066ed52cd7510bf04808c332599f1c; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:trojan-activity; sid:2016769; rev:1; metadata:created_at 2013_04_18, updated_at 2013_04_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Enchanim Process List Dump"; flow:to_server,established; content:"GET"; http_method; content:"&pl=|5b|System|20|Process"; http_uri; content:"svchost.exe"; http_uri; content:"&r="; http_uri; content:"&g="; http_uri; content:"&s="; http_uri; content:"&c="; http_uri; reference:md5,2642999a085443e9055b292c4d405e64; reference:md5,37066ed52cd7510bf04808c332599f1c; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:trojan-activity; sid:2016770; rev:1; metadata:created_at 2013_04_18, updated_at 2013_04_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Enchanim C2 Injection Download"; flow:established,to_client; content:"set_url "; content:"|0d 0a|data_before|0d 0a|"; distance:0; content:"|0d 0a|data_end|0d 0a|"; distance:0; content:"|0d 0a|data_inject|0d 0a|"; distance:0; fast_pattern; content:"|0d 0a|data_end|0d 0a|"; distance:0; content:"|0d 0a|data_after|0d 0a|"; distance:0; content:"|0d 0a|data_end|0d 0a|"; distance:0; reference:md5,2642999a085443e9055b292c4d405e64; reference:md5,37066ed52cd7510bf04808c332599f1c; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:trojan-activity; sid:2016771; rev:4; metadata:created_at 2013_04_18, updated_at 2013_04_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Enchanim C2 Client Check-in"; flow:established,to_server; content:"some_magic_code1"; depth:16; reference:md5,2642999a085443e9055b292c4d405e64; reference:md5,37066ed52cd7510bf04808c332599f1c; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:trojan-activity; sid:2016772; rev:2; metadata:created_at 2013_04_18, updated_at 2013_04_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mutter Backdoor Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/index.aspx?i="; http_uri; fast_pattern:only; pcre:"/^(Host\x3a [^\r\n]+?\r\nConnection\x3a Keep-Alive|Connection\x3a Keep-Alive\r\nHost\x3a [^\r\n]+?)\r\n(\r\n)?$/Hi"; reference:url,fireeye.com/blog/technical/malware-research/2013/04/the-mutter-backdoor-operation-beebus-with-new-targets.html; classtype:trojan-activity; sid:2016773; rev:2; metadata:created_at 2013_04_18, updated_at 2013_04_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [!5721,!5938] (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic"; flow:to_server,established; dsize:>11; content:"|78 9c|"; offset:9; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+.{8}\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:url,labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/; reference:url,www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/; reference:url,blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/; reference:url,www.norman.com/about_norman/press_center/news_archive/2012/the_many_faces_of_gh0st_rat/en; classtype:trojan-activity; sid:2016922; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2013_04_22, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Athena DDoS Bot Checkin"; flow:established,to_server; content:"POST"; depth:4; content:"|20|HTTP/1."; distance:0; content:!"Referer|3a|"; distance:0; content:"&b="; distance:0; content:"&c="; distance:0; content:"|0d 0a 0d 0a|a="; fast_pattern; pcre:"/^(%[0-9A-Fa-f]{2})+\x26b=[0-9A-Za-z]+(%3[dD]){0,2}\x26c=(%[0-9A-Fa-f]{2})+$/R"; reference:md5,19ca0d830cd7b44e5de1ab85f4e17d82; classtype:trojan-activity; sid:2017633; rev:3; metadata:created_at 2013_04_26, updated_at 2013_04_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/Zbot.Variant CnC Response"; flow:established,from_server; flowbits:isset,ET.zbot.ua.2106509; content:"200"; http_stat_code; content:"Content-Length|3a| 0|0d 0a|Content-Type|3a| text/html|0d 0a 0d 0a|"; http_header; fast_pattern:11,20; reference:md5,0c4d7d9138de7d7919e3b3c33ac2f851; classtype:trojan-activity; sid:2018764; rev:3; metadata:created_at 2013_04_26, updated_at 2013_04_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Linux Backdoor Linux/Cdorked.A Redirect 1"; flow:from_server,established; content:"302"; http_stat_code; content:"/index.php?"; http_header; content:"JnN1cmk9"; http_header; fast_pattern; distance:0; pcre:"/^Location\x3a\x20\s*?https?\:\/\/[a-f0-9]{16}\.[^\r\n]+?\/index\.php\?[a-z]=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})\r$/Hmi"; reference:url,welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/; classtype:trojan-activity; sid:2016793; rev:5; metadata:created_at 2013_04_26, updated_at 2013_04_26;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ET TROJAN TROJ_NAIKON.A SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|04|donc"; fast_pattern; distance:1; within:5; content:"|55 04 0b|"; content:"|03|abc"; distance:1; within:4; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/; classtype:trojan-activity; sid:2016795; rev:6; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2013_04_26, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Medfos Connectivity Check"; flow:established,to_server; content:"/uploading/id="; http_uri; fast_pattern:only; content:!"Referer|3a 20|"; http_header; pcre:"/^\/uploading\/id=\d{2,20}&u=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/I"; classtype:misc-activity; sid:2016800; rev:3; metadata:created_at 2013_04_30, updated_at 2013_04_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Known Sinkhole Response Header"; flow:established,to_client; content:"X-Sinkhole|3a| "; http_header; nocase; classtype:trojan-activity; sid:2016803; rev:3; metadata:created_at 2013_04_30, updated_at 2013_04_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cookies/Cookiebag Checkin"; flow:to_server,established; content:"/indexs.zip"; http_uri; fast_pattern:only; reference:md5,840BD11343D140916F45223BA05ABACB; classtype:trojan-activity; sid:2016808; rev:1; metadata:created_at 2013_05_01, updated_at 2013_05_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Urausy.C Checkin 3"; flow:to_server,established; urilen:>80; content:"GET"; http_method; content:".php"; http_uri; fast_pattern:only; content:!"Referer|3a| "; http_header; content:!"Accept|3a| "; http_header; pcre:"/\/[a-z-_]{75,}\.php$/U"; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b| MSIE "; depth:42; http_header; reference:md5,09462f13d7e6aaa0bff2788158343829; reference:md5,b18f80d665f340af91003226a2b974b6; reference:md5,1494b8b9f42753a4bc1762d8f3287db6; classtype:trojan-activity; sid:2016809; rev:5; metadata:created_at 2013_05_01, updated_at 2013_05_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Greencat SSL Certificate"; flow:established,from_server; content:"|55 04 08 13 05|Ocean"; fast_pattern:only; classtype:trojan-activity; sid:2016812; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2013_05_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Linux Backdoor Linux/Cdorked.A Redirect 2"; flow:from_server,established; content:"302"; http_stat_code; content:"/index.php?"; http_header; content:"mc3VyaT0"; http_header; fast_pattern; distance:0; pcre:"/^Location\x3a\x20\s*?https?\:\/\/[a-f0-9]{16}\.[^\r\n]+?\/index\.php\?[a-z]=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})\r$/Hmi"; reference:url,welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/; classtype:trojan-activity; sid:2016814; rev:3; metadata:created_at 2013_05_03, updated_at 2013_05_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Linux Backdoor Linux/Cdorked.A Redirect 3"; flow:from_server,established; content:"302"; http_stat_code; content:"/index.php?"; http_header; content:"ZzdXJpP"; http_header; fast_pattern; distance:0; pcre:"/^Location\x3a\x20\s*?https?\:\/\/[a-f0-9]{16}\.[^\r\n]+?\/index\.php\?[a-z]=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})\r$/Hmi"; reference:url,welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/; classtype:trojan-activity; sid:2016815; rev:3; metadata:created_at 2013_05_03, updated_at 2013_05_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Variant.Zusy.45802 Checkin"; flow:to_server,established; content:".php?uid="; fast_pattern:only; http_uri; content:"&affid="; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1)|0d 0a 0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/\.php\?uid=[-a-f0-9]+?&affid=\d+$/Ui"; classtype:trojan-activity; sid:2016816; rev:1; metadata:created_at 2013_05_03, updated_at 2013_05_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DEEP PANDA Checkin 1"; flow:established,to_server; content:"POST"; http_method; content:"/forum/login.cgi"; http_uri; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern:5,20; http_header; reference:url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/; reference:url,crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf; classtype:trojan-activity; sid:2016819; rev:3; metadata:created_at 2013_05_03, updated_at 2013_05_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DEEP PANDA Checkin 2"; flow:established,to_server; content:"POST"; http_method; content:"/Photos/Query.cgi?loginid="; http_uri; reference:url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/; reference:url,crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf; classtype:trojan-activity; sid:2016820; rev:3; metadata:created_at 2013_05_03, updated_at 2013_05_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DEEP PANDA Checkin 3"; flow:established,to_server; content:"POST"; http_method; content:"/Catelog/login1.cgi"; http_uri; fast_pattern; reference:url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/; reference:url,crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf; classtype:trojan-activity; sid:2016821; rev:4; metadata:created_at 2013_05_03, updated_at 2013_05_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious Fake Opera 10 User-Agent"; flow:established,to_server; content:"|3a 20|Opera/10|20|"; http_header; fast_pattern:only; content:!"Accept|3a 20|"; http_header; reference:url,dev.opera.com/articles/view/opera-ua-string-changes; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware; classtype:trojan-activity; sid:2016823; rev:3; metadata:created_at 2013_05_04, updated_at 2013_05_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Checkin"; flow:established,to_server; content:"POST"; http_method; pcre:"/\/[a-z]\/$/Ui"; content:"(compatible|3b|"; http_header; content:" MSIE "; distance:0; http_header; content:"(Compatible|3b|"; fast_pattern; distance:0; http_header; classtype:trojan-activity; sid:2016829; rev:1; metadata:created_at 2013_05_07, updated_at 2013_05_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Alina Checkin"; flow: established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"User-Agent|3a| Alina v"; http_header; content:"act="; http_client_body; content:"&b="; http_client_body; content:"&c="; http_client_body; content:"&v="; http_client_body; reference:url,blog.spiderlabs.com/2013/05/alina-shedding-some-light-on-this-malware-family.html; classtype:trojan-activity; sid:2016837; rev:5; metadata:created_at 2013_05_09, updated_at 2013_05_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Alina User-Agent(Alina)"; flow: established,to_server; content:"POST"; nocase; http_method; content:"User-Agent|3a| Alina v"; http_header; nocase; reference:url,blog.spiderlabs.com/2013/05/alina-shedding-some-light-on-this-malware-family.html; classtype:trojan-activity; sid:2016838; rev:4; metadata:created_at 2013_05_09, updated_at 2013_05_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Downloader.Win32.AutoIt.mj Checkin"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/downloads/IPFilter"; http_uri; nocase; content:".exe"; http_uri; nocase; pcre:"/\/downloads\/IPFilter\.exe$/Ui"; content:"User-Agent|3a| AutoIt"; depth:18; http_header; reference:url,threatexpert.com/report.aspx?md5=c4e923564c564163620959f23691cc26; reference:md5,4a77d3575845cf24b72400816d0b95c2; classtype:trojan-activity; sid:2016844; rev:1; metadata:created_at 2013_05_14, updated_at 2013_05_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Troj.Cidox Checkin"; flow:established,to_server; content:".php?sign="; fast_pattern:only; http_uri; content:"&key="; http_uri; content:"&av="; http_uri; content:"&os="; http_uri; content:"&vm="; http_uri; content:"&digital="; http_uri; reference:md5,0ce7f9dde5c273d7e71c9f1301fe505d; classtype:trojan-activity; sid:2017349; rev:2; metadata:created_at 2013_05_14, updated_at 2013_05_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Worm.Win32.Ngrbot.lof Join IRC channel"; flow:to_server,established; content:"NICK New|7B|"; nocase; pcre:"/^\S{2,3}\x2d(XP|2K3|VIS|2K8|W7|ERR)\w?\x2d\w+?\x7D\w+?\r\n?/Ri"; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AWin32/Dorkbot.AR; reference:md5,dd05fcd2368d8d410a5b85e8d504a435; classtype:trojan-activity; sid:2016849; rev:3; metadata:created_at 2013_05_14, updated_at 2013_05_14;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET TROJAN Possible Linux/Cdorked.A CnC"; flow:established,to_server; content:"/favicon.iso?"; fast_pattern:only; http_uri; reference:url,code.google.com/p/malware-lu/wiki/en_malware_cdorked_A; reference:url,welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/; classtype:trojan-activity; sid:2016850; rev:1; metadata:created_at 2013_05_14, updated_at 2013_05_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Embedded Android Dalvik Executable File With Fake Windows Executable Header - Possible AV Bypass Attempt"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"This program"; distance:0; content:"dex|0A|"; distance:0; reference:url,research.zscaler.com/2013/03/guess-who-am-i-pe-or-apk.html; classtype:trojan-activity; sid:2016854; rev:2; metadata:created_at 2013_05_15, updated_at 2013_05_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Embedded ZIP/APK File With Fake Windows Executable Header - Possible AV Bypass Attempt"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"This program"; distance:0; content:"PK|03|"; distance:0; content:"classes."; distance:0; reference:url,research.zscaler.com/2013/03/guess-who-am-i-pe-or-apk.html; classtype:trojan-activity; sid:2016855; rev:1; metadata:created_at 2013_05_15, updated_at 2013_05_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"Referer|3a|"; http_header; content:!"Content-Type|3a|"; http_header; content:" MSIE "; http_header; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}/P"; classtype:trojan-activity; sid:2016858; rev:7; metadata:created_at 2013_05_15, updated_at 2013_05_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Neurevt.A/Betabot checkin"; flow:established,to_server; content:"POST"; http_method; nocase;  content:!"Referer|3a|"; http_header; content:"ps0="; http_client_body; depth:4; fast_pattern; content:"&ps1="; http_client_body; pcre:"/^ps0=[A-F0-9]+\&ps1=[A-F0-9]+($|\&[a-z]s\d=)/P"; reference:md5,c447d364a9dad369ff07dcc14f5fbefb; reference:md5,a0a66dfbdf1ce76782ba20a07a052976; classtype:trojan-activity; sid:2017371; rev:8; metadata:created_at 2013_05_15, updated_at 2016_06_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Book of Eli CnC Checkin "; flow:to_server,established; content:"POST"; http_method; nocase; content:"CharSet|3a| windows-1256|0d 0a|"; http_header; content:!"User-Agent|3a| "; http_header; content:"id_serial="; depth:10; http_client_body; content:"&id_cpu="; http_client_body; content:"&go_and_fuck_this_life="; http_client_body; content:"&system__="; fast_pattern:only; http_client_body; content:"&hard_id="; http_client_body; metadata: former_category TROJAN; reference:url,blog.eset.ie/2016/09/22/malware-in-libya-book-of-eli-african-targeted-attacks/; reference:md5,25e5744979b365dc58cce23d377b3835; reference:md5,d22857cebad4200c3b1e8ec17836b451; reference:url,www.virustotal.com/en/file/faa20341f7a7277114f5c61e5013b9871ab2b0356f383b6798013ce333a30ae5/analysis/; classtype:trojan-activity; sid:2023254; rev:3; metadata:created_at 2013_05_16, updated_at 2017_11_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hangover Campaign Keylogger Checkin"; flow:established,to_server; content:".php?fol="; fast_pattern:only; http_uri; content:"&ac="; http_uri; content:"AVs"; http_uri; content:"OS"; http_uri; content:"SystemDT"; http_uri; content:"AppVersion"; http_uri; content:"DropPath"; http_uri; reference:md5,023d82950ebec016cd4016d7a11be58d; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016861; rev:1; metadata:created_at 2013_05_20, updated_at 2013_05_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hangover Campaign Keylogger 2 checkin"; flow:established,to_server; content:"/access.php"; fast_pattern:only; http_uri; content:"User-Agent|3a| sendfile"; http_header; nocase; reference:md5,0b38f87841ed347cc2a5ffa510a1c8f6; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016862; rev:2; metadata:created_at 2013_05_20, updated_at 2013_05_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.VB.cefz Checkin"; flow:established,to_server; content:"/hyper/fm.php?tp=in"; fast_pattern:only; http_uri; content:"&tg="; http_uri; reference:md5,0cace87b377a00df82839c659fc3adea; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016863; rev:1; metadata:created_at 2013_05_20, updated_at 2013_05_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.Agent.bjjv Checkin"; flow:established,to_server; content:"/wakeup/access.php"; fast_pattern:only; http_uri; content:"User-Agent|3a| UPHTTP"; http_header; reference:md5,06ba10a49c8cea32a51f0bbe8f5073f1; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016864; rev:1; metadata:created_at 2013_05_20, updated_at 2013_05_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojanSpy.KeyLogger.acqh User-Agent(EMSFRTCBVD)"; flow:established,to_server; content:"User-Agent|3a| EMSFRTCBVD"; http_header; fast_pattern:12,10; reference:md5,0e9e46d068fea834e12b2226cc8969fd; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016865; rev:1; metadata:created_at 2013_05_20, updated_at 2013_05_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Spy.Win32.KeyLogger.acuj Checkin"; flow:established,to_server; content:".php"; http_uri; content:"User-Agent|3a| MyHttpClient"; http_header; content:"tit="; fast_pattern; depth:4; http_client_body; content:"&cont="; http_client_body; reference:md5,078d12eb9fc2b1665c0cc3001448b69b; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016866; rev:2; metadata:created_at 2013_05_20, updated_at 2013_05_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.Pushdo.s Checkin"; flow:to_server,established; content:"POST"; http_method; content:!"Referer|3a 20|"; http_header; content:"Accept|3a| */*|0d 0a|Accept-Language|3a| en-us|0d 0a|Content-Type|3a| application/octet-stream|0d 0a|Content-Length|3a| "; http_header; depth:93; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1|29 0d 0a|Host|3a|"; fast_pattern:37,20; pcre:"/^[^\r\n]+?\r\n(Connection\x3a Keep-Alive\r\n)?Cache-Control\x3a no-cache\r\n/R"; flowbits:set,ET.Pushdo.S; threshold: type limit,track by_src,count 1,seconds 600; classtype:trojan-activity; sid:2016867; rev:3; metadata:created_at 2013_05_20, updated_at 2013_05_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(FMBVDFRESCT)"; flow:established,to_server; content:"User-Agent|3a| FMBVDFRESCT"; nocase; http_header; fast_pattern:12,10; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016881; rev:2; metadata:created_at 2013_05_21, updated_at 2013_05_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(DSMBVCTFRE)"; flow:established,to_server; content:"User-Agent|3a| DSMBVCTFRE"; nocase; http_header; fast_pattern:12,10; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016882; rev:1; metadata:created_at 2013_05_21, updated_at 2013_05_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(MBESCVDFRT)"; flow:established,to_server; content:"User-Agent|3a| MBESCVDFRT"; nocase; http_header; fast_pattern:12,10; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016883; rev:1; metadata:created_at 2013_05_21, updated_at 2013_05_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(TCBFRVDEMS)"; flow:established,to_server; content:"User-Agent|3a| TCBFRVDEMS"; nocase; http_header; fast_pattern:12,10; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016884; rev:1; metadata:created_at 2013_05_21, updated_at 2013_05_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(DEMOMAKE)"; flow:established,to_server; content:"User-Agent|3a| DEMOMAKE"; nocase; http_header; fast_pattern:12,8; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016885; rev:1; metadata:created_at 2013_05_21, updated_at 2013_05_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(DEMO)"; flow:established,to_server; content:"User-Agent|3a| DEMO|0d 0a|"; nocase; http_header; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016886; rev:1; metadata:created_at 2013_05_21, updated_at 2013_05_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(UPHTTP)"; flow:established,to_server; content:"User-Agent|3a| UPHTTP|0d 0a|"; nocase; http_header; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016887; rev:1; metadata:created_at 2013_05_21, updated_at 2013_05_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(sendFile)"; flow:established,to_server; content:"User-Agent|3a| sendFile|0d 0a|"; nocase; http_header; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016888; rev:2; metadata:created_at 2013_05_21, updated_at 2013_05_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(vbusers)"; flow:established,to_server; content:"User-Agent|3a| vbusers|0d 0a|"; nocase; http_header; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016891; rev:1; metadata:created_at 2013_05_21, updated_at 2013_05_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(folderwin)"; flow:established,to_server; content:"User-Agent|3a| folderwin|0d 0a|"; nocase; http_header; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016892; rev:1; metadata:created_at 2013_05_21, updated_at 2013_05_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(smaal)"; flow:established,to_server; content:"User-Agent|3a| smaal|0d 0a|"; nocase; http_header; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016893; rev:1; metadata:created_at 2013_05_21, updated_at 2013_05_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(nento)"; flow:established,to_server; content:"User-Agent|3a| nento|0d 0a|"; nocase; http_header; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016894; rev:1; metadata:created_at 2013_05_21, updated_at 2013_05_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(bugmaal)"; flow:established,to_server; content:"User-Agent|3a| bugmaal|0d 0a|"; nocase; http_header; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016895; rev:1; metadata:created_at 2013_05_21, updated_at 2013_05_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Win32/Gapz MSIE 9 on Windows NT 5"; flow:established,to_server; content:" MSIE 9.0|3b| Windows NT 5."; fast_pattern:3,20; pcre:"/^User-Agent\x3a[^\r\n]+?\sMSIE\s9\.0\x3b\sWindows\sNT\s5\./Hmi"; threshold: type limit,track by_src,count 2,seconds 60; reference:url,windows.microsoft.com/en-us/internet-explorer/products/ie-9/system-requirements; classtype:trojan-activity; sid:2016897; rev:5; metadata:created_at 2013_05_21, updated_at 2013_05_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.BlackRev Registering Client"; flow:established,to_server; content:"/gate.php?reg="; http_uri; fast_pattern:only; pcre:"/\/gate\.php\?reg=([a-z]{10}|[A-Za-z]{15})$/U"; content:!"Referer|3a 20|"; http_header; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016899; rev:3; metadata:created_at 2013_05_21, updated_at 2013_05_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.BlackRev Download Executable"; flow:established,to_server; content:"/gate.php?cmd=getinstallconfig"; http_uri; fast_pattern:10,20; pcre:"/\/gate\.php\?cmd=getinstallconfig$/U"; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016902; rev:4; metadata:created_at 2013_05_21, updated_at 2013_05_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.BlackRev Registration Rev3"; flow:established,to_server; content:"/gate.php?id="; http_uri; pcre:"/\/gate\.php\?id=[a-z]{15}$/U"; content:"(compatible|3b| Synapse)"; http_header; content:!"Referer|3a 20|"; http_header; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016909; rev:1; metadata:created_at 2013_05_21, updated_at 2013_05_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.BlackRev Get Command Rev3"; flow:established,to_server; content:"/get"; http_uri; pcre:"/\/get$/U"; content:"(compatible|3b| Synapse)"; http_header; content:!"Referer|3a 20|"; http_header; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016910; rev:1; metadata:created_at 2013_05_21, updated_at 2013_05_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Briba CnC POST Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/index"; http_uri; depth:6; content:".asp"; http_uri; distance:9; within:4; content:" MSIE "; http_header; content:"Host|3A| update.microsoft.com"; http_header; content:"Content-Length|3a| 00"; http_header; fast_pattern:only; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/05/ready-for-summer-the-sunshop-campaign.html; reference:url,citizenlab.org/wp-content/uploads/2012/09/IEXPL0RE_RAT.pdf; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PWS%3AWin32%2FBriba.A; classtype:trojan-activity; sid:2016911; rev:3; metadata:created_at 2013_05_21, updated_at 2013_05_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Antavmu.guw Checkin"; flow:to_server,established; content:"/smadstat.php?mac="; fast_pattern:only; http_uri; content:"&key="; http_uri; content:"&name="; http_uri; content:"&os="; http_uri; content:"&build="; http_uri; content:"&old="; http_uri; content:"&comp="; http_uri; content:"User-Agent|3a| Smart-RTP|0d 0a|"; http_header; reference:md5,2b63ed542eb0e1a4547a2b6e91391dc0; reference:url,www.securelist.com/en/descriptions/16150989/Trojan.Win32.Antavmu.guw?print_mode=1; reference:url,www.threatexpert.com/report.aspx?md5=a80f33c94c44556caa2ef46cd5eb863c; classtype:trojan-activity; sid:2016914; rev:1; metadata:created_at 2013_05_22, updated_at 2013_05_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Spy/Infostealer.Win32.Embed.A Client Traffic"; flow:established,to_server; content:"/search?hl="; http_uri; content:"q="; http_uri; content:"meta="; fast_pattern:only; http_uri; content:"Windows NT 5."; http_header; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; pcre:"/meta=(?:(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))?(?:&?id=[a-z]+)?$/U"; content:!"sogou.com"; http_header; metadata: former_category TROJAN; reference:url,contagiodump.blogspot.no/2011/01/jan-6-cve-2010-3333-with-info-theft.html; classtype:trojan-activity; sid:2016932; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2013_05_28, malware_family HIMAN, performance_impact Moderate, updated_at 2017_03_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Safe User Agent Fantasia"; flow:established,to_server; content:"User-Agent|3A| Fantasia|0D 0A|"; http_header; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-safe-a-targeted-threat.pdf; classtype:trojan-activity; sid:2016934; rev:1; metadata:created_at 2013_05_28, updated_at 2013_05_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Variant.Kazy.174106 Checkin"; flow:established,to_server; content:"GET "; nocase; depth:4; pcre:"/^[^\r\n]+?\.php\?T=/R"; content:"User-Agent|3a| Tesla"; fast_pattern:only; reference:md5,ff7a263e89ff01415294470e1e52c010; classtype:trojan-activity; sid:2016939; rev:1; metadata:created_at 2013_05_28, updated_at 2013_05_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vobfus Check-in"; flow:established,to_server; content:".php?page="; http_uri; content:"&style=LED_g&nbdigits="; http_uri; distance:0; fast_pattern; content:"User-Agent|3a 20|Opera"; http_header; nocase; classtype:trojan-activity; sid:2016940; rev:1; metadata:created_at 2013_05_28, updated_at 2013_05_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET TROJAN Possible Win32.Bicololo Checkin"; flow:established,to_server; content:"GET "; depth:4; pcre:"/^\/stat\/[a-z]{3,4}\/\d{1,4}\sHTTP\/1\./R"; content:"/stat/"; nocase; fast_pattern:only; flowbits:set,ET.Bicololo.Request; reference:md5,252c95327ce556a21bdd7e9a322e206c; reference:url,www.virusradar.com/Win32_Bicololo.A/description; classtype:trojan-activity; sid:2016946; rev:2; metadata:created_at 2013_05_31, updated_at 2013_05_31;)

alert tcp $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET TROJAN Win32.Bicololo Response 1"; flow:established,to_client; content:"Set-Cookie|3a| ci_session="; content:"|0d 0a 0d 0a|7|0d 0a|ne_unik|0d 0a|0"; fast_pattern; distance:0; pcre:"/^(\r\n)+?$/R"; reference:md5,691bd07048b09c73f0a979529a66f6e3; classtype:trojan-activity; sid:2016947; rev:1; metadata:created_at 2013_05_31, updated_at 2013_05_31;)

alert tcp $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET TROJAN Win32.Bicololo Response 2"; flow:established,to_client; flowbits:isset,ET.Bicololo.Request; content:"|0d 0a|Set-Cookie|3a| ci_session="; content:"|0d 0a 0d 0a|2|0d 0a|ok|0d 0a|0"; fast_pattern; distance:0; pcre:"/^(\r\n)+?$/R"; reference:md5,691bd07048b09c73f0a979529a66f6e3; classtype:trojan-activity; sid:2016948; rev:1; metadata:created_at 2013_05_31, updated_at 2013_05_31;)

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Backdoor.Linux.Tsunami Outbound HTTP request"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/4.75 [en] (X11|3b| U|3b| Linux 2.2.16-3 i686)|0d 0a|"; http_header; fast_pattern:12,20; content:"|3a|80|0d 0a|"; http_header; reference:url,malwaremustdie.blogspot.jp/2013/05/story-of-unix-trojan-tsunami-ircbot-w.html; classtype:trojan-activity; sid:2016949; rev:1; metadata:created_at 2013_05_31, updated_at 2013_05_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Win32/Hupigon ip.txt with a Non-Mozilla UA"; flow:established,to_server; content:"/ip.txt"; http_uri; nocase; fast_pattern:only; pcre:"/ip\.txt$/Ui"; pcre:"/^User-Agent\x3a(?!\x20Mozilla\/)[^\r\n]+\r?$/Hm"; content:!"%E5%A4%A7%E4%BC%97%E7%82%B9%E8%AF%84"; http_header; reference:md5,4d23395fcbab1dabef9afe6af81df558; classtype:trojan-activity; sid:2016950; rev:2; metadata:created_at 2013_05_31, updated_at 2013_05_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN System Progressive Detection FakeAV (AuthenticAMD)"; flow:to_server,established; content:"ts="; http_uri; nocase; content:"affid="; http_uri; nocase; content:"AuthenticAMD|3b|"; http_header; fast_pattern:only; pcre:"/\(b\x3a\d+?\x3bc\x3a[^\x3b]+AuthenticAMD\x3b/H"; reference:md5,16d529fc48250571a9e667fb264c8497; classtype:trojan-activity; sid:2016960; rev:8; metadata:created_at 2013_05_31, updated_at 2013_05_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN System Progressive Detection FakeAV (GenuineIntel)"; flow:to_server,established; content:"ts="; http_uri; nocase; content:"affid="; http_uri; nocase; content:"GenuineIntel|3b|"; http_header; fast_pattern:only; pcre:"/\(b\x3a\d+?\x3bc\x3a[^\x3b]+GenuineIntel\x3b/H"; reference:md5,16d529fc48250571a9e667fb264c8497; classtype:trojan-activity; sid:2016961; rev:9; metadata:created_at 2013_05_31, updated_at 2013_05_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Swizzor User-Agent (Swizz03r)"; flow:established,to_server; content:"GET"; http_method; content:"Swizz03r Download Agent"; nocase; http_header; reference:md5,5d232faca6d2b082b450b8ee4e238483; classtype:trojan-activity; sid:2018765; rev:2; metadata:created_at 2013_06_03, updated_at 2013_06_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Symmi Remote File Injector Initial CnC Beacon"; flow:established,to_server; content:"/ggu.php"; fast_pattern:only; http_uri; content:"User-Agent|3A| Mozilla/5.0|0D 0A|"; http_header; reference:url,www.deependresearch.org/2013/05/under-this-rock-vulnerable.html; classtype:trojan-activity; sid:2016967; rev:1; metadata:created_at 2013_06_03, updated_at 2013_06_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Win32/Travnet.A Internet Connection Check (microsoft.com)"; flow:to_server,established; content:"GET"; http_method; content:"/info/privacy_security.htm"; http_uri; content:!"Referer|3a 20|"; http_header; content:"microsoft.com|0d 0a|"; http_header; reference:md5,d04a7f30c83290b86cac8d762dcc2df5; reference:md5,cb9cc50b18a7c91cf4a34c624b90db5d; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32%2FTravnet.A; reference:url,blogs.mcafee.com/mcafee-labs/travnet-botnet-steals-huge-amount-of-sensitive-data; classtype:trojan-activity; sid:2016969; rev:4; metadata:created_at 2013_06_04, updated_at 2013_06_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [442,443,446,447,8001] (msg:"ET TROJAN Win32/Ramnit Checkin"; flow:established,to_server; dsize:6; content:"|00 ff|"; depth:2; content:"|00 00|"; distance:1; within:2; metadata: former_category TROJAN; reference:md5,3fc81e102825a74b27faabbcd9408993; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; reference:md5,5740a73856128270b37ec4afae870d12; classtype:trojan-activity; sid:2018558; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2013_06_05, malware_family Ramnit, performance_impact Low, updated_at 2017_07_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Sality-GR Checkin"; flow:to_server,established; content:".gif?"; http_uri; fast_pattern:only; content:"User-Agent|3a| "; depth:12; http_header; content:!"Accept"; distance:0; http_header; content:!"Referer"; distance:0; http_header; pcre:"/\.gif\x3f[0-9a-f]{4,8}\x3d\x2d?\d+(?:&id\x3d\d+)?$/U"; reference:md5,3a03a20bfefe3fdd01659d47d2ed76c8; classtype:trojan-activity; sid:2018340; rev:5; metadata:created_at 2013_06_06, updated_at 2013_06_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN KeyBoy Backdoor Login"; flow:to_server,established; content:"|c4 4c 87 3f 11 1e c4 1a|"; depth:8; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-tar geted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016986; rev:2; metadata:created_at 2013_06_07, updated_at 2013_06_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN KeyBoy Backdoor SysInfo Response header"; flow:to_server,established; content:"|ac 09 7b 09 4b 2a 92 bd ac 00|"; depth:10; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-tar geted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016987; rev:2; metadata:created_at 2013_06_07, updated_at 2013_06_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN KeyBoy Backdoor File Manager Response Header"; flow:to_server,established; content:"|ac 92 4b 04 ff 37 b3 2a b3 25 ff 76 ac 00|"; depth:14; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-tar geted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016988; rev:3; metadata:created_at 2013_06_07, updated_at 2013_06_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN KeyBoy Backdoor File Download Response Header"; flow:to_server,established; content:"|ac 92 4b 04 ff 0c bd 55 2a 04 bd b3 6c ac 00|"; depth:15; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-tar geted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016989; rev:2; metadata:created_at 2013_06_07, updated_at 2013_06_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN KeyBoy Backdoor File Upload Response Header"; flow:to_server,established; content:"|ac 92 4b 04 ff cf 50 04 bd b3 6c ac 00|"; depth:13; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-tar geted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016990; rev:2; metadata:created_at 2013_06_07, updated_at 2013_06_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Alina Server Response Code"; flow: established,from_server; content:" 666 OK|0d 0a|"; fast_pattern:only; content:"666"; http_stat_code; nocase; reference:url,blog.spiderlabs.com/2013/05/alina-shedding-some-light-on-this-malware-family.html; reference:md5,7d6ec042a38d108899c8985ed7417e4a; classtype:trojan-activity; sid:2016991; rev:3; metadata:created_at 2013_06_07, updated_at 2013_06_07;)

#alert ip $HOME_NET any -> [195.22.26.231,195.22.26.232] any (msg:"ET TROJAN Connection to AnubisNetworks Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016993; rev:3; metadata:created_at 2013_06_10, updated_at 2013_06_10;)

#alert ip $HOME_NET any -> [50.57.148.87,166.78.144.80] any (msg:"ET TROJAN Connection to Georgia Tech Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016994; rev:2; metadata:created_at 2013_06_10, updated_at 2013_06_10;)

#alert ip $HOME_NET any -> 212.227.20.19 any (msg:"ET TROJAN Connection to 1&1 Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016995; rev:3; metadata:created_at 2013_06_10, updated_at 2013_06_10;)

#alert ip $HOME_NET any -> 176.31.62.76 any (msg:"ET TROJAN Connection to Zinkhole Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016996; rev:2; metadata:created_at 2013_06_10, updated_at 2013_06_10;)

#alert ip $HOME_NET any -> 91.233.244.106 any (msg:"ET TROJAN Connection to Dr Web Sinkhole IP(Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016997; rev:2; metadata:created_at 2013_06_10, updated_at 2013_06_10;)

#alert ip $HOME_NET any -> 193.166.255.171 any (msg:"ET TROJAN Connection to Fitsec Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016998; rev:2; metadata:created_at 2013_06_10, updated_at 2013_06_10;)

#alert ip $HOME_NET any -> [199.2.137.0/24,207.46.90.0/24] any (msg:"ET TROJAN Connection to Microsoft Sinkhole IP (Possbile Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016999; rev:4; metadata:created_at 2013_06_10, updated_at 2013_06_10;)

#alert ip $HOME_NET any -> 148.81.111.111 any (msg:"ET TROJAN Connection to a cert.pl Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2017001; rev:2; metadata:created_at 2013_06_10, updated_at 2013_06_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Tobfy.S"; flow:established,from_client; content:"/upload/img.jpg"; http_uri; fast_pattern:only; pcre:"/^\/[a-z0-9]{3,}\/upload\/img\.jpg$/U"; content:!"Referer|3a|"; http_header; reference:md5,ac03c5980e2019992b876798df2df9ab; classtype:trojan-activity; sid:2017004; rev:3; metadata:created_at 2013_06_12, updated_at 2013_06_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN KimJongRAT cnc exe pull"; flow:established,to_server; content:"POST"; nocase; http_method; content:"subject="; nocase; http_client_body; depth:8; content:"&data="; nocase; http_client_body; pcre:"/^subject=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})_(?:(?:list|que)_done|ini(?:_done)?)&data/P"; reference:url,malware.lu/Pro/RAP003_KimJongRAT-Stealer_Analysis.1.0.pdf; classtype:trojan-activity; sid:2017009; rev:3; metadata:created_at 2013_06_12, updated_at 2013_06_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TripleNine RAT Checkin"; flow:established,to_server; content:"/999"; fast_pattern:only; http_uri; content:"GET"; http_method; pcre:"/^\/999$/U"; content:!"Referer|3a 20|"; http_header; content:".0|0d 0a|Host"; http_header; classtype:trojan-activity; sid:2017021; rev:4; metadata:created_at 2013_06_14, updated_at 2013_06_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Webserver Backdoor"; flow:established,to_server; content:"User-Agent|3a 20|SEX/1"; nocase; http_header; fast_pattern:only; reference:url,blog.sucuri.net/2013/06/apache-php-injection-to-javascript-files.html; classtype:trojan-activity; sid:2017026; rev:1; metadata:created_at 2013_06_17, updated_at 2013_06_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Webserver Backdoor Domain (google-analytcs)"; flow:established,to_server; content:"google-analytcs.com|0d 0a|"; nocase; http_header; reference:url,blog.sucuri.net/2013/06/apache-php-injection-to-javascript-files.html; classtype:trojan-activity; sid:2017027; rev:1; metadata:created_at 2013_06_17, updated_at 2013_06_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Activity related to APT.Seinup Checkin 1"; flow:established,to_server; urilen:>87; content:"GET"; nocase; http_method; content:".php?"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:!"Accept|3a|"; http_header; content:"User-Agent|3a|"; depth:11; http_header; content:" MSIE 6.0|3b|"; http_header; distance:0; content:".NET CLR 1.1.4322"; distance:0; http_header; pcre:"/\.php\?[a-zA-Z0-9]+?=[a-zA-Z0-9]+?&[a-zA-Z0-9]+?=(?:[A-Za-z0-9\+\/]{4})*(?:[A-Za-z0-9\+\/]{2}==|[A-Za-z0-9\+\/]{3}=|[A-Za-z0-9\+\/]{4})(&[a-zA-Z0-9]+?=[a-f0-9]{32}){2}$/U"; reference:url,fireeye.com/blog/technical/malware-research/2013/06/trojan-apt-seinup-hitting-asean.html; classtype:trojan-activity; sid:2017036; rev:1; metadata:created_at 2013_06_19, updated_at 2013_06_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Drive DDoS Check-in"; flow:established,to_server;  content:"k="; fast_pattern; http_client_body; depth:2; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"Content-Length|3a 20|17|0d 0a|"; http_header; content:"Host|3a|"; depth:5; http_header; pcre:"/-urlencoded\r\n(\r\n)?$/H"; pcre:"/^k=[a-z0-9]{15}$/P"; pcre:"/^k=[0-9]*?[a-z]/P"; flowbits:set,ET.Drive.DDoS.Checkin; classtype:trojan-activity; sid:2017045; rev:2; metadata:created_at 2013_06_21, updated_at 2013_06_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Drive Receiving GET DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-get http"; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017046; rev:2; metadata:created_at 2013_06_21, updated_at 2013_06_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Drive Receiving POST1 DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-post1 http"; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017047; rev:4; metadata:created_at 2013_06_21, updated_at 2013_06_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Drive Receiving POST2 DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-post2 http"; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017048; rev:2; metadata:created_at 2013_06_21, updated_at 2013_06_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Drive Receiving IP DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-ip "; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017049; rev:2; metadata:created_at 2013_06_21, updated_at 2013_06_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Drive Receiving IP2 DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-ip2 "; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017050; rev:3; metadata:created_at 2013_06_21, updated_at 2013_06_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Drive Receiving UDP DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-udp "; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017051; rev:2; metadata:created_at 2013_06_21, updated_at 2013_06_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy [victim beacon]"; flow:established; dsize:48; content:"|a160339a8a1b3bc0d1ab956cf98855a8|"; offset: 16; depth:16; classtype:trojan-activity; sid:2017052; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2013_06_21, malware_family PoisonIvy, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN PoisonIvy [server response]"; flow:established; dsize:48; content:"|b8abf415033717b74132d503b6ea381d|"; offset:16; depth:16; classtype:trojan-activity; sid:2017053; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2013_06_21, malware_family PoisonIvy, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Berbew Check-in"; flow:to_server,established; content:"POST"; http_method; content:".NET CLR 00000000"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2017128; rev:6; metadata:created_at 2013_07_10, updated_at 2018_07_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Cryptmen FakAV page Title"; flow:established,from_server; file_data; content:"<title>Viruses were found on your computer</title>"; classtype:trojan-activity; sid:2017137; rev:1; metadata:created_at 2013_07_12, updated_at 2013_07_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Kelihos.F exe Download 2"; flow:to_server,established; content:"GET"; http_method; urilen:<13; content:".exe"; fast_pattern:only; http_uri; pcre:"/^\/[^\x2f]+?\.exe$/Ui"; content:"User-Agent|3a| "; depth:12; http_header; content:"|0d 0a|Host|3a| "; distance:0; http_header; content:".ru|0d 0a|Cache-Control|3a| no-cache|0d 0a 0d 0a|"; distance:0; http_header; pcre:"/^User-Agent\x3a [^\r\n]+?\r\nHost\x3a [^\r\n]+?\.ru\r\nCache-Control\x3a no-cache\r\n\r\n$/H"; content:!"Accept"; http_header; content:!"Referer"; http_header; reference:md5,1303188d039076998b170fffe48e4cc0; classtype:trojan-activity; sid:2017190; rev:3; metadata:created_at 2013_07_24, updated_at 2013_07_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Kelihos.F Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:<13; content:".htm"; fast_pattern:only; http_uri; pcre:"/^\/[^\x2f]+?\.htm$/U"; content:!"BridgitAgent"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; content:!"Content-Type"; http_header; content:"Content-Length|3a 20|"; content:!"0|0d 0a|"; within:3; content:"|0d 0a|"; distance:0; reference:md5,00db349caf2eefc3be5ee30b8b8947a2; classtype:trojan-activity; sid:2017191; rev:2; metadata:created_at 2013_07_24, updated_at 2013_07_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic - POST To .php w/Extended ASCII Characters"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"Referer|3a|"; http_header; content:"www-form-urlencoded|0d 0a|"; http_header; content:" MSIE "; http_header; pcre:"/[\x80-\xff]/P"; classtype:trojan-activity; sid:2017259; rev:9; metadata:created_at 2013_07_31, updated_at 2013_07_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SmokeLoader Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; nocase; fast_pattern:only; content:!"Referer|3a|"; http_header; content:"User-Agent|3a|"; depth:11; http_header; pcre:"/^User-Agent\x3a[^\r\n]+?\bMSIE\b/Hi"; pcre:"/application\/x-www-form-urlencoded\r\n(\r\n)?$/Hi"; pcre:"/^\d+$/P"; classtype:trojan-activity; sid:2017261; rev:2; metadata:created_at 2013_07_31, updated_at 2013_07_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Comfoo Checkin"; flow:established,to_server; content:"GET "; depth:4; pcre:"/^\/[a-zA-Z0-9\+\/]+={0,2}\/[a-zA-Z0-9\+\/]+={0,2}\d{5}\/\d+\/\d{2}[a-zA-Z0-9\+\/]+={0,2}\/[a-zA-Z0-9\+\/]+={0,2}\d{3}\/\sHTTP\//R"; pcre:"/^User-Agent\x3a[^\r\n]*?\x3bWindows/mi"; content:"|3b|Windows"; nocase; fast_pattern:only; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/; classtype:trojan-activity; sid:2017262; rev:2; metadata:created_at 2013_07_31, updated_at 2013_07_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN StealRat Checkin"; flow:established,to_server; content:"/d/"; http_uri; depth:3; fast_pattern; content:".jpg"; http_uri; distance:0; pcre:"/^\/d\/[a-z]+\d+\.jpg$/U"; content:!"Referer|3a|"; http_header; content:"Host|3a 20|www.google.com|0d 0a|"; nocase; http_header; classtype:trojan-activity; sid:2017263; rev:1; metadata:created_at 2013_07_31, updated_at 2013_07_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CBReplay Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; urilen:10; content:"filename="; http_client_body; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r$/Hm"; pcre:"/filename=\x22\d+?\x22/P"; classtype:trojan-activity; sid:2017264; rev:1; metadata:created_at 2013_07_31, updated_at 2013_07_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CBReplay.P Ransomware"; flow:established,to_server; content:"MSIE 9.0|3b|"; fast_pattern:only; http_header; content:!"Accept|3a|"; http_header; content:"User-Agent|3a|"; depth:11; http_header; urilen:33; pcre:"/^\/[a-f0-9]{32}$/U"; pcre:"/^User-Agent\x3a[^\r\n]+?\sMSIE\s[^\r\n]+\r\nHost\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r\n(\r\n)?$/Hi"; classtype:trojan-activity; sid:2017269; rev:1; metadata:created_at 2013_08_01, updated_at 2013_08_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/StealRat.SpamBot Configuration File Request"; flow:established,to_server; content:"/lts.txt"; fast_pattern:only; http_uri; pcre:"/^\x2Flts\x2Etxt$/U"; flowbits:set,et.stealrat.config; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-stealrat.pdf; classtype:trojan-activity; sid:2017274; rev:1; metadata:created_at 2013_08_05, updated_at 2013_08_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/StealRat.SpamBot CnC Server Configuration File Response"; flowbits:isset,et.stealrat.config; flow:established,to_client; file_data; content:"<repo"; distance:0; content:"<dudp>"; within:50; content:"<|2F|dudp>"; within:100; content:"<pudp>"; within:50; content:"<|2F|pudp>"; within:100; content:"<tbd>"; within:50; content:"<dom>"; within:50; content:"<|2F|dom>"; within:100; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-stealrat.pdf; classtype:trojan-activity; sid:2017275; rev:1; metadata:created_at 2013_08_05, updated_at 2013_08_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/StealRat.SpamBot Email Template Request"; flow:established,to_server; content:"/ae1.php"; fast_pattern:only; http_uri; content:"User-Agent|3A| Mozilla/5.0|0D 0A|"; http_header; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-stealrat.pdf; classtype:trojan-activity; sid:2017276; rev:1; metadata:created_at 2013_08_05, updated_at 2013_08_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Rovnix.I Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/ld.aspx?key="; depth:13; http_uri; content:"User-Agent|3a| FWVersionTestAgent"; http_header; content:!"Accept|3a| "; nocase; http_header; content:!"Referer|3a| "; nocase; http_header; reference:md5,605daaa9662b82c0d5982ad3a742d2e7; classtype:trojan-activity; sid:2017279; rev:1; metadata:created_at 2013_08_06, updated_at 2013_08_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Ransom.Win32.Blocker.bjat"; flow:established,to_server; content:"?&"; http_uri; content:"User-Agent|3a| Update|0d 0a|"; http_header; content:!"Accept|3a|"; http_header; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2017281; rev:1; metadata:created_at 2013_08_06, updated_at 2013_08_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ATTACKER IRCBot - net user - PRIVMSG Command "; flow:established,from_server; content:"PRIVMSG "; content:"net user"; within:200; classtype:trojan-activity; sid:2017283; rev:4; metadata:created_at 2013_08_06, updated_at 2013_08_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ATTACKER IRCBot - net localgroup - PRIVMSG Command"; flow:established,from_server; content:"PRIVMSG "; content:"net localgroup"; within:200; classtype:trojan-activity; sid:2017284; rev:4; metadata:created_at 2013_08_06, updated_at 2013_08_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ATTACKER IRCBot - net add PRIVMSG Command "; flow:established,from_server; content:"PRIVMSG "; content:"net"; within:200; content:"/add"; within:100; classtype:trojan-activity; sid:2017285; rev:4; metadata:created_at 2013_08_06, updated_at 2013_08_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ATTACKER IRCBot - netsh - PRIVMSG Command "; flow:established,from_server; content:"PRIVMSG "; content:"netsh"; within:50; classtype:trojan-activity; sid:2017286; rev:4; metadata:created_at 2013_08_06, updated_at 2013_08_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ATTACKER IRCBot - ipconfig - PRIVMSG Command "; flow:established,from_server; content:"PRIVMSG "; content:"ipconfig"; within:100; classtype:trojan-activity; sid:2017287; rev:4; metadata:created_at 2013_08_06, updated_at 2013_08_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ATTACKER IRCBot -  reg - PRIVMSG Command "; flow:established,from_server; content:"PRIVMSG "; content:"reg "; within:50; content:"HKEY_"; within:20; classtype:trojan-activity; sid:2017288; rev:4; metadata:created_at 2013_08_06, updated_at 2013_08_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ATTACKER IRCBot - The command completed successfully - PRIVMSG Response"; flow:established,from_client; content:"PRIVMSG "; content:"The command completed successfully."; distance:0; classtype:trojan-activity; sid:2017289; rev:4; metadata:created_at 2013_08_06, updated_at 2013_08_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ATTACKER IRCBot - PRIVMSG Response - Directory Listing"; flow:established,from_client; content:"PRIVMSG "; content:"  <DIR>"; within:200; classtype:trojan-activity; sid:2017290; rev:3; metadata:created_at 2013_08_06, updated_at 2013_08_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ATTACKER IRCBot - PRIVMSG Response - net command output"; flow:established,from_client; content:"PRIVMSG "; fast_pattern; content:"-------------------------------------------------------------------------------"; distance:0; classtype:trojan-activity; sid:2017291; rev:5; metadata:created_at 2013_08_06, updated_at 2013_08_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ATTACKER IRCBot - PRIVMSG Response - ipconfig command output"; flow:established,from_client; content:"PRIVMSG "; content:"Windows IP"; within:200; classtype:trojan-activity; sid:2017292; rev:4; metadata:created_at 2013_08_06, updated_at 2013_08_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ATTACKER IRCBot - PRIVMSG Response - Directory Listing *nix"; flow:established,from_client; content:"PRIVMSG "; fast_pattern; content:"-rw-r--r--"; within:300; classtype:trojan-activity; sid:2017303; rev:5; metadata:created_at 2013_08_08, updated_at 2013_08_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET TROJAN Win32/Cridex Checkin"; flow:to_server,established; content:"POST"; http_method; pcre:"/^\/([a-z0-9+]+?\/){3}$/Ui"; content:"Accept|3a| */*|0d 0a|Host|3a| "; depth:19; http_header; pcre:"/^Accept\x3a \*\/\*\r\nHost\x3a \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a8080\r\nContent-Length\x3a \d{3}\r\nConnection\x3a Keep-Alive\r\nCache-Control\x3a no-cache\r\n\r\n$/H"; content:!"Referer"; http_header; content:!"User-Agent|3a| "; http_header; reference:md5,94e496decf90c4ba2fb3e7113a081726; classtype:trojan-activity; sid:2017305; rev:3; metadata:created_at 2013_08_08, updated_at 2013_08_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/DirCrypt.Ransomware CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"Content-Disposition|3A| form-data|3B| name=|22|cmd|22|"; http_client_body; content:"Content-Disposition|3A| form-data|3B| name=|22|botid|22|"; http_client_body; fast_pattern:24,20; content:"Content-Disposition|3A| form-data|3B| name=|22|lid|22|"; http_client_body; reference:url,anubis.iseclab.org/?action=result&task_id=19e3b6cbfdf8d6bd429ecc75ed016fb91; reference:url,blog.avast.com/2013/11/21/ransomware-annoys-its-victims-by-displaying-child-pornography-pictures/#more-20393; reference:url,blog.avast.com/2013/10/24/what-to-do-if-your-computer-is-attacked-by-ransomware/; reference:url,johannesbader.ch/2015/03/the-dga-of-dircrypt; classtype:trojan-activity; sid:2017308; rev:5; metadata:created_at 2013_08_12, updated_at 2013_08_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FortDisco Reporting Status"; flow:established,to_server; content:"POST"; http_method; content:"/cmd.php"; http_uri; fast_pattern:only; content:"|3b| Synapse"; http_header; content:"status="; http_client_body; depth:7; pcre:"/^status=\d$/P"; content:"/cmd.php HTTP/1.0|0d 0a|Host|3a|"; reference:url,www.arbornetworks.com/asert/2013/08/fort-disco-bruteforce-campaign/; reference:md5,722a1809bd4fd75743083f3577e1e6a4; classtype:trojan-activity; sid:2017309; rev:2; metadata:created_at 2013_08_12, updated_at 2013_08_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible FortDisco Reporting Hacked Accounts"; flow:established,to_server; content:"POST"; http_method; content:"/bruteres.php"; http_uri; fast_pattern:only; reference:url,www.arbornetworks.com/asert/2013/08/fort-disco-bruteforce-campaign/; classtype:trojan-activity; sid:2017311; rev:3; metadata:created_at 2013_08_12, updated_at 2013_08_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Pift DNS TXT CnC Lookup ppidn.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|ppidn|03|net|00 00 10|"; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf; reference:md5,d3c6af8284276b11c2f693c1195b4735; classtype:trojan-activity; sid:2017312; rev:4; metadata:created_at 2013_08_12, updated_at 2013_08_12;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET TROJAN China Chopper Command Struct"; flow:to_server,established; content:"FromBase64String"; fast_pattern; content:"unsafe"; distance:0; content:"eval("; pcre:"/&z\d{1,3}=/Pi"; content:"POST"; nocase; http_method; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html; classtype:trojan-activity; sid:2017313; rev:2; metadata:created_at 2013_08_12, updated_at 2013_08_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PRISM Backdoor"; content:"PRISM v"; pcre:"/^\d+?\.\d+?\sstarted/R"; classtype:trojan-activity; sid:2017314; rev:3; metadata:created_at 2013_08_12, updated_at 2013_08_12;)

alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DDoS.Win32.Agent.bay Covert Channel (VERSONEX and Mr.Black)"; content:"VERSONEX|3a|"; depth:64; fast_pattern; content:"Mr.Black"; within:50; classtype:trojan-activity; sid:2017315; rev:3; metadata:created_at 2013_08_12, updated_at 2013_08_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Yayih.A Checkin 2"; flow:to_server,established; content:"POST"; depth:5; content:"/bbs/search.asp"; offset:5; depth:15; fast_pattern; content:"Mozilla/4.0 (compatible|3b| MSIE 5.0|3b| Windows NT 5.0)|0d 0a|"; distance:0; reference:md5,832f5e01be536da71d5b3f7e41938cfb; reference:url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:trojan-activity; sid:2017325; rev:1; metadata:created_at 2013_08_13, updated_at 2013_08_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Yayih.A Checkin 3"; flow:to_server,established; content:"GET "; depth:4; content:"/search.asp?newsid="; offset:4; fast_pattern; content:"Mozilla/4.0 (compatible|3b| MSIE 5.0|3b| Windows NT 5.0)|0d 0a|"; distance:0; reference:md5,832f5e01be536da71d5b3f7e41938cfb; reference:url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:trojan-activity; sid:2017326; rev:1; metadata:created_at 2013_08_13, updated_at 2013_08_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Spy.KeyLogger.OCI CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"pcname="; http_client_body; depth:7; content:"&note="; http_client_body; distance:0; content:"&country="; http_client_body; distance:0; content:"&user="; http_client_body; distance:0; content:"&log="; http_client_body; distance:0; reference:url,www.virusradar.com/en/Win32_Spy.KeyLogger.OCI/description; reference:url,www.virustotal.com/en/file/ec19e12e5dafc7aafaa0f582cd714ee5aa3615b89fe2f36f7851d96ec55e3344/analysis/; classtype:trojan-activity; sid:2017343; rev:1; metadata:created_at 2013_08_19, updated_at 2013_08_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Proxychecker Lookup"; flow:established,to_server; content:"/proxy/proxychecker/"; http_uri; nocase; fast_pattern:only; reference:url,www.virustotal.com/en/file/ec19e12e5dafc7aafaa0f582cd714ee5aa3615b89fe2f36f7851d96ec55e3344/analysis; classtype:trojan-activity; sid:2017344; rev:2; metadata:created_at 2013_08_19, updated_at 2013_08_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.admin@388 Keepalive to CnC"; flow:established,to_server; content:"|b0 f6 8f d3 1c 2b 0e 50 7e 16 85 de 0c ae 6e 67|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:trojan-activity; sid:2017350; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2013_08_21, malware_family PoisonIvy, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.th3bug Keepalive to CnC"; flow:established,to_server; content:"|35 d1 50 14 94 b2 24 ac 9b 00 2e f1 99 a0 82 4d|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:trojan-activity; sid:2017351; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2013_08_21, malware_family PoisonIvy, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.keaidestone Keepalive to CnC"; flow:established,to_server; content:"|82 ca 6f eb 66 ed 9e 86 dc 95 29 f0 68 a2 5d b8|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:trojan-activity; sid:2017352; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2013_08_21, malware_family PoisonIvy, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.suzuki Keepalive to CnC"; flow:established,to_server; content:"|d4 77 eb ff b6 94 cc d1 25 b6 30 12 23 d7 2e 24|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:trojan-activity; sid:2017353; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2013_08_21, malware_family PoisonIvy, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.happyyongzi Keepalive to CnC"; flow:established,to_server; content:"|ad 4a 6c bb a7 9c 30 3e 44 bc cf a5 db 77 3c 62|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:trojan-activity; sid:2017354; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2013_08_21, malware_family PoisonIvy, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.key@123 Keepalive to CnC"; flow:established,to_server; content:"|ef 80 7b ec 93 e6 92 06 17 12 27 be e3 e2 e1 19|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:trojan-activity; sid:2017355; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2013_08_21, malware_family PoisonIvy, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.gwx@123 Keepalive to CnC"; flow:established,to_server; content:"|6c 6e d3 08 a6 26 34 c7 bf c6 d3 d9 df 04 25 97|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:trojan-activity; sid:2017356; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2013_08_21, malware_family PoisonIvy, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.wwwst@Admin Keepalive to CnC"; flow:established,to_server; content:"|b4 7d 56 44 f3 23 e2 a2 1d 74 18 b6 bc 72 66 2a|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:trojan-activity; sid:2017357; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2013_08_21, malware_family PoisonIvy, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.xiaoxiaohuli Keepalive to CnC"; flow:established,to_server; content:"|4e c3 69 55 10 ad 3f 34 31 cc d1 73 30 ae 16 64|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:trojan-activity; sid:2017358; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2013_08_21, malware_family PoisonIvy, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.smallfish Keepalive to CnC"; flow:established,to_server; content:"|19 07 1b 24 3b 7a 9d e7 77 1e 84 f6 0f 60 3e 27|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:trojan-activity; sid:2017359; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2013_08_21, malware_family PoisonIvy, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.XGstone Keepalive to CnC"; flow:established,to_server; content:"|ed d2 c6 f2 b9 ca 1e df 5c ba b7 0c 59 8e 9c 49|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:trojan-activity; sid:2017360; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2013_08_21, malware_family PoisonIvy, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Napolar.A Getting URL"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b| WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.71 Safari/537.36|0d 0a|Host"; fast_pattern:94,26; depth:126; http_header; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:md5,9a8cee88d7440f25be8404b71cb584de; reference:md5,b70f8d0afa82c222f55f7a18d2ad0b81; classtype:trojan-activity; sid:2017362; rev:1; metadata:created_at 2013_08_21, updated_at 2013_08_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SUSPICIOUS UA (iexplore)"; flow:established,to_server; content:"User-Agent|3A 20|iexplore"; http_header; nocase; fast_pattern:only; content:!"Host|3a 20|su.pctools.com|0d 0a|"; nocase; http_header; content:!".advent.com|0d 0a|"; nocase; http_header; reference:md5,b0e8ce16c42dee20d2c1dfb1b87b3afc; classtype:bad-unknown; sid:2017365; rev:4; metadata:created_at 2013_08_21, updated_at 2013_08_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Win32/Napolar.A URL Response"; flow:from_server,established; content:"200"; http_stat_code; file_data; content:"!http|3a|//"; within:8; pcre:"/^[^\r\n]+?\$$/R"; reference:md5,9a8cee88d7440f25be8404b71cb584de; reference:md5,b70f8d0afa82c222f55f7a18d2ad0b81; classtype:trojan-activity; sid:2017367; rev:1; metadata:created_at 2013_08_22, updated_at 2013_08_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Avatar RootKit Yahoo Group Search"; flow:to_server,established; content:"/search?query="; http_uri; depth:14; content:"&sort=relevance"; distance:8; within:15; http_uri; content:"Host|3a 20|groups.yahoo.com|0d 0a|"; http_header; content:!"Referer|3a|"; pcre:"/^\/search\?query=[A-Z0-9]{8}&sort=relevance$/U"; reference:md5,7b6409fc32c70908a9468eaac845bdaa; reference:md5,b647a4af77b2fad3f40c6769c22ebf74; reference:url,www.welivesecurity.com/2013/08/20/avatar-rootkit-the-continuing-saga/; classtype:trojan-activity; sid:2017368; rev:1; metadata:created_at 2013_08_22, updated_at 2013_08_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bitcoin variant Checkin"; flow:to_server,established; content:!"|0d 0a|Referer"; nocase; http_header; content:"/register_slave.php"; http_uri; fast_pattern:only; reference:url,blog.avast.com/2013/08/01/malicious-bitcoin-miners-target-czech-republic/; classtype:trojan-activity; sid:2017369; rev:1; metadata:created_at 2013_08_23, updated_at 2013_08_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win64/Vabushky.A Malicious driver download"; flow:established,to_server; content:".bmp.gz"; http_uri; fast_pattern:only; pcre:"/\/[a-z]{2,3}\/(?:\d{3,4}x\d{3,4}|default)\.bmp\.gz$/Ui"; reference:url,welivesecurity.com/2013/08/27/the-powerloader-64-bit-update-based-on-leaked-exploits/; classtype:trojan-activity; sid:2017377; rev:1; metadata:created_at 2013_08_27, updated_at 2013_08_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Drive DDoS Tool get command received key=okokokjjk"; flow:established,from_server; file_data; content:"QgwKH08DHh4bVURA"; within:16; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017378; rev:4; metadata:created_at 2013_08_27, updated_at 2013_08_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Drive DDoS Tool long command received key=okokokjjk"; flow:established,from_server; file_data; content:"QgcABQhLAh4fH1FA"; within:16; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017379; rev:4; metadata:created_at 2013_08_27, updated_at 2013_08_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Drive DDoS Tool smart command received key=okokokjjk"; flow:established,from_server; file_data; content:"QhgCCh0fSgIfGxtV"; within:16; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017380; rev:4; metadata:created_at 2013_08_27, updated_at 2013_08_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Drive DDoS Tool post1 command received key=okokokjjk"; flow:established,from_server; file_data; content:"QhsAGBtaSgIfGxtV"; within:16; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017381; rev:4; metadata:created_at 2013_08_27, updated_at 2013_08_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Drive DDoS Tool post2 command received key=okokokjjk"; flow:established,from_server; file_data; content:"QhsAGBtZSgIfGxtV"; within:16; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017382; rev:4; metadata:created_at 2013_08_27, updated_at 2013_08_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Drive DDoS Tool byte command received key=okokokjjk"; flow:established,from_server; file_data; content:"QgkWHwpL"; within:8; pcre:"/^[A-Za-z0-9\/\+]+={0,2}$/R"; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017383; rev:4; metadata:created_at 2013_08_27, updated_at 2013_08_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Drive DDoS Tool byte command received key=okokokjjk"; flow:established,from_server; file_data; content:"QgIMBh9L"; within:8; pcre:"/^[A-Za-z0-9\/\+]+={0,2}$/R"; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017384; rev:4; metadata:created_at 2013_08_27, updated_at 2013_08_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Worm.VBS.Dunihi Checkin 1"; flow:established,to_server; content:"POST "; depth:5; content:"/is-ready HTTP/1."; within:17; nocase; reference:md5,d2e799904582f03281060689f5447585; classtype:trojan-activity; sid:2017516; rev:3; metadata:created_at 2013_08_27, updated_at 2017_01_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Worm.VBS.ayr Checkin 2"; flow:established,to_server; content:"POST "; depth:5; content:"/is-sending"; fast_pattern; within:12; nocase; content:".exe HTTP/1."; distance:0; reference:md5,d2e799904582f03281060689f5447585; classtype:trojan-activity; sid:2017517; rev:2; metadata:created_at 2013_08_27, updated_at 2013_08_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Dirtjump Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"req="; depth:4; http_client_body; pcre:"/^req=[A-Za-z0-9]{15}([A-Za-z0-9]{19})?$/P"; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; reference:md5,50a538221e015d77cf4794ae78978ce2; classtype:trojan-activity; sid:2017385; rev:1; metadata:created_at 2013_08_27, updated_at 2013_08_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC ([country|so version|CPU])"; flow:established,to_server; content:"NICK {"; content:"x86"; within:12; content:"}"; distance:0; pcre:"/NICK {[a-z]{2,3}\x2D.+?x86[a-z]}[a-z]/i"; flowbits:set,ET.IRC.BOT.CntSOCPU; classtype:trojan-activity; sid:2017395; rev:3; metadata:created_at 2013_08_28, updated_at 2013_08_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 110 (msg:"ET TROJAN Gh0st_Apple Checkin"; flow:to_server,established; content:"GET "; depth:4; content:".gif?pid"; offset:4; depth:10; fast_pattern; content:"&v="; distance:0; content:"HTTP/1.1|0d 0a|"; distance:0; content:"User-Agent|3a| Mozilla/4.0("; distance:0; reference:url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; reference:md5,82644661f6639c9fcb021ad197b565f7; classtype:trojan-activity; sid:2017412; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2013_09_03, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN EvilGrab/Vidgrab Checkin"; flow:to_server,established; content:"|7c 28|"; pcre:"/^\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}/R"; content:"|29 7c|"; within:2; pcre:"/^\d{1,5}/R"; content:"|7c|Win"; within:4; reference:url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017413; rev:3; metadata:created_at 2013_09_03, updated_at 2013_09_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Keep-Alive (OUTBOUND)"; flow:to_server,established; content:"P[endof]"; dsize:8; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:trojan-activity; sid:2017418; rev:2; metadata:created_at 2013_09_05, updated_at 2013_09_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Checkin"; flow:to_server,established; content:"lv"; depth:2; content:"[endof]"; isdataat:!1,relative; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:trojan-activity; sid:2017419; rev:2; metadata:created_at 2013_09_05, updated_at 2013_09_05;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Command (File Manager)"; flow:from_server,established; content:"FM|7c 27 7c 27 7c|"; depth:7; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:trojan-activity; sid:2017420; rev:1; metadata:created_at 2013_09_05, updated_at 2013_09_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Command Response (File Manager)"; flow:to_server,established; content:"rn|7c 27 7c 27 7c|"; depth:7; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:trojan-activity; sid:2017421; rev:1; metadata:created_at 2013_09_05, updated_at 2013_09_05;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Command (Remote Desktop)"; flow:from_server,established; content:"sc~|7c 27 7c 27 7c|"; depth:8; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:trojan-activity; sid:2017422; rev:1; metadata:created_at 2013_09_05, updated_at 2013_09_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Command Response (Remote Desktop)"; flow:to_server,established; content:"scPK|7c 27 7c 27 7c|"; depth:9; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:trojan-activity; sid:2017423; rev:1; metadata:created_at 2013_09_05, updated_at 2013_09_05;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Command (Remote Cam)"; flow:from_server,established; content:"CAM|7c 27 7c 27 7c|"; depth:8; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:trojan-activity; sid:2017424; rev:1; metadata:created_at 2013_09_05, updated_at 2013_09_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Command Response (Remote Cam)"; flow:to_server,established; content:"USB Video Device[endof]"; depth:23; fast_pattern:3,20; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:trojan-activity; sid:2017425; rev:1; metadata:created_at 2013_09_05, updated_at 2013_09_05;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Command (Remote Shell)"; flow:from_server,established; content:"rs|7c 27 7c 27 7c|"; depth:8; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:trojan-activity; sid:2017426; rev:1; metadata:created_at 2013_09_05, updated_at 2013_09_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Command Response (Process listing)"; flow:to_server,established; content:"proc|7c 27 7c 27 7c|"; depth:9; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:trojan-activity; sid:2017427; rev:1; metadata:created_at 2013_09_05, updated_at 2013_09_05;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Command (Kill Process)"; flow:from_server,established; content:"k|7c 27 7c 27 7c|"; depth:6; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:trojan-activity; sid:2017428; rev:1; metadata:created_at 2013_09_05, updated_at 2013_09_05;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Command (Registry)"; flow:from_server,established; content:"RG|7c 27 7c 27 7c|"; depth:7; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:trojan-activity; sid:2017429; rev:4; metadata:created_at 2013_09_05, updated_at 2013_09_05;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Command (Keylogger)"; flow:from_server,established; content:"kl|7c 27 7c 27 7c|"; depth:7; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:trojan-activity; sid:2017430; rev:7; metadata:created_at 2013_09_05, updated_at 2013_09_05;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Command (Get Passwords)"; flow:from_server,established; content:"ret|7c 27 7c 27 7c|"; depth:8; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:trojan-activity; sid:2017431; rev:5; metadata:created_at 2013_09_05, updated_at 2013_09_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Command Response (Get Passwords)"; flow:to_server,established; content:"pl|7c 27 7c 27 7c|"; depth:7; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:trojan-activity; sid:2017432; rev:5; metadata:created_at 2013_09_05, updated_at 2013_09_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Waledac FACEPUNCH Traffic Detected"; flow:to_server,established; content:"POST"; depth:4; http_method; content:"Referer|3a 20|Mozilla|0d 0a|"; nocase; http_header; content:"User-Agent|3a| Mozilla"; http_header; content:"X-Request-Kind-Code|3a 20|"; http_header; fast_pattern:only; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_infiltrating_the_waledac_botnet_v2.pdf; classtype:trojan-activity; sid:2017455; rev:5; metadata:created_at 2013_09_11, updated_at 2013_09_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Kazy Checkin"; flow:to_server,established; content:"/get_"; http_uri; content:"did="; http_uri; content:"&file_id="; fast_pattern:only; http_uri; content:"User-Agent|3a| Downloader"; http_header; reference:md5,73d2dd466df92b77a4c34adcd13e8b50; reference:url,community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/03/28/new-kazy-variant-kazy-forces; classtype:trojan-activity; sid:2018341; rev:4; metadata:created_at 2013_09_11, updated_at 2013_09_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ZeroAccess P2P Module v6 Reporting"; flow:to_server,established; content:"dj02LjAmaWQ9"; http_uri; offset:13; depth:12; content:!"Referer|3a|"; http_header; reference:url,dnsamplificationattacks.blogspot.gr/p/blog-page.html; classtype:trojan-activity; sid:2017462; rev:1; metadata:created_at 2013_09_13, updated_at 2013_09_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Hesperus.Banker Tr-mail Variant Sending Data To CnC"; flow:established,to_server; content:"/gr-mail/tr-mail.php"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/hesperus-evening-star-shines-as-latest-banker-trojan; classtype:trojan-activity; sid:2017464; rev:1; metadata:created_at 2013_09_16, updated_at 2013_09_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Hesperus.Banker Nlog.php Variant Sending Data To CnC"; flow:established,to_server; content:"POST"; http_method; content:!"User-Agent|3a|"; http_header; content:!"Accept|3a|"; http_header; content:"/nlog/nlog"; http_uri; fast_pattern:only; content:".php"; http_uri; content:"Content-Length|3a|"; http_header; reference:url,blogs.mcafee.com/mcafee-labs/hesperus-evening-star-shines-as-latest-banker-trojan; classtype:trojan-activity; sid:2017465; rev:4; metadata:created_at 2013_09_16, updated_at 2013_09_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Dipverdle.A Activity"; flow:to_server,established; content:"POST"; http_method; content:"/cp/?"; http_uri; nocase; fast_pattern:only; pcre:"/\/cp\/\?(?:logo\.jpg|adm)/Ui"; content:!"Referer|3a|"; http_header; content:"token="; nocase; http_client_body; depth:6; reference:md5,182ea2f564f6211d37a6c35a4bd99ee6; classtype:trojan-activity; sid:2017475; rev:1; metadata:created_at 2013_09_16, updated_at 2013_09_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Zzinfor.A Retrieving Instructions From CnC Server"; flow:established,to_server; content:"/static/hotkey.txt"; http_uri; content:!"User-Agent|3A|"; http_header; content:!"Accept-"; http_header; reference:md5,7e37a407a8fb0df3b2835419ad16f500; reference:md5,422b926dbbe03d0e4555328282c8f32b; classtype:trojan-activity; sid:2017489; rev:1; metadata:created_at 2013_09_19, updated_at 2013_09_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Downloader.Mevade.FBV CnC Beacon"; flow:established,to_server; urilen:42; content:"/updater/"; http_uri; pcre:"/^\/updater\/[a-f0-9]{32}\/[0-9]$/Ui"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/us-taiwan-most-affected-by-mevade-malware/; reference:url,blog.damballa.com/archives/2135; classtype:trojan-activity; sid:2017490; rev:1; metadata:created_at 2013_09_19, updated_at 2013_09_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET !25 (msg:"ET TROJAN Gh0st Trojan CnC 2"; flow:established,to_server; dsize:<250; content:"Gh0st"; offset:8; depth:5; classtype:trojan-activity; sid:2017505; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2013_09_20, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN APT.Agtid callback"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a|Agtid|3a| "; fast_pattern; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html; classtype:trojan-activity; sid:2017511; rev:1; metadata:created_at 2013_09_23, updated_at 2013_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Worm.VBS.ayr CnC command (/iam-ready)"; flow:established,to_server; content:"POST "; depth:5; content:"/iam-ready"; fast_pattern; within:10; nocase; content:"|3c 7c 3e|"; distance:0; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:trojan-activity; sid:2017518; rev:1; metadata:created_at 2013_09_25, updated_at 2013_09_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Worm.VBS.ayr CnC command (is-enum-driver)"; flow:established,to_server; content:"POST "; depth:5; content:"/is-enum-driver"; fast_pattern; within:15; nocase; content:"|3c 7c 3e|"; distance:0; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:trojan-activity; sid:2017519; rev:1; metadata:created_at 2013_09_25, updated_at 2013_09_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Worm.VBS.ayr CnC command (is-enum-folder)"; flow:established,to_server; content:"POST "; depth:5; content:"/is-enum-fa"; fast_pattern; within:11; nocase; content:"|3c 7c 3e|"; distance:0; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:trojan-activity; sid:2017520; rev:1; metadata:created_at 2013_09_25, updated_at 2013_09_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Worm.VBS.ayr CnC command (is-enum-process)"; flow:established,to_server; content:"POST "; depth:5; content:"/is-enum-process"; fast_pattern; within:16; nocase; content:"|3c 7c 3e|"; distance:0; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:trojan-activity; sid:2017521; rev:1; metadata:created_at 2013_09_25, updated_at 2013_09_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Worm.VBS.ayr CnC command (is-cmd-shell)"; flow:established,to_server; content:"POST "; depth:5; content:"/is-cmd-shell"; fast_pattern; within:13; nocase; content:"|3c 7c 3e|"; distance:0; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:trojan-activity; sid:2017522; rev:1; metadata:created_at 2013_09_25, updated_at 2013_09_25;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Worm.VBS.ayr CnC command response"; flow:established,from_server; content:"|0d 0a|send|3c 7c 3e|"; pcre:"/^[A-Z]\x3a\x5f/R"; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:trojan-activity; sid:2017523; rev:2; metadata:created_at 2013_09_25, updated_at 2013_09_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Hiloti/Mufanom CnC Response"; flow:established,from_server; flowbits:isset,ET.Hiloti; file_data; content:"<!-- vbe -->"; distance:0; classtype:trojan-activity; sid:2017526; rev:2; metadata:created_at 2013_09_25, updated_at 2013_09_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DATA-BROKER BOT Activity"; flow:established,to_server; content:"POST"; http_method; content:"g="; depth:2; http_client_body; content:"&cmd="; http_client_body; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^g=[A-Z0-9]+&cmd=/P"; reference:url,krebsonsecurity.com/2013/09/data-broker-giants-hacked-by-id-theft-service/; reference:md5,adcfe50aaaa0928adf2785fefe7307cc; classtype:trojan-activity; sid:2017524; rev:2; metadata:created_at 2013_09_25, updated_at 2013_09_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/Leverage.A Checkin"; flow:established,to_server; content:"|00 00|"; offset:0; depth:2; content:"|00 00 00 01|"; distance:2; within:4; content:"RAM|0a 7c|"; pcre:"/^\d+\w+\/\d+\w+ free \(\d+% used\)/R"; classtype:trojan-activity; sid:2017525; rev:2; metadata:created_at 2013_09_25, updated_at 2013_09_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 3"; flow:to_server,established;dsize:>11; content:"|7b 9e|"; fast_pattern:only; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^.{8}[\x20-\x7e]+?\x7b\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,2eed956920934a78200899ef05ace0d8; classtype:trojan-activity; sid:2017548; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2013_09_30, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mevade Checkin "; flow:to_server,established; content:"GET"; http_method; content:"/attachments/ip.php"; http_uri; classtype:trojan-activity; sid:2017558; rev:1; metadata:created_at 2013_10_04, updated_at 2013_10_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN SSH Connection on 443 - Mevade Banner"; flow:to_server,established; content:"SSH-2.0-PuTTY_Local|3a|_Feb__5_2013_18|3a|26|3a|54"; depth:41; classtype:trojan-activity; sid:2017559; rev:2; metadata:created_at 2013_10_04, updated_at 2013_10_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Qadars Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"AAAA"; offset:10; depth:4; fast_pattern; http_client_body; content:"="; offset:7; depth:1; http_client_body; content:!"Referer|3A|"; http_header; content:!"Connection|3A|"; http_header; content:!"Accept"; http_header; pcre:"/^[a-zA-Z]{7}=(?:[A-Za-z0-9+/]|%2[FB]){2}AAAA[a-z]A[^\s=]+=?=?$/P"; reference:md5,d611a633e8ceabdc9c2f5b0b9dd4f19e; reference:md5,a55b312d4e2006b5698e8f5ae8e5d735; reference:md5,3b4c2d3447bc49f057d76a92e7cae96b; reference:md5,08833cd7564f29f7f499a65a7be82d02; reference:url,www.lexsi-leblog.com/cert-en/qadars-new-banking-malware-with-fraudulent-mobile-application-component.html; classtype:trojan-activity; sid:2023588; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2013_10_09, malware_family Qadars, performance_impact Low, updated_at 2016_12_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Chthonic Checkin"; flow:established,to_server; urilen:6; content:"POST"; http_method; content:"/home/"; http_uri; content:!"Accept-"; http_header; content:!"Content-Type|3a|"; http_header; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,6afc848066d274d8632c742340560a67; classtype:trojan-activity; sid:2017584; rev:6; metadata:created_at 2013_10_11, updated_at 2017_06_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Citadel Activity POST"; flow:to_server,established; urilen:15; content:"POST"; http_method; content:"/pk/request.flv"; http_uri; content:!"Content-Type|3a|"; http_header; content:!"Referer|3a|"; http_header; reference:md5,a354873df6dbce59e801380cee39ac17; classtype:trojan-activity; sid:2017582; rev:4; metadata:created_at 2013_10_11, updated_at 2013_10_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CryptoLocker EXE Download"; flow:to_server,established; content:"/crypt_"; http_uri; content:"sell"; content:".exe"; http_uri; pcre:"/\/crypt_[^\/]*?sell[^\/]*?\d\.exe$/U"; classtype:trojan-activity; sid:2017583; rev:2; metadata:created_at 2013_10_11, updated_at 2013_10_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible W32/KanKan tools.ini Request"; flow:established,to_server; content:"/tools.ini"; http_uri; fast_pattern:only; pcre:"/^\/tools\.ini$/U"; reference:url,www.welivesecurity.com/2013/10/11/win32kankan-chinese-drama/; classtype:trojan-activity; sid:2017585; rev:2; metadata:created_at 2013_10_13, updated_at 2013_10_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible W32/KanKan Update officeaddinupdate.xml Request"; flow:established,to_server; content:"/officeaddinupdate.xml"; http_uri; pcre:"/^\/officeaddinupdate\.xml$/U"; reference:url,www.welivesecurity.com/2013/10/11/win32kankan-chinese-drama/; classtype:trojan-activity; sid:2017586; rev:1; metadata:created_at 2013_10_13, updated_at 2013_10_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Kelihos.F EXE Download Common Structure"; flow:to_server,established; urilen:12; content:"GET"; http_method; content:".exe"; http_uri; fast_pattern:only; pcre:"/^(?:\/[a-z]+\d*?)?\/\d?\w+\d*?\.exe$/U"; pcre:"/^Host\x3A\x20[0-9]{1,3}\x2E[0-9]{1,3}\x2E[0-9]{1,3}\x2E[0-9]{1,3}\x0D\x0A\x0D?\x0A?$/H"; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; reference:md5,f5bcc28e7868a68e473373d684a8c54a; classtype:trojan-activity; sid:2017598; rev:6; metadata:created_at 2013_10_15, updated_at 2013_10_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Nemim Checkin"; flow:to_server,established; content:".php?a1="; nocase; fast_pattern:only; http_uri; content:"&a2="; http_uri; nocase; content:"&a3="; http_uri; nocase; pcre:"/\.php\?a1=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})&a2=[a-f0-9]{32}&a3=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/Ui"; reference:url,symantec.com/connect/blogs/infostealernemim-how-pervasive-infostealer-continues-evolve; classtype:trojan-activity; sid:2017599; rev:3; metadata:created_at 2013_10_15, updated_at 2013_10_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Egobot Checkin"; flow:to_server,established; content:".php?arg1="; nocase; fast_pattern:only; http_uri; content:"&arg2="; http_uri; pcre:"/&arg2=((?:[a-f0-9]{32})|(?:[A-Za-z0-9\x2b\x2f]{4})*(?:[A-Za-z0-9\x2b\x2f]{2}==|[A-Za-z0-9\x2b\x2f]{3}=|[A-Za-z0-9\x2b\x2f]{4}))(?:&|$)/Ui"; reference:url,symantec.com/connect/blogs/backdooregobot-how-effectively-execute-targeted-campaign; classtype:trojan-activity; sid:2017600; rev:2; metadata:created_at 2013_10_15, updated_at 2013_10_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Onkod.Downloader Executable Download"; flow:established,to_server; content:"/js/"; http_uri; content:".exe"; fast_pattern; http_uri; content:"User-Agent|3A 20|Mozilla/5.0 (Windows NT 6.1|3b| WOW64|3b| rv|3a|22.0) Gecko/20100101 Firefox/22.0|0D 0A|"; http_header; pcre:"/\x2Fjs\x2F[\r\n]*\x2Eexe$/U"; reference:url,blog.fortinet.com/Avoiding-Heuristic-Detection/; classtype:trojan-activity; sid:2017617; rev:2; metadata:created_at 2013_10_18, updated_at 2013_10_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Kuluoz Activity"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"name=|22|key|22|"; http_client_body; nocase; content:"filename=|22|key.bin|22|"; http_client_body; nocase; content:"name=|22|data|22|"; http_client_body; nocase; content:"filename=|22|data.bin|22|"; http_client_body; nocase; pcre:"/\/[A-F0-9]+$/U"; reference:md5,c71416a9ec5414fe487167b5bfd921ec; classtype:trojan-activity; sid:2017620; rev:2; metadata:created_at 2013_10_21, updated_at 2013_10_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN W32/Kegotip CnC Beacon"; flow:established,to_server; content:"QXNka"; depth:5; metadata: former_category TROJAN; reference:url,www.soleranetworks.com/blogs/cryptolocker-kegotip-medfos-malware-triple-threat/; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PWS%3AWin32%2FKegotip.C; classtype:trojan-activity; sid:2017627; rev:3; metadata:created_at 2013_10_22, updated_at 2017_04_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Linux/Ssemgrvd sshd Backdoor HTTP CNC 1"; flow:established,to_server;  content:"POST"; http_method; content:"port="; fast_pattern; http_client_body; content:"&uname="; distance:0; http_client_body; content:"&uuid="; http_client_body; distance:0; pcre:"/&uuid=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/P";content:"Connection|3A 20|close|0D 0A|Content-Type|3A 20|application/x-www-form-urlencoded|0D 0A|Content-Length|3A 20|"; http_header; content:!"User-Agent|3A|"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept|3a|"; http_header; classtype:trojan-activity; sid:2017642; rev:2; metadata:created_at 2013_10_30, updated_at 2013_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Linux/Ssemgrvd sshd Backdoor HTTP CNC 2"; flow:established,to_server; content:"POST"; http_method; content:"b=1&name="; http_client_body; depth:9; fast_pattern; content:"&uuid="; http_client_body; distance:0; pcre:"/&uuid=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/P"; content:"Connection|3A 20|close|0D 0A|Content-Type|3A 20|application/x-www-form-urlencoded|0D 0A|Content-Length|3A 20|"; http_header; content:!"User-Agent|3A|"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept|3a|"; http_header; classtype:trojan-activity; sid:2017643; rev:4; metadata:created_at 2013_10_30, updated_at 2013_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN possible TRAT proxy component user agent detected"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 6.0.1.3|3b 20|"; nocase; http_header; fast_pattern:37,14; reference:url,www.fireeye.com/blog/technical/malware-research/2013/10/evasive-tactics-terminator-rat.html; classtype:trojan-activity; sid:2017646; rev:2; metadata:created_at 2013_10_30, updated_at 2013_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV Install"; flow:established,to_server; content:"GET"; http_method; content:"/api/stats/debug/"; fast_pattern:only; http_uri; content:"/?ts="; http_uri; content:"&ver="; http_uri; content:"&group="; http_uri; content:"&token="; http_uri; reference:md5,d1663e13314a6722db7cb7549b470c64; classtype:trojan-activity; sid:2017647; rev:1; metadata:created_at 2013_10_30, updated_at 2013_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Spy.Win32.Zbot.qgxi Checkin"; flow:to_server,established; content:".php?bot="; http_uri; fast_pattern:only; content:"bot="; depth:4; http_cookie; reference:md5,0b450a92f29181065bc6601333f01b07; reference:md5,548fbf4dde27e725c0a1544f61362b50; reference:url,arbornetworks.com/asert/2014/04/trojan-eclipse-a-bad-moon-rising; classtype:trojan-activity; sid:2018412; rev:6; metadata:created_at 2013_10_31, updated_at 2013_10_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Badur.Spy User Agent lawl"; flow:established,to_server; content:"User-Agent|3A| lawl|0D 0A|"; http_header; reference:md5,4f5d28c43795b9c4e6257bf26c52bdfe; classtype:trojan-activity; sid:2017655; rev:1; metadata:created_at 2013_11_01, updated_at 2013_11_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/InstallMonster.Downloader Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/api"; http_uri; content:"Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; fast_pattern:12,20; content:!"Referer|3a|"; http_header; content:!"Content-Type|3a 20|"; http_header; content:"HTTP/1.0"; pcre:"/Library\x29\r$/Hm"; metadata: former_category TROJAN; reference:md5,70a6d9cb37e346b4dfd28bd4ea1f8671; classtype:trojan-activity; sid:2017656; rev:3; metadata:created_at 2013_11_01, updated_at 2017_10_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Known Sinkhole Response Header"; flow:established,from_server; content:"X-Sinkholed-Domain|3a|"; http_header; reference:md5,723a90462a417337355138cc6aba2290; classtype:trojan-activity; sid:2017662; rev:2; metadata:created_at 2013_11_04, updated_at 2013_11_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan/Win32.FraudPack User-Agent (Downloader MLR 1.0.0)"; flow:to_server,established; content:"User-Agent|3a| Downloader MLR 1.0.0|0d 0a|"; http_header; reference:md5,c9d54e9086357491bd1fdf8d8d804dce; classtype:trojan-activity; sid:2018112; rev:2; metadata:created_at 2013_11_04, updated_at 2013_11_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Backdoor.Adwind Download"; flow:established,from_server; file_data; content:"plugins/AdwindServer.class"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2013-070113-1904-99&tabid=3; classtype:attempted-user; sid:2017668; rev:3; metadata:created_at 2013_11_05, updated_at 2013_11_05;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN Possible Schneebly Posting ScreenShot"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/viewimage.php?s="; http_uri; nocase; content:!"&"; http_uri; distance:0; content:!"Referer|3a|"; http_header; content:"filename="; http_client_body; content:"JFIF"; distance:0; http_client_body; reference:url,www.alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017689; rev:1; metadata:created_at 2013_11_07, updated_at 2013_11_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Citadel.Arx Variant CnC Beacon 1"; flow:established,to_server; content:"/rssfeed.php?a="; http_uri; pcre:"/rssfeed\.php\?a=[^&]+?&\d+$/U"; content:!"Referer|3a|"; http_header; reference:url,botnetlegalnotice.com/citadel/files/Patel_Decl_Ex20.pdf; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/the-dual-use-exploit-cve-2013-3906-used-in-both-targeted-attacks-and-crimeware-campaigns.html; classtype:trojan-activity; sid:2017690; rev:1; metadata:created_at 2013_11_07, updated_at 2013_11_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Citadel.Arx Varient CnC Beacon 2"; flow:established,to_server; content:"/psp.php?p="; http_uri; content:"&g="; http_uri; content:"&s="; http_uri; content:"&t="; http_uri; content:"&r="; http_uri; content:!"Referer|3a|"; http_header; reference:url,botnetlegalnotice.com/citadel/files/Patel_Decl_Ex20.pdf; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/the-dual-use-exploit-cve-2013-3906-used-in-both-targeted-attacks-and-crimeware-campaigns.html; classtype:trojan-activity; sid:2017691; rev:1; metadata:created_at 2013_11_07, updated_at 2013_11_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FaceBook IM & Web Driven Facebook Trojan Posting Data"; flow:established,to_server; content:"POST"; http_method; content:"/tsone/ajuno.php"; http_uri; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r$/Hm"; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"u="; http_client_body; depth:2; content:"&p="; http_client_body; distance:0; content:"&l="; distance:0; http_client_body; reference:url,pastebin.com/raw.php?i=tdATTg7L; classtype:trojan-activity; sid:2017697; rev:4; metadata:created_at 2013_11_08, updated_at 2013_11_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Stitur Secondary Download"; flow:established,from_server; content:".file|0d 0a|"; http_header; fast_pattern:only; pcre:"/filename=[a-f0-9]{13}\.file\r\n/H"; content:"Content-Description|3a 20|File Transfer|0d 0a|"; http_header; content:"Content-Transfer-Encoding|3a 20|binary|0d 0a|"; http_header; classtype:trojan-activity; sid:2017700; rev:2; metadata:created_at 2013_11_08, updated_at 2013_11_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Trojan.APT.9002 POST"; flow:established,to_server; content:"POST "; depth:5; pcre:"/^\/[a-f0-9]+\s/R"; content:!"|0d 0a|Referer|3a|"; distance:0; content:"User-Agent|3a 20|lynx|0d 0a|"; distance:0; fast_pattern; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:trojan-activity; sid:2017702; rev:3; metadata:created_at 2013_11_10, updated_at 2013_11_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [!11000,!11001,!12000] (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 4"; flow:to_server,established; dsize:>11; content:"|79 9e|"; fast_pattern:only; pcre:"/^[\x20-\x7e]*?.{8}\x79\x9e/s"; byte_jump:4,-10,little,relative,from_beginning,post_offset -1; isdataat:!1,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:trojan-activity; sid:2017707; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2013_11_12, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bamital checkin"; flow:established,to_server; content:".php?subid="; http_uri; content:"&os="; distance:0; http_uri; content:"&id="; distance:0; http_uri; content:"&ver="; distance:0; http_uri; classtype:trojan-activity; sid:2017710; rev:2; metadata:created_at 2013_11_13, updated_at 2013_11_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Taidoor Checkin"; flow:to_server,established; content:".jsp?"; offset:4; fast_pattern; pcre:"/^[a-z]{2}\x3d[a-z0-9]+?[A-F0-9]+? HTTP\/1\.1/R"; content:"|0d 0a|User-Agent|3a| "; within:14; content:!"Referer"; distance:0; content:!"Accept"; distance:0; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:trojan-activity; sid:2017713; rev:4; metadata:created_at 2013_11_13, updated_at 2013_11_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PlugX Checkin"; flow:to_server,established; content:"POST "; depth:5; pcre:"/^\/[A-F0-9]{24} HTTP\/1\.1/R"; content:"|0d 0a|Accept|3a 20 2a 2f 2a 0d 0a|"; within:15; pcre:"/^[A-Z]{4}/R"; content:"1|3a 20|0|0d 0a|"; fast_pattern; within:6; content:!"Referer"; distance:0; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:trojan-activity; sid:2017714; rev:5; metadata:created_at 2013_11_13, updated_at 2013_11_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Athena Bot Nick in IRC"; flow:established,to_server; content:"NICK "; content:"|5b|"; distance:1; within:1; pcre:"/^[A-Z]{3}\|[UA]\|[DL]\|W([78]|_XP|VIS)\|x(86|64)\|/R"; reference:url,arbornetworks.com/asert/2013/11/athena-a-ddos-malware-odyssey/; reference:md5,859c2fec50ba1212dca9f00aa4a64ec4; classtype:trojan-activity; sid:2017716; rev:3; metadata:created_at 2013_11_14, updated_at 2013_11_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.BlackRev Botnet Monitor Request CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/monitor.php?resp=ID|3a|"; fast_pattern:only; http_uri; pcre:"/\/monitor\.php\?resp=ID\x3a[A-Za-z]{15}/U"; content:"Target|3a|"; http_uri; content:"Message|3a|"; http_uri; content:!"Referer|3a 20|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (SEObot)|0d 0a|"; http_header; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:trojan-activity; sid:2017717; rev:2; metadata:created_at 2013_11_14, updated_at 2013_11_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.BlackRev Botnet Login Request CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/operator/login.php"; fast_pattern:only; http_uri; pcre:"/\/operator\/login\.php$/U"; content:!"Referer|3a 20|"; content:!"Accept"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (SEObot)|0d 0a|"; http_header; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:trojan-activity; sid:2017718; rev:2; metadata:created_at 2013_11_14, updated_at 2013_11_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.BlackRev V1.Botnet HTTP Login POST Flood Traffic Outbound"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Synapse)"; fast_pattern:24,20; http_header; content:"login="; http_client_body; depth:6; content:"$pass="; http_client_body; within:50; threshold: type both, count 5, seconds 60, track by_src; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:trojan-activity; sid:2017721; rev:1; metadata:created_at 2013_11_14, updated_at 2013_11_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.BlackRev Botnet Command Request CnC Beacon"; flow:established,to_server; content:"/gate.php?cmd="; fast_pattern:only; http_uri; pcre:"/\/gate\.php\?cmd=(?:get(?:installconfig|exe)|urls)$/U"; content:!"Referer|3a 20|"; http_header; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:trojan-activity; sid:2017723; rev:1; metadata:created_at 2013_11_14, updated_at 2013_11_14;)

alert icmp any any -> any any (msg:"ET TROJAN PWS Win32/Lmir.BMQ checkin"; dsize:19; content:"This|27|s|20|Ping|20|Packet|21|"; reference:md5,0fe0cf9a2d8c3ccd1c92acbb81ff6343; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=PWS%3AWin32%2FLmir.BMQ; classtype:trojan-activity; sid:2017724; rev:2; metadata:created_at 2013_11_14, updated_at 2013_11_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sisproc update"; flow:to_server,established; content:"/poll/update.txt"; http_uri; content:!"Referer|3A 20|"; http_header; reference:md5,f8b3fb4e5f8f1b3bd643e58f1015f9fc; classtype:trojan-activity; sid:2017725; rev:4; metadata:created_at 2013_11_15, updated_at 2013_11_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader (P2P Zeus dropper UA)"; flow:to_server,established; content:"User-Agent|3a 20|Updates downloader"; classtype:trojan-activity; sid:2017726; rev:4; metadata:created_at 2013_11_15, updated_at 2013_11_15;)

alert tcp $EXTERNAL_NET any -> any 22 (msg:"ET TROJAN Possible SSH Linux.Fokirtor backchannel command"; flow:established,to_server; content:"|3a 21 3b 2e|"; pcre:"/^(?:[A-Za-z0-9\+\/]{4})*(?:[A-Za-z0-9\+\/]{2}==|[A-Za-z0-9\+\/]{3}=|[A-Za-z0-9\+\/]{4})/R"; reference:url,www.symantec.com/connect/blogs/linux-back-door-uses-covert-communication-protocol; classtype:trojan-activity; sid:2017727; rev:6; metadata:created_at 2013_11_15, updated_at 2013_11_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN Trojan.Dropper.Win32.Dapato.braa.AMN CnC traffic"; flow:to_server,established; content:"9002"; depth:4; reference:md5,6ef66c2336b2b5aaa697c2d0ab2b66e2; classtype:trojan-activity; sid:2017728; rev:2; metadata:created_at 2013_11_19, updated_at 2013_11_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Kryptik Check-in"; flow:established,to_server; content:".php?"; http_uri; nocase; content:"&bot_id="; http_uri; nocase; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\.php\?(q|name)=/Ui"; classtype:attempted-user; sid:2017741; rev:2; metadata:created_at 2013_11_21, updated_at 2013_11_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Solarbot Check-in"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"v="; depth:2; http_client_body; content:"&u="; http_client_body; content:"&w="; http_client_body; content:"&c="; http_client_body; pcre:"/&s=\{?[0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}\}?(?:&|$)/Pi"; reference:url,blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/; reference:url,www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/; reference:md5,2c344add2ee6201f4e2cdf604548408b; classtype:trojan-activity; sid:2017742; rev:2; metadata:created_at 2013_11_21, updated_at 2013_11_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Miuref/Boaxxe Checkin"; flow:to_server,established; content:"GET"; http_method; urilen:>400; content:"%2b"; fast_pattern:only; content:"%2f"; http_raw_uri; content:!"Referer|3a|"; http_header; content:!"|2e|"; http_raw_uri; content:!"|3f|"; http_raw_uri; content:!"|26|"; http_raw_uri; pcre:"/^\/(?:[a-zA-Z0-9]|%2[fb]){400,}$/I"; reference:url,welivesecurity.com/2014/01/17/boaxxe-adware-a-good-advert-sells-the-product-without-drawing-attention-to-itself-part-2/; reference:url,blogs.technet.com/b/mmpc/archive/2014/05/13/msrt-may-2014-miuref.aspx; classtype:trojan-activity; sid:2018582; rev:14; metadata:created_at 2013_11_21, updated_at 2013_11_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Downloader Win32.Genome.AV"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/other.txt"; fast_pattern; http_uri; content:"User-Agent|3a 20|NSIS_Inetc|20|(Mozilla)"; http_header; content:!"|0d 0a|Referer|3a|"; http_header; content:!"|0d 0a|Accept"; http_header; flowbits:set,et.GENOME.AV; reference:md5,d14314ceb74c8c1a8e1e8ca368d75501; classtype:trojan-activity; sid:2017746; rev:1; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Trojan-Downloader Win32.Genome.AV server response"; flow:to_client,established; file_data; content:"|5b|Soft"; pcre:"/^\d+?\x5d/R"; content:"SoftTitle="; distance:0; flowbits:isset,et.GENOME.AV; reference:md5,d14314ceb74c8c1a8e1e8ca368d75501; classtype:trojan-activity; sid:2017747; rev:2; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Darkness DDoS HTTP Target/EXE"; flow:from_server,established; file_data; content:"Z"; within:1; content:"PWh0dHA"; distance:2; within:9; pcre:"/^[a-z0-9\+\/]+={0,2}$/Rsi"; classtype:trojan-activity; sid:2017775; rev:6; metadata:created_at 2013_11_27, updated_at 2013_11_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Darkness DDoS Common Intial Check-in Response wtf"; flow:from_server,established; file_data; content:"d3Rm"; within:4; pcre:"/^(?:\r\n|$)/R"; reference:md5,a9af388f5a627aa66c34074ef45db1b7; classtype:trojan-activity; sid:2017776; rev:6; metadata:created_at 2013_11_27, updated_at 2013_11_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WORM_VOBFUS Checkin Generic 2"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|"; fast_pattern:27,20; content:!"|0d 0a|Accept|3a|"; content:!"|0d 0a|Referer|3a|"; content:"GET "; depth:4; pcre:"/^\/[A-Za-z]{2,}\/\?[a-z]\sHTTP\/1\.[0-1]\r\nUser-Agent\x3a Mozilla\/4\.0 \x28compatible\x3b MSIE 7\.0\x3b Windows NT 5\.1\x3b SV1\x29\r\nHost\x3a\x20[^\r\n]+?(?:\x3a(443|8080|900[0-9]))?\r\n(?:Connection\x3a\x20Keep-Alive\r\n)?\r\n$/R"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; reference:url,blog.dynamoo.com/2012/11/vobfus-sites-to-block.html; classtype:trojan-activity; sid:2017784; rev:3; metadata:created_at 2013_11_27, updated_at 2013_11_27;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Possible Upatre Downloader SSL certificate"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; pcre:"/^.{2}(?P<fake_email>([asdfgh]+|[qwerty]+|[zxcvbn]+)\@([asdfgh]+|[qwerty]+|[zxcvbn]+)\.).+?\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01.{2}(?P=fake_email)/Rs"; reference:url,blogs.technet.com/b/mmpc/archive/2013/10/31/upatre-emerging-up-d-at-er-in-the-wild.aspx; classtype:trojan-activity; sid:2017816; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2013_12_06, malware_family Upatre, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Zbot EXE filename Dec 09 2013"; flow:established,to_server; content:"/bc.exe"; http_uri; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2017818; rev:1; metadata:created_at 2013_12_09, updated_at 2013_12_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Zbot Activity Common Download Struct"; flow:to_server,established; content:".bin"; fast_pattern; http_uri; pcre:"/\.bin$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"Accept|3a| */*|0d 0a|Connection|3a| Close|0d 0a|"; http_header; depth:32; content:" MSIE "; http_header; pcre:"/^User-Agent\x3a[^\r\n]*?\sMSIE\s/Hm"; content:!"passport.net|0d0a|";  http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2017836; rev:3; metadata:created_at 2013_12_11, updated_at 2017_09_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN HTTP Connection To Known Sinkhole Domain sinkdns.org"; flow:to_server,established; content:".sinkdns.org"; http_header; nocase; pcre:"/^Host\x3a[^\r\n]*?\.sinkdns\.org(\x3a\d{1,5})?\r$/Hmi"; classtype:trojan-activity; sid:2017838; rev:1; metadata:created_at 2013_12_11, updated_at 2013_12_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vawtrak/NeverQuest Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:!"Referer|3a|"; http_header; content:"id="; depth:3; http_client_body; content:"&info="; http_client_body; pcre:"/^id=[A-Z0-9]+?&info=[A-Z0-9]+?$/P"; classtype:trojan-activity; sid:2017839; rev:1; metadata:created_at 2013_12_11, updated_at 2013_12_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Ke3chang.MovieStar.APT Campaign CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/p3oahin/"; depth:9; http_uri; content:".aspx?r="; distance:0; http_uri; content:"&a="; distance:0; http_uri; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html; classtype:trojan-activity; sid:2017855; rev:1; metadata:created_at 2013_12_13, updated_at 2013_12_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Ke3chang.Snake.APT Campaign CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/ke3chang/Directx.aspx?r="; depth:25; http_uri; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html; classtype:trojan-activity; sid:2017856; rev:1; metadata:created_at 2013_12_13, updated_at 2013_12_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Ke3chang.MyWeb.APT Campaign CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/MYWEB/SearchX.ASpX?id1="; depth:24; http_uri; content:"&id2="; distance:0; http_uri; content:"&id3="; distance:0; http_uri; content:"&id4="; distance:0; http_uri; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html; classtype:trojan-activity; sid:2017857; rev:1; metadata:created_at 2013_12_13, updated_at 2013_12_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Ke3chang.BMW.APT Campaign CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:35<>37; content:".aspx?Random="; http_uri; fast_pattern:only; pcre:"/^\x2F(?:acheb|bajree|cyacrin|dauber|eaves)\x2Easpx\x3FRandom\x3D[a-z]{16}$/Ui"; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html; classtype:trojan-activity; sid:2017858; rev:1; metadata:created_at 2013_12_13, updated_at 2013_12_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Ke3chang.Dream.APT Campaign CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:"/shfam9y/"; depth:9; http_uri; content:".aspx?r="; distance:0; http_uri; content:"&a="; distance:0; http_uri; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html; classtype:trojan-activity; sid:2017859; rev:1; metadata:created_at 2013_12_13, updated_at 2013_12_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Ke3chang.MyWeb.APT Eourdegh Campaign CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/Eourdegh/Swdfrp.ASpX?id1="; depth:26; http_uri; content:"&id2="; distance:0; http_uri; content:"&id3="; distance:0; http_uri; content:"&id4="; distance:0; http_uri; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,jsunpack.jeek.org/dec/go?report=e5f9dae61673a75db6dcb2475cb6ea8f22f66e9a; classtype:trojan-activity; sid:2017860; rev:1; metadata:created_at 2013_12_13, updated_at 2013_12_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Liftoh.Downloader Feed404 CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/feed404/mysfeeds.php"; http_uri; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/spam-campaign-delivers-liftoh-downloader/; classtype:trojan-activity; sid:2017867; rev:1; metadata:created_at 2013_12_16, updated_at 2013_12_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Liftoh.Downloader Images CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/images/gx.php"; http_uri; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/spam-campaign-delivers-liftoh-downloader/; classtype:trojan-activity; sid:2017868; rev:1; metadata:created_at 2013_12_16, updated_at 2013_12_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Liftoh.Downloader Final.html Payload Request"; flow:established,to_server; content:"GET"; http_method; content:"/dl/"; http_uri; content:"/final.html"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/spam-campaign-delivers-liftoh-downloader/; classtype:trojan-activity; sid:2017869; rev:1; metadata:created_at 2013_12_16, updated_at 2013_12_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Liftoh.Downloader Get Final Payload Request"; flow:established,to_server; content:"/get/"; http_uri; content:"/final"; http_uri; content:"Cookie|3A| ip="; http_header; pcre:"/Cookie\x3A\x20ip\x3D[0-9]{1,3}\x2E[0-9]{1,3}\x2E[0-9]{1,3}\x2E[0-9]{1,3}/H"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/spam-campaign-delivers-liftoh-downloader/; classtype:trojan-activity; sid:2017870; rev:2; metadata:created_at 2013_12_16, updated_at 2013_12_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [!5800] (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 5"; flow:to_server,established; dsize:>11; content:"|78 9c|"; fast_pattern:only; byte_jump:4,0,little,post_offset 1; isdataat:!1,relative; byte_extract:4,0,compressed_size,little; byte_test:4,>,compressed_size,4,little; pcre:"/^.{8}[\x20-\x7e]+?[\x00]*?\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:trojan-activity; sid:2017876; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2013_12_17, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [!5800] (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 6"; flow:to_server,established; dsize:>11; content:"|78 9c|"; fast_pattern:only; byte_extract:4,0,compressed_size,little; byte_test:4,>,compressed_size,4,little; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^.{8}[\x20-\x7e]+?[\x00]*?\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:trojan-activity; sid:2017877; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2013_12_17, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/GMUnpacker.Downloader Download Instructions Response From CnC"; flow:established,to_client; file_data; content:"<AD>"; within:4; content:"<TIPAD>"; distance:0; content:"<POPUP>"; distance:0; content:"<REG>HKEY_LOCAL_MACHINE|5c|SOFTWARE|5c|Microsoft|5c|Windows|5c|CurrentVersion|5c|"; distance:0; reference:md5,43e89125ad40b18d22e01f997da8929a; classtype:trojan-activity; sid:2017891; rev:1; metadata:created_at 2013_12_19, updated_at 2013_12_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Kuluoz/Asprox Activity"; flow:established,to_server; content:"POST "; depth:5; pcre:"/^\/(?:[A-Fa-f0-9]+|index\.php)\sHTTP/R"; content:"|0d 0a 0d 0a 80 00 00 00|"; distance:0; content:!"|0d 0a|Referer"; flowbits:set,ET.Kuluoz; reference:md5,a3e0f51356d48124fba25485d1871b28; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; reference:url,blog.fortinet.com/post/changes-in-the-asprox-botnet; classtype:trojan-activity; sid:2017895; rev:9; metadata:created_at 2013_12_23, updated_at 2013_12_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Urausy.C Checkin 4"; flow:to_server,established; urilen:>80; content:"GET"; http_method; pcre:"/\/([^\x2f]+?\/)?[a-z-_]+?\.(php|html)$/Ui"; content:"User-Agent|3a| Mozilla/5.0 (compatible|3b| MSIE 9.0|3b| Windows NT 6.1|3b| Trident/5.0)|0d 0a|"; fast_pattern:57,20; depth:77; http_header; content:!"Referer|3a| "; http_header; content:!"Accept|3a| "; http_header; reference:md5,0032856449dbef5e63b8ed2f7a61fff9; classtype:trojan-activity; sid:2017903; rev:2; metadata:created_at 2013_12_26, updated_at 2013_12_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 7"; flow:to_server,established; dsize:>11; content:"|79 95|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x95/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,a2469f4913f1607e4207ba0a8768491c; classtype:trojan-activity; sid:2017913; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_01_02, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 8"; flow:to_server,established; dsize:>11; content:"|79 99|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x99/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,be92836bee1e8abc1d19d1c552e6c115; classtype:trojan-activity; sid:2017914; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_01_02, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 9"; flow:to_server,established; dsize:>11; content:"|7a 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7a\x9b/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,a88e0e5a2c8fd31161b5e4a31e1307a0; classtype:trojan-activity; sid:2017915; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_01_02, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 10"; flow:to_server,established; dsize:>11; byte_jump:4,0,from_beginning,little,post_offset -1; isdataat:!1,relative; content:"|78 9c|"; fast_pattern:only; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,a88e0e5a2c8fd31161b5e4a31e1307a0; classtype:trojan-activity; sid:2017916; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_01_02, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Ferret DDOS Bot CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a 20|Mozilla|20|"; fast_pattern; http_header; content:"m"; depth:1; http_client_body; pcre:"/^m(?:ode)?=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})&h(?:wid)?=/P"; reference:md5,f582667d5ce743436fb24771eb22a0e8; reference:url,www.arbornetworks.com/asert/2013/12/a-business-of-ferrets/; classtype:trojan-activity; sid:2017917; rev:4; metadata:created_at 2014_01_02, updated_at 2014_01_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 2012:2014 (msg:"ET TROJAN Win32.Morix.B checkin"; flow:to_server,established; content:"|00 00 42 42 43 42 43|"; offset:2; depth:7; reference:md5,25623fa3a64f6bed301822f8fe6aa9b5; classtype:trojan-activity; sid:2017922; rev:3; metadata:created_at 2014_01_02, updated_at 2014_01_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan Generic - POST To gate.php with no referer"; flow:established,to_server; content:"POST"; http_method; content:"/gate.php"; http_uri; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2017930; rev:8; metadata:created_at 2014_01_03, updated_at 2014_01_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 11"; flow:to_server,established; dsize:>11; content:"|7b 9e|"; offset:8; byte_test:4,<,65535,4,little; byte_jump:4,0,little,from_beginning; isdataat:!6,relative; pcre:"/^.{8}[\x20-\x7e]+?.{5}\x7b\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,a2469f4913f1607e4207ba0a8768491c; classtype:trojan-activity; sid:2017934; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_01_06, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 12 SET"; flow:to_server,established; dsize:8; content:"|00 00|"; offset:2; depth:2; content:"|00 00|"; distance:2; within:2; flowbits:set,ET.gh0stFmly; flowbits:noalert; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,3b1abb60bafbab204aeddf8acdf58ac9; classtype:trojan-activity; sid:2017935; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_01_06, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 12"; flow:to_server,established; flowbits:isset,ET.gh0stFmly; content:"|78 9c 0b cf cc|"; depth:5; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,3b1abb60bafbab204aeddf8acdf58ac9; classtype:trojan-activity; sid:2017936; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_01_06, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Zbot Variant SSL cert for whoismama.ru"; flow:established,to_client; content:"www.whoismama.ru"; fast_pattern:only; nocase; reference:md5,cca1713888b0534954234cf31dd5a7d4; classtype:trojan-activity; sid:2017940; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_01_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Zbot Variant SSL cert for dewart.ru"; flow:established,to_client; content:"www.deweart.ru"; fast_pattern:only; nocase; reference:md5,6e0a6c4a06a446f70ae1463129711122; classtype:trojan-activity; sid:2017941; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_01_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Zbot Variant SSL cert for anlogtewron.ru"; flow:established,to_client; content:"www.anlogtewron.ru"; fast_pattern:only; nocase; reference:md5,c13c3e331f05d61a7204fb4599b07709; classtype:trojan-activity; sid:2017942; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_01_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Zbot Variant SSL cert for erjentronem.ru"; flow:established,to_client; content:"www.erjentronem.ru"; fast_pattern:only; nocase; reference:md5,05ddaa5b6b56123e792fd67bb03376bc; classtype:trojan-activity; sid:2017943; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_01_07, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fake/Short Google Search Appliance UA Win32/Ranbyus and Others"; flow:established,to_server; content:"User-Agent|3a 20|gsa-crawler|0d 0a|"; nocase; http_header; fast_pattern:5,20; reference:url,developers.google.com/search-appliance/documentation/50/help_mini/crawl_headers; reference:md5,98b58bd8a5138a31105e118e755a3773; reference:md5,c07a6035e9c7fed2467afab1a9dbcf40; classtype:trojan-activity; sid:2017937; rev:1; metadata:created_at 2014_01_07, updated_at 2014_01_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET ![80,443] (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 13"; flow:to_server,established; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!7,relative; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; content:"|7c 9e|"; offset:13; depth:8; pcre:"/^.{8}[\x20-\x7e]+?.{5}\x7c\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,6a6ef7b4c7e8300a73b206e32e14ce3c; classtype:trojan-activity; sid:2017938; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_01_07, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 14"; flow:to_server,established; dsize:>11; byte_extract:4,0,c_size,little; byte_test:4,>,c_size,4,little; content:"|08 01|"; offset:2; depth:2; content:"|79 94|"; offset:13; depth:2; pcre:"/^.{8}[\x20-\x7e]+?\x79\x94/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,9fae15fa8ab6bb8d78d609bdceafe28e; classtype:trojan-activity; sid:2017944; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_01_08, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Agent.BAAB Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/debug/trace/"; fast_pattern:only; http_uri; content:"User-Agent|3a 20|NSISDL/1.2|20|(Mozilla)|0d 0a|"; http_header; content:!"Referer|3a|"; http_header; content:"Accept|3a|"; http_header; pcre:"/^\/debug\/trace\/(?:Fw(?:Downloaded|Check)|N(?:oFw|sis))$/U"; metadata: former_category TROJAN; reference:md5,406fea6262d8ee05e0ab4247c1083443; reference:url,www.virustotal.com/en/file/b0baed750f09ff058e5bd28d6443da833496dc1d1ed674ee6b2caf91889f648e/analysis/1389133969/; classtype:trojan-activity; sid:2017946; rev:1; metadata:created_at 2014_01_08, updated_at 2017_11_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LDPinch Checkin Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"a="; http_client_body; depth:2; content:"&b="; distance:0; http_client_body; content:"&d="; distance:0; http_client_body; content:"&c="; distance:0; http_client_body; classtype:trojan-activity; sid:2017948; rev:1; metadata:created_at 2014_01_09, updated_at 2014_01_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Mevade.Variant CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"uuid|3A 20|"; http_header; content:!"User-Agent|3A|"; http_header; content:"|C8 71 04 ED 87 F6 DD 77 87|"; http_client_body; depth:9; pcre:"/^\x2F(?:policy|cache)$/U"; reference:url,labs.umbrella.com/2013/10/24/mysterious-dga-lets-investigate-sgraph/; reference:url,www.anubisnetworks.com/unknowndga17-the-mevade-connection/; classtype:trojan-activity; sid:2017959; rev:1; metadata:created_at 2014_01_11, updated_at 2014_01_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN PE EXE or DLL Windows file download disguised as ASCII"; flow:established,from_server; file_data; content:"|34 44 35 41|"; depth:4; content:"|35 30 34 35 30 30|";  distance:0; classtype:trojan-activity; sid:2017962; rev:3; metadata:created_at 2014_01_13, updated_at 2014_01_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Kishop.A checkin"; flow:to_server; content:"POST"; http_method; content:".php?mark="; http_uri; content:"&type="; http_uri; content:"&theos="; http_uri; reference:md5,bad7cd3c534c95867f5dbe5c5169a4da; classtype:trojan-activity; sid:2017964; rev:1; metadata:created_at 2014_01_13, updated_at 2014_01_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN StartPage jsp checkin"; flow:to_server,established; urilen:27<>40; content:"POST"; http_method; content:"/201"; http_uri; fast_pattern:only; content:".jsp"; http_uri; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 5.2|3b 20|.NET CLR 1.1.4322|3b 20|.NET CLR 2.0.50727|3b 20|InfoPath.1)|0d 0a|"; http_header; content:!"Accept-Language|3A 20|"; http_header; content:!"Referer|3A 20|"; http_header; pcre:"/^\/201\d{5,8}\/\d{6,11}\/\d{5,10}\.jsp$/U"; threshold:type both,track by_src,count 2,seconds 60; reference:md5,bb7bbb0646e705ab036d73d920983256; classtype:trojan-activity; sid:2017967; rev:2; metadata:created_at 2014_01_13, updated_at 2014_01_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWS.Win32/Daceluw.A Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:12; content:"/wow/wow.asp"; depth:12; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"&WOWID="; depth:7; http_client_body; content:"&Area="; distance:0; http_client_body; content:"&WU="; distance:0; http_client_body; content:"&WP="; distance:0; http_client_body; content:"&MAX="; distance:0; http_client_body; content:"&Gold="; distance:0; http_client_body; content:"&Serv="; distance:0; http_client_body; content:"&rn="; distance:0; http_client_body; content:"&key="; distance:0; http_client_body; reference:url,xylibox.com/2014/01/trojwowspy-a.html; classtype:trojan-activity; sid:2017970; rev:2; metadata:created_at 2014_01_13, updated_at 2014_01_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ICEFOG JAVAFOG JAR checkin"; flow:to_server; content:"POST"; http_method; content:"?title=2.0_-"; http_uri; fast_pattern:only; content:"User-Agent|3a 20|Java"; http_header; content:"content=HostName|3a 20|"; depth:18; http_client_body; content:"|0d 0a|Java Version|3a 20|"; distance:0; http_client_body; content:"|0d 0a 20|HostIp|3a 20|"; distance:0; http_client_body; content:!"Accept-Language|3A 20|"; http_header; content:!"Referer|3A 20|"; http_header; reference:url,www.securelist.com/en/blog/208214213/The_Icefog_APT_Hits_US_Targets_With_Java_Backdoor; reference:url,jsunpack.jeek.org/dec/go?report=6b63068d3259f5032a301e0d3f935b4d3f2e2998; classtype:trojan-activity; sid:2017972; rev:3; metadata:created_at 2014_01_15, updated_at 2014_01_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 15"; flow:to_server,established; dsize:>11; content:"FWKJGH"; offset:8; depth:6; byte_jump:4,0,little,from_beginning,post_offset 5; isdataat:!1,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,edd8c8009fc1ce2991eef6069ae6bf82; classtype:trojan-activity; sid:2017974; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_01_16, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Java/Jacksbot Check-in"; flow:established,to_server; content:"|00 2d 00 68 00 20 00 32 00 66 00|"; pcre:"/^(?:4\x00[1-9a-f]|5\x00[\da])/Rs"; content:"|00 33 00 61 00|"; within:5; reference:md5,6d93fc6132ae6938013cdd95354bff4e; classtype:trojan-activity; sid:2017983; rev:3; metadata:created_at 2014_01_17, updated_at 2014_01_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 16"; flow:to_server,established; dsize:>11; content:"|7d 9b|"; offset:8; depth:2; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!1,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,ece8808981043f830bacc4133d68e394; classtype:trojan-activity; sid:2017988; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_01_20, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN GoonEK Jan 21 2013"; flow:established,from_server; file_data; content:"#default#VML"; fast_pattern:only; content:"|5c 5c 3a|"; content:"|5c 5c 3a|"; distance:0; content:".namespaces.add"; nocase; pcre:"/^[\r\n\s]*?\([^\)]*?[\x22\x27]#/Ri"; content:!"default#VML"; within:12; pcre:"/^d(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?e(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?f(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?a(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?u(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?l(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?t(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?#(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?V(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?M(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?L[\x22\x27]/Rs"; classtype:trojan-activity; sid:2017993; rev:8; metadata:created_at 2014_01_21, updated_at 2014_01_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Kryptik.BSYO Checkin 2"; flow:to_server,established; content:"/cmd?version="; fast_pattern:only; http_uri; content:"&aid="; http_uri; content:"&id="; http_uri; content:"&os="; http_uri; pcre:"/&id=[a-f0-9]{8}(-[a-f0-9]{4}){4}[a-f0-9]{8}&os=/U"; reference:md5,494d0fb7efaabaf9c69edbc58360671f; reference:md5,1fd3e714669ac8a3bc4af33a3e6cf21f; reference:url,www.virusradar.com/en/Win32_Kryptik.BSYO/description; classtype:trojan-activity; sid:2018198; rev:2; metadata:created_at 2014_01_22, updated_at 2014_01_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [443,$HTTP_PORTS] (msg:"ET TROJAN Minirem"; flow: established,to_server; content:"GET "; depth:4; content:"/FC001/"; fast_pattern; offset:4; depth:7; content:"User-Agent|3a 20|Microsoft Internet Explorer"; distance:0; reference:md5,d92075280872b9fe4f541f090bf0076c; classtype:trojan-activity; sid:2018664; rev:4; metadata:created_at 2014_01_22, updated_at 2014_01_22;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Possible Upatre Downloader SSL certificate (fake org)"; flow:established,from_server; content:"|06 03 55 04 0a|"; content:!"|03|cnc"; distance:1; within:4; pcre:"/^.{2}(?P<fake_org>([asdfgh]+|[qwerty]+|[zxcvbn]+|[23werf]+)[01]).+?\x06\x03\x55\x04\x0a.{2}(?P=fake_org)/Rs";  classtype:trojan-activity; sid:2018005; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_01_22, malware_family Upatre, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Blackbeard Downloader"; flow:established,to_server; content:"/load"; http_uri; content:"p="; http_uri; content:"&t="; http_uri; content:"User-Agent|3a| IE|0d 0a|"; http_header; fast_pattern; pcre:"/[\?&]p=\d&t=\d(&|$)/U"; reference:md5,2f6f13eced7fce495168059530246d77; reference:url,blog.avast.com/2014/01/15/win3264blackbeard-pigeon-stealthiness-techniques-in-64-bit-windows-part-1/; classtype:trojan-activity; sid:2018110; rev:4; metadata:created_at 2014_01_23, updated_at 2014_01_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 17"; flow:to_server,established; dsize:>11; content:"AngeL"; depth:5; byte_jump:4,0,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:trojan-activity; sid:2018007; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_01_23, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query Possible Zbot Infection Query for networksecurityx.hopto.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|networksecurityx|05|hopto|03|org|00|"; fast_pattern; nocase; distance:0; reference:md5,37782108e8b7f331a6fdeabef9c8a774; reference:md5,10fa9c6c27e6eb512d12dee8181e182f; classtype:trojan-activity; sid:2018008; rev:3; metadata:created_at 2014_01_24, updated_at 2014_01_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious UA (^IE[\d\s])"; flow:established,to_server; content:"User-Agent|3a 20|IE"; http_header; nocase; fast_pattern:only; content:!"symantec"; nocase; http_header; content:!"norton"; nocase; http_header; content:!".bing.com|0d 0a|"; nocase; http_header; pcre:"/^User-Agent\x3a\x20IE[\d\s]/Hmi"; reference:md5,209e6701da137084c2f60c90d64505f2; classtype:trojan-activity; sid:2018010; rev:3; metadata:created_at 2014_01_24, updated_at 2014_01_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 18"; flow:to_server,established; dsize:>11; content:"|7b 9e|"; offset:8; byte_jump:4,-10,little,relative,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1f46b1e0a7fe83d24352e98b3ab3fc3f; classtype:trojan-activity; sid:2018013; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_01_27, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Limitless Logger Sending Data over SMTP"; flow:to_server,established; content:"Subject|3a 20|Limitless Logger|20 3a 20 3a|"; nocase; fast_pattern:9,20; reference:md5,243dda18666ae2a64685e51d82c5ad69; classtype:trojan-activity; sid:2018015; rev:2; metadata:created_at 2014_01_27, updated_at 2014_01_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Limitless Logger Sending Data over SMTP 2"; flow:to_server,established; content:"Limitless Logger successfully ran on this computer."; nocase; reference:md5,243dda18666ae2a64685e51d82c5ad69; classtype:trojan-activity; sid:2018016; rev:2; metadata:created_at 2014_01_27, updated_at 2014_01_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587,2525] (msg:"ET TROJAN Predator Logger Sending Data over SMTP"; flow:to_server,established; content:"Subject|3a 20|Predator Logger|20|"; fast_pattern:5,20; reference:md5,91f885e08d627097fb1116a3d4634b82; reference:url,stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html; classtype:trojan-activity; sid:2018017; rev:3; metadata:created_at 2014_01_27, updated_at 2014_01_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Win32/Antilam.2_0 Sending Data over SMTP"; flow:to_server,established; content:"Subject|3a 20|CigiCigi Logger"; fast_pattern:4,20; reference:md5,d95845c510ec1f5ad38cb9ccab16c38b; classtype:trojan-activity; sid:2018018; rev:2; metadata:created_at 2014_01_27, updated_at 2014_01_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.WinSpy.pob Sending Data over SMTP"; flow:to_server,established; content:"filename="; content:"PC_Active_Time.txt"; within:19; content:"|0d 0a|"; within:3; reference:md5,d95845c510ec1f5ad38cb9ccab16c38b; classtype:trojan-activity; sid:2018019; rev:3; metadata:created_at 2014_01_27, updated_at 2014_01_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Win32/Dimegup.A Downloading Image Common URI Struct"; flow:established,to_server; content:"/444.jpg"; http_uri; fast_pattern:only; content:"postimg.org"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a[^\r\n]+\.postimg\.org(?:\x3a\d{1,5})?\r?$/Hmi"; reference:md5,914c58df5d868f7c3438921d682f7fe5; classtype:trojan-activity; sid:2018022; rev:4; metadata:created_at 2014_01_27, updated_at 2014_01_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/LockscreenBEI.Scareware Cnc Beacon"; flow:established,to_server; urilen:18; content:"GET"; http_method; content:"/reboot/index.html"; fast_pattern:only; http_uri; content:!"Referer|3a 20|"; http_header; reference:md5,04948b6045730d4ec626f79504c7f9ad; reference:md5,9fff65c23fe403d25c08a5cdd3dc775d; classtype:trojan-activity; sid:2018023; rev:1; metadata:created_at 2014_01_27, updated_at 2014_01_27;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Xtrat C2 Response"; flow:established,from_server; content:"S|00|T|00|A|00|R|00|T|00|S|00|E|00|R|00|V|00|E|00|R|00|B|00|U|00|F|00|F|00|E|00|R"; depth:33; reference:url,threatexpert.com/report.aspx?md5=f45b1b82c849fbbea3374ae7e9200092; classtype:trojan-activity; sid:2018027; rev:2; metadata:created_at 2014_01_27, updated_at 2014_01_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Madness Checkin"; flow:established,to_server; content:"GET"; http_method; content:"&mk="; http_uri; fast_pattern:only; content:"&rs="; http_uri; content:"&rq="; http_uri; content:"&ver="; http_uri; pcre:"/\?uid=\d{8}&ver=\d\.\d{2}&mk=[0-9a-zA-Z]{6}&os=[A-Za-z0-9]+&rs=[a-z]+&c=\d+&rq=\d/U"; metadata: former_category TROJAN; reference:url,www.arbornetworks.com/asert/2014/01/can-i-play-with-madness/; reference:md5,f1ed53c4665d2893fd116a5b0297fc68; classtype:trojan-activity; sid:2018028; rev:5; metadata:created_at 2014_01_28, updated_at 2017_06_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Limitless Logger RAT HTTP Activity"; flow:established,to_server; content:"/Limitless/Login/"; http_uri; pcre:"/^Host\x3a\s*?(?:[^\r\n]+\.)?limitlessproducts\.org\r$/Hm"; classtype:trojan-activity; sid:2018030; rev:1; metadata:created_at 2014_01_28, updated_at 2014_01_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 19"; flow:to_server,established; dsize:>11; content:"|78 9c|"; offset:8; byte_jump:4,-6,little,relative,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,2b0f0479b14069b378fb454c92086897; classtype:trojan-activity; sid:2018032; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_01_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Win32.Genome.boescz Checkin"; flow:to_server,established; content:"|0d 0a|Subject|3a 20|TenInfect"; fast_pattern:9,9; content:"|0d 0a 0d 0a|TenInfect"; distance:0; reference:md5,313535d09865f3629423cd0e9b2903b2; reference:url,www.virustotal.com/en/file/75c454bbcfc06375ad1e8b45d4167d7830083202f06c6309146e9a4870cddfba/analysis/; classtype:trojan-activity; sid:2018033; rev:3; metadata:created_at 2014_01_29, updated_at 2014_01_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Banker.AALV checkin"; flow:to_server,established; content:"CHEGOU-NOIS"; fast_pattern; content:"|20 7c 20|PLUGIN|3a|"; distance:0; content:"|20 7c 20|BROWSER|3a|"; reference:md5,74bfd81b345a6ef36be5fcf6964af6e1; classtype:trojan-activity; sid:2018034; rev:1; metadata:created_at 2014_01_29, updated_at 2014_01_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN SolarBot Plugin Download Server Response"; flow:from_server,established; file_data; content:"SOLAR|00|"; within:6; content:"MZP"; distance:0; classtype:trojan-activity; sid:2018036; rev:4; metadata:created_at 2014_01_29, updated_at 2014_01_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SolarBot Plugin Download MessageBox"; flow:established,to_server; content:"/MessageBox.bin"; http_uri; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2018038; rev:1; metadata:created_at 2014_01_29, updated_at 2014_01_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SolarBot Plugin Download ComputerInfo"; flow:established,to_server; content:"/ComputerInfo.bin"; http_uri; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2018039; rev:1; metadata:created_at 2014_01_29, updated_at 2014_01_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SolarBot Plugin Download WalletSteal"; flow:established,to_server; content:"/WalletSteal.bin"; http_uri; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2018040; rev:1; metadata:created_at 2014_01_29, updated_at 2014_01_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Jadtree Downloader rar"; flow:to_server; content:".rar"; http_uri; pcre:"/User-Agent\x3a\x20\d{4}\r\n/H"; reference:md5,13cbc8d458c6dd30e94f46b00f8bda00; classtype:trojan-activity; sid:2018046; rev:1; metadata:created_at 2014_01_30, updated_at 2014_01_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Neverquest.InfoStealer Configuration Request CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/forumdisplay.php?fid="; http_uri; content:"id="; http_client_body; depth:3; content:"&info="; http_client_body; distance:0; reference:url,blogs.mcafee.com/mcafee-labs/neverquest-banking-trojan-wild; classtype:trojan-activity; sid:2018047; rev:1; metadata:created_at 2014_01_31, updated_at 2014_01_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32/PcClient.AA Checkin"; flow:to_server,established; content:"POST /2015"; depth:10; fast_pattern; pcre:"/^\d+?\/(?:\d+?\/-?\d+?\.(?:php|jsp))? HTTP/Ri"; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.2|3b| .NET CLR 1.1.4322|3b| .NET CLR 2.0.50727|3b| InfoPath.1|29 0d 0a|"; distance:0; reference:md5,33439543cae709aa7efa58f94e4b2a62; classtype:trojan-activity; sid:2019201; rev:10; metadata:created_at 2014_01_31, updated_at 2014_01_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 20"; flow:to_server,established; dsize:>11; content:"|7d 99|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x99/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,a037b3241c0b957efe6037b25570292f; classtype:trojan-activity; sid:2018054; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_02_03, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Upatre Binary Download Jan 02 2014"; flow:established,from_server; content:"Content-Type|3a 20|text/plain|0d 0a|"; http_header; file_data; content:"ZZP|00|"; within:4; classtype:trojan-activity; sid:2018055; rev:2; metadata:created_at 2014_02_03, updated_at 2014_02_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET !5800 (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 21"; flow:to_server,established; dsize:>11; content:"|70 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^.{8}\x70\x94[\x20-\x7e]/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,3ae76f6b76e743fd8063e1831236ce24; classtype:trojan-activity; sid:2018057; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_02_03, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp any any -> any 445 (msg:"ET TROJAN Possible KAPTOXA SMB Naming Format"; flow:to_server,established; content:"SMB|A2|"; content:"|5c 00|W|00|I|00|N|00|D|00|O|00|W|00|S|00 5c 00|t|00|w|00|a|00|i|00|n|00|_|00|3|00|2|00 5c|"; distance:0; fast_pattern:15,20; pcre:"/^(?:(?!\x00\x00\x00).)*?_\x00(?:(?!\x00\x00).)*?_\x00(?:(?!\x00\x00).)*?_\x00(?:(?!\x00\x00).)*?\x2e\x00t\x00x\x00t/Rsi"; flowbits:set,ET.kaptoxa; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018058; rev:1; metadata:created_at 2014_02_03, updated_at 2014_02_03;)

alert tcp any any -> any 445 (msg:"ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 1"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"M1"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018059; rev:2; metadata:created_at 2014_02_03, updated_at 2014_02_03;)

alert tcp any any -> any 445 (msg:"ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 2"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Mf"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018060; rev:2; metadata:created_at 2014_02_03, updated_at 2014_02_03;)

alert tcp any any -> any 445 (msg:"ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 3"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Mh"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018061; rev:2; metadata:created_at 2014_02_03, updated_at 2014_02_03;)

alert tcp any any -> any 445 (msg:"ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 4"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Ml"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018062; rev:2; metadata:created_at 2014_02_03, updated_at 2014_02_03;)

alert tcp any any -> any 445 (msg:"ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 5"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"T1"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018063; rev:3; metadata:created_at 2014_02_03, updated_at 2014_02_03;)

alert tcp any any -> any 445 (msg:"ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 6"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Tf"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018064; rev:2; metadata:created_at 2014_02_03, updated_at 2014_02_03;)

alert tcp any any -> any 445 (msg:"ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 7"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Th"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018065; rev:2; metadata:created_at 2014_02_03, updated_at 2014_02_03;)

alert tcp any any -> any 445 (msg:"ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 8"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Tl"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018066; rev:2; metadata:created_at 2014_02_03, updated_at 2014_02_03;)

alert tcp any any -> any 445 (msg:"ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 9"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"sh"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018067; rev:3; metadata:created_at 2014_02_03, updated_at 2014_02_03;)

alert tcp any any -> any 445 (msg:"ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 10"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"sl"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018068; rev:2; metadata:created_at 2014_02_03, updated_at 2014_02_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 22"; flow:to_server,established; dsize:>11; content:"|7d 9e|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:trojan-activity; sid:2018069; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_02_04, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 444 (msg:"ET TROJAN W32/FakeAlert.FT.gen.Eldorado Downloading DLL"; flow:to_server,established; content:"SIZE libcurl-4.dll|0d 0a|"; reference:md5,0f352448103f7d487e265220006a1c32; classtype:trojan-activity; sid:2018072; rev:2; metadata:created_at 2014_02_05, updated_at 2014_02_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/FakeAlert.FT.gen.Eldorado Downloading VBS"; flow:to_server,established; content:"SIZE explore.vbs|0d 0a|"; reference:md5,0f352448103f7d487e265220006a1c32; classtype:trojan-activity; sid:2018073; rev:2; metadata:created_at 2014_02_05, updated_at 2014_02_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/StoredBt.A Activity"; flow:to_server,established; content:".php?a1="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; pcre:"/\.php\?a1=\d+&a2=(?:[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}|(?:[A-Za-z0-9\+\/]{4})*(?:[A-Za-z0-9\+\/]{2}==|[A-Za-z0-9\+\/]{3}=|[A-Za-z0-9\+\/]{4}))(?:&a\d+=[^&]+)+$/U"; reference:md5,e8e9eb1cd4be7ab27743887be2aa28e9; classtype:trojan-activity; sid:2018074; rev:1; metadata:created_at 2014_02_05, updated_at 2014_02_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 23"; flow:to_server,established; dsize:>11; content:"|78 9c|"; offset:8; byte_jump:4,-18,relative,little,from_beginning, post_offset 1; isdataat:!1,relative; pcre:"/^.{8}[\x20-\x7e]+?.{2}\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,db1c4342f617798bcb2ba5655d32bf67; classtype:trojan-activity; sid:2018075; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_02_05, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 24"; flow:to_server,established; dsize:>11; content:"|7c 9f|"; offset:8; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!1,relative; pcre:"/^.{8}[\x20-\x7e]+?\x7c\x9f/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,0be9e3f4507a8ee23bb0c2b6c218d1cc; classtype:trojan-activity; sid:2018076; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_02_05, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 25"; flow:to_server,established; dsize:>11; content:"|7a 5d|"; offset:8; byte_jump:4,-12,relative,little,from_beginning, post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{10}\x7a\x5d/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,794eac549f98320b818037b8074da320; classtype:trojan-activity; sid:2018077; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_02_05, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Kbot.Backdoor Variant CnC Beacon"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/stat.php"; nocase; http_uri; content:"id="; depth:3; http_client_body; content:"&build_id="; fast_pattern:only; http_client_body; pcre:"/&build_id=[A-F0-9]+$/Pi"; reference:md5,1df0ceab582ae94c83d7d2c79389e178; classtype:trojan-activity; sid:2018078; rev:2; metadata:created_at 2014_02_05, updated_at 2014_02_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Blackshades/Shadesrat Backdoor CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/gate.php"; http_uri; content:"crypt"; http_client_body; depth:5; content:"="; http_client_body; within:3; reference:md5,9d11cfb7799089823483b72daec5fd2b; reference:md5,a01451eae2d47872ce796bb85f116710; classtype:trojan-activity; sid:2018079; rev:1; metadata:created_at 2014_02_05, updated_at 2014_02_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious Request for Pdf.exe Observed in Zeus/Luminosity Link"; flow:established,to_server; content:"/pdf.exe"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2018080; rev:3; metadata:created_at 2014_02_05, updated_at 2016_10_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Zeus.InfoStealer Infection Campaign Kia.exe Request"; flow:established,to_server; content:"/kia.exe"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2018081; rev:2; metadata:created_at 2014_02_05, updated_at 2014_02_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Zeus.InfoStealer Infection Campaign Wav.exe Request"; flow:established,to_server; content:"/wav.exe"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2018082; rev:2; metadata:created_at 2014_02_05, updated_at 2014_02_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Zeus.InfoStealer Infection Campaign Heap.exe Request"; flow:established,to_server; content:"/heap.exe"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2018083; rev:2; metadata:created_at 2014_02_05, updated_at 2014_02_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 26"; flow:to_server,established; dsize:>11; content:"|71 94|"; offset:8; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!1,relative; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x71\x94/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,b316680fd2578a2781ee9497888bd1e4; classtype:trojan-activity; sid:2018085; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_02_06, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DirtJumper Activity"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"&req="; http_client_body; pcre:"/^\d+?=\d+?(?:&ver=\d+?)?&req=\d+?(?:&r=)?$/P"; content:"Host|3a|"; http_header; depth:5; threshold: type limit, track by_src, seconds 60, count 1; reference:md5,5474129345d9756649c871f9c8b46287; reference:md5,ff5608e00d5e6e81af9c993461479e43; classtype:trojan-activity; sid:2018094; rev:1; metadata:created_at 2014_02_06, updated_at 2014_02_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon"; flow:established,to_server; urilen:31; content:"/b/eve/"; http_uri; fast_pattern:only; pcre:"/^\x2Fb\x2Feve\x2F[a-f0-9]{24}$/Ui"; metadata: former_category TROJAN; reference:url,research.zscaler.com/2014/02/new-zbot-variant-goes-above-and-beyond.html; reference:url,techhelplist.com/index.php/tech-tutorials/41-misc/465-asprox-botnet-advertising-fraud-general-overview-1; reference:md5,df5ab239bdf09a8716cabbdfa1d6a724; classtype:trojan-activity; sid:2018096; rev:1; metadata:created_at 2014_02_10, updated_at 2017_11_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"<html><body>hi!<|2F|body><|2F|html>"; within:30; reference:url,research.zscaler.com/2014/02/new-zbot-variant-goes-above-and-beyond.html; reference:url,techhelplist.com/index.php/tech-tutorials/41-misc/465-asprox-botnet-advertising-fraud-general-overview-1; reference:md5,df5ab239bdf09a8716cabbdfa1d6a724; classtype:trojan-activity; sid:2018097; rev:1; metadata:created_at 2014_02_10, updated_at 2014_02_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Asprox.ClickFraudBot POST CnC Beacon"; flow:established,to_server; urilen:<33; content:"POST"; http_method; content:"/b/"; http_uri; fast_pattern:only; pcre:"/^\x2Fb\x2F[a-z]{3,4}\x2F[a-f0-9]{24}$/Ui"; reference:url,research.zscaler.com/2014/02/new-zbot-variant-goes-above-and-beyond.html; reference:url,techhelplist.com/index.php/tech-tutorials/41-misc/465-asprox-botnet-advertising-fraud-general-overview-1; reference:md5,df5ab239bdf09a8716cabbdfa1d6a724; classtype:trojan-activity; sid:2018098; rev:2; metadata:created_at 2014_02_10, updated_at 2014_02_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Rshot.Backdoor File Upload CnC Beacon"; flow:established,to_server; urilen:13; content:"POST"; http_method; content:"/uploadb.php?"; fast_pattern; http_uri; content:"name=|22|archivo|22|"; http_client_body; content:".dmp|22|"; http_client_body; distance:0; reference:md5,08881eb702a1525f7792c3fef19ae9ff; classtype:trojan-activity; sid:2018100; rev:1; metadata:created_at 2014_02_10, updated_at 2014_02_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Dinwod.Dropper Win32/Xtrat.B CnC Beacon"; flow:established,to_server; dsize:<30; content:"myversion|7C|"; depth:10; pcre:"/^\d/R"; metadata: former_category TROJAN; reference:md5,dd6a13ba9177a18a8cf16b52ff643abc; classtype:trojan-activity; sid:2018101; rev:5; metadata:created_at 2014_02_10, updated_at 2017_11_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Woai.Dropper Config Request"; flow:established,to_server; content:"/client/config.ini"; http_uri; content:"|3B 29 0D 0A|"; http_header; pcre:"/User\x2DAgent\x3A\x20[^\r\n]*MSIE[^\r\n]*\x3B\x29\x0D\x0A/H"; reference:md5,0425a66e3b268ef8cbdd481d8e44b227; classtype:trojan-activity; sid:2018102; rev:4; metadata:created_at 2014_02_10, updated_at 2014_02_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Mask C2 Traffic"; flow:established,to_server; content:".cgi?Group="; http_uri; nocase; content:"&Ver="; http_uri; nocase; content:"&Inst"; http_uri; nocase; content:"&Ask="; http_uri; nocase; content:"&Bn="; http_uri; nocase; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:2018105; rev:1; metadata:created_at 2014_02_10, updated_at 2014_02_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Infostealer.Jackpos Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"User-Agent|3a| something|0d 0a|"; http_header; content:"mac="; fast_pattern; depth:4; http_client_body; content:"&t1="; http_client_body; content:"&t2="; http_client_body; pcre:"/^mac=([A-F0-9]{2}-){5}[A-F0-9]{2}&t1=/P"; reference:md5,aa9686c3161242ba61b779aa325e9d24; reference:md5,88e721f62470f8bd267810fbaa29104f; reference:url,intelcrawler.com/about/press10; classtype:trojan-activity; sid:2018108; rev:1; metadata:created_at 2014_02_12, updated_at 2014_02_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for Known Chewbacca CnC Server"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|5ji235jysrvwfgmb|05|onion|00|"; fast_pattern; distance:0; reference:md5,21f8b9d9a6fa3a0cd3a3f0644636bf09; reference:url,usa.visa.com/download/merchants/Alert-ChewbaccaMalware-030614.pdf; reference:url,symantec.com/security_response/earthlink_writeup.jsp?docid=2013-121813-2446-99; classtype:trojan-activity; sid:2018114; rev:2; metadata:created_at 2014_02_12, updated_at 2014_02_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN FTP File Upload - BlackPOS Naming Scheme"; flow:established,to_server; content:"STOR "; depth:5; content:".txt"; pcre:"/data_\d{4}_\d{1,2}_\d{1,2}_\d{1,2}_\d{1,2}\.txt/"; reference:url,www.cyphort.com/blog/cyphort-tracks-down-new-variants-of-target-malware/; classtype:trojan-activity; sid:2018115; rev:1; metadata:created_at 2014_02_12, updated_at 2014_02_12;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET TROJAN MS Remote Desktop micros User Login Request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=micros|0d 0a|"; nocase; reference:url,intelcrawler.com/about/press08; classtype:protocol-command-decode; sid:2018124; rev:3; metadata:created_at 2014_02_12, updated_at 2014_02_12;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET TROJAN MS Remote Desktop edc User Login Request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=edc|0d 0a|"; nocase; reference:url,intelcrawler.com/about/press08; classtype:protocol-command-decode; sid:2018116; rev:1; metadata:created_at 2014_02_12, updated_at 2014_02_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Sinkhole banner"; flow:established,to_client; content:"Server|3a 20|You got served|21|"; http_header; reference:url,community.emc.com/community/connect/rsaxchange/netwitness/blog/2013/12/30/detecting-sinkholed-domains-in-your-environment; classtype:trojan-activity; sid:2018117; rev:2; metadata:created_at 2014_02_12, updated_at 2014_02_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banking Trojan HTTP Cookie"; flow:established,to_server; content:"tcpopunder"; fast_pattern:only; content:"tcpopunder"; http_cookie; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/updates-to-the-citadel-trojan/; classtype:trojan-activity; sid:2018119; rev:1; metadata:created_at 2014_02_12, updated_at 2014_02_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blackbeard Check-in"; flow:established,to_server; content:"/task/2000"; http_uri; pcre:"/\/task\/2000$/U"; reference:url,blog.avast.com/2014/01/15/win3264blackbeard-pigeon-stealthiness-techniques-in-64-bit-windows-part-1/; classtype:trojan-activity; sid:2018120; rev:1; metadata:created_at 2014_02_12, updated_at 2014_02_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Linkup Ransomware check-in"; flow:established,to_server; content:"POST"; http_method; content:"/uplink.php?logo.jpg"; urilen:20; http_uri; content:"token="; http_client_body; reference:url,blog.emsisoft.com/2014/02/03/malware-analysis-ransomware-linkup-blocks-dns-and-mines-bitcoins/; classtype:trojan-activity; sid:2018122; rev:1; metadata:created_at 2014_02_12, updated_at 2014_02_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Almanahe.B Checkin"; flow:to_server,established; content:"GET"; http_method; urilen:1; content:"User-Agent|3a 20|ClientUpdate|0d 0a|"; fast_pattern:12,14; http_header; content:!"Accept|3a 20|"; content:!"Referer|3a 20|"; reference:url,www.virustotal.com/en/file/f80fc95e44d90a8e02de4fde0ea5e58227cbbde7b6d3848c1f8afbd5ed0affe7/analysis/; reference:md5,1d331ef7d24f6316947e94f737d1f219; classtype:trojan-activity; sid:2018123; rev:1; metadata:created_at 2014_02_12, updated_at 2014_02_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Infostealer.Jackpos Checkin 2"; flow:to_server,established; content:"/post/echo"; fast_pattern:only; http_uri; content:!"User-Agent|3a| "; http_header; pcre:"/^\/post\/echo$/U"; reference:md5,aa9686c3161242ba61b779aa325e9d24; reference:md5,88e721f62470f8bd267810fbaa29104f; reference:url,intelcrawler.com/about/press10; classtype:trojan-activity; sid:2018128; rev:1; metadata:created_at 2014_02_12, updated_at 2014_02_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Trojan-Gypikon Sending Data"; flow:established,to_server; content:"@"; pcre:"/^(?:x(?:86|64)@)?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/R"; content:" OS|3a 20|Win"; within:8; content:" CPU|3a|"; distance:0; content:"Hz|2c|RAM|3a|"; distance:0; reference:md5,f27bf471d2f2c0a76331d25fc4761e10; reference:md5,792b725b6a2a52e4eecde846b39eea7d; classtype:trojan-activity; sid:2018129; rev:6; metadata:created_at 2014_02_13, updated_at 2014_02_13;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN W32/Trojan-Gypikon Server Check-in Response"; flow:established,from_server; dsize:16; content:"|85 19 00 00 25 04 00 00 00 00|"; content:"|40 00 00 00 00|"; distance:1; within:6; reference:md5,f27bf471d2f2c0a76331d25fc4761e10; reference:md5,792b725b6a2a52e4eecde846b39eea7d; classtype:trojan-activity; sid:2018130; rev:3; metadata:created_at 2014_02_13, updated_at 2014_02_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1431 (msg:"ET TROJAN Win32/Tapazom.A"; flow:established,to_server; content:"GIVEME|7c|"; reference:md5,dc7284b199d212e73c26a21a0913c69d; classtype:trojan-activity; sid:2018133; rev:1; metadata:created_at 2014_02_13, updated_at 2014_02_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1431 (msg:"ET TROJAN Win32/Tapazom.A 2"; flow:established,to_server; content:"GETSERVER|7c|"; reference:md5,030f3840d2729243280d3cea3d99d8e6; classtype:trojan-activity; sid:2018134; rev:1; metadata:created_at 2014_02_13, updated_at 2014_02_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Android/FakeKakao checkin"; flow:to_server,established; content:"POST"; http_method; content:"androidbugreport.php"; http_uri; content:!"User-Agent|3a| "; nocase; http_header; content:"md="; http_client_body; content:"&fo="; http_client_body; content:"&ds="; http_client_body; reference:url,blog.fortinet.com/Fake-KakaoTalk-Security-Plug-in/; classtype:trojan-activity; sid:2018137; rev:2; metadata:created_at 2014_02_14, updated_at 2014_02_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN RDP Brute Force Bot Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/cmd.php"; http_uri; content:"User-Agent|3a| Browser|0d 0a|"; http_header; content:"name=|22|data|22|"; http_client_body; content:"{ |22|bad|22 20 3a 20|"; http_client_body; content:", |22|bruting|22 20 3a 20|"; fast_pattern:only; http_client_body; content:", |22|checked|22 20 3a 20|"; http_client_body; reference:md5,c0c1f1a69a1b59c6f2dab18135a73919; reference:md5,e310cf7385ae4d15956e461c6d118c91; reference:md5,d316d208a66248c09986896f671f1db1; reference:url,www.alienvault.com/open-threat-exchange/blog/botnet-bruteforcing-point-of-sale-via-remote-desktop/; classtype:trojan-activity; sid:2018253; rev:2; metadata:created_at 2014_02_14, updated_at 2014_02_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Compromised Host Sinkhole Cookie Value Snkz"; flow:established,to_client; content:"Set-Cookie|3a 20|snkz="; fast_pattern:only; pcre:"/^snkz\x3D\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/C"; classtype:trojan-activity; sid:2018141; rev:1; metadata:created_at 2014_02_14, updated_at 2014_02_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MSIL.Zapchast Checkin"; flow:to_server,established; content:"/files/def"; http_uri; pcre:"/^\/files\/def$/U"; content:"User-Agent|3a 20|AutoIt|0d 0a|"; http_header; content:!"Accept|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; reference:url,www.virustotal.com/en/file/9f41604b71d1c9a4c094d0aa2685ffa49cc0d4ba19b20b7c22467eafb671064c analysis/; reference:md5,63586aef2be494150a492d822147055a; classtype:trojan-activity; sid:2018142; rev:1; metadata:created_at 2014_02_14, updated_at 2014_02_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.Popwin Checkin"; flow:to_server,established; content:"/soft/xiaomi"; fast_pattern:only; http_uri; content:".asp";  content:"User-Agent|3a 20|API-Guide test program|0d 0a|"; http_header; content:!"Referer|3a|"; content:!"Accept|3a 20|"; reference:url,www.virustotal.com/en/file/79dfb0ea0d788dd388a1d1856402f04ddcdc42b7134ffc80747b339937216cbb analysis/; reference:md5,dd762c69049fbd00c22f70f109baa26e; classtype:trojan-activity; sid:2018143; rev:3; metadata:created_at 2014_02_14, updated_at 2014_02_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Dadobra.Downloader/DNSChanger Dnsmake CnC Beacon"; flow:established,to_server; content:"/dnsmake.txt"; fast_pattern; http_uri; content:"Indy Library"; http_header; pcre:"/User-Agent\x3A\x20[^\r\n]*Indy\x20Library/H"; reference:md5,dd3e5b41238a73d627c6c48108a15452; classtype:trojan-activity; sid:2018150; rev:1; metadata:created_at 2014_02_17, updated_at 2014_02_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 27"; flow:to_server,established; dsize:>11; content:"|7c 9c|"; offset:8; byte_jump:4,-6,relative,little,from_beginning, post_offset -1; isdataat:!1,relative; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x7c\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,29aabeba14f6b5950edcd2a5d99acc94; classtype:trojan-activity; sid:2018153; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_02_18, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Hack.PcClient.g CnC (OUTBOUND) XOR b5"; flow:to_server,established; content:"|d0 cd d0 db d4 d8 d0|"; content:"|d9 da d2 dc db|"; distance:0; content:"|d1 da d6 d8 d1|"; distance:0; content:"|dd da c6 c1 db d4 d8 d0|"; fast_pattern; distance:0; content:"|c2 dc db d1 da c2 c6|"; distance:0; reference:md5,dfd6b93dac698dccd9ef565a172123f3; classtype:trojan-activity; sid:2018154; rev:3; metadata:created_at 2014_02_18, updated_at 2014_02_18;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN Ebury SSH Rootkit data exfiltration"; content:"|12 0b 01 00 00 01|"; depth:6; pcre:"/^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}(([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01/Bs"; reference:url,cert-bund.de/ebury-faq; classtype:trojan-activity; sid:2018164; rev:1; metadata:created_at 2014_02_20, updated_at 2014_02_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gulpix/PlugX Client Request"; flow:to_server,established; content:"POST /"; depth:6; content:"HTTP/1."; distance:0; content:!"Referer"; distance:0; content:"2|3a 20|"; distance:0; fast_pattern; content:"3|3a 20|"; content:"1|3a 20|"; pcre:"/^(?P<vname>[^\r\n\x3a]+)(?P<n1>[0-4])\x3a\x20\d+\r\n(?P=vname)(?P<n2>((?!(?P=n1))[0-4]))\x3a\x20\d+\r\n(?P=vname)(?P<n3>((?!((?P=n1)|(?P=n2)))[0-4]))\x3a\x20\d+\r\n(?P=vname)(?:(?!((?P=n1)|(?P=n2)))[0-4])\x3a\x20\d+\r\n/m"; reference:md5,663d7774b6727a070b558676cee9fe43; reference:url,www.fireeye.com/blog/technical/targeted-attack/2014/02/operation-greedywonk-multiple-economic-and-foreign-policy-sites-compromised-serving-up-flash-zero-day-exploit.html; classtype:trojan-activity; sid:2018169; rev:3; metadata:created_at 2014_02_21, updated_at 2014_02_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gh0st Trojan CnC 3"; flow:established,to_server; dsize:14; content:"Gh0st"; depth:5; reference:md5,6a814cacb0c4b464d85ab874f68a5344; classtype:trojan-activity; sid:2018165; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_02_21, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 28"; flow:to_server,established; dsize:>11; content:"|7f 9b|"; offset:8; byte_jump:4,-10,little,relative,from_beginning, post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7f\x9b/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,52849773bc0d08eb9dfcb0df2b7caf33; classtype:trojan-activity; sid:2018166; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_02_21, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Generic CnC"; flow:established,to_server; content:" Mini BackDoor|00|"; offset:9; depth:20; reference:md5,398b6622a2c86d472a4340d3e79e654b; classtype:trojan-activity; sid:2018167; rev:1; metadata:created_at 2014_02_21, updated_at 2014_02_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 29"; flow:to_server,established; dsize:>11; content:"|7b 9e|"; offset:8; depth:2; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!1,relative; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,9af77f89a565143983fa008bbd8eedee; classtype:trojan-activity; sid:2018181; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_02_26, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Zeus Spam Campaign pdf.exe In ZIP - 26th Feb 2014"; flow:established,to_client; file_data; content:"PK"; within:2; content:"pdf.exe"; distance:42; within:500; classtype:trojan-activity; sid:2018182; rev:2; metadata:created_at 2014_02_26, updated_at 2014_02_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus.Downloader Campaign Unknown Initial CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/ppp/ta.php"; http_uri; fast_pattern:only; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/H"; reference:md5,ca15e5e96aee8b18ca6f3c185a690cea; classtype:trojan-activity; sid:2018183; rev:3; metadata:created_at 2014_02_26, updated_at 2014_02_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus.Downloader Campaign Second Stage Executable Request"; flow:established,to_server; content:"2p/"; http_uri; content:".exe"; fast_pattern; http_uri; pcre:"/\/p?2p\/[0-9]{1,2}\.exe$/U"; reference:md5,ca15e5e96aee8b18ca6f3c185a690cea; classtype:trojan-activity; sid:2018184; rev:5; metadata:created_at 2014_02_26, updated_at 2014_02_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN W32/FakeFlash.Dropper Initial CnC Beacon"; flow:established,to_server; dsize:8; content:"PutToken"; depth:8; reference:md5,43839d131dff01e9b752d91c2c8f68a8; classtype:trojan-activity; sid:2018185; rev:1; metadata:created_at 2014_02_26, updated_at 2014_02_26;)

alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN W32/FakeFlash.Dropper Initial CnC Beacon Acknowledgement"; flow:established,to_client; dsize:12; content:"TokenRecived"; depth:12; reference:md5,43839d131dff01e9b752d91c2c8f68a8; classtype:trojan-activity; sid:2018186; rev:1; metadata:created_at 2014_02_26, updated_at 2014_02_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN W32/FakeFlash.Dropper PutInformation CnC Beacon"; flow:established,to_server; dsize:18; content:"PutInformation_New"; depth:18; reference:md5,43839d131dff01e9b752d91c2c8f68a8; classtype:trojan-activity; sid:2018187; rev:1; metadata:created_at 2014_02_26, updated_at 2014_02_26;)

alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN W32/FakeFlash.Dropper GetInformation CnC Beacon Acknowledgement"; flow:established,to_client; dsize:14; content:"GetInformation"; depth:14; reference:md5,43839d131dff01e9b752d91c2c8f68a8; classtype:trojan-activity; sid:2018188; rev:1; metadata:created_at 2014_02_26, updated_at 2014_02_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.joggver backdoor initialization packet"; flow:established,to_server; dsize:32; content:"|03 01 74 80|"; depth:4; fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:14; within:14; classtype:trojan-activity; sid:2018189; rev:1; metadata:created_at 2014_02_26, updated_at 2014_02_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Zemot Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/b/shoe/"; depth:8; http_uri; fast_pattern; content:!"Referer"; http_header; content:"User-Agent|3a 20|Mozilla/4.0|20|"; http_header; pcre:"/^\/b\/shoe\/\d+?$/U"; reference:md5,e1cbdba0c57ddb5ab70aa1306dbacaa9; classtype:trojan-activity; sid:2018643; rev:4; metadata:created_at 2014_02_27, updated_at 2014_02_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 30"; flow:to_server,established; dsize:>11; content:"|78 5e|"; offset:13; depth:2; byte_jump:4,-10,little,relative,from_beginning, post_offset -1; isdataat:!1,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,aa717cce1ccfc766e0c8ad7a217f4be3; classtype:trojan-activity; sid:2018193; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_02_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Matsnu.L Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?text="; http_uri; content:"&img_url=http"; distance:0; http_uri; content:"&rpt=simage&pos="; distance:0; http_uri; fast_pattern; content:" Windows NT 5.0"; http_header; nocase; pcre:"/^User-Agent\x3a[^\r\n]+?\sWindows NT 5\.0/Hmi";  content:!"Accept|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=TROJAN%3AWIN32/MATSNU.L; reference:md5,38b1862a42a6453d8ccdf1c2d2eff018; classtype:trojan-activity; sid:2018200; rev:2; metadata:created_at 2014_03_03, updated_at 2014_03_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.Win32.Geral Checkin"; flow:established,to_server; content:".asp?MAC="; nocase; http_uri; fast_pattern:only; content:"&ver="; nocase; http_uri; pcre:"/\.asp\?MAC=[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}&VER=[^&]+$/Ui"; content:!"Referer|3a|"; http_header; reference:md5,f01260fff3d6fb705fc8afaa3ea54564; classtype:trojan-activity; sid:2018201; rev:2; metadata:created_at 2014_03_03, updated_at 2014_03_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Qakbot.Bot Version 8 CnC Beacon"; flow:established,to_server; urilen:7<>32; content:"POST"; http_method; content:".php"; http_uri; content:!"Referer|3a 20|"; http_header; content:"v="; http_client_body; depth:2; content:"&c="; http_client_body; fast_pattern; pcre:"/^\/[b-u][A-Za-z0-9]{6,25}\.php$/U"; reference:url,www.anubisnetworks.com/the-return-of-qakbot/; reference:md5,e9201c8b126ac40229e9ce3f82f5c608; reference:md5,749a7bf2ad84212bd78e46d240a4f434; classtype:trojan-activity; sid:2018204; rev:2; metadata:created_at 2014_03_03, updated_at 2014_03_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Kryptik.BSYO Checkin"; flow:to_server,established; content:"/log?"; http_uri; content:"|7c|aid="; fast_pattern:only; http_uri; content:"|7c|version="; http_uri; content:"|7c|id="; http_uri; content:"|7c|os="; http_uri; pcre:"/\/log\?(start|install)\x7caid=/U"; reference:md5,494d0fb7efaabaf9c69edbc58360671f; reference:md5,1fd3e714669ac8a3bc4af33a3e6cf21f; reference:url,www.virusradar.com/en/Win32_Kryptik.BSYO/description; classtype:trojan-activity; sid:2018205; rev:4; metadata:created_at 2014_03_04, updated_at 2014_03_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely Geodo/Emotet Downloading PE"; flow:established,to_server; content:".exe"; http_uri; pcre:"/\.exe$/Ui"; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b|MSIE 7.0|3b|Windows NT 6.0)|0d 0a|"; http_header; fast_pattern:25,20; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2018224; rev:4; metadata:created_at 2014_03_04, updated_at 2014_03_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backoff POS Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:".php"; http_uri; content:"&op="; depth:4; http_client_body; content:"&id="; http_client_body; content:"&ui="; http_client_body; content:"&wv="; http_client_body; fast_pattern:only; content:"&bv="; http_client_body; pcre:"/^&op=\d{1,2}&id=\w+?&ui=.+?&bv=\d{1,2}\.\d{1,2}($|&)/P"; reference:md5,d0c74483f20c608a0a89c5ba05c2197f; classtype:trojan-activity; sid:2018857; rev:6; metadata:created_at 2014_03_05, updated_at 2014_03_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible PlugX Common Header Struct"; flow:established,to_server; content:"POST"; depth:4; content:"|3a 20|61456|0d 0a|"; content:!"Content-Length|3a 20|61456|0d 0a|"; content:!"Referer|3a 20|"; content:!"User-Agent|3a 20|Dickson/"; http_header; pcre:"/^[^\r\n\x3a]+\x3a\x2061456\r$/m"; metadata: former_category TROJAN; reference:url,fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned-hurricane.html; reference:url,alienvault.com/open-threat-exchange/blog/the-connection-between-the-plugx-chinese-gang-and-the-latest-internet-explo; reference:url,securelist.com/blog/incidents/57197/the-rush-for-cve-2013-3906-a-hot-commodity/; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; classtype:trojan-activity; sid:2018228; rev:8; metadata:created_at 2014_03_06, updated_at 2018_04_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Darkshell.A Checkin XOR C0 Win XP"; flow:to_server,established; dsize:<512; content:"|e0 e0 e0 e0 97 89 8e 84 8f|"; content:"|98 90 e0|"; distance:2; within:3; classtype:trojan-activity; sid:2018229; rev:2; metadata:created_at 2014_03_06, updated_at 2014_03_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SMSHoax Riskware checkin"; flow:to_server; content:"POST"; http_method; content:"/api.php"; http_uri; content:"YWx0X2FwaV9iYXNlX3Vy"; depth:20; http_client_body; reference:md5,4b779acb1a0e726cee73fc2ca8a6a0be; classtype:trojan-activity; sid:2018230; rev:1; metadata:created_at 2014_03_06, updated_at 2014_03_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Kelihos Infection Executable Download With Malformed Header"; flow:established,from_server; content:"Last-Modified|3a|"; http_header; pcre:"/^Last-Modified\x3a(?:\s[^\r\n]{2}|[^\r\n\s]{3}),/Dm"; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2018241; rev:1; metadata:created_at 2014_03_08, updated_at 2014_03_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Zeus GameOver Connectivity Check"; flow:established,to_server; urilen:1; content:"|3b| MSIE "; fast_pattern:only; http_header; content:!"Accept-Encoding|3a 20|"; http_header; content:"Host|3a 20|www.google.com|0d 0a|"; http_header; pcre:"/^Accept\x3a\x20\*\/\*\r\nAccept-Language\x3a\x20[^\r\n]+\r\nUser-Agent\x3a\x20[^\r\n]+\sMSIE\s\d+\.\d+[^\r\n]+\r\nHost\x3a\x20www\.google\.com\r\nConnection\x3a\x20Close\r\n(?:\r\n)?$/H"; classtype:trojan-activity; sid:2018242; rev:3; metadata:created_at 2014_03_10, updated_at 2014_03_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Havex RAT CnC Server Response"; flow:established,from_server; file_data; content:"|3c 21 2d 2d|havexhavex|2d 2d 3e|"; reference:md5,6557d6518c3f6bcb8b1b2de77165c962; classtype:trojan-activity; sid:2018243; rev:1; metadata:created_at 2014_03_11, updated_at 2014_03_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Havex RAT CnC Server Response HTML Tag"; flow:established,from_server; file_data; content:"|3c|mega http|2d|equiv|3d|"; reference:md5,6557d6518c3f6bcb8b1b2de77165c962; classtype:trojan-activity; sid:2018244; rev:1; metadata:created_at 2014_03_11, updated_at 2014_03_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Snake rootkit usermode-centric client request"; flow:to_server,established; content:"/1/6b-558694705129b01c0"; http_uri; content:"Connection|3a 20|Keep-Alive|0d 0a|"; metadata: former_category TROJAN; reference:url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf; classtype:trojan-activity; sid:2018247; rev:2; metadata:created_at 2014_03_11, updated_at 2017_05_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Snake rootkit usermode-centric encrypted command from server"; flow:to_client,established; content:"200"; http_stat_code; file_data; content:"|01 00 00 00 00 00 00 00|1dM3uu4j7Fw4sjnb"; fast_pattern:3,20; metadata: former_category TROJAN; reference:url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf; classtype:trojan-activity; sid:2018248; rev:2; metadata:created_at 2014_03_11, updated_at 2017_05_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/PointOfSales.Misc CnC Beacon"; flow:established,to_server; urilen:12; content:"POST"; http_method; content:"/www/cmd.php"; fast_pattern; http_uri; content:"User-Agent|3A| Browser"; http_header; reference:url,www.alienvault.com/open-threat-exchange/blog/botnet-bruteforcing-point-of-sale-via-remote-desktop/; classtype:trojan-activity; sid:2018249; rev:1; metadata:created_at 2014_03_11, updated_at 2014_03_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/PointOfSales.Misc CnC Activity"; flow:established,to_server; content:"GET"; http_method; content:".exe?"; http_uri; content:"User-Agent|3A| Browser"; http_header; pcre:"/\.exe\?\d{5,}$/U"; reference:url,www.alienvault.com/open-threat-exchange/blog/botnet-bruteforcing-point-of-sale-via-remote-desktop/; classtype:trojan-activity; sid:2018250; rev:1; metadata:created_at 2014_03_11, updated_at 2014_03_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Graftor EXE Download Common Header Order"; flow:established,to_server; content:".exe"; http_uri; fast_pattern:only; content:" MSIE "; http_header; content:"Host|3a|"; depth:5; http_header; content:"Connection|3a 20|close|0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/^Host\x3a[^\r\n]+\r\nAccept-Language\x3a[^\r\n]+\r\nAccept\x3a[^\r\n]+\r\nAccept-Encoding\x3a[^\r\n]+\r\nConnection\x3a\x20close\r\nUser-Agent\x3a[^\r\n]+\r\n(?:\r\n)?$/H"; reference:md5,5d9d5b9089ad464e51ff391b14da1953; classtype:trojan-activity; sid:2018254; rev:1; metadata:created_at 2014_03_12, updated_at 2014_03_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Expiro.CD Check-in"; flow:established,to_server; content:"/gate.php?user="; http_uri; fast_pattern:only; content:"&id="; http_uri; nocase; content:"&type="; http_uri; pcre:"/\.php\?user=[a-f0-9]{32}&id=\d+&type=\d+(?:$|&)/U"; content:!"User-Agent|3a|"; http_header; reference:md5,c6e161a948f4474849d5740b2f27964a; classtype:trojan-activity; sid:2018255; rev:1; metadata:created_at 2014_03_12, updated_at 2014_03_12;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN TDLv4 SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|*.city.com"; distance:1; within:11; content:"|55 04 07|"; content:"|06|Cities"; distance:1; within:7; content:"|55 04 0a|"; content:"|0a|State Corp"; distance:1; within:11; classtype:trojan-activity; sid:2018256; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_03_12, updated_at 2016_07_01;)

alert tcp any any -> any $SSH_PORTS (msg:"ET TROJAN Linux/Kimodin SSH backdoor activity"; flow:established,to_server; content:"SSH-2.0-"; depth:8; isdataat:22,relative; pcre:"/^[0-9a-f]{22,46}/R"; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018264; rev:8; metadata:created_at 2014_03_12, updated_at 2014_03_12;)

alert udp any any -> any 53 (msg:"ET TROJAN Perl/Calfbot C&C DNS request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|vqvsaergek|04|info|00|"; fast_pattern; nocase; distance:0; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018265; rev:7; metadata:created_at 2014_03_14, updated_at 2014_03_14;)

alert udp any any -> any 53 (msg:"ET TROJAN Perl/Calfbot C&C DNS request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|pbcgmmympm|04|info|00|"; fast_pattern; nocase; distance:0; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018266; rev:7; metadata:created_at 2014_03_14, updated_at 2014_03_14;)

alert udp any any -> any 53 (msg:"ET TROJAN Perl/Calfbot C&C DNS request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|jmxkowzoen|04|info|00|"; fast_pattern; nocase; distance:0; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018267; rev:6; metadata:created_at 2014_03_14, updated_at 2014_03_14;)

alert udp any any -> any 53 (msg:"ET TROJAN Perl/Calfbot C&C DNS request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|tyixfhsfax|04|info|00|"; fast_pattern; nocase; distance:0; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018268; rev:6; metadata:created_at 2014_03_14, updated_at 2014_03_14;)

alert udp any any -> any 53 (msg:"ET TROJAN Perl/Calfbot C&C DNS request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|qgjhmerjec|04|info|00|"; fast_pattern; nocase; distance:0; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018269; rev:6; metadata:created_at 2014_03_14, updated_at 2014_03_14;)

alert udp any any -> any 53 (msg:"ET TROJAN Perl/Calfbot C&C DNS request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|njdyqrbioh|04|info|00|"; fast_pattern; nocase; distance:0; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018270; rev:6; metadata:created_at 2014_03_14, updated_at 2014_03_14;)

alert udp any any -> any 53 (msg:"ET TROJAN Perl/Calfbot C&C DNS request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|btloxcyrok|04|info|00|"; fast_pattern; nocase; distance:0; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018271; rev:7; metadata:created_at 2014_03_14, updated_at 2014_03_14;)

alert udp any any -> any 53 (msg:"ET TROJAN Perl/Calfbot C&C DNS request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|afwyhvinmw|04|info|00|"; fast_pattern; nocase; distance:0; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018272; rev:7; metadata:created_at 2014_03_14, updated_at 2014_03_14;)

alert udp any any -> any 53 (msg:"ET TROJAN Perl/Calfbot C&C DNS request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|wyfxanxjeu|04|info|00|"; fast_pattern; nocase; distance:0; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018273; rev:8; metadata:created_at 2014_03_14, updated_at 2014_03_14;)

alert udp any any -> any 53 (msg:"ET TROJAN Perl/Calfbot C&C DNS request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|qemyxsdigi|04|info|00|"; fast_pattern; nocase; distance:0; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018274; rev:7; metadata:created_at 2014_03_14, updated_at 2014_03_14;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Linux/Onimiki DNS trojan activity long format (Outbound)"; byte_test:1,!&,128,2; content:"|00 01 00 00 00 00 00 00 38|"; offset:4; depth:9; pcre:"/^[a-z0-9]{23}[a-f0-9]{33}.[a-z0-9\-_]+.[a-z0-9\-_]+\x00\x00\x01\x00\x01/Rsi"; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018275; rev:8; metadata:created_at 2014_03_14, updated_at 2014_03_14;)

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"ET TROJAN Linux/Onimiki DNS trojan activity long format (Inbound)"; byte_test:1,!&,128,2; content:"|00 01 00 00 00 00 00 00 38|"; offset:4; depth:9; pcre:"/^[a-z0-9]{23}[a-f0-9]{33}.[a-z0-9\-_]+.[a-z0-9\-_]+\x00\x00\x01\x00\x01/Rsi"; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018276; rev:6; metadata:created_at 2014_03_14, updated_at 2014_03_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Netwire RAT Client HeartBeat C1 (no alert)"; flow:established,to_server; dsize:5; content:"|01 00 00 00|"; depth:4; flowbits:set,ET.Netwire.HB; flowbits:noalert; reference:md5,154a2366cd3e39e8625f5f737f9da8f1; reference:md5,9475f91a426ac45d1f074373034cbea6; classtype:trojan-activity; sid:2018281; rev:4; metadata:created_at 2014_03_14, updated_at 2014_03_14;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Netwire RAT Client HeartBeat S1 (no alert)"; flow:established,from_server; dsize:5; content:"|01 00 00 00 01|"; flowbits:isset,ET.Netwire.HB.1; flowbits:isnotset,ET.Netwire.HB.2; flowbits:unset,ET.Netwire.HB.1; flowbits:set,ET.Netwire.HB.2; flowbits:noalert; metadata: former_category TROJAN; reference:md5,154a2366cd3e39e8625f5f737f9da8f1; reference:md5,9475f91a426ac45d1f074373034cbea6; classtype:trojan-activity; sid:2018282; rev:3; metadata:created_at 2014_03_14, updated_at 2017_12_11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Netwire RAT Client HeartBeat C2"; flow:established,to_client; flowbits:isset,ET.Netwire.HB; dsize:5; content:"|01 00 00 00|"; depth:4; threshold: type threshold, track by_src, count 3, seconds 60; reference:md5,154a2366cd3e39e8625f5f737f9da8f1; reference:md5,e01c79d227c6315150f7ff0afe40db4c; classtype:trojan-activity; sid:2018283; rev:5; metadata:created_at 2014_03_14, updated_at 2014_03_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BKDR_SLOTH.A Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:10; content:"/help.html"; http_uri; fast_pattern:only; content:!"Accept|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b| MSIE 7.0|3b| Windows NT 6.0)"; http_header; reference:md5,185e930a19ad1a99c226d59ef563e28c; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/the-siesta-campaign-a-new-targeted-attack-awakens/; reference:url,fireeye.com/blog/technical/targeted-attack/2014/03/a-detailed-examination-of-the-siesta-campaign.html; classtype:trojan-activity; sid:2018285; rev:2; metadata:created_at 2014_03_17, updated_at 2014_03_17;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Self-Signed Cert Observed in Various Zbot Strains"; flow:established,from_server; content:"|55 04 0a 13 02|XX"; content:"|55 04 0a 13 02|XX"; distance:0; reference:md5,00e7afce84c84cd70fe329d8bb8c0731; classtype:trojan-activity; sid:2018284; rev:2; metadata:created_at 2014_03_17, updated_at 2014_03_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 31"; flow:to_server,established; dsize:>11; content:"|7d 94|"; offset:8; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!1,relative; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x7d\x94/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,ece8808981043f830bacc4133d68e394; classtype:trojan-activity; sid:2018287; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_03_17, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN MultiThreat/Winspy.RAT Keep-Alive (flowbit set)"; flow:established,to_server; dsize:2; content:"/P"; depth:2; flowbits:set,WinSpy.KeepAlive; flowbits:noalert; reference:url,www.fireeye.com/blog/technical/2014/03/from-windows-to-droids-an-insight-in-to-multi-vector-attack-mechanisms-in-rats.html; reference:md5,815576890789003a7575c2948508c6b1; classtype:trojan-activity; sid:2018291; rev:1; metadata:created_at 2014_03_18, updated_at 2014_03_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN MultiThreat/Winspy.RAT Keep-Alive Server Response"; flow:established,from_server; dsize:2; content:"/P"; depth:2; flowbits:isset,WinSpy.KeepAlive; threshold:type limit,count 2,track by_src,seconds 300; reference:url,www.fireeye.com/blog/technical/2014/03/from-windows-to-droids-an-insight-in-to-multi-vector-attack-mechanisms-in-rats.html; classtype:trojan-activity; sid:2018292; rev:1; metadata:created_at 2014_03_18, updated_at 2014_03_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 37 (msg:"ET TROJAN MultiThreat/Winspy.RAT SMTP Data Exfiltration"; flow:established,to_server; content:"X-Mailer|3A| SysMon v1.0.0"; reference:url,www.fireeye.com/blog/technical/2014/03/from-windows-to-droids-an-insight-in-to-multi-vector-attack-mechanisms-in-rats.html; classtype:trojan-activity; sid:2018293; rev:1; metadata:created_at 2014_03_18, updated_at 2014_03_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET TROJAN MultiThreat/Winspy.RAT FTP File Download Command"; flow:established,to_server; dsize:>0; content:"/CD |5C 5C 5C|"; depth:9; pcre:"/^(?:(?:PCACTIV|ONLIN)ETIME|WEBSITE[DS]|CHATROOM|KEYLOGS)/Ri"; reference:url,www.fireeye.com/blog/technical/2014/03/from-windows-to-droids-an-insight-in-to-multi-vector-attack-mechanisms-in-rats.html; classtype:trojan-activity; sid:2018294; rev:1; metadata:created_at 2014_03_18, updated_at 2014_03_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mal/Ransom-CE Connectivity Check"; flow:established,to_server; content:"POST"; http_method; content:"/windows"; fast_pattern:only; http_uri; pcre:"/\/windows$/U"; content:" MSIE "; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a|"; http_header; depth:11; content:"Host|3a 20|www.microsoft.com|0d 0a|"; http_header; reference:md5,6faa7077de347ee0fa8c991934c2c3a5; reference:md5,a1fe3a7ff1ec997411b71212483eea33; reference:md5,97c0000473c5004d2e8c0464e322f429; classtype:trojan-activity; sid:2018295; rev:3; metadata:created_at 2014_03_18, updated_at 2014_03_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus GameOver Checkin"; flow:established,to_server; content:"POST"; http_method; content:"Host|3a| default"; http_header; fast_pattern:only; content:"X-ID|3a 20|"; http_header; pcre:"/^Host\x3a\x20default(?:\x3a\d{1,5})?\r?$/Hmi"; reference:md5,bd850c21254c33cd9f6be41aafc6bf46; classtype:trojan-activity; sid:2018296; rev:1; metadata:created_at 2014_03_18, updated_at 2014_03_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Stoberox.B"; flow:established,to_server; content:"POST"; http_method; content:".php"; content:"Host|3a|"; http_header; depth:5; content:"Connection|3a 20|Close|0d 0a|"; http_header; content:"Accept-Encoding|3a 20|none|0d 0a|"; http_header; fast_pattern:3,20; content:!"Referer"; http_header; pcre:"/^[a-zA-Z0-9\+\/]+={0,2}$/P"; reference:md5,6ca1690720b3726bc76ef0e7310c9ee7; classtype:trojan-activity; sid:2018300; rev:2; metadata:created_at 2014_03_20, updated_at 2014_03_20;)

alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Zeus GameOver Possible DGA NXDOMAIN Responses"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; pcre:"/^..[\x0d-\x20][a-z]{13,32}(?:\x03(?:biz|com|net|org)|\x04info|\x02ru)\x00\x00\x01\x00\x01/Rs"; threshold: type both, track by_dst, count 12, seconds 120; reference:url,vrt-blog.snort.org/2014/03/decoding-domain-generation-algorithms.html; classtype:trojan-activity; sid:2018316; rev:4; metadata:created_at 2014_03_25, updated_at 2014_03_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Sisproc"; flow:established,to_server; content:"/page_"; content:"Cookie|3a 20|XX=0|3b 20|BX=0"; reference:url,www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html; reference:md5,aaf73666cbd750ed22b80ed836d2b1e4; classtype:trojan-activity; sid:2018320; rev:1; metadata:created_at 2014_03_26, updated_at 2014_03_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Saker UA"; flow:established,to_server; content:"HTTP/1."; content:"User-Agent|3a 20|Mozilla/"; distance:0; content:" MSIE "; distance:0; content:"|3b| Wis NT "; distance:0; fast_pattern; content:"|3b| .NET CLR "; distance:0; pcre:"/^User-Agent\x3a[^\r\n]+?Wis NT /mi"; metadata: former_category TROJAN; reference:url,www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html; reference:md5,b362f833c9d6e5bed19aeec5a5b868ea; classtype:trojan-activity; sid:2018321; rev:3; metadata:created_at 2014_03_26, updated_at 2017_05_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET TROJAN Bozok.RAT checkin"; flow:to_server; content:"|00 00 00|"; offset:1; depth:4; content:"|00 7C 00|"; within:32; content:"|00 7C 00|"; within:32; content:"|00 7C 00|"; within:64; content:"|00 7C 00|"; within:12; content:"|00 7C 00|"; within:5; content:"|00 7C 00|0|00 7c 00|2|00|"; within:32; reference:md5,a45d3564d1fa27161b33712f035a5962; reference:url,www.fireeye.com/blog/technical/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html; classtype:trojan-activity; sid:2018325; rev:3; metadata:created_at 2014_03_26, updated_at 2014_03_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/SpeedingUpMyPC.Rootkit Install CnC Beacon"; flow:established,to_server; urilen:9; content:"POST"; http_method; content:"/install/"; http_uri; content:"q="; http_client_body; depth:2; reference:md5,cb6cb201eab321f7a827bb3cb1b311b6; classtype:trojan-activity; sid:2018331; rev:1; metadata:created_at 2014_03_28, updated_at 2014_03_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/SpeedingUpMyPC.Rootkit CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/get/?q="; http_uri; content:"User-Agent|3A| win32|0D 0A|"; http_header; reference:md5,cb6cb201eab321f7a827bb3cb1b311b6; classtype:trojan-activity; sid:2018332; rev:1; metadata:created_at 2014_03_28, updated_at 2014_03_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Asprox Fake Ximian Evolution X-Mailer Header (XimianEvolution1.4.6)"; flow:established,to_server; content:"X-Mailer|3a| XimianEvolution1.4.6"; fast_pattern:10,20; content:"|0d 0a|Content-Disposition|3a| attachment|3b|"; content:!"|0d 0a|Subject|3a| Undeliverable|3a|"; content:!"X-Barracuda-"; reference:url,techhelplist.com/index.php/tech-tutorials/41-misc/438-asprox-botnet-trojan-run-malware-spamming-1; reference:url,stopmalvertising.com/tag/asprox.html; classtype:trojan-activity; sid:2018336; rev:5; metadata:created_at 2014_03_31, updated_at 2014_03_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/SpeedingUpMyPC.Rootkit Successful Install GET Type CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/install/?q="; http_uri; content:"User-Agent|3A| win32"; http_header; reference:md5,cb6cb201eab321f7a827bb3cb1b311b6; classtype:trojan-activity; sid:2018345; rev:3; metadata:created_at 2014_04_01, updated_at 2014_04_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (hi)"; flow:established,to_server; content:"User-Agent|3A| hi|0d 0a|"; nocase; http_header; classtype:trojan-activity; sid:2018381; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2014_04_10, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus.Downloader Campaign Unknown Initial CnC Beacon 10/4/2014"; flow:established,to_server; content:"POST"; http_method; content:"/ccc/tab.php"; http_uri; fast_pattern:only; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/H"; reference:md5,94d5d99b910f9184573a01873fdc42fc; classtype:trojan-activity; sid:2018384; rev:2; metadata:created_at 2014_04_11, updated_at 2014_04_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus.Downloader Campaign Second Stage Executable Request 10/4/2014"; flow:established,to_server; urilen:<11; content:"/2p/"; http_uri; content:".exe"; fast_pattern; http_uri; pcre:"/^\x2F2p\x2F[a-z]{1,2}\.exe$/U"; reference:md5,94d5d99b910f9184573a01873fdc42fc; classtype:trojan-activity; sid:2018385; rev:2; metadata:created_at 2014_04_11, updated_at 2014_04_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN cryptodefense Checkin"; flow:established,to_server; content:"POST"; http_method; content:"Content-Type|3a| multipart/form-data|3b 20|boundary="; pcre:"/^[\x2d]+(?P<boundry>[0-9]+)\r\n.+filename\x3d[\x22\x27](?P=boundry)[\x22\x27]/Rsi"; content:!"Referer"; http_header; content:!"Accept-Encoding|3a|"; http_header; content:"filename="; fast_pattern:only; http_client_body; content:"form-data|3b| name="; pcre:"/^[\x22\x27][a-z][\x27\x22]/Ri"; classtype:trojan-activity; sid:2018386; rev:2; metadata:created_at 2014_04_14, updated_at 2014_04_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor Win32/Zegost.Q CnC traffic (OUTBOUND)"; flow:to_server,established; dsize:>11; content:"|55 60 67 6c 69 70 9a|"; offset:8; depth:7; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,4f0d365408b439eb9aaf0b2352abb662; classtype:trojan-activity; sid:2018390; rev:1; metadata:created_at 2014_04_15, updated_at 2014_04_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN plasmabot Checkin"; flow:to_server,established; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"crypt="; depth:6; http_client_body; fast_pattern; content:!"User-Agent|3a|"; http_header; reference:url,blogs.mcafee.com/mcafee-labs/plasma-http-botnet-steals-stored-passwords-chrome-filezilla; reference:md5,ffbf380abaa7c56b45edd2784feecf36; classtype:trojan-activity; sid:2018393; rev:3; metadata:created_at 2014_04_16, updated_at 2014_04_16;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Upatre Header Structure"; flow:to_server,established; content:"GET"; http_method; content:"Accept|3a 20|text/*,|20|application/*|0d 0a|User-Agent|3a 20|"; http_header; depth:44; fast_pattern:11,20; content:!"Mozilla"; within:7; http_header; content:"|0d 0a|Host|3a 20|"; distance:0; http_header; content:!"Taitus"; http_header; content:!"Sling/"; http_header; pcre:"/\r\nHost\x3a[^\r\n]+\r\n(?:Pragma|Cache-Control)\x3a\x20no-cache\r\n(?:Connection\x3a Keep-Alive\r\n)?(?:\r\n)?$/H"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2018394; rev:6; metadata:created_at 2014_04_16, updated_at 2017_11_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN  Possible Kelihos.F EXE Download Common Structure 2"; flow:to_server,established; content:"od"; offset:2; depth:2; nocase; http_uri; content:".exe"; nocase; http_uri; fast_pattern:only; pcre:"/^\/[mp]od[12]\/[^\/]+?\.exe$/Ui"; content:!"User-Agent|3a|"; http_header; nocase; content:"Host|3a|"; depth:5; http_header; reference:md5,9db28205c8dd40efcf7f61e155a96de5; classtype:trojan-activity; sid:2018395; rev:3; metadata:created_at 2014_04_16, updated_at 2014_04_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptoDefense DNS Domain Lookup"; content:"|10|rj2bocejarqnpuhm"; nocase; pcre:"/^[^\x00]+?\x00/Rs"; classtype:trojan-activity; sid:2018397; rev:3; metadata:created_at 2014_04_16, updated_at 2014_04_16;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN BitCrypt site accessed via .onion SSL Proxy"; flow:established,from_server; content:"|55 04 03|"; content:"kphijmuo2x5expag."; nocase; distance:2; within:17; classtype:trojan-activity; sid:2018399; rev:2; metadata:created_at 2014_04_17, updated_at 2014_04_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BitCrypt Ransomware Domain"; flow:established,to_server; content:"bitcrypt.cc"; nocase; http_header; pcre:"/Host\x3a\x20(?:[^\r\n]+\.)?bitcrypt\.cc(?:\x3a\d{1,5})?\r\n/Hmi"; classtype:trojan-activity; sid:2018400; rev:1; metadata:created_at 2014_04_17, updated_at 2014_04_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Kazy Checkin"; flow:established,to_server; content:"AAA=="; http_uri; fast_pattern:only; urilen:65; content:!"mvds1.org"; http_header; pcre:"/\/[\x2f\x2bA-Za-z0-9]{59}AAA==$/U"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2018401; rev:2; metadata:created_at 2014_04_18, updated_at 2018_01_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN GENERIC Likely Malicious Fake IE Downloading .exe"; flow:to_server,established; content:".exe"; http_uri; fast_pattern:only; pcre:"/\.exe$/U"; content:"|0d 0a|Connection|3a 20|Close|0d 0a|"; http_header; content:" MSIE "; http_header; content:!"|0d 0a|Accept-Encoding|3a|"; http_header; content:!"|0d 0a|Referer|3a|"; http_header; content:!"microsoft.com|0d 0a|"; http_header; content:!"adobe.com|0d 0a|"; http_header; content:!"360safe.com|0d 0a|"; http_header; content:!"download_helper.ns"; http_uri; content:!"softdl.360tpcdn.com"; content:!"cfbeta.razersynapse.com"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2018403; rev:8; metadata:created_at 2014_04_21, updated_at 2017_03_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN GreenDou Downloader User-Agent (hello crazyk)"; flow:established,to_server; content:"User-Agent|3A 20|hello crazyk"; http_header; reference:md5,67d52ae285ac82f959b3675550de8a2d; reference:md5,e668a501bd107de161378a9fd9c5d1f2; classtype:trojan-activity; sid:2018404; rev:1; metadata:created_at 2014_04_21, updated_at 2014_04_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Probable OneLouder downloader (Zeus P2P)"; flow:to_server,established; content:"GET"; http_method; content:"/11"; fast_pattern; http_uri; depth:3; content:!"Referer|3a| "; http_header; content:!"Accept-Language|3a| "; http_header; content:" MSIE "; http_header; pcre:"/^\/1+$/U"; classtype:trojan-activity; sid:2018413; rev:3; metadata:created_at 2014_04_23, updated_at 2014_04_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ftpchk3.php upload attempted"; flow:to_server,established; content:"STOR ftpchk3.php|0d 0a|"; nocase; fast_pattern:only; flowbits:set,ET.ftpchk3; reference:url,digitalpbk.blogspot.com/2009/10/ftpchk3-virus-php-pl-hacked-website.html; reference:url,labs.mwrinfosecurity.com/system/assets/131/original/Journey-to-the-Centre-of-the-Breach.pdf; classtype:attempted-admin; sid:2018416; rev:2; metadata:created_at 2014_04_23, updated_at 2014_04_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ftpchk3.php possible upload success"; flow:to_client,established; content:"226 Transfer complete"; nocase; flowbits:isset,ET.ftpchk3; reference:url,digitalpbk.blogspot.com/2009/10/ftpchk3-virus-php-pl-hacked-website.html; reference:url,labs.mwrinfosecurity.com/system/assets/131/original/Journey-to-the-Centre-of-the-Breach.pdf; classtype:attempted-admin; sid:2018417; rev:2; metadata:created_at 2014_04_23, updated_at 2014_04_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Zbot.InfoStealer WindowsUpdate Connectivity Check With Opera UA"; flow:established,to_server; content:"GET"; http_method; urilen:1; content:"User-Agent|3A| Opera/9.25 (Windows NT 6.0|3B| U|3B|"; http_header; fast_pattern:12,20; content:"Host|3A| windowsupdate.microsoft.com"; http_header; content:"Connection|3A| Close"; http_header; content:!"Referer|3A|"; http_header; content:!"Accept"; http_header; reference:md5,aa696180cd0369e264ed8e9137a4f254; classtype:trojan-activity; sid:2018419; rev:5; metadata:created_at 2014_04_24, updated_at 2014_04_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN hacker87 checkin"; flow:to_server,established; content:"POST"; http_method; content:"/AppEn.php"; fast_pattern:only; http_uri; content:"parameter="; depth:10; http_client_body; reference:md5,0d7dd2a6c69f2ae7e575ee8640432c4b; classtype:trojan-activity; sid:2018420; rev:1; metadata:created_at 2014_04_24, updated_at 2014_04_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot downloader Installing Zeus"; flow:to_server,established; content:".exe"; http_uri; fast_pattern:only; content:"Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; depth:30; http_header; content:"|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 6.0|3b 29 0d 0a|Host|3a| "; distance:0; http_header; pcre:"/User-Agent: [^\r]*\r\nHost: [^\r]*\r\nCache-Control: no-cache\r\n\r\n$/H"; classtype:trojan-activity; sid:2018421; rev:1; metadata:created_at 2014_04_24, updated_at 2014_04_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Spy.Banker.AAQD Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"valor="; depth:6; http_client_body; content:"verde"; http_client_body; content:"branco"; http_client_body; content:"vermelho"; fast_pattern:only; http_client_body; content:!"Referer|3a 20|"; http_header; metadata: former_category TROJAN; reference:md5,759db11b07f3a370338f2e0a28eb1def; reference:url,www.virusradar.com/en/Win32_Spy.Banker.AAQD/description; classtype:trojan-activity; sid:2018516; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2014_04_24, performance_impact Low, updated_at 2018_03_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Upatre Binary Download April 28 2014"; flow:established,from_server; file_data; content:"|ff d1 4e 8d|"; within:4; classtype:trojan-activity; sid:2018422; rev:2; metadata:created_at 2014_04_28, updated_at 2014_04_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/Eclipse.DDOSBot CnC Beacon Response"; flow:established,to_client; file_data; content:"<base>PGNtZD"; within:12; reference:url,www.arbornetworks.com/asert/2014/04/trojan-eclipse-a-bad-moon-rising/; classtype:trojan-activity; sid:2018423; rev:1; metadata:created_at 2014_04_28, updated_at 2014_04_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vawtrak/NeverQuest - Post Data Form 01"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/post.aspx?"; fast_pattern:only; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/post\.aspx\?[^&]+=[0-9]{9,10}$/U"; classtype:trojan-activity; sid:2018425; rev:1; metadata:created_at 2014_04_28, updated_at 2014_04_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Netwire RAT Check-in"; flow:established,to_server; dsize:>68; content:"|41 00 00 00 03|"; depth:5; flowbits:set,ET.NetwireRAT.Client; flowbits:noalert; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:2018426; rev:2; metadata:created_at 2014_04_28, updated_at 2014_04_28;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Netwire RAT Check-in"; flow:established,to_client; dsize:>68; content:"|41 00 00 00 05|"; depth:5; flowbits:isset,ET.NetwireRAT.Client; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:2018427; rev:3; metadata:created_at 2014_04_28, updated_at 2014_04_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Hicrazyk.A Downloader Install CnC Beacon"; flow:established,to_server; content:"/setup/?name="; http_uri; fast_pattern:only; content:"&ini="; http_uri; content:"&v="; http_uri; content:"User-Agent|3A| NSISDL/"; http_header; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader%3AWin32%2FHicrazyk.A&ThreatID=-2147281007; reference:md5,ddb8110ec415b7b6f43c0ef2b4076d45; classtype:trojan-activity; sid:2018435; rev:4; metadata:created_at 2014_04_29, updated_at 2014_04_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Karagany.Downloader CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/check_value.php"; http_uri; content:!"User-Agent|3A|"; http_header; content:"identifiant="; http_client_body; depth:12; reference:url,vrt-blog.snort.org/2014/05/continued-analysis-of-lightsout-exploit.html; classtype:trojan-activity; sid:2018443; rev:1; metadata:created_at 2014_05_05, updated_at 2014_05_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sefnit Checkin"; flow:established,to_server; content:"/0001"; http_uri; fast_pattern:only; pcre:"/^\/j\/[a-f0-9]{8}[\x2d\x5f]?[a-f0-9]{4}[\x2d\x5f]?[a-f0-9]{4}[\x2d\x5f]?[a-f0-9]{4}[\x2d\x5f]?[a-f0-9]{12}\/0001\/?$/U"; reference:url,www.facebook.com/notes/protect-the-graph/sefnit-is-back/1448087102098103; classtype:trojan-activity; sid:2018448; rev:3; metadata:created_at 2014_05_05, updated_at 2014_05_05;)

alert tcp any 443 -> any any (msg:"ET TROJAN Potential Sefnit C2 traffic (from server)"; flow: from_server,established; content:"SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1"; classtype:trojan-activity; sid:2018449; rev:8; metadata:created_at 2014_05_05, updated_at 2016_12_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CryptoWall Check-in"; flow:established,to_server; urilen:<134; content:"="; offset:1; depth:1; http_client_body; content:" MSIE "; fast_pattern; http_header; content:"Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; depth:62; http_header; content:!"|0d 0a|Accept-"; nocase; http_header; content:!"Referer|3a|"; http_header; pcre:"/[\/=][a-z0-9]{8,}$/U"; pcre:"/^[a-z]=[a-f0-9]{80,}$/P"; reference:md5,3c53c9f7ab32a09de89bb44e5f91f9af; classtype:trojan-activity; sid:2018452; rev:13; metadata:created_at 2014_05_05, updated_at 2014_05_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Upatre Downloader 2p (Zeus) May 07 2014"; flow:to_server,established; content:"2p/"; http_uri; fast_pattern:only; content:!"Accept-Language"; http_header; content:!"Referer|3A|"; http_header; pcre:"/\/p?2p\/[a-z]{3}$/U"; classtype:trojan-activity; sid:2018453; rev:4; metadata:created_at 2014_05_07, updated_at 2014_05_07;)

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET TROJAN DNS Reply Sinkhole - Anubis - 195.22.26.192/26"; content:"|00 01 00 01|"; content:"|00 04 c3 16 1a|"; distance:4; within:5; byte_test:1,>,224,0,relative; content:!"|0e|anubisnetworks|03|com|00|"; nocase; content:!"|05|mpsmx|03|net|00|"; nocase; content:!"|09|mailspike|03|com|00|"; nocase; content:!"|09|mailspike|03|org|00|"; nocase; threshold: type limit, track by_src, seconds 60, count 1; metadata: former_category TROJAN; classtype:trojan-activity; sid:2018455; rev:5; metadata:created_at 2014_05_08, updated_at 2018_04_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ELF/Mayhem Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"Pragma|3a 20|1337|0d 0a|"; http_header; fast_pattern:only; reference:url,blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html; classtype:trojan-activity; sid:2018456; rev:2; metadata:created_at 2014_05_08, updated_at 2014_05_08;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Possible Upatre Downloader SSL certificate (fake loc)"; flow:established,from_server; content:"|06 03 55 04 07|"; pcre:"/^.{2}(?P<fake_loc>([asdfgh]+|[qwerty]+|[zxcvbn]+|[23werf]+)[01]).+?\x06\x03\x55\x04\x07.{2}(?P=fake_loc)/Rs"; classtype:trojan-activity; sid:2018457; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_05_09, malware_family Upatre, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Fsysna.Downloader CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:".php"; http_uri; content:"Mozilla/4.0 (compatible|3B| MSIE "; http_header; content:".0|3B| Win32|29 3B 20|"; http_header; distance:1; within:15; fast_pattern; content:"Content-Type|3a 20|*/*|0d 0a|"; http_header; depth:19; pcre:"/^User-Agent\x3a\x20Mozilla\/4\.0 \(compatible\x3b MSIE \d+\.0\x3b Win32\)\x3b \d+\r?$/Hm"; reference:url,blogs.mcafee.com/mcafee-labs/targeted-attacks-japanese-firm-use-old-activex-vulnerability; reference:md5,2b91011e122364148698a249c2f4b7fe; reference:md5,6c040be9d91083ffba59405f9b2c89bf; classtype:trojan-activity; sid:2018462; rev:3; metadata:created_at 2014_05_09, updated_at 2014_05_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN possible OneLouder header structure"; flow:to_server,established; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 6.0|3b|)|0d 0a|Host|3a|"; http_header; fast_pattern:38,20; content:!"Accept-Encoding|3a|"; content:!"Referer"; http_header; flowbits:set,ET.OneLouder.Header; flowbits:noalert; classtype:trojan-activity; sid:2018463; rev:8; metadata:created_at 2014_05_12, updated_at 2014_05_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN OneLouder EXE download possibly installing Zeus P2P"; flow:to_client,established; flowbits:isset,ET.OneLouder.Header; file_data; content:"MZ"; within:2; byte_jump:4,60,little,from_beginning; content:"PE|00 00|"; within:4; classtype:trojan-activity; sid:2018464; rev:6; metadata:created_at 2014_05_12, updated_at 2014_05_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Backdoor.Adwind Download 2"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"Adwin"; pcre:"/^[a-z0-9_-]*?\.class/Rsi"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2013-070113-1904-99&tabid=3; reference:url,www.crowdstrike.com/blog/adwind-rat-rebranding/index.html; classtype:trojan-activity; sid:2018465; rev:5; metadata:created_at 2014_05_13, updated_at 2014_05_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Backdoor.Unrecom Download"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"Unrecom"; nocase; pcre:"/^[a-z0-9_-]*?\.class/Rsi"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2013-070113-1904-99&tabid=3; reference:url,www.crowdstrike.com/blog/adwind-rat-rebranding/index.html; classtype:trojan-activity; sid:2018466; rev:4; metadata:created_at 2014_05_13, updated_at 2014_05_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PandoraRat/Refroso.bsp Activity"; flow:established,to_server; content:"|c3 b8 ba ab a0 bc b0 b1 c1 7c|"; depth:10; content:"|7c|N|7c|"; within:200; reference:md5,9972e686d36f1e98ba9bb82b5528255a; classtype:trojan-activity; sid:2018467; rev:4; metadata:created_at 2014_05_13, updated_at 2014_05_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PandoraRat/Refroso.bsp Directory Listing Sent To Server"; flow:established,to_server; content:"|7C|DIR#0#bin|7C|DIR#0"; reference:md5,9972e686d36f1e98ba9bb82b5528255a; classtype:trojan-activity; sid:2018468; rev:4; metadata:created_at 2014_05_13, updated_at 2014_05_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/HelloBridge.Backdoor Register CnC Beacon"; flow:established,to_server; urilen:55; content:"/el/sregister.php?name="; http_uri; fast_pattern:only; pcre:"/^\x2Fel\x2Fsregister\x2Ephp\x3Fname\x3D[a-f0-9]{32}$/U"; reference:url,www.secureworks.com/resources/blog/research/hellobridge-trojan-uses-heartbleed-news-to-lure-victims/; classtype:trojan-activity; sid:2018474; rev:1; metadata:created_at 2014_05_14, updated_at 2014_05_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/HelloBridge.Backdoor Login CnC Beacon"; flow:established,to_server; urilen:51; content:"/el/slogin.php?uid="; http_uri; fast_pattern:only; pcre:"/^\x2Fel\x2Fslogin\x2Ephp\x3Fuid\x3D[a-f0-9]{32}$/U"; reference:url,www.secureworks.com/resources/blog/research/hellobridge-trojan-uses-heartbleed-news-to-lure-victims/; classtype:trojan-activity; sid:2018475; rev:1; metadata:created_at 2014_05_14, updated_at 2014_05_14;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Downloader.Win32.Tesch.A Server CnC Checkin Reply"; flow:established,to_client; content:"|02 00 06|"; depth:3; content:"|01 BB|"; distance:4; within:2; fast_pattern; reference:md5,86b5491831522f3c7bdcdacb17417514; reference:md5,2bebb36872b4829f553326e102d014ed; classtype:trojan-activity; sid:2018477; rev:1; metadata:created_at 2014_05_15, updated_at 2014_05_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Downloader.Win32.Tesch.A Bot Command Checkin 1"; flow:established,to_server; dsize:51; content:"|03 00 30 01 01 00|"; fast_pattern; depth:6;  flowbits:set,ET.Tesch; reference:md5,86b5491831522f3c7bdcdacb17417514; reference:md5,2bebb36872b4829f553326e102d014ed; classtype:trojan-activity; sid:2018478; rev:2; metadata:created_at 2014_05_15, updated_at 2014_05_15;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Downloader.Win32.Tesch.A Server CnC Sending Executable"; flow:established,to_client; content:"This Program must be"; fast_pattern:only; content:"|0B 00|"; depth:2; content:"|00|MZ"; distance:14; within:3; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:md5,28173e257188ce3b3cc663be661bc2c4; reference:md5,2bebb36872b4829f553326e102d014ed; classtype:trojan-activity; sid:2018479; rev:1; metadata:created_at 2014_05_15, updated_at 2014_05_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Zendran ELF IRCBot Joining Channel"; flow:established,to_server; content:"USER ass localhost localhost"; nocase; reference:url,blog.malwaremustdie.org/2014/05/threat-analysis-zendran-elf-ddos-scheme.html; reference:url,capsop.com/lightaidra-cc-investigation/; classtype:trojan-activity; sid:2018482; rev:2; metadata:created_at 2014_05_18, updated_at 2014_05_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Zendran ELF IRCBot Joining Channel 2"; flow:established,to_server; content:"PASS eYmUrmyAfG"; reference:url,blog.malwaremustdie.org/2014/05/threat-analysis-zendran-elf-ddos-scheme.html; reference:url,capsop.com/lightaidra-cc-investigation/; classtype:trojan-activity; sid:2018483; rev:2; metadata:created_at 2014_05_18, updated_at 2014_05_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Zendran ELF IRCBot Server Banner"; dsize:>14; flow:established,from_server; content:"|3a|Hell.Network|0d 0a|"; depth:15; reference:url,blog.malwaremustdie.org/2014/05/threat-analysis-zendran-elf-ddos-scheme.html; reference:url,capsop.com/lightaidra-cc-investigation/; classtype:trojan-activity; sid:2018484; rev:2; metadata:created_at 2014_05_18, updated_at 2014_05_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 32"; flow:to_server,established; dsize:>11; content:"|7a 98|"; offset:8; depth:2; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!1,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,9214f110f356e0ccccbab16266ae2a06; classtype:trojan-activity; sid:2018485; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_05_19, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 33"; flow:to_server,established; dsize:>11; content:"|70 9d|"; offset:8; depth:2; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!1,relative; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,2acd1b235e12dc9b961e7236f6db8144; classtype:trojan-activity; sid:2018486; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_05_19, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 34"; flow:to_server,established; dsize:>11; content:"|74 9d|"; offset:8; depth:2; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!1,relative; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,3063e7406947d00b792cb013ca667a69; classtype:trojan-activity; sid:2018487; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_05_19, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 35"; flow:to_server,established; dsize:>11; content:"|7e 95|"; offset:8; depth:2; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!1,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,17274afd768cd0cbc2aa236cf82ab951; classtype:trojan-activity; sid:2018488; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_05_19, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Antifulai.APT CnC Beacon 1"; flow:established,to_server; content:"GET"; http_method; content:".php?secue="; http_uri; fast_pattern:only; content:"&pro="; http_uri; content:"|2c|"; distance:0; http_uri; content:!"Referer|3a|"; http_header; reference:url,secureworks.com/resources/blog/research/apt-campaign-leverages-the-cueisfry-trojan-and-microsoft-word-vulnerability-cve-2014-1761/; reference:md5,1c29b24d4d4ef7568f519c470b51bbed; classtype:trojan-activity; sid:2018631; rev:3; metadata:created_at 2014_05_19, updated_at 2014_05_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Miniduke Checkin"; flow:to_server,established; content:"/create.php?"; fast_pattern:only; http_uri; content:!"maplelegends.com"; http_header; content:!"violinlab.com"; http_header; pcre:"/^\/[^\x2f]+?\/create\.php\?[a-z0-9]+\x3d[a-z0-9\x5f\x2d]+?$/Ui"; metadata: former_category TROJAN; reference:url,welivesecurity.com/2014/05/20/miniduke-still-duking/; classtype:trojan-activity; sid:2018491; rev:4; metadata:created_at 2014_05_20, updated_at 2018_03_22;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Upatre SSL Cert May 20 2014"; flow:established,from_server; content:"|11|www.myparadis.com"; reference:md5,ba7debd3ff51356135866a76116f595b; reference:md5,8a49c032efb6aa3a347a173d196a8bcb; classtype:trojan-activity; sid:2018492; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_05_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,to_client; content:"|55 04 03|"; content:"|11|bloggershop.co.vu"; distance:1; within:19; nocase; reference:md5,fe56b5a28eac390aa8cfb1402360958b; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018494; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_05_21, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Geodo Checkin"; flow:established,to_server; urilen:17<>19; content:!"Accept-"; http_header; content:" MSIE "; fast_pattern; http_header; content:"POST"; http_method; content:"/"; offset:8; depth:2; http_uri; content:"/"; offset:16; depth:3; http_uri; pcre:"/^\/[a-f0-9]{7,8}\/[a-f0-9]{7,8}\/$/U"; content:!"Referer"; http_header; reference:md5,fa50062b7763487b3dd6f9ed0a2f3549; reference:url,pastebin.com/qnLmpKuQ; classtype:trojan-activity; sid:2018496; rev:7; metadata:created_at 2014_05_21, updated_at 2014_05_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Win32/Urausy.C response"; flow:from_server,established; file_data; content:"|0d 0a|<?xml version="; depth:16; content:"<interval>"; distance:0; content:"</interval>"; distance:0; content:"<timeout>"; distance:0; content:"</timeout>"; distance:0; content:"|d1 81 d1 81 d1 8b d0 bb d0 be d0 ba 20|c&c -->"; fast_pattern:only; reference:md5,6213597f40ecb3e7cf2ab3ee5c8b1c70; classtype:trojan-activity; sid:2018499; rev:2; metadata:created_at 2014_05_23, updated_at 2014_05_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Zeus.BitcoinMiner Variant CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"sysin="; fast_pattern; depth:6; http_client_body; content:"?user="; http_uri; nocase; content:"&type="; http_uri; nocase; content:"&id="; http_uri; nocase; content:!"Referer|3A|"; http_header; reference:url,community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/05/16/zeuscoiner-detection-zeus-variant-engages-in-bitcoining; classtype:trojan-activity; sid:2018504; rev:1; metadata:created_at 2014_05_28, updated_at 2014_05_28;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Upatre Compromised Site hot-buys"; flow:established,to_client; content:"|55 04 03|"; content:"|0c|hot-buys.org"; distance:1; within:14; nocase; reference:md5,bad758023d2e3cc17b61423720cdb5b7; classtype:trojan-activity; sid:2018506; rev:1; metadata:created_at 2014_05_28, updated_at 2014_05_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Dropper.Win32.Agent.ksja"; flow:established,to_server; content:".php?m="; http_uri; fast_pattern:only; content:"User-Agent|3a| Mozilla/4.0 (Compatible|3b| MSIE 6.0|3b 29 0d 0a|Host|3a|"; depth:54; http_header; content:!"Accept|3a|"; http_header; content:!"Connection|3a|"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php\?m=[A-F0-9]{12}/U"; reference:md5,3b440e052da726942763d11cf9e3f72c; classtype:trojan-activity; sid:2018507; rev:2; metadata:created_at 2014_05_29, updated_at 2014_05_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Enosch.A gtalk connectivity check"; flow:to_server; content:"/index.html"; http_uri; content:"User-Agent|3A 20|gtalk|0d 0a|"; depth:19 ; http_header; pcre:"/^User-Agent\x3a\x20gtalk\r\nHost\x3a\x20www\.google\.com\r\n(?:\r\n)?$/H"; reference:md5,b13db8b21289971b3c88866d202fad49; classtype:trojan-activity; sid:2018508; rev:3; metadata:created_at 2014_05_30, updated_at 2014_05_30;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN SSL Cert Observed with Unkown Trojan (statswas)"; flow:established,from_server; content:"|0c|statswas.com"; nocase; fast_pattern:only; reference:md5,9c087d528beefd22743666af772465fc; classtype:trojan-activity; sid:2018515; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_06_03, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Soraya C2 User-Agent"; flow:established,to_server; content:"User-Agent|3a 20|rome0321|0d 0a|"; http_header; fast_pattern:12,8; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:trojan-activity; sid:2018519; rev:1; metadata:created_at 2014_06_04, updated_at 2014_06_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Soraya C2 User-Agent (default)"; flow:established,to_server; content:".php"; http_uri; content:"User-Agent|3a 20|default|0d 0a|"; http_header; fast_pattern:1,20; content:"mode="; depth:5; http_client_body; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:trojan-activity; sid:2018522; rev:2; metadata:created_at 2014_06_04, updated_at 2014_06_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Soraya C2 User-Agent (rhyno321)"; flow:established,to_server; content:"User-Agent|3a 20|rhyno321|0d 0a|"; http_header; fast_pattern:12,10; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:trojan-activity; sid:2018523; rev:1; metadata:created_at 2014_06_04, updated_at 2014_06_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Soraya C2 User-Agent (SBTCM)"; flow:established,to_server; content:"User-Agent|3a 20|SBTCM|0d 0a|"; http_header; fast_pattern:12,7; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:trojan-activity; sid:2018524; rev:1; metadata:created_at 2014_06_04, updated_at 2014_06_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Soraya C2 User-Agent (slayer)"; flow:established,to_server; content:"User-Agent|3a 20|slayer|0d 0a|"; http_header; fast_pattern:12,8; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:trojan-activity; sid:2018525; rev:1; metadata:created_at 2014_06_04, updated_at 2014_06_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Soraya C2 User-Agent (Vulture)"; flow:established,to_server; content:"User-Agent|3a 20|Vulture|0d 0a|"; http_header; fast_pattern:12,9; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:trojan-activity; sid:2018526; rev:1; metadata:created_at 2014_06_04, updated_at 2014_06_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Soraya C2 User-Agent (VHIbot/1.0)"; flow:established,to_server; content:"User-Agent|3a 20|VHIbot/1.0|0d 0a|"; http_header; fast_pattern:12,12; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:trojan-activity; sid:2018527; rev:1; metadata:created_at 2014_06_04, updated_at 2014_06_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Soraya C2 User-Agent (xehanort321)"; flow:established,to_server; content:"User-Agent|3a 20|xehanort321|0d 0a|"; http_header; fast_pattern:12,13; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:trojan-activity; sid:2018528; rev:1; metadata:created_at 2014_06_04, updated_at 2014_06_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Soraya C2 User-Agent (x09)"; flow:established,to_server; content:"User-Agent|3a 20 09 0d 0a|"; http_header; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:trojan-activity; sid:2018529; rev:1; metadata:created_at 2014_06_04, updated_at 2014_06_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Trojan.Agent.U3D7V0 Checkin"; flow:established, to_server; content: "GET"; http_method; content:"/getc"; http_uri; content:"/?c="; http_uri; fast_pattern:only; pcre:"/^\/getc(?:loud|onf)\/\?c=/Ui"; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; reference:md5, 97572a7a0690ba1643525bf6666b74c6; classtype:trojan-activity; sid:2018530; rev:2; metadata:created_at 2014_06_04, updated_at 2014_06_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN EtumBot Registration Request"; flow:established,to_server; content:"GET"; http_method; content:"/image/"; http_uri; content:".jpg"; http_uri; pcre:"/^\x2fimage\x2f[A-Za-z0-9\+_-]+\x2ejpg$/Ui"; content:"User-Agent|3a| Mozilla/5.0 |28|compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trident/5.0|29 0d 0a|"; fast_pattern:55,20; http_header; content:"Referer|3a| http|3a|//www.google.com/"; http_header; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018546; rev:5; metadata:created_at 2014_06_09, updated_at 2014_06_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN EtumBot Ping"; flow:established,to_server; content:"GET"; http_method; content:"/history/"; fast_pattern; depth:9; http_uri; content:".asp"; http_uri; pcre:"/^\x2fhistory\x2f[A-Za-z0-9+_-]+\x2easp$/Ui"; content:"User-Agent|3a| Mozilla/5.0 |28|compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trident/5.0|29 0d 0a|"; http_header; content:"Referer|3a| http|3a|//www.google.com/"; http_header; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018547; rev:2; metadata:created_at 2014_06_09, updated_at 2014_06_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN EtumBot Command Status Message"; flow:established,to_server; content:"GET"; http_method; content:"/tech/s.asp?m="; fast_pattern; depth:14; http_uri; pcre:"/^\x2ftech\x2fs\x2easp\x3fm\x3d[A-Za-z0-9+_-]+$/Ui"; content:"User-Agent|3a| Mozilla/5.0 |28|compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trident/5.0|29 0d 0a|"; http_header; content:"Referer|3a| http|3a|//www.google.com/"; http_header; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018548; rev:3; metadata:created_at 2014_06_09, updated_at 2014_06_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN EtumBot PUT File Response"; flow:established,to_server; content:"GET"; http_method; content:"/docs/name="; fast_pattern; depth:11; http_uri; pcre:"/^\x2fdocs\x2fname\x3d\x2f[A-Za-z0-9+_-]+$/Ui"; content:"User-Agent|3a| Mozilla/5.0 |28|compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trident/5.0|29 0d 0a|"; http_header; content:"Referer|3a| http|3a|//www.google.com/"; http_header; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018549; rev:2; metadata:created_at 2014_06_09, updated_at 2014_06_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN EtumBot GET File Initial Response"; flow:established,to_server; content:"GET"; http_method; content:"/manage/asp/item.asp?id="; fast_pattern; depth:24; http_uri; pcre:"/^\x2fmanage\x2fasp\x2fitem\x2easp\x3fid\x3d[A-Za-z0-9+_-]+\x26\x26mux\x3d[A-Za-z0-9+_-]+$/Ui"; content:"User-Agent|3a| Mozilla/5.0 |28|compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trident/5.0|29 0d 0a|"; http_header; content:"Referer|3a| http|3a|//www.google.com/"; http_header; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018550; rev:3; metadata:created_at 2014_06_09, updated_at 2014_06_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN EtumBot GET File Data Upload"; flow:established,to_server; content:"GET"; http_method; content:"/article/30441/Review.asp?id="; fast_pattern; depth:29; http_uri; pcre:"/^\x2farticle\x2f30441\x2fReview\x2easp\x3fid\x3d[A-Za-z0-9+_-]+\x26\x26data\x3d[A-Za-z0-9+_-]+$/Ui"; content:"User-Agent|3a| Mozilla/5.0 |28|compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trident/5.0|29 0d 0a|"; http_header; content:"Referer|3a| http|3a|//www.google.com/"; http_header; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018551; rev:3; metadata:created_at 2014_06_09, updated_at 2014_06_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32/Etumbot.B Requesting RC4 Key"; flow:to_server,established; content:"/home/index.asp?typeid="; nocase; http_uri; fast_pattern:only; content:"Referer|3a| http|3a|//www.google.com/|0d 0a|"; http_header; pcre:"/^\/home\/index\.asp\?typeid=(?:1[13]?|[3579])$/Ui"; reference:md5,82d4850a02375a7447d2d0381b642a72; reference:md5,ff5a7a610746ab5492cc6ab284138852; reference:url,arbornetworks.com/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf; classtype:trojan-activity; sid:2018552; rev:2; metadata:created_at 2014_06_09, updated_at 2014_06_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pandemiya User-Agent"; flow:to_server,established; content:"User-Agent|3a| Hello 2.0|0d 0a|"; http_header; reference:url,blogs.rsa.com/new-pandemiya-trojan-emerges-alternative-zeus-based-variants; classtype:trojan-activity; sid:2018553; rev:1; metadata:created_at 2014_06_10, updated_at 2014_06_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Putter Panda HTTPClient CnC HTTP Request"; flow:established,to_server; content:"GET"; http_method; content:"/Microsoft"; nocase; http_uri; content:"/default.asp"; http_uri; distance:0; content:"?tmp="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\/default\.aspx?\?tmp=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/U"; reference:url,resources.crowdstrike.com/putterpanda/; reference:md5,544fca6eb8181f163e2768c81f2ba0b3; classtype:trojan-activity; sid:2018554; rev:3; metadata:created_at 2014_06_10, updated_at 2014_06_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Putter Panda 3PARA RAT initial beacon"; flow:established,to_server; content:"|c4 65 f1 b3 cf a5 7e e2 c0 1a d4 7f 78 46 26 b5 86 15 f9 34 9c 3d 67 84 6a 48 aa df dc 30 60 24|"; depth:2000; reference:url,resources.crowdstrike.com/putterpanda/; classtype:trojan-activity; sid:2018555; rev:2; metadata:created_at 2014_06_10, updated_at 2014_06_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dyreza RAT Checkin"; flow:established,to_server; content:"GET|20|"; depth:4; content:"_W"; distance:0; content:"|2e|"; distance:6; within:1; content:"/publickey/"; distance:0; fast_pattern; content:"HTTP/1."; distance:0; content:!"Accept|3a|"; distance:0; content:!"Connection|3a|"; distance:0; content:!"Referer|3a|"; distance:0; reference:md5,b61145a54698753cecf8748359c9d81e; classtype:trojan-activity; sid:2018579; rev:7; metadata:created_at 2014_06_12, updated_at 2014_06_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Dyreza RAT Checkin Response"; flow:established,to_client; content:"|a5 46 da 53 0a 00 68 00 65 00 6c 00 6c 00 6f|"; offset:4; depth:15; reference:md5,b61145a54698753cecf8748359c9d81e; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/; classtype:trojan-activity; sid:2018596; rev:3; metadata:created_at 2014_06_12, updated_at 2014_06_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dyreza RAT Ex-filtrating Data"; flow:established,to_server; content:"POST"; http_method; content:"POST /"; depth:6; http_client_body; fast_pattern; content:"User-Agent|3a| Wget/"; http_header; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/; classtype:trojan-activity; sid:2018578; rev:5; metadata:created_at 2014_06_13, updated_at 2014_06_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hangover related campaign Checkin"; flow:established,to_server; content:"post.php?filename="; fast_pattern; http_uri; content:"&folder="; http_uri; distance:0; pcre:"/\/\/?$/U"; content:!"Referer|3a|"; http_header; reference:md5,0392fb51816dd9583f9cb206a2cf02d9; reference:url,bluecoat.com/security-blog/2014-06-10/snake-grass-python-based-malware-used-targeted-attacks; classtype:trojan-activity; sid:2018566; rev:1; metadata:created_at 2014_06_16, updated_at 2014_06_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Hangover related campaign Response"; flow:established,to_client; content:"200"; http_stat_code; content:!"Referer|3a|"; http_header; file_data; content:"|3a 5c|Bootfile|5c|firewall|5c|1"; pcre:"/^[C-J]\r\n/R"; reference:md5,f761060ced467394a6f87fd2204c6a74; reference:url,bluecoat.com/security-blog/2014-06-10/snake-grass-python-based-malware-used-targeted-attacks; classtype:trojan-activity; sid:2018567; rev:2; metadata:created_at 2014_06_16, updated_at 2014_06_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN HTTP Request to a *.su domain with direct request/fakebrowser (multiple families flowbit set) "; flow:to_server,established; content:".su"; nocase; fast_pattern; http_header; content:!"|0d 0a|Referer|3a|"; http_header; content:!"|0d 0a|Accept-Language|3a|"; http_header; pcre:"/^Host\x3a[^\r\n]+?\.su(\x3a\d{1,5})?\r$/Hmi"; flowbits:noalert; flowbits:set,ET.Suspicious.Domain.Fake.Browser; classtype:trojan-activity; sid:2018570; rev:2; metadata:created_at 2014_06_16, updated_at 2014_06_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN HTTP Request to a *.pw domain with direct request/fake browser (multiple families flowbit set) "; flow:to_server,established; content:".pw"; nocase; fast_pattern; http_header; content:!"|0d 0a|Referer|3a|"; http_header; content:!"|0d 0a|Accept-Language|3a|"; http_header; pcre:"/^Host\x3a[^\r\n]+?\.pw(\x3a\d{1,5})?\r$/Hmi"; flowbits:noalert; flowbits:set,ET.Suspicious.Domain.Fake.Browser; classtype:trojan-activity; sid:2018571; rev:2; metadata:created_at 2014_06_16, updated_at 2014_06_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families) "; flow:from_server,established; flowbits:isset,ET.Suspicious.Domain.Fake.Browser; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2018572; rev:1; metadata:created_at 2014_06_16, updated_at 2014_06_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Asprox.Bot Knock Variant CnC Beacon"; flow:established,to_server; content:"POST"; http_method; pcre:"/^\x2F[A-F0-9]{20,}+$/U"; content:!"Referer"; http_header; content:"<knock>"; fast_pattern; http_client_body; depth:7; content:"<ID>"; http_client_body; within:6; content:"<group>"; http_client_body; distance:0; content:"<version>"; http_client_body; distance:0; content:"<status>"; http_client_body; distance:0; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})\r$/Hmi"; reference:url,www.fireeye.com/blog/technical/malware-research/2014/06/a-not-so-civic-duty-asprox-botnet-campaign-spreads-court-dates-and-malware.html; classtype:trojan-activity; sid:2018574; rev:1; metadata:created_at 2014_06_17, updated_at 2014_06_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Andromeda download with fake Zip header (1)"; flow:to_client,established; file_data; content:"PK|03 04|"; within:4; byte_test:1,>,64,0,relative; classtype:trojan-activity; sid:2018575; rev:2; metadata:created_at 2014_06_17, updated_at 2014_06_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Andromeda download with fake Zip header (2)"; flow:to_client,established; file_data; content:"PK|03 04|"; within:4; byte_test:1,>,20,1,relative; classtype:trojan-activity; sid:2018576; rev:3; metadata:created_at 2014_06_17, updated_at 2017_01_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Neutrino Checkin"; flow:to_server,established; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"cmd="; http_client_body; content:"version="; http_client_body; content:"quality="; http_client_body; fast_pattern:only; content:"av="; http_client_body; metadata: former_category TROJAN; reference:md5,bef57db893b54c5605d0e3e7d50d6d70; reference:md5,bf555378d935de805f39c2d2d965a888; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:trojan-activity; sid:2018580; rev:4; metadata:created_at 2014_06_18, updated_at 2017_03_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Single char EXE direct download likely trojan (multiple families)"; flow:to_server,established; content:".exe"; nocase; fast_pattern:only; http_uri; pcre:"/\/[a-z0-9A-Z]\.exe$/Ui"; classtype:trojan-activity; sid:2018581; rev:1; metadata:created_at 2014_06_18, updated_at 2014_06_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Asterope Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/?ver="; http_uri; content:"&id="; distance:0; http_uri; content:"&os="; distance:0; http_uri; content:"&res="; distance:0; http_uri; content:"Accept-Asterope|3a|"; http_header; fast_pattern:only; reference:md5,19190ef53877979191f6889c6a795f31; classtype:trojan-activity; sid:2018750; rev:2; metadata:created_at 2014_06_23, updated_at 2014_06_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Citadel Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/file.php"; fast_pattern:only; http_uri; content:"Content-Length|3a| 128|0d 0a|"; nocase; http_header; content:!"Referer"; http_header; content:"Accept|3a 20|*/*|0d 0a|User-Agent|3a 20|"; http_header; depth:25; pcre:"/^\/[A-Za-z0-9]+?\/file\.php$/U"; flowbits:set,et.citadel; reference:md5,280ffd0653d150906a65cd513fcafc27; reference:md5,f1c8cc93d4e0aabd4713621fe271abc8; reference:url,arbornetworks.com/asert/2014/06/the-citadel-and-gameover-campaigns-of-5cb682c10440b2ebaf9f28c1fe438468/; classtype:trojan-activity; sid:2018598; rev:2; metadata:created_at 2014_06_24, updated_at 2014_06_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/Citadel Download From CnC Server /files/ attachment"; flow:established,to_client; flowbits:isset,et.citadel; content:"Content-Disposition|3a| attachment|3b| filename=|22 25 32 65|/files/"; fast_pattern:33,20; http_header; reference:md5,280ffd0653d150906a65cd513fcafc27; reference:md5,f1c8cc93d4e0aabd4713621fe271abc8; reference:url,arbornetworks.com/asert/2014/06/the-citadel-and-gameover-campaigns-of-5cb682c10440b2ebaf9f28c1fe438468/; classtype:trojan-activity; sid:2018599; rev:6; metadata:created_at 2014_06_24, updated_at 2014_06_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Andromeda Downloading Module"; flow:to_server,established; content:"GET"; http_method; content:".pack"; nocase; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\.pack$/Ui"; content:"Mozilla"; http_header; pcre:"/^User-Agent\x3a\x20Mozilla(?:\/4\.0)?\r?$/Hmi"; reference:md5,65125129418e07ce1000aa677b66b72f; classtype:trojan-activity; sid:2018604; rev:4; metadata:created_at 2014_06_24, updated_at 2014_06_24;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Likely CryptoWall .onion Proxy DNS lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kpai7ycr7jxqkilp"; fast_pattern; nocase; distance:0; classtype:trojan-activity; sid:2018609; rev:1; metadata:created_at 2014_06_26, updated_at 2014_06_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Likely CryptoWall .onion Proxy domain in SNI"; flow:established,to_server; content:"kpai7ycr7jxqkilp."; fast_pattern:only; classtype:trojan-activity; sid:2018610; rev:1; metadata:created_at 2014_06_26, updated_at 2014_06_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Sharik Checkin"; flow:established,to_server; dsize:10; content:"34feGaeRAd"; fast_pattern:only; reference:md5,f9f30307ca22d092c02701c108aa6402; classtype:trojan-activity; sid:2018614; rev:1; metadata:created_at 2014_06_30, updated_at 2014_06_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Sharik C2 Incoming Traffic"; flow:established,from_server; dsize:18; content:"|0d 00 07 01 00 81 7c e4 04 c0 d4 01 00 19 c0 c2 04 00|"; fast_pattern:only; reference:md5,f9f30307ca22d092c02701c108aa6402; classtype:trojan-activity; sid:2018615; rev:1; metadata:created_at 2014_06_30, updated_at 2014_06_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Sharik C2 Incoming Crafted Request"; flow:established,from_server; content:"|4d 00 02 02 00|"; depth:5; fast_pattern; content:"/"; distance:4; within:5; content:" HTTP/1."; distance:0; reference:md5,f9f30307ca22d092c02701c108aa6402; classtype:trojan-activity; sid:2018616; rev:1; metadata:created_at 2014_06_30, updated_at 2014_06_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible W32/VBKlip BAN Download"; flow:established,to_server; content:"Accept|20|Language|3a| en-us|0d 0a|"; fast_pattern:4,20; http_header; reference:url,cert.pl/news/8478/langswitch_lang/en; classtype:trojan-activity; sid:2018618; rev:1; metadata:created_at 2014_07_01, updated_at 2014_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Downloader.Win32.Tesch.A Bot Command Checkin 2"; flow:established,to_server; dsize:51; content:"|01 00 30 01 01 00|"; fast_pattern; depth:6; flowbits:set,ET.Tesch; classtype:trojan-activity; sid:2018620; rev:5; metadata:created_at 2014_07_01, updated_at 2014_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Downloader.Win32.Tesch.A Bot Command (OK acknowledgement)"; flow:established,to_server; flowbits:isset,ET.Tesch; dsize:3; content:"|0a 00 00|"; depth:3; reference:url,stopmalvertising.com/rootkits/analysis-of-a-triple-click-fraud-threat.html; classtype:trojan-activity; sid:2018622; rev:6; metadata:created_at 2014_07_01, updated_at 2014_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Downloader.Win32.Tesch.A Bot Command (Proxy command)"; flow:established,from_server; flowbits:isset,ET.Tesch; dsize:28; content:"|09 00 19|"; depth:3; reference:url,stopmalvertising.com/rootkits/analysis-of-a-triple-click-fraud-threat.html; classtype:trojan-activity; sid:2018623; rev:5; metadata:created_at 2014_07_01, updated_at 2014_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Downloader.Win32.Tesch.A Server Command (Confirm C2 IP and port)"; flow:established,from_server; flowbits:isset,ET.Tesch; dsize:9; content:"|02 00 06|"; depth:3; reference:url,stopmalvertising.com/rootkits/analysis-of-a-triple-click-fraud-threat.html; classtype:trojan-activity; sid:2018624; rev:5; metadata:created_at 2014_07_01, updated_at 2014_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Downloader.Win32.Tesch.A Server Command (Confirm C2 IP and port) 2"; flow:established,from_server; flowbits:isset,ET.Tesch; dsize:9; content:"|04 00 06|"; depth:3; reference:url,stopmalvertising.com/rootkits/analysis-of-a-triple-click-fraud-threat.html; classtype:trojan-activity; sid:2018625; rev:5; metadata:created_at 2014_07_01, updated_at 2014_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Downloader.Win32.Tesch.A Server Command (bot is ready to start receiving commands)"; flow:established,from_server; dsize:4; flowbits:isset,ET.Tesch; content:"|05 00 01 01|"; depth:4; reference:url,stopmalvertising.com/rootkits/analysis-of-a-triple-click-fraud-threat.html; classtype:trojan-activity; sid:2018626; rev:5; metadata:created_at 2014_07_01, updated_at 2014_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Trojan.Karagany C&C Response"; flow:from_server,established; file_data; content:"work|3a|"; depth:5; content:"|7c|downexec|20|"; distance:0; within:20; content:".jpg|3b 0d 0a|"; distance:0; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf; classtype:trojan-activity; sid:2018629; rev:1; metadata:created_at 2014_07_01, updated_at 2014_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Antifulai.APT CnC Beacon 2"; flow:established,to_server; content:".php?file"; http_uri; fast_pattern:only; pcre:"/^\x2F[^\x2F]+\x2Fin(?:fo|dex)\x2Ephp\x3Ffile(?:index\x3D[A-Z]|n\x3Dnoexist|wh\x3Dfalse)/U"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/antifulai-targeted-attack-exploits-ichitaro-vulnerability/; classtype:trojan-activity; sid:2018632; rev:2; metadata:created_at 2014_07_03, updated_at 2014_07_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Antifulai.APT CnC Beacon 3"; flow:established,to_server; content:".php?Re="; http_uri; fast_pattern:only; pcre:"/^\x2F[^\x2F]+\x2Fin(?:fo|dex)\x2Ephp\x3FRe\x3D/U"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/antifulai-targeted-attack-exploits-ichitaro-vulnerability/; classtype:trojan-activity; sid:2018633; rev:1; metadata:created_at 2014_07_03, updated_at 2014_07_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Antifulai.APT CnC Beacon 4"; flow:established,to_server; content:".php?verify="; http_uri; fast_pattern:only; pcre:"/^\x2F[^\x2F]+\x2Fin(?:fo|dex)\x2Ephp\x3Fverify\x3D/U"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/antifulai-targeted-attack-exploits-ichitaro-vulnerability/; classtype:trojan-activity; sid:2018634; rev:1; metadata:created_at 2014_07_03, updated_at 2014_07_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN Miniduke variant FTP upload"; flow:to_server,established; content:"USER "; pcre:"/^(?:(?:menelao|ho[mr]u)s|adair|johan|kweku)\r\n/R"; reference:md5,e175be029dd2b78c059278a567b3ada1; reference:url,www.f-secure.com/static/doc/labs_global/Whitepapers/cosmicduke_whitepaper.pdf; classtype:trojan-activity; sid:2023911; rev:3; metadata:created_at 2014_07_03, updated_at 2017_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Miniduke variant C&C activity"; flow:to_server,established; content:"&Auth="; http_uri; content:"&Session="; http_uri; distance:0; content:"&DataID="; http_uri; distance:0; content:"&FamilyID="; http_uri; distance:0; reference:md5,8bbc55ec1a7e86cb21d3cda5ccb43e1e; reference:url,www.f-secure.com/static/doc/labs_global/Whitepapers/cosmicduke_whitepaper.pdf; classtype:trojan-activity; sid:2023909; rev:2; metadata:created_at 2014_07_03, updated_at 2017_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Upatre Header Structure 2"; flow:to_server,established; content:"GET"; http_method; content:"Accept|3a 20|text/*,|20|application/*|0d 0a|User-Agent|3a 20|"; http_header; depth:44; fast_pattern:11,20; content:!"Taitus"; http_header; content:!"Sling/"; http_header; content:!"sophosupd.com"; http_header; content:!"sophosupd.net"; http_header; pcre:"/^Accept\x3a\x20text\/\*,\x20application\/\*\r\nUser-Agent\x3a\x20[^\r\n]+\r\nHost\x3a[^\r\n]+\r\n(?:Pragma|Cache-Control)\x3a\x20no-cache\r\n(?:Connection\x3a Keep-Alive\r\n)?(?:\r\n)?$/H"; classtype:trojan-activity; sid:2018635; rev:9; metadata:created_at 2014_07_03, updated_at 2014_07_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 36"; flow:to_server,established; dsize:>11; content:"|79 da|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\xda/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5b50cc5215694841b9faea0fde472648; classtype:trojan-activity; sid:2018636; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_07_03, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 37"; flow:to_server,established; dsize:>11; content:"|79 9d|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9d/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,f80fc82b5ff8f65f02ba7af363f84264; classtype:trojan-activity; sid:2018637; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_07_03, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 38"; flow:to_server,established; dsize:>11; content:"|49 a5|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x49\xa5/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,c8564898ab2598a075cbb478d104e750; classtype:trojan-activity; sid:2018638; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_07_03, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 39"; flow:to_server,established; dsize:>11; content:"|7b 9e|"; offset:8; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!1,relative; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x7b\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,3134e62b117f9994e173c262b1bcbca5; classtype:trojan-activity; sid:2018639; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_07_03, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Trojan with Fake Java User-Agent"; flow:established,to_server; content:"GET /1.php HTTP/1.1|0d  0a|"; fast_pattern; content:"User-Agent|3a| Java/"; depth:17; http_header; content:"Host|3a| "; distance:0; http_header; content:"Accept|3a| text/html, image/gif, image/jpeg, *|3b| q=.2, */*|3b| q=.2|0d 0a|"; distance:0; http_header; content:"Connection|3a| keep-alive|0d 0a 0d 0a|"; distance:0; http_header; classtype:trojan-activity; sid:2018640; rev:2; metadata:created_at 2014_07_03, updated_at 2014_07_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BANKER.WIN32.BANBRA.BEEC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/black/?"; fast_pattern:only; http_uri; content:"tipo="; depth:5; http_client_body; content:"&cliente="; http_client_body; reference:md5,ceb6684ffce35dcbfae4afde3b6fd4bd; classtype:trojan-activity; sid:2018641; rev:2; metadata:created_at 2014_07_03, updated_at 2014_07_03;)

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET TROJAN DNS Reply Sinkhole Microsoft NO-IP Domain"; content:"|00 01 00 01|"; content:"|00 04 cc 5f 63|"; distance:4; within:5; classtype:trojan-activity; sid:2018642; rev:2; metadata:created_at 2014_07_03, updated_at 2014_07_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Zemot Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/mod_articles"; depth:13; http_uri; fast_pattern; content:"User-Agent|3a|"; http_header; content:!"|0d 0a|Accept-"; http_header; content:!"Referer"; http_header; pcre:"/\/$/U"; reference:md5,9a705a2c25a8b30de80e59dbb9adab83; classtype:trojan-activity; sid:2018644; rev:2; metadata:created_at 2014_07_07, updated_at 2014_07_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"ET TROJAN TrojanSpy.Win32/Banker.AMB SQL Checkin"; flow:established,to_server; content:"I|00|N|00|S|00|E|00|R|00|T"; content:"I|00|N|00|T|00|O"; distance:0; content:"B|00|R|00|O|00|W|00|S|00|E|00|R|00|L|00|O|00|G|00|U|00|S|00|B|00|"; reference:md5,dd141287cb45a2067592eeb9d3aa7162; classtype:trojan-activity; sid:2018645; rev:2; metadata:created_at 2014_07_07, updated_at 2014_07_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Infostealer.Bancos Checkin via SMTP"; flow:to_server,established; content:"Subject|3a| "; content:"Foi Instalado"; nocase; fast_pattern:only; pcre:"/^Subject\x3a [^\r\n]+?Foi Instalado/mi"; metadata: former_category TROJAN; reference:md5,7f5709c924bb1417a180a4fa8311a2e9; classtype:trojan-activity; sid:2018646; rev:1; metadata:tag Banking_Trojan, created_at 2014_07_07, malware_family Bancos, updated_at 2018_04_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Banload.BTQP Checkin 1"; flow:established,to_server; content:"GET"; http_method; content:".asp?IDPC="; fast_pattern:only; http_uri; pcre:"/\.asp\?IDPC=[^\x26]*?\x26(?:Status=|Msg=)[^\x26]*?$/Ui"; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; content:!"Referer"; http_header; reference:md5,03092adccde639ba26ef2e192c49f62d; classtype:trojan-activity; sid:2018649; rev:2; metadata:created_at 2014_07_08, updated_at 2014_07_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Banload.BTQP Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:".asp?IDPC="; fast_pattern:only; http_uri; content:"&so="; nocase; http_uri; content:"&user"; http_uri; nocase; content:"&versao"; http_uri; nocase; content:"&pcname="; http_uri; nocase; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:!"Referer"; http_header; reference:md5,03092adccde639ba26ef2e192c49f62d; classtype:trojan-activity; sid:2018650; rev:3; metadata:created_at 2014_07_08, updated_at 2014_07_08;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Upatre SSL Cert July 7 2014"; flow:established,from_server; content:"|16 03 00|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"smalbach2424@hotmail.com"; distance:2; within:24; reference:md5,52084660d2ae0ee8f033621a9252cfb9; classtype:trojan-activity; sid:2018651; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_08, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.Banload2.KZU Checkin 1"; flow:established,to_server; content:"POST"; http_method; content:"OPC="; nocase; fast_pattern:only; http_client_body; pcre:"/^OPC=\d/Pi"; content:"Accept-Encoding|3a| identity|0d 0a|User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:!"Referer"; http_header; reference:md5,b67e23e4a0248c71b71e73e37d52c906; classtype:trojan-activity; sid:2018653; rev:1; metadata:created_at 2014_07_08, updated_at 2014_07_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.Banload2.KZU Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:".hlp"; nocase; fast_pattern:only; http_uri; content:"Accept-Encoding|3a| identity|0d 0a|User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:!"Referer"; http_header; pcre:"/^\/[^\x2f]+?\.hlp$/Ui"; reference:md5,b67e23e4a0248c71b71e73e37d52c906; classtype:trojan-activity; sid:2018654; rev:2; metadata:created_at 2014_07_08, updated_at 2014_07_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CyberGate RAT Checkin"; flow:to_server,established; content:".php?"; http_uri; content:"email="; http_uri; content:"&serverid="; http_uri; content:"User|3a|"; http_uri; content:"PC|3a|"; http_uri; content:!"Referer"; http_header; reference:md5,24d9f082b849b4c698e6b012500d441a; classtype:trojan-activity; sid:2018659; rev:1; metadata:created_at 2014_07_09, updated_at 2014_07_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CyberGate RAT User-Agent (USER_CHECK)"; flow:to_server,established; content:"User-Agent|3a| USER_CHECK"; http_header; reference:md5,24d9f082b849b4c698e6b012500d441a; classtype:trojan-activity; sid:2018660; rev:1; metadata:created_at 2014_07_09, updated_at 2014_07_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Zemot Config Download"; flow:established,to_server; content:"GET"; http_method; content:"/soft"; http_uri; content:".dll"; http_uri; fast_pattern:only; pcre:"/\/soft(?:32|64)\.dll$/Ui"; content:"Accept|3a 20|*/*|0d 0a|Connection|3a 20|Close|0d 0a|"; depth:32; http_header; content:"User-Agent|3a|"; http_header; content:!"Referer"; http_header; reference:md5,5a99a6a6cd8600ea88a8fcc1409b82f4; classtype:trojan-activity; sid:2018661; rev:2; metadata:created_at 2014_07_09, updated_at 2014_07_09;)

alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Zeus P2P Variant DGA NXDOMAIN Responses July 11 2014"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; pcre:"/^..[\x0d-\x20](?=\d{0,27}[a-z])(?=[a-z]{0,27}\d)[a-z0-9]{21,28}(?:\x03(?:biz|com|net|org))\x00\x00\x01\x00\x01/Rs"; threshold: type both, track by_dst, count 12, seconds 120; reference:url, blog.malcovery.com/blog/breaking-gameover-zeus-returns; reference:md5,5e5e46145409fb4a5c8a004217eef836; classtype:trojan-activity; sid:2018666; rev:4; metadata:created_at 2014_07_11, updated_at 2014_07_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Zeus P2P Variant Check-in"; flow:established,to_server; urilen:7; content:"POST"; http_method; content:"/update"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; pcre:"/^Host\x3a\x20[a-z0-9]+\.(?:biz|com|net|org)/H"; metadata: former_category TROJAN; reference:url,blog.malcovery.com/blog/breaking-gameover-zeus-returns; reference:md5,5e5e46145409fb4a5c8a004217eef836; classtype:trojan-activity; sid:2018667; rev:2; metadata:created_at 2014_07_11, updated_at 2017_03_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Uroburos/Turla CnC (OUTBOUND) 1"; flow:established,to_server; content:"GET"; http_method; content:"/auth.cgi?mode="; http_uri; fast_pattern:only; content:"&id="; http_uri; content:"&serv="; distance:0; http_uri; content:"&lang="; distance:0; http_uri; content:"&q="; distance:0; http_uri; content:"&date="; distance:0; http_uri; reference:url,circl.lu/pub/tr-25/; classtype:trojan-activity; sid:2018669; rev:1; metadata:created_at 2014_07_11, updated_at 2014_07_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Uroburos/Turla CnC (OUTBOUND) 2"; flow:established,to_server; content:"/default.asp?act="; http_uri; fast_pattern:only; content:"&id="; http_uri; content:"&item="; distance:0; http_uri; content:"&cln="; distance:0; http_uri; content:"&flt="; distance:0; http_uri; content:"&serv="; distance:0; http_uri; content:"&t="; distance:0; http_uri; content:"&mode="; distance:0; http_uri; content:"&lang="; distance:0; http_uri; content:"&date="; distance:0; http_uri; reference:url,circl.lu/pub/tr-25/; classtype:trojan-activity; sid:2018670; rev:2; metadata:created_at 2014_07_11, updated_at 2014_07_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [443,$HTTP_PORTS] (msg:"ET TROJAN Troj/ReRol.A Checkin 1"; flow:established,to_server; content:"POST "; depth:5; content:"/project/check.asp"; distance:0; within:18; fast_pattern; content:"Content-Length|3a 20|"; distance:11; within:16; content:"User-Agent|3a 20|Mozilla/4.0|20 28|compatible|3b 29 0d 0a|"; distance:0; content:!"Referer|3a 20|"; content:"|0d 0a 0d 0a|"; distance:0; reference:url,blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2; reference:md5,12854bb8d1e6a590e1bd578267e4f8c9; classtype:trojan-activity; sid:2018882; rev:3; metadata:created_at 2014_07_14, updated_at 2014_07_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Troj/ReRol.A Checkin 2"; flow:established,to_server; urilen:7; content:"POST"; http_method; content:"/dr.asp"; http_uri; fast_pattern:only; content:"Content-Length|3a 20|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0|20 28|compatible|3b 29 0d 0a|"; distance:0; http_header; content:!"Referer|3a 20|"; http_header; reference:url,blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2; reference:md5,c0656b66b9f4180e59e1fd2f9f1a85f2; classtype:trojan-activity; sid:2018883; rev:2; metadata:created_at 2014_07_14, updated_at 2014_07_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux DDoS bot Antiq IRC"; flow:established,to_server; content:"PRIVMSG|20|#"; content:"status checking progam online"; within:60; reference:url,deependresearch.org/2014/07/another-linux-ddos-bot-via-cve-2012-1823.html; classtype:trojan-activity; sid:2018675; rev:1; metadata:created_at 2014_07_14, updated_at 2014_07_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sharik/Smoke Loader Adobe Connectivity check"; flow:established,to_server; urilen:18; content:"POST"; http_method; content:"/support/main.html"; http_uri; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; reference:md5,3a128a9e8668c0181d214c20898f4a00; classtype:trojan-activity; sid:2018676; rev:3; metadata:created_at 2014_07_14, updated_at 2016_11_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sharik/Smoke Loader Microsoft Connectivity check"; flow:established,to_server; content:"POST"; http_method; content:"/kb/"; http_uri; depth:4; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; pcre:"/^\/kb\/\d{4,8}$/U"; reference:md5,193494912a6f549c0da40bf22c3384ee; classtype:trojan-activity; sid:2018677; rev:2; metadata:created_at 2014_07_15, updated_at 2016_11_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Upatre Common URI Struct July 15 2014"; flow:established,to_server; content:"/0/"; http_uri; content:"Service Pack "; http_uri; distance:2; within:13; pcre:"/\/0\/$/U"; content:!"Referer|3a|"; http_header; reference:md5,79772d72082a082a0048569ba2dfe5a3; classtype:trojan-activity; sid:2018678; rev:2; metadata:created_at 2014_07_15, updated_at 2014_07_15;)

alert udp any any -> any 53 (msg:"ET TROJAN DNS Possible User trying to visit POSHCODER.A .onion link outside of torbrowser"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zpwibfsmoowehdsm|05|onion|00|"; nocase; distance:0; reference:md5,01f4b1d9b2aafb86d5ccfa00e277fb9d; classtype:trojan-activity; sid:2018679; rev:1; metadata:created_at 2014_07_15, updated_at 2014_07_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Soraya Credit Card Exfiltration"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"&ccnum="; http_client_body; fast_pattern:only; content:"mode="; depth:5; http_client_body; content:"&compinfo="; distance:0; http_client_body; content:"&type="; distance:0; http_client_body; content:"&track="; distance:0; http_client_body; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; reference:url,fortinet.com/sites/default/files/whitepapers/soraya_WP.pdf; classtype:trojan-activity; sid:2018680; rev:1; metadata:created_at 2014_07_16, updated_at 2014_07_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Kazy.325252 Variant CnC Beacon 1"; flow:established,to_server; content:"GET"; http_method; content:".php?p="; fast_pattern; http_uri; offset:2; depth:7; content:!"User-Agent|3A|"; http_header; content:!"Referer|3A|"; http_header; content:"Accept|3A| text/*, application/*, */*|0D 0A|"; http_header; pcre:"/^\x2F[a-z]\x2Ephp\x3Fp\x3D[a-z0-9]{30,}$/Ui"; reference:md5,87cdd25ac537280cc6751050050cae9c; classtype:trojan-activity; sid:2018681; rev:2; metadata:created_at 2014_07_16, updated_at 2014_07_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Kazy.325252 Variant CnC Beacon 2"; flow:established,to_server; content:"GET"; http_method; content:"/track/?ip="; fast_pattern; http_uri; depth:11; content:"&data="; http_uri; distance:0; content:!"User-Agent|3A|"; http_header; content:!"Referer|3A|"; http_header; content:"Accept|3A| text/*, application/*, */*|0D 0A|"; http_header; pcre:"/^\x2Ftrack\x2F\x3Fip\x3D\d&data\x3D/U"; reference:md5,87cdd25ac537280cc6751050050cae9c; classtype:trojan-activity; sid:2018682; rev:2; metadata:created_at 2014_07_16, updated_at 2014_07_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dyreza RAT Checkin 2"; flow:established,to_server; content:"GET|20|"; depth:4; content:"_W"; distance:0; content:"|2e|"; distance:6; within:1; content:"/NAT/"; distance:0; fast_pattern; content:" NAT/"; distance:0; content:"HTTP/1."; distance:0; content:!"Accept|3a|"; distance:0; content:!"Connection|3a|"; distance:0; content:!"Referer|3a|"; reference:md5,2a835747b7442b1d58ab30abc90d3b0f; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/; classtype:trojan-activity; sid:2018683; rev:5; metadata:created_at 2014_07_16, updated_at 2014_07_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Aibatook checkin"; flow:established,to_server; content:"POST"; http_method; content:".asp"; http_uri; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; content:"m="; depth:2; http_client_body; content:"AA=="; http_client_body; fast_pattern:only; pcre:"/\.asp$/U"; pcre:"/^m=(?:[A-Za-z0-9+/]{4}){11}(?:(?:[A-Za-z0-9+/]{4}){6})?AA==/Pi"; reference:md5,57a0af91f3b35ef1cf54502e77cc2904; reference:url,www.welivesecurity.com/2014/07/16/win32aibatook/; classtype:trojan-activity; sid:2018685; rev:2; metadata:created_at 2014_07_16, updated_at 2014_07_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Aibatook checkin 2"; flow:established,to_server; content:"GET"; http_method; urilen:7; content:"/u.html"; http_uri; fast_pattern:only; content:"User-Agent|3A| Mozilla/5.0 (compatible|3B| MSIE 10.0|3B| Windows NT 6.1|3B| Trident/6.0)"; http_header; content:!"Accept"; http_header; content:!"Referer|3A|"; http_header; reference:url,welivesecurity.com/2014/07/16/win32aibatook/; reference:md5,d5e8adfefbcc3667734b8df4ae066be6; classtype:trojan-activity; sid:2018687; rev:1; metadata:created_at 2014_07_17, updated_at 2014_07_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,26,587,2525] (msg:"ET TROJAN Predator Pain Sending Data over SMTP"; flow:established,to_server; content:"Subject|3a 20|Predator Pain v"; fast_pattern:4,20; reference:md5,e774a7e6ca28487db649458f48230199; reference:url,stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html; classtype:trojan-activity; sid:2018688; rev:3; metadata:created_at 2014_07_17, updated_at 2014_07_17;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|www.newdomaininfo.ru"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018692; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|duosecure.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018696; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|junrio.com"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018719; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,26,587,2525] (msg:"ET TROJAN Pain File Stealer sending wallet.dat via SMTP"; flow:to_server,established; content:"Subject|3a| Pain File Stealer"; fast_pattern:9,17; content:"Content|2d|Type|3a 20|application|2f|octet|2d|stream|3b 20|name|3d|wallet.dat"; reference:url,www.cyphort.com/blog/nighthunter-massive-campaign-steal-credentials-revealed; classtype:trojan-activity; sid:2018738; rev:1; metadata:created_at 2014_07_18, updated_at 2014_07_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Kuluoz / Asprox checkin"; flow:established,to_server; content:"/api/"; http_uri; fast_pattern:only; pcre:"/^\/(?:components|wp-content|tmp)/api/[a-zA-Z0-9\/\x20]{43}=\/(?:toll|inv|notice|get_label)$/U"; reference:url,garwarner.blogspot.com/2014/07/e-zpass-spam-leads-to-location-aware.html; reference:url,blog.malcovery.com/blog/more-information-on-this-weeks-e-zpass-scam; classtype:trojan-activity; sid:2018739; rev:1; metadata:created_at 2014_07_18, updated_at 2014_07_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dyreza RAT Checkin 3"; flow:established,to_server; content:"GET|20|"; depth:4; content:"_W"; distance:0; content:"|2e|"; distance:6; within:1; content:"/replace/"; distance:0; fast_pattern; content:"HTTP/1."; distance:0; content:!"Accept|3a|"; distance:0; content:!"Connection|3a|"; distance:0; content:!"Referer|3a|"; distance:0; reference:md5,4d1d43789e038c6a03c07083ca0b0809; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/; classtype:trojan-activity; sid:2018749; rev:5; metadata:created_at 2014_07_21, updated_at 2014_07_21;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"|0d|fuck@abuse.ch"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018745; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN PE downloaded malicious SSL certificate (CZ Solutions)"; flow:established,to_client; flowbits:isset,ET.http.binary; file_data; content:"|43 5a 20 53 6f 6c 75 74 69 6f 6e 20 43 6f 2e 2c 20 4c 74 64 2e|"; reference:url,www.fireeye.com/blog/technical/2014/07/the-little-signature-that-could-the-curious-case-of-cz-solution.html; classtype:trojan-activity; sid:2018748; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_21, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic .bin download from Dotted Quad"; flow:established,to_server; content:"GET"; http_method; content:".bin"; http_uri; fast_pattern:only; pcre:"/\.bin$/U"; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a|\r?\n)/Hmi"; content:!"User-Agent|3a 20|McAfee Agent|0d 0a|"; http_header; content:!"User-Agent|3a 20|NetClient/"; http_header; classtype:trojan-activity; sid:2018752; rev:10; metadata:created_at 2014_07_22, updated_at 2014_07_22;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Possible Upatre Serial Number in SSL Cert"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f4 4b cc 89 9e b7 45 a8|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:md5,55f8682aab1089b68a8a391b927d7a74; classtype:trojan-activity; sid:2018759; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2014_07_23, malware_family Upatre, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Malicious SSL Cert (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|sslbl.abuse.ch"; distance:1; within:15; content:"|1b|we_love_selfsigned@abuse.ch"; distance:0; reference:md5,73705a4a8b03e5f866fac821aaec273a; classtype:trojan-activity; sid:2018767; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Likely Malicious SSL Cert With Script Tags"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"<script>"; content:"</script>"; distance:0; content:"|55 04 03|"; reference:md5,73705a4a8b03e5f866fac821aaec273a; classtype:trojan-activity; sid:2018768; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Dridex/Bugat/Feodo Cookie"; flow:established,to_client; content:"tfardci_session="; fast_pattern:only; http_header; content:"tfardci_session="; depth:16; http_cookie; reference:md5,2ddb6cb347eb7939545a1801c72f1f3f; classtype:trojan-activity; sid:2018770; rev:1; metadata:created_at 2014_07_24, updated_at 2014_07_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dridex/Bugat/Feodo POST Checkin"; flow:established,to_server; content:"POST"; http_method; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"Content-Length|3a 20|59|0d 0a|Host|3a 20|"; depth:26; http_header; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r\n(?:\r\n)?$/Hmi"; pcre:"/^\/[\/a-z0-9]+$/Ui"; reference:md5,2ddb6cb347eb7939545a1801c72f1f3f; classtype:trojan-activity; sid:2018771; rev:3; metadata:created_at 2014_07_24, updated_at 2014_07_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dridex/Bugat/Feodo GET Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:>25; content:"Host|3a 20|"; depth:6; http_header; content:"Content-Type|3a 20|octet/binary|0d 0a|Accept|3a 20|*/*|0d 0a|"; http_header; fast_pattern:7,20; content:!"Referer|3a|"; http_header; content:!"Accept-Encoding|3a|"; http_header; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r\nConnection\x3a[^\r\n]+?\r\nUser-Agent\x3a[^\r\n]+?\r\nContent-Type\x3a\x20octet\/binary\r\nAccept\x3a\x20\*\/\*\r\nAccept-Language\x3a[^\r\n]+?\r\n(?:\r\n)?$/H"; reference:md5,2ddb6cb347eb7939545a1801c72f1f3f; classtype:trojan-activity; sid:2018772; rev:3; metadata:created_at 2014_07_24, updated_at 2014_07_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Pykspa.C Public IP Check"; flow:established,to_server; urilen:1; content:!"Accept-"; http_header; content:!"Referer"; http_header; content:"myip"; http_header; nocase; content:"User-Agent|3a 20|Mozilla/5.0 (Windows|3b| U|3b| Windows NT 5.1|3b| en-US|3b| rv|3a|1.9.1.3) Gecko/20090824 Firefox/3.5.3|0d 0a|Connection|3a 20|close"; http_header; fast_pattern:87,20; pcre:"/^Host\x3a[^\r\n]+myip/Hmi"; reference:md5,b94e213153a1929db2f414f23d891d76; reference:md5,324ff262da1233ef874ff29213cf8f19; classtype:trojan-activity; sid:2018773; rev:1; metadata:created_at 2014_07_24, updated_at 2014_07_24;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Dyreza RAT Fake Server Header"; flow:established,to_client; content:"HTTP/1."; depth:7; content:"Server|3A| Stalin"; fast_pattern:only; reference:md5,7e3e28320d209a586917668e3b8eac40; classtype:trojan-activity; sid:2018775; rev:2; metadata:created_at 2014_07_25, updated_at 2014_07_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Neurevt.A/Betabot Check-in 4"; flow:to_server,established; content:"POST"; http_method; content:!".aspx"; http_uri; content:!"Accept"; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; depth:47; content:!"id1="; http_client_body; content:"1="; http_client_body; content:"2="; http_client_body; distance:0; content:"3="; http_client_body; distance:0; content:"4="; distance:0; http_client_body; fast_pattern; content:!"Referer"; http_header; pcre:"/&(?P<vname>[a-z]+)1=[A-F0-9]+&(?P=vname)2=[A-F0-9]+&(?P=vname)3=[A-F0-9]+&(?P=vname)4=[A-F0-9]/P"; content:!"lavasoft.com|0d 0a|"; http_header; content:!"User-Agent|3a 20|SmadavStat"; http_header; metadata: former_category TROJAN; reference:md5,5eada3ed47d7557df375d8798d2e0a8b; classtype:trojan-activity; sid:2018784; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2014_07_25, malware_family Neurevt, performance_impact Low, updated_at 2017_11_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Locker DL URI Struct Jul 25 2014"; flow:to_server,established; content:"/wp-content/themes/"; http_uri; depth:19; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^\/wp-content\/themes\/[^\x2f]+\/[a-z0-9]+$/U"; pcre:"/^User-Agent\x3a[^\r\n]+(?:MSIE|rv\x3a11\.0)[^\r\n]+\r\nHost\x3a[^\r\n]+\r\nCache-Control\x3a\x20no-cache\r\n(?:\r\n)?$/H"; reference:md5,dc4d0bd7fb9e647501c3b0d75aa2be65; classtype:trojan-activity; sid:2018787; rev:1; metadata:created_at 2014_07_25, updated_at 2014_07_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN EUPUDS.A Requests for Boleto replacement "; flow:established,to_server; urilen:10; content:"POST"; http_method; content:"/index.php"; fast_pattern; content:"Content-Type|3a|"; http_header; content:"Content-Length|3a| "; http_header; content:!"Referer"; http_header; content:!"User-Agent|3a| "; http_header; content:!"Cache-Control|3a| "; http_header; content:!"Accept"; content:!"Connection|3a| "; http_header; pcre:"/^[a-f0-9]{8}\x3d(?:[A-Za-z0-9-_]{4})*(?:[A-Za-z0-9-_]{2}==|[A-Za-z0-9-_]{3}=|[A-Za-z0-9-_]{4})$/Pi"; reference:url,blogs.rsa.com/wp-content/uploads/2015/07/Bolware-Fraud-Ring-RSA-Research-July-2-FINALr2.pdf; classtype:trojan-activity; sid:2018793; rev:2; metadata:created_at 2014_07_28, updated_at 2014_07_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Infostealer.KLPROXY Checkin via SMTP"; flow:to_server,established; content:"Subject|3a|"; content:"C-H-E-G-O A-V-I-S-O! |2e 3a 3a|Infect|3a 3a 2e|"; distance:5; within:33; reference:md5,422ce789b284eb5aa32124a6bbe86000; classtype:trojan-activity; sid:2018798; rev:2; metadata:created_at 2014_07_28, updated_at 2014_07_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Win32/Gatak Activity"; flow:established,to_server; content:!"Accept"; content:!"Referer|3a|"; content:"Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 5.1|3b| Trident/4.0)|0d 0a|Host|3a|"; fast_pattern:49,20; content:"POST "; depth:5; pcre:"/^[^\r\n]*?\/(?:[a-z]{4,9}\/[a-z]{3,10}\?[a-z_]{2,9}=[0-9]{2,8}|[a-z]{10})&[a-z]{5,9}=[a-zA-Z0-9_*]{30,}\sHTTP\/1\./R"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3aWin32/Gatak; reference:url,www.malwaresigs.com/2013/01/30/trojan-gatak-post-compromise/; classtype:trojan-activity; sid:2018799; rev:1; metadata:created_at 2014_07_28, updated_at 2014_07_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DoS.Linux/Elknot.G Checkin"; flow:established,to_server; dsize:401; content:!"|00 00|"; depth:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|Linux|20|"; offset:2; depth:21; fast_pattern:1,20; pcre:"/^\d/R"; reference:md5,917a2a3d8c30282acbe7b1ff121a4336; classtype:trojan-activity; sid:2018808; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Malicious SSL Cert (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|badsokspad.in"; distance:1; within:14; reference:md5,c4fe829fc49bb9efec92fe4a8a5d29fc; classtype:trojan-activity; sid:2018852; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible ClickFraud Trojan Socks5 Connection"; flow:to_server,established; content:"socks5init|3a|"; depth:11; threshold: type limit,track by_src, count 1, seconds 300; flowbits:set,ET.2018855; reference:md5,2a0e042fdb2d85c2abf8bd35499ee1aa; reference:md5,c4d3db0eadc650372225d0093cd442ba; reference:md5,4c1f7c4f6d00869a6fca9fdcbadc9633; classtype:trojan-activity; sid:2018855; rev:2; metadata:created_at 2014_07_30, updated_at 2014_07_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Windows executable base64 encoded"; flow: established,from_server; file_data; content:"TVqQA"; pcre:"/^[A-Za-z0-9]{3}(?:[A-Za-z0-9+/]{4}|\s){100}/Rs"; reference:md5,49aca228674651cba776be727bdb7e60; classtype:trojan-activity; sid:2018856; rev:10; metadata:created_at 2014_07_31, updated_at 2014_07_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Pgift.Backdoor APT CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/pgift.asp"; fast_pattern:only; http_uri; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B|)|0d 0a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:url,www.fireeye.com/blog/technical/threat-intelligence/2014/07/spy-of-the-tiger.html; classtype:trojan-activity; sid:2018869; rev:3; metadata:created_at 2014_08_01, updated_at 2014_08_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Tor based locker .onion Proxy domain in SNI July 31 2014"; flow:established,to_server; content:"iet7v4dciocgxhdv."; fast_pattern:only; nocase; metadata: former_category TROJAN; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:trojan-activity; sid:2018872; rev:2; metadata:created_at 2014_08_01, updated_at 2017_05_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tor based locker Ransom Page"; flow:established,to_server; content:"/buy.php?"; http_uri; content:"iet7v4dciocgxhdv."; nocase; fast_pattern; http_header; classtype:trojan-activity; sid:2018873; rev:1; metadata:created_at 2014_08_01, updated_at 2014_08_01;)

alert udp any any -> any 53 (msg:"ET TROJAN Tor based locker .onion Proxy DNS lookup July 31 2014"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iet7v4dciocgxhdv"; nocase; metadata: former_category TROJAN; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:trojan-activity; sid:2018874; rev:2; metadata:created_at 2014_08_01, updated_at 2017_05_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Tor based locker knowledgewiki.info in SNI July 31 2014"; flow:established,to_server; content:"knowledgewiki.info"; fast_pattern:only; nocase; metadata: former_category TROJAN; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:trojan-activity; sid:2018877; rev:2; metadata:created_at 2014_08_01, updated_at 2017_05_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 40"; flow:to_server,established; dsize:>11; content:"|7c 99|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7c\x99/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,984ec607cbaefdd2ce977c9a07a3e175; classtype:trojan-activity; sid:2018880; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_08_01, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Troj/ReRol.A Checkin 4"; flow:established,to_server; content:"POST"; http_method; content:"/qsc.asp"; fast_pattern:only; http_uri; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B|)|0d 0a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:url,fireeye.com/blog/technical/threat-intelligence/2014/07/spy-of-the-tiger.html; classtype:trojan-activity; sid:2018884; rev:1; metadata:created_at 2014_08_04, updated_at 2014_08_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows Command Prompt OUTBOUND"; flow:established,to_server; content:"Microsoft Windows"; content:"[Version|20|"; distance:0; pcre:"/^\d\.\d\.\d{4}\]\r\n\(C\)\x20Copyright\x20\d{4}(\x2d\d{4})?\x20Microsoft Corp(:?\.|oration)/Ri"; content:"|0d 0a 0d 0a|C|3a 5c 3e|"; fast_pattern; distance:0; isdataat:!1,relative; classtype:trojan-activity; sid:2018885; rev:1; metadata:created_at 2014_08_04, updated_at 2014_08_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows TaskList Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"System Idle Process"; fast_pattern:only; content:"|49 6d 61 67 65 20 4e 61 6d 65 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 50 49 44 20 53 65 73 73 69 6f 6e 20 4e 61 6d 65 20 20 20 20 20 53 65 73 73 69 6f 6e 23 20 20 20 20 4d 65 6d 20 55 73 61 67 65 0d 0a 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 20 3d 3d 3d 3d 3d 3d 20 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 20 3d 3d 3d 3d 3d 3d 3d 3d 20 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0d 0a|"; content:"svchost.exe"; content:"winlogon.exe"; classtype:trojan-activity; sid:2018886; rev:1; metadata:created_at 2014_08_04, updated_at 2014_08_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Infostealer.Mysayad Checkin 1"; flow:established,to_server; content:"HEAD"; http_method; urilen:17; content:"/GlobalUpdate.upt"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"User-Agent|3a|"; http_header; reference:md5,799600122930bbc64b7dac987ea8bb39; reference:url,vinsula.com/2014/07/20/sayad-flying-kitten-infostealer-malware/; classtype:trojan-activity; sid:2018889; rev:1; metadata:created_at 2014_08_04, updated_at 2014_08_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Infostealer.Mysayad Checkin 2"; flow:established,to_server; content:"HEAD"; http_method; urilen:9; content:"/all.wipe"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"User-Agent|3a|"; http_header; reference:md5,799600122930bbc64b7dac987ea8bb39; reference:url,vinsula.com/2014/07/20/sayad-flying-kitten-infostealer-malware/; classtype:trojan-activity; sid:2018890; rev:1; metadata:created_at 2014_08_04, updated_at 2014_08_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Kronos Checkin"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"/upfornow/connect.php"; http_uri; fast_pattern:only; content:"Content-Length|3a| "; http_header; reference:md5,f085395253a40ce8ca077228c2322010; reference:url,securityblog.s21sec.com/2014/08/kronos-is-here.html; classtype:trojan-activity; sid:2018891; rev:1; metadata:created_at 2014_08_04, updated_at 2014_08_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Zbot .onion Proxy domain in SNI Aug 04 2014"; flow:established,to_server; content:"zxjfcvfvhqfqsrpz."; fast_pattern:only; metadata: former_category TROJAN; reference:md5,9c40169371adbee467587ab55a61e883; classtype:trojan-activity; sid:2018892; rev:2; metadata:created_at 2014_08_04, updated_at 2017_05_11;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Zbot .onion Proxy DNS lookup July 31 2014"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zxjfcvfvhqfqsrpz"; fast_pattern; nocase; distance:0; metadata: former_category TROJAN; reference:md5,9c40169371adbee467587ab55a61e883; classtype:trojan-activity; sid:2018893; rev:2; metadata:created_at 2014_08_04, updated_at 2017_05_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Probable OneLouder downloader (Zeus P2P)"; flow:to_server,established; content:"GET"; http_method; urilen:4; content:"/333"; http_uri; fast_pattern:only; content:!"Referer|3a| "; http_header; content:!"Accept-Language|3a| "; http_header; content:" MSIE "; http_header; classtype:trojan-activity; sid:2018894; rev:4; metadata:created_at 2014_08_04, updated_at 2014_08_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ddex Loader Check-in"; flow:established,to_server; content:"GET"; http_method; content:".php?t="; http_uri; content:"&o="; http_uri; content:"&i="; http_uri; content:"&task_id="; http_uri; content:!"Referer|3a 20|"; http_header; reference:url,securelist.com/files/2014/07/Kaspersky_Lab_crouching_yeti_appendixes_eng_final.pdf; classtype:trojan-activity; sid:2018895; rev:1; metadata:created_at 2014_08_05, updated_at 2014_08_05;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN BitcoinMiner C2 SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|19|www.webanalyticsystem.com"; distance:1; within:26; reference:url,www.malware-traffic-analysis.net/2014/07/28/index.html; classtype:trojan-activity; sid:2018896; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_08_05, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Pushdo.S CnC response"; flow:established,from_server; flowbits:isset,ET.Pushdo.S; content:"X-GeoIP-Country-Code|3a| "; http_header; content:"X-Real-IP|3a| "; http_header; reference:md5,27aef1d328da442d3bd02c50c1a6b651; classtype:trojan-activity; sid:2018897; rev:1; metadata:created_at 2014_08_05, updated_at 2014_08_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BITTERBUG Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:".php?compname="; http_uri; content:!"User-Agent|3a| "; http_header; pcre:"/\.php\?compname=[^\\\*\+\=\|\:\;\x22\?\<\>\,\#][a-zA-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}_/U"; reference:md5,34c7f12b4e8f2b81143453af12442ee0; reference:md5,48bbae6ee277b5693b40ecf51919d3a6; classtype:trojan-activity; sid:2018900; rev:1; metadata:created_at 2014_08_06, updated_at 2014_08_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN  BITTERBUG Checkin 2"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/vtris"; fast_pattern:only; http_uri; content:".php?srs="; http_uri; content:!"User-Agent|3a| "; http_header; pcre:"/\/vtris\d?\.php\?srs=\d{1,10}$/U"; reference:md5,34c7f12b4e8f2b81143453af12442ee0; reference:md5,48bbae6ee277b5693b40ecf51919d3a6; classtype:trojan-activity; sid:2018901; rev:1; metadata:created_at 2014_08_06, updated_at 2014_08_06;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|04|kreb"; distance:1; within:5; content:"|0d|kreb|40|kreb.com"; fast_pattern:only; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018902; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_08_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|googleforking.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018912; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_08_08, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lurk Downloader Check-in"; flow:to_server,established; content:"GET"; http_method; content:"/lolo/"; fast_pattern; http_uri; content:".html"; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 5.1|3b| Trident/4.0)"; http_header; pcre:"/^\/lolo\/[0-9]+\/[0-9]+\/[0-9]+\/[0-9]+\.html$/U"; reference:url,secureworks.com/cyber-threat-intelligence/threats/malware-analysis-of-the-lurk-downloader/; classtype:trojan-activity; sid:2018926; rev:1; metadata:created_at 2014_08_11, updated_at 2014_08_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lurk Click fraud Template Request"; flow:to_server,established; content:"GET"; http_method; content:"/log/"; http_uri; content:"/?id="; fast_pattern; http_uri; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:"Host|3a 20|"; http_header; pcre:"/^\/log\/[0-9]+\/[0-9]+\/\?id=[0-9]+$/U"; reference:url,secureworks.com/cyber-threat-intelligence/threats/malware-analysis-of-the-lurk-downloader/; classtype:trojan-activity; sid:2018927; rev:1; metadata:created_at 2014_08_11, updated_at 2014_08_11;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,to_client; content:"|55 04 03|"; content:"|12|alohafriends12.com"; distance:1; within:19; reference:md5,9c98ef776a651cc4269acde3755d3a5a; classtype:trojan-activity; sid:2018935; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_08_12, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Unknown Trojan Dropped By Archie.EK"; flow:to_server,established; content:"GET /"; depth:5; content:".e%78e"; distance:0; fast_pattern; content:"|20|HTTP/1."; distance:0; content:!"Referer|3a|"; distance:0; content:!"User-Agent|3a|"; distance:0; pcre:"/^GET \/[56]\d{4}%2C[^\r\n]*?%2C[A-Z]%3A%5C[^\r\n]+?\.e%78e/i"; reference:md5,e6c91ab176887e5c79bb59277c651dfd; classtype:trojan-activity; sid:2018928; rev:2; metadata:created_at 2014_08_13, updated_at 2014_08_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN OneLouder Common URI Struct"; flow:established,to_server; content:"/ord/"; http_uri; fast_pattern:only; content:".exe"; http_uri; nocase; pcre:"/\/ord\/[^\x2f]+?\.exe$/Ui"; classtype:trojan-activity; sid:2018929; rev:1; metadata:created_at 2014_08_13, updated_at 2014_08_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Suspicious X-mailer Synapse"; flow:established,to_server; content:"produced by Synapse"; fast_pattern:only; content:"X|2d|mailer|3a 20|Synapse|20 2d 20|Pascal TCP|2f|IP library by Lukas Gebauer"; reference:md5,954acc71ffaa7010c603d74e76dfc70b; reference:url,www.joewein.net/spam/spam-joejob.htm; classtype:trojan-activity; sid:2018936; rev:1; metadata:created_at 2014_08_14, updated_at 2014_08_14;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (CryptoWall C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|1f|kpai7ycr7jxqkilp.totortoweb.com"; distance:1; within:32; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018939; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_08_14, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ClickFraud Trojan Socks5 Init Response"; flow:established,from_server; flowbits:isset,ET.2018855; dsize:7<>8; content:"|fe|"; depth:1; content:"|1f|"; distance:4; within:1; reference:md5,de31e17ff4b3791c92a93b72d779e61f; classtype:trojan-activity; sid:2018941; rev:1; metadata:created_at 2014_08_14, updated_at 2014_08_14;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|koskoskos11.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018942; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_08_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|atspotfto.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018943; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_08_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www.securessl.in"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018944; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_08_18, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win.Trojan.Chewbacca connectivity check"; flow:established,to_server; content:"GET"; http_method; content:"/ip/"; http_uri; content:"User-Agent|3A| Mozilla/4.0 (compatible|3b| Synapse|29 0d 0a|"; http_header; fast_pattern:36,11; content:!"Accept"; http_header; content:!"Referer"; http_header; reference:md5,21f8b9d9a6fa3a0cd3a3f0644636bf09; reference:url,www.symantec.com/security_response/earthlink_writeup.jsp?docid=2013-121813-2446-99; classtype:trojan-activity; sid:2019162; rev:3; metadata:created_at 2014_08_18, updated_at 2014_08_18;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|zao-sky.ru"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018947; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_08_18, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Likely Synolocker .onion DNS lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cypherxffttr7hho"; fast_pattern; nocase; distance:0; classtype:trojan-activity; sid:2018948; rev:1; metadata:created_at 2014_08_18, updated_at 2014_08_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/PSW.Steam.NBP Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/data2.php?file="; fast_pattern:only; http_uri; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| Synapse)"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,17d2b62f2fa20f407485437de17787fb; reference:md5,bec091077138a1cac49db00495d456e7; classtype:trojan-activity; sid:2018949; rev:1; metadata:created_at 2014_08_18, updated_at 2014_08_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tor Based Locker Page (Torrentlocker)"; flow:established,to_server; content:"/buy.php?"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/Host\x3a\x20[a-z0-9]{16}\.[^\r\n]*?(?:tor|onion)/Hmi"; classtype:trojan-activity; sid:2018951; rev:3; metadata:created_at 2014_08_18, updated_at 2014_08_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN ShellBot.C retrieval"; flow:from_server,established; file_data; content:"my $processo"; content:"my @adms="; distance:0; content:"my @canais="; distance:0; content:"|23|gh|30|sts"; distance:0; within:10; reference:md5,3e44252394078c8fd792da1583525d0c; reference:url,pastebin.com/0dAciksC; reference:url,pastebin.com/C0arvGxU; classtype:trojan-activity; sid:2018953; rev:1; metadata:created_at 2014_08_18, updated_at 2014_08_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ZeroLocker Downloading Config"; flow:established,to_server; content:"/zConfig/"; http_uri; fast_pattern:only; pcre:"/\/zConfig\/\d+$/U"; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; reference:url,securelist.com/blog/incidents/66135/zerolocker-wont-come-to-your-rescue/; reference:url,webroot.com/blog/2014/08/14/zero-locker/; reference:url,symantec.com/security_response/writeup.jsp?docid=2014-081521-4509-99; classtype:trojan-activity; sid:2018960; rev:1; metadata:created_at 2014_08_19, updated_at 2014_08_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ZeroLocker Activity"; flow:established,to_server; content:"/zImprimer/"; http_uri; fast_pattern:only; pcre:"/\/zImprimer\/\d+-/U"; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; reference:url,securelist.com/blog/incidents/66135/zerolocker-wont-come-to-your-rescue/; reference:url,webroot.com/blog/2014/08/14/zero-locker/; reference:url,symantec.com/security_response/writeup.jsp?docid=2014-081521-4509-9; classtype:trojan-activity; sid:2018961; rev:2; metadata:created_at 2014_08_19, updated_at 2014_08_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ZeroLocker Activity"; flow:established,to_server; content:"/enc/1"; http_uri; fast_pattern:only; pcre:"/\/enc\/1$/U"; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; reference:url,securelist.com/blog/incidents/66135/zerolocker-wont-come-to-your-rescue/; reference:url,webroot.com/blog/2014/08/14/zero-locker/; reference:url,symantec.com/security_response/writeup.jsp?docid=2014-081521-4509-9; classtype:trojan-activity; sid:2018962; rev:2; metadata:created_at 2014_08_19, updated_at 2014_08_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux.DDoS Checkin"; flow:established,to_server; dsize:1024; content:"VERSONEX|3a|"; depth:9; content:"|7c|Hacker|00 00 00|"; distance:0; reference:md5,0eab12cebbf1c8f25d82c65f34aab9d7; classtype:trojan-activity; sid:2019172; rev:4; metadata:created_at 2014_08_19, updated_at 2014_08_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Variant.Strictor Dropper"; flow:established,to_server; content:"GET"; http_method; content:".php"; http_uri; content:"os="; http_uri; content:"&osbit="; http_uri; content:"&antiv="; http_uri; content:"User-Agent|3a| Access|0d 0a|"; fast_pattern:12,8; depth:20; http_header; reference:md5,909b91071c60fc68c27789d912ccf68a; classtype:trojan-activity; sid:2018964; rev:5; metadata:created_at 2014_08_19, updated_at 2014_08_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Python.Ragua Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/WebCam/Cam.txt"; nocase; http_uri; fast_pattern:only; content:"User-Agent|3a 20|Python-urllib/"; nocase; http_header; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; content:!"Referer|3a|"; http_header; reference:url,securelist.com/blog/research/66108/el-machete/; reference:md5,a8602b4c35f426107c9667d804470745; classtype:trojan-activity; sid:2018968; rev:1; metadata:created_at 2014_08_20, updated_at 2014_08_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Probable OneLouder downloader (Zeus P2P)"; flow:to_server,established; content:"GET"; http_method; urilen:4; content:"/222"; http_uri; fast_pattern:only; content:!"Referer|3a| "; http_header; content:!"Accept-Language|3a| "; http_header; content:" MSIE "; http_header; classtype:trojan-activity; sid:2018971; rev:2; metadata:created_at 2014_08_20, updated_at 2014_08_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Hoic.zip retrieval"; flow:from_server,established; file_data; content:"Hoic/buttons2/PK"; content:"Hoic/buttons2/buttons.rar"; distance:0; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:trojan-activity; sid:2018976; rev:2; metadata:created_at 2014_08_21, updated_at 2014_08_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Miras C2 Activity"; flow:established,to_server; content:"|36 36 36 36 58 36 36 36|"; offset:2; depth:8; reference:md5,98a3a68f76ed2eba763eb7bfb6648562; classtype:trojan-activity; sid:2018979; rev:2; metadata:created_at 2014_08_21, updated_at 2014_08_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN Machete FTP activity"; flow:established,to_server; content:"CWD |2e 2e 2f|KeyLog_History"; depth:21; classtype:trojan-activity; sid:2018980; rev:1; metadata:created_at 2014_08_21, updated_at 2014_08_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PlugX variant"; flow:to_server,established; content:"GET"; http_method; content:"/p/"; depth:3; http_uri; pcre:"/^\/p\/(?:p(?:hphphphphphphp|thon)|(?:dropytho|admmmom)n|u(?:pdata-server|dom)|eyewheye|joompler|rubbay|tempzz)/U"; content:"code.google.com"; fast_pattern:only; http_header; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; content:!"Connection|3a 20|"; http_header; threshold: type both, count 1, seconds 30, track by_src; reference:md5,f92e9e3e86856b5c0ee465f77a440abb; reference:url,researchcenter.paloaltonetworks.com/2014/08/attacks-east-asia-using-google-code-command-control/; reference:url,www.fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned-hurricane.html; classtype:trojan-activity; sid:2018984; rev:4; metadata:created_at 2014_08_21, updated_at 2014_08_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Probable OneLouder downloader (Zeus P2P)"; flow:to_server,established; content:"GET"; http_method; urilen:2<>5; content:!"Referer|3a| "; http_header; content:!"Accept-Language|3a| "; http_header; content:" MSIE "; http_header; fast_pattern:only; pcre:"/^\/(?P<n>\d)(?P=n){1,2}$/U"; flowbits:set,ET.Onelouder.bin; flowbits:noalert; classtype:trojan-activity; sid:2018981; rev:2; metadata:created_at 2014_08_21, updated_at 2014_08_21;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Probable OneLouder downloader (Zeus P2P) exe download"; flow:established,to_client; flowbits:isset,ET.Onelouder.bin; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2018982; rev:2; metadata:created_at 2014_08_21, updated_at 2014_08_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Probable OneLouder downloader (Zeus P2P)"; flow:to_server,established; urilen:2<>6; content:!"Accept-Language|3a| "; http_header; content:!"Referer|3a| "; http_header; content:"|20|MSIE|20|"; http_header; fast_pattern:only; pcre:"/\/\d+$/U"; flowbits:set,ET.OneLouderHeader; flowbits:noalert; classtype:trojan-activity; sid:2018983; rev:5; metadata:created_at 2014_08_21, updated_at 2014_08_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Asteria md5)"; flow:to_server,established; content:"User-Agent|3a| d9d385b3522b242398af91fd425b386d"; http_header; reference:md5,56c16ad7da8cecb429dccb168aef46b7; classtype:trojan-activity; sid:2018985; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2014_08_22, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Xema dropping file"; flow:to_server,established; content:"/pruebas.doc"; http_uri; fast_pattern:only; content:!"Referer"; http_header; reference:md5,f5fbdb120594f4da7f638122d6635933; classtype:trojan-activity; sid:2018994; rev:1; metadata:created_at 2014_08_25, updated_at 2014_08_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Spy.Tuscas"; flow:established,to_server; content:"?version="; http_uri; fast_pattern:only; content:"&group="; http_uri; content:"&client="; http_uri; content:"&computer="; http_uri; content:"&os="; http_uri; content:"&latency="; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:url,stopmalvertising.com/malware-reports/analysis-of-tuscas.html; classtype:trojan-activity; sid:2018999; rev:1; metadata:created_at 2014_08_25, updated_at 2014_08_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows ipconfig Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Windows IP Configuration|0d|"; fast_pattern:8,16; content:"Ethernet adapter Local Area Connection|3a|"; distance:0; content:"Physical Address"; content:"IP Address"; content:"Subnet Mask"; content:"Default Gateway"; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019000; rev:1; metadata:created_at 2014_08_25, updated_at 2014_08_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows net start Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"These Windows services are started|3a 0d|"; fast_pattern:8,16; content:"The command completed successfully|2e|"; distance:0; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019001; rev:1; metadata:created_at 2014_08_25, updated_at 2014_08_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows systeminfo Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Host Name|3a|"; content:"OS Name|3a|"; content:"OS Version|3a|"; content:"OS Manufacturer|3a|"; content:"Microsoft Corporation"; distance:0; content:"OS Configuration|3a|"; content:"OS Build Type|3a|"; content:"Registered Owner|3a|"; content:"Registered Organization|3a|"; content:"Product ID|3a|"; content:"Original Install Date|3a|"; content:"System Up Time|3a|"; content:"System Manufacturer|3a|"; content:"System Model|3a|"; content:"System type|3a|"; content:"Processor|28|s|29 3a|"; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019002; rev:1; metadata:created_at 2014_08_25, updated_at 2014_08_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows netstat Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Active Connections|0d|"; content:"Proto"; content:"Local Address"; content:"Foreign Address"; content:"State"; distance:0;  reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019003; rev:2; metadata:created_at 2014_08_25, updated_at 2014_08_25;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 b8 68 97 9e dc 1f a8 cc|"; distance:0; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0c|local.domain"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019009; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_08_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 f3 e5 76 ad 16 4c 88 ff|"; distance:0; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019069; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_08_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 9a a1 97 0b 99 2b 46 07|"; distance:0; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|03|GER"; distance:1; within:4; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019070; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_08_27, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vawtrak/NeverQuest Posting Data"; flow:established,to_server; content:"POST"; http_method; content:"?id="; http_uri; content:"/0"; http_uri; pcre:"/\/0[0-2]\/.+?\/[a-f0-9]+\?id=[a-f0-9]+$/Ui"; content:!"Referer|3a|"; http_header; content:"Content-Type|3a 20|application/octet-stream|0d 0a|User-Agent"; http_header; fast_pattern:26,20; pcre:"/^User-Agent\x3a[^r\n]+?(?:MSIE|rv\x3a11)/Hmi"; classtype:trojan-activity; sid:2019074; rev:3; metadata:created_at 2014_08_27, updated_at 2014_08_27;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 fc 61 00 6b e6 e5 a0 17|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019079; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_08_28, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows arp -a Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Interface|3a|"; content:"--- 0x"; distance:0; content:"Internet Address"; content:"Physical Address"; fast_pattern; distance:0; content:"Type"; content:"dynamic"; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019080; rev:1; metadata:created_at 2014_08_28, updated_at 2014_08_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows set Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"ALLUSERSPROFILE="; fast_pattern; content:"APPDATA="; distance:0; content:"CLIENTNAME="; content:"CommonProgramFiles="; distance:0; content:"COMPUTERNAME="; content:"ComSpec="; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019081; rev:1; metadata:created_at 2014_08_28, updated_at 2014_08_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows route Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Route Table"; content:"Active Routes|3a|"; fast_pattern; content:"Network Destination"; content:"Netmask"; content:"Gateway"; content:"Interface"; content:"Metric";  reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019082; rev:2; metadata:created_at 2014_08_28, updated_at 2014_08_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 41"; flow:to_server,established; dsize:>11; content:"|c3 70|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\xc3\x70/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,23bb9c2ed95e942f886d544fefd20d70; classtype:trojan-activity; sid:2019083; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_08_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Syrian Malware Checkin"; flow:established,to_server; content:"|2f|j|7c|n|5c|"; offset:2; depth:5; content:"[endof]"; fast_pattern; distance:0; reference:url,fireeye.com/blog/technical/2014/08/connecting-the-dots-syrian-malware-team-uses-blackworm-for-attacks.html; reference:md5,a8cf815c3800202d448d035300985dc7; classtype:trojan-activity; sid:2019084; rev:1; metadata:created_at 2014_08_29, updated_at 2014_08_29;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Unknown Trojan Dropped by Angler Aug 29 2014"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|00 c4 a8 4b da 47 94 14 c1|"; within:35; content:"|55 04 0b|"; distance:0; content:"|55 04 0b|"; distance:0; content:"|06|office"; distance:1; within:7; classtype:trojan-activity; sid:2019086; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Angler, tag Exploit_Kit, signature_severity Critical, created_at 2014_08_29, malware_family Angler, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN OneLouder EXE download possibly installing Zeus P2P"; flow:to_client,established; flowbits:isset,ET.OneLouderHeader; file_data; content:"MZ"; within:2; content:"PE|00 00|"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2019103; rev:3; metadata:created_at 2014_09_02, updated_at 2014_09_02;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ed 7a 4e 2c 6d 48 5c a6|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019106; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_03, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 c6 af 2f 81 7b a2 2b|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019107; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_03, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b2 a7 52 d6 65 0d 28 9f|"; distance:0; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019108; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_03, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c9 c0 04 78 81 0c 5a 2d|"; distance:0; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019109; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_03, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN HighTide trojan Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/?"; http_uri; depth:2; content:"Trident/5.0|29 0d 0a|"; fast_pattern; http_header; content:"Referer|3A| http|3A|//www.google.com/|0D  0A|"; http_header; pcre:"/^\/\?\d(?:[A-Za-z0-9~_]{4})*(?:[A-Za-z0-9~_]{2}--|[A-Za-z0-9~_]{3}-|[A-Za-z0-9~_]{4})$/U"; reference:md5,6e59861931fa2796ee107dc27bfdd480; reference:url,fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.html; classtype:trojan-activity; sid:2019113; rev:1; metadata:created_at 2014_09_04, updated_at 2014_09_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Threebyte.APT Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/UID"; fast_pattern; depth:4; http_uri; content:".jsp?"; distance:0; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^\/UID\d+\.jsp\?/U"; reference:url,fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.html; classtype:trojan-activity; sid:2019114; rev:1; metadata:created_at 2014_09_04, updated_at 2014_09_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] (msg:"ET TROJAN W32/Waterspout.APT Backdoor CnC Beacon"; flow:to_server,established; content:"GET "; depth:4; content:".php?"; distance:0; content:"_id="; distance:3; within:4; fast_pattern; pcre:"/\/(?P<s1>[a-z]{3})[a-z]\.php\?(?P=s1)_id=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\sHTTP\/1\./"; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.html; classtype:trojan-activity; sid:2019115; rev:2; metadata:created_at 2014_09_04, updated_at 2014_09_04;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d2 15 14 ca 74 7c 3d 96|"; distance:0; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019120; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_04, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Upatre C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ed 11 bb c5 32 1e 9d 79|"; distance:0; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019121; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bc 2a 7f f9 ef 67 4e ef|"; distance:0; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019122; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_04, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Cryptolocker .onion Proxy Domain (erhitnwfvpgajfbu)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|erhitnwfvpgajfbu"; nocase; reference:url,www.welivesecurity.com/2014/09/04/torrentlocker-now-targets-uk-royal-mail-phishing/; classtype:trojan-activity; sid:2019123; rev:3; metadata:created_at 2014_09_05, updated_at 2014_09_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Cryptolocker .onion Proxy Domain in SNI"; flow:established,to_server; content:"erhitnwfvpgajfbu."; fast_pattern:only; nocase; reference:url,www.welivesecurity.com/2014/09/04/torrentlocker-now-targets-uk-royal-mail-phishing/; classtype:trojan-activity; sid:2019124; rev:2; metadata:created_at 2014_09_05, updated_at 2014_09_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Bapy.Downloader PE Download Request"; flow:established,to_server; content:"GET"; http_method; urilen:9; content:"/tmps."; http_uri; fast_pattern:only; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; pcre:"/[a-z]\d{2}$/U"; reference:md5,e256976cedda8c9d07a21ca0e5c2f86c; classtype:trojan-activity; sid:2019127; rev:1; metadata:created_at 2014_09_05, updated_at 2014_09_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Bravix.Dropper CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/get.php?file=cmds/main"; http_uri; content:!"Referer|3A|"; http_header; reference:md5,19484a240a16c7faea84dcac0c38d118; classtype:trojan-activity; sid:2019128; rev:1; metadata:created_at 2014_09_05, updated_at 2014_09_05;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea a5 72 6e 95 1a 1d 22|"; distance:0; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019135; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_08, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN APT OSX.XSLCmd CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/compose.aspx?s="; http_uri; fast_pattern:only; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1)"; http_header; content:"Accept-Language|3a| zh-cn|0d 0a|"; http_header; reference:url,fireeye.com/blog/technical/malware-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html; classtype:trojan-activity; sid:2019136; rev:1; metadata:created_at 2014_09_08, updated_at 2014_09_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Poweliks GET Request"; flow:established,to_server; content:"GET"; http_method; urilen:4; content:"/dll"; http_uri; fast_pattern:only; content:"Content-Length|3a 20|0|0d 0a|"; http_header; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:url,malware-traffic-analysis.net/2014/08/01/index3.html; classtype:trojan-activity; sid:2019138; rev:2; metadata:created_at 2014_09_08, updated_at 2014_09_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot POST Request to C2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"HTTP/1."; content:"|0D 0A|Accept|3a| */*|0D 0A|User-Agent|3a| Mozilla"; distance:1; within:34; fast_pattern; content:!"Accept-"; http_header; content:!"Content-Type|3a|"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^Accept\x3a \*\/\*\r\nUser-Agent\x3a[^\r\n]+?\r\nHost\x3a[^\r\n]+?\r\nContent-Length\x3a[^\r\n]+?\r\n(?:Proxy-)?Connection\x3a[^\r\n]+?\r\n(?:Pragma|Cache-Control)\x3a[^\r\n]+?\r\n(?:\r\n)?$/H"; reference:md5,c86f7ec18b78055a431f7cd1dca65b82; classtype:trojan-activity; sid:2019141; rev:2; metadata:created_at 2014_09_08, updated_at 2014_09_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Win32/Frosparf.B Downloading Hosts File"; flow:established,from_server; file_data; content:"9.9.9.9 "; within:8; pcre:"/^(?:[a-zA-Z0-9\x2d\x5f]{1,63}\.)+?[a-zA-Z0-9\x2d\x5f]{1,63}[\r\n]*?9\.9\.9\.9\s+?(?:[a-zA-Z0-9\_\-]{1,63}\.)+?[a-zA-Z0-9\x2d\x5f]{1,63}[\r\n]/R"; reference:md5,4ad55877464aa92e49231d913d00eb69; classtype:trojan-activity; sid:2019142; rev:2; metadata:created_at 2014_09_09, updated_at 2014_09_09;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 33 9e 92 b0 3e 35 b8|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019147; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea c4 eb c7 a8 ae c0 8c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019148; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"|19|groundbellsinc2@yahoo.com"; distance:1; within:26; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019149; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 10 d6 2f a9 1d 55 7b|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019150; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 96 2c 97 86 ef 94 08 62|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019151; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 33 9e 92 b0 3e 35 b8|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019152; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 69 ac|"; within:30; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0f|serveradmin.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019153; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_10, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Zeus GameOver Connectivity Check 2"; flow:established,to_server; urilen:1; content:"Connection|3a 20|Close"; http_header; fast_pattern:only; content:"Host|3a 20|windowsupdate.microsoft.com|0d 0a|"; http_header; content:!"Accept|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; reference:md5,236bde81355e075e7ed6bcdc60daefcb; classtype:trojan-activity; sid:2019155; rev:1; metadata:created_at 2014_09_10, updated_at 2014_09_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Malicious Invoice EXE"; flow:established,to_server; content:"GET"; http_method; content:"/invoice"; nocase; http_uri; fast_pattern:only; pcre:"/\/invoice[^a-z\/]*?\.(?:exe|zip|7z|rar|com|vbs|ps1)$/Ui"; metadata: former_category TROJAN; reference:md5,bdf12366779ce94178c2d1e495565d2b; classtype:trojan-activity; sid:2019158; rev:4; metadata:created_at 2014_09_11, updated_at 2017_11_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Stobox Connectivity Check"; flow:established,to_server; content:"/windowsupdate/v6/thanks.aspx?ln=en&&thankspage="; http_uri; fast_pattern:28,20; content:"Host|3a 20|update.microsoft.com|0d 0a|"; http_header; depth:28; content:!"Accept-Language|3a|"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; content:"|0d 0a 0d 0a|"; threshold: type both, count 5, seconds 300, track by_src; reference:md5,aba20c8289b37b10d42979730674a2ca; classtype:trojan-activity; sid:2019166; rev:3; metadata:created_at 2014_09_11, updated_at 2014_09_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN TSPY_POCARDL.U Possible FTP Login"; flow:established,to_server; content:"USER user drupalzf"; reference:md5,ceb5b99c13b107cf07331bcbddb43b1f; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:trojan-activity; sid:2019159; rev:1; metadata:created_at 2014_09_11, updated_at 2014_09_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DecebalPOS Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?&co="; http_uri; fast_pattern:only; content:"&us="; http_uri; content:"&av="; http_uri; content:"&os="; http_uri; content:"&tr2="; http_uri; reference:md5,87cfa0addda5c0e0fc34f3847408e557; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:trojan-activity; sid:2019160; rev:1; metadata:created_at 2014_09_11, updated_at 2014_09_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DecebalPOS User-Agent"; flow:established,to_server; content:"User-Agent|3a 20|Decebalv"; http_header; reference:md5,87cfa0addda5c0e0fc34f3847408e557; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:trojan-activity; sid:2019161; rev:1; metadata:created_at 2014_09_11, updated_at 2014_09_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Alina.POS-Trojan Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Accept|3a 20|application/octet-stream|0d 0a|"; http_header; fast_pattern; content:"User-Agent|3a 20|Mozilla/"; http_header; content:"|20|InfoPath|2e|"; http_header; distance:0; pcre:"/^User-Agent\x3a[^\r\n]+\x20InfoPath\x2e\d[^\x29]+\r?$/Hmi"; content:!"Referer|3a|"; http_header; pcre:"/\.php$/U"; reference:md5,3959fb5b5909d9c6fb9c9a408d35f67a; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:trojan-activity; sid:2019163; rev:3; metadata:created_at 2014_09_11, updated_at 2014_09_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN JackPOS XOR Encoded HTTP Client Body (key AA)"; flow:established,to_server; content:"|AB AB|"; depth:2; http_client_body; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|"; http_client_body; fast_pattern:only; reference:md5,3959fb5b5909d9c6fb9c9a408d35f67a; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:trojan-activity; sid:2019164; rev:1; metadata:created_at 2014_09_11, updated_at 2014_09_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Banload Downloading Executable"; flow:established,from_server; flowbits:isset,ET.autoit.ua; content:"Content-Type|3a 20|image/"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:md5,838ab7aacac590ea2e170888b2502a63; classtype:trojan-activity; sid:2019165; rev:2; metadata:created_at 2014_09_11, updated_at 2014_09_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DoS.Linux/Elknot.E Checkin"; flow:established,to_server; dsize:401; content:!"|00 00|"; depth:2; content:"|10 27 60 ea|Linux|20|"; offset:4; depth:64; reference:md5,9a2a00f4bba2f3e0b1211a1f0cb48896; classtype:trojan-activity; sid:2019171; rev:2; metadata:created_at 2014_09_12, updated_at 2014_09_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tinba Checkin"; flow:established,to_server; content:"POST"; http_method; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:"/|20|HTTP/1.0|0d 0a|Host|3a 20|"; fast_pattern:only; content:"|0d 0a 0d 0a|"; content:!"|00 00 00 00|"; within:4; content:!"|FF FF FF FF|"; within:4; byte_extract:4,0,Tinba.Pivot,relative; byte_test:4,=,Tinba.Pivot,16,relative; byte_test:4,!=,Tinba.Pivot,4,relative; pcre:"/^Host\x3a[^\r\n]+?\r\nContent-Length\x3a\x20\d{2,}\r\n(?:\r\n)?$/H"; flowbits:set,ET.Tinba.Checkin; reference:md5,1e644fe146f62bd2fc585b8df6712ff6; classtype:trojan-activity; sid:2019168; rev:2; metadata:created_at 2014_09_12, updated_at 2014_09_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Tinba Server Response"; flow:established,to_client; flowbits:isset,ET.Tinba.Checkin; file_data; content:"|64 b4 dc a4|"; within:4; reference:md5,1e644fe146f62bd2fc585b8df6712ff6; classtype:trojan-activity; sid:2019169; rev:1; metadata:created_at 2014_09_12, updated_at 2014_09_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/AES.DDoS Sending Real/Fake CPU&BW Info"; flow:established,to_server; content:"INFO|3a|"; depth:5; pcre:"/^\d/R"; content:"|25 7c|"; distance:0; threshold: type both, count 1, seconds 30, track by_src; reference:md5,d8059b555dde05e184c0b16bbff523f1; classtype:trojan-activity; sid:2019177; rev:3; metadata:created_at 2014_09_15, updated_at 2014_09_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MSIL/Spy.RapidStealer.B Checkin"; flow:established,to_server; urilen:14; content:"POST"; http_method; content:"/key/index.php"; http_uri; fast_pattern:only; content:"dir="; depth:4; http_client_body; content:"&data="; distance:0; http_client_body; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,c14690b90459744a300a02f45b32168a; reference:url,quequero.org/2014/09/win32-blackberrybbc-malware-analysis/; classtype:trojan-activity; sid:2019179; rev:1; metadata:created_at 2014_09_16, updated_at 2014_09_16;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Kuluoz/Asprox CnC Response"; flow:from_server,established; flowbits:isset,ET.Kuluoz; content:"|0d 0a 0d 0a|"; content:"|0d 0a 80 00 00 00|"; distance:2; within:6; reference:md5,a3e0f51356d48124fba25485d1871b28; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; reference:url,blog.fortinet.com/post/changes-in-the-asprox-botnet; classtype:trojan-activity; sid:2019187; rev:2; metadata:created_at 2014_09_17, updated_at 2014_09_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Infostealer.Banprox Proxy.pac Download 2"; flow:from_server,established; file_data; content:"FindProxyForURL"; fast_pattern; distance:0; content:"|22|PROXY"; distance:0; pcre:"/^(?P<q>[\x22\x27])(?:(?!(?P=q))[^\r\n\x2c])+?(?P=q)\s*?\+\s*?[\x22\x27][^\r\n\x2c]*?[cg][\x22\x27\+\s]*?[o][\x22\x27\+\s]*?[vm][\x22\x27\+\s]*?\.[\x22\x27\+\s]*?b[\x22\x27\+\s]*?r[\x22\x27\+\s]*?\x2c/m"; reference:md5,6e4a990b1540fa6b5896034b976ccecf; classtype:trojan-activity; sid:2019190; rev:13; metadata:created_at 2014_09_18, updated_at 2014_09_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Infostealer.Banprox Proxy.pac Download 3"; flow:from_server,established; file_data; content:"FindProxyForURL"; fast_pattern; distance:0; content:"return |22|PROXY"; pcre:"/^[^\x3b]+\\x(?:[57][0-9a]|4[0-9a-f]|6[1-9a-f]|3[0-9])/Ri"; reference:md5,6f2dc4ba05774f3e5ebf6c502db48a71; classtype:trojan-activity; sid:2019191; rev:12; metadata:created_at 2014_09_18, updated_at 2014_09_18;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fb 27 b3 4f ab ba bf 8b|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019192; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_18, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN NewPosThings Checkin"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| Mozilla/4.0(compatible|3b| MSIE 7.0b|3b| Windows NT 6.0)"; fast_pattern:7,20; http_header; content:"cs="; http_client_body; content:"&p="; http_client_body; content:"&m="; http_client_body; reference:md5,ae9899722707fc2c9716138580787026; reference:url,arbornetworks.com/asert/2014/09/lets-talk-about-newposthings/; classtype:trojan-activity; sid:2019197; rev:1; metadata:created_at 2014_09_19, updated_at 2014_09_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN NewPosThings Data Exfiltration"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| Mozilla/4.0(compatible|3b| MSIE 7.0b|3b| Windows NT 6.0)"; fast_pattern:7,20; http_header; content:"cs="; http_client_body; content:"&m="; http_client_body; content:"&ls="; http_client_body; reference:md5,4196c67648003a18f61573a77b6d3be6; reference:url,arbornetworks.com/asert/2014/09/lets-talk-about-newposthings/; classtype:trojan-activity; sid:2019198; rev:1; metadata:created_at 2014_09_19, updated_at 2014_09_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN NewPosThings POST with Fake UA and Accept Header"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| Mozilla/4.0(compatible|3b| MSIE 7.0b|3b| Windows NT 6.0)"; fast_pattern:7,20; http_header; content:"Accept|3a 20 3f 2a 0d 0a|"; depth:12; http_header; reference:md5,ae9899722707fc2c9716138580787026; reference:url,arbornetworks.com/asert/2014/09/lets-talk-about-newposthings/; classtype:trojan-activity; sid:2019199; rev:1; metadata:created_at 2014_09_19, updated_at 2014_09_19;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a3 e8 dc 5d 2a ee 44 a3|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019205; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 b7 93 80 9f 87 5d ab|"; within:35; content:"|55 04 03|"; distance:0; content:"|0c 31 30 38 2e 36 31 2e 34 39 2e 33 30|"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019206; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_22, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/BillGates Checkin"; flow:established,to_server; content:"|01 00 00 00|"; depth:4; content:"|00 00 00 f4 01 00 00 32 00 00 00 e8 03|"; distance:0; content:"|01 01 02 00 00 00 01 00 00 00|"; distance:0; reference:md5,b4dd0283c73d0b288e7322b95df0cb1b; classtype:trojan-activity; sid:2019207; rev:1; metadata:created_at 2014_09_22, updated_at 2014_09_22;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Linux/BillGates Checkin Response"; flow:established,from_server; dsize:20; content:"|08 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 e8 fd 00 00|"; reference:md5,b4dd0283c73d0b288e7322b95df0cb1b; classtype:trojan-activity; sid:2019208; rev:1; metadata:created_at 2014_09_22, updated_at 2014_09_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Neutrino ping"; flow:to_server,established; content:"POST"; http_method; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"ping=1|0a|"; depth:7; http_client_body; fast_pattern; content:"Content-Length|3a 20|7|0d 0a|"; nocase; http_header; threshold: type both, count 1, seconds 60, track by_src; metadata: former_category TROJAN; reference:md5,bef57db893b54c5605d0e3e7d50d6d70; reference:md5,bf555378d935de805f39c2d2d965a888; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:trojan-activity; sid:2019211; rev:3; metadata:created_at 2014_09_22, updated_at 2017_03_29;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET TROJAN Bossabot DDoS tool RFI attempt"; flow:to_server,established; content:"POST"; http_method; content:"php?-d|20|allow_url"; http_uri; fast_pattern; content:"auto_prepend_file|3d|php|3a 2f|"; http_uri; content:"<?php|0d 0a|"; depth:7; http_client_body; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3476&p=23965#p23965; reference:url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823; classtype:trojan-activity; sid:2019212; rev:1; metadata:created_at 2014_09_22, updated_at 2014_09_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 2"; flow:to_server,established; content:"|12 12|"; offset:2; depth:2; content:!"|12 12|"; within:2; content:"|12 12|"; distance:2; within:2; content:!"|12 12|"; within:2; content:"|12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12|"; pcre:"/[^\x12][^\x4e\x38\x39\x2f\x6e\x28\x29\x30\x2d\x2e\x2c\x3e\x31\x18][\x40-\x48\x4a-\x4d\x31-\x34\x3a-\x3c\x3f\x50-\x5f\x60-\x6c\x6f\x73-\x7f\x70\x71\x20-\x27\x2a\x2b]{1,14}\x12/R"; reference:md5,00ccc1f7741bb31b6022c6f319c921ee; classtype:trojan-activity; sid:2019202; rev:3; metadata:created_at 2014_09_22, updated_at 2014_09_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 3"; flow:to_server,established; content:"|33 33|"; offset:2; depth:2; content:!"|33 33|"; within:2; content:"|33 33|"; distance:2; within:2; content:!"|33 33|"; within:2; content:"|33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33|"; pcre:"/[^\x33][^\x6f\x19\x18\x0e\x4f\x09\x08\x11\x0c\x0f\x0d\x1f\x10\x39][\x00-\x07\x0b\x0a\x1e\x1d\x12\x13\x15\x10\x1b\x1a\x54-\x5f\x50-\x52\x40-\x4b\x4d\x4e\x70-\x7f\x60-\x67\x69-\x6d]{1,14}\x33/R"; reference:md5,c150f9738142278e2d39417a7ef53cae; classtype:trojan-activity; sid:2019203; rev:2; metadata:created_at 2014_09_22, updated_at 2014_09_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET ![445,139] (msg:"ET TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND)"; flow:to_server,established; content:"|18 18|"; offset:2; depth:2; content:!"|18 18|"; within:2; content:"|18 18|"; distance:2; within:2; content:!"|18 18|"; within:2; content:"|18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18|"; pcre:"/[^\x18][^\x44\x32\x33\x25\x64\x22\x23\x3a\x27\x24\x26\x34\x3b\x12][\x20\x21\x28-\x2f\x70-\x77\x79-\x7f\x60-\x63\x65\x66\x67-\x6f\x50-\x5f\x40-\x42\x46-\x4f\x30\x31\x35\x36\x38\x3e\x39\x3b]{1,14}\x18/R"; reference:md5,16549f8a09fd5724f2107a8f18dca10b; classtype:trojan-activity; sid:2019204; rev:10; metadata:created_at 2014_09_22, updated_at 2016_11_22;)

alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture)"; flow:established; content:!"GET|20|"; content:"|FF D8 FF E0 00 10 4A 46 49 46|"; content:"|00|CAP|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00cap\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:2019214; rev:2; metadata:created_at 2014_09_23, updated_at 2014_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Microphone)"; flow:from_client,established; content:"|00|MIC|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00mic\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:2019215; rev:3; metadata:created_at 2014_09_23, updated_at 2014_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Message)"; flow:from_client,established; content:"|00|MSG|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00msg\x7c/i";  reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:2019216; rev:3; metadata:created_at 2014_09_23, updated_at 2014_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Remote Shell)"; flow:from_client,established; content:"|00|rs|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00rs\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:2019217; rev:3; metadata:created_at 2014_09_23, updated_at 2014_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Services Listing)"; flow:from_client,established; content:"|00|srv|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00srv\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:2019218; rev:3; metadata:created_at 2014_09_23, updated_at 2014_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Registry Listing)"; flow:from_client,established; content:"|00|RG|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00rg\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:2019219; rev:3; metadata:created_at 2014_09_23, updated_at 2014_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Process Listing)"; flow:from_client,established; content:"|00|proc|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00proc\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:2019220; rev:3; metadata:created_at 2014_09_23, updated_at 2014_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (File Manager Actions)"; flow:from_client,established; content:"|00|fm|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00fm\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:2019221; rev:3; metadata:created_at 2014_09_23, updated_at 2014_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Keylogging)"; flow:from_client,established; content:"|00|kl|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00kl\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:2019222; rev:3; metadata:created_at 2014_09_23, updated_at 2014_09_23;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (UPATRE CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 82 1f ee 3e 8f cb 87 80|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019225; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_23, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/Yangji.A Checkin"; flow:established,to_server; dsize:1024; content:"cngameanti|7c|"; depth:11; pcre:"/^\x2d?\d/R"; reference:md5,b5badeb16414cba66999742601c092b8; classtype:trojan-activity; sid:2019229; rev:1; metadata:created_at 2014_09_24, updated_at 2014_09_24;)

alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Tinba DGA NXDOMAIN Responses"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|03|com"; distance:15; within:4; fast_pattern; content:"|0c|"; distance:-17; within:1; pcre:"/^[a-z]{12}/R"; threshold: type both, track by_src, count 50, seconds 10; content:!"|08|sophosxl|03|"; reference:md5,1044af21a7c4cbc291ab418a47de52b4; reference:url,seculert.com/blog/2014/09/tiny-tinba-trojan-could-pose-big-threat.html; reference:url,garage4hackers.com/entry.php?b=3086; classtype:trojan-activity; sid:2019230; rev:2; metadata:created_at 2014_09_24, updated_at 2014_09_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [443,$HTTP_PORTS] (msg:"ET TROJAN Pushdo v3 Checkin"; flow:established,to_server; dsize:20; content:"|02 00 00 00|"; depth:4; reference:md5,776d6c20a7016cb0f0db354785fe0d71; classtype:trojan-activity; sid:2019235; rev:1; metadata:created_at 2014_09_24, updated_at 2014_09_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Infostealer.Boleteiro checking stolen boleto payment information"; flow:to_server,established; content:"Vencimento="; fast_pattern:only; http_uri; content:"&Valor="; http_uri; content:"&Sacado="; http_uri; content:"&URL="; http_uri; content:"&Browser=Chrome"; http_uri; reference:md5,3cffb955c08f6c1546bfeae37a215787; reference:url,symantec.com/security_response/writeup.jsp?docid=2014-091718-2034-99&tabid=2; classtype:trojan-activity; sid:2019243; rev:2; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/DDoS.M distributed via CVE-2014-6271 Checkin"; flow:established,to_server; content:"BUILD "; depth:6; pcre:"/^(?:MIPS(?:EL)?|POWERPC|ARM|X86)\x0a$/R"; flowbits:set,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; classtype:trojan-activity; sid:2019242; rev:2; metadata:created_at 2014_09_26, updated_at 2014_09_26;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf ac 1a b8 3d 7f 11 16|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|06|debian"; distance:1; within:7; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019279; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_26, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf ac 1a b8 3d 7f 11 16|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|06|debian"; distance:1; within:7; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019280; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_26, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BlackEnergy v2 POST Request"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"id="; http_client_body; content:"&bid="; http_client_body; content:"&dv="; http_client_body; content:"&dpv="; http_client_body; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:url,f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf; reference:md5,948cd0bf83a670c05401c8b67d2eb310; classtype:trojan-activity; sid:2019281; rev:1; metadata:created_at 2014_09_26, updated_at 2014_09_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BlackEnergy POST Request"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"id="; depth:3; http_client_body; content:"&bid="; distance:0; http_client_body; fast_pattern; content:"&t="; distance:0; http_client_body; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:url,f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf; reference:md5,72372ffac0ee73dc8b6d237878e119c1; classtype:trojan-activity; sid:2019283; rev:1; metadata:created_at 2014_09_26, updated_at 2014_09_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Job314 EK Payload Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/knock"; depth:6; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:"Mozilla/5.0 (X11|3b| Ubuntu|3b| Linux x86_64|3b| rv|3a|15.0) Gecko/20100101 Firefox/15.0.1"; http_header; classtype:trojan-activity; sid:2019286; rev:2; metadata:created_at 2014_09_26, updated_at 2014_09_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/ShellshockCampaign.DDOSBot Reporting IP"; flow:established,to_server; dsize:<24; content:"My IP|3A| "; depth:7; pcre:"/My\x20IP\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x0A/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:trojan-activity; sid:2019294; rev:1; metadata:created_at 2014_09_29, updated_at 2014_09_29;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Linux/ShellshockCampaign.DDOSBot Get Bot IP CnC Server Message"; flow:established,to_client; dsize:13; content:"! GETLOCALIP|0A|"; depth:13; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:trojan-activity; sid:2019295; rev:2; metadata:created_at 2014_09_29, updated_at 2014_09_29;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Linux/ShellshockCampaign.DDOSBot Ping CnC Server Message"; flow:established,to_client; dsize:7; content:"! PING|0A|"; depth:7; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:trojan-activity; sid:2019296; rev:2; metadata:created_at 2014_09_29, updated_at 2014_09_29;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Linux/ShellshockCampaign.DDOSBot Scanner CnC Server Message"; flow:established,to_client; dsize:12<>15; content:"! SCANNER "; depth:10; pcre:"/\x21\x20SCANNER\x20(ON|OFF)\x0A/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:trojan-activity; sid:2019297; rev:2; metadata:created_at 2014_09_29, updated_at 2014_09_29;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Linux/ShellshockCampaign.DDOSBot Execute Shell Command CnC Server Message"; flow:established,to_client; content:"! SH"; depth:4; pcre:"/^[^\r\n]+?\n$/R"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:trojan-activity; sid:2019298; rev:2; metadata:created_at 2014_09_29, updated_at 2014_09_29;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Linux/ShellshockCampaign.DDOSBot Random Byte Flood CnC Server Message"; flow:established,to_client; content:"! JUNK "; depth:7; pcre:"/\x21\x20JUNK\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:trojan-activity; sid:2019299; rev:2; metadata:created_at 2014_09_29, updated_at 2014_09_29;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Linux/ShellshockCampaign.DDOSBot UDP Flood CnC Server Message"; flow:established,to_client; content:"! UDP "; depth:6; pcre:"/\x21\x20UDP\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:trojan-activity; sid:2019300; rev:2; metadata:created_at 2014_09_29, updated_at 2014_09_29;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Linux/ShellshockCampaign.DDOSBot TCP Flood CnC Server Message"; flow:established,to_client; content:"! TCP "; depth:6; pcre:"/\x21\x20TCP\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:trojan-activity; sid:2019301; rev:2; metadata:created_at 2014_09_29, updated_at 2014_09_29;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Linux/ShellshockCampaign.DDOSBot HOLD TCP Flood CnC Server Message"; flow:established,to_client; content:"! HOLD "; depth:7; pcre:"/\x21\x20HOLD\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:trojan-activity; sid:2019302; rev:2; metadata:created_at 2014_09_29, updated_at 2014_09_29;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Linux/ShellshockCampaign.DDOSBot Kill Attack CnC Server Message"; flow:established,to_client; dsize:11; content:"! KILLATTK|0A|"; depth:11; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:trojan-activity; sid:2019303; rev:2; metadata:created_at 2014_09_29, updated_at 2014_09_29;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Linux/ShellshockCampaign.DDOSBot Terminate Process CnC Server Message"; flow:established,to_client; dsize:12; content:"! LOLNOGTFO|0A|"; depth:12; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:trojan-activity; sid:2019304; rev:2; metadata:created_at 2014_09_29, updated_at 2014_09_29;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Dyre SSL Cert 1"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fb 2d 8e ea 67 c4 08 ea|"; distance:0; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,edaaaa6527a6f42c96f27ce2e427cd39; classtype:trojan-activity; sid:2019305; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Dyre SSL Cert 2"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 8b 77 b3 d1 92 8c 7d 48|"; distance:0; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,edaaaa6527a6f42c96f27ce2e427cd39; classtype:trojan-activity; sid:2019306; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Dyre SSL Cert 3"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9b f5 c0 6b 03 3a 00 3f|"; distance:0; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,510b4db9aa400583e7927afa5f956179; classtype:trojan-activity; sid:2019307; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_29, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 20000: (msg:"ET TROJAN Sourtoff Download Simda Request"; flow:established,to_server; dsize:18; content:"|0a 10|"; depth:2; flowbits:set,ET.TROJAN.Sourtoff; flowbits:noalert; reference:md5,5469af0daa10f8acbe552cd2f1f6a6bb; classtype:trojan-activity; sid:2019312; rev:2; metadata:created_at 2014_09_29, updated_at 2014_09_29;)

alert tcp $EXTERNAL_NET 20000: -> $HOME_NET 1024: (msg:"ET TROJAN Sourtoff Receiving Simda Payload"; flow:established,from_server; flowbits:isset,ET.TROJAN.Sourtoff; dsize:1300<>1500; content:"|0a c0|"; depth:2; metadata: former_category TROJAN; reference:md5,5469af0daa10f8acbe552cd2f1f6a6bb; classtype:trojan-activity; sid:2019313; rev:3; metadata:created_at 2014_09_29, updated_at 2018_01_08;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 75 2c 71 a2 5b fd 9f|"; within:35; content:"|55 04 07|"; distance:0; content:"|07|Houston"; distance:1; within:8; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019316; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_29, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (UPATRE CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 cb f9 86 23 19 20 43 f0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019317; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_29, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (Country Code ISO 3166-1 alpha-2"; flow:established,to_server; content:"NICK"; depth:5; pcre:"/^[^\r\n]{0,7}\b(?:M[ACDEFGHKLMNOPQRSTUVWXYZ]|B[ABDEFGHIJLMNOQRSTVWYZ]|S[ABCDEGHIJKLMNORSTVXYZ]|C[ACDFGHIKLMNORUVWXYZ]|G[ABDEFGHILMNPQRSTUWY]|A[DEFGILMOQRSTUWXZ]|T[CDFGHJKLMNORTVWZ]|P[AEFGHKLMNRSTWY]|N[ACEFGILOPRUZ]|K[EGHIMNPRWYZ]|L[ABCIKRSTUVY]|I[DELMNOQRST]|E[CEGHRST]|V[ACEGINU]|D[EJKMOZ]|F[IJKMOR]|H[KMNRTU]|U[AGMSYZ]|R[EOSUW]|J[EMOP]|Z[AMW]|W[FS]|Y[ET]|OM|QA)\b/R"; classtype:trojan-activity; sid:2019326; rev:6; metadata:created_at 2014_10_01, updated_at 2014_10_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (Country Code ISO 3166-1 alpha-3"; flow:established,to_server; content:"NICK"; depth:5; pcre:"/^[^\r\n]{0,7}\b(?:M(?:A[CFR]|D[AGV]|N[EGP]|L[IT]|Y[ST]|[MS]R|CO|EX|HL|KD|OZ|RT|TQ|US|WI)|S(?:L[BEV]|[DEH]N|[JOP]M|G[PS]|V[KN]|W[EZ]|Y[CR]|[MU]R|AU|RB|SD|TP)|B(?:L[MRZ]|R[ABN]|E[LN]|G[DR]|H[RS]|[FW]A|DI|IH|MU|OL|TN|VT)|C(?:O[DGKLM]|H[ELN]|A[FN]|Y[MP]|[IP]V|[MX]R|CK|RI|UB|ZE)|A(?:R[EGM]|T[AFG]|L[AB]|N[DT]|U[ST]|BW|FG|GO|IA|SM|ZE)|G(?:R[CDL]|U[FMY]|I[BN]|N[BQ]|[AM]B|BR|EO|GY|HA|LP|TM)|T(?:U[NRV]|C[AD]|K[LM]|[GT]O|[HZ]A|[OW]N|JK|LS)|P(?:R[IKTY]|A[KN]|[HO]L|CN|ER|LW|NG|SE|YF)|N(?:[CPZ]L|I[CU]|[EO]R|AM|FK|GA|LD|RU)|L(?:B[NRY]|[CKV]A|[AS]O|IE|TU|UX)|I(?:R[LNQ]|S[LR]|[DM]N|ND|OT|TA)|K(?:[AG]Z|[IO]R|EN|HM|NA|WT)|E(?:S[HPT]|CU|GY|RI|TH)|V(?:[ACU]T|EN|GB|IR|NM)|D(?:[MZ]A|EU|JI|NK|OM)|F(?:R[AO]|IN|JI|LK|SM)|H(?:[MN]D|KG|RV|TI|UN)|U(?:[GS]A|KR|MI|RY|ZB)|J(?:AM|EY|OR|PN)|R(?:[EO]U|US|WA)|Z(?:AF|MB|WE)|W(?:LF|SM)|OMN|QAT|YEM)\b/R"; classtype:trojan-activity; sid:2019327; rev:6; metadata:created_at 2014_10_01, updated_at 2014_10_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 7e e9 92 50 35 4f 1e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019328; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 90 47 1b dd 5a 78 af e5|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019329; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_01, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (UPATRE CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b8 ea 18 ab 15 ab 25 ad|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019330; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_01, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cryptolocker Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:11; content:"/random.php"; http_uri; fast_pattern:only; content:!"Accept|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/5."; pcre:"/^\d{2,7}\r\n/R"; reference:md5,01be3fc3243d582d9f93d01401c4f95e; classtype:trojan-activity; sid:2019353; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Reply Sinkhole - irc-sinkhole.cert.pl"; flow:established,from_server; content:"|3a|irc|2d|sinkhole|2e|cert|2e|pl"; nocase; fast_pattern:only; content:"|3a|End of MOTD command|2e|"; classtype:trojan-activity; sid:2019354; rev:1; metadata:created_at 2014_10_06, updated_at 2014_10_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/SpyClicker.ClickFraud CnC Beacon"; flow:established,to_server; content:"GET /feed.dll?pub_id="; depth:21; content:"&ua="; distance:0; content:!"Referer|3A|"; distance:0; content:!"User-Agent|3A|"; distance:0; pcre:"/GET\x20\x2Ffeed\x2Edll\x3Fpub\x5Fid\x3D[^\r\n]*\x26ua\x3D/smi"; reference:url,stopmalvertising.com/malware-reports/anatomy-of-a-net-click-fraud-bot.html; reference:md5,17b077840ab874a8370c98c840b6c671; classtype:trojan-activity; sid:2019355; rev:2; metadata:created_at 2014_10_06, updated_at 2014_10_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN SpyClicker.ClickFraud Query Instructions CnC Response"; flow:established,to_client; content:"|0D 0A 0D 0A|{|22|query|22 3A|"; content:"|22|tasks|22 3A|"; distance:0; content:"|22|referer|22 3A|"; distance:0; content:"|22|useragent|22 3A|"; distance:0; content:"|22|clickurl|22 3A|"; distance:0; reference:url,stopmalvertising.com/malware-reports/anatomy-of-a-net-click-fraud-bot.html; reference:md5,17b077840ab874a8370c98c840b6c671; classtype:trojan-activity; sid:2019357; rev:1; metadata:created_at 2014_10_06, updated_at 2014_10_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e1 57 49 5f fb bc c6 aa|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019360; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 97 31 cd 1f 49 b2 be 4c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019361; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TeslaCrypt)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|www.reomesoess.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019363; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_08, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Ursnif Checkin"; flow:established,to_server; content:"POST"; http_method; content:"|0d 0a|Content-Length|3a 20|2|0d 0a|Connection|3a 20|"; fast_pattern:10,20; http_header; content:!"Referer|3a|"; http_header; content:"no-cache|0d 0a 0d 0a 0d 0a|"; isdataat:!1,relative; pcre:"/^(?:\/\w{3,12}){2,4}\?[a-z]{3,12}=(?:[A-Za-z0-9+/\x20]{4})*(?:[A-Za-z0-9+/\x20]{2}==|[A-Za-z0-9+/\x20]{3}=|[A-Za-z0-9+/\x20]{4})$/U"; reference:md5,dfeaae9cb1bc24ac467411955e48483b; reference:url,csis.dk/en/csis/news/4472/; classtype:trojan-activity; sid:2019377; rev:4; metadata:created_at 2014_10_09, updated_at 2014_10_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:100<>325; content:".php?"; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"/index.php"; http_uri; pcre:"/^\/[a-z]{3,10}\.php\?[a-z]{3,10}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/U"; content:!"desktopad.com"; http_header; content:!"DriverUpdate"; http_header; content:!"act=bkw9"; http_uri; nocase; content:!"mydlink.com"; http_header; reference:md5,cd2d9c7bd5de6d12718785f495ce1bb4; reference:url,csis.dk/en/csis/news/4472/; classtype:trojan-activity; sid:2019378; rev:11; metadata:created_at 2014_10_09, updated_at 2017_02_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/PSW.Papras.CK file upload"; flow:established,to_server; content:"POST"; http_method; content:"name|3d 22|upload_file|22 3b 20|filename|3d 22|"; fast_pattern:6,20; http_client_body; pcre:"/^\x2f[a-zA-Z]{4,}\x2ephp\x3f[a-zA-Z]{2,10}\x3d(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+/U"; reference:md5,5e7cbe7e62a6c5de45092ad0c4852d1a; reference:url,csis.dk/en/csis/news/4472/; classtype:trojan-activity; sid:2019379; rev:2; metadata:created_at 2014_10_09, updated_at 2014_10_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi/Ursnif/Papras Connectivity Check"; flow:established,to_server; content:"GET"; http_method; urilen:13; content:"/usdeclar.txt"; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,5f3530edbe1fce44e05ad0c96e54efb4; reference:md5,279fc5e6181d58f883a15d5089ce541b; reference:url,krebsonsecurity.com/2013/01/three-men-charged-in-connection-with-gozi-trojan/; reference:url,csis.dk/en/csis/news/4472/; classtype:trojan-activity; sid:2019380; rev:3; metadata:created_at 2014_10_09, updated_at 2014_10_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Ursnif Connectivity Check"; flow:established,to_server; content:"GET"; http_method; urilen:21; content:"/proto/netstrings.txt"; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,9134651a7c642798414d867874bdfe2f; reference:url,csis.dk/en/csis/news/4472/; classtype:trojan-activity; sid:2019381; rev:2; metadata:created_at 2014_10_09, updated_at 2014_10_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Neverquest Request URI Struct"; flow:established,to_server; content:"POST"; http_method; content:".php?sid="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\/\d\.php\?sid=[0-9A-F]{32}$/U"; classtype:trojan-activity; sid:2019384; rev:2; metadata:created_at 2014_10_09, updated_at 2014_10_09;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|whaugirls.ru"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019388; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_10, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|server4love|02|ru|00|"; nocase; fast_pattern:only; reference:md5,8d2e901583b60631dc333d4b396e158b; classtype:trojan-activity; sid:2019396; rev:2; metadata:created_at 2014_10_14, updated_at 2014_10_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Bedep Connectivity Check"; flow:established,to_server; content:"GET"; http_method; content:"/stats/eurofxref/eurofxref-hist-90d.xml?"; http_uri; fast_pattern:20,20; pcre:"/\?[a-z0-9]{32}$/U"; content:"Host|3a 20|www.ecb.europa.eu|0d 0a|"; http_header; classtype:trojan-activity; sid:2019400; rev:4; metadata:created_at 2014_10_15, updated_at 2014_10_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/BlackEnergy Dirconf CnC Beacon"; flow:established,to_server; content:"/dirconf/check.php"; http_uri; fast_pattern:only; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r?$/Hmi"; reference:url,www.f-secure.com/weblog/archives/00002721.html; classtype:trojan-activity; sid:2019412; rev:1; metadata:created_at 2014_10_15, updated_at 2014_10_15;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 85 d5 29 cf 78 44 88 25|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019414; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_15, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN FrameworkPOS Covert DNS CnC Beacon 1"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"dc"; nocase; distance:7; content:"|06|beacon"; nocase; offset:12; fast_pattern; pcre:"/^[\x0e-\x1e](?:[a-f0-9]{2}){1,3}(?:dc(?:[a-f0-9]{2}){1,3}){3}.[a-f0-9]{2}/Ri"; reference:md5,a5dc57aea5f397c2313e127a6e01aa00; reference:url,blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html; classtype:trojan-activity; sid:2019454; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN FrameworkPOS Covert DNS CnC Beacon 2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"dc978a97"; nocase; distance:6; content:"|05|alert"; nocase; offset:12; fast_pattern; pcre:"/^[\x08-\xFF](?:[a-f0-9]{2})*?dc978a97/Ri"; reference:md5,a5dc57aea5f397c2313e127a6e01aa00; reference:url,blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html; classtype:trojan-activity; sid:2019455; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vawtrak/NeverQuest Posting Data"; flow:established,to_server; content:"POST"; http_method; content:"/0"; http_uri; content:"/0000"; http_uri; distance:1; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/\/0[0-2](?:\/[^\/]*?)?\/0000[a-fA-F0-9]{4}(?:\/[^\/]*?)?\/[a-fA-F0-9]{8}(?:\?\w+=[a-fA-F0-9]+)?$/U"; content:"Windows NT"; http_header; classtype:trojan-activity; sid:2019457; rev:10; metadata:created_at 2014_10_17, updated_at 2014_10_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Zemot URI Struct"; flow:established,to_server; content:"GET"; http_method; content:"/catalog/"; http_uri; fast_pattern:only; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:!"nap.edu|0d 0a|"; http_header; pcre:"/\/catalog\/\d{3,}$/U"; reference:md5,b8e0b97c8e9faa6e5daa8f0cac845516; classtype:trojan-activity; sid:2019458; rev:2; metadata:created_at 2014_10_17, updated_at 2014_10_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Zemot Requesting PE"; flow:established,to_server; content:"GET"; http_method; content:"/mod_jshoppi"; http_uri; fast_pattern:only; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^\/mod_jshoppi(?:-|ng|\/)/U"; reference:md5,b8e0b97c8e9faa6e5daa8f0cac845516; classtype:trojan-activity; sid:2019459; rev:1; metadata:created_at 2014_10_17, updated_at 2014_10_17;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|13|www.arrystreamre.ru"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019466; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_17, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Spy.KeyLogger.ODN Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:19; content:"/newage.txt"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:md5,4e83c405f35efd128ab8c324c12dbde9; classtype:trojan-activity; sid:2019467; rev:2; metadata:created_at 2014_10_17, updated_at 2014_10_17;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b4 9e 90 15 d2 12 7f c0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019477; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_20, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dridex POST Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:>20; content:"Content-Type|3a 20|octet/binary|0d 0a|Accept|3a 20|*/*|0d 0a|"; http_header; fast_pattern:7,20; content:!"Referer|3a|"; http_header; content:!"Accept-Encoding|3a|"; http_header; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r\nConnection\x3a[^\r\n]+?\r\nUser-Agent\x3a[^\r\n]+?\r\nContent-Type\x3a\x20octet\/binary\r\nAccept\x3a\x20\*\/\*\r\nAccept-Language\x3a[^\r\n]+?\r\nContent-Length\x3a\x20\d+?\r\n(?:\r\n)?$/H"; reference:md5,68459c32587e08d953d319ceb2d0888b; classtype:trojan-activity; sid:2019478; rev:1; metadata:created_at 2014_10_20, updated_at 2014_10_20;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible IRCBot.DDOS Common Commands"; flow:established,to_client; content:"PRIVMSG "; depth:8; pcre:"/^[^\r\n]*?\x3a[^\r\n]*?(?:port(?:scan)?|udp[1-3]|tcp|http|download)[^\r\n]+?(?:\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}|https?\x3A\x2F\x2F)/Ri"; reference:md5,ef54080af1782dd29356032b7ff20849; classtype:trojan-activity; sid:2019471; rev:3; metadata:created_at 2014_10_20, updated_at 2014_10_20;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible IRC Bot Common PRIVMSG Commands"; flow:established,to_client; content:"PRIVMSG "; depth:8; pcre:"/^[^\r\n]*?(?:p[ao]rt|udp|c?tcp|http|d(?:ie|ownload)|mail|c?back|(?:msg|notice)?flood)/Ri"; classtype:trojan-activity; sid:2019486; rev:1; metadata:created_at 2014_10_21, updated_at 2014_10_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/24x7Help.ScareWare CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/api/client.asmx/SendData"; http_uri; content:"User-Agent|3A| mFramework HTTPGet"; http_header; fast_pattern:12,18; content:"CFG="; http_client_body; depth:4; content:"&Lng="; http_client_body; distance:0; content:"&sinst="; http_client_body; distance:0; reference:md5,8d2dec745b9ac380beb2a0ea66427d06; classtype:trojan-activity; sid:2019498; rev:2; metadata:created_at 2014_10_23, updated_at 2014_10_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Vawtrak/NeverQuest Server Response"; flow:established,from_server; content:"|0d 0a 0d 0a|ok"; fast_pattern:only; file_data; content:"ok"; within:2; byte_test:1,<,0x1b,0,relative; content:"|00|"; distance:1; within:1; flowbits:isset,ET.Vawtrak; classtype:trojan-activity; sid:2019499; rev:3; metadata:created_at 2014_10_24, updated_at 2014_10_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vawtrak/NeverQuest Posting Data"; flow:established,to_server; content:"POST"; http_method; content:"=0"; http_uri; content:"=0000"; http_uri; distance:3; fast_pattern; content:"Content-Type|3a 20|application/octet-stream|0d 0a|User-Agent"; http_header; content:!"Referer|3a|"; http_header; pcre:"/=0[0-2](?:&\w+=[a-fA-F0-9]{8}){2}&\w+=[a-fA-F0-9]+$/U"; classtype:trojan-activity; sid:2019500; rev:1; metadata:created_at 2014_10_24, updated_at 2014_10_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vawtrak/NeverQuest Posting Data"; flow:established,to_server; content:"POST"; http_method; content:"/0"; http_uri; content:"0000"; http_uri; distance:1; within:4; fast_pattern; content:"Content-Type|3a 20|application/octet-stream|0d 0a|User-Agent"; http_header; content:!"Referer|3a|"; http_header; pcre:"/0[0-2]0000[a-fA-F0-9]{16,}$/U"; classtype:trojan-activity; sid:2019501; rev:1; metadata:created_at 2014_10_24, updated_at 2014_10_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Wonton-JH Checkin"; flow:established,to_server; content:"POST"; http_method; content:".asp?M00="; http_uri; fast_pattern; content:"User-Agent|3a 20|Mozilla/4.0 (Compatible|3b| MSIE 6.0|3b 29 0d 0a|"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.asp\?M00=\d+$/U"; reference:url,blog.cylance.com/emerging-threat-alert-cve-2014-4114; reference:md5,37ca2ecb5e1fc89f73c6adc188ff685d; classtype:trojan-activity; sid:2019502; rev:1; metadata:created_at 2014_10_24, updated_at 2014_10_24;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN BlackEnergy SSL Cert"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9a ba cb 13 6d 76 5b 79|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/sandworm-to-blacken-the-scada-connection; classtype:trojan-activity; sid:2019504; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN BlackEnergy SSL Cert"; flow:from_server,established; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0b|"; distance:0; content:"|07|NETWORK"; distance:1; within:8; content:"|55 04 03|"; distance:0; content:"|0d|144.76.119.48"; distance:1; within:14; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/sandworm-to-blacken-the-scada-connection; classtype:trojan-activity; sid:2019505; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_24, updated_at 2016_07_01;)

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET TROJAN DNS Reply Sinkhole - IP - 161.69.13.44"; content:"|00 01 00 01|"; content:"|00 04 A1 45 0D 2C|"; distance:4; within:6; content:!"|07|sa-live|03|com"; classtype:trojan-activity; sid:2019508; rev:3; metadata:created_at 2014_10_27, updated_at 2014_10_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN JST Perl IrcBot download"; flow:to_client,established; file_data; content:"JST Perl IrcBot"; fast_pattern:only; content:!"<html"; reference:url,pastebin.com/HK8riv9Q; reference:url,www.binarydefense.com/bds/active-shellshock-smtp-botnet-campaign/; reference:md5,77a6c50a06b59df0f3d099b1819a01d9; classtype:trojan-activity; sid:2019509; rev:1; metadata:created_at 2014_10_27, updated_at 2014_10_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Siggen.Dropper CnC Beacon"; flow:established,to_server; content:".jpg?log="; fast_pattern:only; http_uri; content:"&ts="; offset:11; http_uri; content:"&act="; distance:0; http_uri; content:"client|3a 20|"; http_header; content:!"Referer|3a|"; http_header; reference:md5,ee363de2168aab353c829434189350e4; classtype:trojan-activity; sid:2019515; rev:1; metadata:created_at 2014_10_27, updated_at 2014_10_27;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Backoff CnC)"; flow:from_server,established; content:"|55 04 08|"; content:"|0a|Some-State"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|0d|cyberwise.biz"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019516; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0e|rikitifer.info"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019517; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_27, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Win32/Chanitor.A Domain in SNI"; flow:established,to_server; content:"svcz25e3m4mwlauz."; fast_pattern:only; classtype:trojan-activity; sid:2019518; rev:1; metadata:created_at 2014_10_27, updated_at 2014_10_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Chanitor.A DNS Lookup "; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|svcz25e3m4mwlauz"; fast_pattern; nocase; distance:0; classtype:trojan-activity; sid:2019519; rev:1; metadata:created_at 2014_10_27, updated_at 2014_10_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sednit/AZZY Checkin"; flow:established,to_server; content:"POST"; http_method; content:!"Content-Type|3a|"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; content:"/"; offset:1; http_uri; content:"User-Agent|3a 20|MSIE|20|"; depth:17; http_header; fast_pattern; pcre:"/^User-Agent\x3a MSIE \d+\.\d+\r\n/Hi"; pcre:"/\/$/U"; reference:md5,7c373c607c8724f8be461d61016ed272; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; reference:url,securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/; classtype:trojan-activity; sid:2019534; rev:3; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN OLDBAIT Checkin sptr"; flow:established,to_server; content:"/~"; http_uri; depth:2; content:"/cgi-bin/sptr.cgi?"; http_uri; content:"_"; http_uri; reference:md5,3983c859a217740bf9c5dd67a4647a9d; reference:md5,771bfe5d64138ef4e11e969b408ee0d7; reference:url,thegoldenmessenger.blogspot.de/2012/12/3-disclosure-of-another-0day-malware.html; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019535; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN OLDBAIT Checkin 2 brvc"; flow:established,to_server; content:"/~"; http_uri; depth:2; content:"/cgi-bin/brvc.cgi?"; http_uri; content:"_"; http_uri; reference:md5,3983c859a217740bf9c5dd67a4647a9d; reference:md5,771bfe5d64138ef4e11e969b408ee0d7; reference:url,thegoldenmessenger.blogspot.de/2012/12/3-disclosure-of-another-0day-malware.html; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019536; rev:5; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Chopstick Checkin (APT28 Related)"; flow:to_server,established; content:"POST"; http_method; content:"/webhp?rel="; http_uri; fast_pattern; content:"ai="; http_uri; distance:0; pcre:"/^(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=|[A-Za-z0-9_-]{4})+/Rm"; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; reference:md5,6fc8602c8b3a18765bb6d2307d8a4ae1; classtype:trojan-activity; sid:2019537; rev:1; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ransom.Win32.Blocker.fwlm Checkin"; flow:established,to_server; dsize:>500; content:"GET "; depth:4; content:".bin HTTP/1."; distance:493; within:12; fast_pattern; content:!"Referer|3a|"; distance:0; pcre:"/^GET \/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\.bin HTTP\/1\./"; reference:url,vxsecurity.sg/2014/10/25/technical-teardown-hongkong-protest-malware/; classtype:trojan-activity; sid:2019538; rev:1; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Coreshell Checkin (APT28 Related)"; flow:to_server,established; content:"POST"; http_method; content:"/~xh/sn.cgi?"; http_uri; fast_pattern; pcre:"/\/~xh\/sn\.cgi\?(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+$/Ui"; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; reference:md5,272f0fde35dbdfccbca1e33373b3570d; classtype:trojan-activity; sid:2019539; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sofacy Request Outbound"; flow:established,to_server; content:"/?"; http_uri; content:"&ai="; http_uri; fast_pattern:only; content:!"Referer"; http_header; content:"Windows NT"; http_header; content:!"&adurl="; http_uri; pcre:"/^\/[a-z]+?\/\?(?:[a-z]+?=[A-Za-z0-9\x5f\x2d]+&){1,}ai=[^&]{5}(?:[A-Za-z0-9\x5f\x2d]{4})*(?:[A-Za-z0-9\x5f\x2d]{2}==|[A-Za-z0-9\x5f\x2d]{3}=|[A-Za-z0-9\x5f\x2d]{4})(?:&|$)/U"; classtype:trojan-activity; sid:2019545; rev:1237; metadata:created_at 2014_10_28, updated_at 2016_09_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sofacy HTTP Request adawareblock.com"; flow:established,to_server; content:"Host|3a 20|adawareblock.com|0d 0a|"; http_header; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019546; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sofacy HTTP Request adobeincorp.com"; flow:established,to_server; content:"Host|3a 20|adobeincorp.com|0d 0a|"; http_header; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019547; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sofacy HTTP Request azureon-line.com"; flow:established,to_server; content:"Host|3a 20|azureon-line.com|0d 0a|"; http_header; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019548; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup adawareblock.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|adawareblock|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019564; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup adobeincorp.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|adobeincorp|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019565; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sofacy HTTP Request checkmalware.info"; flow:established,to_server; content:"Host|3a 20|checkmalware.info|0d 0a|"; http_header; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019549; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup azureon-line.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|azureon-line|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019566; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup checkmalware.info"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|checkmalware|04|info|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019567; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sofacy HTTP Request checkwinframe.com"; flow:established,to_server; content:"Host|3a 20|checkwinframe.com|0d 0a|"; http_header; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019550; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup checkwinframe.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|checkwinframe|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019568; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup check-fix.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|check-fix|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019569; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup hotfix-update.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|hotfix-update|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019570; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sofacy HTTP Request check-fix.com"; flow:established,to_server; content:"Host|3a 20|check-fix.com|0d 0a|"; http_header; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019551; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup microsofi.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|microsofi|03|org|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019571; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup microsof-update.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|microsof-update|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019572; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sofacy HTTP Request hotfix-update.com"; flow:established,to_server; content:"Host|3a 20|hotfix-update.com|0d 0a|"; http_header; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019552; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup scanmalware.info"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|scanmalware|04|info|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019573; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup secnetcontrol.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|secnetcontrol|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019574; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup securitypractic.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|securitypractic|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019575; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup symanttec.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|symanttec|03|org|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019576; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sofacy HTTP Request microsofi.org"; flow:established,to_server; content:"Host|3a 20|microsofi.org|0d 0a|"; http_header; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019553; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup testservice24.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|testservice24|03|net|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019577; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sofacy HTTP Request microsof-update.com"; flow:established,to_server; content:"Host|3a 20|microsof-update.com|0d 0a|"; http_header; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019554; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup testsnetcontrol.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|testsnetcontrol|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019578; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup updatepc.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|updatepc|03|org|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019579; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sofacy HTTP Request scanmalware.info"; flow:established,to_server; content:"Host|3a 20|scanmalware.info|0d 0a|"; http_header; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019555; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup updatesoftware24.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|updatesoftware24|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019580; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup windows-updater.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|windows-updater|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019581; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sofacy HTTP Request secnetcontrol.com"; flow:established,to_server; content:"Host|3a 20|secnetcontrol.com|0d 0a|"; http_header; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019556; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup checkmalware.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|checkmalware|03|org|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019582; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sofacy HTTP Request securitypractic.com"; flow:established,to_server; content:"Host|3a 20|securitypractic.com|0d 0a|"; http_header; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019557; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sofacy HTTP Request testservice24.net"; flow:established,to_server; content:"Host|3a 20|testservice24.net|0d 0a|"; http_header; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019558; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sofacy HTTP Request testsnetcontrol.com"; flow:established,to_server; content:"Host|3a 20|testsnetcontrol.com|0d 0a|"; http_header; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019559; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sofacy HTTP Request updatepc.org"; flow:established,to_server; content:"Host|3a 20|updatepc.org|0d 0a|"; http_header; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019560; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sofacy HTTP Request updatesoftware24.com"; flow:established,to_server; content:"Host|3a 20|updatesoftware24.com|0d 0a|"; http_header; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019561; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sofacy HTTP Request windows-updater.com"; flow:established,to_server; content:"Host|3a 20|windows-updater.com|0d 0a|"; http_header; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019562; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sofacy HTTP Request checkmalware.org"; flow:established,to_server; content:"Host|3a 20|checkmalware.org|0d 0a|"; http_header; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019563; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sofacy HTTP Request symanttec.org"; flow:established,to_server; content:"Host|3a 20|symanttec.org|0d 0a|"; http_header; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019583; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN CORESHELL Malware Response from server"; flow:from_server,established; file_data; content:"O|00|K|00 00|"; within:5; pcre:"/^\x00(?:(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))?$/R"; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019584; rev:2; metadata:created_at 2014_10_29, updated_at 2014_10_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sofacy HTTP Request msonlinelive.com"; flow:established,to_server; content:"Host|3a 20|msonlinelive.com|0d 0a|"; http_header; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019585; rev:1; metadata:created_at 2014_10_29, updated_at 2014_10_29;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup msonlinelive.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|msonlinelive|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019586; rev:1; metadata:created_at 2014_10_29, updated_at 2014_10_29;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN W32/ZxShell Server Checkin Response"; flow:established,from_server; dsize:16; content:"|85 19 00 00 25 04 00 00|"; depth:8; reference:url,blogs.cisco.com/talos/opening-zxshell/; classtype:trojan-activity; sid:2019587; rev:1; metadata:created_at 2014_10_29, updated_at 2014_10_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/ZxShell Checkin"; flow:established,from_server; dsize:16; content:"|86 19 00 00 04 01 00 00|"; depth:8; reference:url,blogs.cisco.com/talos/opening-zxshell/; classtype:trojan-activity; sid:2019588; rev:1; metadata:created_at 2014_10_29, updated_at 2014_10_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy Keepalive to CnC (Operation SMN Variant)"; flow:established,to_server; dsize:48; content:"|b6 8b ac d3 d7 e0 e7 36 f0 b5 63 65 1e 1a 31 ae|"; offset:16; depth:16; reference:md5,184a9d13616702154fb10ff9c5d67041; classtype:trojan-activity; sid:2019589; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2014_10_29, malware_family PoisonIvy, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy Keepalive to CnC (Operation SMN Variant)"; flow:established,to_server; dsize:48; content:"|01 ec 7e 05 1d 5f 65 ab db 1c df 93 99 cd 06 21|"; offset:16; depth:16; reference:md5,09d4c2f1f24fbdcb1c286b2f4c5589d2; classtype:trojan-activity; sid:2019590; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2014_10_29, malware_family PoisonIvy, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy Keepalive to CnC (Operation SMN Variant)"; flow:established,to_server; dsize:48; content:"|52 13 34 da 18 3d 2f 45 a2 09 93 52 01 23 51 e3|"; offset:16; depth:16; reference:md5,2b825e46ae60a9d15b5a731e57410425; classtype:trojan-activity; sid:2019592; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2014_10_29, malware_family PoisonIvy, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy Keepalive to CnC (Operation SMN Variant)"; flow:established,to_server; dsize:48; content:"|3e 5c d1 68 e7 8c 47 8c ea 2f da 02 fe 43 62 47|"; offset:16; depth:16; reference:md5,afc4d73bde2a536d7a9b7596288ce180; classtype:trojan-activity; sid:2019593; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2014_10_29, malware_family PoisonIvy, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 4"; flow:to_server,established; content:"|28 28|"; offset:2; depth:2; content:!"|28 28|"; within:2; content:"|28 28|"; distance:2; within:2; content:!"|28 28|"; within:2; content:"|28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28|"; pcre:"/[^\x28][^\x76\x74\x02\x03\x15\x54\x12\x13\x0a\x17\x14\x16\x04\x0b\x22][\x05\x09\x0b\x0e\x08\x06\x1a-\x1f\x10\x11\x18\x19\x40-\x47\x48-\x4f\x50-\x53\x55\x56\x58-\x5e\x60-\x68\x6a-\x6f\x70\x72\x76-\x7e]{1,14}\x28/R"; reference:md5,0c2cb38062e0fb6b040518a384418b7b; classtype:trojan-activity; sid:2019601; rev:6; metadata:created_at 2014_10_30, updated_at 2014_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 43"; flow:to_server,established; dsize:>11; content:"|83 7f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x83\x7f/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5f0c10c1705783d3f32742bce3b2aea5; classtype:trojan-activity; sid:2019602; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_10_30, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a9 39 70 34 44 e2 04 31|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019603; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f0 0e 11 0a 91 e9 ea 72|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019604; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Ropest.H CnC - INBOUND set"; flow:established,from_server; content:"|28 00 00 00 00 01 00 00|"; depth:8; flowbits:set,ET.Zberp; flowbits:noalert; metadata: former_category TROJAN; reference:md5,a0d843b52e33ba4f1dc72f5a28729806; classtype:trojan-activity; sid:2025068; rev:1; metadata:created_at 2014_10_30, updated_at 2017_11_28;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Ropest.H CnC - INBOUND"; flow:established,from_server; flowbits:isset,ET.Zberp; dsize:24; content:"|10 00 00 00 00 01 00 00|"; depth:8; metadata: former_category TROJAN; reference:md5,a0d843b52e33ba4f1dc72f5a28729806; classtype:trojan-activity; sid:2025069; rev:1; metadata:created_at 2014_10_30, updated_at 2017_11_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Poweliks Abnormal HTTP Headers high likelihood of Poweliks infection"; flow:established,to_server; content:"builddate|3a 20|"; http_header; fast_pattern:only; content:"version|3a 20|"; http_header; content:"id|3a 20|"; http_header; content:"GET"; http_method; metadata: former_category TROJAN; classtype:trojan-activity; sid:2019606; rev:3; metadata:created_at 2014_10_30, updated_at 2017_05_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CryptoBot Downloading Files"; flow:established,to_server; content:"GET"; http_method; content:"btc"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\/[a-z]+\.k(?:ey)?btc$/U"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3563; classtype:trojan-activity; sid:2019607; rev:1; metadata:created_at 2014_10_30, updated_at 2014_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN HB_Banker16 Get"; flow:to_server,established; content:"GET"; http_method; content:"Content-Type|3a 20|text/html|0d 0a|Host|3a|"; http_header; depth:30; fast_pattern:10,20; content:!"Referer|3a|"; content:!"Accept-"; http_header; content:!"Indy Library"; http_header; content:"Firefox/12.0"; http_header; pcre:"/^Content-Type\x3a\x20text\/html\r\nHost\x3a\x20[^\r\n]+?\r\nAccept\x3a\x20text\/html,\x20\*\/\*\r\nUser-Agent\x3a\x20[^\r\n]+?\r\n(?:\r\n)?$/H"; classtype:trojan-activity; sid:2019608; rev:2; metadata:created_at 2014_10_30, updated_at 2014_10_30;)

alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Tinba DGA NXDOMAIN Responses (2)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|ru|00|"; distance:15; within:4; fast_pattern; content:"|0c|"; distance:-17; within:1; pcre:"/^[a-z]{12}/R"; threshold:type both, track by_src, count 50, seconds 10; reference:md5,5808cc73c78263a8114eb205f510f6a7; reference:url,blog.malwarebytes.org/exploits-2/2014/10/exposing-the-flash-eitest-malware-campaign/; classtype:trojan-activity; sid:2019609; rev:1; metadata:created_at 2014_10_31, updated_at 2014_10_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible EITest Flash Redirect"; flow:established,to_client; file_data; content:"|20|name=|22|EITest|22 20|"; fast_pattern; reference:url,blog.malwarebytes.org/exploits-2/2014/10/exposing-the-flash-eitest-malware-campaign/; classtype:trojan-activity; sid:2019610; rev:1; metadata:created_at 2014_10_31, updated_at 2014_10_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Hikit Server Authentication Response"; flow:established; content:"ETag|3a 20|"; content:"75BCD15"; fast_pattern:only; pcre:"/^ETag\x3a\x20\x22\d+75BCD15\d+\x3a[a-f0-9]{1,6}/mi"; reference:url,www.novetta.com/files/9914/1446/8050/Hikit_Analysis-Final.pdf; classtype:trojan-activity; sid:2019621; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cohhoc RAT CnC Request"; flow:established,to_server; content:"GET"; http_method; content:"gAAAA"; offset:2; depth:5; http_uri; content:"AAAAAAAAAAAAAAMjAx"; distance:1; within:18; http_uri; content:"MiR"; distance:4; within:3; http_uri; content:!"Referer|3a|"; http_header; reference:url,public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf; classtype:trojan-activity; sid:2019625; rev:2; metadata:created_at 2014_11_03, updated_at 2014_11_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Cohhoc RAT CnC Response"; flow:established,from_server; content:"Content-Length|3a 20|64|0d 0a|"; file_data; content:"gAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; distance:1; within:63; reference:url,public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf; classtype:trojan-activity; sid:2019626; rev:1; metadata:created_at 2014_11_03, updated_at 2014_11_03;)

alert tcp [195.22.26.192/26,195.22.28.192/27,195.38.137.100,195.22.4.21,195.157.15.100,212.61.180.100] 443 -> $HOME_NET any (msg:"ET TROJAN AnubisNetworks Sinkhole SSL Cert lolcat - specific IPs"; flow:established,to_client; content:"|06|lolcat"; fast_pattern:only; flowbits:isnotset,ET.invalid.cab; metadata: former_category TROJAN; classtype:trojan-activity; sid:2019628; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_03, updated_at 2017_03_06;)

#alert tcp $HOME_NET any -> 195.22.26.192/26 any (msg:"ET TROJAN AnubisNetworks Sinkhole TCP Connection"; flow:to_server; classtype:trojan-activity; sid:2019629; rev:2; metadata:created_at 2014_11_03, updated_at 2014_11_03;)

#alert udp $HOME_NET any -> 195.22.26.192/26 any (msg:"ET TROJAN AnubisNetworks Sinkhole UDP Connection";  classtype:trojan-activity; sid:2019632; rev:4; metadata:created_at 2014_11_03, updated_at 2014_11_03;)

alert tcp 195.22.26.192/26 $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN AnubisNetworks Sinkhole HTTP Response - 195.22.26.192/26"; flow:established,to_client; content:"Server|3A|HTTPServerX"; http_header; file_data; content:"14|0D 0A|"; within:4; content:"|0D 0A|0|0D 0A 0D 0A|"; distance:0; classtype:trojan-activity; sid:2019630; rev:1; metadata:created_at 2014_11_03, updated_at 2014_11_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Win32.TrojanProxy Configuration file Download"; flow:established,from_server; file_data; content:"@$@"; fast_pattern; within:3; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x40\x24\x40$/Ri"; reference:url,fireeye.com/blog/technical/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html; classtype:trojan-activity; sid:2019631; rev:1; metadata:created_at 2014_11_03, updated_at 2014_11_03;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN DirectsX Checkin Response"; flow:established,from_server; dsize:25; content:"|19 00 00 00|"; offset:17; depth:4; content:!"|00 00|"; within:2; content:!"|ff ff|"; within:2; reference:url,public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf; classtype:trojan-activity; sid:2019633; rev:1; metadata:created_at 2014_11_03, updated_at 2014_11_03;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ROM/BackOff C2 SSL Cert"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ed fd 42 65 de 77 35 ea|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,blog.fortinet.com/post/rom-a-new-version-of-the-backoff-pos-malware; classtype:trojan-activity; sid:2019635; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_04, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backoff Variant Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?a=start&id="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/&id=[A-F0-9]+$/U"; reference:md5,d8e7983004c5545df6de868bc0c5a947; classtype:trojan-activity; sid:2019636; rev:1; metadata:created_at 2014_11_04, updated_at 2014_11_04;)

alert tcp any any -> $EXTERNAL_NET any (msg:"ET TROJAN Shellshock Backdoor.Perl.Shellbot.F C2"; flow:to_server,established; content:"JOIN #shock 777"; content:"PRIVMSG #shock|20 3a|uid="; distance:0; reference:url,pastebin.com/JpnznR3j; reference:md5,fc230c9f998c196ac6897a979e08c58d; classtype:trojan-activity; sid:2019637; rev:1; metadata:created_at 2014_11_04, updated_at 2014_11_04;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup malwarecheck.info"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|malwarecheck|04|info|00|"; fast_pattern; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-110315-1233-99&tabid=2; classtype:trojan-activity; sid:2019640; rev:1; metadata:created_at 2014_11_04, updated_at 2014_11_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sofacy HTTP Request malwarecheck.info"; flow:established,to_server; content:"Host|3a 20|malwarecheck.info|0d 0a|"; http_header; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-110315-1233-99&tabid=2; classtype:trojan-activity; sid:2019641; rev:1; metadata:created_at 2014_11_04, updated_at 2014_11_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Shellshock Backdoor.Perl.Shellbot.F retrieval"; flow:to_client,established; file_data; content:"#you got shellshocked???"; depth:24; reference:url,pastebin.com/JpnznR3j; reference:md5,fc230c9f998c196ac6897a979e08c58d; classtype:trojan-activity; sid:2019644; rev:1; metadata:created_at 2014_11_05, updated_at 2014_11_05;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Bedep SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; content:"|0b|Company Ltd"; distance:1; within:12; fast_pattern; content:"|55 04 0b|"; content:"|06|office"; distance:1; within:7; reference:url,malware-traffic-analysis.net/2014/11/02/index.html; reference:md5,11837229f834d296342b205433e9bc48; classtype:trojan-activity; sid:2019645; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_05, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Bedep SSL Cert"; flow:established,from_server; content:"|09 00 c9 80 9a 85 50 97 cc 97|"; fast_pattern:only; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; content:"|0b|Company Ltd"; distance:1; within:12; content:"|55 04 0b|"; content:"|06|office"; distance:1; within:7; reference:url,malware-traffic-analysis.net/2014/11/02/index.html; reference:md5,11837229f834d296342b205433e9bc48; classtype:trojan-activity; sid:2019646; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_05, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ff 33 b2 e5 24 44 a4 09|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019648; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_05, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a6 08 2f bd 75 7f 25 39|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019649; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_05, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Spy.Banker.ABCG Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"act="; depth:4; http_client_body; content:"&atom="; distance:0; fast_pattern; http_client_body; content:"&id="; distance:0; http_client_body; content:"User-Agent|3a 20|Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:!"Referer|3a|"; http_header; reference:md5,acad4be4c587b9db9f39268cc4c0c192; reference:md5,b07a6a590c729fcd47ebce37fdd6c90b; classtype:trojan-activity; sid:2019653; rev:1; metadata:created_at 2014_11_05, updated_at 2014_11_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.FakeMS Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:5; content:!"Referer"; http_header; content:"|20|(64|20|=|20|"; http_client_body; content:")|20|EXE|20|=|20|"; distance:1; within:8; http_client_body; pcre:"/^\x5b[^\r\n]+\(64\s=\s\d\)\sEXE\s=/P"; reference:md5,e606e56a222f788ab5cbcf40842cbc39; reference:md5,099dc535bdd09d6a7bc4edabc8ded5de; classtype:trojan-activity; sid:2019654; rev:7; metadata:created_at 2014_11_05, updated_at 2014_11_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN OSX/WireLurker User-agent (globalupdate)"; flow:to_server,established; content:"User-Agent|3a 20|globalupdate"; fast_pattern:only; http_header; flowbits:set,ET.WireLurkerUA; reference:url,researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware; classtype:trojan-activity; sid:2019660; rev:2; metadata:created_at 2014_11_06, updated_at 2014_11_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN OSX/WireLurker Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/mac_log/?appid="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; flowbits:set,ET.WireLurkerUA; reference:url,paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:trojan-activity; sid:2019661; rev:2; metadata:created_at 2014_11_06, updated_at 2014_11_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN OSX/WireLurker CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/getversion.php?sn="; http_uri; fast_pattern:only; content:!"Accept|3a|"; http_header; content:!"Referer|3a|"; http_header; flowbits:set,ET.WireLurkerUA; reference:url,paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:trojan-activity; sid:2019662; rev:2; metadata:created_at 2014_11_06, updated_at 2014_11_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN OSX/WireLurker CnC Beacon"; flow:established,from_server; file_data; content:"|7b 22|result|22 3a 7b 22|version|22 3a 22|"; flowbits:isset,ET.WireLurkerUA; reference:url,paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:trojan-activity; sid:2019663; rev:2; metadata:created_at 2014_11_06, updated_at 2014_11_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN iOS/WireLurker CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/getversion.php?v="; http_uri; fast_pattern:only; content:"&adid="; offset:18; http_uri; content:!"Referer|3a|"; http_header; reference:url,paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:trojan-activity; sid:2019664; rev:1; metadata:created_at 2014_11_06, updated_at 2014_11_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN OSX/WireLurker checkin"; flow:established,to_server; content:"GET"; http_method; content:"/mac/update.zip"; http_uri; reference:url,www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:trojan-activity; sid:2019665; rev:1; metadata:created_at 2014_11_06, updated_at 2014_11_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN OSX/WireLurker HTTP Request for www.comeinbaby.com"; flow:established,to_server; content:"GET"; http_method; content:"Host|3a 20|www.comeinbaby.com"; http_header; reference:url,www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:trojan-activity; sid:2019666; rev:3; metadata:created_at 2014_11_06, updated_at 2014_11_06;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN OSX/WireLurker DNS Query Domain www.comeinbaby.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|comeinbaby|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:trojan-activity; sid:2019667; rev:3; metadata:created_at 2014_11_06, updated_at 2014_11_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e0 62 d9 f2 16 04 d1 be|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019670; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 de 17 24 ba 29 9a a6 c6|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019671; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_07, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ursnif Checkin"; flow:established,to_server; content:"/?user="; http_uri; fast_pattern:only; content:"os="; http_uri; content:"&os2="; http_uri; content:"&ver="; http_uri; content:"&host="; http_uri; content:!"|2e|"; http_uri; content:"type="; http_uri; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2019678; rev:2; metadata:created_at 2014_11_07, updated_at 2014_11_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Archie EK Payload Checkin POST"; flow:established,to_server; content:"POST /"; depth:6; content:"|20|HTTP/1."; distance:0; content:!"Referer|3a|"; distance:0; content:"|0a 0a|integritylvl="; distance:0; content:"&osversion="; distance:0; content:"&iselevated="; distance:0; content:"&iever="; distance:0; content:"&isnet20inst="; distance:0; fast_pattern; reference:md5,41c0cdde6be5166606008b2d02f3a128; classtype:trojan-activity; sid:2019679; rev:1; metadata:created_at 2014_11_07, updated_at 2014_11_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Archie EK Payload Checkin GET"; flow:established,to_server; content:"GET /log?log="; depth:13; content:"|20|HTTP/1."; distance:0; content:!"Referer|3a|"; distance:0; content:!"gigwise.com|0d 0a|"; http_header; content:!"Host|3a| cleanerapp.net"; http_header; reference:md5,41c0cdde6be5166606008b2d02f3a128; classtype:trojan-activity; sid:2019680; rev:3; metadata:created_at 2014_11_07, updated_at 2016_12_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Miuref/Boaxxe Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"bB"; offset:2; depth:2; http_client_body; content:"MqrU"; within:20; http_client_body; content:"VAMU"; within:29; fast_pattern; http_client_body; content:!"Referer|3a|"; http_header; reference:md5,79d1c8c33062324388d3d563f193a43b; reference:md5,ee3c562151cc9181c6d87602bbf0a285; reference:md5,a42797315c50e335f3de87f6cea61b77; classtype:trojan-activity; sid:2019683; rev:5; metadata:created_at 2014_11_07, updated_at 2014_11_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Roficor.A (Darkhotel) Checkin 1"; flow:established,to_server; content:"GET"; http_method; content:"/images/view.php"; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/images\/view\.php$/U"; reference:url,securelist.com/blog/research/66779/the-darkhotel-apt/; classtype:trojan-activity; sid:2019687; rev:1; metadata:created_at 2014_11_10, updated_at 2014_11_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Roficor.A (Darkhotel) Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:"/txt/read.php"; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/txt\/read\.php$/U"; reference:url,securelist.com/blog/research/66779/the-darkhotel-apt/; classtype:trojan-activity; sid:2019688; rev:1; metadata:created_at 2014_11_10, updated_at 2014_11_10;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a9 db 12 6f 49 21 41 f0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019691; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_11, updated_at 2016_07_01;)

alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Emotet DGA NXDOMAIN Responses"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|eu|00|"; distance:19; within:4; fast_pattern; content:"|10|"; distance:-21; within:1; pcre:"/^[a-z]{16}/R"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,3083b68cb5c2a345972a5f79e735c7b9; classtype:trojan-activity; sid:2019692; rev:1; metadata:created_at 2014_11_11, updated_at 2014_11_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Emotet Checkin"; flow:established,to_server; content:"POST"; http_method; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:"/"; offset:1; http_uri; content:"/"; distance:0; http_uri; content:"MSIE 7.0|3b|"; http_header; fast_pattern; content:"Windows NT 6.0"; within:15; http_header; pcre:"/^\/[A-Za-z0-9]+\/[A-Za-z0-9]+\/$/U"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; reference:md5,3083b68cb5c2a345972a5f79e735c7b9; classtype:trojan-activity; sid:2019693; rev:3; metadata:created_at 2014_11_11, updated_at 2014_11_11;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ponmocup Post Infection DNS Lookup intohave"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|intohave|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2019694; rev:1; metadata:created_at 2014_11_11, updated_at 2014_11_11;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ponmocup Post Infection DNS Lookup fasternation"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|fasternation|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2019695; rev:1; metadata:created_at 2014_11_11, updated_at 2014_11_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Emotet CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"<email_accounts_list>"; http_client_body; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php$/U"; reference:md5,e24831e3f808116b30d85731c545e3ee; classtype:trojan-activity; sid:2019704; rev:1; metadata:created_at 2014_11_12, updated_at 2014_11_12;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b9 a5 38 e3 56 d4 39 67|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019708; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e 9b 4d b2 c7 f6 6f f2|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019709; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_14, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN VBS/Autorun.J Checkin"; flow:established,to_server; content:".asp?i=0&v=o10.1"; http_uri; fast_pattern:only; reference:url,microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AVBS%2FAutorun.J#tab=2; classtype:trojan-activity; sid:2019710; rev:1; metadata:created_at 2014_11_14, updated_at 2014_11_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [8000,8003,9004:] (msg:"ET TROJAN W32Autorun.worm.aaeh Checkin"; flow:established,to_server; content:"Host|3a| ns1.help"; pcre:"/^Host\x3a\x20ns1\.help(?:update(?:d\.(?:com?|net?|org?)|k\.(?:at?|eu?|tw)|r\.net|s\.com)|checks\.net)/mi"; reference:url,www.mcafee.com/threat-intelligence/malware/default.aspx?id=1607456; classtype:trojan-activity; sid:2019711; rev:4; metadata:created_at 2014_11_14, updated_at 2014_11_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 15525 (msg:"ET TROJAN W32/Keylogger.CI Checkin"; flow:established,to_server; dsize:5; content:"|47 00 46 00 49|"; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpyWin32/Keylogger.CI#tab=2; reference:url,www.virustotal.com/en/file/95c65d44a2dd717b27c8008470f95fe46637f624b20d9e19e0c06573b94d20f9/analysis/; classtype:trojan-activity; sid:2019712; rev:2; metadata:created_at 2014_11_14, updated_at 2014_11_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Asprox Pizza"; flow:established,to_server; content:"/title.php?pizza="; http_uri; pcre:"/\/title\.php\?pizza=[a-zA-Z0-9+/]{43}/U"; reference:url,www.malware-traffic-analysis.net/2014/10/28/index.html; classtype:trojan-activity; sid:2019713; rev:1; metadata:created_at 2014_11_14, updated_at 2014_11_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Windows executable base64 encoded in XML"; flow: established,from_server; file_data; content:"bin.base64"; nocase; content:"<file"; nocase; content:"<stream"; nocase; content:"<?xml"; nocase; content:"TVqQA"; fast_pattern; pcre:"/^[A-Za-z0-9\s/+]{100}/Rs"; classtype:trojan-activity; sid:2019716; rev:8; metadata:created_at 2014_11_14, updated_at 2014_11_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Alureon Checkin"; flow:established,to_server; content:"winver="; depth:7; content:"&ver="; distance:0; pcre:"/^winver=\d+&ver=\d+$/"; reference:md5,2155b7942ddc6d7a82e7d96a8c594501; classtype:trojan-activity; sid:2019717; rev:1; metadata:created_at 2014_11_17, updated_at 2014_11_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN OSX/WireLurker HTTP Request for manhuaba.com.cn"; flow:established,to_server; content:"GET"; http_method; content:"manhuaba.com.cn"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*?\bmanhuaba\.com\.cn\r?$/Hsmi"; reference:url,researchcenter.paloaltonetworks.com/2014/11/question-wirelurker-attribution-responsible; classtype:trojan-activity; sid:2019731; rev:2; metadata:created_at 2014_11_17, updated_at 2014_11_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN OSX/WireLurker DNS Query Domain manhuaba.com.cn"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|manhuaba|03|com|02|cn|00|"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2014/11/question-wirelurker-attribution-responsible; classtype:trojan-activity; sid:2019718; rev:1; metadata:created_at 2014_11_17, updated_at 2014_11_17;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ce 60 aa 87 c5 4a 56 2f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0f|fvhch6y1sszzgbh"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019720; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ce 63 1a 95 03 94 55 2e|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0c|HAMBURG GMBH"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019721; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_17, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Malware Connectivity Check to Google"; flow:established,to_server; content:"GET / HTTP/1.1|0d 0a|Host|3a| google.com|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|29 0d 0a 0d 0a|"; fast_pattern:76,20; classtype:trojan-activity; sid:2019729; rev:2; metadata:created_at 2014_11_17, updated_at 2014_11_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Likely CryptoWall 2.0 .onion Proxy domain lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|paytordmbdekmizq"; fast_pattern; nocase; distance:0; reference:url,malware-traffic-analysis.net/2014/11/14/index.html; classtype:trojan-activity; sid:2019736; rev:1; metadata:created_at 2014_11_18, updated_at 2014_11_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN AlienSpy RAT Checkin Set"; flow:established,to_server; dsize:4; content:"|ac ed|"; depth:2; flowbits:set,ET.rat.alienspy; flowbits:noalert; reference:url,contagiodump.blogspot.com/2014/11/alienspy-java-rat-samples-and-traffic.html?m=1; classtype:trojan-activity; sid:2019738; rev:2; metadata:created_at 2014_11_18, updated_at 2014_11_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/AlienSpy RAT Checkin"; flow:established,to_server; flowbits:isset,ET.rat.alienspy; content:"|78 70|"; depth:2; content:"|1f 8b 08 00 00 00 00 00 00 00 6d|"; distance:4; within:11; pcre:"/^[\x53\x54]/R"; reference:url,contagiodump.blogspot.com/2014/11/alienspy-java-rat-samples-and-traffic.html?m=1; classtype:trojan-activity; sid:2019739; rev:3; metadata:created_at 2014_11_18, updated_at 2014_11_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/AlienSpy RAT Checkin"; flow:established,to_server; flowbits:isset,ET.rat.alienspy; content:"|78 70|"; depth:2; content:"|1f 8b 08 00 00 00 00 00 00 00 75 54|"; distance:4; within:12; reference:url,contagiodump.blogspot.com/2014/11/alienspy-java-rat-samples-and-traffic.html?m=1; classtype:trojan-activity; sid:2019740; rev:2; metadata:created_at 2014_11_18, updated_at 2014_11_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Matsnu.Backdoor CnC Beacon"; flow:established,to_server; content:"id="; http_uri; content:"&mynum="; http_uri; content:"&ver="; http_uri; content:"&cvr="; http_uri; content:"&threadid="; http_uri; fast_pattern:only; content:"&lang="; http_uri; content:"&os="; http_uri; reference:url,www.seculert.com/blog/2014/11/dgas-a-domain-generation-evolution.html; classtype:trojan-activity; sid:2019741; rev:1; metadata:created_at 2014_11_18, updated_at 2014_11_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ELF_BASHLITE.SMB Dropping Files"; flow:established,to_server; content:"/.ni|67 67|ers/bin"; http_uri; fast_pattern; content:".sh"; http_uri; distance:0; within:5; content:"User-Agent|3a 20|Wget/"; http_header; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/; classtype:trojan-activity; sid:2019747; rev:1; metadata:created_at 2014_11_19, updated_at 2014_11_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bamital Connectivity Check"; flow:established,to_server; content:"GET"; http_method; content:"/ncsi.txt"; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b| MSIE 9.0|3b| Windows NT 6.1|3b| WOW64|3b| Trident/5.0)"; http_header; fast_pattern:62,20; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"Host|3a|"; depth:5; http_header; classtype:trojan-activity; sid:2019754; rev:1; metadata:created_at 2014_11_20, updated_at 2014_11_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bamital Headers - Likely CnC Beacon"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b| MSIE 9.0|3b| Windows NT 6.1|3b| WOW64|3b| Trident/5.0)"; http_header; fast_pattern:62,20; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"Host|3a|"; depth:5; http_header; pcre:"/^Host\x3a[^\r\n]+\r\nAccept\x3a[^\r\n]+\r\nConnection\x3a[^\r\n]+\r\n(?:Pragma|Cache-Control)\x3a[^\r\n]+\r\nUser-Agent\x3a[^\r\n]+\r?$/Hsmi"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2019755; rev:1; metadata:created_at 2014_11_20, updated_at 2017_11_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bamital Checkin"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b| MSIE 9.0|3b| Windows NT 6.1|3b| WOW64|3b| Trident/5.0)"; http_header; fast_pattern:62,20; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; pcre:"/^\/[a-z0-9.&-]+(?:[a-z0-9]{4}-){3}[a-z0-9.&+-]+$/Ii"; classtype:trojan-activity; sid:2019756; rev:1; metadata:created_at 2014_11_20, updated_at 2014_11_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Bamital Checkin Response 1"; flow:established,from_server; file_data; content:"$$$$"; within:4; fast_pattern; pcre:"/^<(?P<var1>[a-z])>[a-z0-9/]+<\/(?P=var1)><(?P<var2>[a-z])>[a-z0-9/]+<\/(?P=var2)>/Ri"; classtype:trojan-activity; sid:2019757; rev:1; metadata:created_at 2014_11_20, updated_at 2014_11_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Bamital Checkin Response 2"; flow:established,from_server; file_data; content:"$$$$"; fast_pattern:only; pcre:"/^<(?P<var1>[a-z])>[a-z0-9/]+<\/(?P=var1)><(?P<var2>[a-z])>[a-z0-9/]+<\/(?P=var2)>$$$$/i"; classtype:trojan-activity; sid:2019758; rev:1; metadata:created_at 2014_11_20, updated_at 2014_11_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Zemot Requesting PE"; flow:established,to_server; content:"GET"; http_method; content:"ho"; http_uri; content:"ping/mod_"; within:10; http_uri; fast_pattern; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/$/U"; reference:md5,08aab7cdbfc2446fbca2a2f350df4ea2; classtype:trojan-activity; sid:2019759; rev:3; metadata:created_at 2014_11_20, updated_at 2014_11_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Rerdom/Asprox CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/b/pkg/"; http_uri; fast_pattern:only; pcre:"/\/b\/pkg\/[A-Za-z0-9]{14,15}$/U"; reference:url,malware-traffic-analysis.net/2014/08/24/index.html; reference:url,www.damballa.com/wp-content/uploads/2014/11/Behind_Malware_Infection_Chain_Rerdom.pdf; classtype:trojan-activity; sid:2019760; rev:1; metadata:created_at 2014_11_20, updated_at 2014_11_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Rogue.Win32/FakePAV Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/?0="; depth:4; http_uri; fast_pattern; content:"=i"; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/\?0=(?:[^&]+?&\d+?=)+?[^=&]+?$/Ui"; reference:md5,6829306e92cfa811b12d9b028eb56a2d; classtype:trojan-activity; sid:2019767; rev:3; metadata:created_at 2014_11_21, updated_at 2014_11_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/AntiBreach Possible Activation Attempt"; flow:established,to_server; content:"/buy.php?id="; http_uri; content:"&sub_id="; http_uri; content:"&install_id="; http_uri; content:"&project_id="; http_uri; content:"&serial="; http_uri; reference:url,www.malware-traffic-analysis.net/2014/11/21/index.html; classtype:trojan-activity; sid:2019771; rev:1; metadata:created_at 2014_11_21, updated_at 2014_11_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CoinVault POST M1"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"hwid="; depth:5; http_client_body; content:"&func="; http_client_body; fast_pattern:only; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; pcre:"/^hwid=[A-F0-9]{4}(?:-[A-F0-9]{4}){7}&func=/P"; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street/; reference:md5,8e1bdc1c484bc03880c67424d80e351d; classtype:trojan-activity; sid:2019776; rev:1; metadata:created_at 2014_11_24, updated_at 2014_11_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CoinVault POST M2"; flow:established,to_server; content:"POST"; http_method; content:!"Referer"; http_header; content:"func=getemailurl"; http_client_body; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street/; reference:md5,8e1bdc1c484bc03880c67424d80e351d; classtype:trojan-activity; sid:2019777; rev:1; metadata:created_at 2014_11_24, updated_at 2014_11_24;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f0 34 4a fb 16 96 9d 25|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|ewgcetiyu"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019786; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e3 90 3b 8c 56 23 94 93|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0b|1234567egeg"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019787; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_24, updated_at 2016_07_01;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Suspicious cvredirect.no-ip.net Domain - CoinLocker Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|cvredirect|05|no-ip|03|net|00|"; fast_pattern; distance:0; nocase; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street; classtype:misc-activity; sid:2019788; rev:2; metadata:created_at 2014_11_24, updated_at 2014_11_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN HTTP Request to a *.cvredirect.no-ip.net domain - CoinLocker Domain"; flow:to_server,established; content:"cvredirect.no-ip.net"; fast_pattern:only; http_header; pcre:"/^Host\x3a[^\r\n]+?cvredirect.no-ip.net/Hmi"; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street; classtype:bad-unknown; sid:2019789; rev:3; metadata:created_at 2014_11_24, updated_at 2014_11_24;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Suspicious cvredirect.ddns.net Domain - CoinLocker Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|cvredirect|04|ddns|03|net|00|"; fast_pattern; distance:0; nocase; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street; classtype:misc-activity; sid:2019790; rev:2; metadata:created_at 2014_11_24, updated_at 2014_11_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN HTTP Request to a *.cvredirect.ddns.net domain - CoinLocker Domain"; flow:to_server,established; content:"cvredirect.ddns.net"; fast_pattern:only; http_header; pcre:"/^Host\x3a[^\r\n]+?cvredirect.ddns.net/Hmi"; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street; classtype:bad-unknown; sid:2019791; rev:1; metadata:created_at 2014_11_24, updated_at 2014_11_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 81 (msg:"ET TROJAN W32/DoubleTap.APT Downloader CnC Beacon"; flow:established,to_server; content:"|05 01 00 01 c0 b8 3c e5 00 51|"; depth:10; reference:url,www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html; classtype:trojan-activity; sid:2019808; rev:2; metadata:created_at 2014_11_25, updated_at 2014_11_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1913 (msg:"ET TROJAN W32/DoubleTap.APT Downloader Socks5 Setup Request"; flow:established,to_server; content:"|05 01 00|"; depth:3; reference:url,www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html; classtype:trojan-activity; sid:2019809; rev:2; metadata:created_at 2014_11_25, updated_at 2014_11_25;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e1 d9 8a 80 b1 c5 98 08|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0f|tvd5w4gytsfheyh"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019810; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|11|b85937-static.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019811; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c1 b6 2a 4d 61 3d fa c6|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|09|vgergvwtd"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019812; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Hesperbot CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ff 02 6f 9a b5 ff c3 9c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019813; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_26, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 f1 2d d7 7c 92 29 6b|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019814; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_26, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d9 5c 3f 2b dc 29 86 c4|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019815; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_26, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Regin Init CnC Beacon TCP"; flow:established,to_server; content:"A"; depth:1; content:"AAA"; distance:1; within:4; base64_decode; base64_data; content:"s"; offset:8; depth:1; content:"h"; distance:8; within:1; content:"i"; distance:8; within:1; content:"t"; distance:8; within:1; reference:url,symantec.com/content/en/us/enterprise/media/security_response/whitepapers/regin-analysis.pdf; reference:url,securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf; classtype:trojan-activity; sid:2019816; rev:2; metadata:created_at 2014_11_26, updated_at 2014_11_26;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Regin Init CnC Beacon UDP"; content:"A"; depth:1; content:"AAA"; distance:1; within:4; base64_decode; base64_data; content:"s"; offset:8; depth:1; content:"h"; distance:8; within:1; content:"i"; distance:8; within:1; content:"t"; distance:8; within:1; reference:url,symantec.com/content/en/us/enterprise/media/security_response/whitepapers/regin-analysis.pdf; reference:url,securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf; classtype:trojan-activity; sid:2019817; rev:1; metadata:created_at 2014_11_26, updated_at 2014_11_26;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e3 73 b3 58 98 16 a7 5b|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0d|cewceawf2c4ed"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019818; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_26, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e7 df 16 fb ce 8d dc 5f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0c|wrgw4r3gwrgh"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019819; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_26, updated_at 2016_07_01;)

alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Regin Init CnC Beacon ICMP"; itype:8; content:"A"; depth:1; content:"AAA"; distance:1; within:4; base64_decode; base64_data; content:"s"; offset:8; depth:1; content:"h"; distance:8; within:1; content:"i"; distance:8; within:1; content:"t"; distance:8; within:1; reference:url,symantec.com/content/en/us/enterprise/media/security_response/whitepapers/regin-analysis.pdf; reference:url,securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf; classtype:trojan-activity; sid:2019820; rev:1; metadata:created_at 2014_11_26, updated_at 2014_11_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Hyteod.Downloader CnC Beacon"; flow:established,to_server; content:"/payment_gateway/"; http_uri; content:".gz"; http_uri; content:"User-Agent|3A| OperaMini|0D 0A|"; http_header; pcre:"/^\x2Fpayment_gateway\x2F[a-z0-9]{3,}\x2Egz$/U"; reference:md5,8258c3d8bab63cacf143cf034e2e7c1a; classtype:trojan-activity; sid:2019824; rev:1; metadata:created_at 2014_12_01, updated_at 2014_12_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Coinminer.Backdoor CnC Beacon"; flow:established,to_server; content:".php?id="; http_uri; content:"User-Agent|3A| Mozzilla/4.0 (copmatible|3B|"; http_header; fast_pattern:12,20; reference:md5,8e29a15caef546aab0f19a9a81732163; classtype:trojan-activity; sid:2019826; rev:1; metadata:created_at 2014_12_01, updated_at 2014_12_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Wadolin.Downloader CnC Beacon"; flow:established,to_server; content:"/upgrade-functions.php?v="; fast_pattern; http_uri; content:"&id="; http_uri; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 6.1|3B| Windows XP)"; http_header; reference:md5,693c007d651bb5a8c6d2a4f5ed65a69c; classtype:trojan-activity; sid:2019827; rev:1; metadata:created_at 2014_12_01, updated_at 2014_12_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan/W32.KRBanker.60928.C Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/upload.php"; http_uri; content:"|0d 0a|Accept-Language|3a| zh-cn|0d 0a|"; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.0|29 0d 0a|"; http_header; content:"name=|22|upload_file1|22 3b 20|"; fast_pattern:only; http_client_body; content:".zip|22 0d 0a|"; http_client_body; content:"Content-Type|3a| application/x-zip-compressed|0d 0a|"; http_client_body; pcre:"/filename=\x22[A-Z]\x3a\\.+?\\[a-f0-9]{32}\.zip\x22\r\n/P"; reference:md5,ec5d7bc9d84551066fff51e36bc41d4d; reference:md5,13bd584bb12ee5dc15c35f5911912b09; classtype:trojan-activity; sid:2019828; rev:2; metadata:created_at 2014_12_01, updated_at 2014_12_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Fin4.InfoStealer Uploading User Credentials CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php?msg="; fast_pattern:only; http_uri; content:"&uname="; http_uri; content:"&pword="; http_uri; reference:url,www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html; classtype:trojan-activity; sid:2019829; rev:3; metadata:created_at 2014_12_01, updated_at 2014_12_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dridex v2 POST Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:>20; content:"Content-Type|3a 20|octet/binary|0d 0a|Accept|3a 20|*/*|0d 0a|"; http_header; fast_pattern:7,20; content:!"Referer|3a|"; http_header; content:!"Accept-Encoding|3a|"; http_header; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r\nConnection\x3a[^\r\n]+?\r\nUser-Agent\x3a[^\r\n]+?\r\nContent-Type\x3a\x20octet\/binary\r\nAccept\x3a\x20\*\/\*\r\nAccept-Language\x3a[^\r\n]+?\r\nAuthorization\x3a\x20Basic[^\r\n]+?\r\nContent-Length\x3a\x20\d+?\r\n(?:\r\n)?$/H"; reference:url,securityblog.s21sec.com/2014/11/dridex-learns-new-trick-p2p-over-http.html; classtype:trojan-activity; sid:2019830; rev:1; metadata:created_at 2014_12_01, updated_at 2014_12_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Syndicasec.Backdoor CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"cstype="; http_client_body; depth:7; content:"&authname="; http_client_body; distance:0; content:"&hostname="; http_client_body; distance:0; content:"&ostype="; http_client_body; distance:0; content:"&owner="; http_client_body; distance:0; reference:url,blogs.mcafee.com/mcafee-labs/operation-mangal-win32syndicasec-used-targeted-attacks-indian-organizations; classtype:trojan-activity; sid:2019831; rev:2; metadata:created_at 2014_12_01, updated_at 2014_12_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Dyre SSL Cert (fake org name)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02 41 55|"; distance:0; content:"|55 04 08|"; distance:0; content:"|0a|Some-State"; distance:1; within:11; content:"|06 03 55 04 0a|"; distance:0; pcre:"/^.{2}(?=[a-z]{0,15}\d)(?P<var>[a-z0-9]{4,16}[01]).+?\x06\x03\x55\x04\x0a.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2019832; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_12_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET TROJAN Possible Dyre SSL Cert (fake state)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02 41 55|"; distance:0; content:"|06 03 55 04 08|"; distance:0; content:!"|0a|Some-State"; distance:1; within:11; pcre:"/^.{2}(?=[A-Z]{0,32}[^A-Z01])(?P<var>[^01]{4,33}[01]).+?\x06\x03\x55\x04\x08.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2019833; rev:6; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_12_01, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN HompesA Activity"; flow:established,to_server; content:"/me/"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; pcre:"/^\/me\/(?:get(?:ref|ua)\.php|videos\.txt)$/U"; reference:md5,8cc58bc4d63f4b78b635d45aa69108f7; classtype:trojan-activity; sid:2019838; rev:1; metadata:created_at 2014_12_02, updated_at 2014_12_02;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|03 15 45 cd|"; within:35; content:"|55 04 03|"; distance:0; content:"|14|static-630567398.com"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019839; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_12_02, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan/MSIL.bfsx Checkin"; flow:to_server,established; content:"/infect"; fast_pattern:only; http_uri; content:".php"; offset:7; http_uri; content:"User-Agent|3a 20|Microsoft|0d 0a|"; http_header; pcre:"/\/infect(?:-\d)?\.php$/U"; reference:md5,506cd65bdd06f41f8219cd1ed78eac7d; reference:md5,0c39b39ee4a59a8ac5fc1df500da2a88; classtype:trojan-activity; sid:2019840; rev:3; metadata:created_at 2014_12_02, updated_at 2014_12_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Swrort.A Checkin 2"; flow:to_server,established; content:"POST /"; depth:6; pcre:"/^[A-Za-z0-9-_]{30,}\/\x20/R"; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.1|3b| Windows NT|29 0d 0a|"; distance:0; content:"|0d 0a 0d 0a|RECV"; distance:0; fast_pattern; reference:md5,61dacbf1fc20af3afdc432a0dd78eaf3; reference:md5,a3ef217825ce310c41e6edaee2db5eb9; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3AWin32/Swrort.A; classtype:trojan-activity; sid:2019841; rev:2; metadata:created_at 2014_12_02, updated_at 2014_12_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vawtrak/NeverQuest Posting Data"; flow:established,to_server; content:"POST"; http_method; content:".php?i="; http_uri; content:"&data="; http_uri; distance:0; content:"&hash="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/&hash=[^&]+$/U"; flowbits:set,ET.Vawtrak; reference:md5,13c982c3b9c1ef714770820ffa278d2e; classtype:trojan-activity; sid:2019843; rev:2; metadata:created_at 2014_12_02, updated_at 2014_12_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Upatre Common URI Struct Dec 01 2014"; flow:established,to_server; content:"GET|20|"; depth:4; content:"-SP"; distance:0; fast_pattern; content:"/0/"; distance:0; content:!"Referer|3a|"; distance:0; content:!"Accept-"; distance:0; pcre:"/^[A-Z]* HTTP\/1\./R"; pcre:"/^Host\x3a[^\r\n]+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a\d{1,5}\r?$/mi"; reference:md5,fd0f57fd1f93c13b7bd63f811ac7939e; classtype:trojan-activity; sid:2019847; rev:7; metadata:created_at 2014_12_03, updated_at 2014_12_03;)

#alert tcp $HOME_NET any -> [88.53.215.64,217.96.33.164,203.131.222.102,208.105.226.235,212.31.102.100,58.185.154.99,200.87.126.116] any (msg:"ET TROJAN Sony Breach Wiper Callout"; flow:established; threshold:type limit,count 2,track by_src,seconds 300; reference:url,krebsonsecurity.com/2014/12/sony-breach-may-have-exposed-employee-healthcare-salary-data; classtype:trojan-activity; sid:2019848; rev:3; metadata:created_at 2014_12_03, updated_at 2014_12_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Sony Breach Wiper Malware Download"; flow:established,to_server; content:"GET"; http_method; content:"/igfxtpers.exe"; http_uri; fast_pattern:only; reference:url,logfile.packetninjas.net/related-malware-to-sony-breach; classtype:trojan-activity; sid:2019849; rev:1; metadata:created_at 2014_12_03, updated_at 2014_12_03;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|doosan-job|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019851; rev:2; metadata:created_at 2014_12_03, updated_at 2014_12_03;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|downloadsservers|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019852; rev:2; metadata:created_at 2014_12_03, updated_at 2014_12_03;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|drivercenterupdate|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019853; rev:2; metadata:created_at 2014_12_03, updated_at 2014_12_03;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|14|easyresumecreatorpro|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019854; rev:2; metadata:created_at 2014_12_03, updated_at 2014_12_03;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|googleproductupdate|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019855; rev:2; metadata:created_at 2014_12_03, updated_at 2014_12_03;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|googleproductupdate|03|net|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019856; rev:2; metadata:created_at 2014_12_03, updated_at 2014_12_03;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0C|kundenpflege|06|menrad|02|de|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019857; rev:3; metadata:created_at 2014_12_03, updated_at 2014_12_03;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|17|microsoftactiveservices|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019858; rev:2; metadata:created_at 2014_12_03, updated_at 2014_12_03;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|microsoftmiddleast|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019859; rev:2; metadata:created_at 2014_12_03, updated_at 2014_12_03;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|16|microsoftonlineupdates|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019860; rev:2; metadata:created_at 2014_12_03, updated_at 2014_12_03;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|15|microsoftserverupdate|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019861; rev:2; metadata:created_at 2014_12_03, updated_at 2014_12_03;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|15|microsoftupdateserver|03|net|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019862; rev:2; metadata:created_at 2014_12_03, updated_at 2014_12_03;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|19|microsoftwindowsresources|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019863; rev:2; metadata:created_at 2014_12_03, updated_at 2014_12_03;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|16|microsoftwindowsupdate|03|net|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019864; rev:2; metadata:created_at 2014_12_03, updated_at 2014_12_03;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|northropgrumman|03|net|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019865; rev:2; metadata:created_at 2014_12_03, updated_at 2014_12_03;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|teledyne-jobs|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019866; rev:2; metadata:created_at 2014_12_03, updated_at 2014_12_03;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|14|windowscentralupdate|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019867; rev:2; metadata:created_at 2014_12_03, updated_at 2014_12_03;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|15|windowssecurityupdate|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019868; rev:2; metadata:created_at 2014_12_03, updated_at 2014_12_03;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|windowsserverupdate|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019869; rev:2; metadata:created_at 2014_12_03, updated_at 2014_12_03;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|windowsupdateserver|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019870; rev:2; metadata:created_at 2014_12_03, updated_at 2014_12_03;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gesunddurchsjahr|02|de|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019871; rev:2; metadata:created_at 2014_12_03, updated_at 2014_12_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Destover RAT Check-in"; flow:established,to_server; content:"|17 03 01 00 0C E2 C4 Fd D9 E8 E3 F2 9F|"; reference:md5,d1c27ee7ce18675974edf42d4eea25c6; reference:url,www.symantec.com/connect/blogs/destover-destructive-malware-has-links-attacks-south-korea; classtype:trojan-activity; sid:2019878; rev:2; metadata:created_at 2014_12_05, updated_at 2014_12_05;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 97 62 ab fb 64 b9 bc de|"; within:35; content:"|55 04 03|"; distance:0; content:"|05|USTiD"; distance:1; within:6; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019879; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_12_05, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Chthonic Check-in"; flow:to_server,established; content:"POST"; http_method; content:" MSIE "; fast_pattern:only; http_header; content:!"Content-Type"; http_header; content:!"Accept-"; http_header; content:!"Referer"; http_header; pcre:"/^\/(?:[a-z]+\/)?$/U"; content:"Accept|3a 20|*/*|0d 0a|User-Agent|3a|"; http_header; depth:24; pcre:"/^Accept\x3a\x20\*\/\*\r\nUser-Agent\x3a\x20Mozilla\/\d+\.\d+\x20\x28compatible\x3b\x20MSIE\x20\d+\.\d+\x3b\x20Windows NT \d+\.\d+\x3b SV1\x29\r\nHost\x3a\x20[^\r\n]+\r\nContent-Length\x3a\x20\d{3,}\r\nConnection\x3a\x20Keep-Alive\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/H"; classtype:trojan-activity; sid:2019881; rev:3; metadata:created_at 2014_12_06, updated_at 2014_12_06;)

alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Dyre DGA NXDOMAIN Responses (.cc)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|cc|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019882; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)

alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Dyre DGA NXDOMAIN Responses (.ws)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|ws|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019883; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)

alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Dyre DGA NXDOMAIN Responses (.to)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|to|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019884; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)

alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Dyre DGA NXDOMAIN Responses (.in)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|in|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019885; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)

alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Dyre DGA NXDOMAIN Responses (.hk)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|hk|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019886; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)

alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Dyre DGA NXDOMAIN Responses (.cn)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|ck|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019887; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)

alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Dyre DGA NXDOMAIN Responses (.tk)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|tk|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019888; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)

alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Dyre DGA NXDOMAIN Responses (.so)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|so|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019889; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ee 63 19 d5 6a 4c 09 cf|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|UA"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019890; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_12_08, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET TROJAN W32/Dridex POST CnC Beacon"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"User-Agent|3A| Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv|3A|11.0) like Gecko|0d 0a|"; http_header; fast_pattern:38,20; content:"Connection|3a 20|Close|0d 0a|"; http_header; content:"Content-Type|3a 20|octet/binary|0d 0a|"; http_header; content:!"Referer|3A|"; http_header; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r?$/Hmi"; metadata: former_category TROJAN; reference:md5,d37256439d5ab7f25561cc390d8aa1ea; classtype:trojan-activity; sid:2019891; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2014_12_08, malware_family Dridex, performance_impact Moderate, updated_at 2017_05_17;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Backdoor.Linux.Turla Download"; flow:from_server,established; flowbits:isset,ET.ELFDownload; content:"__we_are_happy__"; content:"__TREX__STOP__STRING__"; distance:0; content:"/dev/random"; distance:1; within:11; reference:url,securelist.com/blog/research/67962/the-penquin-turla-2/; reference:md5,19fbd8cbfb12482e8020a887d6427315; classtype:trojan-activity; sid:2019896; rev:2; metadata:created_at 2014_12_09, updated_at 2014_12_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN VirRansom/VirLock Checkin"; flow:established,to_server; dsize:4; content:"|94 00 00 00|"; fast_pattern:only; flowbits:set,ET.VirLock; flowbits:noalert; reference:md5,fbeb6ebd498d85b1f404d7bb4acc3b89; classtype:trojan-activity; sid:2019901; rev:1; metadata:created_at 2014_12_09, updated_at 2014_12_09;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN VirRansom/VirLock Checkin Response"; flow:established,from_server; dsize:4; content:"|74 01 00 00|"; fast_pattern:only; flowbits:isset,ET.VirLock; reference:md5,fbeb6ebd498d85b1f404d7bb4acc3b89; classtype:trojan-activity; sid:2019902; rev:1; metadata:created_at 2014_12_09, updated_at 2014_12_09;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Cridex CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e9 00 83 69 b1 31 15 7b|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0b|176.99.6.57"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019906; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_12_10, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Critroni Tor DNS Proxy lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|23bteufi2kcqza2l"; distance:0; nocase; reference:md5,194a931aa49583191eedd19478396ebc; classtype:trojan-activity; sid:2019909; rev:3; metadata:created_at 2014_12_10, updated_at 2014_12_10;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for Cloud Atlas haarmannsi.cz"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|haarmannsi|02|cz|00|"; fast_pattern; distance:0; nocase; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:trojan-activity; sid:2019910; rev:2; metadata:created_at 2014_12_10, updated_at 2014_12_10;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for Cloud Atlas sanygroup.co.uk"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|sanygroup|02|co|02|uk|00|"; fast_pattern; distance:0; nocase; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:trojan-activity; sid:2019911; rev:3; metadata:created_at 2014_12_10, updated_at 2014_12_10;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for Cloud Atlas ecolines.es"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|ecolines|02|es|00|"; fast_pattern; distance:0; nocase; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:trojan-activity; sid:2019912; rev:3; metadata:created_at 2014_12_10, updated_at 2014_12_10;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for Cloud Atlas blackberry-support.herokuapp.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|blackberry-support|09|herokuapp|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:trojan-activity; sid:2019913; rev:3; metadata:created_at 2014_12_10, updated_at 2014_12_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cloud Atlas Request to WebDAV CloudMe"; flow:established,to_server; content:"/CloudDrive/"; nocase; http_uri; content:"webdav.cloudme.com"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+?webdav\.cloudme\.com[^\r\n]*?\r?$/Hmi"; pcre:"/^\/(?:b(?:i(?:llder1405|mm4276)|rowner8674935)|c(?:arter0648|h(?:ak2488|hloe7400)|orn6814)|d(?:aw0996|epp3353)|fr(?:anko7046|ogs6352)|garristone|hurris4124867|james9611|lisa\.walker|parker2339915|sa(?:mantha2064|nmorinostar)|tem5842|young0498814)\/CloudDrive\//Ui"; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:trojan-activity; sid:2019915; rev:2; metadata:created_at 2014_12_10, updated_at 2014_12_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Cloud Atlas CnC Beacon"; flow:established,to_server; content:"POST /check.jsp HTTP/1."; depth:23; content:!"Referer|3a|"; distance:0; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; distance:0; threshold:type limit, count 1, seconds 120, track by_src; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:trojan-activity; sid:2019919; rev:1; metadata:created_at 2014_12_11, updated_at 2014_12_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LinuxNet.perlbot Checkin Via IRC"; flow:to_server,established; content:"NICK|20 7c|GNU|7c 0a|"; depth:12; fast_pattern; content:"USER|20|GNU|20|"; distance:0; within:9; pcre:"/(?:\d{1,3}\.){3}\d{1,3} (?:\d{1,3}\.){3}\d{1,3} \x3a(?:Linux|FreeBSD|SunOS)/R"; content:"|0a|JOIN|20|"; distance:0; classtype:trojan-activity; sid:2019921; rev:1; metadata:created_at 2014_12_11, updated_at 2014_12_11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Dalexis.A Possible SSL Cert (smartoptionsinc.com)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|05 11 32 08 1d 81|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0d|Synology Inc."; distance:1; within:14; reference:md5,ef2f9909c76d32b51598c54d5685af7e; classtype:trojan-activity; sid:2019923; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_12_12, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Dalexis.A Possible SSL Cert (ppc.cba.pl)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|11 00 81 3d 59 00 8d f2 04 04 8c 3a d3 d0 8e 36 d4 2a|"; distance:9; within:40; content:"|55 04 03|"; distance:0; content:"|06|cba.pl"; distance:1; within:7; reference:md5,ef2f9909c76d32b51598c54d5685af7e; classtype:trojan-activity; sid:2019924; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_12_12, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Dalexis.A Possible SSL Cert (cargol.cat)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e3 a7 5c ad 38 d2 d7 fe|"; distance:9; within:30; content:"|55 04 0a|"; distance:0; content:"|13|Tirabol Produccions"; distance:1; within:20; reference:md5,ef2f9909c76d32b51598c54d5685af7e; classtype:trojan-activity; sid:2019925; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_12_12, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN HawkEye Keylogger Report SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a| HawkEye Keylogger"; nocase; reference:md5,3bbd5ae250b2d912a701f8d74d85353b; classtype:trojan-activity; sid:2019926; rev:1; metadata:created_at 2014_12_12, updated_at 2014_12_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Beastdoor Keylogger Report via SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a 20|Keylogger"; content:"Victim IP-"; reference:md5,ad99a0a85e1410559030464aac390969; classtype:trojan-activity; sid:2019927; rev:1; metadata:created_at 2014_12_12, updated_at 2014_12_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Probable Keylogger Report SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a 20|Keylogger"; classtype:trojan-activity; sid:2019928; rev:2; metadata:created_at 2014_12_12, updated_at 2014_12_12;)

alert tcp any any -> any [139,445] (msg:"ET TROJAN Possible Net Crawler SMB Share Access unicode (Operation Cleaver)"; flow:established,to_server; content:"|FF|SMB"; offset:4; depth:4; byte_test:1,!&,0x80,6,relative; content:"|00|_|00|A|00|u|00|t|00|o|00|S|00|h|00|a|00|r|00|e|00|$"; distance:0; reference:md5,8994e16b14cde144a9cebdff685d8676; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019929; rev:1; metadata:created_at 2014_12_12, updated_at 2014_12_12;)

alert tcp any any -> any [139,445] (msg:"ET TROJAN Possible Net Crawler SMB Share Access ascii (Operation Cleaver)"; flow:established,to_server; content:"|FF|SMB"; offset:4; depth:4; byte_test:1,&,0x80,6,relative; content:"_AutoShare$"; distance:0; reference:md5,8994e16b14cde144a9cebdff685d8676; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019930; rev:1; metadata:created_at 2014_12_12, updated_at 2014_12_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Trojan.SpamBanker Report via SMTP"; flow:established,to_server; content:"From|3a|"; content:"Subject|3a 20|Keylogger"; fast_pattern:only; nocase; content:"X-Library|3a 20|Indy"; pcre:"/^Keylogger\r$/m"; reference:md5,9c1aac05bd3212a3abcd7cce9c6c4c77; classtype:trojan-activity; sid:2019931; rev:1; metadata:created_at 2014_12_12, updated_at 2014_12_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Trojan/Win32.Espy Report via SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"SUBJECT|3a| I Q - S P Y KeyLogger ["; content:"victim computer name"; reference:md5,1a9a06b11aa537734931f8098bae6b00; classtype:trojan-activity; sid:2019932; rev:1; metadata:created_at 2014_12_12, updated_at 2014_12_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Trojan/Downloader.Fosniw.sap Reporting via SMTP"; flow:established,to_server; content:"From|3a|"; content:"Subject|3a 20|keylogger(v0."; fast_pattern:only; nocase; content:"@UserName"; content:"@ComputerName"; reference:md5,e36469241764b8c954a700146ca4c43f; classtype:trojan-activity; sid:2019933; rev:1; metadata:created_at 2014_12_12, updated_at 2014_12_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for Known OphionLocker Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|smu743glzfrxsqcl"; fast_pattern; nocase; distance:0; reference:url,f-secure.com/weblog/archives/00002777.html; reference:md5,e17da8702b71dfb0ee94dbc9e22eed8d; classtype:trojan-activity; sid:2019934; rev:1; metadata:created_at 2014_12_12, updated_at 2014_12_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN AutoIt Downloading EXE - Likely Malicious"; flow:established,to_server; content:"GET"; http_method; content:".exe"; nocase; http_uri; content:"User-Agent|3a 20|AutoIt|0d 0a|"; http_header; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/\.exe$/Ui"; classtype:trojan-activity; sid:2019935; rev:1; metadata:created_at 2014_12_15, updated_at 2014_12_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN SpamBanker message"; flow:to_server,established; content:"NEGOCIO_ONLINE|2e|"; fast_pattern:only; nocase; content:"|0d 0a|Content-Disposition|3a| attachment"; content:"filename|3d|"; nocase; distance:0; pcre:"/^[\x22\x27]NEGOCIO_ONLINE(\.(?:zip|exe))[\x27\x22]\x0d\x0a/Ri"; reference:url,tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=36677; classtype:trojan-activity; sid:2019937; rev:3; metadata:created_at 2014_12_15, updated_at 2014_12_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Infostealer.Bancos Sending Stolen info SMTP"; flow:to_server,established; content:"X-Library|3a| Indy"; content:"BIGFONE TOCOU"; fast_pattern:only; content:"Nome Comp"; metadata: former_category TROJAN; reference:md5,f71c41b816eadf221e188f6618798969; classtype:trojan-activity; sid:2019938; rev:1; metadata:tag Banking_Trojan, created_at 2014_12_15, malware_family Bancos, updated_at 2018_04_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 10001 (msg:"ET TROJAN Win32.Bumrat.B Checkin"; flow:established,to_server; dsize:19; content:"|0f 00 00 00|"; depth:4; content:"mconfig_10"; reference:md5,647edeb30a04eeb30b7f8921645c7369; classtype:trojan-activity; sid:2019941; rev:1; metadata:created_at 2014_12_15, updated_at 2014_12_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/TinyZBot Checkin (Operation Cleaver)"; flow:established,to_server; content:"POST"; http_method; content:"/checkupdate.asmx"; http_uri; fast_pattern:only; content:"SOAPAction|3a 20 22|http|3a|//tempuri.org/GetServerTime|22 0d 0a|"; http_header; content:"GetServerTime xmlns=|22|http|3a|//tempuri.org/"; http_client_body; content:!"|0d 0a|Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,68cfc418c72b58b770bdccf19805703e; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019942; rev:2; metadata:created_at 2014_12_15, updated_at 2014_12_15;)

alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET TROJAN ZhCAT.HackTool Operation Cleaver HTTP CnC Beacon"; flow:established,to_server; content:"POST file.php HTTP/1."; depth:21; content:"|20 28 20|compatible"; fast_pattern:only; reference:url,www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019943; rev:3; metadata:created_at 2014_12_15, updated_at 2014_12_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Agent.AIXD Checkin"; flow:to_server,established; content:"/cnc.php?id="; fast_pattern:only; http_uri; content:"&uid="; http_uri; content:"User-Agent|3a| AppleMac|0d 0a|"; http_header; reference:md5,801e450679e9d60f8c64675c432aab33; reference:md5,ad2e8210ca7c2b4b433b3fba65e87b94; reference:md5,f6ea10f719885fbcfb6743724faa94f7; classtype:trojan-activity; sid:2019945; rev:2; metadata:created_at 2014_12_16, updated_at 2014_12_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Farfli.BHQ!tr Dropper CnC Beacon"; flow:established,to_server; content:"GET /php.php HTTP/1."; fast_pattern; depth:20; content:"User-Agent|3A| Mozilla/4.0 (compatible)"; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/"; reference:md5,cb53a6e8d65d86076fc0c94dac62aa77; classtype:trojan-activity; sid:2019946; rev:1; metadata:created_at 2014_12_16, updated_at 2014_12_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/TRCrypt.ULPM Downloader CnC Beacon"; flow:established,to_server; content:".aspx?id="; http_uri; content:"&macaddress="; http_uri; content:"&pcname="; http_uri; content:"&username="; http_uri; content:"&osversion="; http_uri; content:"&versaoatual="; http_uri; fast_pattern; content:"&winkey="; http_uri; reference:md5,3b4f77eefd208f699e6a540878e753a8; classtype:trojan-activity; sid:2019947; rev:1; metadata:created_at 2014_12_16, updated_at 2014_12_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Symmi.46846 CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/notify.php"; http_uri; fast_pattern:only; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MyApp)"; http_header; content:!"Referer|3A|"; http_header; reference:md5,fe5dc2a4ee8aa084c9da42cd2d1ded2e; classtype:trojan-activity; sid:2019948; rev:1; metadata:created_at 2014_12_16, updated_at 2014_12_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Spy.Banker.AAXV Retrieving key from Pinterest"; flow:established,to_server; content:"GET"; http_method; content:"/pin/"; depth:5; http_uri; content:"User-Agent|3a 20|Internet Explorer 6.0|0d 0a|"; http_header; fast_pattern:15,20; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; content:!"Referer|3a|"; http_header; reference:md5,f25a8e3f5265a57269590b84a506b672; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/malware-campaign-targets-south-korean-banks-uses-pinterest-as-cc-channel/; classtype:trojan-activity; sid:2019961; rev:2; metadata:created_at 2014_12_17, updated_at 2014_12_17;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c8 da 58 e3 bc 80 72 25|"; distance:0; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019962; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_12_17, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/AGENT.NXNX checkin"; flow:established,to_server; content:"|24 5d 3b 30 2e 29 23 28 30 34 3b 14 1e 14 13 02 0a 54 55 59|"; reference:url,ahnlabasec.tistory.com/1007; classtype:trojan-activity; sid:2019964; rev:1; metadata:created_at 2014_12_17, updated_at 2014_12_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FinancialStatement Keylogger POSTing keystrokes"; flow:established,to_server; content:"POST"; http_method; urilen:14; content:"/log/index.php"; http_uri; fast_pattern:only; content:"text="; depth:5; http_client_body; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:url,techhelplist.com/index.php/spam-list/695-financial-statement-malware; classtype:trojan-activity; sid:2019965; rev:1; metadata:created_at 2014_12_17, updated_at 2014_12_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Poweliks.A Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:"/query?version="; http_uri; fast_pattern:only; content:"&sid="; http_uri; content:"&builddate="; distance:0; http_uri; content:"&q="; distance:0; http_uri; content:"&ua="; http_uri; content:"&lang="; http_uri; content:"&wt="; http_uri; content:"&lr="; distance:0; http_uri; content:"&ls="; distance:0; http_uri; content:!"User-Agent|3A|"; http_header; content:!"Accept"; http_header; content:!"Referer|3A|"; http_header; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:2019966; rev:1; metadata:created_at 2014_12_17, updated_at 2014_12_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Syrian.Slideshow Sending Information via SMTP"; flow:established,to_server; content:"Subject|3a 20|repo|0d 0a|"; content:"filename=|22|mxtd|22|"; reference:md5,f8bfb82aa92ea6a8e4e0b378781b3859; reference:url,citizenlab.org/2014/12/malware-attack-targeting-syrian-isis-critics; classtype:trojan-activity; sid:2019975; rev:1; metadata:created_at 2014_12_18, updated_at 2014_12_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cryptolocker Ransom Page"; flow:established,to_server; content:"/buy.php?user_code="; fast_pattern:only; http_uri; content:"&user_pass="; http_uri; reference:url,barracudalabs.com/2014/12/new-cryptolocker-spear-phishing-campaign-looks-to-be-the-grinch-that-stole-christmas-in-australia/; classtype:trojan-activity; sid:2019978; rev:1; metadata:created_at 2014_12_19, updated_at 2014_12_19;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Cryptolocker .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|r2bv3u64ytfi2ssf"; fast_pattern; nocase; distance:0; reference:url,barracudalabs.com/2014/12/new-cryptolocker-spear-phishing-campaign-looks-to-be-the-grinch-that-stole-christmas-in-australia/; classtype:trojan-activity; sid:2019979; rev:2; metadata:created_at 2014_12_19, updated_at 2014_12_19;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Cryptolocker .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ymleyd4xs3it55m7"; fast_pattern; nocase; distance:0; reference:url,barracudalabs.com/2014/12/new-cryptolocker-spear-phishing-campaign-looks-to-be-the-grinch-that-stole-christmas-in-australia/; classtype:trojan-activity; sid:2019984; rev:2; metadata:created_at 2014_12_19, updated_at 2014_12_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tendrit CnC Beacon 1"; flow:established,to_server; content:"GET"; http_method; content:"/css.ashx?"; depth:10; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/css\.ashx\?[a-z]{2,}=(?:%[A-F0-9]{2})+&/I"; reference:md5,755dad1f37a9d3fae1352dbbc409102c; reference:url,pwc.blogs.com/cyber_security_updates/2014/12/festive-spearphishing-merry-christmas-from-an-apt-actor.html; classtype:trojan-activity; sid:2019985; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tendrit CnC Beacon 2"; flow:established,to_server; content:"GET"; http_method; content:"/favicon?"; depth:9; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/favicon\?[a-z]{2,}=(?:%[A-F0-9]{2})+&/I"; reference:md5,755dad1f37a9d3fae1352dbbc409102c; reference:url,pwc.blogs.com/cyber_security_updates/2014/12/festive-spearphishing-merry-christmas-from-an-apt-actor.html; classtype:trojan-activity; sid:2019986; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c9 8c 5b 96 3a e7 56 95|"; distance:0; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2019987; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_12_22, updated_at 2016_07_01;)

alert tcp any any -> any any (msg:"ET TROJAN US-CERT TA14-353A Wiper 2"; flow:established; content:"|c9 06 d9 96 fc 37 23 5a fe f9 40 ba 4c 94 14 98|"; depth:16; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2019994; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp any any -> any any (msg:"ET TROJAN US-CERT TA14-353A Listening Implant 1"; flow:established; content:"|0c 1f 1f 1f 4d 5a 4c 4f 50 51 4c 5a 3f 2d 2f 2f 3f 50 54 3e 3e 3e|"; depth:22; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2019995; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp any any -> any any (msg:"ET TROJAN US-CERT TA14-353A Listening Implant 2"; flow:established; content:"|d3 c4 d2 d1 ce cf d2 c4 a1 b3 b1 b1 a1 ce ca a0 a0 a0|"; depth:18; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2019996; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert ip any any -> any any (msg:"ET TROJAN US-CERT TA14-353A Listening Implant 3"; content:"|17 08 14 13 67 0f 13 13 17 67 15 02 16 12 02 14 13 78 47 47|"; depth:24; classtype:trojan-activity; sid:2019997; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert ip any any -> any any (msg:"ET TROJAN US-CERT TA14-353A Listening Implant 4"; content:"|4f 50 4c 4b 3f 57 4b 4b 4f 3f 4d 5a 4e 4a 5a 4c 4b 20 1f|"; depth:23; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2019998; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert ip any any -> any any (msg:"ET TROJAN US-CERT TA14-353A Listening Implant 5"; content:"|15 02 14 17 08 09 14 02 67 75 77 77 67 08 0c 66 66 66|"; depth:22; classtype:trojan-activity; sid:2019999; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp any any -> any any (msg:"ET TROJAN US-CERT TA14-353A Listening Implant 6"; flow:established; content:"|09 22 33 30 28 35 2c|"; fast_pattern:only; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020000; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp any any -> any any (msg:"ET TROJAN US-CERT TA14-353A Listening Implant 7"; flow:established; content:"|13 2f 22 35 22 67 26 35 22 29 27 33 67 28 37 22 29 67 37 28 35 33 34 69|"; fast_pattern:only; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020001; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp any any -> any any (msg:"ET TROJAN US-CERT TA14-353A Listening Implant 8"; flow:established; content:"|43 47 47 47 45 67 47 47 43 47 47 47 44 67 47 47|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020002; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp any any -> any any (msg:"ET TROJAN US-CERT TA14-353A Listening Implant 9"; flow:established; content:"|43 47 47 47 42 67 47 47 43 47 47 47 4f 67 47 47 43 47 47 47 43 67 47 47 43 47 47 47 4e 67 47 47|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020003; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp any any -> any any (msg:"ET TROJAN US-CERT TA14-353A Listening Implant 10"; flow:established; content:"|d1 ce d2 d5 a1 c9 d5 d5 d1 a1 d3 c4 d0 d4 c4 d2 d5 be|"; depth:18; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020004; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp any any -> any any (msg:"ET TROJAN US-CERT TA14-353A Listening Implant 11"; flow:established; content:"|17 08 14 13 67 0f 13 13 17 67 15 02 16 12 02 14 13 78|"; depth:18; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020005; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp any any -> any any (msg:"ET TROJAN US-CERT TA14-353A Listening Implant 12"; flow:established; content:"|0c 1f 1f 1f 4f 50 4c 4b 3f 57 4b 4b 4f 3f 4d 5a 4e 4a 5a 4c 4b 20|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020006; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp any 488 -> any any (msg:"ET TROJAN US-CERT TA14-353A Lightweight Backdoor 1"; flow:established,from_server; content:"|60 db 37 37 37 37 37 37|"; fast_pattern:only; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020007; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp any any -> any 488 (msg:"ET TROJAN US-CERT TA14-353A Lightweight Backdoor 2"; flow:established,to_server; content:"|60 db 37 37 37 37 37 37|"; fast_pattern:only; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020008; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp any any -> any any (msg:"ET TROJAN US-CERT TA14-353A Lightweight Backdoor 3"; flow:established; content:"|4c 4c|"; depth:2; offset:16; content:"|75 14 2a 2a|"; distance:4; within:4; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020009; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp any any -> any any (msg:"ET TROJAN US-CERT TA14-353A Lightweight Backdoor 4"; flow:established; content:"|8a 10 80 c2 67 80 f2 24 88 10|"; fast_pattern:only; content:"|8a 10 80 f2 24 80 ea 67 88 10|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020010; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp any 488 -> any any (msg:"ET TROJAN US-CERT TA14-353A Lightweight Backdoor 5"; flow:established,from_server; content:"|65 db 37 37 37 37 37 37|"; fast_pattern:only; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020011; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp any any -> any 488 (msg:"ET TROJAN US-CERT TA14-353A Lightweight Backdoor 6"; flow:established,to_server; content:"|65 db 37 37 37 37 37 37|"; fast_pattern:only; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020012; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp any [547,8080,133,117,189,159] -> any any (msg:"ET TROJAN US-CERT TA14-353A Lightweight Backdoor 7"; flow:established,from_server; content:"|7b 08 2a 2a|"; offset:17; content:"|08 2a 2a 01 00|"; distance:0; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020013; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp any any -> any any (msg:"ET TROJAN US-CERT TA14-353A Lightweight Backdoor 8"; flow:established; content:"|8a 10 80 ea 62 80 f2 b4 88 10|"; fast_pattern:only; content:"|8a 10 80 f2 b4 80 c2 62 88 10|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020014; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp any any -> any any (msg:"ET TROJAN US-CERT TA14-353A Lightweight Backdoor 9"; flow:established; content:"|8a 10 80 c2 4e 80 f2 79 88 10|"; fast_pattern:only; content:"|8a 10 80 f2 79 80 ea 4e 88 10|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020015; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp any any -> any any (msg:"ET TROJAN US-CERT TA14-353A Lightweight Backdoor 10"; flow:established; content:"Sleepy!@#qaz13402scvsde890"; fast_pattern:only; content:"BC435@PRO62384923412!@3!"; nocase; content:!"content|3a 22|BC435@PRO62384923412!@3!|22 3b|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020016; rev:2; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp any any -> any any (msg:"ET TROJAN US-CERT TA14-353A Proxy Tool 1"; flow:established; content:"|8a 10 80 c2 3a 80 f2 73 88 10|"; fast_pattern:only; content:"|8a 10 80 f2 73 80 ea 3a 88 10|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020017; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp any any -> any any (msg:"ET TROJAN US-CERT TA14-353A Proxy Tool 2"; flow:established; content:!"HTTP/1"; content:"|e2 1d 49 49|"; depth:4; fast_pattern; content:"|49 49 49 49|"; distance:4; within:4; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020018; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp any any -> any any (msg:"ET TROJAN US-CERT TA14-353A Proxy Tool 3"; flow:established; content:"|82 f4 de d4 d3 c2 ca f5 c8 c8 d3 82 fb f4 de d4 d3 c2 ca 94 95 fb d4 d1 c4 cf c8 d4 d3 89 c2 df c2 87 8a cc 87 00|"; fast_pattern:only; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020019; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp any any -> any [8000,8080] (msg:"ET TROJAN US-CERT TA14-353A WIPER4"; flow:established,to_server; dsize:42; content:"|28 00|"; depth:2; content:"|04 00 00 00|"; offset:38; depth:4; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020020; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Operation Poisoned Helmand jar download"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"jre7u61windows/x86/Update.class"; reference:url,threatconnect.com/news/operation-poisoned-helmand/; classtype:trojan-activity; sid:2020021; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET TROJAN Possible VirLock Connectivity Check"; flow:established,to_server; dsize:36; content:"GET / HTTP/1.1|0d 0a|Host|3a 20|google.com|0d 0a 0d 0a|"; fast_pattern:16,20; threshold:type both,track by_src,count 2,seconds 10; metadata: former_category TROJAN; reference:md5,94c9c2fddc99217e310d5c687adfc2f7; classtype:trojan-activity; sid:2020022; rev:2; metadata:created_at 2014_12_22, updated_at 2017_11_27;)

alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET TROJAN US-CERT TA14-353A Network Propagation Wiper"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"taskhost"; content:".exe"; distance:2; within:4; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020023; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Spy.Agent.OHT - AnunakAPT TCP Checkin 1"; flow:established,to_server; dsize:24; content:"|08 00 1b 00 00 00 1b 00 00 00 02 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; content:"|00 00 00 00 |"; offset:20; depth:4; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:trojan-activity; sid:2020024; rev:2; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Spy.Agent.OHT - AnunakAPT TCP Checkin 2"; flow:established,to_server; dsize:27; content:"bestpobeda"; depth:10; pcre:"/^[a-f0-9]+$/R"; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:trojan-activity; sid:2020025; rev:2; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Spy.Agent.OHT - AnunakAPT TCP Keep-Alive"; flow:established,to_server; dsize:24; content:"|09 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00|"; depth:20; threshold:type both, track by_src, count 1, seconds 120; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:trojan-activity; sid:2020026; rev:2; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Spy.Agent.OHT - AnunakAPT HTTP Checkin 1"; flow:established,to_server; content:"GET"; http_method; urilen:>100; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:!"Connection|3a|"; http_header; content:"Host|3a|"; depth:5; http_header; content:"Accept|3a 20 2a 2f 2a 0d 0a 0d 0a|"; fast_pattern:only; pcre:"/^[a-zA-Z0-9=/&?\x2e-]+$/U"; pcre:"/^Host\x3a[^\r\n]+?\r\nUser-Agent\x3a[^\r\n]+?\r\nAccept\x3a\x20\x2a\x2f\x2a\r\n(?:\r\n)?$/Hmi"; pcre:"/^User-Agent\x3a\x20[^\r\n]+?(?: MSIE |rv\x3a11)/Hmi"; flowbits:set,ET.Anunanak.HTTP.1; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:trojan-activity; sid:2020027; rev:2; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Win32/Spy.Agent.OHT - AnunakAPT HTTP Checkin Response 1"; flow:established,from_server; content:"Content-Length|3a 20|11|0d 0a|"; http_header; file_data; content:"no commands"; fast_pattern:only; flowbits:isset,ET.Anunanak.HTTP.1; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:trojan-activity; sid:2020028; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Spy.Agent.OHT - AnunakAPT HTTP Checkin 2"; flow:established,to_server; content:"POST"; http_method; urilen:>100; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:!"Connection|3a|"; http_header; content:"Host|3a|"; depth:5; http_header; content:"w-form-urlencoded|0d 0a 0d 0a|"; fast_pattern:only; pcre:"/^[a-zA-Z0-9=/&?\x2e-]+$/U"; pcre:"/^Host\x3a[^\r\n]+?\r\nUser-Agent\x3a[^\r\n]+?\r\nAccept\x3a[^\r\n]+?\r\nContent-Length\x3a\x20\d{4}\r\nContent-Type\x3a\x20application\/x-www-form-urlencoded\r\n(?:\r\n)?$/Hmi"; flowbits:set,ET.Anunanak.HTTP.2; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:trojan-activity; sid:2020029; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Win32/Spy.Agent.OHT - AnunakAPT HTTP Checkin Response 2"; flow:established,from_server; content:"Content-Length|3a 20|9|0d 0a|"; http_header; file_data; content:"no result"; fast_pattern:only; flowbits:isset,ET.Anunanak.HTTP.2; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:trojan-activity; sid:2020030; rev:1; metadata:created_at 2014_12_22, updated_at 2014_12_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Nurjax Retrieving Domains via JS"; flow:established,to_server; content:".txt?dummy="; http_uri; fast_pattern:only; content:"User-Agent|3a 20|Mozilla"; http_header; content:!"|0d 0a|Accept-"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.txt\?dummy=\d+$/U"; reference:md5,1837561f9537d2fcc2b4f0ea6fd3a095; classtype:trojan-activity; sid:2020031; rev:2; metadata:created_at 2014_12_23, updated_at 2014_12_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Nurjax Downloading PE"; flow:established,to_server; content:".exe?dummy="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\.exe\?dummy=\d+$/U"; reference:md5,6b7759565454fb7d02fb5bc638136f31; classtype:trojan-activity; sid:2020032; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Trojan.Nurjax SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|www.njaxjs.me"; distance:1; within:14; classtype:trojan-activity; sid:2020033; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_12_23, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Nurjax Checkin"; flow:established,to_server; content:"update.php?"; http_uri; content:"&key="; http_uri; distance:0; content:"&dummy="; http_uri; fast_pattern; distance:0; content:!"Referer|3a|"; http_header; reference:md5,1837561f9537d2fcc2b4f0ea6fd3a095; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-121000-1027-99&tabid=2; classtype:trojan-activity; sid:2020034; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for known Anunak APT Domain (great-codes.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|great-codes|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:trojan-activity; sid:2020035; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for known Anunak APT Domain (adguard.name)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|adguard|04|name|00|"; nocase; distance:0; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:trojan-activity; sid:2020036; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for known Anunak APT Domain (coral-trevel.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|coral-trevel|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:trojan-activity; sid:2020037; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for known Anunak APT Domain (ddnservice10.ru)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|ddnservice10|02|ru|00|"; nocase; distance:0; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:trojan-activity; sid:2020038; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for known Anunak APT Domain (paradise-plaza.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|paradise-plaza|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:trojan-activity; sid:2020039; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for known Anunak APT Domain (worldnewsonline.pw)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|worldnewsonline|02|pw|00|"; nocase; distance:0; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:trojan-activity; sid:2020040; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for known Anunak APT Domain (update-java.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|update-java|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; reference:md5,0ad4892ead67e65ec3dd4c978fce7d92; classtype:trojan-activity; sid:2020041; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (allwayshappy.ru)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|allwayshappy|02|ru|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020044; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (casinoroyal7.ru)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|casinoroyal7|02|ru|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020045; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (cryptdomain.dp.ua)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|cryptdomain|02|dp|02|ua|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020046; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (deadwalk32.ru)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|deadwalk32|02|ru|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020047; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (doubleclickads.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|doubleclickads|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020048; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (it-newsblog.ru)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|it-newsblog|02|ru|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020049; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (js-static.ru)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|js-static|02|ru|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020050; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (lagosadventures.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|lagosadventures|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020051; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (lebanonwarrior.ru)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|lebanonwarrior|02|ru|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020052; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (nigerianbrothers.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nigerianbrothers|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020053; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (octoberpics.ru)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|octoberpics|02|ru|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020054; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (princeofnigeria.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|princeofnigeria|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020055; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (royalgourp.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|royalgourp|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020056; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (server38.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|server38|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020057; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (ssl-server24.ru)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|ssl-server24|02|ru|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020058; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (tweeterplanet.ru)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|tweeterplanet|02|ru|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020059; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (tweeter-stat.ru)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|tweeter-stat|02|ru|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020060; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (updatemyhost.ru)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|updatemyhost|02|ru|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020061; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (walkingdead32.ru)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|walkingdead32|02|ru|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020062; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (worldnews247.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|worldnews247|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020063; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dridex Post Check-in Activity"; flow:established,to_server; content:"POST "; depth:5; content:!"Referer|3a|"; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b| Trident/7.0|3b| rv|3a|10.0) like Gecko|0d 0a|"; fast_pattern:53,20; content:"Connection|3a 20|Close|0d 0a|"; content:"HTTP/1.1|0d 0a|Host|3a 20|"; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r\n/R"; threshold:type limit,track by_src,count 1,seconds 60; reference:md5,ac6ea1e500de772341a2075a7d916d63; classtype:trojan-activity; sid:2020064; rev:2; metadata:created_at 2014_12_23, updated_at 2014_12_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for known Anunak APT Domain (ddnservice11.ru)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|ddnservice11|02|ru|00|"; nocase; distance:0; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:trojan-activity; sid:2020065; rev:2; metadata:created_at 2014_12_23, updated_at 2014_12_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for known Anunak APT Domain (financialnewsonline.pw)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|financialnewsonline|02|pw|00|"; nocase; distance:0; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:trojan-activity; sid:2020066; rev:2; metadata:created_at 2014_12_23, updated_at 2014_12_23;)

alert udp any any -> 1.1.1.0 80 (msg:"ET TROJAN TROJ_WHAIM.A message"; content:"|57 68 6f 20 61 6d 20 49 3f 20 57 68 6f 20 61 6d 20 49 3f 20 57 68 6f 20 61 6d 20 49 3f 20 57 68 6f 20 61 6d 20 49 3f 20 00|"; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:2020069; rev:3; metadata:created_at 2014_12_26, updated_at 2014_12_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Dropped by RIG EK"; flow:established,to_server; content:"/Prack"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|InetURL/1.0|0d 0a|"; http_header; reference:md5,18fa3ab45c6fa9da218dd4c35688c5f4; classtype:trojan-activity; sid:2020070; rev:3; metadata:created_at 2014_12_26, updated_at 2014_12_26;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0d|tdmodsecur.pw"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2020075; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_29, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Andromeda Checkin Dec 29 2014"; flow:established,to_server; content:"POST"; nocase; http_method; content:"EPF#"; depth:4; fast_pattern; http_client_body; content:"User-Agent|3a 20|Mozilla/4.0|0d 0a|"; http_header; content:!"Referer"; http_header; content:!"Accept"; http_header; content:"Connection|3a 20|close|0d 0a|"; reference:md5,7a1ad388bdcebcbc4cc48a2eff71775f; classtype:trojan-activity; sid:2020076; rev:1; metadata:created_at 2015_12_29, updated_at 2015_12_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Kronos Checkin M2"; flow:established,to_server; content:"POST"; http_method; content:"/connect.php?a=1"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; content:!"Content-Type|3a|"; http_header; classtype:trojan-activity; sid:2020077; rev:1; metadata:created_at 2015_12_29, updated_at 2015_12_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN RocketKitten APT Checkin"; flow:to_server,established; content:"/index.php?c="; http_uri; content:"&r="; http_uri; distance:0; content:"User-Agent|3a 20|Mozilla/5.0|0d 0a|"; fast_pattern:5,20; http_header; content:!"Referer|3a 20|"; http_header; reference:url,isc.sans.edu/forums/diary/Rocket+Kitten+Is+it+still+APT+if+you+can+buy+it+off+the+shelf/19123; reference:md5,f89a4d4ae5cca6d69a5256c96111e707; classtype:trojan-activity; sid:2020078; rev:2; metadata:created_at 2015_12_29, updated_at 2015_12_29;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d7 5e db d7 9c 6d e0 4f|"; distance:0; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2020079; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_29, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Kronos Checkin"; flow:established,to_server; content:".php"; http_uri; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; content:"POST"; http_method; content:!"Content-Type"; http_header; content:"Content-Length|3a 20|74|0d 0a|"; http_header; fast_pattern:only; pcre:"/^(?P<v1>.).{33}(?P=v1).{9}(?P<v2>.)(?:.{4}(?P=v2)){3}/Ps"; classtype:trojan-activity; sid:2020080; rev:1; metadata:created_at 2015_12_29, updated_at 2015_12_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 9090 (msg:"ET TROJAN Win32.Akdoor Reporting MAC Address"; flow:to_server,established; dsize:20; content:"|01 00 00 00 0c 00 00 00|"; fast_pattern; pcre:"/^[0-9A-F]{12}$/R"; reference:md5,f5ba42117dd02f50b12542131dcd8b5f; classtype:trojan-activity; sid:2020081; rev:1; metadata:created_at 2015_12_29, updated_at 2015_12_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win64/Havex Checkin"; flow:established,to_server; content:".php?id="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\.php\?id=\d{30}\w{6}-\d{2}-\d{3}-\d{9}$/U"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/64-bit-version-of-havex-spotted/; classtype:trojan-activity; sid:2020083; rev:1; metadata:created_at 2015_12_30, updated_at 2015_12_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Htbot.B Checkin"; flow:to_server,established; content:".php?command="; fast_pattern:only; http_uri; content:"User-Agent|3A| pb|0D 0A|"; http_header; pcre:"/\.php\?command=(g(hl|et(ip|id|backconnect))|update2?|dl|log)($|&)/U"; reference:md5,bdd2328d466e563a650bb7ccdb9aca79; reference:md5,ba1404af71ecf3ca8b0e30a2b365f6fd; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FHtbot.B; classtype:trojan-activity; sid:2020089; rev:5; metadata:created_at 2015_01_05, updated_at 2015_01_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Generic.5325921 Checkin"; flow:to_server,established; content:"?p="; http_uri; content:"&botmajor="; http_uri; content:"&botminor="; http_uri; content:"&osmajor="; http_uri; content:"&osminor="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=203cec547d7d7d7b3a51084ad1abd793; classtype:trojan-activity; sid:2020090; rev:4; metadata:created_at 2015_01_05, updated_at 2015_01_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Neutrino Cookie"; flow:to_server,established; content:"=21232f297a57a5a743894a0e4a801fc3"; fast_pattern:only; content:"=21232f297a57a5a743894a0e4a801fc3"; http_cookie; metadata: former_category TROJAN; reference:md5,bf555378d935de805f39c2d2d965a888; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:trojan-activity; sid:2020093; rev:4; metadata:created_at 2015_01_05, updated_at 2017_03_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Neutrino CC dump"; flow:to_server,established; content:"POST"; http_method; content:"dumpgrab="; http_client_body; fast_pattern:only; content:"track_type="; http_client_body; content:"track_data="; http_client_body; content:"process_name="; http_client_body; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,bf555378d935de805f39c2d2d965a888; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:trojan-activity; sid:2020094; rev:2; metadata:created_at 2015_01_05, updated_at 2017_03_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Steam Stealer"; flow:to_server,established; content:"GET"; http_method; content:"/uploads/images/201"; http_uri; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; content:!"User-Agent|3a 20|"; http_header; pcre:"/\.png$/U"; reference:md5,5f50e810668942e8d694faeabab08260; reference:url,blog.0x3a.com/post/107195908164/analysis-of-steam-stealers-and-the-steam-stealer; classtype:trojan-activity; sid:2020095; rev:2; metadata:created_at 2015_01_05, updated_at 2015_01_05;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fd 0c f3 42 0f 46 07 68|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|xx"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2020104; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_01_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 86 c7 7d 23 ec c3 18 fb|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2020149; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_01_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TinyLoader.A Checkin x86"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 32 32|"; fast_pattern:only; reference:md5,ad7e8dd9140d02f47eca2d8402e2ecc4; classtype:trojan-activity; sid:2020150; rev:1; metadata:created_at 2015_01_07, updated_at 2015_01_07;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TinyLoader.A Checkin x64"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 64 32|"; fast_pattern:only; reference:md5,ad7e8dd9140d02f47eca2d8402e2ecc4; classtype:trojan-activity; sid:2020151; rev:1; metadata:created_at 2015_01_07, updated_at 2015_01_07;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TinyLoader.A Sending UUID and Processes x86"; content:"|00 00 00 02 00 00 00 00 00 00 32 32|"; depth:12; content:"|7b|"; distance:0; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\x7d/R"; reference:md5,ad7e8dd9140d02f47eca2d8402e2ecc4; classtype:trojan-activity; sid:2020152; rev:2; metadata:created_at 2015_01_07, updated_at 2015_01_07;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TinyLoader.A Sending UUID and Processes x64"; content:"|00 00 00 02 00 00 00 00 00 00 64 32|"; depth:12; content:"|7b|"; distance:0; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\x7d/R"; reference:md5,ad7e8dd9140d02f47eca2d8402e2ecc4; classtype:trojan-activity; sid:2020153; rev:3; metadata:created_at 2015_01_07, updated_at 2015_01_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 9000:10000 (msg:"ET TROJAN Win32/Recslurp.D C2 Request (no alert)"; flow:established,to_server; dsize:4; content:"|e8 03 00 00|"; fast_pattern:only; flowbits:set,ET.Reslurp.D.Client; flowbits:noalert; reference:md5,fcf364abd9c82d89f8d0b4b091276b41; classtype:trojan-activity; sid:2020154; rev:2; metadata:created_at 2015_01_07, updated_at 2015_01_07;)

alert tcp $EXTERNAL_NET 9000:10000 -> $HOME_NET any (msg:"ET TROJAN Win32/Recslurp.D C2 Response"; flow:established,from_server; flowbits:isset,ET.Reslurp.D.Client; content:"|e8 03 00 00|"; depth:4; reference:md5,fcf364abd9c82d89f8d0b4b091276b41; classtype:trojan-activity; sid:2020155; rev:2; metadata:created_at 2015_01_07, updated_at 2015_01_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Emotet.C Checkin"; flow:to_server,established; content:"POST"; http_method; urilen:1; content:"MASE|0d 0a|"; http_header; content:"name=|22|c1|22 0d 0a 0d 0a|c"; http_client_body; reference:md5,37d530ffa0bf1129f2db63b75fccce28; classtype:trojan-activity; sid:2020156; rev:6; metadata:created_at 2015_01_07, updated_at 2015_01_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Emotet.C Variant Checkin"; flow:to_server,established; content:"POST"; http_method; content:"/download.php?listfiles="; http_uri; content:"Content-Length|3a 20|0|0d 0a|"; http_header; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:!"|0d 0a|Accept"; http_header; reference:md5,cd74438c04b09baa5c32ad0e5a0306e7; classtype:trojan-activity; sid:2020157; rev:1; metadata:created_at 2015_01_07, updated_at 2015_01_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN Mini/Cosmic Duke variant FTP upload"; flow:established,to_server; content:"STOR "; pcre:"/^[A-F0-9]{48}\.bin\r\n/R"; content:".bin|0d 0a|"; fast_pattern:only; reference:url,f-secure.com/weblog/archives/00002780.html; classtype:trojan-activity; sid:2020158; rev:1; metadata:created_at 2015_01_08, updated_at 2015_01_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vawtrak/NeverQuest Posting Data"; flow:established,to_server; content:"POST"; http_method; content:"/0000"; offset:2; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/[^\x2f]+\/0000[A-F0-9]{4}\/0[0-2]\/[A-F0-9]{8}$/Ui"; metadata: former_category TROJAN; reference:md5,1a5ee37a6075b5a95faf8f07ad060cc9; classtype:trojan-activity; sid:2025087; rev:2; metadata:created_at 2015_01_08, updated_at 2017_11_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vawtrak/NeverQuest Posting Data"; flow:established,to_server; content:"POST"; http_method; content:"/0"; depth:2; http_uri; content:"/0000"; distance:2; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/0[0-2]\/[^\x2f]+\/0000[A-F0-9]{4}\/[^\x2f]+\/[A-F0-9]{8}$/Ui"; flowbits:set,ET.Vawtrak; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025088; rev:1; metadata:created_at 2015_01_08, updated_at 2017_11_29;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET TROJAN Linux/DDoS.M JUNK command"; flow:established,to_client ; content:"JUNK "; depth:5; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020162; rev:1; metadata:created_at 2015_01_12, updated_at 2015_01_12;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET TROJAN Linux/DDoS.M GETLOCALIP command"; flow:established,to_client ; content:"GETLOCALIP "; depth:11; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020163; rev:1; metadata:created_at 2015_01_12, updated_at 2015_01_12;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET TROJAN Linux/DDoS.M SCANNER command"; flow:established,to_client ; content:"SCANNER "; depth:8; pcre:"/^(?:ON|OFF)/R"; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020164; rev:1; metadata:created_at 2015_01_12, updated_at 2015_01_12;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET TROJAN Linux/DDoS.M KILLATTK command"; flow:established,to_client ; content:"KILLATTK "; depth:9; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020165; rev:1; metadata:created_at 2015_01_12, updated_at 2015_01_12;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET TROJAN Linux/DDoS.M LOLNOGTFO command"; flow:established,to_client ; content:"LOLNOGTFO "; depth:10; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020166; rev:2; metadata:created_at 2015_01_12, updated_at 2015_01_12;)

alert tcp any any -> any 1024: (msg:"ET TROJAN Linux/DDoS.M Admin console status"; flow:established,to_client ; content:"|1b 5d 30 3b|Bots connected|3a 20|"; content:"|7c 20|Clients connected|3a 20|"; distance:0; threshold: type both, count 1, seconds 10, track by_src; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020167; rev:1; metadata:created_at 2015_01_12, updated_at 2015_01_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Spy.Obator .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|t2upiokua37wq2cx"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3671; classtype:trojan-activity; sid:2020168; rev:1; metadata:created_at 2015_01_12, updated_at 2015_01_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [80,443] (msg:"ET TROJAN Hong Kong SWC Attack PcClient CnC Beacon"; flow:established,to_server; content:"|BB 4E 4E BC BC BC 7E 7E|"; nocase; offset:160; depth:8; reference:url,blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html; classtype:trojan-activity; sid:2020169; rev:1; metadata:created_at 2015_01_12, updated_at 2015_01_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Office Doc with Embedded VBA containing Reverse Meterpreter Shell"; flow:established,from_server; flowbits:isset,et.DocVBAProject; file_data; content:"windows/meterpreter/reverse_"; nocase; reference:url,github.com/enigma0x3/Generate-Macro/blob/master/Generate-Macro.ps1; classtype:trojan-activity; sid:2020170; rev:3; metadata:created_at 2015_01_12, updated_at 2015_01_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Hong Kong SWC Attack DNS Lookup (aoemvp.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|aoemvp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html; classtype:trojan-activity; sid:2020171; rev:1; metadata:created_at 2015_01_12, updated_at 2015_01_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Known Sinkhole Response Header CERT.PL"; flow:established,from_server; content:"Content-Length|3a| 24|0d 0a|"; http_header; file_data; content:"Sinkholed by CERT.PL"; within:24; fast_pattern; classtype:trojan-activity; sid:2020172; rev:1; metadata:created_at 2015_01_13, updated_at 2015_01_13;)

alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET TROJAN Skeleton Key Filename in SMB Traffic (ASCII)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"|5c|msuta64.dll"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020173; rev:2; metadata:created_at 2015_01_13, updated_at 2015_01_13;)

alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET TROJAN Skeleton Key Filename in SMB Traffic (ASCII)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"|5c|ole64.dll"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020174; rev:2; metadata:created_at 2015_01_13, updated_at 2015_01_13;)

alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET TROJAN Skeleton Key Filename in SMB Traffic (ASCII)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"|5c|ole.dll"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020175; rev:2; metadata:created_at 2015_01_13, updated_at 2015_01_13;)

alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET TROJAN Skeleton Key Filename in SMB Traffic (Unicode)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"|5c 00|m|00|s|00|u|00|t|00|a|00|6|00|4|00|.|00|d|00|l|00|l"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020176; rev:3; metadata:created_at 2015_01_13, updated_at 2015_01_13;)

alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET TROJAN Skeleton Key Filename in SMB Traffic (Unicode)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"|5c 00|o|00|l|00|e|00|6|00|4|00|.|00|d|00|l|00|l"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020177; rev:3; metadata:created_at 2015_01_13, updated_at 2015_01_13;)

alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET TROJAN Skeleton Key Filename in SMB Traffic (Unicode)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"|5c 00|o|00|l|00|e|00|.|00|d|00|l|00|l"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020178; rev:3; metadata:created_at 2015_01_13, updated_at 2015_01_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Brontok User-Agent Detected (Rivest)"; flow:established,to_server; content:"User-Agent|3a| Rivest|0d 0a|"; http_header; nocase; reference:md5,c83b55ab56f3deb60858cb25d6ded8c4; classtype:trojan-activity; sid:2020179; rev:1; metadata:created_at 2015_01_13, updated_at 2015_01_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WIN32/KOVTER.B Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"|0d 0a|Accept"; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent|3a 20|"; http_header; depth:61; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/P"; pcre:"/User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)[^\r\n]+\r\nHost\x3a[^\r\n]+\r\nContent-Length\x3a[^\r\n]+\r\n(?:Cache-Control|Pragma)\x3a[^\r\n]+\r\n(?:\r\n)?$/H"; content:!".foxitservice.com|0d 0a|"; http_header; reference:md5,7943a103d7b79f87843655e6b2f8e80c; classtype:trojan-activity; sid:2020181; rev:8; metadata:created_at 2015_01_14, updated_at 2015_01_14;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Cryptowall 3.0 .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|paytoc4gtpn5czl2"; nocase; distance:0; fast_pattern; reference:url,malware.dontneedcoffee.com/2015/01/guess-whos-back-again-cryptowall-30.html; classtype:trojan-activity; sid:2020182; rev:1; metadata:created_at 2015_01_14, updated_at 2015_01_14;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e 7d f1 a1 50 bc 27 18|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2020187; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_01_14, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/ChinaZ DDoS Bot Checkin"; flow:established,to_server; content:"|00 00 00 00|"; depth:4; content:!"|00|"; within:1; content:"MHz|00|"; distance:0; content:"|20 2a 20|"; distance:-12; within:5; pcre:"/^\d+MHz\x00/R"; content:"|20|MB|00|"; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3682; classtype:trojan-activity; sid:2020188; rev:1; metadata:created_at 2015_01_15, updated_at 2015_01_15;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9d 36 ff 20 e3 b5 4d 15|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2020196; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_01_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Filename svchost.exe Download - Common Hostile Filename"; flow:established,to_client; content:"filename="; http_header; content:"svchost.exe"; nocase; http_header; fast_pattern; within:11; pcre:"/^Content-Disposition\x3a attachment\x3b filename=[\x27\x22]svchost\.exe[\x22\x27]\r\n/Hmi"; classtype:trojan-activity; sid:2020198; rev:4; metadata:created_at 2015_01_16, updated_at 2015_01_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Filename explorer.exe Download - Common Hostile Filename"; flow:established,to_client; content:"filename="; http_header; content:"explorer.exe"; nocase; http_header; within:13; fast_pattern; pcre:"/^Content-Disposition\x3a attachment\x3b filename=[\x27\x22]explorer\.exe[\x22\x27]\r\n/Hmi"; classtype:trojan-activity; sid:2020199; rev:5; metadata:created_at 2015_01_16, updated_at 2015_01_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Filename hkcmd.exe Download - Common Hostile Filename"; flow:established,to_client; content:"filename="; http_header; content:"hkcmd.exe"; nocase; http_header; within:10; fast_pattern; pcre:"/^Content-Disposition\x3a attachment\x3b filename=[\x27\x22]hkcmd\.exe[\x22\x27]\r\n/Hmi"; classtype:trojan-activity; sid:2020200; rev:2; metadata:created_at 2015_01_16, updated_at 2015_01_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Filename server.exe Download - Common Hostile Filename"; flow:established,to_client; content:"filename="; http_header; content:"server.exe"; nocase; http_header; within:11; fast_pattern; pcre:"/^Content-Disposition\x3a attachment\x3b filename=[\x27\x22]server\.exe[\x22\x27]\r\n/Hmi"; classtype:trojan-activity; sid:2020201; rev:1; metadata:created_at 2015_01_16, updated_at 2015_01_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Zeprox.B Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?a=n|60|e|3e|"; http_uri; fast_pattern:only; content:"Content-Length|3a| 0|0d 0a|"; http_header; content:"Proxy-Connection|3a|"; http_header; content:!"Referer|3a|"; http_header; reference:md5,bc27f28e5fe47b78202fd3108d39aac1; reference:md5,38c89cca7806fde08bba82b3cb533e5a; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor%3AWin32/Zeprox.B; classtype:trojan-activity; sid:2020203; rev:4; metadata:created_at 2015_01_16, updated_at 2015_01_16;)

alert tcp $EXTERNAL_NET 1025 -> $HOME_NET any (msg:"ET TROJAN Possible Mailer Dropped by Dyre SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02 41 55|"; distance:0; content:"|55 04 08|"; distance:0; pcre:"/^.{2}(?P<var>[a-z0-9]{4,16}[01]).+?\x06\x03\x55\x04\x08.{2}(?P=var)/Rs"; reference:md5,dbcdaf617e19d2a35f763ac996cf8cd7; classtype:trojan-activity; sid:2020205; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_01_19, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Critroni Variant .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qtrudrukmurps7tc"; nocase; distance:0; fast_pattern; reference:md5,35a7f70c5e0cd4814224c96e3c62fa42; classtype:trojan-activity; sid:2020206; rev:1; metadata:created_at 2015_01_19, updated_at 2015_01_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Win32.ChinaZ.DDoSClient Checkin"; flow:established,to_server; content:"Windows "; depth:8; content:"|20|MHZ|00|"; fast_pattern; distance:0; content:"|00|Win"; distance:0; content:"|00|"; distance:2; within:2; reference:md5,8643a44febdf73159b2d5c437dc40cd3; classtype:trojan-activity; sid:2020209; rev:2; metadata:created_at 2015_01_19, updated_at 2015_01_19;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Critroni Variant .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tzsvejrzduo52siy"; nocase; distance:0; fast_pattern; reference:md5,49e988b04144b478e3f52b2abe8a5572; classtype:trojan-activity; sid:2020210; rev:1; metadata:created_at 2015_01_19, updated_at 2015_01_19;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Critroni Variant .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|7n4p5o6vlkdiqiee"; nocase; distance:0; fast_pattern; reference:md5,18dfcf3479bbd3878c0f19b80a01e813; classtype:trojan-activity; sid:2020213; rev:2; metadata:created_at 2015_01_19, updated_at 2015_01_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [!5800,!445] (msg:"ET TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 5"; flow:to_server,established; content:"|15 15|"; offset:2; depth:2; content:!"|15 15|"; within:2; content:"|15 15|"; distance:2; within:2; content:!"|15 15|"; within:2; content:"|15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15|"; pcre:"/[^\x15][^\x49\x3f\x3e\x28\x69\x2f\x2e\x37\x2a\x29\x2b\x39\x36][\x20-\x27\x2c\x2d\x30\x31\x33-\x36\x38\x3b-\x3d\x40-\x47\x4a-\x4d\x4f\x50-\x5f\x60\x68\x6b-\x6f\x70-\x74\x76-\x7f]{1,14}\x15/R"; metadata: former_category TROJAN; reference:md5,05054afcfc6a651a057e47cd0f013c7b; classtype:trojan-activity; sid:2020215; rev:5; metadata:created_at 2015_01_20, updated_at 2017_10_25;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (URLzone CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b9 84 73 78 53 8f 36 69|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2020216; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Banking_Trojan, signature_severity Major, created_at 2015_01_20, malware_family URLZone, updated_at 2018_04_23;)

alert tcp $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e9 91 eb 37 30 e6 41 f6|"; within:35; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|CN"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|02|ST"; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2020217; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_01_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e b5 fa 1e d4 7a 9e 36|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2020218; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_01_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f3 1c c2 15 72 83 e3 79|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2020219; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_01_20, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 44"; flow:to_server,established; dsize:>11; content:"|96 71|"; offset:13; depth:2; byte_jump:4,-15,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^.{4}[\x20-\x7e]{5}.{4}\x96\x71/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0a09c176351398922770153bdd54c594; classtype:trojan-activity; sid:2020214; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_01_20, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ae 79 0b f9 9e bd 14 a1|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2020220; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_01_20, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Nitol.A Checkin 2"; flow:from_client,established; dsize:260; content:"MB|00 00|"; content:"Windows|20|"; distance:0; content:"V1.0|00 00|"; offset:180; fast_pattern; reference:md5,b9096b87cf643c5f86789d995e9e773d; classtype:trojan-activity; sid:2020222; rev:1; metadata:created_at 2015_01_21, updated_at 2015_01_21;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Known Sinkhole Response abuse.ch"; flow:established,from_server; dsize:22; content:"Sinkholed by abuse.ch|0a|"; fast_pattern:only; classtype:trojan-activity; sid:2020223; rev:1; metadata:created_at 2015_01_21, updated_at 2015_01_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Critroni Variant .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ohmva4gbywokzqso"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2020226; rev:1; metadata:created_at 2015_01_21, updated_at 2015_01_21;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Suspicious proxy1-1-1.i2p Domain - Possible CryptoWall Activity"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|proxy1-1-1|03|i2p"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020228; rev:1; metadata:created_at 2015_01_21, updated_at 2015_01_21;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Suspicious proxy2-2-2.i2p Domain - Possible CryptoWall Activity"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|proxy2-2-2|03|i2p"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020229; rev:1; metadata:created_at 2015_01_21, updated_at 2015_01_21;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Suspicious proxy3-3-3.i2p Domain - Possible CryptoWall Activity"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|proxy3-3-3|03|i2p"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020230; rev:1; metadata:created_at 2015_01_21, updated_at 2015_01_21;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Suspicious proxy4-4-4.i2p Domain - Possible CryptoWall Activity"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|proxy4-4-4|03|i2p"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020231; rev:1; metadata:created_at 2015_01_21, updated_at 2015_01_21;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Suspicious proxy5-5-5.i2p Domain - Possible CryptoWall Activity"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|proxy5-5-5|03|i2p"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020232; rev:1; metadata:created_at 2015_01_21, updated_at 2015_01_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CryptoWall CryptoWall 3.0 Check-in"; flow:established,to_server; content:"POST http|3a 2f 2f|proxy"; depth:17; fast_pattern; content:"i2p|0d 0a 0d 0a|"; distance:0; content:!"|0d 0a|Accept-"; content:!"Referer|3a|"; reference:md5,3c53c9f7ab32a09de89bb44e5f91f9af; classtype:trojan-activity; sid:2020233; rev:2; metadata:created_at 2015_01_21, updated_at 2015_01_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mazilla Suspicious User-Agent Jan 15 2015"; flow:established,to_server; content:"GET /"; depth:5; content:"HTTP/1."; distance:0; content:"|0d 0a|"; distance:1; within:2; content:"User-Agent|3a| Mazilla/"; distance:0; fast_pattern:12,7; reference:url,malware-traffic-analysis.net/2015/01/15/index.html; classtype:trojan-activity; sid:2020235; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2015_01_21, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Inception APT malware"; flow:established,to_server; content:"|0d 0a|username=|22|bimm"; nocase; http_header; fast_pattern; content:"/bimm"; distance:0; nocase; http_header; reference:url,www.bluecoat.com/security-blog/2015-01-20/reversing-inception-apt-malware; classtype:trojan-activity; sid:2020237; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.TurlaCarbon.A C2 HTTP Request"; flow:to_server,established; content:"POST"; http_method; content:"?uid="; http_uri; content:"&context="; http_uri; distance:0; content:"&mode=text&"; http_uri; fast_pattern; distance:0; content:"data="; http_uri; pcre:"/\?uid=\d+&context=\w+&mode=text&data=\w+$/U"; reference:url,blog.gdatasoftware.com/blog/article/analysis-of-project-cobra.html; classtype:trojan-activity; sid:2020241; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b6 24 74 c1 1f 18 de bb|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2020242; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_01_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Scieron Possible SSL Cert"; flow:established,from_server; content:"|0b|"; content:"|10 6d 7a 85 10 89 c8 6f bb 41 41 46 e6 96 f2 68 cd|"; within:45; content:"|55 04 03|"; distance:0; content:"|10|RibbonLocalHTTPS"; distance:1; within:17; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020243; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_01_22, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (apple.dynamic-dns.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|apple|0b|dynamic-dns|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020244; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (autocar.ServeUser.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|autocar|09|ServeUser|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020245; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (blackblog.chatnook.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|blackblog|08|chatnook|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020246; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (bulldog.toh.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|bulldog|03|toh|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020247; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (cew58e.xxxy.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|cew58e|04|xxxy|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020248; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (coastnews.darktech.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|coastnews|08|darktech|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020249; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (demon.4irc.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|demon|04|4irc|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020250; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (dynamic.ddns.mobi)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|dynamic|04|ddns|04|mobi|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020251; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (expert.4irc.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|expert|04|4irc|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020252; rev:2; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (football.mrbasic.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|football|07|mrbasic|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020253; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (gjjb.flnet.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|gjjb|05|flnet|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020254; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (imirnov.ddns.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|imirnov|04|ddns|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020255; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (jingnan88.chatnook.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|jingnan88|08|chatnook|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020256; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (lehnjb.epac.to)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|lehnjb|04|epac|02|to|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020257; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (logoff.25u.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|logoff|03|25u|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020258; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (logoff.ddns.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|logoff|04|ddns|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020259; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (ls910329.my03.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|ls910329|04|my03|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020260; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (mailru.25u.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|mailru|03|25u|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020261; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (Markshell.etowns.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|Markshell|06|etowns|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020262; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (mydear.ddns.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|mydear|04|ddns|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020263; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (nazgul.zyns.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|nazgul|04|zyns|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020264; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (newdyndns.scieron.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|newdyndns|07|scieron|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020265; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (newoutlook.darktech.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|newoutlook|08|darktech|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020266; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (photocard.4irc.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|photocard|04|4irc|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020267; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (pricetag.deaftone.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|pricetag|08|deaftone|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020268; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (rubberduck.gotgeeks.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|rubberduck|08|gotgeeks|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020269; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (shutdown.25u.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|shutdown|03|25u|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020270; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (sorry.ns2.name)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|sorry|03|ns2|04|name|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020271; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (sskill.b0ne.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|sskill|04|b0ne|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020272; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (text-First.flnet.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|text-First|05|flnet|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020273; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (uudog.4pu.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|uudog|03|4pu|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020274; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (will-smith.dtdns.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|will-smith|05|dtdns|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020275; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (ndcinformation.acmetoy.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|ndcinformation|07|acmetoy|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020276; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (service.authorizeddns.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|service|0d|authorizeddns|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020277; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (text-first.trickip.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|text-first|07|trickip|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020278; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (yellowblog.flnet.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|yellowblog|05|flnet|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020279; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for Suspicious crptarv4hcu24ijv Domain - CryptoWall Domains"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|crptarv4hcu24ijv"; fast_pattern; distance:0; nocase; reference:url,blogs.cisco.com/security/talos/cryptowall-2; reference:url,researchcenter.paloaltonetworks.com/2014/10/tracking-new-ransomware-cryptowall-2-0/; classtype:misc-activity; sid:2020280; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for Suspicious crptbfoi5i54ubez Domain - CryptoWall Domains"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|crptbfoi5i54ubez"; fast_pattern; distance:0; nocase; reference:url,blogs.cisco.com/security/talos/cryptowall-2; reference:url,researchcenter.paloaltonetworks.com/2014/10/tracking-new-ransomware-cryptowall-2-0/; classtype:misc-activity; sid:2020281; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for Suspicious crptcj7wd4oaafdl Domain - CryptoWall Domains"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|crptcj7wd4oaafdl"; fast_pattern; distance:0; nocase; reference:url,blogs.cisco.com/security/talos/cryptowall-2; reference:url,researchcenter.paloaltonetworks.com/2014/10/tracking-new-ransomware-cryptowall-2-0/; classtype:misc-activity; sid:2020282; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for Suspicious tolotor.com Domain - Possible CryptoWall Activity"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|tolotor|03|com"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020284; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for Suspicious boltotor.com Domain - Possible CryptoWall Activity"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|boltotor|03|com"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020285; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for Suspicious bonytor2.com Domain -Possible CryptoWall Activity"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|bonytor2|03|com"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020286; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for Suspicious speecostor.com Domain -Possible CryptoWall Activity"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|speecostor|03|com"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020287; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN Generic DNS Query for Suspicious CryptoWall (crpt) Domains"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|crpt"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9]{12}/R"; reference:url,blogs.cisco.com/security/talos/cryptowall-2; reference:url,researchcenter.paloaltonetworks.com/2014/10/tracking-new-ransomware-cryptowall-2-0/; classtype:misc-activity; sid:2020292; rev:1; metadata:created_at 2015_01_22, updated_at 2015_01_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Adrom.Backdoor CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:".php?page="; http_uri; content:"&enckey="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\x26enckey\x3D[A-F0-9]+$/U"; reference:md5,c621055803c68e89f3cb141608fd0894; reference:md5,3c2be5202d2d68047c76bdf7e1dfc2be; classtype:trojan-activity; sid:2020293; rev:1; metadata:created_at 2015_01_23, updated_at 2015_01_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Upatre.Downloader Encoded Binary Download Request"; flow:established,to_server; content:"/mandoc/"; fast_pattern; http_uri; depth:8; content:".pdf"; distance:0; http_uri; content:"Accept|3A| text/*, application/*|0D 0A|User-Agent|3A 20|"; depth:43; http_header; reference:url,phishme.com/evolution-upatre-dyre/; classtype:trojan-activity; sid:2020294; rev:1; metadata:created_at 2015_01_23, updated_at 2015_01_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Upatre Header Structure 3"; flow:to_server,established; content:"GET"; http_method; content:"Accept|3a 20|text/*,|20|application/*|0d 0a|User-Agent|3a 20|"; http_header; depth:43; fast_pattern:11,20; content:!"Mozilla"; within:7; http_header; content:!"Taitus"; http_header; pcre:"/^Accept\x3a\x20text\/\*,\x20application\/\*\r\nUser-Agent\x3a\x20[^\r\n]+\r\n(?:Pragma|Cache-Control)\x3a\x20no-cache\r\nConnection\x3a Keep-Alive\r\nHost\x3a[^\r\n]+?\r\n(?:\r\n)?$/H"; classtype:trojan-activity; sid:2020295; rev:3; metadata:created_at 2015_01_23, updated_at 2015_01_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Scieron Retrieving Information"; flow:established,to_server; content:"GET"; http_method; urilen:7; content:"/ip.txt"; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; flowbits:set,ET.Trojan.Scieron.Ret; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; reference:md5,a36db258d0f6f085e8e5030d8e9a9bf4; classtype:trojan-activity; sid:2020296; rev:1; metadata:created_at 2015_01_23, updated_at 2015_01_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Scieron Retrieving Information Response"; flow:established,from_server; file_data; content:"system"; within:6; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})system$/R"; flowbits:isset,ET.Trojan.Scieron.Ret; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; reference:md5,a36db258d0f6f085e8e5030d8e9a9bf4; classtype:trojan-activity; sid:2020297; rev:1; metadata:created_at 2015_01_23, updated_at 2015_01_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Scieron-A UA (HTClient)"; flow:established,to_server; content:"User-Agent|3a 20|HTClient|3b|"; http_header; fast_pattern:12,9; reference:md5,15deb1167a383d20b4232503b2f22b24; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020298; rev:1; metadata:created_at 2015_01_23, updated_at 2015_01_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Scieron-A Checkin via HTTP POST"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a 20|HTClient|3b|"; http_header; fast_pattern:12,9; pcre:"/^\/\d+$/U"; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; reference:md5,15deb1167a383d20b4232503b2f22b24; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020299; rev:1; metadata:created_at 2015_01_23, updated_at 2015_01_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dridex POST CnC Beacon 2"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:!"Referer|3A|"; http_header; content:"HTTP/1.1|0d 0a|Host|3a 20|"; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r\n/Rmi"; content:"Content-Type|3a 20|text/css|0d 0a|Accept|3a 20|image/**|0d 0a|"; distance:0; http_header; fast_pattern:21,20; content:"|0d 0a 0d 0a|"; byte_extract:1,0,Dridex.Pivot,relative; byte_test:1,!=,Dridex.Pivot,0,relative; byte_test:1,=,Dridex.Pivot,7,relative; reference:md5,b9de687cdae55d3c9fcfe6fc8bcdd28f; classtype:trojan-activity; sid:2020301; rev:2; metadata:created_at 2015_01_23, updated_at 2015_01_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dridex Post Checkin Activity 2"; flow:established,to_server; content:"|20|/"; offset:3; depth:3; content:"|20|HTTP/1.1|0d 0a|Host|3a 20|"; distance:20; within:97; content:!"Referer|3a|"; distance:0; pcre:"/^(?=[a-z0-9]{0,19}[A-Z])(?=[A-Z0-9]{0,19}[a-z])[a-zA-Z0-9]{4,20}\.[a-z]{2,3}/R"; content:"|0d 0a|Connection|3a 20|Close|0d 0a|User-Agent|3a 20|Mozilla/"; within:41; fast_pattern:4,20; reference:md5,b9de687cdae55d3c9fcfe6fc8bcdd28f; classtype:trojan-activity; sid:2020302; rev:4; metadata:created_at 2015_01_23, updated_at 2015_01_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/AGENT.NXNX Checkin 2"; flow:to_server,established; dsize:200; content:"D|3a 00 00 00|"; offset:7; depth:13; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}D\x3a\x00+?$/"; reference:md5,fdcf0e3e3ad69cdd570387c4ce9aa8b3; reference:url,ahnlabasec.tistory.com/1007; reference:url,global.ahnlab.com/global/upload/download/asecreport/ASEC Report_Vol.58_Eng.pdf; classtype:trojan-activity; sid:2020303; rev:2; metadata:created_at 2015_01_23, updated_at 2015_01_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9d 12 4e cf d7 61 de 81|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2020307; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_01_23, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dyre Downloading Mailer"; flow:established,to_server; content:"GET"; http_method; content:".tar"; http_uri; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"|20|HTTP/1."; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b| Win64|3b| x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36|0d 0a|Host|3a|"; distance:3; within:132; fast_pattern:50,20; pcre:"/^[^\r\n]+\r\n(?:\r\n)?$/R"; pcre:"/\.tar$/U"; classtype:trojan-activity; sid:2020308; rev:1; metadata:created_at 2015_01_26, updated_at 2015_01_26;)

alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET TROJAN Regin Hopscotch Module Accessing SMB2 Named Pipe (Unicode) 1"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|6|00|6|00|f|00|b|00|e|00|8|00|7|00|a|00|-|00|4|00|3|00|7|00|2|00|-|00|1|00|f|00|5|00|1|00|-|00|1|00|0|00|1|00|d|00|-|00|1|00|a|00|a|00|f|00|0|00|0|00|4|00|3|00|1|00|2|00|7|00|a|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin; classtype:trojan-activity; sid:2020309; rev:1; metadata:created_at 2015_01_26, updated_at 2015_01_26;)

alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET TROJAN Regin Hopscotch Module Accessing SMB Named Pipe (Unicode) 2"; flow:to_server,established; content:"|FF|SMB"; offset:4; depth:4; content:"|00|{|00|4|00|4|00|f|00|d|00|g|00|2|00|3|00|a|00|-|00|1|00|5|00|2|00|2|00|-|00|6|00|f|00|9|00|e|00|-|00|d|00|0|00|5|00|d|00|-|00|1|00|a|00|a|00|f|00|0|00|1|00|7|00|6|00|1|00|3|00|8|00|a|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin; classtype:trojan-activity; sid:2020310; rev:1; metadata:created_at 2015_01_26, updated_at 2015_01_26;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 10 f0 a9 8b a2 9b 82|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2020313; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_01_26, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 99 95 bf 9b 4f 7d 85 0e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2020314; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_01_26, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN KL-Remote / Cryp_Banker14 RAT connection"; flow:established,to_server; dsize:13; content:"|3c 7c|PRINCIPAL|7c 3e|"; fast_pattern:only; flowbits:set,ET.KLRemote; reference:md5,636edeba541483421e29b81b35f92841; reference:md5,c5763d0ef12dffa213d265596bd1acf9; reference:md5,5e01557b8650616e005a9949cbf5459a; classtype:trojan-activity; sid:2020315; rev:1; metadata:created_at 2015_01_27, updated_at 2015_01_27;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN KL-Remote / Cryp_Banker14 RAT response"; flow:established,from_server; dsize:6; content:"|3c 7c|OK|7c 3e|"; fast_pattern:only; flowbits:isset,ET.KLRemote; reference:md5,636edeba541483421e29b81b35f92841; reference:md5,c5763d0ef12dffa213d265596bd1acf9; reference:md5,5e01557b8650616e005a9949cbf5459a; classtype:trojan-activity; sid:2020316; rev:1; metadata:created_at 2015_01_27, updated_at 2015_01_27;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9d 98 f4 2b 01 ee fc d3|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2020322; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_01_28, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Mailer CnC Beacon 2"; flow:established,to_server; content:"GET"; http_method; content:"/action.php?action="; http_uri; fast_pattern:only; content:"&sent_all="; http_uri; content:"&sent_success="; distance:0; http_uri; content:"&active_connections="; distance:0; http_uri; content:"&queue_connections="; distance:0; http_uri; content:"User-Agent|3a 20|Send Mail|0d 0a|"; http_header; content:!"Referer|3a|"; http_header; reference:md5,57e546330fd3a4658dff0e29cbb98214; classtype:trojan-activity; sid:2020329; rev:1; metadata:created_at 2015_01_29, updated_at 2015_01_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Mailer CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/action.php?action=get_"; http_uri; fast_pattern:only; content:"User-Agent|3a 20|Send Mail|0d 0a|"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^\/action\.php\?action=get_(?:mails|red)$/U"; reference:md5,57e546330fd3a4658dff0e29cbb98214; classtype:trojan-activity; sid:2020330; rev:1; metadata:created_at 2015_01_29, updated_at 2015_01_29;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 97 45 b9 f1 e8 a9 d8 52|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2020331; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_01_29, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MSIL/Agent.PYO Retrieving Update"; flow:established,to_server; content:"GET"; http_method; content:"/data_updater.dat"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/data_updater\.dat$/U"; pcre:"/^Host\x3a[^\r\n]+\r\n(?:\r\n)?$/H"; reference:url,welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/; classtype:trojan-activity; sid:2020333; rev:1; metadata:created_at 2015_01_30, updated_at 2015_01_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MSIL/Agent.PYO Retrieving Config"; flow:established,to_server; content:"GET"; http_method; content:"/data.cfg"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/data\.cfg$/U"; reference:url,welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/; classtype:trojan-activity; sid:2020334; rev:1; metadata:created_at 2015_01_30, updated_at 2015_01_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN MSIL/Agent.PYO Receiving Config"; flow:established,from_server; file_data; content:"path = "; within:7; content:"|0a|delay = "; distance:0; pcre:"/^\d+\n/R"; content:"hash = "; within:7; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:url,welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/; classtype:trojan-activity; sid:2020335; rev:1; metadata:created_at 2015_01_30, updated_at 2015_01_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Agent.PYO Possible net.tcp CnC Beacon (stat)"; flow:established,to_server; content:"net.tcp|3a|//"; offset:7; depth:10; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a\d+\/stat\x03\x08\x0c$/R"; content:"/stat|03 08 0c|"; fast_pattern:only; reference:url,welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/; classtype:trojan-activity; sid:2020336; rev:1; metadata:created_at 2015_01_30, updated_at 2015_01_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Agent.PYO Possible net.tcp CnC Beacon (control)"; flow:established,to_server; content:"net.tcp|3a|//"; offset:7; depth:10; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a\d+\/control\x03\x08\x0c$/R"; content:"/control|03 08 0c|"; fast_pattern:only; reference:url,welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/; classtype:trojan-activity; sid:2020337; rev:1; metadata:created_at 2015_01_30, updated_at 2015_01_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN f0xy Checkin"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/hello.php"; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a[^\r\n]+?\r\n(?:\r\n)?$/Hi"; reference:md5,160634d784c256d29563117554685c31; reference:url,community.websense.com/blogs/securitylabs/archive/2015/01/29/new-f0xy-malware-employs-cunning-stealth-amp-trickery.aspx; classtype:trojan-activity; sid:2020339; rev:1; metadata:created_at 2015_01_30, updated_at 2015_01_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN f0xy Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?admin="; fast_pattern:only; content:"&id="; http_uri; content:"&nat="; http_uri; content:"&os="; http_uri; content:"&video="; http_uri; content:"&arch_type="; http_uri; content:"&v="; http_uri; content:"&av_list="; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a[^\r\n]+?\r\n(?:\r\n)?$/Hi"; reference:md5,160634d784c256d29563117554685c31; reference:url,community.websense.com/blogs/securitylabs/archive/2015/01/29/new-f0xy-malware-employs-cunning-stealth-amp-trickery.aspx; classtype:trojan-activity; sid:2020340; rev:4; metadata:created_at 2015_01_30, updated_at 2015_01_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN f0xy Download"; flow:to_server,established; content:"/bn_versions/"; http_uri; fast_pattern:only; content:".exe"; http_uri; content:!"Referer|3a|"; http_header; pcre:"/\/bn_versions\/\d+?\.exe$/U"; reference:md5,160634d784c256d29563117554685c31; reference:url,community.websense.com/blogs/securitylabs/archive/2015/01/29/new-f0xy-malware-employs-cunning-stealth-amp-trickery.aspx; classtype:trojan-activity; sid:2020341; rev:3; metadata:created_at 2015_01_30, updated_at 2015_01_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ArcDoor User-Agent (ALIZER)"; flow:established,to_server; content:"User-Agent|3a 20|ALIZER|0d 0a|"; http_header; reference:md5,71bae4762a6d2c446584f1ae991a8fbe; classtype:trojan-activity; sid:2020344; rev:1; metadata:created_at 2015_02_02, updated_at 2015_02_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ArcDoor Intial Checkin"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:!"Accept"; http_header; content:"Content-Length|3a 20|28|0d 0a|"; fast_pattern:only; pcre:"/^[a-z0-9]{11}=\d{16}$/P"; reference:md5,71bae4762a6d2c446584f1ae991a8fbe; classtype:trojan-activity; sid:2020345; rev:1; metadata:created_at 2015_02_02, updated_at 2015_02_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dropper YABROD Downloading Files"; flow:from_client,established; urilen:11; content:"/Yabrod.pdf"; content:"User-Agent|3a 20|n1|0d 0a|"; fast_pattern:12,4; content:!"Referer|3a 20|"; http_header; content:!"|0d 0a|Accept"; http_header; reference:md5,44df02ac28d80deb45f5c7c48b56a858; reference:url,fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf; classtype:trojan-activity; sid:2020346; rev:1; metadata:created_at 2015_02_02, updated_at 2015_02_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BePush/Kilim Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/ok.txt"; http_uri; content:"User-Agent|3a 20|AutoHotkey"; http_header; fast_pattern:2,20; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; pcre:"/\/ok\.txt$/U"; flowbits:set,ET.FB.troj; reference:url,seclists.org/fulldisclosure/2015/Jan/131; reference:md5,cdcc132fad2e819e7ab94e5e564e8968; classtype:trojan-activity; sid:2020348; rev:2; metadata:created_at 2015_02_03, updated_at 2015_02_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN BePush/Kilim Checkin response"; flow:established,from_server; file_data; content:"Server_ok"; depth:9; flowbits:isset,ET.FB.troj; reference:url,seclists.org/fulldisclosure/2015/Jan/131; reference:md5,cdcc132fad2e819e7ab94e5e564e8968; classtype:trojan-activity; sid:2020349; rev:1; metadata:created_at 2015_02_03, updated_at 2015_02_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BePush/Kilim payload retrieval"; flow:established,to_server; content:"GET"; http_method; content:"/app.exe"; http_uri; fast_pattern:only; content:"User-Agent|3a 20|Wget"; http_header; content:!"Accept-"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/\/app\.exe$/U"; reference:url,seclists.org/fulldisclosure/2015/Jan/131; reference:md5,cdcc132fad2e819e7ab94e5e564e8968; classtype:trojan-activity; sid:2020350; rev:3; metadata:created_at 2015_02_03, updated_at 2015_02_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Critroni Variant .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|sgqjml3dstgmarn3"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2020357; rev:1; metadata:created_at 2015_02_04, updated_at 2015_02_04;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Critroni Variant .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|3fdzgtam4qk625n6"; nocase; distance:0; fast_pattern; reference:md5,adb0de790bd3fb88490a60f0dddd90fa; classtype:trojan-activity; sid:2020358; rev:1; metadata:created_at 2015_02_04, updated_at 2015_02_04;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Critroni Variant .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rmxlqabmvfnw4wp4"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2020359; rev:1; metadata:created_at 2015_02_04, updated_at 2015_02_04;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Critroni Variant .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jssestaew3e7ao3q"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2020360; rev:1; metadata:created_at 2015_02_04, updated_at 2015_02_04;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Critroni Variant .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fizxfsi3cad3kn7v"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2020361; rev:1; metadata:created_at 2015_02_04, updated_at 2015_02_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET TROJAN Common Upatre URI/Headers Struct"; flow:established,to_server; content:"GET /"; depth:5; content:!"Accept"; distance:0; content:!"Referer|3a|"; distance:0; content:"/"; distance:0; content:"/"; distance:1; within:2; content:"/"; distance:1; within:1; pcre:"/^GET \/\d{2,4}[a-z]{2,}_?\d*?\/[^\x2f]+\/\d{1,2}\/\d\/\d\/[A-Z]*\x20HTTP/"; pcre:"/^Host\x3a[^\r\n]+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a\d{1,5}\r?$/mi"; content:" HTTP/1.1|0d 0a|User-Agent"; fast_pattern:only; classtype:trojan-activity; sid:2020369; rev:2; metadata:created_at 2015_02_05, updated_at 2015_02_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Upatre External IP Check"; flow:established,to_server; urilen:1; content:"GET"; http_method; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:"checkip.dyndns.org"; http_header; fast_pattern:only; pcre:"/^(?:Accept\x3a\x20text\/\*, application\/\*\r\n)?User-Agent\x3a[^\r\n\x3b\x28\x29]+\r\nHost\x3a[^\r\n]+checkip\.dyndns\.org\r\nCache-Control\x3a[^\r\n]+\r\n(?:\r\n)?$/H"; classtype:trojan-activity; sid:2020370; rev:3; metadata:created_at 2015_02_05, updated_at 2015_02_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 45"; flow:to_server,established; dsize:>11; content:"|7a 9a|"; offset:13; depth:2; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^.{4}[\x20-\x7e]{5}.{4}\x7a\x9a/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,eb7909105fd05064b14a21465742952c; classtype:trojan-activity; sid:2020371; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_02_05, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 86 c5 19 74 50 39 69 7a|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2020372; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_02_05, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible DEEP PANDA C2 Activity"; flow:established,to_server; content:"POST /"; depth:6; content:"User-Agent|3a 20|Mozilla/4.0+(compatible|3b|+MSIE+8.0|3b|+Windows+NT+5.1|3b|+SV1|29 0d 0a|"; fast_pattern:39,20; content:!"Referer|3a|"; content:!"Content-Type|3a|"; content:!"Accept"; content:"|0d 0a 0d 0a|"; content:"|00 00 00 00 00|"; distance:0; classtype:trojan-activity; sid:2020373; rev:3; metadata:created_at 2015_02_05, updated_at 2015_02_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sakula/Mivast C2 Activity"; flow:established,to_server; content:"POST"; http_method; content:".asp?cstring="; http_uri; fast_pattern:only; content:"&tom="; http_uri; content:"&id="; distance:0; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"|00 00 00 00|"; depth:4; http_client_body; reference:md5,5acc539355258122f8cdc7f5c13368e1; classtype:trojan-activity; sid:2020378; rev:1; metadata:created_at 2015_02_06, updated_at 2015_02_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Deep Panda User-Agent"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 |28|compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| WOW64|3b| Trident/4.0|3b| SLCC2|3b| .NET CLR 2.0.50727|3b| .NET CLR 3.5.30729|3b| .NET CLR 3.0.30729|3b| Media Center PC 6.0|29 0d 0a|"; http_header; fast_pattern:83,20; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"Host|3a 20|iecvlist.microsoft.com"; http_header; reference:md5,5acc539355258122f8cdc7f5c13368e1; classtype:trojan-activity; sid:2020380; rev:2; metadata:created_at 2015_02_06, updated_at 2015_02_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DDoS.XOR Checkin"; flow:to_server,established; content:"BB2FA36AAA9541F0"; depth:500; reference:url,blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html; classtype:trojan-activity; sid:2020381; rev:3; metadata:created_at 2015_02_06, updated_at 2015_02_06;)

alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET TROJAN Skeleton Key Filename in SMB2 Traffic "; flow:established,to_server; content:"|FE|SMB|40|"; offset:4; depth:5; content:"|16 00|"; distance:0; content:"m|00|s|00|u|00|t|00|a|00|6|00|4|00|.|00|d|00|l|00|l"; distance:8; within:21; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020382; rev:5; metadata:created_at 2015_02_06, updated_at 2015_02_06;)

alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET TROJAN Skeleton Key Filename in SMB2 Traffic"; flow:established,to_server; content:"|FE|SMB|40|"; offset:4; depth:5; content:"|12 00|"; distance:0; content:"o|00|l|00|e|00|6|00|4|00|.|00|d|00|l|00|l"; distance:8; within:17; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020383; rev:4; metadata:created_at 2015_02_06, updated_at 2015_02_06;)

alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET TROJAN Skeleton Key Filename in SMB2 Traffic"; flow:established,to_server; content:"|FE|SMB|40|"; offset:4; depth:5; content:"|0e 00|"; distance:0; content:"o|00|l|00|e|00|.|00|d|00|l|00|l"; distance:8; within:13; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020384; rev:2; metadata:created_at 2015_02_06, updated_at 2015_02_06;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Teslacrypt Ransomware .onion domain (7tno4hib47vlep5o)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|7tno4hib47vlep5o"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:md5,9377710d4787d1a9ee1c724dce8bf13a; classtype:trojan-activity; sid:2024106; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, signature_severity Major, created_at 2015_02_09, updated_at 2017_03_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/Xnote Keep-Alive"; flow:established,to_server; dsize:17; content:"|11 00 00 00 01 00 00 00 78 9c 4b 05 00 00 66 00 66|"; fast_pattern:only; reference:url,deependresearch.org/2015/02/linuxbackdoorxnote1-indicators.html; classtype:trojan-activity; sid:2020389; rev:1; metadata:created_at 2015_02_10, updated_at 2015_02_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Rovnix.J Checkin 2"; flow:established,to_server; content:"[0]|0d 0a|LP="; http_client_body; content:"|0a|VID="; distance:0; http_client_body; content:!"Referer|3a|"; http_header; content:"POST"; http_method; reference:md5,9471e926eda81b4f797b6cfe273e4e79; classtype:trojan-activity; sid:2020396; rev:3; metadata:created_at 2015_02_11, updated_at 2015_02_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Nivdort Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?email="; http_uri; content:"&method=post"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:" HTTP/1.0|0d 0a|"; metadata: former_category TROJAN; reference:md5,a80440b3d9cb09898c0f12aaa05980c0; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32/Nivdort; classtype:trojan-activity; sid:2025020; rev:5; metadata:created_at 2015_02_11, updated_at 2017_11_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN HawkEye Keylogger FTP"; flow:established,to_server; content:"STOR HawkEye"; nocase; pcre:"/^(?:_|Keylogger)/Ri"; reference:md5,85f3b302afa0989a91053af6092f3882; classtype:trojan-activity; sid:2020410; rev:4; metadata:created_at 2015_02_11, updated_at 2015_02_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN MSIL/Golroted.B Keylogger FTP"; flow:established,to_server; content:"STOR Logger_"; reference:md5,b2b82fd662dd0ddf53aa37bb9025bf92; classtype:trojan-activity; sid:2020411; rev:1; metadata:created_at 2015_02_12, updated_at 2015_02_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN Predator Pain Keylogger FTP"; flow:established,to_server; content:"STOR Predator_Pain"; reference:md5,c9025c9835d1b7d6f0dd2390ea7d5e18; classtype:trojan-activity; sid:2020412; rev:1; metadata:created_at 2015_02_12, updated_at 2015_02_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tinba Checkin 2"; flow:established,to_server; content:"POST"; http_method; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:"/|20|HTTP/1.0|0d 0a|Host|3a 20|"; fast_pattern:only; content:"|0d 0a 0d 0a|"; content:!"|00 00 00 00|"; within:4; content:!"|FF FF FF FF|"; within:4; byte_extract:2,2,Tinba.Pivot,relative; byte_test:2,=,Tinba.Pivot,2,relative; byte_test:2,!=,Tinba.Pivot,5,relative; pcre:"/^Host\x3a[^\r\n]+?\r\nContent-Length\x3a\x20\d{2,}\r\n(?:\r\n)?$/H"; flowbits:set,ET.Tinba.Checkin; reference:md5,7af6d8de2759b8cc534ffd72fdd8a654; classtype:trojan-activity; sid:2020418; rev:4; metadata:created_at 2015_02_12, updated_at 2015_02_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Gulcrypt.B Downloading components - set"; flow:established,to_server; urilen:8; content:"GET"; http_method; content:"/manager"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; flowbits:set,ET.Gulcrypt; flowbits:noalert; reference:md5,6c41449d6c3efd4c9f98374a0d132ff6; classtype:trojan-activity; sid:2020420; rev:1; metadata:created_at 2015_02_13, updated_at 2015_02_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Win32/Gulcrypt.B Downloading components"; flow:established,from_server; flowbits:isset,ET.Gulcrypt; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:md5,6c41449d6c3efd4c9f98374a0d132ff6; classtype:trojan-activity; sid:2020421; rev:1; metadata:created_at 2015_02_13, updated_at 2015_02_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Arid Viper APT Advtravel Campaign GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/sys/"; http_uri; fast_pattern; pcre:"/t=1?\d\/[0-3]?\d\/201\d [0-2]?\d\x3a[0-5]\d\x3a[0-5]\d [AP]M$/U"; pcre:"/^\/sys\/(?:who|genid|data|upload|update)/U"; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:attempted-admin; sid:2020431; rev:3; metadata:created_at 2015_02_16, updated_at 2015_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely Arid Viper APT Advtravel Campaign GET Keepalive"; flow:to_server,established; content:"GET"; http_method; content:"/index.php/customer/onlin"; http_uri; fast_pattern:only; content:"User-Agent|3a 20|Internet Explorer|0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:attempted-admin; sid:2020432; rev:4; metadata:created_at 2015_02_16, updated_at 2015_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely Arid Viper APT Advtravel Campaign POST"; flow:to_server,established; content:"POST"; http_method; content:"/index.php/customer/do_it"; http_uri; content:"User-Agent|3a 20|Internet|0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; content:"pn="; http_client_body; content:"&data="; http_client_body; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:attempted-admin; sid:2020433; rev:4; metadata:created_at 2015_02_16, updated_at 2015_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Arid Viper APT Checkin 1"; flow:established,to_server; content:"GET"; http_method; content:".php?name="; http_uri; fast_pattern:only; content:"&user="; http_uri; content:"|0d 0a|REMOTE_USER|3a 20|"; http_header; content:!"Referer|3a|"; http_header; pcre:"/&user=\d+$/U"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:trojan-activity; sid:2020434; rev:1; metadata:created_at 2015_02_16, updated_at 2015_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Arid Viper APT Exfiltrating files"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"account="; depth:8; http_client_body; content:"&name="; http_client_body; content:"&folder="; http_client_body; fast_pattern:only; content:"&fname="; http_client_body; content:"&s="; http_client_body; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:trojan-activity; sid:2020435; rev:1; metadata:created_at 2015_02_16, updated_at 2015_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Arid Viper APT Checking filename"; flow:established,to_server; content:"GET"; http_method; content:".php?name="; http_uri; fast_pattern:only; content:"path="; http_uri; content:"|0d 0a|REMOTE_USER|3a 20|"; http_header; content:!"Referer|3a|"; http_header; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:trojan-activity; sid:2020437; rev:1; metadata:created_at 2015_02_16, updated_at 2015_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Arid Viper APT File information"; flow:established,to_server; content:"GET"; http_method; content:".php?name="; http_uri; fast_pattern:only; content:"&user="; http_uri; content:"&file="; distance:0; http_uri; content:"&type="; distance:0; http_uri; content:"|0d 0a|REMOTE_USER|3a 20|"; http_header; content:!"Referer|3a|"; http_header; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:trojan-activity; sid:2020438; rev:1; metadata:created_at 2015_02_16, updated_at 2015_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Arid Viper APT Transmitting Serial"; flow:established,to_server; content:".php?name="; http_uri; fast_pattern:only; content:"&serial="; http_uri; content:"|0d 0a|REMOTE_USER|3a 20|"; http_header; content:!"Referer|3a|"; http_header; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:trojan-activity; sid:2020439; rev:1; metadata:created_at 2015_02_16, updated_at 2015_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Arid Viper APT Transmitting Date"; flow:established,to_server; content:".php?name="; http_uri; fast_pattern:only; content:"&date="; http_uri; content:"|0d 0a|REMOTE_USER|3a 20|"; http_header; content:!"Referer|3a|"; http_header; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:trojan-activity; sid:2020440; rev:1; metadata:created_at 2015_02_16, updated_at 2015_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Arid Viper APT Possible User-Agent (SK)"; flow:established,to_server; content:"User-Agent|3a 20|SK|0d 0a|"; nocase; http_header; fast_pattern:only; content:"|0d 0a|REMOTE_USER|3a 20|"; http_header; content:!"Referer|3a|"; http_header; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:trojan-activity; sid:2020441; rev:1; metadata:created_at 2015_02_16, updated_at 2015_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Arid Viper APT Possible User-Agent (Skype)"; flow:established,to_server; content:"User-Agent|3a 20|Skype|0d 0a|"; nocase; http_header; fast_pattern:only; content:"|0d 0a|REMOTE_USER|3a 20|"; http_header; content:!"Referer|3a|"; http_header; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:trojan-activity; sid:2020442; rev:1; metadata:created_at 2015_02_16, updated_at 2015_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Arid Viper APT Possible User-Agent (Skypee)"; flow:established,to_server; content:"User-Agent|3a 20|Skypee|0d 0a|"; nocase; http_header; fast_pattern:only; content:"|0d 0a|REMOTE_USER|3a 20|"; http_header; content:!"Referer|3a|"; http_header; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:trojan-activity; sid:2020443; rev:1; metadata:created_at 2015_02_16, updated_at 2015_02_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Arid Viper APT DNS Lookup (pstcmedia.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|pstcmedia|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:trojan-activity; sid:2020444; rev:1; metadata:created_at 2015_02_16, updated_at 2015_02_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Arid Viper APT DNS Lookup (mixedwork.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|mixedwork|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:trojan-activity; sid:2020445; rev:1; metadata:created_at 2015_02_16, updated_at 2015_02_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Arid Viper APT DNS Lookup (ahmedfaiez.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|ahmedfaiez|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:trojan-activity; sid:2020446; rev:1; metadata:created_at 2015_02_16, updated_at 2015_02_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Arid Viper APT DNS Lookup (flushupdate.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|flushupdate|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:trojan-activity; sid:2020447; rev:1; metadata:created_at 2015_02_16, updated_at 2015_02_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Arid Viper APT DNS Lookup (flushupate.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|flushupate|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:trojan-activity; sid:2020448; rev:1; metadata:created_at 2015_02_16, updated_at 2015_02_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Arid Viper APT DNS Lookup (ineltdriver.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|ineltdriver|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:trojan-activity; sid:2020449; rev:1; metadata:created_at 2015_02_16, updated_at 2015_02_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Arid Viper APT DNS Lookup (mediahitech.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|mediahitech|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:trojan-activity; sid:2020450; rev:1; metadata:created_at 2015_02_16, updated_at 2015_02_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Arid Viper APT DNS Lookup (plmedgroup.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|plmedgroup|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:trojan-activity; sid:2020451; rev:1; metadata:created_at 2015_02_16, updated_at 2015_02_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Arid Viper APT Advtravel Campaign DNS Lookup (advtravel.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|advtravel|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:trojan-activity; sid:2020452; rev:1; metadata:created_at 2015_02_16, updated_at 2015_02_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Arid Viper APT Advtravel Campaign DNS Lookup (fpupdate.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|fpupdate|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:trojan-activity; sid:2020453; rev:1; metadata:created_at 2015_02_16, updated_at 2015_02_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Arid Viper APT Advtravel Campaign DNS Lookup (linksis.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|linksis|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:trojan-activity; sid:2020454; rev:1; metadata:created_at 2015_02_16, updated_at 2015_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Arid Viper APT Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:"_rtemp.php?n="; http_uri; fast_pattern:only; content:"|0d 0a|REMOTE_USER|3a 20|"; http_header; content:!"Referer|3a|"; http_header; reference:md5,5efc02d416b15554b25d9acec362148e; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:trojan-activity; sid:2020436; rev:1; metadata:created_at 2015_02_16, updated_at 2015_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Carbanak APT CnC Beacon 1"; flow:established,to_server; dsize:24; content:"|08|"; depth:1; byte_extract:1,1,Carbanak.Pivot,relative; byte_test:1,!=,Carbanak.Pivot,0,relative; byte_test:1,=,Carbanak.Pivot,3,relative; content:"|00 00 00 02 00 00 00 00 00 00 00 00 00|"; distance:4; within:13; fast_pattern; content:!"|00 00 00|"; within:3; reference:md5,6ae1bb06d10f253116925371c8e3e74b; reference:url,securelist.com/files/2015/02/Carbanak_APT_eng.pdf; classtype:trojan-activity; sid:2020455; rev:2; metadata:created_at 2015_02_17, updated_at 2015_02_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Carbanak APT CnC Beacon 2"; flow:established,to_server; content:"|00 00|OS|3a 20|"; offset:10; depth:6; fast_pattern; content:"|2c 20|Domain|3a 20|"; distance:0; content:"|2c 20|User|3a 20|"; distance:0; content:"|00|"; distance:0; reference:url,securelist.com/files/2015/02/Carbanak_APT_eng.pdf; classtype:trojan-activity; sid:2020456; rev:1; metadata:created_at 2015_02_17, updated_at 2015_02_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Chanitor Variant .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ukzo73z4inzpenmq"; nocase; distance:0; fast_pattern; reference:md5,53752a41ed21172343f678423d6c9a44; classtype:trojan-activity; sid:2020458; rev:1; metadata:created_at 2015_02_17, updated_at 2015_02_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Desert Falcon APT DNS Lookup (linkedim.in)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|linkedim|02|in|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:trojan-activity; sid:2020459; rev:1; metadata:created_at 2015_02_18, updated_at 2015_02_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Desert Falcon APT DNS Lookup (iwork-sys.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|iwork-sys|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:trojan-activity; sid:2020472; rev:2; metadata:created_at 2015_02_18, updated_at 2015_02_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Desert Falcon APT DNS Lookup (androcity.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|androcity|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:trojan-activity; sid:2020461; rev:1; metadata:created_at 2015_02_18, updated_at 2015_02_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Desert Falcon APT DNS Lookup (liptona.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|liptona|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:trojan-activity; sid:2020462; rev:1; metadata:created_at 2015_02_18, updated_at 2015_02_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Desert Falcon Related APT DNS Lookup (nauss-lab.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|nauss-lab|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:trojan-activity; sid:2020464; rev:1; metadata:created_at 2015_02_18, updated_at 2015_02_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Desert Falcon Related APT DNS Lookup (nice-mobiles.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0C|nice-mobiles|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:trojan-activity; sid:2020465; rev:1; metadata:created_at 2015_02_18, updated_at 2015_02_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Desert Falcon Related APT DNS Lookup (facebook-emoticons.bitblogoo.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|facebook-emoticons|09|bitblogoo|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:trojan-activity; sid:2020466; rev:1; metadata:created_at 2015_02_18, updated_at 2015_02_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Desert Falcon Related APT DNS Lookup (abuhmaid.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|abuhmaid|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:trojan-activity; sid:2020467; rev:1; metadata:created_at 2015_02_18, updated_at 2015_02_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Desert Falcon Related APT DNS Lookup (blogging-host.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0D|blogging-host|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:trojan-activity; sid:2020468; rev:1; metadata:created_at 2015_02_18, updated_at 2015_02_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Desert Falcon Related APT DNS Lookup (tvgate.rocks)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|tvgate|05|rocks|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:trojan-activity; sid:2020469; rev:1; metadata:created_at 2015_02_18, updated_at 2015_02_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dridex POST Retrieving Second Stage"; flow:established,to_server; content:"POST / HTTP/1.1|0d 0a|"; depth:17; content:"Host|3a 20|"; pcre:"/^[^\r\n]+\x20[a-z]/Ri"; content:"|0d 0a 0d 0a|"; distance:0; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/R"; reference:md5,6948d4f22e8d57369988be219ab70335; classtype:trojan-activity; sid:2020470; rev:3; metadata:created_at 2015_02_18, updated_at 2015_02_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Babar POST Request"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSI 6.0|3b 20|"; http_header; fast_pattern:24,20; content:!"Referer|3a 20|"; http_header; reference:url,motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france; classtype:trojan-activity; sid:2020471; rev:1; metadata:created_at 2015_02_18, updated_at 2015_02_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Babar POST Request"; flow:established,to_server; content:"POST"; http_method; content:"/n.php"; http_uri; content:!"Referer|3a 20|"; http_header; content:"id="; http_client_body; depth:3; content:"&Action="; http_client_body; distance:0; fast_pattern; reference:url,motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france; classtype:trojan-activity; sid:2020474; rev:1; metadata:created_at 2015_02_18, updated_at 2015_02_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Beaugrit.gen.AAAA"; flow:established,to_server; content:"GET"; http_method; content:"/attach/1759CB3B5124F217143044"; http_uri; fast_pattern:only; content:!"Referer|3a 20|"; http_header; reference:md5,fbfe6c2673aec9098e1fc9bf6d7fc059; classtype:trojan-activity; sid:2020479; rev:1; metadata:created_at 2015_02_19, updated_at 2015_02_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.NSIS.Comame.A Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/9.php?safe="; http_uri; fast_pattern:only; content:"User-Agent|3a 20|NSIS_Inetc (Mozilla|29 0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; reference:md5,6a15f19a3ccd05f74537464e6df64dab; classtype:trojan-activity; sid:2020480; rev:2; metadata:created_at 2015_02_19, updated_at 2015_02_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SuperFish CnC Beacon 1"; flow:established,to_server; content:"GET"; http_method; content:"/set.php?ID="; depth:12; http_uri; content:"&Action="; distance:0; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:url,blog.erratasec.com/2015/02/extracting-superfish-certificate.html; reference:url,myce.com/news/lenovo-laptops-come-with-preinstalled-advertisement-injecting-adware-74290/; classtype:trojan-activity; sid:2020489; rev:1; metadata:created_at 2015_02_19, updated_at 2015_02_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SuperFish CnC Beacon 2"; flow:established,to_server; content:"GET"; http_method; content:"/verify.php?version="; http_uri; fast_pattern:only; content:"&GUID=|7b|"; http_uri; content:"User-Agent|3a 20|Mozilla/4.0|0d 0a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:url,blog.erratasec.com/2015/02/extracting-superfish-certificate.html; reference:url,myce.com/news/lenovo-laptops-come-with-preinstalled-advertisement-injecting-adware-74290/; classtype:trojan-activity; sid:2020490; rev:2; metadata:created_at 2015_02_19, updated_at 2015_02_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Bedep Connectivity Check (2)"; flow:established,to_server; content:"POST"; http_method; urilen:13; content:"/timezone/0/0"; http_uri; fast_pattern:only; content:"Host|3a 20|www.earthtools.org|0d 0a|"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; content:!"Referer|3a|"; http_header; reference:url,malware-traffic-analysis.net/2014/09/09/index.html; classtype:trojan-activity; sid:2020491; rev:5; metadata:created_at 2015_02_19, updated_at 2015_02_19;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN SuperFish Possible SSL Cert CnC Traffic"; flow:established,from_server; content:"|55 04 0a|"; content:"|0e|Superfish Inc."; distance:1; within:15; content:"|55 04 03|"; distance:0; content:"|19|*.best-deals-products.com"; distance:1; within:26; reference:url,blog.erratasec.com/2015/02/extracting-superfish-certificate.html; reference:url,myce.com/news/lenovo-laptops-come-with-preinstalled-advertisement-injecting-adware-74290/; classtype:trojan-activity; sid:2020492; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_02_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN SuperFish Possible SSL Cert Signed By Compromised Root CA"; flow:established,from_server; content:"|55 04 0a|"; content:"|0f|Superfish, Inc."; distance:1; within:16; content:"|55 04 03|"; distance:0; content:"|0f|Superfish, Inc."; distance:1; within:16; reference:url,blog.erratasec.com/2015/02/extracting-superfish-certificate.html; reference:url,myce.com/news/lenovo-laptops-come-with-preinstalled-advertisement-injecting-adware-74290/; classtype:trojan-activity; sid:2020493; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_02_19, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/HydraCrypt CnC Beacon 3"; flow:established,to_server; content:"GET"; http_method; content:"/upd.php"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; pcre:"/\/upd.php$/U"; pcre:"/^(?:Referer\x3a[^\r\n]+\r\n)?Host\x3a[^\r\n]+\r\n(?:\r\n)?$/H"; reference:md5,046e4b3ff7b323f2147f2d5d43b7e5f4; reference:md5,e4ab12da8828a7f1e6c077a2999f8320; classtype:trojan-activity; sid:2020503; rev:3; metadata:created_at 2015_02_23, updated_at 2016_12_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/LockScreen CnC Beacon 2"; flow:established,to_server; content:"GET"; http_method; urilen:8; content:"/cou.php"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"Host|3a|"; depth:5; http_header; pcre:"/^Host\x3a[^\r\n]+\r\n(?:\r\n)?$/H"; reference:md5,046e4b3ff7b323f2147f2d5d43b7e5f4; reference:md5,e4ab12da8828a7f1e6c077a2999f8320; classtype:trojan-activity; sid:2020504; rev:1; metadata:created_at 2015_02_23, updated_at 2015_02_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Sality.3 Checkin"; flow:to_server,established; content:"/?f"; http_uri; fast_pattern:only; content:!"User-Agent|3a| "; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; content:!"Cache-Control|3a 20|"; http_header; pcre:"/\/\?f$/U"; reference:md5,df9516919e75853742e63db318e7d346; classtype:trojan-activity; sid:2020505; rev:1; metadata:created_at 2015_02_23, updated_at 2015_02_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 94 65 e5 77 66 3b be 2b|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2020564; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Teslacrypt Ransomware .onion domain (2kjb7.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|2kjb7|03|net|00|"; fast_pattern; distance:0; nocase; metadata: former_category POLICY; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2024105; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, tag Ransomware, signature_severity Major, created_at 2015_02_24, malware_family TeslaCrypt, performance_impact Low, updated_at 2017_03_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Netwire RAT Client HeartBeat"; flow:established,to_server; dsize:5; content:"|01 00 00 00|"; depth:4; byte_test:1,>,0,0,relative; byte_test:1,<,3,0,relative; flowbits:isset,ET.NetwireRAT.Client; threshold: type both,track by_src, count 3, seconds 300; metadata: former_category TROJAN; reference:md5,495eef9238282e8f69f2284ca75d2ddc; classtype:trojan-activity; sid:2020566; rev:1; metadata:created_at 2015_02_24, updated_at 2017_12_11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 94 65 e5 77 66 3b be 2b|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2020567; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tinba Checkin 3"; flow:established,to_server; content:"POST"; http_method; content:"/"; offset:1; http_uri; content:!"Referer|3a|"; http_header; content:"Accept|3a 20|text/html, application/xhtml+xml, */*|0d 0a|"; depth:47; http_header; fast_pattern:27,20; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:!"|00 00 00 00|"; depth:4; http_client_body; content:"|00|"; offset:4; depth:1; http_client_body; byte_jump:4,0,relative,little,post_offset -1; isdataat:!1,relative; pcre:"/\/$/U"; reference:md5,e610d3c383a4f1c8a27aaf018b12c370; classtype:trojan-activity; sid:2020568; rev:2; metadata:created_at 2015_02_25, updated_at 2015_02_25;)

alert tcp $EXTERNAL_NET any -> $HOME_NET !1433 (msg:"ET TROJAN Unknown Trojan Downloading PE via MSSQL Connection to Non-Standard Port"; flow:from_server,established; flowbits:isset,ET.MSSQL; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:md5,754b48c57a00b7c9f0e0640166ac7bb5; classtype:trojan-activity; sid:2020569; rev:1; metadata:created_at 2015_02_25, updated_at 2015_02_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Chanitor .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|brk7tda32wtkxjpa"; nocase; distance:0; fast_pattern; reference:md5,34ad24860495397c994f8ae168d0e639; classtype:trojan-activity; sid:2020581; rev:1; metadata:created_at 2015_02_27, updated_at 2015_02_27;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (CryptoLocker CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c5 a5 39 20 2d fb d7 22|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2020582; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_03_02, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 46"; flow:to_server,established; dsize:>11; content:"|84 60|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x84\x60/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,019ab136fd79147b10ddb3e4162709db; classtype:trojan-activity; sid:2020586; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_03, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Xunpf.A Retrieving DLL"; flow:established,to_server; content:"GET"; http_method; content:"/web_"; http_uri; fast_pattern:only; content:".jpg"; http_uri; content:!"Referer|3a|"; http_header; pcre:"/\/web_[0-9A-F]{12}\.jpg$/U"; reference:md5,dfb7dd8b6975b73dc9c731319a05f86d; classtype:trojan-activity; sid:2020601; rev:1; metadata:created_at 2015_03_03, updated_at 2015_03_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LogPOS Sending Data"; flow:established,to_server; content:"GET"; http_method; content:"?encoding="; http_uri; fast_pattern; content:"&t="; http_uri; distance:0; content:"&cc="; http_uri; distance:0; content:"&process="; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; reference:url,morphick.net/blog/2015/2/27/mailslot-pos; classtype:trojan-activity; sid:2020602; rev:1; metadata:created_at 2015_03_03, updated_at 2015_03_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 47"; flow:to_server,established; dsize:>11; content:"|79 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9f/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5ad0bb62806297fb8bf159d94f82dbb9; classtype:trojan-activity; sid:2020606; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_04, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 48"; flow:to_server,established; dsize:>11; content:"|da 41|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\xda\x41/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,69ffa441a8c3cf4d8fe643174bebb51d; classtype:trojan-activity; sid:2020607; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_04, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 49"; flow:to_server,established; dsize:>11; content:"|79 dd|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\xdd/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,2e99b9462f95154e9f5b94eeed33a6e3; classtype:trojan-activity; sid:2020608; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_04, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 50"; flow:to_server,established; dsize:>11; content:"|7b 9d|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x9d/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1701f8c71b5861a2f2890dc609ef6eda; classtype:trojan-activity; sid:2020609; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_04, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 51"; flow:to_server,established; dsize:>11; content:"|7a 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7a\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,4b70f302c72c94d0b9214808d9f72419; classtype:trojan-activity; sid:2020610; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_04, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET ![80,443] (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 52"; flow:to_server,established; dsize:>11; content:"|7f 9d|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7f\x9d/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,61c03cdd39f0618d1643af15594da3e4; classtype:trojan-activity; sid:2020611; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_04, malware_family Gh0st, malware_family PCRAT, updated_at 2016_10_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 53"; flow:to_server,established; dsize:>11; content:"|70 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5a0e030383c472f7d94c0bcd6af71a90; classtype:trojan-activity; sid:2020612; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_04, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 54"; flow:to_server,established; dsize:>11; content:"|70 9e|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,4d6e0de81f57461337ccfbcce6dc1056; classtype:trojan-activity; sid:2020613; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_04, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 55"; flow:to_server,established; dsize:>11; content:"|39 dd|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x39\xdd/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5f42a5b709bf9a1377d2464f936fc841; classtype:trojan-activity; sid:2020614; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_04, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Teerac/CryptoFortress .onion Proxy Domain (3v6e2oe5y5ruimpe)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|3v6e2oe5y5ruimpe"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2020615; rev:1; metadata:created_at 2015_03_04, updated_at 2015_03_04;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Teerac/CryptoFortress .onion Proxy Domain (h63rbx7gkd3gygag)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|h63rbx7gkd3gygag"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2020616; rev:1; metadata:created_at 2015_03_04, updated_at 2015_03_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Bayrob Keepalive"; flow:established,to_server; content:"GET"; http_method; urilen:9; content:"/isup.php"; http_uri; fast_pattern:only; content:"Accept-Encoding|3a 20 20 20 20 20 20 20 20 20 20 20 20 20|"; http_header; content:!"Referer|3a|"; http_header; reference:md5,a4a3fab712b04ee901f491d4c704b138; classtype:trojan-activity; sid:2020621; rev:1; metadata:created_at 2015_03_05, updated_at 2015_03_05;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 cd 0b f5 0a 93 34 88 77|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2020625; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_03_06, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Trapwot FakeAV Post Infection CnC Beacon"; flow:established,to_server; content:"/rp?"; http_uri; fast_pattern:only; content:"v="; http_uri; content:"a="; http_uri; content:"u="; http_uri; content:"d="; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^\/(?:[^\x2f]+\/)?rp\?[a-z]=/U"; reference:md5,fc962cb08f62e3d6368500a8e747cf73; classtype:trojan-activity; sid:2020645; rev:1; metadata:created_at 2015_03_09, updated_at 2015_03_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Trapwot FakeAV Checkin"; flow:established,to_server; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"v="; http_uri; content:"a="; http_uri; content:"u="; http_uri; content:"i=0"; http_uri; fast_pattern:only; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; pcre:"/^\/(?:[a-z]+\/)?[a-z_]+\?[a-z]=/U"; reference:md5,baf71ace207afd3f330c4aba3784e074; classtype:trojan-activity; sid:2020646; rev:3; metadata:created_at 2015_03_09, updated_at 2015_03_09;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b0 11 9a 92 44 f0 ee 1a|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2020647; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_03_09, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker Boleto Fraud JS_BROBAN.SM Known Domain (bagacaoutra.ru)"; flow:to_server,established; content:"bagacaoutra.ru|0d 0a|"; fast_pattern:only; http_header; pcre:"/^Host\x3a[^\r\n]+bagacaoutra\.ru\r\n/Hmi"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:trojan-activity; sid:2020650; rev:3; metadata:created_at 2015_03_09, updated_at 2015_03_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker Boleto Fraud JS_BROBAN.SM Known Domain (bagacavoltou.ru)"; flow:to_server,established; content:"bagacavoltou.ru|0d 0a|"; fast_pattern:only; http_header; pcre:"/^Host\x3a[^\r\n]+bagacavoltou\.ru/Hmi"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:trojan-activity; sid:2020651; rev:2; metadata:created_at 2015_03_09, updated_at 2015_03_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker Boleto Fraud JS_BROBAN.SM Known Domain (bagacaveia.ru)"; flow:to_server,established; content:"bagacaveia.ru|0d 0a|"; fast_pattern:only; http_header; pcre:"/^Host\x3a[^\r\n]+bagacaveia\.ru/Hmi"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:trojan-activity; sid:2020652; rev:2; metadata:created_at 2015_03_09, updated_at 2015_03_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Banker Boleto Fraud JS_BROBAN.SM Firefox Plug-In Download"; flow:to_client,established; file_data; content:"PK|03 04|"; distance:0; content:"/addon-sdk/"; content:"|00 00|resources|2f|numberchangerfirefox|2f|PK"; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:trojan-activity; sid:2020653; rev:2; metadata:created_at 2015_03_09, updated_at 2015_03_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker Boleto Fraud JS_BROBAN.SM Checkin 1"; flow:to_server,established; content:"/rico.php"; fast_pattern:only; content:".asia|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+\.asia\r\n/Hmi"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:trojan-activity; sid:2020654; rev:2; metadata:created_at 2015_03_09, updated_at 2015_03_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker Boleto Fraud JS_BROBAN.SM Checkin 2"; flow:to_server,established; content:"/rico.php"; fast_pattern:only; content:".ru|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+\.ru\r\n/Hmi"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:trojan-activity; sid:2020655; rev:2; metadata:created_at 2015_03_09, updated_at 2015_03_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker Boleto Fraud JS_BROBAN.SM Checkin 3"; flow:to_server,established; content:"/rico.php"; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r\n/Hmi"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:trojan-activity; sid:2020656; rev:2; metadata:created_at 2015_03_09, updated_at 2015_03_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible malicious Office doc hidden in XML file"; flow:established,from_server; file_data; content:"<?xml"; within:5; content:"<?mso-application progid=|22|Word.Document|22|?>"; nocase; distance:0; content:"macrosPresent=|22|yes|22|"; distance:0; fast_pattern; reference:url,trustwave.com/Resources/SpiderLabs-Blog/Attackers-concealing-malicious-macros-in-XML-files/; classtype:trojan-activity; sid:2020657; rev:1; metadata:created_at 2015_03_09, updated_at 2015_03_09;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Cryptolocker .onion Proxy Domain (juf5pjk4sl7uojh4)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|juf5pjk4sl7uojh4"; fast_pattern; distance:0; nocase; reference:md5,499a46c23afe23de49346adf1b4f3a4f; reference:url,www.mogozobo.com/?p=2371; classtype:trojan-activity; sid:2020670; rev:1; metadata:created_at 2015_03_11, updated_at 2015_03_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Rofin.A CnC traffic (OUTBOUND)"; flow:to_server,established; dsize:>11; content:"|dd aa 99 66|"; depth:4; byte_jump:4,4,relative,little,from_beginning, post_offset -1; isdataat:!1,relative; reference:md5,6b71398418c7c6b01cf8abb105bc884d; classtype:trojan-activity; sid:2020671; rev:1; metadata:created_at 2015_03_11, updated_at 2015_03_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gamarue/Andromeda Downloading Payload"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0|0d 0a|"; fast_pattern:5,20; http_header; pcre:"/^\/[a-z]+\/[a-z]+\.exe$/U"; reference:md5,85d925a76909f29c3f370f35faedb9ea; classtype:trojan-activity; sid:2020683; rev:1; metadata:created_at 2015_03_11, updated_at 2015_03_11;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Zbot .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mmc65z4xsgbcbazl"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2020684; rev:2; metadata:created_at 2015_03_12, updated_at 2015_03_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Cryptolocker .onion Proxy Domain (4elcqmis624seeo7)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|4elcqmis624seeo7"; fast_pattern; distance:0; nocase; reference:url,teknoseyir.com/durum/291421; classtype:trojan-activity; sid:2020685; rev:1; metadata:created_at 2015_03_12, updated_at 2015_03_12;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c5 a3 08 37 22 97 2f 50|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2020687; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_03_12, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d7 2b 72 5e 83 81 97 47|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2020688; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_03_13, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a7 90 ac fd cd 02 3c 0d|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2020689; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_03_13, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vicepass CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?data="; depth:16; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"Host|3a|"; depth:5; http_header; pcre:"/^Host\x3a[^\r\n]+\r\n(?:\r\n)?$/Hmi"; reference:md5,5f1997927e94b98982e5ee2cea095956; classtype:trojan-activity; sid:2020690; rev:1; metadata:created_at 2015_03_13, updated_at 2015_03_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 56"; flow:to_server,established; dsize:>11; content:"|2e 96|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x2e\x96/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0fc4f20426ab1da2c705a4523d3baa0b; classtype:trojan-activity; sid:2020691; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_13, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 57"; flow:to_server,established; dsize:>11; content:"|7b 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x9f/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,06be359c6e6396fe105e8b59ac5a992e; classtype:trojan-activity; sid:2020692; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_13, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 58"; flow:to_server,established; dsize:>11; content:"|31 ad|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x31\xad/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,20a72c5af06e054ff840915b6632965f; classtype:trojan-activity; sid:2020693; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_13, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 59"; flow:to_server,established; dsize:>11; content:"|44 df|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x44\xdf/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,6a263de8d3f6d82e73330c84a83057bf; classtype:trojan-activity; sid:2020694; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_13, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 60"; flow:to_server,established; dsize:>11; content:"|70 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x94/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0fbca8d9f71265f44513e4f885587301; classtype:trojan-activity; sid:2020695; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_13, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 61"; flow:to_server,established; dsize:>11; content:"|3f a6|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x3f\xa6/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0045ce5ce7d697ecc86f1e44398bf404; classtype:trojan-activity; sid:2020696; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_13, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c9 a9 58 45 25 d7 de 84|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2020697; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_03_16, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN MWI Maldoc Exploit Kit Stats Callout"; flow:established,from_server; flowbits:isset,ETPRO.RTF; file_data; content:"INCLUDEPICTURE "; pcre:"/^\s*?[\x22\x27][^\x22\x27]+\.php\?id=\d+[\x22\x27]/Rs"; classtype:trojan-activity; sid:2020700; rev:2; metadata:created_at 2015_03_16, updated_at 2015_03_16;)

alert tcp any any -> any $HTTP_PORTS (msg:"ET TROJAN Generic - Mozilla 4.0 EXE Request"; flow:established,to_server; urilen:7<>14; content:".exe"; http_uri; content:"|3a| Mozilla/4.0|0D 0A|Host|3a|"; http_header; classtype:trojan-activity; sid:2020705; rev:3; metadata:created_at 2015_03_18, updated_at 2015_03_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV Variant CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php?id="; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Content-T"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php\?id=\d+$/U"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; reference:md5,693ca229558aab99e0a9d3385cacc40c; classtype:trojan-activity; sid:2020706; rev:1; metadata:created_at 2015_03_18, updated_at 2015_03_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN VaultCrypt Uploading Files"; flow:to_server,established; content:"POST"; http_method; urilen:6; content:"/v.php"; http_uri; fast_pattern:only; content:"|0d 0a|UA-CPU|3a 20|"; http_header; content:"Content-Type|3a 20|application/upload|0d 0a|"; content:"boundary=---------------------------0123456789012"; http_header; content:"name=|22|pf|22 3b|"; http_client_body; reference:url,www.bleepingcomputer.com/forums/t/570390/vaultcrypt-uses-batch-files-and-open-source-gnupg-to-hold-your-files-hostage; classtype:trojan-activity; sid:2020707; rev:2; metadata:created_at 2015_03_18, updated_at 2015_03_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Agent.WMN CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent"; depth:59; http_header; fast_pattern:31,20; content:"="; offset:4; depth:9; http_client_body; content:"=&"; distance:55; within:2; http_client_body; pcre:"/^[a-z]{4,12}=(?:[A-Za-z0-9+/]{4})*[A-Za-z0-9+/]{3}=&[a-z]{4,12}=[A-Za-z0-9+/]{4}/P"; reference:md5,3031604f1cf95ee4ccc339c9e4d5b92f; classtype:trojan-activity; sid:2020708; rev:1; metadata:created_at 2015_03_18, updated_at 2015_03_18;)

alert udp any any -> any 53 (msg:"ET TROJAN 9002 RAT C&C DNS request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|cache|05|dnsde|03|com|00|"; fast_pattern; nocase; distance:0; classtype:trojan-activity; sid:2020713; rev:1; metadata:created_at 2015_03_19, updated_at 2015_03_19;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET ![25,465,587] (msg:"ET TROJAN HOMEUNIX/9002 CnC Beacon"; flow:established,to_server; dsize:48; content:!"|00 00 00|"; offset:1; depth:3; byte_extract:3,1,xor_key; byte_test:3,=,xor_key,9; byte_test:3,=,xor_key,13; byte_extract:1,1,same_test; byte_test:1,!=,same_test,8; byte_test:1,!=,same_test,33; pcre:!"/^[\x20-\x7e\r\n]+$/"; reference:md5,256438747bae78c9101c9a0d4efe5572; classtype:trojan-activity; sid:2020714; rev:8; metadata:created_at 2015_03_19, updated_at 2015_03_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Teslacrypt Ransomware HTTP CnC Beacon M1"; flow:established,to_server; content:"GET"; http_method; content:"/state"; http_uri; fast_pattern:only; content:".php?"; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/state[^\x2f]*\.php\?[A-Za-z0-9+/]*={0,2}$/U"; reference:md5,c075fa8484d52c3978826c2f07ce9a9c; classtype:trojan-activity; sid:2020717; rev:3; metadata:created_at 2015_03_20, updated_at 2015_03_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Teslacrypt Ransomware HTTP CnC Beacon M2"; flow:established,to_server; content:"GET"; http_method; content:".php?U3ViamVjdD1"; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,c075fa8484d52c3978826c2f07ce9a9c; classtype:trojan-activity; sid:2020718; rev:2; metadata:created_at 2015_03_20, updated_at 2015_03_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FindPOS Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"oprat="; http_client_body; fast_pattern:only; content:"&uid="; http_client_body; content:"&uinfo="; http_client_body; content:"&win="; http_client_body; content:"&vers="; http_client_body; reference:md5,fe0f997d81d88bc11cc03e4d1fd61ebe; classtype:trojan-activity; sid:2020723; rev:2; metadata:created_at 2015_03_20, updated_at 2015_03_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN KeyLogger related to FindPOS CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"uid="; depth:4; http_client_body; content:"&win="; distance:0; http_client_body; content:"&vers="; distance:0; http_client_body; content:!"Referer|3a|"; http_header; reference:md5,593af622a90f2038e35ee980e09c1c3c; reference:url,researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:2020724; rev:1; metadata:created_at 2015_03_20, updated_at 2015_03_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Zbot .onion Proxy Domain (3bjpwsf3fjcwtnwx)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|3bjpwsf3fjcwtnwx"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2020727; rev:1; metadata:created_at 2015_03_23, updated_at 2015_03_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Adwind SSL Cert (assylias.Inc)"; flow:established,from_server; content:"|0b|"; content:"|04 1f 23 9d bd|"; distance:18; within:20; content:"|55 04 0a|"; distance:0; content:"|0c|assylias.Inc"; distance:1; within:13; fast_pattern; reference:md5,4e5c28fab23b35dea2d48a1c2db32b56; classtype:trojan-activity; sid:2020728; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_03_23, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fileless infection dropped by EK CnC Beacon"; flow:established,to_server; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"google."; http_header; content:"hl="; http_uri; content:"source="; http_uri; content:"aq="; http_uri; content:"aqi="; http_uri; content:"aql="; http_uri; fast_pattern:only; content:"oq="; http_uri; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; depth:49; http_header; classtype:trojan-activity; sid:2020734; rev:1; metadata:created_at 2015_03_24, updated_at 2015_03_24;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf 74 65 6a f0 91 13 26|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2020735; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_03_24, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/TrojanProxy.JpiProx.B CnC Beacon 1"; flow:established,to_server; content:"GET"; http_method; content:"/sync"; depth:5; http_uri; content:"/?ext="; within:7; http_uri; fast_pattern; content:"&pid="; distance:0; http_uri; content:!"Referer|3a|"; http_header; reference:md5,aa9542f02b26a554650a9649d2239181; classtype:trojan-activity; sid:2020737; rev:1; metadata:created_at 2015_03_24, updated_at 2015_03_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/TrojanProxy.JpiProx.B CnC Beacon 2"; flow:established,to_server; content:"GET"; http_method; content:"/sync"; depth:5; http_uri; content:"ext="; http_uri; content:"&pid="; http_uri; content:"&country="; http_uri; content:"&regd="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2020738; rev:1; metadata:created_at 2015_03_24, updated_at 2015_03_24;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Chanitor .onion Proxy Domain (l7gbml27czk3kvr5)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|l7gbml27czk3kvr5"; fast_pattern; distance:0; nocase; reference:md5,83c0b99427c026aad36b0d8204377702; classtype:trojan-activity; sid:2020739; rev:2; metadata:created_at 2015_03_24, updated_at 2015_03_24;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptoLocker .onion Proxy Domain (iezqmd4s2fflmh7n)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iezqmd4s2fflmh7n"; fast_pattern; distance:0; nocase; reference:md5,1d578c11069c7446ca6d05ff7623a972; classtype:trojan-activity; sid:2020740; rev:1; metadata:created_at 2015_03_24, updated_at 2015_03_24;)

alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Win32.Hyteod.acox Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|su|00|"; distance:53; within:4; content:"|32|"; distance:-55; within:1; pcre:"/^[a-z0-9]{50}/R"; threshold: type both, track by_src, count 3, seconds 60; classtype:trojan-activity; sid:2020741; rev:1; metadata:created_at 2015_03_24, updated_at 2015_03_24;)

alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Win32.Hyteod.acox Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|ru|00|"; distance:53; within:4; content:"|32|"; distance:-55; within:1; pcre:"/^[a-z0-9]{50}/R"; threshold: type both, track by_src, count 3, seconds 60; classtype:trojan-activity; sid:2020742; rev:1; metadata:created_at 2015_03_24, updated_at 2015_03_24;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d5 72 08 75 83 27 6f ba|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2020745; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_03_25, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Chroject.B Retrieving encoded payload"; flow:to_server,established; content:"GET"; http_method; content:!"Referer|3a|"; http_header; content:!"."; http_uri; content:"/en-us/"; depth:7; http_uri; content:"=|20|HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; fast_pattern; pcre:"/^\/en-us\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)$/U"; content:!"/im/"; http_uri; reference:md5,6c8c988a8129ff31ad0e764e59b31200; classtype:trojan-activity; sid:2020746; rev:8; metadata:created_at 2015_03_25, updated_at 2015_03_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Chroject.B Requesting ClickFraud Commands from CnC"; flow:to_server,established; content:"GET"; http_method; content:!"Referer|3a|"; http_header; content:!"."; http_uri; content:"/"; offset:1; http_uri; content:"="; distance:0; http_uri; content:"Host|3a|"; depth:5; http_header; pcre:"/^\/[a-z_-]+\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)$/U"; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r?$/Hmi"; content:" like Gecko|29| Chrome/"; http_header; fast_pattern; flowbits:set,ET.Chroject; metadata: former_category TROJAN; reference:md5,586ad13656f4595723b481d77b6bfb09; classtype:trojan-activity; sid:2020747; rev:4; metadata:created_at 2015_03_25, updated_at 2017_11_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Win32.Chroject.B Receiving ClickFraud Commands from CnC 1"; flow:from_server,established; file_data; content:"/title><script>window.setTimeout(function () { window.location="; fast_pattern:14,20; content:"<title>"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})<\/title/R"; reference:md5,586ad13656f4595723b481d77b6bfb09; classtype:trojan-activity; sid:2020748; rev:7; metadata:created_at 2015_03_25, updated_at 2015_03_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Win32.Chroject.B Receiving ClickFraud Commands from CnC 2"; flow:from_server,established; file_data; content:"<html><title>"; within:13; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})<\/title><\/html>$/R"; content:"</title></html>"; fast_pattern:only; flowbits:isset,ET.Chroject; reference:md5,586ad13656f4595723b481d77b6bfb09; classtype:trojan-activity; sid:2020749; rev:3; metadata:created_at 2015_03_25, updated_at 2015_03_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Chroject.B ClickFraud Request"; flow:to_server,established; content:"GET"; http_method; content:"/item/fmt?ct="; depth:13; http_uri; fast_pattern; content:"Referer|3a 20|http|3a|//"; http_header; pcre:"/^Referer\x3a\x20http\x3a\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/[a-z_-]+\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\r?$/Hmi"; reference:md5,586ad13656f4595723b481d77b6bfb09; classtype:trojan-activity; sid:2020750; rev:2; metadata:created_at 2015_03_25, updated_at 2015_03_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Vawtrak/NeverQuest .onion Proxy Domain (otsaa35gxbcwvrqs)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|otsaa35gxbcwvrqs"; nocase; distance:0; fast_pattern; reference:url,now.avg.com/banking-trojan-vawtrak-harvesting-passwords-worldwide/; classtype:trojan-activity; sid:2020759; rev:1; metadata:created_at 2015_03_26, updated_at 2015_03_26;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Vawtrak/NeverQuest .onion Proxy Domain (4bpthx5z4e7n6gnb)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|4bpthx5z4e7n6gnb"; nocase; distance:0; fast_pattern; reference:url,now.avg.com/banking-trojan-vawtrak-harvesting-passwords-worldwide/; classtype:trojan-activity; sid:2020760; rev:1; metadata:created_at 2015_03_26, updated_at 2015_03_26;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Vawtrak/NeverQuest .onion Proxy Domain (bc3ywvif4m3lnw4o)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bc3ywvif4m3lnw4o"; nocase; distance:0; fast_pattern; reference:url,now.avg.com/banking-trojan-vawtrak-harvesting-passwords-worldwide/; classtype:trojan-activity; sid:2020761; rev:1; metadata:created_at 2015_03_26, updated_at 2015_03_26;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Vawtrak/NeverQuest .onion Proxy Domain (llgerw4plyyff446)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|llgerw4plyyff446"; nocase; distance:0; fast_pattern; reference:url,now.avg.com/banking-trojan-vawtrak-harvesting-passwords-worldwide/; classtype:trojan-activity; sid:2020762; rev:1; metadata:created_at 2015_03_26, updated_at 2015_03_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 62"; flow:to_server,established; dsize:>11; content:"|7b 98|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x98/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,bcb626c7cca304f927ec97450008e600; classtype:trojan-activity; sid:2020763; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_27, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 63"; flow:to_server,established; dsize:>11; content:"|71 95|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x71\x95/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,00d4c1faeacaf45cfb02c592efe61a1d; classtype:trojan-activity; sid:2020764; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_27, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 64"; flow:to_server,established; dsize:>11; content:"|79 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9c/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,2a6c1f4e14533d9f2af8d9e4fcf53338; classtype:trojan-activity; sid:2020765; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_27, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 65"; flow:to_server,established; dsize:>11; content:"|40 a3|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x40\xa3/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0a2ae5eada44872675561a97ea56c0df; classtype:trojan-activity; sid:2020766; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_27, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 66"; flow:to_server,established; dsize:>11; content:"|7c 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7c\x9c/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,ec6b10b55732f68a174bb5b751bff840; classtype:trojan-activity; sid:2020767; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_27, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 67"; flow:to_server,established; dsize:>11; content:"|7d 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x9a/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,142b8df89b9ae5019c1f1855d2212e9f; classtype:trojan-activity; sid:2020768; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_27, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 68"; flow:to_server,established; dsize:>11; content:"|7b 95|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x95/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,8026990bea6f95613f6111b9a5506941; classtype:trojan-activity; sid:2020769; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_27, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 69"; flow:to_server,established; dsize:>11; content:"|7a 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7a\x9f/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,262d04177c4bec3215db085fc4c44493; classtype:trojan-activity; sid:2020770; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_27, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 70"; flow:to_server,established; dsize:>11; content:"|79 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9b/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,d9d1fd5025f47caaaa276d747657e01b; classtype:trojan-activity; sid:2020771; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_27, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 71"; flow:to_server,established; dsize:>11; content:"|79 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9a/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,8b69118f7c25f79c4c7de5b0830dda39; classtype:trojan-activity; sid:2020772; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_27, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 72"; flow:to_server,established; dsize:>11; content:"|78 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x78\x9a/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1bb5562b08bae781086095c439fc9e8b; classtype:trojan-activity; sid:2020773; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_27, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 73"; flow:to_server,established; dsize:>11; content:"|79 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9c/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,9c44da3c6326deb5b802b1494b202a1d; classtype:trojan-activity; sid:2020774; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_27, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 74"; flow:to_server,established; dsize:>11; content:"|70 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x9b/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,178f7f122f1de5c759a6538d78d67277; classtype:trojan-activity; sid:2020775; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_27, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 75"; flow:to_server,established; dsize:>11; content:"|79 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9b/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,9a3309620c23d821ea4e2f41538454a7; classtype:trojan-activity; sid:2020776; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_27, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 76"; flow:to_server,established; dsize:>11; content:"|3b df|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x3b\xdf/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1e3f91c46410d5205c7b6f6b53a45cff; classtype:trojan-activity; sid:2020777; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_27, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 77"; flow:to_server,established; dsize:>11; content:"|70 98|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x98/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,010c49cb69591e1738b7bdd78a54d8f8; classtype:trojan-activity; sid:2020778; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 78"; flow:to_server,established; dsize:>11; content:"|3b d8|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; content:!"Fxv"; depth:3; pcre:"/^[\x20-\x7e]+?.{8}\x3b\xd8/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,844ddc8d762f94e8cf04bbc6eb483121; classtype:trojan-activity; sid:2020779; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 79"; flow:to_server,established; dsize:>11; content:"|7d 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x9f/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,6168f11bb42ff767a224396c2656ea87; classtype:trojan-activity; sid:2020780; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 80"; flow:to_server,established; dsize:>11; content:"|31 d9|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; content:!"Fxv"; depth:3; pcre:"/^[\x20-\x7e]+?.{8}\x31\xd9/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,132c66e47afb0c1b969140713b09d625; classtype:trojan-activity; sid:2020781; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 81"; flow:to_server,established; dsize:>11; content:"|7e 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7e\x9c/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,733d252921fa9b74b268c1e451d2e0c8; classtype:trojan-activity; sid:2020782; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 82"; flow:to_server,established; dsize:>11; content:"|40 d8|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; content:!"Fxv"; depth:3; pcre:"/^[\x20-\x7e]+?.{8}\x40\xd8/s"; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,a2978e52da3503e33c65cd286a322bd2; classtype:trojan-activity; sid:2020783; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2017_03_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 83"; flow:to_server,established; dsize:>11; content:"|47 d9|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x47\xd9/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,4bd54550a23cb5bf40e0924dea7bad76; classtype:trojan-activity; sid:2020784; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 84"; flow:to_server,established; dsize:>11; content:"|4a d5|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; content:!"Fxv"; depth:3; pcre:"/^[\x20-\x7e]+?.{8}\x4a\xd5/s"; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,096fd620508d929b3422c6dca836e718; classtype:trojan-activity; sid:2020785; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2017_03_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 85"; flow:to_server,established; dsize:>11; content:"|7f 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7f\x9f/s"; content:!"POST /"; content:!"microsoft.com"; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,6bc0070240a714175e44dd2d6bf98481; classtype:trojan-activity; sid:2020786; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2017_04_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 86"; flow:to_server,established; dsize:>11; content:"|70 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x9a/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,4af85987c9aca11196eb1a603b40b18d; classtype:trojan-activity; sid:2020787; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 87"; flow:to_server,established; dsize:>11; content:"|7a 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7a\x9a/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,32652a6c74e5358549a7c536c3080d58; classtype:trojan-activity; sid:2020788; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 88"; flow:to_server,established; dsize:>11; content:"|7c 9e|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7c\x9e/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,e3ac512a1978cec5eb8bc12fbb384e1f; classtype:trojan-activity; sid:2020789; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 89"; flow:to_server,established; dsize:>11; content:"|30 a5|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x30\xa5/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,3fb6b63928996a2fab06ba634710740b; classtype:trojan-activity; sid:2020790; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 90"; flow:to_server,established; dsize:>11; content:"|31 d9|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; content:!"Fxv"; depth:3; pcre:"/^[\x20-\x7e]+?.{8}\x31\xd9/s"; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1fa6460563cddcb165511c6b17ff4637; classtype:trojan-activity; sid:2020791; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2017_03_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 91"; flow:to_server,established; dsize:>11; content:"|70 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x9b/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,3d10b1c4471c7d29e968d9059f844aab; classtype:trojan-activity; sid:2020792; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 92"; flow:to_server,established; dsize:>11; content:"|7f 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7f\x94/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1dabf462f9c07878f6cd0b58cabf6538; classtype:trojan-activity; sid:2020793; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 93"; flow:to_server,established; dsize:>11; content:"|7d 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x94/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,29ac81a0607f6456bc886f6099fdb5c8; classtype:trojan-activity; sid:2020794; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 94"; flow:to_server,established; dsize:>11; content:"|7b 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x9b/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,7403a3a7c924a50cb205c5936cb57821; classtype:trojan-activity; sid:2020795; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 95"; flow:to_server,established; dsize:>11; content:"|71 9d|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x71\x9d/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,599fc172ebcd9f41557ba1293522f424; classtype:trojan-activity; sid:2020796; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 96"; flow:to_server,established; dsize:>11; content:"|49 a2|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x49\xa2/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0928c98b9702e3c8df4e44f31bea56ac; classtype:trojan-activity; sid:2020797; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 97"; flow:to_server,established; dsize:>11; content:"|7d 98|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x98/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0c014b17729784f905f55e43347469ed; classtype:trojan-activity; sid:2020798; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 98"; flow:to_server,established; dsize:>11; content:"|79 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x94/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,79dd610cc7a62ad237d21c050eae32ec; classtype:trojan-activity; sid:2020799; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 99"; flow:to_server,established; dsize:>11; content:"|39 99|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x39\x99/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,2499b8a890b084b9d4eb76d2bfaeff56; classtype:trojan-activity; sid:2020800; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Skyfall fake Skype install link"; flow:established,to_server; content:"/video/?n="; http_uri; depth:10; reference:url,www.windowstechupdates.com/omg-video-httpskypepopvideo-netvideonskype-user-name-virus/; reference:url,securelist.com/blog/incidents/69065/skyfall-meets-skype/; classtype:trojan-activity; sid:2020801; rev:2; metadata:created_at 2015_03_30, updated_at 2015_03_30;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ac 19 e6 fb 11 28 a2 20|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2020802; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_03_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Volatile Cedar Win32.Explosive CnC Beacon 1"; flow:established,to_server; content:"==gKg5XI+BmK"; depth:12; reference:md5,11657162940dcc1c124e607b0f248039; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020807; rev:1; metadata:created_at 2015_03_31, updated_at 2015_03_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Volatile Cedar Win32.Explosive CnC Beacon 2"; flow:established,to_server; content:"|3C 2A 60|"; depth:3; fast_pattern; content:"|60 2A 3E|"; distance:0; pcre:"/^\x3c\x2a\x60[\x20-\x7e]+\x60\x2a\x3e$/"; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020808; rev:1; metadata:created_at 2015_03_31, updated_at 2015_03_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Volatile Cedar Win32.Explosive CnC Beacon 3"; flow:established,to_server; content:">Explosive"; offset:4; depth:10; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020809; rev:1; metadata:created_at 2015_03_31, updated_at 2015_03_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Volatile Cedar Win32.Explosive Fake User-Agent"; flow:established,to_server; content:"Host|3a|"; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| MSIE 6.0|3b| Windows NT 5.1|3b| .NET CLR 2.0.50727)"; fast_pattern:37,20; reference:md5,cefed502aaf38ee0089c527e7f537eda; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020810; rev:1; metadata:created_at 2015_03_31, updated_at 2015_03_31;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Volatile Cedar Win32.Explosive External IP Leak"; flow:established,from_server; content:"|0d 0a 0d 0a|<span id=|22|lblIPBehindProxy|22|>{"; distance:0; fast_pattern:13,20; reference:md5,cefed502aaf38ee0089c527e7f537eda; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020811; rev:1; metadata:created_at 2015_03_31, updated_at 2015_03_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Volatile Cedar Win32.Explosive HTTP CnC Beacon 1"; flow:established,to_server; content:".php?win="; http_uri; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| MSIE 6.0|3b| Windows NT 5.1|3b| .NET CLR 2.0.50727)"; http_header; fast_pattern:37,20; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020812; rev:1; metadata:created_at 2015_03_31, updated_at 2015_03_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Volatile Cedar Win32.Explosive HTTP CnC Beacon 1"; flow:established,to_server; content:".php?micro="; http_uri; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| MSIE 6.0|3b| Windows NT 5.1|3b| .NET CLR 2.0.50727)"; http_header; fast_pattern:37,20; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020813; rev:1; metadata:created_at 2015_03_31, updated_at 2015_03_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Volatile Cedar DNS Lookup (saveweb.wink.ws)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|saveweb|04|wink|02|ws|00|"; nocase; distance:0; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020814; rev:1; metadata:created_at 2015_03_31, updated_at 2015_03_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Volatile Cedar DNS Lookup (carima2012.site90.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|carima2012|06|site90|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020815; rev:1; metadata:created_at 2015_03_31, updated_at 2015_03_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Volatile Cedar DNS Lookup (explorerdotnt.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|explorerdotnt|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020816; rev:1; metadata:created_at 2015_03_31, updated_at 2015_03_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Volatile Cedar DNS Lookup (dotnetexplorer.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|dotnetexplorer|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020817; rev:1; metadata:created_at 2015_03_31, updated_at 2015_03_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Volatile Cedar DNS Lookup (dotntexplorere.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|dotntexplorere|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020818; rev:1; metadata:created_at 2015_03_31, updated_at 2015_03_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Volatile Cedar DNS Lookup (xploreredotnet.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|xploreredotnet|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020819; rev:1; metadata:created_at 2015_03_31, updated_at 2015_03_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Volatile Cedar DNS Lookup (erdotntexplore.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|erdotntexplore|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020820; rev:1; metadata:created_at 2015_03_31, updated_at 2015_03_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Hyteod CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"|5f 5e 5b 8b e5 5d|"; http_header; fast_pattern:only; content:!"Accept-"; http_header; content:!"Connection|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b| MSIE 9.0|3b| Windows NT 6.1|3b| Trident/5.0|29 0d 0a|"; http_header; reference:md5,f2ad19a08063171b039accd24b0c27ca; classtype:trojan-activity; sid:2020821; rev:1; metadata:created_at 2015_03_31, updated_at 2015_03_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN HTTP POST to WP Theme Directory Without Referer"; flow:established,to_server; content:"POST"; http_method; content:"/wp-content/themes/"; http_uri; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:!"citytv.com"; http_uri; pcre:"/^[^&=?]*\/wp-content\/themes\//Ui"; classtype:bad-unknown; sid:2020822; rev:4; metadata:created_at 2015_03_31, updated_at 2016_09_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dridex POST Retrieving Second Stage M2"; flow:established,to_server; content:"POST / HTTP/1.1|0d 0a|"; depth:17; content:"|0d 0a 0d 0a|"; distance:0; byte_extract:1,4,Dridex.Pivot,relative; byte_test:1,!=,Dridex.Pivot,0,relative; byte_test:1,=,Dridex.Pivot,7,relative; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/R"; content:"Host|3a 20|"; http_header; pcre:"/^Host\x3a (?=[a-z0-9]{0,19}[A-Z])(?:(?=[A-Z0-9]{0,19}[a-z])|(?=[A-Za-z]{0,19}\d)|(?=[A-Z]+\.))[a-zA-Z0-9]{3,20}[\x2e\x20][a-z]{2,3}\r?$/Hm"; reference:md5,148112df459ba40b9127f7d4f1c08df2; classtype:trojan-activity; sid:2020825; rev:5; metadata:created_at 2015_04_01, updated_at 2015_04_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/LockScreen.BW Payment Info"; flow:established,to_server; content:"POST"; http_method; content:"Referer|3a| http|3a|//mysticnews.ru"; http_header; content:"User-Agent|3a| Mozilla/5.0 (Windows NT 6.1|3b| rv|3a|11.0)"; http_header; content:"spShopId="; http_client_body; content:"&spShopPaymentId="; fast_pattern; http_client_body; distance:0; content:"&spCurrency="; http_client_body; distance:0; reference:md5,c74d4633e0593879d5e1321d9021e708; classtype:trojan-activity; sid:2020827; rev:2; metadata:created_at 2015_04_02, updated_at 2015_04_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/LockScreen.BW Payment Info 2"; flow:established,to_server; content:"POST"; http_method; content:"Referer|3a| http|3a|//mysticnews.ru"; http_header; content:"User-Agent|3a| Mozilla/5.0 (Windows NT 6.1|3b| rv|3a|11.0)"; http_header; content:"action=showPaymentForm&"; fast_pattern:3,20; http_client_body; content:"psAgreement="; http_client_body; distance:0; content:"&paymentSystemId="; http_client_body; distance:0; reference:md5,c74d4633e0593879d5e1321d9021e708; classtype:trojan-activity; sid:2020828; rev:1; metadata:created_at 2015_04_02, updated_at 2015_04_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/LockScreen.BW Checkin"; flow:established,to_server; content:"POST"; http_method; content:"Referer|3a| http|3a|//mysticnews.ru"; http_header; content:"User-Agent|3a| Mozilla/5.0 (Windows NT 6.1|3b| rv|3a|11.0)"; http_header; content:"locker_ver="; fast_pattern; http_client_body; content:"&i_firstboot="; http_client_body; distance:0; content:"&harddiskserial="; http_client_body; distance:0; reference:md5,c74d4633e0593879d5e1321d9021e708; classtype:trojan-activity; sid:2020829; rev:1; metadata:created_at 2015_04_02, updated_at 2015_04_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mikey Variant HTTP CnC Beacon 1"; flow:established,to_server; content:!"Accept-"; http_header; content:"Referer|3a 20|HTTP/1.0|0d 0a|"; depth:19; http_header; fast_pattern; reference:md5,0ebaf8a6292237b33045f5e81947004b; classtype:trojan-activity; sid:2020833; rev:1; metadata:created_at 2015_04_02, updated_at 2015_04_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mikey Variant HTTP CnC Beacon 2"; flow:established,to_server; content:"Accept|3a 20|*/*, "; http_header; pcre:"/^Accept\x3a\x20\*\/\*,[^\r\n]+, MZ/Hmi"; content:", MZ"; http_header; fast_pattern:only; reference:md5,0ebaf8a6292237b33045f5e81947004b; classtype:trojan-activity; sid:2020834; rev:1; metadata:created_at 2015_04_02, updated_at 2015_04_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mikey Variant HTTP CnC Beacon 3"; flow:established,to_server; content:"GET"; http_method; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"/index.php?N="; http_uri; content:"["; distance:0; http_uri; content:"]"; distance:0; http_uri; content:"["; distance:0; http_uri; content:"]"; distance:0; http_uri; reference:md5,0ebaf8a6292237b33045f5e81947004b; classtype:trojan-activity; sid:2020835; rev:1; metadata:created_at 2015_04_02, updated_at 2015_04_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"ET TROJAN IRC Bot dropped by Mikey Variant CnC Beacon"; flow:established,to_server; content:"["; content:"]"; distance:0; content:"["; distance:0; content:"]"; distance:0; content:"|0d 0a|NICK|20|"; pcre:"/^[a-z0-9]+\[\d+\]/R"; content:"-"; distance:0; content:"["; distance:0; pcre:"/^\d+\]\r\n$/R"; reference:md5,0ebaf8a6292237b33045f5e81947004b; classtype:trojan-activity; sid:2020836; rev:1; metadata:created_at 2015_04_02, updated_at 2015_04_02;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Teslacrypt Ransomware .onion domain (63ghdye17.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|63ghdye17|03|com|00|"; fast_pattern; distance:0; nocase; metadata: former_category POLICY; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020839; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, tag Ransomware, signature_severity Major, created_at 2015_04_03, malware_family TeslaCrypt, performance_impact Low, updated_at 2017_03_28;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a1 b6 29 6e e4 aa ec fe|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2020843; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_06, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Teslacrypt Ransomware .onion domain (7hwr34n18.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|7hwr34n18|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category POLICY; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020844; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, tag Ransomware, signature_severity Major, created_at 2015_04_06, malware_family TeslaCrypt, performance_impact Low, updated_at 2017_03_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Win32/SillyFDC WordPress Traffic"; flow:established,to_server; content:"GET"; http_method; content:"/?dm=6b2280e30391615dcaa18e533ccb99a9"; fast_pattern; depth:37; http_uri; reference:md5,3c10f65f8c1a84c53d94c331a63cad06; classtype:trojan-activity; sid:2020845; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2015_04_06, updated_at 2016_07_01;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TinyLoader.B1 Checkin x86"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 00 32|"; fast_pattern:only; reference:md5,bd69714997e839618a7db82484819552; classtype:trojan-activity; sid:2020849; rev:2; metadata:created_at 2015_04_07, updated_at 2015_04_07;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TinyLoader.B1 Checkin x64"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 00 86|"; fast_pattern:only; reference:md5,bd69714997e839618a7db82484819552; classtype:trojan-activity; sid:2020850; rev:1; metadata:created_at 2015_04_07, updated_at 2015_04_07;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TinyLoader.B2 Checkin no architecture"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 00 84|"; fast_pattern:only; reference:md5,b4ce43e1c9e74c549e2bae8cd77d5af1; classtype:trojan-activity; sid:2020851; rev:1; metadata:created_at 2015_04_07, updated_at 2015_04_07;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TinyLoader.B1 Sending Processes"; content:"Sy|5c|"; content:"wininit|5c|"; distance:0; content:"winlogon|5c|"; fast_pattern:only; reference:md5,bd69714997e839618a7db82484819552; classtype:trojan-activity; sid:2020852; rev:1; metadata:created_at 2015_04_07, updated_at 2015_04_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CryptoWall Check-in M2"; flow:established,to_server; urilen:<110; content:!"|0d 0a|Accept-"; nocase; http_header; pcre:"/[\/=][a-z0-9]{8,}$/U"; content:!"Referer|3a|"; http_header; content:"="; offset:1; depth:1; http_client_body; pcre:"/^[a-z]=[a-f0-9]{80,}$/P"; content:" rv|3a|11.0"; fast_pattern; http_header; content:"Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; depth:62; http_header; reference:md5,3c53c9f7ab32a09de89bb44e5f91f9af; classtype:trojan-activity; sid:2020855; rev:2; metadata:created_at 2015_04_07, updated_at 2015_04_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Malicious Office Doc CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/im"; http_uri; content:"g"; distance:0; http_uri; content:".php?id="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:"MSOffice"; http_header; content:!"Outlook"; http_header; pcre:"/\/im(?:age|g)\.php\?id=\d+$/U"; reference:md5,27cd0a3db18fbb6d316fb4542c3a51f3; classtype:trojan-activity; sid:2020860; rev:5; metadata:created_at 2015_04_07, updated_at 2015_04_07;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|04|gu2m"; distance:1; within:5; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2020864; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_08, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Teslacrypt Ransomware .onion domain (epmhyca5ol6plmx3)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|epmhyca5ol6plmx3"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:md5,a6061196c9df9364d48c01bea83d6cb7; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~EccKrypt-D/detailed-analysis.aspx; classtype:trojan-activity; sid:2020882; rev:2; metadata:created_at 2015_04_08, updated_at 2017_03_28;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Teslacrypt Ransomware .onion domain (wh47f2as19.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|wh47f2as19|03|com|00|"; fast_pattern; distance:0; nocase; metadata: former_category POLICY; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020869; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, tag Ransomware, signature_severity Major, created_at 2015_04_08, malware_family TeslaCrypt, performance_impact Low, updated_at 2017_03_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Kriptovor Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/loader.php?name="; fast_pattern:only; http_uri; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/5.0 (Windows|3b| U|3b| Windows NT 5.1|3b| en-US|3b| rv|3a|x.xx) Gecko/20030504 Mozilla Firebird/0.6"; http_header; reference:url,fireeye.com/blog/threat-research/2015/04/analysis_of_kriptovo.html; reference:md5,7e47a518561c46123d4facd43effafbf; classtype:trojan-activity; sid:2020883; rev:3; metadata:created_at 2015_04_09, updated_at 2015_04_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,465,587] (msg:"ET TROJAN Kriptovor SMTP Traffic"; flow:established,to_server; content:"|0d 0a|PC|3a 20|"; content:"|0d 0a|Text|3a 20|"; distance:0; content:"|0d 0a|IP|3a 20|"; distance:0; content:"|0d 0a|TS|3a 20|"; distance:0; reference:url,fireeye.com/blog/threat-research/2015/04/analysis_of_kriptovo.html; reference:md5,c3ab87f85ca07a7d026d3cbd54029bbe; classtype:trojan-activity; sid:2020884; rev:1; metadata:created_at 2015_04_09, updated_at 2015_04_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Kriptovor Retrieving RAR Payload"; flow:established,to_server; content:"GET"; http_method; content:".rar"; http_uri; content:!"Referer|3a|"; http_header; content:!"Connection|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/5.0 (Windows|3b| U|3b| Windows NT 6.1|3b| en-us|3b| rv|3a|1.9.2.3) Gecko/20100401 YFF35 Firefox/3.6.3"; http_header; fast_pattern:86,20; pcre:"/\.rar$/U"; reference:url,fireeye.com/blog/threat-research/2015/04/analysis_of_kriptovo.html; reference:md5,c3ab87f85ca07a7d026d3cbd54029bbe; classtype:trojan-activity; sid:2020885; rev:1; metadata:created_at 2015_04_09, updated_at 2015_04_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Kriptovor External IP Lookup checkip.dyndns.org"; flow:established,to_server; content:"GET"; http_method; urilen:1; content:!"Referer|3a|"; http_header; content:!"Connection|3a|"; http_header; content:"Host|3a 20|checkip.dyndns.org|0d 0a|"; depth:26; http_header; fast_pattern; content:"User-Agent|3a 20|Mozilla/5.0 (Windows|3b| U|3b| Windows NT 5.1|3b| en-US|3b| rv|3a|x.xx) Gecko/20030504 Mozilla Firebird/0.6"; http_header; reference:url,fireeye.com/blog/threat-research/2015/04/analysis_of_kriptovo.html; reference:md5,00e3b69b18bfad7980c1621256ee10fa; classtype:trojan-activity; sid:2020886; rev:2; metadata:created_at 2015_04_09, updated_at 2015_04_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Shellshock Worm Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/.c.php?request="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:url,volexity.com/blog/?p=118; classtype:trojan-activity; sid:2020887; rev:1; metadata:created_at 2015_04_09, updated_at 2015_04_09;)

alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Vobus/Beebone Sinkhole DNS Reply"; content:"|00 01 00 01|"; content:"|00 04 2E F4 15 04|"; distance:4; within:6; reference:url,trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/151/operation-source-botnet-takedown-trend-micro-solutions; classtype:trojan-activity; sid:2020889; rev:1; metadata:created_at 2015_04_10, updated_at 2015_04_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Operation Buhtrap CnC Beacon 1"; flow:established,to_server; content:"POST"; http_method; content:"/gate.php"; http_uri; fast_pattern:only; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| Synapse|29 0d 0a|"; http_header; content:"id="; depth:3; http_client_body; pcre:"/^id=[A-F0-9]+$/P"; pcre:"/\/gate\.php$/U"; reference:url,welivesecurity.com/2015/04/09/operation-buhtrap/; reference:md5,24fac66b3a6d55a83e1309bc530b032e; classtype:trojan-activity; sid:2020890; rev:1; metadata:created_at 2015_04_10, updated_at 2015_04_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Operation Buhtrap CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:"/menu.php"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; http_header; content:"rv|3a|20.0"; http_header; content:"Firefox/20.0"; distance:0; http_header; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; pcre:"/\/menu\.php$/U"; reference:url,welivesecurity.com/2015/04/09/operation-buhtrap/; reference:md5,24fac66b3a6d55a83e1309bc530b032e; classtype:trojan-activity; sid:2020891; rev:2; metadata:created_at 2015_04_10, updated_at 2015_04_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Maldoc Retrieving Dridex from pastebin"; flow:established,to_server; content:"GET"; http_method; content:"/raw.php?i="; depth:11; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:"Host|3a 20|pastebin.com|0d 0a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| Win32|3b| WinHttp.WinHttpRequest.5|29 0d 0a|"; http_header; reference:md5,07523de32e43f67b1bbd5edc87803d5c; classtype:trojan-activity; sid:2020892; rev:2; metadata:created_at 2015_04_10, updated_at 2015_04_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible APT30 or Win32/Nuclear HTTP Framework"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Win32|29 0d 0a|HOST|3a|"; http_header; depth:60; fast_pattern:40,20; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; pcre:"/\.(?:txt|gif|exe|bmp)$/Ui"; reference:url,www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf; classtype:trojan-activity; sid:2020897; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2015_04_13, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible APT30 or Win32/Nuclear HTTP Framework POST"; flow:established,to_server; content:"POST|20|"; depth:5; content:"HTTP/1."; distance:0; content:!"Accept"; distance:0; content:!"Content-Type|3a|"; distance:0; content:!"Referer|3a|"; distance:0; content:"|20 28|compatible|3b| MSIE 6.0|3b| Win32|29 0d 0a|HOST|3a|"; distance:0; fast_pattern:12,20; content:"|0d 0a 0d 0a|"; distance:0; byte_jump:4,1,relative,little,post_offset -6; isdataat:!1,relative; reference:url,www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf; classtype:trojan-activity; sid:2020898; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2015_04_13, malware_family Nuclear, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Emotet v2 Exfiltrating Outlook information"; flow:established,to_server; content:"POST"; http_method; content:!"Content-Type|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"<Information>"; http_client_body; fast_pattern; content:"<id>"; distance:0; http_client_body; content:"<Version>"; distance:0; http_client_body; content:"<profile>"; distance:0; http_client_body; reference:url,securelist.com/analysis/69560/the-banking-trojan-emotet-detailed-analysis/; classtype:trojan-activity; sid:2020900; rev:2; metadata:created_at 2015_04_13, updated_at 2015_04_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible APT30 Fake Mozilla UA"; flow:established,to_server; content:"User-Agent|3a| Moziea/"; http_header; reference:url,www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf; classtype:trojan-activity; sid:2020901; rev:1; metadata:created_at 2015_04_13, updated_at 2015_04_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LankerBoy HTTP CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:".txt"; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|us|0d 0a|Host"; depth:20; http_header; fast_pattern; pcre:"/\.txt$/U"; reference:md5,db2c617a6e53a24fa887e6ecf60a076d; classtype:trojan-activity; sid:2020902; rev:1; metadata:created_at 2015_04_13, updated_at 2015_04_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CoinVault Mailer CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/redirect.php?loc=mail"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/redirect\.php\?loc=mail$/U"; reference:md5,af0e5a5df0be279aa517e2fd65cadd5c; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3581; classtype:trojan-activity; sid:2020906; rev:1; metadata:created_at 2015_04_14, updated_at 2015_04_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CoinVault CnC Beacon M1"; flow:established,to_server; content:"POST"; http_method; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"hwid="; depth:5; http_client_body; content:"&knock="; distance:0; http_client_body; content:"&keylog="; http_client_body; fast_pattern:only; reference:md5,c7e34daa9e9160ce433a6cae74867711; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3581; classtype:trojan-activity; sid:2020907; rev:1; metadata:created_at 2015_04_14, updated_at 2015_04_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CoinVault CnC Beacon M2"; flow:established,to_server; content:"POST"; http_method; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"eyJib3RpbmZvIjp7InVwbG9hZElkIjo"; http_client_body; reference:md5,c7e34daa9e9160ce433a6cae74867711; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3581; classtype:trojan-activity; sid:2020908; rev:1; metadata:created_at 2015_04_14, updated_at 2015_04_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN CoinVault CnC Beacon Response"; flow:established,from_server; file_data; content:"eyJrbm9ja3RpbWUiOj"; within:18; reference:md5,c7e34daa9e9160ce433a6cae74867711; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3581; classtype:trojan-activity; sid:2020909; rev:1; metadata:created_at 2015_04_14, updated_at 2015_04_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Ruckguv.A Requesting Payload"; flow:established,to_server; content:"GET"; http_method; content:"/id.exe"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:"MSIE"; http_header; reference:md5,227365242cc97fa611fdac295b732d82; reference:md5,b9eec5be1d2f5d0007bd94fdd8c7ea57; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3801; classtype:trojan-activity; sid:2020910; rev:1; metadata:created_at 2015_04_14, updated_at 2015_04_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET TROJAN W32/Farfli.BHQ!tr Dropper CnC Beacon 2"; flow:established,to_server; content:"GET /do.asp?search="; depth:19; content:"|20|HTTP/1."; distance:0; content:!"Referer|3a|"; distance:0; content:"Host|3a 20|"; distance:0; pcre:"/^\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x3A\d{1,5}\r?$/Rmi"; reference:md5,93be88ad3816c19d74155f8cd3aae1d2; classtype:trojan-activity; sid:2020913; rev:1; metadata:created_at 2015_04_15, updated_at 2015_04_15;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptoLocker .onion Proxy Domain (33p5mqkaj22irv4z)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|33p5mqkaj22irv4z"; fast_pattern; distance:0; nocase; reference:md5,1c6269fe48cba5f830a64a50bdf4ffe5; reference:url,www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/page-13; classtype:trojan-activity; sid:2020915; rev:1; metadata:created_at 2015_04_15, updated_at 2015_04_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FighterPOS CnC Beacon 1"; flow:established,to_server; content:"GET"; http_method; content:"/command.php?id="; http_uri; fast_pattern:only; content:"&os="; http_uri; content:"&com="; http_uri; content:"&ver="; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,b0416d389b0b59776fe4c4ddeb407239; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/wp-fighterpos.pdf; classtype:trojan-activity; sid:2020918; rev:1; metadata:created_at 2015_04_15, updated_at 2015_04_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FighterPOS CnC Beacon 2"; flow:established,to_server; content:"GET"; http_method; content:"/log.php?id=|5b|"; http_uri; fast_pattern; content:"|7c|"; distance:0; http_uri; content:"|5d|"; distance:0; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,b0416d389b0b59776fe4c4ddeb407239; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/wp-fighterpos.pdf; classtype:trojan-activity; sid:2020919; rev:1; metadata:created_at 2015_04_15, updated_at 2015_04_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FighterPOS CnC Beacon 3"; flow:established,to_server; content:"GET"; http_method; content:"/keylogger.php?id="; http_uri; fast_pattern:only; content:"&com="; http_uri; content:"&key="; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,b0416d389b0b59776fe4c4ddeb407239; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/wp-fighterpos.pdf; classtype:trojan-activity; sid:2020920; rev:1; metadata:created_at 2015_04_15, updated_at 2015_04_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sysget/HelloBridge HTTP GET CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:".php?fn="; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/&(?:uid|name|file)=[a-f0-9]+$/U"; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:trojan-activity; sid:2020921; rev:1; metadata:created_at 2015_04_15, updated_at 2015_04_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sysget/HelloBridge HTTP POST CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php?fn="; http_uri; fast_pattern:only; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:"name=|22|file|22|"; http_client_body; content:"name=|22|path|22|"; distance:0; http_client_body; content:"name=|22|submit|22|"; distance:0; http_client_body; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:trojan-activity; sid:2020922; rev:1; metadata:created_at 2015_04_15, updated_at 2015_04_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Unit42 PoisonIvy Keepalive to CnC"; flow:established,to_server; dsize:48; content:"|b8 98 30 04 e8 10 e5 8c e4 06 39 1b e0 51 96 40|"; offset:16; depth:16; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:trojan-activity; sid:2020923; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2015_04_15, malware_family PoisonIvy, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zacom/NFlog HTTP POST Connectivity Check"; flow:established,to_server; content:"POST"; http_method; content:"/STTip.asp"; http_uri; fast_pattern; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:!"Content-Type|3a|"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:trojan-activity; sid:2020924; rev:1; metadata:created_at 2015_04_15, updated_at 2015_04_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zacom/NFlog HTTP POST Fake UA CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".asp"; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:!"Content-Type|3a|"; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.0|3b| .NET CLR 1.1.4322|29 0d 0a|"; http_header; fast_pattern:63,20; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:trojan-activity; sid:2020925; rev:2; metadata:created_at 2015_04_15, updated_at 2015_04_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN FormerFirstRAT HTTP POST CnC Beacon"; flow:established,to_server; content:"POST / HTTP/1."; depth:14; content:!"Accept-"; distance:0; content:!"Referer|3a|"; distance:0; content:!"Content-Type|3a|"; distance:0; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.0|3b| .NET CLR 1.1.4322)|0d 0a|"; distance:0; fast_pattern:63,20; content:"|3a|443|0d 0a|"; content:"|0d 0a 0d 0a|"; distance:0; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/R"; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:trojan-activity; sid:2020926; rev:2; metadata:created_at 2015_04_15, updated_at 2015_04_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bioazih RAT Checkin"; flow:to_server,established; content:"User-Agent|3a| Pass|3a|"; http_header; content:"Hostname|3a|"; http_header; content:"Ip|3a|"; http_header; content:"Os|3a|"; http_header; content:"Proxy|3a|"; fast_pattern:only; http_header; content:"Vm|3a|"; http_header; reference:md5,7bc5451341a684aca80a59a463bad973; reference:md5,5443cf2b6c010c57cf740356c9167b77; reference:url,blogs.technet.com/b/mmpc/archive/2015/04/13/bioazih-rat-how-clean-file-metadata-can-help-keep-you-safe.aspx; classtype:trojan-activity; sid:2020927; rev:4; metadata:created_at 2015_04_15, updated_at 2015_04_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zacom/NFlog Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:".asp?HostID="; fast_pattern:only; http_uri; content:"Windows NT 5.0|3b| .NET CLR 1.1.4322|29 0d 0a|"; http_header; pcre:"/\?HostID=([A-F0-9]{2}(?:-|<>)){5}[A-F0-9]{2}$/U"; reference:md5,e397a68bf4fbb7a9b4d1b6da1fe2172b; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:trojan-activity; sid:2020928; rev:2; metadata:created_at 2015_04_15, updated_at 2015_04_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Dalexis downloader encrypted binary (1)"; flow:established,to_client; file_data; content:"|fc 6e 8e d1 0a 7a be 86|"; within:2048; classtype:trojan-activity; sid:2020929; rev:1; metadata:created_at 2015_04_16, updated_at 2015_04_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Dalexis downloader encrypted binary (2)"; flow:established,to_client; file_data; content:"|35 8c 0c 43 e2 1c f7 e4|"; distance:40; within:8; classtype:trojan-activity; sid:2020930; rev:1; metadata:created_at 2015_04_16, updated_at 2015_04_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Dalexis downloader encrypted binary (3)"; flow:established,to_client; file_data; content:"|fc 6e 8e d1 0a 7a be 86|"; distance:32; within:8; classtype:trojan-activity; sid:2020931; rev:1; metadata:created_at 2015_04_16, updated_at 2015_04_16;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|10 58 85 8a 21 5a 27 a4 1f be 8f a1 3a f0 13 c5 94|"; within:40; content:"|55 04 03|"; distance:0; content:"|13|www.tennomewerto.ru"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2020932; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_16, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dalexis CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Content-Type|3a| multipart/form-data|3b| boundary="; http_header; content:!"Referer|3a|"; http_header; content:!"|0d 0a|Accept"; nocase; http_header; content:"name=|22|uploaded|22 3b 20|filename=|22|"; http_client_body; fast_pattern:only; content:".jpg"; http_client_body; classtype:trojan-activity; sid:2020933; rev:3; metadata:created_at 2015_04_16, updated_at 2015_04_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PunkeyPOS HTTP CnC Beacon Fake UA"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla Firefox/4.0|0d 0a|"; http_header; fast_pattern:13,20; content:!"Referer|3a|"; http_header; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,43c277dd56f9c6de4b8dc249e12039df; classtype:trojan-activity; sid:2020934; rev:1; metadata:created_at 2015_04_16, updated_at 2015_04_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PunkeyPOS HTTP CnC Beacon 1"; flow:established,to_server; content:"POST"; http_method; content:!"Accept|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"key="; depth:4; http_client_body; fast_pattern; pcre:"/^key=[A-Z]+$/P"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,43c277dd56f9c6de4b8dc249e12039df; classtype:trojan-activity; sid:2020935; rev:1; metadata:created_at 2015_04_16, updated_at 2015_04_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PunkeyPOS HTTP CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:!"Accept|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:"version="; depth:8; http_client_body; fast_pattern; pcre:"/^version=\d{4}-\d{1,2}-\d{1,2}$/P";  reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,43c277dd56f9c6de4b8dc249e12039df; classtype:trojan-activity; sid:2020936; rev:2; metadata:created_at 2015_04_16, updated_at 2015_04_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PunkeyPOS HTTP CnC Beacon 3"; flow:established,to_server; content:"POST"; http_method; content:!"Accept|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"bit="; depth:4; http_client_body; fast_pattern; pcre:"/^bit=(?:32|64)$/P"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,43c277dd56f9c6de4b8dc249e12039df; classtype:trojan-activity; sid:2020937; rev:1; metadata:created_at 2015_04_16, updated_at 2015_04_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PunkeyPOS HTTP CnC Beacon 4"; flow:established,to_server; content:"POST"; http_method; content:"/"; offset:1; http_uri; content:!"Accept|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"unkey="; depth:6; http_client_body; fast_pattern; content:!"&"; distance:0; http_client_body; pcre:"/\/$/U"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,43c277dd56f9c6de4b8dc249e12039df; classtype:trojan-activity; sid:2020938; rev:1; metadata:created_at 2015_04_16, updated_at 2015_04_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PunkeyPOS HTTP CnC Beacon 5"; flow:established,to_server; content:"GET"; http_method; content:"/?bit="; http_uri; fast_pattern:only; content:"&version="; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/\?bit=(?:32|64)&version=\d{4}-\d{1,2}-\d{1,2}$/U"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,b1fe4120e3b38784f9fe57f6bb154517; classtype:trojan-activity; sid:2020939; rev:1; metadata:created_at 2015_04_16, updated_at 2015_04_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PunkeyPOS HTTP CnC Beacon 6"; flow:established,to_server; content:"GET"; http_method; content:"/?check"; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Example|0d 0a|"; http_header; pcre:"/\/\?check$/U"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,b1fe4120e3b38784f9fe57f6bb154517; classtype:trojan-activity; sid:2020940; rev:1; metadata:created_at 2015_04_16, updated_at 2015_04_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Filecoder Ransomware Variant .onion Proxy Domain (tkj3higtqlvohs7z)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tkj3higtqlvohs7z"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; classtype:trojan-activity; sid:2020942; rev:2; metadata:tag Ransomware, created_at 2015_04_16, malware_family Filecoder, updated_at 2017_07_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN  Win32/Tesch.B CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Internet  Explorer|0d 0a|"; http_header; fast_pattern:4,20; pcre:"/^[a-f0-9]+(?:\x20[a-f0-9]+)+$/P"; reference:md5,0032395c3a980e09c511b6b41ab3da48; classtype:trojan-activity; sid:2020945; rev:2; metadata:created_at 2015_04_17, updated_at 2015_04_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Chthonic CnC Beacon 5"; flow:established,to_server; content:"POST"; http_method; content:!"Accept-"; http_header; content:!"Content-Type|3a|"; http_header; content:!"Referer|3a|"; http_header; content:!"Content-Length|3a 20|0|0d 0a|"; http_header; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; content:"/ HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|User-Agent|3a 20|Mozilla/6."; fast_pattern:27,20; pcre:"/^[^\r\n]+\r\nHost\x3a[^\r\n]+\r\nContent-Length\x3a\x20\d+\r\nConnection\x3a\x20Keep-Alive\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n\r\n/Rmi"; reference:md5,97369af278cc004ce390f68ae94013b6; classtype:trojan-activity; sid:2020944; rev:7; metadata:created_at 2015_04_17, updated_at 2015_04_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Chthonic CnC Beacon 6"; flow:established,to_server; content:"POST"; http_method; content:!"Accept-"; http_header; content:!"Content-Type|3a|"; http_header; content:!"Referer|3a|"; http_header; content:!"Content-Length|3a 20|0|0d 0a|"; http_header; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; content:"/ HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|User-Agent|3a 20|Mozilla/7."; fast_pattern:27,20; pcre:"/^[^\r\n]+\r\nHost\x3a[^\r\n]+\r\nContent-Length\x3a\x20\d+\r\nConnection\x3a\x20Keep-Alive\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n\r\n/Rmi"; reference:md5,97369af278cc004ce390f68ae94013b6; classtype:trojan-activity; sid:2020946; rev:5; metadata:created_at 2015_04_17, updated_at 2015_04_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/StreamFlaw.A Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"User-Agent|3a 20|Mozilla/6.0 (compatible|3b 20|MSIE 6.0"; http_header; fast_pattern:12,20; content:!"Referer|3a|"; http_header; reference:md5,981672cd969fe8cb1f887d0526b1ecf2; classtype:trojan-activity; sid:2020947; rev:4; metadata:created_at 2015_04_17, updated_at 2015_04_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Win32/Neutrino Bot Fake 404 Checkin Response"; flow:to_client,established; content:"404"; http_stat_code; file_data; content:"<!--"; distance:0; content:"NCMD|3a|"; within:6; metadata: former_category TROJAN; reference:url,blog.fortinet.com/post/hiding-malicious-traffic-under-the-http-404-error; classtype:trojan-activity; sid:2020949; rev:2; metadata:created_at 2015_04_20, updated_at 2017_03_29;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptoLocker .onion Proxy Domain (pf3tlgkpks7pu7yr)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pf3tlgkpks7pu7yr"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2020952; rev:1; metadata:created_at 2015_04_20, updated_at 2015_04_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptoLocker .onion Proxy Domain (v7lfogalalzc2c4d)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|v7lfogalalzc2c4d."; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2020953; rev:1; metadata:created_at 2015_04_20, updated_at 2015_04_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows nbtstat -a Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"NetBIOS Remote Machine Name Table"; fast_pattern; content:"Name"; distance:0; content:"Type"; content:"Status"; distance:0; classtype:trojan-activity; sid:2020954; rev:2; metadata:created_at 2015_04_20, updated_at 2015_04_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows nbtstat -r Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"NetBIOS Names Resolution and Registration Statistics"; fast_pattern; content:"Name"; distance:0; content:"Type"; distance:0; content:"Status"; distance:0; classtype:trojan-activity; sid:2020956; rev:2; metadata:created_at 2015_04_20, updated_at 2015_04_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows nbtstat -s Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"NetBIOS Connection Table"; fast_pattern; content:"Local Name"; distance:0; content:"State"; distance:0; content:"In/Out"; distance:0; content:"Remote Host"; distance:0; content:"Input"; distance:0; content:"Output"; distance:0; classtype:trojan-activity; sid:2020957; rev:2; metadata:created_at 2015_04_20, updated_at 2015_04_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows nbtstat -n Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"NetBIOS Local Name Table"; fast_pattern; content:"Name"; distance:0; content:"Type"; content:"Status"; distance:0; classtype:trojan-activity; sid:2020955; rev:2; metadata:created_at 2015_04_21, updated_at 2015_04_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptoLocker .onion Proxy Domain (zoqowm4kzz4cvvvl)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zoqowm4kzz4cvvvl"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2020958; rev:1; metadata:created_at 2015_04_21, updated_at 2015_04_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptoWall .onion Proxy Domain (7oqnsnzwwnm6zb7y)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|7oqnsnzwwnm6zb7y"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2020959; rev:1; metadata:created_at 2015_04_21, updated_at 2015_04_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Graftor Downloading Dridex"; flow:established,to_server; content:".exe"; http_uri; fast_pattern:only; content:"MSIE"; http_header; content:"Host|3a|"; depth:5; http_header; content:"Connection|3a 20|close|0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/^\/\d+\/\d+\.exe$/U"; pcre:"/^Host\x3a[^\r\n]+\r\nAccept-Language\x3a[^\r\n]+\r\nAccept\x3a[^\r\n]+\r\nAccept-Encoding\x3a[^\r\n]+\r\nConnection\x3a\x20close\r\nUser-Agent\x3a[^\r\n]+\r\n(?:\r\n)?$/H"; reference:md5,5d9d5b9089ad464e51ff391b14da1953; classtype:trojan-activity; sid:2020960; rev:1; metadata:created_at 2015_04_22, updated_at 2015_04_22;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c0 15 80 14 58 47 62 12|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2020961; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_22, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CozyDuke APT HTTP Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/"; depth:20; http_header; pcre:"/\.php\?$/U"; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,98a6484533fa12a9ba6b1bd9df1899dc; classtype:trojan-activity; sid:2020962; rev:2; metadata:created_at 2015_04_22, updated_at 2015_04_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CozyDuke APT HTTP GET CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|"; depth:12; http_header; pcre:"/[A-Z]{100}(?:&\w+=[a-zA-Z0-9/+=]+){0,2}$/U"; flowbits:set,ET.CozyDuke.HTTP; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,98a6484533fa12a9ba6b1bd9df1899dc; classtype:trojan-activity; sid:2020963; rev:1; metadata:created_at 2015_04_22, updated_at 2015_04_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CozyDuke APT HTTP POST CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php?"; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent|3a 20|"; depth:61; http_header; pcre:"/\.php\?$/U"; pcre:"/^\w+=(?:[a-zA-Z0-9/+=]{1,30}&\w+=)?[a-zA-Z0-9+/]{0,13}[A-Z]{200}/P"; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,98a6484533fa12a9ba6b1bd9df1899dc; classtype:trojan-activity; sid:2020964; rev:1; metadata:created_at 2015_04_22, updated_at 2015_04_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN CozyDuke APT HTTP CnC Beacon Response"; flow:established,from_server; file_data; content:"<--"; within:3; pcre:"/^[A-F0-9]{8,12}/R"; content:"-->|0a|<"; fast_pattern; within:5; flowbits:isset,ET.CozyDuke.HTTP; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,98a6484533fa12a9ba6b1bd9df1899dc; classtype:trojan-activity; sid:2020965; rev:1; metadata:created_at 2015_04_22, updated_at 2015_04_22;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN CozyDuke APT Possible SSL Cert 1"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|02 31 d5|"; distance:9; within:20; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|09|SomeState"; distance:1; within:10; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,d5a82520ebf38a0c595367ff0ca89fae; classtype:trojan-activity; sid:2020966; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN CozyDuke APT Possible SSL Cert 2"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|02 65 5d|"; distance:9; within:20; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|09|SomeState"; distance:1; within:10; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,859f167704b5c138ed9a9d4d3fdc0723; classtype:trojan-activity; sid:2020967; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN CozyDuke APT Possible SSL Cert 3"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|02 1b 3c|"; distance:9; within:20; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|09|SomeState"; distance:1; within:10; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,181a88c911b10d0fcb4682ae552c0de3; classtype:trojan-activity; sid:2020968; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN CozyDuke APT Possible SSL Cert 4"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|02 0f 0d|"; distance:9; within:20; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|09|SomeState"; distance:1; within:10; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,0e0182694c381f8b68afc5f3ff4c4653; classtype:trojan-activity; sid:2020969; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN CozyDuke APT Possible SSL Cert 5"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|02 03 5f|"; distance:9; within:20; content:"|55 04 0a|"; distance:0; content:"|1b|*.corp.utilitytelephone.com"; distance:1; within:28; fast_pattern; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,4121414c63079b7fa836be00f8d0a93b; classtype:trojan-activity; sid:2020970; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN CozyDuke APT Possible SSL Cert 6"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 a9|"; distance:9; within:20; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|09|SomeState"; distance:1; within:10; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,1dde02ff744fa4e261168e2008fd613a; classtype:trojan-activity; sid:2020971; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN CozyDuke APT Possible SSL Cert 7"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|02 2c 2f|"; distance:9; within:20; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|09|SomeState"; distance:1; within:10; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,9ad55b83f2eec0c19873a770b0c86a2f; classtype:trojan-activity; sid:2020972; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN CozyDuke APT Possible SSL Cert 8"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 5f 31|"; distance:0; content:"|55 04 06|"; distance:0; content:"|02|--"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|08|SomeCity"; distance:1; within:9; content:"|0d 01 09 01|"; distance:0; content:"|1a|root@localhost.localdomain"; fast_pattern; distance:1; within:27; reference:md5,f58a4369b8176edbde4396dc977c9008; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-030500-0430-99; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; classtype:trojan-activity; sid:2020974; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_22, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DDoS.Win32.Agent.bay Variant Covert Channel (VERSONEX)"; flow:established,to_server; content:"VERSONEX|3a|"; depth:9; fast_pattern; byte_test:1,>=,0x30,0,relative; byte_test:1,<=,0x39,0,relative; content:"|7c|"; distance:1; within:1; reference:md5,f80af2735fdad5fe14defc4f1df1cc30; classtype:trojan-activity; sid:2020978; rev:2; metadata:created_at 2015_04_23, updated_at 2015_04_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET TROJAN Email Contains InternetOpen WinInet API Call - Potentially Dridex MalDoc 1"; flow:established,to_server; content:"SW50ZXJuZXRPcGVu"; fast_pattern; classtype:trojan-activity; sid:2021006; rev:1; metadata:created_at 2015_04_24, updated_at 2015_04_24;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET TROJAN Email Contains InternetOpen WinInet API Call - Potentially Dridex MalDoc 2"; flow:established,to_server; content:"ludGVybmV0T3Blb"; fast_pattern; classtype:trojan-activity; sid:2021007; rev:1; metadata:created_at 2015_04_24, updated_at 2015_04_24;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET TROJAN Email Contains InternetOpen WinInet API Call - Potentially Dridex MalDoc 3"; flow:established,to_server; content:"JbnRlcm5ldE9wZW"; fast_pattern; classtype:trojan-activity; sid:2021008; rev:1; metadata:created_at 2015_04_24, updated_at 2015_04_24;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET TROJAN Email Contains wininet.dll Call - Potentially Dridex MalDoc 1"; flow:established,to_server; content:"d2luaW5ldC5kbG"; fast_pattern; classtype:trojan-activity; sid:2021009; rev:1; metadata:created_at 2015_04_24, updated_at 2015_04_24;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET TROJAN Email Contains wininet.dll Call - Potentially Dridex MalDoc 2"; flow:established,to_server; content:"dpbmluZXQuZGxs"; fast_pattern; classtype:trojan-activity; sid:2021010; rev:1; metadata:created_at 2015_04_24, updated_at 2015_04_24;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET TROJAN Email Contains wininet.dll Call - Potentially Dridex MalDoc 3"; flow:established,to_server; content:"3aW5pbmV0LmRsb"; fast_pattern; classtype:trojan-activity; sid:2021011; rev:1; metadata:created_at 2015_04_24, updated_at 2015_04_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 100"; flow:to_server,established; dsize:>11; content:"|78 9c|"; offset:13; depth:2; byte_jump:4,-15,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^.{8}[\x20-\x7e]{5}\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,db1c4342f617798bcb2ba5655d32bf67; classtype:trojan-activity; sid:2021012; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_04_27, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0f|Global Security"; distance:1; within:16; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|0d|IT Department"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|0b|example."; distance:1; within:9; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021013; rev:6; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_27, updated_at 2018_05_17;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN TorrentLocker SSL Cert"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea a3 3c b6 6e 62 16 33|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,8b2b618a463b906a1005ff1ed7d5f875; classtype:trojan-activity; sid:2021014; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Ruckguv.A SSL Cert"; flow:established,from_server; content:"|10 05 86 8b f3 dc 2c ad 1f 00 dd ad fa 27 3c ea d0|"; content:"|55 04 03|"; distance:0; content:"|12|thewinesteward.com"; distance:1; within:19; reference:md5,331bec58cb113999f83c866de4976b62; classtype:trojan-activity; sid:2021015; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf 88 cb e4 d5 79 99 98|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021016; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_27, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dalexis Downloading EXE"; flow:established,to_server; content:".jpg"; http_uri; pcre:"/\.jpg$/U"; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 6.0|29 0d 0a|"; http_header; fast_pattern:44,20; content:!"Accept"; http_header; content:!"Referer"; http_header; content:"Connection|3a 20|Close|0d 0a|"; http_header; classtype:trojan-activity; sid:2021017; rev:1; metadata:created_at 2015_04_27, updated_at 2015_04_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN MewsSpy/NionSpy .onion Proxy Domain (z3mm6cupmtw5b2xx)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|z3mm6cupmtw5b2xx"; nocase; distance:0; fast_pattern; reference:url,blogs.mcafee.com/mcafee-labs/taking-a-close-look-at-data-stealing-nionspy-file-infector; classtype:trojan-activity; sid:2021019; rev:1; metadata:created_at 2015_04_28, updated_at 2015_04_28;)

alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Kaspersky Sinkhole DNS Reply"; content:"|00 01 00 01|"; content:"|00 04 5F D3 AC 8F|"; distance:4; within:6; classtype:trojan-activity; sid:2021021; rev:1; metadata:created_at 2015_04_28, updated_at 2015_04_28;)

alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Wapack Labs Sinkhole DNS Reply"; content:"|00 01 00 01|"; content:"|00 04 17 FD 2E 40|"; distance:4; within:6; classtype:trojan-activity; sid:2021022; rev:1; metadata:created_at 2015_04_28, updated_at 2015_04_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downeks Checkin"; flow:to_server,established; content:"GET"; http_method; urilen:7; content:"/dw/gtk"; http_uri; fast_pattern:only; content:"Host|3a|"; http_header; depth:5; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; reference:url,pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html; classtype:trojan-activity; sid:2021028; rev:1; metadata:created_at 2015_04_28, updated_at 2015_04_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downeks Checkin 2"; flow:to_server,established; urilen:>107; content:"GET"; http_method; content:"/setup/"; http_uri; fast_pattern:only; content:"Host|3a|"; http_header; depth:5; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/setup\/[a-zA-Z0-9!-]{100,}$/U"; reference:url,pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html; classtype:trojan-activity; sid:2021029; rev:1; metadata:created_at 2015_04_28, updated_at 2015_04_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BePush/Kilim CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:".php?type="; http_uri; fast_pattern:only; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:!"Mozilla|2f|"; http_header; content:!"threatseeker.com|0d 0a|"; pcre:"/\.php\?type=(?:update_hash|js|key|arsiv_(?:hash|link))$/U"; reference:md5,dad57ec2d5d99b725acc726b0a644c00; reference:url,seclists.org/fulldisclosure/2015/Jan/131; classtype:trojan-activity; sid:2021030; rev:3; metadata:created_at 2015_04_29, updated_at 2017_02_14;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Malicious SSL Cert (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|terriblekira.su"; distance:1; within:16; reference:md5,f752cfdc6aa1d3eac013201357ada0f6; classtype:trojan-activity; sid:2021031; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Malicious SSL Cert (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|lidline.com"; distance:1; within:112; reference:md5,f752cfdc6aa1d3eac013201357ada0f6; classtype:trojan-activity; sid:2021032; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_29, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Teerac/CryptoFortress .onion Proxy Domain (cld7vqwcvn2bii67)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cld7vqwcvn2bii67"; fast_pattern; distance:0; nocase; reference:url,www.hybrid-analysis.com/sample/650d5a7d247fbe9c7f4d92e901319fec8c83fd07d4f5291f23c30f338a2e2974?environmentId=2#extracted-strings; reference:md5,4a20784de661675d281edbd48a6e2485; classtype:trojan-activity; sid:2021041; rev:1; metadata:created_at 2015_04_30, updated_at 2015_04_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/DDoS.Sotdas/IptabLex Checkin"; flow:to_server,established; dsize:296; content:"|72 8D 90 89 7E D6|"; offset:224; depth:6; fast_pattern; content:"|b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6|"; reference:md5,f7556d9ede5d988400b1edbb1a172634; classtype:trojan-activity; sid:2021049; rev:2; metadata:created_at 2015_05_04, updated_at 2015_05_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux.Trojan.IptabLex Variant Checkin"; flow:to_server,established; dsize:157; content:"|77|"; depth:1; pcre:"/^[\x01\x03\x08\x09\x0b]\x00/R"; content:"|20 40 20|"; distance:0; content:"Hz"; nocase; within:15; reference:md5,019765009f7142a89af15aaaac7400cc; reference:url,blog.malwaremustdie.org/2014/06/mmd-0025-2014-itw-infection-of-elf.html; classtype:trojan-activity; sid:2021050; rev:1; metadata:created_at 2015_05_04, updated_at 2015_05_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Linux.Mumblehard Initial Checkin"; flow:to_server,established; content:"GET"; http_method; urilen:1; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b| rv|3a|7.0.1) Gecko/20100101 Firefox/7.0.1"; fast_pattern:59,20; pcre:"/^Host\x3a (?:\d{1,3}\.){3}\d{1,3}\r\nUser-Agent\x3a[^\r\n]+?\r\nAccept\x3a[^\r\n]+?\r\nAccept-Language\x3a[^\r\n]+?\r\nAccept-Encoding\x3a[^\r\n]+?\r\nAccept-Charset\x3a[^\r\n]+?\r\nConnection\x3a close(?:\r\n)*$/Hi"; reference:url,www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf; reference:md5,86f0b0b74fe8b95b163a1b31d76f7917; classtype:trojan-activity; sid:2021051; rev:5; metadata:created_at 2015_05_04, updated_at 2015_05_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Linux.Mumblehard Command Status CnC"; flow:to_server,established; content:"GET"; http_method; urilen:1; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b| rv|3a|7.0.1) Gecko/"; fast_pattern:37,20; pcre:"/^\d{1,5}\.[2-5]0[0-5]\.\d+? Firefox\/7\.0\.1/Ri"; pcre:"/^Host\x3a (?:\d{1,3}\.){3}\d{1,3}\r\nUser-Agent\x3a[^\r\n]+?\r\nAccept\x3a[^\r\n]+?\r\nAccept-Language\x3a[^\r\n]+?\r\nAccept-Encoding\x3a[^\r\n]+?\r\nAccept-Charset\x3a[^\r\n]+?\r\nConnection\x3a close(?:\r\n)*$/Hi"; reference:url,www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf; reference:md5,86f0b0b74fe8b95b163a1b31d76f7917; classtype:trojan-activity; sid:2021052; rev:3; metadata:created_at 2015_05_04, updated_at 2015_05_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Linux.Mumblehard Spam Command CnC"; flow:to_server,established; content:"POST / HTTP/1."; depth:14; content:"|0d 0a 0d 0a 0f 0f|"; pcre:"/^\d{1,3}[0-2]/R"; reference:url,www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf; reference:md5,86f0b0b74fe8b95b163a1b31d76f7917; classtype:trojan-activity; sid:2021053; rev:1; metadata:created_at 2015_05_04, updated_at 2015_05_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Carbon FormGrabber/Retgate.A/Rombertik Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"Referer|3a|"; http_header; content:"name="; http_client_body; content:"&host="; http_client_body; content:"&browser="; http_client_body; content:"&post="; http_client_body; fast_pattern:only; pcre:"/\.php$/U"; reference:url,symantec.com/connect/blogs/european-automobile-businesses-fall-prey-carbon-grabber; reference:md5,72bab43e406c9e325e49e27b22853b60; reference:url,blogs.cisco.com/security/talos/rombertik; reference:md5,f504ef6e9a269e354de802872dc5e209; classtype:trojan-activity; sid:2021055; rev:3; metadata:created_at 2015_05_04, updated_at 2015_05_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dyre Downloading Mailer 2"; flow:established,to_server; content:"GET"; http_method; content:".tar"; http_uri; content:!"Accept"; content:!"Connection|3a|"; http_header; content:!"Referer|3a|"; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|.NET4.0E|3b 20|.NET4.0C|3b 20|rv|3a|11.0) like Gecko|0d 0a|Host|3a|"; http_header; depth:195; pcre:"/^Host\x3a[^\r\n]+\r\n(?:\r\n)?$/Hmi"; pcre:"/\.tar$/U"; reference:url,www.seculert.com/blog/2015/04/new-dyre-version-evades-sandboxes.html; reference:md5,999bc5e16312db6abff5f6c9e54c546f; classtype:trojan-activity; sid:2021056; rev:3; metadata:created_at 2015_05_04, updated_at 2015_05_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET TROJAN njRAT Variant Outbound CnC Beacon"; flow:established,to_server; content:"|7c|nj-q8"; isdataat:!1,relative; classtype:trojan-activity; sid:2021057; rev:1; metadata:created_at 2015_05_05, updated_at 2015_05_05;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Ursnif SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|16|athereforeencourage.pw"; distance:1; within:23; classtype:trojan-activity; sid:2021061; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_05_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 8d 3d d5 97 44 08 33 d8|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021063; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_05_07, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 101"; flow:to_server,established; dsize:>11; content:"|71 9e|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x71\x9e/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,8776e617b59da52bcac43b380a354aa0; classtype:trojan-activity; sid:2021065; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_05_07, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (is6xsotjdy4qtgur)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|is6xsotjdy4qtgur"; fast_pattern; distance:0; nocase; reference:url,www.malware-traffic-analysis.net/2015/05/06/index.html; reference:url,www.hybrid-analysis.com/sample/99fc04d82877aea0247286d41186b985ab773b19c8cef8786ffc1fa50e35af29?environmentId=1; reference:md5,a08784f5691a0a8ce6249e1981dea82c; classtype:trojan-activity; sid:2021077; rev:1; metadata:created_at 2015_05_08, updated_at 2015_05_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Enfal CnC POST"; flow:to_server,established; content:"POST"; http_method; content:".cgi"; fast_pattern:only; http_uri; pcre:"/\.cgi$/U"; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; content:!"Content-Type|3a|"; http_header; pcre:"/^Host\x3a[^\r\n]+\r\nContent-Length\x3a\x20\d+\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/Hmi"; reference:md5,f1b341d3383b808ecfacfa22dcbe9196; classtype:trojan-activity; sid:2021079; rev:2; metadata:created_at 2015_05_08, updated_at 2016_05_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Enfal CnC GET"; flow:to_server,established; content:"GET"; http_method; content:"docs/"; http_uri; fast_pattern:only; pcre:"/^\/(?:tran|http)docs\//U"; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a[^\r\n]+\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/Hmi"; reference:md5,f1b341d3383b808ecfacfa22dcbe9196; classtype:trojan-activity; sid:2021080; rev:1; metadata:created_at 2015_05_08, updated_at 2015_05_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (iq3ahijcfeont3xx)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iq3ahijcfeont3xx"; fast_pattern; distance:0; nocase; reference:md5,c3e567e9f45d0b4c1396f3d646598204; classtype:trojan-activity; sid:2021084; rev:1; metadata:created_at 2015_05_08, updated_at 2015_05_08;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|10 62 16 fe 1e af 85 65 68 82 0d d7 6f 8e 27 33 02|"; content:"|55 04 03|"; distance:0; content:"|0d|mainbytes.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021086; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_05_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a5 12 0c 27 cc 24 bb ef|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021087; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_05_11, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Agent.WVW CnC Beacon 2"; flow:established,to_server; content:"GET"; http_method; content:"/p?"; depth:3; http_uri; fast_pattern; content:"|3b|"; distance:0; http_uri; content:"|3b|"; distance:0; http_uri; content:"|3b|"; distance:0; http_uri; content:"|3b|"; distance:0; http_uri; pcre:"/^\/p\?\d+(?:\x3b\d+){4}$/U"; reference:md5,1de834aca8905124e1abcd4f71dea062; classtype:trojan-activity; sid:2021088; rev:2; metadata:created_at 2015_05_12, updated_at 2015_05_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN VaultCrypt Checkin"; flow:to_server,established; content:"GET"; http_method; urilen:6; content:"/v.vlt"; http_uri; fast_pattern:only; content:"|0d 0a|UA-CPU|3a 20|"; http_header; reference:md5,d8bd77eebee2e74ea74679bf3f1f7210; classtype:trojan-activity; sid:2021091; rev:1; metadata:created_at 2015_05_12, updated_at 2015_05_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Putty SSH Credential Stealer"; flow:to_server,established; content:"GET"; http_method; content:".php?"; http_uri; content:"=c3NoOi8v"; http_uri; fast_pattern:only; pcre:"/=c3NoOi8v[A-Za-z0-9+/]+={0,2}$/U"; content:!"Referer|3a|"; http_header; reference:md5,b5c88d5af37afd13f89957150f9311ca; classtype:trojan-activity; sid:2021095; rev:1; metadata:created_at 2015_05_13, updated_at 2015_05_13;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|roobox.info"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021096; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_05_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Win32/Ruckguv.A SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|11 21 e9 a1 69 3a 6e e9 a8 fb a3 ba 5b ee 9d 6e 60 02|"; fast_pattern; content:"|55 04 03|"; content:"|15|elyseeinvestments.com"; distance:1; within:22; reference:md5,1225b8c9b52d4828b9031267939e8260; classtype:trojan-activity; sid:2021097; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_05_14, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Dropper Installing PUP 2"; flow:to_server,established; content:"GET"; http_method; content:"/ohupdate.php?"; http_uri; content:"localip="; http_uri; distance:0; content:"&macaddr="; http_uri; distance:0; content:"&program="; http_uri; distance:0; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| ICS)"; http_header; fast_pattern:21,20; reference:md5,9bfae378e38f0eb2dfff87fffa0dfe37; classtype:trojan-activity; sid:2021100; rev:1; metadata:created_at 2015_05_15, updated_at 2015_05_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Dropper Installing PUP 1"; flow:to_server,established; content:"GET"; http_method; content:"/ohupdate.php?program="; http_uri; content:"&q="; http_uri; distance:0; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; http_header; fast_pattern:12,13; classtype:trojan-activity; sid:2021101; rev:1; metadata:created_at 2015_05_15, updated_at 2015_05_15;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|55 04 08|"; content:"|07|Glasgow"; distance:1; within:8; content:"|55 04 07|"; distance:0; content:"|06|Glasgo"; distance:1; within:7; content:"|55 04 0a|"; distance:0; content:"|0b|Green Peace"; distance:1; within:12; reference:md5,3cecc935eb92ed03dc9908fc96b0f795; classtype:trojan-activity; sid:2021102; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_05_15, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FrauDrop Checkin"; flow:established,to_server; content:".asp?sn="; http_uri; content:"&tmac="; http_uri; distance:0; content:"&action="; http_uri; distance:0; content:"&ver="; http_uri; distance:0; pcre:"/^User-Agent\x3a[^\r\n]+\r\nHost\x3a[^\r\n]+\r\nCache-Control\x30442e9d036a40c8cbd41f8f4c9afab1ba\x20no-cache\r\n(?:\r\n)?$/H"; reference:md5,0442e9d036a40c8cbd41f8f4c9afab1b; classtype:trojan-activity; sid:2021103; rev:1; metadata:created_at 2015_05_15, updated_at 2015_05_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FrauDrop UA LETITGO"; flow:established,to_server; content:"User-Agent|3a 20|LETITGO|0d 0a|"; http_header; reference:md5,0442e9d036a40c8cbd41f8f4c9afab1b; classtype:trojan-activity; sid:2021104; rev:1; metadata:created_at 2015_05_15, updated_at 2015_05_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FrauDrop UA single"; flow:established,to_server; content:"User-Agent|3a 20|single|0d 0a|"; http_header; reference:md5,0442e9d036a40c8cbd41f8f4c9afab1b; classtype:trojan-activity; sid:2021105; rev:1; metadata:created_at 2015_05_15, updated_at 2015_05_15;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|11|Facebook Porn PTY"; distance:1; within:18; classtype:trojan-activity; sid:2021106; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_05_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Win32/Zemot Fake Search Page"; flow:established,from_server; file_data; content:"background|3a 20|url(btn_search.png|29 2f 2a|tpa=http"; fast_pattern:15,20; reference:md5,38cad3170f85c4f9903574941bd282a8; classtype:trojan-activity; sid:2021107; rev:1; metadata:created_at 2015_05_15, updated_at 2015_05_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN APT Hellsing Proxy Checker Checkin"; flow:established,to_server; content:"GET /lib/common.asp?action="; fast_pattern; content:"&uid="; distance:0; content:"&lan="; distance:0; content:"&hname="; distance:7; within:22; content:"&uname="; distance:1; within:22; content:"&os="; distance:0; reference:md5,b7e7186d962d562af6a5d10a25d19b02; reference:url,securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/; classtype:trojan-activity; sid:2021108; rev:1; metadata:created_at 2015_05_15, updated_at 2015_05_15;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea 29 4d 2c d5 53 a8 8e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021109; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_05_15, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DDoS.Win32/Nitol.B Checkin"; flow:established,to_server; dsize:>1000; content:"|88 88 08 00|"; depth:4; fast_pattern; content:"|2E|"; distance:1; within:1; content:"|2F 73|"; distance:2; within:2; content:"|00 00 00 00 00 00 00 00|"; distance:0; within:15; metadata: former_category TROJAN; reference:md5,f078e099b1f8afc7c43eb05b4badf9e7; classtype:trojan-activity; sid:2021111; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2015_05_16, malware_family Nitol_DDoS, performance_impact Low, updated_at 2017_11_09;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|13|Widgets Numbers PTY"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021112; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_05_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|srv2415.domain.local"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021113; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_05_18, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Yahoyah CnC Beacon"; flow:established,to_server; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|MSIE|28|"; http_header; content:"|29 29 3b 20|NT|28|"; distance:0; http_header; content:"|29 3b 20|AV|28|"; distance:0; http_header; content:"|29 3b 20|OV|28|"; distance:0; http_header; content:"|29 3b 20|NA|28|"; distance:0; http_header; content:"|29 20|VR|28|"; distance:0; http_header; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf; classtype:trojan-activity; sid:2021114; rev:1; metadata:created_at 2015_05_18, updated_at 2015_05_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CTB-Locker .onion Proxy Domain (tlunjscxn5n76iyz)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tlunjscxn5n76iyz"; fast_pattern; distance:0; nocase; reference:url,www.hybrid-analysis.com/sample/3aed0cac4a7f3053e324276c72bbf3aead783da2eb8b53bf99134a0adbcd3267?environmentId=2; reference:md5,2df314974722ef6b5a66d81292679cb4; classtype:trojan-activity; sid:2021115; rev:1; metadata:created_at 2015_05_18, updated_at 2015_05_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible APT17 CnC Content in Public Website"; flow:from_server,established; file_data; content:"@MICR0S0FT"; pcre:"/^[a-zA-Z0-9]{8}/R"; content:"C0RP0RATI0N"; within:11; reference:url,github.com/fireeye/iocs/tree/master/APT17; classtype:trojan-activity; sid:2021116; rev:1; metadata:created_at 2015_05_19, updated_at 2015_05_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Rallovs.A CnC Beacon"; flow:established,to_server; dsize:>1000; content:"|00 00 00 00|2|00|0|00|"; fast_pattern; pcre:"/^[1-9]\x00\d/R"; content:"|00|-|00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00|-|00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00 20 00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00 3a 00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00 3a 00|"; pcre:"/^\d\x00\d/R"; content:"|00 00|2|00|0|00|"; distance:0; content:"|00|-|00|"; distance:3; within:3; reference:md5,67a039a3139c6ef1bf42424acf658d01; reference:url,blog.cylance.com/spear-a-threat-actor-resurfaces; classtype:trojan-activity; sid:2021117; rev:1; metadata:created_at 2015_05_19, updated_at 2015_05_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SPEAR CnC Beacon"; flow:to_server,established; content:"GET"; http_method; content:".asp?"; http_uri; fast_pattern:only; content:" MSIE "; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.asp\?(?:[A-Za-z0-9+*]{4})*(?:[A-Za-z0-9+*]{2}==|[A-Za-z0-9+*]{3}=|[A-Za-z0-9+*]{4})$/U"; reference:url,blog.cylance.com/spear-a-threat-actor-resurfaces; reference:md5,e09c8cd6ad3b99f46e083916c5371b6e2acc050d; classtype:trojan-activity; sid:2021118; rev:1; metadata:created_at 2015_05_20, updated_at 2015_05_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SPEAR CnC Beacon 2"; flow:to_server,established; content:"GET"; http_method; content:"?wd="; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\?wd=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=|[A-Za-z0-9_-]{4})$/U"; reference:url,blog.cylance.com/spear-a-threat-actor-resurfaces; reference:md5,e09c8cd6ad3b99f46e083916c5371b6e2acc050d; classtype:trojan-activity; sid:2021119; rev:2; metadata:created_at 2015_05_20, updated_at 2015_05_20;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 19 ef 92 11 51 27 f3|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021121; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_05_20, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Worm.VBS.Jenxcus.H URL Structure"; flow:to_server,established; content:"POST"; http_method; content:"/is-rinoy"; http_uri; fast_pattern:only; reference:url,www.virustotal.com/en/file/a00eaca44c480843b1a8a11ac8870a931477be08d98f0476d1f8f60433e3f40a/analysis; classtype:trojan-activity; sid:2021122; rev:1; metadata:created_at 2015_05_20, updated_at 2015_05_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Worm.VBS.Jenxcus.H User Agent"; flow:to_server,established; content:"User-Agent|3a 20|Hacked"; http_header; reference:url,www.virustotal.com/en/file/a00eaca44c480843b1a8a11ac8870a931477be08d98f0476d1f8f60433e3f40a/analysis; classtype:trojan-activity; sid:2021123; rev:1; metadata:created_at 2015_05_20, updated_at 2015_05_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blue Bot DDoS Proxy Request"; flow:to_server,established; content:"GET"; http_method; content:"/proxy"; http_uri; fast_pattern; content:"Host|3a 20|"; http_header; content:"|0d 0a|Connection|3a 20|"; http_header; distance:0; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; content:!"Cache-Control|3a 20|"; http_header; pcre:"/\/proxy$/U"; reference:md5,7d9411f7204782fdbcd0fd0f20956bbc; reference:url,research.zscaler.com/2015/05/rig-exploit-kit-infection-cycle-analysis.html; classtype:trojan-activity; sid:2021128; rev:2; metadata:created_at 2015_05_21, updated_at 2015_05_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blue Bot DDoS Blog Request"; flow:to_server,established; content:"GET"; http_method; content:"/blog"; http_uri; fast_pattern; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; pcre:"/\/blog$/U"; reference:md5,7d9411f7204782fdbcd0fd0f20956bbc; reference:url,research.zscaler.com/2015/05/rig-exploit-kit-infection-cycle-analysis.html; classtype:trojan-activity; sid:2021129; rev:1; metadata:created_at 2015_05_21, updated_at 2015_05_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blue Bot DDoS Target Request"; flow:to_server,established; content:"GET"; http_method; content:"/target"; http_uri; fast_pattern; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; pcre:"/\/target$/U"; reference:md5,7d9411f7204782fdbcd0fd0f20956bbc; reference:url,research.zscaler.com/2015/05/rig-exploit-kit-infection-cycle-analysis.html; classtype:trojan-activity; sid:2021130; rev:1; metadata:created_at 2015_05_21, updated_at 2015_05_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blue Bot DDoS Logger Request"; flow:to_server,established; content:"GET"; http_method; content:"/botlogger.php"; http_uri; fast_pattern; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; pcre:"/\/botlogger\.php$/U"; reference:md5,7d9411f7204782fdbcd0fd0f20956bbc; reference:url,research.zscaler.com/2015/05/rig-exploit-kit-infection-cycle-analysis.html; classtype:trojan-activity; sid:2021131; rev:1; metadata:created_at 2015_05_21, updated_at 2015_05_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN JavaScriptBackdoor HTTP GET CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/?action="; http_uri; fast_pattern:only; content:"&guid="; http_uri; content:"&version="; distance:0; http_uri; content:"WinHttp.WinHttpRequest."; http_header; content:!"Referer|3a|"; http_header; pcre:"/&version=\d+$/U"; reference:md5,154e76a480b22cf24ddac4d2d59c22fe; classtype:trojan-activity; sid:2021132; rev:1; metadata:created_at 2015_05_21, updated_at 2015_05_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN JavaScriptBackdoor HTTP POST CnC Beacon"; flow:established,to_server; content:"POST"; content:!"Referer|3a|"; http_header; content:"username="; http_client_body; content:"memory_total="; http_client_body; content:"os_caption="; http_client_body; content:"os_serialnumber="; http_client_body; fast_pattern:only; reference:md5,154e76a480b22cf24ddac4d2d59c22fe; classtype:trojan-activity; sid:2021133; rev:1; metadata:created_at 2015_05_21, updated_at 2015_05_21;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN JavaScriptBackdoor SSL Cert"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b7 2f ae e8 e2 55 b5 bf|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:md5,2a63b3a621d8e555734582d83b5e06a5; classtype:trojan-activity; sid:2021134; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_05_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET TROJAN Suspicious X-mailer Synapse Inbound to SMTP Server"; flow:established,to_server; content:"produced by Synapse"; fast_pattern:only; content:"X|2d|mailer|3a 20|Synapse|20 2d 20|Pascal TCP|2f|IP library by Lukas Gebauer"; reference:url,www.joewein.net/spam/spam-joejob.htm; classtype:trojan-activity; sid:2021135; rev:1; metadata:created_at 2015_05_21, updated_at 2015_05_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN H1N1 Loader CnC Beacon M1"; flow:established,to_server; content:"POST"; http_method; content:"/gate.php"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|"; depth:53; http_header; pcre:"/\/gate\.php$/U"; pcre:"/^[A-Za-z0-9/_]+={0,2}$/P"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3851; classtype:trojan-activity; sid:2021139; rev:1; metadata:created_at 2015_05_22, updated_at 2015_05_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN H1N1 Loader CnC Beacon M2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"Referer|3a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|"; depth:53; http_header; content:"N0BRBh"; depth:6; http_client_body; fast_pattern; pcre:"/\.php$/U"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3851; classtype:trojan-activity; sid:2021140; rev:1; metadata:created_at 2015_05_22, updated_at 2015_05_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Bancos URL Structure"; flow:to_server,established; content:"GET"; http_method; content:"/infects/"; http_uri; fast_pattern:only; pcre:"/\/[a-z]\/infects\/[a-z]\?[a-z]=[^\\\*\+\=\|\:\;\x22\?\<\>\,\#][a-zA-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}/Ui"; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:url,www.virustotal.com/en/file/65335e9df2d4cb5267bdab0dd9e3d1bcdff957fa4d40e3219fc9267af94a318e/analysis; reference:md5,9766c5eca8d229f1af9dfb9bd97f02a0; classtype:trojan-activity; sid:2021142; rev:1; metadata:tag Banking_Trojan, created_at 2015_05_22, malware_family Bancos, updated_at 2018_04_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MSIL/Autorun.AD Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:14; content:"/loglogin.html"; http_uri; fast_pattern:only; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a|"; http_header; content:!"|0d 0a|Accept"; http_header; pcre:"/^Host\x3a[^\r\n]+\r\nConnection\x3a\x20Keep-Alive\r\n(?:\r\n)?$/H"; reference:md5,3d652375fd511878f410fb1048e47f83; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader%3AMSIL/Autorun.AD; reference:md5,3d652375fd511878f410fb1048e47f83; classtype:trojan-activity; sid:2021143; rev:3; metadata:created_at 2015_05_22, updated_at 2015_05_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Nitlove POS CnC"; flow:to_server,established; content:"POST"; http_method; content:".php"; content:"User-Agent|3a 20|nit_love"; http_header; fast_pattern; content:!"Referer|3a|"; http_header; content:!"Accept|3a|"; http_header; pcre:"/\.php$/U"; reference:url,www.fireeye.com/blog/threat-research/2015/05/nitlovepos_another.html; classtype:trojan-activity; sid:2021144; rev:1; metadata:created_at 2015_05_26, updated_at 2015_05_26;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Likely Dridex SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 08|"; distance:0; content:"|07|Montana"; distance:1; within:8; content:"|55 04 07|"; distance:0; content:"|09|Liverpool"; distance:1; within:10; content:"|55 04 03|"; distance:0; content:"|0e|southnorth.org"; distance:1; within:15; fast_pattern; reference:md5,440e5c0aee33cba3c4707ada0856ff6d; classtype:trojan-activity; sid:2021145; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_05_26, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Linux/Moose HTTP CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:".php?p="; http_uri; fast_pattern; content:"&f="; distance:0; http_uri; content:"&m="; distance:0; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:trojan-activity; sid:2021147; rev:2; metadata:created_at 2015_05_26, updated_at 2015_05_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Linux/Moose HTTP CnC Beacon Response"; flow:established,from_server; content:"Server|3a 20|Apache/20.2.25 (RedHat|29 0d 0a|"; http_header; fast_pattern:13,20; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:trojan-activity; sid:2021148; rev:1; metadata:created_at 2015_05_26, updated_at 2015_05_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Linux/Moose Telnet CnC Beacon"; flow:established,to_server; dsize:40; content:"|0e 00 00 00|"; offset:4; depth:4; fast_pattern; content:!"|00|"; within:1; content:!"|00|"; distance:3; within:1; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:4; within:28; content:!"|00 00 00 00|"; depth:4; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:trojan-activity; sid:2021149; rev:1; metadata:created_at 2015_05_26, updated_at 2015_05_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/Moose NAT Traversal CnC Beacon set"; flow:established,to_server; dsize:4; content:"|18 00 00 00|"; fast_pattern:only; flowbits:set,ET.Linux.Moose; flowbits:noalert; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:trojan-activity; sid:2021150; rev:1; metadata:created_at 2015_05_26, updated_at 2015_05_26;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Linux/Moose NAT Traversal CnC Beacon - Sleep"; flow:established,from_server; dsize:8; content:"|16 00|"; depth:2; content:!"|00 00|"; within:2; content:!"|00|"; distance:2; within:1; content:!"|00|"; distance:5; within:1; flowbits:isset,ET.Linux.Moose; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:trojan-activity; sid:2021151; rev:1; metadata:created_at 2015_05_26, updated_at 2015_05_26;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Linux/Moose NAT Traversal CnC Beacon - Multiple Tunnel"; flow:established,from_server; dsize:8; content:"|17 00|"; depth:2; content:!"|00 00|"; within:2; content:!"|00|"; distance:2; within:1; content:!"|00|"; distance:5; within:1; flowbits:isset,ET.Linux.Moose; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:trojan-activity; sid:2021152; rev:1; metadata:created_at 2015_05_26, updated_at 2015_05_26;)

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Wordpress Errorcontent CnC Beacon"; flow:to_server,established; content:"GET"; http_method; content:"/?ip="; http_uri; fast_pattern; content:"&referer="; http_uri; distance:0; content:"&ua="; http_uri; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a 20|"; pcre:"/^\/[a-z]+\/\?ip=/U"; reference:url,isc.sans.edu/diary/Possible+Wordpress+Botnet+C&C:+errorcontent.com/19733; classtype:trojan-activity; sid:2021153; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2015_05_26, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|17|ns343677.ip-94-23-16.eu"; distance:1; within:24; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021154; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_05_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Yakes CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bd 4b 4b 98 c9 8b 2f 20|"; within:35; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|13|webmaster@localhost"; distance:1; within:20; reference:md5,6cdd93dcb1c54a4e2b036d2e13b51216; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021155; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_05_28, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Gatak.DR Payload Instructions"; flow:established,to_server; content:"GET"; http_method; urilen:45; content:"/uploads/"; depth:9; http_uri; fast_pattern; content:".png"; distance:32; within:4; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 5.1|3b| Trident/4.0|29 0d 0a|"; http_header; pcre:"/\/[a-f0-9]{32}\.png$/U"; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan:Win32/Gatak.DR#tab=2; classtype:trojan-activity; sid:2021160; rev:1; metadata:created_at 2015_05_28, updated_at 2015_05_28;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to TOX Ransomware onion (wdthvb6jut2rupu4)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wdthvb6jut2rupu4"; fast_pattern; distance:0; nocase; reference:url,blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us; reference:md5,91da679f417040558059ccd5b1063688; classtype:trojan-activity; sid:2021163; rev:1; metadata:created_at 2015_05_28, updated_at 2015_05_28;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to TOX Ransomware onion (xwxwninkssujglja)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xwxwninkssujglja"; fast_pattern; distance:0; nocase; reference:url,blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us; reference:md5,91da679f417040558059ccd5b1063688; classtype:trojan-activity; sid:2021164; rev:1; metadata:created_at 2015_05_28, updated_at 2015_05_28;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to TOX Ransomware onion (7fa6gldxg64t5wnt)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|7fa6gldxg64t5wnt"; fast_pattern; distance:0; nocase; reference:url,blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us; reference:md5,91da679f417040558059ccd5b1063688; classtype:trojan-activity; sid:2021165; rev:1; metadata:created_at 2015_05_28, updated_at 2015_05_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PunkeyPOS HTTP CnC Beacon 7"; flow:established,to_server; content:"GET"; http_method; content:"/?action=getuid"; http_uri; fast_pattern:only; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,aa87ab0c51887b86b48c009931dcc410; classtype:trojan-activity; sid:2021166; rev:1; metadata:created_at 2015_05_28, updated_at 2015_05_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PunkeyPOS HTTP CnC Beacon 8"; flow:established,to_server; content:"GET"; http_method; content:"/?action="; http_uri; fast_pattern:only; content:"&uid="; http_uri; content:"&bit="; http_uri; content:"&version="; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,aa87ab0c51887b86b48c009931dcc410; classtype:trojan-activity; sid:2021167; rev:1; metadata:created_at 2015_05_28, updated_at 2015_05_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PunkeyPOS HTTP CnC Beacon 9"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:"action="; depth:7; http_client_body; content:"&uid="; distance:0; http_client_body; content:"key="; distance:0; http_client_body; fast_pattern; pcre:"/&(?:un)?key=[A-Z]+$/P"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,aa87ab0c51887b86b48c009931dcc410; classtype:trojan-activity; sid:2021168; rev:1; metadata:created_at 2015_05_28, updated_at 2015_05_28;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea d4 96 1c 0a 8b 6f a4|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021175; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_01, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Bladabindi/njRAT CnC Command (ll)"; flow:established,to_server; content:"|00|ll|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,5}\x00ll\x7c/i";  reference:md5,ac7b1fdc679fdbd3cb0cd8a3e30ecddb; classtype:trojan-activity; sid:2021176; rev:3; metadata:created_at 2015_06_02, updated_at 2015_06_02;)

alert tcp any any -> any [139,445] (msg:"ET TROJAN Possible BlackEnergy Accessing SMB/SMB2 Named Pipe (ASCII)"; flow:to_server,established; content:"SMB"; offset:5; depth:4; content:"{AA0EED25-4167-4CBB-BDA8-9A0F5FF93EA8}"; distance:0; nocase; reference:url,cyberx-labs.com/wp-content/uploads/2015/05/BlackEnergy-CyberX-Report_27_May_2015_FINAL.pdf; classtype:trojan-activity; sid:2021179; rev:1; metadata:created_at 2015_06_04, updated_at 2015_06_04;)

alert tcp any any -> any [139,445] (msg:"ET TROJAN Possible BlackEnergy Accessing SMB/SMB2 Named Pipe (Unicode)"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{|00|A|00|A|00|0|00|E|00|E|00|D|00|2|00|5|00|-|00|4|00|1|00|6|00|7|00|-|00|4|00|C|00|B|00|B|00|-|00|B|00|D|00|A|00|8|00|-|00|9|00|A|00|0|00|F|00|5|00|F|00|F|00|9|00|3|00|E|00|A|00|8|00|}"; distance:0; nocase; reference:url,cyberx-labs.com/wp-content/uploads/2015/05/BlackEnergy-CyberX-Report_27_May_2015_FINAL.pdf; classtype:trojan-activity; sid:2021180; rev:1; metadata:created_at 2015_06_04, updated_at 2015_06_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN APT Backspace CnC Beacon"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent|3a 20|SJZJ (compatible|3b 20|MSIE 6.0|3b 20|Win32)"; http_header; fast_pattern:only; content:"HOST|3a 20|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,ddf0981aebeea6ba9abdae6ddf8ed4e2; classtype:trojan-activity; sid:2021184; rev:1; metadata:created_at 2015_06_04, updated_at 2015_06_04;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0b|YouPorn Ltd"; distance:1; within:12; content:"|55 04 03|"; distance:0; content:"|0b|pornhub.xxx"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021186; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_04, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN IOS.Oneclickfraud HTTP Host"; flow:to_server,established; content:"Host|3a 20|eroeroou.com"; http_header; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-060111-2757-99&tabid=2; classtype:trojan-activity; sid:2021187; rev:1; metadata:created_at 2015_06_04, updated_at 2015_06_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN KeyBase Keylogger Checkin"; flow:to_server,established; content:"GET"; http_method; nocase; content:".php?type=notification&machinename="; fast_pattern:only; http_uri; content:"&machinetime="; http_uri; content:!"User-Agent|3a| "; http_header; reference:md5,fa6f24a18ef772d9cdaa1d6cd1e24d1b; reference:url,researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/; classtype:trojan-activity; sid:2021188; rev:3; metadata:created_at 2015_06_05, updated_at 2015_06_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Databack CnC"; flow:to_server,established; content:"GET"; http_method; content:".php?pn="; fast_pattern; http_uri; content:"&s="; distance:0; http_uri; content:"&x="; http_uri; distance:0; content:!"Referer|3a|"; http_header; pcre:"/\.php\?pn=[^&]+&s=[0-9]+&x=0\.[0-9]{7}$/U"; reference:md5,dc7b0c078482b68c1ff89da3ac88949b; classtype:trojan-activity; sid:2021189; rev:2; metadata:created_at 2015_06_05, updated_at 2015_06_05;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|povawfas.us"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021192; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fb 01 dc 12 42 31 23 93|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021193; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Qadars WebInject SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|1e|www.freechristmasgifts2014.com"; distance:1; within:31; reference:md5,06588acf0112a84fe5f684bbafd7dc00; classtype:trojan-activity; sid:2021194; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|01 01|"; distance:18; within:2; content:"|55 04 03|"; distance:0; content:"|0d|web.gibnos.pw"; distance:1; within:14; reference:md5,c8131a48e834291be6c7402647250e73; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021196; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|povawer.biz"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021197; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|laxitr.biz"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021198; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|dazopla.biz"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021199; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_08, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sakula/Mivast RAT CnC Beacon 2"; flow:to_server,established; content:"GET"; http_method; content:".jpg?resid="; http_uri; fast_pattern:only; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; reference:md5,3cd598e8e2fd033134d8784251eff59e; classtype:trojan-activity; sid:2021200; rev:1; metadata:created_at 2015_06_08, updated_at 2015_06_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sakula/Mivast RAT CnC Beacon 3"; flow:to_server,established; content:"GET"; http_method; content:".asp?resid="; http_uri; fast_pattern:only; content:"&photoid="; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; reference:md5,3cd598e8e2fd033134d8784251eff59e; classtype:trojan-activity; sid:2021201; rev:1; metadata:created_at 2015_06_08, updated_at 2015_06_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5"; flow:to_server,established; content:"GET"; http_method; content:".jpg?id="; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"tagesschau.de"; http_header; content:!"ClipOrganizer"; http_header; pcre:"/\.jpg\?id=\d+$/U"; classtype:trojan-activity; sid:2021203; rev:3; metadata:created_at 2015_06_08, updated_at 2016_11_02;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to TOX Ransomware onion (toxicola7qwv37qj)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|toxicola7qwv37qj"; fast_pattern; distance:0; nocase; reference:url,blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us; classtype:trojan-activity; sid:2021204; rev:1; metadata:created_at 2015_06_08, updated_at 2015_06_08;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|gipladfe.us"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021208; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|lazeca.biz"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021209; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|zolaxap.us"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021210; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0c|babapoti.biz"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021211; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|09|poknop.us"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021212; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_08, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Zacom.A CnC Beacon 1"; flow:established,to_server; content:"POST"; http_method; content:".py"; http_uri; fast_pattern:only; content:!"Content-Type|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"Windows NT 5.0|3b|"; http_header; pcre:"/^\d{4}/P"; pcre:"/\.py$/U"; reference:md5,25631f5ccec8f155a8760b8568ca22c5; classtype:trojan-activity; sid:2021213; rev:1; metadata:created_at 2015_06_08, updated_at 2015_06_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Zacom.A CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:".asp"; http_uri; fast_pattern:only; content:!"Content-Type|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"Windows NT 5.0|3b|"; http_header; pcre:"/^\d{4}/P"; pcre:"/\.asp$/U"; reference:md5,25631f5ccec8f155a8760b8568ca22c5; classtype:trojan-activity; sid:2021214; rev:1; metadata:created_at 2015_06_08, updated_at 2015_06_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN IsSpace/Zacom Connectivity Check"; flow:established,to_server; urilen:1; content:"GET"; http_method; content:!"Referer|3a|"; http_header; content:"Host|3a 20|www.microsoft.com|0d 0a|"; http_header; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b| MSIE 7.0|3b|Windows NT 5.1)"; http_header; fast_pattern:41,20; reference:md5,25631f5ccec8f155a8760b8568ca22c5; classtype:trojan-activity; sid:2021215; rev:1; metadata:created_at 2015_06_08, updated_at 2015_06_08;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|10|www.carinsup.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021220; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_09, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|polasde.us"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021221; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_09, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|paxerba.us"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021222; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_09, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|molared.biz"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021223; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_09, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|halowsin.us"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021224; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_09, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Dridex Download URI Struct with no referer"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:!"Accept-Language|3a|"; http_header; content:!"Cookie|3a|"; http_header; content:!"User-Agent|3a 20|LogitechUpdate"; http_header; pcre:"/\/\d+\/\d+\.exe$/U"; classtype:trojan-activity; sid:2021245; rev:4; metadata:created_at 2015_06_10, updated_at 2015_06_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Poweliks Clickfraud CnC M1"; flow:to_server,established; content:"GET"; http_method; content:"/query?version="; http_uri; fast_pattern; content:"&sid="; http_uri; distance:0; content:"&builddate="; http_uri; distance:0; content:"&q="; http_uri; distance:0; metadata: former_category TROJAN; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/evolution-of-poweliks.pdf; reference:md5,e13234077f513208238203108df30ff4; classtype:trojan-activity; sid:2021226; rev:1; metadata:created_at 2015_06_10, updated_at 2017_03_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Poweliks Clickfraud CnC M2"; flow:to_server,established; content:"GET"; http_method; content:".php?q="; http_uri; content:"redirect|3a|"; http_header; fast_pattern; content:!"Referer|3a|"; http_header; content:"version|3a 20|"; http_header; content:"aid|3a 20|"; http_header; content:"builddate|3a 20|"; http_header; content:"pid|3a 20|"; http_header; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/evolution-of-poweliks.pdf; reference:md5,e13234077f513208238203108df30ff4; classtype:trojan-activity; sid:2021227; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Poweliks Clickfraud CnC M3"; flow:to_server,established; content:"GET"; http_method; content:".php?c="; http_uri; fast_pattern; content:"Referer|3a 20|"; http_header; content:".php?q="; http_header; distance:0; pcre:"/\.php\?c=[a-f0-9]{160}$/U"; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/evolution-of-poweliks.pdf; reference:md5,e13234077f513208238203108df30ff4; classtype:trojan-activity; sid:2021228; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Scanbox Sending Host Data"; flow:to_server,established; content:"GET"; http_method; content:".jpg"; http_uri; content:"recordid="; fast_pattern:only; content:"recordid="; http_cookie; depth:9; pcre:"/\/(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=|[A-Za-z0-9_-]{4})\.jpg$/U"; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:2021229; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)

alert tcp any any -> any [139,445] (msg:"ET TROJAN Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 1"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021230; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)

alert tcp any any -> any [139,445] (msg:"ET TROJAN Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 2"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{AB6172ED-8105-4996-9D2A-597B5F827501}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021231; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)

alert tcp any any -> any [139,445] (msg:"ET TROJAN Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 3"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{0710880F-3A55-4A2D-AA67-1123384FD859}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021232; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)

alert tcp any any -> any [139,445] (msg:"ET TROJAN Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 4"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{6C51A4DB-E3DE-4FEB-86A4-32F7F8E73B99}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021233; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)

alert tcp any any -> any [139,445] (msg:"ET TROJAN Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 5"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{7F9BCFC0-B36B-45EC-B377-D88597BE5D78}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021234; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)

alert tcp any any -> any [139,445] (msg:"ET TROJAN Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 6"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{57D2DE92-CE17-4A57-BFD7-CD3C6E965C6A}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021235; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)

alert tcp any any -> any [139,445] (msg:"ET TROJAN Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 1"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|A|00|A|00|F|00|F|00|C|00|4|00|F|00|0|00|-|00|E|00|0|00|4|00|B|00|-|00|4|00|C|00|7|00|C|00|-|00|B|00|4|00|0|00|A|00|-|00|B|00|4|00|5|00|D|00|E|00|9|00|7|00|1|00|E|00|8|00|1|00|E|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021236; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)

alert tcp any any -> any [139,445] (msg:"ET TROJAN Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 2"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|A|00|B|00|6|00|1|00|7|00|2|00|E|00|D|00|-|00|8|00|1|00|0|00|5|00|-|00|4|00|9|00|9|00|6|00|-|00|9|00|D|00|2|00|A|00|-|00|5|00|9|00|7|00|B|00|5|00|F|00|8|00|2|00|7|00|5|00|0|00|1|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021237; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)

alert tcp any any -> any [139,445] (msg:"ET TROJAN Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 3"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|0|00|7|00|1|00|0|00|8|00|8|00|0|00|F|00|-|00|3|00|A|00|5|00|5|00|-|00|4|00|A|00|2|00|D|00|-|00|A|00|A|00|6|00|7|00|-|00|1|00|1|00|2|00|3|00|3|00|8|00|4|00|F|00|D|00|8|00|5|00|9|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021238; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)

alert tcp any any -> any [139,445] (msg:"ET TROJAN Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 4"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|6|00|C|00|5|00|1|00|A|00|4|00|D|00|B|00|-|00|E|00|3|00|D|00|E|00|-|00|4|00|F|00|E|00|B|00|-|00|8|00|6|00|A|00|4|00|-|00|3|00|2|00|F|00|7|00|F|00|8|00|E|00|7|00|3|00|B|00|9|00|9|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021239; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)

alert tcp any any -> any [139,445] (msg:"ET TROJAN Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 5"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|7|00|F|00|9|00|B|00|C|00|F|00|C|00|0|00|-|00|B|00|3|00|6|00|B|00|-|00|4|00|5|00|E|00|C|00|-|00|B|00|3|00|7|00|7|00|-|00|D|00|8|00|8|00|5|00|9|00|7|00|B|00|E|00|5|00|D|00|7|00|8|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021240; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)

alert tcp any any -> any [139,445] (msg:"ET TROJAN Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 6"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|5|00|7|00|D|00|2|00|D|00|E|00|9|00|2|00|-|00|C|00|E|00|1|00|7|00|-|00|4|00|A|00|5|00|7|00|-|00|B|00|F|00|D|00|7|00|-|00|C|00|D|00|3|00|C|00|6|00|E|00|9|00|6|00|5|00|C|00|6|00|A|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021241; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)

alert tcp any any -> $HOME_NET 443 (msg:"ET TROJAN Possible Duqu 2.0 Accessing backdoor over 443"; flow:to_server,established; content:"romanian.antihacker"; fast_pattern:only; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021242; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Dridex Download June 10 2015"; flow:established,from_server; content:"filename=|22|crypted.120.exe|22|"; http_header; nocase; classtype:trojan-activity; sid:2021244; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Gatak.DR Activity"; flow:established,to_server; content:"POST"; http_method; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 5.1|3b| Trident/4.0|29 0d 0a|"; fast_pattern:57,20; http_header; pcre:"/^\/([a-z]{4,9}\/[a-z]{4,12}\?[a-z]{4,7}\=[0-9]{5,7})$/U"; reference:md5,adb3242f8efad48ca174a7e46991f507; classtype:trojan-activity; sid:2021246; rev:2; metadata:created_at 2015_06_11, updated_at 2015_06_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Duqu 2.0 Request"; flow:established,to_server; content:"Cookie|3a| COUNTRY="; fast_pattern:only; content:"COUNTRY="; http_cookie; depth:8; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^COUNTRY=[a-z0-9]{26}$/C"; reference:url,www.symantec.com/connect/blogs/duqu-20-reemergence-aggressive-cyberespionage-threat; classtype:trojan-activity; sid:2021247; rev:1; metadata:created_at 2015_06_11, updated_at 2015_06_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Poweliks Clickfraud CnC M4"; flow:to_server,established; content:"GET"; http_method; content:"click?sid="; http_uri; fast_pattern; content:"&cid="; http_uri; distance:0; content:"Referer|3a 20|"; http_header; pcre:"/\?sid=[a-f0-9]{40}&cid=[0-9]$/U"; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/evolution-of-poweliks.pdf; reference:md5,e13234077f513208238203108df30ff4; classtype:trojan-activity; sid:2021251; rev:2; metadata:created_at 2015_06_11, updated_at 2015_06_11;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker .onion Proxy Domain (zbqxpjfvltb6d62m)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zbqxpjfvltb6d62m"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,www.hybrid-analysis.com/sample/3ebc6999da89eaf44d94195b588cb869d894ca754a248b074893d11f6dd19188?environmentId=4; reference:md5,2c339dbb40b3b19ee275e4c7c1c17a18; classtype:trojan-activity; sid:2021252; rev:2; metadata:created_at 2015_06_11, updated_at 2017_03_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Torrentlocker C2 Domain in SNI"; flow:established,to_server; content:"|00 00 0d|krusperon.net"; fast_pattern:only; nocase; reference:url,www.hybrid-analysis.com/sample/3ebc6999da89eaf44d94195b588cb869d894ca754a248b074893d11f6dd19188?environmentId=4; reference:md5,2c339dbb40b3b19ee275e4c7c1c17a18; classtype:trojan-activity; sid:2021254; rev:2; metadata:created_at 2015_06_11, updated_at 2015_06_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Agent.WVW CnC Beacon 1"; flow:established,to_server; content:"GET"; http_method; content:"/s?"; depth:3; http_uri; fast_pattern; content:"|3b|"; distance:0; http_uri; content:"|3b|"; distance:0; http_uri; content:"."; distance:1; within:2; http_uri; content:"_"; distance:0; http_uri; pcre:"/^\/s\?\d+\x3b\d+\x3b\d{1,2}\.\d_(?:32|64)_\d+(?:\x3b\d+){4}$/U"; reference:md5,1de834aca8905124e1abcd4f71dea062; classtype:trojan-activity; sid:2021257; rev:1; metadata:created_at 2015_06_11, updated_at 2015_06_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Agent.WVW CnC Beacon 3"; flow:to_server,established; urilen:4; content:"GET"; http_method; content:"/cl1"; http_uri; fast_pattern:only; content:"Referer|3a 20|1|3a|"; pcre:"/^\d\.\d_(?:64|32)_\d\x3a/R"; content:"Empty|0d 0a|"; http_header; reference:md5,1de834aca8905124e1abcd4f71dea062; classtype:trojan-activity; sid:2021259; rev:2; metadata:created_at 2015_06_12, updated_at 2015_06_12;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Torrentlocker C2 SSL cert"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b3 b2 82 08 58 32 5e 8e|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; threshold: type limit, track by_src, count 1, seconds 60; reference:md5,77c99b6f06fe443b72a0efaf8f285e4d; classtype:trojan-activity; sid:2021260; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_12, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Chinad Retrieving Config"; flow:to_server,established; content:"GET"; http_method; urilen:22; content:"/css/bootstrap.min.css"; http_uri; fast_pattern:only; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nCache-Control\x3a\x20no-cache\r\n(?:\r\n)?$/Hi"; reference:url,blog.malwarebytes.org/intelligence/2015/06/unusual-exploit-kit-targets-chinese-users-part-2; reference:md5,5a454c795eccf94bf6213fcc4ee65e6d; classtype:trojan-activity; sid:2021261; rev:1; metadata:created_at 2015_06_12, updated_at 2015_06_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Chinad Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/api/?a="; http_uri; depth:8; fast_pattern; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\n(?:\r\n)?$/Hi"; reference:url,blog.malwarebytes.org/intelligence/2015/06/unusual-exploit-kit-targets-chinese-users-part-2; reference:md5,5a454c795eccf94bf6213fcc4ee65e6d; classtype:trojan-activity; sid:2021262; rev:1; metadata:created_at 2015_06_12, updated_at 2015_06_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gatak CnC"; flow:established,to_server; content:"/report"; depth:7; http_uri; fast_pattern; content:!"Accept|3a| "; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 5.1|3b 20|Trident/4.0)"; http_header; pcre:"/^\/report[0-9]?_(?:v[0-9])?[A-Z]?[A-F0-9_-]+_[0-9]{1,3}_(?:st(?:arted|ep)|already|mark|p(?:rocess|a(?:ge|yload))|watch2|http|image|gdiplus|crc|DIRRR|finished|(?:ex(cept|ecuted)))/Ui"; reference:md5,636a911cc059415963da7009277bae17; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/stegoloader-a-stealthy-information-stealer/; classtype:trojan-activity; sid:2021268; rev:8; metadata:created_at 2015_06_15, updated_at 2015_06_15;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TeslaCrypt MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12 2a 2e|pillspharm24.com"; distance:1; within:19; reference:md5,1b4e97af9f327126146338b8cd21dd86; classtype:trojan-activity; sid:2021273; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_15, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Elise CnC Beacon 1 M1"; flow:to_server,established; content:"GET"; http_method; content:"/page_"; nocase; http_uri; fast_pattern:only; content:".html"; nocase; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 8.0"; http_header; pcre:"/\/[a-f0-9]{8}\/page_\d{8,10}\.html$/Ui"; reference:md5,23ace716ec34bfd9c98efd79b23a01af; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:trojan-activity; sid:2021274; rev:3; metadata:created_at 2015_06_16, updated_at 2015_06_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Elise CnC Beacon 1 M2"; flow:to_server,established; content:"GET"; http_method; content:"/"; offset:9; depth:1; http_uri; content:".html"; distance:0; nocase; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:"A="; depth:2; http_cookie; content:"Cookie|3a 20|A="; fast_pattern:only; pcre:"/^\/[a-f0-9]{8}\/\D+\d{8,10}\.html$/Ui"; reference:md5,23ace716ec34bfd9c98efd79b23a01af; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:trojan-activity; sid:2021275; rev:4; metadata:created_at 2015_06_16, updated_at 2015_06_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Elise CnC Beacon 2"; flow:to_server,established; content:"POST"; http_method; content:".html"; nocase; http_uri; fast_pattern:only; content:!"Content-Type|3a|"; http_header; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; content:!"Host|3 a20|www.youdao.com"; http_header; pcre:"/\/\d{8,10}\.html$/Ui"; reference:md5,cfa7954722d4277d26e96edc3289a4ce; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:trojan-activity; sid:2021276; rev:3; metadata:created_at 2015_06_16, updated_at 2015_06_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Elise CnC Beacon 3 M1"; flow:to_server,established; content:"GET"; http_method; content:"/archive/"; nocase; offset:9; http_uri; fast_pattern; content:".html"; nocase; distance:8; within:7; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/[a-f0-9]{8}\/archive\/\d{8,10}\.html$/Ui"; reference:md5,cf3f36dd3235d2cff5754b19b9e1cb1f; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:trojan-activity; sid:2021277; rev:3; metadata:created_at 2015_06_16, updated_at 2015_06_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Elise CnC Beacon 3 M2"; flow:to_server,established; content:"GET"; http_method; content:".html"; nocase; http_uri; content:!"Referer|3a|"; http_header; content:"XX="; http_cookie; content:"BX="; http_cookie; content:"Cookie|3a 20|XX="; fast_pattern:only; pcre:"/\/\d{8,10}\.html$/Ui"; reference:md5,cf3f36dd3235d2cff5754b19b9e1cb1f; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:trojan-activity; sid:2021278; rev:2; metadata:created_at 2015_06_16, updated_at 2015_06_16;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Backdoor.Elise SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 03|"; distance:0; content:"|0b|eric-office"; distance:1; within:12; reference:md5,8334f346585aa27ac6ae86e5adcaefa2; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:trojan-activity; sid:2021279; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_16, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W2KM_BARTALEX Downloading Payload"; flow:established,to_server; content:"/lns.txt"; http_uri; fast_pattern:only; pcre:"/\/lns.txt$/U"; content:"WinHttp.WinHttpRequest"; http_header; reference:md5,0ed66982890ec483c3bc6f883e2424fb; classtype:trojan-activity; sid:2021284; rev:1; metadata:created_at 2015_06_17, updated_at 2015_06_17;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Malicious SSL certificate detected (FindPOS)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 cd 2d 4a 53 08 27 aa b4|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,a586db30ab21a02eee9e8ab2ebe8a2b5; reference:url,blog.team-cymru.org/2015/06/poseidon-and-the-backoff-pos-link/; classtype:trojan-activity; sid:2021289; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_17, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Netwire RAT Client Check-in 2"; flow:established,to_server; dsize:5; content:"|01 00 00 00 02|"; flowbits:isset,ET.NetwireRAT.Client; metadata: former_category TROJAN; reference:md5,acccfa6107c712a63b1473d524461163; classtype:trojan-activity; sid:2021290; rev:1; metadata:created_at 2015_06_17, updated_at 2017_12_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.Win32.Adload (KaiXin Payload) Config Download"; flow:established,to_server; content:"GET"; http_method; content:"/mac.html?uid="; http_uri; depth:14; fast_pattern; content:"&sid="; http_uri; distance:0; content:"&fname="; http_uri; distance:0; content:"&mac="; http_uri; distance:0; content:"&os="; http_uri; distance:0; content:"&pcname="; http_uri; distance:0; content:!"Referer|3a|"; http_header; reference:md5,c45810710617f0149678cc1c6cbec7a6; classtype:trojan-activity; sid:2021299; rev:2; metadata:created_at 2015_06_18, updated_at 2015_06_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.Win32.Adload (KaiXin Payload) Checkin"; flow:established,to_server; content:"GET"; http_method; content:".ini?"; http_uri; fast_pattern:only; content:!"|0d 0a|Accept-"; http_header; content:!"User-Agent|3a|"; http_header; pcre:"/^\/[a-z]+?\.*?ini\?\d+$/Ui"; reference:md5,c45810710617f0149678cc1c6cbec7a6; classtype:trojan-activity; sid:2021300; rev:1; metadata:created_at 2015_06_18, updated_at 2015_06_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Downloader.Win32.Adload (KaiXin Payload) Checkin Response"; flow:established,from_server; file_data; content:"[Config]|0d 0a|"; within:10; content:"[Process]|0d 0a|1="; distance:0; reference:md5,c45810710617f0149678cc1c6cbec7a6; classtype:trojan-activity; sid:2021301; rev:3; metadata:created_at 2015_06_18, updated_at 2015_06_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (bpq4dub4rlivvswu)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bpq4dub4rlivvswu"; fast_pattern; distance:0; nocase; reference:md5,0d7c227d4616254f9ae4976270f2f398; reference:url,www.threatexpert.com/report.aspx?md5=0d7c227d4616254f9ae4976270f2f398; classtype:trojan-activity; sid:2021302; rev:1; metadata:created_at 2015_06_18, updated_at 2015_06_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (gzc7lj4rvmkg25dm)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gzc7lj4rvmkg25dm"; fast_pattern; distance:0; nocase; reference:md5,0d7c227d4616254f9ae4976270f2f398; reference:url,www.threatexpert.com/report.aspx?md5=0d7c227d4616254f9ae4976270f2f398; classtype:trojan-activity; sid:2021303; rev:1; metadata:created_at 2015_06_18, updated_at 2015_06_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W2KM_BARTALEX Downloading Payload 2"; flow:established,to_server; content:"GET"; http_method; content:".txt"; http_uri; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| Win32|3b| WinHttp.WinHttpRequest.5|29 0d 0a|"; http_header; fast_pattern:51,20; content:"Accept|3a|"; http_header; content:"Accept-Language|3a|"; http_header; pcre:"/\/\d{4,}\.txt$/U"; reference:md5,545ee3114faa5abd994f9730713f2261; classtype:trojan-activity; sid:2021304; rev:3; metadata:created_at 2015_06_18, updated_at 2015_06_18;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|09|howtoe.pw"; distance:1; within:14; reference:md5,40368db3a68f2db17853750e68cfc662; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021314; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Possible Sinkhole)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ef ee 78 a7 ef c6 52 20|"; within:35; content:"|55 04 03|"; distance:0; content:"|0c|mainsinkhole"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021315; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_22, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/ChinaZ DDoS Bot Checkin 2 "; flow:established,to_server; content:"*"; pcre:"/^\d+/R"; content:"MHZ|00 00 00 00|"; fast_pattern; within:7; content:"MB|00 00 00 00|"; distance:0; content:"M|00 00 00 00|"; distance:0; content:"|3b|"; distance:0; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/R"; reference:url,blog.malwaremustdie.org/2015/06/the-elf-chinaz-reloaded.html; classtype:trojan-activity; sid:2021316; rev:1; metadata:created_at 2015_06_22, updated_at 2015_06_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Ascrirac .onion proxy Domain (5sse6j4kdaeh3yus)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|5sse6j4kdaeh3yus"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2021317; rev:3; metadata:created_at 2015_06_22, updated_at 2015_06_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware Variant .onion proxy Domain (kurrmpfx6kgmsopm)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kurrmpfx6kgmsopm"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2021318; rev:1; metadata:created_at 2015_06_22, updated_at 2015_06_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN AlphaCrypt .onion proxy Domain (tkjthigtqlvohs7z)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tkjthigtqlvohs7z"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2021319; rev:1; metadata:created_at 2015_06_22, updated_at 2015_06_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi/Ursnif/Papras Grabftp Module Download"; flow:established,to_server; content:"GET"; http_method; content:"/download/ftp/grabftp"; http_uri; fast_pattern:9,12; content:".bin"; http_uri; pcre:"/^\/download\/ftp\/(grabftp|grabftp64)\.bin$/U"; content:"User-Agent|3A| Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b| Windows NT 6.1|3b 20|Win64|3B| x64)"; http_header; content:!"Referer|3A|"; http_header; content:!"Accept|3A|"; http_header; reference:md5,e946b3dba7cd9a44fbbcbc3c7c76e440; classtype:trojan-activity; sid:2021321; rev:1; metadata:created_at 2015_06_23, updated_at 2015_06_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptoLocker .onion Proxy Domain (xvha2ctkacx2ug3b)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xvha2ctkacx2ug3b"; fast_pattern; distance:0; nocase; reference:url,www.dropboxforum.com/hc/communities/public/questions/203834265-virus; classtype:trojan-activity; sid:2021325; rev:1; metadata:created_at 2015_06_23, updated_at 2015_06_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DDoS.XOR Checkin 2"; flow:to_server,established; content:"GET"; http_method; content:"/check?iid="; http_uri; fast_pattern; content:"kernel="; http_uri; distance:0; pcre:"/iid=[a-fA-F0-9]{32}&kernel=/U"; reference:url,blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/#more-33072; classtype:trojan-activity; sid:2021334; rev:3; metadata:created_at 2015_06_23, updated_at 2015_06_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DDoS.XOR Checkin 3"; flow:to_server,established; content:"GET"; http_method; content:"/compiler?iid="; http_uri; fast_pattern; content:"username="; http_uri; distance:0; content:"password="; http_uri; distance:0; pcre:"/iid=[a-fA-F0-9]{32}&username=/U"; reference:url,blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/#more-33072; classtype:trojan-activity; sid:2021335; rev:3; metadata:created_at 2015_06_23, updated_at 2015_06_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DDoS.XOR Checkin via HTTP"; flow:established,to_server; content:"MSIE 6.0|3b 20|Windows NT 5.2|3b 20|SV1|3b 20|TencentTraveler|20 3b 20|.NET CLR 1.1.4322"; http_header; fast_pattern:21,20; metadata: former_category TROJAN; reference:md5,d818d056bbf7e227151d40c8bd539976; reference:url,blog.checkpoint.com/wp-content/uploads/2015/10/sb-report-threat-intelligence-groundhog.pdf; classtype:trojan-activity; sid:2021336; rev:5; metadata:affected_product Linux, attack_target Client_and_Server, deployment Perimeter, signature_severity Major, created_at 2015_06_23, malware_family DDoS_XOR, performance_impact Low, updated_at 2018_05_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Vflooder.C Connectivity Check"; flow:established,to_server; content:"GET"; http_method; urilen:1; content:"Host|3a 20|google.com|0d 0a|"; fast_pattern:only; http_header; content:!"Accept-Encoding|3a 20|"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^Accept\x3a\x20\*\/\*\r\nUser-Agent\x3a\x20[^\r\n]+\r\nHost\x3a\x20google\.com\r\nConnection\x3a\sKeep-Alive\r\n(?:\r\n)?$/H"; classtype:trojan-activity; sid:2021337; rev:1; metadata:created_at 2015_06_24, updated_at 2015_06_24;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|13|1024sslsecurity.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021339; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0e|typeofways.com"; distance:1; within:15; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021340; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0f|digination.info"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021341; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|12|ssl.savingscore.pw"; distance:1; within:19; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021342; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|12|supportupdate.info"; distance:1; within:19; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021343; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|17|patient-advertising.com"; distance:1; within:24; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021344; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0c|pdata-next.ru"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021345; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0f|live-advert.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021346; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0a|can-ip.com"; distance:1; within:11; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021347; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0b|pandolin.ru"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021348; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0c|securebnk.eu"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021349; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0b|fuxaloba.com"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021350; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_24, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ELF.DES.Downloader Request"; flow:to_server,established; content:"/ad.php?id="; fast_pattern:only; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (Macintosh|3b| Intel Mac OS X 10_10_2) AppleWebKit/600.4.10 (KHTML, like Gecko) Version/8.0.4 Safari/600.4.10|0d 0a|Accept-Encoding|3a 20|deflate|0d 0a|Accept-Language|3a 20|en-us|0d 0a|HOST|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; reference:url,blog.malwaremustdie.org/2015/06/mmd-0034-2015-new-elf.html; classtype:trojan-activity; sid:2021352; rev:1; metadata:created_at 2015_06_25, updated_at 2015_06_25;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 08|"; distance:0; content:"|07|Indiana"; distance:1; within:8; content:"|55 04 03|"; distance:0; content:"|0d|koalashelp.au"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021353; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_26, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 8f e3 5b c8 ea 55 d6 4a|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021354; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_26, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0b|tsescase.tk"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021355; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_26, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN AlphaCrypt .onion Proxy Domain (djdkduep62kz4nzx)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|djdkduep62kz4nzx"; fast_pattern; distance:0; nocase; reference:md5,1dd542bf3c1781df9a335f74eacc82a4; reference:url,malwr.com/analysis/YjllZWEzNmQ0MDA4NGNhNGIxYzIzNjU3YjczOTYxZjg/; classtype:trojan-activity; sid:2021363; rev:2; metadata:created_at 2015_06_29, updated_at 2015_06_29;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Dridex SSL Cert 30 June 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0b|"; distance:0; content:"|0a|Passio dpt"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|0b|romantik.it"; distance:1; within:12; reference:md5,0a977dfcb93301f1841dbe2272d3102b; classtype:trojan-activity; sid:2021370; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Dridex SSL Cert 1 July 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0b|"; distance:0; content:"|0a|gay rights"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|07|pace.eu"; distance:1; within:12; reference:md5,865164ef97c50bdd8e8740621234a3cf; classtype:trojan-activity; sid:2021372; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b8 95 12 ee 90 e8 0f 66|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,22b0d4ff64d3cb3080feb47ce52988e9; classtype:trojan-activity; sid:2021375; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_02, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN UpDocX Checkin"; flow:established,to_server; content:"/up_docx.php"; fast_pattern:only; http_uri; content:!"Referer"; http_header; reference:url,pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html; classtype:trojan-activity; sid:2021376; rev:1; metadata:created_at 2015_07_02, updated_at 2015_07_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN UpDocX Download"; flow:established,to_server; content:"/WINWORD32.exe"; fast_pattern:only; http_uri; content:!"Referer"; http_header; reference:url,pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html; classtype:trojan-activity; sid:2021377; rev:2; metadata:created_at 2015_07_02, updated_at 2015_07_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Mocelpa Client Hello CnC Beacon"; flow:established,to_server; content:"|16 03 01|"; depth:3; content:"|54 b4 c9 7b|"; distance:0; content:"|00 00 00 12 00 10 00 00 0d|www.apple.com"; distance:0; reference:url,blog.dragonthreatlabs.com/2015/07/dtl-06282015-01-apt-on-taiwan-insight.html; classtype:trojan-activity; sid:2021379; rev:1; metadata:created_at 2015_07_06, updated_at 2015_07_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zberp receiving config via image file - SET"; flow:to_server,established; content:".jpg"; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/\.jpg$/U"; flowbits:set,ET.Zberp; flowbits:noalert; reference:md5,1e1f44f8a403c4ebc6943eb2dcf731ff; reference:url,securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/#.U5Xgpyh4l8u; reference:url,blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/; classtype:trojan-activity; sid:2021381; rev:8; metadata:created_at 2015_07_06, updated_at 2015_07_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Zberp/ZeusVM receiving config via image file (steganography)"; flow:from_server,established; flowbits:isset,ET.Zberp; file_data; content:"|ff fe 3f 10 00 00|"; distance:0; byte_test:4,>,100,4,relative,little; byte_extract:4,4,config_len,relative,little; content:!"|00|"; within:config_len; pcre:"/^[^\x00]+(\xff\xd9)?$/R"; reference:md5,1e1f44f8a403c4ebc6943eb2dcf731ff; reference:url,securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/#.U5Xgpyh4l8u; reference:url,blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/; classtype:trojan-activity; sid:2021382; rev:12; metadata:created_at 2015_07_06, updated_at 2016_11_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Zberp/ZeusVM receiving config via image file (steganography) 2"; flow:from_server,established; flowbits:isset,ET.Zberp; file_data; content:"0103F|00|"; distance:0; content:"|ff fe|"; distance:-10; within:2; byte_test:2,>,100,0,relative,little; byte_extract:2,0,config_len,relative,little; content:!"|00|"; distance:6; within:config_len; pcre:"/^0103F\x00[^\x00]+(\xff\xd9)?$/R"; reference:md5,7ba76b0ec1249b19a46e1603e5ab0a90; reference:url,blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/; classtype:trojan-activity; sid:2021383; rev:4; metadata:created_at 2015_07_06, updated_at 2016_11_03;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Denisca.A CnC Beacon"; content:"|7c 2a 26|"; depth:3; fast_pattern; content:"|7c|"; distance:0; content:"|7c|"; distance:16; within:1; content:"|7c|"; distance:0; pcre:"/\x7c[a-f0-9]{16}\x7c\d+\x7c$/"; reference:md5,0075c4d976984436443b30926ad818dd; classtype:trojan-activity; sid:2021385; rev:1; metadata:created_at 2015_07_06, updated_at 2015_07_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Likely Dridex SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0b|"; distance:0; content:"|08|portable"; distance:1; within:9; content:"|55 04 03|"; distance:0; content:"|0b|nintendo.jp"; distance:1; within:12; classtype:trojan-activity; sid:2021388; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Denisca.A CnC Beacon 2"; dsize:37; content:"|2a 26|"; depth:2; content:"|26 5e|"; distance:22; fast_pattern; reference:md5,aaa4304dd5f22a017930a9eeebc8898f; classtype:trojan-activity; sid:2021389; rev:1; metadata:created_at 2015_07_07, updated_at 2015_07_07;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|disaronnoterrace.es"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021391; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0e|protectthegays"; distance:1; within:15; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|08|gay team"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021393; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_09, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Wekby PCRat/Gh0st CnC Beacon (Outbound)"; flow:to_server,established; content:"HTTP|5c|1.1 Sycmentec"; depth:18; reference:md5,cfbcb83f8515bd169afd0b22488b4430; reference:url,www.volexity.com/blog/?p=158; classtype:trojan-activity; sid:2021395; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_07_09, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Wekby PCRat/Gh0st CnC Beacon (Inbound)"; flow:established,to_client; content:"HTTP|5c|1.1 Sycmentec"; depth:18; reference:md5,cfbcb83f8515bd169afd0b22488b4430; reference:url,www.volexity.com/blog/?p=158; classtype:trojan-activity; sid:2021396; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_07_09, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (CryptoLocker CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 84 d3 15 4c 18 a1 18 9f|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021397; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_09, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Matsnu Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:".php?"; fast_pattern:only; http_uri; content:!"Referer|3a| "; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0b|3b| Windows NT 5.0|3b| .NET CLR 1.0.2914|29 0d 0a|"; http_header; content:"Connection|3a| Keep-Alive|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; http_header; content:"="; depth:7; http_client_body; content:"AA"; distance:3; within:2; http_client_body; pcre:"/^[a-z]{1,7}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/P"; reference:md5,7ff6912828faedbf39c4c66c7ba0260d; reference:md5,0361c2685bf799c04d796a6d18e1f075; reference:url,blog.checkpoint.com/wp-content/uploads/2015/07/matsnu-malwareid-technical-brief.pdf; classtype:trojan-activity; sid:2021399; rev:2; metadata:created_at 2015_07_10, updated_at 2015_07_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Banload.VZS Banker POST CnC Beacon 1"; flow:established,to_server; content:"POST"; http_method; content:"/adm/contador.php"; http_uri; fast_pattern:only; content:"User-Agent|3A 20|Firefox/15.0.1|0D 0A|"; http_header; reference:md5,3f30e3a023a720f0227a0a8653484239; reference:md5,b9d6539f4136b715656f8a515810c90d; classtype:trojan-activity; sid:2021403; rev:1; metadata:created_at 2015_07_10, updated_at 2015_07_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Banload.VZS Banker POST CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/upload.php"; http_uri; content:"conteudo="; fast_pattern; depth:9; http_client_body; content:"&myFile="; http_client_body; reference:md5,3f30e3a023a720f0227a0a8653484239; reference:md5,b9d6539f4136b715656f8a515810c90d; classtype:trojan-activity; sid:2021404; rev:1; metadata:created_at 2015_07_10, updated_at 2015_07_10;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c6 89 56 e5 bd 59 77 67|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,40368db3a68f2db17853750e68cfc662; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021411; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_13, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SeaDuke CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:".php"; http_uri; fast_pattern:only; content:"Accept-Encoding|3a 20|identity|0d 0a|Host|3a 20|"; depth:33; http_header; content:!"Accept-L"; http_header; content:!"Accept|3a|"; http_header; pcre:"/\.php$/U"; pcre:"/^[a-zA-Z0-9_-]{2,6}=[a-zA-Z0-9_-]+(?:\x3b\x20[a-zA-Z0-9_-]{2,6}=[a-zA-Z0-9_-]+){1,6}={0,2}?$/C"; reference:md5,a25ec7749b2de12c2a86167afa88a4dd; reference:url,researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-analysis-seaduke/; classtype:trojan-activity; sid:2021413; rev:1; metadata:created_at 2015_07_14, updated_at 2015_07_14;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN BernhardPOS Possible Data Exfiltration via DNS Lookup (29a.de)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; pcre:"/^.(?=[a-z0-9+/]*?[A-Z])(?=[A-Z0-9+/]*?[a-z])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x0329a\x02de\x00/R"; content:"|03|29a|02|de|00|"; nocase; fast_pattern:only; reference:url,morphick.com/blog/2015/7/14/bernhardpos-new-pos-malware-discovered-by-morphick; classtype:trojan-activity; sid:2021416; rev:1; metadata:created_at 2015_07_15, updated_at 2015_07_15;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e5 d3 05 ec 6a a7 12 c5|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021417; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_15, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bedep HTTP POST CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; fast_pattern:only; content:"Accept|3a 20|text/html, application/xhtml+xml, */*|0d 0a|"; http_header; pcre:"/\.php(?:\?[a-zA-Z0-9=&]+)?$/U"; pcre:"/^[a-z]+\d*=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})(?:&[a-z]+\d*=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})){2,}$/P"; pcre:"/^(?:Connection\x3a[^\r\n]+\r\n)?(?:Content-Type\x3a[^\r\n]+\r\n)?Accept\x3a[^\r\n]+\r\n(?:Accept-Encoding\x3a[^\r\n]+\r\n)?Accept-Language\x3a[^\r\n]+\r\n(?:Content-Type\x3a[^\r\n]+\r\n)?(?:Referer\x3a[^\r\n]+\.php[^\r\n]*?\r\n)?User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/Hi"; classtype:trojan-activity; sid:2021418; rev:7; metadata:created_at 2015_07_15, updated_at 2015_07_15;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN APT CozyCar SSL Cert 2"; flow:established,from_server; content:"|55 04 03|"; content:"|16|www.visionresearch.com"; distance:1; within:23; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:trojan-activity; sid:2021419; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN APT CozyCar SSL Cert 3"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 3d d6|"; distance:0; content:"|55 04 06|"; distance:0; content:"|02|--"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|08|SomeCity"; distance:1; within:9; content:"|0d 01 09 01|"; distance:0; content:"|1a|root@localhost.localdomain"; fast_pattern; distance:1; within:27; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:trojan-activity; sid:2021420; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN APT CozyCar SSL Cert 5"; flow:established,from_server; content:"|55 04 03|"; content:"|1c|extranet.qualityplanning.com"; distance:1; within:29; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:trojan-activity; sid:2021422; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN APT CozyCar SSL Cert 6"; flow:established,from_server; content:"|55 04 03|"; content:"|14|edadmin.kearsney.com"; distance:1; within:21; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:trojan-activity; sid:2021423; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN APT CozyCar SSL Cert 7"; flow:established,from_server; content:"|55 04 03|"; content:"|13|redbluffchamber.com"; distance:1; within:20; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:trojan-activity; sid:2021424; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN APT CozyCar SSL Cert 8"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|Connectads.com"; distance:1; within:15; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:trojan-activity; sid:2021425; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:35; content:"|55 04 03|"; distance:0; content:"|0c|cowsgirlz.es"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021426; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_15, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|16|Ubiquiti Networks Inc."; distance:1; within:23; content:"|55 04 03|"; distance:0; content:"|04|UBNT"; distance:1; within:5; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021427; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible CVE-2015-2424 RTF Dropping Sofacy"; flow:established,from_server; file_data; content:"D0CF11E0A1B11AE1"; nocase; content:"ffffffffff74303074"; nocase; distance:0; fast_pattern; reference:md5,112c64f7c07a959a1cbff6621850a4ad; reference:url,isightpartners.com/2015/07/microsoft-office-zero-day-cve-2015-2424-leveraged-by-tsar-team/; classtype:trojan-activity; sid:2021431; rev:1; metadata:created_at 2015_07_16, updated_at 2015_07_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CosmicDuke Exfiltrating Data via FTP STOR"; flow:established,to_server; dsize:55<>65; content:"STOR|20|"; depth:5; pcre:"/^[a-z0-9]{1,10}[A-F0-9]+\.bin\r\n$/R"; content:".bin|0d 0a|"; fast_pattern:only; reference:md5,5080bc705217c614b9cbf67a679979a8; classtype:trojan-activity; sid:2023910; rev:2; metadata:created_at 2015_07_17, updated_at 2017_02_16;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (VMZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|16|httpsgatevalidator.com"; distance:1; within:23; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021436; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_17, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Tsyrval Panda CnC Beacon"; flow:established,to_server; content:"|75 1C 11 10 75 01 14 07 12 58 5F|"; offset:3; depth:14; classtype:trojan-activity; sid:2021437; rev:1; metadata:created_at 2015_07_20, updated_at 2015_07_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Bancos.AMM CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"ID_MAQUINA="; depth:11; nocase; http_client_body; fast_pattern; content:"&VERSAO="; distance:0; nocase; http_client_body; content:"&WIN="; distance:0; nocase; http_client_body; metadata: former_category TROJAN; reference:md5,f52ff1dc059f1df95781830d84a12869; classtype:trojan-activity; sid:2021439; rev:3; metadata:tag Banking_Trojan, created_at 2015_07_20, malware_family Bancos, updated_at 2018_04_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN KeyBase Keylogger HTTP Pattern"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/post.php?type="; http_uri; fast_pattern; content:"&machinename="; http_uri; distance:0; content:!"User-Agent|3a 20|"; http_header; pcre:"/^Host\x3a[^\r\n]+\r\n(?:Connection\x3a\x20Keep-Alive\r\n)?(?:\r\n)?/H"; reference:md5,5626771cf6751286de4b90ea4b8df94d; reference:url,researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/; classtype:trojan-activity; sid:2021440; rev:3; metadata:created_at 2015_07_20, updated_at 2015_07_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN KeyBase Keylogger Uploading Screenshots"; flow:to_server,established; content:"POST"; http_method; content:"/image/upload.php"; fast_pattern:only; http_uri; content:"|0d 0a|Expect|3a|"; http_header; content:!"User-Agent|3a 20|"; http_header; content:"filename=|22|"; pcre:"/^[^\\\*\+\=\|\:\;\x22\?\>\>\,\#][a-zA-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}[\d_]+\.(?:jpg|png)\x22\x0d\x0a/R"; reference:md5,5626771cf6751286de4b90ea4b8df94d; reference:url,researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/; classtype:trojan-activity; sid:2021441; rev:4; metadata:created_at 2015_07_20, updated_at 2015_07_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Rioselx.A Checkin"; flow:established,to_server; content:"/access.php"; http_uri; fast_pattern; content:"User-Agent|3a|"; http_header; content:!"Mozilla"; within:7; http_header; pcre:"/^User-Agent\x3a\x20(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\r\n/Hmi"; content:!"Referer"; http_header; content:!"Accept"; http_header; content:"Content-Type|3a| application/x-www-form-urlencoded"; http_header; content:"Content-Length|3a| "; http_header; reference:md5,3eb94c397a395f24b84297593f69710a; classtype:trojan-activity; sid:2021442; rev:6; metadata:created_at 2015_07_20, updated_at 2015_07_20;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (VMZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|expresstrevel.com"; distance:1; within:18; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021445; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d9 07 45 6b c2 ad 90 a1|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021446; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_20, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Jiripbot CnC 1"; flow:to_server,established; urilen:7; content:"GET"; http_method; content:"/status"; http_uri; fast_pattern:only; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0)"; http_header; pcre:"/Host\x3a\x20jdk\.[a-f0-9]{32}\.org/Hmi"; pcre:"/SSID=[0-9]{5}[0-8][01][a-f0-9]{36}/Cm"; content:"A="; http_cookie; reference:url,www.symantec.com/connect/blogs/butterfly-profiting-high-level-corporate-attacks; reference:url,securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/; classtype:trojan-activity; sid:2021501; rev:1; metadata:created_at 2015_07_21, updated_at 2015_07_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Jiripbot CnC 2"; flow:to_server,established; urilen:12; content:"GET"; http_method; content:"/checkupdate"; http_uri; fast_pattern:only; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0)"; http_header; pcre:"/Host\x3a\x20jdk\.[a-f0-9]{32}\.org/Hmi"; pcre:"/SSID=[0-9]{5}[0-8][01][a-f0-9]{36}/Cm"; content:"A="; http_cookie; reference:url,www.symantec.com/connect/blogs/butterfly-profiting-high-level-corporate-attacks; reference:url,securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/; classtype:trojan-activity; sid:2021502; rev:1; metadata:created_at 2015_07_21, updated_at 2015_07_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Java/QRat Checkin"; flow:established,to_server; content:"|73 72|"; depth:2; content:"|00 05|value"; distance:0; pcre:"/\x00\x05value$/"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2021503; rev:1; metadata:created_at 2015_07_21, malware_family QRat, updated_at 2018_03_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Java/QRat Receiving Command 1"; flow:established,from_server; dsize:16; content:"|00 0d|giveClientMac"; offset:1; fast_pattern; metadata: former_category TROJAN; classtype:trojan-activity; sid:2021504; rev:1; metadata:created_at 2015_07_21, malware_family QRat, updated_at 2018_03_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Java/QRat Receiving No Commands"; flow:established,from_server; dsize:10; content:"|00 07|nothing"; offset:1; fast_pattern; metadata: former_category TROJAN; classtype:trojan-activity; sid:2021505; rev:1; metadata:created_at 2015_07_21, malware_family QRat, updated_at 2018_03_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sednit Connectivity Check 0 Byte POST"; flow:to_server,established; content:"POST"; http_method; content:"Host|3a 20|"; http_header; content:"google."; http_header; within:16; content:!"Referer|3a|"; http_header; content:!"=http"; http_uri; content:"Content-Length|3A| 0|0D 0A|"; http_header; fast_pattern:only; content:"/?"; http_uri; pcre:"/\.[a-z]{3,4}\/\?[A-Za-z0-9]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/U"; pcre:"/^Host\x3a\x20(?:www\.)?google(?:\.[a-z]{2,3})+\r?$/Hm"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used; classtype:trojan-activity; sid:2021506; rev:3; metadata:created_at 2015_07_22, updated_at 2015_07_22;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|06|coffee"; distance:1; within:7; content:"|55 04 0b|"; distance:0; content:"|07|it dept"; distance:1; within:8; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021512; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0b|"; distance:0; content:"|0a|obama team"; distance:1; within:11; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021513; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0a|littlepony"; distance:1; within:11; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|0a|just cause"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021514; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|eurotranstele.com"; distance:1; within:18; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021515; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|promotion-statistics.mobi"; distance:1; within:26; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021516; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|18|data-stats-collector.biz"; distance:1; within:25; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021517; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Likely Dridex SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|04|clan"; distance:1; within:5; content:"|55 04 0b|"; distance:0; content:"|06|bushes"; distance:1; within:7; fast_pattern; reference:md5,a5f7d314e2b996b69751a4e46503c644; classtype:trojan-activity; sid:2021518; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|07|dinasty"; distance:1; within:8; content:"|55 04 0b|"; distance:0; content:"|0d|klintons team"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021519; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_23, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN KINS/ZeusVM Variant CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php/"; http_uri; fast_pattern:only; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^[\x20-\x7e\s]{0,20}[^\x20-\x7e\s]/P"; pcre:"/\.php\/(?:[a-zA-Z0-9]+\/)+[A-F0-9]{8}$/U"; pcre:"/^User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/Hmi"; reference:md5,7a015848f24de23da43e2ca9970df11e; classtype:trojan-activity; sid:2021520; rev:1; metadata:created_at 2015_07_23, updated_at 2015_07_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PoisonIvy HTTP CnC Beacon"; flow:established,to_server; content:"HTTP|3a 2f 2f|"; depth:7; http_raw_uri; content:"id="; depth:3; http_cookie; content:!"Host|3a|"; http_header; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^id=[0-9A-F]{12}[^\r\n]+$/C"; content:"HTTP/1.1|0d 0a|Cookie|3a 20|id="; fast_pattern:only; reference:md5,1aca09c5eefb37539e86ec86dd3be72f; reference:url,blog.jpcert.or.jp/2015/07/poisonivy-adapts-to-communicate-through-authentication-proxies.html; classtype:trojan-activity; sid:2021523; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2015_07_23, malware_family PoisonIvy, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 27 d2 2d d7 bd cb 5c|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021525; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_23, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/ChinaZ 2.0 DDoS Bot Checkin 3"; flow:established,to_server; content:"*"; pcre:"/^\d+/R"; content:"MHZ|00 00 00 00|"; within:7; content:"MB|00 00 00 00|"; distance:0; content:"|28|null|29 00 00 00 00|"; fast_pattern; distance:0; reference:url,blog.malwaremustdie.org/2015/06/the-elf-chinaz-reloaded.html; classtype:trojan-activity; sid:2021526; rev:2; metadata:created_at 2015_07_23, updated_at 2015_07_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Zberp/ZeusVM receiving config via image file (steganography) 3"; flow:from_server,established; flowbits:isset,ET.Zberp; file_data; content:"0103F|00|"; distance:0; content:"|ff fe ff ff|"; distance:-10; within:4; pcre:"/^0103F\x00[^\x00]+(\xff\xd9)?$/R"; reference:md5,7ba76b0ec1249b19a46e1603e5ab0a90; reference:url,blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/; classtype:trojan-activity; sid:2021527; rev:4; metadata:created_at 2015_07_23, updated_at 2016_11_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN KINS/ZeusVM Variant Retrieving Config"; flow:established,to_server; content:"GET"; http_method; content:"/config"; http_uri; fast_pattern:only; content:".jpg"; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:"Connection|3a 20|Close"; http_header; content:"Cache-Control|3a 20|no-cache"; http_header; pcre:"/\/config[^\x2e\x2f]*?\.jpg$/U"; pcre:"/^User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/Hmi"; metadata: former_category TROJAN; reference:md5,7a015848f24de23da43e2ca9970df11e; classtype:trojan-activity; sid:2021528; rev:3; metadata:created_at 2015_07_23, updated_at 2017_10_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|09|Microsoft"; distance:1; within:10; fast_pattern; content:"|55 04 0b|"; content:"|0b|Widgits pty"; distance:1; within:12; reference:md5,32230d747829dcf77841f594aa54915a; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021529; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|uktranstele.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021530; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_24, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W2KM_BARTALEX Downloading Payload M2 (set)"; flow:established,to_server; content:".txt"; http_uri; content:"WinHttp.WinHttpRequest"; http_header; flowbits:set,ET.BARTALEX; flowbits:noalert; classtype:trojan-activity; sid:2021531; rev:1; metadata:created_at 2015_07_24, updated_at 2015_07_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W2KM_BARTALEX Downloading Payload M2"; flow:established,from_server; flowbits:isset,ET.BARTALEX; content:"text/plain|0d 0a 0d 0a|http"; fast_pattern:only; content:"200"; http_stat_code; file_data; content:"http"; within:4; pcre:"/^s?\x3a\x2f+[^\r\n\s]+\.exe/Ri"; classtype:trojan-activity; sid:2021532; rev:1; metadata:created_at 2015_07_24, updated_at 2015_07_24;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Poshcoder .onion Proxy Domain (hlvumvvclxy2nw7j)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hlvumvvclxy2nw7j"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2021534; rev:1; metadata:created_at 2015_07_27, updated_at 2015_07_27;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 aa ad 0a 9f da 99 c2 e3|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021541; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_27, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN EncryptorRaas .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|decryptoraveidf7"; nocase; distance:0; fast_pattern; reference:md5,d87ba0bfce1cdb17fd243b8b1d247e88; classtype:trojan-activity; sid:2021545; rev:1; metadata:created_at 2015_07_28, updated_at 2015_07_28;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a4 3d 09 0a 4c 60 be 70|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021546; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_28, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN EncryptorRaas .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|encryptor3awk6px"; nocase; distance:0; fast_pattern; reference:md5,d87ba0bfce1cdb17fd243b8b1d247e88; classtype:trojan-activity; sid:2021547; rev:1; metadata:created_at 2015_07_28, updated_at 2015_07_28;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptoLocker .onion Proxy Domain (vacdgwaw5djp5hmu)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vacdgwaw5djp5hmu"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2021549; rev:1; metadata:created_at 2015_07_29, updated_at 2015_07_29;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Critroni .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|des7siw5vfkznjhi"; fast_pattern; distance:0; nocase; reference:md5,ca57b9de1cae18bda994aa4bd093c571; reference:url,www.file-analyzer.net/analysis/4825; classtype:trojan-activity; sid:2021551; rev:1; metadata:created_at 2015_07_29, updated_at 2015_07_29;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (VMZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|contactcitywell.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021553; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potao CnC"; flow:to_server,established; content:"POST"; http_method; content:"Content-Type|3a 20|application/xml"; content:"<?xml version=|22|1.0|22|?>"; depth:21; http_client_body; content:"10a7d030-1a61-11e3-beea-001c42e2a08b"; distance:24; http_client_body; fast_pattern; classtype:trojan-activity; sid:2021554; rev:1; metadata:created_at 2015_07_30, updated_at 2015_07_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Potao CnC POST Response"; flow:to_client,established; content:"Server|3a 20|nginx"; http_header; file_data; content:"<?xml version=|27|1.0|27|?>"; depth:21; content:"<methodResponse>"; distance:1; content:"<params>|0a|<param>"; distance:1; content:"<value><base64>"; fast_pattern; distance:1; pcre:"/^\x0a(?:[A-Za-z0-9/+]{4})*(?:[A-Za-z0-9/+]{2}==|[A-Za-z0-9/+]{3}=|[A-Za-z0-9/+]{4})\x0a/R"; classtype:trojan-activity; sid:2021555; rev:1; metadata:created_at 2015_07_30, updated_at 2015_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dyre CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"_W"; fast_pattern; http_uri; content:"User-Agent|3a|"; depth:11; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/_W\d+\.[A-F0-9]+\/\d+\/[^\x2f]+\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/$/U"; reference:md5,3e215dfa84c271bb431b3de2e5da016a; classtype:trojan-activity; sid:2021556; rev:1; metadata:created_at 2015_07_30, updated_at 2015_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Java/Downloader Observed in Pawn Storm CVE-2015-2590 1"; flow:established,to_server; content:"GET"; http_method; content:"/PhantomSuper.class"; http_uri; fast_pattern; content:"Java/"; http_header; content:!"Referer|3a|"; http_header; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used/; classtype:trojan-activity; sid:2021557; rev:1; metadata:created_at 2015_07_30, updated_at 2015_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Java/Downloader Observed in Pawn Storm CVE-2015-2590 2"; flow:established,to_server; content:"GET"; http_method; content:"/ArrayReplace.class"; http_uri; fast_pattern; content:"Java/"; http_header; content:!"Referer|3a|"; http_header; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used/; classtype:trojan-activity; sid:2021558; rev:1; metadata:created_at 2015_07_30, updated_at 2015_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN URI Struct Observed in Pawn Storm CVE-2015-2950"; flow:established,to_server; content:"POST"; http_method; content:"/?p2="; http_uri; content:"&recr="; distance:0; http_uri; fast_pattern; content:"&p3="; distance:0; http_uri; content:"&as="; distance:0; http_uri; content:"&c="; distance:0; http_uri; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used/; classtype:trojan-activity; sid:2021560; rev:1; metadata:created_at 2015_07_30, updated_at 2015_07_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN EncryptorRaas .onion Proxy Domain (613cb6owitcouepv)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|613cb6owitcouepv"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2021561; rev:1; metadata:created_at 2015_07_30, updated_at 2015_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|09|democracy"; distance:1; within:10; content:"|55 04 0b|"; distance:0; content:"|09|obamacare"; distance:1; within:10; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021563; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_31, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|srvreq.com"; distance:1; within:11; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021565; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_31, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|www.pohiola.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021566; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_31, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d8 17 61 5f e5 c3 b3 2c|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021567; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_31, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c1 29 bf 95 40 97 37 f9|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021568; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_31, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sakula/Mivast RAT CnC Beacon 6"; flow:to_server,established; content:"POST"; http_method; content:".asp?cookie="; http_uri; fast_pattern:only; content:"&type="; http_uri; content:"&vid="; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; reference:md5,3cd598e8e2fd033134d8784251eff59e; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/; classtype:trojan-activity; sid:2021569; rev:1; metadata:created_at 2015_07_31, updated_at 2015_07_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sakula/Mivast RAT CnC Beacon 7"; flow:to_server,established; content:"GET"; http_method; content:".jpg?vid="; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.jpg\?vid=\d+$/U"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/; classtype:trojan-activity; sid:2021570; rev:2; metadata:created_at 2015_07_31, updated_at 2015_07_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sakula/Mivast RAT CnC Beacon 8"; flow:to_server,established; content:"GET"; http_method; content:"/viewphoto.asp?photoid="; http_uri; fast_pattern:only; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/; classtype:trojan-activity; sid:2021571; rev:1; metadata:created_at 2015_07_31, updated_at 2015_07_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT SuperhardCorp DNS Lookup (drometic.suroot.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|drometic|06|suroot|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:trojan-activity; sid:2021576; rev:1; metadata:created_at 2015_08_03, updated_at 2015_08_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT SuperhardCorp DNS Lookup (docume.sysbloger.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|docume|09|sysbloger|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:trojan-activity; sid:2021577; rev:1; metadata:created_at 2015_08_03, updated_at 2015_08_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT SuperhardCorp DNS Lookup (ohio.sysbloger.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|ohio|09|sysbloger|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:trojan-activity; sid:2021578; rev:1; metadata:created_at 2015_08_03, updated_at 2015_08_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT SuperhardCorp DNS Lookup (specs.dnsrd.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|specs|05|dnsrd|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:trojan-activity; sid:2021579; rev:1; metadata:created_at 2015_08_03, updated_at 2015_08_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT SuperhardCorp DNS Lookup (np3.Jkub.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|np3|04|Jkub|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:trojan-activity; sid:2021580; rev:1; metadata:created_at 2015_08_03, updated_at 2015_08_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT SuperhardCorp DNS Lookup (ns8.ddns1.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|ns8|05|ddns1|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:trojan-activity; sid:2021581; rev:1; metadata:created_at 2015_08_03, updated_at 2015_08_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT SuperhardCorp DNS Lookup (books.mrface.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|books|06|mrface|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:trojan-activity; sid:2021582; rev:1; metadata:created_at 2015_08_03, updated_at 2015_08_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT SuperhardCorp DNS Lookup (kieti.ipsecsl.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|kieti|07|ipsecsl|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:trojan-activity; sid:2021583; rev:1; metadata:created_at 2015_08_03, updated_at 2015_08_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN APT Lurker POST CnC Beacon"; flow:established,to_server; content:"POST /"; depth:6; content:".php HTTP/1."; distance:0; fast_pattern; content:!"Content-Type|3a|"; distance:0; content:!"Accept"; distance:0; content:!"Referer|3a|"; distance:0; content:"HOST|3a|"; distance:3; within:5; pcre:"/^[^\r\n]+\r\nUser-Agent\x3a[^\r\n]+\r\nContent-Length\x3a\x20\d+\r\n(?:\r\n)?$/Rmi"; reference:md5,c5a8e09295b852a6e32186374b66e1a7; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:trojan-activity; sid:2021584; rev:3; metadata:created_at 2015_08_03, updated_at 2015_08_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN APT Lurker GET CnC Beacon"; flow:established,to_server; content:"GET /"; depth:5; content:".php HTTP/1."; distance:0; fast_pattern; content:!"Accept"; distance:0; content:!"Referer|3a|"; distance:0; content:"HOST|3a|"; distance:3; within:5; pcre:"/^[^\r\n]+\r\nUser-Agent\x3a[^\r\n]+\r\n(?:\r\n)?$/Rmi"; reference:md5,c5a8e09295b852a6e32186374b66e1a7; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:trojan-activity; sid:2021585; rev:3; metadata:created_at 2015_08_03, updated_at 2015_08_03;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN APT  CozyCar SSL Cert 1"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 12 85|"; distance:0; content:"|55  04 06|"; distance:0; content:"|02|--"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|08|SomeCity"; distance:1; within:9; content:"|0d 01 09 01|"; distance:0; content:"|1a|root@localhost.localdomain"; fast_pattern; distance:1; within:27; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:trojan-activity; sid:2021591; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|safeboxkeyltd.com"; distance:1; within:18; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021592; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|safecitysup.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021593; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|89.104.95.236"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021594; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|08|Monsanto"; distance:1; within:9; content:"|55 04 0b|"; distance:0; content:"|0b|SmartPhones"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021596; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_04, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Alina.POS-Trojan Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Accept|3a 20|application/octet-stream|0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a|"; depth:74; http_header; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/\.php$/U"; reference:md5,3959fb5b5909d9c6fb9c9a408d35f67a; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:trojan-activity; sid:2021597; rev:3; metadata:created_at 2015_08_05, updated_at 2015_08_05;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|enfinetoner.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021598; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_05, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|ta-portfolio.com"; distance:1; within:17; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021599; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_05, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|gallinj.com"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021602; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d5 e5 ff f2 10 0a 35 d0|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021603; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|www.enfinetoner.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021604; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_10, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.VBKrypt.vquj Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"|0d 0a|Content-Encoding|3a| binary|0d 0a|"; fast_pattern; http_header; content:"|03 00|"; http_client_body; depth:2; content:"|00 01 00|"; http_client_body; within:4; content:"|00 01 00|"; http_client_body; within:4; reference:md5,0c420e1eef4b1f097ffec8d0c0ff438a; classtype:trojan-activity; sid:2021605; rev:3; metadata:created_at 2015_08_10, updated_at 2015_08_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Androm.gnlb Checkin"; flow:established,to_server; content:"/Count.asp?ver="; fast_pattern:only; nocase; http_uri; content:"&mac="; http_uri; content:!"Referer|3a|"; http_header; content:"Content-Length|3a| 0"; http_header; reference:md5,c7e6ebf91c03a2bcaa8053f149870fad; classtype:trojan-activity; sid:2021608; rev:3; metadata:created_at 2015_08_10, updated_at 2015_08_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible DarkHotel Landing M1"; flow:to_client,established; file_data; content:"eval|28|"; pcre:"/^[a-z]\x29/Rsi"; content:"Problems in loading internet explorer"; distance:0; content:"Try again after update your systems."; distance:0; fast_pattern:16,20; reference:url,securelist.com/blog/research/71713/darkhotels-attacks-in-2015/; classtype:trojan-activity; sid:2021609; rev:1; metadata:created_at 2015_08_10, updated_at 2015_08_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DarkHotel Initial Beacon"; flow:established,to_server; content:"GET"; http_method; content:".php?type=creation"; http_uri; fast_pattern; content:"result="; distance:1; http_uri; content:"&info="; distance:0; http_uri; content:!"Referer|3a|"; http_header; reference:url,securelist.com/blog/research/71713/darkhotels-attacks-in-2015/; classtype:trojan-activity; sid:2021610; rev:1; metadata:created_at 2015_08_10, updated_at 2015_08_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible DarkHotel Landing M2"; flow:established,to_client; file_data; content:"HTA|3a|APPLICATION"; nocase; fast_pattern:only; content:"|22|&#x"; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; reference:url,securelist.com/blog/research/71713/darkhotels-attacks-in-2015/; classtype:trojan-activity; sid:2021611; rev:2; metadata:created_at 2015_08_10, updated_at 2015_08_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible DarkHotel Landing M3"; flow:established,to_client; file_data; content:"HTA|3a|APPLICATION"; nocase; fast_pattern:only; content:"|27|&#x"; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; reference:url,securelist.com/blog/research/71713/darkhotels-attacks-in-2015/; classtype:trojan-activity; sid:2021612; rev:1; metadata:created_at 2015_08_10, updated_at 2015_08_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PSEmpire Checkin via POST"; flow:to_server,established; content:"POST"; http_method; urilen:14; content:"/admin/get.php"; fast_pattern:only; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b| WOW64|3b| Trident/7.0|3b| rv|3a|11.0) like Gecko|0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; content:!"|0d 0a|Accept"; http_header; pcre:"/Cookie\x3a\x20SESSIONID=[A-Z0-9]{16}\r\n/"; reference:url,www.powershellempire.com; classtype:trojan-activity; sid:2021616; rev:1; metadata:created_at 2015_08_12, updated_at 2015_08_12;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Dridex SSL Cert Aug 12 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|07|Arizona"; fast_pattern; distance:1; within:8; content:"|55 04 07|"; distance:0; content:"|0a|Scottsdale"; distance:1; within:11; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}\x30/Rs"; classtype:trojan-activity; sid:2021621; rev:5; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_12, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0d|Casino Royale"; distance:1; within:14; content:"|55 04 0b|"; distance:0; content:"|05|poker"; distance:1; within:6; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021622; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_12, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f6 23 8b 36 d0 72 53 df|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021623; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_12, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (BlackEnergy CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 85 9e 1d 11 4a f9 72 62|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021624; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_12, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W2KM_BARTALEX August 11 2015"; flow:to_server,established; content:".jpg"; http_uri; nocase; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| FSL 7.0.6.01001)"; http_header; fast_pattern:55,20; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/(?:[a-z]+|\d+)\.jpg/Ui";  reference:md5,1bcea0364088c5308ed217649eeef4d9; classtype:trojan-activity; sid:2021625; rev:3; metadata:created_at 2015_08_14, updated_at 2015_08_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hacking Team Elite Windows Implant Exfiltration"; flow:established,to_server; content:"POST"; http_method; content:"/index.jsp"; http_uri; content:"Cookie|3a| ID="; fast_pattern; pcre:"/^ID=\w{8}-\w{4}-\w{4}-\w{4}-\w{12}/C"; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}/P"; reference:url,www.4armed.com/blog/network-defense-catching-galileo-rcs-using-snort; classtype:trojan-activity; sid:2021626; rev:6; metadata:created_at 2015_08_14, updated_at 2015_08_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hacking Team Scout Windows Implant Exfiltration"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"Cookie|3a| ID="; fast_pattern; pcre:"/^ID=\w{8}-\w{4}-\w{4}-\w{4}-\w{12}/C"; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}/P"; reference:url,www.4armed.com/blog/network-defense-catching-galileo-rcs-using-snort; classtype:trojan-activity; sid:2021627; rev:7; metadata:created_at 2015_08_14, updated_at 2015_08_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hacking Team Android Implant Exfiltration"; flow:established, to_server; content:"POST"; http_method; content:"Android"; http_header; content:"Cookie|3a| ID="; fast_pattern; pcre:"/^ID=\w{8}-\w{4}-\w{4}-\w{4}-\w{12}/C"; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}/P"; reference:url,www.4armed.com/blog/network-defense-catching-galileo-rcs-using-snort; classtype:trojan-activity; sid:2021628; rev:7; metadata:created_at 2015_08_14, updated_at 2015_08_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hacking Team Implant Exfiltration"; flow:established, to_server; content:"POST"; http_method; content:"Cookie|3a| ID="; fast_pattern; pcre:"/^ID=\w{8}-\w{4}-\w{4}-\w{4}-\w{12}/C"; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}/P"; reference:url,www.4armed.com/blog/network-defense-catching-galileo-rcs-using-snort; classtype:trojan-activity; sid:2021629; rev:7; metadata:created_at 2015_08_14, updated_at 2015_08_14;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET TROJAN MS Terminal Server Single Character Login possible Morto inbound"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; offset:5; depth:6; content:"Cookie|3a| mstshash="; content:"|0d 0a|"; distance:1; within:2; nocase; pcre:"/Cookie\x3a mstshash=[a-zA-Z]\r\n/"; flowbits:set,ET.RDP.Morto; metadata: former_category TROJAN; reference:cve,CAN-2001-0540; classtype:trojan-activity; sid:2021630; rev:2; metadata:created_at 2015_08_14, updated_at 2017_05_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sharik/Smoke CnC Beacon 2"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"Cache-Control|3a 20|no-cache|0d 0a|Pragma|3a 20|no-cache|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent|3a 20|"; depth:104; http_header; fast_pattern:76,20; content:"Connection|3a 20|Keep-Alive|0d 0a|Content-Length|3a 20|"; distance:0; http_header; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; pcre:"/User-Agent\x3a[^\r\n]+(?:MSIE|rv\x3a)[^\r\n]+\r\nConnection\x3a\x20Keep-Alive\r\nContent-Length\x3a\x20\d+\r\nHost\x3a[^\r\n]+\r\n(?:\r\n)?$/Hm"; reference:md5,789ee114125a6e1db363b505a643c03d; classtype:trojan-activity; sid:2021631; rev:1; metadata:created_at 2015_08_14, updated_at 2015_08_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sharik/Smoke CnC Beacon 3"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"POST / 1.1|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent|3a 20|"; depth:73; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; reference:md5,789ee114125a6e1db363b505a643c03d; classtype:trojan-activity; sid:2021632; rev:1; metadata:created_at 2015_08_14, updated_at 2015_08_14;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|presidentjunction.org"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021633; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Redyms CnC)"; flow:established,from_server; content:"|55 04 06|"; content:"|02|US"; distance:1; within:3; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Inc."; distance:1; within:15; content:"|55 04 03|"; content:"|02|*."; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021634; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|tradingdelivery.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021635; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c1 e2 af 07 71 4b 6c 75|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021636; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_14, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LokiBot User-Agent (Charon/Inferno)"; flow:established,to_server; content:"(Charon|3b| Inferno)"; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+\x28Charon\x3b Inferno\x29\r?$/Hmi"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2021641; rev:4; metadata:created_at 2015_08_17, updated_at 2018_04_13;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ponmocup Post Infection DNS Lookup messagewild"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|messagewild|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2021642; rev:1; metadata:created_at 2015_08_17, updated_at 2015_08_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BandarChor Ransomware Checkin"; flow:established,to_server; content:"POST"; http_method; content:"number="; depth:7; http_client_body; content:"&id="; distance:0; http_client_body; content:"&pc="; distance:0; http_client_body; content:"&tail="; http_client_body; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:md5,fba4af888ae0e838dd083d4cfebc8f39; reference:md5,d32b6c067e64c141b0c239d23ab1ffd1; reference:url,f-secure.com/weblog/archives/00002795.html; classtype:trojan-activity; sid:2021685; rev:5; metadata:created_at 2015_08_18, updated_at 2015_08_18;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|lastinstanse.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021686; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|deliverytrading.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021687; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f3 d9 2f af b4 8c 02 29|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021688; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_18, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MWI Maldoc Stats Callout Aug 18 2015"; flow:established,to_server; content:"/im"; http_uri; content:"?id="; http_uri; pcre:"/\/im(?:g\.(?:jpg|php)|age\.php)\?id=\d+((?:&data=|&bid=)[^&]*?)?$/U"; content:"office"; http_header; nocase; fast_pattern:only; pcre:"/^User-Agent\x3a\x20[^\x0d\x0a]+?ms-?office/Hmi"; content:!".money-media.com|0d 0a|"; nocase; http_header; content:!"ad.payclick.it|0d 0a|"; nocase; http_header; content:!"sellercore.com|0d 0a|"; nocase; http_header; metadata: former_category TROJAN; reference:md5,2c9f2a84a346e29c3b262ca1d2d2f123; classtype:trojan-activity; sid:2021690; rev:7; metadata:created_at 2015_08_18, updated_at 2017_12_07;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|1c|contrarypresidentstspea.info"; distance:1; within:29; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021695; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_19, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious"; flow:established,to_server; content:"GET"; http_method; content:"/wp-"; http_uri; content:".exe"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\.exe$/U"; pcre:"/\/wp-(?:content|admin|includes)\//U"; metadata: former_category TROJAN; reference:md5,adabe1b995e6633dee19fdd2fdc4957a; classtype:trojan-activity; sid:2021697; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Wordpress, signature_severity Major, created_at 2015_08_20, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0e|mojojantes.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021703; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 91 48 c0 28 b4 2b 86 c7|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021704; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ursnif CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0d|serenyefa.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021705; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|1a|becomesthelegislatures.org"; distance:1; within:27; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021706; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_24, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vawtrak/NeverQuest CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php?"; http_uri; content:"/0"; http_uri; content:"=0000"; http_uri; fast_pattern:only; content:"=?"; http_uri; content:!"Referer|3a|"; http_header; content:"Accept"; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; pcre:"/\.php\?[a-z]+=0000[a-fA-F0-9]{4}&[a-z]+=\?[A-F0-9]+&[a-z]=\d{4}&[a-z]=\d{4}$/U"; flowbits:set,ET.Vawtrak; metadata: former_category TROJAN; reference:md5,1b820dda5833f802be829d468884884e; classtype:trojan-activity; sid:2025089; rev:1; metadata:created_at 2015_08_25, updated_at 2017_11_29;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (kb63vhjuk3wh4ex7)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kb63vhjuk3wh4ex7"; nocase; distance:0; fast_pattern; reference:md5,a9f29924410a14dea1eef8d75fed3b39; reference:url,www.malware-traffic-analysis.net/2015/08/24/index2.html; classtype:trojan-activity; sid:2021711; rev:1; metadata:created_at 2015_08_25, updated_at 2015_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Careto Mask DNS Lookup (msupdate.ath.cx)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|msupdate|03|ath|02|cx|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3159; classtype:trojan-activity; sid:2021712; rev:1; metadata:created_at 2015_08_25, updated_at 2015_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Careto Mask DNS Lookup (karpeskmon.dyndns.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|karpeskmon|06|dyndns|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3159; classtype:trojan-activity; sid:2021714; rev:1; metadata:created_at 2015_08_25, updated_at 2015_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Careto Mask DNS Lookup (isaserver.minrex.gov.cu)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|isaserver|06|minrex|03|gov|02|cu|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3159; classtype:trojan-activity; sid:2021715; rev:1; metadata:created_at 2015_08_25, updated_at 2015_08_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102"; flow:to_server,established; dsize:>11; content:"|78 9c|"; offset:9; fast_pattern; byte_jump:4,-10,relative,little,post_offset -10; isdataat:!1,relative; pcre:"/^[\x20-\x7e]{5,}.{8}\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; classtype:trojan-activity; sid:2021716; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_08_25, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c3 f0 c2 3d 49 5e bb 16|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021717; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_25, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Banker.bqba Checkin"; flow:to_server,established; content:".php"; nocase; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MyApp|29 0d 0a|"; fast_pattern:37,8; http_header; content:"windows="; depth:8; http_client_body; content:"&av="; http_client_body; reference:md5,838d43239ba2c28bd968f8a7da64d340; classtype:trojan-activity; sid:2023693; rev:1; metadata:created_at 2015_08_25, updated_at 2017_01_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bedep HTTP POST CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:".php?"; http_uri; fast_pattern:only; content:"PHPSESSID="; http_cookie; pcre:"/(?:[a-z]+=\d{3,4}\x3b\x20){4}/C"; content:"Accept|3a 20|text/html, application/xhtml+xml, */*|0d 0a|"; http_header; pcre:"/\.php(?:\?[a-zA-Z0-9=&]+)?$/U"; pcre:"/^[a-z]+\d*=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})(?:&[a-z]+\d*=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})){2,}$/P"; pcre:"/^(?:Connection\x3a[^\r\n]+\r\n)?(?:Content-Type\x3a[^\r\n]+\r\n)?Accept\x3a[^\r\n]+\r\n(?:Accept-Encoding\x3a[^\r\n]+\r\n)?Accept-Language\x3a[^\r\n]+\r\n(?:Referer\x3a[^\r\n]+\.php[^\r\n]*?\r\n)?User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/Hi"; classtype:trojan-activity; sid:2021718; rev:3; metadata:created_at 2015_08_26, updated_at 2015_08_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN APT Cheshire Cat CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 5.0|3b| Windows NT 4.0|29 0d 0a|"; http_header; fast_pattern:44,20; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021719; rev:1; metadata:created_at 2015_08_26, updated_at 2015_08_26;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|ssldata.ru"; distance:1; within:11; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021720; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_26, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|16|hasselbladolsonson.com"; distance:1; within:23; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021721; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_26, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b6 45 0c e4 b7 4c af d5|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021722; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_26, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN AlphaCrypt CnC Beacon 3"; flow:established,to_server; urilen:>250; content:"GET"; http_method; content:"/r.php?"; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|"; depth:12; http_header; pcre:"/\/r\.php\?[A-F0-9]+=?$/U"; reference:md5,0a4d0e5d0b69560414bbd20127bd8176; classtype:trojan-activity; sid:2021723; rev:4; metadata:created_at 2015_08_27, updated_at 2015_08_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Alphacrypt/TeslaCrypt Ransomware CnC Beacon Response"; flow:established,to_client; file_data; content:"---!!!INSERTED!!!---"; within:20; reference:md5,ee90ec9935c7b8e1a5dad364d4545851; classtype:trojan-activity; sid:2021724; rev:5; metadata:created_at 2015_08_27, updated_at 2015_08_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Joanap CnC Checkin"; flow:to_server,established; content:"|20|"; offset:3; depth:2; content:".ico"; content:"|20|HTTP/1."; distance:0; content:"User-Agent|3a 20|Mozillar"; distance:0; fast_pattern; content:!"Referer|3a|"; reference:url,securelist.com/blog/incidents/73914/operation-blockbuster-revealed/; reference:url,operationblockbuster.com/resources/index.html; classtype:trojan-activity; sid:2021730; rev:2; metadata:created_at 2015_08_31, updated_at 2016_05_27;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b4 ff d7 c2 ee b9 dd f0|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021731; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_31, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d7 5d 30 37 a7 6b 0d 17|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021732; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_31, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|bri-secure.com"; distance:1; within:15; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021733; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_31, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|kingddomdirect.com"; distance:1; within:19; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021734; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_31, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Corebot Checkin"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/6.0)"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"Content-Type|3a|"; http_header; content:"AQAAA"; fast_pattern; depth:5; http_client_body; reference:md5,0f6a9b15bd9fd719bb96491e16eb2f9c; reference:url,securityintelligence.com/watch-out-for-corebot-new-stealer-in-the-wild/; classtype:trojan-activity; sid:2021739; rev:1; metadata:created_at 2015_08_31, updated_at 2015_08_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Corebot Requesting Module"; flow:established,to_server; content:"POST"; http_method; content:".php?"; http_uri; content:"Content-Type|3a 20|text/plain"; http_header; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|15.0) Gecko/20100101 Firefox/15.0.1"; http_header; fast_pattern:59,20; content:!"Accept"; http_header; reference:url,securityintelligence.com/watch-out-for-corebot-new-stealer-in-the-wild/; reference:md5,f7dff17acec6b79f3cdad6259cfb2d2c; classtype:trojan-activity; sid:2021741; rev:1; metadata:created_at 2015_08_31, updated_at 2015_08_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Corebot Module Download"; flow:established,to_server; content:"GET"; http_method; content:".exx"; http_uri; content:!"Content-Type|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|15.0) Gecko/20100101 Firefox/15.0.1"; http_header; fast_pattern:59,20; content:!"Accept"; http_header; pcre:"/\.exx$/U"; reference:url,securityintelligence.com/watch-out-for-corebot-new-stealer-in-the-wild/; reference:md5,f7dff17acec6b79f3cdad6259cfb2d2c; classtype:trojan-activity; sid:2021742; rev:1; metadata:created_at 2015_08_31, updated_at 2015_08_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Reconyc.equo Checkin"; flow:to_server,established; content:"POST"; http_method; content:".php?userid="; http_uri; content:"&mac="; fast_pattern:only; http_uri; content:"&auth="; http_uri; content:!"Referer|3a|"; http_header; reference:md5,32c17edee5b29e41f31eda05e78b2241; classtype:trojan-activity; sid:2021744; rev:2; metadata:created_at 2015_09_04, updated_at 2015_09_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN PredatorPain Keylogger FTP Activity"; flow:established,to_server; dsize:21; content:"USER|20|panzerhund2015|0d 0a|"; fast_pattern:5,14; reference:url,malwareconfig.com/stats/PredatorPain; reference:md5,e5ddca929924e4f34cb18692f09ac424; classtype:trojan-activity; sid:2021745; rev:1; metadata:created_at 2015_09_04, updated_at 2015_09_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Spy/TVRat Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?id="; http_uri; fast_pattern:only; content:"&stat="; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php\?id=\d+&stat=[a-z0-9]{32}(?:&cidl=\d+|&sidl=[\d%:\x20-]+)?$/U"; metadata: former_category TROJAN; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-082915-1318-99; reference:url,damballa.com/tvspy-threat-actor-group-reappears/; classtype:trojan-activity; sid:2021747; rev:9; metadata:created_at 2015_09_04, updated_at 2018_07_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Boaxxe.BR CnC Beacon"; flow:established,to_server; content:"|7c|CM01|7c|CM02|7c|CM03|7c|"; content:!">"; reference:md5,ec38ae7c35be4d7f8103bf1db692d2f8; classtype:trojan-activity; sid:2021748; rev:4; metadata:created_at 2015_09_08, updated_at 2015_09_08;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ef 7e c0 ae 97 cf ff 23|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021750; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d4 45 4d a6 49 0c f1 ed|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021751; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_08, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET !443 (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 103"; flow:established,to_server; dsize:>11; content:"|78 9c|"; offset:9; fast_pattern; byte_jump:4,-10,relative,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x78\x9c/s"; reference:md5,b0c2a5a3cfef4e759979b7d0869b7612; reference:url,researchcenter.paloaltonetworks.com/2015/09/musical-chairs-multi-year-campaign-involving-new-variant-of-gh0st-malware/; classtype:trojan-activity; sid:2021753; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_09_09, malware_family Gh0st, malware_family PCRAT, updated_at 2016_11_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Corebot Module Download 2"; flow:established,to_server; content:"GET"; http_method; content:".dat"; http_uri; content:!"Content-Type|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|15.0) Gecko/20100101 Firefox/15.0.1"; http_header; fast_pattern:59,20; content:!"Accept"; http_header; pcre:"/\.dat$/U"; reference:url,securityintelligence.com/watch-out-for-corebot-new-stealer-in-the-wild/; reference:md5,f32f2209a1986c55750ceb6d8066df9f; classtype:trojan-activity; sid:2021754; rev:1; metadata:created_at 2015_09_09, updated_at 2015_09_09;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|fiopol.xyz"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021767; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|online.creditoc.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021769; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|static.coopsrv.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021770; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 20 1c 21 75 01 8e 93|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021771; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Malicious SSL certificate detected (FindPOS)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 805c 5f ec 50 39 a2 14|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,a586db30ab21a02eee9e8ab2ebe8a2b5; reference:url,blog.team-cymru.org/2015/06/poseidon-and-the-backoff-pos-link/; classtype:trojan-activity; sid:2021772; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN PE EXE or DLL Windows file download Text"; flow:established,from_server; file_data; content:"4D5A"; distance:0; byte_jump:8,114,relative,multiplier 2,little,string,hex; content:"50450000"; distance:-126; within:8; classtype:trojan-activity; sid:2021774; rev:1; metadata:created_at 2015_09_14, updated_at 2015_09_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN AlphaCrypt Connectivity Check 1"; flow:established,to_server; urilen:4; content:"/raw"; http_uri; fast_pattern:only; content:"Mozilla/5.0 (Windows NT 6.1|3b| rv|3a|31.0) Gecko/20100101 Firefox/31.0|0d 0a|"; http_header; pcre:"/^User-Agent\x3a[^\r\n]+\r\nHost\x3a[^\r\n]+[\r\n]*$/H"; reference:md5,d0e3471f4963496cefd73744e98340aa; classtype:trojan-activity; sid:2021775; rev:1; metadata:created_at 2015_09_15, updated_at 2015_09_15;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|stat.coopswiss.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021776; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|online.centersu.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021777; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|menardgevu.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021779; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|menardgevu.com"; distance:1; within:26; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021780; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|feedfeed.name"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021781; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|my.ubscard.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021782; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|disaallowmediapartners.mn"; distance:1; within:26; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021783; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f2 49 34 bb 25 38 61 40|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021784; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_15, updated_at 2016_09_22;)

alert tcp any any -> $HOME_NET 80 (msg:"ET TROJAN SYNful Knock Cisco IOS Router Implant CnC Beacon (INBOUND)"; flow:established,to_server; content:"|00 00 00 00|text|00|"; byte_jump:4,0,relative,post_offset -1; isdataat:!1,relative; reference:url,fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html; classtype:trojan-activity; sid:2021785; rev:2; metadata:created_at 2015_09_15, updated_at 2015_09_15;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Iron Tiger DNSTunnel DNS Lookup (xssok.blogspot.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|xssok|08|blogspot|03|com|00|"; nocase; distance:0; fast_pattern; reference:md5,2c65085e7c71fa2c02c9b65e9b747e5b; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021788; rev:1; metadata:created_at 2015_09_16, updated_at 2015_09_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Iron Tiger DNSTunnel Retrieving CnC"; flow:established,from_server; file_data; content:"$$$$$$$$$$"; fast_pattern; pcre:"/^(?:#+[A-Z]+)?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\${10}/R"; reference:md5,2c65085e7c71fa2c02c9b65e9b747e5b; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021789; rev:1; metadata:created_at 2015_09_16, updated_at 2015_09_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Iron Tiger Backdoor.GCloud CnC Beacon"; flow:established,to_server; content:"/user?pid="; http_uri; fast_pattern:only; content:"&data="; http_uri; content:"User-Agent|3a 20|WinHTTP Example/1.0|0d 0a|"; http_header; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021790; rev:1; metadata:created_at 2015_09_16, updated_at 2015_09_16;)

alert udp $HOME_NET any -> $EXTERNAL_NET !53 (msg:"ET TROJAN PlugX UDP CnC Beacon"; dsize:36; content:"|00 00 50 00 02 00 00 00 00 04 00 00 00 10 00 00 00 00 00 00|"; depth:20; content:!"|00 00|"; within:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:3; within:13; reference:md5,2c65085e7c71fa2c02c9b65e9b747e5b; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021791; rev:1; metadata:created_at 2015_09_16, updated_at 2015_09_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Iron Tiger Gh0ST/PlugX/Various Backdoors DNS Lookup (gameofthrones.ddns.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|gameofthrones|04|ddns|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021792; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_09_16, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Iron Tiger Likely PlugX DNS Lookup (chrome.servehttp.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|chrome|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021793; rev:1; metadata:created_at 2015_09_16, updated_at 2015_09_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Iron Tiger Backdoor.GTalkTrojan DNS Lookup (update.gtalklite.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|update|09|gtalklite|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021794; rev:1; metadata:created_at 2015_09_16, updated_at 2015_09_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Iron Tiger HTTPBrowser DNS Lookup (trendmicro-update.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|trendmicro-update|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021795; rev:1; metadata:created_at 2015_09_16, updated_at 2015_09_16;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET TROJAN Possible Passthru/Kshell Port Redirection Initiation"; flow:to_server,established; dsize:11; content:"chkroot2007"; fast_pattern:only; reference:md5,f7146691adea573548fa040fb182f4fe; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021796; rev:1; metadata:created_at 2015_09_16, updated_at 2015_09_16;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|nntpdinfo.pw"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021797; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|reportingdelivery.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021798; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|localinstanse.net"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021799; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_17, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Spy.Odlanor CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php?m="; http_uri; content:"&v="; http_uri; distance:0; content:"&os="; http_uri; distance:0; content:"&c="; http_uri; distance:0; content:"&u="; http_uri; distance:0; pcre:"/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/Pi"; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,ce19c30ffda76cd63a88eeb8af0340f0; reference:url,welivesecurity.com/2015/09/17/the-trojan-games-odlanor-malware-cheats-at-poker/; classtype:trojan-activity; sid:2021800; rev:1; metadata:created_at 2015_09_18, updated_at 2015_09_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|healthweather.name"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021801; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f0 83 4c 61 ec 09 e6 03|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021802; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d3 1b a5 8f 1d d7 30 48|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021803; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f1 03 f7 ce 62 9d fb 5a|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021804; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Rovnix CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|cherniypoyas.ru"; distance:1; within:16; reference:md5,080db9578ea797cd231bc1160d3824f1; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021805; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_21, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN XCodeGhost DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|init|0f|icloud-analysis|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store; classtype:trojan-activity; sid:2021806; rev:1; metadata:created_at 2015_09_21, updated_at 2015_09_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN XCodeGhost DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|init|12|icloud-diagnostics|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store; classtype:trojan-activity; sid:2021807; rev:1; metadata:created_at 2015_09_21, updated_at 2015_09_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN XCodeGhost DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|init|0f|crash-analytics|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store; classtype:trojan-activity; sid:2021808; rev:1; metadata:created_at 2015_09_21, updated_at 2015_09_21;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|sslsecureserver.eu"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021809; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|uplinkadv.eu"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021810; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_21, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ursnif Variant CnC Beacon 2"; flow:established,to_server; content:"GET"; http_method; content:"/upx/"; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/"; depth:20; http_header; pcre:"/\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/\x20]{2}==|[A-Za-z0-9+/\x20]{3}=|[A-Za-z0-9+/\x20]{4})$/U"; reference:md5,f48f626cf746a2c3c73182c752c481b6; reference:md5,8ab21ac9199d3ced2230924b90f49f0d; classtype:trojan-activity; sid:2021812; rev:1; metadata:created_at 2015_09_22, updated_at 2015_09_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ursnif Variant CnC Beacon"; flow:established,to_server; urilen:>125; content:"GET"; http_method; content:"/images/"; http_uri; fast_pattern; content:".gif"; distance:100; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/images(?:\/[a-zA-Z0-9_]+)+\.gif$/U"; pcre:"/^User-Agent\x3a\x20(?:Mozilla\/|Shockwave)/Hmi"; reference:md5,f48f626cf746a2c3c73182c752c481b6; reference:md5,8ab21ac9199d3ced2230924b90f49f0d; classtype:trojan-activity; sid:2021813; rev:4; metadata:created_at 2015_09_22, updated_at 2015_09_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ursnif Variant CnC Beacon 3"; flow:established,to_server; content:"GET"; http_method; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"|20 7c 20 22|0x"; http_client_body; fast_pattern; content:"_"; distance:0; http_client_body; content:"|22 20 7c 20|"; distance:0; http_client_body; content:"User-Agent|3a 20|Mozilla/"; depth:20; http_header; reference:md5,f48f626cf746a2c3c73182c752c481b6; reference:md5,8ab21ac9199d3ced2230924b90f49f0d; classtype:trojan-activity; sid:2021814; rev:1; metadata:created_at 2015_09_22, updated_at 2015_09_22;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|55 1d 11|"; content:"|10|blatnoidomen.com"; distance:5; within:22; fast_pattern; reference:url,sslbl.abuse.ch; reference:md5,8217cc4fc3d5781206becbef148154ea; classtype:trojan-activity; sid:2021815; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fc 56 1e 02 6c d4 e2 22|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; reference:md5,e448572aea062241c80dd2a15562e968; classtype:trojan-activity; sid:2021816; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|www.fortamola.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021817; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|business--testing.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021818; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 96 99 38 87 d8 6a ee a7|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; reference:md5,ead31d4cbbd79466359d46694a9d56d3; classtype:trojan-activity; sid:2021819; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_23, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN XcodeGhost CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"Host|3a 20|init.icloud-analysis.com|0d 0a|"; http_header; fast_pattern:6,20; reference:url,github.com/XcodeGhostSource/XcodeGhost; classtype:trojan-activity; sid:2021822; rev:1; metadata:created_at 2015_09_23, updated_at 2015_09_23;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 82 a8 3c 4c d7 28 96 34|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021824; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|e-securepass.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021825; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|1a|contactexchangenetwork.biz"; distance:1; within:27; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021826; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|cserhtmlordi.net"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021827; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e8 06 34 93 99 f8 54 f2|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0b|Companyname"; distance:1; within:12; reference:md5,c7872508eededb17cf864886270fd3e9; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021828; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_23, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ursnif Variant CnC Beacon 4"; flow:established,to_server; urilen:>125; content:"GET"; http_method; content:"."; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1)|0d 0a|Host|3a 20|"; depth:70; http_header; fast_pattern:48,20; content:"Connection|3a 20|Keep-Alive|0d 0a|"; distance:0; http_header; pcre:"/\.(?:gif|bmp|jpeg|png)$/U"; pcre:"/\r\nHost\x3a[^\r\n]+\r\n(?:Content-Length\x3a\x20\d+\r\n)?Connection\x3a\x20Keep-Alive\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/H"; reference:md5,f870c0d62691fc39194922e4a59fdc1c; classtype:trojan-activity; sid:2021829; rev:1; metadata:created_at 2015_09_23, updated_at 2015_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ursnif Variant CnC Data Exfil"; flow:established,to_server; urilen:>125; content:"POST"; http_method; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"name=|22|upload_file|22 3b 20|filename=|22|"; http_client_body; fast_pattern; content:".bin|22 0d 0a|"; distance:4; within:7; http_client_body; pcre:"/\.[a-z]{3,4}$/U"; reference:md5,f870c0d62691fc39194922e4a59fdc1c; classtype:trojan-activity; sid:2021830; rev:2; metadata:created_at 2015_09_23, updated_at 2015_09_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Naikon DNS Lookup (greensky27.vicp.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|greensky27|04|vicp|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,threatconnect.com/camerashy-resources/; classtype:trojan-activity; sid:2021831; rev:1; metadata:created_at 2015_09_24, updated_at 2015_09_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN XcodeGhost CnC M2"; flow:established,to_server; content:"POST"; http_method; content:"|00 00 01|"; http_client_body; content:"|00 65 00 0a 95 3a 10 8a 09 25 4e d7 94 5e e9 70 59 e2 95 79|"; http_client_body; distance:1; within:20; classtype:trojan-activity; sid:2021832; rev:1; metadata:created_at 2015_09_24, updated_at 2015_09_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN r0 CnC Check"; flow:to_server,established; urilen:6; content:"POST"; http_method; content:"/check"; http_uri; fast_pattern; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http_header; content:"Expect|3a 20|100-continue"; http_header; content:!"Referer|3a|"; http_header; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:trojan-activity; sid:2021833; rev:1; metadata:created_at 2015_09_25, updated_at 2015_09_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN r0 CnC Architecture POST 1"; flow:to_server,established; content:"POST"; http_method; content:"/i686?ver="; http_uri; depth:10; fast_pattern; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http_header; content:"Expect|3a 20|100-continue"; http_header; content:!"Referer|3a|"; http_header; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:trojan-activity; sid:2021834; rev:1; metadata:created_at 2015_09_25, updated_at 2015_09_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN r0 CnC Architecture POST 2"; flow:to_server,established; content:"POST"; http_method; content:"/mips?ver="; http_uri; depth:10; fast_pattern; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http_header; content:"Expect|3a 20|100-continue"; http_header; content:!"Referer|3a|"; http_header; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:trojan-activity; sid:2021835; rev:1; metadata:created_at 2015_09_25, updated_at 2015_09_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN r0 CnC Architecture POST 3"; flow:to_server,established; content:"POST"; http_method; content:"/armel?ver="; http_uri; depth:11; fast_pattern; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http_header; content:"Expect|3a 20|100-continue"; http_header; content:!"Referer|3a|"; http_header; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:trojan-activity; sid:2021836; rev:1; metadata:created_at 2015_09_25, updated_at 2015_09_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN r0 CnC Architecture POST 4"; flow:to_server,established; content:"POST"; http_method; content:"/mipsel?ver="; http_uri; depth:12; fast_pattern; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http_header; content:"Expect|3a 20|100-continue"; http_header; content:!"Referer|3a|"; http_header; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:trojan-activity; sid:2021837; rev:1; metadata:created_at 2015_09_25, updated_at 2015_09_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN r0 CnC Report POST"; flow:to_server,established; content:"POST"; http_method; content:"/srv_report?ver="; http_uri; depth:16; fast_pattern; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http_header; content:"Expect|3a 20|100-continue"; http_header; content:!"Referer|3a|"; http_header; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:trojan-activity; sid:2021838; rev:1; metadata:created_at 2015_09_25, updated_at 2015_09_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN r0 CnC POST"; flow:to_server,established; urilen:13; content:"POST"; http_method; content:"/r0/index.php"; http_uri; fast_pattern; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http_header; content:"Expect|3a 20|100-continue"; http_header; content:!"Referer|3a|"; http_header; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:trojan-activity; sid:2021839; rev:1; metadata:created_at 2015_09_25, updated_at 2015_09_25;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0f|adtejoyo1377.tk"; distance:1; within:17; reference:md5,b40fc2d1f343affad7bc02ae9b37cd89; classtype:trojan-activity; sid:2021842; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|00 b1 f4 fe 4c 79 ed e9 98|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,bfd8db9ed284deb64c9e4fc5bfa758bd; reference:url,www.csis.dk/da/csis/news/4726/; classtype:trojan-activity; sid:2021843; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|00 9e 0c 1c 4c 8a d4 41 f7|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,bfd8db9ed284deb64c9e4fc5bfa758bd; reference:url,www.csis.dk/da/csis/news/4726/; classtype:trojan-activity; sid:2021844; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|usercheck.net"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021845; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_28, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|h36fhvsupe4mi7mm"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2021849; rev:1; metadata:created_at 2015_09_30, updated_at 2015_09_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|7vhbukzxypxh3xfy"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2021850; rev:1; metadata:created_at 2015_09_30, updated_at 2015_09_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ransomware Win32/WinPlock.A CnC Beacon 1"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"P"; depth:1; nocase; http_client_body; content:"myPath = "; nocase; http_client_body; content:"iFold = "; nocase; http_client_body; content:"wallPath = "; nocase; http_client_body; fast_pattern:only; content:"listPath = "; nocase; http_client_body; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:trojan-activity; sid:2021851; rev:3; metadata:created_at 2015_09_30, updated_at 2015_09_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ransomware Win32/WinPlock.A CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"M FSO object created|0d 0a|"; http_client_body; reference:md5,b8a1012e3afc6eabb7819ce4d8e2b93b; classtype:trojan-activity; sid:2021852; rev:3; metadata:created_at 2015_09_30, updated_at 2015_09_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ransomware Win32/WinPlock.A Successfully Installed CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"M STATE|3a 20|INSTALL|0d 0a|"; http_client_body; reference:md5,b8a1012e3afc6eabb7819ce4d8e2b93b; classtype:trojan-activity; sid:2021853; rev:2; metadata:created_at 2015_09_30, updated_at 2015_09_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ransomware Win32/WinPlock.A CnC Beacon 3"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:!"Referer|3a|"; http_header; content:"unit_action="; depth:12; http_client_body; fast_pattern; reference:md5,b8a1012e3afc6eabb7819ce4d8e2b93b; classtype:trojan-activity; sid:2021854; rev:3; metadata:created_at 2015_09_30, updated_at 2015_09_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ransomware Win32/WinPlock.A CnC Beacon 4"; flow:established,to_server; content:"POST"; http_method; content:".php?rnd="; http_uri; content:!"Referer|3a|"; http_header; content:"P"; depth:1; http_client_body; pcre:"/^P\d+\x20/P"; content:"M Created wallet - "; nocase; http_client_body; fast_pattern:only; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:trojan-activity; sid:2021855; rev:1; metadata:created_at 2015_09_30, updated_at 2015_09_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ransomware Win32/WinPlock.A CnC Beacon 5"; flow:established,to_server; content:"POST"; http_method; content:".php?rnd="; http_uri; content:!"Referer|3a|"; http_header; content:"P"; depth:1; http_client_body; pcre:"/^P\d+\x20/P"; content:"M RecursiveFileSearch"; nocase; http_client_body; fast_pattern:only; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:trojan-activity; sid:2021856; rev:1; metadata:created_at 2015_09_30, updated_at 2015_09_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ransomware Win32/WinPlock.A CnC Beacon 6"; flow:established,to_server; content:"POST"; http_method; content:".php?rnd="; http_uri; content:!"Referer|3a|"; http_header; content:"P"; depth:1; http_client_body; pcre:"/^P\d+\x20/P"; content:"M Scan folder|3a 20|"; nocase; http_client_body; fast_pattern:only; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:trojan-activity; sid:2021857; rev:1; metadata:created_at 2015_09_30, updated_at 2015_09_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ransomware Win32/WinPlock.A CnC Beacon 7"; flow:established,to_server; content:"POST"; http_method; content:".php?rnd="; http_uri; content:!"Referer|3a|"; http_header; content:"P"; depth:1; http_client_body; pcre:"/^P\d+\x20/P"; content:"M Saved cryptor key - "; nocase; http_client_body; fast_pattern:only; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:trojan-activity; sid:2021858; rev:1; metadata:created_at 2015_09_30, updated_at 2015_09_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ransomware Win32/WinPlock.A CnC Beacon 8"; flow:established,to_server; content:"POST"; http_method; content:".php?rnd="; http_uri; content:!"Referer|3a|"; http_header; content:"P"; depth:1; http_client_body; pcre:"/^P\d+\x20/P"; content:"|29 20|Encrypt|20|"; nocase; http_client_body; fast_pattern:only; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:trojan-activity; sid:2021859; rev:1; metadata:created_at 2015_09_30, updated_at 2015_09_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ransomware Win32/WinPlock.A CnC Beacon 9"; flow:established,to_server; content:"POST"; http_method; content:".php?rnd="; http_uri; content:!"Referer|3a|"; http_header; content:"P"; depth:1; http_client_body; pcre:"/^P\d+\x20/P"; content:"M Files encrypted,"; nocase; http_client_body; fast_pattern:only; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:trojan-activity; sid:2021860; rev:1; metadata:created_at 2015_09_30, updated_at 2015_09_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ransomware Win32/WinPlock.A CnC Beacon 10"; flow:established,to_server; content:"POST"; http_method; content:".php?rnd="; http_uri; content:!"Referer|3a|"; http_header; content:"P"; depth:1; http_client_body; pcre:"/^P\d+\x20/P"; content:"M STATE|3a 20|CRYPTED_"; nocase; http_client_body; fast_pattern:only; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:trojan-activity; sid:2021861; rev:1; metadata:created_at 2015_09_30, updated_at 2015_09_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ransomware Win32/WinPlock.A CnC Beacon 11"; flow:established,to_server; content:"POST"; http_method; content:".php?rnd="; http_uri; content:!"Referer|3a|"; http_header; content:"P"; depth:1; http_client_body; pcre:"/^P\d+\x20/P"; content:"M Free disk space|3a 20|"; nocase; http_client_body; fast_pattern:only; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:trojan-activity; sid:2021862; rev:1; metadata:created_at 2015_09_30, updated_at 2015_09_30;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 86 21 67 18 96 8a 67 e1|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,4568bc3e9c1a24ba792666ad1c620560; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021863; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 fa 10 e1 67 c6 9a 67 1b|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:md5,c55a60bb04a449eb8bc182f52124c341; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021864; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|legallyjumps.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021865; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|inbancosistems.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021866; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Winlock/Torrentlocker SSL Cert"; flow:from_server,established; content:"|09 00 d5 f9 a6 1a fa 1e 76 c6|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,0453512c8c3bb940e8c40833d1076353; reference:url,www.csis.dk/da/csis/news/4726/; classtype:trojan-activity; sid:2021867; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Winlock/Torrentlocker SSL Cert"; flow:from_server,established; content:"|09 00 eb 96 25 e5 32 57 ee 34|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,77ebe2b014baf75e45c3009b0d42fa5d; reference:url,www.csis.dk/da/csis/news/4726/; classtype:trojan-activity; sid:2021868; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Winlock/Torrentlocker SSL Cert"; flow:from_server,established; content:"|09 00 d3 1b a5 8f 1d d7 30 48|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,eeda4fa2b6f054acfce0dbc25493c366; reference:url,www.csis.dk/da/csis/news/4726/; classtype:trojan-activity; sid:2021869; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Hawkeye Keylogger SMTP Beacon"; flow:established,to_server; content:"Subject|3a 20|"; content:"SGF3a0V5ZSBLZXlsb2dnZXIg"; within:45; reference:md5,dfc2c23663122ac9fc25b708f278c147; classtype:trojan-activity; sid:2021871; rev:2; metadata:created_at 2015_09_30, updated_at 2015_09_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/dtool IRC Command (HTTPFLOOD)"; flow:established,from_server; content:"PRIVMSG"; content:"{HTTPFLOOD}"; fast_pattern; nocase; content:"Started consuming data from host"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021872; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/dtool IRC Command (TCPFLOOD)"; flow:established,from_server; content:"PRIVMSG"; content:"{TCPFLOOD}"; fast_pattern; nocase; content:"Started sending tcp data to host"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021873; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/dtool IRC Command (UDPFLOOD)"; flow:established,from_server; content:"PRIVMSG"; content:"{UDPFLOOD}"; fast_pattern; nocase; content:"Started sending udp data to host"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021874; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/dtool IRC Command (AUTH)"; flow:established,from_server; content:"PRIVMSG"; content:"] {AUTH} User"; fast_pattern; distance:0; nocase; content:"logged "; distance:0; pcre:"/^(?:in|out)/R"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021875; rev:5; metadata:created_at 2015_10_01, updated_at 2015_10_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/dtool IRC Command (RAW)"; flow:established,from_server; content:"PRIVMSG"; content:"{RAW}"; fast_pattern; nocase; content:"Executing command|3a|"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021876; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/dtool IRC Command (EXEC)"; flow:established,from_server; content:"PRIVMSG"; content:"{EXEC}"; fast_pattern; nocase; content:"Executing command|3a|"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021877; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/dtool IRC Command (CHSERVER)"; flow:established,from_server; content:"PRIVMSG"; content:"{CHSERVER}"; fast_pattern; nocase; content:"Changing server|3a|"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021878; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/dtool IRC Command (STOP)"; flow:established,from_server; content:"PRIVMSG"; content:"{STOP} Stop command ->"; fast_pattern:only; nocase; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021879; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/dtool IRC Command (RESTART)"; flow:established,from_server; content:"PRIVMSG"; content:"{RESTART}"; fast_pattern; nocase; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021880; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/dtool IRC Command Complete 1"; flow:established,from_server; content:"PRIVMSG"; content:"] Process finished => Total bytes read|3a|"; fast_pattern; nocase; content:"Total bytes sent|3a|"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021881; rev:4; metadata:created_at 2015_10_01, updated_at 2015_10_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/dtool IRC Command Complete 2"; flow:established,from_server; content:"PRIVMSG"; content:"Total connections completed|3a|"; fast_pattern; nocase; content:"Total connections failed|3a|"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021882; rev:4; metadata:created_at 2015_10_01, updated_at 2015_10_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/dtool IRC Command Complete 3"; flow:established,from_server; content:"PRIVMSG"; content:" MB|2c| Average speed|3a|"; fast_pattern; nocase; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021883; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|protecteding.su"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021884; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|convertcodenj.net"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021885; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 a2 62 91 f3 d9 eb d2 e8|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021887; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 ba bc c3 80 e0 57 54 de|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021888; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_01, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Java/QRat Retrieving PE"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"Host|3a 20|www.quaverse.com|0d 0a|"; depth:24; http_header; fast_pattern; pcre:"/\.exe$/U"; metadata: former_category TROJAN; reference:md5,ccdffdc551b36980b7cd04e33d5fb100; classtype:trojan-activity; sid:2021889; rev:1; metadata:created_at 2015_10_01, malware_family QRat, updated_at 2018_03_06;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Winlock/Torrentlocker SSL Cert"; flow:from_server,established; content:"|09 00 dc 1a a4 07 08 2a 43 10|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,eeda4fa2b6f054acfce0dbc25493c366; reference:url,www.csis.dk/da/csis/news/4726/; classtype:trojan-activity; sid:2021894; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c3 10 44 fc ef 4e 6d 2a|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021895; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 dc 1a a4 07 08 2a 43 10|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021896; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 d3 01 2a 97 16 3f bd a5|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021897; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|bannerexchangenet.pw"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021898; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 95 51 3e 68 35 08 62 53|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021902; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_05, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c6 4e a8 c7 a0 db 38 64|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021903; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_05, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|8192bitssl.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021904; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_05, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 d3 01 80 9e 81 6b f8 7c|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021909; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|1networkgate.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021910; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|golantus.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021911; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_06, updated_at 2016_07_01;)

alert tcp any any -> any any (msg:"ET TROJAN ELF/muBoT IRC Activity 1"; flow:established,from_server; content:"NOTICE"; content:"|3a|muBoT|20|Priv|20|Version"; fast_pattern; distance:0; reference:url,pastebin.com/EH1SH9aL; classtype:trojan-activity; sid:2021912; rev:1; metadata:created_at 2015_10_06, updated_at 2015_10_06;)

alert tcp any any -> any any (msg:"ET TROJAN ELF/muBoT IRC Activity 2"; flow:established,from_server; content:"NOTICE"; content:"|3a|muBoT|20|says|20|"; fast_pattern; distance:0; reference:url,pastebin.com/EH1SH9aL; classtype:trojan-activity; sid:2021913; rev:1; metadata:created_at 2015_10_06, updated_at 2015_10_06;)

alert tcp any any -> any any (msg:"ET TROJAN ELF/muBoT IRC Activity 3"; flow:established,from_server; content:"NOTICE"; content:"|3a|[Apache / PHP 5.x"; fast_pattern; distance:0; reference:url,pastebin.com/EH1SH9aL; classtype:trojan-activity; sid:2021914; rev:1; metadata:created_at 2015_10_06, updated_at 2015_10_06;)

alert tcp any any -> any any (msg:"ET TROJAN ELF/muBoT IRC Activity 4"; flow:established,from_server; content:"NOTICE"; content:"FLOOD <target> <port> <secs>"; fast_pattern; distance:0; reference:url,pastebin.com/EH1SH9aL; classtype:trojan-activity; sid:2021915; rev:1; metadata:created_at 2015_10_06, updated_at 2015_10_06;)

alert tcp any any -> any any (msg:"ET TROJAN ELF/muBoT IRC Activity 5"; flow:established,from_server; content:"NOTICE"; content:"|3a|Flooding with TCP"; fast_pattern; distance:0; reference:url,pastebin.com/EH1SH9aL; classtype:trojan-activity; sid:2021916; rev:1; metadata:created_at 2015_10_06, updated_at 2015_10_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ELF/muBoT User-Agent (I'm a mu mu mu ?)"; flow:established,to_server; content:"User-Agent|3a 20|I|27|m a mu mu mu|20 3f|"; fast_pattern:8,20; http_header; reference:url,pastebin.com/EH1SH9aL; classtype:trojan-activity; sid:2021917; rev:1; metadata:created_at 2015_10_06, updated_at 2015_10_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DustySky CnC Beacon"; flow:established,to_server; content:".php?"; http_uri; content:"Pn="; nocase; distance:0; http_uri; fast_pattern; content:"&ID="; nocase; http_uri; content:"&o="; http_uri; content:"&av="; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,07fd870e4ea8dd6b9503a956b5bb47f3; classtype:trojan-activity; sid:2021919; rev:4; metadata:created_at 2015_10_06, updated_at 2015_10_06;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 f7 36 c4 05 31 ea 21 d3|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021920; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 88 f8 8a 58 16 c2 f5 89|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021921; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_06, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN StartPage Userclass HTTP Request"; flow:established,to_server; urilen:10; content:"/Userclass"; fast_pattern:only; http_uri; content:!"Accept"; http_header; content:!"User-Agent|3a|"; http_header; content:!"Referer"; http_header; reference:md5,92ecb8cedb226a27e354b45a56f0353f; classtype:trojan-activity; sid:2021922; rev:1; metadata:created_at 2015_10_07, updated_at 2015_10_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Neshta.A Posting Data"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Content-Type|3a| multipart/form-data|3b| boundary="; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; content:!"Accept|3a|"; nocase; http_header; content:"name=|22|file|22 3b 20|filename=|22|Browser"; http_client_body; fast_pattern:10,20; reference:md5,e93e5af213707ef1888784fa1e709004; classtype:trojan-activity; sid:2021923; rev:2; metadata:created_at 2015_10_07, updated_at 2015_10_07;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|fidobeta.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021924; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|makaronypolskie.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021925; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|crenuva.net"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021926; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_07, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"ET TROJAN MSIL/Banker.M Requesting Binary from SQL"; flow:established,to_server; content:"S|00|E|00|L|00|E|00|C|00|T|00 20 00|i|00|m|00|g"; content:"F|00|R|00|O|00|M|00 20 00|d|00|b|00|o|00 2e 00|n|00|o|00|v|00|o|00|s|00|l|00|o|00|a|00|d|00 20 00|"; distance:0; reference:md5,54618b126c69b2f0a3309b7c0ac5ae26; reference:url,blogs.mcafee.com/mcafee-labs/brazilian-banking-malware-hides-in-sql-database/; classtype:trojan-activity; sid:2021930; rev:1; metadata:created_at 2015_10_07, updated_at 2015_10_07;)

alert tcp $EXTERNAL_NET 1433 -> $HOME_NET any (msg:"ET TROJAN MSIL/Banker.M Downloading Binary from SQL"; flow:established,to_client; content:"|03 00|d|00|b|00|o|00 09 00|n|00|o|00|v|00|o|00|s|00|l|00|o|00|a|00|d|00 03|i|00|m|00|g"; fast_pattern:14,20; content:"This program cannot be run"; distance:0; reference:md5,54618b126c69b2f0a3309b7c0ac5ae26; reference:url,blogs.mcafee.com/mcafee-labs/brazilian-banking-malware-hides-in-sql-database/; classtype:trojan-activity; sid:2021931; rev:1; metadata:created_at 2015_10_07, updated_at 2015_10_07;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible PlugX DNS Lookup (googlemanage.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|googlemanage|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,volexity.com/blog/?p=179; classtype:trojan-activity; sid:2021935; rev:1; metadata:created_at 2015_10_08, updated_at 2015_10_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible PlugX DNS Lookup (operaa.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|operaa|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,volexity.com/blog/?p=179; classtype:trojan-activity; sid:2021936; rev:1; metadata:created_at 2015_10_08, updated_at 2015_10_08;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|httpsvalidator.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021937; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|06|Denial"; distance:1; within:7; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0b|Springfield"; distance:1; within:12; content:"|55 04 0a|"; distance:0; content:"|03|Dis"; distance:1; within:4; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021938; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|1gateway.net"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021940; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_09, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|1networkpoint.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021945; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_12, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Dridex SSL Cert Oct 12 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|AU|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; classtype:trojan-activity; sid:2021946; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_12, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET TROJAN Win32/Kelihos.F Checkin"; flow:to_server,established; dsize:164; content:"|6c 55 55 45 03 10 48 40|"; offset:4; depth:8; reference:md5,dc226166dfbe28eee2576ea5141bc19d; reference:md5,dadee91e0b82fc91a25a66b61bb2f2dc; classtype:trojan-activity; sid:2021947; rev:3; metadata:created_at 2015_10_12, updated_at 2015_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"ET TROJAN MAGICHOUND.MPK Activity via IRC"; flow:established,to_server; content:"PRIVMSG mpk|20 3a|"; content:"!MpkPing|20|<<mpk>>"; fast_pattern; distance:0; pcre:"/^\d{5}/R"; content:"<<mpk>>|20|<<mpk>>"; distance:0; pcre:"/^\d/R"; content:"<<mpk>>"; distance:0; reference:md5,ece5b62a4ed4e88dab4f1b5451f54794; classtype:trojan-activity; sid:2023940; rev:2; metadata:cve url_researchcenter_paloaltonetworks_com_2017_02_unit42_magic_hound_campaign_attacks_saudi_targets_, created_at 2015_10_14, updated_at 2017_02_16;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 c5 52 94 88 a7 4d 68 f4|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021950; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_14, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN JS/Nemucod.M.gen requesting EXE payload 2015-10-07"; flow:to_server,established; content:"GET"; http_method; content:".php?"; http_uri; nocase; content:"key="; http_uri; nocase; distance:0; fast_pattern; content:!"pdf="; http_uri; nocase; content:!"Referer|3a| "; nocase; http_header; pcre:"/\/get(?:_new)?\.php\?[a-zA-Z]{4,}=0\.[0-9]{10,}&key=[a-zA-Z0-9]{4,}$/U"; flowbits:set,ET.nemucod.exerequest; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,0bc86ab7ead67e264531ccb16c3c529a; classtype:trojan-activity; sid:2021952; rev:1; metadata:created_at 2015_10_15, updated_at 2015_10_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN JS/Nemucod.M.gen requesting PDF payload 2015-10-07"; flow:to_server,established; content:"GET"; http_method; content:".php?"; http_uri; nocase; content:"key="; http_uri; nocase; distance:0; fast_pattern; content:"pdf="; http_uri; nocase; distance:0; content:!"Referer|3a| "; nocase; http_header; pcre:"/\/get(?:_new)?\.php\?[a-zA-Z]{4,}=0\.[0-9]{10,}&key=[a-zA-Z0-9]{4,}&pdf=[a-zA-Z]{4,}$/U"; flowbits:set,ET.nemucod.pdfrequest; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,0bc86ab7ead67e264531ccb16c3c529a; classtype:trojan-activity; sid:2021953; rev:1; metadata:created_at 2015_10_15, updated_at 2015_10_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN JS/Nemucod.M.gen downloading EXE payload"; flow:from_server,established; flowbits:isset,ET.nemucod.exerequest; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,0bc86ab7ead67e264531ccb16c3c529a; classtype:trojan-activity; sid:2021954; rev:1; metadata:created_at 2015_10_15, updated_at 2015_10_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN JS/Nemucod.M.gen downloading PDF payload"; flow:from_server,established; flowbits:isset,ET.nemucod.pdfrequest; file_data; content:"%PDF-"; within:5; fast_pattern; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,0bc86ab7ead67e264531ccb16c3c529a; classtype:trojan-activity; sid:2021955; rev:1; metadata:created_at 2015_10_15, updated_at 2015_10_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Nemucod Downloading Payload 2"; flow:established,to_server; content:"GET"; http_method; content:"/document.php?rnd="; depth:18; http_uri; fast_pattern; content:"&id="; http_uri; distance:0; content:!"Referer|3a|"; http_header; pcre:"/^\/document\.php\?rnd=[0-9]{4}&id=[A-F0-9]{100,}$/Ui"; reference:url,trendmicro.com/vinfo/us/threat-encyclopedia/malware/js_nemucod.hqk; classtype:trojan-activity; sid:2021956; rev:2; metadata:created_at 2015_10_15, updated_at 2015_10_15;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 d3 0f 9b a5 56 a0 f7 57|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021957; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_16, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 db d0 33 6a 28 4f 39 2c|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021958; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_16, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|best-apps.name"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021959; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_16, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN PlugX or EvilGrab DNS Lookup (websecexp.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|websecexp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,asert.arbornetworks.com/defending-the-white-elephant/; classtype:trojan-activity; sid:2021960; rev:1; metadata:created_at 2015_10_16, updated_at 2015_10_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN PlugX or EvilGrab DNS Lookup (appeur.gnway.cc)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|appeur|05|gnway|02|cc|00|"; nocase; distance:0; fast_pattern; reference:url,asert.arbornetworks.com/defending-the-white-elephant/; classtype:trojan-activity; sid:2021961; rev:1; metadata:created_at 2015_10_16, updated_at 2015_10_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN PlugX DNS Lookup (mailsecurityservice.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|mailsecurityservice|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2015/10/targeted-attacks-ngo-burma/; classtype:trojan-activity; sid:2021962; rev:1; metadata:created_at 2015_10_16, updated_at 2015_10_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN NetWire Variant - Client Hello"; flow:established,to_server; flowbits:set,ET.NetWire; flowbits:noalert; content:"|01 00 00 00 00|"; depth:5; dsize:6; reference:url,researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic; reference:url,www.circl.lu/pub/tr-23; classtype:trojan-activity; sid:2021976; rev:2; metadata:created_at 2015_10_20, updated_at 2016_08_30;)

alert tcp [$EXTERNAL_NET,!199.30.201.192/29] any -> $HOME_NET any (msg:"ET TROJAN NetWire / Ozone / Darktrack Alien RAT - Server Hello"; flow:established,to_client; flowbits:isset,ET.NetWire; content:"|01 00 00 00 00|"; depth:5; dsize:6; metadata: former_category TROJAN; reference:url,researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic; reference:url,www.circl.lu/pub/tr-23; classtype:trojan-activity; sid:2021977; rev:6; metadata:created_at 2015_10_20, updated_at 2017_08_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET TROJAN NetWire / Ozone / Darktrack Alien RAT - Client KeepAlive"; flow:established,to_server; flowbits:isset,ET.NetWire; content:"|01 00 00 00 00|"; depth:5; dsize:6; reference:url,researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic; reference:url,www.circl.lu/pub/tr-23; classtype:trojan-activity; sid:2021978; rev:7; metadata:created_at 2015_10_20, updated_at 2016_08_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN NetWire Variant - Server Directory Listing Request"; flow:established,to_client; flowbits:isset,ET.NetWire; content:"|01|"; depth:1; content:"|00 00 00 06 43 3A|"; distance:1; within:6; reference:url,researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic; reference:url,www.circl.lu/pub/tr-23; classtype:trojan-activity; sid:2021979; rev:2; metadata:created_at 2015_10_20, updated_at 2015_10_20;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|UK|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; classtype:trojan-activity; sid:2021980; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|fat.uk-fags.top"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021981; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Retefe CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|07|default"; distance:1; within:8; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|14|support@vpn-core.net"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021982; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_20, malware_family Banking_Trojan, malware_family Retefe, updated_at 2017_01_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|FR|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021993; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|09|volha.xyz"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021994; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_23, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Necurs Common POST Header Structure"; flow:established,to_server; content:"POST"; http_method; urilen:10<>20; content:".php"; http_uri; fast_pattern:only; content:!"NSIS|5f|Inetc |28|Mozilla|29|"; http_header; content:!"Accept|3a|"; http_header; content:!"Referer|3a|"; http_header; pcre:"/Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a\x20[12]?\d\d\r\nConnection\x3a\x20Keep-Alive\r\n(?:Pragma|Cache-Control)\x3a\x20no-cache\r\n(?:\r\n)?$/H"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; reference:md5,d11a453d4de6e6fd991967d67947c0d7; classtype:trojan-activity; sid:2021995; rev:3; metadata:created_at 2015_10_23, updated_at 2015_10_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.DarkComet Screenshot Upload Successful"; flow:established,to_server; dsize:7; content:"ENDSNAP"; reference:md5,38abba51bdf98347fc4f91642b21b041; classtype:trojan-activity; sid:2021996; rev:1; metadata:created_at 2015_10_23, updated_at 2015_10_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Duuzer Checkin"; flow:established,to_server; content:"|32 a3 56 bb 47 4f 32 00|"; depth:8; fast_pattern; content:"|30 b9 00 00|"; distance:3; within:4; reference:url,symantec.com/connect/blogs/duuzer-back-door-trojan-targets-south-korea-take-over-computers; reference:md5,cd7a72be9c16c2ece1140bc461d6226d; classtype:trojan-activity; sid:2022000; rev:1; metadata:created_at 2015_10_26, updated_at 2015_10_26;)

alert tcp any any -> any any (msg:"ET TROJAN LuminosityLink - Data Channel Client Request"; flow:established,to_server; content:"NO|7C|CRYPTDESK*"; depth:13; classtype:trojan-activity; sid:2022002; rev:1; metadata:created_at 2015_10_26, updated_at 2015_10_26;)

alert tcp any any -> any any (msg:"ET TROJAN LuminosityLink - Data Channel Server Response"; flow:established,to_client; content:"GO8_=_8"; dsize:7; classtype:trojan-activity; sid:2022003; rev:1; metadata:created_at 2015_10_26, updated_at 2015_10_26;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|LU|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022004; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_27, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN LummoX Keylogger Report SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a| LummoX Logger"; fast_pattern; nocase; classtype:trojan-activity; sid:2022005; rev:1; metadata:created_at 2015_10_27, updated_at 2015_10_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Agent Tesla Keylogger Report SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a| "; nocase; content:"|5b|Agent Tesla"; fast_pattern; nocase; metadata: former_category TROJAN; classtype:trojan-activity; sid:2022006; rev:2; metadata:created_at 2015_10_27, updated_at 2017_05_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MWI Maldoc Load Payload"; flow:established,to_server; content:"&act="; http_uri; fast_pattern:only; pcre:"/\/(?:im(?:age|g)|pict)\.(?:jpg|php)\?id=\d+&act=[12]$/U"; content:!".money-media.com|0d 0a|"; nocase; http_header; reference:md5,2c9f2a84a346e29c3b262ca1d2d2f123; reference:url,www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html; classtype:trojan-activity; sid:2022007; rev:1; metadata:created_at 2015_10_28, updated_at 2015_10_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MWI Maldoc Stats Callout Oct 28"; flow:established,to_server; content:"/pict."; content:"?id="; http_uri; pcre:"/\/pict\.(?:jpg|php|xsp)\?id=\d+((?:&data=|&bid=)[^&]*?)?$/U"; content:"office"; http_header; nocase; fast_pattern:only; pcre:"/^User-Agent\x3a\x20[^\x0d\x0a]+?ms-?office/Hmi"; content:!".money-media.com|0d 0a|"; nocase; http_header; reference:md5,2c9f2a84a346e29c3b262ca1d2d2f123; classtype:trojan-activity; sid:2022008; rev:2; metadata:created_at 2015_10_28, updated_at 2016_10_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vawtrak/NeverQuest Posting Data 2"; flow:established,to_server; content:"POST"; http_method; content:"/0"; http_uri; content:"/0000"; http_uri; distance:1; fast_pattern; content:!"Referer|3a|"; http_header; content:!"User-Agent"; http_header; pcre:"/\/0[0-2](?:\/[^\/]*?)?\/0000[a-fA-F0-9]{4}(?:\/[^\/]*?)?\/[a-fA-F0-9]{8}(?:\?\w+=[a-fA-F0-9]+)?$/U"; flowbits:set,ET.Vawtrak; classtype:trojan-activity; sid:2022016; rev:1; metadata:created_at 2015_11_02, updated_at 2015_11_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely Malvertising Malicious PE Download"; flow:established,to_server; content:"GET"; http_method; content:"/adobe_flashplayer_7.exe"; http_uri; fast_pattern:only; reference:md5,d9b91aa8c66c4a701f5558bdca805eec; reference:url,otx.alienvault.com/pulse/5637202b4637f2388aaec61c/; classtype:trojan-activity; sid:2022020; rev:1; metadata:created_at 2015_11_02, updated_at 2015_11_02;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b8 59 43 e2 96 23 5b 17|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,c0c8178b7ef2a8c067c68a7fb7dc7ecd; classtype:trojan-activity; sid:2022021; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_02, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sharik/Smoke Loader Adobe Connectivity Check 2"; flow:established,to_server; urilen:24; content:"POST"; http_method; content:"/go/flashplayer_support/"; http_uri; fast_pattern:4,20; content:"Host|3a 20|www.adobe.com"; http_header; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; reference:md5,aa42c4ee46136d4125bebf93e9b2776c; classtype:trojan-activity; sid:2022025; rev:2; metadata:created_at 2015_11_03, updated_at 2016_11_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sharik/Smoke Loader Java Connectivity Check"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"Host|3a 20|java.com"; http_header; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; reference:md5,aa42c4ee46136d4125bebf93e9b2776c; classtype:trojan-activity; sid:2022026; rev:2; metadata:created_at 2015_11_03, updated_at 2016_11_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sharik/Smoke Loader Adobe Connectivity Check 3"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"Host|3a 20|www.adobe.com"; http_header; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; reference:md5,aa42c4ee46136d4125bebf93e9b2776c; classtype:trojan-activity; sid:2022027; rev:2; metadata:created_at 2015_11_03, updated_at 2016_11_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Silent Miner Changelog Checkin"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/plain"; http_header; file_data; content:"Changelog v"; depth:11; fast_pattern; content:"-Added startup folder"; distance:0; content:"-Changed AutoUpdate Mode"; distance:0; content:"|7c 7c|----------------"; distance:0; content:"-Fixed startup .exe without name bug"; distance:0; content:"-Changed files hosting"; distance:0; content:"- Added CPU Threads"; reference:md5,2d51e11a38b7fd448cd0b1d319915e44; classtype:trojan-activity; sid:2022034; rev:1; metadata:created_at 2015_11_04, updated_at 2015_11_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN JS/Nemucod.M.gen requesting EXE payload 2015-11-02"; flow:to_server,established; content:"POST"; http_method; content:"redir.php"; http_uri; nocase; content:!"Referer|3a| "; nocase; http_header; content: "jndj="; fast_pattern; http_client_body; content: !"&ncm="; http_client_body; pcre:"/^[a-zA-Z]{4,}=0\.[0-9]{10,}&jndj=[a-zA-Z0-9]{4,}$/P"; flowbits:set,ET.nemucod.exerequest; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,f77e7cac3793136bcd1d77ec6a00d8e2; classtype:trojan-activity; sid:2022037; rev:1; metadata:created_at 2015_11_04, updated_at 2015_11_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN JS/Nemucod.M.gen requesting PDF payload 2015-11-02"; flow:to_server,established; content:"POST"; http_method; content:"redir.php"; http_uri; nocase; content:!"Referer|3a| "; nocase; http_header; content: "jndj="; fast_pattern; http_client_body; content: "&ncm="; distance:0; http_client_body; pcre:"/^[a-zA-Z]{4,}=0\.[0-9]{10,}&jndj=[a-zA-Z0-9]{4,}&ncm=[a-zA-Z]{4,}$/P"; flowbits:set,ET.nemucod.pdfrequest; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,f77e7cac3793136bcd1d77ec6a00d8e2; classtype:trojan-activity; sid:2022038; rev:1; metadata:created_at 2015_11_04, updated_at 2015_11_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Wrapper/Gholee/Wedex Checkin"; flow:established,to_server; dsize:12; content:"nocookie"; offset:4; depth:8; reference:md5,b7de8927998f3604762096125e114042; reference:url,blog.checkpoint.com/2015/11/09/rocket-kitten-a-campaign-with-9-lives/; classtype:trojan-activity; sid:2022047; rev:1; metadata:created_at 2015_11_09, updated_at 2015_11_09;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN Cryptowall .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|3wzn5p2yiumh7akj"; fast_pattern; distance:0; nocase; reference:url,www.bleepingcomputer.com/news/security/cryptowall-4-0-released-with-new-features-such-as-encrypted-file-names; classtype:trojan-activity; sid:2022048; rev:1; metadata:created_at 2015_11_09, updated_at 2015_11_09;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|nyctradersacademy.com"; distance:1; within:22; reference:md5,cb690af981b61aa4779624db5d2489e1; reference:md5,040ac83b30a9bd111d06d238f39593fb; classtype:trojan-activity; sid:2022056; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ProxyChanger)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0e|msupdcheck.com"; distance:1; within:16; reference:md5,4b689f711da45fb8523c95a85679f435; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022057; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Shifu)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a3 c1 ae 7c 85 e8 a5 6b|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,5666cb1caca3fde7dd1c8195b76eac8e; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022058; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_10, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback Response (Get Passwords)"; flow:from_client,established; content:"|00|pl|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00pl\x7c/i"; reference:md5,a42317b9f9d3df375218e650999d48c4; classtype:trojan-activity; sid:2022059; rev:1; metadata:created_at 2015_11_10, updated_at 2015_11_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Remote Desktop)"; flow:from_client,established; content:"|00|sc~|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00sc\x7e\x7c/i"; reference:md5,a42317b9f9d3df375218e650999d48c4; classtype:trojan-activity; sid:2022060; rev:1; metadata:created_at 2015_11_10, updated_at 2015_11_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)"; flow:from_client,established; content:"|00|scPK|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00scPK\x7c/i"; reference:md5,a42317b9f9d3df375218e650999d48c4; classtype:trojan-activity; sid:2022061; rev:1; metadata:created_at 2015_11_10, updated_at 2015_11_10;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback Response (File Manager)"; flow:to_client,established; content:"|00|rn|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00rn\x7c/i"; classtype:trojan-activity; sid:2022062; rev:1; metadata:created_at 2015_11_10, updated_at 2015_11_10;)

alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Get Passwords)"; flow:established; content:"|00|ret|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00ret\x7c/i"; reference:md5,310c26fa0c7d07adbff32b569b1972f1; classtype:trojan-activity; sid:2022063; rev:1; metadata:created_at 2015_11_10, updated_at 2015_11_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/HideWindows.C IRC Checkin"; flow:established,to_server; content:"PASS 6667|0a|"; content:"NICK pr0n|7c 30 0a|"; distance:0; fast_pattern; content:"USER Pmx|20 22 2a 22 20 22|"; distance:0; content:"|22 20 3a|pr0n|0a|"; reference:md5,4645b7883d5c8fee6579cc79dee5f683; reference:url,thisissecurity.net/2015/11/05/low-cost-point-of-sales-pos-hacking/; classtype:trojan-activity; sid:2022064; rev:1; metadata:created_at 2015_11_10, updated_at 2015_11_10;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c1 fb cd cd ff 15 b4 03|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; reference:md5,c493fbc74573c2c125ff57b1bf15e4be; classtype:trojan-activity; sid:2022065; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ProxyChanger)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0e|systruster.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; reference:url,sslbl.abuse.ch; reference:md5,efa5ea2c511b08d0f8259a10a49b27ad; classtype:trojan-activity; sid:2022066; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ProxyChanger)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0c|retsback.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; reference:url,sslbl.abuse.ch; reference:md5,e5b7fd7eed59340027625ac39bae7c81; classtype:trojan-activity; sid:2022067; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN KilerRAT CnC - Remote Shell"; flow:from_server,established; content:"rs|7c 4b 69 6c 65 72 7c|"; fast_pattern:only; pcre:"/\x7c(?:[A-Za-z0-9/+]{4})*(?:[A-Za-z0-9/+]{2}==|[A-Za-z0-9/+]{3}=|[A-Za-z0-9/+]{4})$/"; reference:md5,51409b4216065c530a94cd7a5687c0d6; reference:url,alienvault.com/open-threat-exchange/blog/kilerrat-taking-over-where-njrat-remote-access-trojan-left-off; classtype:trojan-activity; sid:2022068; rev:2; metadata:created_at 2015_11_10, updated_at 2015_11_10;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN KilerRAT CnC - Info Checkin"; flow:from_server,established; content:"inf|7c 4b 69 6c 65 72 7c|"; fast_pattern; content:"|7c 4b 69 6c 65 72 7c|"; distance:0; content:"|7c 4b 69 6c 65 72 7c|"; distance:0; reference:md5,51409b4216065c530a94cd7a5687c0d6; reference:url,alienvault.com/open-threat-exchange/blog/kilerrat-taking-over-where-njrat-remote-access-trojan-left-off; classtype:trojan-activity; sid:2022069; rev:1; metadata:created_at 2015_11_10, updated_at 2015_11_10;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TinyLoader.B2 Checkin x64"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 00 BA|"; fast_pattern:only; reference:md5,b4ce43e1c9e74c549e2bae8cd77d5af1; classtype:trojan-activity; sid:2022072; rev:1; metadata:created_at 2015_11_11, updated_at 2015_11_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bookworm CnC Beacon"; flow:to_server,established; content:"GET"; http_method; content:"/0"; http_uri; fast_pattern; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a 20|"; http_header; pcre:"/^\/0[a-f0-9]{48}$/Ui"; reference:md5,8ae2468d3f208d07fb47ebb1e0e297d7; reference:url,researchcenter.paloaltonetworks.com/2015/11/bookworm-trojan-a-model-of-modular-architecture/; classtype:trojan-activity; sid:2022073; rev:1; metadata:created_at 2015_11_11, updated_at 2015_11_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bookworm CnC Beacon 2"; flow:to_server,established; content:"POST"; http_method; content:"000"; http_uri; fast_pattern; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a 20|"; http_header; pcre:"/^\/[a-f0-9]+000[a-f0-9]{37}$/Ui"; reference:md5,0f41c853a2d522e326f2c30b4b951b04; reference:url,researchcenter.paloaltonetworks.com/2015/11/bookworm-trojan-a-model-of-modular-architecture/; classtype:trojan-activity; sid:2022074; rev:2; metadata:created_at 2015_11_11, updated_at 2015_11_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET TROJAN Possible Chimera Ransomware - Bitmessage Activity"; flow:established,to_server; content:"version"; offset:4; depth:7; content:"Bitmessage|3a|"; distance:0; reference:md5,b66a864255ad796cf1e82f973f67f556; reference:url,reaqta.com/2015/11/diving-into-chimera-ransomware/; classtype:policy-violation; sid:2022075; rev:1; metadata:created_at 2015_11_11, updated_at 2015_11_11;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|rozmatis.com"; distance:1; within:13; reference:md5,58b38122ac12b84989914623efe833be; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022076; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_12, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0d|whoreshop.xyz"; distance:1; within:14; reference:md5,218a9854b7d1ca1f417c59a566b343d9; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022077; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_12, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|baknsystem.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022078; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_12, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|lingeriesshop.biz"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022087; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_13, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 07|"; content:"|0a|LosAngeles"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|11|speednetlocal.com"; distance:1; within:18; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022088; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_13, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 07|"; content:"|02|Ny"; distance:1; within:3; content:"|55 04 03|"; distance:0; content:"|13|securityrealnet.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022089; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_13, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Ransom.Win32.Blocker.dham Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/?ID="; http_uri; content:"&Serial="; http_uri; content:"&acao="; http_uri; content:"&Log="; http_uri; content:"&PCInfo="; fast_pattern:only; http_uri; reference:md5,e15b38251aed80298ba07169eb6ee2fa; classtype:trojan-activity; sid:2022091; rev:1; metadata:created_at 2015_11_13, updated_at 2015_11_13;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 9f b1 5c 37 90 8a 2e b7|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022095; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_16, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 81 32 f4 d9 2c 39 c3 06|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022096; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_16, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 b4 78 3d 3f bf 60 b9 94|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022097; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_16, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b4 e9 29 af 96 2b 99 e2|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022098; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_16, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 c1 3b 57 1a 83 a5 b1 4a|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022099; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_16, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC)"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"|1a|certs_division@sslslf.info"; distance:1; within:27; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022100; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_16, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|www.hot-sex-tube.com"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022101; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_16, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC)"; flow:established,from_server; content:"|55 04 0a|"; content:"|1d|International Security Depart"; distance:1; within:30; content:"|55 04 03|"; distance:0; content:"|0c|www.mgid.org"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022102; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_16, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN r0 CnC Check"; flow:to_server,established; urilen:6; content:"GET"; http_method; content:"/check"; http_uri; fast_pattern; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http_header; content:"Expect|3a 20|100-continue"; http_header; content:!"Referer|3a|"; http_header; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:trojan-activity; sid:2022105; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN r0 CnC Architecture GET 1"; flow:to_server,established; content:"GET"; http_method; content:"/i686?ver="; http_uri; depth:10; fast_pattern; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http_header; content:"Expect|3a 20|100-continue"; http_header; content:!"Referer|3a|"; http_header; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:trojan-activity; sid:2022106; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN r0 CnC Architecture GET 2"; flow:to_server,established; content:"GET"; http_method; content:"/mips?ver="; http_uri; depth:10; fast_pattern; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http_header; content:"Expect|3a 20|100-continue"; http_header; content:!"Referer|3a|"; http_header; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:trojan-activity; sid:2022107; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN r0 CnC Architecture GET 3"; flow:to_server,established; content:"GET"; http_method; content:"/armel?ver="; http_uri; depth:11; fast_pattern; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http_header; content:"Expect|3a 20|100-continue"; http_header; content:!"Referer|3a|"; http_header; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:trojan-activity; sid:2022108; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN r0 CnC Architecture GET 4"; flow:to_server,established; content:"GET"; http_method; content:"/mipsel?ver="; http_uri; depth:12; fast_pattern; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http_header; content:"Expect|3a 20|100-continue"; http_header; content:!"Referer|3a|"; http_header; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:trojan-activity; sid:2022109; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN r0 CnC Report GET"; flow:to_server,established; content:"GET"; http_method; content:"/srv_report?ver="; http_uri; depth:16; fast_pattern; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http_header; content:"Expect|3a 20|100-continue"; http_header; content:!"Referer|3a|"; http_header; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:trojan-activity; sid:2022110; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN r0 CnC GET"; flow:to_server,established; urilen:13; content:"GET"; http_method; content:"/r0/index.php"; http_uri; fast_pattern; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http_header; content:"Expect|3a 20|100-continue"; http_header; content:!"Referer|3a|"; http_header; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:trojan-activity; sid:2022111; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Nymaim.BA CnC M1"; flow:to_server,established; content:"POST"; http_method; content:".in|0d 0a|User-Agent|3a 20|"; http_header; fast_pattern; content:!"Accept"; http_header; content:!"Referer|3a 20|"; http_header; content:"Cache-Control|3a 20|no-cache"; http_header; content:"Pragma|3a 20|no-cache"; http_header; content:!"Content-Type|3a 20|"; http_header; content:!"/"; offset:1; http_uri; content:!"|2e|"; http_uri; pcre:"/^\/[a-z0-9]+\?[a-z0-9]+(?:=[a-z0-9&=]+)?$/Ui"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; reference:md5,3831e58cd22cc9bdf06f18f843cdfee9; reference:url,techhelplist.com/spam-list/974-intuit-browsers-update-malware; classtype:trojan-activity; sid:2022119; rev:1; metadata:created_at 2015_11_18, updated_at 2015_11_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Nymaim.BA CnC M2"; flow:to_server,established; content:"POST"; http_method; content:".pw|0d 0a|User-Agent|3a 20|"; http_header; fast_pattern; content:!"Accept"; http_header; content:!"Referer|3a 20|"; http_header; content:"Cache-Control|3a 20|no-cache"; http_header; content:"Pragma|3a 20|no-cache"; http_header; content:!"Content-Type|3a 20|"; http_header; content:!"/"; offset:1; http_uri; content:!"|2e|"; http_uri; pcre:"/^\/[a-z0-9]+\?[a-z0-9]+(?:=[a-z0-9&=]+)?$/Ui"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; reference:md5,3831e58cd22cc9bdf06f18f843cdfee9; reference:url,techhelplist.com/spam-list/974-intuit-browsers-update-malware; classtype:trojan-activity; sid:2022120; rev:1; metadata:created_at 2015_11_18, updated_at 2015_11_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|softupdates|04|info|00|"; nocase; distance:0; fast_pattern; reference:md5,c3ae4a37094ecfe95c2badecf40bf5bb; classtype:trojan-activity; sid:2022121; rev:1; metadata:created_at 2015_11_18, updated_at 2015_11_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|drivres-update|04|info|00|"; nocase; distance:0; fast_pattern; reference:md5,c3ae4a37094ecfe95c2badecf40bf5bb; classtype:trojan-activity; sid:2022122; rev:1; metadata:created_at 2015_11_18, updated_at 2015_11_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sharik/Smoke Loader Microsoft Connectivity Check"; flow:established,to_server; content:"POST"; http_method; content:"/fwlink/?LinkId="; http_uri; fast_pattern:only; content:"Host|3a 20|go.microsoft.com"; http_header; content:!"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"; http_header; content:!"SOAPAction|3a|"; http_header; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; reference:md5,467b786f7c645c73d5c29347d35cae11; classtype:trojan-activity; sid:2022124; rev:5; metadata:created_at 2015_11_20, updated_at 2016_11_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MegalodonHTTP CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?hwid="; http_uri; fast_pattern; content:"&ip="; http_uri; content:"&os="; http_uri; content:"&name="; http_uri; content:"&ram="; http_uri; content:"&cpu="; http_uri; content:"&gpu="; http_uri; content:"&av="; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,966301e88d8a43abe1215413bfd48b09; reference:url,damballa.com/megalodonhttp-botnet-discovered-the-shark-paradox/; classtype:trojan-activity; sid:2022126; rev:2; metadata:created_at 2015_11_23, updated_at 2015_11_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MegalodonHTTP Client Action"; flow:established,to_server; content:"GET"; http_method; content:".php?hwid="; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php\?hwid=[A-F0-9]{16}$/U"; pcre:"/^Host\x3a\x20[^\r\n]+\r\n\r?$/H"; reference:md5,966301e88d8a43abe1215413bfd48b09; reference:url,damballa.com/megalodonhttp-botnet-discovered-the-shark-paradox/; classtype:trojan-activity; sid:2022127; rev:3; metadata:created_at 2015_11_23, updated_at 2015_11_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MegalodonHTTP CoinMiner Activity"; flow:established,to_server; content:"GET"; http_method; content:".php?check="; http_uri; fast_pattern; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php\?check=\d$/U"; pcre:"/^Host\x3a\x20[^\r\n]+\r\n\r?$/H"; reference:md5,966301e88d8a43abe1215413bfd48b09; reference:url,damballa.com/megalodonhttp-botnet-discovered-the-shark-paradox/; classtype:trojan-activity; sid:2022128; rev:2; metadata:created_at 2015_11_23, updated_at 2015_11_23;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Retefe CnC)"; flow:established,from_server; content:"|55 04 08|"; content:"|06|Zurich"; distance:1; within:7; content:"|55 04 07|"; distance:0; content:"|06|Zurich"; distance:1; within:7; content:"IT"; distance:0; content:"|55 04 03|"; distance:0; content:"|07|default"; distance:1; within:8; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|12|me@myhost.mydomain"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022129; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_23, malware_family Banking_Trojan, malware_family Retefe, updated_at 2017_01_30;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Retefe CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|07|default"; distance:1; within:8; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|13|support@hsshvpn.net"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022130; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_23, malware_family Banking_Trojan, malware_family Retefe, updated_at 2017_01_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Rincux CnC (set)"; content:"|01 00 00 00|"; depth:4; content:"|00 00 00 00 00 00 00 00|"; distance:0; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00|Windows"; distance:0; content:"|20 4d 42 00 00 00 00 00|"; fast_pattern; distance:0; content:"|20 4d 48 7a 00 00 00 00 00|"; distance:0; flowbits:set,ET.Rincux; flowbits:noalert; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-082614-0727-99&tabid=2; classtype:trojan-activity; sid:2022131; rev:1; metadata:created_at 2015_11_23, updated_at 2015_11_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Rincux CnC"; content:"|02 00 00 00|"; fast_pattern; depth:4; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/Rs"; content:"|00 00 00 00|"; distance:0; flowbits:isset,ET.Rincux; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-082614-0727-99&tabid=2; classtype:trojan-activity; sid:2022132; rev:1; metadata:created_at 2015_11_23, updated_at 2015_11_23;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 87 58 1a 93 f4 b1 c2 6b|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022133; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_23, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LokiBot Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Content-Key|3a 20|"; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a\x20[^\r\n]+\r\nHost\x3a\x20[^\r\n]+\r\nAccept\x3a\x20[^\r\n]+\r\nContent-Type\x3a\x20/Hi"; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,5ba6cf36f57697a1eb5ac8deaa377b4b; classtype:trojan-activity; sid:2025381; rev:3; metadata:created_at 2015_11_23, updated_at 2018_04_13;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Critroni .onion Proxy Domain (tmclybfqzgkaeilm)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tmclybfqzgkaeilm"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022145; rev:1; metadata:created_at 2015_11_24, updated_at 2015_11_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Matryoshka CnC Beacon 1"; flow:established,to_server; urilen:>50; content:"GET"; http_method; content:"/img/"; depth:5; http_uri; content:"/"; distance:32; within:1; http_uri; content:"/general.png"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/^\/img\/[a-f0-9]{32}\/[a-f0-9]+\/general\.png$/U"; reference:md5,9853fc1f4d7ba23d728f4ee80842faf9; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022146; rev:1; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Matryoshka CnC Beacon 2"; flow:established,to_server; urilen:>50; content:"GET"; http_method; content:"/img/"; depth:5; http_uri; content:"/"; distance:32; within:1; http_uri; content:"/n"; distance:0; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/img\/[a-f0-9]{32}\/[a-f0-9]+\/n\d+\.png$/U"; content:".png|20|HTTP/1.1|0d 0a|"; fast_pattern:only; reference:md5,9853fc1f4d7ba23d728f4ee80842faf9; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022147; rev:1; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (alhadath.mobi)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|alhadath|04|mobi|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022148; rev:1; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (big-windowss.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|big-windowss|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022149; rev:1; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (cacheupdate14.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|cacheupdate14|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022150; rev:1; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (fbstatic-a.space)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|fbstatic-a|05|space|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022151; rev:1; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (fbstatic-a.xyz)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|fbstatic-a|03|xyz|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022152; rev:1; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (fbstatic-akamaihd.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|fbstatic-akamaihd|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022153; rev:1; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (gmailtagmanager.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|gmailtagmanager|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022154; rev:1; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (haaretz.link)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|haaretz|04|link|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022155; rev:1; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (haaretz-news.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|haaretz-news|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022156; rev:1; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (heartax.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|heartax|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022157; rev:1; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (img.gmailtagmanager.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|img|0f|gmailtagmanager|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022158; rev:1; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (kernel4windows.in)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|kernel4windows|02|in|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022159; rev:1; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (main.windowskernel14.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|main|0f|windowskernel14|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022160; rev:1; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (micro-windows.in)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|micro-windows|02|in|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022161; rev:1; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (mswordupdate15.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|mswordupdate15|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022162; rev:1; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (mswordupdate16.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|mswordupdate16|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022163; rev:2; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (mswordupdate17.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|mswordupdate17|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022164; rev:2; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (mywindows24.in)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|mywindows24|02|in|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022165; rev:2; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (patch7-windows.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|patch7-windows|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022166; rev:2; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (patch8-windows.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|patch8-windows|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022167; rev:2; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (patchthiswindows.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|patchthiswindows|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022168; rev:2; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (u.mywindows24.in)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|01|u|0b|mywindows24|02|in|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022169; rev:2; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (walla.link)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|walla|04|link|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022170; rev:2; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (wethearservice.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|wethearservice|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022171; rev:2; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (wheatherserviceapi.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|wheatherserviceapi|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022172; rev:2; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (windowkernel.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|windowkernel|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022173; rev:2; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (windows-10patch.in)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|windows-10patch|02|in|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022174; rev:2; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (windows24-kernel.in)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|windows24-kernel|02|in|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022175; rev:2; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (windows-drive20.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|windows-drive20|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022176; rev:2; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (windows-india.in)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|windows-india|02|in|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022177; rev:2; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (windowskernel.in)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|windowskernel|02|in|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022178; rev:2; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (windows-kernel.in)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|windows-kernel|02|in|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022179; rev:2; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (windowskernel14.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|windowskernel14|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022180; rev:2; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (windowslayer.in)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|windowslayer|02|in|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022181; rev:2; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (windows-my50.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|windows-my50|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022182; rev:2; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (windowssup.in)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|windowssup|02|in|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022183; rev:2; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKittens DNS Lookup (windowsupup.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|windowsupup|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022184; rev:2; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Swrort.A Checkin 3"; flow:to_server,established; content:"GET"; http_method; nocase; content:".php?/12345"; http_uri; pcre:"/\.php\?\/12345$/U"; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/^Host\x3a\x20[^\r\n]+\r\nConnection\x3a\x20[^\r\n]+\r\nCache-Control\x3a\x20no-cache\r\n\r?$/Hi"; reference:md5,24203ba70f584b64a432fb6dad52765d; classtype:trojan-activity; sid:2022186; rev:1; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Scieron-A Checkin via HTTP POST 2"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a 20|Sony|3b|"; http_header; fast_pattern:only; pcre:"/^\/\d+$/U"; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; reference:md5,f184c13be617754e394ecb8c972c8861; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2022188; rev:1; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ELF/muBoT IRC Activity 6 (SOCKS)"; flow:established,to_server; content:"NOTICE "; content:"|3a|REWRITING|0a|"; fast_pattern; distance:0; content:"|0a|to|0a|"; distance:0; pcre:"/^NOTICE [^\r\n]+? \x3aREWRITING\x0a[^\r\n]+?\x0ato\x0a[^\r\n]+?\x0a/s"; reference:url,blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html; classtype:trojan-activity; sid:2022189; rev:1; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ELF/muBoT IRC Activity 7 (bindshell)"; flow:established,from_server; content:"|0a c2 84 c2 9f|muBoT|c2 84 c2 9f|REMOTE|c2 84 c2 9f|SHELL"; reference:url,blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html; classtype:trojan-activity; sid:2022190; rev:1; metadata:created_at 2015_11_25, updated_at 2015_11_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Teslacrypt .onion Proxy Domain (tw7kaqthui5ojcez)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tw7kaqthui5ojcez"; fast_pattern; distance:0; nocase; reference:md5,45683c29a36ef8a15f216d7c4b2af822; classtype:trojan-activity; sid:2022191; rev:1; metadata:created_at 2015_11_30, updated_at 2015_11_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN VBKlip/ClipBanker.P Status Update"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"/"; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (compatible MSIE 9.0 Windows NT 6.1 WOW64 Trident/5.0)|0d 0a|"; http_header; content:"tekst="; depth:6; http_client_body; fast_pattern; content:!"Accept-"; http_header; pcre:"/^tekst=\w+$/Pi"; reference:md5,ef230777f5b34291ea22bfc3c591ce2d; classtype:trojan-activity; sid:2022192; rev:1; metadata:created_at 2015_11_30, updated_at 2015_11_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Send-Safe Bulk Mailer SSL Cert - Observed in Spam Campaigns"; flow:established,from_server; content:"|55 04 06|"; content:"|07|Unknown"; distance:1; within:8; content:"|55 04 08|"; distance:0; content:"|07|Unknown"; distance:1; within:8; content:"|55 04 07|"; distance:0; content:"|07|Unknown"; distance:1; within:8; content:"|55 04 0a|"; distance:0; content:"|09|Send-Safe"; fast_pattern; distance:1; within:10; content:"|55 04 0b|"; distance:0; content:"|07|Unknown"; distance:1; within:8; content:"|55 04 03|"; distance:0; content:"|09|Send-Safe"; distance:1; within:10; reference:md5,837c7af7f376722a0315cb0a7cb12399; classtype:trojan-activity; sid:2022194; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ponmocup HTTP Request (generic) M1"; flow:established,to_server; content:!"Accept-"; http_header; content:"Accept|3a 20|*/*|0d 0a|"; http_header; content:!"Referer|3a|"; http_header; content:"Cookie|3a 20|"; isdataat:300,relative; content:!"|0d 0a|"; within:300; content:"Host|3a 20|1"; fast_pattern:only; http_header; pcre:"/^Host\x3A\x20\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\r\n/Hm"; pcre:"/(?:Cache-Control\x3a\x20no-cache\r\n(?:Connection\x3a\x20Close\r\nPragma\x3a\x20no-cache\r\n|Pragma\x3a\x20no-cache\r\nConnection\x3a\x20Close\r\n)|Connection\x3a\x20Close\r\n(?:Cache-Control\x3a\x20no-cache\r\nPragma\x3a\x20no-cache\r\n|Pragma\x3a\x20no-cache\r\nCache-Control\x3a\x20no-cache\r\n)|Pragma\x3a\x20no-cache\r\n(?:Connection\x3a\x20Close\r\nCache-Control\x3a\x20no-cache\r\n|Cache-Control\x3a\x20no-cache\r\nConnection\x3a\x20Close\r\n))/H"; threshold:type limit, track by_src, count 1, seconds 600; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022197; rev:2; metadata:created_at 2015_12_02, updated_at 2015_12_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ponmocup HTTP Request (generic) M2"; flow:established,to_server; content:!"Accept-"; http_header; content:"Accept|3a 20|*/*|0d 0a|"; http_header; content:!"Referer|3a|"; http_header; content:"Cookie|3a 20|"; isdataat:300,relative; content:!"|0d 0a|"; within:300; content:"Host|3a 20|2"; fast_pattern:only; http_header; pcre:"/^Host\x3A\x20\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\r\n/Hm"; pcre:"/(?:Cache-Control\x3a\x20no-cache\r\n(?:Connection\x3a\x20Close\r\nPragma\x3a\x20no-cache\r\n|Pragma\x3a\x20no-cache\r\nConnection\x3a\x20Close\r\n)|Connection\x3a\x20Close\r\n(?:Cache-Control\x3a\x20no-cache\r\nPragma\x3a\x20no-cache\r\n|Pragma\x3a\x20no-cache\r\nCache-Control\x3a\x20no-cache\r\n)|Pragma\x3a\x20no-cache\r\n(?:Connection\x3a\x20Close\r\nCache-Control\x3a\x20no-cache\r\n|Cache-Control\x3a\x20no-cache\r\nConnection\x3a\x20Close\r\n))/H"; threshold:type limit, track by_src, count 1, seconds 600; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022198; rev:1; metadata:created_at 2015_12_02, updated_at 2015_12_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ponmocup HTTP Request (generic) M3"; flow:established,to_server; content:!"Accept-"; http_header; content:"Accept|3a 20|*/*|0d 0a|"; http_header; content:!"Referer|3a|"; http_header; content:"Cookie|3a 20|"; isdataat:300,relative; content:!"|0d 0a|"; within:300; content:"Host|3a 20|3"; fast_pattern:only; http_header; pcre:"/^Host\x3A\x20\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\r\n/Hm"; pcre:"/(?:Cache-Control\x3a\x20no-cache\r\n(?:Connection\x3a\x20Close\r\nPragma\x3a\x20no-cache\r\n|Pragma\x3a\x20no-cache\r\nConnection\x3a\x20Close\r\n)|Connection\x3a\x20Close\r\n(?:Cache-Control\x3a\x20no-cache\r\nPragma\x3a\x20no-cache\r\n|Pragma\x3a\x20no-cache\r\nCache-Control\x3a\x20no-cache\r\n)|Pragma\x3a\x20no-cache\r\n(?:Connection\x3a\x20Close\r\nCache-Control\x3a\x20no-cache\r\n|Cache-Control\x3a\x20no-cache\r\nConnection\x3a\x20Close\r\n))/H"; threshold:type limit, track by_src, count 1, seconds 600; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022199; rev:1; metadata:created_at 2015_12_02, updated_at 2015_12_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ponmocup HTTP Request (generic) M4"; flow:established,to_server; content:!"Accept-"; http_header; content:"Accept|3a 20|*/*|0d 0a|"; http_header; content:!"Referer|3a|"; http_header; content:"Cookie|3a 20|"; isdataat:300,relative; content:!"|0d 0a|"; within:300; content:"Host|3a 20|4"; fast_pattern:only; http_header; pcre:"/^Host\x3A\x20\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\r\n/Hm"; pcre:"/(?:Cache-Control\x3a\x20no-cache\r\n(?:Connection\x3a\x20Close\r\nPragma\x3a\x20no-cache\r\n|Pragma\x3a\x20no-cache\r\nConnection\x3a\x20Close\r\n)|Connection\x3a\x20Close\r\n(?:Cache-Control\x3a\x20no-cache\r\nPragma\x3a\x20no-cache\r\n|Pragma\x3a\x20no-cache\r\nCache-Control\x3a\x20no-cache\r\n)|Pragma\x3a\x20no-cache\r\n(?:Connection\x3a\x20Close\r\nCache-Control\x3a\x20no-cache\r\n|Cache-Control\x3a\x20no-cache\r\nConnection\x3a\x20Close\r\n))/H"; threshold:type limit, track by_src, count 1, seconds 600; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022200; rev:1; metadata:created_at 2015_12_02, updated_at 2015_12_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ponmocup HTTP Request (generic) M5"; flow:established,to_server; content:!"Accept-"; http_header; content:"Accept|3a 20|*/*|0d 0a|"; http_header; content:!"Referer|3a|"; http_header; content:"Cookie|3a 20|"; isdataat:300,relative; content:!"|0d 0a|"; within:300; content:"Host|3a 20|5"; fast_pattern:only; http_header; pcre:"/^Host\x3A\x20\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\r\n/Hm"; pcre:"/(?:Cache-Control\x3a\x20no-cache\r\n(?:Connection\x3a\x20Close\r\nPragma\x3a\x20no-cache\r\n|Pragma\x3a\x20no-cache\r\nConnection\x3a\x20Close\r\n)|Connection\x3a\x20Close\r\n(?:Cache-Control\x3a\x20no-cache\r\nPragma\x3a\x20no-cache\r\n|Pragma\x3a\x20no-cache\r\nCache-Control\x3a\x20no-cache\r\n)|Pragma\x3a\x20no-cache\r\n(?:Connection\x3a\x20Close\r\nCache-Control\x3a\x20no-cache\r\n|Cache-Control\x3a\x20no-cache\r\nConnection\x3a\x20Close\r\n))/H"; threshold:type limit, track by_src, count 1, seconds 600; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022201; rev:1; metadata:created_at 2015_12_02, updated_at 2015_12_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ponmocup HTTP Request (generic) M6"; flow:established,to_server; content:!"Accept-"; http_header; content:"Accept|3a 20|*/*|0d 0a|"; http_header; content:!"Referer|3a|"; http_header; content:"Cookie|3a 20|"; isdataat:300,relative; content:!"|0d 0a|"; within:300; content:"Host|3a 20|6"; fast_pattern:only; http_header; pcre:"/^Host\x3A\x20\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\r\n/Hm"; pcre:"/(?:Cache-Control\x3a\x20no-cache\r\n(?:Connection\x3a\x20Close\r\nPragma\x3a\x20no-cache\r\n|Pragma\x3a\x20no-cache\r\nConnection\x3a\x20Close\r\n)|Connection\x3a\x20Close\r\n(?:Cache-Control\x3a\x20no-cache\r\nPragma\x3a\x20no-cache\r\n|Pragma\x3a\x20no-cache\r\nCache-Control\x3a\x20no-cache\r\n)|Pragma\x3a\x20no-cache\r\n(?:Connection\x3a\x20Close\r\nCache-Control\x3a\x20no-cache\r\n|Cache-Control\x3a\x20no-cache\r\nConnection\x3a\x20Close\r\n))/H"; threshold:type limit, track by_src, count 1, seconds 600; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022202; rev:1; metadata:created_at 2015_12_02, updated_at 2015_12_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ponmocup HTTP Request (generic) M7"; flow:established,to_server; content:!"Accept-"; http_header; content:"Accept|3a 20|*/*|0d 0a|"; http_header; content:!"Referer|3a|"; http_header; content:"Cookie|3a 20|"; isdataat:300,relative; content:!"|0d 0a|"; within:300; content:"Host|3a 20|7"; fast_pattern:only; http_header; pcre:"/^Host\x3A\x20\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\r\n/Hm"; pcre:"/(?:Cache-Control\x3a\x20no-cache\r\n(?:Connection\x3a\x20Close\r\nPragma\x3a\x20no-cache\r\n|Pragma\x3a\x20no-cache\r\nConnection\x3a\x20Close\r\n)|Connection\x3a\x20Close\r\n(?:Cache-Control\x3a\x20no-cache\r\nPragma\x3a\x20no-cache\r\n|Pragma\x3a\x20no-cache\r\nCache-Control\x3a\x20no-cache\r\n)|Pragma\x3a\x20no-cache\r\n(?:Connection\x3a\x20Close\r\nCache-Control\x3a\x20no-cache\r\n|Cache-Control\x3a\x20no-cache\r\nConnection\x3a\x20Close\r\n))/H"; threshold:type limit, track by_src, count 1, seconds 600; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022203; rev:1; metadata:created_at 2015_12_02, updated_at 2015_12_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ponmocup HTTP Request (generic) M8"; flow:established,to_server; content:!"Accept-"; http_header; content:"Accept|3a 20|*/*|0d 0a|"; http_header; content:!"Referer|3a|"; http_header; content:"Cookie|3a 20|"; isdataat:300,relative; content:!"|0d 0a|"; within:300; content:"Host|3a 20|8"; fast_pattern:only; http_header; pcre:"/^Host\x3A\x20\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\r\n/Hm"; pcre:"/(?:Cache-Control\x3a\x20no-cache\r\n(?:Connection\x3a\x20Close\r\nPragma\x3a\x20no-cache\r\n|Pragma\x3a\x20no-cache\r\nConnection\x3a\x20Close\r\n)|Connection\x3a\x20Close\r\n(?:Cache-Control\x3a\x20no-cache\r\nPragma\x3a\x20no-cache\r\n|Pragma\x3a\x20no-cache\r\nCache-Control\x3a\x20no-cache\r\n)|Pragma\x3a\x20no-cache\r\n(?:Connection\x3a\x20Close\r\nCache-Control\x3a\x20no-cache\r\n|Cache-Control\x3a\x20no-cache\r\nConnection\x3a\x20Close\r\n))/H"; threshold:type limit, track by_src, count 1, seconds 600; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022204; rev:1; metadata:created_at 2015_12_02, updated_at 2015_12_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ponmocup HTTP Request (generic) M9"; flow:established,to_server; content:!"Accept-"; http_header; content:"Accept|3a 20|*/*|0d 0a|"; http_header; content:!"Referer|3a|"; http_header; content:"Cookie|3a 20|"; isdataat:300,relative; content:!"|0d 0a|"; within:300; content:"Host|3a 20|9"; fast_pattern:only; http_header; pcre:"/^Host\x3A\x20\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\r\n/Hm"; pcre:"/(?:Cache-Control\x3a\x20no-cache\r\n(?:Connection\x3a\x20Close\r\nPragma\x3a\x20no-cache\r\n|Pragma\x3a\x20no-cache\r\nConnection\x3a\x20Close\r\n)|Connection\x3a\x20Close\r\n(?:Cache-Control\x3a\x20no-cache\r\nPragma\x3a\x20no-cache\r\n|Pragma\x3a\x20no-cache\r\nCache-Control\x3a\x20no-cache\r\n)|Pragma\x3a\x20no-cache\r\n(?:Connection\x3a\x20Close\r\nCache-Control\x3a\x20no-cache\r\n|Cache-Control\x3a\x20no-cache\r\nConnection\x3a\x20Close\r\n))/H"; threshold:type limit, track by_src, count 1, seconds 600; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022205; rev:1; metadata:created_at 2015_12_02, updated_at 2015_12_02;)

alert udp $HOME_NET any -> any [5060,5061,5600] (msg:"ET TROJAN Ponmocup plugin #2600 (SIP scanner)"; content:"User-Agent|3a| Zoiper for Windows rev.1812|0d0a|"; threshold: type limit, count 1, seconds 3600, track by_src; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022206; rev:2; metadata:created_at 2015_12_02, updated_at 2015_12_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN JS/Nemucod requesting EXE payload 2015-12-01"; flow:to_server,established; content:"GET"; http_method; content:".exe?"; http_uri; nocase; content:!"Referer|3a| "; nocase; http_header; content:!"User-Agent|3a| BlueCoat"; nocase; http_header; content:"MSIE 7.0"; http_header; pcre:"/\/[0-9]{2}\.exe\?[0-9]$/iU"; flowbits:set,ET.nemucod.exerequest; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,77290f994d05ad0add5768c9c040dc55; classtype:trojan-activity; sid:2022207; rev:2; metadata:created_at 2015_12_02, updated_at 2015_12_02;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|licensecheck.bit"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022208; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Bancos CnC)"; flow:established,from_server; content:"|55 04 0a|"; content:"|27|Agency Protocols Management of Internet"; distance:1; within:40; content:"|55 04 03|"; distance:0; content:"|0d|bestylish.com"; distance:1; within:14; fast_pattern; metadata: former_category TROJAN; reference:md5,ecda8c6613fb458102fcb6f70b1cd594; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022209; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Banking_Trojan, signature_severity Major, created_at 2015_12_02, malware_family Bancos, updated_at 2018_04_23;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Bancos CnC)"; flow:established,from_server; content:"|55 04 0a|"; content:"|27|Agency Protocols Management of Internet"; distance:1; within:40; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|0d|info@apmi.com"; distance:1; within:15; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022211; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Banking_Trojan, signature_severity Major, created_at 2015_12_02, malware_family Bancos, updated_at 2018_04_23;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e2 81 a8 a0 05 4c c8 8b|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022212; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_02, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ELF/lizkebab CnC Activity (Flooding 1)"; flow:established,to_server; content:"|20|Flooding|20|"; fast_pattern:only; content:"|20|for|20|"; content:"|20|seconds."; distance:0; pcre:"/(?:JUNK|HOLD) Flooding (?:\d{1,3}\.){3}\d{1,3} for \d+ seconds.\r?\n/"; reference:url,blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html; classtype:trojan-activity; sid:2022213; rev:1; metadata:created_at 2015_12_03, updated_at 2015_12_03;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ELF/lizkebab CnC Activity (Server Banner)"; flow:established,from_server; content:"***|0d 0a|*|20 20 20 20 20 20 20 20|WELCOME TO THE BALL PIT|20 20 20 20 20 20 20 20|*|0d 0a|"; fast_pattern:14,20; content:"*|20 20 20 20 20|Now with|20|"; distance:0; reference:url,blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html; classtype:trojan-activity; sid:2022214; rev:1; metadata:created_at 2015_12_03, updated_at 2015_12_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ELF/STDbot CnC Activity (STD attack)"; flow:established,to_server; content:"PRIVMSG|20|"; content:"|20 3a|[STD]Hitting|20|"; fast_pattern; distance:0; content:"!|0a|"; distance:0; within:40; reference:url,blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html; classtype:trojan-activity; sid:2022215; rev:2; metadata:created_at 2015_12_03, updated_at 2015_12_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ELF/STDbot CnC Activity (UNK attack)"; flow:established,to_server; content:"PRIVMSG|20|"; content:"|20 3a|[UNK]Hitting|20|"; fast_pattern; distance:0; content:"!|0a|"; distance:0; within:40; reference:url,blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html; classtype:trojan-activity; sid:2022216; rev:2; metadata:created_at 2015_12_03, updated_at 2015_12_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/KDefend Checkin"; flow:established,to_server; content:"c|00|h|00|i|00|n|00|a|00 00 00|"; offset:16; depth:12; fast_pattern; content:"|20|MB|00|"; within:10; content:"/proc/stat|00|cpu|00|"; within:21; reference:url,blog.malwaremustdie.org/2015/12/mmd-0045-2015-kdefend-new-elf-threat.html; classtype:trojan-activity; sid:2022219; rev:3; metadata:created_at 2015_12_04, updated_at 2015_12_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/MayhemBruter Checkin"; flow:established,to_server; content:"{|0a 20 20 22|id|22 3a 20 22|"; depth:11; fast_pattern; content:"|22 0a|}|00|"; distance:0; within:36; isdataat:!1,relative; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3405&p=27363; classtype:trojan-activity; sid:2022223; rev:1; metadata:created_at 2015_12_07, updated_at 2015_12_07;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN Linux/MayhemBruter Inbound Ping From CnC"; flow:established,to_server; content:"/wp-content/plugins/"; http_uri; content:"/libso"; distance:0; http_uri; pcre:"/\/libso\d{1,4}\.php\?id=[a-zA-Z0-9]+$/U"; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3405&p=27363; classtype:trojan-activity; sid:2022224; rev:2; metadata:created_at 2015_12_07, updated_at 2015_12_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vawtrak HTTP CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; http_header; pcre:"/^Cookie\x3a\x20PHPSESSID=[A-F0-9]{32}\r\n/m"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; content:"Cookie|3a 20|PHPSESSID="; fast_pattern:only; content:!"IBM-PROXY-WTE"; http_header; nocase; classtype:trojan-activity; sid:2022225; rev:8; metadata:created_at 2015_12_07, updated_at 2016_11_15;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|coughweb.biz"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022226; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 f2 66 4a 29 e0 7e c2 78|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022227; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Malicious SSL certificate detected (FindPOS)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e0 78 4e 9c a4 ad ab 24|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,blog.team-cymru.org/2015/06/poseidon-and-the-backoff-pos-link/; classtype:trojan-activity; sid:2022228; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|server.domain.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022229; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_07, updated_at 2016_11_29;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|www.gooodlaosadf.com"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022230; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e9 41 89 47 37 8f 56 41|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022231; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 f6 da a5 22 b2 8b 91 be|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022232; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Zeus CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|09|Cyxuzoidv"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022233; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|google.com"; distance:1; within:11; fast_pattern; content:"@google.com"; distance:0; content:"|0a|google.com"; distance:0; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022234; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 07|"; content:"|0b|los Angeles"; distance:1; within:12; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0c|*.google.com"; distance:1; within:13; content:"@google.com"; distance:0; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022235; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN EncryptorRaas .onion Domain (75nzutdjjtnpgscz)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|75nzutdjjtnpgscz"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022236; rev:1; metadata:created_at 2015_12_08, updated_at 2015_12_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TeslaCrypt/AlphaCrypt Variant .onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vf4xdqg4mp3hnw5g"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022237; rev:1; metadata:created_at 2015_12_08, updated_at 2015_12_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TeslaCrypt/AlphaCrypt Variant .onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wv55abv6bde65ek6"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022238; rev:1; metadata:created_at 2015_12_08, updated_at 2015_12_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN NetBackdoor Checkin"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"|0d 0a|log="; http_client_body; fast_pattern; content:"path="; http_client_body; pcre:"/path=[A-Z]\x3a\x5c[A-F0-9]+\r\nlog=/Pi"; reference:md5,a6a9e8b0432ad557245ac8ad2926ed7c; classtype:trojan-activity; sid:2022244; rev:1; metadata:created_at 2015_12_11, updated_at 2015_12_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN NetBackdoor User-Agent (.net backdor)"; flow:to_server,established; content:"User-Agent|3a 20 2e|net backdor"; http_header; reference:md5,a6a9e8b0432ad557245ac8ad2926ed7c; classtype:trojan-activity; sid:2022245; rev:1; metadata:created_at 2015_12_11, updated_at 2015_12_11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|25|www.signliquideducationdaughter.final"; distance:1; within:38; fast_pattern:18,20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022247; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|www.benvenuittopronto.com"; distance:1; within:26; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022248; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ca a8 d2 15 e5 c6 b7 72|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022249; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|theliveguard.net"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022250; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|televcheck.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022251; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|welcomefreinds.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022252; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET TROJAN Possible Gootkit CnC SSL Cert M1"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|04|Asia"; distance:1; within:5; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:trojan-activity; sid:2022253; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET TROJAN Possible Gootkit CnC SSL Cert M2"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|0d|North America"; distance:1; within:14; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:trojan-activity; sid:2022254; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET TROJAN Possible Gootkit CnC SSL Cert M3"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|06|Africa"; distance:1; within:7; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:trojan-activity; sid:2022255; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET TROJAN Possible Gootkit CnC SSL Cert M4"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|06|Europe"; distance:1; within:7; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:trojan-activity; sid:2022256; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET TROJAN Possible Gootkit CnC SSL Cert M5"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|09|Australia"; distance:1; within:10; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:trojan-activity; sid:2022257; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET TROJAN Possible Gootkit CnC SSL Cert M6"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|0d|South America"; distance:1; within:14; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:trojan-activity; sid:2022258; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET TROJAN Possible Gootkit CnC SSL Cert M7"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|0a|Antarctica"; distance:1; within:11; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:trojan-activity; sid:2022259; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|checkstat99.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022267; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Derusbi/Winnti Receiving Configuration"; flow:established,from_server; file_data; content:"$$$--Hello"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})Wrod--\$\$\$/R"; content:"Wrod--$$$"; fast_pattern:only; reference:url,blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family; classtype:trojan-activity; sid:2022269; rev:1; metadata:created_at 2015_12_16, updated_at 2015_12_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sakula DNS Lookup (mail.cbppnews.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|mail|08|cbppnews|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf; classtype:trojan-activity; sid:2022272; rev:1; metadata:created_at 2015_12_17, updated_at 2015_12_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sakula DNS Lookup (inocnation.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|inocnation|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf; classtype:trojan-activity; sid:2022273; rev:1; metadata:created_at 2015_12_17, updated_at 2015_12_17;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 85 47 00 43 cf a7 86 ee|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,d90c0177437c4cf588de4e60ab233fe1; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022275; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|lililililililili.com"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022276; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|intelliadsign.net"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022277; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|boistey.biz"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022278; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|CH|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022279; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_17, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Nivdort Posting Data 1"; flow:established,to_server; content:"POST"; http_method; content:".php HTTP/1.0|0d 0a|"; content:!"User-Agent|3a|"; http_header; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:"post="; depth:5; fast_pattern; http_client_body; pcre:"/^post\x3D(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/P"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32/Nivdort; classtype:trojan-activity; sid:2022280; rev:1; metadata:created_at 2015_12_18, updated_at 2015_12_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Nivdort Posting Data 2"; flow:established,to_server; content:"POST"; http_method; content:".php HTTP/1.0|0d 0a|"; content:!"User-Agent|3a|"; http_header; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:"env="; depth:4; fast_pattern; http_client_body; pcre:"/^env\x3D(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/P"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32/Nivdort; classtype:trojan-activity; sid:2022281; rev:1; metadata:created_at 2015_12_18, updated_at 2015_12_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/ProPoS CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Accept|3a 20|application/octet-stream|0d 0a|"; http_header; content:"User-Agent|3a 20|Pro PoS"; http_header; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\.php$/U"; reference:url,blog.talosintel.com/2015/12/pro-pos.html; classtype:trojan-activity; sid:2022282; rev:1; metadata:created_at 2015_12_18, updated_at 2015_12_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FAKBEN Ransomware"; flow:established,to_server; content:"GET"; http_method; content:".php?btc="; http_uri; nocase; fast_pattern; content:"&wid="; http_uri; nocase; distance:0; content:"|3a|TWljcm9zb2Z0IFdpbmR"; http_uri; distance:0; content:!"Accept"; http_header; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; reference:md5,c952a88edc0766adf819b30cd2683ac7; classtype:trojan-activity; sid:2022283; rev:2; metadata:created_at 2015_12_18, updated_at 2015_12_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN AlphaCrypt CnC Beacon 5"; flow:established,to_server; urilen:>250; content:"GET"; http_method; content:"/misc.php?"; http_uri; fast_pattern:only; content:"User-Agent|3a 20|"; http_header; depth:12; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/misc\.php\?[A-F0-9]{250,}$/U"; reference:md5,66bbfc1e5b027eb48c76078129194015; classtype:trojan-activity; sid:2022284; rev:3; metadata:created_at 2015_12_18, updated_at 2015_12_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|ssl-tree.ru"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022286; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|foenglera.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022287; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET TROJAN Possible Gootkit CnC SSL Cert M8"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|0f|Central America"; distance:1; within:16; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:trojan-activity; sid:2022292; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|rommen-haft.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022293; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_21, updated_at 2016_07_01;)

#alert ip $HOME_NET any -> [206.72.206.74,206.72.206.75,206.72.206.76,206.72.206.77,206.72.206.78,66.45.241.130,66.45.241.131,66.45.241.132,66.45.241.133,66.45.241.134] any (msg:"ET TROJAN Kelihos CnC Server Activity"; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; reference:url,blog.malwaremustdie.org/2015/12/mmd-0046-2015-kelihos-cnc-activity-on.html; classtype:trojan-activity; sid:2022294; rev:1; metadata:created_at 2015_12_21, updated_at 2015_12_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ironhalo CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:".php"; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0(compatible|3b|MSIE 8.0|3b|Windows NT 6.1|29 0d 0a|"; http_header; fast_pattern:22,20; pcre:"/\.php$/U"; reference:md5,fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html; classtype:trojan-activity; sid:2022298; rev:1; metadata:created_at 2015_12_22, updated_at 2015_12_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN AlphaCrypt CnC Beacon 6"; flow:established,to_server; urilen:>250; content:"GET"; http_method; content:".php?"; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.3|3b 20|WOW64|3b 20|Trident/7.0|3b 20|Touch|3b 20|rv|3a|11.0) like Gecko|0d 0a|"; http_header; depth:89; fast_pattern:59,20; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/[a-z]+\.php\?[A-F0-9]{250,}$/U"; reference:md5,66bbfc1e5b027eb48c76078129194015; classtype:trojan-activity; sid:2022300; rev:2; metadata:created_at 2015_12_22, updated_at 2015_12_22;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|givemyporn.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022301; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|qiqiqiqiqiqi.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022302; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN ASCII Executable Inside of MSCOFF File DL Over HTTP"; flow:established,from_server; flowbits:isset,et.MCOFF; file_data; content:"|34 64 35 61|"; content:"|35 34 36 38 36 39 37 33 32 30 37 30 37 32 36 66 36 37 37 32 36 31 36 64 32 30|"; distance:38; reference:md5,f4ee917a481e1718ccc749d2d4ceaa0e; classtype:trojan-activity; sid:2022303; rev:2; metadata:created_at 2015_12_23, updated_at 2015_12_23;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 97 ae 20 7e 61 5f 58 15|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022305; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 9d a8 74 c5 50 98 dd 09|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022306; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 a6 75 8f 19 30 3e 46 58|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022307; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|monosuflex.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022308; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Powersploit Framework Script Downloaded"; flow:to_client,established; file_data; content:"function Invoke-"; depth:16; content:"|0a 7b 0a 3c 23 0a 2e 53 59 4e 4f 50 53 49 53 0a|"; distance:0; content:"|0a|PowerSploit Function|3a 20|"; distance:0; reference:md5,0aa391dc6d9ebec2f5d0ee6b4a4ba1fa; classtype:trojan-activity; sid:2022309; rev:1; metadata:created_at 2015_12_24, updated_at 2015_12_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BBSRAT GET request CnC"; flow:to_server,established; content:"GET"; http_method; content:"/bbs/"; depth:5; fast_pattern; http_uri; content:"/forum.php?sid="; http_uri; distance:0; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|Windows NT 5.1)"; http_header; pcre:"/[A-F0-9]{8}(?:-[A-F0-9]{4}){2}-[A-F0-9]{8}/C"; pcre:"/^\/bbs\/(?P<counter>[a-f0-9]+)\/forum\.php\?sid=(?P=counter)$/Ui"; reference:md5,8cd233d3f226cb1bf6bf15aca52e0e36; reference:url,researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/; classtype:trojan-activity; sid:2022310; rev:1; metadata:created_at 2015_12_24, updated_at 2015_12_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BBSRAT POST request CnC"; flow:to_server,established; content:"POST"; http_method; content:"/bbs/"; depth:5; fast_pattern; http_uri; content:"/forum.php?sid="; http_uri; distance:0; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|Windows NT 5.1)"; http_header; pcre:"/[A-F0-9]{8}(?:-[A-F0-9]{4}){2}-[A-F0-9]{8}/C"; pcre:"/^\/bbs\/(?P<counter>[a-f0-9]+)\/forum\.php\?sid=(?P=counter)$/Ui"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; reference:md5,8cd233d3f226cb1bf6bf15aca52e0e36; reference:url,researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/; classtype:trojan-activity; sid:2022311; rev:1; metadata:created_at 2015_12_24, updated_at 2015_12_24;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TeslaCrypt/AlphaCrypt Variant .onion Payment Domain (czc57cr2pn3zfn4b)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|czc57cr2pn3zfn4b"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022314; rev:1; metadata:created_at 2016_12_29, updated_at 2016_12_29;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TeslaCrypt/AlphaCrypt Variant .onion Payment Domain (o7zeip6us33igmgw)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|o7zeip6us33igmgw"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022315; rev:1; metadata:created_at 2016_12_29, updated_at 2016_12_29;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TeslaCrypt/AlphaCrypt Variant .onion Payment Domain (vr6g2curb2kcidou)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vr6g2curb2kcidou"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022316; rev:1; metadata:created_at 2016_12_29, updated_at 2016_12_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot download config - SET"; flow:established,to_server; content:"GET"; http_method; content:".dat"; http_uri; content:!"Content-Type|3a|"; http_header; content:!"Referer"; http_header; pcre:"/\.dat$/U"; flowbits:set,ET.zbot.dat; flowbits:noalert; classtype:trojan-activity; sid:2022317; rev:1; metadata:created_at 2016_12_30, updated_at 2016_12_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Zbot download config"; flow:established,from_server; flowbits:isset,ET.zbot.dat; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"Content-Type|3a| application/x-ns-proxy-autoconfig"; http_header; fast_pattern:24,20; file_data; pcre:"/^(?=[a-zA-Z]*?\d)(?=[a-z0-9]*?[A-Z])[a-zA-Z0-9+/]{30}/R"; classtype:trojan-activity; sid:2022318; rev:2; metadata:created_at 2016_12_30, updated_at 2016_12_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|1terabitbit.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022321; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_12_31, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|gatecheck.info"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022322; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_12_31, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Malicious SSL certificate detected (Possible Sinkhole)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; distance:0; content:"|0a|infosec.jp"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|0e|www.infosec.jp"; distance:1; within:15; content:"snowyowl@jpnsec.com"; distance:0; reference:md5,ef5fa2378307338d4e75dece88158d77; classtype:trojan-activity; sid:2022323; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_12_31, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN BlackEnergy SSL Cert"; flow:from_server,established; content:"|09 00 e3 6e 25 fe 3f fa 53 80|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/; classtype:trojan-activity; sid:2022327; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_01_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|ibsecurity.info"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022328; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_01_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|ibcsec.xyz"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022329; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_01_04, updated_at 2016_07_01;)

alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN NanoLocker Check-in (ICMP) M2"; itype:8; icode:0; dsize:26<>35; content:"|33|"; depth:1; pcre:"/^(?=[A-F1-9]*?[a-km-zGHJ-NP-Z])[a-km-zA-HJ-NP-Z1-9]{25,34}(?:64)?$/R"; reference:md5,24273ce5ca8e84c52b270b52659304a8; reference:url,blog.emsisoft.com/2016/01/01/meet-ransom32-the-first-javascript-ransomware/; classtype:trojan-activity; sid:2022330; rev:2; metadata:created_at 2016_01_04, updated_at 2016_01_04;)

alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN NanoLocker Check-in (ICMP) M1"; itype:8; icode:0; dsize:26<>35; content:"|31|"; depth:1; pcre:"/^(?=[A-F1-9]*?[a-km-zGHJ-NP-Z])[a-km-zA-HJ-NP-Z1-9]{25,34}(?:64)?$/R"; reference:md5,24273ce5ca8e84c52b270b52659304a8; reference:url,blog.emsisoft.com/2016/01/01/meet-ransom32-the-first-javascript-ransomware/; classtype:trojan-activity; sid:2022331; rev:3; metadata:created_at 2016_01_05, updated_at 2016_01_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cryptojoker Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?info="; fast_pattern; http_uri; content:"|3a 3a|"; distance:0; http_uri; content:"|4f 4e 4c 25 35 43 6e|"; http_raw_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a 20|"; http_header; pcre:"/\x4f\x4e\x4c\x25\x35\x43\x6e$/I"; reference:url,www.bleepingcomputer.com/news/security/the-cryptojoker-ransomware-is-nothing-to-laugh-about/; reference:md5,904b0888bfa02d200091fa8ad014d016; reference:md5,bca6c1fa9b9a8bf60eecbd91e08d1323; classtype:trojan-activity; sid:2022333; rev:1; metadata:created_at 2016_01_05, updated_at 2016_01_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Malicious VBS Downloader fake image zip"; flow:to_server,established; content:"GET"; http_method; content:".zip"; http_uri; nocase; fast_pattern:only; content:"Content-Type|3a 20|text/plain|3b| Charset=UTF-8|0d 0a|"; http_header; pcre:"/\.(?:gif|jpe?g)\.zip$/Ui"; reference:md5,7b678a25c533652dbb0c2a2ac37cf1e3; classtype:trojan-activity; sid:2022334; rev:1; metadata:created_at 2016_01_05, updated_at 2016_01_05;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ELF.MrBlack DOS.TF Malformed Lookup (/lib32/libc.so.6)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|/lib32/libc|02|so|01|6|00|"; fast_pattern; distance:0; nocase; reference:md5,312fa52a7992e58359cb68bb0f029ea7; reference:url,blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html; classtype:trojan-activity; sid:2022335; rev:2; metadata:created_at 2016_01_06, updated_at 2016_01_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN ELF.MrBlack DOS.TF Variant"; flow:established,to_server; content:"Linux_"; offset:8; depth:6; content:"TF-"; distance:58; within:3; fast_pattern; reference:url,blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html; classtype:trojan-activity; sid:2022336; rev:2; metadata:created_at 2016_01_06, updated_at 2016_01_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Win32.Nitol.K Variant CnC"; flow:established,to_server; content:"|0b 00 00 00 00|"; depth:5; content:"Windows|20|"; distance:3; within:8; content:"|00|"; within:5; content:"|7c b4 ab b2 a5 7c|"; fast_pattern:only; reference:md5,56bff68317a0af08f749a1c717125cf3; classtype:trojan-activity; sid:2022337; rev:2; metadata:created_at 2016_01_06, updated_at 2016_01_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DustySky Payload Link Request"; flow:established,to_server; content:"GET"; http_method; content:".php?id="; http_uri; fast_pattern; content:"&token1="; http_uri; distance:0; content:"&token2="; http_uri; distance:0; content:"&C="; http_uri; distance:0; content:!"Referer|3a|"; http_header; pcre:"/\/[A-Za-z]+\.php\?((?:id|token1|token2|C)=[A-Za-z0-9\/=+%]*={0,2}&?){4}$/U"; reference:url,clearskysec.com/wp-content/uploads/2016/01/Operation DustySky_TLP_WHITE.pdf; classtype:trojan-activity; sid:2022343; rev:1; metadata:created_at 2016_01_07, updated_at 2016_01_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Bulta CnC Beacon "; flow:established,to_server; content:"|1f 93 97 d3 94 01 69 49 4d 7b a7 ac f6 7a|"; depth:14; reference:md5,8dd612b14a2a448e8b1b6f3d09909e45; classtype:trojan-activity; sid:2022345; rev:2; metadata:created_at 2016_01_08, updated_at 2016_01_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Bulta DNS Lookup (kugo.f3322.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|kugo|05|f3322|03|net|00|"; nocase; distance:0; fast_pattern; reference:md5,8dd612b14a2a448e8b1b6f3d09909e45; classtype:trojan-activity; sid:2022346; rev:2; metadata:created_at 2016_01_08, updated_at 2016_01_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Bulta DNS Lookup (yk.ftwxw.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|yk|05|ftwxw|03|com|00|"; nocase; distance:0; fast_pattern; reference:md5,5b9a9e363f46f09e7f40c5cde2c90361; classtype:trojan-activity; sid:2022347; rev:2; metadata:created_at 2016_01_08, updated_at 2016_01_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN EvilGrab or APT.9002 DNS Lookup (secvies.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|secvies|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:trojan-activity; sid:2022355; rev:2; metadata:created_at 2016_01_13, updated_at 2016_01_13;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TrochilusRAT DNS Lookup (security-centers.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|security-centers|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:trojan-activity; sid:2022356; rev:2; metadata:created_at 2016_01_13, updated_at 2016_01_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Linux/Torte Downloading Binary"; flow:established,to_server; urilen:8; content:"/crond"; http_uri; fast_pattern:only; pcre:"/^\/crond(?:32|64)$/U"; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|rv|3a|18.0) Gecko/20100101 Firefox/18.0|0d 0a|"; reference:url,blog.malwaremustdie.org/2016/01/mmd-0050-2016-incident-report-elf.html; classtype:trojan-activity; sid:2022357; rev:1; metadata:created_at 2016_01_13, updated_at 2016_01_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Linux/Torte Checkin"; flow:established,to_server; content:"/logo.gif?sessd="; http_uri; fast_pattern:only; content:"&sessc="; http_uri; content:"&sessk="; http_uri; distance:0; content:"User-Agent|3a 20|Mozilla/5.0 (Windows|3b 20|U|3b 20|Windows NT 5.1|3b 20|"; pcre:"/^(?:zh-CN|en-US)\x3b rv\x3a1\.7\.6\)\r\n/R"; reference:url,blog.malwaremustdie.org/2016/01/mmd-0050-2016-incident-report-elf.html; classtype:trojan-activity; sid:2022358; rev:2; metadata:created_at 2016_01_13, updated_at 2016_01_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TrochilusRAT CnC Beacon 1"; flow:established,to_server; dsize:8; content:"|bf bf af af 7e 00 00 00|"; fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:trojan-activity; sid:2022360; rev:3; metadata:created_at 2016_01_13, updated_at 2016_01_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TrochilusRAT CnC Beacon 2"; flow:established,to_server; dsize:13; content:"|07 0d 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:trojan-activity; sid:2022361; rev:2; metadata:created_at 2016_01_13, updated_at 2016_01_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Agent.XST Checkin"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:!"Accept|3a|"; http_header; content:"Content-Type|3a 20|text/html|0d 0a|"; http_header; content:"this is UP"; depth:10; http_client_body; fast_pattern; content:"|00 00 00 00|"; http_client_body; reference:md5,d579d7a42ff140952da57264614c37bc; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:trojan-activity; sid:2022362; rev:1; metadata:created_at 2016_01_13, updated_at 2016_01_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Agent.XST Keepalive"; flow:established,to_server; content:"POST|20|"; depth:5; content:".asp|20|HTTP/1."; distance:0; content:!"Referer|3a|"; distance:0; content:!"Accept|3a|"; distance:0; content:"Content-Length|3a 20|2|0d 0a|"; distance:0; fast_pattern; content:"Content-Type|3a 20|text/html|0d 0a|"; content:"|0d 0a 0d 0a|ok"; distance:0; threshold: type limit, count 1, seconds 60, track by_src; reference:md5,d579d7a42ff140952da57264614c37bc; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:trojan-activity; sid:2022363; rev:2; metadata:created_at 2016_01_13, updated_at 2016_01_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ELF.STD.ddos Checkin"; flow:established,to_server; dsize:28; content:"2-1Q3@@4V-9-W$p#=A#9c=#W~,|0d 0a|"; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=2747&start=20#p27639; classtype:trojan-activity; sid:2022367; rev:2; metadata:created_at 2016_01_14, updated_at 2016_01_14;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|PA|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022385; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_01_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|relaxsaz.com"; distance:1; within:13; reference:md5,9b8fed949202b860d49f326d5e33bb35; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022386; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_01_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|contora24.com"; distance:1; within:14; reference:md5,9b8fed949202b860d49f326d5e33bb35; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022387; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_01_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|websecuranalitic.com"; distance:1; within:21; reference:md5,105213be0a168d5e3eb0e4ff0262cf12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022388; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_01_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|moneyclass24.com"; distance:1; within:17; reference:md5,105213be0a168d5e3eb0e4ff0262cf12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022389; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_01_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|07|vle.cli"; distance:1; within:8; reference:md5,678129a67898174fdb7e8c70ebcca6c3; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022390; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_01_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|1E|www.nonewhateverplanred.juegos"; distance:1; within:31; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022391; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_01_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|1E|www.removenationalstiff.taipei"; distance:1; within:31; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022392; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_01_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|20|www.fightingmotioncertainly.page"; distance:1; within:33; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022393; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_01_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0D|dinuspuka.net"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022394; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_01_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0D|popredrak.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022395; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_01_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|vorlager.ru"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022396; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_01_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|IR|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022397; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_01_21, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Cryptolocker Payment Page (4nauizsaaopuj3qj)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|4nauizsaaopuj3qj"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022398; rev:1; metadata:created_at 2016_01_21, updated_at 2016_01_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Cryptolocker Payment Page (aynfksddnnfwkd)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|aynfksddnnfwkd"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022399; rev:1; metadata:created_at 2016_01_21, updated_at 2016_01_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Cryptolocker Payment Page (krfdnhfnsai3d)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|krfdnhfnsai3d"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022400; rev:1; metadata:created_at 2016_01_21, updated_at 2016_01_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET !5938 (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 104"; flow:established,to_server; dsize:>11; content:"|78 9c|"; offset:9; depth:21; fast_pattern; byte_test:4,<,65535,-14,relative,little; byte_test:4,<,65535,-10,relative,little; byte_jump:4,-10,relative,little,post_offset 3; isdataat:!1,relative; pcre:"/^.{9,28}\x78\x9c/s"; reference:url,researchcenter.paloaltonetworks.com/2015/09/musical-chairs-multi-year-campaign-involving-new-variant-of-gh0st-malware/; classtype:trojan-activity; sid:2022401; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2016_01_22, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/7ev3n Ransomware Initial Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?RIGHTS="; http_uri; fast_pattern; nocase; content:"&WIN="; http_uri; distance:0; nocase; content:"User-Agent|3a 20|Internet Explorer|0d 0a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,9f8bc96c96d43ecb69f883388d228754; classtype:trojan-activity; sid:2022402; rev:1; metadata:created_at 2016_01_22, updated_at 2016_01_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/7ev3n Ransomware Process Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?SSTART="; http_uri; nocase; content:"&CRYPTED_DATA="; http_uri; nocase; distance:0; fast_pattern; content:"&ID="; http_uri; nocase; distance:0; content:"User-Agent|3a 20|Internet Explorer|0d 0a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,9f8bc96c96d43ecb69f883388d228754; classtype:trojan-activity; sid:2022403; rev:1; metadata:created_at 2016_01_22, updated_at 2016_01_22;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|kuklovodw.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022404; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_01_22, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LeChiffre Ransomware CnC"; flow:to_server,established; content:"GET"; http_method; content:"/sipvoice.php?"; http_uri; depth:14; fast_pattern; content:"&session="; http_uri; distance:0; content:"Keep-Alive|3a 20|300"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|Synapse)"; http_header; reference:md5,4523ccfd191dcceeae8e884f82f5c7ad; reference:url,blog.malwarebytes.org/intelligence/2016/01/draft-lechiffre-a-manually-run-ransomware/; classtype:trojan-activity; sid:2022406; rev:1; metadata:created_at 2016_01_25, updated_at 2016_01_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Kaicone.A Checkin via HTTP POST"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Plug="; http_client_body; depth:5; fast_pattern; content:"Instituto="; http_client_body; distance:0; content:"&AV="; http_client_body; distance:0; content:!"Referer|3a 20|"; http_header; reference:md5,0dfaf7a70859ddb86296276dc20ce1ae; classtype:trojan-activity; sid:2022407; rev:1; metadata:created_at 2016_01_25, updated_at 2016_01_25;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|BW|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022408; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_01_26, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 1"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|9i7ffdgvffibow7|09|vrnserver|02|ru|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022411; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|aaa123|05|spdns|02|de|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022412; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|accounts|09|yourturbe|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022413; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 4"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|account|0f|websurprisemail|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022414; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 5"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|addi|05|apple|07|cloudns|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022415; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 6"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|admin|05|spdns|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022416; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 7"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|apple|0f|lenovositegroup|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022417; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 8"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|bailee|06|alanna|07|cloudns|03|biz|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022418; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 9"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|bee|04|aoto|07|cloudns|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022419; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 10"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|bits|07|githubs|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022420; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 11"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|book|0f|websurprisemail|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022421; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|clean|08|popqueen|07|cloudns|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022422; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 13"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|desk|0f|websurprisemail|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022423; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 14"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|detail43|0a|myfirewall|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022424; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 15"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|dolat|0f|websurprisemail|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022425; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 16"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|dolet|0f|websurprisemail|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022426; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 17"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|economy|05|spdns|02|de|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022427; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 18"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|economy|05|spdns|02|eu|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022428; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 19"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|eemete|07|freetcp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022429; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 20"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|firefox|05|spdns|02|de|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022430; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 21"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|firewallupdate|10|firewall-gateway|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022431; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 22"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|fish|07|seafood|07|cloudns|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022432; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 23"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|ftp112|05|lenta|07|cloudns|02|pw|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022433; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 24"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|github|0a|ignorelist|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022434; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 25"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|islam|10|youtubesitegroup|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022435; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 26"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|kissecurity|10|firewall-gateway|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022436; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 27"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|liumingzhen|05|myftp|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022437; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 28"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|mail|10|firewall-gateway|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022438; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 29"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|mareva|09|catherine|07|cloudns|02|us|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022439; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 30"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|mm|0f|lenovositegroup|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022440; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 31"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|muslim|09|islamhood|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022441; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 32"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|news|10|firewall-gateway|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022442; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 33"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|opero|05|spdns|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022443; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 34"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|otcgk|06|border|07|cloudns|02|pw|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022444; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 35"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|01|p|05|klark|07|cloudns|02|in|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022445; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 36"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|ppcc|0a|vasilevich|07|cloudns|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022446; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 37"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|press|0f|ufoneconference|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022447; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 38"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|qq|09|yourturbe|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022448; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 39"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|sys|10|firewall-gateway|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022449; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 40"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|vip|05|yahoo|07|cloudns|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022450; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 41"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|webmail|09|yourturbe|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022451; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 42"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|www|05|37513|02|cn|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022452; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 43"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|www|08|angleegg|04|xxxy|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022453; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 45"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|www|08|googmail|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022455; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 46"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|www|06|gorlan|07|cloudns|03|pro|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022456; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 47"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|www|06|uyghur|03|25u|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022457; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 48"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|www|07|uyghuri|06|MrFace|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022458; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 49"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|youturbe|02|co|02|cc|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022459; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 50"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|yycc|07|mrbonus|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022460; rev:1; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 44"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|zjhao|05|dtdns|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022461; rev:2; metadata:created_at 2016_01_27, updated_at 2016_01_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Neutrino Checkin 2"; flow:to_server,established; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"auth=1"; http_client_body; depth:6; pcre:"/^auth=1$/P"; metadata: former_category TROJAN; reference:md5,25bd222c947fcbb7e1fb9f6e176ea53f; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:trojan-activity; sid:2022462; rev:2; metadata:created_at 2016_01_27, updated_at 2017_03_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Neutrino Checkin 3"; flow:to_server,established; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"exec=1&task_id="; http_client_body; depth:15; fast_pattern; metadata: former_category TROJAN; reference:md5,25bd222c947fcbb7e1fb9f6e176ea53f; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:trojan-activity; sid:2022463; rev:2; metadata:created_at 2016_01_27, updated_at 2017_03_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bedep Connectivity Check M2"; flow:established,to_server; content:"GET"; http_method; content:"/stats/eurofxref/eurofxref-hist-90d.xml"; http_uri; nocase; content:"Host|3a 20|www.ecb.europa.eu|0d 0a|"; http_header; nocase; content:"Accept|3a 20|text/html, application/xhtml+xml, */*|0d 0a|"; http_header; pcre:"/^(?:Connection\x3a[^\r\n]+\r\n)?Accept\x3a[^\r\n]+\r\n(?:Accept-Encoding\x3a[^\r\n]+\r\n)?Accept-Language\x3a[^\r\n]+\r\n(?:Referer\x3a[^\r\n]+[^\r\n]*?\r\n)?User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/Hi"; classtype:trojan-activity; sid:2022467; rev:1; metadata:created_at 2016_01_28, updated_at 2016_01_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CenterPOS User Agent Observed"; flow:established,to_server; content:"User-Agent|3a 20|IDOSJNDX|0d 0a|"; fast_pattern; flowbits:set,ET.centerpos; reference:md5,0e278436fb49f9ab0d1a3da792cfb0c3; reference:url,www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html; classtype:trojan-activity; sid:2022468; rev:1; metadata:created_at 2016_01_28, updated_at 2016_01_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CenterPOS CnC"; flow:established,to_server; content:"POST"; content:".php"; http_uri; content:"mode="; depth:5; fast_pattern; nocase; http_client_body; content:"&uid="; nocase; http_client_body; distance:0; content:"&osname="; nocase; http_client_body; distance:0; content:"&compname="; nocase; http_client_body; distance:0; pcre:"/\.php$/U"; flowbits:set,ET.centerpos; reference:md5,0e278436fb49f9ab0d1a3da792cfb0c3; reference:url,www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html; classtype:trojan-activity; sid:2022469; rev:1; metadata:created_at 2016_01_28, updated_at 2016_01_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN CenterPOS Delete Plugins"; flow:to_client,established; flowbits:isset,ET.centerpos; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"|7c|delplugs|20|"; fast_pattern; reference:md5,0e278436fb49f9ab0d1a3da792cfb0c3; reference:url,www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html; classtype:trojan-activity; sid:2022470; rev:1; metadata:created_at 2016_01_28, updated_at 2016_01_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN CenterPOS Load Plugins"; flow:to_client,established; flowbits:isset,ET.centerpos; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"|7c|loadplug|20|"; fast_pattern; reference:md5,0e278436fb49f9ab0d1a3da792cfb0c3; reference:url,www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html; classtype:trojan-activity; sid:2022471; rev:1; metadata:created_at 2016_01_28, updated_at 2016_01_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CenterPOS CnC 2"; flow:established,to_server; content:"POST"; content:".php"; http_uri; content:"mode="; depth:5; fast_pattern; nocase; http_client_body; content:"&uid="; nocase; http_client_body; distance:0; content:"&comid="; nocase; http_client_body; distance:0; pcre:"/\.php$/U"; flowbits:set,ET.centerpos; reference:md5,0e278436fb49f9ab0d1a3da792cfb0c3; reference:url,www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html; classtype:trojan-activity; sid:2022472; rev:1; metadata:created_at 2016_01_28, updated_at 2016_01_28;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CustomRAT DNS lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|www729448908|05|f3322|03|org|00|"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022473; rev:1; metadata:created_at 2016_01_28, updated_at 2016_01_28;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|buhzgalter.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022474; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_01_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ursnif Injects)"; flow:from_server,established; content:"|55 04 03|"; content:"|0f|docknetwork.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022475; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_01_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|macroflex.net"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022476; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_01_29, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mokes CnC Keep-Alive"; flow:established,to_server; urilen:3; content:"GET"; http_method; content:"/v1"; depth:3; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:"User-Agent|3a|"; http_header; content:"Accept"; http_header; threshold: type both, count 9, seconds 60, track by_src; reference:url,securelist.com/blog/research/73503/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/; classtype:trojan-activity; sid:2022477; rev:1; metadata:created_at 2016_02_01, updated_at 2016_02_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Zeus CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|13|ashirimi-critism.kz"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022478; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_02_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www."; distance:1; within:5; content:".com"; distance:8; within:4; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[a-zA-Z0-9]+\x2e[01]/R"; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022480; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_02_01, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN JS/Nemucod requesting EXE payload 2016-02-01"; flow:to_server,established; content:"GET"; http_method; content:".exe"; http_uri; nocase; content:!"Referer|3a| "; nocase; http_header; pcre:"/\/[0-9]{2}\.exe$/iU"; flowbits:set,ET.nemucod.exerequest; reference:url,certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,8bdc81393a4fcfaf6d1b8dc01486f2f0; classtype:trojan-activity; sid:2022482; rev:1; metadata:created_at 2016_02_02, updated_at 2016_02_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN JS/Nemucod requesting EXE payload 2016-01-28"; flow:to_server,established; urilen:>82; content:"GET"; http_method; content:"/counter/?id="; http_uri; nocase; content: "&rnd="; http_uri; nocase; content:!"Referer|3a| "; nocase; http_header; pcre:"/\/counter\/\?id=[A-Z0-9_-]{60,}&rnd=\d{1,}$/iU"; flowbits:set,ET.nemucod.exerequest; reference:url,certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,d5c5cc9cae2e9a7a2d3a77efcb526e4c; classtype:trojan-activity; sid:2022483; rev:5; metadata:created_at 2016_02_02, updated_at 2016_11_18;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|02|NY"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|08|New York"; distance:1; within:9; fast_pattern; content:"|55 04 03|"; byte_test:1,>,27,1,relative; byte_test:1,<,30,1,relative; pcre:"/^.{2}[a-z]{25}\.[a-z]{2,3}[01]/Rs"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022488; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_02_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|KM|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022489; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_02_04, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TeslaCrypt/AlphaCrypt Variant .onion Payment Domain(yez2o5lwqkmlv5lc)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yez2o5lwqkmlv5lc"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022490; rev:1; metadata:created_at 2016_02_04, updated_at 2016_02_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Download Request Containing Suspicious Filename - Crypted"; flow:to_server,established; content:"GET"; http_method; content:"crypted.exe"; nocase; fast_pattern; http_uri; content:!"Referer|3a|"; http_header; pcre:"/crypted\.exe$/Ui"; reference:md5,ff823130efcdf8ab267cad92eb5b90d7; reference:md5,e953e6b3be506c5b8ca80fbcd79c065e; reference:md5,1e2fa2e401cd2295a03ba8d8d3d3698b; classtype:trojan-activity; sid:2022491; rev:1; metadata:created_at 2016_02_04, updated_at 2016_02_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Fluxer CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/gate.php?id="; http_uri; fast_pattern; content:"&ver="; http_uri; distance:0; content:"&m="; http_uri; distance:0; content:"User-Agent|3a 20|Mozilla|0d 0a|"; http_header; content:"Connection|3a 20|Close|0d 0a|"; http_header; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; pcre:"/&m=\d$/Ui"; reference:md5,648f432b41f3bcebc1a599f529055cf0; classtype:trojan-activity; sid:2022492; rev:1; metadata:created_at 2016_02_04, updated_at 2016_02_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/LockScreen CnC HTTP Pattern"; flow:established,to_server; content:"GET"; http_method; content:",0x"; http_uri; fast_pattern:only; pcre:"/(?:,0x[0-9a-f]{2}){10}$/U"; pcre:"/^Host\x3a[^\r\n]+\r\n(?:\r\n)?$/H"; reference:md5,8df8d0cd70f96538211c65fb6361704d; classtype:trojan-activity; sid:2022494; rev:1; metadata:created_at 2016_02_08, updated_at 2016_02_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/HydraCrypt CnC Beacon 1"; flow:established,to_server; content:"GET"; http_method; urilen:11; content:"/flamme.php"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"Host|3a|"; depth:5; http_header; pcre:"/^Host\x3a[^\r\n]+\r\nConnection\x3a\x20Keep-Alive\r\nCache-Control\x3a no-cache+\r\n(?:\r\n)?$/H"; classtype:trojan-activity; sid:2022495; rev:1; metadata:created_at 2016_02_08, updated_at 2016_02_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TeslaCrypt/AlphaCrypt Variant .onion Payment Domain(fwgrhsao3aoml7ej)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fwgrhsao3aoml7ej"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022501; rev:1; metadata:created_at 2016_02_10, updated_at 2016_02_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"Referer|3a|"; http_header; content:"Accept|3a 20|"; http_header; content:".php|20|HTTP/1.1|0d 0a|Accept|3a 20|"; fast_pattern:3,20; pcre:"/^(?!\r\n|m(?:ultipart|essage|odel)|a(?:pplication|udio|ccept)|(?:exampl|imag)e|video|text|\*)[^\r\n]+\r\n/Ri"; pcre:"/\.php$/U"; reference:md5,35a6de1e8dbea19bc44cf49ae0cae59e; classtype:trojan-activity; sid:2022502; rev:1; metadata:created_at 2016_02_10, updated_at 2016_02_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Alphacrypt/TeslaCrypt Ransomware CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"Referer|3a|"; http_header; content:"data="; depth:5; http_client_body; fast_pattern; pcre:"/^data=[A-F0-9]{100,}$/P"; pcre:"/\.php$/U"; content:!"driftmania"; http_header; content:!"coreftp.com|0d 0a|"; http_header; content:"User-Agent|3a 20|Mozilla"; http_header; reference:md5,a3440b6117f3783989683753c9f394dd; classtype:trojan-activity; sid:2022504; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_02_10, malware_family Ransomware, malware_family Alphacrypt, malware_family TeslaCrypt, performance_impact Low, updated_at 2016_11_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Gaudox Checkin"; flow:to_server,established; content:".php"; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (X11|3b 20|Linux i586|3b 20|rv|3a|31.0) Gecko/20100101 Firefox/31.0|0d 0a|"; fast_pattern:25,20; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/^.{0,15}[^\x20-\x7e\r\n]/Ps"; pcre:"/\.php$/U"; reference:md5,5d662258fd506b87dc5d3f8fce1ff784; classtype:trojan-activity; sid:2022505; rev:3; metadata:created_at 2016_02_11, updated_at 2016_02_11;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TeslaCrypt/AlphaCrypt Payment DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|javajvlsworf3574"; nocase; distance:0; fast_pattern; reference:md5,ff50a331feec575b505976cb0506ebfd; classtype:trojan-activity; sid:2022507; rev:1; metadata:created_at 2016_02_11, updated_at 2016_02_11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|CO|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s[A-Z]/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}[01]/R"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022508; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_02_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|CR|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s[A-Z]/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}[01]/R"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022509; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_02_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|susana24.com"; distance:1; within:13; reference:md5,23cfdb9896cadd54f935ed4e2df2e0a4; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022510; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_02_12, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|wartan24.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022511; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_02_12, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|kitoboyka.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022512; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_02_12, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|vestostnord.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022513; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_02_12, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e3 bf f2 e1 26 c5 4c 2c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022514; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_02_12, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bedep Connectivity Check M3"; flow:established,to_server; content:"GET"; http_method; content:"/stats/eurofxref/eurofxref-hist-90d.xml"; http_uri; fast_pattern; nocase; content:"Host|3a 20|www.ecb.europa.eu|0d 0a|"; http_header; nocase; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; pcre:"/^User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/Hmi"; classtype:trojan-activity; sid:2022519; rev:3; metadata:created_at 2016_02_13, updated_at 2016_02_13;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|YU|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s[A-Z]/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}[01]/R"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022521; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_02_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|SA|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s[A-Z]/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}[01]/R"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022522; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_02_15, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/GCman.Backdoor CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/s2.cgi"; http_uri; depth:15; content:!"Referer|3A|"; http_header; pcre:"/^[a-f0-9]{31}\x3B(?:[a-zA-Z0-9+/=]+)?\r?$/P"; reference:md5,8a18846e17244db9af90009ddab341ce; reference:url,securelist.com/blog/research/73638/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/; classtype:trojan-activity; sid:2022529; rev:1; metadata:created_at 2016_02_16, updated_at 2016_02_16;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|02|NY"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|02|NY"; distance:1; within:3; fast_pattern; content:"|55 04 03|"; distance:0; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"admin@"; distance:2; within:6; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022534; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_02_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|03 02 01 02 02 09 00|"; fast_pattern; content:"|30 09 06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:!"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[A-Z][a-z]{3,}\s(?:[A-Z][a-z]{3,}\s)?(?:[A-Z](?:[A-Za-z]{0,4}?[A-Z]|(?:\.[A-Za-z]){1,3})|[A-Z]?[a-z]+|[a-z](?:\.[A-Za-z]){1,3})\.?[01]/Rs"; content:"|55 04 03|"; distance:0; byte_test:1,>,7,1,relative; pcre:"/^.{2}(?!www)\d?[A-Z]?(?:[a-z]{3,20}\.)?[a-z]{5,}(?:\d[a-z]{5,})?\.[a-z]{2,5}[01]/Rs"; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022535; rev:10; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_02_17, updated_at 2016_11_02;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|tatar28.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022536; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_02_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|giviklorted.at"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022537; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_02_17, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ransomware Locky CnC Beacon"; flow:established,to_server; urilen:9; content:"POST"; http_method; content:"/main.php"; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; content:"Content-Length|3a 20|10"; http_header; content:"|0d 0a|"; distance:1; within:2; http_header; content:"Connection|3a 20|Keep-Alive|0d 0a|"; distance:0; http_header; pcre:"/\.php$/U"; pcre:"/^.{0,15}[^\x20-\x7e\r\n]/Ps"; reference:md5,b06d9dd17c69ed2ae75d9e40b2631b42; classtype:trojan-activity; sid:2022538; rev:4; metadata:created_at 2016_02_17, updated_at 2016_02_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible OceanLotus Time Check to Microsoft.com"; flow:to_server,established; content:"GET|20 20|HTTP/1.0|0d 0a|"; depth:15; content:"www.microsoft.com"; distance:6; within:23; reference:url,www.alienvault.com/open-threat-exchange/blog/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:trojan-activity; sid:2022539; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Possible OceanLotus CnC Heartbeat"; flow:to_client,established; dsize:14; content:"|75 7a 76 7e 1a 1b 1b 1b 1b 1b 11 1b 1b 1b|"; fast_pattern; threshold: type limit, count 1, track by_src, seconds 60; reference:url,www.alienvault.com/open-threat-exchange/blog/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:trojan-activity; sid:2022540; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible OceanLotus C2 Checkin"; flow:to_server,established; content:"GET"; http_method; content:".db?k="; fast_pattern; http_uri; content:"?q="; http_uri; distance:0; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; pcre:"/\?q=[a-f0-9]{32}$/Ui"; reference:url,www.alienvault.com/open-threat-exchange/blog/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:trojan-activity; sid:2022541; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware Locky .onion Payment Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|6dtxgqam4crv6rr6"; nocase; distance:0; fast_pattern; reference:md5,b06d9dd17c69ed2ae75d9e40b2631b42; classtype:trojan-activity; sid:2022548; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FrameworkPOS CnC Server Reporting IP Address To Agent"; flow:established,to_client; file_data; content:"=="; depth:2; content:"=="; within:17; fast_pattern; file_data; content:"=="; depth:2; pcre:"/^(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3})(?:={2})/R"; reference:url,threatstream.com/blog/three-month-frameworkpos-malware-campaign-nabs-43000-credits-cards-from-point-of-sale-systems; reference:md5,591e820591e10500fe939d6bd50e6776; classtype:trojan-activity; sid:2022552; rev:1; metadata:created_at 2016_02_22, updated_at 2016_02_22;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fa 85 d0 ad 8b ad f1 59|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022553; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_02_22, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Linux/Tsunami DNS Request (updates.absentvodka.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|updates|0b|absentvodka|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,blog.linuxmint.com/?p=2994; classtype:trojan-activity; sid:2022555; rev:1; metadata:created_at 2016_02_22, updated_at 2016_02_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Linux/Tsunami DNS Request (updates.mintylinux.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|updates|0a|mintylinux|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,blog.linuxmint.com/?p=2994; classtype:trojan-activity; sid:2022556; rev:1; metadata:created_at 2016_02_22, updated_at 2016_02_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Linux/Tsunami DNS Request (eggstrawdinarry.mylittlerepo.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|eggstrawdinarry|0c|mylittlerepo|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,blog.linuxmint.com/?p=2994; classtype:trojan-activity; sid:2022557; rev:1; metadata:created_at 2016_02_22, updated_at 2016_02_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Linux/Tsunami DNS Request (linuxmint.kernel-org.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|linuxmint|0a|kernel-org|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,blog.linuxmint.com/?p=2994; classtype:trojan-activity; sid:2022558; rev:1; metadata:created_at 2016_02_22, updated_at 2016_02_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN FrameworkPOS Covert DNS CnC Initial Check In"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04 70 69 6e 67 03 61 64 6d|"; fast_pattern; distance:15; content:"|05|grp"; nocase; offset:12; reference:url,threatstream.com/blog/three-month-frameworkpos-malware-campaign-nabs-43000-credits-cards-from-point-of-sale-systems; reference:md5,591e820591e10500fe939d6bd50e6776; classtype:trojan-activity; sid:2022559; rev:1; metadata:created_at 2016_02_22, updated_at 2016_02_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware Locky .onion Payment Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|twbers4hmi6dx65f"; fast_pattern; distance:0; nocase; reference:url,www.hybrid-analysis.com/sample/02b21d4a90a2a50506711a9c120b1e51f77084eba25688f7db2b9571037465dc?environmentId=1; classtype:trojan-activity; sid:2022560; rev:1; metadata:created_at 2016_02_22, updated_at 2016_02_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TeslaCrypt/AlphaCrypt Variant .onion Payment Domain(xlowfznrg4wf7dli)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xlowfznrg4wf7dli"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022561; rev:1; metadata:created_at 2016_02_23, updated_at 2016_02_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Operation Blockbuster User-Agent (Mozillar)"; flow:to_server,established;  content:"User-Agent|3a| Mozillar"; http_header; nocase; fast_pattern; threshold: type limit, count 2, track by_src, seconds 300; reference:url,securelist.com/blog/incidents/73914/operation-blockbuster-revealed/; reference:url,www.operationblockbuster.com/resources/index.html; classtype:trojan-activity; sid:2022564; rev:4; metadata:created_at 2016_02_24, updated_at 2016_02_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely PadCrypt Locker PKG DL"; flow:established,to_server; content:".pdcr"; http_uri; nocase; pcre:"/\.pdcr$/Ui"; content:!"Referer|3a|"; http_header; reference:md5,b6d25a5629221041e857266b9188ea3b; classtype:trojan-activity; sid:2022568; rev:1; metadata:created_at 2016_02_25, updated_at 2016_02_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN PadCrypt .onion Payment Domain"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gnkltbsaeq35rejl"; fast_pattern; distance:0; nocase; reference:md5,b6d25a5629221041e857266b9188ea3b; classtype:trojan-activity; sid:2022569; rev:1; metadata:created_at 2016_02_25, updated_at 2016_02_25;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|09 00 a7 ed 6e 63 0f d0 e1 f9|"; content:"|55 04 03|"; content:"|06|server"; distance:1; within:7; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022571; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_02_26, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Andromeda Download (set)"; flow:to_server,established; content:"GET"; http_method; content:".pw|0d 0a|"; http_header; fast_pattern; pcre:"/\/\?[A-Z]{10,}$/U"; flowbits:set,ET.andromeda; flowbits:noalert; classtype:trojan-activity; sid:2022572; rev:1; metadata:created_at 2016_02_29, updated_at 2016_02_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Andromeda Download"; flow:from_server,established; flowbits:isset,ET.andromeda; content:"200"; http_stat_code; content:"Server|3a 20|nginx"; http_header; content:"Content-Description|3a 20|File Transfer|0d 0a|"; http_header; content:"Content-Disposition|3a 20|attachment|3b 20|filename="; http_header; content:"Content-Transfer-Encoding|3a| binary|0d 0a|"; fast_pattern:20,15; pcre:"/filename=[a-f0-9]{32}v\.(?:docm|zip)\x0d\x0a/Hmi"; classtype:trojan-activity; sid:2022573; rev:1; metadata:created_at 2016_02_29, updated_at 2016_02_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN jFect HTTP CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/ping"; http_uri; content:"User-Agent|3a 20|Java/"; content:"uid="; depth:4; http_client_body; content:"&group="; http_client_body; content:"&lan="; http_client_body; content:"&nameAtPc="; http_client_body; fast_pattern; nocase; content:"&os="; http_client_body; content:"&country="; http_client_body; content:"&uptime="; http_client_body; content:"&installDate="; http_client_body; nocase; content:!"Referer|3a|"; http_header; reference:md5,d19261cf449afc52532028cca110eb36; classtype:trojan-activity; sid:2022582; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware Locky .onion Payment Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|i3ezlvkoi7fwyood"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022589; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware Locky .onion Payment Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lpholfnvwbukqwye"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022590; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Godzilla Loader Base64 Filename"; flow:from_server,established; content:"200"; http_stat_code; content:"|47 4f 44 5a 49 4c 4c 41|"; http_cookie; file_data; content:"<div style=|22|display|3a|none|22| id=|22|"; depth:30; fast_pattern:10,20; pcre:"/^(?P<id>[a-z])\x22\sname=\x22(?P=id)\x22>[a-zA-Z0-9+/=]{28}/Rsi"; content:"</div>"; distance:0; within:6; classtype:trojan-activity; sid:2022594; rev:2; metadata:created_at 2016_03_04, updated_at 2016_05_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Dridex Base64 Executable"; flow:from_server,established; content:"200"; http_stat_code; content:"|47 4f 44 5a 49 4c 4c 41|"; http_cookie; file_data; content:"<div style=|22|display|3a|none|22| id=|22|"; depth:30; fast_pattern:10,20; pcre:"/^(?P<id>[a-z])\x22\sname=\x22(?P=id)\x22>TVqQAA/Rsi"; classtype:trojan-activity; sid:2022595; rev:1; metadata:created_at 2016_03_04, updated_at 2016_03_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/CHIP Ransomware CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Content-Type|3a| application/x-www-form-urlencoded"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"-----BEGIN CERTIFICATE-----"; depth:27; fast_pattern; http_client_body; content:"-----END CERTIFICATE-----"; distance:0; http_client_body; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a|\r?\n)/Hmi"; reference:md5,18189daa96e711777158d7cb599c13b1; reference:url,malware-traffic-analysis.net/2016/11/17/index.html; classtype:trojan-activity; sid:2023534; rev:2; metadata:created_at 2016_03_07, updated_at 2016_11_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN OSX/KeRanger Ransomware CnC DNS Request 1"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lclebb6kvohlkcml"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer; classtype:trojan-activity; sid:2022598; rev:1; metadata:created_at 2016_03_07, updated_at 2016_03_07;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN OSX/KeRanger Ransomware CnC DNS Request 2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bmacyzmea723xyaz"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer; classtype:trojan-activity; sid:2022599; rev:1; metadata:created_at 2016_03_07, updated_at 2016_03_07;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN OSX/KeRanger Ransomware CnC DNS Request 3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nejdtkok7oz5kjoc"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer; classtype:trojan-activity; sid:2022600; rev:1; metadata:created_at 2016_03_07, updated_at 2016_03_07;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN OSX/KeRanger Ransomware CnC DNS Request 4"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fiwf4kwysm4dpw5l"; fast_pattern; distance:0; nocase; reference:url,researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/; classtype:trojan-activity; sid:2022601; rev:1; metadata:created_at 2016_03_07, updated_at 2016_03_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Panda Banker CnC"; flow:established,to_server; content:"POST"; http_method; content:!"Content-Type|3a 20|"; http_header; content:!"Referer|3a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|"; http_header; depth:13; content:!".php"; http_uri; pcre:"/^\/[A-Za-z0-9]+(?:\/[A-F0-9]+){3,}$/U"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; pcre:"/^User-Agent\x3a[^\r\n]+?(?:MSIE|rv\x3a11)/Hm"; content:"P/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; fast_pattern:only; reference:md5,17bd012f145bba62b4e58b376d8002d3; classtype:trojan-activity; sid:2022609; rev:1; metadata:created_at 2016_03_10, updated_at 2016_03_10;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 45"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|tally|0a|myfirewall|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/03/shifting-tactics/; classtype:trojan-activity; sid:2022610; rev:1; metadata:created_at 2016_03_10, updated_at 2016_03_10;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 46"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|accountgoogle|10|firewall-gateway|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/03/shifting-tactics/; classtype:trojan-activity; sid:2022611; rev:2; metadata:created_at 2016_03_10, updated_at 2016_03_10;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scarlet Mimic DNS Lookup 47"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|filegoogle|10|firewall-gateway|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/03/shifting-tactics/; classtype:trojan-activity; sid:2022612; rev:2; metadata:created_at 2016_03_10, updated_at 2016_03_10;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Malicious SSL certificate detected (Ursnif Injects)"; flow:from_server,established; content:"|55 04 03|"; content:"|0c|dolbyfck.com"; distance:1; within:13; classtype:trojan-activity; sid:2022613; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_03_11, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TeslaCrypt/AlphaCrypt Variant .onion Payment Domain(k7tlx3ghr3m4n2tu)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|k7tlx3ghr3m4n2tu"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022614; rev:1; metadata:created_at 2016_03_14, updated_at 2016_03_14;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|marinova.am"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022623; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_03_16, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Kasidet CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e2 62 fd fd 41 2d 9c a4|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022624; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_03_16, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Suckfly/Nidiran Backdoor DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|19|microsoft-security-center|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/security_response/earthlink_writeup.jsp?docid=2015-120123-5521-99; classtype:trojan-activity; sid:2022626; rev:1; metadata:created_at 2016_03_16, updated_at 2016_03_16;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|03 02 01 02 02 09 00|"; fast_pattern; content:"|30 09 06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:!"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; pcre:"/^.{2}[A-Z][a-z]+(?:\x27[a-z]+|(?:\x20[A-Z][a-z]+){1,2})?[01]/Rs"; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[A-Z][a-z]{3,}\s(?:[A-Z][a-z]{3,}\s)?(?:[A-Z](?:[A-Za-z]{0,4}?[A-Z]|(?:\.[A-Za-z]){1,3})|[A-Z]?[a-z]+)\.?[01]/Rs"; content:"|55 04 03|"; distance:0; byte_test:1,>,7,1,relative; pcre:"/^.{2}(?:(?:\d[A-Z]?|[A-Z]\d?)[a-z]{6,20}|[A-Z]?[a-z]{3,7}\d[a-z]{3,7})\.(?:(?:\d[A-Z]?|[A-Z]\d?)[a-z]{6,20}|[A-Z]?[a-z]{3,7}\d[a-z]{3,7})\.(?!(?:com|net|org)[01])[a-z]{2,}[01]/Rs"; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022627; rev:11; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_03_17, updated_at 2016_11_11;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN Maktub Locker Payment Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bs7aygotd2rnjl4o"; fast_pattern; distance:0; nocase; reference:md5,74add6536cdcfb8b77d10a1e7be6b9ef; classtype:trojan-activity; sid:2022634; rev:1; metadata:created_at 2016_03_21, updated_at 2016_03_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET TROJAN Possible Locky Ransomware Writing Encrypted File over - SMB and SMB-DS v1 Unicode"; flow:to_server,established; content:"|ff|SMB|a2|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"|00|.|00|l|00|o|00|c|00|k|00|y|00 00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022637; rev:3; metadata:created_at 2016_03_23, updated_at 2016_03_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET TROJAN Possible Locky Ransomware Writing Encrypted File over - SMB and SMB-DS v1 ASCII"; flow:to_server,established; content:"|ff|SMB|a2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:".locky|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022638; rev:1; metadata:created_at 2016_03_23, updated_at 2016_03_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET TROJAN Possible Locky Ransomware Writing Encrypted File over - SMB and SMB-DS v2"; flow:to_server,established; content:"|FE|SMB|40 00|"; offset:4; depth:6; content:"|05 00|"; distance:6; within:2; content:"|00|.|00|l|00|o|00|c|00|k|00|y|00 00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022639; rev:5; metadata:created_at 2016_03_23, updated_at 2017_01_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN PE EXE or DLL Windows file download Text M2"; flow:established,from_server; file_data; content:"4D5A"; nocase; within:4; content:"50450000"; distance:0; content:"21546869732070726f6772616d"; nocase; fast_pattern; classtype:trojan-activity; sid:2022640; rev:1; metadata:created_at 2016_03_23, updated_at 2016_03_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Cryptolocker Payment Domain (3qbyaoohkcqkzrz6)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|10|3qbyaoohkcqkzrz6"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; classtype:trojan-activity; sid:2022647; rev:2; metadata:created_at 2016_03_23, updated_at 2018_06_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Genome User-Agent (Http Down)"; flow:established,to_server; content:"User-Agent|3a 20|Http Down"; http_header; fast_pattern; reference:md5,479306863946029e545a4803b303d74c; classtype:trojan-activity; sid:2022654; rev:1; metadata:created_at 2016_03_24, updated_at 2016_03_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN IrcBot Fantasy Name Gen"; flow:established,to_server; content:"Host|3a 20|www.fantasynamegen.com"; http_header; nocase; fast_pattern; content:!"User-Agent"; http_header; reference:md5,ca6208a4dd3f1f846aaaf4a6cbcc66ea; classtype:trojan-activity; sid:2022655; rev:1; metadata:created_at 2016_03_24, updated_at 2016_03_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN IrcBot Downloading Files via FTP"; flow:established,to_server; content:"RETR scrypt13"; depth:13; content:".cl"; distance:2; within:6; reference:md5,ca6208a4dd3f1f846aaaf4a6cbcc66ea; classtype:trojan-activity; sid:2022656; rev:1; metadata:created_at 2016_03_24, updated_at 2016_03_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN IrcBot Downloading .old"; flow:established,to_server; content:".old"; http_uri; content:".old|20|HTTP/1.1|0d 0a|Host"; content:!"User-Agent"; http_header; content:!"Referer"; http_header; content:!"Accept"; http_header; reference:md5,ca6208a4dd3f1f846aaaf4a6cbcc66ea; classtype:trojan-activity; sid:2022657; rev:1; metadata:created_at 2016_03_24, updated_at 2016_03_24;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (Locky Payment)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|32kl2rwsjvqjeui7"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022660; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_03_25, updated_at 2016_09_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (TeslaCrypt Payment)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kkd47eh4hdjshb5t"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022661; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_03_25, updated_at 2016_09_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (TorrentLocker Payment)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rzss2zfue73dfvmj"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022662; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_03_25, updated_at 2016_09_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (Locky Payment)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|twbers4hmi6dc65f"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022663; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_03_25, updated_at 2016_09_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (TorrentLocker Payment)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vrvis6ndra5jeggj"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022664; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_03_25, updated_at 2016_09_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ransomware Locky CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:11; content:"/submit.php"; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:"www-form-urlencoded|0d 0a|"; http_header; content:!"Accept"; http_header; content:"User-Agent|3a|"; http_header; pcre:"/[\x80-\xff]/P"; reference:md5,042b2e41a14b67570a993ef909621954; classtype:trojan-activity; sid:2022665; rev:4; metadata:created_at 2016_03_28, updated_at 2016_03_28;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ransomware/Cerber Checkin 2"; dsize:<11; content:"hi"; depth:2; fast_pattern; pcre:"/^[a-f0-9]{7,}$/R"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,ac4d7fb5739862e9914556ed5d50f84f; classtype:trojan-activity; sid:2023453; rev:5; metadata:created_at 2016_03_28, updated_at 2016_10_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware/Coverton Onion Domain Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lnc57humvaxpqfv3"; nocase; distance:0; fast_pattern; reference:md5,c5c4f4860c69ea7469ca3be3caf5bf18; classtype:trojan-activity; sid:2022675; rev:1; metadata:created_at 2016_03_28, updated_at 2016_03_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ransomware/Coverton Checkin"; flow:to_server,established; content:".php?ch="; http_uri; fast_pattern:only; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:"|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Content-length|3a| 0|0d 0a|"; http_header; reference:md5,c5c4f4860c69ea7469ca3be3caf5bf18; classtype:trojan-activity; sid:2022676; rev:1; metadata:created_at 2016_03_28, updated_at 2016_03_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ransomware/Coverton CnC 1"; flow:to_server,established; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:"task=report&id="; http_client_body; fast_pattern:only; reference:md5,c5c4f4860c69ea7469ca3be3caf5bf18; classtype:trojan-activity; sid:2022677; rev:1; metadata:created_at 2016_03_28, updated_at 2016_03_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ransomware/Coverton CnC 2"; flow:to_server,established; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:"task=knock&pub="; http_client_body; fast_pattern:only; reference:md5,c5c4f4860c69ea7469ca3be3caf5bf18; classtype:trojan-activity; sid:2022678; rev:1; metadata:created_at 2016_03_28, updated_at 2016_03_28;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware Locky Possible Payment Page"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|25z5g623wpqpdwis"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022680; rev:1; metadata:created_at 2016_03_28, updated_at 2016_03_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.TreasureHunter Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/gate.php"; http_uri; content:"request=true"; http_uri; fast_pattern:only; content:"request="; http_client_body; depth:8; content:!"Referer|3a 20|"; http_header; content:!"|0d 0a|Accept-"; http_header; reference:md5,070e9a317ee53ac3814eb86bc7d5bf49; reference:url,isc.sans.edu/forums/diary/How+Malware+Generates+Mutex+Names+to+Evade+Detection/19429/; classtype:trojan-activity; sid:2022681; rev:2; metadata:created_at 2016_03_29, updated_at 2016_03_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/CryptFile2 Ransomware Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; content:"|3d 30 78 30 36 2c 30 78 30 32 2c 30 78 30 30 2c 30 78 30 30|"; fast_pattern; http_client_body; content:"|2c 3c 62 72 3e 30 78|"; distance:0; http_client_body; content:"|2c 3c 62 72 3e 30 78|"; distance:0; http_client_body; content:"|2c 3c 62 72 3e 30 78|"; distance:0; http_client_body; reference:md5,5bb7d85f7a5f1d2b01efabe5635e2992; classtype:trojan-activity; sid:2022683; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_03_29, malware_family Ransomware, malware_family CryptFile2, performance_impact Low, updated_at 2016_10_24;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Zeus CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|Wureuzisen"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022684; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_03_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|whaovxeynxctdrvzn.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022685; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_03_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Backdoor.Dripion External IP Check"; flow:established,to_server; urilen:1; content:"GET"; http_method; content:"/"; http_uri; content:"User-Agent|3a 20|Mozilla/4.0|0d 0a|"; http_header; content:"Host|3a 20|www.dawhois.com|0d 0a|"; fast_pattern:only; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; reference:md5,e7205c0b80035b629d80b5e7aeff7b0e; reference:url,symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan; classtype:trojan-activity; sid:2022688; rev:1; metadata:created_at 2016_03_30, updated_at 2016_03_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Backdoor.Dripion HTTP CnC Checkin"; flow:established,to_server; urilen:1; content:"GET"; http_method; content:"/"; http_uri; content:"User-Agent|3a 20|Mozilla/4.0|0d 0a|"; http_header; fast_pattern:only; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:"|40 24|"; http_client_body; depth:2; pcre:"/^\x40\x24[^\x20-\x7e\r\n]+$/Ps"; reference:md5,e7205c0b80035b629d80b5e7aeff7b0e; reference:url,symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan; classtype:trojan-activity; sid:2022689; rev:1; metadata:created_at 2016_03_30, updated_at 2016_03_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN JS/Nemucod requesting EXE payload 2016-03-31"; flow:to_server,established; content:"GET"; http_method; content:"/counter/?ad="; http_uri; nocase; content:"="; distance:0; http_uri; content:!"Referer|3a| "; nocase; http_header; pcre:"/=\d+$/U"; flowbits:set,ET.nemucod.exerequest; reference:url,certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,c5ad81d8d986c92f90d0462bc06ac9c6; classtype:trojan-activity; sid:2022692; rev:1; metadata:created_at 2016_03_31, updated_at 2016_03_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|freemooon|03|org|00|"; fast_pattern; distance:0; content:"|00 01 00 01|"; distance:0; within:4; pcre:"/[a-z]{4,10}\x09freemooon\x03org\x00/"; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022702; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_04_05, updated_at 2016_09_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|velodrivve|03|biz|00|"; fast_pattern; distance:0; content:"|00 01 00 01|"; distance:0; within:4; pcre:"/[a-z]{4,10}\x0avelodrivve\x03biz\x00/"; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022704; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_04_05, updated_at 2016_09_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|bedrifg|03|org|00|"; fast_pattern; distance:0; content:"|00 01 00 01|"; distance:0; within:4; pcre:"/[a-z]{4,10}\x07bedrifg\x03org\x00/"; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022705; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_04_05, updated_at 2016_09_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|olimpian|03|org|00|"; fast_pattern; distance:0; content:"|00 01 00 01|"; distance:0; within:4; pcre:"/[a-z]{4,10}\x08olimpian\x03org\x00/"; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022706; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_04_05, updated_at 2016_09_08;)

alert tcp any any -> any any (msg:"ET TROJAN LuminosityLink - Data Channel Client Request 2"; flow:established,to_server; content:"CONNECT="; depth:8; content:"8_=_8"; distance:0; isdataat:!1,relative; classtype:trojan-activity; sid:2022707; rev:1; metadata:created_at 2016_04_05, updated_at 2016_04_05;)

alert tcp any any -> any any (msg:"ET TROJAN LuminosityLink - CnC Password Exfil"; flow:established,to_server; content:"PASSWORDS="; depth:10; content:"8_=_8"; distance:0; isdataat:!1,relative; classtype:trojan-activity; sid:2022709; rev:1; metadata:created_at 2016_04_05, updated_at 2016_04_05;)

alert tcp any any -> any any (msg:"ET TROJAN LuminosityLink - CnC"; flow:established,to_server; content:"ACT="; depth:4; content:"8_=_8"; distance:0; isdataat:!1,relative; classtype:trojan-activity; sid:2022710; rev:1; metadata:created_at 2016_04_05, updated_at 2016_04_05;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TeslaCrypt/AlphaCrypt Variant .onion Payment Domain(xzjvzkgjxebzreap)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xzjvzkgjxebzreap"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022711; rev:1; metadata:created_at 2016_04_05, updated_at 2016_04_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Win32/Atraps Receiving Config via Image File (steganography)"; flow:from_server,established; flowbits:isset,ET.Zberp; file_data; content:"|FF D9 23|"; distance:0; content:"$|3a|1|3a|$"; distance:0; fast_pattern; pcre:"/^[A-Za-z0-9+/=]+\x24\x3a\d+\x3a\x24$/R"; metadata: former_category TROJAN; reference:md5,3dce01df285b3570738051672664068d; classtype:trojan-activity; sid:2025070; rev:2; metadata:created_at 2016_04_06, updated_at 2017_11_29;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; content:"Internet Widgits Pty Ltd"; within:50; content:"|09 00 e6 7b 40 4f 24 b8 2a f9|"; reference:url,sslbl.abuse.ch; reference:md5,3d8d1a65ce53c6ac2e43523e82a6d471; classtype:trojan-activity; sid:2022713; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_04_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 08|"; content:"|02|FL"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|05|Tampa"; distance:1; within:6; content:"|55 04 0a|"; distance:0; content:"|1b|Realtek Semiconductor Corp."; distance:1; within:28; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022714; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_04_07, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|fedbook|03|org|00|"; fast_pattern; distance:0; content:"|00 01 00 01|"; distance:0; within:4; pcre:"/[a-z]{4,10}\x07fedbook\x03org\x00/"; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022715; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_04_07, updated_at 2016_09_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|sunsay|03|biz|00|"; fast_pattern; distance:0; content:"|00 01 00 01|"; distance:0; within:4; pcre:"/[a-z]{4,10}\x06sunsay\x03biz\x00/"; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022720; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_04_08, updated_at 2016_09_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|feellgood|03|org|00|"; fast_pattern; distance:0; content:"|00 01 00 01|"; distance:0; within:4; pcre:"/[a-z]{4,11}\x09feellgood\x03org\x00/"; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022721; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_04_08, updated_at 2016_09_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|kinomix|03|org|00|"; fast_pattern; distance:0; content:"|00 01 00 01|"; distance:0; within:4; pcre:"/[a-z]{4,11}\x07kinomix\x03org\x00/"; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022726; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_04_13, updated_at 2016_09_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|verekt|03|biz|00|"; fast_pattern; distance:0; content:"|00 01 00 01|"; distance:0; within:4; pcre:"/[a-z]{4,11}\x06verekt\x03biz\x00/"; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022727; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_04_13, updated_at 2016_09_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (TorrentLocker Payment)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|stgg5jv6mqiibmax"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022728; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_04_13, updated_at 2016_09_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|goodbird|03|biz|00|"; fast_pattern; distance:0; content:"|00 01 00 01|"; distance:0; within:4; pcre:"/[a-z]{4,10}\x08goodbird\x03biz\x00/"; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022731; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_04_13, updated_at 2016_09_08;)

alert tcp $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|www.huevo.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022733; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_04_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 c4 2f d3 44 ed 20 a4 ab|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022734; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_04_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 dd b5 a0 63 d6 36 a8 89|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022735; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_04_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"|17|private@sysprivpop.lkdd"; distance:1; within:24; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022736; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_04_14, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Virus-Encoder Ransomware Checkin"; flow:established,to_server; content:"POST"; http_method; content:"submit=submit&id="; http_client_body; fast_pattern; content:"&guid="; http_client_body; distance:0; content:"&pc="; http_client_body; distance:0; content:"&mail="; http_client_body; distance:0; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; reference:md5,57a69d5130d32da0a278c72137ca58ee; classtype:trojan-activity; sid:2022737; rev:1; metadata:created_at 2016_04_15, updated_at 2016_04_15;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|bigdoggi|03|biz|00|"; fast_pattern; distance:0; content:"|00 01 00 01|"; distance:0; within:4; pcre:"/[a-z]{4,10}\x08bigdoggi\x03biz\x00/"; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022746; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_04_19, updated_at 2016_09_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Unknown PowerShell Loader DNS Lookup (spl.noip.me)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|spl|04|noip|02|me|00|"; nocase; distance:0; fast_pattern; reference:url,fireeye.com/blog/threat-research/2016/04/ghosts_in_the_endpoi.html; classtype:trojan-activity; sid:2022747; rev:1; metadata:created_at 2016_04_19, updated_at 2016_04_19;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|barrout|03|org|00|"; fast_pattern; distance:0; content:"|00 01 00 01|"; distance:0; within:4; pcre:"/[a-z]{4,10}\x07barrout\x03org\x00/"; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022748; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_04_19, updated_at 2016_09_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Agent.XST/UP007 Checkin 2"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:!"Accept|3a|"; http_header; content:"Content-Type|3a 20|text/html|0d 0a|"; http_header; content:"this is UP"; depth:10; http_client_body; fast_pattern; content:"|00 00 00 00|"; http_client_body; reference:md5,d579d7a42ff140952da57264614c37bc; reference:url,citizenlab.org/2016/04/between-hong-kong-and-burma; classtype:trojan-activity; sid:2022749; rev:1; metadata:created_at 2016_04_20, updated_at 2016_04_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Agent.XST/UP007 Keepalive 2"; flow:established,to_server; content:"POST|20|"; depth:5; content:".asp|20|HTTP/1."; distance:0; content:!"Referer|3a|"; distance:0; content:!"Accept|3a|"; distance:0; content:"Content-Length|3a 20|5|0d 0a|"; distance:0; fast_pattern; content:"Content-Type|3a 20|text/html|0d 0a|"; content:"|0d 0a 0d 0a|READY"; distance:0; threshold:type limit, count 1, seconds 60, track by_src; reference:url,citizenlab.org/2016/04/between-hong-kong-and-burma; classtype:trojan-activity; sid:2022750; rev:1; metadata:created_at 2016_04_20, updated_at 2016_04_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN PoisonIvy SPIVY DNS Lookup (leeh0m.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|leeh0m|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/; classtype:trojan-activity; sid:2022753; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2016_04_22, malware_family PoisonIvy, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojanDownloader.Banload.XDL Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/okok/Notify.php"; fast_pattern:only; http_uri; content:"User-Agent|3a 20|Mozilla/3.0 (compatible|3b 20|Indy Library|29 0d 0a|"; http_header; reference:md5,70adf5506c767590e11bdc473c91bb38; classtype:trojan-activity; sid:2022754; rev:1; metadata:created_at 2016_04_22, updated_at 2016_04_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|beneton|03|biz|00|"; fast_pattern; distance:0; content:"|00 01 00 01|"; distance:0; within:4; pcre:"/[a-z]{4,10}\x07beneton\x03biz\x00/"; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022755; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_04_22, updated_at 2016_09_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN APT.Fwits CnC Beacon M1"; flow:established,to_server; content:"GET"; http_method; content:"/al?"; depth:4; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,24d76abbc0a10e4c977a28b33c879248; reference:url,baesystemsai.blogspot.com/2016/04/two-bytes-to-951m.html; classtype:trojan-activity; sid:2022756; rev:1; metadata:created_at 2016_04_25, updated_at 2016_04_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN APT.Fwits CnC Beacon M2"; flow:established,to_server; content:"GET"; http_method; content:"?---"; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\?---[A-Z]$/U"; reference:md5,24d76abbc0a10e4c977a28b33c879248; reference:url,baesystemsai.blogspot.com/2016/04/two-bytes-to-951m.html; classtype:trojan-activity; sid:2022757; rev:1; metadata:created_at 2016_04_25, updated_at 2016_04_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blackmoon/Banbra Configuration Request"; flow:to_server,established; content:"GET"; http_method; content:"/fcg-bin/cgi_get_portrait.fcg?uins="; depth:35; http_uri; content:"Accept|3a 20|*/*|0d 0d 0a|User-Agent"; http_header; fast_pattern; content:".qq.com|0d 0a|"; http_header; reference:url,blog.fortinet.com/post/over-100-000-south-korean-users-affected-by-blackmoon-campaign; reference:md5,bbcbd3dc203829c9cdbf7d1b057f0e79; classtype:trojan-activity; sid:2022759; rev:1; metadata:created_at 2016_04_25, updated_at 2016_04_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (Locky C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ahsqbeospcdrngfv"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022761; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_04_26, updated_at 2016_09_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|biojart|03|biz|00|"; fast_pattern; distance:0; content:"|00 01 00 01|"; distance:0; within:4; pcre:"/[a-z]{4,10}\x07biojart\x03biz\x00/"; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022762; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_04_26, updated_at 2016_09_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|benefin|03|org|00|"; fast_pattern; distance:0; content:"|00 01 00 01|"; distance:0; within:4; pcre:"/[a-z]{4,10}\x07benefin\x03org\x00/"; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022763; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_04_26, updated_at 2016_09_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Retefe Banker .onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|5qgerbbyhdz5bwca"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/diary/Retefe+is+back+in+town/20957; classtype:trojan-activity; sid:2022764; rev:1; metadata:created_at 2016_04_26, malware_family Banking_Trojan, malware_family Retefe, updated_at 2017_01_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Retefe Banker .onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yycqx6ay5oedto5f"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/diary/Retefe+is+back+in+town/20957; classtype:trojan-activity; sid:2022765; rev:1; metadata:created_at 2016_04_26, malware_family Banking_Trojan, malware_family Retefe, updated_at 2017_01_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Retefe Banker .onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|j2pjkgrlaopysagn"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/diary/Retefe+is+back+in+town/20957; classtype:trojan-activity; sid:2022766; rev:1; metadata:created_at 2016_04_26, malware_family Banking_Trojan, malware_family Retefe, updated_at 2017_01_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Retefe Banker .onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|i3e5y4ml7ru76n5e"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/diary/Retefe+is+back+in+town/20957; classtype:trojan-activity; sid:2022767; rev:1; metadata:created_at 2016_04_26, malware_family Banking_Trojan, malware_family Retefe, updated_at 2017_01_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Retefe Banker .onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iabni66w5xvwawbe"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/diary/Retefe+is+back+in+town/20957; classtype:trojan-activity; sid:2022768; rev:1; metadata:created_at 2016_04_26, malware_family Banking_Trojan, malware_family Retefe, updated_at 2017_01_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ransomware Locky CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; urilen:13; content:"/userinfo.php"; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:"www-form-urlencoded|0d 0a|"; http_header; content:!"Accept"; http_header; content:"User-Agent|3a|"; http_header; pcre:"/[\x80-\xff]/P"; reference:md5,042b2e41a14b67570a993ef909621954; classtype:trojan-activity; sid:2022769; rev:1; metadata:created_at 2016_04_27, updated_at 2016_04_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 105"; flow:to_server,established; dsize:>11; content:"|4a ae|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x4a\xae/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,ba6eaf301344de6fe1e079fa960bc698; classtype:trojan-activity; sid:2022773; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2016_04_29, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rrcspgfghsjnklts"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022777; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_05_03, updated_at 2016_09_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Locky Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ycvcjbhgkmsiyhdd"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022778; rev:1; metadata:created_at 2016_05_03, updated_at 2016_05_03;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 5.0)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|01|d|01|q|00 00 05 00 01|"; distance:0; fast_pattern; isdataat:!1,relative; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:trojan-activity; sid:2022780; rev:1; metadata:created_at 2016_05_04, updated_at 2016_05_04;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 5.1)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|01|e|01|q|00 00 05 00 01|"; distance:0; fast_pattern; isdataat:!1,relative; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:trojan-activity; sid:2022781; rev:1; metadata:created_at 2016_05_04, updated_at 2016_05_04;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 5.2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|01|f|01|q|00 00 05 00 01|"; distance:0; fast_pattern; isdataat:!1,relative; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:trojan-activity; sid:2022782; rev:1; metadata:created_at 2016_05_04, updated_at 2016_05_04;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.0)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|01|d|01|r|00 00 05 00 01|"; distance:0; fast_pattern; isdataat:!1,relative; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:trojan-activity; sid:2022783; rev:1; metadata:created_at 2016_05_04, updated_at 2016_05_04;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.1)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|01|e|01|r|00 00 05 00 01|"; distance:0; fast_pattern; isdataat:!1,relative; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:trojan-activity; sid:2022784; rev:1; metadata:created_at 2016_05_04, updated_at 2016_05_04;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|01|f|01|r|00 00 05 00 01|"; distance:0; fast_pattern; isdataat:!1,relative; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:trojan-activity; sid:2022785; rev:1; metadata:created_at 2016_05_04, updated_at 2016_05_04;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.3)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|01|g|01|r|00 00 05 00 01|"; distance:0; fast_pattern; isdataat:!1,relative; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:trojan-activity; sid:2022786; rev:1; metadata:created_at 2016_05_04, updated_at 2016_05_04;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 10.0)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|01|d|01|v|00 00 05 00 01|"; distance:0; fast_pattern; isdataat:!1,relative; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:trojan-activity; sid:2022787; rev:1; metadata:created_at 2016_05_04, updated_at 2016_05_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Darpapox/Jaku Initial C2 Checkin"; flow:to_server,established; urilen:10; content:"POST"; http_method; content:"/index.php"; http_uri; content:"uid={"; depth:5; fast_pattern; http_client_body; content:"&v="; http_client_body; distance:0; content:"&pi="; http_client_body; distance:0; content:",&if="; http_client_body; distance:0; reference:url,forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:trojan-activity; sid:2022788; rev:1; metadata:created_at 2016_05_04, updated_at 2016_05_04;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 0b|"; content:"|16|SomeOrganizationalUnit"; distance:1; within:23; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|0c|root@ua7.com"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022795; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_05_05, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|microurl.bit"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022796; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_05_05, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN SHUJIN .onion Payment Page"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|eqlc75eumpb77ced"; fast_pattern; distance:0; nocase; reference:md5,d59a27b1e0a46cc185f1937ca42f300a; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/; classtype:trojan-activity; sid:2022798; rev:2; metadata:created_at 2016_05_06, updated_at 2016_12_22;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Malicious SSL certificate detected (Ursnif Injects)"; flow:from_server,established; content:"|55 04 03|"; content:"|16|allowherebarbclient.me"; distance:1; within:23; classtype:trojan-activity; sid:2022799; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_05_09, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Cryptolocker Payment Page (de2nuvwegoo32oqv)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|de2nuvwegoo32oqv"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022800; rev:2; metadata:created_at 2016_05_09, updated_at 2017_09_13;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|bjksfohseaguu|03|org|00|"; fast_pattern; distance:0; content:"|00 01 00 01|"; distance:0; within:4; pcre:"/[a-z]{4,10}\x0dbjksfohseaguu\x03org\x00/"; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022801; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_05_10, updated_at 2016_09_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Sality-GR Checkin 2"; flow:to_server,established; content:".png?"; http_uri; fast_pattern:only; content:"User-Agent|3a 20|"; depth:12; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; pcre:"/\.png\x3f[0-9a-f]{4,8}\x3d\d+?$/U"; reference:md5,99d614964eafe83ec4ed1a4537be35b9; classtype:trojan-activity; sid:2022804; rev:1; metadata:created_at 2016_05_13, updated_at 2016_05_13;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Metasploit Payload Common Construct Bind_API (from server)"; flow:from_server,established; content:"|60 89 e5 31|"; content:"|64 8b|"; distance:1; within:2; content:"|30 8b|"; distance:1; within:2; content:"|0c 8b 52 14 8b 72 28 0f b7 4a 26 31 ff|"; distance:1; within:13; content:"|ac 3c 61 7c 02 2c 20 c1 cf 0d 01 c7 e2|"; within:15; content:"|52 57 8b 52 10|"; distance:1; within:5; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025644; rev:1; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2016_05_16, updated_at 2018_07_09;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware Locky .onion Payment Domain (hw5qrh6fxv2tnaqn)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hw5qrh6fxv2tnaqn"; fast_pattern; distance:0; nocase; reference:url,nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know/; classtype:trojan-activity; sid:2022806; rev:1; metadata:created_at 2016_05_16, updated_at 2016_05_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MSIL/Spy.Banker.DH Checkin"; flow:established,to_server; content:"POST"; http_method; content:".aspx?"; http_uri; content:"Content-Type|3a| application/x-www-form-urlencoded"; http_header; content:"User-Agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 6.1|3b| ru|3b| rv|3a|1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)|0d 0a|"; fast_pattern:84,20; http_header; content:"id="; depth:3; nocase; http_client_body; pcre:"/\.aspx\?$/U"; reference:md5,39519ff5bddd6d0eee032232349fe0a6; classtype:trojan-activity; sid:2022811; rev:2; metadata:created_at 2016_05_17, updated_at 2016_06_13;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware Locky .onion Payment Domain (eqrvbczir5ua2emd)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|eqrvbczir5ua2emd"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022817; rev:1; metadata:created_at 2016_05_18, updated_at 2016_05_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic gate[.].php GET with minimal headers"; flow:established,to_server; content:"GET"; http_method; content:"/gate.php"; http_uri; nocase; fast_pattern:only; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; reference:md5,ad4045887298439f5a21700bdbc7a311; classtype:trojan-activity; sid:2022818; rev:1; metadata:created_at 2016_05_18, updated_at 2016_05_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Hidden-Tear Ransomware Variant (.bloccato) DNS Request to CnC Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|ur232dkkwpdkwp|03|xyz|00|"; nocase; distance:0; fast_pattern; reference:url,www.bleepingcomputer.com/forums/t/614456/bloccato-ransomware-bloccato-help-support-leggi-questo-filetxt/; reference:md5,e586f208a724ba84369b72bc43d92057; classtype:trojan-activity; sid:2022831; rev:1; metadata:created_at 2016_05_19, updated_at 2016_05_19;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|closedoors|03|net|00|"; fast_pattern; distance:0; content:"|00 01 00 01|"; distance:0; within:4; pcre:"/[a-z]{4,10}\x0aclosedoors\x03net\x00/"; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022832; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_05_19, updated_at 2016_09_08;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ZeuS CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|basey.ru"; distance:1; within:10; classtype:trojan-activity; sid:2022833; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_05_20, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN PowerShell/Agent.A DNS Lookup (go0gIe.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|go0gIe|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html; classtype:trojan-activity; sid:2022835; rev:1; metadata:created_at 2016_05_24, updated_at 2016_05_24;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PowerShell/Agent.A DNS Checkin"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"00"; distance:1; within:2; content:"00000"; distance:0; fast_pattern; pcre:"/^(?!0+30)[0-9A-Z]+30[^0-9]/R"; content:"|00|"; distance:0; reference:url,www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html; classtype:trojan-activity; sid:2022836; rev:3; metadata:created_at 2016_05_24, updated_at 2016_05_24;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PowerShell/Agent.A DNS File Transfer CnC Beacon"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"00"; distance:1; within:2; content:"00000"; distance:0; pcre:"/^[0-9A-Z]+232A/R"; content:"232A"; fast_pattern:only; reference:url,www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html; classtype:trojan-activity; sid:2022837; rev:1; metadata:created_at 2016_05_24, updated_at 2016_05_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET TROJAN Possible CryptXXX Ransomware Renaming Encrypted File SMB v1 Unicode"; flow:to_server,established; content:"|ff|SMB|07|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"|00|.|00|c|00|r|00|y|00|p|00|t|00 00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022838; rev:1; metadata:created_at 2016_05_25, updated_at 2016_05_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET TROJAN Possible CryptXXX Ransomware Renaming Encrypted File SMB v1 ASCII"; flow:to_server,established; content:"|ff|SMB|07|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:".crypt|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022839; rev:1; metadata:created_at 2016_05_25, updated_at 2016_05_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET TROJAN Possible CryptXXX Ransomware Renaming Encrypted File SMB v2"; flow:to_server,established; content:"|FE|SMB"; offset:4; depth:4; content:"|11 00|"; distance:8; within:2; content:"|00|.|00|c|00|r|00|y|00|p|00|t|00|"; nocase; distance:0; fast_pattern; pcre:"/^[^A-Za-z0-9]/R"; classtype:trojan-activity; sid:2022840; rev:2; metadata:created_at 2016_05_25, updated_at 2016_05_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN HTTPBrowser/Pisloader Covert DNS CnC Channel TXT Lookup"; content:"|01 00 00 01 00 00 00 00 00 00 11|"; depth:11; offset:2; fast_pattern; pcre:"/^[A-Z0-9]{17}/R"; content:"|00 00 10|"; distance:0; threshold:type limit, track by_src, count 1, seconds 300; content:!"|03|prs|0a|proofpoint|03|com|00|"; reference:md5,985eba97e12c3e5bce9221631fb66d68; reference:url,researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/; classtype:trojan-activity; sid:2022842; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_05_31, performance_impact Low, updated_at 2016_07_14;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (Locky C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ajj3a7gfmgwmhhoz"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022843; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_05_31, updated_at 2016_09_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ransomware Locky CnC Beacon 4 21 May"; flow:established,to_server; content:"POST"; http_method; content:"/access.cgi"; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:"www-form-urlencoded|0d 0a|"; http_header; content:!"Accept"; http_header; content:"User-Agent|3a|"; http_header; pcre:"/[\x80-\xff]/P"; reference:md5,53859b74ab0ed0e98065982462f4e575; classtype:trojan-activity; sid:2022844; rev:1; metadata:created_at 2016_05_31, updated_at 2016_05_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Criptobit/Mobef Ransomware Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?a="; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 10.0|3b 20|Win64|3b 20|x64) Edge/13.10586|0d 0a|"; fast_pattern:40,20; http_header; pcre:"/\.php\?a=\d{5,10}.+\x3a\d\x3a\d\x3a\d\.\d\x3a\d$/U"; reference:md5,c90a8039f330ba6660a91113f6c53685; classtype:trojan-activity; sid:2022845; rev:3; metadata:created_at 2016_05_31, updated_at 2016_05_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Luminosity RAT Possible Module Download M1"; flow:to_server,established; urilen:5; content:"GET"; http_method; content:"/EPWD"; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; reference:md5,7a7776473db6e4b6ac90a4b1da4b50d4; classtype:trojan-activity; sid:2022851; rev:1; metadata:created_at 2016_06_02, updated_at 2016_06_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Luminosity RAT Possible Module Download M2"; flow:to_server,established; urilen:4; content:"GET"; http_method; content:"/PWD"; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; reference:md5,7a7776473db6e4b6ac90a4b1da4b50d4; classtype:trojan-activity; sid:2022852; rev:1; metadata:created_at 2016_06_02, updated_at 2016_06_02;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Kovter Client CnC Traffic"; flow:established,to_server; dsize:4<>256; content:!"HTTP"; content:"|00 00 00|"; offset:1; depth:3; pcre:"/^[\x11\x21-\x26\x41\x45\x70-\x79]/R"; content:!"|00 00|"; distance:0; byte_jump:1,0,from_beginning,post_offset 3; isdataat:!2,relative; pcre:!"/\x00$/"; reference:url,symantec.com/connect/blogs/kovter-malware-learns-poweliks-persistent-fileless-registry-update; classtype:trojan-activity; sid:2022861; rev:1; metadata:created_at 2016_06_06, updated_at 2016_06_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FastPOS Initial Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/cdosys.php?"; http_uri; fast_pattern; content:"=new&username="; http_uri; distance:0; content:"&computername="; http_uri; distance:0; content:"&os="; http_uri; distance:0; content:"&architecture="; http_uri; distance:0; reference:url,documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf; classtype:trojan-activity; sid:2022862; rev:1; metadata:created_at 2016_06_06, updated_at 2016_06_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FastPOS Version Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/cdosys.php?"; http_uri; fast_pattern; content:"=noupdate&ver="; http_uri; distance:0; reference:url,documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf; classtype:trojan-activity; sid:2022863; rev:1; metadata:created_at 2016_06_06, updated_at 2016_06_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FastPOS Sending Status Logs"; flow:to_server,established; content:"GET"; http_method; content:"/cdosys.php?"; http_uri; fast_pattern; content:"=statuslog&log="; http_uri; distance:0; reference:url,documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf; classtype:trojan-activity; sid:2022864; rev:1; metadata:created_at 2016_06_06, updated_at 2016_06_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FastPOS Software Update Request"; flow:to_server,established; content:"GET"; http_method; content:"/cdosys.php?"; http_uri; fast_pattern; content:"=update&username="; http_uri; distance:0; reference:url,documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf; classtype:trojan-activity; sid:2022865; rev:1; metadata:created_at 2016_06_06, updated_at 2016_06_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FastPOS Reporting Error Code"; flow:to_server,established; content:"GET"; http_method; content:"/cdosys.php?"; http_uri; fast_pattern; content:"&log=GetLastError"; http_uri; distance:0; reference:url,documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf; classtype:trojan-activity; sid:2022866; rev:1; metadata:created_at 2016_06_06, updated_at 2016_06_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FastPOS Successful Software Update Request"; flow:to_server,established; content:"GET"; http_method; content:"/cdosys.php?"; http_uri; fast_pattern; content:"&log=CheckedForUpdate"; http_uri; distance:0; reference:url,documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf; classtype:trojan-activity; sid:2022867; rev:1; metadata:created_at 2016_06_06, updated_at 2016_06_06;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 06|"; pcre:"/^.\x02[A-Z]{2}/Rs"; content:"|55 04 08|"; distance:0; pcre:"/^.\x02[A-Z]{2}/Rs"; content:"|55 04 07|"; distance:0; pcre:"/^.{2}[A-Z][a-z]+(?:\x20[A-Z][a-z]+)?[01]/Rs"; content:"|55 04 09|"; fast_pattern; distance:0; pcre:"/^.{2}\d{2,3}(?:\x20[A-Z][a-z]+\.?){1,3}[01]/Rs"; content:!"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|55 04 0b|"; distance:0; content:"|55 04 03|"; distance:0; pcre:"/^.(.[a-z]{4,12}\.(?:us|org|net|biz|info|mobi|com)[01]).*?\x55\x04\x03.\1/Rs"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022868; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_06_06, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (Locky C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bddadevlpkwrrmud"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022870; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_06_06, updated_at 2016_09_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FastPOS Sending Keystrokes"; flow:to_server,established; content:"GET"; http_method; content:"/cdosys.php?"; http_uri; fast_pattern; content:"key&log=TWND"; http_uri; distance:0; reference:url,documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf; classtype:trojan-activity; sid:2022871; rev:1; metadata:created_at 2016_06_07, updated_at 2016_06_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FastPOS RAM Scraper Sending Details"; flow:to_server,established; content:"GET"; http_method; content:"/cdosys.php?"; http_uri; fast_pattern; content:"add&log="; http_uri; distance:0; content:"&foundin="; http_uri; distance:0; reference:url,documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf; classtype:trojan-activity; sid:2022872; rev:1; metadata:created_at 2016_06_07, updated_at 2016_06_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/DMA Locker CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"?action="; http_uri; fast_pattern; content:!".aspx"; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\?action=\d(&botId=[A-F0-9]{32})?$/Ui"; pcre:"/^Host\x3a\x20[^\r\n]+\r\n(?:\r\n)?$/Hmi"; reference:md5,050f04ed78e96418179228272998d87d; classtype:trojan-activity; sid:2022873; rev:2; metadata:created_at 2016_06_07, updated_at 2016_06_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Windows Executable Sent When Remote Host Claims to Send a RAR Archive"; flow:established,from_server; content:"Content-Type|3a 20|application/rar|0d 0a|"; nocase; fast_pattern:11,20; http_header; file_data; content:"MZ"; depth:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; metadata: former_category INFO; classtype:trojan-activity; sid:2022874; rev:2; metadata:created_at 2016_06_08, updated_at 2017_12_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BandarChor/CryptON Ransomware Checkin"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; content:"=8ACEFC"; offset:1; depth:7; fast_pattern; http_client_body; pcre:"/=8ACEFC[0-9A-F]{150,}$/P"; pcre:"/\.php$/U"; reference:md5,5ee28035c56c048580c64b67ec4f2124; classtype:trojan-activity; sid:2022875; rev:2; metadata:created_at 2016_06_08, updated_at 2016_06_08;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|tda-au.com"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022877; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_06_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|forevery0ung.bit"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022878; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_06_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 9e 99 a3 02 bc 7d 3f 4e|"; fast_pattern; content:"|55 04 03|"; distance:0; content:"|10|www.undernet.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022879; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_06_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e5 51 a8 51 66 e3 5c 7d|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022880; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_06_08, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Qarallax RAT Downloading Modules"; flow:to_server,established; content:"GET"; http_method; content:"qarallax.com|0d 0a|"; http_header; fast_pattern; content:"User-Agent|3a 20|Java/"; http_header; reference:md5,cf178c55c0572d8fea89137c62afdc98; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; classtype:trojan-activity; sid:2022881; rev:1; metadata:created_at 2016_06_08, updated_at 2016_06_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1714 (msg:"ET TROJAN Qarallax RAT Keepalive C2 (set)"; flow:to_server,established; content:"|00 00 09 00 00 00 00 00 00 00|"; depth:10; threshold:type both, track by_src, count 5, seconds 30; flowbits:set,ET.qarallax; flowbits:noalert; reference:md5,cf178c55c0572d8fea89137c62afdc98; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; classtype:trojan-activity; sid:2022882; rev:1; metadata:created_at 2016_06_08, updated_at 2016_06_08;)

alert tcp $EXTERNAL_NET 1714 -> $HOME_NET any (msg:"ET TROJAN Qarallax RAT Keepalive C2"; flow:from_server,established; flowbits:isset,ET.qarallax; content:"|00 00 0c 00 00 00 00 00 00 00|"; depth:10; threshold:type both, track by_src, count 5, seconds 30; reference:md5,cf178c55c0572d8fea89137c62afdc98; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; classtype:trojan-activity; sid:2022883; rev:1; metadata:created_at 2016_06_08, updated_at 2016_06_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN APT28 SEDNIT Variant CnC Beacon 1"; flow:to_server,established; content:"POST"; http_method; content:".pdf/?"; http_uri; fast_pattern:only; content:!"Content-Type|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.pdf\/\?[A-Za-z0-9]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/U"; reference:md5,c2988e3e4f70d5901b234ff1c1363dcc; classtype:trojan-activity; sid:2023912; rev:1; metadata:created_at 2016_06_09, updated_at 2017_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN APT28 SEDNIT Variant CnC Beacon 2"; flow:to_server,established; content:"POST"; http_method; content:".zip/?"; http_uri; fast_pattern:only; content:!"Content-Type|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.zip\/\?[A-Za-z0-9]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/U"; reference:md5,c2988e3e4f70d5901b234ff1c1363dcc; classtype:trojan-activity; sid:2023913; rev:1; metadata:created_at 2016_06_09, updated_at 2017_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN APT28 SEDNIT Variant CnC Beacon 3"; flow:to_server,established; content:"POST"; http_method; content:".htm/?"; http_uri; fast_pattern:only; content:!"Content-Type|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.htm\/\?[A-Za-z0-9]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/U"; reference:md5,c2988e3e4f70d5901b234ff1c1363dcc; classtype:trojan-activity; sid:2023914; rev:1; metadata:created_at 2016_06_09, updated_at 2017_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN APT28 SEDNIT Variant CnC Beacon 4"; flow:to_server,established; content:"POST"; http_method; content:".xml/?"; http_uri; fast_pattern:only; content:!"Content-Type|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.xml\/\?[A-Za-z0-9]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/U"; reference:md5,c2988e3e4f70d5901b234ff1c1363dcc; classtype:trojan-activity; sid:2023915; rev:1; metadata:created_at 2016_06_09, updated_at 2017_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 106"; flow:to_server,established; dsize:>11; content:"kuroro"; depth:6; byte_jump:4,0,relative,little,from_beginning; isdataat:!1,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,984ec607cbaefdd2ce977c9a07a3e175; classtype:trojan-activity; sid:2022885; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2016_06_09, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 444 -> $HOME_NET any (msg:"ET TROJAN Malicious SSL Certificate Detected (Bancos C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|US"; distance:1; within:4; content:"|55 04 08|"; content:"|02|FL"; distance:1; within:4; content:"|55 04 07|"; content:"|05|Miami"; distance:1; within:7; fast_pattern; content:"|55 04 0a|"; content:"|08|Business"; distance:1; within:10; metadata: former_category TROJAN; reference:md5,e89ff40a8832cd27d2aae48ff7cd67d2; reference:url,malware-traffic-analysis.net/2016/06/09/index2.html; classtype:trojan-activity; sid:2022888; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Banking_Trojan, signature_severity Major, created_at 2016_06_10, malware_family Bancos, updated_at 2018_04_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bolek HTTP Checkin"; flow: to_server,established; content:"GET"; http_method; content:"User-Agent|3a 20|Client 1.2|0d 0a|"; fast_pattern; http_header; pcre:"/\?[a-f0-9]{32}$/Ui"; reference:md5,e89ff40a8832cd27d2aae48ff7cd67d2; reference:url,malware-traffic-analysis.net/2016/06/09/index2.html; classtype:trojan-activity; sid:2022889; rev:1; metadata:created_at 2016_06_10, updated_at 2016_06_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Botnet Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; content:!"Referer|3a|"; http_header; content:"data="; nocase; http_client_body; depth:5; content:"ew0KCSJhZGRyZXNzIiA6"; fast_pattern; nocase; http_client_body; distance:0; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2022891; rev:1; metadata:created_at 2016_06_13, updated_at 2016_06_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Crypren/Zcrypt Ransomware Checkin"; flow:established,to_server; content:".php?computerid="; http_uri; pcre:"/\.php\?computerid=[a-fA-F0-9]{32}&(?:public|private)=\d$/U"; content:!"Referer|3a 20|"; http_header; reference:md5,7efb738c2b04aacdd3354d590cb3df47; classtype:trojan-activity; sid:2022897; rev:1; metadata:created_at 2016_06_14, updated_at 2016_06_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN JS/RAA Ransomware check-in"; flow:established,to_server; content:".php?id="; http_uri; content:" - RAA"; http_uri; fast_pattern; content:"WinHttp.WinHttpRequest"; http_header; reference:md5,535494aa6ce3ccef7346b548da5061a9; classtype:trojan-activity; sid:2022899; rev:1; metadata:created_at 2016_06_15, updated_at 2016_06_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FOX-SRT ShimRat check-in (Data)"; flow:established,to_server; content:"POST"; http_method; pcre:"/\.php$/U"; content:"Data$$"; fast_pattern:only; http_client_body; content:!"Content-Type"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; pcre:"/Data\$\$\d\d/P"; pcre:"/Data$/P";  threshold: type limit, track by_src, count 1, seconds 600; reference:url,blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/; classtype:trojan-activity; sid:2022900; rev:2; metadata:created_at 2016_06_15, updated_at 2016_06_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FOX-SRT ShimRat check-in (php)"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; fast_pattern:only; pcre:"/\.php$/U"; content:"php"; http_client_body; depth:3; pcre:"/^php.{0,500}[\x80-\xff]/Ps";content:!"Content-Type"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie:"; threshold: type limit, track by_src, count 1, seconds 600; reference:url,blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/; classtype:trojan-activity; sid:2022901; rev:1; metadata:created_at 2016_06_15, updated_at 2016_06_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FOX-SRT ShimRat check-in (Yuok)"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; content:"User-Agent|3a 20|"; http_header; depth:12; content:!"Content-Type|3a|"; http_header; content:!"Referer:"; http_header; content:!"Cookie|3a|"; content:"Youk$$"; http_client_body; fast_pattern:only; pcre:"/^(php)?Yuok\$\$\d\d/P"; pcre:"/Yuok$/P"; threshold: type limit, track by_src, count 1, seconds 600; reference:url,blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/; classtype:trojan-activity; sid:2022902; rev:1; metadata:created_at 2016_06_15, updated_at 2016_06_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FOX-SRT ShimRatReporter check-in"; content:"POST"; http_method; content:"Accept-Encoding|3a 20|utf-8|0d 0a|"; http_header; content:".php?filename="; http_uri; fast_pattern:only; content:"Accept: */*"; http_header; content:!"Referer"; http_header; content:!"Content-Type"; http_header; threshold: type limit, track by_src, count 1, seconds 600; reference:url,blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/; classtype:trojan-activity; sid:2022903; rev:1; metadata:created_at 2016_06_15, updated_at 2016_06_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Towerweb Ransomware Landing Page"; flow:from_server,established;  content:"200"; http_stat_code; file_data; content:"WRITE THIS INFORMATION DOWN---------------<br>|0a|Ransom Id|3a|"; fast_pattern:37,20; content:"BTC Address|3a 20|"; distance:0; content:"|0a|Email|3a 20|"; distance:0; reference:md5,fb279dc7e47adefb3a9f1c78297c5870; reference:url,www.bleepingcomputer.com/forums/t/618055/towerweb-ransomware-help-support-topic-payment-instructionsjpg/; classtype:trojan-activity; sid:2022906; rev:2; metadata:created_at 2016_06_20, updated_at 2016_12_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Sinkhole)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 99 60 fe ed 86 b8 81 83|"; within:35; content:"|55 04 0a|"; content:"|0b|Sinkhole.Ru"; distance:1; within:12; content:"|55 04 03|"; distance:0; content:"|01 2a|"; distance:1; within:2; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022907; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_06_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Sinkhole)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; content:"|0e|Sinkhole Party"; distance:1; within:15; content:"|55 04 03|"; distance:0; content:"|08|sinkhole"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022908; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_06_21, updated_at 2016_07_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware Locky .onion Payment Domain (mphtadhci5mrdlju)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mphtadhci5mrdlju"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022917; rev:1; metadata:created_at 2016_06_27, updated_at 2016_06_27;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Malware C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|4b7gf8bngf877"; fast_pattern; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022919; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_06_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|09 00 d9 0c 85 30 1c bb ac a0|"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022920; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_06_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Malware C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|lobemaintaty.space"; fast_pattern; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022921; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_06_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (H1N1 C2 or Zeus Panda C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|huhu.com"; fast_pattern; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022922; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_06_27, updated_at 2016_07_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Satana Ransomware Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/add.php"; http_uri; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; content:!"|0d 0a|Accept"; http_header; content:"id="; http_client_body; depth:3; content:"&code="; http_client_body; distance:0; content:"&sdata="; http_client_body; distance:0; content:"&name="; http_client_body; distance:0; reference:md5,d236fcc8789f94f085137058311e848b; reference:url,blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware; classtype:trojan-activity; sid:2022929; rev:1; metadata:created_at 2016_06_30, updated_at 2016_06_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|09 00 cf 74 72 c9 4e 72 20 e4|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|AU"; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022943; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_07_05, performance_impact Low, updated_at 2016_07_05;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Malware C2)"; flow:established,from_server; content:"|09 00 f8 f1 74 46 04 c2 a4 42|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022944; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_07_05, performance_impact Low, updated_at 2016_07_05;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Rockloader)"; flow:established,from_server; content:"|55 04 03|"; content:"|55 04 03|"; content:"|08|server29"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022945; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_07_05, performance_impact Low, updated_at 2016_07_05;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Zeus C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|1e|7yh0mdze6ztr7erew835im3w8.info"; fast_pattern; distance:1; within:31; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022946; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_07_05, performance_impact Low, updated_at 2016_07_05;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN BartCrypt Payment DNS Query to .onion proxy Domain (khh5cmzh5q7yp7th)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|khh5cmzh5q7yp7th"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022947; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_07_05, performance_impact Low, updated_at 2016_07_05;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Malware C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|WIN-K462BJ3GEEC"; fast_pattern; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022948; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_07_05, performance_impact Low, updated_at 2016_07_05;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN OSX/Keydnap DNS Query to CnC"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|g5wcesdfjzne7255|05|onion|02|to|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials; classtype:trojan-activity; sid:2022950; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, tag TROJAN_OSX_Keydnap, signature_severity Major, created_at 2016_07_06, performance_impact Low, updated_at 2016_07_07;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN OSX/Keydnap DNS Query to CnC"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|r2elajikcosf7zee|05|onion|02|to|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials; classtype:trojan-activity; sid:2022951; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, tag TROJAN_OSX_Keydnap, signature_severity Major, created_at 2016_07_06, performance_impact Low, updated_at 2016_07_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ransomware Locky CnC Beacon 21 May"; flow:established,to_server; content:"POST"; http_method; content:"/_dispatch.php"; fast_pattern; content:"www-form-urlencoded|0d 0a|"; http_header; content:"|0d 0a|x-requested-with|3a 20|XMLHttpRequest|0d 0a|"; http_header; pcre:"/^[0-9a-zA-Z=%-]{0,48}(?:%[A-F0-9]{2}){4}/Psi"; reference:md5,6f8987e28fed878d08858a943e7c6e7c; classtype:trojan-activity; sid:2022952; rev:1; metadata:tag Locky, created_at 2016_07_06, updated_at 2016_07_06;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Malicious SSL certificate detected (OSX/Keydnap CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|g5wcesdfjzne7255.onion.to"; distance:1; within:26; reference:url,welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials; classtype:trojan-activity; sid:2022953; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, tag TROJAN_OSX_Keydnap, signature_severity Major, created_at 2016_07_07, performance_impact Low, updated_at 2016_07_07;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (H1N1 CnC)"; flow:established,from_server; content:"|09 00 cc e5 16 49 2c 1e 96 57|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022959; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_07_11, performance_impact Low, updated_at 2016_07_11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|www.__RANDOM_STR_.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022961; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_07_12, performance_impact Low, updated_at 2016_07_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SFG Client Information POST"; flow:to_server,established; content:"POST"; http_method; content:".log"; http_uri; content:"Host|3a 20|nullptr|0d 0a|"; http_header; fast_pattern:only; pcre:"/\.log$/U"; reference:url,sentinelone.com/blogs/sfg-furtims-parent/; classtype:trojan-activity; sid:2022963; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_07_12, malware_family Futrim, malware_family SFG, updated_at 2016_07_12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Ranscam Ransomware Contact Form"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"action=|22|http|3a|//www.tectite.com"; fast_pattern; nocase; content:"EmailAddr|3a|Your email address"; nocase; distance:0; content:"Message|3a|Your message"; nocase; distance:0; content:"Use your real email if you want a response"; nocase; distance:0; content:"spam folder if you do not receive"; nocase; distance:0; reference:md5,926a8d1c842964b2b81f5f94f6ae73b1; reference:url,blog.talosintel.com/2016/07/ranscam.html; classtype:trojan-activity; sid:2022968; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_07_14, performance_impact Low, updated_at 2016_07_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Razy.azv Downloading Content"; flow:established,to_server; content:".so"; http_uri; pcre:"/\/(?:tr(?:_w)?|ft)\.so$/U"; content:!"Referer|3a 20|"; nocase; http_header; content:!"Accept"; nocase; http_header; reference:md5,e17b1d84da1d2c684f3e67adff7ef582; classtype:trojan-activity; sid:2022969; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_07_14, malware_family Razy, performance_impact Low, updated_at 2016_07_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Dreambot File Upload (No Data Sent)"; flow:established,to_server; content:"POST"; http_method; content:"/images/"; http_uri; content:"_2"; http_uri; content:"User-Agent|3a 20|"; http_header; depth:12; content:"Content-Length|3a 20|2|0d 0a|"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; pcre:"/\/images\/.*_2[FB].*\.(?:avi|gif|bmp|jpeg|png)$/Ui"; reference:md5,e17b1d84da1d2c684f3e67adff7ef582; classtype:trojan-activity; sid:2022970; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_07_14, malware_family ursnif, malware_family Dreambot, malware_family ISFB, performance_impact Low, updated_at 2016_11_04;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET TROJAN Cknife Shell Command Struct Inbound (PHP)"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent|3a 20|Java"; http_header; depth:16; content:"=@eval"; http_client_body; depth:9; content:"base64_decode"; http_client_body; distance:0; content:"&action="; http_client_body; distance:0; content:!"Referer|3a 20|"; http_header; reference:url,recordedfuture.com/web-shell-analysis-part-2; classtype:trojan-activity; sid:2022976; rev:1; metadata:attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2016_07_20, performance_impact Low, updated_at 2016_07_20;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET TROJAN Cknife Shell Command Struct Inbound (aspx)"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent|3a 20|Java"; http_header; depth:16; content:"=Response.Write"; http_client_body; depth:18; fast_pattern; content:"eval"; http_client_body; distance:0; content:!"Referer|3a 20|"; http_header; reference:url,www.recordedfuture.com/web-shell-analysis-part-2; classtype:trojan-activity; sid:2022977; rev:1; metadata:attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2016_07_20, performance_impact Low, updated_at 2016_07_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Evil Monero Cryptocurrency Miner Request Pools"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<HTML>|0d 0a|<HEAD>|0d 0a|<BODY>|0d 0a|<DIV"; depth:28; content:"|0d 0a|899@"; distance:0; content:"0.rn,9.re9899@n&9,bgggs"; distance:0; fast_pattern; reference:md5,848720742b957d27f6ee94b9fe4126f0; reference:url,www.fireeye.com/blog/threat-research/2016/06/resurrection-of-the-evil-miner.html; classtype:trojan-activity; sid:2022982; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_07_21, performance_impact Low, updated_at 2016_07_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan Generic - POST To gate.php with no accept headers"; flow:established,to_server; content:"POST"; content:"/gate.php"; http_uri; nocase; fast_pattern:only; content:!"Accept"; http_header; metadata: former_category TROJAN; reference:md5,d7c19ba47401f69aafed551138ad7e7c; classtype:trojan-activity; sid:2022985; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_07_26, malware_family Zeus, performance_impact Low, updated_at 2017_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad"; flow:established,to_server; content:"/gate.php"; nocase; http_uri; fast_pattern:only; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r?\n/H"; reference:md5,d7c19ba47401f69aafed551138ad7e7c; classtype:trojan-activity; sid:2022986; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_07_26, malware_family Zeus, performance_impact Low, updated_at 2016_07_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Pottieq.A Check-in"; flow:established,to_server; content:"POST"; http_method; content:!"Accept"; http_header; content:"pc="; http_client_body; content:"mail="; http_client_body; content:"guid="; nocase; http_client_body; content:!"Cookie|3a 20|"; content:!"Referer|3a 20|"; http_header; content:"User-Agent|3a 20 7b|"; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a\x20\{[0-9a-z]{8}-[0-9a-z]+\-[0-9a-z]+\-[0-9a-z]+\-[0-9a-z]+\}\r?$/Hmi"; pcre:"/(?:^|&)id=\d+(?:$|&)/P"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom%3aWin32/Pottieq.A; reference:md5,909bce4dea2ca76cab87ce186d9cdfdc; classtype:trojan-activity; sid:2022988; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Pottieq, signature_severity Major, created_at 2016_07_27, malware_family Pottieq, performance_impact Low, updated_at 2016_07_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gccxqpuuylioxoip"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022999; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_02, malware_family Ransomware, performance_impact Low, updated_at 2017_04_04;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kvyatmujksksbcgx"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023000; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_02, malware_family Ransomware, performance_impact Low, updated_at 2017_04_04;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mz7oyb3v32vshcvk"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023001; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_02, malware_family Ransomware, performance_impact Low, updated_at 2017_04_04;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xhrnfffaixawpuob"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023002; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_02, malware_family Ransomware, performance_impact Low, updated_at 2017_04_04;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yuysikankhqvdwdv"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023003; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_02, malware_family Ransomware, performance_impact Low, updated_at 2017_04_04;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zjfq4lnfbs7pncr5"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023004; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_02, malware_family Ransomware, performance_impact Low, updated_at 2017_04_04;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ZeuS CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|taxreclaim.am"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023005; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_08_02, malware_family Zeus_SSL, performance_impact Low, updated_at 2016_08_02;)

alert tcp $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|55 04 08|"; content:"|04|Atak"; distance:1; within:5; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023006; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_08_02, updated_at 2016_08_02;)

alert tcp $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|09 00 95 9d ed 5e 9f 95 7f b4|"; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023007; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_08_02, updated_at 2016_08_02;)

alert tcp $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 9c 26 67 04 e7 9a e0 56|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023008; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_08_02, updated_at 2016_08_02;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|secureit.pw"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023009; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_08_02, updated_at 2016_08_02;)

alert tcp $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 da e8 83 5e e4 0a d0 5c|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023010; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_08_02, updated_at 2016_08_02;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader.Pony CnC)"; flow:from_server,established; content:"|09 00 a7 26 cd 4c 62 32 35 26|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023011; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_08_02, updated_at 2016_08_02;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|09 00 b8 a4 f2 db af 86 f7 53|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023012; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_08_02, updated_at 2016_08_02;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|04 26 98 61 57|"; fast_pattern; content:"|55 04 03|"; distance:0; content:"|25|ASA Temporary Self Signed Certificate"; distance:1; within:38; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023013; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_08_02, updated_at 2016_08_02;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ProjectSauron Remsec DNS Lookup (rapidcomments.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|rapidcomments|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023020; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_08, malware_family APT_ProjectSauron_Remsec, performance_impact Low, updated_at 2016_08_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ProjectSauron Remsec DNS Lookup (bikessport.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|bikessport|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023021; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_08, malware_family APT_ProjectSauron_Remsec, performance_impact Low, updated_at 2016_08_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ProjectSauron Remsec DNS Lookup (myhomemusic. com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|myhomemusic|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023022; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_08, malware_family APT_ProjectSauron_Remsec, performance_impact Low, updated_at 2017_11_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ProjectSauron Remsec DNS Lookup (flowershop22.110mb.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|flowershop22|05|110mb|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; classtype:trojan-activity; sid:2023023; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_08, malware_family APT_ProjectSauron_Remsec, performance_impact Low, updated_at 2016_08_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ProjectSauron Remsec DNS Lookup (wildhorses.awardspace.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|wildhorses|0a|awardspace|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023024; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_08, malware_family APT_ProjectSauron_Remsec, performance_impact Low, updated_at 2016_08_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ProjectSauron Remsec DNS Lookup (asrgd-uz .weedns.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|asrgd-uz"; fast_pattern; distance:0; content:"|06|weedns|03|com|00|"; nocase; distance:0; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023025; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_08, malware_family APT_ProjectSauron_Remsec, performance_impact Low, updated_at 2016_08_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ProjectSauron Remsec DNS Lookup (sx4-ws42 .yi.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"sx4-ws42"; fast_pattern; distance:0; content:"|02|yi|03|org|00|"; nocase; distance:0; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023026; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_08, malware_family APT_ProjectSauron_Remsec, performance_impact Low, updated_at 2016_08_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ProjectSauron Remsec DNS Lookup (we .q.tcow.eu)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|we"; fast_pattern; distance:0; content:"|01|q|04|tcow|02|eu|00|"; nocase; distance:0; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023027; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_08, malware_family APT_ProjectSauron_Remsec, performance_impact Low, updated_at 2016_08_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN RAMNIT.A M1"; flow:established,from_server; file_data; content:"|43 72 65 61 74 65 54 65 78 74 46 69 6c 65 28 44 72 6f 70 50 61 74 68|"; nocase; content:"|57 53 48 73 68 65 6c 6c 2e 52 75 6e 20 44 72 6f 70 50 61 74 68 2c 20 30|"; nocase; reference:url,www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FRamnit.A; classtype:trojan-activity; sid:2023028; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_09, malware_family Ramnit, performance_impact Moderate, updated_at 2016_08_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN RAMNIT.A M2"; flow:established,from_server; file_data; content:"|6c 61 6e 67 75 61 67 65 3d 56 42 53 63 72 69 70 74|"; nocase; content:"|57 72 69 74 65 44 61 74 61 20 3d|"; nocase; content:"|22 34 44 35 41 39 30 30|"; nocase; distance:0; content:"|44 72 6f 70 46 69 6c 65 4e 61 6d 65 20 3d 20|"; reference:url,www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FRamnit.A; classtype:trojan-activity; sid:2023029; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_09, malware_family Ramnit, performance_impact Low, updated_at 2016_08_09;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|1c|www.endeverllcandjohns13.com"; distance:1; within:29; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023030; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_08_09, performance_impact Low, updated_at 2016_08_09;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|16 03 01 00|"; depth:4; content:"|09 00 8e b6 50 28 b2 eb aa d8|"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023031; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_08_09, performance_impact Low, updated_at 2016_08_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ProjectSauron Remsec CnC Beacon (hardcoded HTTP headers)"; flow:established,to_server; content:"|41 63 63 65 70 74 3A 20 74 65 78 74 2F 68 74 6D 6C 2C 74 65 78 74 2F 70 6C 61 69 6E 2C 2A 2F 2A 0D 0A 41 63 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 75 73 0D 0A 41 63 63 65 70 74 2D 43 68 61 72 73 65 74 3A 20 49 53 4F 2D 38 38 35 39 2D 31 2C 2A 0D 0A 4B 65 65 70 2D 41 6C 69 76 65 3A 20 33 30 30 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 43 61 63 68 65 2D 43 6F 6E 74 72 6F 6C 3A 20 4E 6F 2D 43 61 63 68 65|"; fast_pattern:10,20; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023032; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_09, performance_impact Low, updated_at 2016_08_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Radonskra.B C2 Check-in"; flow:established,to_server; content:".php?"; http_uri; nocase; content:"&os=Windows"; http_uri; nocase; content:"&mac="; nocase; http_uri; content:"&lua="; http_uri; nocase; content:"&firewall="; http_uri; nocase; content:"&antivirus="; http_uri; nocase; content:"&antispyware"; http_uri; nocase; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; reference:md5,9d6b99e87faa3f7a23adef5031bd598b; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fRadonskra.B; classtype:trojan-activity; sid:2023033; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_09, performance_impact Low, updated_at 2016_08_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Linux/Lady CnC Beacon 1"; flow:established,to_server; content:"GET"; http_method; content:"/pm.sh?"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|curl/"; http_header; pcre:"/^\/pm\.sh\?\d+$/U"; reference:md5,86ac68e5b09d1c4b157193bb6cb34007; reference:url,vms.drweb.com/virus/?_is=1&i=8400817; classtype:trojan-activity; sid:2023034; rev:1; metadata:affected_product Linux, attack_target Client_and_Server, deployment Perimeter, signature_severity Major, created_at 2016_08_10, malware_family Linux_Lady, performance_impact Low, updated_at 2016_08_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Linux/Lady CnC Beacon 2"; flow:established,to_server; content:"GET"; http_method; content:"/v"; depth:2; http_uri; content:"/lady_"; distance:0; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|curl/"; http_header; pcre:"/^\/v\d+\/lady_[ix]/U"; reference:md5,86ac68e5b09d1c4b157193bb6cb34007; reference:url,vms.drweb.com/virus/?_is=1&i=8400817; classtype:trojan-activity; sid:2023035; rev:1; metadata:affected_product Linux, attack_target Client_and_Server, deployment Perimeter, signature_severity Major, created_at 2016_08_10, malware_family Linux_Lady, performance_impact Low, updated_at 2016_08_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Pony Variant FOX Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"os_version="; http_client_body; depth:11; fast_pattern; content:"os_version_full="; http_client_body; distance:0; content:"processorId="; http_client_body; distance:0; content:!"Referer|3a|"; http_header; reference:md5,190c607ef81fa0c27fb1313df5f05266; reference:url,malware.dontneedcoffee.com/2016/09/fox-stealer-another-pony-fork.html; classtype:trojan-activity; sid:2023292; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_10, malware_family Pony, performance_impact Low, updated_at 2016_09_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Monsoon Tinytyphon CnC Beacon GET"; flow:established,to_server; content:"GET"; http_method; content:"/dw.php"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; http_header; pcre:"/\/dw\.php$/U"; reference:md5,f32c5a923393a2ae2fcd292f299b63b1; reference:url,blogs.forcepoint.com/security-labs/monsoon-analysis-apt-campaign; classtype:trojan-activity; sid:2023049; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_11, malware_family MONSOON, malware_family Tinytyphon, performance_impact Low, updated_at 2016_08_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Monsoon Tinytyphon CnC Beacon Exfiltrating Docs"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"name=|22|MD5|22|"; http_client_body; content:"name=|22|fname|22|"; distance:0; http_client_body; content:"name=|22|compname|22|"; distance:0; http_client_body; content:"name=|22|uploadedfile|22 3b|"; http_client_body; fast_pattern:only; reference:md5,f32c5a923393a2ae2fcd292f299b63b1; reference:url,blogs.forcepoint.com/security-labs/monsoon-analysis-apt-campaign; classtype:trojan-activity; sid:2023050; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_11, performance_impact Low, updated_at 2016_08_11;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DarkHotel DNS Lookup (apply-wsu.ebizx.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|apply-wsu|05|ebizx|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/08/unit42-fresh-baked-homekit-made-cookles-with-a-darkhotel-overlap/; classtype:trojan-activity; sid:2023059; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_15, malware_family DarkHotel, performance_impact Low, updated_at 2016_08_15;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DarkHotel DNS Lookup (apply.ebizx.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|apply|05|ebizx|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/08/unit42-fresh-baked-homekit-made-cookles-with-a-darkhotel-overlap/; classtype:trojan-activity; sid:2023060; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_15, performance_impact Low, updated_at 2016_08_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Aveo Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?id="; depth:14; http_uri; fast_pattern; content:"&1="; distance:0; http_uri; content:"&2="; distance:0; http_uri; content:"&4="; distance:0; http_uri; content:"&5="; distance:0; http_uri; content:"&6="; distance:0; http_uri; content:!"Referer|3a|"; http_header; reference:md5,ae2b5bd70945b1622fb27496ec9e15fe; reference:url,researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/; classtype:trojan-activity; sid:2023076; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_18, malware_family Aveo, malware_family FormerFirstRAT, performance_impact Low, updated_at 2016_08_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Aveo C2 Response"; flow:to_server,established; content:"POST"; http_method; content:"/index.php?id="; depth:14; http_uri; fast_pattern; content:"&1="; distance:0; http_uri; content:!"Referer|3a|"; http_header; reference:md5,ae2b5bd70945b1622fb27496ec9e15fe; reference:url,researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/; classtype:trojan-activity; sid:2023077; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_18, malware_family Aveo, malware_family FormerFirstRAT, performance_impact Low, updated_at 2016_08_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Aveo C2 Request"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?id="; depth:14; http_uri; fast_pattern; content:"&1="; distance:0; http_uri; content:!"&2="; distance:0; http_uri; content:!"Referer|3a|"; http_header; reference:md5,ae2b5bd70945b1622fb27496ec9e15fe; reference:url,researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/; classtype:trojan-activity; sid:2023078; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_18, malware_family Aveo, malware_family FormerFirstRAT, performance_impact Low, updated_at 2016_08_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Curso Banker.BR Checkin"; flow:established,to_server; content:".asp?m="; http_uri; fast_pattern:only; pcre:"/\.asp\?m=(?:INS|UAC)(?:&p=&a=)?&i=201\d{11}&/Ui"; content:"&v="; http_uri; content:!"Referer|3a|"; http_header; reference:md5,blog.trendmicro.com/trendlabs-security-intelligence/banker-trojan-sports-new-technique-to-take-advantage-of-2016-olympics/; reference:md5,bd389eb9cf03e55013eaf07970288f08; classtype:trojan-activity; sid:2023081; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_19, malware_family Banking_Trojan, performance_impact Low, updated_at 2016_08_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Curso Banker Downloading Modules"; flow:to_server,established; content:"GET"; http_method; content:"/system/MA-"; depth:11; http_uri; fast_pattern; content:".dll"; http_uri; pcre:"/\/(?:IUpdate|fbclient|IETask|Mixeds|Ubuntu10)\.dll$/U"; reference:md5,blog.trendmicro.com/trendlabs-security-intelligence/banker-trojan-sports-new-technique-to-take-advantage-of-2016-olympics/; reference:md5,260a7aab3d29ed4bce9ac35002361a87; classtype:trojan-activity; sid:2023082; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_19, malware_family Banking_Trojan, performance_impact Low, updated_at 2016_08_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Alfa/Alpha Ransomware Checkin"; flow:established,to_server; urilen:33; content:"|20|HTTP/1.1|0d 0a|Host|3a 20|"; fast_pattern:only; content:"GET"; http_method; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; content:!"Cache-Control|3a|"; http_header; content:!"Pragma|3a|"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; pcre:"/^GET\x20\/[A-F0-9]{32}\x20HTTP\/1\.1\r\nHost\x3a\x20[^\r\n]+\r\n\r\n$/"; reference:md5,0601d824d188a42bc530f349926f1f95; reference:md5,900cacbd18f1e21cf6b5a9f842c23b72; reference:url,www.bleepingcomputer.com/news/security/new-alfa-or-alpha-ransomware-from-the-same-devs-as-cerber/; classtype:trojan-activity; sid:2023083; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_22, performance_impact Low, updated_at 2016_08_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware Locky .onion Payment Domain (5n7y4yihirccftc5)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|5n7y4yihirccftc5"; fast_pattern; distance:0; nocase; reference:md5,d7cb55e90dee7777fe7b77b079d51513; classtype:trojan-activity; sid:2023084; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Major, created_at 2016_08_23, malware_family Ransomware, malware_family Locky, performance_impact Low, updated_at 2016_08_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN R980/CRYPBEE.A Ransomware Activity"; flow:established,to_server; content:"GET"; http_method; content:"/assets/timepicker/x.php?"; http_uri; content:"User-Agent|3a 20|cpp"; http_header; reference:md5,a38e156b5c7b337ffbde6cc1ddab1004; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/r980-ransomware-disposable-email-service/; classtype:trojan-activity; sid:2023085; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_08_24, malware_family Ransomware, performance_impact Low, updated_at 2016_08_24;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 9000 (msg:"ET TROJAN PNScan.2 Inbound Status Check - set"; flow:established,to_server; content:"|20|/check|20|HTTP/1."; offset:3; depth:16; fast_pattern; flowbits:set,ET.PNScan.2; flowbits:noalert; reference:url,blog.malwaremustdie.org/2016/08/mmd-0054-2016-pnscan-elf-worm-that.html; reference:url,vms.drweb.com/virus/?_is=1&i=7299536; classtype:trojan-activity; sid:2023087; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, deployment Perimeter, deployment Datacenter, signature_severity Major, created_at 2016_08_25, malware_family PNScan_2, performance_impact Low, updated_at 2016_08_25;)

alert tcp $HOME_NET 9000 -> $EXTERNAL_NET any (msg:"ET TROJAN PNScan.2 Inbound Status Check Response"; flow:established,from_server; content:"Content-Length|3a 20|12|0d 0a|"; content:"{|22|status|22 3a|1}"; distance:0; fast_pattern; flowbits:isset,ET.PNScan.2; reference:url,blog.malwaremustdie.org/2016/08/mmd-0054-2016-pnscan-elf-worm-that.html; reference:url,vms.drweb.com/virus/?_is=1&i=7299536; classtype:trojan-activity; sid:2023088; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, deployment Perimeter, deployment Datacenter, signature_severity Major, created_at 2016_08_25, malware_family PNScan_2, performance_impact Low, updated_at 2016_08_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 9000 (msg:"ET TROJAN PNScan.2 CnC Beacon"; flow:established,to_server; content:"POST /"; depth:6; content:"?ver="; distance:0; fast_pattern; content:"|20|HTTP/1."; distance:0; content:!"Referer|3a|"; distance:0; pcre:"/^POST \/(?:i686|arm|mips(?:el)?)\?ver=\d+\x20/"; reference:url,blog.malwaremustdie.org/2016/08/mmd-0054-2016-pnscan-elf-worm-that.html; reference:url,vms.drweb.com/virus/?_is=1&i=7299536; classtype:trojan-activity; sid:2023089; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, deployment Perimeter, deployment Datacenter, signature_severity Major, created_at 2016_08_25, malware_family PNScan_2, performance_impact Low, updated_at 2016_08_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 9000 (msg:"ET TROJAN PNScan.2 CnC Beacon 2"; flow:established,to_server; content:"POST /srv_report?ver="; depth:21; content:!"Referer|3a|"; distance:0; pcre:"/^\d+\x20/R"; reference:url,blog.malwaremustdie.org/2016/08/mmd-0054-2016-pnscan-elf-worm-that.html; reference:url,vms.drweb.com/virus/?_is=1&i=7299536; classtype:trojan-activity; sid:2023090; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, deployment Perimeter, deployment Datacenter, signature_severity Major, created_at 2016_08_25, malware_family PNScan_2, performance_impact Low, updated_at 2016_08_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.DarkComet Keepalive Outbound"; flow:to_server,established; content:"KEEPALIVE"; depth:9; pcre:"/^KEEPALIVE\d+$/"; reference:md5,d4f949f268d00522cfbae5d18cbce933; classtype:trojan-activity; sid:2023091; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (aalaan .tv)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|aalaan|02|tv|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023093; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (accounts .mx)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|accounts|02|mx|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023094; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (adjust-local-settings .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|15|adjust-local-settings|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023095; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (alawaeltech .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|alawaeltech|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023096; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (alljazeera .co)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|alljazeera|02|co|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023097; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (asrararabiya .co)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|asrararabiya|02|co|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023098; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (asrararablya .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|asrararablya|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023099; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (asrarrarabiya .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|asrarrarabiya|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023100; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (bahrainsms .co)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|bahrainsms|02|co|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023101; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (bbc-africa .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|bbc-africa|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023102; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (bulbazaur .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|bulbazaur|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023103; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (checkinonlinehere .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|checkinonlinehere|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023104; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (cnn-africa .co)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|cnn-africa|02|co|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023105; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (damanhealth .online)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|damanhealth|06|online|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023106; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (emiratesfoundation .net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|emiratesfoundation|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023107; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (fb-accounts .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|fb-accounts|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023108; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (googleplay-store .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|googleplay-store|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023109; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (icloudcacher .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|icloudcacher|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023110; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (icrcworld .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|icrcworld|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023111; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (manoraonline .net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|manoraonline|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023112; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (mz-vodacom .info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|mz-vodacom|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023113; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (newtarrifs .net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|newtarrifs|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023114; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (ooredoodeals .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|ooredoodeals|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023115; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (pickuchu .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|pickuchu|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023116; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (redcrossworld .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|redcrossworld|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023117; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (sabafon .info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|sabafon|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023118; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (smser .net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|smser|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023119; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (sms .webadv.co)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|sms|06|webadv|02|co|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023120; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (topcontactco .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|topcontactco|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023121; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (tpcontact .co.uk)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|tpcontact|02|co|02|uk|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023122; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (track-your-fedex-package .org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|18|track-your-fedex-package|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023123; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (turkeynewsupdates .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|turkeynewsupdates|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023124; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (turkishairines .info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|turkishairines|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023125; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (uaenews .online)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|uaenews|06|online|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023126; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (univision .click)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|univision|05|click|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023127; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (unonoticias .net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|unonoticias|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023128; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (whatsapp-app .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|whatsapp-app|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023129; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (y0utube .com.mx)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|y0utube|03|com|02|mx|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023130; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, malware_family Pegasus, performance_impact Low, updated_at 2016_08_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Pegasus/Trident Related HTTP Beacon 1"; flow:established,to_server; content:".html&nocache="; http_uri; content:!"&"; distance:0; http_uri; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023131; rev:2; metadata:affected_product iOS, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_26, malware_family Pegasus_Trident, malware_family NSO, performance_impact Low, updated_at 2016_08_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Pegasus/Trident Related HTTP Beacon 2"; flow:established,to_server; content:".html?a="; http_uri; fast_pattern; content:"&b="; distance:0; http_uri; content:"&nocache="; distance:0; http_uri; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023132; rev:1; metadata:affected_product iOS, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_26, malware_family Pegasus_Trident, malware_family NSO, performance_impact Low, updated_at 2016_08_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Pegasus/Trident Related HTTP Beacon 3"; flow:established,to_server; content:"/final111?&nocache="; http_uri; fast_pattern:only; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023133; rev:2; metadata:affected_product iOS, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_26, malware_family Pegasus_Trident, malware_family NSO, performance_impact Low, updated_at 2016_08_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Pegasus/Trident Related HTTP Beacon 4"; flow:established,to_server; content:".html?s="; http_uri; fast_pattern; content:"&d="; distance:0; http_uri; pcre:"/^[^&]+?\.html\?s=[^&]+?&d=$/U"; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023134; rev:2; metadata:affected_product iOS, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_26, malware_family Pegasus_Trident, malware_family NSO, performance_impact Low, updated_at 2016_09_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Pegasus/Trident Related HTTP Beacon 5"; flow:established,to_server; content:"Tring to download bundle(try|3a|"; http_uri; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023136; rev:2; metadata:affected_product iOS, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_26, malware_family Pegasus_Trident, malware_family NSO, performance_impact Low, updated_at 2016_08_26;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (bigcrashcar.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|bigcrashcar|03|net|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2023142; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_31, malware_family Ransomware, performance_impact Low, updated_at 2017_04_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN AgentTesla PWS HTTP CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"type="; http_client_body; depth:5; content:"&hwid="; http_client_body; content:"&time="; http_client_body; content:"&pcname="; http_client_body; content:"&logdata="; http_client_body; fast_pattern; content:"&screen="; http_client_body; content:"&ipadd="; http_client_body; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php$/U"; reference:md5,21d3c7d099aceff2a1f16d8ae0f38731; classtype:trojan-activity; sid:2023144; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_01, performance_impact Low, updated_at 2016_12_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET TROJAN Locky Ransomware Renaming File via SMB"; flow:to_server,established; content:"|FE|SMB"; offset:4; depth:4; content:"|11 00|"; distance:8; within:2; content:"|00|.|00|z|00|e|00|p|00|t|00|o|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; classtype:trojan-activity; sid:2023147; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_01, malware_family Ransomware, performance_impact Low, updated_at 2017_04_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET TROJAN Locky Ransomware Writing Instructions via SMB"; flow:to_server,established; content:"|FE|SMB|40 00|"; offset:4; depth:6; content:"|05 00|"; distance:6; within:2; content:"_|00|H|00|E|00|L|00|P|00|_|00|i|00|n|00|s|00|t|00|r|00|u|00|c|00|t|00|i|00|o|00|n|00|s|00|.|00|h|00|t|00|m|00|l"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; classtype:trojan-activity; sid:2023148; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_01, malware_family Ransomware, performance_impact Low, updated_at 2017_04_04;)

alert tcp $HOME_NET any -> $HOME_NET [445,139] (msg:"ET TROJAN Zlader Ransomware Worm Propagating Over SMB v1 ASCII"; flow:to_server,established; content:"|FF|SMB|A2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"|24|RECYCLE|2E|BIN|2E 7B|"; nocase; distance:0; fast_pattern; pcre:"/\x24RECYCLE\.BIN\.\x7B[0-9A-F]{8}\x2D(?:[0-9A-F]{4}\x2D){3}[0-9A-F]{12}\x7D\x5C\x7B[0-9A-F]{8}\x2D(?:[0-9A-F]{4}\x2D){3}[0-9A-F]{12}\x7D\.(?:scr|pif|cmd)/i"; threshold:type limit, track by_src, count 10, seconds 60; reference:url,www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/worm_zlader.b; classtype:trojan-activity; sid:2023149; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_01, performance_impact Low, updated_at 2016_09_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN BartCrypt Payment DNS Query to .onion proxy Domain (s3clm4lufbmfhmeb)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|s3clm4lufbmfhmeb"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2023154; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Major, created_at 2016_09_06, performance_impact Low, updated_at 2016_09_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/LuaBot CnC Beacon"; flow:established,to_server; content:"GET /bot?bid="; depth:13; fast_pattern; content:!"User-Agent|3a|"; distance:0; content:!"Accept"; distance:0; content:!"Referer|3a|"; distance:0; reference:url,blog.malwaremustdie.org/2016/09/mmd-0057-2016-new-elf-botnet-linuxluabot.html; classtype:trojan-activity; sid:2023155; rev:1; metadata:affected_product Linux, attack_target Client_and_Server, deployment Perimeter, deployment Datacenter, created_at 2016_09_06, malware_family Linux_LuaBot, performance_impact Low, updated_at 2016_09_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Linux/LuaBot CnC Beacon Response"; flow:established,from_server; content:"HTTP/1."; depth:7; content:"|0d 0a 0d 0a|script|7c|"; distance:0; content:"|7c|endscript"; distance:0; fast_pattern; content:"script|7c|"; distance:0; reference:url,blog.malwaremustdie.org/2016/09/mmd-0057-2016-new-elf-botnet-linuxluabot.html; classtype:trojan-activity; sid:2023156; rev:1; metadata:affected_product Linux, attack_target Client_and_Server, deployment Perimeter, deployment Datacenter, created_at 2016_09_06, malware_family Linux_LuaBot, performance_impact Low, updated_at 2016_09_06;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|vuinuzhz.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023157; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_06, performance_impact Low, updated_at 2016_09_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|18|certificatestatistic.com"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023158; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_06, performance_impact Low, updated_at 2016_09_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|careersnetworks.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023159; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_06, performance_impact Low, updated_at 2016_09_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|microsoftstore.local"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023160; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_06, performance_impact Low, updated_at 2016_09_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|jmfbrtbsmth.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023161; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_06, performance_impact Low, updated_at 2016_09_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|fxpsjcklcqf.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023162; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_06, performance_impact Low, updated_at 2016_09_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|ywxozojqmcd.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023163; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_06, performance_impact Low, updated_at 2016_09_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|06|fwafdw"; distance:1; within:7; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023164; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_06, performance_impact Low, updated_at 2016_09_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|business-swiss.online"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023165; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_06, performance_impact Low, updated_at 2016_09_06;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|pro-access.cn"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023166; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_06, performance_impact Low, updated_at 2016_09_06;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|securefreeonly.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023167; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_06, performance_impact Low, updated_at 2016_09_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Hancitor CnC)"; flow:established,from_server; content:"|09 00 ce 75 ce f8 84 a5 7e e5|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023168; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_06, performance_impact Low, updated_at 2016_09_06;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|1d|ntracking.sys-optimatic.cloud"; distance:1; within:30; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023169; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_06, performance_impact Low, updated_at 2016_09_06;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|secureinishman.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023170; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_06, performance_impact Low, updated_at 2016_09_06;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|systemresystem.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023171; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_06, performance_impact Low, updated_at 2016_09_06;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|secureinterrr100.com"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023172; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_06, performance_impact Low, updated_at 2016_09_06;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|supergoodvin888.pw"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023173; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_06, performance_impact Low, updated_at 2016_09_06;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|statuscheck.online"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023174; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_06, performance_impact Low, updated_at 2016_09_06;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|Otakkibigytu"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023175; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_06, performance_impact Low, updated_at 2016_09_06;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (RockLoader CnC)"; flow:established,from_server; content:"|09 00 cb 68 d8 f0 41 2b 87 4c|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023176; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_06, performance_impact Low, updated_at 2016_09_06;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|host-ui.ru"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023177; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_06, performance_impact Low, updated_at 2016_09_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Pony Variant FOX Reporting Adfraud Activity"; flow:established,to_server; content:"POST"; http_method; content:".php/data"; http_uri; fast_pattern:only; pcre:"/\.php\/data$/U"; content:"http|3a 2f 2f|"; http_client_body; offset:20; depth:7; content:!"Referer|3a|"; http_header; reference:md5,cdfb7e5544c9aa49c17217fdfe04e854; reference:url,malware.dontneedcoffee.com/2016/09/fox-stealer-another-pony-fork.html; classtype:trojan-activity; sid:2023293; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_08, malware_family Pony, performance_impact Low, updated_at 2016_09_26;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (Locky C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fpashgkepwtoqdjg"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023178; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_08, updated_at 2016_09_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vrympoqs5ra34nfo"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023179; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_08, updated_at 2016_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN OSX/Mokes.A CnC Heartbeat Request (set)"; flow:established,to_server; urilen:3; content:"GET"; http_method; content:"/v1"; http_uri; content:"Connection|3a 20|Close|0d 0a|"; http_header; content:"Safari/7046A194A|0d 0a|"; http_header; distance:0; fast_pattern; content:!"Accept|3a|"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^Connection\x3a\x20Close\r\nUser-Agent\x3a\x20[^\r\n]+\r\nAccept-Encoding\x3a\x20[^\r\n]+\r\nAccept-Language\x3a\x20[^\r\n]+\r\nHost\x3a\x20[^\r\n]+\r\n\r\n$/Hmi"; flowbits:set,ET.OSX.Mokes; flowbits:noalert; reference:url,securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered; classtype:trojan-activity; sid:2023182; rev:1; metadata:affected_product Mac_OSX, deployment Perimeter, tag OSX_Malware, created_at 2016_09_08, updated_at 2016_09_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN OSX/Mokes.A CnC Heartbeat"; flow:established,to_client; dsize:<300; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Connection|3a 20|close|0d 0a|"; http_header; content:"Content-Encoding|3a 20|gzip|0d 0a|"; http_header; flowbits:isset,ET.OSX.Mokes; reference:url,securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered; classtype:trojan-activity; sid:2023183; rev:1; metadata:affected_product Mac_OSX, deployment Perimeter, tag OSX_Malware, created_at 2016_09_08, updated_at 2016_09_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/CryPy Ransomware CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/victim.php?info="; http_uri; fast_pattern; content:"&ip="; http_uri; distance:0; content:"User-Agent|3a 20|Python-urllib"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/victim\.php\?info=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})&ip=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/Ui"; reference:md5,8bd7cd1eee4594ad4886ac3f1a05273b; reference:url,nakedsecurity.sophos.com/2016/10/18/data-stealing-crpy-ransomware/; classtype:trojan-activity; sid:2023345; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_09, malware_family Ransomware, performance_impact Low, updated_at 2016_10_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Quant Loader Download Request"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?id="; http_uri; fast_pattern; content:"&c="; distance:0; nocase; http_uri; content:"&mk="; distance:0; nocase; http_uri; content:!"Referer"; http_header; content:!"Cookie|3a|"; threshold: type limit, track by_src, count 1, seconds 30; reference:md5,7554244ea84457f53ab9d4989c4d363d; classtype:trojan-activity; sid:2023203; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_12, malware_family Locky, malware_family Pony9, updated_at 2016_09_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Quant Loader Download Response"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"dll=http"; depth:8; nocase; fast_pattern; content:"|3b|exe=http"; distance:0; nocase; content:"|3b|dll=http"; distance:0; nocase; reference:md5,7554244ea84457f53ab9d4989c4d363d; classtype:trojan-activity; sid:2023204; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_12, malware_family Locky, malware_family Pony9, updated_at 2016_09_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows dir Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"<DIR>"; content:"File(s)"; distance:0; content:"Dir(s)"; content:"bytes free"; fast_pattern; distance:0; classtype:trojan-activity; sid:2023205; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_14, performance_impact Low, updated_at 2016_09_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows Microsoft Windows DOS prompt command Error Invalid Argument"; flow:established,to_server; content:"ERROR|3a| Invalid Argument/Option"; fast_pattern; classtype:trojan-activity; sid:2023206; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, deployment Datacenter, signature_severity Critical, created_at 2016_09_15, performance_impact Low, updated_at 2016_09_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows Microsoft Windows DOS prompt command Error not recognized"; flow:established,to_server; content:"|27| is not recognized as an internal or external command|2c|"; content:"operable program or batch file."; fast_pattern; classtype:trojan-activity; sid:2023207; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, deployment Datacenter, signature_severity Critical, created_at 2016_09_15, performance_impact Low, updated_at 2016_09_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows Microsoft Windows DOS prompt command Error not found"; flow:established,to_server; content:"The following command was not found|3a 20|"; classtype:trojan-activity; sid:2023208; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, deployment Datacenter, signature_severity Critical, created_at 2016_09_15, performance_impact Low, updated_at 2016_09_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows net statistics workstation Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Workstation Statistics for |5c 5c|"; fast_pattern; pcre:"/^[^\\\*\+\=\|\:\;\x22\?\<\>\,\#][A-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}/Rsi"; classtype:trojan-activity; sid:2023209; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, deployment Datacenter, signature_severity Critical, created_at 2016_09_15, performance_impact Low, updated_at 2016_09_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows net statistics server Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Server Statistics for |5c 5c|"; fast_pattern; pcre:"/^[^\\\*\+\=\|\:\;\x22\?\<\>\,\#][A-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}/Rsi"; classtype:trojan-activity; sid:2023210; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, deployment Datacenter, signature_severity Critical, created_at 2016_09_15, performance_impact Low, updated_at 2016_09_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows driverquery -v Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Module Name"; content:"Display Name"; content:"Description"; content:"Driver Type"; fast_pattern; classtype:trojan-activity; sid:2023211; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, deployment Datacenter, signature_severity Critical, created_at 2016_09_15, performance_impact Low, updated_at 2016_09_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows driverquery -si Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"DeviceName"; fast_pattern; content:"InfName"; content:"IsSigned"; content:"Manufacturer"; classtype:trojan-activity; sid:2023212; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, deployment Datacenter, signature_severity Critical, created_at 2016_09_15, performance_impact Low, updated_at 2016_09_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows qwinsta Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"SESSIONNAME"; fast_pattern; content:"USERNAME"; content:"ID"; content:"STATE"; content:"TYPE"; content:"DEVICE"; classtype:trojan-activity; sid:2023213; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, deployment Datacenter, signature_severity Critical, created_at 2016_09_15, performance_impact Low, updated_at 2016_09_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows quser Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"USERNAME"; fast_pattern; content:"SESSIONNAME"; content:"ID"; content:"STATE"; content:"IDLE TIME"; content:"LOGON TIME"; classtype:trojan-activity; sid:2023214; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, deployment Datacenter, signature_severity Critical, created_at 2016_09_15, performance_impact Low, updated_at 2016_09_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows gpresult Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Operating System Group Policy Result tool v"; fast_pattern; classtype:trojan-activity; sid:2023215; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, deployment Datacenter, signature_severity Critical, created_at 2016_09_15, performance_impact Low, updated_at 2016_09_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows netsh advfirewall show allprofiles Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Domain Profile Settings|3a|"; fast_pattern:only; content:"Firewall Policy"; classtype:trojan-activity; sid:2023216; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, deployment Datacenter, signature_severity Critical, created_at 2016_09_15, performance_impact Low, updated_at 2016_09_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows WMIC OS get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Boot Device"; fast_pattern; content:"Build Number"; content:"Build Type"; classtype:trojan-activity; sid:2023217; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, deployment Datacenter, signature_severity Critical, created_at 2016_09_15, performance_impact Low, updated_at 2016_09_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows WMIC COMPUTERSYSTEM get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"AdminPasswordStatus"; fast_pattern; content:"AutomaticManagedPagefile"; content:"Build Type"; classtype:trojan-activity; sid:2023218; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, deployment Datacenter, signature_severity Critical, created_at 2016_09_15, performance_impact Low, updated_at 2016_09_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows WMIC NETLOGIN get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"AccountExpires"; fast_pattern; content:"AuthorizationFlags"; content:"BadPasswordCount"; classtype:trojan-activity; sid:2023219; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, deployment Datacenter, signature_severity Critical, created_at 2016_09_15, performance_impact Low, updated_at 2016_09_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows WMIC NIC get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"AdapterType"; fast_pattern; content:"AdapterTypeId"; content:"AutoSense"; classtype:trojan-activity; sid:2023220; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, deployment Datacenter, signature_severity Critical, created_at 2016_09_15, performance_impact Low, updated_at 2016_09_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows WMIC PROCESS get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"CSCreationClassName"; fast_pattern; content:"CSName"; content:"Description"; content:"ExecutablePath"; classtype:trojan-activity; sid:2023221; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, deployment Datacenter, signature_severity Critical, created_at 2016_09_15, performance_impact Low, updated_at 2016_09_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows WMIC SERVER get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"BlockingRequestsRejected"; fast_pattern; content:"BytesReceivedPersec"; content:"BytesTotalPersec"; content:"ExecutablePath"; classtype:trojan-activity; sid:2023222; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, deployment Datacenter, signature_severity Critical, created_at 2016_09_15, performance_impact Low, updated_at 2016_09_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows WMIC SERVICE get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"AcceptPause"; fast_pattern:only; content:"AcceptStop"; content:"Caption"; content:"ExecutablePath"; classtype:trojan-activity; sid:2023223; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, deployment Datacenter, signature_severity Critical, created_at 2016_09_15, performance_impact Low, updated_at 2016_09_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows WMIC SHARE get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"AccessMask"; fast_pattern; content:"AllowMaximum"; content:"Caption"; content:"Description"; classtype:trojan-activity; sid:2023224; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, deployment Datacenter, signature_severity Critical, created_at 2016_09_15, performance_impact Low, updated_at 2016_09_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows WMIC SYSACCOUNT get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Caption"; content:"Description"; content:"Domain"; content:"InstallDate"; content:"LocalAccount"; fast_pattern; classtype:trojan-activity; sid:2023225; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, deployment Datacenter, signature_severity Critical, created_at 2016_09_15, performance_impact Low, updated_at 2016_09_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows WMIC STARTUP get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Caption"; content:"Command"; content:"Description"; content:"Location"; content:"UserSID"; fast_pattern; classtype:trojan-activity; sid:2023226; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, deployment Datacenter, signature_severity Critical, created_at 2016_09_15, performance_impact Low, updated_at 2016_09_15;)

alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN LuminosityLink - Inbound Data Channel CnC Delimiter"; flow:established,to_client; dsize:<25; content:"8_=_8"; fast_pattern; isdataat:!1,relative; reference:md5,ab03070048fdbadbb901ec75b8f9f2e9; classtype:trojan-activity; sid:2023241; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_15, malware_family Luminosity_Link, updated_at 2016_09_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN LuminosityLink - Outbound Data Channel CnC Delimiter"; flow:established,to_server; dsize:<25; content:"8_=_8"; fast_pattern; isdataat:!1,relative; reference:md5,ab03070048fdbadbb901ec75b8f9f2e9; classtype:trojan-activity; sid:2023242; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_15, malware_family Luminosity_Link, updated_at 2016_09_15;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|curenasriense.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023243; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_15, updated_at 2016_09_15;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|transadvert.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023244; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_15, updated_at 2016_09_15;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|glob-marketing.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023245; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_15, updated_at 2016_09_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows sc query Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"SERVICE_NAME|3A|"; content:"DISPLAY_NAME|3A|"; content:"TYPE"; content:"STATE"; classtype:trojan-activity; sid:2023246; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, deployment Datacenter, signature_severity Critical, created_at 2016_09_16, performance_impact Low, updated_at 2016_09_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware Locky .onion Payment Domain (f5xraa2y2ybtrefz)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|f5xraa2y2ybtrefz"; fast_pattern; distance:0; nocase; reference:md5,5eeeeb093ee02d3769886880f8a58a90; classtype:trojan-activity; sid:2023247; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, signature_severity Major, created_at 2016_09_19, malware_family Ransomware, malware_family Locky, performance_impact Low, updated_at 2016_09_19;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Libyan Scorpions Adwind DNS Lookup (winmeif .myq-see.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|winmeif|07|myq-see|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,cyberkov.com/hunting-libyan-scorpions/; classtype:trojan-activity; sid:2023256; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_22, malware_family Netwire_RAT, updated_at 2016_09_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Libyan Scorpions Adwind DNS Lookup (collge .myq-see.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|collge|07|myq-see|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,cyberkov.com/hunting-libyan-scorpions/; classtype:trojan-activity; sid:2023257; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_22, malware_family Netwire_RAT, updated_at 2016_09_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Libyan Scorpions Adwind DNS Lookup (sara2011 .no-ip.biz)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|sara2011|05|no-ip|03|biz|00|"; nocase; distance:0; fast_pattern; reference:url,cyberkov.com/hunting-libyan-scorpions/; classtype:trojan-activity; sid:2023258; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_22, malware_family Netwire_RAT, updated_at 2016_09_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Libyan Scorpions Netwire RAT DNS Lookup (samsung .ddns.me)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|samsung|04|ddns|02|me|00|"; nocase; distance:0; fast_pattern; reference:url,cyberkov.com/hunting-libyan-scorpions/; classtype:trojan-activity; sid:2023259; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_22, malware_family Netwire_RAT, updated_at 2016_09_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Libyan Scorpions Netwire RAT DNS Lookup (wininit .myq-see.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|wininit|07|myq-see|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,cyberkov.com/hunting-libyan-scorpions/; classtype:trojan-activity; sid:2023260; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_22, malware_family Netwire_RAT, updated_at 2016_09_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (Locky C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fqoapcjolfwwenqx"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023261; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_22, malware_family Ransomware, malware_family Locky, performance_impact Low, updated_at 2016_09_22;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|ns-cheap.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023262; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_22, updated_at 2016_09_22;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|gl-markt.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023263; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_22, updated_at 2016_09_22;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|hoonietospeed.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023264; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_22, updated_at 2016_09_22;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|dnbcheck.pw"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023265; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_22, updated_at 2016_09_22;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|statway.online"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023266; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_22, updated_at 2016_09_22;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|petetongtt.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023267; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_22, updated_at 2016_09_22;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|09 00 e4 52 b4 b2 9e 40 bd 86|"; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0d|Synology Inc."; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023268; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_22, updated_at 2016_09_22;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|verifybyamexcards.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023269; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_22, updated_at 2016_09_22;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|dnbcheck.site"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023286; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_23, malware_family Gozi, updated_at 2016_09_23;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|mainmar.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023287; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_23, malware_family Gozi, updated_at 2016_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BleedingLife EK CVE-2014-6332 Exploit"; flow:to_server,established; content:"GET"; http_method; content:"|2f 32 30 31 34 2d 36 33 33 32 2e 70 68 70 3f|"; http_uri; fast_pattern:only; content:"/index.php?ss="; http_header; pcre:"/\.php\?\d{1,4}$/Ui"; classtype:trojan-activity; sid:2023288; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag BleedingLifeEK, signature_severity Major, created_at 2016_09_23, malware_family Exploit_Kit, malware_family BleedingLife, updated_at 2016_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BleedingLife EK CVE-2016-0189 Exploit"; flow:to_server,established; content:"GET"; http_method; content:"|2f 32 30 31 36 2d 30 31 38 39 2e 70 68 70 3f|"; http_uri; fast_pattern:only; content:"/index.php?ss="; http_header; pcre:"/\.php\?\d{1,4}$/Ui"; classtype:trojan-activity; sid:2023289; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag BleedingLifeEK, signature_severity Major, created_at 2016_09_23, malware_family Exploit_Kit, malware_family BleedingLife, updated_at 2016_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BleedingLife EK Payload Request"; flow:to_server,established; content:"GET"; http_method; content:".php?e="; http_uri; fast_pattern; content:"&h="; content:!"Referer|3a|"; http_header; pcre:"/\.php\?e=\d{4}\-\d{4}&h=[a-f0-9]{32}$/Ui"; flowbits:set,ET.BleedingLife.Payload; classtype:trojan-activity; sid:2023290; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag BleedingLifeEK, signature_severity Major, created_at 2016_09_23, malware_family Exploit_Kit, malware_family BleedingLife, updated_at 2016_09_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN BleedingLife EK Payload Delivered"; flow:from_server,established; flowbits:isset,ET.BleedingLife.Payload; content:"200"; http_stat_code; content:"Content-Disposition|3a 20|attachment|3b 20|filename="; http_header; fast_pattern:22,20; content:"Content-Type|3a 20|application/"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2023291; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag BleedingLifeEK, signature_severity Major, created_at 2016_09_23, malware_family Exploit_Kit, malware_family BleedingLife, updated_at 2016_09_23;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|secursitenot.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023294; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_26, malware_family Gozi, updated_at 2016_09_26;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|gtldsfs.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023295; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_26, malware_family Gozi, updated_at 2016_09_26;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|cdnfastnetwork.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023296; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_26, malware_family Gozi, updated_at 2016_09_26;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH SSL Blacklist DNS Lookup (Gozi MITM) (gtldsfs .com )"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|gtldsfs|04|com |00|"; nocase; distance:0; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023297; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_26, malware_family Gozi, updated_at 2016_09_26;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH SSL Blacklist DNS Lookup (Gozi MITM) (cdnfastnetwork .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|cdnfastnetwork|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023298; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_26, malware_family Gozi, updated_at 2016_09_26;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28 Komplex DNS Lookup (appleupdate .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|appleupdate|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/; classtype:trojan-activity; sid:2023299; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_26, malware_family APT28, malware_family OSX_Komplex, updated_at 2016_09_26;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28 Komplex DNS Lookup (apple-iclouds .net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|apple-iclouds|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/; classtype:trojan-activity; sid:2023300; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_26, malware_family APT28, malware_family OSX_Komplex, updated_at 2016_09_26;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28 Komplex DNS Lookup (itunes-helper .net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|itunes-helper|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/; classtype:trojan-activity; sid:2023301; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_26, malware_family APT28, malware_family OSX_Komplex, updated_at 2016_09_26;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN Anuna PHP Backdoor Attempt"; flow:established,to_server; content:!"Referer|3a|"; http_header; content:".php?cookie=1"; http_uri; fast_pattern:only; pcre:"/\.php\?cookie=1$/U"; flowbits:set,ET.Anuna.Backdoor; classtype:trojan-activity; sid:2023305; rev:1; metadata:affected_product PHP, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2016_09_28, malware_family Anuna, updated_at 2016_09_28;)

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET TROJAN Anuna PHP Backdoor Sucessful Exploit"; flow:established,from_server; flowbits:isset,ET.Anuna.Backdoor; content:"200"; http_stat_code; file_data; content:"cookie=4"; within:8; classtype:trojan-activity; sid:2023306; rev:1; metadata:affected_product PHP, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2016_09_28, malware_family Anuna, updated_at 2016_09_28;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|arcnetcdn.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023308; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_28, malware_family Gozi, updated_at 2016_09_28;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|sdpvss.com"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023309; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_28, malware_family Gozi, updated_at 2016_09_28;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH SSL Blacklist DNS Lookup (Gozi MITM) (sdpvss .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|sdpvss|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023310; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_28, malware_family Gozi, performance_impact Low, updated_at 2016_09_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MSIL/HadesLocker Ransomware Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; content:!"|0d 0a|Accept"; http_header; content:"hwid="; http_client_body; depth:5; fast_pattern; content:"&tracking_id="; http_client_body; distance:0; content:"&usercomputername="; http_client_body; distance:0; content:"&ip="; http_client_body; distance:0; reference:md5,6970847bedab9ab83e69630d065ba67b; classtype:trojan-activity; sid:2023481; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_10_04, malware_family Ransomware, performance_impact Low, updated_at 2016_11_02;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|allenia.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023319; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_10_05, updated_at 2016_10_05;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|ssltrustcontrol.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023320; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_10_05, updated_at 2016_10_05;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|usgivememoney.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023321; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_10_05, updated_at 2016_10_05;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|p.scgreencharter.org"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023322; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_10_05, updated_at 2016_10_05;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|fastsvpsd.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023323; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_10_05, updated_at 2016_10_05;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|16|csos.brycepeterson.net"; distance:1; within:23; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023324; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_10_05, updated_at 2016_10_05;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|mgudoor.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023325; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_10_05, updated_at 2016_10_05;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|zigerds.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023326; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_10_05, updated_at 2016_10_05;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH TorrenLocker Payment Domain Detected"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|4w5wihkwyhsav2ha"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023327; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, created_at 2016_10_07, updated_at 2016_10_07;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH TorrenLocker Payment Domain Detected"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|anbqjdoyw6wkmpeu"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023328; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, created_at 2016_10_07, updated_at 2016_10_07;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Locky Payment Domain Detected"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jhomitevd2abj3fk"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023329; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, created_at 2016_10_07, updated_at 2016_10_07;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptoWall/TeslaCrypt Payment Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|aterdunst|03|com|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2023330; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, created_at 2016_10_07, updated_at 2016_10_07;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptoWall/TeslaCrypt Payment Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|bonmawp|02|at|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2023331; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, created_at 2016_10_07, updated_at 2016_10_07;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptoWall/TeslaCrypt Payment Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|wallymac|03|com|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2023332; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, created_at 2016_10_07, updated_at 2016_10_07;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET TROJAN Linux.Mirai Login Attempt (xc3511)"; flow:to_server,established; content:"xc3511|0d 0a|"; dsize:8; reference:url,www.flashpoint-intel.com/when-vulnerabilities-travel-downstream; classtype:trojan-activity; sid:2023333; rev:4; metadata:affected_product DVR, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2016_10_10, malware_family ddos_bot, performance_impact Low, updated_at 2016_11_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Enigma Locker Checkin"; flow:to_server,established; urilen:8; content:"GET"; http_method; content:"/get.php"; http_uri; fast_pattern; content:"Connection|3a 20|close"; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nConnection\x3a\x20close(?:\r\n)+$/Hi"; reference:md5,229b639878c9e932ef8028d2875526b9; reference:md5,b4c5edd3ba110e0fdb420277f24bd0b0; reference:url,www.bleepingcomputer.com/news/security/the-enigma-ransomware-targets-russian-speaking-users/; classtype:trojan-activity; sid:2023334; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_12, malware_family Ransomware, malware_family Enigma, performance_impact Low, updated_at 2016_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Nuke Ransomware Checkin"; flow:to_server,established;content:"POST"; http_method; content:".php"; http_uri; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; content:"Expect|3a 20|100-continue"; http_header; content:!"User-Agent|3a 20|"; http_header; content:"machine="; depth:8; fast_pattern; http_client_body; pcre:"/\.php$/Ui"; pcre:"/^machine=[^&]+$/Pi"; metadata: former_category TROJAN; reference:url,www.spyware-techie.com/nuke-ransomware-removal-guide; reference:md5,ff0e42146794f0d080df0467337b2d01; classtype:trojan-activity; sid:2023335; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_10_12, malware_family Ransomware, malware_family Nuke, performance_impact Low, updated_at 2017_04_13;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|geernabys.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023336; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_10_12, malware_family ursnif, performance_impact Low, updated_at 2016_10_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TheTrick Banking Trojan User-Agent"; flow:to_server,established; content:"User-Agent|3a 20 54 72 69 63 6b 4c 6f 61 64 65 72|"; fast_pattern:only; reference:md5,f26649fc31ede7594b18f8cd7cdbbc15; classtype:trojan-activity; sid:2023338; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_13, malware_family Banking_Trojan, performance_impact Low, updated_at 2016_10_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Infostealer.Snifula File Upload"; flow:established,to_server; content:"POST"; http_method; content:".cgi"; http_uri; content:"name|3d 22|upload_file|22 3b 20|filename|3d 22|"; fast_pattern:6,20; http_client_body; content:!"Referer|3a 20|"; http_header; content:"User-Agent|3a 20|IE|0d 0a|Host"; http_header; reference:md5,be16b8d1b85843c89301f189b35c4963; classtype:trojan-activity; sid:2023337; rev:1; metadata:created_at 2016_10_14, updated_at 2016_10_14;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Malicious SSL certificate detected (Powershell Trojan)"; flow:from_server,established; content:"|16|"; content:"|0b|"; distance:0; within:8; content:"|09 00 d6 e6 05 e6 06 e6 17 3f|"; fast_pattern:only; reference:url,pastebin.com/7wYupkJL; reference:md5,4c5c9014f2d18f11ca62848876551323; classtype:trojan-activity; sid:2023342; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_10_17, malware_family PowerShell, performance_impact Low, updated_at 2016_10_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28 DealersChoice.B DNS Lookup (appexsrv .net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|appexsrv|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:trojan-activity; sid:2023344; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_18, malware_family APT28, malware_family DealersChoice_B, performance_impact Low, updated_at 2016_12_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/CryPy Ransomware Encrypting File"; flow:established,to_server; content:"GET"; http_method; content:"/savekey.php?file="; http_uri; fast_pattern; content:"&id="; http_uri; distance:0; content:"User-Agent|3a 20|Python-urllib"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/savekey\.php\?file=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})&id=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/Ui"; reference:md5,8bd7cd1eee4594ad4886ac3f1a05273b; reference:url,nakedsecurity.sophos.com/2016/10/18/data-stealing-crpy-ransomware/; classtype:trojan-activity; sid:2023346; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_10_18, malware_family Ransomware, malware_family CryPy, performance_impact Low, updated_at 2016_10_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c7 b5 8a 8d d7 e8 44 b0|"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023347; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_10_18, updated_at 2016_10_18;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|facenoplays.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023348; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_10_18, updated_at 2016_10_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 106"; flow:to_server,established; dsize:>11; content:"|00 00|"; offset:2; depth:2; content:!"|00 00|"; depth:2; content:"|9c 4b|"; offset:8; fast_pattern; byte_jump:4,0,little,from_beginning,post_offset -9; isdataat:!1,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,edc84c505d101301459dafab296fb743; classtype:trojan-activity; sid:2023349; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Gh0st, signature_severity Major, created_at 2016_10_19, malware_family Gh0st, malware_family PCRAT, performance_impact Low, updated_at 2016_10_19;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 97 21 dd 62 8b bc 65 25|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023350; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_10_19, performance_impact Low, updated_at 2016_10_19;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Observed AgentTesla Domain Request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|agenttesla|03|com|00|"; nocase; distance:0; fast_pattern; reference:md5,32f3fa6b80904946621551399be32207; classtype:trojan-activity; sid:2023354; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_21, malware_family Keylogger, malware_family AgentTesla, malware_family Backdoor, performance_impact Low, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (microsoftsupp .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|microsoftsupp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023355; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (aljazeera-news .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|aljazeera-news|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023356; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (ausameetings .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|ausameetings|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023357; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (bbc-press .org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|bbc-press|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023358; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (cnnpolitics .eu)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|cnnpolitics|02|eu|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023359; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (dailyforeignnews .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dailyforeignnews|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023360; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (dailypoliticsnews .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|dailypoliticsnews|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023361; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (defenceiq .us)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|defenceiq|02|us|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023362; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (defencereview .eu)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|defencereview|02|eu|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023363; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (diplomatnews .org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|diplomatnews|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023364; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (euronews24 .info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|euronews24|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023365; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (euroreport24 .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|euroreport24|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023366; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (kg-news .org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|kg-news|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023367; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (military-info .eu)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|military-info|02|eu|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023368; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (militaryadviser .org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|militaryadviser|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023369; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (militaryobserver .net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|militaryobserver|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023370; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (nato-hq .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|nato-hq|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023371; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (nato-news .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|nato-news|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023372; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (natoint .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|natoint|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023373; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (natopress .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|natopress|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023374; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (osce-info .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|osce-info|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023375; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (osce-press .org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|osce-press|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023376; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (pakistan-mofa .net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|pakistan-mofa|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023377; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (politicalreview .eu)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|politicalreview|02|eu|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023378; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (politicsinform .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|politicsinform|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023379; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (reuters-press .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|reuters-press|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023380; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (shurl .biz)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|shurl|03|biz|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023381; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (stratforglobal .net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|stratforglobal|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023382; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (thediplomat-press .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|thediplomat-press|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023383; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (theguardiannews .org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|theguardiannews|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023384; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (trend-news .org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|trend-news|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023385; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (unian-news .info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|unian-news|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023386; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (unitednationsnews .eu)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|unitednationsnews|02|eu|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023387; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (virusdefender .org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|virusdefender|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023388; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (worldmilitarynews .org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|worldmilitarynews|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023389; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (worldpoliticsnews .org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|worldpoliticsnews|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023390; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (capisp .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|capisp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023391; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (dataclen .org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|dataclen|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023392; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (mscoresvw .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|mscoresvw|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023393; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (windowscheckupdater .net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|windowscheckupdater|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023394; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (acledit .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|acledit|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023395; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (biocpl .org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|biocpl|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:trojan-activity; sid:2023396; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2016_10_21, malware_family APT28_Sednit, updated_at 2016_10_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/CryptFile2 Ransomware Checkin M2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"User-Agent|3a 20 70 6f 73 74 5f 65 78 61 6d 70 6c 65|"; http_header; fast_pattern:only; content:"=0x"; http_client_body; content:"|2c|0x"; distance:2; within:5; http_client_body; content:"|3c 62 72 3e|"; distance:0; http_client_body; pcre:"/\.php$/U"; reference:md5,ad2c80611ebc7f6d45bd3e46de38b776; reference:md5,5bb7d85f7a5f1d2b01efabe5635e2992; classtype:trojan-activity; sid:2023397; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_10_24, malware_family Ransomware, malware_family CryptFile2, performance_impact Low, updated_at 2016_10_24;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Bitter RAT TCP CnC Beacon"; flow:established,from_server; content:"BITTER1234"; depth:10; reference:url,blogs.forcepoint.com/security-labs/bitter-targeted-attack-against-pakistan; reference:md5,6e855944d171a3acbb64635dbe7a9c62; classtype:trojan-activity; sid:2023399; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_24, malware_family Bitter_implant, updated_at 2016_10_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bitter RAT HTTP CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:".php?cId="; http_uri; fast_pattern; content:"&hos"; distance:0; http_uri; content:"Name="; distance:0; http_uri; content:"Info="; distance:0; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; threshold: type both, count 1, seconds 120, track by_src; reference:url,blogs.forcepoint.com/security-labs/bitter-targeted-attack-against-pakistan; reference:md5,2b07e054a1abb2941e5e70fba652a211; classtype:trojan-activity; sid:2023400; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_24, malware_family Bitter_implant, updated_at 2016_10_24;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|hlaprise.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023402; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_10_25, updated_at 2016_10_25;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|calmiinity.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023403; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_10_25, updated_at 2016_10_25;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|rootenplay.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023404; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_10_25, updated_at 2016_10_25;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 89 f7 85 18 43 70 17 d1|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023405; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_10_25, updated_at 2016_10_25;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|statuscheck.site"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023406; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_10_25, performance_impact Low, updated_at 2016_10_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (ciscohelpcenter .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|ciscohelpcenter|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:trojan-activity; sid:2023407; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_25, malware_family APT28_Sednit, updated_at 2016_10_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (timezoneutc .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|timezoneutc|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:trojan-activity; sid:2023408; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_25, malware_family APT28_Sednit, updated_at 2016_10_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (inteldrv64 .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|inteldrv64|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:trojan-activity; sid:2023409; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_25, malware_family APT28_Sednit, updated_at 2016_10_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (advpdxapi .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|advpdxapi|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:trojan-activity; sid:2023410; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_25, malware_family APT28_Sednit, updated_at 2016_10_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (cloudflarecdn .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|cloudflarecdn|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:trojan-activity; sid:2023411; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_25, malware_family APT28_Sednit, updated_at 2016_10_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (driversupdate .info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|driversupdate|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:trojan-activity; sid:2023412; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_25, malware_family APT28_Sednit, updated_at 2016_10_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (kenlynton .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|kenlynton|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:trojan-activity; sid:2023413; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_25, malware_family APT28_Sednit, updated_at 2016_10_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (microsoftdriver .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|microsoftdriver|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:trojan-activity; sid:2023414; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_25, malware_family APT28_Sednit, updated_at 2016_10_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (microsofthelpcenter .info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|microsofthelpcenter|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:trojan-activity; sid:2023415; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_25, malware_family APT28_Sednit, updated_at 2016_10_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (nortonupdate .org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|nortonupdate|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:trojan-activity; sid:2023416; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_25, malware_family APT28_Sednit, updated_at 2016_10_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (softwaresupportsv .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|softwaresupportsv|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:trojan-activity; sid:2023417; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_25, malware_family APT28_Sednit, updated_at 2016_10_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (symantecsupport .org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|symantecsupport|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:trojan-activity; sid:2023418; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_25, malware_family APT28_Sednit, updated_at 2016_10_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (updatecenter .name)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|updatecenter|04|name|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:trojan-activity; sid:2023419; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_25, malware_family APT28_Sednit, updated_at 2016_10_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (updatesystems .net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|updatesystems|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:trojan-activity; sid:2023420; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_25, malware_family APT28_Sednit, updated_at 2016_10_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (updmanager .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|updmanager|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:trojan-activity; sid:2023421; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_25, malware_family APT28_Sednit, updated_at 2016_10_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/Sednit DNS Lookup (windowsappstore .net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|windowsappstore|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:trojan-activity; sid:2023422; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_25, malware_family APT28_Sednit, updated_at 2016_10_25;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN APT28/Sednit SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|09|ngefqevwe"; distance:1; within:10; fast_pattern; reference:md5,f7ee38ca49cd4ae35824ce5738b6e587; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:trojan-activity; sid:2023423; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_10_25, malware_family APT28_Sednit, updated_at 2016_10_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Brazilian Banker Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?role="; fast_pattern:only; http_uri; content:"&os="; http_uri; content:"&bits="; http_uri; content:"&av="; http_uri; content:"&host="; http_uri; content:"&plugins="; http_uri; content:!"Referer|3a 20|"; http_header; reference:md5,580f82bbd46e8344231cf005; classtype:trojan-activity; sid:2023424; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banker, signature_severity Major, created_at 2016_10_26, malware_family Banking_Trojan, performance_impact Low, updated_at 2016_10_26;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware/Cerber Onion Domain Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ffoqr3ug7m726zou"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023425; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Major, created_at 2016_10_26, malware_family Ransomware_Cerber, updated_at 2016_10_26;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware/Cerber Onion Domain Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lfdachijzuwx4bc4"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023426; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Major, created_at 2016_10_26, malware_family Ransomware_Cerber, updated_at 2016_10_26;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware/Cerber Onion Domain Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ojmekzw4mujvqeju"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023427; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Major, created_at 2016_10_26, malware_family Ransomware_Cerber, updated_at 2016_10_26;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware/Cerber Onion Domain Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xrhwryizf5mui7a5"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023428; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Major, created_at 2016_10_26, malware_family Ransomware_Cerber, updated_at 2016_10_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Houdini/Hworm CnC Checkin M1"; flow:established,to_server; content:"new_houdini|0d 0a|"; fast_pattern; offset:4; depth:13; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; isdataat:!1,relative; reference:md5,45009c70d362dcd253112c9cf1924f57; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance; classtype:trojan-activity; sid:2023429; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_26, malware_family Houdini, malware_family Hworm, performance_impact Low, updated_at 2016_11_03;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET TROJAN Possible Linux.Mirai Login Attempt (1111111)"; flow:to_server,established; content:"1111111|0d 0a|"; nocase; dsize:9; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023430; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2016_10_26, updated_at 2016_10_26;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET TROJAN Possible Linux.Mirai Login Attempt (54321)"; flow:to_server,established; content:"54321|0d 0a|"; nocase; dsize:7; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023431; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2016_10_26, updated_at 2016_11_08;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET TROJAN Possible Linux.Mirai Login Attempt (666666)"; flow:to_server,established; content:"666666|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023432; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2016_10_26, updated_at 2016_11_08;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0admin)"; flow:to_server,established; content:"7ujMko0admin|0d 0a|"; nocase; dsize:14; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023433; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2016_10_26, updated_at 2016_11_08;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0vizxv)"; flow:to_server,established; content:"7ujMko0vizxv|0d 0a|"; nocase; dsize:14; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023434; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2016_10_26, updated_at 2016_10_26;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET TROJAN Possible Linux.Mirai Login Attempt (888888)"; flow:to_server,established; content:"888888|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023435; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2016_10_26, updated_at 2016_10_26;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET TROJAN Possible Linux.Mirai Login Attempt (anko)"; flow:to_server,established; content:"anko|0d 0a|"; nocase; dsize:6; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023436; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2016_10_26, updated_at 2016_10_26;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET TROJAN Possible Linux.Mirai Login Attempt (dreambox)"; flow:to_server,established; content:"dreambox|0d 0a|"; nocase; dsize:10; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023437; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2016_10_26, updated_at 2016_10_26;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET TROJAN Possible Linux.Mirai Login Attempt (fucker)"; flow:to_server,established; content:"fucker|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023438; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2016_10_26, updated_at 2016_10_26;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET TROJAN Possible Linux.Mirai Login Attempt (hi3518)"; flow:to_server,established; content:"hi3518|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023439; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2016_10_26, updated_at 2016_11_08;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET TROJAN Possible Linux.Mirai Login Attempt (ikwb)"; flow:to_server,established; content:"ikwb|0d 0a|"; nocase; dsize:6; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023440; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2016_10_26, updated_at 2016_10_26;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET TROJAN Possible Linux.Mirai Login Attempt (juantech)"; flow:to_server,established; content:"juantech|0d 0a|"; nocase; dsize:10; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023441; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2016_10_26, updated_at 2016_10_26;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET TROJAN Possible Linux.Mirai Login Attempt (jvbzd)"; flow:to_server,established; content:"jvbzd|0d 0a|"; nocase; dsize:7; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023442; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2016_10_26, updated_at 2016_10_26;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET TROJAN Possible Linux.Mirai Login Attempt (klv123)"; flow:to_server,established; content:"klv123|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023443; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2016_10_26, updated_at 2016_10_26;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET TROJAN Possible Linux.Mirai Login Attempt (klv1234)"; flow:to_server,established; content:"klv1234|0d 0a|"; nocase; dsize:9; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023444; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2016_10_26, updated_at 2016_10_26;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET TROJAN Possible Linux.Mirai Login Attempt (meinsm)"; flow:to_server,established; content:"meinsm|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023445; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2016_10_26, updated_at 2016_10_26;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET TROJAN Possible Linux.Mirai Login Attempt (realtek)"; flow:to_server,established; content:"realtek|0d 0a|"; nocase; dsize:9; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023446; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2016_10_26, updated_at 2016_11_08;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET TROJAN Possible Linux.Mirai Login Attempt (service)"; flow:to_server,established; content:"service|0d 0a|"; nocase; dsize:9; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023447; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2016_10_26, updated_at 2016_10_26;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET TROJAN Possible Linux.Mirai Login Attempt (ubnt)"; flow:to_server,established; content:"ubnt|0d 0a|"; nocase; dsize:6; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023448; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2016_10_26, updated_at 2016_10_26;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET TROJAN Possible Linux.Mirai Login Attempt (vizxv)"; flow:to_server,established; content:"vizxv|0d 0a|"; nocase; dsize:7; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023449; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2016_10_26, updated_at 2016_10_26;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET TROJAN Possible Linux.Mirai Login Attempt (xmhdipc)"; flow:to_server,established; content:"xmhdipc|0d 0a|"; nocase; dsize:9; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023450; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2016_10_26, updated_at 2016_10_26;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET TROJAN Possible Linux.Mirai Login Attempt (zlxx)"; flow:to_server,established; content:"zlxx|0d 0a|"; nocase; dsize:6; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023451; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2016_10_26, updated_at 2016_11_08;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET TROJAN Possible Linux.Mirai Login Attempt (Zte521)"; flow:to_server,established; content:"Zte521|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023452; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2016_10_26, updated_at 2016_11_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Jackpot Ransomware CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php?HWInfo="; http_uri; nocase; content:"}&Time="; http_uri; nocase; distance:0; content:"User-Agent|3a 20|My Session"; http_header; fast_pattern:2,20; content:"|2e 00 70 00 68 00 70 00 3f 00 48 00 57 00 49 00 6e 00 66 00 6f 00 3d|"; http_client_body; content:!"Referer|3a|"; http_header; reference:md5,5624c920b1fd3da3a451d564bb7488d3; classtype:trojan-activity; sid:2023465; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_10_27, malware_family Ransomware, malware_family Jackpot, performance_impact Low, updated_at 2016_10_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Emissary External IP Lookup"; flow:established,to_server; urilen:12; content:"GET"; http_method; content:"/index.shtml"; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Win32)|0d 0a|"; http_header; content:"Host|3a 20|"; http_header; content:"b4secure.com|0d 0a|"; distance:0; http_header; fast_pattern; pcre:"/^Host\x3a[^\r\n]+(?:www\.)?b4secure\.com\r$/Hmi"; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-psa-conference-invite-used-lure-operation-lotus-blossom-actors/; classtype:policy-violation; sid:2023470; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, signature_severity Major, created_at 2016_10_31, malware_family Emissary, malware_family Lotus_Blossom, updated_at 2016_10_31;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; byte_test:3,<,1200,0,relative; content:"|03 02 01 02 02 09 00|"; fast_pattern; content:"|30 09 06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[A-Z][a-z]{3,}\s(?:[A-Z][a-z]{3,}\s)?(?:[A-Z](?:[A-Za-z]{0,4}?[A-Z]|(?:\.[A-Za-z]){1,3})|[A-Z]?[a-z]+|[a-z](?:\.[A-Za-z]){1,3})\.?[01]/Rs"; content:"|55 04 03|"; distance:0; byte_test:1,>,13,1,relative; content:!"www."; distance:2; within:4; pcre:"/^.{2}(?P<CN>(?:(?:\d?[A-Z]?|[A-Z]?\d?)(?:[a-z]{3,20}|[a-z]{3,6}[0-9_][a-z]{3,6})\.){0,2}?(?:\d?[A-Z]?|[A-Z]?\d?)[a-z]{3,}(?:[0-9_-][a-z]{3,})?\.(?!com|org|net|tv)[a-z]{2,9})[01].*?(?P=CN)[01]/Rs"; content:!"|2a 86 48 86 f7 0d 01 09 01|"; content:!"GoDaddy"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023476; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_11_02, performance_impact Low, updated_at 2017_02_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Moose CnC Request M1"; flow:to_server,established; urilen:1; content:"GET"; http_method; content:!"Referer|3a 20|"; http_header; content:"PP|3b 20|nhash="; fast_pattern:only; content:"PHPSESSID="; http_cookie; content:"AAAAAAAAAAAAAAA"; http_cookie; distance:0; content:"PP|3b 20|nhash="; http_cookie; distance:0; content:"|3b 20|chash="; http_cookie; distance:0; reference:url,gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/; classtype:trojan-activity; sid:2023477; rev:2; metadata:affected_product Linux, attack_target Client_and_Server, deployment Perimeter, signature_severity Major, created_at 2016_11_02, malware_family Linux_Moose, performance_impact Low, updated_at 2016_11_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Moose CnC Response"; flow:from_server,established; content:"200"; http_stat_code; content:"PP|3b 20|expires="; fast_pattern:only; content:"PHPSESSID="; http_cookie; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; http_cookie; distance:0; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; http_cookie; distance:0; content:"PP|3b 20|expires="; http_cookie; distance:0; content:"WL="; http_cookie; content:"PP|3b 20|expires="; http_cookie; distance:0; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<html><body><h1>It works!</h1>"; nocase; depth:30; reference:url,gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/; classtype:trojan-activity; sid:2023478; rev:2; metadata:affected_product Linux, attack_target Client_and_Server, deployment Perimeter, signature_severity Major, created_at 2016_11_02, malware_family Linux_Moose, performance_impact Low, updated_at 2016_11_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Moose CnC Request M2"; flow:to_server,established; urilen:1; content:"GET"; http_method; content:!"Referer|3a 20|"; http_header; content:"|3b 20|nhash="; fast_pattern:only; content:"PHPSESSID="; http_cookie; content:"|3b 20|nhash="; http_cookie; distance:0; content:"|3b 20|chash="; http_cookie; distance:0; pcre:"/^Host\x3a\x20[^\r\n]+\r\nUser-Agent\x3a\x20[^\r\n]+\r\nAccept\x3a\x20[^\r\n]+\r\nAccept-Language\x3a\x20[^\r\n]+\r\nAccept-Encoding\x3a\x20[^\r\n]+\r\nConnection\x3a\x20[^\r\n]+[\r\n]+$/Hmi"; reference:url,gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/; classtype:trojan-activity; sid:2023479; rev:2; metadata:affected_product Linux, attack_target Client_and_Server, deployment Perimeter, signature_severity Major, created_at 2016_11_02, malware_family Linux_Moose, performance_impact Low, updated_at 2016_11_02;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28 DealersChoice DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|16|securityprotectingcorp|03|com|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2023658; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, cve url_researchcenter_paloaltonetworks_com_2016_12_unit42_let_ride_sofacy_groups_dealerschoice_attacks_continue_, signature_severity Major, created_at 2016_11_03, malware_family APT28, updated_at 2016_12_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN JS/HTA Downloader Behavior M3"; flow:to_server,established; content:".php?cmd=p&id="; fast_pattern:only; http_uri; content:"&rnd="; http_uri; pcre:"/\.php\?cmd=p&id=\w+.*?&rnd=[\x2e\d]+$/Ui"; content:!"Referer"; http_header; metadata: former_category TROJAN; reference:md5,d3abaa6736d7d549eca8644c67e9fcfe; classtype:trojan-activity; sid:2023485; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_11_07, performance_impact Low, updated_at 2017_08_25;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:from_server,established; content:"|16|"; content:"|55 04 03|"; content:"|09|localhost"; distance:1; within:11; content:"|09 00 ff 41 25 0a bf 95 6d 71|"; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|0b|domzino org"; distance:1; within:13; reference:md5,f6e81ae634bbcc309a4a5e01f20e4136; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023502; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_11_07, updated_at 2016_11_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sednit/APT28/Sofacy Delphocy CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; content:"as_q="; http_client_body; content:"as_ft="; http_client_body; fast_pattern:only; reference:url,www.welivesecurity.com/post_paper/en-route-with-sednit-part-3-a-mysterious-downloader/; classtype:trojan-activity; sid:2023486; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_11_08, malware_family APT28, malware_family Sofacy, malware_family Sednit_Delphocy, performance_impact Low, updated_at 2016_11_08;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|heeriekupman.com"; distance:1; within:17; classtype:trojan-activity; sid:2023489; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_11_08, updated_at 2016_11_08;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|1b|sni237731.cloudflaressl.com"; distance:1; within:28; classtype:trojan-activity; sid:2023490; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_11_08, updated_at 2016_11_08;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|infosec256bit.com"; distance:1; within:18; classtype:trojan-activity; sid:2023491; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_11_08, updated_at 2016_11_08;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|sslsecure777.com"; distance:1; within:17; classtype:trojan-activity; sid:2023492; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_11_08, updated_at 2016_11_08;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|dodstersystem.com"; distance:1; within:18; classtype:trojan-activity; sid:2023493; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_11_08, updated_at 2016_11_08;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|whatissslnow.com"; distance:1; within:17; classtype:trojan-activity; sid:2023494; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_11_08, updated_at 2016_11_08;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:from_server,established; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; pcre:"/^(?P<letter>[a-z])(?P=letter)[01]/R"; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; content:!"|55 04 03|"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023496; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_11_10, performance_impact Low, updated_at 2016_11_23;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|getifourl.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023498; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_11_11, updated_at 2016_11_11;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 d1 c2 e8 fc aa 20 b5 6d|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023499; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_11_11, updated_at 2016_11_11;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN XRatLocker/AiraCrop Ransomware Payment Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|6kaqkavhpu5dln6x"; nocase; distance:0; fast_pattern; reference:url,twitter.com/PolarToffee/status/796079699478900736; classtype:trojan-activity; sid:2023503; rev:1; metadata:created_at 2016_11_14, updated_at 2016_11_14;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN XRatLocker/AiraCrop Ransomware Payment Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mvy3kbqc4adhosdy"; nocase; distance:0; fast_pattern; reference:url,twitter.com/PolarToffee/status/796079699478900736; classtype:trojan-activity; sid:2023504; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_11_14, malware_family Ransomware, malware_family XRatLocker, malware_family AiraCrop, performance_impact Low, updated_at 2016_11_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CerberTear Ransomware CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?hwid="; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php\?hwid=[A-F0-9]{8}$/Ui"; pcre:"/^Host\x3a\x20[^\r\n]+\r\nConnection\x3a\x20Keep-Alive\r\n\r\n$/Hmi"; reference:md5,7d181574893ec9cb2795166623f8e531; classtype:trojan-activity; sid:2023505; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_11_14, malware_family Ransomware, malware_family CerberTear, performance_impact Low, updated_at 2016_11_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MSIL/Alcatrez Locker Ransomware CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?user="; http_uri; fast_pattern; content:"&try="; http_uri; distance:0; content:"&status="; http_uri; distance:0; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a\x20[^\r\n]+\r\nConnection\x3a\x20Keep-Alive\r\n\r\n$/Hmi"; reference:md5,1cb51c130e6f75f11c095b122e008bbc; classtype:trojan-activity; sid:2023506; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_11_14, malware_family Ransomware, malware_family Alcatrez_Locker, performance_impact Low, updated_at 2016_11_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CryptoLuck / YafunnLocker Ransomware CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php?id="; http_uri; content:"&hi"; http_uri; distance:0; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1)|0d 0a|"; http_header; fast_pattern:20,20; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; http_client_body; content:!"Referer|3a|"; http_header; reference:md5,59109839de42d2acb44fbd7ff151fe0c; classtype:trojan-activity; sid:2023533; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_11_14, malware_family Ransomware, malware_family YafunnLocker, performance_impact Low, updated_at 2016_11_18;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 eb 14 76 ac 55 37 6b 52|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023521; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_11_17, updated_at 2016_11_17;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 82 eb e4 e6 d5 39 9c 05|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023522; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_11_17, updated_at 2016_11_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN KeyBoy DNS Lookup (www .about.jkub.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|www|05|about|04|jkub|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/11/parliament-keyboy/; classtype:trojan-activity; sid:2023523; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, signature_severity Major, created_at 2016_11_18, malware_family KeyBoy, updated_at 2016_11_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN KeyBoy DNS Lookup (www .eleven.mypop3.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|www|06|eleven|06|mypop3|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/11/parliament-keyboy/; classtype:trojan-activity; sid:2023524; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, signature_severity Major, created_at 2016_11_18, malware_family KeyBoy, updated_at 2016_11_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN KeyBoy DNS Lookup (www .backus.myftp.name)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|www|06|backus|05|myftp|04|name|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/11/parliament-keyboy/; classtype:trojan-activity; sid:2023525; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, signature_severity Major, created_at 2016_11_18, malware_family KeyBoy, updated_at 2016_11_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN KeyBoy DNS Lookup (tibetvoices .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|tibetvoices|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/11/parliament-keyboy/; classtype:trojan-activity; sid:2023526; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, signature_severity Major, created_at 2016_11_18, malware_family KeyBoy, updated_at 2016_11_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN KeyBoy CnC Beacon"; flow:established,to_server; content:"|8a 00 d1 00 8a 00 6a 00|"; depth:8; reference:url,citizenlab.org/2016/11/parliament-keyboy/; reference:md5,8846d109b457a2ee44ddbf54d1cf7944; classtype:trojan-activity; sid:2023527; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_11_18, malware_family KeyBoy, performance_impact Low, updated_at 2016_11_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Chthonic CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|res1allenia.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023528; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_11_18, updated_at 2016_11_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Chthonic MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|digtheromb.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023530; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_11_18, updated_at 2016_11_18;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (FlokiBot CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; content:"|55 04 03|"; distance:0; content:"|08|uspal.cf"; distance:1; within:9; reference:md5,3ddf657800e60a57b884b87e1e8a987c; classtype:trojan-activity; sid:2023536; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_11_21, performance_impact Low, updated_at 2016_11_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Locky CnC checkin Nov 21"; flow:to_server,established; content:"POST"; http_method; content:"x-requested-with|3a 20|XMLHttpRequest|0d 0a|"; http_header; pcre:"/^\/[^\x2e\x3f\x3d\x26]+\.[^\x2e\x2f\x3f\x3d\x26]+$/U"; pcre:"/^Referer\x3a\x20http\x3a\x2f\x2f[^\x2f]+\x2f\r?$/Hm"; content:"www-form-urlencoded|0d 0a|"; http_header; pcre:"/^(?:[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+&)+(?=[a-z]{0,9}[A-Z])(?=[A-Z]{0,9}[a-z])[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+\s*$/P"; classtype:trojan-activity; sid:2023551; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_11_21, malware_family Locky, performance_impact Low, updated_at 2016_11_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Locky CnC checkin Nov 21 M2"; flow:to_server,established; content:"POST"; http_method; content:".cgi"; http_uri; pcre:"/\.cgi$/U"; content:"x-requested-with|3a 20|XMLHttpRequest|0d 0a|"; http_header; pcre:"/^Referer\x3a\x20http\x3a\x2f\x2f\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x2f\r?$/Hm"; content:"www-form-urlencoded|0d 0a|"; http_header; pcre:"/^(?:[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+&)+(?=[a-z]{0,9}[A-Z])(?=[A-Z]{0,9}[a-z])[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+\s*$/P"; classtype:trojan-activity; sid:2023552; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_11_21, malware_family Locky, performance_impact Low, updated_at 2016_11_29;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|sweatmeat.pw"; distance:1; within:13; classtype:trojan-activity; sid:2023537; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_11_21, performance_impact Low, updated_at 2016_11_22;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Tuhkit C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|biszweater.pw"; distance:1; within:14; classtype:trojan-activity; sid:2023538; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_11_22, updated_at 2016_11_22;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|coinf333.info"; distance:1; within:14; classtype:trojan-activity; sid:2023539; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_11_22, updated_at 2016_11_22;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 bc 7c af f0 e8 ee 0f e8|"; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023540; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_11_22, updated_at 2016_11_22;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TrickBot CnC)"; flow:established,from_server; content:"|09 00 e7 1f b0 eb b2 ae 21 70|"; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023541; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_11_22, updated_at 2016_11_22;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Zeus CnC)"; flow:established,from_server; content:"|09 00 b8 d7 6d 5b 44 1a 9f 0a|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023542; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_11_22, updated_at 2016_11_22;)

alert tcp $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 a7 15 36 3b e0 82 35 9b|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023543; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_11_23, performance_impact Low, updated_at 2016_11_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/VB.SDB CnC Beacon"; flow:established,to_server; content:"Auth"; depth:4; content:"|20 40 20|"; distance:0; content:"|5c 23 2f|Microsoft|20|"; distance:0; fast_pattern; reference:md5,5a9a8502b87ce1a6a608debd10761957; reference:url,securelist.com/blog/research/76717/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/; classtype:trojan-activity; sid:2023544; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_11_23, updated_at 2016_11_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/TrojanDownloader.Delf.BVP Win32/BioData CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php?b="; http_uri; content:!"&"; distance:0; http_uri; content:!"Referer|3a|"; http_header; content:"form-data|3b 20|name=|22|unit|22 3b 20|"; fast_pattern:4,20; http_client_body; metadata: former_category TROJAN; reference:md5,68aab6163c29183ad8da1cf27a5a47c5; reference:url,securelist.com/blog/research/76717/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/; reference:url,researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families; classtype:trojan-activity; sid:2023545; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_11_23, updated_at 2017_11_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/TrojanDownloader.Delf.BXC CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:".php?cg="; http_uri; fast_pattern; content:"&b="; distance:0; http_uri; content:"&gt="; distance:0; http_uri; content:!"Referer|3a|"; http_header; reference:md5,d199b13d4676080073eaeb4e0ff39a75; reference:url,securelist.com/blog/research/76717/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/; classtype:trojan-activity; sid:2023546; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_11_23, updated_at 2016_11_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Malicious SSL Certificate Detected (Gootkit CnC)"; flow:from_server,established; content:"|09 00 c7 52 05 4b 9d 0e f6 96|"; content:"|55 04 03|"; content:"|09|localhost"; distance:1; within:10; reference:md5,fa224c69088cc331a6b30bc5069fa9d5; classtype:trojan-activity; sid:2023550; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_11_23, updated_at 2016_11_29;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Flokibot CnC)"; flow:from_server,established; content:"|09 00 9c 56 80 8c 3d 64 03 c6|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023554; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_11_29, malware_family Flokibot, updated_at 2016_11_29;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|dnsapis.net"; distance:1; within:12; classtype:trojan-activity; sid:2023555; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_11_29, malware_family Gozi, updated_at 2016_11_29;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|msg.capital"; distance:1; within:12; classtype:trojan-activity; sid:2023556; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_11_29, malware_family Gozi, updated_at 2016_11_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Netwire RAT Check-in 2"; flow:established,to_server; dsize:69; content:"|41 00 00 00 83|"; depth:5; flowbits:set,ET.NetwireRAT.Client; metadata: former_category TROJAN; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:2025035; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_11_29, malware_family Netwire_RAT, updated_at 2017_11_27;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Netwire RAT Check-in 2"; flow:established,to_client; dsize:69; content:"|41 00 00 00 85|"; depth:5; flowbits:isset,ET.NetwireRAT.Client; metadata: former_category TROJAN; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:2025036; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_11_29, malware_family Netwire_RAT, updated_at 2017_11_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Sharik/Smoke Loader Receiving Payload"; flow:established,from_server; content:"404"; http_stat_code; file_data; content:"|00|"; distance:1; within:1; content:"|00|MZ"; distance:1; within:3; content:"This program must be run under Win32"; distance:0; fast_pattern; reference:md5,65c7426b056482fcda962a7a14e86601; classtype:trojan-activity; sid:2023567; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_11_30, malware_family Sharik, malware_family Smoke_Loader, performance_impact Low, updated_at 2016_11_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DistTrack/Shamoon CnC Beacon M1"; flow:established,to_server; content:"GET "; depth:4; content:".php?shinu="; distance:0; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x20HTTP\/1\.1\r\n/R"; content:!"Accept"; distance:0; content:!"Referer|3a|"; distance:0; reference:md5,5446f46d89124462ae7aca4fce420423; reference:md5,5bac4381c00044d7f4e4cbfd368ba03b; reference:url,researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/; classtype:trojan-activity; sid:2023570; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_01, malware_family DistTrack, malware_family Shamoon, performance_impact Low, updated_at 2016_12_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DistTrack/Shamoon CnC Beacon M2"; flow:established,to_server; content:"GET "; depth:4; content:"."; distance:0; content:"?"; distance:3; within:1; content:"="; distance:0; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x20HTTP\/1\.1\r\n/R"; content:!"Accept"; distance:0; content:!"Referer|3a|"; distance:0; content:"User-Agent|3a 20|Mozilla/5.0 (MSIE 7.1|3b| Windows NT 6.0)|0d 0a|"; distance:0; fast_pattern:20,20; reference:md5,5446f46d89124462ae7aca4fce420423; reference:md5,5bac4381c00044d7f4e4cbfd368ba03b; reference:url,researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/; classtype:trojan-activity; sid:2023571; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_01, malware_family DistTrack, malware_family Shamoon, performance_impact Low, updated_at 2016_12_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|09 00 cf dd b8 9f 9d 14 26 ad|"; content:"|55 04 03|"; distance:0; content:"|15|localhost.localdomain"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023572; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_12_01, performance_impact Low, updated_at 2016_12_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Zeus OPENSSL Banker Malicious SSL Certificate Detected"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a0 c9 ee 35 a4 1c 6f 74|"; distance:0; content:"|55 04 06|"; distance:0; content:"|02|AU"; distance:1; within:3; reference:md5,a8139f8c2547f11522c3d7d58b90c422; classtype:trojan-activity; sid:2023590; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_12_01, performance_impact Low, updated_at 2016_12_08;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Zeus OPENSSL Banker Malicious SSL Certificate Detected"; flow:from_server,established; content:"|55 04 03|"; content:"|0B|fleil42.com"; distance:1; within:12; reference:md5,50ede75eb74a0a795500cc7b8c6c9f54; classtype:trojan-activity; sid:2023591; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_12_01, performance_impact Low, updated_at 2016_12_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Unknown AutoIt Bot DNS Lookup (webmail .duia.in)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|webmail|04|duia|02|in|00|"; nocase; distance:0; fast_pattern; reference:url,cysinfo.com/malware-actors-using-nic-cyber-security-themed-spear-phishing-target-indian-government-organizations/; classtype:trojan-activity; sid:2023573; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_01, malware_family Ceatrg, performance_impact Low, updated_at 2016_12_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [7080,8080] (msg:"ET TROJAN W32.Geodo/Emotet Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:1; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b| MSIE 8.0|3b| Windows NT 5.1|3b| SLCC1|3b| .NET CLR 1.1.4322)|0d 0a|Host"; http_header; content:"HTTP/1.1|0d 0a|Cookie|3a 20|"; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; pcre:"/[a-z0-9]{3,4}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+$/Ci"; flowbits:set,ETPRO.Emotet; metadata: former_category TROJAN; reference:md5,dacdcd451204265ad6f44ef99db1f371; classtype:trojan-activity; sid:2024272; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_01, malware_family Geodo, malware_family Emotet, performance_impact Low, updated_at 2017_05_04;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28 DealersChoice DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|globalresearching|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:trojan-activity; sid:2023659; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_02, malware_family APT28, updated_at 2016_12_19;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28 DealersChoice DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|shcserv|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:trojan-activity; sid:2023660; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_02, malware_family APT28, updated_at 2016_12_19;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28 DealersChoice DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|adobeupgradeflash|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:trojan-activity; sid:2023661; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_02, malware_family APT28, updated_at 2016_12_19;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET TROJAN User-Agent (Visbot)"; flow:to_server,established; content:"User-Agent|3a 20|Visbot"; fast_pattern:only; http_header; reference:url,www.bleepingcomputer.com/news/security/visbot-malware-found-on-6-691-magento-online-stores/; classtype:trojan-activity; sid:2023575; rev:2; metadata:affected_product Magento, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2016_12_02, malware_family Visbot, performance_impact Low, updated_at 2016_12_02;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28 DealersChoice DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|gpufps|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platfor/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:trojan-activity; sid:2023662; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_05, malware_family APT28, updated_at 2016_12_19;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28 DealersChoice DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|adobe-flash-updates|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platfor/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:trojan-activity; sid:2023663; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_05, malware_family APT28, updated_at 2016_12_19;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28 DealersChoice DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|versiontask|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platfor/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:trojan-activity; sid:2023664; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_05, malware_family APT28, updated_at 2016_12_19;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28 DealersChoice DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|webcdelivery|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platfor/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:trojan-activity; sid:2023665; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_05, malware_family APT28, updated_at 2016_12_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Locky CnC Checkin Dec 5 M1"; flow:to_server,established; content:"POST"; http_method; urilen:12; content:"/checkupdate"; fast_pattern:only; content:"x-requested-with|3a 20|XMLHttpRequest|0d 0a|"; http_header; content:"www-form-urlencoded|0d 0a|"; http_header; pcre:"/^(?:[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+&)+(?=[a-z]{0,9}[A-Z])(?=[A-Z]{0,9}[a-z])[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+\s*$/Ps"; classtype:trojan-activity; sid:2023576; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_05, malware_family Locky, performance_impact Low, updated_at 2016_12_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Locky CnC Checkin HTTP Pattern"; flow:to_server,established; content:"POST"; http_method; content:"x-requested-with|3a 20|XMLHttpRequest|0d 0a|"; http_header; fast_pattern:only; content:"www-form-urlencoded|0d 0a|"; http_header; pcre:"/^Referer\x3a\x20http\x3a\x2f\x2f\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x2f\r?$/Hm"; pcre:"/^(?:[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+&)+(?=[a-z]{0,9}[A-Z])(?=[A-Z]{0,9}[a-z])[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+\s*$/P"; classtype:trojan-activity; sid:2023577; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_05, malware_family Locky, performance_impact Low, updated_at 2016_12_05;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|27c73bq66y4xqoh7"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023578; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_12_06, updated_at 2016_12_06;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|avsxrcoq2q5fgrw2"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023579; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_12_06, updated_at 2016_12_06;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fnmi62725zfti2vy"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023580; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_12_06, updated_at 2016_12_06;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ftoxmpdipwobp4qy"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023581; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_12_06, updated_at 2016_12_06;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pe2cku7pebkpgeko"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023582; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_12_06, updated_at 2016_12_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Known Malicious Doc Downloading Payload Dec 06 2016"; flow:to_server,established; urilen:<12; content:"GET"; http_method; content:!"Cookie|3a 20|"; content:!"Referer|3a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; http_header; depth:30; content:"Firefox"; fast_pattern; http_header; pcre:"/^\/(?=[a-z]{0,9}?\d)(?=\d{0,9}?[a-z])[a-z0-9]{4,10}$/U"; pcre:"/^Accept\x3a\x20\*\/\*\r\nAccept-Language\x3a\x20[^\r\n]+\r\nUser-Agent\x3a\x20[^\r\n]+Firefox[^\r\n]+\r\nAccept-Encoding\x3a\x20[^\r\n]+\r\nHost\x3a\x20/H"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2023583; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_06, malware_family Downloader, malware_family Locky_JS, performance_impact Low, updated_at 2017_04_11;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware Goldeneye .onion Payment Domain (goldenhjnqvc2lld)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|goldenhjnqvc2lld"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2023584; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, signature_severity Major, created_at 2016_12_06, malware_family Ransomware, updated_at 2016_12_06;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware Goldeneye .onion Payment Domain (golden2uqpiqcs6j)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|golden2uqpiqcs6j"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2023585; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, signature_severity Major, created_at 2016_12_06, malware_family Ransomware, updated_at 2016_12_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN APT28 Uploader Variant CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"."; http_uri; content:"/?"; distance:0; http_uri; content:"="; distance:1; within:3; http_uri; content:!"Content-Type|3a|"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; pcre:"/\/?[a-zA-Z0-9]{1,3}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/U"; content:!"google.com|0d 0a|"; http_header; content:".1|0d 0a|User-Agent|3a 20|Mozi"; fast_pattern:only; classtype:trojan-activity; sid:2023916; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_07, malware_family APT28_Uploader, updated_at 2017_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN APT28 Uploader Variant Fake Request to Google"; flow:established,to_server; content:"POST"; http_method; content:"."; http_uri; content:"/?"; distance:0; http_uri; content:"="; distance:1; within:3; http_uri; content:"Host|3a 20|google.com|0d 0a|"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern:only; content:!"Content-Type|3a|"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; pcre:"/\/\?[a-zA-Z0-9]{1,3}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/U"; classtype:trojan-activity; sid:2023917; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_07, malware_family APT28_Uploader, updated_at 2017_02_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware Popcorn-Time .onion Payment Domain (3hnuhydu4pd247qb)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|3hnuhydu4pd247qb"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2023589; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_12_08, malware_family Ransomware, performance_impact Low, updated_at 2016_12_08;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|izaberiauto.com"; distance:1; within:16; classtype:trojan-activity; sid:2023593; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_12_08, malware_family Gozi, performance_impact Low, updated_at 2016_12_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN JS/WSF Downloader Dec 08 2016"; flow:to_server,established; content:"GET"; http_method; content:"/counter/?"; http_uri; depth:10; fast_pattern; content:"&r="; http_uri; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b|"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|";  pcre:"/^\/counter\/\?(?:[a-z]=(?:0\.\d{8}|1[A-Z0-9a-z]+))+&r=\d+$/U"; classtype:trojan-activity; sid:2023594; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_09, malware_family Trojan_Kwampirs, performance_impact Low, updated_at 2016_12_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Kwampirs Outbound GET request"; flow:to_server,established; content:"GET"; nocase; http_method; urilen:>21; content:"?q=KT"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; content:!"Accept"; http_header; content:"User-Agent|3a 20|Mozilla/"; http_header; depth:20; pcre:"/\.(?:aspx?|php)\?q=(?=KT)(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/U"; pcre:"/^User-Agent\x3a\x20[^\r\n]+\r\nHost\x3a/H"; reference:md5,1f1b5c16bbb62387fdf53e524a382006; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2016-081923-2700-99&tabid=2; classtype:trojan-activity; sid:2023595; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_09, malware_family Trojan_Kwampirs, performance_impact Low, updated_at 2016_12_09;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28 DealersChoice DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|microsoftfont|03|com|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2023666; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, cve url_researchcenter_paloaltonetworks_com_2016_12_unit42_let_ride_sofacy_groups_dealerschoice_attacks_continue_, signature_severity Major, created_at 2016_12_09, malware_family APT28, updated_at 2016_12_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN JS/WSF Downloader Dec 08 2016 M2"; flow:from_server,established; file_data; content:"|76 7e 72 20 7e 20 3d 20 22 22 3b 20 7e 20 2b 3d|"; within:17; content:"0."; distance:0; pcre:"/^\d+[\x22\x27]/R"; content:"|27 3b 20 7e 20 2b 3d 20 27|"; distance:0; within:500; content:"|27 3b 20 7e 20 2b 3d 20 27|"; distance:0; within:500; classtype:trojan-activity; sid:2023598; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_09, malware_family Trojan_Kwampirs, performance_impact Low, updated_at 2016_12_09;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Mirai Botnet Domain Observed"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|zugzwang|02|me|00|"; nocase; distance:0; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023599; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_12, updated_at 2016_12_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Mirai Botnet Domain Observed"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|vmdefmnsndoj|04|tech|00|"; nocase; distance:0; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023600; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_12, updated_at 2016_12_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Mirai Botnet Domain Observed"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|xpknpxmywqsr|07|support|00|"; nocase; distance:0; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023601; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_12, updated_at 2016_12_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Mirai Botnet Domain Observed"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|lvfjcwwobycj|04|tech|00|"; nocase; distance:0; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023602; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_12, updated_at 2016_12_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Mirai Botnet Domain Observed"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|bwhrdaumwuvn|07|support|00|"; nocase; distance:0; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023603; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_12, updated_at 2016_12_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Mirai Botnet Domain Observed"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|bpmsfckfkrpr|07|support|00|"; nocase; distance:0; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023604; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_12, updated_at 2016_12_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Mirai Botnet Domain Observed"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|oornsduuwjli|04|tech|00|"; nocase; distance:0; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023605; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_12, updated_at 2016_12_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Mirai Botnet Domain Observed"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|qjqubpciajoc|04|tech|00|"; nocase; distance:0; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023606; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_12, updated_at 2016_12_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Mirai Botnet Domain Observed"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|exvdaajegjur|07|support|00|"; nocase; distance:0; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023607; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_12, updated_at 2016_12_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Mirai Botnet Domain Observed"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|tro69|06|online|00|"; nocase; distance:0; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023608; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_12, updated_at 2016_12_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Mirai Botnet Domain Observed"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|tro69|04|tech|00|"; nocase; distance:0; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023609; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_12, updated_at 2016_12_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Mirai Botnet Domain Observed"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|tro69|07|support|00|"; nocase; distance:0; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023610; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_12, updated_at 2016_12_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 107"; flow:to_server,established; dsize:>11; content:"|14 24|"; offset:8; fast_pattern; content:!"|00 00|"; distance:-10; within:2; content:"|00 00|"; distance:-4; within:2; byte_jump:4,-8,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; classtype:trojan-activity; sid:2023611; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Gh0st, signature_severity Major, created_at 2016_12_12, malware_family Gh0st, malware_family PCRAT, performance_impact Low, updated_at 2016_12_14;)

alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (1)"; dsize:13<>32; content:"0"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023612; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2016_12_12, malware_family Ransomware_Cerber, updated_at 2017_04_14;)

alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (2)"; dsize:13<>32; content:"1"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023613; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2016_12_12, malware_family Ransomware_Cerber, updated_at 2017_04_14;)

alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (3)"; dsize:13<>32; content:"2"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023614; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2016_12_12, malware_family Ransomware_Cerber, updated_at 2017_04_14;)

alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (4)"; dsize:13<>32; content:"3"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023615; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2016_12_12, malware_family Ransomware_Cerber, updated_at 2017_04_14;)

alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (5)"; dsize:13<>32; content:"4"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023616; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2016_12_12, malware_family Ransomware_Cerber, updated_at 2017_04_14;)

alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (6)"; dsize:13<>32; content:"5"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023617; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2016_12_12, malware_family Ransomware_Cerber, updated_at 2017_04_14;)

alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (7)"; dsize:13<>32; content:"6"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023618; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2016_12_12, malware_family Ransomware_Cerber, updated_at 2017_04_14;)

alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (8)"; dsize:13<>32; content:"7"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023619; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2016_12_12, malware_family Ransomware_Cerber, updated_at 2017_04_14;)

alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (9)"; dsize:13<>32; content:"8"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023620; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2016_12_12, malware_family Ransomware_Cerber, updated_at 2017_04_14;)

alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (10)"; dsize:13<>32; content:"9"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023621; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2016_12_12, malware_family Ransomware_Cerber, updated_at 2017_04_14;)

alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (11)"; dsize:13<>32; content:"a"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023622; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2016_12_12, malware_family Ransomware_Cerber, updated_at 2017_04_14;)

alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (12)"; dsize:13<>32; content:"b"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023623; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2016_12_12, malware_family Ransomware_Cerber, updated_at 2017_04_14;)

alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (13)"; dsize:13<>32; content:"c"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023624; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2016_12_12, malware_family Ransomware_Cerber, updated_at 2017_04_14;)

alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (14)"; dsize:13<>32; content:"d"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023625; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2016_12_12, malware_family Ransomware_Cerber, updated_at 2017_04_14;)

alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (15)"; dsize:13<>32; content:"e"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023626; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2016_12_12, malware_family Ransomware_Cerber, updated_at 2017_04_14;)

alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (16)"; dsize:13<>32; content:"f"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023627; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2016_12_12, malware_family Ransomware_Cerber, updated_at 2017_04_14;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Mirai Botnet Domain Observed"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|nympompksmfx|04|tech|00|"; nocase; distance:0; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023630; rev:1; metadata:attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2016_12_13, malware_family Mirai, updated_at 2016_12_13;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Mirai Botnet Domain Observed"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|xpknpxmywqsrhe|06|online|00|"; nocase; distance:0; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023631; rev:1; metadata:attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2016_12_13, malware_family Mirai, updated_at 2016_12_13;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Mirai Botnet Domain Observed"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|kedbuffigfjs|06|online|00|"; nocase; distance:0; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023632; rev:1; metadata:attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2016_12_13, malware_family Mirai, updated_at 2016_12_13;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Mirai Botnet Domain Observed"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|srrys|02|pw|00|"; nocase; distance:0; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023633; rev:1; metadata:attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2016_12_13, malware_family Mirai, updated_at 2016_12_13;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Mirai Botnet Domain Observed"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|binpt|02|pw|00|"; nocase; distance:0; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023634; rev:1; metadata:attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2016_12_13, malware_family Mirai, updated_at 2016_12_13;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Mirai Botnet Domain Observed"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|kciap|02|pw|00|"; nocase; distance:0; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023635; rev:1; metadata:attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2016_12_13, malware_family Mirai, updated_at 2016_12_13;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Mirai Botnet Domain Observed"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|mziep|02|pw|00|"; nocase; distance:0; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023636; rev:1; metadata:attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2016_12_13, malware_family Mirai, updated_at 2016_12_13;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Mirai Botnet Domain Observed"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|tr069|02|pw|00|"; nocase; distance:0; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023637; rev:1; metadata:attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2016_12_13, malware_family Mirai, updated_at 2016_12_13;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|09 00 98 ea a6 c4 99 a7 b3 f7|"; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023639; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_12_13, performance_impact Low, updated_at 2016_12_13;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN NEODYMIUM Wingbird DNS Lookup (srv601 .ddns.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|srv601|04|ddns|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023641; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_14, malware_family NEODYMIUM_Wingbird, updated_at 2016_12_14;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN NEODYMIUM Wingbird DNS Lookup (srv602 .ddns.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|srv602|04|ddns|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023642; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_14, malware_family NEODYMIUM_Wingbird, updated_at 2016_12_14;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN PROMETHIUM/StrongPity DNS Lookup (updatesync .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|updatesync|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023643; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_14, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, updated_at 2016_12_14;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN PROMETHIUM/StrongPity DNS Lookup (svnservices .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|svnservices|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023644; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_14, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, updated_at 2016_12_14;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN PROMETHIUM/StrongPity DNS Lookup (mynetenergy .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|mynetenergy|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023645; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_14, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, updated_at 2016_12_14;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN PROMETHIUM/StrongPity DNS Lookup (windriversupport .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|windriversupport|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023646; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_14, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, updated_at 2016_12_14;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN PROMETHIUM/StrongPity DNS Lookup (truecrypte .org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|truecrypte|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023647; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_14, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, updated_at 2016_12_14;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN PROMETHIUM/StrongPity DNS Lookup (edicupd002 .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|edicupd002|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023648; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_14, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, updated_at 2016_12_14;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN PROMETHIUM/StrongPity DNS Lookup (jourrapid .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|jourrapid|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023649; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_14, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, updated_at 2016_12_14;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN PROMETHIUM/StrongPity DNS Lookup (true-crypte .website)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|true-crypte|07|website|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023650; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_14, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, updated_at 2016_12_14;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN PROMETHIUM/StrongPity DNS Lookup (myrappid .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|myrappid|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023651; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_14, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, updated_at 2016_12_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TeleBots BCS-server CnC Beacon"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"value="; depth:6; http_client_body; fast_pattern; content:!"Content-Type|3a|"; http_header; content:!"Referer|3a|"; http_header; reference:url,www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/; classtype:trojan-activity; sid:2023652; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_15, malware_family TeleBots_payload, updated_at 2016_12_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TeleBots BCS-server User-Agent"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a 20|Mozilla/5.0|3b 0d 0a|"; http_header; fast_pattern:6,20; content:!"Content-Type|3a|"; http_header; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:url,www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/; classtype:trojan-activity; sid:2023653; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_15, malware_family TeleBots_payload, updated_at 2017_03_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TeleBots VBS Backdoor CnC Beacon 1"; flow:established,to_server; urilen:6; content:"POST"; http_method; content:"/Hello"; http_uri; content:"varname="; depth:8; http_client_body; fast_pattern; content:!"Referer|3a|"; http_header; reference:url,www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/; classtype:trojan-activity; sid:2023654; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_15, malware_family TeleBots_payload, updated_at 2016_12_15;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware Maktub .onion Payment Domain (maktubebz6z6cgtw)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|maktubebz6z6cgtw"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2023655; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, signature_severity Major, created_at 2016_12_15, malware_family Ransomware, performance_impact Low, updated_at 2016_12_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TeleBots VBS Backdoor CnC Beacon 2"; flow:established,to_server; content:"GET"; http_method; content:"?-----BEGIN|20|CERTIFICATE-----"; http_uri; fast_pattern; content:"-----END|20|CERTIFICATE-----"; distance:0; http_uri; content:!"Referer|3a|"; http_header; pcre:"/END\x20CERTIFICATE-----$/U"; reference:url,www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/; classtype:trojan-activity; sid:2023656; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_16, malware_family TeleBots_payload, performance_impact Low, updated_at 2016_12_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28/SEDNIT Uploader Variant DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|postlkwarn|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:trojan-activity; sid:2023667; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_16, malware_family APT28_Sednit, performance_impact Low, updated_at 2016_12_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Click Fraud Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/link.txt?"; http_uri; fast_pattern:only; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; pcre:"/^\/link\.txt\?[0-9]{1,2}\x3a[0-9]{1,2}\x3a[0-9]{1,2}/U"; classtype:trojan-activity; sid:2023669; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_19, malware_family Maldoc, performance_impact Low, updated_at 2016_12_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN JS/WSF Downloader Dec 08 2016 M3"; flow:from_server,established; flowbits:isset,et.IE7.NoRef.NoCookie; pcre:"/Content-Disposition\x3a[^\r\n]+\.(?:jpe?g|gif|png)/Hmi"; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2023671; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_19, malware_family Trojan_Kwampirs, updated_at 2016_12_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN JS/WSF Downloader Dec 08 2016 M4"; flow:from_server,established; flowbits:isset,et.IE7.NoRef.NoCookie; content:"Content-Type|3a 20|image|2f|"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2023672; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_19, malware_family Trojan_Kwampirs, updated_at 2016_12_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN JS/WSF Downloader Dec 08 2016 M5"; flow:from_server,established; flowbits:isset,et.IE7.NoRef.NoCookie; content:"Content-Type|3a 20|text/javascript"; file_data; pcre:"/^(?P<v1>\S{1,100})\s+(?P<v2>\S{1,100})\s+=\s+\x22\x22\x3b\s+(?P=v2)\s+\+\=\s+\x27(?P=v1).+?(?P=v1)\x27\x3b.+?(?P=v2)\s\+=\s[\x22\x27].+?(?P=v2)\s\+=\s[\x22\x27].+?(?P=v2)\s\+=\s[\x22\x27].+?(?P=v2)\s\+=\s[\x22\x27]/R"; classtype:trojan-activity; sid:2023673; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_19, malware_family Trojan_Kwampirs, updated_at 2016_12_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [6789] (msg:"ET TROJAN Possible Linux.Mirai DaHua Default Credentials Login"; flow:to_server,established; content:"888888|0d 0a|888888"; depth:14; content:"busybox telnetd -p"; distance:0; reference:url,isc.sans.edu/diary/21833; classtype:attempted-admin; sid:2023674; rev:1; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2016_12_20, performance_impact Low, updated_at 2016_12_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Braincrypt Ransomware CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?uuid="; http_uri; fast_pattern:only; content:"User-Agent|3a 20|Go-http-client/"; http_header; content:!"Accept|3a|"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php\?uuid=[a-z0-9]{32}$/Ui"; reference:md5,6b938ca31a55e743112ab34dc540a076; classtype:trojan-activity; sid:2023675; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_12_20, malware_family Ransomware, malware_family Braincrypt, performance_impact Low, updated_at 2016_12_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Tofsee DGA (2016-12-15 to 2017-05-04)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|dq"; fast_pattern; distance:0; pcre:"/^(?:gdqg|hdqh|idqi|jdqj|kdqk|ldql|mdqm|ndqn|odqo|pdqp|qdqq|rdqr|sdqs|tdqt|udqu|vdqv|wdqw|xdqx|ydqy|zdqz)[a-j](?:\x02ch|\x03biz)/R"; threshold: type both, track by_src, count 10, seconds 60; reference:url,www.govcert.admin.ch/blog/26/tofsee-spambot-features-.ch-dga-reversal-and-countermesaures; classtype:trojan-activity; sid:2023677; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_22, malware_family Spambot, malware_family Tofse, updated_at 2016_12_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Tofsee DGA (2017-05-04 to 2017-11-02)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|dq"; fast_pattern; distance:0; pcre:"/^(?:adra|bdrb|cdrc|ddrd|edre|fdrf|gdrg|hdrh|idri|jdrj|kdrk|ldrl|mdrm|ndrn|odro|pdrp|qdrq|rdrr|sdrs|tdrt|udru|vdrv|wdrw|xdrx|ydry|zdrz)[a-j](?:\x02ch|\x03biz)/R"; threshold: type both, track by_src, count 10, seconds 60; reference:url,www.govcert.admin.ch/blog/26/tofsee-spambot-features-.ch-dga-reversal-and-countermesaures; classtype:trojan-activity; sid:2023678; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_22, malware_family Spambot, malware_family Tofse, updated_at 2016_12_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN JS/WSF Downloader Dec 08 2016 M6"; flow:from_server,established; flowbits:isset,et.IE7.NoRef.NoCookie; pcre:"/Content-Disposition\x3a[^\r\n]+=[\x22\x27]?[a-z]?\d{1,3}(?:\.dat)?[\x22\x27]?\r\n/Hmi"; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2023679; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Trojan_Kwampirs, performance_impact Low, updated_at 2017_01_09;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware/Cerber Onion Domain Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|p27dokhpz2n7nvgr"; nocase; distance:0; fast_pattern; reference:md5,c2f7595a1c394f1dac2e418815c54fd2; classtype:trojan-activity; sid:2023690; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Major, created_at 2016_12_29, malware_family Ransomware_Cerber, performance_impact Low, updated_at 2016_12_30;)

alert tcp $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 b9 dc 45 b2 1c 85 40 25|"; content:"|55 04 03|"; distance:0; content:"|04|host"; distance:1; within:5; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023689; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_29, performance_impact Low, updated_at 2016_12_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN MRCR1 Ransomware Checkin M1"; flow:to_server,established; content:"POST"; depth:4; content:".php|20|HTTP/1.1|0d 0a|"; distance:0; content:"form-data|3b 20|name=|22|uid|22|"; distance:0; content:"form-data|3b 20|name=|22|uname|22|"; distance:0; content:"form-data|3b 20|name=|22|cname|22|"; distance:0; content:"form-data|3b 20|name=|22|ltime|22|"; distance:0; content:"form-data|3b 20|name=|22|uright|22|"; distance:0; content:"form-data|3b 20|name=|22|sysinfo|22|"; distance:0; fast_pattern:5,20; reference:md5,fc57a660e24d9c91cb5464b2ece30756; reference:md5,a1d83e290429477f05c0eaddafdb0355; classtype:trojan-activity; sid:2023691; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_03, malware_family Ransomware, updated_at 2017_01_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MRCR1 Ransomware Checkin M2"; flow:to_server,established; content:"POST"; depth:4; content:".php|20|HTTP/1.1|0d 0a|"; distance:0; content:"|43 50 55 20 4d 6f 64 65 6c 3a|"; distance:0; fast_pattern; content:"|43 50 55 20 43 6f 75 6e 74 3a|"; distance:0; content:"|47 65 74 52 41 4d 3a|"; distance:0; content:"|5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d|"; distance:0; content:"|5b 50 72 6f 67 72 61 6d 6d 73 5d|"; distance:0; reference:md5,fc57a660e24d9c91cb5464b2ece30756; reference:md5,a1d83e290429477f05c0eaddafdb0355; classtype:trojan-activity; sid:2023692; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_03, malware_family Ransomware, updated_at 2017_01_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blackmoon/Banbra Configuration Request M2"; flow:to_server,established; content:"GET"; http_method; content:"/fcg-bin/cgi_get_portrait.fcg?uins="; depth:35; fast_pattern:15,20; http_uri; content:"keep-alive|0d 0a|User-Agent"; http_header; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; reference:url,blog.fortinet.com/post/over-100-000-south-korean-users-affected-by-blackmoon-campaign; reference:md5,56b8f9428b2171f45dc447fb9fa1b03f; classtype:trojan-activity; sid:2023694; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_04, malware_family Banking_Trojan, performance_impact Low, updated_at 2017_01_04;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 6892 (msg:"ET TROJAN W32/Cerber.Ransomware CnC Checkin M4"; dsize:14; pcre:"/^[a-f0-9]{14}$/"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,1f41be13d5d19e1a5c76b6d7256a8df4; reference:md5,6707e861e377409bd1037452c7c5fa74; classtype:trojan-activity; sid:2023695; rev:2; metadata:tag Ransomware_Cerber, created_at 2017_01_05, malware_family Cerber, updated_at 2017_01_05;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (Locky C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qcwbrevxrotoepsp"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023705; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2017_01_06, updated_at 2017_01_06;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (TorrentLocker Payment)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ztuw5bvuuapzdfya"; fast_pattern; distance:0; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023706; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2017_01_06, updated_at 2017_01_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN JS/WSF Downloader Dec 08 2016 M7"; flow:from_server,established; flowbits:isset,min.gethttp; pcre:"/Content-Disposition\x3a[^\r\n]+=[\x22\x27]?[a-z]?\d{1,3}(?:\.dat)?[\x22\x27]?\r\n/Hmi"; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2023711; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_09, malware_family Trojan_Kwampirs, performance_impact Low, updated_at 2017_01_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/Venom CnC Beacon"; flow:established,to_server; content:"|9e ab 49 31 08 53 b5 d4|"; depth:8; reference:url,security.web.cern.ch/security/venom.shtml; classtype:trojan-activity; sid:2023716; rev:1; metadata:affected_product Linux, attack_target Client_and_Server, deployment Perimeter, deployment Datacenter, signature_severity Major, created_at 2017_01_11, malware_family Linux_Venom, performance_impact Low, updated_at 2017_01_11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|specadv.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023717; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_01_11, updated_at 2017_01_11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|p.fmsacademy.it"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023718; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_01_11, updated_at 2017_01_11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|17|sc.jacksburgershack.com"; distance:1; within:24; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023719; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_01_11, updated_at 2017_01_11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|m.williamdegel.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023720; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_01_11, updated_at 2017_01_11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|cdn.ui-data.cc"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023721; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_01_11, updated_at 2017_01_11;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|baikalsecret.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023722; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_01_11, updated_at 2017_01_11;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|disaaxpalallow.me"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023723; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_01_11, updated_at 2017_01_11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|aucom.pw"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023724; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_01_11, updated_at 2017_01_11;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Malware CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|publicstats.tk"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023725; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_01_11, updated_at 2017_01_11;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Chthonic CnC)"; flow:established,from_server; content:"|09 00 e6 0c cf da 58 8f a7 b2|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023726; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_01_11, updated_at 2017_01_11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TrickBot CnC)"; flow:established,from_server; content:"|09 00 ac 80 a0 72 11 64 df 3f|"; fast_pattern; content:"|55 04 03|"; distance:0; content:"|15|localhost.localdomain"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023727; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_01_11, updated_at 2017_01_11;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Spora Ransomware DNS Query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|spora|02|bz|00|"; nocase; distance:0; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/; classtype:trojan-activity; sid:2023728; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2017_01_11, malware_family Spora, performance_impact Low, updated_at 2017_01_11;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DeepEnd Research Ransomware PadCrypt .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hctppfblwfot6ces"; fast_pattern; distance:0; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023729; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, signature_severity Major, created_at 2017_01_11, malware_family Ransomware, updated_at 2017_01_11;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|j24ojpexpgaorlxj"; fast_pattern; distance:0; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023730; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, signature_severity Major, created_at 2017_01_11, malware_family Ransomware, updated_at 2017_01_11;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lmhrmbouhkffosig"; fast_pattern; distance:0; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023731; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, signature_severity Major, created_at 2017_01_11, malware_family Ransomware, updated_at 2017_01_11;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|neo73ruk6mprlmww"; fast_pattern; distance:0; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023732; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, signature_severity Major, created_at 2017_01_11, malware_family Ransomware, updated_at 2017_01_11;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DeepEnd Research Ransomware PadCrypt .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|padcrympj5rvgwed"; fast_pattern; distance:0; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023733; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, signature_severity Major, created_at 2017_01_11, malware_family Ransomware, updated_at 2017_01_11;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DeepEnd Research Ransomware PadCrypt .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qli26fihoid5qwo5"; fast_pattern; distance:0; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023734; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, signature_severity Major, created_at 2017_01_11, malware_family Ransomware, updated_at 2017_01_11;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|r4i3izmyccncfrsr"; fast_pattern; distance:0; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023735; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, signature_severity Major, created_at 2017_01_11, malware_family Ransomware, updated_at 2017_01_11;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DeepEnd Research Ransomware CryptoWall .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rq5w3yn6qgbu4mo5"; fast_pattern; distance:0; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023736; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, signature_severity Major, created_at 2017_01_11, malware_family Ransomware, updated_at 2017_01_11;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware CrypMIC Payment Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fmwdvmk2ejgbl5pi"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2023737; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, signature_severity Major, created_at 2017_01_11, malware_family Ransomware, updated_at 2017_01_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Maldoc Second Stage VBS Downloader with URL Padding"; flow:established,to_server; content:".exe???????????????"; http_uri; nocase; fast_pattern:only; pcre:"/\.exe\?+$/Ui"; content:"WinHttp.WinHttpRequest."; http_header; reference:md5,57ce6f966c6b441fe82a211647c6e863; classtype:trojan-activity; sid:2023739; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag MalDoc, signature_severity Major, created_at 2017_01_12, malware_family Maldoc, performance_impact Low, updated_at 2017_01_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Pony Payload DL"; flow:established,to_server; content:"/inst.exe"; http_uri; fast_pattern:only; pcre:"/\/inst\.exe$/U"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; content:!"Accept-"; http_header; content:"User-Agent|3a|"; http_header; content:"Accept|3a|"; http_header; content:!"360safe.com|0d 0a|"; http_header; content:!"qhcdn.com|0d 0a|"; http_header; metadata: former_category TROJAN; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2023740; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_13, malware_family Pony, updated_at 2017_03_13;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Pony DLL Download M2"; flow:established,from_server; flowbits:isset,ET.http.binary; file_data; content:"|59 55 49 50 57 44 46 49 4c 45 30 59 55 49 50 4b 44 46 49 4c 45 30 59 55 49 43 52 59 50 54 45 44 30 59 55 49|"; classtype:trojan-activity; sid:2023741; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_13, malware_family Pony, updated_at 2017_01_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN User-Agent (Xmaker)"; flow:to_server,established; content:"User-Agent|3a| Xmaker"; http_header; reference:url,www.pcapanalysis.com/tag/trickster-google-drive-malware-trojan-pcap-file-download-traffic-sample/; classtype:trojan-activity; sid:2023746; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_17, performance_impact Low, updated_at 2017_01_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Evil JS Ransomware"; flow:from_server,established; file_data; content:"|5c|u006d|5c|u0065|5c|u0073|5c|u0073|5c|u0061|5c|u0067|5c|u0065"; content:"<html><body|20|bgcolor=|22|#F78181|22|>"; nocase; within:100; content:"Hello.|20|Your|20|UID|3a|"; within:100; content:"|65 76 69 6c 20 72 61 6e 73 6f 6d 77 61 72 65|"; fast_pattern; within:100; content:"|75 6e 69 71 75 65 20 73 74 72 6f 6e 67 65 73 74 20 41 45 53 20 6b 65 79|"; distance:0; content:"|73 65 6e 64 20 6d 65 20 79 6f 75 72 20 55 49 44 20 74 6f|"; distance:0; content:"|4c 69 73 74 20 6f 66 20 65 6e 63 72 79 70 74 65 64 20 66 69 6c 65 73|"; distance:0; reference:md5,b9d81c51c10abd64107edc5e73a26aea; reference:url,www.cert.pl/en/news/single/evil-a-poor-mans-ransomware-in-javascript/; classtype:trojan-activity; sid:2023747; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_18, malware_family Ransomware, performance_impact Low, updated_at 2017_01_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28 DealersChoice DNS Lookup (gtranm .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|gtranm|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,malware.prevenity.com/2017/01/ataki-na-instytucje-rzadowe-grudzien.html; classtype:trojan-activity; sid:2023761; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, signature_severity Major, created_at 2017_01_24, malware_family APT28_DealersChoice, updated_at 2017_01_24;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT28 DealersChoice DNS Lookup (zpfgr .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|zpfgr|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,malware.prevenity.com/2017/01/ataki-na-instytucje-rzadowe-grudzien.html; classtype:trojan-activity; sid:2023762; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, signature_severity Major, created_at 2017_01_24, malware_family APT28_DealersChoice, updated_at 2017_01_24;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN OSX Backdoor Quimitchin DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|eidk|05|hopto|03|org"; nocase; distance:0; fast_pattern; reference:url,blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/; reference:md5,e4744b9f927dc8048a19dca15590660c; classtype:trojan-activity; sid:2023763; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_24, malware_family Quimitchin, performance_impact Low, updated_at 2017_01_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Trojan Checkin Jan 24 2017"; flow:established,to_server; content:"User-Agent|3a 20|v7v7v7v7v7v7v7v7v7v7v7v7"; http_header; reference:md5,4c3b84efe89e5f5cf3e17f1e1751e708; classtype:trojan-activity; sid:2023764; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_25, updated_at 2017_01_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Betabot Checkin 5"; flow:established,to_server; content:"/order.php"; http_uri; fast_pattern:only; pcre:"/\.php$/U";content:!"Referer|3a 20|"; http_header;pcre:"/(?:^|=)[A-F0-9]{70,}(?:$|&)/P"; metadata: former_category TROJAN; reference:md5,4c3b84efe89e5f5cf3e17f1e1751e708; classtype:trojan-activity; sid:2023765; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_25, updated_at 2017_05_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sage Ransomware Checkin Primer"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"POST / HTTP/1.1|0d 0a|Host|3a|"; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept";  http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; http_header; content:!"Content-Type|3a|"; http_header; pcre:"/^.{0,15}[\x00-\x09\x80-\xff]/Ps";flowbits:set,ET.Sage.Primer; flowbits:noalert;  reference:url,isc.sans.edu/forums/diary/Sage+20+Ransomware/21959; classtype:trojan-activity; sid:2023766; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2017_01_25, malware_family Ransomware, malware_family Sage, performance_impact Low, updated_at 2017_01_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Sage Ransomware Checkin"; flow:established,from_server; flowbits:isset,ET.Sage.Primer; content:"Content-Length|3a 20|1|0d 0a|"; http_header; file_data; content:"k"; within:1; isdataat:!1,relative; reference:url,isc.sans.edu/forums/diary/Sage+20+Ransomware/21959; classtype:trojan-activity; sid:2023767; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2017_01_25, malware_family Ransomware, malware_family Sage, updated_at 2017_01_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Unknown Trojan Checkin Jan 26 2017"; flow:to_server,established; content:"GET"; http_method; content:"/config.php?id="; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent"; http_header; pcre:"/\/config\.php\?id=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+/U"; reference:md5,2ccd95bb2e9d8c6e6b6eb68963461f08; classtype:trojan-activity; sid:2023769; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_27, performance_impact Low, updated_at 2017_01_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (webfile .myq-see.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|webfile|07|myq-see|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023777; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustySky_related_implant, updated_at 2017_01_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (downloadmyhost .zapto.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|downloadmyhost|05|zapto|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023778; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustySky_related_implant, updated_at 2017_01_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (help2014 .linkpc.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|help2014|06|linkpc|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023779; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustySky_related_implant, updated_at 2017_01_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (safara .sytes.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|safara|05|sytes|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023780; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustySky_related_implant, updated_at 2017_01_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (exportball .servegame.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|exportball|09|servegame|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023781; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustySky_related_implant, updated_at 2017_01_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (viewnet .better-than.tv)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|viewnet|0b|better-than|02|tv|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023782; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustySky_related_implant, updated_at 2017_01_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (down .downloadoneyoutube.co.vu)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|down|12|downloadoneyoutube|02|co|02|vu|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023783; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustySky_related_implant, updated_at 2017_01_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (netstreamag .publicvm.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|netstreamag|08|publicvm|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023784; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustySky_related_implant, updated_at 2017_01_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (hostgatero .ddns.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|hostgatero|04|ddns|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023785; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustySky_related_implant, updated_at 2017_01_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (subsidiaryohio .linkpc.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|subsidiaryohio|06|linkpc|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023786; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustySky_related_implant, updated_at 2017_01_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (helpyoume .linkpc.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|helpyoume|06|linkpc|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023787; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustySky_related_implant, updated_at 2017_01_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (downloadtesting .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|downloadtesting|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023788; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustySky_related_implant, updated_at 2017_01_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (gameoolines .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|gameoolines|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023789; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustySky_related_implant, updated_at 2017_01_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (onlinesoft .space)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|onlinesoft|05|space|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023790; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustySky_related_implant, updated_at 2017_01_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (newphoneapp .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|newphoneapp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023791; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustySky_related_implant, updated_at 2017_01_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (gamestoplay .bid)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|gamestoplay|03|bid|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023792; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustySky_related_implant, updated_at 2017_01_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (smartsftp .pw)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|smartsftp|02|pw|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023793; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustySky_related_implant, updated_at 2017_01_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (galaxysupdates .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|galaxysupdates|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023794; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustySky_related_implant, updated_at 2017_01_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (galaxy-s .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|galaxy-s|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023795; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustySky_related_implant, updated_at 2017_01_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (datasamsung .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|datasamsung|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023796; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustySky_related_implant, updated_at 2017_01_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (progsupdate .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|progsupdate|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023797; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustySky_related_implant, updated_at 2017_01_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (topgamse .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|topgamse|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023798; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustySky_related_implant, updated_at 2017_01_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (bandtester .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|bandtester|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023799; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustySky_related_implant, updated_at 2017_01_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (speedbind .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|speedbind|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023800; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustySky_related_implant, updated_at 2017_01_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (ukgames .tech)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|ukgames|04|tech|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023801; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustySky_related_implant, updated_at 2017_01_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (wallanews .publicvm.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|wallanews|08|publicvm|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023802; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustySky_related_implant, updated_at 2017_01_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (wallanews .sytes.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|wallanews|05|sytes|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023803; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustySky_related_implant, updated_at 2017_01_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (noredirecto .redirectme.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|noredirecto|0a|redirectme|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023804; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustySky_related_implant, updated_at 2017_01_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (dynamicipaddress .linkpc.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dynamicipaddress|06|linkpc|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023805; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustySky_related_implant, updated_at 2017_01_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (downloadlog .linkpc.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|downloadlog|06|linkpc|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023806; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustySky_related_implant, updated_at 2017_01_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (havan .qhigh.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|havan|05|qhigh|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023807; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustySky_related_implant, updated_at 2017_01_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (kolabdown .sytes.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|kolabdown|05|sytes|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023808; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustySky_related_implant, updated_at 2017_01_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (rotter2 .publicvm.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|rotter2|08|publicvm|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023809; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustySky_related_implant, updated_at 2017_01_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (ftpserverit .otzo.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|ftpserverit|04|otzo|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023810; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustySky_related_implant, updated_at 2017_01_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downeks Variant CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:!"."; http_uri; content:!"?"; http_uri; content:!"="; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"Content-Type|3a 20|text/plain|3b|charset=UTF-8|0d 0a|Host|3a 20|"; depth:46; http_header; fast_pattern:26,20; content:"Expect|3a 20|100-continue|0d 0a|"; distance:0; http_header; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+$/P"; reference:md5,31cf042e91de7492c86e1ad02dc9eaec; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023811; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustSky_related_Implant, updated_at 2017_01_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible DustySky PoisonIvy CnC Beacon"; flow:established,to_server; dsize:48; content:"|75 f0 01 ef 23 bf db 30 19 9f 56 74 01 f7 30 a0|"; offset:16; depth:16; reference:md5,2cd8c27bdc88ebba3e36114a1b55cef6; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023812; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustSky_related_Implant, updated_at 2017_01_31;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN DustySky QuasarRAT CnC Beacon"; flow:established,from_server; content:"|10 00 00 00 99 9a c7 b8|"; depth:8; reference:md5,a19d4ff89a3f699a6f8237a7905e80e1; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023813; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustSky_related_Implant, updated_at 2017_01_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CryptoShield Ransomware Checkin"; flow:established,to_server; content:"POST"; http_method; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; content:!"Accept"; http_header; content:"id="; http_client_body; depth:3; content:"&numbers=-----"; http_client_body; content:"BEGIN|20|PRIVATE|20|KEY"; http_client_body; fast_pattern; reference:md5,ef815146b802cfd6a5fb67d1f9267745; classtype:trojan-activity; sid:2023814; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family Ransomware, performance_impact Low, updated_at 2017_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Shafttt MySQL Bruteforce Bot CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"Referer|3a|"; http_header; content:"get="; fast_pattern; depth:4; http_client_body; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; pcre:"/^get=\d+(?:$|&)/P"; pcre:"/\.php$/U"; reference:md5,cb4ab17468984f1b292adac9f745cb2b; classtype:trojan-activity; sid:2023815; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family Shafttt, performance_impact Low, updated_at 2017_01_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WSF/JS Downloader Jan 30 2017 M1"; flow:to_server,established; urilen:>65; content:"/counter/?"; fast_pattern; http_uri; depth:10; content:"a="; http_uri; content:"i="; http_uri; content:"MSIE 7.0"; http_header; pcre:"/[&?]i=[A-Za-z0-9_-]{50,}(?:&|$)/U"; pcre:"/[&?]a=(?:[a-zA-Z0-9_-]{25,}|(?:0\.)?\d+)(?:&|$)/U"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; reference:md5,852cbd70766feb96923a79b210e94646; classtype:trojan-activity; sid:2023816; rev:1; metadata:created_at 2017_01_31, updated_at 2017_01_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Turla Kopiluwak User-Agent"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b| Win64|3b| x64)|3b 20|"; fast_pattern:34,20; http_header; reference:url,securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/; classtype:trojan-activity; sid:2023868; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_03, malware_family Turla_Kopiluwak, performance_impact Low, updated_at 2017_02_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ursnif Variant CnC Beacon"; flow:established,to_server; urilen:>125; content:"GET"; http_method; content:"/assets/"; http_uri; fast_pattern; content:"."; distance:100; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/assets(?:\/[a-zA-Z0-9_]+)+\.(?:jpeg|gif)$/U"; pcre:"/^User-Agent\x3a\x20(?:Mozilla\/|Shockwave)/Hmi"; reference:md5,4dbff312f5ee5bfbd757030109faec2d; classtype:trojan-activity; sid:2023870; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_06, malware_family ursnif, updated_at 2017_02_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ursnif Variant Retrieving Payload (x32)"; flow:established,to_server; content:"GET"; http_method; content:"X32.jpg"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/X32\.jpg$/U"; reference:md5,4dbff312f5ee5bfbd757030109faec2d; classtype:trojan-activity; sid:2023871; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_06, malware_family ursnif, updated_at 2017_02_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ursnif Variant Retrieving Payload (x64)"; flow:established,to_server; content:"GET"; http_method; content:"X64.jpg"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/X64\.jpg$/U"; reference:md5,4dbff312f5ee5bfbd757030109faec2d; classtype:trojan-activity; sid:2023872; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_06, malware_family ursnif, updated_at 2017_02_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN JS/Nemucod requesting EXE payload 2016-02-06"; flow:established,to_server; content:".vbn"; http_uri; nocase; pcre:"/\.vbn$/Ui"; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b|"; fast_pattern:26,20; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; classtype:trojan-activity; sid:2023875; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_06, malware_family Nemucod, performance_impact Low, updated_at 2017_02_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible iKittens OSX MacDownloader CNC Beacon"; flow:established,to_server; urilen:14; content:"GET"; http_method; content:"/Servermac.php"; depth:14; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; reference:url,iranthreats.github.io/resources/macdownloader-macos-malware/; classtype:trojan-activity; sid:2023876; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_07, malware_family MacDownloader, updated_at 2017_02_07;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN iKittens OSX MacDownloader DNS Lookup (officialswebsites .info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|officialswebsites|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,iranthreats.github.io/resources/macdownloader-macos-malware/; classtype:trojan-activity; sid:2023877; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_07, malware_family MacDownloader, updated_at 2017_02_07;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Banker.Win32.Alreay DNS Lookup (tradeboard .mefound .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|tradeboard|07|mefound|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,niebezpiecznik.pl/post/jak-przeprowadzono-atak-na-knf-i-polskie-banki-oraz-kto-jeszcze-byl-na-celowniku-przestepcow/; classtype:trojan-activity; sid:2023884; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_08, malware_family Alreay_Banking, updated_at 2017_02_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Banker.Win32.Alreay DNS Lookup (movis-es .ignorelist .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|movis-es|0a|ignorelist|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,niebezpiecznik.pl/post/jak-przeprowadzono-atak-na-knf-i-polskie-banki-oraz-kto-jeszcze-byl-na-celowniku-przestepcow/; classtype:trojan-activity; sid:2023885; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_08, malware_family Alreay_Banking, updated_at 2017_02_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Banker.Win32.Alreay DNS Lookup (exbonus .mrbasic .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|exbonus|07|mrbasic|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,niebezpiecznik.pl/post/jak-przeprowadzono-atak-na-knf-i-polskie-banki-oraz-kto-jeszcze-byl-na-celowniku-przestepcow/; classtype:trojan-activity; sid:2023886; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_08, malware_family Alreay_Banking, updated_at 2017_02_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Spora Ransomware DNS Query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|spora|03|biz|00|"; nocase; distance:0; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/; reference:md5,41de296c5bcfc24fc0f16b1e997d9aa5; classtype:trojan-activity; sid:2023887; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2017_02_09, malware_family Spora, performance_impact Low, updated_at 2017_02_09;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Qadars CnC DNS Lookup (bst2bgxin81a.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|bst2bgxin81a|03|org|00|"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2023893; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_13, malware_family Qadars, updated_at 2017_02_13;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Qadars CnC DNS Lookup (websecuranalityc.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|websecuranalityc|03|com|00|"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2023894; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_13, malware_family Qadars, updated_at 2017_02_13;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Qadars CnC DNS Lookup (liveskansys.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|liveskansys|03|com|00|"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2023895; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_13, malware_family Qadars, updated_at 2017_02_13;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (iusacell-movil .com.mx)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|iusacell-movil|03|com|02|mx|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; reference:url,citizenlab.org/2017/02/bittersweet-nso-mexico-spyware/; classtype:trojan-activity; sid:2023898; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_13, malware_family Pegasus, updated_at 2017_02_13;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (smsmensaje .mx)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|smsmensaje|02|mx|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; reference:url,citizenlab.org/2017/02/bittersweet-nso-mexico-spyware/; classtype:trojan-activity; sid:2023899; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_13, malware_family Pegasus, updated_at 2017_02_13;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Unknown Malicious SSL Cert 1"; flow:established,from_server; content:"|55 04 03|"; content:"|14|giftshop.mefound.com"; distance:1; within:21; classtype:trojan-activity; sid:2023902; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_02_14, updated_at 2017_02_14;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Unknown Malicious SSL Cert 2"; flow:established,from_server; content:"|55 04 03|"; content:"|14|estimate.mefound.com"; distance:1; within:21; classtype:trojan-activity; sid:2023903; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_02_14, updated_at 2017_02_14;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Unknown Malicious SSL Cert 3"; flow:established,from_server; content:"|55 04 03|"; content:"|16|tradeboard.mefound.com"; distance:1; within:23; classtype:trojan-activity; sid:2023904; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_02_14, updated_at 2017_02_14;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Unknown Malicious SSL Cert 4"; flow:established,from_server; content:"|55 04 03|"; content:"|1c|referenceblog.ignorelist.com"; distance:1; within:29; classtype:trojan-activity; sid:2023905; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_02_14, updated_at 2017_02_14;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Unknown Malicious SSL Cert 5"; flow:established,from_server; content:"|07|Makeups"; content:"|55 04 03|"; distance:0; content:"|12|www.ignorelist.com"; distance:1; within:19; classtype:trojan-activity; sid:2023906; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_02_14, updated_at 2017_02_14;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Unknown Malicious SSL Cert 6"; flow:established,from_server; content:"|55 04 03|"; content:"|15|latest.ignorelist.com"; distance:1; within:22; classtype:trojan-activity; sid:2023907; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_02_14, updated_at 2017_02_14;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Unknown Malicious SSL Cert 7"; flow:established,from_server; content:"|55 04 03|"; content:"|15|tipnews.longmusic.com"; distance:1; within:22; classtype:trojan-activity; sid:2023908; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_02_14, updated_at 2017_02_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN MiniDuke CnC Beacon (string1_slide_1_1)"; flow:established,to_server; content:"IUgyYll"; content:"t"; within:3; content:"L"; within:3; content:"l"; within:3; content:"N"; within:3; content:"3"; within:3; content:"Q"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:trojan-activity; sid:2023918; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, malware_family APT29_MiniDuke, updated_at 2017_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN MiniDuke CnC Beacon (string1_slide_1_2)"; flow:established,to_server; content:"I"; content:"U"; within:3; content:"g"; within:3; content:"y"; within:3; content:"Y"; within:3; content:"l"; within:3; content:"ltLlN3Q"; within:9; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:trojan-activity; sid:2023919; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, malware_family APT29_MiniDuke, updated_at 2017_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN MiniDuke CnC Beacon (string1_slide_2_1)"; flow:established,to_server; content:"FIMmJZ"; content:"b"; within:3; content:"S"; within:3; content:"5"; within:3; content:"T"; within:3; content:"d"; within:3; content:"0"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:trojan-activity; sid:2023920; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, malware_family APT29_MiniDuke, updated_at 2017_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN MiniDuke CnC Beacon (string1_slide_2_2)"; flow:established,to_server; content:"F"; content:"I"; within:3; content:"M"; within:3; content:"m"; within:3; content:"J"; within:3; content:"Z"; within:3; content:"bS5Td0"; within:8; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:trojan-activity; sid:2023921; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, malware_family APT29_MiniDuke, updated_at 2017_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN MiniDuke CnC Beacon (string1_slide_3_1)"; flow:established,to_server; content:"hSDJiWW"; content:"0"; within:3; content:"u"; within:3; content:"U"; within:3; content:"3"; within:3; content:"d"; within:3; content:"A"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:trojan-activity; sid:2023922; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, malware_family APT29_MiniDuke, updated_at 2017_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN MiniDuke CnC Beacon (string1_slide_3_2)"; flow:established,to_server; content:"h"; content:"S"; within:3; content:"D"; within:3; content:"J"; within:3; content:"i"; within:3; content:"W"; within:3; content:"W0uU3dA"; within:9; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:trojan-activity; sid:2023923; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, malware_family APT29_MiniDuke, updated_at 2017_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN MiniDuke CnC Beacon (string2_slide_1_1)"; flow:established,to_server; content:"QDM0Zlo"; content:"3"; within:3; content:"R"; within:3; content:"V"; within:3; content:"t"; within:3; content:"w"; within:3; content:"X"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:trojan-activity; sid:2023924; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, malware_family APT29_MiniDuke, updated_at 2017_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN MiniDuke CnC Beacon (string2_slide_1_2)"; flow:established,to_server; content:"Q"; content:"D"; within:3; content:"M"; within:3; content:"0"; within:3; content:"Z"; within:3; content:"l"; within:3; content:"o3RVtwX"; within:9; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:trojan-activity; sid:2023925; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, malware_family APT29_MiniDuke, updated_at 2017_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN MiniDuke CnC Beacon (string2_slide_2_1)"; flow:established,to_server; content:"AzNGZa"; content:"N"; within:3; content:"0"; within:3; content:"V"; within:3; content:"b"; within:3; content:"c"; within:3; content:"F"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:trojan-activity; sid:2023926; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, malware_family APT29_MiniDuke, updated_at 2017_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN MiniDuke CnC Beacon (string2_slide_2_2)"; flow:established,to_server; content:"A"; content:"z"; within:3; content:"N"; within:3; content:"G"; within:3; content:"Z"; within:3; content:"a"; within:3; content:"N0VbcF"; within:8; reference:md5,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:trojan-activity; sid:2023927; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, malware_family APT29_MiniDuke, updated_at 2017_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN MiniDuke CnC Beacon (string2_slide_3_1)"; flow:established,to_server; content:"AMzRmWj"; content:"d"; within:3; content:"F"; within:3; content:"W"; within:3; content:"3"; within:3; content:"B"; within:3; content:"c"; within:3; reference:md5,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:trojan-activity; sid:2023928; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, malware_family APT29_MiniDuke, updated_at 2017_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN MiniDuke CnC Beacon (string2_slide_3_2)"; flow:established,to_server; content:"A"; content:"M"; within:3; content:"z"; within:3; content:"R"; within:3; content:"m"; within:3; content:"W"; within:3; content:"jdFW3Bc"; within:10; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:trojan-activity; sid:2023929; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, malware_family APT29_MiniDuke, updated_at 2017_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Miniduke Variant CnC Beacon via WebDAV"; flow:established,to_server; content:"/catalog/outgoing"; http_uri; fast_pattern:only; content:"User-Agent|3a 20|Microsoft-WebDAV-MiniRedir/"; http_header; reference:md5,f3459924f8b657359cb0bd0984a1d0fa; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:trojan-activity; sid:2023930; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, malware_family APT29_MiniDuke, performance_impact Low, updated_at 2017_02_16;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN APT29 Cache_DLL SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|1b|private.directinvesting.com"; distance:1; within:28; reference:md5,8f154d23ac2071d7f179959aaba37ad5; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:trojan-activity; sid:2023931; rev:2; metadata:created_at 2017_02_16, malware_family APT29_Cache_DLL, updated_at 2017_02_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Qadars CnC DNS Lookup (zkdef09i7ola.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|zkdef09i7ola|03|net|00|"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2023932; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, malware_family Qadars, performance_impact Low, updated_at 2017_02_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M1"; flow:established,from_server; file_data; content:"VwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZ"; metadata: former_category TROJAN; reference:md5,2a0df97277ddb361cecf8726df6d78ac; classtype:trojan-activity; sid:2023941; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, updated_at 2017_11_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M2"; flow:established,from_server; file_data; content:"VwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZ"; metadata: former_category TROJAN; reference:md5,2a0df97277ddb361cecf8726df6d78ac; classtype:trojan-activity; sid:2023942; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, updated_at 2017_11_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M3"; flow:established,from_server; file_data; content:"XAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBn"; metadata: former_category TROJAN; reference:md5,2a0df97277ddb361cecf8726df6d78ac; classtype:trojan-activity; sid:2023943; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, updated_at 2017_11_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possibly Malicious Double Base64 Unicode Net.ServicePointManager M1"; flow:established,from_server; file_data; content:"VwB3AEIATwBBAEcAVQBBAGQAQQBBAHUAQQBGAE0AQQBaAFEAQgB5AEEASABZAEEAYQBRAEIAagBBAEcAVQBBAFUAQQBCAHYAQQBHAGsAQQBiAGcAQgAw"; metadata: former_category TROJAN; reference:md5,45b0e5a457222455384713905f886bd4; classtype:trojan-activity; sid:2023944; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, updated_at 2017_11_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possibly Malicious Double Base64 Unicode Net.ServicePointManager M2"; flow:established,from_server; file_data; content:"cAdwBCAE8AQQBHAFUAQQBkAEEAQQB1AEEARgBNAEEAWgBRAEIAeQBBAEgAWQBBAGEAUQBCAGoAQQBHAFUAQQBVAEEAQgB2AEEARwBrAEEAYgBnAEIAM"; metadata: former_category TROJAN; reference:md5,45b0e5a457222455384713905f886bd4; classtype:trojan-activity; sid:2023945; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, updated_at 2017_11_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possibly Malicious Double Base64 Unicode Net.ServicePointManager M3"; flow:established,from_server; file_data; content:"XAHcAQgBPAEEARwBVAEEAZABBAEEAdQBBAEYATQBBAFoAUQBCAHkAQQBIAFkAQQBhAFEAQgBqAEEARwBVAEEAVQBBAEIAdgBBAEcAawBBAGIAZwBCAD"; metadata: former_category TROJAN; reference:md5,45b0e5a457222455384713905f886bd4; classtype:trojan-activity; sid:2023946; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, updated_at 2017_11_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Malicious PowerSploit PowerShell Script Observed over HTTP"; flow:established,from_server; file_data; content:"CmdletBinding()"; content:"$DoNotZeroMZ"; distance:0; fast_pattern; reference:url,github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1; classtype:trojan-activity; sid:2023947; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, updated_at 2017_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MAGICHOUND.FETCH Retrieving Malicious PowerShell"; flow:established,to_server; urilen:8; content:"GET"; http_method; content:"/pro.bat"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:md5,97454efcab28e64ac5400e63780af764; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-second-wave-shamoon-2-attacks-identified/; classtype:trojan-activity; sid:2023948; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, malware_family MAGICHOUND_FETCH, updated_at 2017_02_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Likely MAGICHOUND.FETCH Receiving PowerSploit PowerShell over HTTP"; flow:established,from_server; content:"$PEBytes"; content:"$PEBytes0=|22|TV"; distance:0; fast_pattern; reference:url,github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1; classtype:trojan-activity; sid:2023949; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, malware_family MAGICHOUND_FETCH, updated_at 2017_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MAGICHOUND.RETRIEVER CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".asmx"; http_uri; content:"<ip>"; http_client_body; content:"</ip><mac>"; distance:0; http_client_body; content:"</mac><host>"; distance:0; http_client_body; fast_pattern; content:"</host>"; distance:0; http_client_body; reference:md5,012f79570f720b997b9ef4ef327dd2da; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023950; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, malware_family MAGICHOUND_related, updated_at 2017_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MAGICHOUND.FETCH CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:".aspx?n="; http_uri; fast_pattern; content:"&m="; distance:0; http_uri; content:"&i="; distance:0; http_uri; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; metadata: former_category TROJAN; reference:md5,ed9e14a932b28f1ebdc4cd5b549af9da; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023951; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, malware_family MAGICHOUND_related, updated_at 2017_09_29;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN MAGICHOUND.FETCH SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|16|service.chrome-up.date"; distance:1; within:27; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023952; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_02_16, malware_family MAGICHOUND_related, performance_impact Low, updated_at 2017_02_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN MAGICHOUND-related DNS Lookup (chrome-up .date)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|chrome-up|04|date|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023953; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2017_02_16, malware_family MAGICHOUND, updated_at 2017_02_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN MAGICHOUND-related DNS Lookup (timezone .live)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|timezone|04|live|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023954; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2017_02_16, malware_family MAGICHOUND, updated_at 2017_02_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN MAGICHOUND-related DNS Lookup (servicesystem .serveirc.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|servicesystem|08|serveirc|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023955; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2017_02_16, malware_family MAGICHOUND, updated_at 2017_02_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN MAGICHOUND-related DNS Lookup (analytics-google .org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|analytics-google|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023956; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2017_02_16, malware_family MAGICHOUND, updated_at 2017_02_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN MAGICHOUND-related DNS Lookup (com-adm .in)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|com-adm|02|in|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023957; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2017_02_16, malware_family MAGICHOUND, updated_at 2017_02_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN MAGICHOUND-related DNS Lookup (microsoftexplorerservices .cloud)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|19|microsoftexplorerservices|05|cloud|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023958; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2017_02_16, malware_family MAGICHOUND, updated_at 2017_02_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN MAGICHOUND-related DNS Lookup (msservice .site)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|msservice|04|site|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023959; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2017_02_16, malware_family MAGICHOUND, updated_at 2017_02_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN MAGICHOUND-related DNS Lookup (com-ho .me)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|com-ho|02|me|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023960; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2017_02_16, malware_family MAGICHOUND, updated_at 2017_02_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN MAGICHOUND-related DNS Lookup (ntg-sa .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|ntg-sa|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023961; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2017_02_16, malware_family MAGICHOUND, updated_at 2017_02_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN MAGICHOUND-related DNS Lookup (briefl .ink)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|briefl|03|ink|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023962; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2017_02_16, malware_family MAGICHOUND, updated_at 2017_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MAGICHOUND.LEASH IRC CnC Beacon"; flow:established,to_server; content:"USER AS_a # # |3a|des|0d 0a|"; depth:20; reference:md5,3c8a142d2e3b84fb0d210250af77cc9b; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023963; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, malware_family MAGICHOUND_LEASH, performance_impact Low, updated_at 2017_02_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CozyCar CnC Beacon"; flow:established,to_server; content:"=11&"; http_uri; content:"=2"; distance:1; within:8; http_uri; content:"&"; distance:6; within:7; http_uri; content:"=410&"; distance:1; within:11; http_uri; content:"=650&"; distance:1; within:11; http_uri; fast_pattern; content:"=51"; distance:1; within:9; http_uri; pcre:"/=11&[^&]{1,7}?=2[^&]{6,12}&[^&]{1,7}?=410&[^&]{1,7}?=650&[^&]{1,7}?=51$/U"; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:trojan-activity; sid:2023965; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2017_02_17, malware_family APT29_CozyCar, updated_at 2017_02_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CozyCar V2 CnC Beacon"; flow:established,to_server; content:"=12&"; http_header; content:"=2"; distance:1; within:8; http_header; content:"=="; distance:12; within:6; http_header; content:"=="; distance:18; within:10; http_header; pcre:"/\.php\?$/U"; content:".php? HTTP/1."; fast_pattern:only; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:trojan-activity; sid:2023966; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, created_at 2017_02_17, malware_family APT29_CozyCar, updated_at 2017_02_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN APT29 Implant8 - Evil Twitter Callback"; flow:established,to_server; urilen:21; content:"GET"; http_method; content:"/api/asyncTwitter.php"; http_uri; fast_pattern:only; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:trojan-activity; sid:2023967; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_17, malware_family APT29_Implant8, performance_impact Low, updated_at 2017_02_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ShellCrew.APT StreamEx DNS Lookup 1"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|backup|11|microsoftappstore|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:trojan-activity; sid:2023968; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_17, malware_family APT_ShellCrew, malware_family StreamEx, updated_at 2017_02_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ShellCrew.APT StreamEx DNS Lookup 2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|dataserver|08|cmonkey3|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:trojan-activity; sid:2023969; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_17, malware_family APT_ShellCrew, malware_family StreamEx, updated_at 2017_02_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ShellCrew.APT StreamEx DNS Lookup 3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|google-helps|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:trojan-activity; sid:2023970; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_17, malware_family APT_ShellCrew, malware_family StreamEx, updated_at 2017_02_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ShellCrew.APT StreamEx DNS Lookup 4"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|kpupdate|05|amz80|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:trojan-activity; sid:2023971; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_17, malware_family APT_ShellCrew, malware_family StreamEx, updated_at 2017_02_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ShellCrew.APT StreamEx DNS Lookup 5"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|mail-help|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:trojan-activity; sid:2023972; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_17, malware_family APT_ShellCrew, malware_family StreamEx, updated_at 2017_02_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ShellCrew.APT StreamEx DNS Lookup 6"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|mail-issue|03|top|00|"; nocase; distance:0; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:trojan-activity; sid:2023973; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_17, malware_family APT_ShellCrew, malware_family StreamEx, updated_at 2017_02_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ShellCrew.APT StreamEx DNS Lookup 7"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|microsoftupdating|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:trojan-activity; sid:2023974; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_17, malware_family APT_ShellCrew, malware_family StreamEx, updated_at 2017_02_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ShellCrew.APT StreamEx DNS Lookup 8"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|microsoftwww|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:trojan-activity; sid:2023975; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_17, malware_family APT_ShellCrew, malware_family StreamEx, updated_at 2017_02_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ShellCrew.APT StreamEx DNS Lookup 9"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|ns1|05|ccccc|04|work|00|"; nocase; distance:0; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:trojan-activity; sid:2023976; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_17, malware_family APT_ShellCrew, malware_family StreamEx, updated_at 2017_02_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ShellCrew.APT StreamEx DNS Lookup 10"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|ns1|0c|superman0x58|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:trojan-activity; sid:2023977; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_17, malware_family APT_ShellCrew, malware_family StreamEx, updated_at 2017_02_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ShellCrew.APT StreamEx DNS Lookup 11"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|ns1|04|xssr|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:trojan-activity; sid:2023978; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_17, malware_family APT_ShellCrew, malware_family StreamEx, updated_at 2017_02_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ShellCrew.APT StreamEx DNS Lookup 12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|ns2|05|ccccc|04|work|00|"; nocase; distance:0; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:trojan-activity; sid:2023979; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_17, malware_family APT_ShellCrew, malware_family StreamEx, updated_at 2017_02_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ShellCrew.APT StreamEx DNS Lookup 13"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|ns2|0c|superman0x58|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:trojan-activity; sid:2023980; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_17, malware_family APT_ShellCrew, malware_family StreamEx, updated_at 2017_02_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ShellCrew.APT StreamEx DNS Lookup 14"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|ns2|04|xssr|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:trojan-activity; sid:2023981; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_17, malware_family APT_ShellCrew, malware_family StreamEx, updated_at 2017_02_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ShellCrew.APT StreamEx DNS Lookup 15"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|qr1|0b|3jd90dsj3df|07|website|00|"; nocase; distance:0; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:trojan-activity; sid:2023982; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_17, malware_family APT_ShellCrew, malware_family StreamEx, updated_at 2017_02_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ShellCrew.APT StreamEx DNS Lookup 16"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|r4|11|microsoftupdating|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:trojan-activity; sid:2023983; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_17, malware_family APT_ShellCrew, malware_family StreamEx, updated_at 2017_02_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ShellCrew.APT StreamEx DNS Lookup 17"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|rouji|04|xssr|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:trojan-activity; sid:2023984; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_17, malware_family APT_ShellCrew, malware_family StreamEx, updated_at 2017_02_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ShellCrew.APT StreamEx DNS Lookup 18"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|t2z0n9|11|microsoftappstore|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:trojan-activity; sid:2023985; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_17, malware_family APT_ShellCrew, malware_family StreamEx, updated_at 2017_02_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ShellCrew.APT StreamEx DNS Lookup 19"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|temp|0a|mail-issue|03|top|00|"; nocase; distance:0; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:trojan-activity; sid:2023986; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_17, malware_family APT_ShellCrew, malware_family StreamEx, updated_at 2017_02_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ShellCrew.APT StreamEx DNS Lookup 20"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|time-service|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:trojan-activity; sid:2023987; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_17, malware_family APT_ShellCrew, malware_family StreamEx, updated_at 2017_02_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ShellCrew.APT StreamEx DNS Lookup 21"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|update|0c|microsoftwww|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:trojan-activity; sid:2023988; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_17, malware_family APT_ShellCrew, malware_family StreamEx, updated_at 2017_02_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ShellCrew.APT StreamEx DNS Lookup 22"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|updatecz|08|mykorean|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:trojan-activity; sid:2023989; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_17, malware_family APT_ShellCrew, malware_family StreamEx, updated_at 2017_02_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ShellCrew.APT StreamEx DNS Lookup 23"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|uriupdate|06|newsbs|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:trojan-activity; sid:2023990; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_17, malware_family APT_ShellCrew, malware_family StreamEx, updated_at 2017_02_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ShellCrew.APT StreamEx DNS Lookup 24"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|wwgooglewww|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:trojan-activity; sid:2023991; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_17, malware_family APT_ShellCrew, malware_family StreamEx, updated_at 2017_02_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ShellCrew.APT StreamEx DNS Lookup 25"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|www|0c|microsoftwww|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:trojan-activity; sid:2023992; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_17, malware_family APT_ShellCrew, malware_family StreamEx, updated_at 2017_02_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ShellCrew.APT StreamEx DNS Lookup 26"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|wwwgooglewww|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:trojan-activity; sid:2023993; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_17, malware_family APT_ShellCrew, malware_family StreamEx, updated_at 2017_02_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ShellCrew.APT StreamEx DNS Lookup 27"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|zy|04|xssr|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:trojan-activity; sid:2023994; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_17, malware_family APT_ShellCrew, malware_family StreamEx, updated_at 2017_02_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|x5sbb5gesp6kzwsh"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,ransomwaretracker.abuse.ch; reference:md5,f09e72e3c1c36192b22e15b59a13ee1c; reference:url,blog.talosintelligence.com/2017/03/crypt0l0cker-torrentlocker-old-dog-new.html; classtype:trojan-activity; sid:2023998; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2017_02_17, malware_family Torrentlocker, performance_impact Low, updated_at 2017_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN APT29 Implant8 - MAL_REFERER"; flow:established,to_server; content:"GET"; http_method; content:"&bvm=bv.81"; fast_pattern; http_header; content:"|2c|d."; distance:6; within:3; http_header; content:"|0D 0A|"; distance:3; within:2; http_header; content:!"Cookie|3A 20|"; http_header; content:"Referer|3a 20|https|3a|//www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd="; pcre:"/^(?:[02-9]|1[01]?)&ved=0C[A-L]{2}QFjA[A-L]&url=/R"; content:"&ei="; distance:0; pcre:"/^[A-Za-z0-9]{20,22}&usg=[A-Za-z0-9_]{34}&bvm=bv\.81[1-7]{6}\,d\.[A-Za-z0-9_]{3}\r\n/R"; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:trojan-activity; sid:2024004; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_17, malware_family APT29_Implant8, performance_impact Low, updated_at 2017_02_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN FakeM SSL DNS Lookup (islamhood .net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|islamhood|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2024005; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_21, malware_family FakeM_SSL, performance_impact Low, updated_at 2017_02_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MSIL/Matrix Ransomware CnC Activity"; flow:established,to_server; content:"GET"; http_method; content:".php?apikey="; http_uri; content:"&compuser="; http_uri; distance:0; content:"&sid="; http_uri; distance:0; content:"&phase="; http_uri; distance:0; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|Synapse)|0d 0a|"; http_header; fast_pattern:24,20; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,ad8a7a383971ce0f5fc51e909e406996; classtype:trojan-activity; sid:2024120; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_24, malware_family Ransomware, malware_family Matrix, performance_impact Low, updated_at 2017_03_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/TinyNuke CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/client.php?"; http_uri; fast_pattern; content:"Content-Length|3a 20|9|0d 0a|"; http_header; pcre:"/\/client\.php\?[A-F0-9]{15,25}$/Ui"; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; flowbits:set,ET.TinyNuke; metadata: former_category TROJAN; reference:md5,917124e4d53057324aa129520fca73fb; classtype:trojan-activity; sid:2024991; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_27, performance_impact Low, updated_at 2017_11_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pteranodon Backdoor Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?comp="; nocase; depth:16; fast_pattern; http_uri; content:"&id="; nocase; distance:0; http_uri; content:"_{"; distance:0; http_uri; metadata: former_category TROJAN; reference:md5,58aee970b06e67c9047836710f28e205; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/; classtype:trojan-activity; sid:2024022; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_02_28, malware_family Gamaredon, updated_at 2017_02_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pteranodon Backdoor CnC POST"; flow:to_server,established; content:"POST"; http_method; content:"|42 30 75 4e 64 34 52 79 5f 24 0d 0a|"; http_header; fast_pattern; content:"form-data|3b 20|name=|22|uuid|22|"; http_client_body; metadata: former_category TROJAN; reference:md5,58aee970b06e67c9047836710f28e205; reference:md5,8d6d246c5c660691c59405ee2914a020; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/; classtype:trojan-activity; sid:2024023; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_02_28, malware_family Gamaredon, updated_at 2017_02_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pteranodon Variant 1 Backdoor Checkin"; flow:to_server,established; urilen:1; content:"POST"; http_method; content:"comp="; nocase; depth:5; http_client_body; fast_pattern; content:"&id="; distance:0; nocase; http_client_body; content:"_{"; distance:0; nocase; http_client_body; content:"}_"; distance:0; nocase; http_client_body; content:"&sysinfo="; distance:0; nocase; http_client_body; metadata: former_category TROJAN; reference:md5,c56c677b52e795710e77aa2d4f12b70a; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/; classtype:trojan-activity; sid:2024024; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_02_28, malware_family Gamaredon, updated_at 2017_02_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pteranodon Variant 2 Backdoor Checkin"; flow:to_server,established; urilen:1; content:"POST"; http_method; content:"fid="; depth:4; nocase; http_client_body; content:"&versiya="; nocase; distance:0; http_client_body; fast_pattern; content:"&comp="; nocase; distance:0; http_client_body; content:"&id="; nocase; distance:0; http_client_body; content:"&sysinfo="; nocase; distance:0; http_client_body; metadata: former_category TROJAN; reference:md5,2f0f78038c8a2f6177d266c62cadd756; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/; classtype:trojan-activity; sid:2024025; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_02_28, malware_family Gamaredon, updated_at 2017_02_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pteranodon Variant 3 Backdoor Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?fid="; depth:15; http_uri; content:"&versiya="; nocase; distance:0; http_uri; fast_pattern; content:"&comp="; nocase; distance:0; http_uri; content:"&id="; nocase; distance:0; http_uri; content:"&sysinfo="; nocase; distance:0; http_uri; metadata: former_category TROJAN; reference:md5,2f0f78038c8a2f6177d266c62cadd756; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/; classtype:trojan-activity; sid:2024026; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_02_28, malware_family Gamaredon, updated_at 2017_02_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gamaredon File Stealer POST"; flow:to_server,established; content:"POST"; http_method; content:"Content-Type|3a 20|multipart/form-data|3b|"; http_header; content:!"User-Agent|3a 20|"; http_header; content:"form-data|3b 20|name=|22|filename|22|"; nocase; http_client_body; content:"form-data|3b 20|name=|22|compname|22|"; distance:0; nocase; http_client_body; content:"form-data|3b 20|name=|22|serial|22|"; distance:0; nocase; http_client_body; fast_pattern:4,20; content:"form-data|3b 20|name=|22|w|22|"; distance:0; nocase; http_client_body; content:"form-data|3b 20|name=|22|filesize|22|"; distance:0; nocase; http_client_body; content:"form-data|3b 20|name=|22|file|22|"; distance:0; nocase; http_client_body; metadata: former_category TROJAN; reference:md5,1a81516780c2c5a966261cc47478133c; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/; classtype:trojan-activity; sid:2024027; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_02_28, malware_family Gamaredon, updated_at 2017_02_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Infostealer.Bancos ProxyChanger Checkin"; flow:established,to_server; content:"GET"; http_method; content:"//admin/imagens/icones/new/get.php"; fast_pattern:only; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; metadata: former_category TROJAN; reference:md5,d34912a19473fe41abdd4764e7bec5f9; classtype:trojan-activity; sid:2024028; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2017_02_28, malware_family Bancos, performance_impact Low, updated_at 2018_04_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WS/JS Downloader Mar 07 2017 M1"; flow:established,to_server; content:"/counter/"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; content:"MSIE 7.0"; http_header; pcre:"/\/counter\/(?:\?[a-z]?\d{1,2}$|[^\x2f]*\d\.exe$|.*?[?=](?=[A-Za-z_-]{0,200}[0-9][A-Za-z_-]{0,200}[0-9])(?=[A-Z0-9_-]{0,200}[a-z][A-Z0-9_-]{0,200}[a-z])(?=[a-z0-9_-]{0,200}[A-Z][a-z0-9_-]{0,200}[A-Z])[A-Za-z0-9_-]{50,}(?:&|$))/U"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024035; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_08, updated_at 2017_03_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WS/JS Downloader Mar 07 2017 M2"; flow:established,to_server; content:"/counter/?"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; content:!"User-Agent|3a|"; http_header; pcre:"/\/counter\/(?:\?[a-z]?\d{1,2}$|[^\x2f]*\d\.exe$|.*?[?=](?=[A-Za-z_-]{0,200}[0-9][A-Za-z_-]{0,200}[0-9])(?=[A-Z0-9_-]{0,200}[a-z][A-Z0-9_-]{0,200}[a-z])(?=[a-z0-9_-]{0,200}[A-Z][a-z0-9_-]{0,200}[A-Z])[A-Za-z0-9_-]{50,}(?:&|$))/U"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024036; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_08, updated_at 2017_03_08;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Spora Ransomware SSL Certificate Detected"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|08|spora.bz"; distance:1; within:9; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024043; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2017_03_09, malware_family Spora, updated_at 2017_03_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Spora Ransomware Checkin"; flow:to_server,established; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"=XDATABASE64ENCRYPTED"; http_client_body; fast_pattern:1,20; content:!"Cookie|3a|"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024041; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2017_03_09, malware_family Spora, updated_at 2017_03_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MSIL/Karmen Ransomware CnC Activity"; flow:established,to_server; content:"GET"; http_method; content:"data.php?id="; http_uri; fast_pattern; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php\?id=[A-Za-z0-9]{10,20}(?:&key=[A-Za-z0-9]{10,30})?$/Ui"; pcre:"/^Host\x3a\x20[^\r\n]+\r\n(?:Connection\x3a\x20Keep-Alive\r\n)?\r\n$/Hmi"; metadata: former_category TROJAN; reference:md5,05427ed1c477cc01910eb9adbf35068d; classtype:trojan-activity; sid:2024239; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_14, malware_family Karmen_Ransomware, performance_impact Moderate, updated_at 2018_05_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/CryptFile2 / Revenge Ransomware Checkin M3"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; content:"id="; http_client_body; depth:3; content:"&count="; http_client_body; distance:0; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; pcre:"/^id=[0-9A-Z]+&count=/P"; metadata: former_category TROJAN; reference:md5,116fbce554b25829b17b6e47990821b4; classtype:trojan-activity; sid:2024056; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_15, malware_family CryptFile2, performance_impact Moderate, updated_at 2017_03_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MagikPOS Downloader Retrieving Payload"; flow:established,to_server; content:"GET /"; depth:5; content:".php?file="; distance:0; fast_pattern; pcre:"/^(?:64|86)/R"; content:"|20|HTTP/1."; within:8; content:!"User-Agent|3a|"; distance:0; content:!"Accept"; distance:0; content:!"Referer|3a|"; distance:0; metadata: former_category TROJAN; reference:md5,121c1008d54e91db66feaf67b3d4084e; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/; classtype:trojan-activity; sid:2024064; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag POS, signature_severity Major, created_at 2017_03_16, malware_family MagikPOS, performance_impact Low, updated_at 2017_03_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MagikPOS Downloader Checkin"; flow:established,to_server; content:"data=domain%253a"; depth:16; fast_pattern; content:"%250auser"; distance:0; metadata: former_category TROJAN; reference:md5,121c1008d54e91db66feaf67b3d4084e; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/; classtype:trojan-activity; sid:2024066; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, signature_severity Major, created_at 2017_03_16, malware_family MagikPOS, performance_impact Low, updated_at 2017_03_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MagikPOS CnC Beacon"; flow:established,to_server; content:"POST /"; depth:6; content:"/api/?act=in|20|HTTP/1."; distance:0; fast_pattern; content:!"User-Agent|3a|"; distance:0; content:!"Content-Type|3a|"; distance:0; content:!"Accept"; distance:0; content:!"Referer|3a|"; distance:0; content:"Expect|3a 20|100-continue|0d 0a|"; distance:0; metadata: former_category TROJAN; reference:md5,121c1008d54e91db66feaf67b3d4084e; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/; classtype:trojan-activity; sid:2024067; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag POS, signature_severity Major, created_at 2017_03_16, malware_family MagikPOS, performance_impact Low, updated_at 2017_03_16;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|nopassworddomaine.com"; distance:1; within:22; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024068; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_03_16, updated_at 2017_03_16;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|asdallls.com"; distance:1; within:13; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024069; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_03_16, updated_at 2017_03_16;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|treesaboutword.com"; distance:1; within:19; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024070; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_03_16, updated_at 2017_03_16;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Android Marcher C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|randfservices.co.uk"; distance:1; within:20; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024071; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_03_16, updated_at 2017_03_16;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|radomir.tk"; distance:1; within:11; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024072; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_03_16, updated_at 2017_03_16;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|ui-images.ru"; distance:1; within:13; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024073; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_03_16, updated_at 2017_03_16;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|sopelnas.co"; distance:1; within:12; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024074; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_03_16, updated_at 2017_03_16;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|nesiron.co"; distance:1; within:11; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024075; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_03_16, updated_at 2017_03_16;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|securityupdate.at"; distance:1; within:18; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024076; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_03_16, updated_at 2017_03_16;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Chthonic MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|Anyverizozovali"; distance:1; within:16; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024077; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_03_16, updated_at 2017_03_16;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; pcre:"/^.[\x0e\x0f](?!(?:www|ns))[a-z0-9]{2,3}/R"; content:".faisrl.net"; within:11; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024078; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_03_16, updated_at 2017_03_16;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; pcre:"/^.[\x0a\x0b](?!(?:www|ns))[a-z0-9]{1,2}/R"; content:".kjaro.it"; within:9; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024079; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_03_16, updated_at 2017_03_16;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|24brb.tk"; distance:1; within:9; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024080; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_03_16, updated_at 2017_03_16;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|interface-ui.ru"; distance:1; within:16; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024081; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_03_16, updated_at 2017_03_16;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|sogelfeld.ws"; distance:1; within:13; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024082; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_03_16, updated_at 2017_03_16;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|kmeses.com"; distance:1; within:11; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024084; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_03_16, updated_at 2017_03_16;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|sklaaaor.com"; distance:1; within:13; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024085; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_03_16, updated_at 2017_03_16;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|securessl.info"; distance:1; within:15; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024086; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_03_16, updated_at 2017_03_16;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|gamagrjoba.at"; distance:1; within:14; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024087; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_03_16, updated_at 2017_03_16;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|c.beccaccechepassione.com"; distance:1; within:26; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024088; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_03_16, updated_at 2017_03_16;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|16|shanycuusenetscape.xyz"; distance:1; within:23; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024089; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_03_16, updated_at 2017_03_16;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|userlicensenon.club"; distance:1; within:20; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024090; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_03_16, updated_at 2017_03_16;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|w4ait0.com"; distance:1; within:11; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024091; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_03_16, updated_at 2017_03_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Spy.Banker.ACUT CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"User-Agent|3a 20|Mozilla/3.0 (compatible|3b 20|Indy Library)|0d 0a|"; http_header; fast_pattern:12,20; content:"plugin="; http_client_body; depth:7; content:"&windows="; http_client_body; content:"&user="; http_client_body; content:"&av="; http_client_body; content:"&bs="; http_client_body; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,219cf8b022d3933ba46f482478450f49; classtype:trojan-activity; sid:2024099; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_22, malware_family Banload, performance_impact Moderate, updated_at 2017_03_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hjhqmbxyinislkkt"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2024104; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2017_03_27, malware_family Ransomware, malware_family Cerber, performance_impact Low, updated_at 2017_04_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN KHRAT DragonOK DNS Lookup (inter-ctrip .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|inter-ctrip|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok’s-new-custom-backdoor; classtype:trojan-activity; sid:2024108; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_29, performance_impact Low, updated_at 2017_03_29;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mjs2bcdrttpmm7pp"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024110; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, signature_severity Major, created_at 2017_03_29, malware_family Ransomware, updated_at 2017_03_29;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|sloryvugp4abxnfu"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024111; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, signature_severity Major, created_at 2017_03_29, malware_family Ransomware, updated_at 2017_03_29;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|u73tcilcw2cw2by5"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024112; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, signature_severity Major, created_at 2017_03_29, malware_family Ransomware, updated_at 2017_03_29;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xijymvzq4zkyubfe"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024113; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, signature_severity Major, created_at 2017_03_29, malware_family Ransomware, updated_at 2017_03_29;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DeepEnd Research Ransomware CrypMIC Payment Onion Domain "; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zmsr22fviy7kxihf"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024114; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, signature_severity Major, created_at 2017_03_29, malware_family Ransomware, updated_at 2017_03_29;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zuotmsnm7vh2jx77"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024115; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, signature_severity Major, created_at 2017_03_29, malware_family Ransomware, updated_at 2017_03_29;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zxungms47m6ecj7t"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024116; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, signature_severity Major, created_at 2017_03_29, malware_family Ransomware, updated_at 2017_03_29;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware CrypMIC Payment Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cze2agbxnpkc5hdk"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024117; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, signature_severity Major, created_at 2017_03_29, malware_family Ransomware, updated_at 2017_03_29;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware CrypMIC Payment Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xqraoaoaph4d545r"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024118; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, signature_severity Major, created_at 2017_03_29, malware_family Ransomware, updated_at 2017_03_29;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware CrypMIC Payment Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|underdj5ziov3ic7"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024119; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, signature_severity Major, created_at 2017_03_29, malware_family Ransomware, updated_at 2017_03_29;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKitten DNS Lookup (1e100 .tech)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|1e100|04|tech|00|"; nocase; distance:0; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024143; rev:1; metadata:created_at 2017_03_31, updated_at 2017_03_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKitten DNS Lookup (1m100 .tech)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|1m100|04|tech|00|"; nocase; distance:0; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024144; rev:1; metadata:created_at 2017_03_31, updated_at 2017_03_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKitten DNS Lookup (ads-youtube .online)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|ads-youtube|06|online|00|"; nocase; distance:0; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024145; rev:1; metadata:created_at 2017_03_31, updated_at 2017_03_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKitten DNS Lookup (akamaitechnology .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|akamaitechnology|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024146; rev:1; metadata:created_at 2017_03_31, updated_at 2017_03_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKitten DNS Lookup (alkamaihd .net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|alkamaihd|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024147; rev:1; metadata:created_at 2017_03_31, updated_at 2017_03_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKitten DNS Lookup (azurewebsites .tech)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|azurewebsites|04|tech|00|"; nocase; distance:0; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024148; rev:1; metadata:created_at 2017_03_31, updated_at 2017_03_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKitten DNS Lookup (broadcast-microsoft .tech)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|broadcast-microsoft|04|tech|00|"; nocase; distance:0; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024149; rev:1; metadata:created_at 2017_03_31, updated_at 2017_03_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKitten DNS Lookup (chromeupdates .online)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|chromeupdates|06|online|00|"; nocase; distance:0; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024150; rev:1; metadata:created_at 2017_03_31, updated_at 2017_03_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKitten DNS Lookup (cloudmicrosoft .net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|cloudmicrosoft|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024151; rev:1; metadata:created_at 2017_03_31, updated_at 2017_03_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKitten DNS Lookup (dnsserv .host)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|dnsserv|04|host|00|"; nocase; distance:0; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024152; rev:1; metadata:created_at 2017_03_31, updated_at 2017_03_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKitten DNS Lookup (elasticbeanstalk .tech)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|elasticbeanstalk|04|tech|00|"; nocase; distance:0; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024153; rev:1; metadata:created_at 2017_03_31, updated_at 2017_03_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKitten DNS Lookup (fdgdsg .xyz)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|fdgdsg|03|xyz|00|"; nocase; distance:0; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024154; rev:1; metadata:created_at 2017_03_31, updated_at 2017_03_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKitten DNS Lookup (jguery .net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|jguery|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024155; rev:1; metadata:created_at 2017_03_31, updated_at 2017_03_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKitten DNS Lookup (jguery .online)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|jguery|06|online|00|"; nocase; distance:0; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024156; rev:1; metadata:created_at 2017_03_31, updated_at 2017_03_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKitten DNS Lookup (microsoft-ds .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|microsoft-ds|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024157; rev:1; metadata:created_at 2017_03_31, updated_at 2017_03_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKitten DNS Lookup (microsoft-security .host)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|microsoft-security|04|host|00|"; nocase; distance:0; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024158; rev:1; metadata:created_at 2017_03_31, updated_at 2017_03_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKitten DNS Lookup (nameserver .win)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|nameserver|03|win|00|"; nocase; distance:0; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024159; rev:1; metadata:created_at 2017_03_31, updated_at 2017_03_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKitten DNS Lookup (newsfeeds-microsoft .press)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|newsfeeds-microsoft|05|press|00|"; nocase; distance:0; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024160; rev:1; metadata:created_at 2017_03_31, updated_at 2017_03_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKitten DNS Lookup (owa-microsoft .online)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|owa-microsoft|06|online|00|"; nocase; distance:0; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024161; rev:1; metadata:created_at 2017_03_31, updated_at 2017_03_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKitten DNS Lookup (primeminister-goverment-techcenter .tech)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|22|primeminister-goverment-techcenter|04|tech|00|"; nocase; distance:0; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024162; rev:1; metadata:created_at 2017_03_31, updated_at 2017_03_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKitten DNS Lookup (qoldenlines .net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|qoldenlines|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024163; rev:1; metadata:created_at 2017_03_31, updated_at 2017_03_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKitten DNS Lookup (sharepoint-microsoft .co)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|14|sharepoint-microsoft|02|co|00|"; nocase; distance:0; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024164; rev:1; metadata:created_at 2017_03_31, updated_at 2017_03_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKitten DNS Lookup (ssl-gstatic .online)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|ssl-gstatic|06|online|00|"; nocase; distance:0; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024165; rev:1; metadata:created_at 2017_03_31, updated_at 2017_03_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible CopyKitten DNS Lookup (trendmicro .tech)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|trendmicro|04|tech|00|"; nocase; distance:0; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024166; rev:1; metadata:created_at 2017_03_31, updated_at 2017_03_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Red Leaves magic packet detected (APT10 implant)"; flow:established,to_server; dsize:12; content:"|7a 8d 9b dc|"; offset:4; depth:4; flowbits:set,ncc.apt10.beacon_send; threshold:type limit, track by_src, count 1, seconds 600; metadata: former_category TROJAN; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Red%20Leaves/Red%20Leaves%20technical%20note%20v1.0.pdf; reference:url,blog.jpcert.or.jp/2017/04/redleaves---malware-based-on-open-source-rat.html; classtype:trojan-activity; sid:2024173; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT10, tag RedLeaves, signature_severity Major, created_at 2017_04_04, malware_family RedLeaves, malware_family Red_Leaves, performance_impact Low, updated_at 2017_04_28;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Red Leaves magic packet response detected (APT10 implant)"; flowbits:isset,ncc.apt10.beacon_send; flow:established,to_client; dsize:12; content:"|7a 8d 9b dc|"; offset:4; depth:4; threshold:type limit, track by_dst, count 1, seconds 600; metadata: former_category TROJAN; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Red%20Leaves/Red%20Leaves%20technical%20note%20v1.0.pdf; reference:url,blog.jpcert.or.jp/2017/04/redleaves---malware-based-on-open-source-rat.html; classtype:trojan-activity; sid:2024174; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT, tag APT10, tag RedLeaves, signature_severity Major, created_at 2017_04_04, malware_family RedLeaves, malware_family Red_Leaves, performance_impact Low, updated_at 2017_04_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Red Leaves HTTP CnC Beacon (APT10 implant)"; flow:established,to_server; content:"POST "; depth:5; content:"/index.php|20|HTTP/1.1|0d 0a|"; distance:0; content:!"Content-Type|3a|"; distance:0; content:!"User-Agent|3a|"; distance:0; content:!"Accept-"; distance:0; content:!"Referer|3a|"; distance:0; content:"Accept|3a 20|*/*|0d 0a|"; distance:0; content:"Connection|3a 20|Keep-Alive"; content:"Host|3a 20|"; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r\n/R"; pcre:"/^POST\x20\/(?:[A-Z]+\/)?index\.php\x20/"; content:"dex.php|20|HTTP/1.1|0d 0a|Co"; fast_pattern:only; threshold:type limit, track by_src, count 1, seconds 600; metadata: former_category TROJAN; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Red%20Leaves/Red%20Leaves%20technical%20note%20v1.0.pdf; reference:url,blog.jpcert.or.jp/2017/04/redleaves---malware-based-on-open-source-rat.html; classtype:trojan-activity; sid:2024175; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT, tag APT10, tag RedLeaves, signature_severity Major, created_at 2017_04_04, malware_family RedLeaves, malware_family Red_Leaves, performance_impact Low, updated_at 2017_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Felismus CnC Beacon 1"; flow:established,to_server; content:"GET"; http_method; content:".php?V="; http_uri; fast_pattern; content:"&U="; distance:0; http_uri; content:!"Accept-"; http_header; content:"Windows NT"; http_header; content:"Referer|3a|"; http_header; content:".php|0d 0a|"; distance:0; http_header; metadata: former_category TROJAN; reference:url,blogs.forcepoint.com/security-labs/playing-cat-mouse-introducing-felismus-malware; reference:md5,8de3f20d94611e0200c484e42093f447; classtype:trojan-activity; sid:2024176; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Felismus, signature_severity Major, created_at 2017_04_04, malware_family Felismus, performance_impact Low, updated_at 2017_04_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Felismus CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:"/products.php?"; http_uri; fast_pattern:only; content:!"Content-Type|3a|"; http_header; content:"Referer|3a|"; http_header; content:"/products.php|0d 0a|"; distance:0; http_header; pcre:"/\.php\?[a-z]{15,}$/U"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/P"; threshold:type limit, track by_src, count 1, seconds 600; metadata: former_category TROJAN; reference:url,blogs.forcepoint.com/security-labs/playing-cat-mouse-introducing-felismus-malware; reference:md5,8de3f20d94611e0200c484e42093f447; classtype:trojan-activity; sid:2024177; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Felismus, signature_severity Major, created_at 2017_04_04, malware_family Felismus, performance_impact Low, updated_at 2017_04_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MSIL/Matrix Ransomware Sending Encrypted Filelist"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|Synapse)|0d 0a|"; http_header; fast_pattern:12,20; content:"name=|22|uploadfile|22 3b 20|filename=|22|C|3a 5c|"; http_client_body; content:"|0d 0a|[ALL]|0d 0a|"; http_client_body; distance:0; content:"|0d 0a|[ALL_END]|0d 0a 0d 0a|[PRIORITY]|0d 0a|"; http_client_body; distance:0; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,e5293a4da4b67be6ff2893f88c8ef757; classtype:trojan-activity; sid:2024178; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_04, malware_family Ransomware, malware_family Matrix, performance_impact Moderate, updated_at 2017_04_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Neutrino Checkin 6"; flow:to_server,established; content:"POST"; http_method; content:"authkeys="; http_cookie; content:!"Referer|3a|"; http_header; content:"auth=1"; http_client_body; depth:6; metadata: former_category TROJAN; reference:md5,656766ad934aa482cbe78f1bca6dadc2; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:trojan-activity; sid:2024179; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_04, malware_family Neutrino, performance_impact Moderate, updated_at 2017_04_04;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN MSIL/NR42 Bot Parsing Config From Webpage"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<sendusername>"; fast_pattern; content:"</sendusername>"; distance:0; within:30; content:"<guser>"; distance:0; content:"</guser>"; distance:0; content:"<files>"; distance:0; content:"</files>"; distance:0; content:"<cmdua>"; distance:0; content:"</cmdua>"; distance:0; content:"<cmdkmt>"; distance:0; threshold:type both, track by_src, count 60, seconds 60; metadata: former_category TROJAN; reference:md5,32730022593ebd2c93126d34bc60b654; classtype:trojan-activity; sid:2024182; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_06, performance_impact Moderate, updated_at 2017_04_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Turla Carbon Paper CnC Beacon (Fake User-Agent)"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE "; http_header; content:"."; distance:1; within:2; http_header; content:".0|3b| Windows NT "; distance:0; http_header; content:"Trident/"; distance:0; http_header; content:"Referer|3a|"; http_header; pcre:"/^User-Agent\x3a Mozilla\/4\.0 \(compatible\x3b MSIE \d{1,2}\.0\.\d+\.\d+\.0\x3b Windows NT /Hmi"; content:"Cookie|3a 20|PHPSESSID="; fast_pattern:only; metadata: former_category TROJAN; reference:url,www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/; classtype:trojan-activity; sid:2024183; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_06, performance_impact Moderate, updated_at 2017_04_06;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jpre3ta3x2csggd4"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024189; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, signature_severity Major, created_at 2017_04_07, malware_family Ransomware, updated_at 2017_04_07;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cmzr4dz3begkpwa2"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024190; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, signature_severity Major, created_at 2017_04_07, malware_family Ransomware, updated_at 2017_04_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Mole Ransomware CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"guid="; http_client_body; depth:5; fast_pattern; content:"&ver="; http_client_body; distance:0; pcre:"/^guid=[^&]+?&ver=[^&]+?(?:&fc=[^\r\n]+)?$/Pi"; metadata: former_category TROJAN; reference:url,isc.sans.edu/forums/diary/Malspam+on+20170411+pushes+yet+another+ransomware+variant/22290/; reference:md5,31c2e85ef5e4c0009e1f18794527b4ca; classtype:trojan-activity; sid:2024203; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_12, malware_family Ransomware, malware_family Mole, performance_impact Moderate, updated_at 2017_04_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MSIL/Hidden-Tear Variant Ransomware CnC Checkin"; flow:established,to_server; content:".php?rid=ClsgIFVzZXItSUQgIF0gID"; http_uri; fast_pattern; content:"Ransom|3a 20|Client|0d 0a|"; http_header; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php\?rid=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/Ui"; metadata: former_category TROJAN; reference:md5,b991a99335b01bed8da4401fee1f2d45; classtype:trojan-activity; sid:2024204; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_12, malware_family Ransomware, malware_family Hidden_Tear, performance_impact Moderate, updated_at 2017_04_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Cradle Ransomware Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pn6fsogszhqlxz4n"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:md5,53f6f9a0d0867c10841b815a1eea1468; classtype:trojan-activity; sid:2024205; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_14, malware_family Ransomware, malware_family Cradle, performance_impact Low, updated_at 2017_04_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Quant Loader Download Response M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"exe=http://"; within:30; nocase; fast_pattern; content:"|2e|exe|3b|"; distance:0; nocase; metadata: former_category TROJAN; reference:md5,aa0b114a64683d89f62d26a088e164f6; classtype:trojan-activity; sid:2024206; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_17, performance_impact Moderate, updated_at 2017_04_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Malicious Gzip PowerShell over HTTP"; flow:established,from_server; file_data; content:"FromBase64String"; content:"H4sIAI"; distance:0; fast_pattern; content:"GzipStream"; nocase; distance:0; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024221; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PowerShell, signature_severity Major, created_at 2017_04_18, malware_family PowerShell, performance_impact Moderate, updated_at 2017_04_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MSIL/Runsome Ransomware CnC Checkin"; flow:established,to_server; content:".php?name="; http_uri; content:"&key=ENC"; http_uri; distance:0; fast_pattern; content:"|20|HTTP/1.1|0d 0a|Host|3a|"; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php\?name=[^\r\n]+?&key=ENC[^\r\n]+$/U"; metadata: former_category TROJAN; reference:md5,70c27926e54732a579b0004ede566fc6; reference:url,github.com/ShaneNolan/Runsome; classtype:trojan-activity; sid:2024223; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_19, malware_family Ransomware, malware_family Runsome, performance_impact Moderate, updated_at 2017_04_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET TROJAN Unknown Possibly Ransomware (Dropped by RIG) CnC Beacon"; flow:established,to_server; content:"POST / HTTP/1."; depth:14; content:!"Referer|3a|"; distance:0; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; distance:0; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|"; content:"Accept|3a 20|*|0d 0a|"; fast_pattern:only; metadata: former_category TROJAN; reference:md5,26b21902548e3b821387c90d729bace6; classtype:trojan-activity; sid:2024233; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_21, performance_impact Moderate, updated_at 2017_04_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN ARM Binary Downloaded via WGET Containing Suspicious Netcat Command - Possible IoT Malware"; flow:from_server,established; flowbits:isset,ET.armwget; content:"|25|24|25|28nc+"; content:"+-e+|25|2Fbin|25|2Fsh|25|29"; within:50; fast_pattern; metadata: former_category TROJAN; reference:url,blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/; classtype:trojan-activity; sid:2024241; rev:1; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_04_25, updated_at 2017_04_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN ARM Binary Downloaded via WGET Containing GoAhead and Multiple Camera RCE 0Day Vulnerabilities"; flow:from_server,established; flowbits:isset,ET.armwget; content:"/set_ftp.cgi"; distance:0; fast_pattern; content:"&next_url=ftp.htm&port=21&user=ftp&pwd=ftp&dir=/&mode=PORT&upload_interval=0&svr="; distance:0; metadata: former_category TROJAN; reference:url,blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/; reference:url,pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html; classtype:trojan-activity; sid:2024242; rev:1; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_04_25, updated_at 2017_04_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ARM Binary Requested via WGET to Known IoT Malware Domain"; flow:to_server,established; content:"GET"; http_method; content:"Host|3a 20|ntp.gtpnet.ir"; http_header; fast_pattern; content:"User-Agent|3a 20|Wget/"; http_header; pcre:"/\.(?:arm(?:5n|7)?|m(?:ips|psl))$/U"; metadata: former_category TROJAN; reference:url,blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/; classtype:trojan-activity; sid:2024243; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_04_25, updated_at 2017_04_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Known IoT Malware Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|ntp|06|gtpnet|02|ir|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/; classtype:trojan-activity; sid:2024244; rev:1; metadata:attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2017_04_25, updated_at 2017_04_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Known IoT Malware Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|load|06|gtpnet|02|ir|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/; classtype:trojan-activity; sid:2024245; rev:1; metadata:attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2017_04_25, updated_at 2017_04_25;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL cert (pyteHole Ransomware)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|services.pasmik.net"; distance:1; within:20; metadata: former_category TROJAN; reference:md5,f652968bfe0861b56c8bdc111d902512; classtype:trojan-activity; sid:2024246; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_25, malware_family pyteHole, performance_impact Low, updated_at 2017_04_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible DANDERSPRITZ Default HTTP Headers"; flow:established,to_server; content:"POST"; http_method; content:"Referrer|3a 20|"; http_header; content:"|0d 0a|TlEo|3a 20|"; http_header; fast_pattern;  metadata: former_category TROJAN; classtype:trojan-activity; sid:2024247; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_26, performance_impact Moderate, updated_at 2017_04_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible DANDERSPRITZ HTTP Beacon"; flow:established,to_server; content:"POST"; http_method; content:"|3a|0000"; http_header; content:"|f0 00 00 00 45 ff 11 ff f0 44 00 00|"; http_client_body; fast_pattern; offset:0;  metadata: former_category TROJAN; classtype:trojan-activity; sid:2024248; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_26, performance_impact Moderate, updated_at 2017_04_26;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|z2luqg4xu5r6zm6o"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024263; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, signature_severity Major, created_at 2017_04_27, malware_family Ransomware, updated_at 2017_04_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zyuc6ucewfwgnhvg"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024264; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, signature_severity Major, created_at 2017_04_27, malware_family Ransomware, updated_at 2017_04_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Kazuar CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:!"Accept"; http_header; content:"Referer|3a|"; http_header; content:"AuthToken="; depth:10; http_cookie; pcre:"/^AuthToken=[A-Za-z0-9+/]{43}=$/C"; content:"Cookie|3a 20|AuthToken="; fast_pattern:only; metadata: former_category TROJAN; reference:md5,7a778e076e48ff269e91f17a15ea97d5; reference:url,researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/; classtype:trojan-activity; sid:2024270; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT, tag RUAPT, signature_severity Major, created_at 2017_05_04, malware_family Turla, malware_family Kazuar, performance_impact Low, updated_at 2017_09_15;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Turla Snake OSX DNS Lookup (car-service .effers.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|car-service|06|effers|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/; classtype:trojan-activity; sid:2024271; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag APT, tag RUAPT, signature_severity Critical, created_at 2017_05_04, malware_family Turla, malware_family Snake, performance_impact Low, updated_at 2017_09_15;)

alert tcp $HOME_NET any -> any any (msg:"ET TROJAN SuperCMD CnC Beacon"; flow:established,to_server; content:"windows update "; depth:15; pcre:"/^[A-F0-9]+\x00/R"; metadata: former_category TROJAN; reference:md5,816db8a1916201309d2a24b4a745305b; reference:url,blogs.rsa.com/supercmd-rat/; classtype:trojan-activity; sid:2024273; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2017_05_04, performance_impact Low, updated_at 2017_05_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [443,7080,8080] (msg:"ET TROJAN W32/Emotet CnC Beacon 1"; flow:established,to_server; content:"GET / HTTP/1.1|0D 0A|Cookie|3A|"; depth:23; fast_pattern; content:"User-Agent|3A| Mozilla/5.0 (compatible|3B| MSIE 8.0|3B| Windows NT 5.1|3B| SLCC1|3B| .NET CLR 1.1.4322)|0D 0A|Host|3A|"; distance:0; pcre:"/Cookie\:\ [A-Za-z0-9]{3,4}=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$/Smi"; metadata: former_category TROJAN; reference:url,blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1; reference:url,www.cyphort.com/emotet-cookies-c2-fakes-404/; reference:url,blogs.forcepoint.com/security-labs/new-variant-geodoemotet-banking-malware-targets-uk; reference:md5,21542133a586782e7c2fa4286d98fd73; classtype:trojan-activity; sid:2024274; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_04, performance_impact Moderate, updated_at 2017_05_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [443,7080,8080] (msg:"ET TROJAN W32/Emotet CnC Beacon 2"; flow:established,to_server; content:"GET / HTTP/1.1|0D 0A|Cookie|3A|"; depth:23; fast_pattern; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Win32|3B| Trident/4.0)|0D 0A|Host|3A|"; distance:0; pcre:"/Cookie\:\ [A-Za-z0-9]{3,4}=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$/Smi"; metadata: former_category TROJAN; reference:url,blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1; reference:url,www.cyphort.com/emotet-cookies-c2-fakes-404/; reference:url,blogs.forcepoint.com/security-labs/new-variant-geodoemotet-banking-malware-targets-uk; reference:md5,21542133a586782e7c2fa4286d98fd73; classtype:trojan-activity; sid:2024275; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_04, performance_impact Moderate, updated_at 2017_05_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MSIL/OzazaLocker Ransomware CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?key="; http_uri; fast_pattern; content:"&value="; http_uri; distance:0; content:"|20|HTTP/1.1|0d 0a|Host|3a|"; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,e8c6d686249fc3c6df3dc88ea2cddf02; classtype:trojan-activity; sid:2024276; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_04, malware_family OzazaLocker, performance_impact Moderate, updated_at 2017_05_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MSIL/NewHT Ransomware CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?computerName="; http_uri; fast_pattern; content:"&userName="; http_uri; distance:0; content:"&key="; http_uri; distance:0; content:"&id="; http_uri; distance:0; content:"&time="; http_uri; distance:0; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,2e0ebb7a21d16ab6fa908f74bee260d6; classtype:trojan-activity; sid:2024280; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_05, malware_family Ransomware, malware_family NewHT, performance_impact Moderate, updated_at 2017_05_05;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Known Hostile Domain ant.trenz .pl Lookup"; content:"|03|ant|05|trenz|02|pl|00|"; nocase; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024281; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_08, performance_impact Moderate, updated_at 2017_05_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN OSX/Proton.B DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|handbrake|03|biz|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,objective-see.com/blog/blog_0x1D.html; classtype:trojan-activity; sid:2024284; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, created_at 2017_05_09, malware_family OSX_Proton, performance_impact Low, updated_at 2017_05_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN OSX/Proton.B Domain in SNI"; flow:established,to_server; content:"|00 00 0d|handbrake.biz"; fast_pattern:only; nocase; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024285; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_09, performance_impact Moderate, updated_at 2017_07_28;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Turla SHIRIME DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|tnsc|0b|webredirect|03|org|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html; classtype:trojan-activity; sid:2024286; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT, tag 0day, created_at 2017_05_09, malware_family Turla, malware_family SHIRIME, performance_impact Low, updated_at 2017_05_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Jaff Ransomware Checkin"; flow:to_server,established; content:"GET"; http_method; content:"Host|3a 20|fkksjobnn43.org|0d 0a 0d 0a|"; fast_pattern:only; metadata: former_category TROJAN; reference:url,blogs.forcepoint.com/security-labs/jaff-enters-ransomware-scene-locky-style; reference:md5,942c6a039724ed5326c3c247bfce3461; classtype:trojan-activity; sid:2024288; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2017_05_11, malware_family Jaff_Ransomware, updated_at 2017_05_11;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to Jaff Domain (fkksjobnn43 . org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|fkksjobnn43|03|org|00|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:md5,924c84415b775af12a10366469d3df69; reference:url,blog.dynamoo.com/2017/05/malware-spam-with-nmpdf-attachment.html; classtype:trojan-activity; sid:2024289; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2017_05_11, malware_family Jaff_Ransomware, performance_impact Low, updated_at 2017_05_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Jaff Ransomware Checkin M1"; flow:to_server,established; urilen:4; content:"GET"; http_method; content:"/a5/"; fast_pattern; http_uri; content:"Host|3a 20|"; depth:6; http_header; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Connection|3a 20|"; http_header; content:!"Referer|3a|"; http_header; content:!"Cache-Control|3a|"; http_header; content:"GET /a5/ HTTP/1."; depth:16; content:"|0d 0a|Host|3a 20|"; distance:1; within:8; pcre:"/^[a-z0-9\-\.]+?\x0d\x0a\x0d\x0a$/R"; metadata: former_category TROJAN; reference:md5,924c84415b775af12a10366469d3df69; reference:url,blog.dynamoo.com/2017/05/malware-spam-with-nmpdf-attachment.html; classtype:trojan-activity; sid:2024290; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2017_05_11, malware_family Jaff_Ransomware, performance_impact Low, updated_at 2017_05_11;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible WannaCry DNS Lookup 1"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|29|iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"; distance:0; nocase; fast_pattern; content:"|00|"; within:7; metadata: former_category TROJAN; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024291; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Critical, created_at 2017_05_12, malware_family wannacry, updated_at 2017_05_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible WannaCry DNS Lookup 2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|29|ifferfsodp9ifjaposdfjhgosurijfaewrwergwea"; distance:0; nocase; fast_pattern; content:"|00|"; within:7; metadata: former_category TROJAN; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024293; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Critical, created_at 2017_05_14, malware_family wannacry, performance_impact Moderate, updated_at 2017_05_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible WannaCry DNS Lookup 3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|29|ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf"; distance:0; nocase; fast_pattern; content:"|00|"; within:7; metadata: former_category TROJAN; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024294; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Critical, created_at 2017_05_15, malware_family wannacry, performance_impact Moderate, updated_at 2017_05_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible WannaCry DNS Lookup 4"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|29|iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea"; distance:0; nocase; fast_pattern; content:"|00|"; within:7; metadata: former_category TROJAN; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024295; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Critical, created_at 2017_05_16, malware_family wannacry, performance_impact Moderate, updated_at 2017_05_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible WannaCry DNS Lookup 5"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|29|iuqerfsodp9ifjaposdfjhgosurijfaewrwergweb"; distance:0; nocase; fast_pattern; content:"|00|"; within:7; metadata: former_category TROJAN; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024296; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Critical, created_at 2017_05_16, malware_family wannacry, performance_impact Moderate, updated_at 2017_05_18;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN MSIL/May Ransomware SSL Cert Observed"; flow:established,from_server; content:"|55 04 03|"; content:"|13|mayofware.solutions"; distance:1; within:20; metadata: former_category TROJAN; reference:md5,9bee9fbe8c87f491ed31e94bb0c2e06f; classtype:trojan-activity; sid:2024304; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_16, malware_family May, performance_impact Low, updated_at 2017_05_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1"; flow:established,to_server; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"; http_header; fast_pattern:only; pcre:"/Host\x3a\x20[^\s]*iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea\.[a-z]{2,5}\x0d\x0a/Hi"; metadata: former_category TROJAN; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024298; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Critical, created_at 2017_05_16, malware_family wannacry, performance_impact Low, updated_at 2017_05_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2"; flow:established,to_server; content:"ifferfsodp9ifjaposdfjhgosurijfaewrwergwea"; http_header; fast_pattern:only; pcre:"/Host\x3a\x20[^\s]*ifferfsodp9ifjaposdfjhgosurijfaewrwergwea\.[a-z]{2,5}\x0d\x0a/Hi"; metadata: former_category TROJAN; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024299; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Critical, created_at 2017_05_16, malware_family wannacry, performance_impact Low, updated_at 2017_05_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 3"; flow:established,to_server; content:"ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf"; http_header; fast_pattern:only; pcre:"/Host\x3a\x20[^\s]*ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf\.[a-z]{2,5}\x0d\x0a/Hi"; metadata: former_category TROJAN; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024300; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Critical, created_at 2017_05_16, malware_family wannacry, performance_impact Low, updated_at 2017_05_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4"; flow:established,to_server; content:"iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea"; http_header; fast_pattern:only; pcre:"/Host\x3a\x20[^\s]*iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea\.[a-z]{2,5}\x0d\x0a/Hi"; metadata: former_category TROJAN; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024301; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Critical, created_at 2017_05_16, malware_family wannacry, performance_impact Low, updated_at 2017_05_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5"; flow:established,to_server; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergweb"; http_header; fast_pattern:only; pcre:"/Host\x3a\x20[^\s]*iuqerfsodp9ifjaposdfjhgosurijfaewrwergweb\.[a-z]{2,5}\x0d\x0a/Hi"; metadata: former_category TROJAN; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024302; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Critical, created_at 2017_05_16, malware_family wannacry, performance_impact Low, updated_at 2017_05_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MWI Maldoc Load Payload"; flow:established,to_server; content:"&act="; http_uri; fast_pattern:only; pcre:"/\?id=\d+&act=[12]$/U"; content:!".money-media.com|0d 0a|"; nocase; http_header; content:!"Referer|3a|"; content:!"Cookie|3a|"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024306; rev:1; metadata:affected_product MS_Office, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_17, performance_impact Low, updated_at 2017_05_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MWI Maldoc Posting Host Data"; flow:established,to_server; content:"POST"; http_method; content:"&act="; http_uri; fast_pattern:only; pcre:"/\?id=\d+&act=\d$/U"; content:!".money-media.com|0d 0a|"; nocase; http_header; content:!"Referer|3a|"; content:!"Cookie|3a|"; content:"rprt="; http_client_body; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024307; rev:1; metadata:affected_product MS_Office, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_17, performance_impact Low, updated_at 2017_05_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LokiBot Cryptocurrency Wallet Exfiltration Detected"; flow:established,to_server; content:"POST"; http_method; content:"(Charon|3b 20|Inferno)"; http_header; content:"|00 26 00|"; offset:1; depth:3; http_client_body; pcre:"/^[\x00-\x01]\x00.\x00{3}/R"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024311; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_17, malware_family lokibot, updated_at 2018_04_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1"; flow:established,to_server; content:"POST"; http_method; content:"(Charon|3b 20|Inferno)"; http_header; content:"|00 27 00|"; offset:1; depth:3; http_client_body; pcre:"/^[\x00-\x01]\x00.\x00{3}/R"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024312; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_17, malware_family lokibot, updated_at 2018_04_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LokiBot Request for C2 Commands Detected M1"; flow:established,to_server; content:"POST"; http_method; content:"(Charon|3b 20|Inferno)"; http_header; content:"|00 28 00|"; offset:1; depth:3; http_client_body; pcre:"/^[\x00-\x01]\x00.\x00{3}/R"; flowbits:set,ET.LokiBot; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024313; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_17, malware_family lokibot, updated_at 2018_04_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LokiBot File Exfiltration Detected"; flow:established,to_server; content:"POST"; http_method; content:"(Charon|3b 20|Inferno)"; http_header; content:"|00 29 00|"; offset:1; depth:3; http_client_body; pcre:"/^[\x00-\x01]\x00.\x00{3}/R"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024314; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_17, malware_family lokibot, updated_at 2018_04_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LokiBot Keylogger Data Exfiltration Detected M1"; flow:established,to_server; content:"POST"; http_method; content:"(Charon|3b 20|Inferno)"; http_header; content:"|00 2b 00|"; offset:1; depth:3; http_client_body; pcre:"/^[\x00-\x01]\x00.\x00[\x00-\x01]\x00.\x00.{4}\x01\x00.\x00{3}.{48}\x05\x00{3}/R"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024315; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_17, malware_family lokibot, updated_at 2018_04_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LokiBot Screenshot Exfiltration Detected"; flow:established,to_server; content:"POST"; http_method; content:"(Charon|3b 20|Inferno)"; http_header; content:"|00 2c 00|"; offset:1; depth:3; http_client_body; pcre:"/^[\x00-\x01]\x00.\x00{3}/R"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024316; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_17, malware_family lokibot, updated_at 2018_04_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2"; flow:established,to_server; content:"POST"; http_method; content:"Content-Key|3a 20|"; http_header; content:"|0d 0a|"; distance:8; within:2; http_header; content:"|00 27 00|"; offset:1; depth:3; http_client_body; pcre:"/^[\x00-\x01]\x00.\x00{3}/R"; content:!"Referer|3a|"; http_header; pcre:"/^User-Agent\x3a\x20[^\r\n]+\r\nHost\x3a\x20[^\r\n]+\r\nAccept\x3a\x20[^\r\n]+\r\nContent-Type\x3a\x20application\x2foctet-stream\r\nContent-Encoding\x3a\x20binary\r\nContent-Key\x3a\x20[A-Z0-9]{8}\r\n/Hi"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024317; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_17, malware_family lokibot, updated_at 2018_04_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LokiBot Request for C2 Commands Detected M2"; flow:established,to_server; content:"POST"; http_method; content:"Content-Key|3a 20|"; http_header; content:"|0d 0a|"; distance:8; within:2; http_header; content:"|00 28 00|"; offset:1; depth:3; http_client_body; pcre:"/^[\x00-\x01]\x00.\x00{3}/R"; content:!"Referer|3a|"; http_header; pcre:"/^User-Agent\x3a\x20[^\r\n]+\r\nHost\x3a\x20[^\r\n]+\r\nAccept\x3a\x20[^\r\n]+\r\nContent-Type\x3a\x20application\x2foctet-stream\r\nContent-Encoding\x3a\x20binary\r\nContent-Key\x3a\x20[A-Z0-9]{8}\r\nContent-Length\x3a\x20[^\r\n]+\r\nConnection\x3a\x20close/Hi"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024318; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_17, malware_family lokibot, updated_at 2018_04_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LokiBot Keylogger Data Exfiltration Detected M2"; flow:established,to_server; content:"POST"; http_method; content:"Content-Key|3a 20|"; http_header; content:"|0d 0a|"; distance:8; within:2; http_header; content:"|00 2b 00|"; offset:1; depth:3; http_client_body; pcre:"/^[\x00-\x01]\x00.\x00[\x00-\x01]\x00.\x00.{4}\x01\x00.\x00{3}.{48}\x05\x00{3}/R"; content:!"Referer|3a|"; http_header; pcre:"/^User-Agent\x3a\x20[^\r\n]+\r\nHost\x3a\x20[^\r\n]+\r\nAccept\x3a\x20[^\r\n]+\r\nContent-Type\x3a\x20application\x2foctet-stream\r\nContent-Encoding\x3a\x20binary\r\nContent-Key\x3a\x20[A-Z0-9]{8}\r\n/Hi"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024319; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_17, malware_family lokibot, updated_at 2018_04_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MSIL/EasyLocker Ransomware CnC Activity"; flow:established,to_server; content:"GET"; http_method; content:"Host|3a 20|noobcrypt"; fast_pattern; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/(?:countdown|check)\/[a-f0-9]{30,45}\/(?:[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})?$/Ui"; metadata: former_category TROJAN; reference:md5,980342a5a783d7f6ce188c575d9ca97a; classtype:trojan-activity; sid:2024320; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_18, malware_family Ransomware, malware_family EasyLocker, performance_impact Moderate, updated_at 2017_05_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/ASPC Bot CnC Checkin M1"; flow:established,to_server; content:"GET"; http_method; content:".php?key="; http_uri; content:"&string="; http_uri; distance:0; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/\.php\?key=[^\r\n]+&string=[^\r\n]+?(?:(?:\x3a\x3a|3A3A)[^\x3a]+?){5,}$/Ui"; metadata: former_category TROJAN; reference:md5,15167239effdfb68bb10467eeea2f24d; classtype:trojan-activity; sid:2024322; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_18, malware_family ASPC_Bot, performance_impact Moderate, updated_at 2017_05_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/ASPC Bot CnC Checkin M2"; flow:established,to_server; content:"POST"; http_method; content:".php?key="; http_uri; fast_pattern; content:"&string="; http_uri; distance:0; content:"User-Agent|3a 20|Mozilla/"; http_header; content:!"Referer|3a|"; http_header; content:"key="; http_client_body; depth:4; content:"&string="; http_client_body; distance:0; pcre:"/\.php\?key=[^\r\n]+&string=[^\r\n]+?(?:\x3a\x3a[^\x3a]+?){5,}$/Ui"; metadata: former_category TROJAN; reference:md5,15167239effdfb68bb10467eeea2f24d; classtype:trojan-activity; sid:2024321; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_18, malware_family ASPC_Bot, performance_impact Moderate, updated_at 2017_05_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN UIWIX Ransomware .onion Payment Domain (4ujngbdqqm6t2c53)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|4ujngbdqqm6t2c53"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024323; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_22, malware_family Ransomware, malware_family UIWIX, performance_impact Low, updated_at 2017_05_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Spora Ransomware DNS Query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|spora|02|li|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/; reference:md5,906c51a18073112c4479b3fe4ea329ca; classtype:trojan-activity; sid:2024324; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_22, performance_impact Moderate, updated_at 2017_05_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MalDoc Retrieving Payload May 23 2017 2"; flow:established,to_server; content:"GET"; http_method; content:!"|2e|"; http_uri; content:"User-Agent|3a 20 22|Mozilla/5.2 (Windows NT 6.2|3b| rv|3a|50.2) Gecko/20200103 Firefox/50.2|22 0d 0a|"; http_header; fast_pattern:12,20; content:!"Referer|3A|"; http_header; metadata: former_category TROJAN; reference:md5,502cb33a03c29a96a4c32ec26dce5395; classtype:trojan-activity; sid:2024325; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_23, malware_family Dridex, performance_impact Moderate, updated_at 2017_05_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT32 Komprogo DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|check|0b|paidprefund|03|org|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html; classtype:trojan-activity; sid:2024330; rev:2; metadata:created_at 2017_05_25, updated_at 2017_05_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT32 Komprogo DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|syn|07|timeizu|03|net|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html; classtype:trojan-activity; sid:2024331; rev:2; metadata:created_at 2017_05_25, updated_at 2017_05_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT32 Komprogo DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|blog|08|docksugs|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html; classtype:trojan-activity; sid:2024332; rev:1; metadata:created_at 2017_05_25, updated_at 2017_05_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT32 Komprogo DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|news|0a|lightpress|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html; classtype:trojan-activity; sid:2024333; rev:1; metadata:created_at 2017_05_25, updated_at 2017_05_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT32 Komprogo DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|mobile|0a|pagmobiles|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html; classtype:trojan-activity; sid:2024334; rev:1; metadata:created_at 2017_05_25, updated_at 2017_05_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Observed GET Request to Jaff Domain (orhangazitur . com)"; flow:to_server,established; content:"GET"; http_method; content:"Host|3a 20|orhangazitur.com|0d 0a|"; fast_pattern:only; metadata: former_category TROJAN; reference:md5,51cf3452feb218a4b1295cebf3b2130e; classtype:trojan-activity; sid:2024338; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_31, malware_family Jaff_Ransomware, performance_impact Moderate, updated_at 2017_09_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to Jaff Domain (orhangazitur . com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|orhangazitur|03|com|00|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:md5,51cf3452feb218a4b1295cebf3b2130e; classtype:trojan-activity; sid:2024339; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_31, malware_family Jaff_Ransomware, performance_impact Moderate, updated_at 2017_05_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Jaff Ransomware Checkin"; flow:to_server,established; content:"GET"; http_method; content:"Host|3a 20|comboratiogferrdto.com|0d 0a|"; fast_pattern:only; metadata: former_category TROJAN; reference:url,blogs.forcepoint.com/security-labs/jaff-enters-ransomware-scene-locky-style; reference:md5,51cf3452feb218a4b1295cebf3b2130e; classtype:trojan-activity; sid:2024340; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_31, malware_family Jaff_Ransomware, performance_impact Moderate, updated_at 2017_05_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to Jaff Domain (comboratiogferrdto . com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|comboratiogferrdto|03|com|00|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:md5,51cf3452feb218a4b1295cebf3b2130e; reference:url,blog.dynamoo.com/2017/05/malware-spam-with-nmpdf-attachment.html; classtype:trojan-activity; sid:2024341; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_31, malware_family Jaff_Ransomware, performance_impact Moderate, updated_at 2017_05_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Fireball Activity"; flow:established,to_server; content:"GET"; http_method; content:"?clients="; http_uri; content:"&reqs=visit."; http_uri; distance:0; content:"User-Agent|3a 20|RookIE/"; http_header; fast_pattern; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:url,blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection; reference:md5,69ffdf99149d19be7dc1c52f33aaa651; classtype:trojan-activity; sid:2024348; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_02, malware_family Fireball, performance_impact Moderate, updated_at 2017_06_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,2525,587] (msg:"ET TROJAN Executioner Ransomware Reporting Infection via SMTP "; flow:established,to_server; dsize:<40; content:"DECRYPT CODE|20 3a 20 20 20 20 20 20 20|"; fast_pattern; depth:21; metadata: former_category TROJAN; reference:md5,eec4f84d12139add6d6ebf3b8c72fff7; classtype:trojan-activity; sid:2024351; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_06, malware_family Ransomware, malware_family Executioner, performance_impact Moderate, updated_at 2017_06_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MSIL/Unk.HT-Based Ransomware CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"hostname=csharp-"; http_client_body; depth:16; fast_pattern; content:"&enckey="; http_client_body; distance:0; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,2aa11c090fd0737e52cd532418c1211e; classtype:trojan-activity; sid:2024352; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_06, malware_family Ransomware, malware_family Hidden_Tear, performance_impact Moderate, updated_at 2017_06_06;)

alert icmp any any -> any any (msg:"ET TROJAN OpenSSH in ICMP Payload - Possible Covert Channel"; itype:8; icode:0; content:"openssh"; nocase; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024366; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_08, performance_impact Moderate, updated_at 2017_06_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PLATINUM Dipsind CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"ud7LDjtsTHe2tWeC8DYo8A**"; http_client_body; fast_pattern; metadata: former_category TROJAN; reference:md5,0cc901350eaffb8f84b920691460921f; classtype:trojan-activity; sid:2024369; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT, tag PLATINUM, signature_severity Major, created_at 2017_06_09, malware_family Dipsind, malware_family PLATINUM, performance_impact Low, updated_at 2017_06_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Spectre Ransomware CnC Checkin"; flow:established,to_server; content:".php?mode="; http_uri; content:"&crypted="; http_uri; distance:0; content:"&id="; http_uri; distance:0; content:"User-Agent|3a 20|Mozilla/4.0|0d 0a|"; http_header; fast_pattern:5,20; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,e8af7ef13b6ced37d08dce0f747d7d8b; classtype:trojan-activity; sid:2024373; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_09, malware_family Ransomware, malware_family Spectre, performance_impact Moderate, updated_at 2017_06_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN X-Malware-Sinkhole Header in HTTP Response"; flow:from_server,established; content:"X-Malware-Sinkhole|3a 20|"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024378; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_13, performance_impact Moderate, updated_at 2017_06_13;)

alert tcp any any -> any any  (msg:"ET TROJAN DPRK HIDDEN COBRA DDoS Handshake Success"; dsize:6; flow:established,to_server; content:"|18 17 e9 e9 e9 e9|"; fast_pattern; metadata: former_category TROJAN; reference:url,www.us-cert.gov/ncas/alerts/TA17-164A; classtype:trojan-activity; sid:2024382; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_14, updated_at 2017_06_15;)

alert tcp any any -> any any  (msg:"ET TROJAN DPRK HIDDEN COBRA Botnet C2 Host Beacon"; flow:established,to_server; content:"|1b 17 e9 e9 e9 e9|"; depth:6; fast_pattern; metadata: former_category TROJAN; reference:url,www.us-cert.gov/ncas/alerts/TA17-164A; classtype:trojan-activity; sid:2024383; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_14, updated_at 2017_06_15;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (secure-access10 .mx)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|secure-access10|02|mx|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,citizenlab.org/2017/06/reckless-exploit-mexico-nso/; classtype:trojan-activity; sid:2024405; rev:1; metadata:deployment Perimeter, tag Targeted, tag APT, signature_severity Major, created_at 2017_06_19, malware_family Pegasus, performance_impact Low, updated_at 2017_06_19;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (network190 .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|network190|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,citizenlab.org/2017/06/reckless-exploit-mexico-nso/; classtype:trojan-activity; sid:2024406; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Targeted, tag APT, signature_severity Major, created_at 2017_06_19, malware_family Pegasus, performance_impact Low, updated_at 2017_06_19;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (mymensaje-sms .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|mymensaje-sms|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,citizenlab.org/2017/06/reckless-exploit-mexico-nso/; classtype:trojan-activity; sid:2024407; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_19, performance_impact Moderate, updated_at 2017_06_19;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (smscentro .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|smscentro|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,citizenlab.org/2017/06/reckless-exploit-mexico-nso/; classtype:trojan-activity; sid:2024408; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Targeted, tag APT, signature_severity Major, created_at 2017_06_19, malware_family Pegasus, performance_impact Low, updated_at 2017_06_19;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (ideas-telcel .com.mx)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|ideas-telcel|03|com|02|mx|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,citizenlab.org/2017/06/reckless-exploit-mexico-nso/; classtype:trojan-activity; sid:2024409; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Targeted, tag APT, signature_severity Major, created_at 2017_06_19, malware_family Pegasus, performance_impact Low, updated_at 2017_06_19;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Pegasus Related DNS Lookup (twiitter .com.mx)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|twiitter|03|com|02|mx|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,citizenlab.org/2017/06/reckless-exploit-mexico-nso/; classtype:trojan-activity; sid:2024410; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Targeted, tag APT, signature_severity Major, created_at 2017_06_19, malware_family Pegasus, performance_impact Low, updated_at 2017_06_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fake Windows Scam ScreenLocker"; flow:established,to_server; content:"GET"; http_method; content:"/lock.php"; http_uri; content:"User-Agent|3a 20|MyAgent|0d 0a|"; http_header; fast_pattern:1,20; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/lock\.php$/Ui"; metadata: former_category TROJAN; reference:md5,6443d8351f5ed62836003f103d8de20e; classtype:trojan-activity; sid:2024417; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_20, malware_family Screenlocker, performance_impact Moderate, updated_at 2017_06_20;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN DragonOK KHRAT Downloader Receiving Payload"; flow:established,from_server; file_data; content:".DAT,K1|22 0d 0a|fso"; metadata: former_category TROJAN; reference:md5,404518f469a0ca85017136b6b5166ae3; classtype:trojan-activity; sid:2024418; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Targeted, tag APT, tag CNAPT, signature_severity Major, created_at 2017_06_20, malware_family DragonOK, malware_family KHRAT, performance_impact Low, updated_at 2017_06_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FF-RAT Stage 1 CnC Checkin"; flow:to_server,established; content:"POST|20|/"; depth:6; content:".php?hdr_ctx="; distance:0; within:50; fast_pattern; pcre:"/^[0-9]{1,5}_[0-9]{1,5}\x20HTTP\/1\.1\x0d\x0a/R"; content:"|0d 0a|User-Agent|3a 20|Mozilla/5.0|0d 0a|"; distance:0; within:100; content:!"Referer|3a|"; metadata: former_category TROJAN; reference:url,www.cylance.com/en_us/blog/breaking-down-ff-rat-malware.html; classtype:trojan-activity; sid:2024419; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_22, performance_impact Moderate, updated_at 2017_06_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MalDoc Retrieving Malicious Payload (Possibly Ursnif)"; flow:established,to_server; content:".bin"; http_uri; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Microsoft BITS/"; http_header; fast_pattern:7,20; content:"Accept|3a 20|*/*|0d 0a|"; http_header; content:!"microsoft.com|0d 0a|"; http_header; content:!"pdfcomplete.com|0d 0a|"; http_header; content:!"mymitchell.com|0d 0a|"; http_header; content:!"azureedge.net|0d 0a|"; http_header; pcre:"/\.bin$/U"; metadata: former_category TROJAN; reference:md5,dbba37d4aec066a525f9cf3d9bdb27d8; classtype:trojan-activity; sid:2024420; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Microsoft_Word, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_23, performance_impact Moderate, updated_at 2018_02_22;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN x0Proto File Contents Exfil Request"; flow:established,from_server; dsize:9; content:"DLOAD|0c|1|0c|1"; depth:9; reference:md5,3d5a4b51ff4ad8534873e02720aeff34; classtype:trojan-activity; sid:2024423; rev:1; metadata:created_at 2017_06_23, updated_at 2017_06_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN x0Proto File Info Request"; flow:established,from_server; dsize:8; content:"REQF|0c|1|0c|1"; depth:8; reference:md5,3d5a4b51ff4ad8534873e02720aeff34; classtype:trojan-activity; sid:2024424; rev:1; metadata:created_at 2017_06_23, updated_at 2017_06_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX OceanLotus Checkin"; flow:established,to_server; content:"|41 61 54 03|"; offset:1; depth:4; fast_pattern; content:"|63 63 63 63 63 63 63 63|"; distance:0; metadata: former_category TROJAN; reference:md5,researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/; classtype:trojan-activity; sid:2024425; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, tag Targeted, tag APT, tag OceanLotus, tag OSX, created_at 2017_06_26, malware_family OceanLotus, performance_impact Low, updated_at 2017_06_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Naoinstalad Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?MD="; http_uri; fast_pattern; content:"Naoinstalado"; http_uri; nocase; content:!"Mozilla"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; metadata: former_category TROJAN; reference:md5,f136f9ec7f7f8cb1a12a9b835183be59; reference:url,www.malware-traffic-analysis.net/2017/06/08/index.html; classtype:trojan-activity; sid:2024427; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_26, performance_impact Moderate, updated_at 2017_06_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Win32/Parite.B Checkin 3"; flow:to_server,established; dsize:>1000; content:"|00 00 00 00 9c 00 00 00 06 00 00 00 01 00 00 00|"; offset:0; depth:16; content:"|b1 1d 00 00 02 00 00 00|"; distance:0; metadata: former_category TROJAN; reference:md5,d10d6d2a29dd27b44e015dd6bf4cb346; classtype:trojan-activity; sid:2024429; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, deployment Internet, signature_severity Major, created_at 2017_06_27, malware_family Parite, performance_impact Moderate, updated_at 2017_07_17;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (HiddenTear Variant CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|wwecuador.com"; distance:1; within:14; metadata: former_category TROJAN; reference:md5,02c1da1c668ac71995f56c2c198d7d73; classtype:trojan-activity; sid:2024433; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_28, malware_family Ransomware, malware_family Hidden_Tear, performance_impact Low, updated_at 2017_06_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Formbook 0.3 Checkin"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent|3a 20|Mozilla"; http_header; content:"dat="; depth:4; http_client_body; nocase; fast_pattern; pcre:"/^dat=[a-z0-9_/+-]{1000,}/Pi"; metadata: former_category TROJAN; reference:md5,6886a2ebbde724f156a8f8dc17a6639c; classtype:trojan-activity; sid:2024436; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_29, malware_family Password_Stealer, updated_at 2017_11_07;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (Locky C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iuieylpvfurcvmpk"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2024437; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_29, updated_at 2017_06_29;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (Locky C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cpawdrtxfjkwrkkl"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2024438; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_29, updated_at 2017_06_29;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qfjhpgbefuhenjp7"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2024439; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2017_06_29, malware_family Ransomware, malware_family Cerber, performance_impact Low, updated_at 2017_06_29;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xpcx6erilkjced3j"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2024440; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2017_06_29, malware_family Ransomware, malware_family Cerber, performance_impact Low, updated_at 2017_06_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown CnC"; flow:to_server,established; content:"POST"; http_method; urilen:7; content:"tinba/"; http_uri; fast_pattern; content:"User-Agent|3a 20|Mozilla/5.0|28|compatible|3b| MSIE 10.0|3b| Windows NT 6.1|3b| Trident|2f|6.0|29|"; http_header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; reference:md5,d360ee49950e7da3978379494667260c; classtype:trojan-activity; sid:2024441; rev:1; metadata:created_at 2017_07_05, updated_at 2017_07_05;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Tinba Banker CnC Response"; flow:established,from_server; file_data; content:"|00 00 00 00 48 65 61 44|"; depth:8; fast_pattern; content:"|00 00|"; distance:0; within:5; metadata: former_category TROJAN; reference:md5,d360ee49950e7da3978379494667260c; classtype:trojan-activity; sid:2024442; rev:2; metadata:created_at 2017_07_05, updated_at 2017_07_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Win32/Petya Conn Check"; flow:established,to_server; urilen:1; content:"User-Agent|3a| Mozilla/5.0 (Windows NT 6.1|3b| WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36"; http_header; fast_pattern:94,20; content:!"Accept"; http_header; content:!"Referer|3a 20|"; http_header; content:"Host|3a 20|myip.com.ua|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,twitter.com/V_Baczynski/status/881051849700364288; classtype:trojan-activity; sid:2024443; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_05, performance_impact Moderate, updated_at 2017_07_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Quant Loader Download Request"; flow:to_server,established; content:"GET"; http_method; content:".php?id="; http_uri; fast_pattern; content:"&c="; distance:0; nocase; http_uri; content:"&mk="; distance:0; nocase; http_uri; content:"&il="; distance:0; nocase; http_uri; content:"&vr="; distance:0; nocase; http_uri; content:"&bt="; distance:0; nocase; http_uri; content:!"Referer"; http_header; content:!"Cookie|3a|"; threshold: type limit, track by_src, count 1, seconds 30; metadata: former_category TROJAN; reference:md5,23646295E98BD8FA022299374E4F76E0; classtype:trojan-activity; sid:2024452; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_10, performance_impact Moderate, updated_at 2018_04_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CoinMiner Known Malicious Stratum Authline (2017-07-11 1)"; flow:established,to_server; dsize:<120; content:"|22|login|22 3a|"; content:"|22|slavf1@yandex.ru|22|"; distance:0; fast_pattern; content:"|22|pass|22|"; distance:0; content:"|22|XMRig/"; metadata: former_category TROJAN; reference:md5,4bc4b071d9a7e482f3ecf8b2cbe10873; classtype:trojan-activity; sid:2024454; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_11, malware_family CoinMiner, performance_impact Moderate, updated_at 2017_07_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MSIL/Unk.Stealer Data Exfil Via HTTP"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"Content-Type|3a 20|multipart/form-data|3b 20|boundary="; http_header; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|"; http_client_body; fast_pattern:32,20; pcre:"/^(?:(?:Passwords|PCinformation)\.txt|(?:Data|GrabbedTxtFiles)\.zip)\x22\r\n/Ri"; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,4bc4b071d9a7e482f3ecf8b2cbe10873; classtype:trojan-activity; sid:2024455; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_11, malware_family Unknown, performance_impact Moderate, updated_at 2017_07_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dragonfly Backdoor.Goodor Go Implant CnC Beacon 1"; flow:established,to_server; content:"GET"; http_method; content:"."; http_uri; content:"?"; distance:3; within:2; http_uri; content:"="; distance:3; within:1; http_uri; content:"&"; distance:32; within:1; http_uri; content:!"Referer|3a|"; http_header; content:"Go-http-client/1.1|0d 0a|"; http_header; pcre:"/\.(?:aspx|txt)\?[a-z0-9]{3}=[a-f0-9]{32}&[a-z0-9]{3}=[^&]+&[a-z0-9]{3}=[a-f0-9]{32}$/U"; metadata: former_category TROJAN; reference:md5,8943e71a8c73b5e343aa9d2e19002373; classtype:trojan-activity; sid:2024894; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Targeted, signature_severity Critical, created_at 2017_07_12, performance_impact Moderate, updated_at 2017_10_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Winnti-related DNS Lookup (vps2java .securitytactics .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|vps2java|0f|securitytactics|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,www.protectwise.com/blog/winnti-evolution-going-open-source.html; classtype:trojan-activity; sid:2024456; rev:2; metadata:created_at 2017_07_12, updated_at 2017_07_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Winnti-related DNS Lookup (job .yoyakuweb .technology)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|job|09|yoyakuweb|0a|technology|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,www.protectwise.com/blog/winnti-evolution-going-open-source.html; classtype:trojan-activity; sid:2024457; rev:2; metadata:created_at 2017_07_12, updated_at 2017_07_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Winnti-related DNS Lookup (resume .immigrantlol .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|resume|0c|immigrantlol|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.protectwise.com/blog/winnti-evolution-going-open-source.html; classtype:trojan-activity; sid:2024458; rev:1; metadata:created_at 2017_07_12, updated_at 2017_07_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Winnti-related DNS Lookup (macos .exoticlol .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|macos|09|exoticlol|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,www.protectwise.com/blog/winnti-evolution-going-open-source.html; classtype:trojan-activity; sid:2024459; rev:2; metadata:created_at 2017_07_12, updated_at 2017_07_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Winnti-related DNS Lookup (css .google-statics .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|css|0e|google-statics|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.protectwise.com/blog/winnti-evolution-going-open-source.html; classtype:trojan-activity; sid:2024460; rev:1; metadata:created_at 2017_07_12, updated_at 2017_07_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LockPOS CnC"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent|3a 20|lock|0d 0a|"; fast_pattern; http_header; content:"|00 00 00|"; offset:1; depth:3; http_client_body; metadata: former_category TROJAN; reference:md5,0ad35a566cfb60959576835ede75983b; reference:url,www.arbornetworks.com/blog/asert/lockpos-joins-flock/; classtype:trojan-activity; sid:2024461; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag POS, tag LockPOS, signature_severity Major, created_at 2017_07_12, malware_family PoS, updated_at 2017_07_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Striked Ransomware CnC Checkin"; flow:established,to_server; content:"POST"; depth:4; content:".php|20|HTTP/1.1|0d 0a|Host|3a 20|"; distance:0; content:"|0d 0a|User-Agent|3a 20|python"; distance:0; fast_pattern; content:"|0d 0a 0d 0a|crid="; distance:0; content:"&dta="; distance:0; content:!"Referer|3a|"; reference:md5,80317e3194d8f7fd495b0bf06cae2295; classtype:trojan-activity; sid:2024465; rev:1; metadata:created_at 2017_07_13, updated_at 2017_07_13;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Observed DNS Query to Known Fenrir Ransomware CnC Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|fenrir-ransomware|0d|000webhostapp|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:md5,a5ecf27bfab7fbb1ace3ec9a390b23bd; classtype:trojan-activity; sid:2024467; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_13, malware_family Ransomware, malware_family Fenrir, performance_impact Low, updated_at 2017_07_13;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptON/Nemesis/X3M Ransomware Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wgxpsgshk3hbmyzb"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,twitter.com/benkow_/status/884322124504211456; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024516; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, tag Ransomware, signature_severity Major, created_at 2017_07_14, malware_family Crypton, malware_family Nemesis, performance_impact Low, updated_at 2017_08_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Observed Malicious DNS Query (Reyptson Ransomware CnC)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|37z2akkbd3vqphw5"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:md5,2f60c2dc9b89a78a450839ded2a1737a; classtype:trojan-activity; sid:2024469; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_17, malware_family Ransomware, malware_family Reyptson, performance_impact Low, updated_at 2017_07_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CoinMiner Known Malicious Stratum Authline (2017-07-17 7)"; flow:established,to_server; dsize:<120; content:"|22|login|22 3a|"; content:"|22|ownyaga@gmail.com|22|"; distance:0; fast_pattern; content:"|22|pass|22|"; distance:0; content:"|22|XMRig/"; metadata: former_category TROJAN; reference:md5,3b24a327e60ee77668d09e5b96e27dc8; classtype:trojan-activity; sid:2024471; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internet, signature_severity Major, created_at 2017_07_17, malware_family CoinMiner, performance_impact Moderate, updated_at 2017_07_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CDT Credphish/Netwire Campaign DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|bowenpres|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024472; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_18, performance_impact Moderate, updated_at 2017_07_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CDT Credphish/Netwire Campaign DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|bowenpress|03|net|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024473; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_18, performance_impact Moderate, updated_at 2017_07_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CDT Credphish/Netwire Campaign DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|bowenpress|03|org|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024474; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_18, performance_impact Moderate, updated_at 2017_07_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CDT Credphish/Netwire Campaign DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|bowenpross|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024475; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_18, performance_impact Moderate, updated_at 2017_07_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CDT Credphish/Netwire Campaign DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|datalink|03|one|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024476; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_18, performance_impact Moderate, updated_at 2017_07_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CDT Credphish/Netwire Campaign DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|secuerserver|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024477; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_18, performance_impact Moderate, updated_at 2017_07_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CDT Credphish/Netwire Campaign DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|epochatimes|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024478; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_18, performance_impact Moderate, updated_at 2017_07_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CDT Credphish/Netwire Campaign DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|vnews|02|hk|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024479; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_18, performance_impact Moderate, updated_at 2017_07_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Shifr Ransomware Malicious Domain in SNI Observed"; flow:to_server,established; content:"|00 00 19|v5t5z6a55ksmt3oh.onion"; metadata: former_category TROJAN; reference:md5,7a8c9fbfad9a817c0a10fed926f134c2; classtype:trojan-activity; sid:2024486; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_20, malware_family Shifr, performance_impact Moderate, updated_at 2017_07_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DarkHotel Downloader CnC Beacon 1"; flow:established,to_server; content:"GET"; http_method; content:"2.php?jpg="; http_uri; fast_pattern; content:!"&"; distance:0; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/[a-z]+2\.php\?jpg=[^&]+$/U"; metadata: former_category TROJAN; reference:url,labs.bitdefender.com/2017/07/inexsmar-an-unusual-darkhotel-campaign/; classtype:trojan-activity; sid:2024482; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Targeted, tag APT, tag DarkHotel, signature_severity Critical, created_at 2017_07_20, malware_family DarkHotel, performance_impact Low, updated_at 2017_07_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DarkHotel Downloader CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"name=|22|banner|22 0d 0a|"; http_client_body; fast_pattern; content:"name=|22|jpg|22 0d 0a|"; distance:0; http_client_body; content:"name=|22|userfile|22 3b 0d 0a|"; distance:0; http_client_body; metadata: former_category TROJAN; reference:url,labs.bitdefender.com/2017/07/inexsmar-an-unusual-darkhotel-campaign/; classtype:trojan-activity; sid:2024483; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Targeted, tag APT, tag DarkHotel, signature_severity Critical, created_at 2017_07_20, malware_family DarkHotel, performance_impact Low, updated_at 2017_07_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Observed Malicious Domain SSL Cert in SNI (Unknown Stealer CnC)"; flow:established,to_server; content:"|16|"; depth:1; content:"|01|"; distance:5; content:"|00 00 1b|4fp2u2ue4pyqdpfu"; fast_pattern; metadata: former_category TROJAN; reference:md5,2067d1cb1a25c6d6d371339fad9123ba; classtype:trojan-activity; sid:2024485; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_20, malware_family Unknown, performance_impact Moderate, updated_at 2017_07_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN LokiBot Related DNS query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|french-cooking|03|com|00|"; fast_pattern; nocase; distance:0; metadata: former_category TROJAN; reference:url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; classtype:trojan-activity; sid:2024487; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, signature_severity Major, created_at 2017_07_21, malware_family lokibot, performance_impact Low, updated_at 2017_08_04;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN LokiBot Related DNS query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|coffeinoffice|03|xyz|00|"; fast_pattern; nocase; distance:0; metadata: former_category TROJAN; reference:url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; classtype:trojan-activity; sid:2024488; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, signature_severity Major, created_at 2017_07_21, malware_family lokibot, performance_impact Low, updated_at 2017_08_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Bitshifter Ransomware CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?root="; http_uri; fast_pattern; content:"Accept|3a 20|text/plain|0d 0a|"; http_header; content:!"Accept-"; http_header; content:"|20|HTTP/1.0|0d 0a|Host|3a|"; content:!"Referer|3a|"; http_header;  pcre:"/\.php\?root=[a-f0-9]{16}$/U"; metadata: former_category TROJAN; reference:md5,d01229914a6b57387e2c963e3aadbc1f; classtype:trojan-activity; sid:2024489; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_21, malware_family Ransomware, malware_family Bitshifter, performance_impact Moderate, updated_at 2017_07_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN HTTP Andromeda File Request"; flow:established,to_server; content:"myguy"; http_uri; fast_pattern:only; pcre:"/myguy\.(?:xls(?:\.hta)?|exe)$/U"; metadata: former_category TROJAN; reference:url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference:cve,2017-0199; classtype:trojan-activity; sid:2024490; rev:2; metadata:created_at 2017_07_21, updated_at 2017_09_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Shifr Ransomware CnC DNS Query (v5t5z6a55ksmt3oh)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|v5t5z6a55ksmt3oh|05|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:md5,7a8c9fbfad9a817c0a10fed926f134c2; classtype:trojan-activity; sid:2024491; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_25, malware_family Shifr, performance_impact Moderate, updated_at 2017_07_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Shifr Ransomware CnC DNS Query (ojdue4474qghybjb)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ojdue4474qghybjb|05|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:md5,7a8c9fbfad9a817c0a10fed926f134c2; classtype:trojan-activity; sid:2024492; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_25, malware_family Shifr, performance_impact Moderate, updated_at 2017_07_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CopyKittens Matryoshka DNS Lookup 1 (winupdate64 . com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|winupdate64|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf; classtype:trojan-activity; sid:2024495; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_25, malware_family Matryoshka, performance_impact Moderate, updated_at 2017_07_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CopyKittens Matryoshka DNS Lookup 2 (twiter-statics . info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|twiter|2d|statics|04|info|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf; reference:md5,752240cddda5acb5e8d026cef82e2b54; classtype:trojan-activity; sid:2024496; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_25, malware_family Matryoshka, performance_impact Moderate, updated_at 2017_07_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CopyKittens Cobalt Strike DNS Lookup (cloudflare-analyse . com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|cloudflare|2d|analyse|03|com|00|"; nocase; distance:0; fast_pattern; threshold:type limit, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:url,www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf; reference:md5,752240cddda5acb5e8d026cef82e2b54; classtype:trojan-activity; sid:2024497; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_25, malware_family CobaltStrike, performance_impact Moderate, updated_at 2017_07_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TDTESS Backdoor User-Agent"; flow:established,to_server; content:"XXXXXXXXXXXXXXXXX/5.0 (Windows NT 6.1 WOW64|3b| Trident/7.0|3b| AS|3b| rv:11.0) like Gecko"; http_header; metadata: former_category TROJAN; reference:md5,113ca319e85778b62145019359380a08; reference:url,www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf; classtype:trojan-activity; sid:2024498; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_25, performance_impact Moderate, updated_at 2017_07_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/BanloadDownloader.XZY Retrieving Payload"; flow:to_server,established; content:"GET"; http_method; content:"/sosdoudou_V3/"; http_uri; fast_pattern; content:"WinHttp.WinHttpRequest"; http_header; content:!"Accept-"; http_header; content:!"Referer|3a 20|"; http_header; metadata: former_category TROJAN; reference:md5,98376de10118892f0773617da137c2be md5,599ea45f5420f948e0836239eb3ce772; classtype:trojan-activity; sid:2024499; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_26, malware_family Banload, performance_impact Moderate, updated_at 2017_07_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Revcode RAT CnC"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"keyauth="; http_client_body; fast_pattern; depth:8; content:"&key="; http_client_body; distance:0; content:"&uid="; http_client_body; distance:0; content:!"Referer|3a|"; http_header; content:"WinHttpRequest"; http_header; metadata: former_category TROJAN; reference:md5,3f652d9bc17a4be3c0e497ea19848344; classtype:trojan-activity; sid:2024500; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_27, performance_impact Moderate, updated_at 2017_07_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Revcode RAT CnC 2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"mode="; http_client_body; fast_pattern; depth:5; content:"&data="; http_client_body; distance:0; content:"&key="; http_client_body; distance:0; content:!"Referer|3a|"; http_header; content:"WinHttpRequest"; http_header; metadata: former_category TROJAN; reference:md5,3f652d9bc17a4be3c0e497ea19848344; classtype:trojan-activity; sid:2024501; rev:1; metadata:created_at 2017_07_27, updated_at 2017_07_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ISMAgent CnC Checkin 1"; flow:to_server,established; content:"GET"; http_method; content:"/action2/"; http_uri; fast_pattern; content:"User-Agent|3a 20|Firefox|0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; metadata: former_category TROJAN; reference:md5,a70a08a1e17b820c7dc8ee1247d6bfa2; reference:url,researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/; classtype:trojan-activity; sid:2024502; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_28, malware_family Ismdoor, performance_impact Moderate, updated_at 2017_07_31;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN ISMAgent Receiving Commands from CnC Server "; flow:from_server,established; content:"|23|command|23 23|systeminfo"; offset:36; fast_pattern; content:"&&"; distance:0; metadata: former_category TROJAN; reference:md5,a70a08a1e17b820c7dc8ee1247d6bfa2; reference:url,researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/; classtype:trojan-activity; sid:2024503; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_28, malware_family Ismdoor, performance_impact Moderate, updated_at 2017_07_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ISMAgent DNS Tunneling (microsoft-publisher . com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|microsoft-publisher|03|com|00|"; nocase; distance:0; fast_pattern; threshold:type limit, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,a70a08a1e17b820c7dc8ee1247d6bfa2; reference:url,researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/; classtype:trojan-activity; sid:2024504; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_28, malware_family Ismdoor, performance_impact Moderate, updated_at 2017_07_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptON/Nemesis/X3M Ransomware Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tptbibuegry2nvuh"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,twitter.com/benkow_/status/884322124504211456; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024517; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, tag Ransomware, signature_severity Major, created_at 2017_07_28, malware_family Crypton, malware_family Nemesis, performance_impact Low, updated_at 2017_08_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Observed DNS Query to Reborn/Ovidiy Stealer CnC Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|stealur|04|info|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:md5,4daca05b0015efeaacebc58d007c32c4; classtype:trojan-activity; sid:2024506; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_31, malware_family Reborn_Stealer, malware_family Ovidiy_Stealer, performance_impact Low, updated_at 2017_07_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Observed Malicious Domain SSL Cert in SNI (JS_POWMET)"; flow:established,to_server; content:"|16|"; depth:1; content:"|01|"; distance:4; content:"|00 00 0c|bogerando.ru"; fast_pattern; metadata: former_category TROJAN; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/look-js_powmet-completely-fileless-malware; reference:md5,31f83bf81b139bcc69e51df2c76a0bf2; classtype:trojan-activity; sid:2024512; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_02, malware_family JS_POWMET, performance_impact Low, updated_at 2017_08_02;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptON/Nemesis/X3M Ransomware Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fgb45ft3pqamyji7"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024518; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, tag Ransomware, signature_severity Major, created_at 2017_08_08, malware_family Crypton, malware_family Nemesis, performance_impact Low, updated_at 2017_08_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptON/Nemesis/X3M Ransomware Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gebdp3k7bolalnd4"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024519; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, tag Ransomware, signature_severity Major, created_at 2017_08_08, malware_family Crypton, malware_family Nemesis, performance_impact Low, updated_at 2017_08_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptON/Nemesis/X3M Ransomware Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|2irbar3mjvbap6gt"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024520; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, tag Ransomware, signature_severity Major, created_at 2017_08_08, malware_family Crypton, malware_family Nemesis, performance_impact Low, updated_at 2017_08_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptON/Nemesis/X3M Ransomware Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qg6m5wo7h3id55ym"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024521; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, tag Ransomware, signature_severity Major, created_at 2017_08_08, malware_family Crypton, malware_family Nemesis, performance_impact Low, updated_at 2017_08_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptON/Nemesis/X3M Ransomware Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xvnk7q32kmvcvx5x"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024522; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, tag Ransomware, signature_severity Major, created_at 2017_08_08, malware_family Crypton, malware_family Nemesis, performance_impact Low, updated_at 2017_08_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptON/Nemesis/X3M Ransomware Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xzfsqbdlb3cssp4t"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024523; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, tag Ransomware, signature_severity Major, created_at 2017_08_08, malware_family Crypton, malware_family Nemesis, performance_impact Low, updated_at 2017_08_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptON/Nemesis/X3M Ransomware Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wqfhdgpdelcgww4g"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024524; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, tag Ransomware, signature_severity Major, created_at 2017_08_08, malware_family Crypton, malware_family Nemesis, performance_impact Low, updated_at 2017_08_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptON/Nemesis/X3M Ransomware Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yvvu3fqglfceuzfu"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024525; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, tag Ransomware, signature_severity Major, created_at 2017_08_08, malware_family Crypton, malware_family Nemesis, performance_impact Low, updated_at 2017_08_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Agent.ATS CnC Activity"; flow:established,to_server; content:"GET|20|"; depth:4; content:".php?Hwid=S-"; distance:0; fast_pattern; pcre:"/^[^&]+[0-9](?:&(?:Pc|Etat)=[^&]+)?(?:&user=[^&]+&Ip=[^&]+&Ping=[^&]+&v=[^&]+&Ville=[^&]+&Pays=[^&]+&Region=[^&]+)?\x20HTTP/1.1\r\nHost\x3a\x20[^\r\n]+\r\n(?:Connection\x3a\x20Keep-Alive\r\n)?\r\n$/Ri"; content:"|20|HTTP/1.1|0d 0a|Host|3a|"; content:!"Referer|3a|"; content:!"User-Agent|3a|"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,53d3ee595bc5df7e97403906f1415c21; classtype:trojan-activity; sid:2024528; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_08, performance_impact Moderate, updated_at 2017_08_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN OSX/Mughthesec/SafeFinder/OperatorMac DNS Query Observed"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|api|0a|mughthesec|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024529; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_09, malware_family Mughthesec, malware_family SafeFinder, malware_family OperatorMac, performance_impact Low, updated_at 2017_08_09;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN OSX/Mughthesec/SafeFinder/OperatorMac Rogue Search Engine DNS Query Observed"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|default27061330-a|08|akamaihd|03|net|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,objective-see.com/blog/blog_0x20.html; classtype:trojan-activity; sid:2024530; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_09, malware_family Mughthesec, malware_family SafeFinder, malware_family OperatorMac, performance_impact Low, updated_at 2017_08_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MSIL/CoalaBot CnC Activity"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"User-Agent|3a|"; http_header; content:"KAMA NT"; http_header; distance:0; within:50; fast_pattern; content:"BULLET|3b|"; http_header; distance:0; within:20; content:"REGION|3b|"; http_header; distance:0; within:20; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; pcre:"/^[A-Za-z0-9]{10,}[\-\)\(]{1,2}/Pi"; metadata: former_category TROJAN; reference:md5,523de838dd44cdd6f212d36c142d830c; classtype:trojan-activity; sid:2024531; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_09, malware_family CoalaBot, performance_impact Moderate, updated_at 2017_09_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Gozi/Ursnif Payload v12"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"|58 1b 91 63 b8 aa 05 14 26 b5 4a 87 75 c1 a0 26 9e 3c 11 6e 71 42 96 26 99 7a 08 52 54 2f 31 7f 58 90 87 ef 21 eb 4d ac aa 62 d0 f5 9e 65 dd b1|"; depth:48; fast_pattern; metadata: former_category TROJAN; reference:url,github.com/ptresearch/AttackDetection; classtype:trojan-activity; sid:2024533; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_11, malware_family ursnif, malware_family Gozi, performance_impact Moderate, updated_at 2017_08_11;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Observed DNS Query to Gryphon CnC Domain / GlobeImposter Payment Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cr7icbfqm64hixta"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:md5,c714c3fe13e515a85774b03787ee9d85; classtype:trojan-activity; sid:2024543; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2017_08_14, malware_family GlobeImposter, malware_family Gryphon, performance_impact Moderate, updated_at 2017_08_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for known ShadowPad CnC 1"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|nylalobghyhirgh|03|com"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:trojan-activity; sid:2024588; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_17, malware_family ShadowPad, performance_impact Moderate, updated_at 2017_08_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for known ShadowPad CnC 2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|ribotqtonut|03|com"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:trojan-activity; sid:2024589; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_17, malware_family ShadowPad, performance_impact Moderate, updated_at 2017_08_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for known ShadowPad CnC 3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|jkvmdmjyfcvkf|03|com"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:trojan-activity; sid:2024590; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_17, malware_family ShadowPad, performance_impact Moderate, updated_at 2017_08_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for known ShadowPad CnC 4"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|bafyvoruzgjitwr|03|com"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:trojan-activity; sid:2024591; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_17, malware_family ShadowPad, performance_impact Moderate, updated_at 2017_08_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for known ShadowPad CnC 5"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|xmponmzmxkxkh|03|com"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:trojan-activity; sid:2024592; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_17, malware_family ShadowPad, performance_impact Moderate, updated_at 2017_08_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for known ShadowPad CnC 6"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|tczafklirkl|03|com"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:trojan-activity; sid:2024593; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_17, malware_family ShadowPad, performance_impact Moderate, updated_at 2017_08_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for known ShadowPad CnC 7"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|notped|03|com"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:trojan-activity; sid:2024594; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_17, malware_family ShadowPad, performance_impact Moderate, updated_at 2017_08_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for known ShadowPad CnC 8"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|dnsgogle|03|com"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:trojan-activity; sid:2024595; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_17, malware_family ShadowPad, performance_impact Moderate, updated_at 2017_08_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for known ShadowPad CnC 9"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|operatingbox|03|com"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:trojan-activity; sid:2024596; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_17, malware_family ShadowPad, performance_impact Moderate, updated_at 2017_08_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for known ShadowPad CnC 10"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|paniesx|03|com"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:trojan-activity; sid:2024597; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_17, malware_family ShadowPad, performance_impact Moderate, updated_at 2017_08_17;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for known ShadowPad CnC 11"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|techniciantext|03|com"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:trojan-activity; sid:2024598; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_17, malware_family ShadowPad, performance_impact Moderate, updated_at 2017_08_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Datper CnC Activity"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"="; within:9; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|rv|3a|11.0) like Gecko"; http_header; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/\.php\?[a-z]{3,8}=[a-f0-9]{16}[01][a-z]+$/Ui"; metadata: former_category TROJAN; reference:md5,eae5b16bef5f7dc37909ec91367fa807; reference:url,blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html; classtype:trojan-activity; sid:2024601; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_21, malware_family Datper, performance_impact Moderate, updated_at 2017_08_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Spora Ransomware DNS Query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|5pr6hirtlfan3j76"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/; reference:md5,41de296c5bcfc24fc0f16b1e997d9aa5; classtype:trojan-activity; sid:2024603; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2017_08_22, malware_family Spora, performance_impact Low, updated_at 2017_08_22;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN OSX.Pwnet.A Certificate Observed"; flow:established,from_server; content:"|55 04 03|"; content:"|08|vlone.cc"; distance:1; within:9; reference:url,sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/; classtype:trojan-activity; sid:2024613; rev:2; metadata:created_at 2017_08_23, updated_at 2017_08_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT12 THREEBYTE DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|bsksac|06|au-syd|09|mybluemix|03|net|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,blog.macnica.net/blog/2017/08/post-fb81.html; classtype:trojan-activity; sid:2024619; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT, tag APT12, signature_severity Major, created_at 2017_08_29, malware_family THREEBYTE, performance_impact Low, updated_at 2017_08_29;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ISMAgent DNS Lookup (msoffice-cdn . com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|msoffice-cdn|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:md5,812d3c4fddf9bb81d507397345a29bb0; reference:url,www.clearskysec.com/ismagent/; classtype:trojan-activity; sid:2024620; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_29, performance_impact Moderate, updated_at 2017_08_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/ASPC Bot CnC Checkin M3"; flow:established,to_server; content:"POST"; http_method; content:".php?string="; http_uri; fast_pattern; content:"User-Agent|3a 20|Mozilla/"; http_header; content:!"Referer|3a|"; http_header; content:"string="; http_client_body; depth:7; pcre:"/\.php\?string=[a-zA-Z0-9+=]+$/Ui"; metadata: former_category TROJAN; reference:md5,f392c55f636e93f4b72f1a2aa5022730; classtype:trojan-activity; sid:2024625; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_30, performance_impact Moderate, updated_at 2017_09_13;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DeepEnd Research Ransomware Domain Detected"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ilcmjtvnrw2hostl"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024626; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internet, signature_severity Major, created_at 2017_08_30, performance_impact Moderate, updated_at 2017_08_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DeepEnd Research Ransomware Domain Detected"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|uvgnugc3nvdgboc2"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024627; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_30, performance_impact Moderate, updated_at 2017_08_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DeepEnd Research Ransomware Domain Detected"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vg6xusopmzu7m2ce"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024628; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_30, performance_impact Moderate, updated_at 2017_08_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DeepEnd Research Ransomware Domain Detected"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vgyruvtmjabu7llq"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024629; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_30, performance_impact Moderate, updated_at 2017_08_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DeepEnd Research Ransomware Domain Detected"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vozupq6ewgxyn4ct"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024630; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_30, performance_impact Moderate, updated_at 2017_08_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DeepEnd Research Ransomware Domain Detected"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vqrqlt4t2kcmyrkb"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024631; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_30, performance_impact Moderate, updated_at 2017_08_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DeepEnd Research Ransomware Domain Detected"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vs74c53whr5kisk2"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024632; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_30, performance_impact Moderate, updated_at 2017_08_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DeepEnd Research Ransomware Domain Detected"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vsy7udjnodbqwp7l"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024633; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_30, performance_impact Moderate, updated_at 2017_08_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DeepEnd Research Ransomware Domain Detected"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vvuymthse6kj4vl4"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024634; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_30, performance_impact Moderate, updated_at 2017_08_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Cerber Ransomware Domain Detected"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|oqwygprskqv65j72"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2024635; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_30, performance_impact Moderate, updated_at 2017_08_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Cerber Ransomware Domain Detected"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|toytyaclucomunit"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2024636; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_30, performance_impact Moderate, updated_at 2017_08_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gazer HTTP POST Checkin"; flow:to_server,established; content:"POST"; http_method; content:".php?"; http_uri; content:"|ff ff ff ff 00 00 00 00|"; offset:0; http_client_body; fast_pattern:only; content:!"Accept|3a|"; http_header; content:!"Referer|3a|"; http_header; pcre:"/(?:(?:a(?:(?:lbu|d)m|ccount|uthor)|c(?:ont(?:ac|en)|lien)t|p(?:artners|hoto)|(?:memb|us)er|session|video|hash|key|id)=[a-z0-9]{6,12}&){4}/Ui"; metadata: former_category TROJAN; reference:url,www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf; classtype:trojan-activity; sid:2024637; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_30, updated_at 2017_08_30;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Gazer DNS query observed (soligro . com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|soligro|03|com|00|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,securelist.com/introducing-whitebear/81638/; classtype:trojan-activity; sid:2024641; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_31, malware_family Gazer, performance_impact Low, updated_at 2017_08_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Gazer DNS query observed (mydreamhoroscope . com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mydreamhoroscope|03|com|00|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,securelist.com/introducing-whitebear/81638/; classtype:trojan-activity; sid:2024642; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_31, malware_family Gazer, performance_impact Low, updated_at 2017_08_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN CobianRAT Checkin to CnC"; flow:to_server,established; content:"|01 00 00 00 FF FF FF FF 01|"; depth:15; content:"|02|LOGIN|7c 2d 7c|"; within:30; fast_pattern; metadata: former_category TROJAN; reference:md5,94911666a61beb59d2988c4fc7003e5a; reference:url,www.zscaler.com/blogs/research/cobian-rat-backdoored-rat; classtype:trojan-activity; sid:2024651; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_01, malware_family CobianRAT, performance_impact Low, updated_at 2017_09_01;)

alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN CobianRAT Receiving Commands From CnC"; flow:from_server,established; content:"|01 00 00 00 FF FF FF FF 01|"; depth:15; fast_pattern; content:"|00 00 02|"; within:30; pcre:"/^(?:Lg|Execute|FLD|Sc)\x7c\x2d\x7c/R"; metadata: former_category TROJAN; reference:md5,94911666a61beb59d2988c4fc7003e5a; reference:url,www.zscaler.com/blogs/research/cobian-rat-backdoored-rat; classtype:trojan-activity; sid:2024652; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_01, malware_family CobianRAT, performance_impact Low, updated_at 2017_09_01;)

alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN CobianRAT Receiving Additional Commands From CnC"; flow:from_server,established; content:"|01 00 00 00 FF FF FF FF 01|"; depth:15; content:"more|7c 2d 7c|"; within:30; fast_pattern; pcre:"/^(?:FM|SM|CP|CM|MC|NF|CH|PS|PT)/R"; metadata: former_category TROJAN; reference:md5,94911666a61beb59d2988c4fc7003e5a; reference:url,www.zscaler.com/blogs/research/cobian-rat-backdoored-rat; classtype:trojan-activity; sid:2024653; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_01, malware_family CobianRAT, performance_impact Low, updated_at 2017_09_01;)

alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN CobianRAT Receiving Config Commands from CnC"; flow:from_server,established; content:"|01 00 00 00 FF FF FF FF 01|"; depth:15; content:"Svr|7c 2d 7c|"; within:100; fast_pattern; pcre:"/^(?:\x40|\x21|\x23|\x7e|\x24)/R"; metadata: former_category TROJAN; reference:md5,94911666a61beb59d2988c4fc7003e5a; reference:url,www.zscaler.com/blogs/research/cobian-rat-backdoored-rat; classtype:trojan-activity; sid:2024654; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_01, malware_family CobianRAT, performance_impact Low, updated_at 2017_09_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN CobianRAT Screenshot Exfil to CnC"; flow:to_server,established; content:"|01 00 00 00 FF FF FF FF 01|"; depth:15; content:"|02|Sc|7c 2d 7c|"; within:30; fast_pattern; content:"JFIF"; within:10; metadata: former_category TROJAN; reference:md5,94911666a61beb59d2988c4fc7003e5a; reference:url,www.zscaler.com/blogs/research/cobian-rat-backdoored-rat; classtype:trojan-activity; sid:2024655; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_01, malware_family CobianRAT, performance_impact Low, updated_at 2017_09_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN KHRAT DNS Lookup (upload-dropbox .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|upload-dropbox|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/; classtype:trojan-activity; sid:2024658; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_04, malware_family KHRAT, performance_impact Low, updated_at 2017_09_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN [PTsecurity] Tinba Checkin 4"; flow:established,to_server; content:"POST"; http_method; content:"Content-Length|3a 20|157"; nocase; http_header; fast_pattern:only; content:!"Content-Type"; nocase; http_header; content:!"Accept"; nocase; http_header; content:!"Referer:"; nocase; http_header; content:!"User-Agent|3a|"; nocase; http_header; content:"|00 80 00 00 00|"; http_client_body; offset:24; depth:5; flowbits:set,ET.Tinba.Checkin; metadata: former_category TROJAN; reference:md5,ade4d8f0447dac5a8edd14c3d44f410d; classtype:trojan-activity; sid:2024659; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banker, signature_severity Major, created_at 2017_09_04, malware_family Tinba, performance_impact Low, updated_at 2017_09_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ApolloLocker Ransomware CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"id="; http_client_body; depth:3; content:"&pname="; http_client_body; content:"&uname="; http_client_body; content:"&pkey="; http_client_body; content:"&aekey="; http_client_body; content:"&ppub="; http_client_body; content:"&userx=ApolloCrypto"; http_client_body; fast_pattern; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,8acaa375c2146224d628bb408c3902ff; classtype:trojan-activity; sid:2024666; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_06, malware_family ApolloLocker, performance_impact Moderate, updated_at 2017_09_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ApolloLocker Ransomware CnC Checkin 2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"id="; http_client_body; depth:3; content:"&crypto=ApolloCrypto"; http_client_body; fast_pattern; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,8acaa375c2146224d628bb408c3902ff; classtype:trojan-activity; sid:2024667; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_06, malware_family ApolloLocker, performance_impact Moderate, updated_at 2017_09_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Unk.Bot CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?hwid="; http_uri; fast_pattern; content:"&os="; http_uri; distance:0; content:"&build="; http_uri; distance:0; content:"&cpu="; http_uri; distance:0; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,92c3157d76c67668ca815541c6bb3ba8; classtype:trojan-activity; sid:2024679; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_08, performance_impact Moderate, updated_at 2017_09_08;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Zloader CnC Domain Detected"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|1c|chinaandkoreacriminalaffairs"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; metadata: former_category TROJAN; reference:md5,7a57fcc1afab791f9995fbc479fe340e; classtype:trojan-activity; sid:2024680; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_08, malware_family Zloader, performance_impact Low, updated_at 2017_09_08;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (URLzone)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|dicco.at"; distance:1; within:9; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024681; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2017_09_08, malware_family URLZone, performance_impact Low, updated_at 2018_04_23;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Adwind)"; flow:established,from_server; content:"|55 04 03|"; content:"|18|www.svx2id6wmwgfxela.net"; distance:1; within:25; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024682; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_08, malware_family Adwind, performance_impact Low, updated_at 2017_09_08;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|fiftyflorston.win"; distance:1; within:18; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024683; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_08, malware_family Zeus_Panda, performance_impact Low, updated_at 2017_09_08;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|09|lio.party"; distance:1; within:10; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024684; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_08, malware_family Zeus_Panda, performance_impact Low, updated_at 2017_09_08;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|sslstatsita.info"; distance:1; within:18; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024685; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_08, malware_family Zeus_Panda, performance_impact Low, updated_at 2017_09_08;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|115f697a1698.bid"; distance:1; within:18; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024686; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_08, malware_family Zeus_Panda, performance_impact Low, updated_at 2017_09_08;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|7193a37d9d98.bid"; distance:1; within:18; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2024687; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_08, malware_family Zeus_Panda, performance_impact Low, updated_at 2017_09_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Unk.Bot CnC Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:".php?hwid="; http_uri; fast_pattern; content:"&taskid="; http_uri; distance:0; content:"&status="; http_uri; distance:0; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,92c3157d76c67668ca815541c6bb3ba8; classtype:trojan-activity; sid:2024692; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_11, performance_impact Moderate, updated_at 2017_09_11;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET TROJAN [PTsecurity] pkt checker 0"; flow:established, to_server; dsize:200<>513; stream_size:client,>,0; stream_size:server,=,1; stream_size:client, <,513; flowbits:noalert; flowbits:set,FB180732_0; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024694; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_11, malware_family Remcos, performance_impact Moderate, updated_at 2017_09_11;)

#alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] pkt checker 1"; flow:established, to_client; dsize:30<>33; stream_size:server,<,35; stream_size:client,<,513; stream_size:server,>,0; stream_size:client,>,30; flowbits:noalert; flowbits:isset,FB180732_0; flowbits:unset, FB180732_0; flowbits:set,FB180732_1; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024695; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_11, malware_family Remcos, performance_impact Moderate, updated_at 2017_09_11;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET TROJAN [PTsecurity] pkt checker 2"; flow:established, to_server; dsize:50<>93; stream_size:server, <,35; stream_size:client, <,610; stream_size:server, >,0; stream_size:client, >,30; flowbits:noalert; flowbits:isset, FB180732_1; flowbits:unset,FB180732_1; flowbits:set,FB180732_2; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024696; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_11, malware_family Remcos, performance_impact Significant, updated_at 2017_10_02;)

#alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] pkt checker 3"; flow:established, to_client; dsize:30<>33; stream_size:server, <,70; stream_size:client, <,610; stream_size:client, >,0; stream_size:server, >,35; flowbits:noalert; flowbits:isset, FB180732_2; flowbits:unset, FB180732_2; flowbits:set, FB180732_3; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024697; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_11, malware_family Remcos, performance_impact Moderate, updated_at 2017_09_11;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET TROJAN [PTsecurity] Backdoor.Win32/Remcos RAT pkt checker 4"; flow:established, to_server; dsize:81<>93; stream_size:server,<,70; stream_size:client,<,696; stream_size:client,>,0; stream_size:server,>,35; flowbits:isset,FB180732_3; flowbits:unset,FB180732_3; threshold:type limit,track by_src,count 1, seconds 30; metadata: former_category TROJAN; reference:url,blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2; classtype:trojan-activity; sid:2024698; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_11, malware_family Remcos, performance_impact Moderate, updated_at 2017_10_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN [PTsecurity] JS.Trojan-Downloader.Nemucod.yo HTTP POST (:Exec:)"; flow: established, to_server;  content:!"Referer|3a|"; http_header; content:"|3a 3a 3a|Exec|3a 3a 3a|http"; http_client_body; depth:40; fast_pattern; content:"|3a|//"; http_client_body; distance:0; within:4; content:".exe|3a 3a|";http_client_body; distance:0; within:100; threshold:type limit, track by_src, count 1, seconds 30; reference:md5, bc24bc2e9f62579e1f7db72f34c5404d; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024701; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internet, signature_severity Major, created_at 2017_09_12, malware_family Nemucod, performance_impact Moderate, updated_at 2017_09_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CCleaner Backdoor DGA Feb 2017"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0c|ab6d54340c1a|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024708; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_18, updated_at 2017_09_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CCleaner Backdoor DGA Mar 2017"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0c|aba9a949bc1d|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024709; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_18, updated_at 2017_09_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CCleaner Backdoor DGA Apr 2017"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0d|ab2da3d400c20|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024710; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_18, updated_at 2017_09_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CCleaner Backdoor DGA May 2017"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0c|ab3520430c23|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024711; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_18, updated_at 2017_09_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CCleaner Backdoor DGA Jun 2017"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0d|ab1c403220c27|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024712; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_18, updated_at 2017_09_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CCleaner Backdoor DGA Jul 2017"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0d|ab1abad1d0c2a|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024713; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_18, updated_at 2017_09_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CCleaner Backdoor DGA Aug 2017"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0b|ab8cee60c2d|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024714; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_18, updated_at 2017_09_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CCleaner Backdoor DGA Sep 2017"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0d|ab1145b758c30|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024715; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_18, updated_at 2018_01_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CCleaner Backdoor DGA Oct 2017"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0c|ab890e964c34|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024716; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_18, updated_at 2018_01_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CCleaner Backdoor DGA Nov 2017"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0c|ab3d685a0c37|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024717; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_18, updated_at 2017_09_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CCleaner Backdoor DGA Dec 2017"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0c|ab70a139cc3a|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024718; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_18, updated_at 2017_09_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lucifer Loader Requesting Payload"; flow:established,to_server; urilen:15; content:"/demonsgate.php"; fast_pattern; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,74a3c324a8565d7f567763bee960bcca; classtype:trojan-activity; sid:2024719; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_18, malware_family Lucifer_Loader, performance_impact Moderate, updated_at 2017_09_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lookingpersonals|03|top|00|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2024728; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_19, malware_family Ransomware, performance_impact Moderate, updated_at 2017_09_19;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query For TURNEDUP.Backdoor CnC (chromup)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|chromup|03|com"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html; classtype:trojan-activity; sid:2024730; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_20, malware_family TURNEDUP, malware_family StoneDrill, performance_impact Low, updated_at 2017_09_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query For TURNEDUP.Backdoor CnC (securityupdated)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|securityupdated|03|com"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html; classtype:trojan-activity; sid:2024731; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_20, malware_family TURNEDUP, malware_family StoneDrill, performance_impact Low, updated_at 2017_09_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query For TURNEDUP.Backdoor CnC (googlmail)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|googlmail|03|net"; fast_pattern; distance:0; nocase; threshold: type both, track by_src, count 1, seconds 5; metadata: former_category TROJAN; reference:url,www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html; classtype:trojan-activity; sid:2024732; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_20, malware_family TURNEDUP, malware_family StoneDrill, performance_impact Low, updated_at 2017_09_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query For TURNEDUP.Backdoor / NanoCore CnC (microsoftupdated)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|microsoftupdated|03|net"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html; classtype:trojan-activity; sid:2024733; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_20, malware_family TURNEDUP, malware_family StoneDrill, performance_impact Low, updated_at 2017_09_20;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query For TURNEDUP.Backdoor CnC (syn.broadcaster)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|syn|0b|broadcaster|05|rocks"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html; classtype:trojan-activity; sid:2024734; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_20, malware_family TURNEDUP, malware_family StoneDrill, performance_impact Low, updated_at 2017_09_20;)

#alert tcp $EXTERNAL_NET [:32768] -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Backdoor.Java.Adwind.cu Certificate flowbit set 1"; flow:established, to_client; content:"|308204|"; depth:300; content:"|308203|"; distance:1; within:3; content:"|a0030201020204|"; distance:1; within:7; content:"|300d06092a864886f70d01010b05003081|"; distance:4; within:17; flowbits:set,FB332502_; flowbits:noalert; threshold:type limit, track by_src, count 1, seconds 30; metadata: former_category TROJAN; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024751; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_21, malware_family Adwind, performance_impact Moderate, updated_at 2017_09_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET [:32768] (msg:"ET TROJAN [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 2"; flow:established, to_server; content:"|1703|"; depth:2; content:"|0040|"; distance:1; within:2; fast_pattern; stream_size:server, >,1789; stream_size:server, <,2124; stream_size:client, >,447; stream_size:client, <,1722; flowbits:isset, FB332502_; flowbits:set, FB332502_0; flowbits:noalert; metadata: former_category TROJAN; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024752; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_21, malware_family Adwind, performance_impact Moderate, updated_at 2017_09_21;)

#alert tcp $EXTERNAL_NET [:32768] -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 3"; flow:established,to_client; content:"|1703|"; depth:2; content:"|0040|"; distance:1;within:2; fast_pattern; stream_size:server, >,1789; stream_size:server,<,2124; stream_size:client, >,447; stream_size:client, <,1722; flowbits:isset, FB332502_0; flowbits:unset, FB332502_0; flowbits:set, FB332502_1;flowbits:noalert; metadata: former_category TROJAN; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024753; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_21, malware_family Adwind, performance_impact Moderate, updated_at 2017_09_21;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET [:32768] (msg:"ET TROJAN [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 4"; flow:established,to_server; content:"|1703|"; depth:2; byte_test:2, >=,1024, 1, relative; byte_test:2, <=,1100, 1, relative; stream_size:server, >,1889;stream_size:server, <,2124; stream_size:client, >,1476; stream_size:client, <,1722; flowbits:isset, FB332502_1; flowbits:unset, FB332502_1;flowbits:set, FB332502_2; flowbits:noalert; metadata: former_category TROJAN; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024754; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_21, malware_family Adwind, performance_impact Moderate, updated_at 2017_09_21;)

#alert tcp $EXTERNAL_NET [:32768] -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 5"; flow:established,to_client; content:"|1703|"; depth:2; content:"|0050|"; distance:1; within:2; fast_pattern; stream_size:server, >,1889; stream_size:server, <,2224; stream_size:client, >,1476; stream_size:client, <,8722; flowbits:isset, FB332502_2; flowbits:unset, FB332502_2; flowbits:set, FB332502_3; flowbits:noalert; metadata: former_category TROJAN; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024755; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_21, malware_family Adwind, performance_impact Moderate, updated_at 2017_09_21;)

#alert tcp $EXTERNAL_NET [:32768] -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Backdoor.Java.Adwind.cu"; flow:established, to_client; content:"|17 03|"; depth:2; content:"|00 50|"; distance:1; within:2; fast_pattern; stream_size:server, >,1889; stream_size:server, <,2436; stream_size:client, >,1476; stream_size:client, <,8834; flowbits:isset, FB332502_3; flowbits:unset, FB332502_3; threshold:type limit, track by_src, count 1, seconds 30; metadata: former_category TROJAN; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024756; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_21, malware_family Adwind, performance_impact Moderate, updated_at 2017_09_27;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (MalDoc DL)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|vinci-energie.co"; distance:1; within:17; metadata: former_category TROJAN; reference:md5,69f8181bfe4a53d9e0b73c81a4ae4587; classtype:trojan-activity; sid:2024757; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_Endpoint, deployment Perimeter, tag MalDoc, signature_severity Major, created_at 2017_09_21, malware_family Maldoc, performance_impact Moderate, updated_at 2017_09_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Scarsi Variant CnC Activity"; flow:to_server,established; content:"/WP"; http_uri; content:".php"; distance:0; within:50; http_uri; content:"User-Agent|3a 20|Mozilla/4.0|20 28|compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5|29|"; http_header; fast_pattern; content:"Content-Length|3a 20|"; http_header; content:"Content-Length|3a 20|"; http_header; byte_test:1,>,0x30,0; content:!"Referer|3a 20|"; http_header; pcre:"/\/WP(?:Security|CoreLog)\/(?:data\/)?\w+\.php$/Ui"; pcre:"/^[\x20-\x25\x27-\x3c\x3e-\x7e]{25,}$/Psi"; metadata: former_category TROJAN; reference:md5,52c193a7994a6bb55ec85addc8987c10; classtype:trojan-activity; sid:2024758; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_21, performance_impact Low, updated_at 2017_09_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Possible Cobalt Strike payload"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Length|3a 20|"; http_header; content:"|0d 0a|"; http_header; distance:5; within:4; file_data; content: "|fc e8 00 00 00 00 eb|"; depth:7; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024771; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_27, malware_family CobaltStrike, performance_impact Low, updated_at 2017_09_27;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) cert"; flow:established,to_client; content:"|30 82|"; depth:300; content:"|a0 03 02 01 02 02|"; distance:6; within:6; content:"|63 50 61 6e 65 6c 2c 20 49 6e 63|"; distance:60; within:120; fast_pattern;  flowbits:set,FB346039_0; flowbits:noalert; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024772; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_27, malware_family Upatre, performance_impact Moderate, updated_at 2017_09_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 0"; flow:established,to_server; content:"|17 03|"; depth:2; content:"|00 a0|"; distance:1; within:2; fast_pattern; stream_size:server,>,4868; stream_size:server,<,5949; stream_size:client,>,424; stream_size:client,<,685; flowbits:isset,FB346039_0; flowbits:unset,FB346039_0; flowbits:set,FB346039_1; flowbits:noalert; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024773; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_27, malware_family Upatre, performance_impact Moderate, updated_at 2017_09_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 1"; flow:established,to_server; content:"|17 03|"; depth:2; content:"|00 b0|"; distance:1; within:2; fast_pattern; stream_size:client,>,424; stream_size:client,<,685; flowbits:isset,FB346039_0; flowbits:unset,FB346039_0; flowbits:set,FB346039_1; flowbits:set,FB346039_2; flowbits:noalert; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024774; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_27, malware_family Upatre, performance_impact Moderate, updated_at 2017_09_27;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 2"; flow:established,to_client; content:"|1703|"; depth:2; content:"|0140|"; distance:1; within:2; fast_pattern; stream_size:server,>,5000; stream_size:server,<,10069; stream_size:client,>,424; stream_size:client,<,905; flowbits:isset,FB346039_1; flowbits:unset,FB346039_1; flowbits:unset,FB346039_2; flowbits:set,FB346039_3; flowbits:noalert; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024775; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_27, malware_family Upatre, performance_impact Moderate, updated_at 2017_09_27;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 3"; flow:established,to_client; content:"|1703|"; depth:2; content:"|04A0|"; distance:1; within:2; fast_pattern; stream_size:server,>,5000; stream_size:server,<,10069; stream_size:client,>,424; stream_size:client,<,905; flowbits:isset,FB346039_3; flowbits:unset,FB346039_3; flowbits:set,FB346039_4; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024776; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_27, malware_family Upatre, performance_impact Moderate, updated_at 2017_09_27;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 4"; flow:established,to_client; content:"|17 03|"; depth:2; content:"|02 00|"; distance:1; within:2; fast_pattern; stream_size:server,>,5000; stream_size:server,<,6500; stream_size:client,>,424; stream_size:client,<,905; flowbits:isset,FB346039_2; flowbits:unset,FB346039_2; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024777; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_27, malware_family Upatre, performance_impact Moderate, updated_at 2017_09_29;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 5"; flow:established,to_client; content:"|1503|"; depth:2; content:"|0020|"; distance:1; within:2; fast_pattern; stream_size:server,>,5000; stream_size:server,<,10069; stream_size:client,>,424; stream_size:client,<,905; flowbits:isset,FB346039_4; flowbits:unset,FB346039_4; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024778; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_27, malware_family Upatre, performance_impact Moderate, updated_at 2017_09_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN [PTsecurity] TR/Spy.Banker.agdtw Checkin"; flow:established,to_server; content:"page"; http_uri; content:"POST"; http_method; content:"Connection|3a 20|"; http_header; content:"Content-Type|3a 20|multipart"; nocase; http_header; distance:0; content:"Content-Length|3a 20|"; nocase; http_header; distance:0; content: "Accept|3a 20|"; http_header; distance:0; content: "Accept-Encoding|3a 20|"; nocase; http_header; distance:0; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|"; http_header; distance:0; content:"name=|22|ing|22|"; http_client_body; fast_pattern; depth:300; content:"name=|22|AT|22|"; http_client_body; distance:0; within:300; content:"ver"; http_client_body; distance:0; within:300; content:"name=|22|MD|22|"; http_client_body; distance:0; within:300; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024780; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_28, performance_impact Moderate, updated_at 2017_09_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Formgrabber Data Exfil"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"c="; depth:2; http_client_body; content:"&v="; http_client_body; distance:0; content:"&h="; http_client_body; distance:0; content:"&t="; fast_pattern; http_client_body; distance:0; content:!"Referer|3a|"; http_header; pcre:"/^c=[A-F0-9]{10,}&v=[^&]+&h=[^&]+&t=[0-9]$/Psi"; metadata: former_category TROJAN; reference:md5,cb066c5625aa85957d6b8d4caef4e497; reference:url,thisissecurity.stormshield.com/2017/09/28/analyzing-form-grabber-malware-targeting-browsers; classtype:trojan-activity; sid:2024781; rev:2; metadata:created_at 2017_09_28, updated_at 2017_09_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Black Stealer Exfil System Info"; flow:established,to_server; content: "|2b 20 2b 20 2b 20 5b 20|VicTim Info|20 5d 20 2b 20 2b 20 2b|"; depth:120; nocase; fast_pattern; content:"End Stealer|20 3d 20 3d 20 3d 20 3d 20 3d 20 3d|"; distance:0; nocase; isdataat:!1,relative; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024790; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_02, malware_family BlackStealer, performance_impact Low, updated_at 2017_10_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN [PTsecurity] Black Stealer Exfil FTP STOR"; flow:established,to_server; content:"STOR Black Stealer"; depth:18; nocase; fast_pattern; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024791; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_02, performance_impact Low, updated_at 2017_10_02;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Lazarus Decafett DNS Lookup 1"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|download|05|ns360|04|info|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,cdn.securelist.com/files/2017/10/Guerrero-Saade-Raiu-VB2017.pdf; classtype:trojan-activity; sid:2024803; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT, tag Lazarus, signature_severity Critical, created_at 2017_10_05, malware_family Decafett, performance_impact Low, updated_at 2017_10_05;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Lazarus Decafett DNS Lookup 2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|update|06|craftx|03|biz|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,cdn.securelist.com/files/2017/10/Guerrero-Saade-Raiu-VB2017.pdf; classtype:trojan-activity; sid:2024804; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT, tag Lazarus, signature_severity Critical, created_at 2017_10_05, malware_family Decafett, performance_impact Low, updated_at 2017_10_05;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Lazarus Decafett DNS Lookup 3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|mozilla|05|tftpd|03|net|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,cdn.securelist.com/files/2017/10/Guerrero-Saade-Raiu-VB2017.pdf; classtype:trojan-activity; sid:2024805; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT, tag Lazarus, signature_severity Critical, created_at 2017_10_05, malware_family Decafett, performance_impact Low, updated_at 2017_10_05;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Lazarus Decafett DNS Lookup 4"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|checkupdates|09|flashserv|03|net|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,cdn.securelist.com/files/2017/10/Guerrero-Saade-Raiu-VB2017.pdf; classtype:trojan-activity; sid:2024806; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT, tag Lazarus, signature_severity Critical, created_at 2017_10_05, malware_family Decafett, performance_impact Low, updated_at 2017_10_05;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CCleaner Backdoor DGA Jan 2018"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0d|ab3c2b0d28ba6|03|com|00|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024816; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_09, performance_impact Low, updated_at 2017_10_09;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CCleaner Backdoor DGA Feb 2018"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0c|ab99c24c0ba9|03|com|00|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024817; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_09, performance_impact Low, updated_at 2017_10_09;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CCleaner Backdoor DGA Mar 2018"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0c|ab2e1b782bad|03|com|00|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024818; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_09, performance_impact Low, updated_at 2017_10_09;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CCleaner Backdoor DGA Apr 2018"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0d|ab253af862bb0|03|com|00|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024819; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_09, performance_impact Low, updated_at 2017_10_09;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CCleaner Backdoor DGA May 2018"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0c|ab2d02b02bb3|03|com|00|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024820; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_09, performance_impact Low, updated_at 2017_10_09;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CCleaner Backdoor DGA Jun 2018"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0d|ab1b0eaa24bb6|03|com|00|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024821; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_09, performance_impact Low, updated_at 2017_10_09;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CCleaner Backdoor DGA Jul 2018"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0c|abf09fc5abba|03|com|00|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024822; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_09, performance_impact Low, updated_at 2017_10_09;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CCleaner Backdoor DGA Aug 2018"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0c|abce85a51bbd|03|com|00|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024823; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_09, performance_impact Low, updated_at 2018_01_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CCleaner Backdoor DGA Sep 2018"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0c|abccc097dbc0|03|com|00|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024824; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_09, performance_impact Low, updated_at 2017_10_09;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CCleaner Backdoor DGA Oct 2018"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0d|ab33b8aa69bc4|03|com|00|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024825; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_09, performance_impact Low, updated_at 2017_10_09;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CCleaner Backdoor DGA Nov 2018"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0c|ab693f4c0bc7|03|com|00|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024826; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_09, performance_impact Low, updated_at 2017_10_09;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CCleaner Backdoor DGA Dec 2018"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0d|ab23660730bca|03|com|00|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024827; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_09, performance_impact Low, updated_at 2017_10_09;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Ursnif Encoded Payload Inbound"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"|3d fa 61 3c 79 ee de ea 18 90 08 95 55 44 8d 41|"; depth:16; fast_pattern; metadata: former_category TROJAN; reference:url,github.com/ptresearch/AttackDetection; classtype:trojan-activity; sid:2024837; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_12, malware_family Ursniff, performance_impact Low, updated_at 2017_10_12;)

alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN DNSMessenger Payload (TXT base64 gzip header)"; content:"|00 10 00 01|"; content:"H4sIA"; distance:7; within:5; fast_pattern; metadata: former_category TROJAN; reference:url,blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html; classtype:trojan-activity; sid:2024840; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_13, malware_family DNSMessenger, performance_impact Moderate, updated_at 2017_10_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.JS.Agent.dwz Checkin"; flow:established,to_server; content:!"Referer|3a|"; http_header; content:!"|00|"; http_client_body; content:"|61 3d|"; depth:2; fast_pattern; http_client_body; byte_extract:2,12,byte0,relative; byte_test:2,=,byte0,30,relative; isdataat:!32,relative; metadata: former_category TROJAN; reference:md5,f886dbf6bd47a0a015ef40fc2bed03a2; classtype:trojan-activity; sid:2024848; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_17, performance_impact Moderate, updated_at 2017_10_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN [PTsecurity] Trojan.JS.Agent.dwz Checkin 1"; flow:established,to_server; content:"POST"; http_method; content:"Accept|3a 20|*/*"; http_header; content:"auth255|3a 20|login"; http_header; fast_pattern; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; content:!"Referer|3a|"; http_header; content:"a="; http_client_body; depth:2; pcre:"/^(?:[a-f0-9]{30,60})$/R"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024849; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_17, performance_impact Low, updated_at 2017_10_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Winnti-related Destination"; flow:established,to_server; content:"strangelol.com"; http_header; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024851; rev:1; metadata:created_at 2017_10_18, updated_at 2017_10_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Winnti-related DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|strangelol|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024852; rev:1; metadata:created_at 2017_10_18, updated_at 2017_10_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Winnti-related Destination"; flow:established,to_server; content:"ssrsec.com"; http_header; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024853; rev:1; metadata:created_at 2017_10_18, updated_at 2017_10_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Winnti-related DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|ssrsec|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024854; rev:1; metadata:created_at 2017_10_18, updated_at 2017_10_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Winnti-related Destination"; flow:established,to_server; content:"sqlmapff.com"; http_header; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024855; rev:2; metadata:created_at 2017_10_18, updated_at 2017_10_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Winnti-related DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|sqlmapff|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024856; rev:1; metadata:created_at 2017_10_18, updated_at 2017_10_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Winnti-related Destination"; flow:established,to_server; content:"outerlol.com"; http_header; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024857; rev:1; metadata:created_at 2017_10_18, updated_at 2017_10_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Winnti-related DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|outerlol|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024858; rev:1; metadata:created_at 2017_10_18, updated_at 2017_10_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Winnti-related Destination"; flow:established,to_server; content:"microsoftsec.com"; http_header; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024859; rev:1; metadata:created_at 2017_10_18, updated_at 2017_10_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Winnti-related DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|microsoftsec|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024860; rev:1; metadata:created_at 2017_10_18, updated_at 2017_10_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Winnti-related Destination"; flow:established,to_server; content:"martianlol.com"; http_header; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024861; rev:1; metadata:created_at 2017_10_18, updated_at 2017_10_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Winnti-related DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|martianlol|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024862; rev:1; metadata:created_at 2017_10_18, updated_at 2017_10_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Winnti-related Destination"; flow:established,to_server; content:"dnslog.mobi"; http_header; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024863; rev:1; metadata:created_at 2017_10_18, updated_at 2017_10_18;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Winnti-related Destination"; flow:established,to_server; content:"dnslog.mobi"; http_header; fast_pattern; metadata: former_category TROJAN; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024864; rev:1; metadata:created_at 2017_10_18, updated_at 2017_10_24;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Winnti-related DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|dnslog|04|mobi|00|"; nocase; distance:0; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024865; rev:1; metadata:created_at 2017_10_18, updated_at 2017_10_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Winnti-related Destination"; flow:established,to_server; content:"alienlol.com"; http_header; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024866; rev:1; metadata:created_at 2017_10_18, updated_at 2017_10_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Winnti-related DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|alienlol|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024867; rev:1; metadata:created_at 2017_10_18, updated_at 2017_10_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Winnti-related DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|yoyakuweb|0a|technology|00|"; nocase; distance:0; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024869; rev:1; metadata:created_at 2017_10_18, updated_at 2017_10_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Winnti-related DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|exoticlol|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024870; rev:1; metadata:created_at 2017_10_18, updated_at 2017_10_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Winnti-related DNS Lookup (google-statics .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|google-statics|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024871; rev:1; metadata:created_at 2017_10_18, updated_at 2017_10_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Winnti-related DNS Lookup (google-searching .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|google-searching|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024872; rev:1; metadata:created_at 2017_10_18, updated_at 2017_10_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Winnti-related DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|awsstatics|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024873; rev:1; metadata:created_at 2017_10_18, updated_at 2017_10_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Winnti-related DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|immigrantlol|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024874; rev:1; metadata:created_at 2017_10_18, updated_at 2017_10_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Winnti-related Destination (google-searching .com)"; flow:established,to_server; content:"google-searching.com"; http_header; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024875; rev:1; metadata:created_at 2017_10_18, updated_at 2017_10_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Winnti-related Destination"; flow:established,to_server; content:"awsstatics.com"; http_header; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024876; rev:1; metadata:created_at 2017_10_18, updated_at 2017_10_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Winnti-related Destination"; flow:established,to_server; content:"immigrantlol.com"; http_header; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024877; rev:1; metadata:created_at 2017_10_18, updated_at 2017_10_18;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN OSX/Proton.C/D Domain (eltima .in in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|06|eltima|02|in|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia; classtype:trojan-activity; sid:2024888; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_20, malware_family Proton, performance_impact Moderate, updated_at 2017_10_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN OSX/Proton.C/D Domain (eltima .in in TLS SNI)"; flow:established,to_server; content:"|00 00 09|eltima.in"; fast_pattern:only; nocase; metadata: former_category TROJAN; reference:url,www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia; classtype:trojan-activity; sid:2024889; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_20, malware_family Proton, performance_impact Moderate, updated_at 2017_10_24;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN OSX/Proton.C/D Domain (handbrakestore .com in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0e|handbrakestore|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia; classtype:trojan-activity; sid:2024890; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_20, malware_family Proton, performance_impact Moderate, updated_at 2017_10_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN OSX/Proton.C/D Domain (handbrakestore .com in TLS SNI)"; flow:established,to_server; content:"|00 00 12|handbrakestore.com"; fast_pattern:only; nocase; metadata: former_category TROJAN; reference:url,www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia; classtype:trojan-activity; sid:2024891; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_20, malware_family Proton, performance_impact Moderate, updated_at 2017_10_24;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN OSX/Proton.C/D Domain (handbrake .cc in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|09|handbrake|02|cc|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia; classtype:trojan-activity; sid:2024892; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_20, malware_family Proton, performance_impact Moderate, updated_at 2017_10_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN OSX/Proton.C/D Domain (handbrake .cc in TLS SNI)"; flow:established,to_server; content:"|00 00 0c|handbrake.cc"; fast_pattern:only; nocase; metadata: former_category TROJAN; reference:url,www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia; classtype:trojan-activity; sid:2024893; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_20, malware_family Proton, performance_impact Moderate, updated_at 2017_10_24;)

alert tcp any any -> any 445 (msg:"ET TROJAN Possible Dragonfly APT Activity - SMB credential harvesting"; flow:established,to_server; content:"|FF|SMB|75 00 00 00 00|"; offset:4; depth:9; content:"|08 00 01 00|"; distance:3; content:"|00 5c 5c|"; distance:2; within:3; content:"|5c|AME_ICON.PNG"; distance:7; fast_pattern; metadata: former_category TROJAN; reference:url,www.us-cert.gov/ncas/alerts/TA17-293A; reference:url,www.us-cert.gov/sites/default/files/publications/MIFR-10128883_TLP_WHITE.pdf; classtype:trojan-activity; sid:2024898; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_23, updated_at 2017_10_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Dragonfly APT Activity HTTP URI OPTIONS"; flow:established,to_server; content:"OPTIONS"; http_method; content:"/ame_icon.png"; http_uri; fast_pattern; isdataat:!1,relative; metadata: former_category TROJAN; reference:url,www.us-cert.gov/ncas/alerts/TA17-293A; reference:url,www.us-cert.gov/sites/default/files/publications/MIFR-10128883_TLP_WHITE.pdf; classtype:trojan-activity; sid:2024899; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_23, updated_at 2017_10_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Locky Intermediate Downloader"; flow:to_server,established; urilen:1; content:"POST"; http_method; content:"User-Agent|3a 20|Windows-Update-Agent"; http_header; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; metadata: former_category TROJAN; reference:md5,4f03e360be488a3811d40c113292bc01; classtype:trojan-activity; sid:2024900; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Locky, signature_severity Major, created_at 2017_10_23, updated_at 2017_10_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trickbot Payload Request"; flow:to_server,established; content:"GET"; http_method; content:".png HTTP/1.1|0d 0a|Host|3a 20|"; fast_pattern:only;  content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; pcre:"/^\/(?:kas|ser|mac)[0-9]+\.png$/Ui"; metadata: former_category TROJAN; reference:md5,2c6cd25a31fe097ee7532422fc8eedc8; classtype:trojan-activity; sid:2024901; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Trickbot, signature_severity Major, created_at 2017_10_23, updated_at 2017_10_23;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Snatch CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|salegrutboy.eu"; distance:1; within:15; metadata: former_category TROJAN; reference:md5,3b79f06be1f6909149bcadfaacfad2d0; classtype:trojan-activity; sid:2024902; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_23, malware_family Snatch, performance_impact Moderate, updated_at 2017_10_23;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Snatch CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|lookmans.eu"; distance:1; within:12; metadata: former_category TROJAN; reference:md5,aa50e2ce1fc07ccfbc6b916ccdbfd19b; classtype:trojan-activity; sid:2024903; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_23, malware_family Snatch, performance_impact Moderate, updated_at 2017_10_23;)

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET TROJAN BadRabbit Ransomware Activity Via WebDAV (cscc)"; flow:established,to_server; content:"PROPFIND"; http_method; urilen:16; content:"/admin$/cscc.dat"; http_uri; fast_pattern; content:"User-Agent|3a 20|Microsoft-WebDAV"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024905; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_24, malware_family BadRabbit, performance_impact Moderate, updated_at 2017_10_24;)

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET TROJAN BadRabbit Ransomware Activity Via WebDAV (infpub)"; flow:established,to_server; content:"PROPFIND"; http_method; urilen:18; content:"/admin$/infpub.dat"; http_uri; fast_pattern; content:"User-Agent|3a 20|Microsoft-WebDAV"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024906; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_24, malware_family BadRabbit, performance_impact Moderate, updated_at 2017_10_24;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN BadRabbit Ransomware Payment Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|caforssztxqzf2nm"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:md5,fbbdc39af1139aebba4da004475e8839; classtype:trojan-activity; sid:2024910; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_24, performance_impact Low, updated_at 2017_10_24;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN IoT_reaper DNS Lookup M1"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|hl852|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,blog.netlab.360.com/iot_reaper-a-few-updates-en/; classtype:trojan-activity; sid:2024921; rev:1; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_10_25, updated_at 2017_10_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN IoT_reaper DNS Lookup M2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|hl859|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,blog.netlab.360.com/iot_reaper-a-few-updates-en/; classtype:trojan-activity; sid:2024922; rev:1; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_10_25, updated_at 2017_10_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN IoT_reaper DNS Lookup M3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|hi8520|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,blog.netlab.360.com/iot_reaper-a-few-updates-en/; classtype:trojan-activity; sid:2024923; rev:1; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_10_25, updated_at 2017_10_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible IoT_reaper ELF Binary Request M1 (set)"; flow:established,to_server; flowbits:set,ET.iotreaper; flowbits:noalert; urilen:3; content:"GET"; http_method; content:"/sa"; http_uri; fast_pattern; metadata: former_category TROJAN; reference:url,blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/; classtype:trojan-activity; sid:2024924; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_10_25, updated_at 2017_10_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible IoT_reaper ELF Binary Request M2 (set)"; flow:established,to_server; flowbits:set,ET.iotreaper; flowbits:noalert; urilen:3; content:"GET"; http_method; content:"/sm"; http_uri; fast_pattern; metadata: former_category TROJAN; reference:url,blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/; classtype:trojan-activity; sid:2024925; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_10_25, updated_at 2017_10_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible IoT_reaper ELF Binary Request M3 (set)"; flow:established,to_server; flowbits:set,ET.iotreaper; flowbits:noalert; urilen:5; content:"GET"; http_method; content:"/xget"; http_uri; fast_pattern; metadata: former_category TROJAN; reference:url,blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/; classtype:trojan-activity; sid:2024926; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_10_25, updated_at 2017_10_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible IoT_reaper ELF Binary Request M4 (set)"; flow:established,to_server; flowbits:set,ET.iotreaper; flowbits:noalert; urilen:4; content:"GET"; http_method; content:"/sa5"; http_uri; fast_pattern; metadata: former_category TROJAN; reference:url,blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/; classtype:trojan-activity; sid:2024927; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_10_25, updated_at 2017_10_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible IoT_reaper ELF Binary Request M5 (set)"; flow:established,to_server; flowbits:set,ET.iotreaper; flowbits:noalert; content:"GET"; http_method; content:"/server.armel"; http_uri; fast_pattern; pcre:"/\.armel$/U"; metadata: former_category TROJAN; reference:url,blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/; classtype:trojan-activity; sid:2024928; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_10_25, updated_at 2017_10_25;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible IoT_reaper ELF Binary Download"; flow:established,from_server; flowbits:isset,ET.iotreaper; file_data; content:"|7f 45 4c 46|"; depth:4; metadata: former_category TROJAN; reference:url,blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/; classtype:trojan-activity; sid:2024929; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_10_25, updated_at 2017_10_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN IoT_reaper DNS Lookup M4"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|05|cbk99|03|com|00|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,research.checkpoint.com/iotroop-botnet-full-investigation/; classtype:trojan-activity; sid:2024933; rev:3; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_10_31, updated_at 2017_11_06;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN IoT_reaper DNS Lookup M5"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|05|bbk80|03|com|00|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,research.checkpoint.com/iotroop-botnet-full-investigation/; classtype:trojan-activity; sid:2024934; rev:3; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_10_31, updated_at 2017_11_06;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN IoT_reaper DNS Lookup M6"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|05|bbk86|03|com|00|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,research.checkpoint.com/iotroop-botnet-full-investigation/; classtype:trojan-activity; sid:2024935; rev:3; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_10_31, updated_at 2017_10_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN IoT_reaper DNS Lookup M7"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|05|ha859|03|com|00|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,research.checkpoint.com/iotroop-botnet-full-investigation/; classtype:trojan-activity; sid:2024936; rev:3; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_10_31, updated_at 2017_10_31;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Downeks/Quasar DNS Lookup (cloudns .club)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|08|download|0b|data-server|07|cloudns|04|club"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,securelist.com/gaza-cybergang-updated-2017-activity/82765/; classtype:trojan-activity; sid:2024937; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_31, performance_impact Low, updated_at 2017_11_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Downeks/Quasar DNS Lookup (topsite .life)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|04|ping|07|topsite|04|life"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,securelist.com/gaza-cybergang-updated-2017-activity/82765/; classtype:trojan-activity; sid:2024938; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_31, performance_impact Low, updated_at 2017_11_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Downeks/Quasar DNS Lookup (updatesforme .club)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|06|signup|0c|updatesforme|04|club"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,securelist.com/gaza-cybergang-updated-2017-activity/82765/; classtype:trojan-activity; sid:2024939; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_31, performance_impact Low, updated_at 2017_11_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Downeks/Quasar DNS Lookup (moreoffer .life)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|09|moreoffer|04|life"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,securelist.com/gaza-cybergang-updated-2017-activity/82765/; classtype:trojan-activity; sid:2024940; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_31, performance_impact Low, updated_at 2017_10_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SAD Ransomware CnC Activity"; flow:established,to_server; content:"GET"; http_method; content:".php?hwid="; http_uri; fast_pattern; content:"&osname="; http_uri; content:"&pcname="; http_uri; content:"&key="; http_uri; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,f4c2f65b5b89d4f4e74099571b40c0d5; classtype:trojan-activity; sid:2024954; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_03, malware_family SAD_Ransomware, performance_impact Moderate, updated_at 2017_11_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN [PTsecurity] Win32/Randrew!rfn CnC Activity"; flow:established,to_server; content:"botversion="; depth:11; http_client_body; content:"xfor="; within:22; http_client_body; content:"winver="; within:33; http_client_body; threshold:type limit,track by_src,count 1,seconds 30; metadata: former_category TROJAN; reference:md5,74dd0e38deaf778e621434a2ca9c7c74; reference:url,microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDropper:Win32/Randrew.A!bit; classtype:trojan-activity; sid:2024955; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_06, performance_impact Moderate, updated_at 2017_11_06;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN RouteX CnC Domain (cba4a6e5d3c956548a337c52388473f1 .com in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|20|cba4a6e5d3c956548a337c52388473f1|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:trojan-activity; sid:2024956; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, deployment Internal, signature_severity Major, created_at 2017_11_06, performance_impact Moderate, updated_at 2017_11_06;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN RouteX CnC Domain (0a0074066c49886a39b5a3072582f5d6 .net in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|20|0a0074066c49886a39b5a3072582f5d6|03|net|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:trojan-activity; sid:2024957; rev:1; metadata:affected_product Linux, attack_target Networking_Equipment, deployment Internal, signature_severity Major, created_at 2017_11_06, performance_impact Moderate, updated_at 2017_11_06;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN RouteX CnC Domain (73780fbd309561e201a4aee9914d882d .org in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|20|73780fbd309561e201a4aee9914d882d|03|org|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:trojan-activity; sid:2024958; rev:1; metadata:affected_product Linux, attack_target Networking_Equipment, deployment Internal, signature_severity Major, created_at 2017_11_06, performance_impact Moderate, updated_at 2017_11_06;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN RouteX CnC Domain (dcb5684707f6c66492aaa9f7d9bfb5a6 .biz in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|20|dcb5684707f6c66492aaa9f7d9bfb5a6|03|biz|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:trojan-activity; sid:2024959; rev:1; metadata:affected_product Linux, attack_target Networking_Equipment, deployment Internal, signature_severity Major, created_at 2017_11_06, performance_impact Moderate, updated_at 2017_11_06;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN RouteX CnC Domain (322ffbbc7c1b312c2f9d942f20422f8d .com in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|20|322ffbbc7c1b312c2f9d942f20422f8d|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:trojan-activity; sid:2024960; rev:1; metadata:affected_product Linux, attack_target Networking_Equipment, deployment Internal, signature_severity Major, created_at 2017_11_06, performance_impact Moderate, updated_at 2017_11_06;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN RouteX CnC Domain (18bca7c5fd709ac468ba148c590ef6bf .net in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|20|18bca7c5fd709ac468ba148c590ef6bf|03|net|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:trojan-activity; sid:2024961; rev:1; metadata:affected_product Linux, attack_target Networking_Equipment, deployment Internal, signature_severity Major, created_at 2017_11_06, performance_impact Moderate, updated_at 2017_11_06;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN RouteX CnC Domain (aaafc94b3a37b75ae9cb60afc42e86fe .org in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|20|aaafc94b3a37b75ae9cb60afc42e86fe|03|org|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:trojan-activity; sid:2024962; rev:1; metadata:affected_product Linux, attack_target Networking_Equipment, deployment Internal, signature_severity Major, created_at 2017_11_06, performance_impact Moderate, updated_at 2017_11_06;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN RouteX CnC Domain (c13a856f4a879a89e9a638207efd6c94 .biz in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|20|c13a856f4a879a89e9a638207efd6c94|03|biz|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:trojan-activity; sid:2024963; rev:1; metadata:affected_product Linux, attack_target Networking_Equipment, deployment Internal, signature_severity Major, created_at 2017_11_06, performance_impact Moderate, updated_at 2017_11_06;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN RouteX CnC Domain (2fa3c2fa16c47d9b9bff8986a42b048f .com in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|20|2fa3c2fa16c47d9b9bff8986a42b048f|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:trojan-activity; sid:2024964; rev:1; metadata:affected_product Linux, attack_target Networking_Equipment, deployment Internal, signature_severity Major, created_at 2017_11_06, performance_impact Moderate, updated_at 2017_11_06;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN RouteX CnC Domain (3ec9b600789b3bacf2c72ebae142a9c3 .net in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|20|3ec9b600789b3bacf2c72ebae142a9c3|03|net|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:trojan-activity; sid:2024965; rev:1; metadata:affected_product Linux, attack_target Networking_Equipment, deployment Internal, signature_severity Major, created_at 2017_11_06, performance_impact Moderate, updated_at 2017_11_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Volex - OceanLotus JavaScript Load (connect.js)"; flow:to_server,established; content:"GET"; http_method; content:"connect.js?timestamp="; http_uri; metadata: former_category TROJAN; reference:url,volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/; classtype:trojan-activity; sid:2024966; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_06, performance_impact Low, updated_at 2017_11_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Volex - OceanLotus JavaScript Fake Page URL Builder Response"; flow:to_client,established; file_data; content:"|7b 22|link|22 3a 22|http"; depth:13; content:"|22|load|22|"; metadata: former_category TROJAN; reference:url,volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/; classtype:trojan-activity; sid:2024967; rev:3; metadata:created_at 2017_11_06, updated_at 2017_11_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Volex - OceanLotus System Profiling JavaScript (linkStorage.x00SOCKET)"; flow:to_client,established; file_data; content:"linkStorage.x00SOCKET"; metadata: former_category TROJAN; reference:url,volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/; classtype:trojan-activity; sid:2024968; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_06, performance_impact Low, updated_at 2017_11_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN OceanLotus System Profiling JavaScript HTTP Request"; flow:established,to_server; content:".jpg?v="; http_uri; fast_pattern; content:"&d="; distance:0; http_uri; pcre:"/\.jpg\?v=\d+&d=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/U"; content:!"c.shld.net|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/; classtype:trojan-activity; sid:2024969; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag OceanLotus, signature_severity Critical, created_at 2017_11_07, performance_impact Low, updated_at 2017_11_07;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (IcedID CnC)"; flow:established,from_server; content:"|09 00 b9 5a 68 02 24 e5 3e 2e|"; fast_pattern; content:"|55 04 03|"; content:"|06|Server"; distance:1; within:7; metadata: former_category TROJAN; reference:url,securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research; reference:md5,de4ef2e24306b35d29891b45c1e3fbfd; classtype:trojan-activity; sid:2024979; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_13, performance_impact Moderate, updated_at 2017_11_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Lazarus FALLCHILL Fake SSL Checkin 1"; flow:established; dsize:13; content:"|17 03 01 00 08|"; depth:5; content:"|88 4d 76|"; distance:5; within:3; fast_pattern; pcre:"/[\x04\x06]\x88\x4d\x76$/"; metadata: former_category TROJAN; reference:url,www.us-cert.gov/ncas/alerts/TA17-318A; classtype:trojan-activity; sid:2024990; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Lazarus, signature_severity Critical, created_at 2017_11_13, malware_family FALLCHILL, performance_impact Low, updated_at 2017_11_14;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|10|tkyjzgbqfwk3gr55"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024981; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, signature_severity Major, created_at 2017_11_14, malware_family Ransomware, updated_at 2017_11_14;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|10|u2sg7pqxmmrhnzms"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024982; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, signature_severity Major, created_at 2017_11_14, malware_family Ransomware, updated_at 2017_11_14;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|10|u7duee44hwu5lf7r"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024983; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, signature_severity Major, created_at 2017_11_14, malware_family Ransomware, updated_at 2017_11_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/RCAP CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/callback.php?k="; http_uri; fast_pattern; content:"&x="; http_uri; distance:0; content:"Connection|3a 20|close|0d 0a|"; http_header; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,3410af519f791af5f9554cbff7ece24a; classtype:trojan-activity; sid:2024984; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_14, performance_impact Moderate, updated_at 2017_11_14;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN SunOrcal Reaver Domain Observed (tashdqdxp .com in DNS Lookup)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|tashdqdxp|03|com|00|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024986; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_14, malware_family SunOrcal, malware_family Reaver, performance_impact Low, updated_at 2017_11_14;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN SunOrcal Reaver Domain Observed (weryhstui .com in DNS Lookup)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|weryhstui|03|com|00|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024987; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_14, malware_family SunOrcal, malware_family Reaver, performance_impact Low, updated_at 2017_11_14;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN SunOrcal Reaver Domain Observed (fyoutside .com in DNS Lookup)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|fyoutside|03|com|00|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024988; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_14, malware_family SunOrcal, malware_family Reaver, performance_impact Low, updated_at 2017_11_14;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN SunOrcal Reaver Domain Observed (olinaodi .com in DNS Lookup)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|olinaodi|03|com|00|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; classtype:trojan-activity; sid:2024989; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_14, malware_family SunOrcal, malware_family Reaver, performance_impact Low, updated_at 2017_11_14;)

alert tcp any any -> any any (msg:"ET TROJAN Lazarus FALLCHILL Fake SSL Checkin 2"; flow:established; dsize:13; content:"|17 03 01 00 08|"; depth:5; content:"|63 70 7b|"; distance:5; within:3; fast_pattern; pcre:"/[\xb0\xb2]\x63\x70\x7b$/"; metadata: former_category TROJAN; reference:url,www.us-cert.gov/ncas/alerts/TA17-318A; classtype:trojan-activity; sid:2024992; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Lazarus, signature_severity Critical, created_at 2017_11_14, malware_family FALLCHILL, performance_impact Low, updated_at 2017_11_14;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Powershell commands sent when remote host claims to send an image "; flow:established,from_server; content:"Content-Type|3a| image/jpeg"; http_header; content:"New-Object"; nocase; content:"System.Net.WebClient"; nocase; content:"Start-Process"; fast_pattern:only; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025007; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_16, malware_family PowerShell_Downloader, performance_impact Low, updated_at 2017_11_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Powershell commands sent B64 1"; flow:established,from_server; content:"UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAc"; fast_pattern:only; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025010; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_16, updated_at 2017_11_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Powershell commands sent B64 2"; flow:established,from_server; content:"MAdABhAHIAdAAtAFAAcgBvAGMAZQBzAH"; fast_pattern:only; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025011; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_16, updated_at 2017_11_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Powershell commands sent B64 3"; flow:established,from_server; content:"TAHQAYQByAHQALQBQAHIAbwBjAGUAcwBz"; fast_pattern:only; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025012; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_16, updated_at 2017_11_16;)

alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET [!37018,!37039,1024:65535] (msg:"ET TROJAN Possible NanoCore C2 64B"; flow:established,to_server; dsize:68; content:"|40 00 00 00|"; depth:5; pcre:"/^(?!.{0,63}\x00.{0,62}\x00.{0,61}\x00.{0,60}\x00)(?!.{0,62}\x00{2})(?!.{0,59}[A-Za-z0-9]{5})(?!(?P<b1>.).{0,63}(?P=b1).{0,62}(?P=b1).{0,61}(?P=b1).{0,60}(?P=b1))(?!.(?P<b2>.).{0,62}(?P=b2).{0,61}(?P=b2).{0,60}(?P=b2).{0,59}(?P=b2))(?!..(?P<b3>.).{0,61}(?P=b3).{0,60}(?P=b3).{0,59}(?P=b3).{0,58}(?P=b3))(?!...(?P<b4>.).{0,60}(?P=b4).{0,59}(?P=b4).{0,58}(?P=b4).{0,57}(?P=b4))(?!....(?P<b5>.).{0,59}(?P=b5).{0,58}(?P=b5).{0,57}(?P=b5).{0,56}(?P=b5))(?!.....(?P<b6>.).{0,58}(?P=b6).{0,57}(?P=b6).{0,56}(?P=b6).{0,55}(?P=b6))(?!......(?P<b7>.).{0,57}(?P=b7).{0,56}(?P=b7).{0,55}(?P=b7).{0,54}(?P=b7))(?!.......(?P<b8>.).{0,56}(?P=b8).{0,55}(?P=b8).{0,54}(?P=b8).{0,53}(?P=b8))(?!........(?P<b9>.).{0,55}(?P=b9).{0,54}(?P=b9).{0,53}(?P=b9).{0,52}(?P=b9))(?!.........(?P<b10>.).{0,54}(?P=b10).{0,53}(?P=b10).{0,52}(?P=b10).{0,51}(?P=b10))/Rs"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025018; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Nanocore, created_at 2017_11_22, malware_family NanoCore, updated_at 2017_11_22;)

alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Possible NanoCore C2 60B"; flow:established,to_server; dsize:60; content:"|38 00 00 00|"; depth:5; pcre:"/^(?!.{0,56}\x00.{0,55}\x00.{0,54}\x00.{0,53}\x00)(?!.{0,54}\x00{2})(?!.{0,50}[A-Za-z0-9]{5})(?!(?P<b1>.).{0,53}(?P=b1).{0,52}(?P=b1).{0,51}(?P=b1).{0,50}(?P=b1))(?!.(?P<b2>.).{0,52}(?P=b2).{0,51}(?P=b2).{0,50}(?P=b2).{0,49}(?P=b2))(?!..(?P<b3>.).{0,51}(?P=b3).{0,50}(?P=b3).{0,49}(?P=b3).{0,48}(?P=b3))(?!...(?P<b4>.).{0,50}(?P=b4).{0,49}(?P=b4).{0,48}(?P=b4).{0,47}(?P=b4))(?!....(?P<b5>.).{0,49}(?P=b5).{0,48}(?P=b5).{0,47}(?P=b5).{0,46}(?P=b5))(?!.....(?P<b6>.).{0,48}(?P=b6).{0,47}(?P=b6).{0,46}(?P=b6).{0,45}(?P=b6))(?!......(?P<b7>.).{0,47}(?P=b7).{0,46}(?P=b7).{0,45}(?P=b7).{0,44}(?P=b7))(?!.......(?P<b8>.).{0,46}(?P=b8).{0,45}(?P=b8).{0,44}(?P=b8).{0,43}(?P=b8))(?!........(?P<b9>.).{0,45}(?P=b9).{0,44}(?P=b9).{0,43}(?P=b9).{0,42}(?P=b9))(?!.........(?P<b10>.).{0,44}(?P=b10).{0,43}(?P=b10).{0,42}(?P=b10).{0,41}(?P=b10))/Rs"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025019; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Nanocore, created_at 2017_11_22, malware_family NanoCore, updated_at 2017_11_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Patchwork DNS Tunneling (nsn1.winodwsupdates .me)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|04|nsn1|0e|winodwsupdates|02|me|00|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc; classtype:trojan-activity; sid:2025072; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_27, malware_family Patchwork, performance_impact Low, updated_at 2017_11_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Patchwork Domain (randreports .org in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0b|randreports|03|org|00|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc; classtype:trojan-activity; sid:2025073; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_27, malware_family Patchwork, performance_impact Low, updated_at 2017_11_27;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Patchwork Domain (rannd .org in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|05|rannd|03|org|00|"; nocase; fast_pattern; distance:0; metadata: former_category TROJAN; reference:url,docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc; classtype:trojan-activity; sid:2025081; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_27, malware_family Patchwork, performance_impact Low, updated_at 2017_11_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Bladabindi/njRAT (HAMAD versions)"; flow:established,to_server; dsize:<200; content:"|00|"; depth:4; content:"HAMAD"; fast_pattern; distance:0; within:10; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; metadata: former_category TROJAN; reference:md5,cc18ad38eccdf096f0ac5840f380ef4f; classtype:trojan-activity; sid:2025074; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_27, malware_family Bladabindi, malware_family njrat, performance_impact Low, updated_at 2017_11_27;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Brazilian Banker SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|15|processamentos.com.br"; distance:1; within:22; fast_pattern; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025075; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_11_28, malware_family Banking_Trojan, performance_impact Low, updated_at 2017_11_28;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Brazilian Banker SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|16|robervalmotores.com.br"; distance:1; within:23; fast_pattern; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025076; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_11_28, malware_family Banking_Trojan, performance_impact Low, updated_at 2017_11_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Bladabindi/njRAT (Dd19271927)"; flow:established,to_server; content:"|00|llDd19271927"; fast_pattern; offset:2; depth:14; dsize:<512; metadata: former_category TROJAN; reference:md5,18fcc5f04f74737ca8a3fcf65a45629c; classtype:trojan-activity; sid:2025077; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_28, malware_family njrat, performance_impact Moderate, updated_at 2017_11_28;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Mirai Variant Domain (bigboatreps .pw in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0b|bigboatreps|02|pw|00|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quickly-on-port-23-and-2323-en/; classtype:trojan-activity; sid:2025078; rev:3; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_11_28, malware_family Mirai, performance_impact Low, updated_at 2017_11_28;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Mirai Variant Domain (blacklister .nl in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0b|blacklister|02|nl|00|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quickly-on-port-23-and-2323-en/; classtype:trojan-activity; sid:2025079; rev:3; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_11_28, malware_family Mirai, performance_impact Low, updated_at 2017_11_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN UBoatRAT CnC Check-in"; flow:established,to_server; dsize:>48; content:"|bc b0 b0 88 88 88 88 88 88 88 88 88|"; depth:12; fast_pattern; metadata: former_category TROJAN; reference:url,researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/; classtype:trojan-activity; sid:2025093; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_01, malware_family UBoatRAT, performance_impact Low, updated_at 2017_12_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Observed SluttyPutty Maldoc User-Agent"; flow:established,to_server; content:"|0d 0a|User-Agent|3a 20|come-tome|0d 0a|"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025118; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag MalDoc, signature_severity Major, created_at 2017_12_05, updated_at 2017_12_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sharik/Smoke CnC Beacon 7"; flow:established,to_server; content:"POST"; http_method; content:"/"; http_uri; depth:1; content:"/"; http_uri; distance:0; isdataat:!1,relative; content:"|0d 0a|Content-Length|3a 20|63|0d 0a|"; http_header; fast_pattern; content:"|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent|3a 20|"; http_header; pcre:"/^User-Agent\x3a\x20[^\r\n]+(?:MSIE|rv\x3a)/Hmi"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; metadata: former_category TROJAN; reference:md5,7e604b9e059d054d58c91330d4d88c62; classtype:trojan-activity; sid:2025119; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Smoke_Loader, signature_severity Major, created_at 2017_12_05, updated_at 2017_12_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Sharik/Smoke Loader Microsoft Connectivity check"; flow:established,to_server; content:"GET"; http_method; content:"/kb/"; http_uri; depth:4; fast_pattern; pcre:"/^\/kb\/\d{4,8}$/U"; content:"User-Agent|3a|"; http_header; content:!"Microsoft Outlook"; distance:0; http_header; content:"|0d 0a|"; distance:0; http_header; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; metadata: former_category TROJAN; reference:md5,7e604b9e059d054d58c91330d4d88c62; classtype:trojan-activity; sid:2025120; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Smoke_Loader, signature_severity Major, created_at 2017_12_05, updated_at 2018_01_31;)

alert udp $HOME_NET any -> any any (msg:"ET TROJAN MewsSpy.AE Onion Domain (cxkefbwo7qcmlelb in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|10|cxkefbwo7qcmlelb"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:md5,e69b3a5b8fccd8607e08dd6d34ae99a9; classtype:trojan-activity; sid:2025121; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Major, created_at 2017_12_05, performance_impact Low, updated_at 2017_12_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Botnet Nitol.B Checkin"; flow:established,to_server,no_stream; dsize:<400; content:"|00 00 77 00 00 00|"; depth:30; fast_pattern; content:"MHz"; distance:0; within:350; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:120; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025135; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_12_06, malware_family nitol, performance_impact Moderate, updated_at 2018_01_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN njRAT/Bladabindi Variant (Lime) CnC Checkin"; flow:established,to_server; dsize:<250; content:"|00|ll"; within:6; content:"TGltZV8"; distance:0; within:30; fast_pattern; pcre:"/^[0-9]{2,3}\x00\x6c\x6c(?P<var>[\x20-\x2f\x30-\x39\x3a-\x40\x5b-\x60\x7b-\x7e][\x20-\x7e]+?[\x20-\x2f\x30-\x39\x3a-\x40\x5b-\x60\x7b-\x7e])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})(?P=var)[^\r\n]+(?P=var)$/s"; metadata: former_category TROJAN; reference:md5,ce37b5b473377810bc76e0491533b4e7; classtype:trojan-activity; sid:2025136; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_06, malware_family njrat, performance_impact Moderate, updated_at 2017_12_06;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Injected WP Keylogger/Coinminer Domain Detected (cloudflare .solutions in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0a|cloudflare|09|solutions|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,blog.sucuri.net/2017/12/cloudflare-solutions-keylogger-on-thousands-of-infected-wordpress-sites.html; classtype:trojan-activity; sid:2025141; rev:1; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2017_12_07, malware_family CoinMiner, performance_impact Moderate, updated_at 2017_12_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sharik/Smoke CnC Beacon 8"; flow:established,to_server; content:"POST"; http_method; content:"/ HTTP/1.1|0d 0a|Cache-Control|3a 20|no-cache|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|Pragma|3a 20|no-cache|0d 0a|Content-Type|3a 20|"; fast_pattern:only; content:"|0d 0a|Content-Length|3a 20|"; http_header; content:"|0d 0a|"; http_header; distance:2; within:2; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|rv:11.0) like Gecko|0d 0a|"; http_header; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; metadata: former_category TROJAN; reference:md5,5b0e06e3e896d541264a03abef5f30c7; classtype:trojan-activity; sid:2025142; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Smoke_Loader, signature_severity Major, created_at 2017_12_07, updated_at 2017_12_07;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN MSIL/NxRansomware C2 Domain Detected (0cf5ff34 .ngrok .io in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|08|0cf5ff34|05|ngrok|02|io|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,twitter.com/struppigel/status/940239612324319232; classtype:trojan-activity; sid:2025143; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_11, malware_family Ransomware, performance_impact Moderate, updated_at 2017_12_11;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN GratefulPOS Covert DNS CnC Initial Checkin"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|08|"; distance:0; within:3; pcre:"/^[a-f0-9]{8}[\x03-\x06]grp/R"; content:"|04|ping|03|adm"; distance:0; fast_pattern; isdataat:30,relative; metadata: former_category TROJAN; reference:md5,67a53bd24ee8499fed79c8c368e05f7a; reference:url,community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season; classtype:trojan-activity; sid:2025144; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_11, malware_family Grateful_POS, performance_impact Moderate, updated_at 2017_12_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Backdoor.Randrew.A CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".aspx?A="; http_uri; fast_pattern; content:"Accept-Language|3a 20|zh-TW"; http_header; content:!"Referer|3a 20|"; http_header; content:!"Cache"; http_header; pcre:"/\.aspx\?A=[A-Z0-9\-]{30,42}$/U"; metadata: former_category TROJAN; reference:md5,BFB3C542AD815436EC3F2FD71582AD08B7E7301C; classtype:trojan-activity; sid:2025145; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_11, malware_family Randrew_A, performance_impact Low, updated_at 2017_12_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Downloader.Small.BIL CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?a=Te"; http_uri; fast_pattern; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:!"Cache"; http_header; content:!"Accept"; http_header; pcre:"/^Host\x3a\x20[^\r\n]+\r\nConnection\x3a\x20[^\r\n]+\r\n(?:\r\n)?$/Hi"; metadata: former_category TROJAN; reference:md5,4C669A60719FC1051FB336CB25B209FD; classtype:trojan-activity; sid:2025147; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_13, malware_family Downloader_Small_BIL, performance_impact Low, updated_at 2017_12_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Bot.Sezin CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?machine_id="; http_uri; fast_pattern; content:"&x64"; http_uri; distance:0; content:"&version="; http_uri; distance:0; content:"&video_card="; http_uri; distance:0; content:"&cpu="; http_uri; distance:0; content:"&junk="; http_uri; distance:0; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; metadata: former_category TROJAN; reference:md5,73611bd5d1d0ad865cd26b003aa525b4; classtype:trojan-activity; sid:2025148; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_13, malware_family Bot_Sezin, performance_impact Low, updated_at 2017_12_13;)

alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] DorkBot.Downloader CnC Response"; flow:established,to_client; dsize:517; content:"|45 36 27 18|"; depth:4; fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:0; metadata: former_category TROJAN; reference:url,www.freebuf.com/articles/terminal/153428.html; reference:url,research.checkpoint.com/dorkbot-an-investigation/; classtype:trojan-activity; sid:2025152; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_15, performance_impact Low, updated_at 2018_02_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN [PTsecurity] DorkBot.Downloader CnC Beacon"; flow:established,to_server; dsize:170; content:"|45 36 27 18 08 20|"; depth:6; fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:0; metadata: former_category TROJAN; reference:url,www.freebuf.com/articles/terminal/153428.html; reference:url,research.checkpoint.com/dorkbot-an-investigation/; classtype:trojan-activity; sid:2025153; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_15, performance_impact Low, updated_at 2018_02_05;)

alert tcp $EXTERNAL_NET [443,449] -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TrickBot CnC)"; flow:established,to_client; content:"|55 04 06|"; content:"|02|AU"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0b|gf23et65adt"; distance:1; within:12; content:"|55 04 0a|"; distance:0; content:"|08|tg4r6tds"; distance:1; within:9; content:"|55 04 0b|"; distance:0; content:"|03|rst"; distance:1; within:4; content:"|55 04 03|"; distance:0; content:"|08|rvgvtfdf"; distance:1; within:9; metadata: former_category TROJAN; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2025155; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, created_at 2017_12_19, updated_at 2017_12_19;)

alert tcp $EXTERNAL_NET [443,449] -> $HOME_NET any (msg:"ET TROJAN Possible Trickbot/Dyre Serial Number in SSL Cert"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 89 BF 80 13 42 0A 2E F5|"; within:35; fast_pattern; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025156; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Trickbot, signature_severity Major, created_at 2017_12_20, updated_at 2017_12_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Backdoor.YesMaster CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"x-user-agent|3a 20|YesMaster|0d 0a|"; http_header; fast_pattern; content:"x-whoami:"; http_header; content:"x-pwd:"; http_header; content:"x-hostname:"; http_header; content:"x-isadm"; http_header; content:"x-is64Env:"; http_header; content:!"User-Agent:"; http_header; metadata: former_category TROJAN; reference:md5,4941501aca63cb8bdc86dadeffc9c29c; classtype:trojan-activity; sid:2025157; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_20, malware_family YesMaster, performance_impact Moderate, updated_at 2017_12_20;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Windows executable sent when remote host claims to send an image M4"; flow:established,from_server; content:"|0d 0a|Content-Type|3a 20|image/jpeg|0d 0a|"; http_header; file_data; content:"This program must be run under Win"; within:125; fast_pattern; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025161; rev:2; metadata:created_at 2017_12_21, updated_at 2017_12_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Patchwork.Backdoor Communicating with CnC"; flow:established,to_server; content:"POST"; http_method; content:".php?cx="; http_uri; nocase; fast_pattern; content:"&b="; http_uri; nocase; distance:0; content:"&gt="; http_uri; nocase; distance:0; content:"&tx="; http_uri; nocase; distance:0; content:"|0d 0a|Content-Length|3a 20|0|0d 0a|"; http_header; pcre:"/\.php\?cx=[A-F0-9]+&b=[A-F0-9]+&gt=[A-F0-9]+&tx=[A-F0-9]+$/Ui"; metadata: former_category TROJAN; reference:md5,ddeabe234c4084ba379cf3be4fdf503d; classtype:trojan-activity; sid:2025163; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_21, updated_at 2018_05_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Patchwork.Backdoor CnC Check-in M2"; flow:established,to_server; content:"POST"; http_method; content:".php?b="; http_uri; nocase; content:"|0d 0a|Content-Length|3a 20|0|0d 0a|"; http_header; pcre:"/\.php\?b=[A-F0-9]{30}$/Ui"; metadata: former_category TROJAN; reference:md5,ddeabe234c4084ba379cf3be4fdf503d; classtype:trojan-activity; sid:2025164; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_21, updated_at 2018_05_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WooSIP Downloader CnC CreateFolderOnServer"; flow:established,to_server; content:"GET"; http_method; content:"/process_ad.php?sDir="; http_uri; nocase; content:!"Referer"; http_header; metadata: former_category TROJAN; reference:md5,1cd356ab1943f120b04ad21afd9dcdb3; classtype:trojan-activity; sid:2025165; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_21, updated_at 2017_12_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WooSIP Downloader CnC DeleteFileOnServer"; flow:established,to_server; content:"GET"; http_method; content:"/process_ad.php?fileDel="; http_uri; nocase; content:!"Referer"; http_header; metadata: former_category TROJAN; reference:md5,1cd356ab1943f120b04ad21afd9dcdb3; classtype:trojan-activity; sid:2025166; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_21, updated_at 2017_12_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WooSIP Downloader CnC WriteMetadataOnServer"; flow:established,to_server; content:"GET"; http_method; content:"/write_meta.php?sDir="; http_uri; nocase; content:!"Referer"; http_header; metadata: former_category TROJAN; reference:md5,1cd356ab1943f120b04ad21afd9dcdb3; classtype:trojan-activity; sid:2025167; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_21, updated_at 2017_12_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Smurf2 CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a 20|Mozilla/5.0|0d 0a|"; http_header; content:"Accept|3a 20|??"; http_header; content:"teststr="; depth:8; nocase; http_client_body; fast_pattern; content:"&testval="; nocase; distance:0; http_client_body; metadata: former_category TROJAN; reference:md5,e2d136bb63edc092d2f3d26885b239d9; classtype:trojan-activity; sid:2025168; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_21, updated_at 2017_12_21;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Windows Executable Downloaded With Image Content-Type Header"; flow:established,to_client; content:"Content-Type|3a 20|image/"; http_header; file_data; content:"This program must be run under Win"; within:125; fast_pattern; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025169; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_12_21, updated_at 2017_12_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Backdoor.Agent.qweydh CnC Checkin M1"; flow:established,to_server; content:"GET"; http_method; content:"/api/up.php"; http_uri; fast_pattern; content:"Host|3a|"; http_header; depth:5; content:!"Content-Type|3a|"; http_header; content:!"Accept"; http_header; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; pcre:"/^Host\x3a\x20[^\r\n]+\r\n(?:Connection\x3a\x20[^\r\n]+\r\n)?\r\n$/Hmi"; metadata: former_category TROJAN; reference:md5,5dcc10711305c0bd4c8290eaae660ef3; classtype:trojan-activity; sid:2025170; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_22, performance_impact Moderate, updated_at 2017_12_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Backdoor.Agent.qweydh CnC Checkin M2"; flow:established,to_server; content:"POST"; http_method; content:"/update.php"; http_uri; fast_pattern; content:"data="; http_client_body; depth:5; content:!"Accept"; http_header; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; pcre:"/^data=(?:[A-Za-z0-9%2b%2f]{4})*(?:[A-Za-z0-9%2b%2f]{2}%3d%3d|[A-Za-z0-9%2b%2f]{3}%3d|[A-Za-z0-9%2b%2f]{4})$/Psi"; metadata: former_category TROJAN; reference:md5,5dcc10711305c0bd4c8290eaae660ef3; classtype:trojan-activity; sid:2025171; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_22, performance_impact Moderate, updated_at 2017_12_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Backdoor.Agent.qweydh CnC Activity"; flow:established,to_server; content:".php?mac="; http_uri; fast_pattern; content:!"Accept"; http_header; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a\x20[^\r\n]+\r\n(?:Connection\x3a\x20[^\r\n]+\r\n)?\r\n$/Hmi"; pcre:"/\.php\?mac=[0-9A-F]{12}$/U"; metadata: former_category TROJAN; reference:md5,5dcc10711305c0bd4c8290eaae660ef3; classtype:trojan-activity; sid:2025172; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_22, performance_impact Moderate, updated_at 2017_12_22;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Zeus Panda CnC Domain (in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|13|pprulispikosqcsiwef|04|info|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:md5,20adfac68ced5225c9021bc051e66d18; classtype:trojan-activity; sid:2025177; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_29, malware_family Zeus_Panda, performance_impact Moderate, updated_at 2017_12_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sharik/Smoke CnC Beacon 9"; flow:established,to_server; content:"POST"; http_method; content:"/"; http_uri; urilen:1; content:"|0d 0a|Content-Length|3a 20|63|0d 0a|"; http_header; fast_pattern; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent|3a 20|"; http_header; pcre:"/^User-Agent\x3a\x20[^\r\n]+(?:MSIE|rv\x3a)/Hmi"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; metadata: former_category TROJAN; reference:md5,7e604b9e059d054d58c91330d4d88c62; classtype:trojan-activity; sid:2025178; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Smoke_Loader, signature_severity Major, created_at 2017_12_29, updated_at 2017_12_29;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Qasar Variant Domain (datapeople-cn .com in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0d|datapeople-cn|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,twitter.com/blu3_team/status/947858470816112640; classtype:trojan-activity; sid:2025179; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Patchwork, signature_severity Major, created_at 2018_01_02, malware_family Qasar_Rat, performance_impact Moderate, updated_at 2018_01_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oilrig Stealer CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".aspx?version="; http_uri; fast_pattern; pcre:"/\.aspx\?version=[0-9]+lu[0-9]+d[0-9]+$/Ui"; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; metadata: former_category TROJAN; reference:url,docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXB85f6VL_Zm79wtTK59xADKh6MG0G7hSBZi8cPOiQVWAIie0/pub; classtype:trojan-activity; sid:2025182; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_04, malware_family OilRig, performance_impact Low, updated_at 2018_01_04;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Python Monero Miner CnC DNS Query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|zsw8|02|cc|00|"; nocase; distance:0; fast_pattern; pcre:"/\x01[a-z]\x04zsw8\x02cc\x00/";  metadata: former_category TROJAN; reference:url,f5.com/labs/articles/threat-intelligence/malware/new-python-based-crypto-miner-botnet-flying-under-the-radar; classtype:trojan-activity; sid:2025183; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, deployment Perimeter, tag Cryptominer, signature_severity Major, created_at 2018_01_04, updated_at 2018_01_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MedusaHTTP CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (X11|3b 20|Ubuntu|3b 20|Linux i686|3b 20|rv|3a|45.0) Gecko/20100101 Firefox/45.0"; http_header; content:"xyz="; http_client_body; depth:4; fast_pattern; content:"|7c|"; http_client_body; distance:0; content:"|7c|"; http_client_body; distance:0; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,d463ee91a2d7b8482554c23bb7d9aa3d; reference:url,www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight; classtype:trojan-activity; sid:2025187; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_05, malware_family MedusaHTTP, performance_impact Moderate, updated_at 2018_01_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bitter RAT HTTP CnC Beacon M2"; flow:established,to_server; content:"GET"; http_method; content:".php?TIe="; http_uri; fast_pattern; pcre:"/\.php\?TIe=[a-zA-Z0-9\x21\x2a\x2f\x2e\x3b\x3a\x5b\x5d]+$/U";content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; threshold: type both, count 5, seconds 120, track by_src; metadata: former_category TROJAN; reference:url,community.rsa.com/community/products/netwitness/blog/2018/01/10/malspam-delivers-bitter-rat-07-01-2018; reference:md5,cc58dd8592555ff6275196e62af3242e; classtype:trojan-activity; sid:2025198; rev:1; metadata:created_at 2018_01_11, updated_at 2018_01_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN OSX/Mami CnC Checkin"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"User-Agent|3a 20 0d 0a|"; http_header; fast_pattern; content:"r="; http_client_body; depth:2; content:"&rc="; distance:0; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:url,objective-see.com/blog/blog_0x26.html; reference:md5,8482fc5dbc6e00da151bea3eba61e360; classtype:trojan-activity; sid:2025199; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_14, malware_family Mami, performance_impact Moderate, updated_at 2018_01_14;)

alert udp $HOME_NET any -> [82.163.143.135,82.163.142.137] 53 (msg:"ET TROJAN OSX/Mami Possible DNS Query to Evil DNS Server"; threshold:type limit, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,8482fc5dbc6e00da151bea3eba61e360; reference:url,objective-see.com/blog/blog_0x26.html; classtype:trojan-activity; sid:2025200; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_16, malware_family Mami, performance_impact Moderate, updated_at 2018_01_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Observed Evrial Domain (cryptoclipper .ru in TLS SNI)"; flow:established,to_server; content:"|00 00 10|cryptoclipper.ru"; fast_pattern; nocase; metadata: former_category TROJAN; reference:md5,5a71cc1c1ea541eb47638218a25c4123; classtype:trojan-activity; sid:2025201; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_16, malware_family Evrial, performance_impact Moderate, updated_at 2018_01_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Trojan.Downloader VBA Script obfuscation (binary_getter)"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"(Chr((((asc(Mid("; depth:300; content:",1,1))-65))*25+(asc(Mid("; within:100; content:",2,1))-65)-"; within:100; threshold:type limit, track by_src, count 1, seconds 30; metadata: former_category TROJAN; reference:md5,bad07f85a7baaeaa8aeb72997712aa98; classtype:trojan-activity; sid:2025202; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_16, updated_at 2018_01_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MoneroPay Ransomware Payment Activity"; flow:established,to_server; content:"GET"; http_method; content:"/paid?id="; http_uri; fast_pattern; pcre:"/\/paid\?id=[a-f0-9]{16}$/U"; content:"Host|3a 20|"; depth:6; http_header; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Cookie"; content:!"Connection|3a|"; http_header; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,14ea53020b4d0cb5acbea0bf2207f3f6; classtype:trojan-activity; sid:2025204; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_16, malware_family Ransomware, performance_impact Moderate, updated_at 2018_01_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Gozi/Ursnif Payload v14"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"|d9 2c c6 af f6 26 56 bb 73 f5 c4 68 0f 90 d9 d4|"; depth:16; fast_pattern; metadata: former_category TROJAN; reference:url,github.com/ptresearch/AttackDetection; classtype:trojan-activity; sid:2025205; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_17, malware_family ursnif, malware_family Gozi, performance_impact Low, updated_at 2018_01_17;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Adwind SSL Certificate Observed"; flow:established,from_server; content:"|0b|"; content:"|04 70 fe e3 2f|"; distance:18; within:20; content:"|55 04 0a|"; distance:0; content:"|07|khgvjbk"; distance:1; within:13; fast_pattern; metadata: former_category TROJAN; reference:md5,f2bf38a25919e24f0c96d9ec30e4e8d4; classtype:trojan-activity; sid:2025209; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_18, malware_family Adwind, malware_family Qarallex, performance_impact Low, updated_at 2018_01_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Malicious Chrome Extension Requesting Websocket"; flow:established,to_server; content:"GET"; http_method; content:"Upgrade|3a 20|websocket|0d 0a|"; http_header; content:"Origin|3a 20|chrome-extension|3a|//ppmibgfeefcglejjlpeihfdimbkfbbnm|0d 0a|"; http_header; fast_pattern:27,20; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:url,icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses; classtype:trojan-activity; sid:2025220; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_18, performance_impact Moderate, updated_at 2018_01_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Malicious Chrome Extension Click Fraud Activity via Websocket"; flow:established,to_client; content:"|7b 22|id|22 3a|"; within:10; content:"|2c 22|data|22 3a 7b 22|method|22 3a 22|GET|22 2c 22|url|22 3a 22|"; distance:0; content:"|22 2c 22|headers|22 3a 7b 22|"; distance:0; content:"|2c 22|timeout|22 3a|30000|2c 22|body|22 3a 22|"; distance:0; fast_pattern; threshold: type both, track by_dst, count 1, seconds 120; metadata: former_category TROJAN; reference:url,www.icebrg.io/index.php?p=blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses; reference:url,www.icebrg.io/blog/more-extensions-more-money-more-problems; classtype:trojan-activity; sid:2025221; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_18, performance_impact Moderate, updated_at 2018_06_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown EXE Dropped by 2017-11882 RTF"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; content:"|20|name=|22|kind|22|"; http_client_body; fast_pattern; content:"|20|name=|22|fname|22|"; http_client_body; distance:0; content:"Host|3a 20|"; http_header; depth:6; metadata: former_category TROJAN; reference:url,twitter.com/securitydoggo/status/954337767751905280; classtype:trojan-activity; sid:2025224; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_19, performance_impact Moderate, updated_at 2018_01_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Drun Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; content:!"User-Agent|3a 20|"; http_header; content:"kind="; http_client_body; depth:5; fast_pattern; content:"&id="; http_client_body; distance:0; content:"Host|3a 20|"; http_header; depth:6; metadata: former_category TROJAN; reference:url,twitter.com/securitydoggo/status/954337767751905280; classtype:trojan-activity; sid:2025225; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target DNS_Server, deployment Perimeter, signature_severity Major, created_at 2018_01_19, performance_impact Moderate, updated_at 2018_01_19;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Observed Evrial Domain (projectevrial .ru in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0d|projectevrial|02|ru|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025228; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_22, malware_family Evrial, performance_impact Moderate, updated_at 2018_01_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN VBS.ARS Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php?os=windows"; http_uri; nocase; fast_pattern; content:"&user="; http_uri; distance:0; content:"&av="; http_uri; distance:0; content:"&fw="; http_uri; distance:0; content:"&hwid="; http_uri; distance:0; content:"&x="; http_uri; distance:0; content:!"Referer|3a 20|"; http_header; metadata: former_category TROJAN; reference:url,twitter.com/B_H101/status/954984729329184768; classtype:trojan-activity; sid:2025230; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_22, performance_impact Moderate, updated_at 2018_01_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Rodecap/Travle/PYLOT CnC Checkin M2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/5.0|0d 0a|"; fast_pattern:5,20; http_header; content:"l"; http_client_body; depth:1; content:"=OTl"; within:8; http_client_body; content:"&e"; http_client_body; distance:0; content:"="; http_client_body; within:6; content:"&m"; http_client_body; distance:0; content:"="; http_client_body; within:6; metadata: former_category TROJAN; reference:md5,ba6dcea82f59799d86111fa28ae95641; reference:url,securelist.com/travle-aka-pylot-backdoor-hits-russian-speaking-targets/83455; classtype:trojan-activity; sid:2025234; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_22, malware_family travle, malware_family PYLOT, malware_family Rodecap, performance_impact Moderate, updated_at 2018_01_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MSIL/SamMiner CnC Checkin M1"; flow:established,to_server; content:"GET"; http_method; content:".php?act=hi&uid="; http_uri; fast_pattern; content:"&ver="; http_uri; content:"&dotnetver="; http_uri; content:"&onwork="; http_uri; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; metadata: former_category TROJAN; reference:md5,baa89d17522df0e05a16fa2c23d58f58; classtype:trojan-activity; sid:2025235; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_22, performance_impact Moderate, updated_at 2018_01_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MSIL/SamMiner CnC Checkin M2"; flow:established,to_server; content:"POST"; http_method; content:".php?act=info&uid="; http_uri; fast_pattern; content:"&ver="; http_uri; content:"info="; depth:5; http_client_body; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; metadata: former_category TROJAN; reference:md5,baa89d17522df0e05a16fa2c23d58f58; classtype:trojan-activity; sid:2025237; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_22, performance_impact Moderate, updated_at 2018_01_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Brazilian Banker CnC Activity"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"Embarcadero URI Client/1.0"; http_header; content:"AS100="; fast_pattern; http_client_body; content:"AS200="; distance:0; http_client_body; metadata: former_category TROJAN; reference:md5,94cd521945da6ab73bc7a1462283d22a; classtype:trojan-activity; sid:2025241; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banker, signature_severity Major, created_at 2018_01_22, malware_family Banking_Trojan, performance_impact Low, updated_at 2018_01_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ELF/TooEasy Miner CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php?p="; http_uri; content:"User-Agent|3a 20|curl/"; http_header; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|msg|22|"; http_client_body; content:"|0d 0a|Downloading files|0d 0a|"; http_client_body; fast_pattern; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; metadata: former_category TROJAN; reference:md5,dc62dd14321dfa9f14c094a7b1e20979; classtype:trojan-activity; sid:2025251; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_25, performance_impact Moderate, updated_at 2018_01_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/SchwSonne CnC Beacon M2"; flow:established,to_server; content:"C|7c|P-UID-"; depth:8; fast_pattern; content:"|7c|Microsoft"; distance:0; content:"|7c|["; distance:0; content:"]|7c|"; distance:0; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025252; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_25, malware_family SchwartzSonnne, performance_impact Moderate, updated_at 2018_01_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN [PTsecurity] Kuriyama Loader Checkin"; flow: established, to_server; content:"?hwid="; http_uri; content:"&group="; http_uri; fast_pattern; content:"&os="; http_uri; content:"&cpu="; http_uri; content:"GET"; http_method;  content:!"Referer|3a|"; http_header; threshold: type both, track by_src, count 2, seconds 60; metadata: former_category TROJAN; reference:url,darkwebs.ws/threads/41806/; reference:md5,e18c73ec38cbdd0bb0c66f360183e6d9; classtype:trojan-activity; sid:2025253; rev:3; metadata:created_at 2018_01_26, updated_at 2018_01_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/GandCrab Ransomware CnC Activity"; flow:established,to_server; content:"POST"; http_method; content:".php?token="; http_uri; fast_pattern; pcre:"/\.php\?token=[0-9]{2,6}$/U"; content:"data="; http_client_body; depth:5; pcre:"/^data=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/Ps"; pcre:"/Content-Length\x3a\x20[0-9]{3,}\x0d\x0a/H"; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; content:!"Cookie"; metadata: former_category TROJAN; reference:md5,aedf80c426fb649bb258e430a3830d85; classtype:trojan-activity; sid:2025254; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_26, malware_family GandCrab, performance_impact Moderate, updated_at 2018_01_26;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Observed Evrial Domain (cryptoclipper .ru in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0d|cryptoclipper|02|ru|00|"; nocase; distance:0; fast_pattern; reference:md5,5a71cc1c1ea541eb47638218a25c4123; classtype:trojan-activity; sid:2025256; rev:1; metadata:created_at 2018_01_29, updated_at 2018_01_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Observed Evrial Domain (projectevrial .ru in TLS SNI)"; flow:established,to_server; content:"|00 00 10|projectevrial.ru"; fast_pattern:only; nocase; metadata: former_category TROJAN; reference:md5,5a71cc1c1ea541eb47638218a25c4123; classtype:trojan-activity; sid:2025257; rev:1; metadata:created_at 2018_01_29, updated_at 2018_01_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Evrial Stealer CnC Activity"; flow:established,to_server; content:"POST"; http_method; content:"/upload.php?user="; http_uri; fast_pattern; content:"&hwid="; http_uri; distance:0; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|"; http_client_body; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; metadata: former_category TROJAN; reference:md5,485069677e997ff6ce193be7258c783f; classtype:trojan-activity; sid:2025266; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_29, malware_family Evrial, performance_impact Moderate, updated_at 2018_01_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Dropper.Delf Checkin"; flow:established,to_server; content:"/autoupdate/versaoatual.txt"; fast_pattern; content:"Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; metadata: former_category TROJAN; reference:md5,52765b346c12d55e255a669bb8cfebb8; classtype:trojan-activity; sid:2025283; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_01, malware_family Dropper, performance_impact Low, updated_at 2018_02_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Operation EvilTraffic Initial Redirect M1"; flow:to_server,established; urilen:>40; content:"GET"; http_method; content:"/for/77/?d="; http_uri; nocase; content:"&mykeys="; http_uri; nocase; distance:0; content:"Host|3a 20|superasdc.pw|0d 0a|"; http_header; fast_pattern; metadata: former_category TROJAN; reference:url,csecybsec.com/download/zlab/20180121_CSE_Massive_Malvertising_Report.pdf; classtype:trojan-activity; sid:2025287; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_02_01, performance_impact Moderate, updated_at 2018_02_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Operation EvilTraffic Initial Redirect M2"; flow:to_server,established; urilen:>40; content:"GET"; http_method; content:"/for/77/?d="; http_uri; nocase; content:"&mykeys="; http_uri; nocase; distance:0; content:"Host|3a 20|caforyn.pw|0d 0a|"; http_header; fast_pattern; metadata: former_category TROJAN; reference:url,csecybsec.com/download/zlab/20180121_CSE_Massive_Malvertising_Report.pdf; classtype:trojan-activity; sid:2025288; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_01, performance_impact Moderate, updated_at 2018_02_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Elise Style IP Check"; flow:to_server,established; urilen:16; content:"/myip?format=txt"; http_uri; fast_pattern; content:"Host|3a 20|api.ipaddress.com"; http_header; content:"Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trident/4.0|3b| SLCC2|3b| .NET CLR 2.0.50727|3b| .NET CLR 3.5.30729|3b| .NET CLR 3.0.30729|3b| Media Center PC 6.0|3b| .NET4.0C|3b| .NET4.0E)"; http_header; pcre:"/^Connection\x3a\x20[^\r\n]+\r\nUser-Agent\x3a\x20[^\r\n]+\r\nHost\x3a\x20[^\r\n]+/H"; metadata: former_category TROJAN; reference:md5,f12fc711529b48bcef52c5ca0a52335a; reference:url,community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting; classtype:trojan-activity; sid:2025289; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_01, malware_family elise, performance_impact Moderate, updated_at 2018_02_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Elise CnC Beacon 2 M2"; flow:to_server,established; content:"POST"; http_method; pcre:"/^\/[a-z]{3,6}\/[a-z]{3,6}\.[a-z]{3}$/U"; content:"=|3b 20|"; http_cookie; content:"=|3b 20|"; http_cookie; distance:0; content:"=|3b|"; http_cookie; distance:0;  content:"Cache-Control|3a 20|no-cache|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|Pragma|3a 20|no-cache|0d 0a|Accept|3a 20|"; http_header; content:"=|3b 0d 0a|Host|3a|"; fast_pattern; metadata: former_category TROJAN; reference:md5,f12fc711529b48bcef52c5ca0a52335a; reference:url,community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting; classtype:trojan-activity; sid:2025291; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_02, malware_family elise, performance_impact Moderate, updated_at 2018_02_02;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Observed ExecPS/Cobolt Domain (getfreshnews .com in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0c|getfreshnews|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:md5,5d4d3ba6823a07f070f5a42cbcc7a5c8; classtype:trojan-activity; sid:2025304; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_02, performance_impact Moderate, updated_at 2018_02_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN [Flashpoint] Possible CVE-2018-4878 Check-in"; flow:established,to_server; content:"?id="; http_uri; nocase; content:"&fp_vs="; http_uri; nocase; distance:0; fast_pattern; content:"&os_vs="; http_uri; nocase; distance:0; metadata: former_category TROJAN; reference:url,www.flashpoint-intel.com/blog/targeted-attacks-south-korean-entities/; reference:cve,2018-4878; classtype:trojan-activity; sid:2025305; rev:3; metadata:cve cve_2018_4878, created_at 2018_02_02, updated_at 2018_02_05;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Shurl0ckr Ransomware CnC (kdvm5fd6tn6jsbwh .onion .to in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|10|kdvm5fd6tn6jsbwh"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025332; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_08, malware_family Shurl0ckr, performance_impact Moderate, updated_at 2018_02_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/SPARS/ARS Stealer Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?action="; http_uri;  content:"&hwid="; http_uri; distance:0; content:"&access="; fast_pattern; http_uri; distance:0; content:!"Referer"; http_header; metadata: former_category TROJAN; reference:md5,76516b465b3589547a9c7c7d955238d8; classtype:trojan-activity; sid:2025344; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_12, malware_family Ars_Stealer, performance_impact Moderate, updated_at 2018_02_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Evrial Stealer Retrieving CnC Information"; flow:established,to_server; content:"GET"; http_method; content:"/Project-Evrial-C2-DOMAIN-"; http_uri; fast_pattern; nocase; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Cookie"; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,540c736b7e11287805ddd4f3a9d37934; classtype:trojan-activity; sid:2025346; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_13, malware_family Evrial, performance_impact Moderate, updated_at 2018_02_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MSIL/Agent.BIC Variant CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"?response="; http_uri; content:"&cpu="; http_uri; distance:0; content:"&gpu="; http_uri; distance:0; content:"&ram="; http_uri; distance:0; content:"&name="; http_uri; distance:0; content:"&os="; http_uri; distance:0; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; content:!"Accept"; http_header; content:!"Cache"; http_header; metadata: former_category TROJAN; reference:md5,C6C781F0ED065476A4297C2AC96A6D83; classtype:trojan-activity; sid:2025359; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_15, malware_family Agent_BIC, performance_impact Low, updated_at 2018_02_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Win32/Backdoor.Small.ao CnC Checkin"; flow:established,to_server; dsize:<300; content:"POST /waiting HTTP/1.1|0d|"; depth:23; content:"|0a|User-Agent|3a 20|BC_Vic_"; distance:0; fast_pattern; content:"BC_SPL|0d 0a|"; distance:0; content:"|0d 0a 0d 0a|"; distance:0; content:"|0d 0a|Expect|3a 20|"; content:!"|0d 0a|Referer|3a 20|"; content:!"|0d 0a|Accept"; content:!"|0d 0a|Cache"; threshold: type limit, track by_dst, seconds 30, count 1; metadata: former_category TROJAN; reference:md5,e8c9d8ffe8fae54b15262bf9aeb4172c; classtype:trojan-activity; sid:2025370; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_19, malware_family Backdoor_Small, performance_impact Low, updated_at 2018_02_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Evrial Stealer CnC Activity M2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|report - "; http_client_body; fast_pattern:44,20; content:".bin|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a|"; http_client_body; distance:19; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; content:!"User-Agent|3a|"; http_header; pcre:"/\.php$/U"; metadata: former_category TROJAN; reference:md5,ecd56f1f42f932865e98fd319301e1a5; classtype:trojan-activity; sid:2025375; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_21, malware_family Evrial, performance_impact Moderate, updated_at 2018_02_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Known Malicious Redirector in DNS Lookup (vip.rm028 .cn)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|03|vip|05|rm028|02|cn"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,blog.malwarebytes.com/threat-analysis/2018/02/chinese-criminal-experiments-with-exploits-in-drive-by-download-campaign/; classtype:trojan-activity; sid:2025382; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_23, performance_impact Low, updated_at 2018_02_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Known Malicious Redirector in DNS Lookup (by007 .cn)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|05|by007|02|cn"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,blog.malwarebytes.com/threat-analysis/2018/02/chinese-criminal-experiments-with-exploits-in-drive-by-download-campaign/; classtype:trojan-activity; sid:2025383; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_23, performance_impact Low, updated_at 2018_02_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Mirai/OMG Proxy Variant CnC in DNS Lookup (ccnew.mm .my)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|05|ccnew|02|mm|02|my"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,blog.fortinet.com/2018/02/21/omg-mirai-based-bot-turns-iot-devices-into-proxy-servers5a8e05ccc4f85; classtype:trojan-activity; sid:2025384; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2018_02_23, malware_family Mirai, performance_impact Low, updated_at 2018_02_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Mirai/OMG Proxy Variant CnC in DNS Lookup (rpnew.mm .my)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|05|rpnew|02|mm|02|my"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,blog.fortinet.com/2018/02/21/omg-mirai-based-bot-turns-iot-devices-into-proxy-servers5a8e05ccc4f85; classtype:trojan-activity; sid:2025385; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2018_02_23, malware_family Mirai, performance_impact Low, updated_at 2018_02_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN SteamStealer DNS Lookup (steamdesktopauthenticator)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|19|steamdesktopauthenticator|03|com"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,bartblaze.blogspot.co.uk/2018/02/fake-steam-desktop-authenticator-steals.html; classtype:trojan-activity; sid:2025386; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_26, malware_family Steam_Stealer, performance_impact Low, updated_at 2018_02_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN SteamStealer Domain in SNI"; flow:to_server,established; content:"|16|"; depth:1; content:"|00 00 29|steamdesktopauthenticator.com"; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,bartblaze.blogspot.co.uk/2018/02/fake-steam-desktop-authenticator-steals.html; classtype:trojan-activity; sid:2025387; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_26, malware_family Steam_Stealer, performance_impact Low, updated_at 2018_02_26;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN SteamStealer Malicious SSL Certificate Detected"; flow:established,from_server; content:"|55 04 03|"; content:"|29|steamdesktopauthenticator.com"; distance:1; within:32; metadata: former_category TROJAN; reference:url,bartblaze.blogspot.co.uk/2018/02/fake-steam-desktop-authenticator-steals.html; classtype:trojan-activity; sid:2025388; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_26, malware_family Steam_Stealer, performance_impact Low, updated_at 2018_02_26;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN SteamStealer DNS Lookup (lightalex)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|09|lightalex|02|ru"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,bartblaze.blogspot.co.uk/2018/02/fake-steam-desktop-authenticator-steals.html; classtype:trojan-activity; sid:2025389; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_26, malware_family Steam_Stealer, performance_impact Low, updated_at 2018_02_26;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN SteamStealer DNS Lookup (steamdesktop)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0c|steamdesktop|03|com"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,bartblaze.blogspot.co.uk/2018/02/fake-steam-desktop-authenticator-steals.html; classtype:trojan-activity; sid:2025390; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_26, malware_family Steam_Stealer, performance_impact Low, updated_at 2018_02_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET TROJAN [PTsecurity] QRat.Java.RAT (state_alive)"; flow:established,to_server; content:"|00 11 7b 22 73 74 61 74 65 22 3a 22 61 6c 69 76 65 22 7d|"; depth:19; isdataat:!1,relative; threshold: type both, track by_src, count 10, seconds 30; metadata: former_category TROJAN; reference:md5,3ffbde179d54377d55fcac76ebf314cb; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/; classtype:trojan-activity; sid:2025391; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Qrat, signature_severity Major, created_at 2018_02_26, malware_family QRat, updated_at 2018_03_06;)

alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN QRat.Java.RAT Checkin Response"; flow:established,to_client; content:"|7b 22 6d 61 73 6d 61 67 22 3a 22|"; within:48; fast_pattern; content:"|22 2c 22 6d 61 73 76 65 72 22 3a|"; distance:0; content:"|2c 22 6d 61 73 69 64 22 3a 22|"; distance:0; content:"|22 2c 22 6e 65 65 64 2d 6d 6f 72 65 22 3a|"; distance:0; content:"|7b 22 6d 61 67 69 63 22 3a 22|"; distance:0; content:"|22 2c 22 69 6e 64 65 78 22 3a 22|"; distance:0; content:"|22 68 61 73 2d 72 65 71 75 65 73 74 65 72 22 3a|"; distance:0; content:"|22 68 61 73 2d 61 63 63 65 70 74 65 72 22 3a|"; distance:0; metadata: former_category TROJAN; reference:md5,3ffbde179d54377d55fcac76ebf314cb; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/; classtype:trojan-activity; sid:2025392; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_26, malware_family QRat, updated_at 2018_07_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET TROJAN QRat.Java.RAT Post-Checkin Request"; flow:established,to_server; content:"|7b 22 6d 61 67 69 63 22 3a 22|"; depth:10; offset:2; fast_pattern; content:"|22 2c 22 69 6e 64 65 78 22 3a 22|"; distance:0; content:"|22 68 61 73 2d 72 65 71 75 65 73 74 65 72 22 3a|"; distance:0; content:"|2c 22 68 61 73 2d 61 63 63 65 70 74 65 72 22 3a|"; distance:0; metadata: former_category TROJAN; reference:md5,3ffbde179d54377d55fcac76ebf314cb; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/; classtype:trojan-activity; sid:2025393; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Qrat, signature_severity Major, created_at 2018_02_26, malware_family QRat, updated_at 2018_03_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/FlawedAmmyy RAT CnC Checkin"; flow:established,to_server; content:"|00 00 00 69 64 3d|"; depth:10; content:"|26 6f 73 3d|"; distance:0; within:30; content:"|26 70 72 69 76 3d|"; distance:0; within:20; content:"|26 63 72 65 64 3d|"; distance:0; within:20; content:"|26 70 63 6e 61 6d 65 3d|"; distance:0; content:"|26 61 76 6e 61 6d 65 3d|"; distance:0; content:"|26 62 75 69 6c 64 5f 74 69 6d 65 3d|"; distance:0; fast_pattern; content:"|26 63 61 72 64 3d|"; distance:0; metadata: former_category TROJAN; reference:md5,32485b8cedc5b79aa1bf2d7ceae0ef31; classtype:trojan-activity; sid:2025408; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_01, malware_family FlawedAmmyy, performance_impact Moderate, updated_at 2018_03_07;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Observed Princess Ransomware Payment Domain (royal25fphqilqft in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|10|royal25fphqilqft"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025404; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_02, malware_family Princess_Ransomware, performance_impact Low, updated_at 2018_03_02;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Observed GandCrab Ransomware CnC/IP Check Domain (politiaromana .bit in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0d|politiaromana|03|bit|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025405; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_05, malware_family GandCrab, performance_impact Moderate, updated_at 2018_03_05;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Observed GandCrab Ransomware CnC/IP Check Domain (malwarehunterteam .bit in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|11|malwarehunterteam|03|bit|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025406; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_05, malware_family GandCrab, performance_impact Moderate, updated_at 2018_03_05;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Observed GandCrab Ransomware CnC/IP Check Domain (gdcb .bit in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|04|gdcb|03|bit|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025407; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_05, malware_family GandCrab, performance_impact Moderate, updated_at 2018_03_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/GandCrab Ransomware CnC Activity M2"; flow:established,to_server; content:"POST"; http_method; pcre:"/^\/[a-z]{3,20}(?:\?[a-z]{3,20}=[a-z]{0,10}&[a-z]{3,20}=[a-z]{0,10})?$/U"; content:"Host|3a 20|"; http_header; depth:6; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64"; http_header; fast_pattern:12,20; content:"Content-Length|3a 20|"; http_header; content:"|0d 0a|Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; http_header; distance:4; within:29; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:bit|coin|sex|com|gandcrab\d*)\r\nContent-Type\x3a\x20[^\r\n]+\r\nUser-Agent\x3a\x20[^\r\n]+\r\nContent-Length\x3a\x20[4-9][0-9]{3,}\r\nCache-Control\x3a\x20[^\r\n]+\r\n\r\n$/Hmi"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/Psi"; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,8b7d3093c477b2e99effde5065affbd5; classtype:trojan-activity; sid:2025455; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_06, performance_impact Moderate, updated_at 2018_04_10;)

alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Fake SSL Certificate Observed (Yahoo)"; content:"|55 04 06|"; content:"|02|US"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|07|Arizona"; distance:1; within:8; content:"|55 04 07|"; distance:0; content:"|07|Phoenix"; distance:1; within:8; content:"|55 04 0a|"; distance:0; content:"|12|Yahoo Widget, Inc."; distance:1; within:19; content:"|55 04 0b|"; distance:0; content:"|13|Yahoo|20|Widget|20|Bureau"; distance:1; within:20; content:"|55 04 03|"; distance:0; content:"|12|Yahoo Widget, Inc."; distance:1; within:19; fast_pattern; content:"|55 04 06|"; content:"|02|US"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|07|Arizona"; distance:1; within:8; content:"|55 04 07|"; distance:0; content:"|07|Phoenix"; distance:1; within:8; content:"|55 04 0a|"; distance:0; content:"|12|Yahoo Widget, Inc."; distance:1; within:19; content:"|55 04 0b|"; distance:0; content:"|13|Yahoo|20|Widget|20|Bureau"; distance:1; within:20; content:"|55 04 03|"; distance:0; content:"|12|Yahoo Widget, Inc."; distance:1; within:19; metadata: former_category TROJAN; reference:md5,ce413a29e6cde5701a26e7e4e02ecc66; classtype:trojan-activity; sid:2025412; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_12, malware_family QRat, performance_impact Low, updated_at 2018_03_15;)

alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Fake SSL Certificate Observed (Oracle America)"; content:"|55 04 06|"; content:"|02|US"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|0a|California"; distance:1; within:11; content:"|55 04 07|"; distance:0; content:"|0e|Redwood Shores"; distance:1; within:15; content:"|55 04 0a|"; distance:0; content:"|14|Oracle|20|America, Inc."; distance:1; within:21; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|13|Code|20|Signing|20|Bureau"; distance:1; within:20; content:"|55 04 03|"; distance:0; content:"|14|Oracle|20|America, Inc."; distance:1; within:21; content:"|55 04 06|"; content:"|02|US"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|0a|California"; distance:1; within:11; content:"|55 04 07|"; distance:0; content:"|0e|Redwood Shores"; distance:1; within:15; content:"|55 04 0a|"; distance:0; content:"|14|Oracle|20|America, Inc."; distance:1; within:21; content:"|55 04 0b|"; distance:0; content:"|13|Code|20|Signing|20|Bureau"; distance:1; within:20; content:"|55 04 03|"; distance:0; content:"|14|Oracle|20|America, Inc."; distance:1; within:21; metadata: former_category TROJAN; reference:md5,a0bbfdb2d4dbfb2f3c182bd394099803; classtype:trojan-activity; sid:2025413; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_12, malware_family QRat, performance_impact Low, updated_at 2018_03_15;)

alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Fake SSL Certificate Observed (Google)"; content:"|55 04 06|"; content:"|02|US"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|07|Florida"; distance:1; within:8; content:"|55 04 07|"; distance:0; content:"|05|Tampa"; distance:1; within:6; content:"|55 04 0a|"; distance:0; content:"|0c|Google,|20|Inc."; distance:1; within:13; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|10|Google Corp, Inc"; distance:1; within:17; content:"|55 04 03|"; distance:0; content:"|0c|Google,|20|Inc."; distance:1; within:13; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|07|Florida"; distance:1; within:8; content:"|55 04 07|"; content:"|05|Tampa"; distance:1; within:6; content:"|55 04 0a|"; distance:0; content:"|0c|Google,|20|Inc."; distance:1; within:13; content:"|55 04 0b|"; distance:0; content:"|10|Google Corp, Inc"; distance:1; within:17; content:"|55 04 03|"; distance:0; content:"|0c|Google,|20|Inc."; distance:1; within:13; metadata: former_category TROJAN; reference:md5,8c7722acb2f7400df1027fa6741e37d5; classtype:trojan-activity; sid:2025414; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_12, malware_family QRat, performance_impact Low, updated_at 2018_03_15;)

alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Fake SSL Certificate Observed (Oracle canada)"; content:"|55 04 06|"; content:"|06|canada"; distance:1; within:7; content:"|55 04 08|"; distance:0; content:"|06|quebec"; distance:1; within:7; content:"|55 04 07|"; distance:0; content:"|0e|Redwood Shores"; distance:1; within:15; content:"|55 04 0a|"; distance:0; content:"|13|Oracle canada, Inc."; distance:1; within:20; content:"|55 04 0b|"; distance:0; content:"|13|Code|20|Signing|20|Bureau"; distance:1; within:20; content:"|55 04 03|"; distance:0; content:"|13|Oracle canada, Inc."; distance:1; within:20; fast_pattern; content:"|55 04 06|"; content:"|06|canada"; distance:1; within:7; content:"|55 04 08|"; distance:0; content:"|06|quebec"; distance:1; within:7; content:"|55 04 07|"; distance:0; content:"|0e|Redwood Shores"; distance:1; within:15; content:"|55 04 0a|"; distance:0; content:"|13|Oracle canada, Inc."; distance:1; within:20; content:"|55 04 0b|"; distance:0; content:"|13|Code|20|Signing|20|Bureau"; distance:1; within:20; content:"|55 04 03|"; distance:0; content:"|13|Oracle canada, Inc."; distance:1; within:20; metadata: former_category TROJAN; reference:md5,f71d168b5b987d9fde792098ca5cca19; classtype:trojan-activity; sid:2025415; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_12, malware_family QRat, performance_impact Low, updated_at 2018_03_15;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN StrongPity APT SSL Certificate Detected"; flow:established,from_server; content:"|55 04 03|"; content:"|17|mevlut.oncu.example.com"; distance:1; within:24; metadata: former_category TROJAN; reference:url,citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/; classtype:trojan-activity; sid:2025416; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_12, malware_family StrongPity, performance_impact Low, updated_at 2018_03_12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Arkei Stealer IP Lookup"; flow:established,to_server;  content:"POST"; http_method; content:"User-Agent|3a 20|Arkei/"; http_header; fast_pattern; content:"Host|3a 20|ip-api.com"; http_header; metadata: former_category TROJAN; reference:md5,1f075616f69983f5b3fc7ba068032c6d; classtype:trojan-activity; sid:2025429; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Stealer, signature_severity Major, created_at 2018_03_13, malware_family Arkei, updated_at 2018_04_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Arkei Stealer Config Download Request"; flow:established,to_server;  content:"POST"; http_method; content:"/grubConfig"; http_uri; content:"User-Agent|3a 20|Arkei/"; http_header; fast_pattern; metadata: former_category TROJAN; reference:md5,1f075616f69983f5b3fc7ba068032c6d; classtype:trojan-activity; sid:2025430; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Stealer, signature_severity Major, created_at 2018_03_13, malware_family Arkei, updated_at 2018_04_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Arkei Stealer Client Data Upload"; flow:established,to_server;  content:"POST"; http_method; content:"User-Agent|3a 20|Arkei/"; http_header; fast_pattern; content:"form-data|3b 20|name=|22|hwid|22|"; http_client_body; nocase; distance:0; content:"form-data|3b 20|name=|22|os|22|"; http_client_body; nocase; distance:0; content:"form-data|3b 20|name=|22|platform|22|"; http_client_body; nocase; distance:0; content:"form-data|3b 20|name=|22|user|22|"; http_client_body; nocase; distance:0; content:"form-data|3b 20|name=|22|pcount|22|"; http_client_body; nocase; distance:0; content:"form-data|3b 20|name=|22|cccount|22|"; http_client_body; nocase; distance:0; metadata: former_category TROJAN; reference:md5,72bcbfd1020d002d2e20e0707b8ef700; classtype:trojan-activity; sid:2025431; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Stealer, signature_severity Major, created_at 2018_03_13, malware_family Arkei, updated_at 2018_04_23;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Bancos Variant CnC)"; flow:established,to_client; content:"|55 04 03|"; content:"|1a|www.instrumentshigh.com.br"; distance:1; within:27; fast_pattern; metadata: former_category TROJAN; reference:md5,f8b2e89717f77633c7d112c98f2d22ab; classtype:trojan-activity; sid:2025433; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2018_03_14, malware_family Bancos, performance_impact Moderate, updated_at 2018_04_23;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Observed Sofacy CnC Domain (ndpmedia24 .com in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0a|ndpmedia24|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency; classtype:trojan-activity; sid:2025434; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_16, malware_family Sofacy, performance_impact Moderate, updated_at 2018_03_16;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Cobalt Group SSL Certificate Detected"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|dns-verifon.com"; distance:1; within:16; metadata: former_category TROJAN; reference:md5,26406f5cc72e13c798485f80ad3cbbdb; classtype:trojan-activity; sid:2025438; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_26, malware_family Cobalt_Group, performance_impact Low, updated_at 2018_03_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Sharik/Smoke Loader Microsoft Connectivity check M2"; flow:established,to_server; content:"GET"; http_method; content:"/vstudio"; http_uri; fast_pattern; urilen:8; content:"Cache-Control"; http_header; depth:13; content:"Host|3a 20|msdn.microsoft.com"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; metadata: former_category TROJAN; reference:md5,e297f2ed2d162ad925ac140915a21405; classtype:trojan-activity; sid:2025439; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_27, malware_family Smoke_Loader, updated_at 2018_03_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Sharik/Smoke Loader Microsoft Connectivity check M3"; flow:established,to_server; content:"GET"; http_method; content:"/visualstudio/"; http_uri; fast_pattern; urilen:14; content:"www.microsoft.com"; http_header; content:"Cache-Control"; http_header; depth:13; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; metadata: former_category TROJAN; reference:md5,e297f2ed2d162ad925ac140915a21405; classtype:trojan-activity; sid:2025440; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_27, malware_family Smoke_Loader, updated_at 2018_03_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sharik/Smoke CnC Beacon 10"; flow:established,to_server; content:"POST"; http_method; pcre:"/\/\d+\/$/U"; content:"|0d 0a|Content-Length|3a 20|63|0d 0a|"; http_header; fast_pattern; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Host|3a 20|"; http_header; pcre:"/(?:MSIE|rv\x3a)/H"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/Ps"; content:!"Referer"; http_header; metadata: former_category TROJAN; reference:md5,e297f2ed2d162ad925ac140915a21405; classtype:trojan-activity; sid:2025441; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_27, malware_family Smoke_Loader, performance_impact Moderate, updated_at 2018_03_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET TROJAN [PTsecurity] Ursnif Socks Proxy Check-in"; flow:established,to_server; stream_size:server,=,1; content:"|2d|"; offset:8; depth:1; content:"|2d|"; distance:4; within:1; content:"|2d|"; distance:4; within:1; content:"|2d|"; distance:4; within:1; content:"|2d30|"; distance:12; within:2; content:"|0000 0000 0000 0000 0000 0000|"; distance:1; within:12; fast_pattern; pcre:"/^[0-9A-Z]{8}-[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9]{12}-0[0-9]{1}/"; flowbits:set,PT.UrsnifProxy; flowbits:noalert; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025444; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_28, malware_family ursnif, performance_impact Low, updated_at 2018_03_28;)

#alert tcp $EXTERNAL_NET !$HTTP_PORTS  -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Ursnif Socks5 Proxy Connection"; flow:established,from_server; flowbits:isset,PT.UrsnifProxy; stream_size:server,=,5; dsize:3; content:"|050100|"; fast_pattern; depth:3; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025445; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_28, malware_family ursnif, performance_impact Low, updated_at 2018_03_28;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0a|ransomware|03|bit|00|"; nocase; distance:0; fast_pattern; threshold: type both, track by_src, count 1, seconds 120; metadata: former_category TROJAN; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025452; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_02, malware_family GandCrab, performance_impact Moderate, updated_at 2018_04_02;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Observed GandCrab Ransomware Domain (zonealarm .bit in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|09|zonealarm|03|bit|00|"; nocase; distance:0; fast_pattern; threshold: type both, track by_src, count 1, seconds 120; metadata: former_category TROJAN; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025453; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_02, malware_family GandCrab, performance_impact Moderate, updated_at 2018_05_01;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Observed GandCrab Ransomware Domain (chlenaverasiskihe .sex in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|11|chlenaverasiskihe|03|sex|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025454; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_02, malware_family GandCrab, performance_impact Moderate, updated_at 2018_04_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] W32/Rodecap.StealRat C2 Payload (GIF)"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"|47 49 46 38 39 61 10 00 10 00 91 00 00 f7 f7 f7 ff ff ff c0 c0 c0 00 00 00 21 f9 04 00 00 00 00 5f 05 95 95 96 96 96 96 92 92 92 92 6d 92 92 92 2a 2a 2a 2a 2a 2a 2a 2a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a|"; depth:92; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025457; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_02, performance_impact Moderate, updated_at 2018_04_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Win32/SocStealer.Socelars C2 Response"; flow:established,to_client; content:"200"; http_stat_code; content:"|0d 0a|Server-Key|3a 20|"; http_header; content:"|0d 0a|Server-Key|3a 20|"; pcre:"/^[A-Za-z0-9]{62}\r\n/R"; file_data; content:"[DATA]"; depth:6; fast_pattern; content:"[DATA]"; distance:0; isdataat:!1,relative;  metadata: former_category TROJAN; classtype:trojan-activity; sid:2025458; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_02, malware_family SocStealer, performance_impact Moderate, updated_at 2018_04_02;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/InnaputRAT CnC DNS Lookup (ninjagames .top)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0a|ninjagames|03|top"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,www.arbornetworks.com/blog/asert/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/; classtype:trojan-activity; sid:2025462; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_05, malware_family InnaputRAT, performance_impact Low, updated_at 2018_04_05;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/InnaputRAT CnC DNS Lookup (ajdhsfhiudsfhsi .top)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0f|ajdhsfhiudsfhsi|03|top"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,www.arbornetworks.com/blog/asert/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/; classtype:trojan-activity; sid:2025463; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_05, malware_family InnaputRAT, performance_impact Low, updated_at 2018_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN OSX/OceanLotus.D Sending Data to CnC"; flow:established,to_server; content:"POST"; http_method; content:".js"; http_uri; content:"|0d 0a|User-Agent|3a 20|curl/"; http_header; fast_pattern; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; content:!"Referer|3a|"; http_header; content:!"Cache"; http_header; content:!"Accept-"; http_header; pcre:"/\.js$/U"; pcre:"/^Host\x3a[^\r\n]+\r\nUser-Agent\x3a\x20curl\/[^\r\n]+\r\nAccept\x3a\x20\*\/\*\r\nContent-Length\x3a[^\r\n]+\r\nContent-Type\x3a\x20application\/x-www-form-urlencoded\r\n(?:\r\n)?$/H"; metadata: former_category TROJAN; reference:md5,306d3ed0a7c899b5ef9d0e3c91f05193; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:trojan-activity; sid:2025464; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_05, malware_family OceanLotus, performance_impact Low, updated_at 2018_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN OSX/OceanLotus.D Requesting Commands from CnC"; flow:established,to_server; content:"GET"; http_method; content:".css"; http_uri; content:"|0d 0a|User-Agent|3a 20|curl/"; http_header; content:"|0d 0a|Cookie|3a 20|m_pixel_ratio="; fast_pattern; content:!"Referer|3a|"; http_header; content:!"Cache"; http_header; content:!"Accept-"; http_header; pcre:"/\.css$/U"; pcre:"/^m_pixel_ratio=[a-f0-9]{32}\x3b$/C"; threshold:type limit, count 1, seconds 30, track by_src; metadata: former_category TROJAN; reference:md5,306d3ed0a7c899b5ef9d0e3c91f05193; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:trojan-activity; sid:2025465; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_05, performance_impact Low, updated_at 2018_04_05;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN OSX/OceanLotus.D CnC DNS Lookup (ssl .arkouthrie .com)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|03|ssl|0a|arkouthrie|03|com"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:trojan-activity; sid:2025466; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_05, malware_family OceanLotus, performance_impact Low, updated_at 2018_04_05;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN OSX/OceanLotus.D CnC DNS Lookup (s3 .hiahornber .com)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|02|s3|0a|hiahornber|03|com"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:trojan-activity; sid:2025467; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_05, malware_family OceanLotus, performance_impact Low, updated_at 2018_04_05;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN OSX/OceanLotus.D CnC DNS Lookup (widget .shoreoa .com)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|06|widget|07|shoreoa|03|com"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:trojan-activity; sid:2025468; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_05, malware_family OceanLotus, performance_impact Low, updated_at 2018_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/DanijBot User-Agent"; flow:established,to_server; content:"User-Agent|3a 20|Botnet by Danij|0d 0a|"; http_header; fast_pattern:9,20; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,41aa955d06abf7df96e746cf1cb781b4; classtype:trojan-activity; sid:2025469; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_06, malware_family DanijBot, performance_impact Moderate, updated_at 2018_04_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/DanijBot CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"?hwid="; http_uri; content:"&bit="; http_uri; content:"&info=Windows|3a 20|"; http_uri; content:"User-Agent|3a 20|Botnet by Danij|0d 0a|"; http_header; fast_pattern:9,20; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,41aa955d06abf7df96e746cf1cb781b4; classtype:trojan-activity; sid:2025470; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_06, malware_family DanijBot, performance_impact Moderate, updated_at 2018_04_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/DanijBot CnC Task Status"; flow:established,to_server; content:"GET"; http_method; content:"?hwid="; http_uri; content:"&taskId="; http_uri; distance:0; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,41aa955d06abf7df96e746cf1cb781b4; classtype:trojan-activity; sid:2025471; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_06, malware_family DanijBot, performance_impact Moderate, updated_at 2018_04_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN LokiBot Fake 404 Response"; flow:established,from_server; flowbits:isset,ET.LokiBot; content:"404"; http_stat_code; file_data; content:"|08 00 00 00 00 00 00 00|File not found."; depth:23; fast_pattern; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,CA427D578AFA51B262272C78D1C04AB9; classtype:trojan-activity; sid:2025483; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_10, malware_family lokibot, performance_impact Low, updated_at 2018_04_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pontoeb CnC"; flow:established,to_server; content:"User-Agent|3a 20|N0PE"; http_header; fast_pattern; content:"mode="; depth:5; http_client_body; metadata: former_category TROJAN; reference:md5,1a44b59105e584bac969408f9617133f; reference:url,urlhaus.abuse.ch/url/4452/; classtype:trojan-activity; sid:2025484; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, signature_severity Major, created_at 2018_04_11, malware_family Pontoeb, performance_impact Low, updated_at 2018_04_11;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (CoreBot C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|ok.investments"; distance:1; within:18; fast_pattern; reference:md5,75368c9240a3c238aa3b5518906a3cdb; classtype:trojan-activity; sid:2025485; rev:2; metadata:created_at 2018_04_11, updated_at 2018_04_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Iron/Maktub Locker Ransomware CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"{|22|encry|22 3a 22|"; http_client_body; depth:10; fast_pattern; content:"|22|randk|22 3a 22|"; http_client_body; distance:0; content:"|22|guid|22 3a 22|"; http_client_body; distance:0; content:"|22|start|22 3a 22|"; http_client_body; distance:0; content:"|22|market|22 3a 22|"; http_client_body; distance:0; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,1e60050db59e3d977d2a928fff3d34a6; reference:url,bartblaze.blogspot.com/2018/04/maktub-ransomware-possibly-rebranded-as.html; classtype:trojan-activity; sid:2025486; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_12, malware_family Iron_Locker, performance_impact Moderate, updated_at 2018_04_12;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Observed GandCrab Payment Domain (gandcrab2pie73et in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|10|gandcrab2pie73et"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025496; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_16, malware_family GandCrab, performance_impact Moderate, updated_at 2018_04_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Locky C2 Domain (dyoravdkiavfkbkx in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|10|dyoravdkiavfkbkx"; nocase; distance:0; fast_pattern; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2025507; rev:1; metadata:created_at 2018_04_16, updated_at 2018_04_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Locky C2 Domain (dypmoywmjrevboat in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|10|dypmoywmjrevboat"; nocase; distance:0; fast_pattern; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2025508; rev:1; metadata:created_at 2018_04_16, updated_at 2018_04_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Locky C2 Domain (jjjooyeohgghgtwn in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|10|jjjooyeohgghgtwn"; nocase; distance:0; fast_pattern; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2025509; rev:1; metadata:created_at 2018_04_16, updated_at 2018_04_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Locky C2 Domain (lvanwwbyabcfevyi in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|10|lvanwwbyabcfevyi"; nocase; distance:0; fast_pattern; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2025510; rev:1; metadata:created_at 2018_04_16, updated_at 2018_04_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Locky C2 Domain (uxwavkmttywsuynt in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|10|uxwavkmttywsuynt"; nocase; distance:0; fast_pattern; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2025511; rev:1; metadata:created_at 2018_04_16, updated_at 2018_04_16;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Locky C2 Domain (yaynawvtuqcarjwc in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|10|yaynawvtuqcarjwc"; nocase; distance:0; fast_pattern; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2025512; rev:1; metadata:created_at 2018_04_16, updated_at 2018_04_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN [PTsecurity] Trojan.JS.Agent.dwz Checkin 2"; flow:established,to_server; content:"POST"; http_method; content:"Accept|3a 20|*/*"; http_header; content:"Accept-Language|3a 20|"; http_header; distance:0; content:"auth255|3a 20|login"; http_header; fast_pattern; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; distance:0; content:"Accept-Encoding|3a 20|gzip, deflate"; http_header; distance:0; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 6.1|3b|"; http_header; distance:0; content:!"Referer|3a|"; http_header; content:"a="; http_client_body; depth:2; pcre:"/^a=(?:[a-f0-9]{2}){23,60}$/P"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025530; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_23, updated_at 2018_04_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/G1 Stealer/GravityRAT Uploading File"; flow:established,to_server; content:"GET"; depth:3; content:"?Value=11&FileName="; distance:0; fast_pattern; content:"&FileSize="; distance:0; content:"&Macid="; distance:0; content:"&UserCode="; distance:0; content:"|20|HTTP/"; distance:0; content:"|0d 0a|"; distance:3; within:4; metadata: former_category TROJAN; reference:md5,783a48640c0776932fc81925962f273b; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:trojan-activity; sid:2025538; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_26, malware_family GravityRAT, performance_impact Low, updated_at 2018_04_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/G1 Stealer/GravityRAT Requesting Payload"; flow:established,to_server; content:"GET"; depth:3; content:"?Value=13&idPayload="; distance:0; fast_pattern; content:"|20|HTTP/"; distance:0; content:"|0d 0a|"; distance:3; within:4; content:!"Referer|3a|"; metadata: former_category TROJAN; reference:md5,783a48640c0776932fc81925962f273b; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:trojan-activity; sid:2025539; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_26, malware_family GravityRAT, performance_impact Low, updated_at 2018_04_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/G2 Stealer/GravityRAT CnC Checkin"; flow:established,to_server; content:"POST"; depth:4; content:".php?Value="; distance:0; content:"UserCode="; distance:0; content:"MacId="; distance:0; content:"HitDate="; distance:0; content:"FingerPrint="; distance:0; fast_pattern; content:"CurrentIp="; distance:0; content:"|20|HTTP/"; distance:0; content:"|0d 0a|"; distance:3; within:4; content:!"Accept"; content:!"User-Agent|3a|"; content:!"Cache"; content:!"Connection|3a|"; metadata: former_category TROJAN; reference:md5,6899c2219764bac56007ce80021bfcbf; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:trojan-activity; sid:2025540; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_26, malware_family GravityRAT, performance_impact Low, updated_at 2018_04_26;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/GX Stealer/GravityRAT Uploading File"; flow:established,to_server; content:"POST"; depth:4; content:".php?VALUE=2&Type="; distance:0; fast_pattern; content:"&SIGNATUREHASH="; distance:0; content:"|20|HTTP/"; distance:0; content:"|0d 0a|"; distance:3; within:4; content:!"Accept"; http_header; content:!"User-Agent";  http_header; content:!"Cache"; http_header; metadata: former_category TROJAN; reference:md5,ec629f648434fc3d17e9561532d038c8; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:trojan-activity; sid:2025541; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_26, malware_family GravityRAT, performance_impact Low, updated_at 2018_04_26;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN MSIL/GravityRAT CnC Domain (msoftupdates .com in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0c|msoftupdates|03|com"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:trojan-activity; sid:2025542; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_26, malware_family GravityRAT, performance_impact Low, updated_at 2018_04_26;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN MSIL/GravityRAT CnC Domain (msoftupdates .eu in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0c|msoftupdates|02|eu"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:trojan-activity; sid:2025543; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_26, malware_family GravityRAT, performance_impact Low, updated_at 2018_04_26;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN MSIL/GravityRAT CnC Domain (mylogisoft .com in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0a|mylogisoft|03|com"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:trojan-activity; sid:2025544; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_26, malware_family GravityRAT, performance_impact Low, updated_at 2018_04_26;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Observed GandCrab Ransomware Domain (carder .bit in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|06|carder|03|bit|00|"; nocase; distance:0; fast_pattern; threshold: type both, track by_src, count 1, seconds 120; metadata: former_category TROJAN; reference:md5,9faf6dedd3e0cd018d2e45bc8855bd4a; classtype:trojan-activity; sid:2025546; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_30, malware_family GandCrab, updated_at 2018_05_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely GandCrab Ransomware Domain in HTTP Host M1"; content:".bit"; http_header;  pcre:"/Host\x3a\x20(?:(?:malwarehuntertea|nomoreranso)m|politiaromana|ransomware|carder)\.(?:bit|coin)[\r\n]/H"; metadata: former_category TROJAN; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025547; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_30, malware_family GandCrab, updated_at 2018_04_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely GandCrab Ransomware Domain in HTTP Host M2"; content:".coin"; http_header; pcre:"/Host\x3a\x20(?:(?:malwarehuntertea|nomoreranso)m|politiaromana|ransomware|carder)\.(?:bit|coin)[\r\n]/H"; metadata: former_category TROJAN; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025548; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_30, malware_family GandCrab, updated_at 2018_04_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Java/QRat Variant Checkin"; flow:established,to_server; dsize:9; content:"|00 07|nemesis"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025552; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_01, malware_family QRat, updated_at 2018_05_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN RedLeaves HOGFISH APT Implant CnC"; flow:to_server,established; content:"POST"; http_method; content:"/index.php"; http_uri; nocase; isdataat:!1,relative; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/4.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|.NET4.0C|3b 20|.NET4.0E)"; http_header; fast_pattern:64,20; content:"Content-Length|3a 20|"; http_header; content:"|0d 0a|"; within:5; content:"Accept|3a 20|*/*|0d 0a|"; http_header; content:"Connection|3a 20|Keep-Alive|0d 0a|"; http_header; content:!"Referer"; http_header; content:!"Accept-Encoding"; http_header; content:!"Content-Type"; http_header; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; metadata: former_category TROJAN; reference:md5,2d9ac00470a104b9841d851ddf33cad7; reference:md5,627b903657b28f3a2e388393103722c8; reference:url,www.accenture.com/t20180423T055005Z__w__/us-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf; classtype:trojan-activity; sid:2025557; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT10, signature_severity Major, created_at 2018_05_02, updated_at 2018_05_03;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN BKransomware Domain (3whyfziey2vr41yq in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|10|3whyfziey2vr41yq"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:md5,892da86e60236c5aaf26e5025af02513; classtype:trojan-activity; sid:2025559; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_07, malware_family Ransomware, updated_at 2018_05_07;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Iron Ransomware Domain (y5mogzal2w25p6bn .ml in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|10|y5mogzal2w25p6bn|02|ml|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:md5,5f1ab58f0639b5e43fca508eb0d4f97e; classtype:trojan-activity; sid:2025567; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_08, malware_family Ransomware, updated_at 2018_05_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ELF/Muhstik Attempting to Download Payload"; flow:established,to_server; content:"GET"; http_method; content:".php?port="; http_uri; fast_pattern; content:"User-Agent|3a 20|wget/"; http_header; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:url,blog.netlab.360.com/gpon-exploit-in-the-wild-i-muhstik-botnet-among-others-en/; classtype:trojan-activity; sid:2025575; rev:2; metadata:attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2018_05_11, malware_family Muhstik, performance_impact Low, updated_at 2018_05_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN InfoBot Sending Machine Details"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; isdataat:!1,relative; content:"User-Agent|3a 20|infobot|0d 0a|"; http_header; fast_pattern; content:"|7b 22|bits|22 3a 20 22|"; http_client_body; depth:10; content:"|22|cpun|22 3a 20 22|"; http_client_body; distance:0; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,3549c3af4417a344b5cbf53dbe7ab36c; classtype:trojan-activity; sid:2025577; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_16, performance_impact Moderate, updated_at 2018_05_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN InfoBot Sending LAN Details"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri;  content:"|7b 22 4c 61 6e 43 6e 74 22 3a 20 22|"; http_client_body; depth:12; fast_pattern; content:"|22 7d|"; http_client_body; distance:0; within:3; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,6daa7e95d172c2e54953adae7bdfaffc; classtype:trojan-activity; sid:2025578; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_16, performance_impact Moderate, updated_at 2018_05_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Unk.Stealer CnC Activity"; flow:established,to_server; content:"POST"; http_method; content:"/check.php"; http_uri; fast_pattern; content:"m="; http_client_body; depth:2; pcre:"/^m=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/Psi"; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,b38a63aea75bcf06fed11067cc75cc7e; classtype:trojan-activity; sid:2025580; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_16, performance_impact Moderate, updated_at 2018_05_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Vibem.C CnC Activity"; flow:established,to_server; content:"|63 76 c4 52 99 1d 04 80 a9 1b 2d|"; depth:11; content:!"|00|"; metadata: former_category TROJAN; reference:md5,bef6faabe3d80037c18fa7b806f4488e; classtype:trojan-activity; sid:2025581; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_18, updated_at 2018_05_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] PS/TrojanDownloader.Agent.NNR XORed Zip payload (key 0x91)"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"|c1 da 92 95 85 91 91 99 99 91|"; depth:10; fast_pattern; metadata: former_category TROJAN; reference:url,dctoralves.wordpress.com/2018/05/03/phishing-report-policia-civil/; classtype:trojan-activity; sid:2025583; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_23, performance_impact Low, updated_at 2018_05_23;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Known Sinkhole Response Header INetSim"; flow:established,from_server; content:"Content-Type|3a 20|x-msdos-program"; http_header; file_data; content:"MZ|0a|Sinkholed|0a|"; fast_pattern; depth:13;  isdataat:!1,relative; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025585; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_25, updated_at 2018_05_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Aurora/OneKeyLocker Ransomware CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?generate="; http_uri; fast_pattern; content:"/-"; http_uri; distance:0; content:"&hwid="; http_uri; distance:0; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,31d65e315115c823f619a381576984f8; classtype:trojan-activity; sid:2025586; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_30, malware_family Aurora, malware_family OneKeyLocker, performance_impact Moderate, updated_at 2018_05_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Donut Ransomware CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Expect|3a 20|100-continue|0d 0a|"; http_header; content:"pc_id="; http_client_body; depth:6; content:"pc_key="; http_client_body; distance:0; content:"win_ver="; http_client_body; fast_pattern; distance:0; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Cache"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025595; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2018_06_19, malware_family Donut, performance_impact Low, updated_at 2018_06_19;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN BackSwap Trojan C2 Domain Observed (debasuin .nl in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|08|debasuin|02|nl|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,www.cert.pl/en/news/single/backswap-malware-analysis; classtype:trojan-activity; sid:2025596; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_06_20, malware_family Banking_Trojan, updated_at 2018_06_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN BackSwap Trojan C2 Domain Observed (debasuin .nl in TLS SNI)"; flow:established,to_server; content:"|00 00 0b|debasuin.nl"; fast_pattern:only; nocase; metadata: former_category TROJAN; reference:url,www.cert.pl/en/news/single/backswap-malware-analysis; classtype:trojan-activity; sid:2025597; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_06_20, malware_family Banking_Trojan, updated_at 2018_06_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Win32/AutoIt.NU Miner Dropper CnC Checkin"; flow:established,to_server; content:"POST /?id="; depth:10; fast_pattern; content:"&pt="; distance:0; within:20; content:"|0d 0a 0d 0a|"; distance:0; content:"|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded"; content:"|0d 0a|Accept|3a 20|"; pcre:"/^User-Agent\x3a\x20[a-f0-9]{32}\r?\n?$/mi"; content:!"|0d 0a|Accept-"; content:!"|0d 0a|Cache"; content:!"|0d 0a|Referer|3a 20|"; metadata: former_category TROJAN; reference:md5,cd7a49513771efd9d4de873956ef8af5; classtype:trojan-activity; sid:2025598; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Dropper, signature_severity Major, created_at 2018_06_21, malware_family Autoit_NU, performance_impact Low, updated_at 2018_06_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Autophyte.F C2 Domain (tpddata .com in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|07|tpddata|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,sfkino.tistory.com/60; classtype:trojan-activity; sid:2025599; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_06_21, updated_at 2018_06_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Win32/Autophyte.F C2 Domain (tpddata .com in TLS SNI)"; flow:established,to_server; content:"|00 00 0b|tpddata.com"; fast_pattern:only; nocase; metadata: former_category TROJAN; reference:url,sfkino.tistory.com/60; classtype:trojan-activity; sid:2025600; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_06_21, updated_at 2018_06_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Autophyte.F C2 Domain (www .anlway .com in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|03|www|06|anlway|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,sfkino.tistory.com/60; classtype:trojan-activity; sid:2025601; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_06_21, updated_at 2018_06_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Win32/Autophyte.F C2 Domain (www .anlway .com in TLS SNI)"; flow:established,to_server; content:"|00 00 0e|www.anlway.com"; fast_pattern:only; nocase; metadata: former_category TROJAN; reference:url,sfkino.tistory.com/60; classtype:trojan-activity; sid:2025602; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_06_21, updated_at 2018_06_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Autophyte.F C2 Domain (www .ap8898 .com in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|03|www|06|ap8898|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,sfkino.tistory.com/60; classtype:trojan-activity; sid:2025603; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_06_21, updated_at 2018_06_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Win32/Autophyte.F C2 Domain (www .ap8898 .com in TLS SNI)"; flow:established,to_server; content:"|00 00 0e|www.ap8898.com"; fast_pattern:only; nocase; metadata: former_category TROJAN; reference:url,sfkino.tistory.com/60; classtype:trojan-activity; sid:2025604; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_06_21, updated_at 2018_06_21;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Autophyte.F C2 Domain (www .apshenyihl .com in DNS Lookup)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|03|www|0a|apshenyihl|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,sfkino.tistory.com/60; classtype:trojan-activity; sid:2025605; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_06_21, updated_at 2018_06_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Win32/Autophyte.F C2 Domain (www .apshenyihl .com in TLS SNI)"; flow:established,to_server; content:"|00 00 12|www.apshenyihl.com"; fast_pattern:only; nocase; metadata: former_category TROJAN; reference:url,sfkino.tistory.com/60; classtype:trojan-activity; sid:2025606; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_06_21, updated_at 2018_06_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN [eSentire] VBS Retrieving Malicious Payload"; flow:established,to_server; content:"HEAD"; http_method; content:".php1"; http_uri; isdataat:!1,relative; fast_pattern; content:"User-Agent|3a 20|Microsoft BITS/"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/[0-9]{10}.php1$/U"; metadata: former_category TROJAN; reference:md5,aa56a1de9b91446c66d53f12f797bef5; classtype:trojan-activity; sid:2025626; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_06_25, updated_at 2018_06_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN [PTsecurity] Paradise Ransomware Check-in"; flow:established,to_server; content:"POST"; http_method; content:"v1="; http_client_body; depth:3; content:"v2="; http_client_body; distance:0;content:"start_e="; http_client_body; distance:0; content:"end_e="; http_client_body; distance:0; content:"files_count="; http_client_body; distance:0; fast_pattern; content:"key="; http_client_body; distance:0; content:!"Referer|3a|"; http_header; content:!"Cache"; http_header; content:!"Accept"; http_header; content:!"User-Agent|3a|"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025631; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2018_06_29, malware_family Paradise, performance_impact Low, updated_at 2018_06_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN [PTsecurity] Win32/SpyAgent.Raptor (realtime-spy) CnC activity 1"; flow:established,to_server; content:"GET"; http_method; content:".php?username="; http_uri; fast_pattern; content:"&password="; http_uri; distance:0; content:"&id="; http_uri; distance:0; content:"&comp="; http_uri; distance:0; content:"&user="; http_uri; distance:0; content:"Accept|3a 20|*/*"; http_header; content:"Accept-Language|3a 20|en-us"; http_header; distance:0; content:"Accept-Encoding|3a 20|gzip, deflate"; http_header; distance:0; content:"User-Agent|3a|"; http_header; distance:0; content:"Host|3a|"; http_header; distance:0; content:"Connection|3a 20|Keep-Alive"; http_header; distance:0; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025633; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Spyware, signature_severity Major, created_at 2018_07_03, malware_family SpyAgent_Raptor, performance_impact Low, updated_at 2018_07_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN [PTsecurity] Win32/SpyAgent.Raptor (realtime-spy) CnC activity 2"; flow:established,to_server; content:"POST"; http_method; content:"raptor_un="; http_client_body; depth:10; content:"raptor_pw_hash="; http_client_body; distance:0; fast_pattern; content:"logtype="; http_client_body; distance:0; content:"raptor_account_id="; http_client_body; distance:0; content:"computer_username="; http_client_body; distance:0; content:"computer_name="; http_client_body; distance:0; content:"capture_timestamp="; http_client_body; distance:0; content:"submit="; http_client_body; distance:0; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025634; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Spyware, signature_severity Major, created_at 2018_07_03, malware_family SpyAgent_Raptor, performance_impact Low, updated_at 2018_07_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN [eSentire] Cobalt Strike Beacon"; flow:established,to_server; content:"GET"; http_method; content:"|43 6f 62 61 6c 74 20 53 74 72 69 6b 65 20 42 65 61 63 6f 6e 29 0d 0a|"; fast_pattern;  http_header; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025635; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_03, updated_at 2018_07_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cobalt Strike Exfiltration"; flow:established,to_server; content:"POST"; http_method; content:"|43 6f 62 61 6c 74 20 53 74 72 69 6b 65 20 42 65 61 63 6f 6e 29 0d 0a|"; fast_pattern; http_header; isdataat:!1,relative; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025636; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_03, updated_at 2018_07_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Remcos RAT Checkin 23"; flow:established,to_server; dsize:<500; content:"|1b 84 d5 b0 5d f4 c4 93 c5 30 c2|"; depth:11; fast_pattern; content:"|da b1|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; metadata: former_category TROJAN; reference:md5,f4f2425e9735f92cc9f75711aa8cb210; classtype:trojan-activity; sid:2025637; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_03, updated_at 2018_07_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN [eSentire] Win32/GandCrab v4 Ransomware CnC Activity"; flow:established,to_server; content:"POST"; http_method; pcre:"/\.(bmp|png|gif|jpg)$/U"; content:"Content-Type|3a 20|multipart/form-data"; http_header; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64"; http_header; content:"wfKD6iudumBkmp"; depth:14; fast_pattern; http_client_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/Psi"; threshold: type limit, count 1, seconds 60, track by_src; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2025638; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2018_07_04, malware_family GandCrab, performance_impact Low, updated_at 2018_07_04;)

alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any  (msg:"ET TROJAN [eSentire] Unknown Banker CnC Command (DOWNLOAD)"; flow:from_server,established; dsize:11; content:"DOWNLOAD1|0d 0a|"; depth:11; metadata: former_category TROJAN; reference:md5,f45991556122b07d501fa995bd4e74a7; classtype:trojan-activity; sid:2025651; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_11, malware_family Banking_Trojan, updated_at 2018_07_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN [eSentire] Unknown Banker CnC Checkin"; flow:to_server,established; dsize:<35; content:"|3c 7c|"; depth:2; content:"|7c 3e|OPERADOR|3c 7c 3e|"; fast_pattern; distance:0; metadata: former_category TROJAN; reference:md5,f45991556122b07d501fa995bd4e74a7; classtype:trojan-activity; sid:2025652; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_11, malware_family Banking_Trojan, updated_at 2018_07_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Rostpay Downloader User-Agent"; flow:established,to_server; content:"User-Agent|3a 20|Rostpay Downloader|0d 0a|"; nocase; http_header; metadata: former_category TROJAN; reference:md5,6887e8e2fb391a1ca84f192efd5c8331; classtype:trojan-activity; sid:2025697; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN AZORult Variant.4 Checkin M2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"|4a 2f fb|"; http_client_body; fast_pattern; content:"|2f fb|"; http_client_body; depth:11; content:!"Referer"; http_header; metadata: former_category TROJAN; reference:md5,0ac55b5056364cdac63aaf05f9d7f654; reference:url,twitter.com/James_inthe_box/status/1020522733984100352?s=03; classtype:trojan-activity; sid:2025885; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_23, malware_family AZORult, updated_at 2018_07_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN OilRig QUADAGENT CnC Domain in SNI"; flow:to_server,established; content:"|16|"; depth:1; content:"|00 00 0f|www.cpuproc.com"; distance:0; fast_pattern; nocase; metadata: former_category TROJAN; reference:md5,d51c2ffce844d42bab2f2c3131e3dbd4; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/; classtype:trojan-activity; sid:2025891; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_25, malware_family QuadAgent, performance_impact Low, updated_at 2018_07_25;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (OilRig QUADAGENT CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0b|cpuproc.com"; distance:1; within:15; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; content:"|55 04 0a|"; distance:0; content:"|0d|Let's Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|1a|Let's Encrypt Authority X3"; distance:1; within:27; metadata: former_category TROJAN; reference:md5,d51c2ffce844d42bab2f2c3131e3dbd4; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/; classtype:trojan-activity; sid:2025892; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_25, malware_family QuadAgent, performance_impact Low, updated_at 2018_07_25;)

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN OilRig QUADAGENT DNS Tunneling"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|04|mail|06|"; distance:0; nocase; pcre:"/^\d{6}/Ri"; content:"|07|cpuproc|03|com|00|"; fast_pattern; distance:0; within:13; nocase; threshold: type limit, count 1, seconds 60, track by_src; metadata: former_category TROJAN; reference:md5,d51c2ffce844d42bab2f2c3131e3dbd4; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/; classtype:trojan-activity; sid:2025894; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_25, malware_family QuadAgent, performance_impact Low, updated_at 2018_07_25;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Micropsia CnC Domain)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|15|new.young-spencer.com"; distance:1; within:23; fast_pattern:1,20; metadata: former_category TROJAN; reference:md5,738b3370230bd3168a97a7171d17ed64; reference:url,docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc; classtype:trojan-activity; sid:2025918; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_27, malware_family MICROPSIA, performance_impact Low, updated_at 2018_07_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET USER_AGENTS Likely Spambot Web-based Control Traffic"; flow: to_server,established; content:"User-Agent|3a| Godzilla"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001711; classtype:trojan-activity; sid:2001711; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS 2search.org User Agent (2search)"; flow:to_server,established; content:"User-Agent|3a| "; http_header; content:"2search"; fast_pattern; within:150; http_header; pcre:"/^User-Agent\x3a\x20[^\r\n]+?2search/Hmi"; reference:url,doc.emergingthreats.net/2003335; classtype:trojan-activity; sid:2003335; rev:18; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Non-Escaping backslash in User-Agent Outbound"; flow:established,to_server; content:"User-Agent|3a|"; nocase; http_header; content:"|5C|"; http_header; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_header; pcre:"/User-Agent\:.*[^\x5c]\x5c[^\x5c\x3d\x2f\x3b\x28\x29]/iH"; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec14.html; reference:url,mws.amazon.com/docs/devGuide/UserAgent.html; classtype:bad-unknown; sid:2010721; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Non-Escaping backslash in User-Agent Inbound"; flow:established,to_server; content:"User-Agent|3a|"; nocase; http_header; content:"|5C|"; http_header; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_header; pcre:"/User-Agent\:.*[^\x5c]\x5c[^\x5c\x3d\x2f\x3b\x28\x29]/iH"; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec14.html; reference:url,mws.amazon.com/docs/devGuide/UserAgent.html; reference:url,doc.emergingthreats.net/2010722; classtype:bad-unknown; sid:2010722; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS TROJAN BankSnif/Nethelper User-Agent (nethelper)"; flow:to_server,established; content:" nethelper"; http_header; pcre:"/User-Agent\:[^\n]+nethelper/Hi";  metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2002877; classtype:trojan-activity; sid:2002877; rev:18; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Better Internet Spyware User-Agent (poller)"; flow: to_server,established; content:"User-Agent|3a|"; http_header; content:" Poller"; fast_pattern; http_header; pcre:"/User-Agent\:[^\n]+Poller/iH"; reference:url,doc.emergingthreats.net/2002005; classtype:trojan-activity; sid:2002005; rev:37; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Win32.OnLineGames User-Agent (BigFoot)"; flow:to_server,established; content:"User-Agent|3a| BigFoot"; nocase; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2010678; classtype:trojan-activity; sid:2010678; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Casino Related Spyware User-Agent Detected (Viper 4.0)"; flow:established,to_server; content:"User-Agent|3a| Mozilla/5.0 (compatible, Viper 4.0)|0d 0a|"; http_header; fast_pattern:37,12; reference:url,doc.emergingthreats.net/2008586; classtype:trojan-activity; sid:2008586; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (ClickAdsByIE)"; flow:to_server,established; content:"User-Agent|3a| ClickAdsByIE"; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2010220; classtype:trojan-activity; sid:2010220; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS sgrunt Dialer User Agent (sgrunt)"; flow:to_server,established; content:"sgrunt"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+sgrunt/iH"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096347; reference:url,doc.emergingthreats.net/2003385; classtype:trojan-activity; sid:2003385; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS WinFixer Trojan Related User-Agent (ElectroSun)"; flow:established,to_server; content:"User-Agent|3a| ElectroSun "; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2008608; classtype:trojan-activity; sid:2008608; rev:9; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Drivecleaner.com Spyware User-Agent (DriveCleaner Updater)"; flow:to_server,established; content:"User-Agent|3a| DriveCleaner Updater"; fast_pattern:11,20; http_header; reference:url,www.drivecleaner.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=DriveCleaner&threatid=44533; reference:url,doc.emergingthreats.net/2003486; classtype:trojan-activity; sid:2003486; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS klm123.com Spyware User Agent"; flow:established,to_server; content:"User-Agent|3a| {"; http_header; content:!"Host|3a| directory.gladinet.com|0d 0a|"; http_header; content:!"ff.avast.com|0d 0a|"; http_header; content:!"ispringsolutions.com|0d 0a|"; http_header; pcre:"/User-Agent\x3a \{[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\}/iH"; reference:url,doc.emergingthreats.net/2007616; classtype:trojan-activity; sid:2007616; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS ISearchTech.com XXXPornToolbar Activity (IST)"; flow: to_server,established; content:" IST"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+IST/H"; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/2001493; classtype:trojan-activity; sid:2001493; rev:37; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (InfoBot)"; flow:to_server,established; content:"User-Agent|3a| InfoBot"; http_header; nocase; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2011276; classtype:trojan-activity; sid:2011276; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Internet Optimizer User-Agent (ROGUE)"; flow: to_server,established; content:"User-Agent|3a| ROGUE"; http_header; metadata: former_category USER_AGENTS; reference:url,www.internet-optimizer.com; reference:url,doc.emergingthreats.net/2002405; classtype:trojan-activity; sid:2002405; rev:11; metadata:created_at 2010_07_30, updated_at 2018_01_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Fake AV Downloader.Onestage/FakeAlert.ZR User-Agent (AV1)"; flow: established,to_server; content:"User-Agent|3a| AV1|0d 0a|"; http_header; metadata: former_category TROJAN; reference:md5,208e5551efce47ac6c95691715c12e46; reference:md5,735dff747d0c7ce74dde31547b2b5750; reference:md5,a84a144677a786c6855fd4899d024948; classtype:trojan-activity; sid:2009223; rev:9; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Vaccineprogram.co.kr Related Spyware User-Agent (Museon)"; flow:established,to_server; content:"User-Agent|3a| Museon"; http_header; reference:url,doc.emergingthreats.net/2006418; classtype:trojan-activity; sid:2006418; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Vaccineprogram.co.kr Related Spyware User Agent (pcsafe)"; flow:established,to_server; content:"User-Agent|3a| pcsafe"; http_header; reference:url,doc.emergingthreats.net/2006420; classtype:trojan-activity; sid:2006420; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Metafisher/Goldun User-Agent (z)"; flow:to_server,established; content:"User-Agent|3a| z|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2002874; classtype:trojan-activity; sid:2002874; rev:12; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS MyWaySearch Products Spyware User Agent"; flow: established,to_server; content:"MyWay"; http_header; fast_pattern:only; pcre:"/User-Agent\x3a[^\n]+MyWay/iH"; reference:url,doc.emergingthreats.net/2002079; reference:url,www.funwebproducts.com; classtype:trojan-activity; sid:2002079; rev:22; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS QQHelper related Spyware User-Agent (H)"; flow:to_server,established; content:"User-Agent|3a| H|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2003749; classtype:trojan-activity; sid:2003749; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Rf-cheats.ru Trojan Related User-Agent (RFRudokop v.1.1 account verification)"; flow:to_server,established; content:"User-Agent|3a| RFRudokop "; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2008046; classtype:trojan-activity; sid:2008046; rev:7; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS SideStep User-Agent"; flow: to_server,established; content:" SideStep"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+SideStep/iH"; reference:url,doc.emergingthreats.net/2002078; reference:url,github.com/chetan51/sidestep/; classtype:misc-activity; sid:2002078; rev:31; metadata:attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Minor, created_at 2010_07_30, performance_impact Low, updated_at 2017_01_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS User-Agent (STEROID Download)"; flow:established,to_server; content:"User-Agent|3a| STEROID Download|0D 0A|"; nocase; http_header; metadata: former_category TROJAN; reference:url,anubis.iseclab.org/?action=result&task_id=17b118a86edba30f4f588db66eaf55d10; reference:url,security.thejoshmeister.com/2009/09/new-malware-ddos-botexe-etc-and.html; reference:url,doc.emergingthreats.net/2009994; classtype:trojan-activity; sid:2009994; rev:7; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (agent)"; flow: to_server,established; content:"User-Agent|3a| agent"; http_header; content:!".battle.net"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001891; classtype:trojan-activity; sid:2001891; rev:17; metadata:created_at 2010_07_30, updated_at 2016_12_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent|3a| Microsoft Internet Explorer"; fast_pattern:11,25; http_header; content:!"bbc.co.uk|0d 0a|"; nocase; http_header; content:!"vmware.com|0d 0a|"; nocase; http_header; content:!"rc.itsupport247.net|0d 0a|"; nocase; http_header; content:!"msn.com|0d 0a|"; nocase; http_header; content:!"msn.es|0d 0a|"; nocase; http_header; content:!"live.com|0d 0a|"; nocase; http_header; content:!"gocyberlink.com|0d 0a|"; nocase; http_header; content:!"ultraedit.com|0d 0a|"; nocase; http_header; content:!"windowsupdate.com"; http_header; content:!"cyberlink.com"; http_header; content:!"lenovo.com"; http_header; content:!"itsupport247.net|0d 0a|"; nocase; http_header; content:!"msn.co.uk|0d 0a|"; http_header; threshold:type limit, track by_src, count 2, seconds 360; metadata: former_category USER_AGENTS; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:34; metadata:created_at 2010_07_30, updated_at 2017_11_29;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS User Agent Containing http Suspicious - Likely Spyware/Trojan"; flow:to_server,established; content:"User-Agent|3a|"; nocase; http_header; content:!"rss"; nocase; http_header; pcre:"/User-Agent\:[^\n]+http\:\/\//iH"; reference:url,doc.emergingthreats.net/bin/view/Main/2003394; classtype:trojan-activity; sid:2003394; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Updater)"; flow:to_server,established; content:"User-Agent|3a| Updater"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2003584; classtype:trojan-activity; sid:2003584; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (WinXP Pro Service Pack 2)"; flow:to_server,established; content:"User-Agent|3a| WinXP Pro Service Pack"; http_header; threshold: type limit, count 3, seconds 300, track by_src; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2003586; classtype:trojan-activity; sid:2003586; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent outbound (bot)"; flow:to_server,established; content:"User-Agent|3a| bot/"; nocase; http_header; threshold: type limit, count 3, seconds 300, track by_src; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2003622; classtype:trojan-activity; sid:2003622; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (MSIE)"; flow:to_server,established; content:"User-Agent|3a| MSIE"; http_header; threshold: type limit, count 2, track by_src, seconds 300; content:!"www.msftncsi.com"; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2003657; classtype:trojan-activity; sid:2003657; rev:14; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (HTTPTEST) - Seen used by downloaders"; flow:to_server,established; content:"User-Agent|3a| HTTPTEST"; nocase; http_header; content:!"PlayStation"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2003927; classtype:trojan-activity; sid:2003927; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Snatch-System)"; flow:to_server,established; content:"User-Agent|3a| Snatch-System"; nocase; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2003930; classtype:trojan-activity; sid:2003930; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS KKtone Suspicious User-Agent (KKTone)"; flow:to_server,established; content:"User-Agent|3a| KKTone"; nocase; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2004443; classtype:trojan-activity; sid:2004443; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (MyAgent)"; flow:to_server,established; content:"User-Agent|3a| MyAgent"; nocase; http_header; content:!"Host|3a 20|driverdl.lenovo.com.cn|0d 0a|"; http_header; content:!"www.google-analytics.com"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category USER_AGENTS; reference:url,doc.emergingthreats.net/bin/view/Main/2005320; classtype:trojan-activity; sid:2005320; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_11_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (MYURL)"; flow:to_server,established; content:"User-Agent|3a| MYURL|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2006365; classtype:trojan-activity; sid:2006365; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (_)"; flow:to_server,established; content:"User-Agent|3a| _|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007942; classtype:trojan-activity; sid:2007942; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS User-Agent (Unknown)"; flow:to_server,established; content:"User-Agent|3a| Unknown|0d 0a|"; http_header; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/bin/view/Main/2007991; classtype:trojan-activity; sid:2007991; rev:7; metadata:created_at 2010_07_30, updated_at 2017_09_13;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (c \windows)"; flow:to_server,established; content:"User-Agent|3a| c|3a 5c|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008043; classtype:trojan-activity; sid:2008043; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Version 1.23)"; flow:to_server,established; content:"User-Agent|3a| Version "; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008048; classtype:trojan-activity; sid:2008048; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (App4)"; flow:to_server,established; content:"User-Agent|3a| App"; http_header; content:!"Host|3a| liveupdate.symantecliveupdate.com|0d 0a|"; http_header; pcre:"/^User-Agent\x3a App\d/Hm"; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category USER_AGENTS; reference:url,doc.emergingthreats.net/bin/view/Main/2008073; classtype:trojan-activity; sid:2008073; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_11_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Mozilla-web)"; flow:to_server,established; content:"User-Agent|3a| Mozilla-web"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008084; classtype:trojan-activity; sid:2008084; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (INSTALLER)"; flow:to_server,established; content:"User-Agent|3a| INSTALLER|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008096; classtype:trojan-activity; sid:2008096; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (IEMGR)"; flow:to_server,established; content:"User-Agent|3a| IEMGR|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008097; classtype:trojan-activity; sid:2008097; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (GOOGLE)"; flow:to_server,established; content:"User-Agent|3a| GOOGLE|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008098; classtype:trojan-activity; sid:2008098; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (RBR)"; flow:to_server,established; content:"User-Agent|3a| RBR|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008147; classtype:trojan-activity; sid:2008147; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (MS Internet Explorer)"; flow:to_server,established; content:"User-Agent|3a| MS Internet Explorer|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008181; classtype:trojan-activity; sid:2008181; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Installer)"; flow:to_server,established; content:"User-Agent|3a| Installer|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008184; classtype:trojan-activity; sid:2008184; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (QQ)"; flow:to_server,established; content:"User-Agent|3a| QQ|0d 0a|"; http_header; content:!"|0d 0a|Q-UA|3a 20|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008199; classtype:trojan-activity; sid:2008199; rev:15; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (TestAgent)"; flow:to_server,established; content:"User-Agent|3a| TestAgent|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008208; classtype:trojan-activity; sid:2008208; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (SERVER2_03)"; flow:to_server,established; content:"User-Agent|3a| SERVER"; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008209; classtype:trojan-activity; sid:2008209; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (WinProxy)"; flow:to_server,established; content:"User-Agent|3a| WinProxy|0d 0a|"; nocase; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008211; classtype:trojan-activity; sid:2008211; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (sickness29a/0.1)"; flow:to_server,established; content:"User-Agent|3a| sickness"; nocase; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008214; classtype:trojan-activity; sid:2008214; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (up2dash updater)"; flow:to_server,established; content:"User-Agent|3a| up2dash"; nocase; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008215; classtype:trojan-activity; sid:2008215; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (NSIS_DOWNLOAD)"; flow:to_server,established; content:"User-Agent|3a| NSIS_DOWNLOAD"; nocase; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008216; classtype:trojan-activity; sid:2008216; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Mozilla 1.02.45 biz)"; flow:to_server,established; content:"User-Agent|3a| Mozilla "; http_header; content:" biz|0d 0a|"; within:15; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008231; classtype:trojan-activity; sid:2008231; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (chek)"; flow:to_server,established; content:"User-Agent|3a| chek|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008253; classtype:trojan-activity; sid:2008253; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (IE)"; flow:to_server,established; content:"User-Agent|3a| IE|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008255; classtype:trojan-activity; sid:2008255; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Nimo Software HTTP Retriever 1.0)"; flow:to_server,established; content:"User-Agent|3a| Nimo Software HTTP"; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008257; classtype:trojan-activity; sid:2008257; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (AutoHotkey)"; flow:to_server,established; content:"User-Agent|3a| AutoHotkey"; http_header; threshold:type limit,count 2,track by_src,seconds 300; content:!".ahk4.net|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008259; classtype:trojan-activity; sid:2008259; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (WebForm 1)"; flow:to_server,established; content:"User-Agent|3a| WebForm"; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008262; classtype:trojan-activity; sid:2008262; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (opera)"; flow:to_server,established; content:"User-Agent|3a| opera|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008264; classtype:trojan-activity; sid:2008264; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Zilla)"; flow:to_server,established; content:"User-Agent|3a| Zilla|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008266; classtype:trojan-activity; sid:2008266; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (contains loader)"; flow:to_server,established; content:" loader"; http_header; fast_pattern:only; pcre:"/User-Agent\x3a[^\n]+loader/iH"; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008276; classtype:trojan-activity; sid:2008276; rev:14; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (123)"; flow:to_server,established; content:"User-Agent|3a| 123|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008343; classtype:trojan-activity; sid:2008343; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (angel)"; flow:to_server,established; content:"User-Agent|3a| angel|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008355; classtype:trojan-activity; sid:2008355; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Accessing)"; flow:to_server,established; content:"User-Agent|3a| Accessing|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008361; classtype:trojan-activity; sid:2008361; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (ISMYIE)"; flow:to_server,established; content:"User-Agent|3a| ISMYIE|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008363; classtype:trojan-activity; sid:2008363; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (ErrCode)"; flow:established,to_server; content:"User-Agent|3a| ErrCode"; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008378; classtype:trojan-activity; sid:2008378; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (svchost)"; flow:established,to_server; content:"User-Agent|3a| svchost"; nocase; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008391; classtype:trojan-activity; sid:2008391; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (ReadFileURL)"; flow:established,to_server; content:"User-Agent|3a| ReadFileURL|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008400; classtype:trojan-activity; sid:2008400; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (PcPcUpdater)"; flow:established,to_server; content:"User-Agent|3a| PcPcUpdater"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008413; classtype:trojan-activity; sid:2008413; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Inet_read)"; flow:established,to_server; content:"User-Agent|3a| Inet_read"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008422; classtype:trojan-activity; sid:2008422; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (CFS Agent)"; flow:established,to_server; content:"User-Agent|3a| CFS Agent"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008423; classtype:trojan-activity; sid:2008423; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (CFS_DOWNLOAD)"; flow:established,to_server; content:"User-Agent|3a| CFS_DOWNLOAD"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008424; classtype:trojan-activity; sid:2008424; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (HTTP Downloader)"; flow: established,to_server; content:"User-Agent|3a| HTTP Downloader"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008428; classtype:trojan-activity; sid:2008428; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (AdiseExplorer)"; flow:established,to_server; content:"User-Agent|3a| AdiseExplorer"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008427; classtype:trojan-activity; sid:2008427; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (HttpDownload)"; flow:established,to_server; content:"User-Agent|3a| HttpDownload"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008429; classtype:trojan-activity; sid:2008429; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Download App)"; flow:established,to_server; content:"User-Agent|3a| Download App"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008440; classtype:trojan-activity; sid:2008440; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (hacker)"; flow:established,to_server; content:"User-Agent|3a| hacker"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008460; classtype:trojan-activity; sid:2008460; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (ieguideupdate)"; flow:established,to_server; content:"User-Agent|3a| ieguideupdate"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008463; classtype:trojan-activity; sid:2008463; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (adsntD)"; flow:established,to_server; content:"User-Agent|3a| adsntD"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008464; classtype:trojan-activity; sid:2008464; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (NULL)"; flow:established,to_server; content:"User-Agent|3a| NULL"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008488; classtype:trojan-activity; sid:2008488; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (ieagent)"; flow:established,to_server; content:"User-Agent|3a| ieagent"; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008494; classtype:trojan-activity; sid:2008494; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (antispyprogram)"; flow:established,to_server; content:"User-Agent|3a| antispyprogram"; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008495; classtype:trojan-activity; sid:2008495; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (SUiCiDE/1.5)"; flow:established,to_server; content:"User-Agent|3a| SUiCiDE"; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008504; classtype:trojan-activity; sid:2008504; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (\xa2\xa2HttpClient)"; flow:established,to_server; content:"User-Agent|3a| |5c|xa2|5c|xa2HttpClient|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008510; classtype:trojan-activity; sid:2008510; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (C slash)"; flow:established,to_server; content:"User-Agent|3a| C|3a 5c|"; http_header; content:!"|5c|Citrix|5c|"; http_header; content:!"|5c|Panda S"; nocase; http_header; content:!"|5c|Mapinfo"; http_header; nocase; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; classtype:trojan-activity; sid:2008512; rev:19; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (msIE 7.0)"; flow:established,to_server; content:"User-Agent|3a| msIE"; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008513; classtype:trojan-activity; sid:2008513; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (AVP2006IE)"; flow:established,to_server; content:"User-Agent|3a| AVP200"; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008514; classtype:trojan-activity; sid:2008514; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (winlogon)"; flow:established,to_server; content:"User-Agent|3a| winlogon"; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008544; classtype:trojan-activity; sid:2008544; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)"; flow:established,to_server; content:"User-Agent|3a| Internet HTTP"; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008564; classtype:trojan-activity; sid:2008564; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent Detected (RLMultySocket)"; flow:established,to_server; content:"User-Agent|3a| RLMultySocket|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008603; classtype:trojan-activity; sid:2008603; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent Detected (Downloader1.2)"; flow:established,to_server; content:"User-Agent|3a| Downloader"; http_header; pcre:"/User-Agent\: Downloader\d+\.\d/H"; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008643; classtype:trojan-activity; sid:2008643; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent Detected (Compatible)"; flow:established,to_server; content:"User-Agent|3a| Compatible|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008657; classtype:trojan-activity; sid:2008657; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent Detected (GetUrlSize)"; flow:established,to_server; content:"User-Agent|3a| GetUrlSize|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008658; classtype:trojan-activity; sid:2008658; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent Detected (aguarovex-loader v3.221)"; flow:established,to_server; content:"User-Agent|3a| aguarovex-loader v"; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008663; classtype:trojan-activity; sid:2008663; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent Detected (WINS_HTTP_SEND Program/1.0)"; flow:established,to_server; content:"User-Agent|3a| WINS_HTTP_SEND"; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008734; classtype:trojan-activity; sid:2008734; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (checkonline)"; flow:established,to_server; content:"User-Agent|3a| checkonline|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008749; classtype:trojan-activity; sid:2008749; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Kvadrlson 1.0)"; flow:established,to_server; content:"User-Agent|3a| Kvadrlson "; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008756; classtype:trojan-activity; sid:2008756; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (miip)"; flow:established,to_server; content:"User-Agent|3a| miip|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008797; classtype:trojan-activity; sid:2008797; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Mozil1a)"; flow:established,to_server; content:"User-Agent|3a| Mozil1a"; http_header; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008847; classtype:trojan-activity; sid:2008847; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Errordigger.com related)"; flow:established,to_server; content:"User-Agent|3a| min|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008912; classtype:trojan-activity; sid:2008912; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Trojan.Hijack.IrcBot.457 related)"; flow:established,to_server; content:"User-Agent|3a| Mozilla/1.0 (compatible|3b| MSIE 8.0|3b|"; fast_pattern:12,20; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008913; classtype:trojan-activity; sid:2008913; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (xr - Worm.Win32.VB.cj related)"; flow:established,to_server; content:"User-Agent|3a| xr|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008914; classtype:trojan-activity; sid:2008914; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (HELLO)"; flow:established,to_server; content:"User-Agent|3a| HELLO|0d 0a|"; http_header; nocase; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008941; classtype:trojan-activity; sid:2008941; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Yandesk)"; flow:established,to_server; content:"User-Agent|3a| Yandesk|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008916; classtype:trojan-activity; sid:2008916; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent pricers.info related (section)"; flow:established,to_server; content:"User-Agent|3a| sections|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008919; classtype:trojan-activity; sid:2008919; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (IE/1.0)"; flow:to_server,established; content:"User-Agent|3a| IE/1.0|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008956; classtype:trojan-activity; sid:2008956; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (BlackSun)"; flow:to_server,established; content:"User-Agent|3a| BlackSun"; http_header; nocase; reference:url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008983; classtype:trojan-activity; sid:2008983; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (runUpdater.html)"; flow:established,to_server; content:"User-Agent|3a| runUpdater|2e|html"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2009355; classtype:trojan-activity; sid:2009355; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (runPatch.html)"; flow:established,to_server; content:"User-Agent|3a| runPatch|2e|html"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2009356; classtype:trojan-activity; sid:2009356; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Session) - Possible Trojan-Clicker"; flow:established,to_server; content:"User-Agent|3a| Session|0d 0a|"; nocase; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2009512; classtype:trojan-activity; sid:2009512; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Poker)"; flow:to_server,established; content:"User-Agent|3a| Poker|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,vil.nai.com/vil/content/v_130975.htm; reference:url,doc.emergingthreats.net/2009534; classtype:trojan-activity; sid:2009534; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Loands) - Possible Trojan Downloader GET Request"; flow:established,to_server; content:"User-Agent\: Loands|0d 0a|"; http_header; nocase; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2009537; classtype:trojan-activity; sid:2009537; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (ms_ie) - Crypt.ZPACK Gen Trojan Downloader GET Request"; flow:established,to_server; content:"User-Agent\: ms_ie|0d 0a|"; http_header; nocase; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2009538; classtype:trojan-activity; sid:2009538; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Forthgoner) - Possible Trojan Downloader GET Request"; flow:established,to_server; content:"User-Agent\: Forthgoner|0d 0a|"; http_header; nocase; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2009547; classtype:trojan-activity; sid:2009547; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (InHold) - Possible Trojan Downloader GET Request"; flow:established,to_server; content:"User-Agent|3a| InHold|0d 0a|"; http_header; nocase; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2009544; classtype:trojan-activity; sid:2009544; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (INet)"; flow:established,to_server; content:"User-Agent|3a| INet|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2009703; classtype:trojan-activity; sid:2009703; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent Beginning with digits - Likely spyware/trojan"; flow:established,to_server; content:"User-Agent|3a| "; http_header; content:!"User-Agent|3a| Mozilla/"; http_header; pcre:"/\x0d\x0aUser-Agent\: \d+/H"; content:!"liveupdate.symantecliveupdate.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2010697; classtype:trojan-activity; sid:2010697; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS badly formatted User-Agent string (no closing parenthesis)"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| "; fast_pattern:16,20; http_header; content:!")|0d 0a|"; within:100; http_header; pcre:"/User-Agent\x3a\sMozilla\/4\.0\s\(compatible[^\)]+\r\n/H"; reference:url,doc.emergingthreats.net/2010906; classtype:bad-unknown; sid:2010906; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS WebHack Control Center User-Agent Outbound (WHCC/)"; flow:to_server,established; content:"User-Agent|3a|"; nocase; content:"WHCC"; http_header; fast_pattern; nocase; pcre:"/^User-Agent\:[^\n]+WHCC/Hmi"; reference:url,www.governmentsecurity.org/forum/index.php?showtopic=5112&pid=28561&mode=threaded&start=; reference:url,doc.emergingthreats.net/2003925; classtype:trojan-activity; sid:2003925; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Webbuying.net Spyware Install User-Agent 2 (wb v1.6.4)"; flow:to_server,established; content:"User-Agent|3a|"; nocase; http_header; content:"wb v"; within:150; fast_pattern; http_header; pcre:"/^User-Agent\x3a[^\r\n]+wb v\d/Hmi"; reference:url,doc.emergingthreats.net/2003449; classtype:trojan-activity; sid:2003449; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Win32.Tdss User Agent Detected (Mozzila)"; flow:established,to_server; content:"User-Agent|3a| Mozzila"; http_header; reference:url,doc.emergingthreats.net/2010889; classtype:trojan-activity; sid:2010889; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Winfixmaster.com Fake Anti-Spyware User-Agent 2 (WinFix Master)"; flow:to_server,established; content:"User-Agent|3a| WinFix Master"; nocase; http_header; reference:url,doc.emergingthreats.net/2003545; classtype:trojan-activity; sid:2003545; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS 180 Solutions (Zango Installer) User Agent"; flow:to_server,established; content:"User-Agent|3a|"; http_header; content:"SAIv"; distance:0; fast_pattern; http_header; pcre:"/^User-Agent\x3a[^\r\n]+SAIv/Hm";  reference:url,doc.emergingthreats.net/2003062; classtype:trojan-activity; sid:2003062; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Gator Agent Traffic"; flow: to_server,established; content:" Gator"; nocase;  http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+Gator/iH"; reference:url,doc.emergingthreats.net/2000026; classtype:policy-violation; sid:2000026; rev:36; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Bancos User-Agent Detected vb wininet"; flow:established,to_server; content:"User-Agent|3A| vb wininet"; http_header; nocase; metadata: former_category USER_AGENTS; reference:url,doc.emergingthreats.net/2004114; classtype:trojan-activity; sid:2004114; rev:5; metadata:tag Banking_Trojan, created_at 2010_07_30, malware_family Bancos, updated_at 2018_04_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Banker.anv Generally Suspicious User-Agent (CustomExchangeBrowser)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; content:"CustomExchangeBrowser"; http_header; pcre:"/User-Agent\:[^\n]+CustomExchangeBrowser/H"; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2007824; classtype:trojan-activity; sid:2007824; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Banload User-Agent Detected (ExampleDL)"; flow:established,to_server; content:"User-Agent|3a| ExampleDL"; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2004440; classtype:trojan-activity; sid:2004440; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Banload User-Agent Detected (WebUpdate)"; flow:established,to_server; content:"User-Agent|3a| WebUpdate|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2008074; classtype:trojan-activity; sid:2008074; rev:5; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Brontok User-Agent Detected (Brontok.A3 Browser)"; flow:established,to_server; content:"User-Agent|3a| Brontok"; http_header; nocase; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2006999; classtype:trojan-activity; sid:2006999; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Brontok/Joseray User-Agent Detected (Joseray.A3 Browser)"; flow:established,to_server; content:"User-Agent|3a| Joseray"; http_header; nocase; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2008765; classtype:trojan-activity; sid:2008765; rev:5; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Cashpoint.com Related checkin User-Agent (inetinst)"; flow:established,to_server; content:"User-Agent|3a| inetinst|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2007808; classtype:trojan-activity; sid:2007808; rev:5; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Cashpoint.com Related checkin User-Agent (okcpmgr)"; flow:established,to_server; content:"User-Agent|3a| okcpmgr|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2007810; classtype:trojan-activity; sid:2007810; rev:5; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Banker.Delf User-Agent (Varlok_11000)"; flow:established,to_server; content:"User-Agent|3a| Varlok_"; http_header; nocase; metadata: former_category TROJAN; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2003931; classtype:trojan-activity; sid:2003931; rev:5; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Banker.Delf User-Agent (Ms)"; flow:established,to_server; content:"User-Agent|3a| Ms|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2003933; classtype:trojan-activity; sid:2003933; rev:8; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Banker.Delf User-Agent (hhh)"; flow:established,to_server; content:"User-Agent|3a| hhh|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2004442; classtype:trojan-activity; sid:2004442; rev:7; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"User-Agent|3a| Mz|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; classtype:trojan-activity; sid:2007594; rev:8; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Banker.Delf User-Agent (WINDOWS_LOADS)"; flow:established,to_server; content:"User-Agent|3a| WINDOWS_LOADS"; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2007699; classtype:trojan-activity; sid:2007699; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Dialer-967 User-Agent"; flow:to_server,established; content:"User-Agent|3a| del|0d 0a|"; http_header; nocase; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2006364; classtype:trojan-activity; sid:2006364; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Diazom Trojan User-Agent in Use (cv_v2.0.1)"; flow:established,to_server; content:"User-agent|3a| cv_v"; http_header; metadata: former_category TROJAN; reference:url,ww.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-032316-0426-99&tabid=2; reference:url,doc.emergingthreats.net/2003598; classtype:trojan-activity; sid:2003598; rev:5; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19 etc)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; nocase; content:")ver"; http_header; fast_pattern; distance:0; pcre:"/^User-Agent\:[^\n]+\)ver\d/Hmi"; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2003380; classtype:trojan-activity; sid:2003380; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Matcash or related downloader User-Agent Detected"; flow:established,to_server; content:"User-Agent|3a| x"; http_header; pcre:"/^User-Agent\: x\w\wx\w\w\!x\w\wx\w\wx\w\w/Hm"; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2006382; classtype:trojan-activity; sid:2006382; rev:9; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Downloader User-Agent Detected (Windows Updates Manager|3.12|...)"; flow:established,to_server; content:"User-Agent|3a| Windows Updates Manager|7c|"; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2006387; classtype:trojan-activity; sid:2006387; rev:8; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Downloader User-Agent Detected (ld)"; flow:established,to_server; content:"User-Agent|3a| ld|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2006394; classtype:trojan-activity; sid:2006394; rev:7; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent - Matcash related Trojan Downloader (Ismazo Advanced Loader)"; flow:established,to_server; content:"User-Agent|3a| Ismazo"; http_header; nocase; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2007633; classtype:trojan-activity; sid:2007633; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS User-agent DownloadNetFile Win32.small.hsh downloader"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3A| DownloadNetFile|0D 0A|"; http_header; nocase; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2007778; classtype:trojan-activity; sid:2007778; rev:12; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (WinInet)"; flow:established,to_server; content:"User-Agent|3a| WinInet|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2007837; classtype:trojan-activity; sid:2007837; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent Possible Trojan Downloader Shell"; flow:established,to_server; content:"User-Agent|3a| Shell|0d 0a|"; http_header; nocase; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2007840; reference:url,www.securelist.com/en/blog/434/The_Chinese_bootkit; classtype:trojan-activity; sid:2007840; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent - Possible Trojan-Dropper.Win32.Agent.eut (Yhrbg)"; flow:established,to_server; content:"User-Agent|3a| Yhrbg|0d 0a|"; http_header; nocase; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2007912; classtype:trojan-activity; sid:2007912; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (Digital)"; flow:established,to_server; content:"User-Agent|3a| Digital|0d 0a|"; http_header; nocase; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2007923; classtype:trojan-activity; sid:2007923; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (downloaded)"; flow:established,to_server; content:"User-Agent|3a| downloaded|0d 0a|"; http_header; nocase; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2007924; classtype:trojan-activity; sid:2007924; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (wnames)"; flow:established,to_server; content:"User-Agent|3a| wnames|0d 0a|"; http_header; nocase; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2007925; classtype:trojan-activity; sid:2007925; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (https)"; flow:established,to_server; content:"User-Agent|3a| https|0d 0a|"; http_header; nocase; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2008019; classtype:trojan-activity; sid:2008019; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Downloader User-Agent (AutoDL\/1.0)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| AutoDL/1.0|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2008458; classtype:trojan-activity; sid:2008458; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent filled with System Details - GET Request"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| mac="; http_header; nocase; content:"&hdid="; nocase; http_header; content:"&wlid="; nocase; content:"&start="; nocase; content:"&os="; nocase; content:"&mem="; nocase; content:"&alive"; nocase; content:"&ver="; nocase; content:"&mode="; nocase; content:"&guid"; content:"&install="; nocase; content:"&auto="; nocase; content:"&serveid"; nocase; content:"&area="; nocase; depth:400; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2009541; classtype:trojan-activity; sid:2009541; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Tear Application User-Agent Detected"; flow:established,to_server; content:"User-Agent|3a| Tear Application|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2007770; classtype:trojan-activity; sid:2007770; rev:5; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Eldorado.BHO User-Agent Detected (netcfg)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| netcfg|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2007758; classtype:trojan-activity; sid:2007758; rev:8; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Eldorado.BHO User-Agent Detected (MSIE 5.5)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| MSIE 5.5|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2007833; classtype:trojan-activity; sid:2007833; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS my247eshop.com User-Agent"; flow:established,to_server; content:"User-Agent|3a| EShopee|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2008243; classtype:trojan-activity; sid:2008243; rev:4; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (API-Guide test program) Used by Several trojans"; flow:established,to_server; content:"User-Agent|3a| API-Guide test program|0d 0a|"; http_header; nocase; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2007826; classtype:trojan-activity; sid:2007826; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Generic.Malware.SFL User-Agent (Rescue/9.11)"; flow:established,to_server; content:"User-Agent|3a| Rescue/9.11"; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2003645; classtype:trojan-activity; sid:2003645; rev:5; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Kangkio User-Agent (lsosss)"; flow:established,to_server; content:"User-Agent|3a| lsosss|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2008767; classtype:trojan-activity; sid:2008767; rev:4; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Keypack.co.kr Related Trojan User-Agent Detected"; flow:established,to_server; content:"User-Agent|3a| keypack"; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2008339; classtype:trojan-activity; sid:2008339; rev:4; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Kpang.com Related Trojan User-Agent (kpangupdate)"; flow:established,to_server; content:"User-Agent|3a| kpangupdate|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2007779; classtype:trojan-activity; sid:2007779; rev:5; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Kpang.com Related Trojan User-Agent (alertup)"; flow:established,to_server; content:"User-Agent|3a| alertup|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2007849; classtype:trojan-activity; sid:2007849; rev:4; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Swizzor-based Downloader - Invalid User-Agent (Mozilla/4.0 (compatible MSIE 7.0 na .NET CLR 2.0.50727 .NET CLR 3.0.4506.2152 .NET CLR 3.5.30729))"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| na|3b| .NET CLR 2.0.50727|3b| .NET CLR 3.0.4506.2152|3b| .NET CLR 3.5.30729)|0d0a|"; fast_pattern:37,13; http_header; metadata: former_category TROJAN; reference:url,www.cyber-ta.org/releases/malware-analysis/public/2009-07-12-public/ARCHIVE/1247423556.chatter; reference:url,doc.emergingthreats.net/2009810; classtype:trojan-activity; sid:2009810; rev:7; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Luder.B User-Agent (Mozilla/4.0 (SPGK)) - GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| Mozilla/4.0 (SPGK)|0d 0a|"; fast_pattern:24,8; nocase; http_header; metadata: former_category TROJAN; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=212955#none; reference:url,www.threatexpert.com/threats/virus-win32-luder-b.html; reference:url,doc.emergingthreats.net/2009805; classtype:trojan-activity; sid:2009805; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Neonaby.com Related Trojan User-Agent (neonabyupdate)"; flow:established,to_server; content:"User-Agent|3a| neonabyupdate|0d 0a|"; http_header; nocase; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2007825; classtype:trojan-activity; sid:2007825; rev:4; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Nine Ball User-Agent Detected (NQX315)"; flow:established,to_server; content:"User-Agent|3a| NQX315|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2011188; classtype:trojan-activity; sid:2011188; rev:5; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Otwycal User-Agent (Downing)"; flow:to_server,established; content:"User-Agent|3a| Downing|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2008159; classtype:trojan-activity; sid:2008159; rev:4; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Pakes User-Agent Detected"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.7 [en] (WinNT"; http_header; fast_pattern:20,15; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2007767; classtype:trojan-activity; sid:2007767; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Password Stealer - User-Agent (Ucheck)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; content:"Opera/9.10"; http_header; content:"|3b| Ucheck"; http_header; fast_pattern; pcre:"/User-Agent\x3a[^\n]+\x3b\sUcheck/Hmi"; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2009081; classtype:trojan-activity; sid:2009081; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Sality - Fake Opera User-Agent"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a| Opera/8.81 (Windows NT 6.0|3b| U|3b| en)|0d0a|"; http_header; metadata: former_category TROJAN; reference:url,www.spywareremove.com/removeTrojanDownloaderSalityG.html; reference:url,www.microsoft.com/security/portal/beta/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSality.AM; reference:url,doc.emergingthreats.net/2009525; classtype:trojan-activity; sid:2009525; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Sality - Fake Opera User-Agent (Opera/8.89)"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a| Opera/8.89 (Windows NT 6.0|3b| U|3b| en)|0d0a|"; http_header; metadata: former_category TROJAN; reference:url,www.spywareremove.com/removeTrojanDownloaderSalityG.html; reference:url,www.microsoft.com/security/portal/beta/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSality.AM; reference:url,doc.emergingthreats.net/2009530; classtype:trojan-activity; sid:2009530; rev:5; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Sality - Fake Opera User-Agent"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a| Opera/9.28 (Windows NT 6.0|3b| U|3b| en)|0d0a|"; http_header; metadata: former_category TROJAN; reference:url,www.spywareremove.com/removeTrojanDownloaderSalityG.html; reference:url,www.microsoft.com/security/portal/beta/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSality.AM; reference:url,doc.emergingthreats.net/2009474; classtype:trojan-activity; sid:2009474; rev:5; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Storm C&C with typo'd User-Agent (Windoss)"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windoss NT"; http_header; fast_pattern:46,11; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2007742; classtype:trojan-activity; sid:2007742; rev:7; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Unkown Trojan User-Agent (5.1 ...)"; flow:established,to_server; content:"User-Agent|3a| 5.1 "; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2009685; classtype:trojan-activity; sid:2009685; rev:5; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Vapsup User-Agent (doshowmeanad loader v2.1)"; flow:to_server,established; content:"User-Agent|3a| doshowmeanad "; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2008142; classtype:trojan-activity; sid:2008142; rev:5; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Vundo User-Agent Check-in"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0) WinNT 5.1|0d 0a|"; fast_pattern:37,21; http_header; metadata: former_category TROJAN; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-112111-3912-99; reference:url,doc.emergingthreats.net/2010490; classtype:trojan-activity; sid:2010490; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Win32.Agent.pt User-Agent Detected"; flow:established,to_server; content:"User-Agent|3a| Machaon|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2007663; classtype:trojan-activity; sid:2007663; rev:5; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Win32.Small.qh/xSock User-Agent Detected"; flow:established,to_server; content:"User-Agent|3a| xSock Config"; http_header; nocase; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2007609; classtype:trojan-activity; sid:2007609; rev:5; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Win32.VB.tdq - Fake User-Agent"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 5.0|3b| Windows NT 2.1|3b| SV3)|0d0a|"; fast_pattern:47,15; http_header; metadata: former_category TROJAN; reference:url,vil.nai.com/vil/content/v_187654.htm; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=187654; reference:url,doc.emergingthreats.net/2009825; classtype:trojan-activity; sid:2009825; rev:8; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS WindowsEnterpriseSuite FakeAV User-Agent TALWinHttpClient"; flow:established,to_server; content:"User-Agent|3a| Mozilla/3.0(compatible|3b| TALWinHttpClient)|0d 0a|"; http_header; fast_pattern:21,19; metadata: former_category TROJAN; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010261; classtype:trojan-activity; sid:2010261; rev:5; metadata:created_at 2010_07_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (ScrapeBox)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| ScrapeBox"; http_header; classtype:trojan-activity; sid:2011282; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS IMDDOS Botnet User-Agent STORMDDOS"; flow: established,to_server; content:"User-Agent|3A| STORMDDOS"; nocase; http_header; metadata: former_category TROJAN; reference:url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf; classtype:trojan-activity; sid:2011480; rev:5; metadata:created_at 2010_09_28, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS IMDDOS Botnet User-Agent IAMDDOS"; flow: established,to_server; content:"User-Agent|3A| IAMDDOS"; nocase; http_header; metadata: former_category TROJAN; reference:url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf; classtype:trojan-activity; sid:2011481; rev:5; metadata:created_at 2010_09_28, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS IMDDOS Botnet User-Agent kav"; flow: established,to_server; content:"User-Agent|3A| kav"; http_header; metadata: former_category TROJAN; reference:url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf; classtype:trojan-activity; sid:2011482; rev:6; metadata:created_at 2010_09_28, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS IMDDOS Botnet User-Agent YTDDOS"; flow: established,to_server; content:"User-Agent|3A| YTDDOS"; nocase; http_header; metadata: former_category TROJAN; reference:url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf; classtype:trojan-activity; sid:2011483; rev:5; metadata:created_at 2010_09_28, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS IMDDOS Botnet User-Agent i am ddos"; flow: established,to_server; content:"User-Agent|3A| i am ddos"; nocase; depth:300; metadata: former_category TROJAN; reference:url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf; classtype:trojan-activity; sid:2011484; rev:5; metadata:created_at 2010_09_28, updated_at 2017_10_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent no space"; flow:established,to_server; content:"User-Agent|3a|"; http_header; content:!"User-Agent|3a 20|"; http_raw_header; classtype:bad-unknown; sid:2012180; rev:1; metadata:created_at 2011_01_14, updated_at 2011_01_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Malware Related msndown"; flow:established,to_server; content:"User-Agent|3a| msndown|0d 0a|"; http_header; reference:url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=17fdf0cb5970b71b81b1a5406e017ac1; classtype:trojan-activity; sid:2012221; rev:1; metadata:created_at 2011_01_22, updated_at 2011_01_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS W32/Goolbot.E Checkin UA Detected iamx"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| iamx/"; http_header; classtype:trojan-activity; sid:2012246; rev:3; metadata:created_at 2011_01_27, updated_at 2011_01_27;)

alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Win32 User Agent"; flow:to_server,established; content:"User-Agent|3a| Win32"; nocase; http_header; classtype:trojan-activity; sid:2012249; rev:2; metadata:created_at 2011_02_01, updated_at 2011_02_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Our_Agent)"; flow:established,to_server; content:" Our_Agent"; http_header; classtype:trojan-activity; sid:2012278; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_02_03, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS suspicious user-agent (REKOM)"; flow:established,to_server; content:"GET"; http_method; content:"|0d 0a|User-Agent|3a| REKOM"; nocase; http_header; classtype:trojan-activity; sid:2012295; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_02_06, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Si25f_302 User-Agent"; flow:established,to_server; content:"User-Agent|3a| Si25"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2012310; rev:4; metadata:created_at 2011_02_14, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Generic Trojan with /? and Indy Library User-Agent"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/?"; depth:2; http_uri; content:"Indy Library)"; http_header; fast_pattern; content:"Accept-Encoding|3a| identity|0D 0A|User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:!".ensignsoftware.com"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2012312; rev:6; metadata:created_at 2011_02_14, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent Moxilla"; flow:established,to_server; content:"User-Agent|3a| Moxilla"; http_header; classtype:trojan-activity; sid:2012313; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_02_14, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Fake Opera 8.11 UA related to Trojan Activity"; flow:established,to_server; content:"|20|HTTP/1.0|0d 0a|"; http_header; content:"|0d 0a|User-Agent|3a 20|opera/8.11|0d 0a|"; http_header; classtype:trojan-activity; sid:2012315; rev:1; metadata:created_at 2011_02_17, updated_at 2011_02_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Possible TDSS User-Agent CMD"; flow:established,to_server; content:" (compatible|3b| MSIE 1.0|3b| Windows NT|3b| "; http_header; fast_pattern:16,20; metadata: former_category TROJAN; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=19; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:2012322; rev:8; metadata:created_at 2011_02_21, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent VCTestClient"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| VCTestClient"; nocase; http_header; classtype:trojan-activity; sid:2012386; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_02_27, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent PrivacyInfoUpdate"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| PrivacyInfoUpdate"; nocase; http_header; classtype:trojan-activity; sid:2012387; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_02_27, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Avzhan DDoS Bot User-Agent MyIE"; flow:established,to_server;content:"User-Agent|3a|Mozilla"; http_header; content:"|3b| MyIE "; fast_pattern; http_header; within:100; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; reference:url,blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html; classtype:trojan-activity; sid:2013258; rev:8; metadata:created_at 2011_03_01, updated_at 2011_03_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Presto)"; flow:established,to_server; content:"User-Agent|3a| Opera/10.60 Presto/2.2.30"; http_header; content:!"Accept"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2012491; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_03_11, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (VMozilla)"; flow:to_server,established; content:"User-Agent|3a| VMozilla"; http_header; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fNeeris.BF; reference:url,www.avira.com/en/support-threats-description/tid/6259/tlang/en; classtype:trojan-activity; sid:2012555; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_03_25, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent Im Luo"; flow:established,to_server; content:"User-Agent|3A| Im|27|Luo"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2012586; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_03_28, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Backdoor.Win32.Vertexbot.A User-Agent (VERTEXNET)"; flow:to_server,established; content:"User-Agent|3a| VERTEXNET"; http_header; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2011-032315-2902-99&tabid=2; classtype:trojan-activity; sid:2012740; rev:6; metadata:created_at 2011_03_30, updated_at 2011_03_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Lowercase User-Agent header purporting to be MSIE"; flow:established,to_server; content:"user-agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; http_header; content:!"|0d 0a|VIA|3a 20|"; http_header; classtype:trojan-activity; sid:2012607; rev:3; metadata:created_at 2011_03_30, updated_at 2011_03_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent Sample"; flow:established,to_server; content:"User-Agent|3A| sample"; nocase; http_header; classtype:trojan-activity; sid:2012611; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_03_31, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent Mozilla/3.0"; flow:established,to_server; content:"User-Agent|3A| Mozilla/3.0|0d 0a|"; http_header; fast_pattern:11,14; classtype:trojan-activity; sid:2012619; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_03_31, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Optimum Installer User-Agent IE6 on Windows XP"; flow:established,to_server; content:"User-Agent|3a| IE6 on Windows XP"; fast_pattern:12,10; http_header; classtype:trojan-activity; sid:2012629; rev:4; metadata:created_at 2011_04_05, updated_at 2011_04_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS suspicious User Agent (Lotto)"; flow:to_server,established; content:"User-Agent|3a| Lotto"; http_header; classtype:trojan-activity; sid:2012695; rev:2; metadata:created_at 2011_04_20, updated_at 2011_04_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent String (AskPartnerCobranding)"; flow:to_server,established; content:"User-Agent|3a| AskPartner"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2012734; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_04_28, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 808 (msg:"ET USER_AGENTS suspicious user agent string (changhuatong)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a 20|changhuatong|0d 0a|"; classtype:trojan-activity; sid:2012751; rev:1; metadata:created_at 2011_04_29, updated_at 2011_04_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS suspicious user agent string (CholTBAgent)"; flow:to_server,established; content:"User-Agent|3a 20|CholTBAgent"; http_header; detection_filter:track by_dst, count 4, seconds 20; classtype:trojan-activity; sid:2012757; rev:4; metadata:created_at 2011_04_29, updated_at 2011_04_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious user agent (mdms)"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent|3a| mdms|0d 0a|"; http_header; classtype:trojan-activity; sid:2012761; rev:2; metadata:created_at 2011_05_02, updated_at 2011_05_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious user agent (asd)"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent|3a| asd|0d 0a|"; nocase; http_header; classtype:trojan-activity; sid:2012762; rev:2; metadata:created_at 2011_05_03, updated_at 2011_05_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent SimpleClient 1.0"; flow:established,to_server; content:"User-Agent|3A| SimpleClient "; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:bad-unknown; sid:2012860; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_05_25, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Known Skunkx DDOS Bot User-Agent Cyberdog"; flow:established,to_server; content:"User-Agent|3A| Cyberdog"; http_header; nocase; reference:url,asert.arbornetworks.com/2011/03/skunkx-ddos-bot-analysis/; classtype:trojan-activity; sid:2012893; rev:1; metadata:created_at 2011_05_31, updated_at 2011_05_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent Fragment (WORKED)"; flow:established,to_server; content:"WORKED"; http_header; pcre:"/User-Agent\x3a[^\n]+WORKED/H"; classtype:trojan-activity; sid:2012909; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_05_31, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious user agent (Google page)"; flow:to_server,established; content:"User-Agent|3a| Google page"; nocase; http_header; classtype:trojan-activity; sid:2017067; rev:3; metadata:created_at 2011_05_31, updated_at 2011_05_31;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS MacShield User-Agent Likely Malware"; flow:established,to_server; content:"User-Agent|3a 20|MacShield"; http_header; metadata: former_category TROJAN; reference:url,blog.spiderlabs.com/2011/06/analysis-and-evolution-of-macdefender-os-x-fake-av-scareware.html; classtype:trojan-activity; sid:2012959; rev:3; metadata:created_at 2011_06_08, updated_at 2017_10_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS EmailSiphon Suspicious User-Agent Inbound"; flow:established,to_server; content:"User-Agent|3a| EmailSiphon"; nocase; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013032; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_06_14, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS EmailSiphon Suspicious User-Agent Outbound"; flow:established,to_server; content:"User-Agent|3a| EmailSiphon"; nocase; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013033; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_06_14, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Binget PHP Library User Agent Outbound"; flow:established,to_server; content:"User-Agent|3a| Binget/"; nocase; http_header; reference:url,www.bin-co.com/php/scripts/load/; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013050; rev:1; metadata:created_at 2011_06_17, updated_at 2011_06_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS pxyscand/ Suspicious User Agent Outbound"; flow:established,to_server; content:"User-Agent|3a| pxyscand/"; nocase; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013052; rev:1; metadata:created_at 2011_06_17, updated_at 2011_06_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS PyCurl Suspicious User Agent Outbound"; flow:established,to_server; content:"User-Agent|3a| PyCurl"; nocase; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013054; rev:1; metadata:created_at 2011_06_17, updated_at 2011_06_17;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS Atomic_Email_Hunter User-Agent Inbound"; flow:established,to_server; content:"User-Agent|3a| Atomic_Email_Hunter/"; fast_pattern:12,20; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013173; rev:3; metadata:created_at 2011_07_04, updated_at 2011_07_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Atomic_Email_Hunter User-Agent Outbound"; flow:established,to_server; content:"User-Agent|3a| Atomic_Email_Hunter/"; fast_pattern:12,20; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013174; rev:2; metadata:created_at 2011_07_04, updated_at 2011_07_04;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Artro Downloader User-Agent Detected"; flow:established,to_server; content:"User-Agent|3a| Mozilla/5.0 (Windows NT 6.1|3b| wget 3.0|3b| rv|3a|5.0) Gecko/20100101 Firefox/5.0"; http_header; fast_pattern:65,20; metadata: former_category TROJAN; reference:url,www.securelist.com/en/analysis/204792172/The_Advertising_Botnet; classtype:trojan-activity; sid:2013184; rev:7; metadata:created_at 2011_07_04, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Long Fake wget 3.0 User-Agent Detected"; flow:established,to_server; content:"User-Agent|3a|"; http_header; content:"wget 3.0"; fast_pattern; distance:10; within:100; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013178; rev:3; metadata:created_at 2011_07_04, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (HardCore Software For)"; flow:to_server,established; content:"User-Agent|3a| HardCore Software For"; http_header; nocase; metadata: former_category TROJAN; classtype:trojan-activity; sid:2018608; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_07_06, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (GeneralDownloadApplication)"; flow:to_server,established; content:"User-Agent|3a| GeneralDownloadApplication|0d 0a|"; http_header; metadata: former_category USER_AGENTS; classtype:trojan-activity; sid:2025092; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_07_06, updated_at 2017_11_29;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS FakeAV User-Agent XML"; flow:established,to_server; content:"User-Agent|3A| XML|0D 0A|"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013374; rev:2; metadata:created_at 2011_08_05, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS W32/Nolja Trojan User-Agent (FileNolja)"; flow:established,to_server; content:"FileNolja"; http_header; nocase; fast_pattern:only; pcre:"/User-Agent\x3A[^\r\n]*FileNolja/Hi"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013376; rev:2; metadata:created_at 2011_08_05, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Ufasoft bitcoin Related User-Agent"; flow:established,to_server; content:"User-Agent|3A 20|Ufasoft"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013391; rev:3; metadata:created_at 2011_08_10, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS W32/SpeedRunner User-Agent SRRemove"; flow:established,to_server; content:"User-Agent|3A| SRRemove"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013394; rev:2; metadata:created_at 2011_08_10, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent _updater_agent"; flow:established,to_server; content:"User-Agent|3A 20|_updater_agent"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013395; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_08_10, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Win32/Onescan FraudWare User-Agent"; flow:established,to_server; content:"User-Agent|3A 20|test_hInternet"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013444; rev:2; metadata:created_at 2011_08_22, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (GUIDTracker)"; flow:to_server,established; content:"User-Agent|3a| GUIDTracker"; http_header; metadata: former_category TROJAN; reference:url,threatexpert.com/report.aspx?md5=7a8807f4de0999dba66a8749b2366def; classtype:trojan-activity; sid:2013455; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_08_24, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Win32/Dynamer Trojan Dropper User-Agent VB Http"; flow:established,to_server; content:"User-Agent|3A 20|VB Http"; http_header; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FDynamer!dtc; classtype:trojan-activity; sid:2013507; rev:2; metadata:created_at 2011_08_31, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Downloader User-Agent HTTPGET"; flow:established,to_server; content:"User-Agent|3A 20|HTTPGET"; http_header; content:!"autodesk.com|0d 0a|"; http_header; content:!"rsa.com"; http_header; content:!"consumersentinel.gov"; http_header; content:!"technet.microsoft.com"; http_header; content:!"metropolis.com"; http_header; content:!"www.catalog.update.microsoft.com|0d|"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013508; rev:9; metadata:created_at 2011_08_31, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (MadeByLc)"; flow:established,to_server; content:"User-Agent|3A 20|MadeBy"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013512; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_08_31, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Win32/OnLineGames User-Agent (Revolution Win32)"; flow:established,to_server; content:"User-Agent|3A 20|Revolution"; http_header; reference:url,threatexpert.com/report.aspx?md5=1431f4ab4bbe3ad1087eb14cf4d7dff9; classtype:trojan-activity; sid:2013542; rev:1; metadata:created_at 2011_09_06, updated_at 2011_09_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Delphi Trojan Downloader User-Agent (JEDI-VCL)"; flow:established,to_server; content:"User-Agent|3a| JEDI-VCL"; http_header; content:!"apexwin.com|0d 0a|"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013559; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2011_09_12, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (windsoft)"; flow:established,to_server; content:"User-Agent|3a| WindSoft|0d 0a|"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013561; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_09_12, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Backdoor.Win32.Aldibot.A User-Agent (Aldi Bot)"; flow:to_server,established; content:"User-Agent|3a| Aldi Bot"; nocase; http_header; metadata: former_category TROJAN; reference:url,www.asert.arbornetworks.com/2011/10/ddos-aldi-bot; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fAbot.gen!A; classtype:trojan-activity; sid:2013747; rev:4; metadata:created_at 2011_09_23, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Trojan Downloader User-Agent (NOPE)"; flow:established,to_server; content:"User-Agent|3a| N0PE"; http_header; metadata: former_category TROJAN; reference:url,support.clean-mx.de/clean-mx/view_joebox.php?md5=b0b7c391d084974b2666c1c57b349b62&id=711369; reference:url,www.virustotal.com/file-scan/report.html?id=54dcad20b326a409c09f1b059925ba4ba260ef58297cda1421ffca79942a96a5-1305296734; classtype:trojan-activity; sid:2013702; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2011_09_27, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Trojan Downloader User-Agent BGroom"; flow:established,to_server; content:"User-Agent|3A 20|BGroom"; http_header; classtype:trojan-activity; sid:2013717; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2011_09_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Trojan Downloader User-Agent (Tiny)"; flow:established,to_server; content:"User-Agent|3A 20|tiny|0D 0A|"; http_header; classtype:trojan-activity; sid:2013718; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2011_09_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS W32/OnlineGames User-Agent (LockXLS)"; flow:established,to_server; content:"User-Agent|3A 20|LockXLS"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013724; rev:2; metadata:created_at 2011_09_30, updated_at 2017_10_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Win32/OnLineGames User-Agent (Revolution Win32)"; flow:established,to_server; content:"User-Agent|3A 20|Revolution|20 28|Win32|29|"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013725; rev:1; metadata:created_at 2011_09_30, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (FULLSTUFF)"; flow: established,to_server; content:"User-Agent|3A| FULLSTUFF"; nocase; http_header; metadata: former_category TROJAN; reference:url,threatexpert.com/reports.aspx?find=mrb.mail.ru; classtype:trojan-activity; sid:2013880; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_11_08, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (NateFinder)"; flow:to_server,established; content:"User-Agent|3a| NateFinder"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013881; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_11_08, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (webfile)"; flow:to_server,established; content:"User-Agent|3a| webfile"; http_header; metadata: former_category TROJAN; reference:url,threatexpert.com/reports.aspx?find=upsh.playmusic.co.kr; classtype:trojan-activity; sid:2013883; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_11_08, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (DARecover)"; flow:to_server,established; content:"User-Agent|3a| DARecover"; http_header; metadata: former_category TROJAN; reference:url,threatexpert.com/reports.aspx?find=clients.mydealassistant.com; classtype:trojan-activity; sid:2013884; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_11_08, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (MediaLabsSiteInstaller)"; flow:established,to_server; content:"User-Agent|3A 20|MediaLabsSiteInstaller"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013889; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_11_08, updated_at 2017_10_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (adlib)"; flow:established,to_server; content:"User-Agent|3A 20|adlib/"; http_header; reference:url,blog.trendmicro.com/connections-between-droiddreamlight-and-droidkungfu/; classtype:trojan-activity; sid:2013967; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_11_23, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS W32/Kazy User-Agent (Windows NT 5.1 \; v.) space infront of semi-colon"; flow:established,to_server; content:"User-Agent|3A 20|Mozilla/5.0|20 28|Windows NT 5.1|20 3B 20|v|2E|"; fast_pattern:23,19; http_header; classtype:trojan-activity; sid:2014001; rev:3; metadata:created_at 2011_12_08, updated_at 2011_12_08;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS W32/Renos.Downloader User Agent zeroup"; flow:established,to_server; content:"User-Agent|3A 20|zeroup"; http_header; reference:url,www.f-secure.com/v-descs/trojan_w32_renos_h.shtml; reference:md5,35ba53f6aeb6b38c1107018f271189af; classtype:trojan-activity; sid:2014817; rev:1; metadata:created_at 2012_05_25, updated_at 2012_05_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (DownloadMR)"; flow:to_server,established; content:"User-Agent|3a| DownloadMR"; nocase; http_header; reference:url,www.virustotal.com/en/file/93236b781e147e3ac983be1374a5f807fabd27ee2b92e6d99e293a6eb070ac2b/analysis/; reference:md5,0da0d8e664f44400c19898b4c9e71456; classtype:trojan-activity; sid:2016903; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2013_05_21, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS User-Agent (ChilkatUpload)"; flow:to_server,established; content:"User-Agent|3a| ChilkatUpload"; http_header; nocase; reference:url,chilkatsoft.com; classtype:trojan-activity; sid:2016904; rev:1; metadata:created_at 2013_05_21, updated_at 2013_05_21;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS FOCA User-Agent"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a 20|FOCA|0d 0a|"; http_header; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:url,blog.bannasties.com/2013/08/vulnerability-scans/; classtype:attempted-recon; sid:2017949; rev:3; metadata:created_at 2014_01_09, updated_at 2014_01_09;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS MtGox Leak wallet stealer UA"; flow:established,to_server; content:"User-Agent|3a 20|MtGoxBackOffice"; fast_pattern:only; http_header; metadata: former_category CURRENT_EVENTS; reference:url,www.securelist.com/en/blog/8196/Analysis_of_Malware_from_the_MtGox_leak_archive; reference:md5,c4e99fdcd40bee6eb6ce85167969348d; classtype:trojan-activity; sid:2018279; rev:1; metadata:created_at 2014_03_14, updated_at 2017_11_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS MSF Meterpreter Default User Agent"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 6.1|3b 20|Windows NT|29 0d 0a|"; http_header; fast_pattern:40,20; reference:url,blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings; classtype:bad-unknown; sid:2021060; rev:1; metadata:created_at 2015_05_05, updated_at 2015_05_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS WildTangent User-Agent (WT Games App)"; flow:established,to_server; content:"|0d 0a|WT-User-Agent|3a 20|WT|20|Games|20|App|20|"; http_header; classtype:policy-violation; sid:2021384; rev:2; metadata:created_at 2015_07_06, updated_at 2015_07_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS BLEXBot User-Agent"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b| BLEXBot/"; fast_pattern:25,20; http_header; threshold:type limit, track by_dst, count 1, seconds 300; reference:url,webmeup.com/about.html; classtype:misc-activity; sid:2022775; rev:1; metadata:created_at 2016_05_02, updated_at 2016_05_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Microsoft Edge on Windows 10 SET"; flow:established,to_server; content:"User-Agent|3a 20|"; http_header; content:"Windows NT 10."; http_header; distance:0; content:"Edge/12."; http_header; distance:0; fast_pattern; flowbits:set,ET_EDGE_UA; flowbits:noalert; metadata: former_category USER_AGENTS; classtype:misc-activity; sid:2023197; rev:4; metadata:affected_product Microsoft_Edge_Browser, deployment Perimeter, tag User_Agent, signature_severity Audit, created_at 2016_09_13, performance_impact Low, updated_at 2017_05_10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Go HTTP Client User-Agent"; flow:established,to_server; content:"User-Agent|3a 20|Go-http-client|0d 0a|"; nocase; http_header; fast_pattern; metadata: former_category USER_AGENTS; classtype:misc-activity; sid:2024897; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_23, updated_at 2017_10_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS [PTsecurity] Possible Trojan.Downloader UserAgent (binary_getter)"; flow:established,to_server; content:"User-Agent|3a 20|binary_getter"; http_header; metadata: former_category USER_AGENTS; classtype:bad-unknown; sid:2025203; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_01_16, updated_at 2018_01_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS APN/Ask Toolbar PUA/PUP User-Agent"; flow:established,to_server; content:"User-Agent|3a 20|TBNotifier|0d 0a|"; http_header; fast_pattern:12,12; metadata: former_category USER_AGENTS; classtype:misc-activity; sid:2025400; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_02_27, performance_impact Low, updated_at 2018_04_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (=Mozilla)"; flow:established,to_server; content:"User-Agent|3a|=Mozilla/5"; http_header; fast_pattern:1,20; metadata: former_category USER_AGENTS; classtype:trojan-activity; sid:2025456; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, deployment Perimeter, signature_severity Major, created_at 2018_03_27, performance_impact Low, updated_at 2018_04_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS VPNFilter Related UA (Gemini/2.0)"; flow:established,to_server; content:"User-Agent|3a 20|Gemini/2.0|0d 0a|"; http_header; fast_pattern:4,20; metadata: former_category USER_AGENTS; reference:url,twitter.com/m0rb/status/1021626709307805696; classtype:trojan-activity; sid:2025889; rev:2; metadata:attack_target Server, deployment Perimeter, signature_severity Major, created_at 2018_07_25, malware_family VPNFilter, performance_impact Low, updated_at 2018_07_25;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS VPNFilter Related UA (Hakai/2.0)"; flow:established,to_server; content:"User-Agent|3a 20|Hakai/2.0|0d 0a|"; http_header; fast_pattern:3,20; metadata: former_category USER_AGENTS; reference:url,twitter.com/m0rb/status/1021626709307805696; classtype:trojan-activity; sid:2025890; rev:2; metadata:attack_target Server, deployment Perimeter, signature_severity Major, created_at 2018_07_25, malware_family VPNFilter, performance_impact Low, updated_at 2018_07_25;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Asterisk Register with no URI or Version DOS Attempt"; content:"REGISTER|0d 0a|"; nocase; depth:10; content:!"SIP/"; distance:0; reference:url,labs.musecurity.com/advisories/MU-200703-01.txt; reference:url,tools.ietf.org/html/rfc3261; reference:url,doc.emergingthreats.net/2003474; classtype:attempted-dos; sid:2003474; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP INVITE Message Flood TCP"; flow:established,to_server; content:"INVITE"; depth:6; threshold: type both , track by_src, count 100, seconds 60; reference:url,doc.emergingthreats.net/2003192; classtype:attempted-dos; sid:2003192; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP INVITE Message Flood UDP"; content:"INVITE"; depth:6; threshold: type both , track by_src, count 100, seconds 60; reference:url,doc.emergingthreats.net/2009698; classtype:attempted-dos; sid:2009698; rev:1; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP REGISTER Message Flood TCP"; flow:established,to_server; content:"REGISTER"; depth:8; threshold: type both , track by_src, count 100, seconds 60; reference:url,doc.emergingthreats.net/2003193; classtype:attempted-dos; sid:2003193; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP REGISTER Message Flood UDP"; content:"REGISTER"; depth:8; threshold: type both , track by_src, count 100, seconds 60; reference:url,doc.emergingthreats.net/2009699; classtype:attempted-dos; sid:2009699; rev:1; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET VOIP Centrality IP Phone (PA-168 Chipset) Session Hijacking"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/g"; nocase; http_uri; content:"back=++Back++"; nocase; http_client_body; pcre:"/^\/g($|[?#])/Ui"; reference:url,www.milw0rm.com/exploits/3189; reference:url,doc.emergingthreats.net/bin/view/Main/2003329; reference:cve,2007-0528; classtype:attempted-user; sid:2003329; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP SIP UDP Softphone INVITE overflow"; dsize:>1000; content:"INVITE"; depth:6; nocase; pcre:"/\r?\n\r?\n/R"; isdataat:1000,relative; reference:bugtraq,16213; reference:cve,2006-0189; reference:url,doc.emergingthreats.net/bin/view/Main/2002848; classtype:attempted-user; sid:2002848; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP MultiTech SIP UDP Overflow"; content:"INVITE"; nocase; depth:6; isdataat:65,relative; content:!"|0a|"; within:61; reference:cve,2005-4050; reference:url,doc.emergingthreats.net/2003237; classtype:attempted-user; sid:2003237; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET 5060 -> $EXTERNAL_NET any (msg:"ET VOIP Multiple Unauthorized SIP Responses TCP"; flow:established,from_server; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 5, seconds 360; reference:url,doc.emergingthreats.net/2003194; classtype:attempted-dos; sid:2003194; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $HOME_NET 5060 -> $EXTERNAL_NET any (msg:"ET VOIP Multiple Unauthorized SIP Responses UDP"; content:"SIP/2.0 401 Unauthorized"; depth:24; fast_pattern; threshold: type both, track by_src, count 5, seconds 360; reference:url,doc.emergingthreats.net/2009700; classtype:attempted-dos; sid:2009700; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert ip any 5060 -> any any (msg:"GPL VOIP SIP 401 Unauthorized Flood"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_dst, count 100, seconds 60; classtype:attempted-dos; sid:2100162; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert ip any any -> any 5060 (msg:"GPL VOIP SIP 407 Proxy Authentication Required Flood"; content:"SIP/2.0 407 Proxy Authentication Required"; depth:42; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:2100163; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert ip any any -> any 5060 (msg:"GPL VOIP SIP INVITE message flooding"; content:"INVITE"; depth:6; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:2100158; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"GPL VOIP EXPLOIT SIP UDP Softphone overflow attempt"; content:"|3B|branch|3D|"; content:"a|3D|"; pcre:"/^a\x3D[^\n]{1000,}/smi"; reference:bugtraq,16213; reference:cve,2006-0189; classtype:misc-attack; sid:2100223; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Possible Modified Sipvicious OPTIONS Scan"; content:"OPTIONS "; depth:8; content:"ccxllrlflgig|22|<sip|3A|100"; nocase; distance:0; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; classtype:attempted-recon; sid:2011422; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Modified Sipvicious Asterisk PBX User-Agent"; content:"|0d 0a|User-Agent|3A| Asterisk PBX"; nocase; fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src; reference:url,blog.sipvicious.org/2010/11/distributed-sip-scanning-during.html; classtype:attempted-recon; sid:2012296; rev:1; metadata:created_at 2011_02_06, updated_at 2011_02_06;)

alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Possible Inbound VOIP Scan/Misuse With User-Agent Zoiper"; content:"|0d 0a|User-Agent|3A| Zoiper"; nocase; fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src; reference:url,blog.sipvicious.org/2010/12/11-million-euro-loss-in-voip-fraud-and.html; classtype:attempted-recon; sid:2012297; rev:1; metadata:created_at 2011_02_06, updated_at 2011_02_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"ET VOIP Possible Misuse Call from Cisco ooh323"; flow:to_server,established; content:"|28 06|cisco|00|"; offset:14; depth:8; content:"|b8 00 00 27 05|ooh323|06|"; distance:0; within:60; reference:url,videonationsltd.co.uk/2015/04/h-323-cisco-spam-calls/; classtype:misc-attack; sid:2021066; rev:1; metadata:created_at 2015_05_07, updated_at 2015_05_07;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"ET VOIP Possible Misuse Call from MERA RTU"; flow:to_server,established; content:"|22 c0 09 00 7a b7 07|MERA RTU|08|"; classtype:misc-attack; sid:2022022; rev:1; metadata:created_at 2015_11_02, updated_at 2015_11_02;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"ET VOIP Q.931 Call Setup - Inbound"; flow:to_server,established; content:"|08|"; offset:4; depth:1; content:"|05 04|"; distance:3; within:2; classtype:misc-activity; sid:2022023; rev:1; metadata:created_at 2015_11_02, updated_at 2015_11_02;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"ET VOIP H.323 in Q.931 Call Setup - Inbound"; flow:to_server,established; content:"|08|"; offset:4; depth:1; byte_jump:1,0,relative; content:"|05 04|"; within:2; byte_jump:1,0,relative; content:"|70|"; byte_jump:1,0,relative; content:"|7E|"; within:1; byte_test:1,!&,0x0F,3,relative; isdataat:31; classtype:misc-activity; sid:2022024; rev:1; metadata:created_at 2015_11_02, updated_at 2015_11_02;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Multimedia Doc.media.newPlayer Memory Corruption Attempt"; flow:to_client,established; content:"PDF-"; depth:300; content:"this.media.newPlayer|28|null"; nocase; distance:0; content:"util.printd"; nocase; within:150; reference:url,www.metasploit.com/redmine/projects/framework/repository/revisions/7881/entry/modules/exploits/windows/fileformat/adobe_media_newplayer.rb; reference:url,vrt-sourcefire.blogspot.com/2009/12/adobe-reader-medianewplayer-analysis.html; reference:bid,37331; reference:cve,2009-4324; classtype:attempted-user; sid:2010495; rev:12; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Reader and Acrobat Forms Data Format Remote Security Bypass Attempt"; flow:established,to_client; file_data; content:"%FDF-"; depth:300; content:"/F(JavaScript|3a|"; nocase; distance:0; reference:url,www.securityfocus.com/bid/37763; reference:cve,2009-3956; reference:url,doc.emergingthreats.net/2010664; reference:url,www.stratsec.net/files/SS-2010-001_Stratsec_Acrobat_Script_Injection_Security_Advisory_v1.0.pdf; classtype:attempted-user; sid:2010664; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Foxit/Adobe PDF Reader Launch Action Remote Code Execution Attempt"; flow:to_client,established; file_data; content:"PDF-"; depth:300; content:"Launch"; distance:0; content:"Win"; distance:0; content:".exe"; nocase; distance:0; reference:url,www.kb.cert.org/vuls/id/570177; reference:url,www.h-online.com/security/news/item/Criminals-attempt-to-exploit-unpatched-hole-in-Adobe-Reader-979286.html; reference:url,www.sudosecure.net/archives/673; reference:url,www.h-online.com/security/news/item/Adobe-issues-official-workaround-for-PDF-vulnerability-971932.html; reference:url,blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/; reference:url,www.m86security.com/labs/i/PDF-Launch-Feature-Used-to-Install-Zeus,trace.1301~.asp; reference:url,doc.emergingthreats.net/2010968; classtype:attempted-user; sid:2010968; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Java Deployment Toolkit Launch Method Remote Code Execution Attempt"; flow:established,to_client; content:"-J-jar -J"; fast_pattern:only; pcre:"/(launch\x28.+-J-jar -J|-J-jar -J.+launch\x28)/i"; reference:url,seclists.org/fulldisclosure/2010/Apr/119; reference:url,www.darknet.org.uk/2010/04/serious-java-bug-exposes-users-to-code-execution/; reference:url,doc.emergingthreats.net/2011053; classtype:attempted-user; sid:2011053; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Java Web Start Command Injection (.jar)"; flow:established,from_server; content:"http|3a| -J-jar -J|5C 5C 5C 5C|"; nocase; content:".launch("; nocase; pcre:"/http\x3a -J-jar -J\x5C\x5C\x5C\x5C\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x5C\x5C[^\n]*\.jar/i"; reference:url,seclists.org/fulldisclosure/2010/Apr/119; reference:url,doc.emergingthreats.net/2011698; classtype:web-application-attack; sid:2011698; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer URI Validation Remote Code Execution Attempt"; flow:established,to_client; content:"#|3A|../../"; content:"C|3A 5C|"; nocase; within:50; pcre:"/\x2E\x2E\x2F\x2E\x2E\x2F.+C\x3A\x5C[a-z]/si"; reference:url,www.securityfocus.com/bid/37884; reference:cve,2010-0027; reference:url,doc.emergingthreats.net/2010798; classtype:attempted-user; sid:2010798; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer srcElement Memory Corruption Attempt"; flow:established,to_client; file_data; content:"document.createEventObject"; distance:0; nocase; content:".innerHTML"; within:100; nocase; content:"window.setInterval"; distance:0; nocase; content:"srcElement"; fast_pattern; nocase; distance:0; reference:url,www.microsoft.com/technet/security/bulletin/ms10-002.mspx; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19726; reference:url,www.kb.cert.org/vuls/id/492515; reference:cve,2010-0249; reference:url,doc.emergingthreats.net/2010799; classtype:attempted-user; sid:2010799; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE iepeers.dll Use-after-free Code Execution Attempt"; flow:established,to_client; file_data; content:".addBehavior"; nocase; content:"|23|default|23|userdata"; nocase; within:100; content:"setAttribute"; nocase; distance:0; content:"onclick"; nocase; distance:0; content:"onclick"; nocase; distance:0; reference:url,www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20052; reference:url,www.microsoft.com/technet/security/bulletin/ms10-018.mspx; reference:url,www.kb.cert.org/vuls/id/744549; reference:cve,2010-0806; reference:url,doc.emergingthreats.net/2010931; classtype:attempted-user; sid:2010931; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Iframe in Purported Image Download (jpeg) - Likely SQL Injection Attacks Related"; flow:established,from_server; content:"content-type|3a| "; nocase; http_header; content:" image/jpeg"; nocase; http_header; file_data; content:"<iframe"; nocase; pcre:"/content-type\x3a\s+image\/jpeg/i"; pcre:"/<iframe.*?src.*?>.*?<\/iframe>/im"; reference:url,doc.emergingthreats.net/bin/view/Main/2008313; classtype:web-application-attack; sid:2008313; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Server_Applications, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, deployment Datacenter, tag SQL_Injection, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Iframe in Purported Image Download (gif) - Likely SQL Injection Attacks Related"; flow:established,from_server; content:"content-type|3a| "; nocase; http_header; content:" image/gif"; nocase; http_header; file_data; content:"<iframe"; nocase; pcre:"/content-type\x3a\s+image\/gif/i"; pcre:"/<iframe.*?src.*?>.*?<\/iframe>/im"; reference:url,doc.emergingthreats.net/bin/view/Main/2008314; classtype:web-application-attack; sid:2008314; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Server_Applications, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, deployment Datacenter, tag SQL_Injection, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Containing Windows Commands Downloaded"; flow:established,to_client; file_data; content:"%PDF-"; depth:300; content:"|3C 3C 0D 0A 20 2f|type|20 2F|action|0D 0A 20 2F|s|20 2F|launch|0D 0A 20 2F|win"; distance:0; nocase; reference:url,doc.emergingthreats.net/2011245; classtype:bad-unknown; sid:2011245; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Likely Malicious PDF Containing StrReverse"; flow:established,to_client; file_data; content:"%PDF-"; within:5; content:"StrReverse|28|"; distance:0; nocase; reference:url,doc.emergingthreats.net/2011246; classtype:bad-unknown; sid:2011246; rev:10; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Quicktime RTSP Overflow (1)"; flow:established,from_server; content:"|22|rtsp|3a|//"; nocase; isdataat:400,relative; content:!"|0a|"; distance:0; within:400; content:!"|22|"; distance:0; within:400; reference:cve,2007-0015; reference:bugtraq,21829; reference:url,doc.emergingthreats.net/2003326; classtype:attempted-admin; sid:2003326; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Quicktime RTSP Overflow (2)"; flow:established,from_server; content:"|27|rtsp|3a|//"; nocase; isdataat:400,relative; content:!"|0a|"; distance:0; within:400; content:!"|27|"; distance:0; within:400; reference:cve,2007-0015; reference:bugtraq,21829; reference:url,doc.emergingthreats.net/2003327; classtype:attempted-admin; sid:2003327; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Quicktime RTSP Content-Type overflow attempt"; flow:established,from_server; content:"RTSP/"; nocase; depth:5; content:"|0a|Content-Type|3a|"; nocase; distance:0; isdataat:50,relative; content:!"|0a|"; within:50; reference:url,www.kb.cert.org/vuls/id/659761; reference:url,www.milw0rm.com/exploits/4657; reference:url,doc.emergingthreats.net/2007703; classtype:attempted-user; sid:2007703; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Quicktime RTSP Content-Type overflow attempt"; content:"RTSP/"; nocase; depth:5; content:"|0a|Content-Type|3a|"; nocase; distance:0; isdataat:50,relative; content:!"|0a|"; within:50; reference:url,www.kb.cert.org/vuls/id/659761; reference:url,www.milw0rm.com/exploits/4657; reference:url,doc.emergingthreats.net/2007704; classtype:attempted-user; sid:2007704; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT DX Studio Player Firefox Plug-in Command Injection Attempt"; flow:established,to_client; file_data; content:"<dxstudio"; fast_pattern; nocase; distance:0; content:"shell.execute("; nocase; distance:0; reference:cve,2009-2011; reference:url,doc.emergingthreats.net/2010841; classtype:attempted-user; sid:2010841; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Suspicious HTML Script Tag in 401 Unauthorized Response (External Source)"; flow:from_server,established; content:"401"; http_stat_code; content:"Unauthorized"; nocase; file_data; content:"<script"; nocase; within:280; metadata: former_category INFO; reference:url,doc.emergingthreats.net/2010514; classtype:web-application-activity; sid:2010514; rev:9; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2018_04_04;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source)"; flow:from_server,established; content:"403"; http_stat_code; content:"Forbidden"; nocase; file_data; content:"<script"; nocase; depth:280; reference:url,doc.emergingthreats.net/2010516; classtype:web-application-attack; sid:2010516; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)"; flow:from_server,established; content:"404"; http_stat_code; content:"Not Found"; nocase; file_data; content:"<script"; nocase; distance:0; reference:url,doc.emergingthreats.net/2010518; classtype:web-application-attack; sid:2010518; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 405 XSS Attempt (External Source)"; flow:from_server,established; content:"405"; http_stat_code; content:"Method Not Allowed"; nocase; file_data; content:"<script"; nocase; depth:280; reference:url,doc.emergingthreats.net/2010520; classtype:web-application-attack; sid:2010520; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 406 XSS Attempt (External Source)"; flow:from_server,established; content:"406"; http_stat_code; content:"Not Acceptable"; nocase; file_data; content:"<script"; nocase; depth:280; reference:url,doc.emergingthreats.net/2010522; classtype:web-application-attack; sid:2010522; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source)"; flow:from_server,established; content:"500"; http_stat_code; content:"Internal Server Error"; nocase; file_data; content:"<script"; nocase; depth:280; reference:url,doc.emergingthreats.net/2010525; classtype:web-application-attack; sid:2010525; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source)"; flow:from_server,established; content:"503"; http_stat_code; content:"Service Unavailable"; nocase; file_data; content:"<script"; nocase; depth:280; reference:url,doc.emergingthreats.net/2010527; classtype:web-application-attack; sid:2010527; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Mozilla Firefox Window.Open Document URI Spoofing Attempt"; flow:established,to_client; content:"window.open("; nocase; content:"setTimeout("; fast_pattern; nocase; distance:0; content:"document.body.innerHTML"; nocase; distance:0; content:".stop"; nocase; distance:0; pcre:"/(window|w)\x2Estop/i"; reference:url,www.mozilla.org/security/announce/2010/mfsa2010-45.html; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=556957; reference:cve,2010-1206; reference:url,doc.emergingthreats.net/2011240; classtype:misc-attack; sid:2011240; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer javascript onUnload http spliting attempt (body)"; flow:from_server,established; file_data; content:"body"; distance:0; nocase; content:"onUnload"; distance:0; nocase; pcre:"/<body\s+[^>]*onUnload\s*=\s*[\x22\x27]?\(\)/"; reference:url,doc.emergingthreats.net/2009132; classtype:web-application-attack; sid:2009132; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer javascript onUnload http spliting attempt (img)"; flow:from_server,established; file_data; content:"img"; nocase; content:"onUnload"; distance:0; nocase; pcre:"/<img\s+[^>]*onEnd\s*=\s*[\x22\x27]?\(\)/"; reference:url,doc.emergingthreats.net/2009133; classtype:web-application-attack; sid:2009133; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer javascript onURLFlip http spliting attempt (body)"; flow:from_server,established; file_data; content:"body"; nocase; content:"onURLFlip"; distance:0; nocase; pcre:"/<body\s+[^>]*onURLFlip\s*=\s*[\x22\x27]?\(\)/"; reference:url,doc.emergingthreats.net/2009134; classtype:web-application-attack; sid:2009134; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer javascript onURLFlip http spliting attempt"; flow:from_server,established; file_data; content:"img"; nocase; content:"onURLFlip"; distance:0; nocase; pcre:"/<img\s+[^>]*onURLFlip\s*=\s*[\x22\x27]?\(\)/"; reference:url,doc.emergingthreats.net/2009135; classtype:web-application-attack; sid:2009135; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Attempt to execute VBScript code"; flow: from_server,established; content:"vbscript"; fast_pattern:only; nocase; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*vbscript[\:]/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2001099; classtype:misc-attack; sid:2001099; rev:11; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Stealth attempt to execute Javascript code"; flow: from_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"javascript|3a|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001101; classtype:misc-attack; sid:2001101; rev:13; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Stealth attempt to execute VBScript code"; flow: from_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*b[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"vbscript|3a|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001102; classtype:misc-attack; sid:2001102; rev:13; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Stealth attempt to access SHELL#=#="; flow: from_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*h[\x09\x0a\x0b\x0c\x0d]*e[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"shell|3a|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001103; classtype:misc-attack; sid:2001103; rev:13; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Javascript execution with expression eval"; flow: from_server,established; content:"string.fromcharcode"; fast_pattern:only; nocase; pcre:"/expression[\s]*\([\s]*eval[\s]*\([\s]*String\.fromCharCode[\s]*\(([\s]*[\d]+[\s]*,){20}/i"; reference:url,www.securiteam.com/exploits/3D5Q4RFPPK.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001105; classtype:misc-activity; sid:2001105; rev:12; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Javascript execution with expression eval hex"; flow: from_server,established; content:"String.FromCharCode"; fast_pattern:only; nocase; pcre:"/expression[\s]*\([\s]*eval[\s]*\([\s]*String\.fromCharCode[\s]*\(([\s]*0x[\da-fA-F]+[\s]*,){20}/i"; reference:url,www.securiteam.com/exploits/3D5Q4RFPPK.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001106; classtype:misc-activity; sid:2001106; rev:11; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT IE process injection iexplore.exe executable download"; flow: from_server,established; content:"|00|iexplore.exe|00|"; content:"|00|GetProcAddress|00|"; content:"|00|LoadLibraryA|00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2001048; classtype:misc-activity; sid:2001048; rev:9; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT IE trojan Ants3set 1.exe - process injection"; flow: from_server,established; content:"|00|KERNEL32.DLL|00|GDI32.dll|00|MSVCRT.dll|00|USER32.dll|00||00|LoadLibraryA|00||00|GetProcAddress|00||00|ExitProcess|00|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2001182; classtype:misc-attack; sid:2001182; rev:11; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT IE StructuredGraphicsControl SourceURL Bug MoBB#6"; flow:from_server,established; content:"DirectAnimation.StructuredGraphicsControl"; fast_pattern:only; reference:url,browserfun.blogspot.com/2006/07/mobb-6-structuredgraphicscontrol.html; reference:cve,2006-3427; reference:url,doc.emergingthreats.net/bin/view/Main/2003023; classtype:web-application-activity; sid:2003023; rev:9; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT MSIE WebViewFolderIcon setSlice invalid memory copy"; flow:to_client,established; content:"WebViewFolderIcon"; nocase; content:".setSlice"; nocase; content:"0x7ffffff"; nocase; reference:url, riosec.com/msie-setslice-vuln; reference:url,osvdb.org/27110; reference:cve,2006-3730; reference:url,doc.emergingthreats.net/bin/view/Main/2003110; classtype:attempted-user; sid:2003110; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft IE FTP URL Arbitrary Command Injection"; flow:from_server,established; content:"ftp|3a|//"; fast_pattern:only; nocase; pcre:"/ftp\://[^\' \"]*%0a/i"; reference:url,osvdb.org/12299; reference:cve,2004-1166; reference:url,doc.emergingthreats.net/bin/view/Main/2003230; classtype:attempted-user; sid:2003230; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp  $HOME_NET any ->  $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_CLIENT Microsoft Internet Explorer ieframe.dll Script Injection Vulnerability"; flow:to_server; content:"GET"; http_method; content:"res|3a|"; http_uri; content:"ieframe.dll"; http_uri; content:"acr_error"; pcre:"/(\&lt\;).+(\&gt\;)/Ui"; reference:bugtraq,28581; reference:url,doc.emergingthreats.net/bin/view/Main/2008170; classtype:web-application-attack; sid:2008170; rev:9; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Wscript Shell Run Attempt - Likely Hostile"; flow:established,to_client; content:"WScript.Shell"; nocase; content:"shell.Run"; nocase; within:40; content:"|22|"; within:6; reference:url,msdn.microsoft.com/en-us/library/d5fk67ky(VS.85).aspx; reference:url,doc.emergingthreats.net/2010961; classtype:attempted-user; sid:2010961; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt"; flow:established,to_client; content:"obj"; nocase; content:"data"; nocase; within:10; content:"file|3A|//127."; nocase; within:20; pcre:"/(obj.data|object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19873; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20610; reference:url,www.microsoft.com/technet/security/bulletin/ms10-035.mspx; reference:url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag; reference:cve,2010-0255; reference:url,doc.emergingthreats.net/2011695; classtype:attempted-user; sid:2011695; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Encoded javascriptdocument.write - usually hostile"; flow: established,to_client; file_data; content:"|313030|,111,99,117,109,101,110,116,46,119,114,105,116,101"; fast_pattern:only; reference:url,doc.emergingthreats.net/2001811; classtype:misc-activity; sid:2001811; rev:9; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer mshtml.dll Timer ID Memory Pointer Information Disclosure Attempt"; flow:established,to_client; file_data; content:"setInterval("; nocase; distance:0; content:"document.getElementById"; nocase; distance:0; content:".innerHTML"; nocase; distance:0; content:".toString("; nocase; within:60; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20815; reference:url,reversemode.com/index.php?option=com_content&task=view&id=68&Itemid=1; reference:url,doc.emergingthreats.net/2011764; classtype:attempted-user; sid:2011764; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT RealPlayer/Helix Player Format String Exploit"; flow:established,from_server; content:"<imfl>"; pcre:"/<[^>%]*%/R"; content:"</imfl>"; distance:0; reference:url,milw0rm.com/id.php?id=1232; reference:bugtraq,14945; reference:cve,2005-2710; reference:url,doc.emergingthreats.net/bin/view/Main/2002381; classtype:web-application-attack; sid:2002381; rev:10; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_CLIENT VLC Media Player Aegisub Advanced SubStation (.ass) File Request flowbit set"; flow:established,to_server; content:".ass"; nocase; http_uri; flowbits:set,ET.ass.request; flowbits:noalert; reference:url,doc.emergingthreats.net/2010757; classtype:not-suspicious; sid:2010757; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT VLC Media Player .ass File Buffer Overflow Attempt"; flowbits:isset,ET.ass.request; flow:established,to_client; content:"Dialogue|3A|"; nocase; isdataat:60000,relative; content:!"|0A|"; within:60000; reference:url,www.securityfocus.com/bid/37832/info; reference:url,doc.emergingthreats.net/2010758; classtype:attempted-user; sid:2010758; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT VLC Media Player smb URI Handling Remote Buffer Overflow Attempt"; flow:established,to_client; content:"<location>"; nocase; content:"smb|3A|//"; within:20; nocase; content:!"|0A|"; within:1000; isdataat:1000,relative; pcre:"/\x3Clocation\x3D.+smb\x3A\x2F\x2F.{1000}.+\x3C\x2Flocation\x3E/smi"; reference:url,www.securityfocus.com/bid/35500/info; reference:url,doc.emergingthreats.net/2010813; classtype:attempted-user; sid:2010813; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of /Subtype"; flow:established,to_client; file_data; content:"PDF-"; content:"/"; distance:0; content:!"Subtype"; within:7; content:"#"; within:19; pcre:"/\x2F(?!Subtype)(S|#53)(u|#75)(b|#62)(t|#74)(y|#79)(p|#70)(e|#65)/"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011528; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_22, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT web bug 0x0 gif attempt"; flow:from_server,established; content:"Content-type|3A| image/gif"; nocase; content:"GIF"; distance:0; nocase; content:"|01 00 01 00|"; within:4; distance:3; content:","; distance:0; content:"|01 00 01 00|"; within:4; distance:4; classtype:misc-activity; sid:2102925; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_23, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT Javascript document.domain attempt"; flow:to_client,established; content:"document.domain|28|"; fast_pattern:only; nocase; reference:bugtraq,5346; reference:cve,2002-0815; classtype:attempted-user; sid:2101840; rev:9; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_23, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT Microsoft ANI file parsing overflow"; flow:established,from_server; content:"RIFF"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative,little; reference:cve,2004-1049; classtype:attempted-user; sid:2103079; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_23, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT PNG large colour depth download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:1,>,16,8,relative; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:2103134; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_23, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT PNG large image height download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32768,4,relative; reference:bugtraq,11481; reference:bugtraq,11523; reference:cve,2004-0599; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:2103133; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_23, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT PNG large image width download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32768,0,relative; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:2103132; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_23, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT RealPlayer arbitrary javascript command attempt"; flow:to_client,established; content:"Content-Type|3A|"; nocase; pcre:"/^Content-Type\x3a\s*application\x2fsmi.*?<area[\s\n\r]+href=[\x22\x27]file\x3ajavascript\x3a/smi"; reference:bugtraq,8453; reference:bugtraq,9378; reference:cve,2003-0726; classtype:attempted-user; sid:2102437; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_23, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT Windows Media Player directory traversal via Content-Disposition attempt"; flow:from_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename=[^\x3b\x3a\r\n]*(\x2e\x2e|\x25\x32\x65)/smi"; reference:bugtraq,7517; reference:cve,2003-0228; reference:url,www.microsoft.com/technet/security/bulletin/MS03-017.mspx; classtype:attempted-user; sid:2103192; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_23, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT XMLHttpRequest attempt"; flow:to_client,established; content:"new XMLHttpRequest|28|"; content:"file|3A|//"; nocase; reference:bugtraq,4628; reference:cve,2002-0354; classtype:web-application-attack; sid:2101735; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_23, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT bitmap BitmapOffset integer overflow attempt"; flow:to_client,established; content:"image/bmp"; nocase; pcre:"/^Content-type\x3a\s*image\x2fbmp/smi"; pcre:"/^BM/sm"; byte_test:4,>,2147480000,8,relative,little; reference:bugtraq,9663; reference:cve,2004-0566; classtype:attempted-user; sid:2102671; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_23, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT libpng tRNS overflow attempt"; flow:to_client,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:4; distance:4; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; pcre:"/IHDR(?!.*?PLTE).*?tRNS/s"; reference:bugtraq,10872; reference:cve,2004-0597; classtype:attempted-user; sid:2102673; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_23, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT local resource redirection attempt"; flow:to_client,established; content:"Location|3A|"; fast_pattern:only; nocase; http_header; pcre:"/^Location\x3a\s*URL\s*\x3a/Hsmi"; reference:cve,2004-0549; reference:url,www.kb.cert.org/vuls/id/713878; classtype:attempted-user; sid:2102577; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_23, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT object type overflow attempt"; flow:from_server,established; content:"<OBJECT"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*type\s*=[\x22\x27]\x2f{32}/smi"; reference:cve,2003-0344; reference:url,www.microsoft.com/technet/security/bulletin/MS03-020.mspx; classtype:attempted-user; sid:2103149; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_23, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT winamp .cda file name overflow attempt"; flow:from_server,established; content:".cda"; fast_pattern:only; nocase; pcre:"/(\x5c[^\x5c]{16,}|\x2f[^\x2f]{16,})\.cda$/smi"; reference:bugtraq,11730; classtype:attempted-user; sid:2103088; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Shockwave Director tSAC Chunk memory corruption Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|74 53 41 43 1D 02 00 00 00 00 00 0F 00 00 00 AE 00 00 01 63 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 14 00 00 01 00 FF FF 11 11 00 00|"; fast_pattern:only; reference:url,exploit-db.com/download_pdf/15077; classtype:attempted-user; sid:2011543; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Firefox Plugin Parameter EnsureCachedAttrParamArrays Remote Code Execution Attempt"; flow:established,to_client; content:"appletComponentArch.DynamicTreeApplet"; nocase; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; reference:url,www.exploit-db.com/moaub-17-firefox-plugin-parameter-ensurecachedattrparamarrays-remote-code-execution/; reference:url,www.mozilla.org/security/announce/2010/mfsa2010-37.html; reference:bugtraq,41842; reference:cve,2010-1214; classtype:attempted-user; sid:2011538; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of Action"; flow:established,to_client; file_data; content:"PDF-"; within:4; content:"/"; distance:0; content:!"Action"; within:6; content:"#"; within:16; pcre:"/\x2F(?!Action)(A|#41)(c|#63)(t|#74)(i|#69)(o|#6F)(n|#6E)/"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011529; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of EmbeddedFile"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/"; within:50; content:!"EmbeddedFile"; within:12; content:"#"; within:34; pcre:"/\x3C\x3C(\x0D\x0A|\x0A)[^>]*\x2F[^EmbeddedFile](E|#45)(m|#6D)(b|#62)(e|#65)(d|#64)(d|#64)(e|#65)(d#64)(F|#46)(i|#69)(l|#6C)(e|#65)/smi"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011530; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of Type"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/"; within:50; content:!"Type"; within:4; content:"#"; within:11; pcre:"/\x3C\x3C[^>]*\x2F[^Type](T|#54)(y|#79)(p|#70)(e|#65)/smi"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011531; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of Javascript"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/"; within:50; content:!"Javascript"; within:10; content:"#"; within:28; pcre:"/\x3C\x3C[^\n]*\x2F[^Javascript](J|#4A)(a|#61)(v|#76)(a|#61)(S|#73|#53)(c|#63)(r|#72)(i|#69)(p|#70)(t|#74)/smi"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011532; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of URL"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/"; within:50; content:!"URL"; within:3; content:"#"; within:7; pcre:"/\x3C\x3C[^>]*\x2F[^URL](U|#55)(R|#52)(L|#4C)/smi"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011533; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of JS"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/"; within:50; content:!"JS"; within:2; content:"#"; within:4; pcre:"/\x3C\x3C(\x0D\x0A|\x0A)[^>]*\x2F[^JS](J|#4A)(S|#53)/smi"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011535; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of Pages"; flow:established,to_client; file_data; content:"PDF-"; within:4; content:"/"; distance:0; content:!"Pages"; within:5; content:"#"; within:13; pcre:"/\x2F(?!Pages)(P|#40)(a|#61)(g|#67)(e|#65)(s|#73)/"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011536; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of OpenAction"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/"; within:50; content:!"OpenAction"; within:10; content:"#"; within:28; pcre:"/\x3C\x3C(\x0D\x0A|\x0A)[^>]*\x2F[^OpenAction](O|#4F)(p|#70)(e|#65)(n|#6E)(A|#41)(c|#63)(t|#74)(i|#69)(o|#6F)(n|#6E)/smi"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011537; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Embedded Adobe Shockwave Flash Possibly Related to Remote Code Execution Attempt"; flow:established,to_client; content:"PDF-"; depth:300; content:".swf"; fast_pattern; nocase; distance:0; flowbits:set,ET.flash.pdf; flowbits:noalert; metadata: former_category WEB_CLIENT; reference:url,feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/; reference:cve,2010-1297; reference:cve,2010-2201; classtype:bad-unknown; sid:2011499; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2017_05_11;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Acrobat and Reader Pushstring Memory Corruption Attempt"; flow:established,to_client; flowbits:isset,ET.flash.pdf; content:"|2C E8 88 F0 FF 33|"; fast_pattern:only; reference:url,www.exploit-db.com/moaub12-adobe-acrobat-and-reader-pushstring-memory-corruption/; reference:bugtraq,41237; reference:cve,2010-2201; classtype:attempted-user; sid:2011500; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe CoolType Smart INdependent Glyplets - SING - Table uniqueName Stack Buffer Overflow Attempt"; flow:established,to_client; content:"PDF-"; depth:300; content:"SING"; distance:0; content:"|01 00 01 0E|"; within:100; content:"|00 3A|"; within:100; isdataat:100,relative; content:!"|0A|"; within:100; reference:url,contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html; reference:cve,2010-2883; classtype:attempted-user; sid:2011501; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Embedded Flash Possible Remote Code Execution Attempt"; flow:established,to_client; content:"PDF-"; depth:300; content:"/SubType"; distance:0; content:"flash"; fast_pattern; nocase; within:100; metadata: former_category WEB_CLIENT; reference:url,feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/; reference:cve,2010-1297; classtype:bad-unknown; sid:2011505; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2017_05_11;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With eval Function - Possibly Hostile"; flow:established,to_client; content:"PDF-"; depth:300; content:"eval|28|"; nocase; distance:0; reference:url,www.w3schools.com/jsref/jsref_eval.asp; classtype:bad-unknown; sid:2011506; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT RealPlayer FLV Parsing Integer Overflow Attempt"; flow:established,to_client; content:"FLV"; nocase; depth:300; content:"onMetaData"; nocase; distance:0; content:"|07 50 75 08|"; within:100; reference:url,service.real.com/realplayer/security/08262010_player/en/; reference:url,www.exploit-db.com/moaub-13-realplayer-flv-parsing-multiple-integer-overflow/; reference:bugtraq,42775; reference:cve,2010-3000; classtype:attempted-user; sid:2011485; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT phoenix exploit kit - admin login page detected"; flow:established,to_client; content:"<title>Phoenix Exploit's Kit - Log In</title>"; file_data; classtype:bad-unknown; sid:2011281; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible PDF Launch Function Remote Code Execution Attempt with Name Representation Obfuscation"; flow:to_client,established; file_data; content:"PDF-"; within:4; content:"/"; distance:0; content:!"Launch"; within:6; content:"#"; within:16; content:".exe"; nocase; distance:0; pcre:"/\x2F(?!Launch)(L|#4C)(a|#61)(u|#75)(n#6E)(c|#63)(h|#68).+\x2F(W|#57)(i|#69)(n|#6E).+\x2Eexe/sm"; reference:url,www.kb.cert.org/vuls/id/570177; reference:url,www.h-online.com/security/news/item/Criminals-attempt-to-exploit-unpatched-hole-in-Adobe-Reader-979286.html; reference:url,www.sudosecure.net/archives/673; reference:url,www.h-online.com/security/news/item/Adobe-issues-official-workaround-for-PDF-vulnerability-971932.html; reference:url,blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/; reference:url,www.m86security.com/labs/i/PDF-Launch-Feature-Used-to-Install-Zeus,trace.1301~.asp; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011329; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT FakeAV scanner page encountered Initializing Virus Protection System"; flow: to_client,established; file_data; content:"<span id=|22|loadspan|22|>Initializing Virus Protection System...</span>"; distance:0; classtype:bad-unknown; sid:2011343; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt"; flow:established,to_client; content:"String.FromCharCode("; fast_pattern:only; nocase; pcre:"/String\x2EFromCharCode\x28[0-9]{1,3}/i"; reference:url,www.w3schools.com/jsref/jsref_fromCharCode.asp; reference:url,www.roseindia.net/javascript/method-fromcharcode.shtml; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,isc.sans.org/diary.html?storyid=7903; classtype:bad-unknown; sid:2011347; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Apple Quicktime Invalid SMIL URI Buffer Overflow Attempt"; flow:established,to_client; content:"|3C|smil"; nocase; content:"|3C|img src="; nocase; distance:0; content:!"http"; nocase; within:20; content:"|3A|//"; within:20; isdataat:700,relative; content:!"|3C 2F|smil|3E|"; nocase; within:700; content:!"|0A|"; within:700; reference:url,securitytracker.com/alerts/2010/Aug/1024336.html; reference:bugtraq,41962; reference:cve,2010-1799; classtype:attempted-user; sid:2011366; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_CLIENT PROPFIND Flowbit Set"; flow:established,to_server; content:"PROPFIND "; fast_pattern:only; content:"PROPFIND"; http_method; nocase; flowbits:set,ET.PROPFIND; flowbits:noalert; classtype:misc-activity; sid:2011456; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT DLL or EXE File From Possible WebDAV Share Possible DLL Preloading Exploit Attempt"; flowbits:isset,ET.PROPFIND; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; metadata: former_category WEB_CLIENT; reference:url,blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html; reference:url,www.us-cert.gov/cas/techalerts/TA10-238A.html; reference:url,www.microsoft.com/technet/security/advisory/2269637.mspx; reference:url,blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx; reference:url,blog.metasploit.com/2010/08/better-faster-stronger.html; reference:url,blog.rapid7.com/?p=5325; classtype:attempted-user; sid:2011457; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_28, updated_at 2017_05_11;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Unescape Method Defined Possible Hostile Obfuscation Attempt"; flow:established,to_client; content:"PDF-"; depth:300; content:"unescape|28|"; nocase; distance:0; reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,doc.emergingthreats.net/2010881; classtype:bad-unknown; sid:2010881; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Acrobat Reader Newclass Invalid Pointer Remote Code Execution Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|F2 3D 8D 23|"; fast_pattern:only; reference:url,www.exploit-db.com/adobe-acrobat-newclass-invalid-pointer-vulnerability/; reference:cve,2010-1297; classtype:attempted-user; sid:2011519; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat newfunction Remote Code Execution Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|40 E8 D4 F1 FF 33|"; fast_pattern:only; reference:url,www.adobe.com/support/security/bulletins/apsb10-15.html; reference:url,www.exploit-db.com/moaub-23-adobe-acrobat-and-reader-newfunction-remote-code-execution-vulnerability/; reference:bid,41236; reference:cve,2010-2168; classtype:attempted-user; sid:2011575; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer CSS Cross-Origin Theft Attempt"; flow:established,to_client; content:"document.body.currentStyle.fontFamily"; nocase; content:".indexOf(|22|authenticity_token"; nocase; distance:0; reference:url,www.theregister.co.uk/2010/09/06/mystery_ie_bug/; reference:url,www.darknet.org.uk/2010/09/microsoft-investigate-ie-css-cross-origin-theft-vulnerability/; reference:url,seclists.org/fulldisclosure/2010/Sep/64; classtype:bad-unknown; sid:2011472; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Oracle Java APPLET Tag Children Property Memory Corruption Attempt"; flow:established,to_client; content:"APPLET"; nocase; content:"children"; nocase; distance:0; content:"location.reload"; nocase; within:100; reference:url,code.google.com/p/skylined/issues/detail?id=18; reference:url,www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html; classtype:attempted-user; sid:2011864; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_10_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Suspicious Embedded Shockwave Flash In PDF"; flow:established,to_client; content:"PDF-"; depth:300; content:"x-shockwave-flash"; nocase; distance:0; pcre:"/(a|#61)(p|#70)(p|#70)(l|#6C)(i|#69)(c|#63)(a|#61)(t|#74)(i|#69)(o|#6F)(n|#6E)(\x2F|#2F)x-shockwave-flash/i"; classtype:bad-unknown; sid:2011866; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_10_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Javascript obfuscation using app.setTimeOut in PDF in Order to Run Code"; flow:established,to_client; content:"PDF-"; depth:300; content:"app.setTimeOut("; nocase; distance:0; metadata: former_category WEB_CLIENT; reference:url,www.h-online.com/security/features/CSI-Internet-PDF-timebomb-1038864.html?page=4; reference:url,www.vicheck.ca/md5query.php?hash=6932d141916cd95e3acaa3952c7596e4; reference:cve,2018-4980; reference:cve,2018-4961; classtype:bad-unknown; sid:2011868; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_10_29, updated_at 2018_05_16;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer CSS Tags Remote Code Execution Attempt"; flow:established,to_client; file_data; content:"table"; nocase; content:"position|3A|absolute"; nocase; within:30; content:"clip|3A|rect"; fast_pattern; nocase; within:15; metadata: former_category WEB_CLIENT; reference:bid,44536; reference:cve,2010-3962; classtype:attempted-user; sid:2011891; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_11_05, updated_at 2017_03_03;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft IE CSS Clip Attribute Memory Corruption (POC SPECIFIC)"; flow:from_server,established; file_data; content:"position|3A|absolute|3B|"; content:"clip|3A|"; within:20; content:"rect|28|0|29|"; fast_pattern; within:20; reference:url,extraexploit.blogspot.com/2010/11/cve-2010-3962-yet-another-internet.html; reference:url,www.symantec.com/connect/blogs/new-ie-0-day-used-targeted-attacks; reference:url,blog.fireeye.com/research/2010/11/ie-0-day-hupigon-joins-the-party.html; reference:url,www.offensive-security.com/0day/ie-0day.txt; reference:url,www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ms10_xxx_ie_css_clip.rb; classtype:attempted-user; sid:2011892; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_11_05, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Firefox Interleaving document.write and appendChild Overflow (POC SPECIFIC)"; flow:from_server,established; content:"document.body.appendChild(cobj)"; content:"document.getElementById|28 22|suv|22 29|.innerHTML"; content:"new|20|Array|28|"; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=607222; reference:url,blog.mozilla.com/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6/; classtype:attempted-user; sid:2011893; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_11_05, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Reader 9.4 this.printSeps Memory Corruption Attempt"; flow:established,to_client; content:".printSeps"; nocase; fast_pattern:only; pcre:"/(this|doc)\x2EprintSeps/i"; reference:bid,44638; reference:cve,2010-4091; classtype:attempted-user; sid:2011910; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_11_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of String.fromCharCode % Encoding"; flow:established,to_client; content:"%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012041; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of String.fromCharCode %u UTF-8 Encoding"; flow:established,to_client; content:"%u53%u74%u72%u69%u6e%u67%u2e%u66%u72%u6f%u6d%u43%u68%u61%u72%u43%u6f%u64%u65"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012042; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of charCodeAt % Encoding"; flow:established,to_client; content:"%63%68%61%72%43%6f%64%65%41%74"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012043; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of charCodeAt %u UTF-8 Encoding"; flow:established,to_client; content:"%u63%u68%u61%u72%u43%u6f%u64%u65%u41%u74"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012044; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Winzip 15.0 WZFLDVW.OCX IconIndex Property Denial of Service"; flow:established,to_client; content:"clsid"; nocase; content:"4E3770F4-1937-4F05-B9A2-959BE7321909"; nocase; content:"|22|IconIndex|22|"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(\x22|\x27)\s*clsid\s*\x3a\s*{?\s*4E3770F4-1937-4F05-B9A2-959BE7321909\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15695/; classtype:misc-attack; sid:2012052; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Winzip 15.0 WZFLDVW.OCX Text Property Denial of Service"; flow:established,to_client; content:"clsid"; nocase; content:"4E3770F4-1937-4F05-B9A2-959BE7321909"; nocase; content:"|22|Text|22|"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(\x22|\x27)\s*clsid\s*\x3a\s*{?\s*4E3770F4-1937-4F05-B9A2-959BE7321909\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15694/; classtype:misc-attack; sid:2012053; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft OLE Compound File Magic Bytes Flowbit Set"; flow:to_client,established; file_data; content:"|d0 cf 11 e0 a1 b1 1a e1|"; within:8; content:!".msi"; flowbits:set,OLE.CompoundFile; flowbits:noalert; classtype:protocol-command-decode; sid:2012520; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_15, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Flash Player Flash6.ocx AllowScriptAccess Denial of Service"; flow:established,to_client; content:"clsid"; nocase; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; content:"AllowScriptAccess"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(\x22|\x27)\s*clsid\s*\x3a\s*{?\s*D27CDB6E-AE6D-11cf-96B8-444553540000\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15698/; classtype:attempted-dos; sid:2012056; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of document.write % Encoding"; flow:established,to_client; content:"%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012059; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of document.write %u UTF-8 Encoding"; flow:established,to_client; content:"%u64%u6f%u63%u75%u6d%u65%u6e%u74%u2e%u77%u72%u69%u74%u65"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012060; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of arguments.callee % Encoding"; flow:established,to_client; content:"%61%72%67%75%6d%65%6e%74%73%2e%63%61%6c%6c%65%65"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012061; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of arguments.callee %u UTF-8 Encoding"; flow:established,to_client; content:"%u61%u72%u67%u75%u6d%u65%u6e%u74%u73%u2e%u63%u61%u6c%u6c%u65%u65"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012062; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Foxit PDF Reader Title Stack Overflow"; flow:established,to_client; file_data; content:"PDF-"; within:4; content:"|2f|Title"; nocase; distance:0; isdataat:540,relative; content:!"|0A|"; within:540; reference:url,www.exploit-db.com/exploits/15532/; classtype:attempted-user; sid:2012064; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_16, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer CSS Parser Remote Code Execution Attempt"; flow:established,to_client; content:"@import url(|22|"; nocase; content:"css|22|)|3B|"; nocase; within:40; content:"@import url(|22|"; nocase; distance:0; content:"css|22|)|3B|"; nocase; within:40; content:"@import url(|22|"; nocase; distance:0; content:"css|22|)|3B|"; nocase; within:40; content:"@import url(|22|"; nocase; distance:0; content:"css|22|)|3B|"; nocase; within:40; reference:url,seclists.org/fulldisclosure/2010/Dec/110; reference:url,www.breakingpointsystems.com/community/blog/ie-vulnerability/; reference:url,seclists.org/fulldisclosure/2010/Dec/110; reference:url,www.breakingpointsystems.com/community/blog/ie-vulnerability/; reference:url,www.microsoft.com/technet/security/advisory/2488013.mspx; reference:bid,45246; reference:cve,2010-3971; classtype:attempted-user; sid:2012075; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Oracle Java 6 Object Tag launchjnlp docbase Parameters Flowbits Set"; flow:to_client,established; content:"NtDllImageBase|22|"; nocase; content:"getModuleInfos|28|"; distance:0; content:"|27|ntdll.dll|27|"; nocase; within:50; flowbits:set,NtDll.ImageBase.Module.Called; flowbits:noalert; classtype:not-suspicious; sid:2012085; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Oracle Java 6 Object Tag launchjnlp docbase Parameters Buffer Overflow"; flow:to_client,established; flowbits:isset,NtDll.ImageBase.Module.Called; content:"ZwProtectVirtualMemory|22|"; content:"strDup|28|"; distance:0; content:"<object|20|"; distance:0; content:"application|2f|x|2d|java|2d|applet"; within:35; content:"|3c|param|20|name"; distance:0; content:"|22|launchjnlp|22|"; within:20; content:"|3c|param|20|name"; distance:0; content:"|22|docbase|22|"; within:20; content:"|3c|fieldset|3e 3c|legend|3e|"; distance:0; content:"object"; within:10; content:"|2e|innerHTML"; distance:0; reference:url,www.exploit-db.com/exploits/15241/; reference:cve,2010-3552; reference:bid,44023; classtype:attempted-user; sid:2012100; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_12_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of arguments.callee %u UTF-16 Encoding"; flow:established,to_client; content:"%u6172%u6775%u6d65%u6e74%u732e%u6361%u6c6c%u6565"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012106; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_12_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of document.write %u UTF-16 Encoding"; flow:established,to_client; content:"%u646f%u6375%u6d65%u6e74%u2e77%u7269%u7465"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012107; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_12_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of charCodeAt %u UTF-16 Encoding"; flow:established,to_client; content:"%u6368%u6172%u436f%u6465%u4174"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012108; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_12_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of String.fromCharCode %u UTF-16 Encoding"; flow:established,to_client; content:"%u5374%u7269%u6e67%u2e66%u726f%u6d43%u6861%u7243%u6f64%u65"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012109; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_12_28, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Hex Obfuscation Usage On Webpage"; flow:established,to_client; content:"|5C|x"; nocase; content:"|5C|x"; nocase; distance:2; within:2; content:"|5C|x"; nocase; distance:2; within:2; content:"|5C|x"; nocase; distance:2; within:2; content:"|5C|x"; nocase; distance:2; within:2; pcre:"/\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}/i"; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; classtype:bad-unknown; sid:2012119; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_12_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT AVI RIFF Chunk Access Flowbit Set"; flow:established,to_client; flowbits:set,ET.AVI.RIFF.Chunk; content:"|52 49 46 46|"; content:"|41 56 49 20|"; distance:4; within:4; flowbits:noalert; classtype:not-suspicious; sid:2012142; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_01_05, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Windows MPEG Layer-3 Audio Decoder Buffer Overflow"; flow:established,to_client; flowbits:isset,ET.AVI.RIFF.Chunk; content:"|73 74 72 66|"; content:"|93 00 00 00|"; distance:8; within:4; reference:cve,2010-0480; reference:url,www.exploit-db.com/moaub-5-microsoft-mpeg-layer-3-audio-stack-based-overflow/; reference:url,www.exploit-db.com/exploits/14895/; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-026.mspx; classtype:attempted-user; sid:2012143; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_01_05, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT DXF Extension File Detection Access Flowbit Set"; flow:established,to_client; flowbits:set,DXF.Ext.Access; content:"|20 20 30|"; content:"|0A 53 45 43 54 49 4F 4E|"; within:10; content:"|20 20 32|"; within:5; content:"|48 45 41 44 45 52|"; distance:0; content:"|0a|"; within:2; flowbits:noalert; classtype:not-suspicious; sid:2012152; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_01_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Office Visio DXF File Processing Remote Code Execution"; flow:established,to_client; flowbits:isset,DXF.Ext.Access; content:"|0A 45 4E 44 53 45 43|"; content:!"|0a|"; within:2; byte_test:1,>,81,2,relative; reference:url,www.exploit-db.com/moaub-8-microsoft-office-visio-dxf-file-stack-overflow; reference:url,www.exploit-db.com/exploits/14944/; reference:cve,2010-1681; reference:url,www.microsoft.com/technet/security/bulletin/ms10-028.mspx; reference:bid,39836; classtype:attempted-user; sid:2012153; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_01_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT eval String.fromCharCode String Which May Be Malicious"; flow:established,to_client; content:"eval|28|"; fast_pattern; nocase; content:"String.fromCharCode|28|"; nocase; within:40; pcre:"/eval\x28(String\x2EfromCharCode\x28|[a-z,0-9]{1,20}\x28String\x2EfromCharCode\x28)/i"; classtype:bad-unknown; sid:2012173; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_01_12, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Reader and Acrobat U3D File Invalid Array Index Remote Code Execution Attempt"; flow:established,to_client; content:"/U3D/Length 172"; fast_pattern:only; pcre:"/<<[^>]*\x2FU3D\x2FLength\x20172[0-5][0-9]{2}/sm"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=827; reference:url,www.adobe.com/support/security/bulletins/apsb09-15.html; reference:bid,36638; reference:cve,2009-2990; classtype:attempted-user; sid:2012179; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_01_14, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Malicious String.fromCharCode with charCodeAt String"; flow:established,to_client; content:"String.fromCharCode|28|"; nocase; content:"|2E|charCodeAt|28|"; nocase; within:32; pcre:"/String.fromCharCode|28|[a-z,0-9]{1,20}\x2EcharCodeAt\x28/i"; classtype:misc-activity; sid:2012205; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_01_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible % Encoded Iframe Tag"; flow:established,to_client; content:"%69%66%72%61%6d%65"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.guardian.co.uk/technology/2008/apr/03/security.google; classtype:bad-unknown; sid:2012241; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_01_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible %u UTF-8 Encoded Iframe Tag"; flow:established,to_client; content:"%u69%u66%u72%u61%u6d%u65"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.guardian.co.uk/technology/2008/apr/03/security.google; classtype:bad-unknown; sid:2012242; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_01_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible %u UTF-16 Encoded Iframe Tag"; flow:established,to_client; content:"%u6966%u7261%u6d65"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.guardian.co.uk/technology/2008/apr/03/security.google; classtype:bad-unknown; sid:2012243; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_01_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible # Encoded Iframe Tag"; flow:established,to_client; content:"#69#66#72#61#6d#65"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.guardian.co.uk/technology/2008/apr/03/security.google; classtype:bad-unknown; sid:2012244; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_01_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of document.write # Encoding"; flow:established,to_client; content:"#64#6f#63#75#6d#65#6e#74#2e#77#72#69#74#65"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012245; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_01_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of parseInt % Encoding"; flow:established,to_client; content:"%70%61%72%73%65%49%6e%74"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.w3schools.com/jsref/jsref_parseInt.asp; classtype:bad-unknown; sid:2012260; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of parseInt %u UTF-8 Encoding"; flow:established,to_client; content:"%u70%u61%u72%u73%u65%u49%u6e%u74"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.w3schools.com/jsref/jsref_parseInt.asp; classtype:bad-unknown; sid:2012261; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of parseInt %u UTF-16 Encoding"; flow:established,to_client; content:"%u7061%u7273%u6549%u6e74"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.w3schools.com/jsref/jsref_parseInt.asp; classtype:bad-unknown; sid:2012262; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of Script Tag % Encoding"; flow:established,to_client; content:"%3c%73%63%72%69%70%74"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012263; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of Script Tag %u UTF-8 Encoding"; flow:established,to_client; content:"%u3c%u73%u63%u72%u69%u70%u74"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012264; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of Script Tag %u UTF-16 Encoding"; flow:established,to_client; content:"%u3c73%u6372%u6970%u74"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012265; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of unescape % Encoding"; flow:established,to_client; content:"%75%6e%65%73%63%61%70%65"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012266; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_03, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of unescape %u UTF-8 Encoding"; flow:established,to_client; content:"%u75%u6e%u65%u73%u63%u61%u70%u65"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012267; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_03, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of unescape %u UTF-16 Encoding"; flow:established,to_client; content:"%u756e%u6573%u6361%u7065"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012268; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_03, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of substr % Encoding"; flow:established,to_client; content:"%73%75%62%73%74%72"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012269; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_03, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of substr %u UTF-8 Encoding"; flow:established,to_client; content:"%u73%u75%u62%u73%u74%u72"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012270; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_03, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of substr %u UTF-16 Encoding"; flow:established,to_client; content:"%u7375%u6273%u7472"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012271; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_03, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of eval % Encoding"; flow:established,to_client; content:"%65%76%61%6c"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012272; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_03, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of eval %u UTF-8 Encoding"; flow:established,to_client; content:"%u65%u76%u61%u6c"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012273; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_03, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of eval %u UTF-16 Encoding"; flow:established,to_client; content:"%u6576%u616c"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012274; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_03, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Obfuscated Javascript // ptth"; flow:from_server,established; content:"200"; http_stat_code; file_data; content:"//|3a|ptth"; classtype:bad-unknown; sid:2012325; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Obfuscated Javascript // ptth (escaped)"; flow:from_server,established; content:"200"; http_stat_code; content:"%2F%2F%3A%70%74%74%68"; classtype:bad-unknown; sid:2012326; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding"; flow:established,to_client; content:"%72%65%70%6c%61%63%65%28"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012398; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of replace Javascript Function %u UTF-8 Encoding"; flow:established,to_client; content:"%u72%u65%u70%u6c%u61%u63%u65%u28"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012399; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of replace Javascript Function %u UTF-16 Encoding"; flow:established,to_client; content:"%u7265%u706c%u6163%u6528"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012400; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_02_28, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Likely Hostile Eval CRYPT.obfuscate Usage"; flow:established,to_client; content:"eval|28|CRYPT.obfuscate|28|"; nocase; fast_pattern:only; reference:url,research.zscaler.com/2010/05/malicious-hidden-iframes-using-publicly.html; classtype:bad-unknown; sid:2012404; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_03_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Android Webkit removeChild Use-After-Free Remote Code Execution Attempt"; flow:established,to_client; content:"document.getElementById|28|"; nocase; content:"id.getAttributeNode|28|"; nocase; distance:0; content:"attribute.childNodes"; nocase; distance:0; content:"document.body.removeChild|28|"; nocase; distance:0; content:"attribute.removeChild|28|"; fast_pattern; nocase; distance:0; reference:bid,40642; reference:cve,2010-1119; classtype:attempted-user; sid:2012509; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_03_16, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Opera Window.Open document.cloneNode Null Pointer Deference Attempt"; flow:established,to_client; content:"window.open|28|"; nocase; content:"document.createElement|28|"; nocase; distance:0; content:"document.body.appendChild|28|"; nocase; distance:0; content:"close|28|"; nocase; distance:0; content:"document.cloneNode|28|"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/16979/; classtype:attempted-user; sid:2012511; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_03_16, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET WEB_CLIENT Known Fraudulent SSL Certificate for addons.mozilla.org"; flow:established,from_server; content:"|00 92 39 d5 34 8f 40 d1 69 5a 74 54 70 e1 f2 3f|"; content:"addons.mozilla.org"; within:250; classtype:misc-activity; sid:2012546; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Web_Client_Attacks, signature_severity Major, created_at 2011_03_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET WEB_CLIENT Known Fraudulent SSL Certificate for Global Trustee"; flow:established,from_server; content:"|00 d8 f3 5f 4e b7 87 2b 2d ab 06 92 e3 15 38 2f b0|"; classtype:misc-activity; sid:2012547; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Web_Client_Attacks, signature_severity Major, created_at 2011_03_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET WEB_CLIENT Known Fraudulent SSL Certificate for login.live.com"; flow:established,from_server; content:"|00 b0 b7 13 3e d0 96 f9 b5 6f ae 91 c8 74 bd 3a c0|"; content:"login.live.com"; within:250; classtype:misc-activity; sid:2012548; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Web_Client_Attacks, signature_severity Major, created_at 2011_03_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET WEB_CLIENT Known Fraudulent SSL Certificate for login.skype.com"; flow:established,from_server; content:"|00 e9 02 8b 95 78 e4 15 dc 1a 71 0a 2b 88 15 44 47|"; content:"login.skype.com"; within:250; classtype:misc-activity; sid:2012549; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Web_Client_Attacks, signature_severity Major, created_at 2011_03_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET WEB_CLIENT Known Fraudulent SSL Certificate for login.yahoo.com 1"; flow:established,from_server; content:"|00 d7 55 8f da f5 f1 10 5b b2 13 28 2b 70 77 29 a3|"; content:"login.yahoo.com"; within:250; classtype:misc-activity; sid:2012550; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Web_Client_Attacks, signature_severity Major, created_at 2011_03_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET WEB_CLIENT Known Fraudulent SSL Certificate for login.yahoo.com 2"; flow:established,from_server; content:"|39 2a 43 4f 0e 07 df 1f 8a a3 05 de 34 e0 c2 29|"; content:"login.yahoo.com"; within:250; classtype:misc-activity; sid:2012551; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Web_Client_Attacks, signature_severity Major, created_at 2011_03_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET WEB_CLIENT Known Fraudulent SSL Certificate for login.yahoo.com 3"; flow:established,from_server; content:"|3e 75 ce d4 6b 69 30 21 21 88 30 ae 86 a8 2a 71|"; content:"login.yahoo.com"; within:250; classtype:misc-activity; sid:2012552; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Web_Client_Attacks, signature_severity Major, created_at 2011_03_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET WEB_CLIENT Known Fraudulent SSL Certificate for mail.google.com"; flow:established,from_server; content:"|04 7e cb e9 fc a5 5f 7b d0 9e ae 36 e1 0c ae 1e|"; content:"mail.google.com"; within:250; classtype:misc-activity; sid:2012553; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Web_Client_Attacks, signature_severity Major, created_at 2011_03_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET WEB_CLIENT Known Fraudulent SSL Certificate for www.google.com"; flow:established,from_server; content:"|00 f5 c8 6a f3 61 62 f1 3a 64 f5 4f 6d c9 58 7c 06|"; content:"www.google.com"; within:250; classtype:misc-activity; sid:2012554; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Web_Client_Attacks, signature_severity Major, created_at 2011_03_23, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Office File With Embedded Executable"; flow:established,to_client; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; content:"MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2012684; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_04_11, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Windows Help and Support Center XSS Attempt"; flow:established,to_client; content:"hcp|3A|//"; fast_pattern; nocase; content:"script"; nocase; distance:0; content:"defer"; nocase; reference:cve,2010-1885; classtype:attempted-user; sid:2012756; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_04_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT QuickTime Remote Exploit (exploit specific)"; flow:established,to_client; file_data; content:"|2f 2f|mshtml|2e|dll"; nocase; distance:0; content:"unescape|28|"; nocase; distance:0; content:"onload"; nocase; distance:0; content:"ObjectLoad|28|"; within:32; pcre:"/src\s*\x3d\s*\x22res\x3a\x2f\x2fmshtml\x2edll/"; reference:url,www.1337day.com/exploits/16077; classtype:attempted-user; sid:2012806; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_05_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Adobe Audition Session File Handling Buffer Overflow Flowbit Set"; flow:established,to_client; content:"PDF-"; depth:300; content:".ses"; fast_pattern; nocase; distance:0; flowbits:set,ET_Assassin.ses; flowbits:noalert; reference:url,exploit-db.com/exploits/17278/; reference:url,securitytracker.com/id/1025530; classtype:bad-unknown; sid:2012813; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_05_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Adobe Audition Session File Handling Memory Corruption Attempt"; flow:established,to_client; flowbits:isset,ET_Assassin.ses; content:"|43 4F 4F 4C 4E 45 53 53 50 F2 08 00|"; fast_pattern:only; reference:url,exploit-db.com/exploits/17278/; reference:url,securitytracker.com/id/1025530; classtype:attempted-user; sid:2012814; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_05_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Download of PDF With Uncompressed Flash Content flowbit set"; flow:established,to_client; content:"stream"; content:"|0a|FWS"; within:5; fast_pattern; pcre:"/stream(\x0D\x0A|\x0A)FWS/"; flowbits:set,ET.flash.pdf; flowbits:noalert; reference:url,www.symantec.com/connect/blogs/analysis-zero-day-exploit-adobe-flash-and-reader; reference:url,blog.zynamics.com/2010/06/09/analyzing-the-currently-exploited-0-day-for-adobe-reader-and-adobe-flash/; classtype:misc-activity; sid:2012906; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_05_31, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Download of PDF With Compressed Flash Content"; flowbits:noalert; flow:established,to_client; content:"stream"; content:"|0A|CWS"; within:5; fast_pattern; pcre:"/stream(\x0D\x0A|\x0A)CWS/"; flowbits:set,ET.flash.pdf; reference:url,www.symantec.com/connect/blogs/analysis-zero-day-exploit-adobe-flash-and-reader; reference:url,blog.zynamics.com/2010/06/09/analyzing-the-currently-exploited-0-day-for-adobe-reader-and-adobe-flash/; classtype:misc-activity; sid:2012907; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_05_31, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Audition Malformed Session File Buffer Overflow Attempt"; flow:established,to_client; content:"COOLNESS"; content:"TRKM"; distance:0; content:"A|00|u|00|d|00|i|00|t|00|i|00|o|00|n|00|"; nocase; distance:0; content:"A|00|u|00|d|00|i|00|o|00 20 00|O|00|u|00|t|00|p|00|u|00|t|00|"; nocase; distance:0; isdataat:100,relative; content:!"|0A|"; within:100; reference:url,www.coresecurity.com/content/Adobe-Audition-malformed-SES-file; reference:bid,47838; reference:cve,2011-0615; classtype:attempted-user; sid:2012978; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_06_08, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Shockwave rcsL Chunk Remote Code Execution Attempt"; flow:established,to_client; content:"rcsL"; content:"|FF F0 02 67|"; fast_pattern; distance:0; reference:url,www.abysssec.com/blog/2010/10/adobe-shockwave-player-rcsl-chunk-memory-corruption-0day/; reference:bid,42682; reference:cve,2010-2873; classtype:attempted-user; sid:2013069; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_06_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Shockwave Director tSAC Chunk memory corruption Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"tSAC|1D 02|"; fast_pattern; content:"|01 00 FF FF 11 11|"; distance:0; reference:url,www.exploit-db.com/moaub-22-adobe-shockwave-director-tsac-chunk-memory-corruption/; classtype:attempted-user; sid:2013070; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_06_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Mozilla Firefox nsTreeSelection Element invalidateSelection Remote Code Execution Attempt"; flow:established,to_client; content:"document.getElementById(|27|treeset|27|)"; nocase; content:"view.selection"; nocase; distance:0; content:"invalidateRange"; nocase; distance:0; reference:bid,41853; reference:cve,2010-2753; classtype:attempted-user; sid:2013144; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_06_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat Util.printf Buffer Overflow Attempt"; flow:established,to_client; content:"util.printf|28 22 25|"; nocase; fast_pattern:only; pcre:"/util.printf\x28\x22\x25[^\x2C\x29]*f\x22\x2C/i"; reference:url,www.coresecurity.com/content/adobe-reader-buffer-overflow; reference:bid,30035; reference:cve,2008-2992; classtype:attempted-user; sid:2013152; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_06_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat Reader FlateDecode Stream Predictor Exploit Attempt"; flow:established,to_client; content:"Colors 1073741838"; fast_pattern:only; pcre:"/<<[^>]*\x2FPredictor[^>]*\x2FColors\x201073741838/smi"; reference:url,www.fortiguard.com/analysis/pdfanalysis.html; reference:bid,36600; reference:cve,2009-3459; classtype:attempted-user; sid:2013153; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_06_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Word RTF pFragments Stack Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; content:"|5C|sp"; nocase; content:"|5C|sn"; nocase; within:80; content:"pFragments"; nocase; within:80; content:"|5C|sv"; nocase; within:80; isdataat:100,relative; content:!"|0A|"; distance:1; within:100; reference:url,labs.m86security.com/2011/07/resurrection-of-cve-2010-3333-in-the-wild/; reference:bid,44652; reference:cve,2010-3333; classtype:attempted-user; sid:2013250; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_07_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Known in Wild Microsoft Internet Explorer Time Element Uninitialized Memory Remote Code Execution Attempt"; flow:established,to_client; content:"TTu0d0fu0d0eKKJJu0d0du0d0dLL1043416UU"; reference:url,labs.m86security.com/2011/06/0-day-exploit-used-in-a-targeted-attack-cve-2011-1255/; reference:bid,48206; reference:cve,2011-1255; classtype:attempted-user; sid:2013251; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_07_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Internet Explorer Time Element Uninitialized Memory Remote Code Execution Attempt"; flow:established,to_client; content:"|2e|location|2e|reload|28 29|"; content:"implementation=|22 23|default|23|time"; nocase; content:"contenteditable=|22|true|22|"; nocase; distance:0; reference:url,labs.m86security.com/2011/06/0-day-exploit-used-in-a-targeted-attack-cve-2011-1255/; reference:bid,48206; reference:cve,2011-1255; classtype:attempted-user; sid:2013252; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_07_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Word RTF pFragments Stack Overflow Attempt"; flowbits:isset,OLE.CompoundFile; flow:established,to_client; content:"rtf"; nocase; content:"|7B 5C|sp|7B 5C|sn pFragments|7D 7B 5C|sv"; nocase; within:100; reference:url,labs.m86security.com/2011/07/resurrection-of-cve-2010-3333-in-the-wild/; reference:bid,44652; reference:cve,2010-3333; classtype:attempted-user; sid:2013280; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_07_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Authplay.dll NewClass Memory Corruption Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|D2 60 38 40 BA 03 14 0E|"; fast_pattern:only; reference:url,www.exploit-db.com/adobe-acrobat-newclass-invalid-pointer-vulnerability/; reference:bid,40586; reference:cve,2010-1297; classtype:attempted-user; sid:2013281; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_07_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Button Remote Code Execution Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|07 07 02 17 07 06 1A 07 1B 1B 07 02 1C 07 07 1E|"; fast_pattern:only; reference:bid,44504; reference:cve,2010-3654; classtype:attempted-user; sid:2013282; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_07_15, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer toStaticHTML HTML Sanitizing Information Disclosure Attempt"; flow:established,to_client; content:"toStaticHTML|28|"; fast_pattern; nocase; content:"expression|28|"; nocase; within:150; reference:bid,48199; reference:cve,2011-1252; classtype:attempted-user; sid:2013321; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_07_27, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_CLIENT Microsoft Visio 2003 mfc71enu.dll DLL Loading Arbitrary Code Execution Attempt"; flow:established,to_server; content:"/mfc71"; http_uri; nocase; pcre:"/mfc71[a-z]{2,3}\x2Edll/Ui"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=23601; reference:url,www.microsoft.com/technet/security/bulletin/MS11-055.mspx; reference:bid,42681; reference:cve,2010-3148; classtype:attempted-user; sid:2013322; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_07_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Mozilla Firefox mChannel Object Dangling Pointer Use-After-Free Memory Corruption Attempt"; flow:established,to_client; content:"QueryInterface|28|Components.interfaces.nsIChannelEventSink|29|"; nocase; content:"onChannelRedirect|28|null"; nocase; distance:0; reference:url,www.mozilla.org/security/announce/2011/mfsa2011-13.html; reference:bid,47635; reference:cve,2011-0065; classtype:attempted-user; sid:2013417; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_08_17, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Google Chrome Multiple Iframe PDF File Handling Memory Corruption Attempt"; flow:established,to_client; content:".pdf|22|><|2F|iframe>"; nocase; content:".pdf|22|><|2F|iframe>"; nocase; distance:0; content:".pdf|22|><|2F|iframe>"; nocase; distance:0; content:".pdf|22|><|2F|iframe>"; nocase; distance:0; content:".pdf|22|><|2F|iframe>"; nocase; distance:0; content:".pdf|22|><|2F|iframe>"; nocase; distance:0; reference:bid,49933; reference:cve,2011-2841; classtype:attempted-user; sid:2013742; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_10_05, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Embedded U3D"; flow:established,to_client; file_data; content:"obj"; distance:0; content:"<<"; within:4; content:"/U3D"; within:64; metadata: former_category WEB_CLIENT; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; reference:cve,2018-4989; reference:cve,2018-4987; classtype:bad-unknown; sid:2013995; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_12_07, updated_at 2018_05_16;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Windows Media component specific exploit"; flow:established,to_client; file_data; content:"bang()"; distance:0; content:"cloned"; distance:0; content:"unescape(|22|%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c|22|)"; distance:0; reference:cve,2012-0003; classtype:attempted-user; sid:2014156; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_01_27, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_CLIENT Likely MS12-004 midiOutPlayNextPolyEvent Heap Overflow Midi Filename Requested baby.mid"; flow:established,to_server; content:"/baby.mid"; http_uri; fast_pattern:only; reference:cve,2012-0003; classtype:trojan-activity; sid:2014207; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_02_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Malformed MP4 Remote Code Execution Attempt"; flow:established,to_client; file_data; content:"|66 74 79 70 6D 70 34|"; distance:0; content:"|01 6D 70 34 32 69 73 6F 6D|"; distance:0; content:"|63 70 72 74 00 FF FF FF|"; distance:0; reference:url,contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html; reference:bid,52034; reference:cve,2012-0754; classtype:attempted-user; sid:2014335; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_03_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer CTableRowCellsCollectionCacheItem.GetNext Memory Use-After-Free Attempt"; flow:established,to_client; file_data; content:"document.getElementById|28 27|tableid|27 29|.cloneNode"; distance:0; nocase; content:"cells.urns"; nocase; distance:0; content:"cells.item"; nocase; distance:0; reference:url,dvlabs.tippingpoint.com/blog/2012/03/15/pwn2own-2012-challenge-writeup; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:bid,37894; reference:cve,2010-0248; classtype:attempted-user; sid:2014463; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_04_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download with vulnerable ActiveX control flowbit set 1"; flow:from_server,established; flowbits:isset,ETPRO.RTF; file_data; content:"|5c|object"; distance:0; content:"|5c|objocx"; distance:0; content:"|5c|objdata"; distance:0; content:"4BF0D1BD8B85D111B16A00C0F0283628"; distance:0; flowbits:set,ETPRO.RTF.OBJ; flowbits:noalert; metadata: former_category WEB_CLIENT; reference:cve,2012-0158; classtype:attempted-user; sid:2025082; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, tag Web_Client_Attacks, signature_severity Major, created_at 2012_04_10, updated_at 2017_11_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download with vulnerable ActiveX control flowbit set 2"; flow:from_server,established; flowbits:isset,ETPRO.RTF; file_data; content:"|5c|object"; distance:0; content:"|5c|objocx"; distance:0; content:"|5c|objdata"; distance:0; content:"E0F56B9944805046ADEB0B013914E99C"; distance:0; flowbits:set,ETPRO.RTF.OBJ; flowbits:noalert; metadata: former_category WEB_CLIENT; reference:cve,2012-0158; classtype:attempted-user; sid:2025083; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, tag Web_Client_Attacks, signature_severity Major, created_at 2012_04_10, updated_at 2017_11_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download with vulnerable ActiveX control flowbit set 3"; flow:from_server,established; flowbits:isset,ETPRO.RTF; file_data; content:"|5c|object"; distance:0; content:"|5c|objocx"; distance:0; content:"|5c|objdata"; distance:0; content:"5FDC81917DE08A41ACA68EEA1ECB8E9E"; distance:0; flowbits:set,ETPRO.RTF.OBJ; flowbits:noalert; metadata: former_category WEB_CLIENT; reference:cve,2012-0158; classtype:attempted-user; sid:2025084; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, tag Web_Client_Attacks, signature_severity Major, created_at 2012_04_10, updated_at 2017_11_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hostile Microsoft Rich Text File (RTF) with corrupted listoverride"; flow:from_server,established; flowbits:set,ETPRO.RTF; content:"|7b 5c 2a 5c|listoverridetable"; content:"|5c|listoverride|5c|"; fast_pattern:only; pcre:"/\x5clistoverride\x5c((?!\x5cls\d{1,4}\s*\}).)+?\x5clistoverride\x5c/s"; metadata: former_category WEB_CLIENT; reference:cve,2012-0183; classtype:attempted-user; sid:2025085; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_05_08, updated_at 2017_11_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Excel file download - SET 1"; flow:established,from_server; flowbits:isset,OLE.CompoundFile; file_data; content:"|09 08 10 00 00 06 05 00|"; distance:512; content:"|57006F0072006B0062006F006F006B00|"; fast_pattern:only; flowbits:set,ETPRO.Microsoft.Excel; flowbits:noalert; metadata: former_category WEB_CLIENT; reference:cve,2012-0185; classtype:attempted-user; sid:2025086; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_05_10, updated_at 2017_11_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT MP4 Embedded in PDF File - Potential Flash Exploit"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"stream"; distance:0; content:"|00 00 00 18 66 74 79 70|mp4"; within:13; reference:cve,2012-0754; reference:url,blog.9bplus.com/observing-the-enemy-cve-2012-0754-pdf-interac; classtype:bad-unknown; sid:2014865; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_06_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Internet Explorer SameID Use-After-Free "; flow:established,from_server; file_data; content:"<DIV id="; nocase; distance:0; content:"<img id="; nocase; distance:0; content:".innerHTML"; distance:0; pcre:"/<DIV\s*?id[\s\r\n]*?\x3d[\s\r\n]*?(?P<divid>[^>]+).+?<img\s*id=\s*?\x22(?P<imgid>[^\x22]+).+?\<a\s*?href=\x22javascript\x3a(?P<firstfunction>[^\x28]+)\(\).+?\>.*?\<div[^\>]+?id=\x22(?P=imgid)\x22[^>]+?on[A-Za-z]+?\s*?=\s*?\x22(?P<secondfunction>[^\x28]+)\(\)\x3b\s*?\x22.+?function[\s\r\n]*?(?P=firstfunction)[\s\r\n]*?\(.*?\).*?\x7b.*?(?P=divid)\x2einnerHTML\s*?\x3d\s*?(?P=divid)\x2einnerHTML[\s\r\n]*?\x3b.*?\x7d.*?function[\s\r\n]*?(?P=secondfunction)[\s\r\n]*?\(.*?\).*?\x7b.*?\x28\x22(?P=imgid)\x22\x29\x2esrc\s*?\x3d/si"; reference:cve,CVE-2012-1875; classtype:attempted-user; sid:2014911; rev:10; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_06_12, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.DOM Document.3.0 Uninitialized Memory Corruption Attempt"; flow:to_client,established; file_data; content:"f5078f3"; content:"-c551-11d3-89b9-0000f81fe221"; nocase; distance:1; within:28; content:"definition"; nocase; pcre:"/clsid\s*\x3a\s*\x7B?\s*f5078f3(2|3)-c551-11d3-89b9-0000f81fe221/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,CVE-2012-1889; classtype:attempted-admin; sid:2015554; rev:19; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_06_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.DOMDocument.4-6.0 Uninitialized Memory Corruption CVE-2012-1889"; flow:to_client,established; file_data; content:"88d96"; nocase; content:"-f192-11d4-a65f-0040963251e5"; distance:3; within:28; nocase; content:"definition"; nocase; pcre:"/clsid\s*\x3a\s*\x7B?\s*88d96(9c(0|1)|9e(5|6)|a0(5|6))-f192-11d4-a65f-0040963251e5/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,CVE-2012-1889; classtype:attempted-admin; sid:2015555; rev:17; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_06_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.DOMDocument ActiveXObject Uninitialized Memory Corruption Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"MSXML2."; fast_pattern; content:"DOMDocument"; within:23; content:"definition"; nocase; pcre:"/MSXML2\.(FreeThreaded)?DOMDocument(\.[3-6]\.0)?/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,CVE-2012-1889; classtype:attempted-user; sid:2015556; rev:17; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, tag Web_Client_Attacks, signature_severity Major, created_at 2012_06_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.DOMDocument Uninitialized Memory Corruption CVE-2012-1889"; flow:to_client,established; file_data; content:"f6d90f11-9c73-11d3-b32e-00c04f990bb4"; nocase; content:"definition"; nocase; pcre:"/clsid\s*\x3a\s*\x7B?\s*f6d90f11-9c73-11d3-b32e-00c04f990bb4/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,CVE-2012-1889; classtype:attempted-admin; sid:2014938; rev:10; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_06_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.FreeThreadedDOMDocument Uninitialized Memory Corruption Attempt"; flow:to_client,established; file_data; content:"f6d90f12-9c73-11d3-b32e-00c04f990bb4"; nocase; content:"definition"; nocase; pcre:"/clsid\s*\x3a\s*\x7B?\s*f6d90f12-9c73-11d3-b32e-00c04f990bb4/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,2012-1889; classtype:attempted-user; sid:2015557; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_07_09, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer execCommand function Use after free Vulnerability 0day"; flow:established,to_client; file_data; content:".execCommand|28|"; nocase; fast_pattern; pcre:"/^[\r\n\s]*[\x22\x27](s|\\(x|u00)[57]3)(e|\\(x|u00)[46]5)(l|\\(x|u00)[46]c)(e|\\(x|u00)[46]5)(c|\\(x|u00)[46]3)(t|\\(x|u00)[57]4)(A|\\(x|u00)[46]1)(l|\\(x|u00)[46]c){2}/Ri"; content:".write("; nocase; content:"parent|2e|"; nocase; distance:0; pcre:"/^\w+?\[[^\]]+?\]\.src[\r\n\s]*=/Ri"; content:"onselect"; nocase; reference:url,eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/; reference:cve,CVE-2012-4969; classtype:attempted-user; sid:2015711; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_09_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer execCommand function Use after free Vulnerability 0day Metasploit"; flow:established,to_client; file_data; content:".execCommand|28|"; nocase; pcre:"/^[\r\n\s]*[\x22\x27]selectAll/Ri"; content:"YMjf\\u0c08\\u0c0cKDog"; fast_pattern:only; reference:url,eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/; reference:cve,CVE-2012-4969; classtype:attempted-user; sid:2015712; rev:6; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Web_Client_Attacks, tag Metasploit, signature_severity Critical, created_at 2012_09_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download - SET"; flow:from_server,established; file_data; content:"|7B 5C 72 74 66 31|"; within:6; flowbits:set,ET.http.rtf.download; flowbits:noalert; reference:cve,2012-0183; classtype:attempted-user; sid:2015790; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_10_09, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Vuln (CVE-2012-1535 Uncompressed) Exploit Specific"; flow:from_server,established; flowbits:isset,OLE.CompoundFile; file_data; content:"FWS"; content:"kern"; distance:0; flowbits:set,Ole.Flash.kernpresent; flowbits:noalert; classtype:trojan-activity; sid:2015809; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_10_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Vuln (CVE-2012-1535 Uncompressed) Exploit Specific"; flow:from_server,established; flowbits:isset,Ole.Flash.kernpresent; file_data; content:"heapSpray"; classtype:trojan-activity; sid:2015810; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_10_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible exploitation of CVE-2012-5076 by an exploit kit Nov 13 2012"; flow:from_server,established; file_data; content:"<object"; content:"0b0909041f"; distance:0; fast_pattern; content:"3131"; distance:0; classtype:trojan-activity; sid:2015887; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_11_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File .RTF File download with invalid listoverridecount"; flow:from_server,established; file_data; content:"|5c|listoverridetable"; distance:0; content:"|5c|listoverride|5c|"; fast_pattern:only; content:"|5c|listoverridecount"; isdataat:2,relative; pcre:"/^(?:0*?[19]\d|[^190])/R"; reference:cve,2012-2539; classtype:attempted-user; sid:2018315; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_12_12, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft OLE Compound File With Flash"; flow:to_client,established; content:"CONTROL ShockwaveFlash.ShockwaveFlash"; flowbits:isset,OLE.CompoundFile; flowbits:set,OLE.WithFlash; classtype:protocol-command-decode; sid:2016395; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2013_02_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2013-1347 IE 0-day used in DOL attack"; flow:established,to_client; file_data; content:".offsetParent"; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(\x22{2}|\x27{2}|null)/Ri"; content:"datalist"; nocase; pcre:"/^[\x22\x27\s\>]/R"; content:".innerHTML"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(\x22{2}|\x27{2}|null)/Ri"; content:"<!doctype html"; nocase; pcre:"/[\x22\x27\<]table[\x22\x27\>]/"; pcre:"/[\x22\x27\<]hr[\x22\x27\>]/"; content:"CollectGarbage"; nocase; fast_pattern:only; reference:cve,2013-1347; reference:url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/; reference:url,technet.microsoft.com/en-us/security/advisory/2847140; classtype:attempted-user; sid:2016822; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2013_05_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Internet Explorer Use-After-Free CVE-2013-3163"; flow:established,from_server; file_data; content:"<bdo"; nocase; pcre:"/^[\r\n\s\+\>]((?!<\/bdo>).)*?<fieldset[\r\n\s\+\>]((?!<\/fieldset>).)*?<\/bdo>/Rsi"; reference:cve,2013-3163; classtype:attempted-user; sid:2017133; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2013_07_09, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Potential Internet Explorer Use After Free CVE-2013-3163"; flow:established,from_server; file_data; content:".contentEditable"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?true/Ri"; content:"var"; pcre:"/^[\r\n\s\+]+?(?P<var>[^\r\n\s\+\x3d]+)[\r\n\s\+]*?=[\r\n\s\+]*?[^\)]+\.createElement\(.+?\.body.appendChild\([\r\n\s]*?[\x22\x27]?(?P=var)[\x22\x27]?[\r\n\s]*?\).+\b(?P=var)\.innerHTML[\r\n\s\+]*?=[\r\n\s\+]*?(?P<q>[\x22\x27])(?P=q)/Rsi"; content:"CollectGarbage("; fast_pattern; nocase; distance:0; content:"eval("; distance:0; nocase; reference:cve,2013-3163; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:2017129; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2013_07_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Potential Internet Explorer Use After Free CVE-2013-3163 2"; flow:established,from_server; file_data; content:"CollectGarbage("; fast_pattern:only; nocase; content:".contentEditable"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?true/Ri"; content:"var"; pcre:"/^[\r\n\s\+]+?(?P<var>[^\r\n\s\+\x3d]+)[\r\n\s\+]*?=[\r\n\s\+]*?[^\)]+\.createElement\(.+?\.appendChild\([\r\n\s]*?[\x22\x27]?(?P=var)[\x22\x27]?[\r\n\s]*?\).+\b(?P=var)\.innerHTML[\r\n\s\+]*?=[\r\n\s\+]*?(?P<q>[\x22\x27])(?P=q).+?CollectGarbage\(.+?\b(?P=var)\./Rsi"; reference:cve,2013-3163; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:2017130; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2013_07_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Firefox CVE-2013-1690"; flow:established,from_server; file_data; content:"window.stop("; fast_pattern:only; nocase; content:"ownerDocument.write("; nocase; content:"addEventListener("; nocase; content:"readystatechange"; distance:0; nocase; content:"Array"; nocase; reference:cve,2013-1690; classtype:attempted-user; sid:2017298; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2013_08_08, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT MS13-055 CAnchorElement Use-After-Free"; flow:established,from_server; file_data; content:".outer"; fast_pattern; pcre:"/^(?:Text|HTML)[\r\n\s]*?=[\r\n\s]*?(?:\x22\x22|\x27\x27)/Ri"; content:".getElementById("; nocase; content:"<span"; nocase; content:"on"; pcre:"/^(?:(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; content:"<table"; nocase; pcre:"/^((?!<table>).)+?<tr[\r\n\s\>]((?!<\/tr>).)*?<span[\r\n\s\>]((?!<\/span>).)*?<(?:[QU]|S(?:TR(?:IKE|ONG)|U[BP]|MALL|AMP)?|B(?:LINK|DO|IG)?|A(?:CRONYM|BBR)|R(?:[PT]|UBY)|(?:NOB|VA)R|C(?:IT|OD)E|D(?:EL|FN)|I(?:NS)?|KBD|EM|TT)[^>]*?\bid[\r\n\s]*?=/Rsi"; classtype:attempted-user; sid:2017463; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2013_09_13, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability"; flow:established,to_client; file_data; content:"outer"; nocase; pcre:"/^(?:Text|HTML)/Ri"; content:"onlosecapture"; fast_pattern; nocase; pcre:"/^(:?([\x22\x27][\r\n\s]*?\])?[\r\n\s]*?=|[\x22\x27][\r\n\s]*?\,)[\r\n\s]*?function[\r\n\s]*?\([^\)]*?\)[\r\n\s]*?\{.*?(\b(?P<var>[^\r\n\s\=]+)[\r\n\s]*?=[\r\n\s]*?(\x22\x22|\x27\x27))?.*?document\.write\([\r\n\s]*?(\x22\x22|\x27\x27|(?P=var))[\r\n\s]*?\)/Rsi"; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017478; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2013_09_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability"; flow:established,to_client; file_data; content:"outer"; nocase; pcre:"/^(?:Text|Html)/Ri"; content:"onlosecapture"; nocase; fast_pattern:only; content:"function"; pcre:"/^[\r\n\s]+(?P<func>[^\r\n\s]+)[\r\n\s]*?\([^\)]*?\)[\r\n\s]*?\{((?!function).)*?(\b(?P<var>[^\r\n\s\=]+)[\r\n\s]*?=[\r\n\s]*?(?:\x22\x22|\x27\x27))?((?!function).)*?document\.write\([\r\n\s]*?(?:\x22\x22|\x27\x27|(?P=var))[\r\n\s]*?\).+?onlosecapture(:?([\x22\x27][\r\n\s]*?\])?[\r\n\s]*?=|[\x22\x27][\r\n\s]*?\,)[\r\n\s]*?(?P=func)\b/Rsi"; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017479; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2013_09_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability"; flow:established,to_client; file_data; content:"outer"; nocase; pcre:"/^(?:Text|HTML)/Ri"; content:"onlosecapture"; nocase; fast_pattern; pcre:"/^(:?([\x22\x27][\r\n\s]*?\])?[\r\n\s]*?=|[\x22\x27][\r\n\s]*?\,)[\r\n\s]*?(?!function)(?P<func>[^\r\n\s]+)\b.+?function[\r\n\s]+(?P=func)[\r\n\s]*?\([^\)]*?\)[\r\n\s]*?\{((?!function).)*?(\b(?P<var>[^\r\n\s\=]+)[\r\n\s]*?=[\r\n\s]*?(\x22\x22|\x27\x27))?((?!function).)*?document\.write\([\r\n\s]*?(\x22\x22|\x27\x27|(?P=var))[\r\n\s]*?\)/Rsi"; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017480; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2013_09_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 Possible IE Memory Corruption Vulnerability with HXDS ASLR Bypass"; flow:established,to_client; file_data; content:"ms-help|3a|//"; nocase; content:"onlosecapture"; nocase; fast_pattern:only; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017477; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2013_09_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Use-After-Free CVE-2013-3897"; flow:established,from_server; file_data; content:"onpropertychange"; fast_pattern:only; nocase; content:".execCommand("; nocase; pcre:"/^[\r\n\s]*?[\x27\x22]Unselect[\x27\x22]/Rsi"; content:"appendChild("; nocase; content:"textarea"; nocase; content:".select("; nocase; content:".onselect"; reference:cve,2013-3897; classtype:attempted-user; sid:2017572; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2013_10_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT SUSPICIOUS JS Multiple Debug Math.atan2 calls with CollectGarbage"; flow:established,from_server; file_data; content:"CollectGarbage"; nocase; fast_pattern:only; content:"Math.atan2"; nocase; content:"Math.atan2"; nocase; distance:0; content:"Math.atan2"; nocase; distance:0; reference:url,blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/; reference:url,cyvera.com/cve-2013-3897-analysis-of-yet-another-ie-0-day/; classtype:attempted-user; sid:2017657; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2013_11_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE 0day CVE-2013-3918 1"; flow:established,from_server; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; content:".requiredClaims"; nocase; content:".remove("; nocase; content:".add("; nocase; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:attempted-user; sid:2017704; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2013_11_12, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE 0day CVE-2013-3918 2"; flow:established,from_server; file_data; content:"InformationCardSigninHelper"; nocase; content:".requiredClaims"; nocase; content:".remove("; nocase; content:".add("; nocase; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:attempted-user; sid:2017705; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2013_11_12, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE 0day CVE-2013-3918 3"; flow:established,from_server; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; content:"|5c|u"; content:"|5c|u"; distance:4; within:4; content:"|5c|u"; distance:4; within:4; pcre:"/^\{?[a-fA-F0-9]{4}\}?(\x5cu\{?[a-fA-F0-9]{4}\}?){20}/Rs"; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:attempted-user; sid:2017708; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2013_11_12, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE 0day CVE-2013-3918 4"; flow:established,from_server; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; content:"|25|u"; content:"|25|u"; distance:4; within:4; content:"|25|u"; distance:4; within:4; pcre:"/^\{?[a-fA-F0-9]{4}\}?(\x25u\{?[a-fA-F0-9]{4}\}?){20}/Rs"; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:attempted-user; sid:2017709; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2013_11_12, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_CLIENT BeEF Cookie Outbound"; flow:to_server,established; content:"Cookie|3a 20|BEEFSESSION="; fast_pattern:only; threshold: type limit, track by_src, seconds 300, count 1; reference:url,beefproject.com; classtype:attempted-user; sid:2018088; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_02_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible BeEF Default SSL Cert"; flow:established,from_server; content:"|0b|Bovine Land"; fast_pattern; content:"|1e|Browser Exploitation Framework"; classtype:attempted-user; sid:2018089; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Web_Client_Attacks, signature_severity Major, created_at 2014_02_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible BeEF Module in use"; flow:established,from_server; file_data; content:"beef.execute"; pcre:"/^\s*?\(/Rs"; threshold: type limit, track by_src, seconds 300, count 1; classtype:attempted-user; sid:2018090; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_02_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE10 Use After Free CVE-2014-0322"; flow:established,to_client; file_data; content:"onpropertychange"; nocase; fast_pattern:only; content:".outerHTML"; pcre:"/^\s*?=\s*?[^\s]+?\.outerHTML/Rsi"; content:"appendChild"; nocase; content:"getElementsByTagName"; nocase; pcre:"/^\s*?\(\s*?[\x22\x27]script[\x22\x27].+?\s(?P<vname>[^\s]+)\.onpropertychange\s*=.+?\s(?P<vname2>[^\s\x3d]+)\s*?=\s*?[^\s]*?createElement\s*?\(\s*?[\x22\x27]select[\x22\x27].+?(?P=vname)\.appendChild\(\s*?[\x22\x27]?(?P=vname2)[\x22\x27]?/Rsi"; reference:cve,2014-0322; classtype:attempted-user; sid:2018147; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_02_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT EMET Detection Via XMLDOM"; flow:established,from_server; file_data; content:"loadXML"; nocase; content:"parseError"; nocase; content:"res:/"; content:"AppPatch"; nocase; distance:0; pcre:"/^.+?\bEMET\.DLL/Rsi"; content:"EMET.DLL"; nocase; fast_pattern:only; classtype:attempted-user; sid:2018152; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_02_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Generic HeapSpray Construct"; flow:established,from_server; file_data; content:"createElement(|22|div|22|)"; fast_pattern:only; content:"for("; pcre:"/^\s*?(?P<var>[^\x3d\x3b\)\s]+)\s*?=\s*?0\s*?\x3b(?P=var)\s*?\<\s*?(?:0x)?\d{3,4}\s*?\x3b\s*?(?P=var)\+\+\s*?\)\s*?\x7b[^\x7d]+?\[\s*?(?P=var)\s*?\]\s*?=\s*?document\.createElement\([\x22]div[\x22]\)[^\x7d]+?\[\s*?(?P=var)\s*?\]/Rsi"; classtype:trojan-activity; sid:2018299; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_03_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2014-1761 HTTP"; flow:from_server,established; file_data; content:"{|5c|rt{"; content:"|5c|objocx|5c|"; distance:0; content:"MSComctlLib."; content:"|5c|u-554"; fast_pattern; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; distance:0; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018313; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_03_24, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET WEB_CLIENT SUSPICIOUS Possible automated connectivity check (www.google.com)"; flow:established,to_server; dsize:35<>41; content:"GET / HTTP/1."; content:"|0d 0a|Host|3a 20|"; distance:1; content:"google.com|0d 0a 0d 0a|"; distance:0; within:18; fast_pattern; threshold: type limit, count 1, seconds 300, track by_src; classtype:bad-unknown; sid:2018430; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_04_29, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET WEB_CLIENT SUSPICIOUS Possible automated connectivity check (www.msn.com)"; flow:established,to_server; dsize:37; content:"GET / HTTP/1."; content:"|0d 0a|Host|3a 20|www.msn.com|0d 0a 0d 0a|"; distance:1; within:23; fast_pattern:3,20; threshold: type limit, count 1, seconds 300, track by_src; classtype:bad-unknown; sid:2018431; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_04_29, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET WEB_CLIENT SUSPICIOUS Possible automated connectivity check (www.bing.com)"; flow:established,to_server; dsize:38; content:"GET / HTTP/1."; content:"|0d 0a|Host|3a 20|www.bing.com|0d 0a 0d 0a|"; distance:1; within:24; fast_pattern:4,20; threshold: type limit, count 1, seconds 300, track by_src; classtype:bad-unknown; sid:2018432; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_04_29, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET WEB_CLIENT SUSPICIOUS Possible automated connectivity check (www.yahoo.com)"; flow:established,to_server; dsize:39; content:"GET / HTTP/1."; content:"|0d 0a|Host|3a 20|www.yahoo.com|0d 0a 0d 0a|"; distance:1; within:25; fast_pattern:5,20; threshold: type limit, count 1, seconds 300, track by_src; classtype:bad-unknown; sid:2018433; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_04_29, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_CLIENT Microsoft Application Crash Report Indicates Potential VGX Memory Corruption"; flow:established,to_server; content:"/Generic/BEX/iexplore_exe/"; http_uri; content:"/vgx_dll_unloaded/"; http_uri; fast_pattern; content:"Host|3A| watson.microsoft.com"; http_header; reference:url,community.websense.com/blogs/securitylabs/archive/2014/04/28/cve-2014-1776-using-crash-reports-to-find-possible-exploited-vulnerabilities.aspx; reference:url,www.websense.com/assets/reports/websense-crash-report-en.pdf; reference:cve,2014-1776; classtype:attempted-user; sid:2018434; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_04_29, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_CLIENT Microsoft Application Crash Report Indicates Potential VGX Memory Corruption 2"; flow:established,to_server; content:"/StageOne/iexplore_exe/"; http_uri; content:"/vgx_dll/"; http_uri; fast_pattern; content:"Host|3A| watson.microsoft.com"; http_header; reference:url,community.websense.com/blogs/securitylabs/archive/2014/04/28/cve-2014-1776-using-crash-reports-to-find-possible-exploited-vulnerabilities.aspx; reference:url,www.websense.com/assets/reports/websense-crash-report-en.pdf; reference:cve,2014-1776; classtype:attempted-user; sid:2018436; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_04_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Base64 Encoded Java Value"; flow:established,to_client;  file_data; content:"<applet"; content:"<param"; distance:0; content:"<value="; distance:0; pcre:"/\x3Cvalue\x3D\x22([a-z0-9+/]{4})*(?:[a-z0-9+/]{2}==|[a-z0-9+/]{3}=)/smi"; reference:url,vrt-blog.snort.org/2014/05/continued-analysis-of-lightsout-exploit.html; classtype:bad-unknown; sid:2018447; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_05_05, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET [!21,!22,!23,!2100,!3535] -> $HOME_NET 1024:65535 (msg:"ET WEB_CLIENT Possible GnuTLS Client ServerHello SessionID Overflow CVE-2014-3466"; flow:established,to_client; content:"|16 03|"; depth:2; byte_test:1,<,4,2; content:"|02|"; distance:3; within:1; content:"|03|"; distance:3; within:1; byte_test:1,<,4,0,relative; byte_test:4,>,1370396981,1,relative; byte_test:4,<,1465091381,1,relative; byte_test:1,>,32,33,relative; reference:url,radare.today/technical-analysis-of-the-gnutls-hello-vulnerability/; reference:cve,2014-3466; classtype:attempted-user; sid:2018537; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_06_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Rosetta Flash compressed CWS"; flow:established,from_server; content:"callback=CWS"; nocase; fast_pattern:only; content:"<object"; nocase; pcre:"/^((?!(?i:<\/object>)).)+?data\s*?\=\s*?[\x22\x27][^\x22\x27]*[?&]callback=CWS[a-zA-Z0-9_\.\x0d\x0a]{50,}+[&\x22\x27]/Rsi"; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:cve,2014-4671; classtype:attempted-user; sid:2018656; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_07_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Rosetta Flash compressed FWS"; flow:established,from_server; content:"callback=FWS"; nocase; fast_pattern:only; content:"<object"; nocase; pcre:"/^((?!(?i:<\/object>)).)+?data\s*?\=\s*?[\x22\x27][^\x22\x27]*[?&]callback=FWS[a-zA-Z0-9_\.\x0d\x0a]{50,}+[&\x22\x27]/Rsi"; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:cve,2014-4671; classtype:attempted-user; sid:2018657; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_07_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Rosetta Flash compressed ZWS"; flow:established,from_server; content:"callback=ZWS"; nocase; fast_pattern:only; content:"<object"; nocase; pcre:"/^((?!(?i:<\/object>)).)+?data\s*?\=\s*?[\x22\x27][^\x22\x27]*[?&]callback=ZWS[a-zA-Z0-9_\.\x0d\x0a]{50,}+[&\x22\x27]/Rsi"; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:cve,2014-4671; classtype:attempted-user; sid:2018658; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_07_08, updated_at 2016_07_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_CLIENT DRIVEBY Social Engineering Toolkit JAR Download"; flow:established,to_server; content:"/Signed_Update.jar"; nocase; http_uri; fast_pattern:only; content:"Java/1."; http_header; reference:url,trustedsec.com/downloads/social-engineer-toolkit/; reference:url,securelist.com/blog/research/66108/el-machete/; classtype:trojan-activity; sid:2018969; rev:1; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, tag DriveBy, signature_severity Major, created_at 2014_08_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY Social Engineering Toolkit JAR filename detected"; flow:established,to_client; file_data; content:"<applet"; content:"Signed_Update.jar"; fast_pattern:only; reference:url,trustedsec.com/downloads/social-engineer-toolkit/; reference:url,securelist.com/blog/research/66108/el-machete/; classtype:trojan-activity; sid:2018970; rev:1; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, tag DriveBy, signature_severity Major, created_at 2014_08_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY Social Engineering Toolkit Web Clone code detected"; flow:established,from_server; file_data; content:"|3c|param name=|22|"; content:"value=|22|nix.bin|22 3e|"; distance:0; reference:url,trustedsec.com/downloads/social-engineer-toolkit/; reference:url,securelist.com/blog/research/66108/el-machete/; classtype:trojan-activity; sid:2018972; rev:1; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, tag DriveBy, signature_severity Major, created_at 2014_08_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious iframe guessing router password 1"; flow:established,from_server; file_data; content:"dnsPrimary="; nocase; fast_pattern:only; content:"dnsSecondary="; nocase; content:"dnsDynamic="; nocase; content:"dnsconfig.cgi"; nocase; reference:url,securelist.com/blog/incidents/66358/web-based-attack-targeting-home-routers-the-brazilian-way/; classtype:attempted-user; sid:2019111; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_09_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious iframe guessing router password 2"; flow:established,from_server; file_data; content:"dnsPrimary="; nocase; fast_pattern:only; content:"dnsSecondary="; nocase; content:"dnsDynamic="; nocase; content:"rebootinfo.cgi"; nocase; reference:url,securelist.com/blog/incidents/66358/web-based-attack-targeting-home-routers-the-brazilian-way/; classtype:attempted-user; sid:2019112; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_09_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2014-4113 Exploit Download"; flow:to_client,established; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|fb ff ff ff|"; content:"|0b 00 00 00 01 00 00 00|"; content:"|25 00 00 00 01 00 00 00|"; content:"|8b 00 00 00 01 00 00 00|"; fast_pattern; reference:url,blog.crowdstrike.com/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/; reference:cve,2014-4141; classtype:attempted-user; sid:2019420; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_10_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2014-4113 Exploit Download with Hurricane Panda IOC"; flow:to_client,established; flowbits:isset,ET.http.binary; file_data; content:"woqunimalegebi"; fast_pattern:only; reference:url,blog.crowdstrike.com/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/; reference:cve,2014-4113; classtype:attempted-user; sid:2019421; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_10_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT GENERIC VB ShellExecute Function Inside of VBSCRIPT tag"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"shellexecute"; nocase; fast_pattern:only; content:"<script "; nocase; pcre:"/^[^>]*?(?:language\s*?=\s*?[\x22\x27]vbscript[\x22\x27]|type\s*?=\s*?[\x22\x27]text/vbscript[\x22\x27](?:(?!<\/script>).)+?\WShellExecute)/Rsi"; reference:cve,2014-6332; classtype:attempted-user; sid:2019707; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_11_13, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer VBscript failure to handle error case information disclosure obfuscated CVE-2014-6332"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"Xor"; nocase; pcre:"/^\W/R"; content:"Execute"; nocase; content:"&chr"; nocase; content:"UBound"; fast_pattern:only; nocase; content:"Cint"; nocase; pcre:"/^\W/R"; content:"Split"; nocase; pcre:"/^\W/R"; content:"Mid"; pcre:"/^\W/R"; content:"Len"; pcre:"/^\W/R"; reference:cve,2014-6332; classtype:attempted-user; sid:2019715; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_11_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT GENERIC Possible IE Memory Corruption CollectGarbage with DOM Reset"; flow:established,to_client; file_data; content:"unescape"; nocase; content:"%u"; nocase; content:"CollectGarbage"; nocase; fast_pattern:only; content:"innerHTML"; nocase; pcre:"/^\s*?=\s*?(?:undefined|false|null|-?0|NaN|\x22\x22|\x27\x27)/Rsi"; classtype:attempted-user; sid:2019730; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_11_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Percent Hex Encode"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"redim|25|"; nocase; fast_pattern; pcre:"/^(?:25)?20(?:\x25(?:25)?20|\s)*?Preserve/Rsi"; content:"redim|25|"; nocase; distance:0; pcre:"/^(?:25)?20(?:\x25(?:25)?20|\s)*?Preserve/Rsi"; reference:cve,2014-6332; classtype:attempted-user; sid:2019732; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_11_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Samsung Galaxy Knox Android Browser RCE smdm attempt"; flow:to_client,established; file_data; content:"smdm|3a|//"; nocase; distance:0; metadata: former_category WEB_CLIENT; reference:url,blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html; reference:url,cxsecurity.com/issue/WLB-2014110124; classtype:web-application-activity; sid:2019750; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_11_19, updated_at 2017_05_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project"; flow:established,from_server; flowbits:isset,et.http.PK; file_data; content:"/vbaProject"; nocase; pcre:"/\d*?\.bin/Ri"; flowbits:set,et.DocVBAProject; classtype:bad-unknown; sid:2019835; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_12_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project"; flow:established,from_server; flowbits:isset,et.http.PK; file_data; content:"_VBA_PROJECT"; nocase; flowbits:set,et.DocVBAProject; classtype:bad-unknown; sid:2019836; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_12_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)"; flow:established,from_server; flowbits:isset,et.MCOFF; file_data; content:"_|00|V|00|B|00|A|00|_|00|P|00|R|00|O|00|J|00|E|00|C|00|T|00|"; nocase; flowbits:set,et.DocVBAProject; classtype:bad-unknown; sid:2019837; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_12_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer VBscript CVE-2014-6332 multiple redim preserve"; flow:to_client,established; content:!"Content-Type|3a 20|text/xml|0d 0a|"; http_header; content:!"Content-Type|3a 20|application/xml|0d 0a|"; http_header; file_data; content:"preserve"; nocase; content:"redim "; nocase; fast_pattern; pcre:"/^\s*?Preserve\s*?(?P<var1>[a-z]\w{0,254}+)\s*?\x28\s*?[^\x29]+?\x29.*?redim\s*?Preserve\s*?(?P=var1)/Rsi"; reference:cve,2014-6332; classtype:attempted-user; sid:2019842; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_12_02, updated_at 2016_07_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Hidden Embedded File"; flow:established,to_client; flowbits:isset,ET.pdf.in.http; file_data; content:"obj"; distance:0; content:"<<"; within:4; content:"/Embeddedfile"; distance:0; pcre:"/\x3C\x3C[^>]*\x2FEmbeddedfile/sm"; reference:url,blog.didierstevens.com/2009/07/01/embedding-and-hiding-files-in-pdf-documents/; classtype:bad-unknown; sid:2019850; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_12_03, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer execCommand function Use after free Vulnerability 0day Metasploit 2"; flow:established,to_client; file_data; content:"execCommand"; nocase; content:"YMjf|ff ff|KDog"; fast_pattern; reference:url,eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/; reference:cve,CVE-2012-4969; classtype:attempted-user; sid:2020099; rev:5; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Web_Client_Attacks, tag Metasploit, signature_severity Critical, created_at 2015_01_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Android RCE via XSS and Play Store XFO"; flow:from_server,established; file_data; content:"|5c|u00"; byte_test:2,<,0x21,0,relative,string,hex; content:"javascript|3a|"; nocase; within:11; distance:2; content:"/store/apps/details?id="; nocase; fast_pattern:only; reference:url,1337day.com/exploit/22581; reference:cve,2014-6041; reference:url,github.com/rapid7/metasploit-framework/commit/7f2add2ce30f33e7787310d7abcb1781e8ea8f43; classtype:attempted-user; sid:2020393; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2015_02_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Office RTF Stack Buffer Overflow"; flow:from_server,established; file_data; content:"|7b 5c|rt"; within:4; flowbits:set,ETPRO.RTF; flowbits:noalert; reference:cve,2010-3333; classtype:misc-activity; sid:2020699; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2015_03_16, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Firefox Proxy Prototype RCE Attempt (CVE-2014-8636)"; flow:from_server,established; file_data; content:"chrome|3a 2f 2f|"; nocase; content:"open"; nocase; pcre:"/^\s*?\(\s*?[\x22\x27]chrome\x3a\/\//Ri"; content:"messageManager.loadFrameScript"; nocase; content:"Proxy.create"; nocase; reference:url,community.rapid7.com/community/metasploit/blog/2015/03/23/r7-2015-04-disclosure-mozilla-firefox-proxy-prototype-rce-cve-2014-8636; reference:cve,2014-8636; classtype:attempted-user; sid:2020756; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2015_03_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2013-1710/CVE-2012-3993 Firefox Exploit Attempt"; flow:established,to_client; file_data; content:"generateCRMFRequest"; nocase; fast_pattern:only; content:"InstallTrigger"; nocase; content:"__exposedProps__"; nocase; content:"__defineGetter__"; nocase; content:"getInstallForURL"; nocase; content:".install|28|"; nocase; content:"x-xpinstall"; nocase; reference:cve,CVE-2013-1710; reference:cve,CVE-2012-3993; classtype:attempted-user; sid:2021078; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2015_05_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer Memory Corruption Vulnerability (CVE-2015-2444)"; flow:from_server,established; file_data; content:"<style"; nocase; pcre:"/^[^>]*?>\s*?form\s*?\{\s*?-ms-behavior\s*?\x3a\s*?url/Rsi"; content:"x-ua-compatible"; nocase; pcre:"/^[\x22\x27]\s*content\s*=\s*[\x22\x27]\s*IE\s*=\s*10/Rsi"; content:"<button"; nocase; content:"<label"; nocase; distance:0; content:"<form"; nocase; distance:0; content:"<meter"; nocase; distance:0; content:"<optgroup"; nocase; distance:0; content:"<meter"; nocase; distance:0; content:"-ms-behavior"; nocase; fast_pattern:only; reference:cve,2015-2444; classtype:attempted-user; sid:2021709; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2015_08_24, updated_at 2016_07_01;)

alert tcp any any -> $HOME_NET any (msg:"ET WEB_CLIENT Proxy - OWASP Zed Attack Proxy Certificate Seen"; content:"|16|"; depth:1; content:"OWASP Zed Attack Proxy Root CA"; nocase; classtype:misc-activity; sid:2021941; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2015_10_09, updated_at 2016_07_01;)

alert tcp any any -> $HOME_NET any (msg:"ET WEB_CLIENT Proxy - BurpSuite PortSwigger Proxy Certificate Seen"; content:"|16|"; depth:1; content:"PortSwigger CA"; nocase; classtype:misc-activity; sid:2021942; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2015_10_09, updated_at 2016_07_01;)

alert tcp any any -> $HOME_NET any (msg:"ET WEB_CLIENT Proxy - Fiddler Proxy Certificate Seen"; content:"|16|"; depth:1; content:"DO_NOT_TRUST_FiddlerRoot"; nocase; classtype:misc-activity; sid:2021943; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2015_10_09, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible eDellRoot Rogue Root CA"; flow:established,from_server; content:"|16|"; content:"|0b|"; distance:0; content:"|55 04 03|"; distance:0; content:"|09|eDellRoot"; distance:1; within:10; fast_pattern; reference:url,arstechnica.com/security/2015/11/dell-does-superfish-ships-pcs-with-self-signed-root-certificates/; classtype:trojan-activity; sid:2022134; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2015_11_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer Memory Corruption Vulnerability (CVE-2016-0063)"; flow:established,to_client; file_data; content:"prototype"; nocase; content:"DOMImplementation"; fast_pattern; pcre:"/^\s*\([^\)]*\)\s*\.\s*prototype\s*\.\s*(?:hasFeature|isPrototypeOf)/Rsi"; reference:cve,2016-0063; classtype:trojan-activity; sid:2022523; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2016_02_16, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Google Chrome Pdfium JPEG2000 Heap Overflow"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"stream"; content:"|00 00 00 0c 6a 50 20 20 0d 0a 87 0a|"; distance:0; content:"|00 00 00 00 6a 70 32 63 ff 4f|"; distance:0; content:"|ff 51|"; within:200; content:"|00 00 ff|"; distance:36; within:3; byte_test:1,>,0x51,0,relative; byte_test:1,<,0x94,0,relative; pcre:"/^[\x52\x5c\x64\x65\x90\x93]/R"; classtype:bad-unknown; sid:2022890; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2016_06_13, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Metasploit Browser Autopwn Aug1 2016"; flow:established,from_server; file_data; content:"|65 78 70 6c 6f 69 74 4c 69 73 74 2e 73 70 6c 69 63 65|"; nocase; fast_pattern:only; content:"|73 65 74 54 69 6d 65 6f 75 74 28 22 6c 6f 61 64 45 78 70 6c 6f 69 74 28 29 22|"; nocase; classtype:attempted-admin; sid:2023014; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_02, performance_impact Low, updated_at 2016_08_02;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_CLIENT Possible Chrome WebEx Extension RCE Attempt"; flow:to_server,established; content:"cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"; http_uri; fast_pattern:only; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=1096; classtype:attempted-user; sid:2023756; rev:1; metadata:affected_product Google_Chrome, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2017_01_24, performance_impact Low, updated_at 2017_01_24;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT SUSPICIOUS Microsoft-Edge protocol in use (Observed in Magnitude EK)"; flow:established,to_client; file_data; content:"microsoft-edge|3a|http"; nocase; fast_pattern; byte_test:1,>,0x21,-20,relative; byte_test:1,<,0x28,-20,relative; byte_test:1,!=,0x23,-20,relative; byte_test:1,!=,0x24,-20,relative; byte_test:1,!=,0x25,-20,relative; byte_test:1,!=,0x26,-20,relative; content:"location"; nocase; content:"iframe"; nocase; content:"contentWindow"; nocase; metadata: former_category WEB_CLIENT; reference:url,www.brokenbrowser.com/abusing-of-protocols/; classtype:misc-activity; sid:2024030; rev:1; metadata:attack_target Client_Endpoint, signature_severity Major, created_at 2017_03_06, malware_family BrokenBrowser, updated_at 2017_03_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT SUSPICIOUS Local file read using read protocol"; flow:established,to_client; file_data; content:"read|3a|"; nocase; fast_pattern; byte_test:1,>,0x21,-6,relative; byte_test:1,<,0x28,-6,relative; byte_test:1,!=,0x23,-6,relative; byte_test:1,!=,0x24,-6,relative; byte_test:1,!=,0x25,-6,relative; byte_test:1,!=,0x26,-6,relative; pcre:"/^\s*,\s*[a-zA-Z]\x3a[\x2f\x5c]/Ri"; metadata: former_category WEB_CLIENT; reference:url,www.brokenbrowser.com/abusing-of-protocols/; classtype:misc-activity; sid:2024031; rev:1; metadata:attack_target Client_Endpoint, signature_severity Major, created_at 2017_03_06, malware_family BrokenBrowser, updated_at 2017_03_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible MacOSX HelpViewer 10.12.1 XSS Arbitrary File Execution and Arbitrary File Read (CVE-2017-2361)"; flow:established,from_server; file_data; content:"%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f"; content:"javascript%253aeval"; fast_pattern; content:"help|3a 2f 2f|"; pcre:"/document\s*\.\s*location\s*?\x3d\s*?[\x27\x22]help\x3a\/\/\/[^\x3b]+?\%25252f\.\.\%25252f\.\.\%25252f\.\.\%25252f/"; metadata: former_category WEB_CLIENT; reference:url,exploit-db.com/exploits/41443/; classtype:attempted-user; sid:2024034; rev:1; metadata:affected_product Mac_OSX, affected_product Safari, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_08, performance_impact Low, updated_at 2017_03_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT HTA File Download Flowbit Set"; flow:established,to_client; content:"Content-Type|3A| application/hta"; http_header; fast_pattern:12,16; flowbits:set,et.http.hta; flowbits:noalert; metadata: former_category WEB_CLIENT; classtype:not-suspicious; sid:2024195; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_10, performance_impact Low, updated_at 2017_04_10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT HTA File containing Wscript.Shell Call - Potential CVE-2017-0199"; flow:established,to_client; flowbits:isset,et.http.hta; content:"Wscript.Shell"; nocase; metadata: former_category WEB_CLIENT; reference:url,www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html; reference:url,securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/; classtype:attempted-user; sid:2024196; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, cve 2017_0199, signature_severity Major, created_at 2017_04_10, performance_impact Low, updated_at 2017_08_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_CLIENT Office Requesting .HTA File Likely CVE-2017-0199 Request"; flow:established,to_server; content:".hta"; nocase; http_uri; fast_pattern:only; content:"User-Agent|3a 20|Microsoft Office"; http_header; content:!"Referer|3a|"; http_header; metadata: former_category WEB_CLIENT; reference:cve,2017-0199; classtype:trojan-activity; sid:2024224; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_kit_RIG, signature_severity Major, created_at 2017_04_19, malware_family Exploit_Kit_RIG, performance_impact Low, updated_at 2017_06_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_CLIENT Office UA FB SET"; flow:established,to_server; content:"User-Agent|3a 20|Microsoft Office"; http_header; fast_pattern:10,16; content:!"Referer|3a|"; http_header; flowbits:set,Office.UA; flowbits:noalert; metadata: former_category WEB_CLIENT; reference:cve,cve-2017-0199; classtype:trojan-activity; sid:2024225; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_kit_RIG, signature_severity Major, created_at 2017_04_19, malware_family Exploit_Kit_RIG, performance_impact Low, updated_at 2017_04_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Office Discovery HTA file Likely CVE-2017-0199 Request M2"; flow:established,to_client; flowbits:isset,Office.UA; content:"application/hta|0d 0a|"; http_header; nocase; fast_pattern:only; metadata: former_category WEB_CLIENT; reference:cve,cve-2017-0199; classtype:trojan-activity; sid:2024226; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_kit_RIG, signature_severity Major, created_at 2017_04_19, malware_family Exploit_Kit_RIG, performance_impact Low, updated_at 2017_04_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious SCF File Inbound"; flow:to_client,established; file_data; content:"[shell]"; nocase;  content:"iconfile"; nocase; distance:0; pcre:"/^\s*=\s*\x5c\x5c/Rs"; metadata: former_category WEB_CLIENT; reference:url,defensecode.com/news_article.php?id=21; classtype:attempted-user; sid:2024303; rev:1; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_05_16, performance_impact Moderate, updated_at 2017_05_16;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible BeEF Module in use"; flow:established,from_server; content:"beef.websocket.send"; pcre:"/^\s*?\(/Rs"; content:"beef.encode.base64.encode"; pcre:"/^\s*?\(/Rs"; metadata: former_category WEB_CLIENT; classtype:attempted-user; sid:2024415; rev:1; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_19, performance_impact Moderate, updated_at 2017_06_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT BeEF HTTP Get Outbound"; flow:to_server,established; content:"GET /";content:".js?BEEFHOOK="; distance:0; fast_pattern; pcre:"/GET \/\w+\.js\?BEEFHOOK=/"; threshold: type limit, track by_src, seconds 300, count 1; metadata: former_category WEB_CLIENT; reference:url,beefproject.com; classtype:attempted-user; sid:2024416; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_19, performance_impact Moderate, updated_at 2017_06_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Download of Multimedia Content flowbit set"; flow:established,to_client; file_data; content:"|00 00 00|"; depth:3; content:"|66 74 79 70|"; distance:1; within:4; fast_pattern; flowbits:noalert; flowbits:set,ET.Multimedia.Download; metadata: former_category WEB_CLIENT; reference:url,www.garykessler.net/library/file_sigs.html; classtype:misc-activity; sid:2024689; rev:1; metadata:tag noalert, created_at 2017_09_08, updated_at 2017_09_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Download of .MOV Content flowbit set"; flow:established,to_client; file_data; content:"|6D 6F 6F 76|"; distance:4; within:4; flowbits:noalert; flowbits:set,ET.MP4.Download; metadata: former_category WEB_CLIENT; reference:url,www.garykessler.net/library/file_sigs.html; classtype:misc-activity; sid:2024690; rev:1; metadata:tag noalert, created_at 2017_09_08, updated_at 2017_09_08;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Suspicious Possible Zip DL containing single VBS script"; flow:established,from_server; file_data; content:"|50 4b 01 02|"; content:".vbs"; nocase; distance:0; pcre:"/^(?:(?!PK).)*?\x50\x4b\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00/Rs"; classtype:bad-unknown; sid:2024769; rev:1; metadata:created_at 2017_09_26, updated_at 2017_09_26;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 1"; flow:established,to_client; file_data; content:"U3RhcnQtUHJvY2Vzc"; content:"cnVuZGxsMz"; content:"VXNlckluaXRNcHJMb2dvblNjcmlwd"; metadata: former_category WEB_CLIENT; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024971; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2017_11_07, updated_at 2017_11_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 2"; flow:established,to_client; file_data; content:"N0YXJ0LVByb2Nlc3"; content:"J1bmRsbDMy"; content:"VzZXJJbml0TXByTG9nb25TY3JpcH"; metadata: former_category WEB_CLIENT; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024972; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2017_11_07, updated_at 2017_11_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 3"; flow:established,to_client; file_data; content:"TdGFydC1Qcm9jZXNz"; content:"ydW5kbGwzM"; content:"Vc2VySW5pdE1wckxvZ29uU2NyaXB0"; metadata: former_category WEB_CLIENT; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024973; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2017_11_07, updated_at 2017_11_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 4"; flow:established,to_client; file_data; content:"U3RhcnQtUHJvY2Vzc"; content:"RG93bmxvYWRGaWxl"; content:"V2ViQ2xpZW50"; content:"aW8uRmlsZ"; metadata: former_category WEB_CLIENT; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024974; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2017_11_07, updated_at 2017_11_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 5"; flow:established,to_client; file_data; content:"N0YXJ0LVByb2Nlc3"; content:"Rvd25sb2FkRmlsZ"; content:"dlYkNsaWVud"; content:"lvLkZpbG"; metadata: former_category WEB_CLIENT; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024975; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2017_11_07, updated_at 2017_11_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 6"; flow:established,to_client; file_data; content:"TdGFydC1Qcm9jZXNz"; content:"Eb3dubG9hZEZpbG"; content:"XZWJDbGllbn"; content:"pby5GaWxl"; metadata: former_category WEB_CLIENT; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024976; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2017_11_07, updated_at 2017_11_07;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat PDF Reader use after free JavaScript engine (CVE-2017-16393)"; flow:established,from_server; flowbits:isset,ET.pdf.in.http; file_data; content:"this.addAnnot"; nocase; content:"this.addField"; nocase; content:".popupRect"; nocase; content:".setAction("; nocase; content:"OnFocus"; nocase; content:"setFocus"; nocase; pcre:"/\s+?(?P<var1>[^\s\x3d]+?)\s*?=\s*?this\.addAnnot.+?(?P=var1)\s*\x2epopupRect\s*?=\s*?0x4000/si"; pcre:"/\s+?(?P<var2>[^\s\x3d]+?)\s*?=\s*?this\.addField.+?(?P=var2)\s*\x2e\s*setAction\s*?\x28\s*?[\x22\x27]\s*?OnFocus[^\x29]+popupOpen\s*?=\s*?true/si"; metadata: former_category WEB_CLIENT; reference:cve,2017-16393; classtype:attempted-user; sid:2025091; rev:2; metadata:affected_product Adobe_Reader, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2017_11_14, performance_impact Low, updated_at 2017_11_29;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Type Confusion Microsoft Edge (CVE-2017-11873)"; flow:established,from_server; file_data; content:"[1.1, 2.2"; fast_pattern; pcre:"/^(?:\]|, 3\.3\])\x3b/R"; content:"Array(100)"; content:"i = 0|3b| i < 100"; content:"function opt("; metadata: former_category WEB_CLIENT; reference:url,raw.githubusercontent.com/theori-io/pwnjs/master/examples/CVE-2017-11873.js; reference:cve,2017-11873; classtype:attempted-user; sid:2024993; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_15, performance_impact Significant, updated_at 2017_11_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PWNJS JS Constructs"; flow:established,from_server; file_data; content:"base_lo"; content:"base_hi"; content:"fake_object"; fast_pattern; pcre:"/^\s*?\[\s*?\d/Rs"; content:"i32"; pcre:"/^\s*?\[\s*?\d/Rs"; content:"f64"; pcre:"/^\s*?\[\s*?\d/Rs"; content:"array_addr"; metadata: former_category WEB_CLIENT; reference:url,raw.githubusercontent.com/theori-io/pwnjs/; classtype:attempted-user; sid:2024994; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_15, performance_impact Moderate, updated_at 2017_11_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Safari UXSS (CVE-2017-7089)"; flow:from_server,established; file_data; content:"parent-tab://"; fast_pattern:only; content:"open"; pcre:"/\b(?P<varname>[^\s\x3d]+)\s*\x3d\s*open\s*\x28\s*[^\x29]+parent-tab:\/\/.+(?P=varname)\s*\.\s*document\s*\.\s*body\s*.\s*innerHTML\s*=/si"; metadata: former_category WEB_CLIENT; reference:cve,2017-7089; classtype:attempted-user; sid:2024995; rev:2; metadata:affected_product Safari, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2017_11_15, performance_impact Low, updated_at 2017_11_15;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Google Chrome XSS (CVE-2017-5124)"; flow:from_server,established; content:"Content-Type|3a| multipart/related"; fast_pattern:only; file_data; content:"<xsl"; pcre:"/^((?!<\/xsl).)+?src\s*=\s*[\x27\x22](?P<loc>[^\x22\x27]+?)[\x27\x22].+?Content-Location\x3a\s+(?P=loc)/Rsi"; metadata: former_category WEB_CLIENT; reference:cve,2017-5124; classtype:attempted-user; sid:2024996; rev:2; metadata:affected_product Google_Chrome, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2017_11_15, performance_impact Low, updated_at 2017_11_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_CLIENT Google Chrome Credential Stealing via SCF file Reflected Request"; flow:to_server,established; content:"shell"; nocase; http_uri; content:"IconFile"; http_uri; nocase; content:"|5c 5c|"; http_raw_uri; pcre:"/Shell.*%0a\s*IconFile\s*=\s*\x5c\x5c/iI"; metadata: former_category WEB_CLIENT; reference:url,defensecode.com/whitepapers/Stealing-Windows-Credentials-Using-Google-Chrome.pdf; classtype:attempted-recon; sid:2025060; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Google_Chrome, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_27, performance_impact Low, updated_at 2017_11_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PowerShell call in script 1"; flow:from_server,established; file_data;  content:"vbscript"; nocase; content:".run"; nocase; content:"powershell.exe"; fast_pattern:only; content:"<script"; pcre:"/^((?!<\/script>).)+?powershell\.exe/Rsi"; metadata: former_category WEB_CLIENT; classtype:attempted-user; sid:2025061; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2017_11_27, performance_impact Low, updated_at 2017_11_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PowerShell call in script 2"; flow:from_server,established; file_data;  content:"vbscript"; nocase; content:"shell"; nocase; pcre:"/^\W/Rs"; content:"powershell.exe"; fast_pattern:only; content:"<script"; pcre:"/^((?!<\/script>).)+?powershell\.exe/Rsi"; metadata: former_category WEB_CLIENT; classtype:attempted-user; sid:2025062; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2017_11_27, performance_impact Low, updated_at 2017_11_27;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Spectre Kernel Memory Leakage JavaScript (POC Based)"; flow:established,from_server; file_data; content:"<script"; content:"|3c 20|simpleByteArray.length|29|"; distance:0; content:"simpleByteArray|5b|"; within:50; content:"|2a 20|TABLE1_STRIDE|29 7c 30 29 20 26 20 28|TABLE1_BYTES-1|29|"; distance:0; fast_pattern; content:"|5e 3d 20|probeTable|5b|"; distance:0; content:"|7c 30 5d 7c 30 3b|"; distance:0; metadata: former_category WEB_CLIENT; reference:cve,2017-5753; reference:cve,2017-5715; reference:url,spectreattack.com/spectre.pdf; classtype:attempted-user; sid:2025184; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_04, updated_at 2018_02_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Spectre Kernel Memory Leakage JavaScript"; flow:established,from_server; file_data; content:"<script"; nocase; content:"<"; distance:0; content:".length"; distance:0; nocase; fast_pattern; pcre:"/^\s*?\)\s*?\{\s*(?P<var>[^\s]+)\s*=[^\x5b]+?\x5b\s*(?P=var)\s*?\|\s*?0\s*?\]\s*?\x3b\s*?/Rsi"; content:"^="; distance:0; pcre:"/^\s*[^\s]+\x5b\s*?[^\x5d\x7c]+\x7c\s*?0\s*?\x5d\s*?\x7c\s*?0\s*?\x3b/Rsi"; metadata: former_category WEB_CLIENT; reference:cve,2017-5753; reference:cve,2017-5715; reference:url,github.com/cgvwzq/spectre; classtype:attempted-user; sid:2025185; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_04, performance_impact Low, updated_at 2018_02_06;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Spectre Exploit Javascript"; flow:from_server,established; file_data; content:"0x1000000"; fast_pattern:only; pcre:"/(?<var1>[^=\s]*)\s*=\s*0x1000000.+?\x28\s*\x28\s*\x28\s*\w+\s*<<\s*12\s*\x29\s*\|\s*0\s*\x29\s*\+\s*(?P=var1)\s*\x29\s*\|\s*0/s"; metadata: former_category WEB_CLIENT; reference:cve,2017-5753; reference:cve,2017-5715; reference:url,github.com/cgvwzq/spectre; classtype:attempted-user; sid:2025188; rev:4; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2018_01_09, performance_impact Moderate, updated_at 2018_02_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_CLIENT PolarisOffice Insecure Library Loading"; flow:to_server; content:"GET"; http_method; content:"puiframeworkproresenu.dll"; http_uri; isdataat:!1,relative; metadata: former_category WEB_CLIENT; reference:cve,2018-12589; classtype:attempted-user; sid:2025792; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, created_at 2018_07_06, updated_at 2018_07_18;)

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER RFI Scanner Success (Fx29ID)"; flow:established,from_server; content:"FeeLCoMzFeeLCoMz"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010463; reference:url,opinion.josepino.com/php/howto_website_hack1; classtype:successful-user; sid:2010463; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible File Injection Compromise (HaCKeD By BeLa & BodyguarD)"; flow:established,to_server; content:"HaCKeD By BeLa & BodyguarD"; fast_pattern:only; reference:url,www.incidents.org/diary.html?storyid=4405; classtype:web-application-attack; sid:2008207; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER XML-RPC for PHP Remote Code Injection"; flow:established,to_server; content:"POST"; nocase; http_method; content:"xmlrpc.php"; http_uri; fast_pattern:only; content:"methodCall"; http_client_body; nocase; pcre:"/>.*?\'\s*?\)\s*?\)*?\s*?\;/R"; reference:url,www.securityfocus.com/bid/14088/exploit; reference:cve,2005-1921; reference:url,doc.emergingthreats.net/bin/view/Main/2002158; classtype:web-application-attack; sid:2002158; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible 3Com OfficeConnect Router Default User Account Remote Command Execution Attempt"; flow:established,to_server; content:"/utility.cgi?testType="; nocase; http_uri; content:"IP="; nocase; http_uri; content:"|7C 7C|"; http_uri; pcre:"/\x7C\x7C.+[a-z]/Ui"; reference:url,securitytracker.com/alerts/2009/Oct/1023051.html; reference:url,www.securityfocus.com/archive/1/507263; reference:url,www.securityfocus.com/bid/36722/info; reference:url,doc.emergingthreats.net/2010159; classtype:attempted-admin; sid:2010159; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER 3Com Intelligent Management Center Cross Site Scripting Attempt"; flow:established,to_server; content:"/imc/login.jsf"; nocase; http_uri; content:"loginForm"; nocase; http_uri; content:"javax.faces.ViewState="; nocase; http_uri; pcre:"/ViewState\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,securitytracker.com/alerts/2010/May/1024022.html; reference:url,support.3com.com/documents/netmgr/imc/3Com_IMC_readme_plat_3.30-SP2.html; reference:url,www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-02; reference:url,doc.emergingthreats.net/2011145; classtype:web-application-attack; sid:2011145; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Apache mod_perl Apache Status and Apache2 Status Cross Site Scripting Attempt"; flow:established,to_server; content:"|2F|APR|3A 3A|SockAddr|3A 3A|port|2F|"; nocase; http_uri; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/34383/info; reference:cve,2009-0796; reference:url,doc.emergingthreats.net/2010281; classtype:attempted-user; sid:2010281; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER CGI AWstats Migrate Command Attempt"; flow:established,to_server; content:"/awstats.pl?"; nocase; http_uri; content:"/migrate"; fast_pattern; http_uri; pcre:"/migrate\s*=\s*\|/Ui"; reference:bugtraq,17844; reference:url,doc.emergingthreats.net/2002900; classtype:web-application-attack; sid:2002900; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Apache Axis2 xsd Parameter Directory Traversal Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/axis2/services/Version?"; nocase; http_uri; content:"xsd="; nocase; http_uri; content:"../"; depth:200; reference:bugtraq,40343; reference:url,doc.emergingthreats.net/2011160; classtype:web-application-attack; sid:2011160; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible BASE Authentication Bypass Attempt"; flow:to_server,established; content:"BASERole="; http_header; content:"794b69ad33015df95578d5f4a19d390e"; http_header; reference:url,seclists.org/bugtraq/2009/Jun/0218.html; reference:url,seclists.org/bugtraq/2009/Jun/0217.html; reference:url,doc.emergingthreats.net/2009677; classtype:web-application-attack; sid:2009677; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Barracuda Spam Firewall img.pl Remote Command Execution Attempt"; flow: to_server,established; content:"/cgi-bin/img.pl?"; nocase; http_uri; pcre:"/(f=.+\|)/Ui"; reference:bugtraq,14712; reference:url,doc.emergingthreats.net/2002362; classtype:web-application-attack; sid:2002362; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Barracuda Spam Firewall img.pl Remote Directory Traversal Attempt"; flow: to_server,established; content:"/cgi-bin/img.pl?"; nocase; http_uri; pcre:"/(f=\.\..+)/Ui"; reference:bugtraq,14710; reference:url,doc.emergingthreats.net/2002685; classtype:web-application-attack; sid:2002685; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Barracuda Spam Firewall preview_email.cgi Remote Command Execution"; flow: to_server,established; content:"/cgi-bin/preview_email.cgi?"; nocase; http_uri; pcre:"/file=.*\|/Ui"; reference:bugtraq,19276; reference:url,doc.emergingthreats.net/2003086; classtype:web-application-attack; sid:2003086; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Barracuda Spam Firewall preview_email.cgi Remote Directory Traversal Attempt"; flow: to_server,established; content:"/cgi-bin/preview_email.cgi?"; nocase; http_uri; pcre:"/file=.+\.\..+\|/Ui"; reference:bugtraq,19276; reference:url,doc.emergingthreats.net/2003087; classtype:web-application-attack; sid:2003087; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible Barracuda IM Firewall smtp_test.cgi Cross-Site Scripting Attempt"; flow:established,to_server; content:"|2F|cgi|2D|mod|2F|smtp|5F|test|2E|cgi"; nocase; http_uri; content:"email|3D|"; nocase; http_uri; content:"hostname|3D|"; nocase; http_uri; content:"default|5F|domain|3D|"; nocase; http_uri; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/37248/info; reference:url,doc.emergingthreats.net/2010462; classtype:web-application-attack; sid:2010462; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Script tag in URI Possible Cross Site Scripting Attempt"; flow:to_server,established; content:"</script>"; fast_pattern:only; nocase; http_uri; flags:!R; metadata: former_category WEB_SERVER; reference:url,ha.ckers.org/xss.html; reference:url,doc.emergingthreats.net/2009714; classtype:web-application-attack; sid:2009714; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2017_05_11;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Onmouseover= in URI - Likely Cross Site Scripting Attempt"; flow:to_server,established; content:"onmouseover="; fast_pattern:only; nocase; http_uri; reference:url,www.w3schools.com/jsref/jsref_onmouseover.asp; reference:url,doc.emergingthreats.net/2009715; classtype:web-application-attack; sid:2009715; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER SQL Injection Attempt (Agent CZ32ts)"; flow:to_server,established; content:"User-Agent|3a| CZ32ts|0d 0a|"; fast_pattern:only; nocase; http_header; reference:url,doc.emergingthreats.net/2009029; reference:url,www.Whitehatsecurityresponse.blogspot.com; classtype:web-application-attack; sid:2010621; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER SQL Injection Attempt (Agent CZxt2s)"; flow:to_server,established; content:"User-Agent|3a| czxt2s|0d 0a|"; fast_pattern:only; nocase; http_header; reference:url,doc.emergingthreats.net/2011174; classtype:web-application-attack; sid:2011174; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Casper Bot Search RFI Scan"; flow:established,to_server; content:"User-Agent|3a| Casper Bot Search|0D 0A|"; fast_pattern:only; nocase; http_header; reference:url,doc.emergingthreats.net/2011175; classtype:web-application-attack; sid:2011175; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Bot Search RFI Scan (ByroeNet/Casper-Like planetwork)"; flow:established,to_server; content:"User-Agent|3a| plaNETWORK Bot Search"; fast_pattern:only; nocase; http_header; metadata: former_category WEB_SERVER; reference:url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/; reference:url,doc.emergingthreats.net/2011243; classtype:web-application-attack; sid:2011243; rev:6; metadata:created_at 2010_07_30, updated_at 2017_05_11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Bot Search RFI Scan (ByroeNet/Casper-Like sun4u)"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.76 [ru] (X11|3b| U|3b| SunOS 5.7 sun4u)"; fast_pattern:only; nocase; http_header; reference:url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/; reference:url,doc.emergingthreats.net/2011244; classtype:web-application-attack; sid:2011244; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Bot Search RFI Scan (Casper-Like Jcomers Bot scan)"; flow:established,to_server; content:"User-Agent|3a| Jcomers Bot scan"; fast_pattern:only; nocase; http_header; metadata: former_category WEB_SERVER; reference:url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/; reference:url,doc.emergingthreats.net/2011285; classtype:web-application-attack; sid:2011285; rev:6; metadata:created_at 2010_07_30, updated_at 2017_05_11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Bot Search RFI Scan (Casper-Like MaMa Cyber/ebes)"; flow:established,to_server; content:"User-Agent|3a| MaMa "; fast_pattern:only; nocase; http_header; reference:url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/; reference:url,doc.emergingthreats.net/2011286; classtype:web-application-attack; sid:2011286; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Cherokee Web Server GET AUX Request Denial Of Service Attempt"; flow:established,to_server; content:"GET |2F|AUX HTTP|2F|1|2E|"; nocase; depth:16; reference:url,securitytracker.com/alerts/2009/Oct/1023095.html; reference:url,www.securityfocus.com/bid/36814/info; reference:url,www.securityfocus.com/archive/1/507456; reference:url,doc.emergingthreats.net/2010229; classtype:attempted-dos; sid:2010229; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cisco IOS HTTP set enable password attack"; flow:established,to_server; content:"/configure/"; http_uri; content:"/enable/"; http_uri; reference:cve,2005-3921; reference:bugtraq,15602; reference:url,www.infohacking.com/INFOHACKING_RESEARCH/Our_Advisories/cisco/index.html; reference:url,doc.emergingthreats.net/2002721; classtype:web-application-attack; sid:2002721; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Cisco CallManager XSS Attempt serverlist.asp pattern"; flow:established,to_server; content:"/CCMAdmin/serverlist.asp?"; nocase; http_uri; content:"pattern="; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2832; reference:url,www.secunia.com/advisories/25377; reference:url,doc.emergingthreats.net/2004556; classtype:web-application-attack; sid:2004556; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible Cisco Adaptive Security Appliance Web VPN FTP or CIFS Authentication Form Phishing Attempt"; flow:established,to_server; content:"|2B|CSCOE|2B 2F|files|2F|browse|2E|html"; nocase; http_raw_uri; content:"code|3D|init"; nocase; http_uri; content:"path|3D|ftp"; nocase; http_uri; reference:url,www.securityfocus.com/bid/35475/info; reference:cve,2009-1203; reference:url,doc.emergingthreats.net/2010457; classtype:attempted-user; sid:2010457; rev:5; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting Attempt"; flow:established,to_server; content:"|2F|ekgnkm|2F|AccessCodeStart|2E|asp"; nocase; http_uri; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,www.securityfocus.com/bid/29191/info; reference:cve,2008-2165; reference:url,doc.emergingthreats.net/2010460; classtype:attempted-user; sid:2010460; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible Cisco Subscriber Edge Services Manager Cross Site Scripting/HTML Injection Attempt"; flow:to_server,established; content:"/servlet/JavascriptProbe"; nocase; http_uri; content:"documentElement=true"; nocase; http_uri; content:"regexp=true"; nocase; http_uri; content:"frames=true"; http_uri; reference:url,www.securityfocus.com/bid/34454/info; reference:url,doc.emergingthreats.net/2010622; classtype:web-application-attack; sid:2010622; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cisco IOS HTTP Server Exec Command Execution Attempt"; flow:to_server,established; content:"/level/15/exec/-/"; fast_pattern:only; nocase; http_uri; pcre:"/\x2Flevel\x2F15\x2Fexec\x2F\x2D\x2F[a-z]/Ui"; reference:url,doc.emergingthreats.net/2010623; classtype:web-application-attack; sid:2010623; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SERVER Possible Cisco ASA Appliance Clientless SSL VPN HTML Rewriting Security Bypass Attempt/Cross Site Scripting Attempt"; flow:to_client,established; file_data; content:"CSCO_WebVPN"; nocase; distance:0; content:"csco_wrap_js"; within:100; nocase; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=18442; reference:url,www.securityfocus.com/archive/1/504516; reference:url,www.securityfocus.com/bid/35476; reference:cve,2009-1201; reference:cve,2009-1202; reference:url,doc.emergingthreats.net/2010730; classtype:web-application-attack; sid:2010730; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible UNION SELECT SQL Injection In Cookie"; flow:to_server,established; content:"UNION "; nocase; http_cookie; content:"SELECT"; nocase; http_cookie; pcre:"/UNION.+SELECT/Ci"; reference:url,www.w3schools.com/sql/sql_union.asp; reference:url,www.w3schools.com/sql/sql_select.asp; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,doc.emergingthreats.net/2009770; classtype:web-application-attack; sid:2009770; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SELECT FROM SQL Injection In Cookie"; flow:to_server,established; content:"SELECT "; nocase; http_cookie; content:"FROM"; nocase; http_cookie; pcre:"/SELECT.+FROM/Ci"; reference:url,www.w3schools.com/sql/sql_select.asp; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,doc.emergingthreats.net/2009771; classtype:web-application-attack; sid:2009771; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible DELETE FROM SQL Injection In Cookie"; flow:to_server,established; content:"DELETE "; nocase; http_cookie; content:"FROM"; nocase; http_cookie; pcre:"/\x0a\x0dCookie\x3a[^\n]DELETE.+FROM/i"; reference:url,www.w3schools.com/Sql/sql_delete.asp; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,doc.emergingthreats.net/2009772; classtype:web-application-attack; sid:2009772; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible INSERT INTO SQL Injection In Cookie"; flow:to_server,established; content:"INSERT "; nocase; http_cookie; content:"INTO"; nocase; http_cookie; pcre:"/INSERT.+INTO/Ci"; reference:url,www.w3schools.com/SQL/sql_insert.asp; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,doc.emergingthreats.net/2009773; classtype:web-application-attack; sid:2009773; rev:38; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible INTO OUTFILE Arbitrary File Write SQL Injection In Cookie"; flow:to_server,established; content:"INTO "; nocase; http_cookie; content:"OUTFILE"; nocase; http_cookie; pcre:"/INTO.+OUTFILE/Ci"; reference:url,www.milw0rm.com/papers/372; reference:url,www.greensql.net/publications/backdoor-webserver-using-mysql-sql-injection; reference:url,websec.wordpress.com/2007/11/17/mysql-into-outfile/; reference:url,doc.emergingthreats.net/2010038; classtype:web-application-attack; sid:2010038; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER xp_cmdshell Attempt in Cookie"; flow:established,to_server; content:"xp_cmdshell"; nocase; http_header; pcre:"/\x0a\x0dCookie\x3a[^\n]+xp_cmdshell/i"; reference:url,www.databasejournal.com/features/mssql/article.php/3372131/Using-xpcmdshell.htm; reference:url,msdn.microsoft.com/en-us/library/ms175046.aspx; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=4072; reference:url,doc.emergingthreats.net/2010119; classtype:web-application-attack; sid:2010119; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cpanel lastvisit.html Arbitary file disclosure"; flow:to_server,established; content:"GET"; http_method; content:"lastvist.html?"; nocase; http_uri; content:"domain="; nocase; http_uri; content:"../"; depth:200; reference:url,milw0rm.com/exploits/9039; reference:bugtraq,35518; reference:url,doc.emergingthreats.net/2009484; classtype:web-application-attack; sid:2009484; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible DD-WRT Metacharacter Injection Command Execution Attempt"; flow:to_server,established; content:"/cgi-bin/|3B|"; fast_pattern:only; nocase; http_uri; pcre:"/\x2Fcgi\x2Dbin\x2F\x3B.+[a-z]/Ui"; reference:url,isc.sans.org/diary.html?storyid=6853; reference:url,www.theregister.co.uk/2009/07/21/critical_ddwrt_router_vuln/; reference:url,doc.emergingthreats.net/2009678; reference:url,www.dd-wrt.com/phpBB2/viewtopic.php?t=55173; reference:bid,35742; reference:cve,2009-2765; classtype:attempted-admin; sid:2009678; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER DataCha0s Web Scanner/Robot"; flow:established,to_server; content:"User-Agent|3a| DataCha0s"; fast_pattern:only; nocase; http_header; reference:url,www.internetofficer.com/web-robot/datacha0s.html; reference:url,doc.emergingthreats.net/2003616; classtype:web-application-activity; sid:2003616; rev:38; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible D-Link Router HNAP Protocol Security Bypass Attempt"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/HNAP1/"; nocase; http_uri; content:"SOAPAction|3A|"; nocase; http_header; content:"DeviceSettings"; http_header; nocase; pcre:"/SoapAction\x3A.+\x2FHNAP1\x2F(set|get)DeviceSettings/si"; reference:url,www.securityfocus.com/bid/37690; reference:url,doc.emergingthreats.net/2010698; classtype:web-application-attack; sid:2010698; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER IBM Lotus Domino BaseTarget XSS attempt"; flow:to_server,established; content:"OpenForm"; nocase; http_uri; pcre:"/BaseTarget=.*?\"/iU"; reference:bugtraq,14845; reference:url,doc.emergingthreats.net/2002376; classtype:web-application-attack; sid:2002376; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER IBM Lotus Domino Src XSS attempt"; flow:to_server,established; content:"OpenFrameSet"; nocase; http_uri; pcre:"/src=.*\"><\/FRAMESET>.*<script>.*<\/script>/iU"; reference:bugtraq,14846; reference:url,doc.emergingthreats.net/2002377; classtype:web-application-attack; sid:2002377; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 401 XSS Attempt (Local Source)"; flow:from_server,established; content:"401"; http_stat_code; content:"Unauthorized";  nocase; file_data; content:"<script"; nocase; depth:280; threshold:type threshold,track by_src,count 10,seconds 60; reference:url,doc.emergingthreats.net/2010513; classtype:web-application-attack; sid:2010513; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 403 XSS Attempt (Local Source)"; flow:from_server,established; content:"403"; http_stat_code; content:"Forbidden"; nocase; file_data; content:"<script"; nocase; depth:280; content:!"location.replace|28 22|https|3a 2f 2f|block.opendns.com"; distance:0; reference:url,doc.emergingthreats.net/2010515; classtype:web-application-attack; sid:2010515; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 404 XSS Attempt (Local Source)"; flow:from_server,established; content:"404"; http_stat_code; content:"Not Found"; nocase; file_data; content:"<script"; nocase; depth:280; metadata: former_category WEB_SERVER; reference:url,doc.emergingthreats.net/2010517; classtype:web-application-attack; sid:2010517; rev:6; metadata:created_at 2010_07_30, updated_at 2017_09_08;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 405 XSS Attempt (Local Source)"; flow:from_server,established; content:"405"; http_stat_code; content:"Method Not Allowed"; nocase; file_data; content:"<script"; nocase; depth:280; reference:url,doc.emergingthreats.net/2010519; classtype:web-application-attack; sid:2010519; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 406 XSS Attempt (Local Source)"; flow:from_server,established; content:"406"; http_stat_code; content:"Not Acceptable"; nocase; file_data; content:"<script"; nocase; depth:280; reference:url,doc.emergingthreats.net/2010521; classtype:web-application-attack; sid:2010521; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 500 XSS Attempt (Internal Source)"; flow:from_server,established; content:"500"; http_stat_code; content:"Internal Server Error"; nocase; file_data; content:"<script"; nocase; depth:280; reference:url,doc.emergingthreats.net/2010524; classtype:web-application-attack; sid:2010524; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 503 XSS Attempt (Internal Source)"; flow:from_server,established; content:"503"; http_stat_code; content:"Service Unavailable"; nocase; file_data; content:"<script"; nocase; depth:280; reference:url,doc.emergingthreats.net/2010526; classtype:web-application-attack; sid:2010526; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER cmd.exe In URI - Possible Command Execution Attempt"; flow:to_server,established; content:"/cmd.exe"; fast_pattern:only; nocase; http_uri; reference:url,doc.emergingthreats.net/2009361; classtype:attempted-recon; sid:2009361; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER /system32/ in Uri - Possible Protected Directory Access Attempt"; flow:to_server,established; content:"/system32/"; fast_pattern:only; nocase; http_uri; reference:url,doc.emergingthreats.net/2009362; classtype:attempted-recon; sid:2009362; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Suspicious Chmod Usage in URI"; flow:to_server,established; content:"chmod"; fast_pattern:only; nocase; http_uri; pcre:"/chmod\s+([+-][rwx]|[0-7])/Ui"; reference:url,doc.emergingthreats.net/2009363; classtype:attempted-admin; sid:2009363; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER HP LaserJet Printer Cross Site Scripting Attempt"; flow:established,to_server; content:"/support_param.html/config"; nocase; http_uri; content:"Admin_Name=&Admin_Phone="; nocase; http_uri; content:"Product_URL="; nocase; http_uri; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange).+Apply\x3DApply/Ui"; reference:url,dsecrg.com/pages/vul/show.php?id=148; reference:cve,2009-2684; reference:url,doc.emergingthreats.net/2010919; classtype:web-application-attack; sid:2010919; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 3443 (msg:"ET WEB_SERVER HP OpenView Network Node Manager Remote Command Execution Attempt"; flow:to_server,established; content:"/OvCgi/connectedNodes.ovpl?"; nocase; pcre:"/node=.*\|.+\|/i"; reference:bugtraq,14662; reference:url,doc.emergingthreats.net/2002365; classtype:web-application-attack; sid:2002365; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER HP OpenView Network Node Manager CGI Directory Traversal"; flow:to_server,established; content:"GET"; http_method; content:"/OvCgi/"; nocase; http_uri; content:"/OpenView5.exe?"; nocase; http_uri; content:"Action=../../"; nocase; fast_pattern:only; content:" HTTP/1"; reference:bugtraq,28745; reference:cve,CVE-2008-0068; reference:url,aluigi.altervista.org/adv/closedviewx-adv.txt; reference:url,doc.emergingthreats.net/2008171; classtype:web-application-attack; sid:2008171; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER HP OpenView Network Node Manager Snmp.exe CGI Buffer Overflow Attempt"; flow:established,to_server; content:"GET"; nocase;  http_method; content:"/OvCgi/Main/Snmp.exe"; nocase; http_uri; content:"Host="; nocase; content:"Oid="; nocase; within:50; isdataat:600,relative; pcre:"/\x2FOvCgi\x2FMain\x2FSnmp\x2Eexe.+id\x3D.{600}/smi"; reference:cve,2009-3849; reference:url,doc.emergingthreats.net/2010687; classtype:web-application-attack; sid:2010687; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible HP OpenView Network Node Manager ovalarm.exe CGI Buffer Overflow Attempt"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/OvCgi/ovalarm.exe"; nocase; http_uri; content:"OVABverbose="; nocase; http_uri; content:"Accept-Language|3A 20|"; nocase; isdataat:100,relative; content:!"|0A|"; within:100; reference:cve,2009-4179; reference:url,doc.emergingthreats.net/2010704; classtype:web-application-attack; sid:2010704; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER HP OpenView /OvCgi/Toolbar.exe Accept Language Heap Buffer Overflow Attempt"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/OvCgi/Toolbar.exe"; nocase; http_uri; content:"Accept-Language|3A|"; nocase; isdataat:1350,relative; content:!"|0A|"; within:1350; reference:cve,2009-0921; reference:url,doc.emergingthreats.net/2010864; classtype:web-application-attack; sid:2010864; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER HP OpenView Network Node Manager OvWebHelp.exe Heap Buffer Overflow Attempt"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/OvCgi/OvWebHelp.exe"; nocase; http_uri; content:"Topic="; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:cve,2009-4178; reference:url,doc.emergingthreats.net/2010970; classtype:web-application-attack; sid:2010970; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Alternate Data Stream source view attempt"; flow: to_server,established; content:"|3A 3A|$DATA"; http_uri; reference:url,support.microsoft.com/kb/q188806/; reference:cve,1999-0278; reference:url,doc.emergingthreats.net/2001365; classtype:web-application-activity; sid:2001365; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER IIS ASP.net Auth Bypass / Canonicalization"; flow: to_server,established; content:"GET"; nocase; http_method; content:"|5C|"; http_uri; content:".aspx"; within:100; nocase; http_uri; reference:url,doc.emergingthreats.net/2001342; reference:cve,CVE-2004-0847; classtype:web-application-attack; sid:2001342; rev:25; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER IIS ASP.net Auth Bypass / Canonicalization % 5 C"; flow: to_server,established; content:".aspx"; nocase; http_uri; content:"GET"; nocase; http_method; content:"%5C"; nocase; content:"aspx"; within:100; reference:url,doc.emergingthreats.net/2001343; classtype:web-application-attack; sid:2001343; rev:22; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .asp Filename Extension Parsing File Upload Security Bypass Attempt (asp)"; flow:established,to_server; content:".asp|3B 2E|"; fast_pattern:only; nocase; http_uri; reference:url,www.securityfocus.com/bid/37460/info; reference:url,doc.emergingthreats.net/2010592; reference:url,www.securityfocus.com/bid/37460/info; reference:url,soroush.secproject.com/downloadable/iis-semicolon-report.pdf; reference:cve,2009-4444; classtype:web-application-attack; sid:2010592; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .aspx Filename Extension Parsing File Upload Security Bypass Attempt (aspx)"; flow:established,to_server; content:".aspx|3B 2E|"; fast_pattern:only; nocase; http_uri; reference:url,www.securityfocus.com/bid/37460/info; reference:url,doc.emergingthreats.net/2010593; reference:url,www.securityfocus.com/bid/37460/info; reference:url,soroush.secproject.com/downloadable/iis-semicolon-report.pdf; reference:cve,2009-4444; classtype:web-application-attack; sid:2010593; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"ET WEB_SERVER THCIISLame IIS SSL Exploit Attempt"; flow: to_server,established; content:"THCOWNZIIS!"; fast_pattern:only; reference:url,www.thc.org/exploits/THCIISSLame.c; reference:url,isc.sans.org/diary.php?date=2004-07-17; reference:url,doc.emergingthreats.net/2000559; classtype:web-application-attack; sid:2000559; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER JBOSS/JMX REMOTE WAR deployment attempt (POST)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/jmx-console/HtmlAdaptor"; nocase; http_uri; content:"action=invokeOp&name=jboss.deployment"; nocase; content:"flavor%253DURL%252Ctype%253DDeploymentScanner"; within:50; nocase; content:"=http%3A%2F%2F"; within:40; reference:url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; reference:url,doc.emergingthreats.net/2010379; classtype:web-application-attack; sid:2010379; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER JBOSS/JMX REMOTE WAR deployment attempt (GET)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.deployment"; http_uri; content:"DeploymentScanner"; nocase; http_uri; content:"methodName=addURL"; nocase; http_uri; content:"=http"; nocase; http_uri; reference:url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; reference:url,doc.emergingthreats.net/2010380; classtype:web-application-attack; sid:2010380; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Possible Successful Juniper NetScreen ScreenOS Firmware Version Disclosure Attempt"; flow:established,from_server; file_data; content:"Juniper Networks, Inc"; content:"Version|3A|"; within:100; content:"ScreenOS"; distance:0; reference:url,securitytracker.com/alerts/2009/Apr/1022123.html; reference:url,www.securityfocus.com/bid/34710; reference:url,seclists.org/bugtraq/2009/Apr/242; reference:url,www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-05; reference:url,doc.emergingthreats.net/2010162; classtype:attempted-recon; sid:2010162; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER LANDesk Command Injection Attempt"; flow:established,to_server; content:"POST"; nocase;  http_method; content:"/gsb/datetime.php"; nocase; http_uri; content:"delBackupName"; nocase; http_client_body; content:"backupRestoreFormSubmitted"; nocase; reference:url,www.coresecurity.com/content/landesk-csrf-vulnerability; reference:cve,2010-0369; reference:url,doc.emergingthreats.net/2010863; classtype:web-application-attack; sid:2010863; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Light Weight Calendar 'date' Arbitrary Remote Code Execution"; flow: to_server,established; content:"/index.php?"; nocase; http_uri; content:"date="; fast_pattern; http_uri; pcre:"/date=\d{8}\)\;./Ui"; reference:url,doc.emergingthreats.net/2002777; classtype:web-application-attack; sid:2002777; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER MSSQL Server OLEDB asp error"; flow: established,from_server; file_data; content:"Microsoft OLE DB Provider for SQL Server error";  distance:0; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d42.htm; reference:url,doc.emergingthreats.net/2001768; classtype:web-application-activity; sid:2001768; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SQL sp_start_job attempt"; flow:to_server,established; content:"sp_start_job"; nocase; fast_pattern:only; reference:url,doc.emergingthreats.net/2010004; classtype:attempted-user; sid:2010004; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SQL sp_password attempt"; flow:to_server,established; content:"sp_password"; nocase; fast_pattern:only; reference:url,doc.emergingthreats.net/2000105; classtype:attempted-user; sid:2000105; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SQL sp_delete_alert attempt"; flow:to_server,established; content:"sp_delete_alert"; nocase; fast_pattern:only; reference:url,doc.emergingthreats.net/2000106; classtype:attempted-user; sid:2000106; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_cmdshell Stored Procedure Via URI"; flow:established,to_server; content:"EXEC"; nocase; http_uri; content:"xp_cmdshell"; nocase; http_uri; reference:url,msdn.microsoft.com/en-us/library/ms175046.aspx; reference:url,www.databasejournal.com/features/mssql/article.php/3372131/Using-xpcmdshell.htm; reference:url,doc.emergingthreats.net/2009815; classtype:web-application-attack; sid:2009815; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_servicecontrol Stored Procedure Via URI"; flow:established,to_server; content:"EXEC"; nocase; http_uri; content:"xp_servicecontrol"; nocase; http_uri; pcre:"/(start|stop|continue|pause|querystate)/Ui"; reference:url,www.sqlusa.com/bestpractices2005/administration/xpservicecontrol/; reference:url,doc.emergingthreats.net/2009816; classtype:web-application-attack; sid:2009816; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Attempt To Access MSSQL sp_adduser Stored Procedure Via URI to Create New Database User"; flow:established,to_server; content:"EXEC"; nocase; http_uri; content:"sp_adduser"; nocase; http_uri; reference:url,technet.microsoft.com/en-us/library/ms181422.aspx; reference:url,doc.emergingthreats.net/2009817; classtype:web-application-attack; sid:2009817; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_regread/xp_regwrite/xp_regdeletevalue/xp_regdeletekey Stored Procedure Via URI to Modify Registry"; flow:established,to_server; content:"EXEC"; nocase; http_uri; content:"xp_reg"; nocase; http_uri; pcre:"/xp_reg(read|write|delete)/Ui"; reference:url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm; reference:url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx; reference:url,doc.emergingthreats.net/2009818; classtype:web-application-attack; sid:2009818; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_fileexist Stored Procedure Via URI to Locate Files On Disk"; flow:established,to_server; content:"EXEC"; nocase; http_uri; content:"xp_fileexist"; nocase; http_uri; reference:url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm; reference:url,www.dugger-it.com/articles/xp_fileexist.asp; reference:url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx; reference:url,doc.emergingthreats.net/2009819; classtype:web-application-attack; sid:2009819; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_enumerrorlogs Stored Procedure Via URI to View Error Logs"; flow:established,to_server; content:"EXEC"; nocase; http_uri; content:"xp_enumerrorlogs"; nocase; http_uri; reference:url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm; reference:url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx; reference:url,doc.emergingthreats.net/2009820; classtype:web-application-attack; sid:2009820; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_readerrorlogs Stored Procedure Via URI to View Error Logs"; flow:established,to_server; content:"EXEC"; nocase; http_uri; content:"xp_readerrorlogs"; nocase; http_uri; reference:url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx; reference:url,www.sqlteam.com/article/using-xp_readerrorlog-in-sql-server-2005; reference:url,doc.emergingthreats.net/2009822; classtype:web-application-attack; sid:2009822; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_enumdsn/xp_enumgroups/xp_ntsec_enumdomains Stored Procedure Via URI"; flow:established,to_server; content:"EXEC"; nocase; http_uri; content:"xp_"; nocase; http_uri; content:"_enum"; nocase; http_uri; pcre:"/(xp_enumdsn|xp_enumgroups|xp_ntsec_enumdomains)/Ui"; reference:url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; reference:url,msdn.microsoft.com/en-us/library/ms173792.aspx; reference:url,doc.emergingthreats.net/2009823; classtype:web-application-attack; sid:2009823; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Attack Tool Morfeus F Scanner - M"; flow:established,to_server; content:"User-Agent|3a| M Fucking Scanner"; fast_pattern:only; nocase; http_header; reference:url,www.webmasterworld.com/search_engine_spiders/3227720.htm; reference:url,doc.emergingthreats.net/2003466; classtype:web-application-attack; sid:2009799; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Nagios statuswml.cgi Remote Arbitrary Shell Command Injection attempt"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/statuswml.cgi?"; nocase; http_uri; content:"ping"; nocase; http_uri; pcre:"/ping\s*=\s*([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[^\x26\x0D\x0A]*\x3B)/Ui"; reference:bugtraq,35464; reference:url,doc.emergingthreats.net/2009670; classtype:web-application-attack; sid:2009670; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 8300 (msg:"ET WEB_SERVER Novell GroupWise Messenger Accept Language Buffer Overflow"; flow:established,to_server; content:"Accept-Language"; fast_pattern:only; nocase; pcre:"/^Accept-Language\:[^\n]*?[^,\;\n]{17}/mi"; reference:cve,2006-0992; reference:bugtraq,17503; reference:url,doc.emergingthreats.net/2002865; classtype:attempted-user; sid:2002865; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER osCommerce extras/update.php disclosure"; flow:to_server,established; content:"extras/update.php"; nocase; http_uri; reference:url,retrogod.altervista.org/oscommerce_22_adv.html; reference:url,doc.emergingthreats.net/2002864; classtype:attempted-recon; sid:2002864; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Oracle Reports XML Information Disclosure"; flow:established,to_server; content:"GET"; nocase;  http_method; content:"CUSTOMIZE=/"; nocase; http_uri; pcre:"/(showenv|parsequery|rwservlet)\?.*CUSTOMIZE=\//Ui"; reference:url,www.oracle.com/technology/products/reports/index.html; reference:url,www.red-database-security.com/advisory/oracle_reports_read_any_xml_file.html; reference:url,doc.emergingthreats.net/2002131; classtype:web-application-activity; sid:2002131; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Oracle Reports DESFORMAT Information Disclosure"; flow:established,to_server; content:"GET"; nocase; http_method; content:"destype=file"; nocase; http_uri; content:"desformat="; nocase; http_uri; pcre:"/(showenv|parsequery|rwservlet)\?.*destype=file.*desformat=\//Ui"; reference:url,www.oracle.com/technology/products/reports/index.html; reference:url,www.red-database-security.com/advisory/oracle_reports_read_any_file.html; reference:url,doc.emergingthreats.net/2002132; classtype:web-application-activity; sid:2002132; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Oracle Reports OS Command Injection Attempt"; flow:established,to_server; content:"GET"; nocase; http_method; content:"report="; nocase;  http_uri; pcre:"/(showenv|parsequery|rwservlet)\?.*report=.*\.(rdf|rep)/Ui"; reference:url,www.oracle.com/technology/products/reports/index.html; reference:url,www.red-database-security.com/advisory/oracle_reports_run_any_os_command.html; reference:url,doc.emergingthreats.net/2002133; classtype:web-application-activity; sid:2002133; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET WEB_SERVER Oracle Secure Enterprise Search 10.1.8 search Script XSS attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/search/query/search"; nocase; content:"search_p_groups="; nocase; content:"script"; nocase; pcre:"/<?(java|vb)?script>?/i"; reference:url,dsecrg.com/pages/vul/show.php?id=125; reference:url,doc.emergingthreats.net/2009643; classtype:web-application-attack; sid:2009643; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7011 (msg:"ET WEB_SERVER Oracle BEA Weblogic Server 10.3 searchQuery XSS attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/consolehelp/console-help.portal"; nocase; content:"searchQuery="; nocase; content:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/i"; reference:url,dsecrg.com/pages/vul/show.php?id=131; reference:url,doc.emergingthreats.net/2009644; classtype:web-application-attack; sid:2009644; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP Easteregg Information-Disclosure (phpinfo)"; flow:to_server,established; content:"?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000"; fast_pattern:only; http_uri; reference:url,osvdb.org/12184; reference:url,www.0php.com/php_easter_egg.php; reference:url,seclists.org/nmap-dev/2010/q2/569; reference:url,doc.emergingthreats.net/2011141; classtype:attempted-recon; sid:2011141; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP Easteregg Information-Disclosure (php-logo)"; flow:to_server,established; content:"?=PHPE9568F34-D428-11d2-A769-00AA001ACF42"; fast_pattern:only; http_uri; reference:url,osvdb.org/12184; reference:url,www.0php.com/php_easter_egg.php; reference:url,seclists.org/nmap-dev/2010/q2/569; reference:url,doc.emergingthreats.net/2011142; classtype:attempted-recon; sid:2011142; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP Easteregg Information-Disclosure (zend-logo)"; flow:to_server,established; content:"?=PHPE9568F35-D428-11d2-A769-00AA001ACF42"; fast_pattern:only; http_uri; reference:url,osvdb.org/12184; reference:url,www.0php.com/php_easter_egg.php; reference:url,seclists.org/nmap-dev/2010/q2/569; reference:url,doc.emergingthreats.net/2011143; classtype:attempted-recon; sid:2011143; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP Easteregg Information-Disclosure (funny-logo)"; flow:to_server,established; content:"?=PHPE9568F36-D428-11d2-A769-00AA001ACF42"; fast_pattern:only; http_uri; reference:url,osvdb.org/12184; reference:url,www.0php.com/php_easter_egg.php; reference:url,seclists.org/nmap-dev/2010/q2/569; reference:url,doc.emergingthreats.net/2011144; classtype:attempted-recon; sid:2011144; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Exploit Suspected PHP Injection Attack (cmd=)"; flow:to_server,established; content:"GET"; nocase; http_method; content:".php?"; nocase; http_uri; content:"cmd="; http_uri; fast_pattern; nocase; pcre:"/[&?]cmd=[^\x26\x28]*(?:cd|\;|echo|cat|perl|curl|wget|id|uname|t?ftp)/Ui"; reference:cve,2002-0953; reference:url,doc.emergingthreats.net/2010920; classtype:web-application-attack; sid:2010920; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP Generic Remote File Include Attempt (HTTP)"; flow:to_server,established; content:".php"; nocase; http_uri; content:"=http|3a|/"; nocase; http_uri; pcre:"/\x2Ephp\x3F.{0,300}\x3Dhttp\x3A\x2F[^\x3F\x26]+\x3F/Ui"; reference:url,doc.emergingthreats.net/2009151; classtype:web-application-attack; sid:2009151; rev:7; metadata:affected_product Any, attack_target Server, deployment Datacenter, tag Remote_File_Include, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP Generic Remote File Include Attempt (HTTPS)"; flow:to_server,established; content:".php"; nocase; http_uri; content:"=https|3a|/"; nocase; http_uri; pcre:"/\x2Ephp\x3F.{0,300}\x3Dhttps\x3A\x2F[^\x3F\x26]+\x3F/Ui"; reference:url,doc.emergingthreats.net/2009152; classtype:web-application-attack; sid:2009152; rev:8; metadata:affected_product Any, attack_target Server, deployment Datacenter, tag Remote_File_Include, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP Generic Remote File Include Attempt (FTP)"; flow:to_server,established; content:".php"; nocase; http_uri; content:"=ftp|3a|/"; nocase; http_uri; pcre:"/\x2Ephp\x3F.{0,300}\x3Dftp\x3A\x2F[^\x3F\x26]+\x3F/Ui"; reference:url,doc.emergingthreats.net/2009153; classtype:web-application-attack; sid:2009153; rev:8; metadata:affected_product Any, attack_target Server, deployment Datacenter, tag Remote_File_Include, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP Generic Remote File Include Attempt (FTPS)"; flow:to_server,established; content:".php"; nocase; http_uri; content:"=ftps|3a|/"; nocase; http_uri; pcre:"/\x2Ephp\x3F.{0,300}\x3Dftp\x3A\x2F[^\x3F\x26]+\x3F/Ui"; reference:url,doc.emergingthreats.net/2009155; classtype:web-application-attack; sid:2009155; rev:9; metadata:affected_product Any, attack_target Server, deployment Datacenter, tag Remote_File_Include, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Attack Tool Revolt Scanner"; flow:established,to_server; content:"User-Agent|3a| revolt"; http_header; reference:url,www.Whitehatsecurityresponse.blogspot.com; reference:url,doc.emergingthreats.net/2009288; classtype:web-application-attack; sid:2009288; rev:56; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt DELETE FROM"; flow:established,to_server; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006443; classtype:web-application-attack; sid:2006443; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt INSERT INTO"; flow:established,to_server; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006444; classtype:web-application-attack; sid:2006444; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM"; flow:established,to_server; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT\b.*FROM/Ui"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006445; classtype:web-application-attack; sid:2006445; rev:12; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT"; flow:established,to_server; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006446; classtype:web-application-attack; sid:2006446; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt UPDATE SET"; flow:established,to_server; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; distance:0; http_uri; pcre:"/\WUPDATE\s+[A-Za-z0-9$_].*?\WSET\s+[A-Za-z0-9$_].*?\x3d/Ui"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006447; classtype:web-application-attack; sid:2006447; rev:14; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection (varchar)"; flow:established,to_server; content:"varchar("; nocase; http_uri; reference:url,doc.emergingthreats.net/2008175; classtype:attempted-admin; sid:2008175; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection (exec)"; flow:established,to_server; content:"exec("; nocase; http_uri; reference:url,doc.emergingthreats.net/2008176; classtype:attempted-admin; sid:2008176; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt Danmec related (declare)"; flow:established,to_server; content:"DECLARE "; nocase; http_uri; content:"CHAR("; nocase; http_uri; content:"CAST("; nocase; http_uri; reference:url,doc.emergingthreats.net/2008467; classtype:attempted-admin; sid:2008467; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER SQL Injection Attempt (Agent NV32ts)"; flow:to_server,established; content:"User-Agent|3a| NV32ts|0d 0a|"; fast_pattern:only; http_header; reference:url,doc.emergingthreats.net/2009029; classtype:web-application-attack; sid:2009029; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection INTO OUTFILE Arbitrary File Write Attempt"; flow:established,to_server; content:"INTO"; nocase; http_uri; content:"OUTFILE"; nocase; http_uri; pcre:"/INTO.+OUTFILE/Ui"; reference:url,www.milw0rm.com/papers/372; reference:url,www.greensql.net/publications/backdoor-webserver-using-mysql-sql-injection; reference:url,websec.wordpress.com/2007/11/17/mysql-into-outfile/; reference:url,doc.emergingthreats.net/2010037; classtype:web-application-attack; sid:2010037; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible ALTER SQL Injection Attempt"; flow:to_server,established; content:"ALTER"; nocase; http_uri; pcre:"/ALTER\ +(database|procedure|table|column)/Ui"; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,www.w3schools.com/SQl/sql_alter.asp; reference:url,doc.emergingthreats.net/2010084; classtype:web-application-attack; sid:2010084; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible DROP SQL Injection Attempt"; flow:to_server,established; content:"DROP"; nocase; http_uri; pcre:"/DROP\ +(database|procedure|table|column)/Ui"; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,www.w3schools.com/SQl/sql_drop.asp; reference:url,doc.emergingthreats.net/2010085; classtype:web-application-attack; sid:2010085; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CREATE SQL Injection Attempt in URI"; flow:to_server,established; content:"CREATE"; nocase; http_uri; pcre:"/CREATE\ +(database|procedure|table|column|directory)/Ui"; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,www.w3schools.com/Sql/sql_create_db.asp; reference:url,doc.emergingthreats.net/2010086; classtype:web-application-attack; sid:2010086; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SELECT INSTR in URI Possible ORACLE Related Blind SQL Injection Attempt"; flow:established,to_server; content:"SELECT"; nocase; http_uri; content:"INSTR"; nocase; http_uri; pcre:"/SELECT.+INSTR/Ui"; metadata: former_category WEB_SERVER; reference:url,www.psoug.org/reference/substr_instr.html; reference:url,www.easywebtech.com/artical/Oracle_INSTR.html; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,msdn.microsoft.com/en-us/library/ms161953.aspx; reference:url,doc.emergingthreats.net/2010284; classtype:web-application-attack; sid:2010284; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2017_05_11;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SELECT SUBSTR/ING in URI Possible Blind SQL Injection Attempt"; flow:established,to_server; content:"SELECT"; nocase; http_uri; content:"SUBSTR"; nocase; http_uri; pcre:"/SELECT.+SUBSTR/Ui"; metadata: former_category WEB_SERVER; reference:url,www.1keydata.com/sql/sql-substring.html; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,msdn.microsoft.com/en-us/library/ms161953.aspx; reference:url,doc.emergingthreats.net/2010285; classtype:web-application-attack; sid:2010285; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2017_05_11;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SELECT INSTR in Cookie, Possible ORACLE Related Blind SQL Injection Attempt"; flow:established,to_server; content:"SELECT "; nocase; http_cookie; content:"INSTR"; nocase; http_cookie; pcre:"/SELECT.+INSTR/Ci"; reference:url,www.psoug.org/reference/substr_instr.html; reference:url,www.easywebtech.com/artical/Oracle_INSTR.html; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,msdn.microsoft.com/en-us/library/ms161953.aspx; reference:url,doc.emergingthreats.net/2010286; classtype:web-application-attack; sid:2010286; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SELECT SUBSTR/ING in Cookie, Possible Blind SQL Injection Attempt"; flow:established,to_server; content:"SELECT "; nocase; http_cookie; content:"SUBSTR"; nocase; http_cookie; pcre:"/SELECT.+SUBSTR/Ci"; reference:url,www.1keydata.com/sql/sql-substring.html; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,msdn.microsoft.com/en-us/library/ms161953.aspx; reference:url,doc.emergingthreats.net/2010287; classtype:web-application-attack; sid:2010287; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SELECT USER SQL Injection Attempt in URI"; flow:established,to_server; content:"SELECT"; nocase; http_uri; content:"USER"; nocase; http_uri; pcre:"/SELECT[^a-z].+USER/Ui"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2010963; classtype:web-application-attack; sid:2010963; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SHOW CHARACTER SET SQL Injection Attempt in URI"; flow:established,to_server; content:"SHOW"; nocase; http_uri; content:"CHARACTER"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/SHOW.+CHARACTER.+SET/Ui"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,dev.mysql.com/doc/refman/5.0/en/show-character-set.html; reference:url,doc.emergingthreats.net/2010964; classtype:web-application-attack; sid:2010964; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SHOW VARIABLES SQL Injection Attempt in URI"; flow:established,to_server; content:"SHOW"; nocase; http_uri; content:"VARIABLES"; nocase; http_uri; pcre:"/SHOW.+VARIABLES/Ui"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,dev.mysql.com/doc/refman/5.1/en/server-system-variables.html; reference:url,doc.emergingthreats.net/2010965; classtype:web-application-attack; sid:2010965; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SHOW CURDATE/CURTIME SQL Injection Attempt in URI"; flow:established,to_server; content:"SHOW"; nocase; http_uri; content:"CUR"; nocase; http_uri; pcre:"/SHOW.+CUR(DATE|TIME)/Ui"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,dev.mysql.com/doc/refman/5.1/en/date-and-time-functions.html#function_curdate; reference:url,dev.mysql.com/doc/refman/5.1/en/date-and-time-functions.html#function_curtime; reference:url,doc.emergingthreats.net/2010966; classtype:web-application-attack; sid:2010966; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SHOW TABLES SQL Injection Attempt in URI"; flow:established,to_server; content:"SHOW"; nocase; http_uri; content:"TABLES"; nocase; http_uri; pcre:"/SHOW.+TABLES/Ui"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,dev.mysql.com/doc/refman/4.1/en/show-tables.html; reference:url,doc.emergingthreats.net/2010967; classtype:web-application-attack; sid:2010967; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SQL Injection BULK INSERT in URI to Insert File Content into Database Table"; flow:established,to_server; content:"BULK"; nocase; http_uri; content:"INSERT"; nocase; http_uri; distance:0; reference:url,msdn.microsoft.com/en-us/library/ms188365.aspx; reference:url,msdn.microsoft.com/en-us/library/ms175915.aspx; reference:url,www.sqlteam.com/article/using-bulk-insert-to-load-a-text-file; reference:url,doc.emergingthreats.net/2011035; classtype:web-application-attack; sid:2011035; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Attempt to Get SQL Server Version in URI using SELECT VERSION"; flow:established,to_server; content:"SELECT"; nocase; http_uri; content:"VERSION"; nocase; http_uri; distance:1; reference:url,support.microsoft.com/kb/321185; reference:url,doc.emergingthreats.net/2011037; classtype:web-application-attack; sid:2011037; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible INSERT VALUES SQL Injection Attempt"; flow:established,to_server; content:"INSERT"; nocase; http_uri; content:"VALUES"; nocase; http_uri; pcre:"/INSERT.+VALUES/Ui"; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; reference:url,en.wikipedia.org/wiki/Insert_(SQL); reference:url,doc.emergingthreats.net/2011039; classtype:web-application-attack; sid:2011039; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Usage of MYSQL Comments in URI for SQL Injection"; flow:established,to_server; content:"/*"; http_uri; content:"*/"; http_uri; pcre:"/\x2F\x2A.+\x2A\x2F/U"; reference:url,dev.mysql.com/doc/refman/5.0/en/comments.html; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2011040; classtype:web-application-attack; sid:2011040; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER MYSQL Benchmark Command in URI to Consume Server Resources"; flow:established,to_server; content:"BENCHMARK("; nocase; http_uri; content:")"; http_uri; pcre:"/BENCHMARK\x28[0-9].+\x29/Ui"; reference:url,dev.mysql.com/doc/refman/5.1/en/information-functions.html#function_benchmark; reference:url,doc.emergingthreats.net/2011041; classtype:web-application-attack; sid:2011041; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER MYSQL SELECT CONCAT SQL Injection Attempt"; flow:established,to_server; content:"SELECT"; nocase; http_uri; content:"CONCAT"; nocase; http_uri; pcre:"/SELECT.+CONCAT/Ui"; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; reference:url,www.webdevelopersnotes.com/tutorials/sql/a_little_more_on_the_mysql_select_statement.php3; reference:url,doc.emergingthreats.net/2011042; classtype:web-application-attack; sid:2011042; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL injection obfuscated via REVERSE function"; flow:established,to_server; content:"REVERSE"; fast_pattern:only; nocase; http_uri; pcre:"/[^\w]REVERSE[^\w]?\(/Ui"; reference:url,snosoft.blogspot.com/2010/05/reversenoitcejni-lqs-dnilb-bank-hacking.html; reference:url,doc.emergingthreats.net/2011122; classtype:web-application-attack; sid:2011122; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER /etc/shadow Detected in URI"; flow:to_server,established; content:"/etc/shadow"; nocase; http_uri; reference:url,en.wikipedia.org/wiki/Shadow_password; reference:url,doc.emergingthreats.net/2009485; classtype:attempted-recon; sid:2009485; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Microsoft SharePoint XSS Attempt default.aspx"; flow:established,to_server; content:"/default.aspx?"; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2581; reference:url,www.securityfocus.com/bid/23832; reference:url,doc.emergingthreats.net/2003903; classtype:web-application-attack; sid:2003903; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Microsoft SharePoint XSS Attempt index.php form mail"; flow:established,to_server; content:"/contact/contact/index.php?"; nocase; http_uri; content:"form[mail]="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003904; classtype:web-application-attack; sid:2003904; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Microsoft SharePoint Server 2007 _layouts/help.aspx Cross Site Scripting Attempt"; flow:established,to_server; content:"/_layouts/help.aspx"; nocase; http_uri; content:"cid0="; nocase; http_uri; pcre:"/cid0\x3d.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,www.htbridge.ch/advisory/xss_in_microsoft_sharepoint_server_2007.html; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20415; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-039.mspx; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20610; reference:cve,2010-0817; reference:url,doc.emergingthreats.net/2011073; classtype:web-application-attack; sid:2011073; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER /bin/bash In URI, Possible Shell Command Execution Attempt Within Web Exploit"; flow:established,to_server; content:"/bin/bash"; http_uri; reference:url,doc.emergingthreats.net/2010667; classtype:web-application-attack; sid:2010667; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Sun Microsystems Sun Java System Web Server Remote File Disclosure Attempt"; flow:established,to_server; content:"UNLOCK"; nocase; http_method; content:"Connection|3A| Close"; nocase; content:"Lock-token|3A|"; nocase; reference:url,www.packetstormsecurity.org/1004-exploits/sun-knockout.txt; reference:url,doc.emergingthreats.net/2011015; classtype:web-application-attack; sid:2011015; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Sun Microsystems Sun Java System Web Server Long OPTIONS URI Overflow Attmept"; flow:established,to_server; content:"OPTIONS|20|"; depth:8; nocase; isdataat:400,relative; content:!"|0A|"; within:400; reference:url,www.packetstormsecurity.com/1004-exploits/sunjavasystem-exec.txt; reference:cve,2010-0361; reference:url,doc.emergingthreats.net/2011016; classtype:web-application-attack; sid:2011016; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER TIEHTTP User-Agent"; flow:to_server,established; content:"User-Agent|3a| tiehttp"; fast_pattern:only; nocase; http_header; reference:url,www.torry.net/authorsmore.php?id=4292; classtype:web-application-activity; sid:2011759; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI - potential .php~ source disclosure vulnerability"; flow:established,to_server; content:"GET"; http_method; nocase; content:".php~"; nocase; http_uri; metadata: former_category WEB_SERVER; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009955; classtype:web-application-attack; sid:2009955; rev:12; metadata:created_at 2010_07_30, updated_at 2017_04_28;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI - potential .pl source disclosure vulnerability"; flow:established,to_server; content:"GET"; http_method; nocase; content:".pl~"; nocase; http_uri; metadata: former_category WEB_SERVER; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009949; classtype:web-application-attack; sid:2009949; rev:11; metadata:created_at 2010_07_30, updated_at 2017_04_28;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI - potential .inc source disclosure vulnerability"; flow:established,to_server; content:"GET"; nocase;  http_method; content:".inc~"; nocase; http_uri; metadata: former_category WEB_SERVER; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009950; classtype:web-application-attack; sid:2009950; rev:11; metadata:created_at 2010_07_30, updated_at 2017_04_28;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI - potential .conf source disclosure vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:".conf~"; nocase; http_uri; metadata: former_category WEB_SERVER; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009951; classtype:web-application-attack; sid:2009951; rev:11; metadata:created_at 2010_07_30, updated_at 2017_04_28;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI - potential .asp source disclosure vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:".asp~"; nocase; http_uri; metadata: former_category WEB_SERVER; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009952; classtype:web-application-attack; sid:2009952; rev:11; metadata:created_at 2010_07_30, updated_at 2017_04_28;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI - potential .aspx source disclosure vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:".aspx~"; nocase; http_uri; metadata: former_category WEB_SERVER; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009953; classtype:web-application-attack; sid:2009953; rev:11; metadata:created_at 2010_07_30, updated_at 2017_04_28;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI - potential .cgi source disclosure vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:".cgi~"; nocase; http_uri; metadata: former_category WEB_SERVER; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2010820; classtype:web-application-attack; sid:2010820; rev:5; metadata:created_at 2010_07_30, updated_at 2017_04_28;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Poison Null Byte"; flow:established,to_server; content:"|00|"; http_uri; depth:2400; reference:cve,2006-4542; reference:cve,2006-4458; reference:cve,2006-3602; reference:url,www.security-assessment.com/Whitepapers/0x00_vs_ASP_File_Uploads.pdf; reference:url,doc.emergingthreats.net/2003099; classtype:web-application-activity; sid:2003099; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebDAV search overflow"; flow:to_server,established; content:"SEARCH "; depth:8; nocase; isdataat:1000,relative; content:!"|0a|"; within:1000; reference:cve,2003-0109; reference:url,doc.emergingthreats.net/2002844; classtype:web-application-attack; sid:2002844; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Scan Precursor"; flow:established,to_server; content:"/thisdoesnotexistahaha.php"; http_uri; reference:url,doc.emergingthreats.net/2010720; classtype:web-application-attack; sid:2010720; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER sumthin scan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/sumthin"; nocase; http_uri; reference:url,www.webmasterworld.com/forum11/2100.htm; reference:url,doc.emergingthreats.net/2002667; classtype:attempted-recon; sid:2002667; rev:36; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER DFind w00tw00t GET-Requests"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/w00tw00t."; nocase; http_uri; depth:10; reference:url,doc.emergingthreats.net/2010794; classtype:attempted-recon; sid:2010794; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible Cisco PIX/ASA HTTP Web Interface HTTP Response Splitting Attempt"; flow:established,to_server; content:"GET"; http_method; content:"|0D 0A|Location|3A|"; nocase; http_uri; reference:url,www.secureworks.com/ctu/advisories/SWRX-2010-001/; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20737; reference:cve,2008-7257; reference:url,doc.emergingthreats.net/2011763; classtype:web-application-attack; sid:2011763; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER /bin/csh In URI Possible Shell Command Execution Attempt"; flow:established,to_server; content:"/bin/csh"; nocase; http_uri; classtype:web-application-attack; sid:2011464; rev:6; metadata:created_at 2010_09_09, updated_at 2010_09_09;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER /bin/tsh In URI Possible Shell Command Execution Attempt"; flow:established,to_server; content:"/bin/tsh"; http_uri; nocase; classtype:web-application-attack; sid:2011466; rev:8; metadata:created_at 2010_09_09, updated_at 2010_09_09;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER /bin/ksh In URI Possible Shell Command Execution Attempt"; flow:established,to_server; content:"/bin/ksh"; http_uri; nocase; classtype:web-application-attack; sid:2011467; rev:7; metadata:created_at 2010_09_09, updated_at 2010_09_09;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"GPL WEB_SERVER WEB-IIS Remote IIS Server Name spoof attempt loopback IP"; flow:to_server,established; content:"http|3a|//127.0.0.1"; fast_pattern:only; pcre:"/http\x3A\/\/127\.0\.0\.1\/.*\.asp/i"; reference:cve,2005-2678; classtype:web-application-activity; sid:2100139; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER WEB-PHP phpinfo access"; flow:to_server,established; content:"/phpinfo.php"; fast_pattern:only; http_uri; nocase; reference:bugtraq,5789; reference:cve,2002-1149; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=3356; classtype:successful-recon-limited; sid:2019526; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"GPL WEB_SERVER TRACE attempt"; flow:to_server,established; content:"TRACE"; http_method; reference:bugtraq,9561; reference:nessus,11213; reference:url,www.whitehatsec.com/press_releases/WH-PR-20030120.pdf; classtype:web-application-attack; sid:2102056; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"GPL WEB_SERVER Tomcat null byte directory listing attempt"; flow:to_server,established; content:"|00|.jsp"; http_uri; reference:bugtraq,2518; reference:bugtraq,6721; reference:cve,2003-0042; classtype:web-application-attack; sid:2102061; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"GPL WEB_SERVER globals.pl access"; flow:to_server,established; content:"/globals.pl"; http_uri; reference:bugtraq,2671; reference:cve,2001-0330; classtype:web-application-activity; sid:2102073; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"GPL WEB_SERVER mod_gzip_status access"; flow:to_server,established; content:"/mod_gzip_status"; http_uri; reference:nessus,11685; classtype:web-application-activity; sid:2102156; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"GPL WEB_SERVER perl post attempt"; flow:to_server,established; content:"POST"; http_method; content:"/perl/"; http_uri; reference:bugtraq,5520; reference:cve,2002-1436; reference:nessus,11158; classtype:web-application-attack; sid:2101979; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"GPL WEB_SERVER Compaq Insight directory traversal"; flow:to_server,established; content:"../../../"; reference:arachnids,244; reference:bugtraq,282; reference:cve,1999-0771; classtype:web-application-attack; sid:2101199; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /bin/ls command attempt"; flow:to_server,established; content:"/bin/ls"; http_uri; nocase; classtype:web-application-attack; sid:2101369; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /bin/ls| command attempt"; flow:to_server,established; content:"/bin/ls|7C|"; http_uri; nocase; classtype:web-application-attack; sid:2101368; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /bin/ps command attempt"; flow:to_server,established; content:"/bin/ps"; http_uri; nocase; classtype:web-application-attack; sid:2101328; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /etc/inetd.conf access"; flow:to_server,established; content:"/etc/inetd.conf"; http_uri; nocase; classtype:web-application-activity; sid:2101370; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /etc/motd access"; flow:to_server,established; content:"/etc/motd"; nocase; http_uri; classtype:web-application-activity; sid:2101371; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /usr/bin/id command attempt"; flow:to_server,established; content:"/usr/bin/id"; http_uri; nocase; classtype:web-application-attack; sid:2101332; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /usr/bin/perl execution attempt"; flow:to_server,established; content:"/usr/bin/perl"; http_uri; nocase; classtype:web-application-attack; sid:2101355; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER bin/python access attempt"; flow:to_server,established; content:"bin/python"; http_uri; nocase; classtype:web-application-attack; sid:2101349; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER python access attempt"; flow:to_server,established; content:"python "; http_uri; nocase; classtype:web-application-attack; sid:2101350; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER perl command attempt"; flow:to_server,established; content:"/perl?"; http_uri; nocase; reference:arachnids,219; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:2101649; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER printenv access"; flow:to_server,established; content:"/printenv"; http_uri; reference:bugtraq,1658; reference:cve,2000-0868; reference:nessus,10188; reference:nessus,10503; classtype:web-application-activity; sid:2101877; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER datasource attempt"; flow:to_server,established; content:"CF_ISCOLDFUSIONDATASOURCE|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:2100920; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER datasource password attempt"; flow:to_server,established; content:"CF_SETDATASOURCEPASSWORD|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:2100919; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER datasource username attempt"; flow:to_server,established; content:"CF_SETDATASOURCEUSERNAME|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:2100909; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER getodbcin attempt"; flow:to_server,established; content:"CFUSION_GETODBCINI|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:2100923; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /_vti_bin/ access"; flow:to_server,established; content:"/_vti_bin/"; http_uri; nocase; reference:nessus,11032; classtype:web-application-activity; sid:2101288; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER _vti_rpc access"; flow:to_server,established; content:"/_vti_rpc"; http_uri; nocase; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; classtype:web-application-activity; sid:2100937; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER author.exe access"; flow:to_server,established; content:"/_vti_bin/_vti_aut/author.exe"; http_uri; nocase; classtype:web-application-activity; sid:2100952; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER authors.pwd access"; flow:to_server,established; content:"/authors.pwd"; http_uri; nocase; reference:bugtraq,989; reference:cve,1999-0386; reference:nessus,10078; classtype:web-application-activity; sid:2100951; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER service.cnf access"; flow:to_server,established; content:"/_vti_pvt/service.cnf"; http_uri; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:2100958; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER service.pwd"; flow:to_server,established; content:"/service.pwd"; http_uri; nocase; reference:bugtraq,1205; classtype:web-application-activity; sid:2100959; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER services.cnf access"; flow:to_server,established; content:"/_vti_pvt/services.cnf"; http_uri; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:2100961; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER writeto.cnf access"; flow:to_server,established; content:"/_vti_pvt/writeto.cnf"; nocase; http_uri; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:2100965; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /scripts/iisadmin/default.htm access"; flow:to_server,established; content:"/scripts/iisadmin/default.htm"; http_uri; nocase; classtype:web-application-attack; sid:2100994; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER IISProtect access"; flow:to_server,established; content:"/iisprotect/admin/"; http_uri; nocase; reference:nessus,11661; classtype:web-application-activity; sid:2102131; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER ISAPI .printer access"; flow:to_server,established; content:".printer"; http_uri; nocase; reference:arachnids,533; reference:bugtraq,2674; reference:cve,2001-0241; reference:nessus,10661; reference:url,www.microsoft.com/technet/security/bulletin/MS01-023.mspx; classtype:web-application-activity; sid:2100971; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER MS Site Server admin attempt"; flow:to_server,established; content:"/Site Server/Admin/knowledge/persmbr/"; nocase; http_uri; reference:nessus,11018; classtype:web-application-attack; sid:2101818; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER MS Site Server default login attempt"; flow:to_server,established; content:"/SiteServer/Admin/knowledge/persmbr/"; nocase; http_uri; content:"TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE"; pcre:"/^Authorization|3A|\s*Basic\s+TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE=/smi"; reference:nessus,11018; classtype:web-application-attack; sid:2101817; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER SAM Attempt"; flow:to_server,established; content:"sam._"; http_uri; nocase; reference:url,www.ciac.org/ciac/bulletins/h-45.shtml; classtype:web-application-attack; sid:2100988; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER WEBDAV nessus safe scan attempt"; flow:to_server,established; content:"SEARCH"; http_method; content:"/"; http_uri; urilen:1; content:" HTTP/1.1|0D 0A|Host|3A|"; content:"|0D 0A 0D 0A|"; within:255; reference:bugtraq,7116; reference:cve,2003-0109; reference:nessus,11412; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2102091; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER global.asa access"; flow:to_server,established; content:"/global.asa"; http_uri; nocase; reference:cve,2000-0778; reference:nessus,10491; reference:nessus,10991; classtype:web-application-activity; sid:2101016; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER iisadmin access"; flow:to_server,established; content:"/iisadmin"; nocase; http_uri; reference:bugtraq,189; reference:cve,1999-1538; reference:nessus,11032; classtype:web-application-attack; sid:2100993; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER msadcs.dll access"; flow:to_server,established; content:"/msadcs.dll"; http_uri; nocase; reference:bugtraq,529; reference:cve,1999-1011; reference:nessus,10357; classtype:web-application-activity; sid:2101023; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER msdac access"; flow:to_server,established; content:"/msdac/"; nocase; http_uri; reference:nessus,11032; classtype:web-application-activity; sid:2101285; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER unicode directory traversal attempt"; flow:to_server,established; content:"/..%255c.."; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2101945; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER .htaccess access"; flow:to_server,established; content:".htaccess"; nocase; http_uri; classtype:attempted-recon; sid:2101129; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER .htpasswd access"; flow:to_server,established; content:".htpasswd"; nocase; classtype:web-application-attack; sid:2101071; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /etc/passwd"; flow:to_server,established; content:"/etc/passwd"; fast_pattern:only; nocase; classtype:attempted-recon; sid:2101122; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /~ftp access"; flow:to_server,established; content:"/~ftp"; http_uri; nocase; classtype:attempted-recon; sid:2101662; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /~nobody access"; flow:to_server,established; content:"/~nobody"; http_uri; reference:nessus,10484; classtype:web-application-attack; sid:2101489; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /~root access"; flow:to_server,established; content:"/~root"; http_uri; nocase; classtype:attempted-recon; sid:2101145; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER Apache Chunked-Encoding worm attempt"; flow:to_server,established; content:"CCCCCCC|3A| AAAAAAAAAAAAAAAAAAA"; fast_pattern:only; nocase; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; classtype:web-application-attack; sid:2101809; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER DELETE attempt"; flow:to_server,established; content:"DELETE"; http_method; nocase; reference:nessus,10498; classtype:web-application-activity; sid:2101603; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER Oracle Java Process Manager access"; flow:to_server,established; content:"/oprocmgr-status"; http_uri; reference:nessus,10851; classtype:web-application-activity; sid:2101874; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER Tomcat directory traversal attempt"; flow:to_server,established; content:"|00|.jsp"; http_uri; reference:bugtraq,2518; classtype:web-application-attack; sid:2101055; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER Tomcat server snoop access"; flow:to_server,established; content:"/jsp/snp/"; http_uri; content:".snp"; http_uri; reference:bugtraq,1532; reference:cve,2000-0760; classtype:attempted-recon; sid:2101108; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER Tomcat sourcecode view attempt 1"; flow:to_server,established; content:".%256Asp"; http_uri; nocase; classtype:attempted-recon; sid:2101238; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER Tomcat sourcecode view attempt 2"; flow:to_server,established; content:".j%2573p"; http_uri; nocase; classtype:attempted-recon; sid:2101237; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER Tomcat sourcecode view attempt 3"; flow:to_server,established; content:".js%2570"; http_uri; nocase; classtype:attempted-recon; sid:2101236; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER Tomcat view source attempt"; flow:to_server,established; uricontent:"%252ejsp"; reference:bugtraq,2527; reference:cve,2001-0590; classtype:web-application-attack; sid:2101056; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER apache ?M=D directory list attempt"; flow:to_server,established; content:"/?M=D"; http_uri; reference:bugtraq,3009; reference:cve,2001-0731; classtype:web-application-activity; sid:2101519; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER apache directory disclosure attempt"; flow:to_server,established; content:"////////"; depth:200; reference:bugtraq,2503; classtype:attempted-dos; sid:2101156; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER apache source.asp file access"; flow:to_server,established; content:"/site/eg/source.asp"; http_uri; nocase; reference:bugtraq,1457; reference:cve,2000-0628; reference:nessus,10480; classtype:attempted-recon; sid:2101110; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER global.inc access"; flow:to_server,established; content:"/global.inc"; http_uri; nocase; reference:bugtraq,4612; reference:cve,2002-0614; classtype:web-application-attack; sid:2101738; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER ls%20-l"; flow:to_server,established; content:"ls%20-l"; nocase; classtype:attempted-recon; sid:2101118; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER robot.txt access"; flow:to_server,established; content:"/robot.txt"; http_uri; nocase; reference:nessus,10302; classtype:web-application-activity; sid:2101857; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER robots.txt access"; flow:to_server,established; content:"/robots.txt"; http_uri; nocase; reference:nessus,10302; classtype:web-application-activity; sid:2101852; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER viewcode access"; flow:to_server,established; content:"/viewcode"; http_uri; reference:cve,1999-0737; reference:nessus,10576; reference:nessus,12048; classtype:web-application-attack; sid:2101403; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER webalizer access"; flow:established,to_server; content:"/webalizer/"; nocase; http_uri; reference:bugtraq,3473; reference:cve,2001-0835; reference:nessus,10816; classtype:web-application-activity; sid:2101847; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"GPL WEB_SERVER 403 Forbidden"; flow:from_server,established; content:"403"; http_stat_code; content:" 403";  classtype:attempted-recon; sid:2101201; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET WEB_SERVER Phoenix Exploit Kit - Admin Login Page Detected Outbound"; flow:established,to_client; content:"<title>Phoenix Exploit's Kit - Log In</title>"; classtype:bad-unknown; sid:2011280; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Asprox Spambot SQL-Injection Atempt"; flow:established,to_server; content:"GET"; http_method; content:"declare "; http_uri; nocase; content:"char("; http_uri; nocase; content:"exec(@"; nocase; http_uri; classtype:web-application-attack; sid:2011291; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Local Website Infected By Gootkit"; flow:established,from_server; content:"Gootkit iframer component"; nocase; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011285; classtype:web-application-attack; sid:2011289; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER Gootkit Website Infection Request for FTP Credentials from Control Server"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ftp"; http_uri; nocase; fast_pattern; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest"; http_header; nocase; content:!"www.trendmicro.com"; http_header; flowbits:set,ET.GOOTKIT; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011286; classtype:web-application-attack; sid:2011290; rev:7; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Gootkit Website Infection Receiving FTP Credentials from Control Server"; flowbits:isset,ET.GOOTKIT; flow:established,from_server; content:"<acc><login>"; nocase; content:"</login><pass>"; nocase; distance:0; content:"</pass><serv>"; nocase; distance:0; content:"</serv><port>21</port>"; nocase; distance:0; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011287; classtype:web-application-attack; sid:2011287; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 1/5)"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/CFIDE/wizards/common/_logintowizard.cfm"; http_uri; content:"locale=../../"; nocase; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; reference:url,www.exploit-db.com/exploits/14641/; classtype:web-application-attack; sid:2011358; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 2/5)"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/CFIDE/administrator/archives/index.cfm"; nocase; http_uri; content:"locale=../../"; nocase; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; reference:url,www.exploit-db.com/exploits/14641/; classtype:web-application-attack; sid:2011359; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 3/5)"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/CFIDE/administrator/entman/index.cfm"; nocase; http_uri; content:"locale=../../"; nocase; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; reference:url,www.exploit-db.com/exploits/14641/; classtype:web-application-attack; sid:2011360; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 5/5)"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/CFIDE/administrator/enter.cfm"; nocase; http_uri; content:"locale=../../"; nocase; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; reference:url,www.exploit-db.com/exploits/14641/; classtype:web-application-attack; sid:2011362; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP tags in HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"<?php"; nocase; fast_pattern:only; http_client_body; reference:url,isc.sans.edu/diary.html?storyid=9478; classtype:web-application-attack; sid:2011768; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Using MSSQL sp_configure Command"; flow:established,to_server; content:"sp_configure"; http_uri; nocase; reference:url,technet.microsoft.com/en-us/library/ms188787.aspx; reference:url,technet.microsoft.com/en-us/library/ms190693.aspx; classtype:web-application-attack; sid:2011424; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER ScriptResource.axd access without t (time) parameter - possible ASP padding-oracle exploit"; flow:established,to_server; content:"GET"; http_method; content:"ScriptResource.axd"; http_uri; nocase; fast_pattern; content:!"&t="; http_uri; nocase; content:!"&amp|3b|t="; http_uri; nocase; detection_filter:track by_src,count 15,seconds 2; reference:url,netifera.com/research/; reference:url,www.microsoft.com/technet/security/advisory/2416728.mspx; classtype:web-application-attack; sid:2011806; rev:6; metadata:created_at 2010_10_12, updated_at 2010_10_12;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER WebResource.axd access without t (time) parameter - possible ASP padding-oracle exploit"; flow:established,to_server; content:"GET"; http_method; content:"/WebResource.axd"; http_uri; nocase; fast_pattern; content:!"&t="; http_uri; nocase; content:!"&amp|3b|t="; http_uri; nocase; detection_filter:track by_src,count 15,seconds 2; reference:url,netifera.com/research/; reference:url,www.microsoft.com/technet/security/advisory/2416728.mspx; classtype:web-application-attack; sid:2011807; rev:4; metadata:created_at 2010_10_12, updated_at 2010_10_12;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER /bin/sh In URI Possible Shell Command Execution Attempt"; flow:established,to_server; content:"/bin/sh"; fast_pattern:only; http_uri; nocase; classtype:web-application-attack; sid:2011465; rev:6; metadata:created_at 2010_10_13, updated_at 2010_10_13;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER DD-WRT Information Disclosure Attempt"; flow:established,to_server; content:"/Info.live.htm"; nocase; http_uri; flowbits:set,et.ddwrt.infodis; reference:url,www.exploit-db.com/exploits/15842/; classtype:attempted-recon; sid:2012116; rev:3; metadata:created_at 2011_12_30, updated_at 2011_12_30;)

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Successful DD-WRT Information Disclosure"; flowbits:isset,et.ddwrt.infodis; flow:established,from_server; content:"lan_mac|3A 3A|"; content:"wlan_mac|3A 3A|"; distance:0; content:"lan_ip|3A 3A|"; distance:0; content:"mem_info|3A 3A|"; distance:0; reference:url,www.exploit-db.com/exploits/15842/; classtype:successful-recon-limited; sid:2012117; rev:2; metadata:created_at 2011_12_30, updated_at 2011_12_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Large Subnormal Double Precision Floating Point Number PHP DoS in URI"; flow:established,to_server; content:"2.2250738585072011e-308"; http_uri; nocase; reference:url,bugs.php.net/bug.php?id=53632; classtype:attempted-dos; sid:2012150; rev:2; metadata:created_at 2011_01_06, updated_at 2011_01_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Large Subnormal Double Precision Floating Point Number PHP DoS Inbound"; flow:established,to_server; content:"2.2250738585072011e-308"; http_client_body; nocase; reference:url,bugs.php.net/bug.php?id=53632; classtype:attempted-dos; sid:2012151; rev:2; metadata:created_at 2011_01_06, updated_at 2011_01_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Likely Malicious Request for /proc/self/environ"; flow:established,to_server; content:"/proc/self/environ"; http_uri; nocase; classtype:web-application-attack; sid:2012230; rev:3; metadata:created_at 2011_01_25, updated_at 2011_01_25;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Automated Site Scanning for backupdata"; flow:established,to_server; content:"backupdata"; nocase; http_uri; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; http_header; classtype:attempted-recon; sid:2012286; rev:4; metadata:created_at 2011_02_04, updated_at 2011_02_04;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Automated Site Scanning for backup_data"; flow:established,to_server; content:"backup_data"; nocase; http_uri; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; http_header; classtype:attempted-recon; sid:2012287; rev:3; metadata:created_at 2011_02_04, updated_at 2011_02_04;)

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER HTTP 414 Request URI Too Large"; flow:from_server,established; content:"414"; http_stat_code; content:"Request-URI Too Large"; nocase; classtype:web-application-attack; sid:2012708; rev:4; metadata:created_at 2011_04_22, updated_at 2011_04_22;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Apache APR apr_fnmatch Stack Overflow Denial of Service"; flow:to_server,established; urilen:>1400; content:"|2F 3F|P|3D 2A 3F 2A 3F 2A 3F 2A 3F 2A 3F|"; http_uri; pcre:"/(\x2a\x3f){700}/U"; reference:cve,2011-0419; reference:url,cxib.net/stuff/apr_fnmatch.txt; reference:url,bugzilla.redhat.com/show_bug.cgi?id=703390; classtype:attempted-dos; sid:2012926; rev:3; metadata:created_at 2011_06_02, updated_at 2011_06_02;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Possible file Remote File Inclusion Attempt"; flow:established,to_server; content:".php?"; http_uri; content:"=file|3a|//"; http_uri; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013002; rev:5; metadata:created_at 2011_06_10, updated_at 2011_06_10;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Possible php Remote File Inclusion Attempt"; flow:established,to_server; content:".php?"; http_uri; content:"=php|3a|//"; http_uri; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013001; rev:3; metadata:created_at 2011_06_10, updated_at 2011_06_10;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Possible ftps Local File Inclusion Attempt"; flow:established,to_server; content:".php?"; http_uri; content:"=ftps|3a|//"; http_uri; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013000; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_06_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Possible ftp Remote File Inclusion Attempt"; flow:established,to_server; content:".php?"; http_uri; content:"=ftp|3a|//"; http_uri; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2012999; rev:3; metadata:created_at 2011_06_10, updated_at 2011_06_10;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Possible https Local File Inclusion Attempt"; flow:established,to_server; content:".php?"; http_uri; content:"=https|3a|//"; http_uri; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2012998; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_06_10, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Possible http Remote File Inclusion Attempt"; flow:established,to_server; content:".php?"; http_uri; content:"=http|3a|//"; http_uri; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2012997; rev:3; metadata:created_at 2011_06_10, updated_at 2011_06_10;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Possible zlib Remote File Inclusion Attempt"; flow:established,to_server; content:".php?"; http_uri; content:"=zlib|3a|//"; http_uri; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013014; rev:4; metadata:created_at 2011_06_10, updated_at 2011_06_10;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Possible data Remote File Inclusion Attempt"; flow:established,to_server; content:".php?"; http_uri; content:"=data|3a|//"; http_uri; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013003; rev:3; metadata:created_at 2011_06_10, updated_at 2011_06_10;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Possible glob Remote File Inclusion Attempt"; flow:established,to_server; content:".php?"; http_uri; content:"=glob|3a|//"; http_uri; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013004; rev:3; metadata:created_at 2011_06_10, updated_at 2011_06_10;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Possible phar Remote File Inclusion Attempt"; flow:established,to_server; content:".php?"; http_uri; content:"=phar|3a|//"; http_uri; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013005; rev:4; metadata:created_at 2011_06_10, updated_at 2011_06_10;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Possible ssh2 Remote File Inclusion Attempt"; flow:established,to_server; content:".php?"; http_uri; content:"=ssh2|3a|//"; http_uri; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013006; rev:3; metadata:created_at 2011_06_10, updated_at 2011_06_10;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Possible rar Remote File Inclusion Attempt"; flow:established,to_server; content:".php?"; http_uri; content:"=rar|3a|//"; http_uri; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013007; rev:3; metadata:created_at 2011_06_10, updated_at 2011_06_10;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Possible ogg Remote File Inclusion Attempt"; flow:established,to_server; content:".php?"; http_uri; content:"=ogg|3a|//"; http_uri; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013008; rev:3; metadata:created_at 2011_06_10, updated_at 2011_06_10;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Possible expect Remote File Inclusion Attempt"; flow:established,to_server; content:".php?"; http_uri; content:"=expect|3a|//"; http_uri; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013009; rev:3; metadata:created_at 2011_06_10, updated_at 2011_06_10;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Binget PHP Library User Agent Inbound"; flow:established,to_server; content:"User-Agent|3a| Binget/"; nocase; http_header; reference:url,www.bin-co.com/php/scripts/load/; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013049; rev:1; metadata:created_at 2011_06_17, updated_at 2011_06_17;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER pxyscand Suspicious User Agent Inbound"; flow:established,to_server; content:"User-Agent|3a| pxyscand/"; nocase; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013051; rev:2; metadata:created_at 2011_06_17, updated_at 2011_06_17;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PyCurl Suspicious User Agent Inbound"; flow:established,to_server; content:"User-Agent|3a| PyCurl"; nocase; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013053; rev:1; metadata:created_at 2011_06_17, updated_at 2011_06_17;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Inbound PHP User-Agent"; flow:established,to_server; content:"User-Agent|3a| PHP/"; nocase; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013057; rev:2; metadata:created_at 2011_06_17, updated_at 2011_06_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER Outbound PHP User-Agent"; flow:established,to_server; content:"User-Agent|3a| PHP/"; nocase; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013058; rev:2; metadata:created_at 2011_06_17, updated_at 2011_06_17;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Muieblackcat scanner"; flow:established,to_server; content:"GET /muieblackcat HTTP/1.1"; depth:26; classtype:attempted-recon; sid:2013115; rev:3; metadata:created_at 2011_06_24, updated_at 2011_06_24;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PUT Website Defacement Attempt"; flow:established,to_server; content:"PUT"; http_method; content:"<title>.|3a 3a|[+] Defaced by "; nocase; http_client_body; classtype:web-application-attack; sid:2013365; rev:1; metadata:created_at 2011_08_05, updated_at 2011_08_05;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER DNS changer cPanel attempt"; flow:to_server,established; content:"pwCfm=Dn5Ch4ng3"; http_client_body; classtype:web-application-attack; sid:2013921; rev:1; metadata:created_at 2011_11_17, updated_at 2011_11_17;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Weevely PHP backdoor detected (system() function used)"; flow:to_server,established; content:"QHN5c3Rl"; http_header; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013937; rev:5; metadata:created_at 2011_11_21, updated_at 2011_11_21;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Weevely PHP backdoor detected (passthru() function used) M1"; flow:to_server,established; content:"QHBhc3N0aHJ1KC"; http_header;  metadata: former_category WEB_SERVER; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013938; rev:4; metadata:created_at 2011_11_21, updated_at 2018_06_14;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Weevely PHP backdoor detected (shell_exec() function used)"; flow:to_server,established; content:"aGVsbF9l"; http_header;  reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013939; rev:3; metadata:created_at 2011_11_21, updated_at 2011_11_21;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Weevely PHP backdoor detected (proc_open() function used)"; flow:to_server,established; content:"JHAgPSBhcnJheShhcnJh"; http_header;  reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013940; rev:3; metadata:created_at 2011_11_21, updated_at 2011_11_21;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Weevely PHP backdoor detected (popen() function used)"; flow:to_server,established; content:"JGggPSBwb3Bl"; http_header;  reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013941; rev:3; metadata:created_at 2011_11_21, updated_at 2011_11_21;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Weevely PHP backdoor detected (python_eval() function used)"; flow:to_server,established; content:"QHB5dGhvbl9l"; http_header; metadata: former_category WEB_SERVER; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013942; rev:4; metadata:created_at 2011_11_21, updated_at 2017_03_21;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Weevely PHP backdoor detected (pcntl_exec() function used)"; flow:to_server,established; content:"JGFyZ3MgPSBh"; http_header; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013943; rev:4; metadata:created_at 2011_11_21, updated_at 2011_11_21;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Weevely PHP backdoor detected (perl->system() function used)"; flow:to_server,established; content:"JHBlcmwgPSBuZXcg"; http_header;  reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013944; rev:3; metadata:created_at 2011_11_21, updated_at 2011_11_21;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Weevely PHP backdoor detected (exec() function used)"; flow:to_server,established; content:"ZXhlYygn"; http_header;  reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013945; rev:3; metadata:created_at 2011_11_21, updated_at 2011_11_21;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER JBoss jmx-console Probe"; flow:to_server,established; content:"HEAD"; http_method; content:"/jmx-console/HtmlAdaptor?"; http_uri; nocase; reference:cve,2010-0738; classtype:web-application-activity; sid:2014017; rev:1; metadata:created_at 2011_12_09, updated_at 2011_12_09;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER JBoss jmx-console Access Control Bypass Attempt"; flow:to_server,established; content:"HEAD"; http_method; content:"/jmx-console/HtmlAdaptor?"; http_uri; nocase; content:"Runtime.getRuntime().exec("; http_uri; reference:cve,2010-0738; classtype:web-application-activity; sid:2014018; rev:1; metadata:created_at 2011_12_09, updated_at 2011_12_09;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Wordpress Login Bruteforcing Detected"; flow:to_server,established; content:"/wp-login.php"; nocase; fast_pattern; http_uri; content:"POST"; http_method; content:"log|3d|"; http_client_body; content:"pwd|3d|"; http_client_body; threshold: type both, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:2014020; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_12_12, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Generic Web Server Hashing Collision Attack"; flow:established,to_server; content:"Content-Type|3A| application|2F|x-www-form-urlencoded"; nocase; http_header; isdataat:1500; pcre:"/([\w\x25]+=[\w\x25]*&){500}/OPsmi"; reference:cve,2011-3414; reference:url,events.ccc.de/congress/2011/Fahrplan/events/4680.en.html; reference:url,technet.microsoft.com/en-us/security/advisory/2659883; reference:url,blogs.technet.com/b/srd/archive/2011/12/29/asp-net-security-update-is-live.aspx; classtype:attempted-dos; sid:2014045; rev:2; metadata:created_at 2011_12_30, updated_at 2011_12_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Generic Web Server Hashing Collision Attack 2"; flow:established,to_server; content:"Content-Type|3A| multipart/form-data"; nocase; http_header; isdataat:5000; pcre:"/(\r\nContent-Disposition\x3a\s+form-data\x3b[^\r\n]+\r\n\r\n.+?){250}/OPsmi"; reference:cve,2011-3414; reference:url,events.ccc.de/congress/2011/Fahrplan/events/4680.en.html; reference:url,technet.microsoft.com/en-us/security/advisory/2659883; reference:url,blogs.technet.com/b/srd/archive/2011/12/29/asp-net-security-update-is-live.aspx; classtype:attempted-dos; sid:2014046; rev:2; metadata:created_at 2011_12_30, updated_at 2011_12_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ASP.NET Forms Authentication Bypass"; flow:to_server,established; content:"/CreatingUserAccounts.aspx"; http_uri; content:"CreateUserStepContainer"; content:"UserName="; distance:0; content:"%00"; distance:0; pcre:"/UserName\x3d[^\x26]+\x2500/"; reference:cve,2011-3416; classtype:attempted-user; sid:2014100; rev:2; metadata:created_at 2012_01_03, updated_at 2012_01_03;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Unusually Fast HTTP Requests With Referer Url Matching DoS Tool"; flow:to_server,established; content:"Referer|3a 20|"; http_header; content:"/slowhttptest/"; http_header; fast_pattern:only; pcre:"/Referer\x3a\x20[^\r\n]*\/slowhttptest\//Hi"; threshold: type both, track by_src, count 15, seconds 30; reference:url,community.qualys.com/blogs/securitylabs/2012/01/05/slow-read; classtype:web-application-activity; sid:2014103; rev:3; metadata:created_at 2012_01_09, updated_at 2012_01_09;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER LOIC Javascript DDoS Inbound"; flow:established,to_server; content:"GET"; http_method; content:"?id="; http_uri; content:"&msg="; http_uri; distance:13; within:5; pcre:"/\?id=[0-9]{13}&msg=[^&]+$/U"; threshold: type both, track by_src, count 5, seconds 60; reference:url,isc.sans.org/diary/Javascript+DDoS+Tool+Analysis/12442; reference:url,www.wired.com/threatlevel/2012/01/anons-rickroll-botnet; classtype:attempted-dos; sid:2014140; rev:4; metadata:created_at 2012_01_23, updated_at 2012_01_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER eval/base64_decode Exploit Attempt Inbound"; flow:established,to_server; content:"eval|28|base64_decode|28|"; http_uri; classtype:web-application-attack; sid:2014296; rev:2; metadata:created_at 2012_02_29, updated_at 2012_02_29;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt char() Danmec related"; flow:established,to_server; content:"CHAR("; http_uri; nocase; pcre:"/CHAR\([0-9]{2,3}\)char\([^\x0d\x0a\x20]{98}/Ui"; classtype:attempted-admin; sid:2014352; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2012_03_09, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER IIS INDEX_ALLOCATION Auth Bypass Attempt"; flow:established,to_server; content:"|3a|$INDEX_ALLOCATION"; http_uri; nocase; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2012-June/087269.html; classtype:bad-unknown; sid:2014886; rev:1; metadata:created_at 2012_06_11, updated_at 2012_06_11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible attempt to enumerate MS SQL Server version"; flow:established,to_server; content:"@@version"; nocase; http_uri; reference:url,support.microsoft.com/kb/321185; classtype:attempted-admin; sid:2014890; rev:1; metadata:created_at 2012_06_13, updated_at 2012_06_13;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER possible IBM Rational Directory Server (RDS) Help system href browser redirect"; flow:established,to_server; content:"/rds-help/advanced/deferredView.jsp?"; nocase; http_uri; content:"href="; nocase; http_uri; pcre:"/href=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/49627/; classtype:web-application-attack; sid:2014986; rev:1; metadata:created_at 2012_06_29, updated_at 2012_06_29;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER possible IBM Rational Directory Server (RDS) Help system href Cross Site Scripting Attempt"; flow:established,to_server; content:"/rds-help/advanced/deferredView.jsp?"; nocase; http_uri; content:"href="; nocase; http_uri; pcre:"/href\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|javascript)/Ui"; reference:url,secunia.com/advisories/49627/; classtype:web-application-attack; sid:2014987; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2012_06_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER IIS 8.3 Filename With Wildcard (Possible File/Dir Bruteforce)"; flow:established,to_server; content:"~1"; http_uri; fast_pattern:only; pcre:"/([\*\?]~1|~1\.?[\*\?]|\/~1\/)/U"; reference:url,soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf; classtype:network-scan; sid:2015023; rev:2; metadata:created_at 2012_07_04, updated_at 2012_07_04;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER possible SAP Crystal Report Server 2008 path parameter Directory Traversal vulnerability"; flow:established,to_server; content:"/PerformanceManagement/jsp/qa.jsp?"; nocase; http_uri; content:"func="; nocase; http_uri; content:"root="; nocase; http_uri; content:"path="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,1337day.com/exploits/15332; classtype:web-application-attack; sid:2015035; rev:1; metadata:created_at 2012_07_06, updated_at 2012_07_06;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Fake Googlebot UA 1 Inbound"; flow:established,to_server; content:"User-Agent|3a|"; http_header; content:!" Mozilla/5.0 (compatible|3b| Googlebot/2.1|3b| +http|3a|//www.google.com/bot.html)|0d 0a|"; http_header; within:75; content:!" Googlebot/2.1 (+http|3a|//www.google.com/bot.html)|0d 0a|"; http_header; within:50; content:"Googlebot"; fast_pattern; http_header; nocase; distance:0; pcre:"/^User-Agent\x3a[^\r\n]+?Googlebot[^\-].+?\r$/Hmi"; reference:url,www.incapsula.com/the-incapsula-blog/item/369-was-that-really-a-google-bot-crawling-my-site; reference:url,support.google.com/webmasters/bin/answer.py?hl=en&answer=1061943; classtype:bad-unknown; sid:2015526; rev:5; metadata:created_at 2012_07_25, updated_at 2012_07_25;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Fake Googlebot UA 2 Inbound"; flow:established,to_server; content:"User-Agent|3a|"; http_header; content:!"Googlebot-News|0d 0a|"; within:16; http_header; content:!" Googlebot-Image/1.0|0d 0a|"; within:22; http_header; content:!" Googlebot-Video/1.0|0d 0a|"; within:22; http_header; content:"Googlebot-"; fast_pattern; http_header; nocase; distance:0; content:!"Mobile/2.1|3b| +http|3a|//www.google.com/bot.html)|0d 0a|"; within:46; http_header; pcre:"/^User-Agent\x3a[^\r\n]+?Googlebot-.+?\r$/Hmi"; reference:url,www.incapsula.com/the-incapsula-blog/item/369-was-that-really-a-google-bot-crawling-my-site; reference:url,support.google.com/webmasters/bin/answer.py?hl=en&answer=1061943; classtype:network-scan; sid:2015527; rev:4; metadata:created_at 2012_07_25, updated_at 2012_07_25;)

alert tcp $HOME_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Magento XMLRPC-Exploit Attempt"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/api/xmlrpc"; http_uri; content:"file|3a 2f 2f 2f|"; reference:url,www.magentocommerce.com/blog/comments/important-security-update-zend-platform-vulnerability/; reference:url,www.magentocommerce.com/blog/update-zend-framework-vulnerability-security-update; reference:url,www.exploit-db.com/exploits/19793/; classtype:web-application-attack; sid:2015625; rev:1; metadata:created_at 2012_08_15, updated_at 2012_08_15;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Brutus Scan Inbound"; flow:established,to_server; content:"Brutus/AET"; http_header; classtype:attempted-recon; sid:2015703; rev:1; metadata:created_at 2012_09_17, updated_at 2012_09_17;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHPMyAdmin BackDoor Access"; flow:established,to_server; content:"POST"; http_method; content:"/server_sync.php?"; fast_pattern:only; http_uri; content:"c="; http_uri; pcre:"/\/server_sync.php\?(?:.+?&)?c=/Ui"; reference:url,www.phpmyadmin.net/home_page/security/PMASA-2012-5.php; classtype:attempted-admin; sid:2015737; rev:5; metadata:created_at 2012_09_25, updated_at 2012_09_25;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible Oracle SQL Injection utl_inaddr call in URI"; flow:established,to_server; content:"utl_inaddr.get_host"; nocase; http_uri; fast_pattern:only; classtype:attempted-admin; sid:2015749; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2012_09_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Image Content-Type with Obfuscated PHP (Seen with C99 Shell)"; flow:from_server,established; content:"Content-Type|3a| image/"; http_header; file_data; content:"eval(gzinflate(base64_decode("; distance:0; fast_pattern; reference:url,malwaremustdie.blogspot.jp/2012/10/how-far-phpc99shell-malware-can-go-from.html; classtype:attempted-user; sid:2015755; rev:2; metadata:created_at 2012_10_02, updated_at 2012_10_02;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FaTaLisTiCz_Fx Webshell Detected"; flow:established,from_server; content:"visitz="; http_cookie; file_data; content:"FaTaLisTiCz_Fx"; classtype:web-application-activity; sid:2015811; rev:1; metadata:created_at 2012_10_18, updated_at 2012_10_18;)

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - D.K - Title"; flow:established,to_client; file_data; content:"<title>"; content:" - D.K "; fast_pattern; distance:0; content:"</title>"; distance:0; classtype:bad-unknown; sid:2015917; rev:1; metadata:created_at 2012_11_21, updated_at 2012_11_21;)

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based header"; flow:established,to_client; file_data; content:"<span>Uname<br>User<br>Php<br>Hdd<br>Cwd</span>"; classtype:attempted-user; sid:2015918; rev:1; metadata:created_at 2012_11_21, updated_at 2012_11_21;)

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based header w/colons"; flow:established,to_client; file_data; content:"<span>Uname|3a|<br>User|3a|<br>Php|3a|<br>Hdd|3a|<br>Cwd|3a|</span>"; classtype:attempted-user; sid:2015919; rev:2; metadata:created_at 2012_11_21, updated_at 2012_11_21;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - Generic - c99shell based POST structure w/multipart"; flow:established,to_server; content:"POST"; http_method; content:"form-data\; name=|22|a|22|"; http_client_body; content:"form-data\; name=|22|c|22|"; http_client_body; content:"form-data\; name=|22|p1|22|"; http_client_body; classtype:attempted-user; sid:2015920; rev:1; metadata:created_at 2012_11_21, updated_at 2012_11_21;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - PHP eMailer"; flow:established,to_server; content:"POST"; http_method; content:"form-data|3b| name=|22|from|22|"; http_client_body; content:"form-data|3b| name=|22|realname|22|"; http_client_body; content:"form-data|3b| name=|22|amount|22|"; http_client_body; classtype:web-application-activity; sid:2015924; rev:1; metadata:created_at 2012_11_23, updated_at 2012_11_23;)

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Unknown - self-kill"; flow:established,to_client; file_data; content:"<a href=|22|?x=selfremove|22|>[Self-Kill]</a>"; classtype:web-application-activity; sid:2015925; rev:1; metadata:created_at 2012_11_23, updated_at 2012_11_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - Unknown - .php?x=img&img="; flow:established,to_server; content:".php?x=img&img="; http_uri; fast_pattern:only; classtype:web-application-activity; sid:2015926; rev:1; metadata:created_at 2012_11_23, updated_at 2012_11_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - PostMan"; flow:established,to_server; content:"POST"; http_method; content:"form-data|3b| name=|22|formSubmited|22|"; http_client_body; content:"form-data|3b| name=|22|scriptPassword|22|"; http_client_body; classtype:misc-activity; sid:2015937; rev:6; metadata:created_at 2012_11_26, updated_at 2012_11_26;)

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER PIWIK Backdored Version calls home"; flow:established,to_server; content:"POST"; http_method; content:"prostoivse.com|0d 0a|"; http_header; nocase; content:"/x.php"; http_uri; content:"reff="; http_client_body; nocase; reference:url,piwik.org/blog/2012/11/security-report-piwik-org-webserver-hacked-for-a-few-hours-on-2012-nov-26th/; reference:url,forum.piwik.org/read.php?2,97666; classtype:web-application-attack; sid:2015953; rev:3; metadata:created_at 2012_11_28, updated_at 2012_11_28;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Joomla Component SQLi Attempt"; flow:established,to_server; content:"option=com_"; http_uri; nocase; content:"union"; http_uri; nocase; distance:0; content:"select"; nocase; http_uri; distance:0; content:"from"; nocase; http_uri; distance:0; content:"jos_users"; distance:0; http_uri; nocase; fast_pattern; classtype:web-application-attack; sid:2015984; rev:2; metadata:created_at 2012_12_04, updated_at 2012_12_04;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - JSP RAT"; flow:established,to_client; file_data; content:"<table id=\"filetable\" class=\"filelist\" cellspacing=\"1px\" cellpadding=\"0px\">"; classtype:attempted-user; sid:2016151; rev:2; metadata:created_at 2013_01_04, updated_at 2013_01_04;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - JSP File Admin"; flow:established,to_client; file_data; content:"<h2>(L)aunch external program</h2>"; classtype:attempted-user; sid:2016152; rev:2; metadata:created_at 2013_01_04, updated_at 2013_01_04;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - JSP File Admin - POST Structure - dir"; flow:established,to_server; content:"POST"; http_method; content:"dir="; http_client_body; content:"&sort="; http_client_body; content:"&command="; http_client_body; content:"&Submit="; http_client_body; classtype:attempted-user; sid:2016153; rev:2; metadata:created_at 2013_01_04, updated_at 2013_01_04;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion componentutils access"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/CFIDE/componentutils"; http_uri; nocase; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; classtype:web-application-attack; sid:2016182; rev:4; metadata:created_at 2013_01_09, updated_at 2013_01_09;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion adminapi access"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/CFIDE/adminapi"; http_uri; nocase; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; classtype:web-application-attack; sid:2016183; rev:3; metadata:created_at 2013_01_09, updated_at 2013_01_09;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion administrator access"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/CFIDE/administrator"; http_uri; nocase; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; classtype:web-application-attack; sid:2016184; rev:3; metadata:created_at 2013_01_09, updated_at 2013_01_09;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2013-0156 Ruby On Rails XML YAML tag with !ruby"; flow:established,to_server; content:" type"; nocase; fast_pattern; content:"yaml"; distance:0; nocase; content:"!ruby"; nocase; distance:0; pcre:"/<(?P<tname>[^\s]+)[^>]*?\stype\s*=\s*(?P<q>[\x22\x27])yaml(?P=q)((?!<\/(?P=tname)).+?)!ruby/si"; reference:url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-attack; sid:2016204; rev:4; metadata:created_at 2013_01_11, updated_at 2013_01_11;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Symlink_Sa"; flow:established,to_client; file_data; content:"<title>Symlink_Sa"; classtype:bad-unknown; sid:2016244; rev:1; metadata:created_at 2013_01_21, updated_at 2013_01_21;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based header"; flow:established,to_client; file_data; content:"<b>Software|3a|"; content:"<b>uname -a|3a|"; content:"<b>uid="; classtype:bad-unknown; sid:2016245; rev:2; metadata:created_at 2013_01_21, updated_at 2013_01_21;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Ruby on Rails CVE-2013-0333 Attempt"; flow:established,to_server; content:"|0d 0a|Content-Type|3a|"; nocase; pcre:"/^[^\r\n]*(?:application\/json(?:request)?|text\/x-json)/Ri"; content:"!ruby/"; nocase; distance:0; content:"NamedRouteCollection"; nocase; distance:0; reference:url,gist.github.com/4660248; classtype:web-application-activity; sid:2016305; rev:6; metadata:created_at 2013_01_29, updated_at 2013_01_29;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP tag in UA"; flow:established,to_server; content:"<?php"; http_header; nocase; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]\<\?php/Hmi"; reference:url,blog.spiderlabs.com/2013/02/honeypot-alert-user-agent-field-php-injection-attacks.html; classtype:bad-unknown; sid:2016415; rev:1; metadata:created_at 2013_02_16, updated_at 2013_02_16;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER base64_decode in UA"; flow:established,to_server; content:"base64_decode("; http_header; nocase; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]base64_decode\x28/Hmi"; reference:url,blog.spiderlabs.com/2013/02/honeypot-alert-user-agent-field-php-injection-attacks.html; classtype:bad-unknown; sid:2016416; rev:1; metadata:created_at 2013_02_16, updated_at 2013_02_16;)

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - zecmd - Form"; flow:established,to_client; file_data; content:"<FORM METHOD=|22|GET|22| NAME=|22|comments|22| ACTION=|22 22|>"; classtype:attempted-user; sid:2016501; rev:1; metadata:created_at 2013_02_25, updated_at 2013_02_25;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - Generic - c99shell based POST structure"; flow:established,to_server; content:"POST"; http_method; content:"act="; depth:4; fast_pattern; http_client_body; content:"&d="; http_client_body; within:20; classtype:attempted-user; sid:2016516; rev:1; metadata:created_at 2013_03_04, updated_at 2013_03_04;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - MySQL Interface - Database List"; flow:established,to_client; file_data; content:"<h1>Databases List</h1>"; classtype:bad-unknown; sid:2016574; rev:1; metadata:created_at 2013_03_13, updated_at 2013_03_13;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - MySQL Interface - Client Cookie mysql_web_admin*="; flow:established,to_server; content:"mysql_web_admin_"; http_cookie; content:"mysql_web_admin"; fast_pattern:only; classtype:bad-unknown; sid:2016575; rev:1; metadata:created_at 2013_03_13, updated_at 2013_03_13;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - MySQL Interface - Server Set Cookie mysql_web_admin*="; flow:established,to_client; content:"mysql_web_admin_"; http_cookie; content:"mysql_web_admin"; fast_pattern:only; classtype:bad-unknown; sid:2016576; rev:1; metadata:created_at 2013_03_13, updated_at 2013_03_13;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Romanian Webshell"; flow:established,to_client; file_data; content:"Incarca fisier|3a|"; content:"Exeuta comada|3a|"; classtype:bad-unknown; sid:2016577; rev:4; metadata:created_at 2013_03_13, updated_at 2013_03_13;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection (varchar2)"; flow:established,to_server; content:"varchar2("; nocase; http_uri; reference:url,doc.emergingthreats.net/2008175; classtype:attempted-admin; sid:2016596; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2013_03_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Perl Shell in HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"#!/usr/bin/perl"; nocase; http_client_body; fast_pattern:only; reference:url,isc.sans.edu/diary.html?storyid=9478; classtype:web-application-attack; sid:2016641; rev:5; metadata:created_at 2013_03_21, updated_at 2013_03_21;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Perl Shell in HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"#!/bin/sh"; nocase; http_client_body; fast_pattern:only; reference:url,isc.sans.edu/diary.html?storyid=9478; classtype:web-application-attack; sid:2016642; rev:5; metadata:created_at 2013_03_21, updated_at 2013_03_21;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (mssql_query)"; flow:from_server,established; content:"200"; http_stat_code; file_data; content:"mssql_query"; distance:0; classtype:bad-unknown; sid:2016664; rev:1; metadata:created_at 2013_03_27, updated_at 2013_03_27;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (mssql_query)"; flow:from_server,established; content:"500"; http_stat_code; file_data; content:"mssql_query"; distance:0; classtype:bad-unknown; sid:2016665; rev:1; metadata:created_at 2013_03_27, updated_at 2013_03_27;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (pgsql_query)"; flow:from_server,established; content:"200"; http_stat_code; file_data; content:"pgsql_query"; distance:0; classtype:bad-unknown; sid:2016666; rev:1; metadata:created_at 2013_03_27, updated_at 2013_03_27;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (pgsql_query)"; flow:from_server,established; content:"500"; http_stat_code; file_data; content:"pgsql_query"; distance:0; classtype:bad-unknown; sid:2016667; rev:1; metadata:created_at 2013_03_27, updated_at 2013_03_27;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (mysql_query)"; flow:from_server,established; content:"200"; http_stat_code; file_data; content:"mysql_query"; distance:0; classtype:bad-unknown; sid:2016668; rev:1; metadata:created_at 2013_03_27, updated_at 2013_03_27;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (mysql_query)"; flow:from_server,established; content:"500"; http_stat_code; file_data; content:"mysql_query"; distance:0; classtype:bad-unknown; sid:2016669; rev:1; metadata:created_at 2013_03_27, updated_at 2013_03_27;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (SqlException)"; flow:from_server,established; content:"200"; http_stat_code; file_data; content:"SqlException"; distance:0; classtype:bad-unknown; sid:2016670; rev:1; metadata:created_at 2013_03_27, updated_at 2013_03_27;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (SqlException)"; flow:from_server,established; content:"500"; http_stat_code; file_data; content:"SqlException"; distance:0; classtype:bad-unknown; sid:2016671; rev:1; metadata:created_at 2013_03_27, updated_at 2013_03_27;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (error in your SQL syntax)"; flow:from_server,established; content:"200"; http_stat_code; file_data; content:"error in your SQL syntax"; fast_pattern:only; classtype:bad-unknown; sid:2016672; rev:1; metadata:created_at 2013_03_27, updated_at 2013_03_27;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (error in your SQL syntax)"; flow:from_server,established; content:"500"; http_stat_code; file_data; content:"error in your SQL syntax"; distance:0; classtype:bad-unknown; sid:2016673; rev:1; metadata:created_at 2013_03_27, updated_at 2013_03_27;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (ERROR syntax error at or near)"; flow:from_server,established; content:"200"; http_stat_code; file_data; content:"ERROR|3a|  syntax error at or near"; distance:0; classtype:bad-unknown; sid:2016674; rev:2; metadata:created_at 2013_03_27, updated_at 2013_03_27;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (ERROR syntax error at or near)"; flow:from_server,established; content:"500"; http_stat_code; file_data; content:"ERROR|3a|  syntax error at or near"; distance:0; classtype:bad-unknown; sid:2016675; rev:2; metadata:created_at 2013_03_27, updated_at 2013_03_27;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (ORA-)"; flow:from_server,established; content:"200"; http_stat_code; file_data; content:"ORA-"; distance:0; classtype:bad-unknown; sid:2016676; rev:1; metadata:created_at 2013_03_27, updated_at 2013_03_27;)

#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (ORA-)"; flow:from_server,established; content:"500"; http_stat_code; file_data; content:"ORA-"; distance:0; classtype:bad-unknown; sid:2016677; rev:1; metadata:created_at 2013_03_27, updated_at 2013_03_27;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - Simple - Title"; flow:established,to_client; file_data; content:"- Simple Shell</title>"; classtype:bad-unknown; sid:2016679; rev:1; metadata:created_at 2013_03_27, updated_at 2013_03_27;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell Generic - net user"; flow:established,to_server; content:"POST"; http_method; content:"net"; nocase; http_client_body; fast_pattern; content:!"work"; within:4; nocase; http_client_body; content:"user"; nocase; within:11; http_client_body; content:!"-agent"; nocase; http_client_body; within:6; pcre:"/net(?:%(?:25)?20|\s)+user/Pi"; classtype:bad-unknown; sid:2016680; rev:7; metadata:created_at 2013_03_27, updated_at 2013_03_27;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell Generic - netsh firewall"; flow:established,to_server; content:"netsh"; nocase; fast_pattern; http_client_body; content:"firewall"; within:15; http_client_body; classtype:bad-unknown; sid:2016681; rev:1; metadata:created_at 2013_03_27, updated_at 2013_03_27;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell Generic - reg HKEY_LOCAL_MACHINE"; flow:established,to_server; content:"reg"; nocase; http_client_body; content:"HKEY_LOCAL_MACHINE"; nocase; within:80; http_client_body; classtype:bad-unknown; sid:2016682; rev:1; metadata:created_at 2013_03_27, updated_at 2013_03_27;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell Generic - wget http - POST"; flow:established,to_server; content:"wget"; nocase; http_client_body; content:"http"; nocase; http_client_body; within:11; classtype:bad-unknown; sid:2016683; rev:1; metadata:created_at 2013_03_27, updated_at 2013_03_27;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - JSPCMD - Form"; flow:established,to_client; file_data; content:"<FORM METHOD=\"GET\" NAME=\"comments\" ACTION=\"\">"; classtype:bad-unknown; sid:2016684; rev:1; metadata:created_at 2013_03_27, updated_at 2013_03_27;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - MySQL Interface - Auth Prompt"; flow:established,to_client; file_data; content:"bG9nb25fc3VibWl0"; classtype:bad-unknown; sid:2016689; rev:1; metadata:created_at 2013_04_01, updated_at 2013_04_01;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - PHPShell - Comment"; flow:established,to_client; file_data; content:"<!-- PHPShell "; classtype:attempted-user; sid:2016760; rev:1; metadata:created_at 2013_04_16, updated_at 2013_04_16;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - PHPShell - Haxplorer URI"; flow:established,to_server; content:".php?&s=r&cmd=dir&dir="; http_uri; classtype:attempted-user; sid:2016761; rev:1; metadata:created_at 2013_04_16, updated_at 2013_04_16;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - PHPShell - PHPKonsole URI"; flow:established,to_server; content:".php?&s=r&cmd=con"; http_uri; classtype:attempted-user; sid:2016762; rev:1; metadata:created_at 2013_04_16, updated_at 2013_04_16;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 8880 (msg:"ET WEB_SERVER Plesk Panel Possible HTTP_AUTH_LOGIN SQLi CVE-2012-1557"; flow:established,to_server;  content:"POST "; depth:5; content:"/enterprise/control/agent.php"; distance:0; content:"HTTP_AUTH_LOGIN|3a|"; distance:0; pcre:"/^[^\r\n]*?[\x27\x22\t\\%\x00\x08\x26]/R"; reference:cve,CVE-2012-1557; classtype:attempted-user; sid:2016792; rev:3; metadata:created_at 2013_04_26, updated_at 2013_04_26;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion password.properties access"; flow:established,to_server; content:"GET"; http_method; nocase; content:"password.properties"; http_uri; nocase; reference:url,cxsecurity.com/issue/WLB-2013050065; classtype:web-application-attack; sid:2016836; rev:2; metadata:created_at 2013_05_08, updated_at 2013_05_08;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER  ColdFusion path disclosure to get the absolute path"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/administrator/analyzer/index.cfm"; http_uri; nocase; content:"|2e 2e 2f|"; http_raw_uri; reference:url,www.exploit-db.com/exploits/25305/; classtype:web-application-attack; sid:2016841; rev:3; metadata:created_at 2013_05_09, updated_at 2013_05_09;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion scheduletasks access"; flow:established,to_server; content:"/CFIDE/administrator/scheduler/scheduletasks.cfm"; http_uri; nocase; reference:url,exploit-db.com/exploits/24946/; classtype:web-application-attack; sid:2016842; rev:1; metadata:created_at 2013_05_14, updated_at 2013_05_14;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion scheduleedit access"; flow:established,to_server; content:"/CFIDE/administrator/scheduler/scheduleedit.cfm"; http_uri; nocase; reference:url,exploit-db.com/exploits/24946/; classtype:web-application-attack; sid:2016843; rev:1; metadata:created_at 2013_05_14, updated_at 2013_05_14;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER HTTPing Usage Inbound"; flow:established,to_server; content:"User-Agent|3a 20|HTTPing"; http_header; reference:url,www.vanheusden.com/httping/; classtype:policy-violation; sid:2016845; rev:1; metadata:created_at 2013_05_14, updated_at 2013_05_14;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible NGINX Overflow CVE-2013-2028 Exploit Specific"; flow:established,to_server; content:"chunked"; http_header; nocase; fast_pattern:only; pcre:"/Transfer-Encoding\x3a[^\r\n]*?chunked/Hi"; pcre:"/^[\r\n\s]*?[^\r\n]+HTTP\/1\.\d[^\r\n]*?\r?\n((?!(\r?\n\r?\n)).)*?Transfer-Encoding\x3a[^\r\n]*?Chunked((?!(\r?\n\r?\n)).)*?\r?\n\r?\n[\r\n\s]*?(f{6}[8-9a-f][0-9a-f]|[a-f0-9]{9})/si"; reference:url,www.vnsecurity.net/2013/05/analysis-of-nginx-cve-2013-2028/; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/nginx_chunked_size.rb; classtype:attempted-admin; sid:2016918; rev:6; metadata:created_at 2013_05_22, updated_at 2013_05_22;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Apache Struts Possible xwork Disable Method Execution"; flow:established,to_server; content:"xwork"; http_uri; nocase; content:"MethodAccessor"; http_uri; nocase; content:"denyMethodExecution"; http_uri; nocase; fast_pattern:only; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-admin; sid:2016920; rev:1; metadata:created_at 2013_05_23, updated_at 2013_05_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SQL Injection Select Sleep Time Delay"; flow:established,to_server; content:"SELECT"; http_uri; nocase; content:"SLEEP|28|"; http_uri; nocase; distance:0; pcre:"/\bSELECT.*?\bSLEEP\x28/Ui"; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; classtype:web-application-attack; sid:2016935; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2013_05_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SQL Injection Local File Access Attempt Using LOAD_FILE"; flow:established,to_server; content:"LOAD_FILE("; http_uri; nocase; fast_pattern:only; reference:url,dev.mysql.com/doc/refman/5.1/en/string-functions.html#function_load-file; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; classtype:web-application-attack; sid:2016936; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2013_05_28, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SQL Injection List Priveleges Attempt"; flow:established,to_server; content:"SELECT"; http_uri; nocase; content:"PRIV"; http_uri; nocase; distance:0; pcre:"/\bSELECT.*?\bPRIV/Ui"; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; classtype:web-application-attack; sid:2016937; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2013_05_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER allow_url_include PHP config option in uri"; flow:established,to_server; content:"allow_url_include"; http_uri; fast_pattern:only; pcre:"/\ballow_url_include\s*?=/U"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016977; rev:3; metadata:created_at 2013_06_05, updated_at 2013_06_05;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER safe_mode PHP config option in uri"; flow:established,to_server; content:"safe_mode"; http_uri; fast_pattern:only; pcre:"/\bsafe_mode\s*?=/U"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016978; rev:2; metadata:created_at 2013_06_05, updated_at 2013_06_05;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER suhosin.simulation PHP config option in uri"; flow:established,to_server; content:"suhosin.simulation"; http_uri; fast_pattern:only; pcre:"/\bsuhosin\.simulation\s*?=/U"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016979; rev:3; metadata:created_at 2013_06_05, updated_at 2013_06_05;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER disable_functions PHP config option in uri"; flow:established,to_server; content:"disable_functions"; http_uri; fast_pattern:only; pcre:"/\bdisable_functions[\s\+]*?=/U"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016980; rev:4; metadata:created_at 2013_06_05, updated_at 2013_06_05;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER open_basedir PHP config option in uri"; flow:established,to_server; content:"open_basedir"; http_uri; fast_pattern:only; pcre:"/\bopen_basedir\s*?=/U"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016981; rev:3; metadata:created_at 2013_06_05, updated_at 2013_06_05;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER auto_prepend_file PHP config option in uri"; flow:established,to_server; content:"auto_prepend_file"; http_uri; fast_pattern:only; pcre:"/\bauto_prepend_file\s*?=/U"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016982; rev:2; metadata:created_at 2013_06_05, updated_at 2013_06_05;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Access to /phppath/php Possible Plesk 0-day Exploit June 05 2013"; flow:established,to_server; content:"/phppath/php"; http_uri; pcre:"/\/phppath\/php\b/Ui"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:attempted-admin; sid:2016983; rev:1; metadata:created_at 2013_06_05, updated_at 2013_06_05;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell Generic - *.tar.gz in POST body"; flow:established,to_server; content:".tar.gz"; nocase; http_client_body; classtype:bad-unknown; sid:2016992; rev:1; metadata:created_at 2013_06_07, updated_at 2013_06_07;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQLi xp_cmdshell POST body"; flow:established,to_server; content:"xp_cmdshell"; nocase; http_client_body; fast_pattern:only; classtype:bad-unknown; sid:2017010; rev:3; metadata:created_at 2013_06_12, updated_at 2013_06_12;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell Generic - ELF File Uploaded"; flow:established,to_server; content:"|7F|ELF"; http_client_body; classtype:bad-unknown; sid:2017054; rev:1; metadata:created_at 2013_06_21, updated_at 2013_06_21;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - GODSpy - GOD Hacker"; flow:established,to_client; file_data; content:"GOD Hacker"; classtype:trojan-activity; sid:2017083; rev:1; metadata:created_at 2013_07_02, updated_at 2013_07_02;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - GODSpy - GODSpy title"; flow:established,to_client; file_data; content:"GODSpy</title>"; classtype:trojan-activity; sid:2017084; rev:2; metadata:created_at 2013_07_02, updated_at 2013_07_02;)

alert tcp any any -> any any (msg:"ET WEB_SERVER WebShell - GODSpy - Cookie"; flow:established; content:"godid="; http_cookie; content:"godid="; fast_pattern:only; classtype:trojan-activity; sid:2017085; rev:1; metadata:created_at 2013_07_02, updated_at 2013_07_02;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - GODSpy - MySQL"; flow:established,to_server; content:"dbhost="; http_client_body; content:"dbuser="; http_client_body; content:"dbpass="; classtype:trojan-activity; sid:2017086; rev:1; metadata:created_at 2013_07_02, updated_at 2013_07_02;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - GODSpy - Auth Prompt"; flow:established,to_client; file_data; content:"name=|22|haz|22| value=|22|pasa|22|>"; classtype:trojan-activity; sid:2017087; rev:2; metadata:created_at 2013_07_02, updated_at 2013_07_02;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - GODSPy - Auth Creds"; flow:established,to_server; content:"ctr="; http_client_body; content:"haz=pasa"; http_client_body; classtype:trojan-activity; sid:2017088; rev:1; metadata:created_at 2013_07_02, updated_at 2013_07_02;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Pouya - Pouya_Server Shell"; flow:established,to_client; file_data; content:"Pouya_Server Shell"; classtype:trojan-activity; sid:2017089; rev:1; metadata:created_at 2013_07_02, updated_at 2013_07_02;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - Pouya - URI - raiz"; flow:established,to_server; content:".asp?raiz="; http_uri; classtype:trojan-activity; sid:2017090; rev:1; metadata:created_at 2013_07_02, updated_at 2013_07_02;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - Pouya - URI - action="; flow:established,to_server; content:".asp?action="; http_uri; nocase; fast_pattern:only; pcre:"/\.asp\?action=(?:txt(?:edit|view)|upload|info|del)(&|$)/Ui"; classtype:trojan-activity; sid:2017091; rev:1; metadata:created_at 2013_07_02, updated_at 2013_07_02;)

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Generic - GIF Header With HTML Form"; flow:established,to_client; file_data; content:"GIF89a"; within:6; content:"<form "; nocase; fast_pattern; within:150; content:!"_VIEWSTATE"; classtype:trojan-activity; sid:2017134; rev:4; metadata:created_at 2013_07_11, updated_at 2013_07_11;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER CRLF Injection - Newline Characters in URL"; flow:established,to_server; content:"|0D 0A|"; fast_pattern:only; http_uri; pcre:"/[\n\r](?:content-(type|length)|set-cookie|location)\x3a/Ui"; reference:url,www.owasp.org/index.php/CRLF_Injection; classtype:web-application-attack; sid:2017143; rev:2; metadata:created_at 2013_07_12, updated_at 2013_07_12;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER HTTP Request Smuggling Attempt - Double Content-Length Headers"; flow:established,to_server; content:"Content-Length|3A|"; http_header; content:"Content-Length|3A|"; http_header; within:100; reference:url,www.owasp.org/index.php/HTTP_Request_Smuggling; classtype:web-application-attack; sid:2017146; rev:2; metadata:created_at 2013_07_12, updated_at 2013_07_12;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER HTTP Request Smuggling Attempt - Two Transfer-Encoding Values Specified"; flow:established,to_server; content:"Transfer-Encoding"; http_header; content:"Transfer-Encoding"; http_header; within:100; reference:url,www.owasp.org/index.php/HTTP_Request_Smuggling; classtype:web-application-attack; sid:2017147; rev:2; metadata:created_at 2013_07_12, updated_at 2013_07_12;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirect"; flow:established,to_server; content:"redirect|3a 25|"; http_uri; content:"{"; http_uri; distance:0; pcre:"/[\?&]redirect\x3a\x25/U"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017155; rev:2; metadata:created_at 2013_07_16, updated_at 2013_07_16;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirectAction"; flow:established,to_server; content:"redirectAction|3a 25|"; http_uri; content:"{"; http_uri; distance:0; pcre:"/[\?&]redirectAction\x3a\x25/U"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017156; rev:2; metadata:created_at 2013_07_16, updated_at 2013_07_16;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 action"; flow:established,to_server; content:"action|3a 25|"; http_uri; content:"{"; http_uri; distance:0; pcre:"/[\?&]action\x3a\x25/U"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017157; rev:2; metadata:created_at 2013_07_16, updated_at 2013_07_16;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirect"; flow:established,to_server; content:"redirect|3a|"; http_client_body; content:"{"; http_client_body; distance:0; pcre:"/\bredirect\x3a/P"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017174; rev:4; metadata:created_at 2013_07_23, updated_at 2013_07_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirectAction"; flow:established,to_server; content:"redirectAction|3a|"; http_client_body; content:"{"; http_client_body; pcre:"/\bredirectAction\x3a/P"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017175; rev:4; metadata:created_at 2013_07_23, updated_at 2013_07_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 action"; flow:established,to_server; content:"action|3a|"; http_client_body; content:"{"; http_client_body; distance:0; pcre:"/\baction\x3a/P"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017176; rev:4; metadata:created_at 2013_07_23, updated_at 2013_07_23;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell ASPXShell - Title"; flow:established,to_client; file_data; content:"<title>"; content:"ASPX Shell"; fast_pattern; nocase;  content:"</title>"; distance:0; classtype:trojan-activity; sid:2017183; rev:3; metadata:created_at 2013_07_24, updated_at 2013_07_24;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell Generic - ASP File Uploaded"; flow:established,to_server; content:"|0D 0A|"; http_client_body; content:"<%"; within:5; http_client_body; fast_pattern; content:"%>"; http_client_body; distance:0; pcre:"/<%[\x00-\x7f]{20}/P"; classtype:trojan-activity; sid:2017260; rev:10; metadata:created_at 2013_07_31, updated_at 2013_07_31;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Apache Struts OGNL in Dynamic Action"; flow:established,to_server; content:"/${"; http_uri; fast_pattern:only; pcre:"/\/\$\{[^\}\x2c]+?=/U"; reference:cve,2013-2135; reference:bugtraq,60345; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; classtype:attempted-user; sid:2017277; rev:3; metadata:created_at 2013_08_06, updated_at 2013_08_06;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible OpenX Backdoor Backdoor Access POST to flowplayer"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/flowplayer-3.1.1.min.js"; http_uri; nocase; reference:url,blog.sucuri.net/2013/08/openx-org-compromised-and-downloads-injected-with-a-backdoor.html; classtype:trojan-activity; sid:2017280; rev:2; metadata:created_at 2013_08_06, updated_at 2013_08_06;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER - EXE File Uploaded - Hex Encoded"; flow:established,to_server; content:"4d5a"; nocase; http_client_body; content:"50450000"; distance:0; http_client_body; classtype:bad-unknown; sid:2017293; rev:1; metadata:created_at 2013_08_06, updated_at 2013_08_06;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Joomla Upload File Filter Bypass"; flow:established,to_server; content:"option=com_media"; http_uri; nocase; fast_pattern:only; content:"Filedata[]"; http_client_body; nocase; pcre:"/filename[\r\n\s]*?=[\r\n\s]*?[\x22\x27]?[^\r\n\x22\x27\x3b]+?\.[\r\n\x3b\x22\x27]/Pi"; classtype:attempted-user; sid:2017327; rev:1; metadata:created_at 2013_08_14, updated_at 2013_08_14;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SQLi - SELECT and sysobject"; flow:established,to_server; content:"SELECT"; nocase; content:"sysobjects"; distance:0; nocase; classtype:attempted-admin; sid:2017330; rev:1; metadata:created_at 2013_08_14, updated_at 2013_08_14;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ATTACKER SQLi - SELECT and Schema Columns"; flow:established,to_server; content:"SELECT"; nocase; content:"information_schema.columns"; distance:0; nocase; classtype:attempted-user; sid:2017337; rev:1; metadata:created_at 2013_08_19, updated_at 2013_08_19;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Coldfusion 9 Auth Bypass CVE-2013-0632"; flow:to_server; content:"POST"; http_method; content:"/adminapi/administrator.cfc?"; http_uri; nocase; content:"method"; http_uri; nocase; content:"login"; http_uri; nocase; content:"rdsPasswordAllowed"; nocase; http_client_body; fast_pattern:only; pcre:"/rdsPasswordAllowed[\r\n\s]*?=[\r\n\s]*?(true|1)/Pi"; reference:url,www.exploit-db.com/exploits/27755/; reference:cve,2013-0632; classtype:attempted-user; sid:2017366; rev:1; metadata:created_at 2013_08_21, updated_at 2013_08_21;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - ASPyder - Auth Creds"; flow:established,to_server; content:!"&date="; http_client_body; content:"code="; http_client_body; depth:5; content:"&submit="; distance:0; http_client_body; classtype:trojan-activity; sid:2017389; rev:4; metadata:created_at 2013_08_28, updated_at 2013_08_28;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - ASPyder - File Browser - Interface"; flow:established,to_client; file_data; content:"document.myform.txtpath.value"; classtype:trojan-activity; sid:2017390; rev:2; metadata:created_at 2013_08_28, updated_at 2013_08_28;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - ASPyder - Auth Prompt"; flow:established,to_client; file_data; content:"<INPUT type=password name=code >"; classtype:trojan-activity; sid:2017391; rev:1; metadata:created_at 2013_08_28, updated_at 2013_08_28;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - ASPyder - File Browser - POST Structure"; flow:established,to_server; content:"POST"; http_method; nocase; content:"txtpath="; http_client_body; depth:8; content:"&cmd="; http_client_body; classtype:trojan-activity; sid:2017392; rev:1; metadata:created_at 2013_08_28, updated_at 2013_08_28;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - ASPyder -File Upload - POST Structure"; flow:established,to_server; content:"POST"; http_method; nocase; content:"?upload=@&txtpath="; http_uri; content:"Upload !"; http_client_body; classtype:trojan-activity; sid:2017393; rev:1; metadata:created_at 2013_08_28, updated_at 2013_08_28;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - ASPyder - File Upload - Response"; flow:established,to_client; file_data; content:"<title>ASPYDrvsInfo</title>"; classtype:trojan-activity; sid:2017394; rev:1; metadata:created_at 2013_08_28, updated_at 2013_08_28;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of base64_decode"; flow:established,from_server; file_data; content:"base64_decode"; nocase; fast_pattern:only; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?base64_decode/Rsi"; classtype:trojan-activity; sid:2017399; rev:6; metadata:created_at 2013_08_30, updated_at 2013_08_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of gzinflate"; flow:established,from_server; file_data; content:"gzinflate"; nocase; fast_pattern:only; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?gzinflate/Rsi"; classtype:trojan-activity; sid:2017400; rev:6; metadata:created_at 2013_08_30, updated_at 2013_08_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of str_rot13"; flow:established,from_server; file_data; content:"str_rot13"; nocase; fast_pattern:only; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?str_rot13/Rsi"; classtype:trojan-activity; sid:2017401; rev:6; metadata:created_at 2013_08_30, updated_at 2013_08_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of gzuncompress"; flow:established,from_server; file_data; content:"gzuncompress"; nocase; fast_pattern:only; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?gzuncompress/Rsi"; classtype:trojan-activity; sid:2017402; rev:6; metadata:created_at 2013_08_30, updated_at 2013_08_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of convert_uudecode"; flow:established,from_server; file_data; content:"convert_uudecode"; nocase; fast_pattern:only; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?convert_uudecode/Rsi"; classtype:trojan-activity; sid:2017403; rev:6; metadata:created_at 2013_08_30, updated_at 2013_08_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP SERVER SuperGlobal in URI"; flow:established,to_server; content:"_SERVER["; fast_pattern:only; http_uri; pcre:"/[&\?]_SERVER\[[^\]]+?\][^=]*?=/U"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017436; rev:1; metadata:created_at 2013_09_10, updated_at 2013_09_10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP GET SuperGlobal in URI"; flow:established,to_server; content:"_GET["; fast_pattern:only; http_uri; pcre:"/[&\?]_GET\[[^\]]+?\][^=]*?=/U"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017437; rev:1; metadata:created_at 2013_09_10, updated_at 2013_09_10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP POST SuperGlobal in URI"; flow:established,to_server; content:"_POST["; fast_pattern:only; http_uri; pcre:"/[&\?]_POST\[[^\]]+?\][^=]*?=/U"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017438; rev:1; metadata:created_at 2013_09_10, updated_at 2013_09_10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP COOKIE SuperGlobal in URI"; flow:established,to_server; content:"_COOKIE["; fast_pattern:only; http_uri; pcre:"/[&\?]_COOKIE\[[^\]]+?\][^=]*?=/U"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017439; rev:1; metadata:created_at 2013_09_10, updated_at 2013_09_10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP SESSION SuperGlobal in URI"; flow:established,to_server; content:"_SESSION["; fast_pattern:only; http_uri; pcre:"/[&\?]_SESSION\[[^\]]+?\][^=]*?=/U"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017440; rev:1; metadata:created_at 2013_09_10, updated_at 2013_09_10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP REQUEST SuperGlobal in URI"; flow:established,to_server; content:"_REQUEST["; fast_pattern:only; http_uri; pcre:"/[&\?]_REQUEST\[[^\]]+?\][^=]*?=/U"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017441; rev:1; metadata:created_at 2013_09_10, updated_at 2013_09_10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP ENV SuperGlobal in URI"; flow:established,to_server; content:"_ENV["; fast_pattern:only; http_uri; pcre:"/[&\?]_ENV\[[^\]]+?\][^=]*?=/U"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017442; rev:1; metadata:created_at 2013_09_10, updated_at 2013_09_10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP SERVER SuperGlobal in POST"; flow:established,to_server; content:"_SERVER["; fast_pattern:only; http_client_body; pcre:"/(?:[&\?\r\n]|^)_SERVER\[[^\]]+?\][^=]*?=/P"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017443; rev:1; metadata:created_at 2013_09_10, updated_at 2013_09_10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP GET SuperGlobal in POST"; flow:established,to_server; content:"_GET["; fast_pattern:only; http_client_body; pcre:"/(?:[&\?\r\n]|^)_GET\[[^\]]+?\][^=]*?=/P"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017444; rev:1; metadata:created_at 2013_09_10, updated_at 2013_09_10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP POST SuperGlobal in POST"; flow:established,to_server; content:"_POST["; fast_pattern:only; http_client_body; pcre:"/(?:[&\?\r\n]|^)_POST\[[^\]]+?\][^=]*?=/P"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017445; rev:1; metadata:created_at 2013_09_10, updated_at 2013_09_10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP COOKIE SuperGlobal in POST"; flow:established,to_server; content:"_COOKIE["; fast_pattern:only; http_client_body; pcre:"/[&\?]_COOKIE\[[^\]]+?\][^=]*?=/P"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017446; rev:1; metadata:created_at 2013_09_10, updated_at 2013_09_10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP SESSION SuperGlobal in POST"; flow:established,to_server; content:"_SESSION["; fast_pattern:only; http_client_body; pcre:"/[&\?]_SESSION\[[^\]]+?\][^=]*?=/P"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017447; rev:1; metadata:created_at 2013_09_10, updated_at 2013_09_10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP REQUEST SuperGlobal in POST"; flow:established,to_server; content:"_REQUEST["; fast_pattern:only; http_client_body; pcre:"/[&\?]_REQUEST\[[^\]]+?\][^=]*?=/P"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017448; rev:1; metadata:created_at 2013_09_10, updated_at 2013_09_10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP ENV SuperGlobal in POST"; flow:established,to_server; content:"_ENV["; fast_pattern:only; http_client_body; pcre:"/[&\?]_ENV\[[^\]]+?\][^=]*?=/P"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017449; rev:1; metadata:created_at 2013_09_10, updated_at 2013_09_10;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER UA WordPress probable DDOS-Attack"; flow:established,to_server; content:"User-Agent|3A| Wordpress/"; http_header; metadata: former_category WEB_SERVER; reference:url,thehackernews.com/2013/09/thousands-of-wordpress-blogs.html; reference:url,pastebin.com/NP64hTQr; classtype:bad-unknown; sid:2017528; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2013_09_30, updated_at 2017_05_11;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER PHP WebShell Embedded In GIF (OUTBOUND)"; flow:established,to_client; file_data; content:"GIF89"; within:5; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017604; rev:1; metadata:created_at 2013_10_17, updated_at 2013_10_17;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER PHP WebShell Embedded In JPG (OUTBOUND)"; flow:established,to_client; file_data; content:"JFIF|00|"; distance:6; within:5; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017605; rev:1; metadata:created_at 2013_10_17, updated_at 2013_10_17;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER PHP WebShell Embedded In PNG (OUTBOUND)"; flow:established,to_client; file_data; content:"PNG|0D 0A 1A 0A|"; distance:1; within:7; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017606; rev:1; metadata:created_at 2013_10_17, updated_at 2013_10_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP WebShell Embedded In GIF (INBOUND)"; flow:established,from_server; file_data; content:"GIF89"; within:5; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017607; rev:1; metadata:created_at 2013_10_17, updated_at 2013_10_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP WebShell Embedded In JPG (INBOUND)"; flow:established,from_server; file_data; content:"JFIF|00|"; distance:6; within:5; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017608; rev:1; metadata:created_at 2013_10_17, updated_at 2013_10_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP WebShell Embedded In PNG (INBOUND)"; flow:established,from_server; file_data; content:"PNG|0D 0A 1A 0A|"; distance:1; within:7; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017609; rev:1; metadata:created_at 2013_10_17, updated_at 2013_10_17;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Encrypted Webshell Download"; flow:established,to_client; file_data; content:"eval"; content:"mcrypt_decrypt"; distance:0; within:30; reference:url,blog.sucuri.net/2013/10/backdoor-evasion-using-encrypted-content.html; classtype:bad-unknown; sid:2017640; rev:2; metadata:affected_product PHP, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2013_10_28, performance_impact Low, updated_at 2017_01_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Encrypted Webshell in POST"; flow:established,to_server; content:"POST"; http_method; content:"eval"; http_client_body; content:"mcrypt_decrypt"; http_client_body; distance:0; reference:url,blog.sucuri.net/2013/10/backdoor-evasion-using-encrypted-content.html; classtype:bad-unknown; sid:2017641; rev:2; metadata:created_at 2013_10_28, updated_at 2013_10_28;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible SUPERMICRO IPMI login.cgi Name Parameter Buffer Overflow Attempt CVE-2013-3621"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/cgi/login.cgi"; http_uri; nocase; content:"name="; nocase; http_client_body; content:"pwd="; http_client_body; nocase; pcre:"/(?:^|[\n\&])pwd=/Pi"; pcre:"/(?:^|[\n\&])name=(?:%\d{2}|[^%&]){129}/Pi"; reference:cve,CVE-2013-3621; reference:url,community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities; classtype:attempted-admin; sid:2017684; rev:1; metadata:created_at 2013_11_07, updated_at 2013_11_07;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible SUPERMICRO IPMI login.cgi PWD Parameter Buffer Overflow Attempt CVE-2013-3621"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/cgi/login.cgi"; http_uri; nocase; content:"name="; http_client_body; nocase; content:"pwd="; http_client_body; nocase; pcre:"/(?:^|[\n\&])name=/Pi"; pcre:"/(?:^|[\n\&])pwd=(?:%\d{2}|[^%&]){25}/Pi"; reference:cve,CVE-2013-3621; reference:url,community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities; classtype:attempted-admin; sid:2017685; rev:1; metadata:created_at 2013_11_07, updated_at 2013_11_07;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible SUPERMICRO IPMI close_window.cgi sess_sid Parameter Buffer Overflow Attempt CVE-2013-3623"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/cgi/close_window.cgi"; http_uri; nocase; content:"sess_sid="; http_client_body; nocase; pcre:"/(?:^|[\n\&])sess_sid=(?:%\d{2}|[^%&]){21}/P"; reference:cve,CVE-2013-3623; reference:url,community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities; classtype:attempted-admin; sid:2017686; rev:1; metadata:created_at 2013_11_07, updated_at 2013_11_07;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible SUPERMICRO IPMI close_window.cgi ACT Parameter Buffer Overflow Attempt CVE-2013-3623"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/cgi/close_window.cgi"; http_uri; nocase; content:"ACT="; http_client_body; nocase; pcre:"/(?:^|[\n\&])ACT=(?:%\d{2}|[^%&]){21}/Pi"; reference:cve,CVE-2013-3623; reference:url,community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities; classtype:attempted-admin; sid:2017687; rev:1; metadata:created_at 2013_11_07, updated_at 2013_11_07;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible SUPERMICRO IPMI url_redirect.cgi Directory Traversal Attempt"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/cgi/url_redirect.cgi"; http_uri; nocase; content:"|2e 2e 2f|"; http_raw_uri; reference:url,community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities; classtype:attempted-admin; sid:2017688; rev:1; metadata:created_at 2013_11_07, updated_at 2013_11_07;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WEBSHELL pwn.jsp shell"; flow:established,to_server; content:"/pwn.jsp?"; http_uri; nocase; fast_pattern:only; content:"cmd="; http_uri; nocase; reference:url,nickhumphreyit.blogspot.co.il/2013/10/jboss-42-hacked-by-pwnjsp.html; reference:url,blog.imperva.com/2013/11/threat-advisory-a-jboss-as-exploit-web-shell-code-injection.html; classtype:attempted-admin; sid:2017734; rev:3; metadata:created_at 2013_11_19, updated_at 2013_11_19;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible WebLogic Admin Login With Default Creds"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/console/j_security_check"; http_uri; nocase; content:"j_username=system"; http_client_body; nocase; content:"j_password=Passw0rd"; http_client_body; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-admin; sid:2017803; rev:3; metadata:created_at 2013_12_06, updated_at 2013_12_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible WebLogic Admin Login With Default Creds"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/console/j_security_check"; http_uri; nocase; content:"j_username=system"; http_client_body; content:"j_password=password"; http_client_body; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-admin; sid:2017804; rev:2; metadata:created_at 2013_12_06, updated_at 2013_12_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible WebLogic Monitor Login With Default Creds"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/console/j_security_check"; http_uri; nocase; content:"j_username=monitor"; http_client_body; content:"j_password=password"; http_client_body; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-user; sid:2017805; rev:2; metadata:created_at 2013_12_06, updated_at 2013_12_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible WebLogic Operator Login With Default Creds"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/console/j_security_check"; http_uri; nocase; content:"j_username=operator"; http_client_body; content:"j_password=password"; http_client_body; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-user; sid:2017806; rev:1; metadata:created_at 2013_12_06, updated_at 2013_12_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible MySQL SQLi User-Dump Attempt"; flow:to_server,established; content:"select"; nocase; http_uri; content:"mysql.user"; http_uri; nocase; distance:1; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; classtype:web-application-attack; sid:2017807; rev:2; metadata:created_at 2013_12_06, updated_at 2013_12_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible MySQL SQLi Attempt Information Schema Access"; flow:to_server,established; content:"information_schema"; nocase; http_uri; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; classtype:web-application-attack; sid:2017808; rev:1; metadata:created_at 2013_12_06, updated_at 2013_12_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER IIS ISN BackDoor Command GetLog"; flow:established,to_server; content:"isn_getlog"; http_uri; nocase; fast_pattern:only; pcre:"/[?&]isn_getlog/Ui"; reference:url,blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module.html; classtype:trojan-activity; sid:2017820; rev:4; metadata:created_at 2013_12_09, updated_at 2013_12_09;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER IIS ISN BackDoor Command Delete Log"; flow:established,to_server; content:"isn_logdel"; http_uri; nocase; fast_pattern:only; pcre:"/[?&]isn_logdel/Ui"; reference:url,blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module.html; classtype:trojan-activity; sid:2017821; rev:5; metadata:created_at 2013_12_09, updated_at 2013_12_09;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER IIS ISN BackDoor Command Get Logpath"; flow:established,to_server; content:"isn_logpath"; http_uri; nocase; fast_pattern:only; pcre:"/[?&]isn_logpath/Ui"; reference:url,blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module.html; classtype:trojan-activity; sid:2017822; rev:5; metadata:created_at 2013_12_09, updated_at 2013_12_09;)

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Perl/Mambo.WebShell Spreader IRC Scanning Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Scanning"; fast_pattern; within:50; content:"for open ports."; within:40; classtype:trojan-activity; sid:2017828; rev:2; metadata:created_at 2013_12_09, updated_at 2013_12_09;)

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Perl/Mambo.WebShell Spreader IRC Open Ports Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Open port(s)|3A| "; fast_pattern; within:50; classtype:trojan-activity; sid:2017829; rev:2; metadata:created_at 2013_12_09, updated_at 2013_12_09;)

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Perl/Mambo.WebShell Spreader IRC No Open Ports Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"No open ports found"; fast_pattern; within:50; classtype:trojan-activity; sid:2017830; rev:1; metadata:created_at 2013_12_09, updated_at 2013_12_09;)

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Attacking Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Attacking"; within:50; fast_pattern; classtype:trojan-activity; sid:2017831; rev:2; metadata:created_at 2013_12_09, updated_at 2013_12_09;)

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Attack Done Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Attack"; fast_pattern; within:50; content:"done"; within:8; classtype:trojan-activity; sid:2017832; rev:1; metadata:created_at 2013_12_09, updated_at 2013_12_09;)

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS PerlBot Version Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"perlb0t ver"; within:50; classtype:trojan-activity; sid:2017833; rev:2; metadata:created_at 2013_12_09, updated_at 2013_12_09;)

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Mambo Scanning Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Scanning for unpatched mambo for"; within:80; classtype:trojan-activity; sid:2017834; rev:2; metadata:created_at 2013_12_09, updated_at 2013_12_09;)

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Exploited Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Exploited"; within:50; content:"boxes in"; within:30; classtype:trojan-activity; sid:2017835; rev:3; metadata:created_at 2013_12_09, updated_at 2013_12_09;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Coldfusion cfcexplorer Directory Traversal"; flow:established,to_server; content:"/cfcexplorer.cfc"; nocase; http_uri; fast_pattern:only; content:"path="; nocase; pcre:"/^[^&]*?(?:%(?:25)?2e(?:%(?:(?:25)?2e(?:%(?:25)?5c|\/|\\)|2e(?:25)?%(?:25)?2f)|\.(?:%(?:25)?(?:2f|5c)|\/|\\))|\.(?:%(?:25)?2e(?:%(?:25)?(?:2f|5c)|\/|\\)|\.(?:%(?:25)?(?:2f|5c)|\/|\\)))/Ri"; reference:url,blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module-prologue-method-of-entry-analysis.html; classtype:attempted-user; sid:2017875; rev:1; metadata:created_at 2013_12_16, updated_at 2013_12_16;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8983 (msg:"ET WEB_SERVER Apache Solr Arbitrary XSLT inclusion attack"; flow:to_server,established; content:"../../"; fast_pattern:only; content:"&wt=xslt"; nocase; content:"&tr="; reference:cve,CVE-2013-6397; reference:url,www.agarri.fr/kom/archives/2013/11/27/compromising_an_unreachable_solr_server_with_cve-2013-6397/index.html; classtype:attempted-user; sid:2017882; rev:1; metadata:created_at 2013_12_17, updated_at 2013_12_17;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER ATTACKER WebShell - PHP Offender - Title"; flow:established,to_client; file_data; content:"<title>PHP Shell offender</title>"; nocase; classtype:web-application-attack; sid:2017951; rev:2; metadata:created_at 2014_01_10, updated_at 2014_01_10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ATTACKER WebShell - PHP Offender - POST Command"; flow:established,to_server; content:"work_dir="; http_client_body; content:"command="; http_client_body; content:"submit_btn=Execute+Command"; http_client_body; classtype:web-application-attack; sid:2017952; rev:1; metadata:created_at 2014_01_10, updated_at 2014_01_10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible XXE SYSTEM ENTITY in POST BODY."; flow:established,to_server; content:"DOCTYPE"; http_client_body; nocase; fast_pattern:only; content:"SYSTEM"; nocase; http_client_body; content:"ENTITY"; nocase; pcre:"/^\s+?[^\s\>]+?\s+?SYSTEM\s/Ri"; classtype:trojan-activity; sid:2018056; rev:1; metadata:created_at 2014_02_03, updated_at 2014_02_03;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Oracle Reports Forms RCE CVE-2012-3152"; flow:established,to_server; content:"/reports/rwservlet?"; http_uri; nocase; content:"JOBTYPE"; http_uri; nocase; content:"rwurl"; nocase; http_uri; content:"URLPARAMETER"; http_uri; nocase; pcre:"/URLPARAMETER\s*?=\s*?[\x22\x27]?(?:f(?:ile|tp)|gopher|https?|mailto)\s*?\x3a/Ui"; reference:url,netinfiltration.com; classtype:web-application-attack; sid:2018092; rev:1; metadata:created_at 2014_02_06, updated_at 2014_02_06;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Oracle Reports Parse Query Returned Creds CVE-2012-3153"; flow:established,to_client; file_data; content:"Result Reports Server Command"; content:"userid="; distance:0; content:"/"; distance:0; content:"@"; distance:0; reference:url,netinfiltration.com; classtype:web-application-attack; sid:2018093; rev:1; metadata:created_at 2014_02_06, updated_at 2014_02_06;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Apache Tomcat Boundary Overflow DOS/File Upload Attempt"; flow:established,to_server; content:"POST"; http_method; content:"multipart/form-data"; http_header; fast_pattern:only; content:"Content-Type|3A|"; nocase; pcre:"/^[^\r\n]*?boundary\s*?=\s*?[^\r\n]/Ri"; isdataat:4091,relative; content:!"|0A|"; within:4091; reference:url,blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html; reference:cve,2014-0050; classtype:web-application-attack; sid:2018113; rev:1; metadata:created_at 2014_02_12, updated_at 2014_02_12;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Recon-ng User-Agent"; flow: established,to_server; content:"User-Agent|3a| Recon-ng"; http_header; reference:url,itbucket.org/LaNMaSteR53/recon-ng/overview; classtype:attempted-recon; sid:2018118; rev:1; metadata:created_at 2014_02_12, updated_at 2014_02_12;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER log4jAdmin access from non-local network (can modify logging levels)"; flow:established,to_server; content:"/log4jAdmin.jsp"; http_uri; fast_pattern:only; reference:url, gist.github.com/iamkristian/943918; classtype:web-application-activity; sid:2018202; rev:1; metadata:created_at 2014_03_03, updated_at 2014_03_03;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER log4jAdmin access from non-local network Page Body (can modify logging levels)"; flow:established,from_server; file_data; content:"<title>Log4J Administration</title>"; fast_pattern:only; content:"Change Log Level To"; reference:url, gist.github.com/iamkristian/943918; classtype:web-application-activity; sid:2018203; rev:1; metadata:created_at 2014_03_03, updated_at 2014_03_03;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WEBSHELL CFM Shell Access"; flow:established,from_server; file_data; content:"<title>CFM shell"; nocase; reference:url,blog.spiderlabs.com/2014/03/coldfusion-admin-compromise-analysis-cve-2010-2861.html; classtype:successful-admin; sid:2018290; rev:1; metadata:created_at 2014_03_18, updated_at 2014_03_18;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WEBSHELL K-Shell/ZHC Shell 1.0/Aspx Shell Backdoor NetCat_Listener"; flow:established,from_server; file_data; content:"Silentz's Tricks:"; content:"action=cmd2"; content:"Start NC"; reference:url,www.fidelissecurity.com/webfm_send/377; reference:url,pastebin.com/XAG1Hnfd; classtype:web-application-attack; sid:2018369; rev:1; metadata:created_at 2014_04_07, updated_at 2014_04_07;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ATTACKER WebShell - Zehir4.asp"; flow:established,to_server; content:".asp?mevla=1"; http_uri; nocase; fast_pattern:only; reference:url,pastebin.com/m44e60e60; reference:url,www.fidelissecurity.com/webfm_send/377; classtype:web-application-attack; sid:2018370; rev:3; metadata:created_at 2014_04_07, updated_at 2014_04_07;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER ATTACKER WebShell - Zehir4.asp - content"; flow:established,from_server; file_data; content:"<title>zehir3--> powered by zehir"; content:"Sistem Bilgileri"; content:"color=red>Local Adres</td"; content:"zehirhacker"; reference:url,pastebin.com/m44e60e60; reference:url,www.fidelissecurity.com/webfm_send/377; classtype:web-application-attack; sid:2018371; rev:1; metadata:created_at 2014_04_07, updated_at 2014_04_07;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SUSPICIOUS Possible WebShell Login Form (Outbound)"; flow:established,from_server; file_data; content:"<pre align=center><form method=post>Password|3a| <input type=password name=pass><input type=submit value=|27|>>|27|></form></pre>"; within:120; isdataat:!2,relative; reference:url,blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html; classtype:trojan-activity; sid:2018459; rev:1; metadata:created_at 2014_05_09, updated_at 2014_05_09;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [9200,9292] (msg:"ET WEB_SERVER Possible CVE-2014-3120 Elastic Search Remote Code Execution Attempt"; flow:established,to_server; content:"search"; nocase; content:"source="; nocase; distance:0; content:"script_fields"; nocase; distance:0; content:"import"; distance:0; nocase; content:"java."; nocase; distance:0; reference:url,bouk.co/blog/elasticsearch-rce/; classtype:attempted-admin; sid:2018495; rev:2; metadata:created_at 2014_05_21, updated_at 2014_05_21;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER c99 Shell Backdoor Var Override URI"; flow:to_server,established; content:"c99shcook["; nocase; http_uri; fast_pattern:only; pcre:"/[&?]c99shcook\[/Ui"; reference:url,thehackerblog.com/every-c99-php-shell-is-backdoored-aka-free-shells/; classtype:trojan-activity; sid:2018601; rev:1; metadata:created_at 2014_06_24, updated_at 2014_06_24;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER c99 Shell Backdoor Var Override Cookie"; flow:to_server,established; content:"c99shcook"; nocase; fast_pattern:only; pcre:"/c99shcook/Ci"; reference:url,thehackerblog.com/every-c99-php-shell-is-backdoored-aka-free-shells/; classtype:trojan-activity; sid:2018602; rev:1; metadata:created_at 2014_06_24, updated_at 2014_06_24;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER c99 Shell Backdoor Var Override Client Body"; flow:to_server,established; content:"c99shcook["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&)c99shcook\[/Pi"; reference:url,thehackerblog.com/every-c99-php-shell-is-backdoored-aka-free-shells/; classtype:trojan-activity; sid:2018603; rev:1; metadata:created_at 2014_06_24, updated_at 2014_06_24;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP Crawler"; flow:established,to_server; content:"User-Agent|3a 20|PHPCrawl|0d 0a|"; http_header; threshold:type limit, track by_src, count 1, seconds 300; reference:url,phpcrawl.cuab.de/; classtype:attempted-user; sid:2018607; rev:1; metadata:created_at 2014_06_25, updated_at 2014_06_25;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Adobe Flash Player Rosetta Flash compressed CWS in URI"; flow:established,to_server; urilen:>70; content:"callback=CWS"; nocase; http_uri; content:"hC"; nocase; distance:5; within:2; http_uri; pcre:"/callback=CWS[a-z0-9\.\_]{5}hC[a-z0-9\.\_]{50}/Ui"; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:cve,2014-4671; classtype:attempted-user; sid:2018740; rev:1; metadata:created_at 2014_07_18, updated_at 2014_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Likely Malicious Request for /proc/self/fd/"; flow:established,to_server; content:"/proc/self/fd/"; nocase; http_uri; fast_pattern:only; classtype:web-application-attack; sid:2019110; rev:1; metadata:created_at 2014_09_04, updated_at 2014_09_04;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER HTTP POST Generic eval of base64_decode"; flow:established,to_server; content:"base64_decode"; nocase; http_client_body; fast_pattern:only; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?base64_decode/Rsi"; classtype:trojan-activity; sid:2019182; rev:1; metadata:created_at 2014_09_16, updated_at 2014_09_16;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in URI"; flow:established,to_server; content:"|28 29 20 7b|"; http_uri; fast_pattern:only; pcre:"/[=?&\x2f]\s*?\x28\x29\x20\x7b/U"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019231; rev:3; metadata:created_at 2014_09_24, updated_at 2014_09_24;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers"; flow:established,to_server; content:"|28 29 20 7b|"; http_header; fast_pattern:only; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019232; rev:3; metadata:created_at 2014_09_24, updated_at 2014_09_24;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body"; flow:established,to_server; content:"|28 29 20 7b|"; http_client_body; fast_pattern:only; pcre:"/(?:^|[=?&])\s*?\x28\x29\x20\x7b/P"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019233; rev:3; metadata:created_at 2014_09_24, updated_at 2014_09_24;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body 2"; flow:established,to_server; content:"|25|28|25|29|25|20|25|7b|25|20"; http_client_body; fast_pattern:only; pcre:"/(:?(:?\x5e|%5e)|(:?[=?&]|\x25(:?3d|3f|26)))\s*?(:?%28|\x28)(:?%29|\x29)(:?%20|\x20)(:?%7b|\x7b)(:?%20|\x20)/Pi"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019234; rev:3; metadata:created_at 2014_09_24, updated_at 2014_09_24;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number"; flow:established,to_server; content:"|20 28 29 20 7b|"; fast_pattern:only; pcre:"/^[^\s]+\s+[^\s]+\s+\x28\x29\x20\x7b[^\r\n]*?\r?$/m"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019236; rev:3; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Cookie"; flow:established,to_server; content:"|28 29 20 7b|"; fast_pattern:only; content:"|28 29 20 7b|"; http_cookie; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019239; rev:2; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body 3"; flow:established,to_server; content:"()|25|20|25|7b"; http_client_body; fast_pattern:only; pcre:"/(:?(?:\x5e|%5e)|([=?&]|\x25(?:3d|3f|26)))\s*?\(\)(?:%20|\x20)(?:%7b|\x7b)/Pi"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019241; rev:4; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 1"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|{|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019244; rev:3; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 2"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|{%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019245; rev:3; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 3"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|%7b|20|"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019246; rev:3; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 4"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|%7b%20"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019247; rev:3; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 5"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20{|20|"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019248; rev:3; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 6"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20{%20"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019249; rev:3; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 7"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20%7b|20|"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019250; rev:3; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 8"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20%7b%20"; nocase; fast_pattern; within:15; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019251; rev:3; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 9"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|{|20|"; nocase; fast_pattern; within:6; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019252; rev:3; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 10"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|{%20"; nocase; fast_pattern; within:8; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019253; rev:3; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 11"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|%7b|20|"; nocase; fast_pattern; within:8; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019254; rev:3; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 12"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|%7b%20"; nocase; fast_pattern; within:10; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019255; rev:3; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 13"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20{|20|"; nocase; fast_pattern; within:8; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019256; rev:3; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 14"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20{%20"; nocase; fast_pattern; within:10; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019257; rev:3; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 15"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20%7b|20|"; nocase; fast_pattern; within:10; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019258; rev:3; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 16"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20%7b%20"; nocase; fast_pattern; within:12; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019259; rev:3; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 17"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|{|20|"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019260; rev:3; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 18"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|{%20"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019261; rev:3; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 19"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|%7b|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019262; rev:3; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 20"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|%7b%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019263; rev:2; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 21"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20{|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019264; rev:2; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 22"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20{%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019265; rev:2; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 23"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20%7b|20|"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019266; rev:2; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 24"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20%7b%20"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019267; rev:2; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 25"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()|20|{%20"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019268; rev:3; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 26"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()|20|%7b|20|"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019269; rev:2; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 27"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()|20|%7b%20"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019270; rev:2; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 28"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()%20{|20|"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019271; rev:2; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 29"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()%20%7b|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019272; rev:2; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 30"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()%20%7b%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019273; rev:2; metadata:created_at 2014_09_25, updated_at 2014_09_25;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible bash shell piped to dev tcp Inbound to WebServer"; flow:established,to_server; content:"/dev/tcp/"; fast_pattern:only; classtype:bad-unknown; sid:2019285; rev:2; metadata:created_at 2014_09_26, updated_at 2014_09_26;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion LF"; flow:to_server,established; content:"|28 29 0a 20 7b|"; fast_pattern:only; http_header; reference:url,www.invisiblethreat.ca/2014/09/cve-2014-6271/; classtype:attempted-admin; sid:2019291; rev:2; metadata:created_at 2014_09_28, updated_at 2014_09_28;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion CRLF"; flow:to_server,established; content:"|28 29 0d 0a 20 7b|"; fast_pattern:only; http_header; reference:url,www.invisiblethreat.ca/2014/09/cve-2014-6271/; classtype:attempted-admin; sid:2019292; rev:2; metadata:created_at 2014_09_28, updated_at 2014_09_28;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER CURL Command Specifying Output in HTTP Headers"; flow:established,to_server; content:"curl "; fast_pattern:only; http_header; pcre:"/(?!^User-Agent\x3a)\bcurl\s[^\r\n]*?-(?:[Oo]|-(?:remote-name|output))[^\r\n]+(?:\x3b|&&)/Hm"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019308; rev:1; metadata:created_at 2014_09_29, updated_at 2014_09_29;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WGET Command Specifying Output in HTTP Headers"; flow:established,to_server; content:"wget "; fast_pattern:only; http_header; pcre:"/(?!^User-Agent\x3a)\bwget\s[^\r\n]+(?:\x3b|&&)/Hm"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019309; rev:1; metadata:created_at 2014_09_29, updated_at 2014_09_29;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WGET Command Specifying Output in HTTP Headers"; flow:established,to_server; content:"lwp-download "; fast_pattern:only; http_header; pcre:"/(?!^User-Agent\x3a)\blwp-download\s[^\r\n]+(?:\x3b|&&)/Hm"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019310; rev:1; metadata:created_at 2014_09_29, updated_at 2014_09_29;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible bash shell piped to dev udp Inbound to WebServer"; flow:established,to_server; content:"/dev/udp/"; fast_pattern:only; classtype:bad-unknown; sid:2019314; rev:2; metadata:created_at 2014_09_29, updated_at 2014_09_29;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER MongoDB Negated Parameter Server Side JavaScript Injection Attempt"; flow:established,to_server; content:"[$ne]"; http_uri; fast_pattern:only; reference:url,blog.imperva.com/2014/10/nosql-ssji-authentication-bypass.html; reference:url,docs.mongodb.org/manual/reference/operator/query/ne/; classtype:web-application-attack; sid:2019460; rev:1; metadata:created_at 2014_10_17, updated_at 2014_10_17;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Cookie Based BackDoor Used in Drupal Attacks"; flow:established,to_server; content:"preg_replace"; http_cookie; nocase; reference:url,www.kahusecurity.com/2014/drupal-7-sql-injection-info/; classtype:attempted-user; sid:2019627; rev:1; metadata:created_at 2014_11_03, updated_at 2014_11_03;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER FOX-SRT - Backdoor - CryptoPHP Shell C2 POST"; flow:established,to_server; content:"POST"; http_method; content:"Content-Disposition|3a| form-data|3b| name=|22|serverKey|22|"; http_client_body; fast_pattern:28,20; content:"Content-Disposition|3a| form-data|3b| name=|22|data|22|"; http_client_body; content:"Content-Disposition|3a| form-data|3b| name=|22|key|22|"; http_client_body; content:!"Referer|3a| "; http_header; content:!"User-Agent"; http_header; content:!"Cookie|3a|"; threshold: type limit, track by_src, count 1, seconds 600; reference:url,blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/; classtype:trojan-activity; sid:2019748; rev:1; metadata:created_at 2014_11_20, updated_at 2014_11_20;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER FOX-SRT - Backdoor - CryptoPHP Shell C2 POST (fsockopen)"; flow:established,to_server; content:"POST"; http_method; content:"Content-Type: application/x-www-form-urlencoded"; http_header; content:"Connection|3a| close"; http_header; content:"serverKey="; fast_pattern; content:"data="; content:"key="; content:!"Referer|3a|"; http_header; content:!"User-Agent"; http_header; content:!"Cookie|3a|"; threshold: type limit, track by_src, count 1, seconds 600; reference:url,blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/; classtype:trojan-activity; sid:2019749; rev:1; metadata:created_at 2014_11_20, updated_at 2014_11_20;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP.//Input in HTTP POST"; flow:established,to_server; content:"POST"; http_method; content:"php|3a 2f 2f|input"; http_raw_uri; content:"<?"; http_client_body; depth:2; reference:url,www.deependresearch.org/2014/07/another-linux-ddos-bot-via-cve-2012-1823.html; classtype:trojan-activity; sid:2019804; rev:3; metadata:created_at 2014_11_25, updated_at 2014_11_25;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Double Encoded Characters in URI (../)"; flow:to_server,established; content:"%252E%252E%252F"; nocase; http_raw_uri; content:"%252E%252E%252F"; nocase; fast_pattern; classtype:misc-attack; sid:2019880; rev:2; metadata:created_at 2014_12_05, updated_at 2014_12_05;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Insomnia Shell HTTP Request"; flow:to_server,established; content:"POST"; http_method; content:".aspx"; http_uri; content:"txtRemoteHost="; http_client_body; fast_pattern; content:"txtRemotePort="; http_client_body; distance:0; content:"txtBindPort="; http_client_body; distance:0; content:"txtPipeName="; http_client_body; distance:0; reference:url,www.insomniasec.com/releases; classtype:trojan-activity; sid:2019899; rev:1; metadata:created_at 2014_12_09, updated_at 2014_12_09;)

alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Insomnia Shell Outbound CMD Banner"; flow:to_server,established; content:"Shell enroute......."; depth:20; content:"Microsoft Windows "; content:"Copyright |28|c|29| 20"; distance:0; content:"Microsoft Corp"; distance:0; reference:url,www.insomniasec.com/releases; classtype:trojan-activity; sid:2019900; rev:1; metadata:created_at 2014_12_09, updated_at 2014_12_09;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER MorXploit Shell Command"; flow:established,to_server; content:"?cmd=ZXhpdA=="; http_uri; fast_pattern; content:"User-Agent|3a 20|Mozilla 5"; http_header; reference:url,seclists.org/fulldisclosure/2014/Nov/78; classtype:bad-unknown; sid:2019951; rev:1; metadata:created_at 2014_12_16, updated_at 2014_12_16;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Generic PHP Remote File Include"; flow:to_server,established; content:"POST"; http_method; content:"allow_url_include"; http_uri; content:"safe_mode"; http_uri; content:"php|3a 2f 2f|input"; http_raw_uri; content:"<?php"; fast_pattern:only; http_client_body; content:"chmod 777"; http_client_body; classtype:attempted-user; sid:2019957; rev:1; metadata:affected_product Any, attack_target Server, deployment Datacenter, tag Remote_File_Include, signature_severity Major, created_at 2014_12_17, updated_at 2016_07_01;)

alert tcp any $HTTP_PORTS -> any any (msg:"ET WEB_SERVER ATTACKER WebShell - 1337w0rm - Landing Page"; flow:established,to_client; file_data; content:"cPanel Cracker"; classtype:trojan-activity; sid:2020096; rev:1; metadata:created_at 2015_01_06, updated_at 2015_01_06;)

alert tcp any any -> any $HTTP_PORTS (msg:"ET WEB_SERVER ATTACKER WebShell - 1337w0rm - cPanel Cracker"; flow:established,to_server; content:"user=CRACKER"; http_client_body; classtype:trojan-activity; sid:2020097; rev:1; metadata:created_at 2015_01_06, updated_at 2015_01_06;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP System Command in HTTP POST"; flow:established,to_server; content:"POST"; http_method; content:"<?"; http_client_body; content:"system|28|"; http_client_body; distance:0; classtype:web-application-attack; sid:2020102; rev:3; metadata:created_at 2015_01_06, updated_at 2015_01_06;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Heimdallbot Attack Tool Inbound"; flow:established,to_server; content:"Heimdallbot"; http_header; nocase; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]*?Heimdallbot/Hmi"; threshold: type limit, count 1, seconds 60, track by_src; classtype:web-application-attack; sid:2020323; rev:1; metadata:created_at 2015_01_28, updated_at 2015_01_28;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER WPScan User Agent"; flow:established,to_server; content:"User-Agent|3a 20|WPScan v"; http_header; fast_pattern:12,8; threshold: type limit, count 1, seconds 60, track by_src; reference:url,github.com/wpscanteam/wpscan; classtype:web-application-attack; sid:2020338; rev:2; metadata:created_at 2015_01_30, updated_at 2015_01_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ATTACKER WebShell - Weevely - Downloaded"; flow:established,to_client; file_data; content:"<?php|0A|$"; content:"="; distance:4; within:2; content:" str_replace("; distance:0; classtype:trojan-activity; sid:2020555; rev:1; metadata:created_at 2015_02_24, updated_at 2015_02_24;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ATTACKER WebShell - Weevely - POSTed"; flow:established,to_server; content:"<?php|0A|$"; http_client_body; content:"="; distance:4; within:2; http_client_body; content:" str_replace("; distance:0; http_client_body; classtype:trojan-activity; sid:2020556; rev:1; metadata:created_at 2015_02_24, updated_at 2015_02_24;)

alert tcp any any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER ATTACKER WebShell - Weevely - Cookie"; flow:established,to_server; content:"ing|3a| identity|0D 0A|Host|3a|"; http_header; content:"SESS="; http_cookie; content:"|3B| SID="; distance:0; http_cookie; content:"|3B| PREF="; distance:0; http_cookie; content:"|3B|SSID="; distance:0; http_cookie; classtype:trojan-activity; sid:2020557; rev:1; metadata:created_at 2015_02_24, updated_at 2015_02_24;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - ASPyder - File Create - POST Structure"; flow:established,to_server; content:"POST"; http_method; content:"Fname="; http_client_body; depth:6; content:"&cmd="; http_client_body; classtype:trojan-activity; sid:2020572; rev:3; metadata:created_at 2015_02_25, updated_at 2015_02_25;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [9200,9292] (msg:"ET WEB_SERVER Possible CVE-2015-1427 Elastic Search Sandbox Escape Remote Code Execution Attempt"; flow:established,to_server; content:"POST /"; depth:6; content:"search"; distance:0; content:"script_fields"; distance:0; nocase; content:".class.forName"; nocase; distance:0; content:"java.lang.Runtime"; nocase; distance:0; reference:url,jordan-wright.github.io/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427; classtype:attempted-admin; sid:2020648; rev:2; metadata:created_at 2015_03_09, updated_at 2015_03_09;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible IIS Integer Overflow DoS (CVE-2015-1635)"; flow:established,to_server; content:"18446744073709551615"; http_header; fast_pattern:only; content:"Range|3a|"; nocase; http_header; pcre:"/^Range\x3a[^\r\n]*?18446744073709551615/Hmi"; reference:cve,2015-1635; classtype:web-application-attack; sid:2020912; rev:1; metadata:created_at 2015_04_15, updated_at 2015_04_15;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [9200,9292] (msg:"ET WEB_SERVER ElasticSearch Directory Traversal Attempt (CVE-2015-3337)"; flow:to_server,established; content:"|20|/_plugin/"; offset:3; depth:11; pcre:"/(?:%2(?:52e(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/))|e(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/)))|\.(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/)))/Ri"; reference:cve,2015-3337; classtype:web-application-attack; sid:2021138; rev:3; metadata:created_at 2015_05_22, updated_at 2015_05_22;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Jorgee Scan"; flow:established,to_server; content:"HEAD"; http_method; content:"User-Agent|3a 20|Mozilla/5.0 Jorgee|0d 0a|"; http_header; fast_pattern:12,20; threshold: type limit, track by_dst, count 3, seconds 60; metadata: former_category WEB_SERVER; reference:url,www.skepticism.us/2015/05/new-malware-user-agent-value-jorgee/; classtype:trojan-activity; sid:2024265; rev:2; metadata:created_at 2015_06_26, updated_at 2017_05_01;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt"; flow:established,to_server; content:" HTTP/1."; pcre:"/^[^\r\n]*?HTTP\/1(?:(?!\r?\n\r?\n)[\x20-\x7e\s]){1,500}\n[\x20-\x7e]{1,100}\x3a[\x20-\x7e]{0,500}\x28\x29\x20\x7b/s"; content:"|28 29 20 7b|"; fast_pattern:only; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2022028; rev:1; metadata:created_at 2015_11_03, updated_at 2015_11_03;)

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible Darkleech C2"; flow:established,to_server; content:"/blog/?"; http_uri; depth:7; fast_pattern; content:"&utm_source="; http_uri; pcre:"/^\/blog\/\?[a-z]{3,20}+\&utm_source=\d+\x3a\d+\x3a\d+$/U"; content:!"Referer|3a|"; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r\n/H"; reference:url,blog.sucuri.net/2015/12/evolution-of-pseudo-darkleech.html; classtype:trojan-activity; sid:2022260; rev:1; metadata:created_at 2015_12_14, updated_at 2015_12_14;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER WeBaCoo Web Backdoor Detected"; flow:to_server,established; content:"GET"; http_method; content:"cm="; http_cookie; content:"cn=M-cookie|3b|"; fast_pattern:only; content:"cp="; http_cookie; reference:url,panagioto.com/webacoo-backdoor-detection; classtype:web-application-activity; sid:2022295; rev:1; metadata:created_at 2015_12_21, updated_at 2015_12_21;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WEBSHELL JSP/Backdoor Shell Access"; flow:established,to_server; content:".war?cmd="; http_uri; fast_pattern:only; content:"&winurl="; http_uri; content:"&linurl="; http_uri; pcre:"/\.war\?cmd=[a-zA-Z0-9+/=]+&winurl=[a-zA-Z0-9+/=]*&linurl=[a-zA-Z0-9+/=]*/U"; reference:url,blog.malwaremustdie.org/2016/01/mmd-0049-2016-case-of-java-trojan.html; classtype:successful-admin; sid:2022348; rev:2; metadata:created_at 2016_01_11, updated_at 2016_01_11;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WEBSHELL Linux/Torte Uploaded"; flow:established,to_server; content:"POST"; http_method; content:"JGVudiA9ICJYRFZTTl9TRVNTSU9OX0NPT0tJR"; http_client_body; fast_pattern:only; content:"eval(base64_decode($_REQUEST["; http_client_body; reference:url,blog.malwaremustdie.org/2016/01/mmd-0050-2016-incident-report-elf.html; classtype:attempted-admin; sid:2022359; rev:1; metadata:created_at 2016_01_13, updated_at 2016_01_13;)

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible Compromised Webserver Retriving Inject"; flow:established,to_server; content:"/blog/?"; depth:7; http_uri; pcre:"/^\/blog\/\?[a-z]+&utm_source=\d+\x3a\d+\x3a\d+$/U"; pcre:"/^Host\x3a\x20(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\x3a\d{1,5})?\r?\n/Hmi"; classtype:trojan-activity; sid:2022485; rev:1; metadata:created_at 2016_02_03, updated_at 2016_02_03;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Custom Content Type Manager WP Backdoor Access"; flow:established,to_server; content:"/plugins/custom-content-type-manager/auto-update.php"; http_uri; fast_pattern:32,20; nocase; reference:url,blog.sucuri.net/2016/03/when-wordpress-plugin-goes-bad.html; classtype:trojan-activity; sid:2022596; rev:3; metadata:created_at 2016_03_06, updated_at 2016_03_06;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ImageMagick CVE-2016-3714 Inbound (mvg)"; flow:established,to_server; content:"viewbox "; nocase; http_client_body; fast_pattern:only; pcre:"/https\x3a.+(?<!\x5c)(:[\x22\x27]|\\x2[27])\s*?[\x3b&\x7c><].*?(:[\x22\x27]|\\x2[27])/Psi"; classtype:web-application-attack; sid:2022789; rev:3; metadata:created_at 2016_05_04, updated_at 2016_05_06;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ImageMagick CVE-2016-3714 Inbound (svg)"; flow:established,to_server; content:"<svg "; http_client_body; nocase; fast_pattern:only; content:"xlink"; http_client_body; nocase; pcre:"/xlink\s*?\x3a\s*?href\s*?=\s*?(:[\x22\x27]|\\x2[27])https.+?&quot\s*?\x3b(?:\x7c|&(?:[gl]t|amp)\s*?\x3b)/Psi"; classtype:web-application-attack; sid:2022790; rev:3; metadata:created_at 2016_05_04, updated_at 2016_05_06;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ImageMagick CVE-2016-3718 SSRF Inbound (mvg + fill + url)"; flow:established,to_server; content:"viewbox "; nocase; http_client_body; fast_pattern:only; content:"fill"; http_client_body; content:"url("; http_client_body; distance:0; nocase; pcre:"/url\(\s*https?\x3a\/\//Pi"; classtype:web-application-attack; sid:2022791; rev:2; metadata:created_at 2016_05_04, updated_at 2016_05_06;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ImageMagick CVE-2016-3715 File Deletion Inbound (ephermeral:+ mvg)"; flow:established,to_server; content:"viewbox "; nocase; http_client_body; fast_pattern:only; content:"ephemeral"; http_client_body; nocase; pcre:"/ephemeral\s*\x3a\s*[./]/Pi"; classtype:web-application-attack; sid:2022792; rev:2; metadata:created_at 2016_05_04, updated_at 2016_05_06;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ImageMagick CVE-2016-3716 Move File Inbound (msl: + mvg)"; flow:established,to_server; content:"viewbox "; nocase; http_client_body; fast_pattern:only; content:"msl"; http_client_body; nocase; pcre:"/msl\s*\x3a\s*[./]/Pi"; classtype:web-application-attack; sid:2022793; rev:2; metadata:created_at 2016_05_04, updated_at 2016_05_06;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ImageMagick CVE-2016-3717 Local File Read Inbound (label: + mvg)"; flow:established,to_server; content:"viewbox "; nocase; http_client_body; fast_pattern:only; content:"label"; http_client_body; nocase; pcre:"/label\s*\x3a\s*\x40/Pi"; classtype:web-application-attack; sid:2022794; rev:2; metadata:created_at 2016_05_04, updated_at 2016_05_06;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQLi Attempt in User Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|"; http_header; content:"select"; nocase; distance:0; fast_pattern; http_header; content:"from"; nocase; http_header; within:20; pcre:"/User-Agent\x3a\x20[^\r\n]+select[^\r\n]+from/Hi"; reference:url,blog.cloudflare.com/the-sleepy-user-agent/; classtype:trojan-activity; sid:2022816; rev:1; metadata:created_at 2016_05_17, updated_at 2016_05_17;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2016-5118 Exploit SVG attempt M1"; flow:established,to_server; content:"<svg"; nocase; http_client_body; content:"|78 6c 69 6e 6b 3a 68 72 65 66 3d 22 7c|"; http_client_body; reference:url,seclists.org/oss-sec/2016/q2/432; reference:cve,2016-5118; classtype:trojan-activity; sid:2022846; rev:1; metadata:created_at 2016_06_01, updated_at 2016_06_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2016-5118 Exploit SVG attempt M2"; flow:established,to_server; content:"<svg"; nocase; http_client_body; content:"|78 6c 69 6e 6b 3a 68 72 65 66 3d 27 7c|"; http_client_body; nocase; reference:url,seclists.org/oss-sec/2016/q2/432; reference:cve,2016-5118; classtype:trojan-activity; sid:2022847; rev:1; metadata:created_at 2016_06_01, updated_at 2016_06_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2016-5118 Exploit MVG attempt M1"; flow:established,to_server; content:"viewbox "; nocase; http_client_body; fast_pattern:only; content:"|20 27 7c|"; http_client_body; nocase; reference:url,seclists.org/oss-sec/2016/q2/432; reference:cve,2016-5118; classtype:trojan-activity; sid:2022848; rev:1; metadata:created_at 2016_06_01, updated_at 2016_06_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2016-5118 Exploit MVG attempt M2"; flow:established,to_server; content:"viewbox "; nocase; http_client_body; fast_pattern:only; content:"|20 22 7c|"; http_client_body; nocase; reference:url,seclists.org/oss-sec/2016/q2/432; reference:cve,2016-5118; classtype:trojan-activity; sid:2022849; rev:1; metadata:created_at 2016_06_01, updated_at 2016_06_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Aribitrary File Upload Vulnerability in WP Mobile Detector"; flow:from_client,established; content:"/wp-content/plugins/wp-mobile-detector/"; http_uri; content:"resize.php?src=http"; http_uri; fast_pattern; reference:url,pluginvulnerabilities.com/2016/05/31/aribitrary-file-upload-vulnerability-in-wp-mobile-detector/; classtype:attempted-user; sid:2022860; rev:1; metadata:created_at 2016_06_03, updated_at 2016_06_03;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Apache Continuum Arbitrary Command Execution"; flow:to_server,established; content:"POST"; http_method; content:"/saveInstallation.action"; http_uri; fast_pattern:only; content:"&installation.varValue="; http_client_body; content:"|25|60"; http_client_body; classtype:attempted-user; sid:2022912; rev:2; metadata:created_at 2016_06_22, updated_at 2016_06_22;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET WEB_SERVER AnonGhost PHP Webshell"; flow:from_server,established; file_data; content:"base64_decode("; content:"Bbm9uR2hvc3Qg"; fast_pattern; classtype:trojan-activity; sid:2023143; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2016_09_01, performance_impact Low, updated_at 2016_09_01;)

alert udp $HTTP_SERVERS any -> any 53 (msg:"ET WEB_SERVER DNS Query for Suspicious 33db9538.com Domain - Anuna Checkin - Compromised PHP Site"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|33db9538|03|com|00|"; fast_pattern; distance:0; nocase; metadata: former_category WEB_SERVER; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:trojan-activity; sid:2023227; rev:2; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, deployment Datacenter, signature_severity Critical, created_at 2016_09_15, updated_at 2018_03_21;)

alert udp $HTTP_SERVERS any -> any 53 (msg:"ET WEB_SERVER DNS Query for Suspicious 9507c4e8.com Domain - Anuna Checkin - Compromised PHP Site"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|9507c4e8|03|com|00|"; fast_pattern; distance:0; nocase; metadata: former_category WEB_SERVER; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:trojan-activity; sid:2023228; rev:2; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, deployment Datacenter, signature_severity Critical, created_at 2016_09_15, updated_at 2018_03_22;)

alert udp $HTTP_SERVERS any -> any 53 (msg:"ET WEB_SERVER DNS Query for Suspicious e5b57288.com Domain - Anuna Checkin - Compromised PHP Site"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|e5b57288|03|com|00|"; fast_pattern; distance:0; nocase; metadata: former_category WEB_SERVER; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:trojan-activity; sid:2023229; rev:2; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, deployment Datacenter, signature_severity Critical, created_at 2016_09_15, updated_at 2018_03_21;)

alert udp $HTTP_SERVERS any -> any 53 (msg:"ET WEB_SERVER DNS Query for Suspicious 54dfa1cb.com Domain - Anuna Checkin - Compromised PHP Site"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|54dfa1cb|03|com|00|"; fast_pattern; distance:0; nocase; metadata: former_category WEB_SERVER; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:trojan-activity; sid:2023230; rev:2; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, deployment Datacenter, signature_severity Critical, created_at 2016_09_15, updated_at 2018_03_22;)

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER HTTP Request to a *.33db9538.com domain - Anuna Checkin - Compromised PHP Site"; flow:to_server,established; content:"33db9538.com"; http_header; fast_pattern:only; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:bad-unknown; sid:2023231; rev:1; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, deployment Datacenter, signature_severity Critical, created_at 2016_09_15, updated_at 2016_09_15;)

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER HTTP Request to a *.9507c4e8.com domain - Anuna Checkin - Compromised PHP Site"; flow:to_server,established; content:"9507c4e8.com"; http_header; fast_pattern:only; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:bad-unknown; sid:2023232; rev:1; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, deployment Datacenter, signature_severity Critical, created_at 2016_09_15, updated_at 2016_09_15;)

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER HTTP Request to a *.e5b57288.com domain - Anuna Checkin - Compromised PHP Site"; flow:to_server,established; content:"e5b57288.com"; http_header; fast_pattern:only; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:bad-unknown; sid:2023233; rev:1; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, deployment Datacenter, signature_severity Critical, created_at 2016_09_15, updated_at 2016_09_15;)

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER HTTP Request to a *.54dfa1cb.com domain - Anuna Checkin - Compromised PHP Site"; flow:to_server,established; content:"54dfa1cb.com"; http_header; fast_pattern:only; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:bad-unknown; sid:2023234; rev:1; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, deployment Datacenter, signature_severity Critical, created_at 2016_09_15, updated_at 2016_09_15;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Apache Struts OGNL Expression Injection"; flow:to_server,established; content:"|24 7b|"; http_uri; content:"|25 7b|"; distance:0; http_uri; content:"|7d|"; distance:0; http_uri; pcre:"/\${\s*?%{/U"; reference:cve,2013-2135; reference:bugtraq,60345; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; classtype:web-application-attack; sid:2023535; rev:1; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2016_11_18, performance_impact Low, updated_at 2016_11_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Microsoft IIS Remote Code Execution (CVE-2017-7269)"; flow:to_server,established; content:"If|3a 20 3c|"; http_header; pcre:"/^If\x3a\x20\x3c[^\r\n>]+?(?:[\x7f-\xff])/Hmi"; metadata: former_category WEB_SERVER; reference:url,github.com/edwardz246003/IIS_exploit/blob/master/exploit.py; classtype:attempted-user; sid:2024107; rev:2; metadata:affected_product Microsoft_IIS, attack_target Web_Server, deployment Datacenter, cve cve_2017_7269, signature_severity Major, created_at 2017_03_28, performance_impact Low, updated_at 2017_03_28;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible OptionsBleed (CVE-2017-9798)"; flow:established,to_server; content:"OPTIONS"; http_method; flowbits:set,ET.2017-9798; threshold: type both, count 30, seconds 30, track by_src; metadata: former_category WEB_SERVER; classtype:misc-activity; sid:2024759; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, cve 2017_9798, signature_severity Major, created_at 2017_09_19, performance_impact Moderate, updated_at 2017_09_22;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER OptionsBleed (CVE-2017-9798)"; flow:established,from_server; content:"Allow|3a 20|"; http_header; pcre:"/Allow: [^\n]+(?:[^ -~\x0d\x0a]|,\x20*,)/H"; metadata: former_category WEB_SERVER; reference:cve,CVE-2017-9798; classtype:misc-activity; sid:2024760; rev:3; metadata:affected_product Apache_HTTP_server, attack_target Server, deployment Datacenter, signature_severity Minor, created_at 2017_09_19, performance_impact Significant, updated_at 2017_09_22;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER 401TRG Generic Webshell Request - POST with wget in body"; flow:established,to_server; content:"wget"; nocase; http_client_body; content:"http"; nocase; http_client_body; within:11; threshold:type limit, track by_src, seconds 3600, count 1; metadata: former_category WEB_SERVER; classtype:web-application-attack; sid:2024930; rev:2; metadata:affected_product Apache_HTTP_server, attack_target Server, deployment Datacenter, signature_severity Major, created_at 2017_10_26, malware_family webshell, performance_impact Moderate, updated_at 2017_10_26;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Weevely PHP backdoor detected (passthru() function used) M2"; flow:to_server,established; content:"BwYXNzdGhydSgn"; http_header; metadata: former_category WEB_SERVER; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2025593; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_06_14, malware_family weevely, updated_at 2018_06_14;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Weevely PHP backdoor detected (passthru() function used) M3"; flow:to_server,established; content:"AcGFzc3RocnUoJ"; http_header; metadata: former_category WEB_SERVER; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2025594; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_06_14, malware_family weevely, updated_at 2018_06_14;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CVSTrac filediff Arbitrary Remote Code Execution"; flow: to_server,established; content:"filediff|3f|f="; nocase; http_uri; pcre:"/\/filediff\?((&?v\d?=[\d.]+?)+?&f\x3d|f\x3d.+?(&v\d?=[\d.]+?)+?).+?\x3b.+?\x3b/Ui"; reference:bugtraq,10878; reference:cve,2004-1456; reference:url,doc.emergingthreats.net/bin/view/Main/2002697; classtype:web-application-attack; sid:2002697; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ArdeaCore pathForArdeaCore Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/ardeaCore/lib/core/ardeaInit.php?"; nocase; http_uri; content:"pathForArdeaCore="; nocase; http_uri; pcre:"/pathForArdeaCore=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,40811; reference:url,vupen.com/english/advisories/2010/1444; reference:url,exploit-db.com/exploits/13832/; reference:url,doc.emergingthreats.net/2011214; classtype:web-application-attack; sid:2011214; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Campsite article_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/plugins/campsiteattachment/attachments.php?"; nocase; http_uri; content:"article_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,secunia.com/advisories/39580/; reference:url,doc.emergingthreats.net/2011215; classtype:web-application-attack; sid:2011215; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Campsite article_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/plugins/campsiteattachment/attachments.php?"; nocase; http_uri; content:"article_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,secunia.com/advisories/39580/; reference:url,doc.emergingthreats.net/2011216; classtype:web-application-attack; sid:2011216; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Campsite article_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/plugins/campsiteattachment/attachments.php?"; nocase; http_uri; content:"article_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/39580/; reference:url,doc.emergingthreats.net/2011217; classtype:web-application-attack; sid:2011217; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Campsite article_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/plugins/campsiteattachment/attachments.php?"; nocase; http_uri; content:"article_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,secunia.com/advisories/39580/; reference:url,doc.emergingthreats.net/2011218; classtype:web-application-attack; sid:2011218; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Campsite article_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/plugins/campsiteattachment/attachments.php?"; nocase; http_uri; content:"article_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,secunia.com/advisories/39580/; reference:url,doc.emergingthreats.net/2011219; classtype:web-application-attack; sid:2011219; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 1024 CMS standard.php page_include Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/layouts/standard.php?"; nocase; http_uri; content:"page_include="; nocase; http_uri; pcre:"/page_include=\s*(https?|ftps?|php)\:\//Ui"; reference:url,vupen.com/english/advisories/2009/0360; reference:url,milw0rm.com/exploits/8003; reference:url,doc.emergingthreats.net/2009717; classtype:web-application-attack; sid:2009717; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"categoryID_list="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007510; classtype:web-application-attack; sid:2007510; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list UNION SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"categoryID_list="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007511; classtype:web-application-attack; sid:2007511; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list INSERT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"categoryID_list="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007512; classtype:web-application-attack; sid:2007512; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list DELETE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"categoryID_list="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007513; classtype:web-application-attack; sid:2007513; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list ASCII"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"categoryID_list="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007514; classtype:web-application-attack; sid:2007514; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list UPDATE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"categoryID_list="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007515; classtype:web-application-attack; sid:2007515; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"sale_type="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007516; classtype:web-application-attack; sid:2007516; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type UNION SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"sale_type="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007517; classtype:web-application-attack; sid:2007517; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type INSERT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"sale_type="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007518; classtype:web-application-attack; sid:2007518; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type DELETE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"sale_type="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007519; classtype:web-application-attack; sid:2007519; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type ASCII"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"sale_type="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007520; classtype:web-application-attack; sid:2007520; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type UPDATE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"sale_type="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007521; classtype:web-application-attack; sid:2007521; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"stock_number="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007522; classtype:web-application-attack; sid:2007522; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number UNION SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"stock_number="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007523; classtype:web-application-attack; sid:2007523; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number INSERT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"stock_number="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007524; classtype:web-application-attack; sid:2007524; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_09_13;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number DELETE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"stock_number="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007525; classtype:web-application-attack; sid:2007525; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number ASCII"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"stock_number="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007526; classtype:web-application-attack; sid:2007526; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number UPDATE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"stock_number="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007527; classtype:web-application-attack; sid:2007527; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"manufacturer="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007528; classtype:web-application-attack; sid:2007528; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer UNION SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri;  content:"manufacturer="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007529; classtype:web-application-attack; sid:2007529; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer INSERT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"manufacturer="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007530; classtype:web-application-attack; sid:2007530; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer DELETE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"manufacturer="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007531; classtype:web-application-attack; sid:2007531; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer ASCII"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"manufacturer="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007532; classtype:web-application-attack; sid:2007532; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer UPDATE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"manufacturer="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007533; classtype:web-application-attack; sid:2007533; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"model="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007534; classtype:web-application-attack; sid:2007534; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model UNION SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"model="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007535; classtype:web-application-attack; sid:2007535; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model INSERT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"model="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007536; classtype:web-application-attack; sid:2007536; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model DELETE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"model="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007537; classtype:web-application-attack; sid:2007537; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model ASCII"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"model="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007538; classtype:web-application-attack; sid:2007538; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model UPDATE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"model="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007539; classtype:web-application-attack; sid:2007539; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vehicleID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007540; classtype:web-application-attack; sid:2007540; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID UNION SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vehicleID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007541; classtype:web-application-attack; sid:2007541; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID INSERT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vehicleID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007542; classtype:web-application-attack; sid:2007542; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID DELETE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vehicleID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007543; classtype:web-application-attack; sid:2007543; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID ASCII"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vehicleID="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007544; classtype:web-application-attack; sid:2007544; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID UPDATE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vehicleID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007545; classtype:web-application-attack; sid:2007545; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"year="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007546; classtype:web-application-attack; sid:2007546; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year UNION SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"year="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007547; classtype:web-application-attack; sid:2007547; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year INSERT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"year="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007548; classtype:web-application-attack; sid:2007548; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year DELETE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"year="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007549; classtype:web-application-attack; sid:2007549; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year ASCII"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"year="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007550; classtype:web-application-attack; sid:2007550; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year UPDATE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"year="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007551; classtype:web-application-attack; sid:2007551; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vin="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007552; classtype:web-application-attack; sid:2007552; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin UNION SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vin="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007553; classtype:web-application-attack; sid:2007553; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin INSERT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vin="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007554; classtype:web-application-attack; sid:2007554; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin DELETE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vin="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007555; classtype:web-application-attack; sid:2007555; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin ASCII"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vin="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007556; classtype:web-application-attack; sid:2007556; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin UPDATE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vin="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007557; classtype:web-application-attack; sid:2007557; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"listing_price="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007558; classtype:web-application-attack; sid:2007558; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price UNION SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"listing_price="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007559; classtype:web-application-attack; sid:2007559; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price INSERT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"listing_price="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007560; classtype:web-application-attack; sid:2007560; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price DELETE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"listing_price="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007561; classtype:web-application-attack; sid:2007561; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price ASCII"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"listing_price="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007562; classtype:web-application-attack; sid:2007562; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price UPDATE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"listing_price="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007563; classtype:web-application-attack; sid:2007563; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 212cafe Board view.php qID Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/view.php?"; nocase; http_uri; content:"qID="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,31426; reference:url,xforce.iss.net/xforce/xfdb/45428; reference:url,milw0rm.com/exploits/6578; reference:url,doc.emergingthreats.net/2009734; classtype:web-application-attack; sid:2009734; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 29o3 CMS pageDescriptionObject.php LibDir Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/lib/page/pageDescriptionObject.php?"; nocase; http_uri; content:"LibDir="; nocase; http_uri; pcre:"/LibDir=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/12558; reference:bugtraq,40049; reference:url,doc.emergingthreats.net/2011164; reference:cve,2010-1922; classtype:web-application-attack; sid:2011164; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 29o3 CMS layoutHeaderFuncs.php LibDir Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/lib/layout/layoutHeaderFuncs.php?"; nocase; http_uri; content:"LibDir="; nocase; http_uri; pcre:"/LibDir=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/12558; reference:bugtraq,40049; reference:url,doc.emergingthreats.net/2011165; classtype:web-application-attack; sid:2011165; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 29o3 CMS layoutManager.php LibDir Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/lib/layout/layoutManager.php?"; nocase; http_uri; content:"LibDir="; nocase; http_uri; pcre:"/LibDir=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/12558; reference:bugtraq,40049; reference:url,doc.emergingthreats.net/2011666; classtype:web-application-attack; sid:2011666; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 29o3 CMS layoutParser.php LibDir Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/lib/layout/layoutParser.php?"; nocase; http_uri; content:"LibDir="; nocase; http_uri; pcre:"/LibDir=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/12558; reference:bugtraq,40049; reference:url,doc.emergingthreats.net/2011167; classtype:web-application-attack; sid:2011167; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2FLY Gift Delivery 2fly_gift.php gameid Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/2fly_gift.php?"; nocase; http_uri; content:"gameid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/36294/; reference:url,osvdb.org/show/osvdb/57136; reference:url,doc.emergingthreats.net/2010196; classtype:web-application-attack; sid:2010196; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating SELECT"; flow:established,to_server; content:"/includes/rating.php?"; nocase; http_uri; content:"rating="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2898; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004059; classtype:web-application-attack; sid:2004059; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating UNION SELECT"; flow:established,to_server; content:"/includes/rating.php?"; nocase; http_uri; content:"rating="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2898; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004060; classtype:web-application-attack; sid:2004060; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating INSERT"; flow:established,to_server; content:"/includes/rating.php?"; nocase; http_uri; content:"rating="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2898; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004061; classtype:web-application-attack; sid:2004061; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating DELETE"; flow:established,to_server; content:"/includes/rating.php?"; nocase; http_uri; content:"rating="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2898; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004062; classtype:web-application-attack; sid:2004062; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating ASCII"; flow:established,to_server; content:"/includes/rating.php?"; nocase; http_uri; content:"rating="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2898; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004063; classtype:web-application-attack; sid:2004063; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating UPDATE"; flow:established,to_server; content:"/includes/rating.php?"; nocase; http_uri; content:"rating="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2898; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004064; classtype:web-application-attack; sid:2004064; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id SELECT"; flow:established,to_server; content:"/includes/rating.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2905; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004071; classtype:web-application-attack; sid:2004071; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id UNION SELECT"; flow:established,to_server; content:"/includes/rating.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2905; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004072; classtype:web-application-attack; sid:2004072; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id INSERT"; flow:established,to_server; content:"/includes/rating.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2905; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004073; classtype:web-application-attack; sid:2004073; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id DELETE"; flow:established,to_server; content:"/includes/rating.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2905; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004074; classtype:web-application-attack; sid:2004074; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id ASCII"; flow:established,to_server; content:"/includes/rating.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2905; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004075; classtype:web-application-attack; sid:2004075; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id UPDATE"; flow:established,to_server; content:"/includes/rating.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2905; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004076; classtype:web-application-attack; sid:2004076; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 35mm Slide Gallery imgdir Parameter Directory Traversal Attempt"; flow:to_server,established; content:"GET"; http_method; content:"index.php?"; nocase; http_uri; content:"imgdir="; nocase; http_uri; content:".."; pcre:"/\/index\.php(\?|.*\x26)imgdir=([^\x26\x3B\x0D\x0A]*[\x2F\x5C])?\.\.[\x2F\x5C]/i"; reference:url,www.packetstormsecurity.org/0912-exploits/35mmsg-traversal.txt; reference:url,doc.emergingthreats.net/2010601; classtype:web-application-attack; sid:2010601; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id SELECT"; flow:established,to_server; content:"/admin/edit.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6191; reference:url,www.milw0rm.com/exploits/2853; reference:url,doc.emergingthreats.net/2007217; classtype:web-application-attack; sid:2007217; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id UNION SELECT"; flow:established,to_server; content:"/admin/edit.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6191; reference:url,www.milw0rm.com/exploits/2853; reference:url,doc.emergingthreats.net/2007218; classtype:web-application-attack; sid:2007218; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id INSERT"; flow:established,to_server; content:"/admin/edit.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6191; reference:url,www.milw0rm.com/exploits/2853; reference:url,doc.emergingthreats.net/2007219; classtype:web-application-attack; sid:2007219; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id DELETE"; flow:established,to_server; content:"/admin/edit.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6191; reference:url,www.milw0rm.com/exploits/2853; reference:url,doc.emergingthreats.net/2007220; classtype:web-application-attack; sid:2007220; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id ASCII"; flow:established,to_server; content:"/admin/edit.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6191; reference:url,www.milw0rm.com/exploits/2853; reference:url,doc.emergingthreats.net/2007221; classtype:web-application-attack; sid:2007221; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id UPDATE"; flow:established,to_server; content:"/admin/edit.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6191; reference:url,www.milw0rm.com/exploits/2853; reference:url,doc.emergingthreats.net/2007222; classtype:web-application-attack; sid:2007222; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod SELECT"; flow:established,to_server; content:"/templates/modif.html?"; nocase; http_uri; content:"id_mod="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0698; reference:url,www.frsirt.com/english/advisories/2007/0388; reference:url,doc.emergingthreats.net/2005057; classtype:web-application-attack; sid:2005057; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod UNION SELECT"; flow:established,to_server; content:"/templates/modif.html?"; nocase; http_uri; content:"id_mod="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0698; reference:url,www.frsirt.com/english/advisories/2007/0388; reference:url,doc.emergingthreats.net/2005058; classtype:web-application-attack; sid:2005058; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod INSERT"; flow:established,to_server; content:"/templates/modif.html?"; nocase; http_uri; content:"id_mod="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0698; reference:url,www.frsirt.com/english/advisories/2007/0388; reference:url,doc.emergingthreats.net/2005059; classtype:web-application-attack; sid:2005059; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod DELETE"; flow:established,to_server; content:"/templates/modif.html?"; nocase; http_uri; content:"id_mod="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0698; reference:url,www.frsirt.com/english/advisories/2007/0388; reference:url,doc.emergingthreats.net/2005060; classtype:web-application-attack; sid:2005060; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod ASCII"; flow:established,to_server; content:"/templates/modif.html?"; nocase; http_uri; content:"id_mod="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0698; reference:url,www.frsirt.com/english/advisories/2007/0388; reference:url,doc.emergingthreats.net/2005061; classtype:web-application-attack; sid:2005061; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod UPDATE"; flow:established,to_server; content:"/templates/modif.html?"; nocase; http_uri; content:"id_mod="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0698; reference:url,www.frsirt.com/english/advisories/2007/0388; reference:url,doc.emergingthreats.net/2005062; classtype:web-application-attack; sid:2005062; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form mods"; flow:established,to_server; content:"/search/list/action_search/index.php?"; nocase; http_uri; content:"form[mods]["; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003905; classtype:web-application-attack; sid:2003905; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form"; flow:established,to_server; content:"/search/list/action_search/index.php?"; nocase; http_uri; content:"form["; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003906; classtype:web-application-attack; sid:2003906; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- download.php id"; flow:established,to_server; content:"/modules/dl/download.php?"; nocase; http_uri; content:"id="; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003907; classtype:web-application-attack; sid:2003907; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form cat"; flow:established,to_server; content:"/news/list/index.php?"; nocase; http_uri; content:"form[cat]="; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003908; classtype:web-application-attack; sid:2003908; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form cat"; flow:established,to_server; content:"/action_create/index.php?"; nocase; http_uri; content:"form[cat]="; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003909; classtype:web-application-attack; sid:2003909; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form name"; flow:established,to_server; content:"/action_create/index.php?"; nocase; http_uri; content:"form[name]="; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003910; classtype:web-application-attack; sid:2003910; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form message"; flow:established,to_server; content:"/action_create/index.php?"; nocase; http_uri; content:"form[message]="; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003911; classtype:web-application-attack; sid:2003911; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form mail"; flow:established,to_server; content:"/newsletter/create/index.php?"; nocase; http_uri; content:"form[mail]="; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003912; classtype:web-application-attack; sid:2003912; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AForum Remote Inclusion func.php CommonAbsDir"; flow:established,to_server; content:"/common/func.php?"; nocase; http_uri; content:"CommonAbsDir="; nocase; http_uri; reference:cve,CVE-2007-2596; reference:url,www.milw0rm.com/exploits/3884; reference:url,doc.emergingthreats.net/2003704; classtype:web-application-attack; sid:2003704; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AForum Remote Inclusion Attempt -- errormsg.php header"; flow:established,to_server; content:"/common/errormsg.php?"; nocase; http_uri; content:"header="; nocase; http_uri; reference:cve,CVE-2007-2634; reference:url,secunia.com/advisories/25224; reference:url,doc.emergingthreats.net/2003736; classtype:web-application-attack; sid:2003736; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) XSS Attempt -- cp_authorization.php"; flow:established,to_server; content:"/shared/code/cp_authorization.php?"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2625; reference:url,www.frsirt.com/english/advisories/2007/1637; reference:url,doc.emergingthreats.net/2003886; classtype:web-application-attack; sid:2003886; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) XSS Attempt -- cp_config.php"; flow:established,to_server; content:"/shared/config/cp_config.php?"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2624; reference:url,www.securityfocus.com/bid/23790; reference:url,doc.emergingthreats.net/2003887; classtype:web-application-attack; sid:2003887; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name SELECT"; flow:established,to_server; content:"/shared/code/cp_authorization.php?"; nocase; http_uri; content:"xuser_name="; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005573; classtype:web-application-attack; sid:2005573; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name UNION SELECT"; flow:established,to_server; content:"/shared/code/cp_authorization.php?"; nocase; http_uri; content:"xuser_name="; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005574; classtype:web-application-attack; sid:2005574; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name INSERT"; flow:established,to_server; content:"/shared/code/cp_authorization.php?"; nocase; http_uri; content:"xuser_name="; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005575; classtype:web-application-attack; sid:2005575; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name DELETE"; flow:established,to_server; content:"/shared/code/cp_authorization.php?"; nocase; http_uri; content:"xuser_name="; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005576; classtype:web-application-attack; sid:2005576; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name ASCII"; flow:established,to_server; content:"/shared/code/cp_authorization.php?"; nocase; http_uri; content:"xuser_name="; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005577; classtype:web-application-attack; sid:2005577; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name UPDATE"; flow:established,to_server; content:"/shared/code/cp_authorization.php?"; nocase; http_uri; content:"xuser_name="; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005578; classtype:web-application-attack; sid:2005578; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did SELECT"; flow:established,to_server; content:"/public/code/cp_downloads.php?"; nocase; http_uri; content:"did="; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005579; classtype:web-application-attack; sid:2005579; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did UNION SELECT"; flow:established,to_server; content:"/public/code/cp_downloads.php?"; nocase; http_uri; content:"did="; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005580; classtype:web-application-attack; sid:2005580; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did INSERT"; flow:established,to_server; content:"/public/code/cp_downloads.php?"; nocase; http_uri; content:"did="; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005581; classtype:web-application-attack; sid:2005581; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did DELETE"; flow:established,to_server; content:"/public/code/cp_downloads.php?"; nocase; http_uri; content:"did="; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005582; classtype:web-application-attack; sid:2005582; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did ASCII"; flow:established,to_server; content:"/public/code/cp_downloads.php?"; nocase; http_uri; content:"did="; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005583; classtype:web-application-attack; sid:2005583; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did UPDATE"; flow:established,to_server; content:"/public/code/cp_downloads.php?"; nocase; http_uri; content:"did="; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005584; classtype:web-application-attack; sid:2005584; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible AIOCP cp_html2xhtmlbasic.php Remote File Inclusion Attempt"; flow:established,to_server; content:"/public/code/cp_html2xhtmlbasic.php?"; nocase; http_uri; pcre:"/\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A)/Ui";  reference:url,www.securityfocus.com/bid/36609/info; reference:url,www.securityfocus.com/archive/1/507030; reference:url,doc.emergingthreats.net/2010080; classtype:web-application-attack; sid:2010080; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id SELECT"; flow:established,to_server; content:"/subcat.php?"; nocase; http_uri; content:"cate_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; distance:1; http_uri; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004529; classtype:web-application-attack; sid:2004529; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id UNION SELECT"; flow:established,to_server; content:"/subcat.php?"; nocase; http_uri; content:"cate_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri;  distance:0; pcre:"/UNION\s+?SELECT/Ui"; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004530; classtype:web-application-attack; sid:2004530; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id INSERT"; flow:established,to_server; content:"/subcat.php?"; nocase; http_uri; content:"cate_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; distance:1; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004531; classtype:web-application-attack; sid:2004531; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id DELETE"; flow:established,to_server; content:"/subcat.php?"; nocase; http_uri; content:"cate_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; distance:1; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004532; classtype:web-application-attack; sid:2004532; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id ASCII"; flow:established,to_server; content:"/subcat.php?"; nocase; http_uri; content:"cate_id="; nocase; http_uri; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; distance:1; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004533; classtype:web-application-attack; sid:2004533; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id UPDATE"; flow:established,to_server; content:"/subcat.php?"; nocase; http_uri; content:"cate_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; distance:1; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004534; classtype:web-application-attack; sid:2004534; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id SELECT"; flow:established,to_server; content:"/view_profile.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004535; classtype:web-application-attack; sid:2004535; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id UNION SELECT"; flow:established,to_server; content:"/view_profile.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; distance:1; pcre:"/UNION\s+?SELECT/Ui"; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004536; classtype:web-application-attack; sid:2004536; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id INSERT"; flow:established,to_server; content:"/view_profile.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004537; classtype:web-application-attack; sid:2004537; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id DELETE"; flow:established,to_server; content:"/view_profile.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004538; classtype:web-application-attack; sid:2004538; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id ASCII"; flow:established,to_server; content:"/view_profile.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004539; classtype:web-application-attack; sid:2004539; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id UPDATE"; flow:established,to_server; content:"/view_profile.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004540; classtype:web-application-attack; sid:2004540; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid SELECT"; flow:established,to_server; content:"/postingdetails.php?"; nocase; http_uri; content:"postingid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; distance:1; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004541; classtype:web-application-attack; sid:2004541; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid UNION SELECT"; flow:established,to_server; content:"/postingdetails.php?"; nocase; http_uri; content:"postingid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004542; classtype:web-application-attack; sid:2004542; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid INSERT"; flow:established,to_server; content:"/postingdetails.php?"; nocase; http_uri; content:"postingid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004543; classtype:web-application-attack; sid:2004543; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid DELETE"; flow:established,to_server; content:"/postingdetails.php?"; nocase; http_uri; content:"postingid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004544; classtype:web-application-attack; sid:2004544; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid ASCII"; flow:established,to_server; content:"/postingdetails.php?"; nocase; http_uri; content:"postingid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004545; classtype:web-application-attack; sid:2004545; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid UPDATE"; flow:established,to_server; content:"/postingdetails.php?"; nocase; http_uri; content:"postingid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004546; classtype:web-application-attack; sid:2004546; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id SELECT"; flow:established,to_server; content:"/topic_title.php?"; nocase; http_uri; content:"td_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1295; reference:url,www.milw0rm.com/exploits/3411; reference:url,doc.emergingthreats.net/2004547; classtype:web-application-attack; sid:2004547; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id UNION SELECT"; flow:established,to_server; content:"/topic_title.php?"; nocase; http_uri; content:"td_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1295; reference:url,www.milw0rm.com/exploits/3411; reference:url,doc.emergingthreats.net/2005177; classtype:web-application-attack; sid:2005177; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id INSERT"; flow:established,to_server; content:"/topic_title.php?"; nocase; http_uri; content:"td_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1295; reference:url,www.milw0rm.com/exploits/3411; reference:url,doc.emergingthreats.net/2004548; classtype:web-application-attack; sid:2004548; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id DELETE"; flow:established,to_server; content:"/topic_title.php?"; nocase; http_uri; content:"td_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1295; reference:url,www.milw0rm.com/exploits/3411; reference:url,doc.emergingthreats.net/2004549; classtype:web-application-attack; sid:2004549; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id ASCII"; flow:established,to_server; content:"/topic_title.php?"; nocase; http_uri; content:"td_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1295; reference:url,www.milw0rm.com/exploits/3411; reference:url,doc.emergingthreats.net/2004550; classtype:web-application-attack; sid:2004550; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id UPDATE"; flow:established,to_server; content:"/topic_title.php?"; nocase; http_uri; content:"td_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1295; reference:url,www.milw0rm.com/exploits/3411; reference:url,doc.emergingthreats.net/2004551; classtype:web-application-attack; sid:2004551; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible APC Switched Rack PDU Web Administration Interface Cross Site Scripting Attempt"; flow:to_server,established; content:"/Forms/login1?login_username="; nocase; http_uri; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,securitytracker.com/alerts/2009/Dec/1023331.html; reference:url,doc.emergingthreats.net/2010507; classtype:web-application-attack; sid:2010507; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible APC Network Management Card Cross Site Scripting Attempt"; flow:established,to_server; content:"/Forms/login"; nocase; http_uri; content:"login_username="; nocase; http_uri; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:cve,2009-1798; reference:url,doc.emergingthreats.net/2010862; classtype:web-application-attack; sid:2010862; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP-Nuke XSS Attempt -- news.asp id"; flow:established,to_server; content:"/news.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2892; reference:url,www.securityfocus.com/bid/24135; reference:url,doc.emergingthreats.net/2004594; classtype:web-application-attack; sid:2004594; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid SELECT"; flow:established,to_server; content:"/forum2.asp?"; nocase; http_uri; content:"soruid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006819; classtype:web-application-attack; sid:2006819; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid UNION SELECT"; flow:established,to_server; content:"/forum2.asp?"; nocase; http_uri; content:"soruid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006820; classtype:web-application-attack; sid:2006820; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid INSERT"; flow:established,to_server; content:"/forum2.asp?"; nocase; http_uri; content:"soruid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006821; classtype:web-application-attack; sid:2006821; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid DELETE"; flow:established,to_server; content:"/forum2.asp?"; nocase; http_uri; content:"soruid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006822; classtype:web-application-attack; sid:2006822; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid ASCII"; flow:established,to_server; content:"/forum2.asp?"; nocase; http_uri; content:"soruid="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006823; classtype:web-application-attack; sid:2006823; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid UPDATE"; flow:established,to_server; content:"/forum2.asp?"; nocase; http_uri; content:"soruid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006824; classtype:web-application-attack; sid:2006824; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak SELECT"; flow:established,to_server; content:"/kullanicilistesi.asp?"; nocase; http_uri; content:"ak="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006825; classtype:web-application-attack; sid:2006825; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak UNION SELECT"; flow:established,to_server; content:"/kullanicilistesi.asp?"; nocase; http_uri; content:"ak="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006826; classtype:web-application-attack; sid:2006826; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak INSERT"; flow:established,to_server; content:"/kullanicilistesi.asp?"; nocase; http_uri; content:"ak="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006827; classtype:web-application-attack; sid:2006827; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak DELETE"; flow:established,to_server; content:"/kullanicilistesi.asp?"; nocase; http_uri; content:"ak="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006828; classtype:web-application-attack; sid:2006828; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak ASCII"; flow:established,to_server; content:"/kullanicilistesi.asp?"; nocase; http_uri; content:"ak="; nocase; http_uri; content:"ASCII"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006829; classtype:web-application-attack; sid:2006829; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak UPDATE"; flow:established,to_server; content:"/kullanicilistesi.asp?"; nocase; http_uri; content:"ak="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006830; classtype:web-application-attack; sid:2006830; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler SELECT"; flow:established,to_server; content:"/aramayap.asp?"; nocase; http_uri; content:"kelimeler="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006831; classtype:web-application-attack; sid:2006831; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler UNION SELECT"; flow:established,to_server; content:"/aramayap.asp?"; nocase; http_uri; content:"kelimeler="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006832; classtype:web-application-attack; sid:2006832; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler INSERT"; flow:established,to_server; content:"/aramayap.asp?"; nocase; http_uri; content:"kelimeler="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006833; classtype:web-application-attack; sid:2006833; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler DELETE"; flow:established,to_server; content:"/aramayap.asp?"; nocase; http_uri; content:"kelimeler="; nocase; http_uri; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006834; classtype:web-application-attack; sid:2006834; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler ASCII"; flow:established,to_server; content:"/aramayap.asp?"; nocase; http_uri; content:"kelimeler="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006835; classtype:web-application-attack; sid:2006835; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler UPDATE"; flow:established,to_server; content:"/aramayap.asp?"; nocase; http_uri; content:"kelimeler="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006836; classtype:web-application-attack; sid:2006836; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi SELECT"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"kullaniciadi="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006837; classtype:web-application-attack; sid:2006837; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi UNION SELECT"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"kullaniciadi="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006838; classtype:web-application-attack; sid:2006838; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi INSERT"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"kullaniciadi="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006839; classtype:web-application-attack; sid:2006839; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi DELETE"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"kullaniciadi="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006840; classtype:web-application-attack; sid:2006840; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi ASCII"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"kullaniciadi="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006841; classtype:web-application-attack; sid:2006841; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi UPDATE"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"kullaniciadi="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006842; classtype:web-application-attack; sid:2006842; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno SELECT"; flow:established,to_server; content:"/mesajkutum.asp?"; nocase; http_uri; content:"mesajno="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006843; classtype:web-application-attack; sid:2006843; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno UNION SELECT"; flow:established,to_server; content:"/mesajkutum.asp?"; nocase; http_uri; content:"mesajno="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006844; classtype:web-application-attack; sid:2006844; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno INSERT"; flow:established,to_server; content:"/mesajkutum.asp?"; nocase; http_uri; content:"mesajno="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006845; classtype:web-application-attack; sid:2006845; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno DELETE"; flow:established,to_server; content:"/mesajkutum.asp?"; nocase; http_uri; content:"mesajno="; nocase; http_uri; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006846; classtype:web-application-attack; sid:2006846; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno ASCII"; flow:established,to_server; content:"/mesajkutum.asp?"; nocase; http_uri; content:"mesajno="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006847; classtype:web-application-attack; sid:2006847; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno UPDATE"; flow:established,to_server; content:"/mesajkutum.asp?"; nocase; http_uri; content:"mesajno="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006848; classtype:web-application-attack; sid:2006848; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf SELECT"; flow:established,to_server; content:"/kullanicilistesi.asp?"; nocase; http_uri; content:"harf="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006849; classtype:web-application-attack; sid:2006849; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf UNION SELECT"; flow:established,to_server; content:"/kullanicilistesi.asp?"; nocase; http_uri; content:"harf="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006850; classtype:web-application-attack; sid:2006850; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf INSERT"; flow:established,to_server; content:"/kullanicilistesi.asp?"; nocase; http_uri; content:"harf="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006851; classtype:web-application-attack; sid:2006851; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf DELETE"; flow:established,to_server; content:"/kullanicilistesi.asp?"; nocase; http_uri; content:"harf="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006852; classtype:web-application-attack; sid:2006852; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf ASCII"; flow:established,to_server; content:"/kullanicilistesi.asp?"; nocase; http_uri; content:"harf="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006853; classtype:web-application-attack; sid:2006853; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf UPDATE"; flow:established,to_server; content:"/kullanicilistesi.asp?"; nocase; http_uri; content:"harf="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006854; classtype:web-application-attack; sid:2006854; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik SELECT"; flow:established,to_server; content:"/forum.asp?"; nocase; http_uri; content:"baslik="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006855; classtype:web-application-attack; sid:2006855; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik UNION SELECT"; flow:established,to_server; content:"/forum.asp?"; nocase; http_uri; content:"baslik="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006856; classtype:web-application-attack; sid:2006856; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik INSERT"; flow:established,to_server; content:"/forum.asp?"; nocase; http_uri; content:"baslik="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006857; classtype:web-application-attack; sid:2006857; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik DELETE"; flow:established,to_server; content:"/forum.asp?"; nocase; http_uri; content:"baslik="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006858; classtype:web-application-attack; sid:2006858; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik ASCII"; flow:established,to_server; content:"/forum.asp?"; nocase; http_uri; content:"baslik="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006859; classtype:web-application-attack; sid:2006859; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik UPDATE"; flow:established,to_server; content:"/forum.asp?"; nocase; http_uri; content:"baslik="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006860; classtype:web-application-attack; sid:2006860; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username SELECT"; flow:established,to_server; content:"/artreplydelete.asp?"; nocase; http_uri; content:"username="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0632; reference:url,www.frsirt.com/english/advisories/2007/0341; reference:url,doc.emergingthreats.net/2005105; classtype:web-application-attack; sid:2005105; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username UNION SELECT"; flow:established,to_server; content:"/artreplydelete.asp?"; nocase; http_uri; content:"username="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0632; reference:url,www.frsirt.com/english/advisories/2007/0341; reference:url,doc.emergingthreats.net/2005106; classtype:web-application-attack; sid:2005106; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username INSERT"; flow:established,to_server; content:"/artreplydelete.asp?"; nocase; http_uri; content:"username="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0632; reference:url,www.frsirt.com/english/advisories/2007/0341; reference:url,doc.emergingthreats.net/2005107; classtype:web-application-attack; sid:2005107; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username DELETE"; flow:established,to_server; content:"/artreplydelete.asp?"; nocase; http_uri; content:"username="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0632; reference:url,www.frsirt.com/english/advisories/2007/0341; reference:url,doc.emergingthreats.net/2005108; classtype:web-application-attack; sid:2005108; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username ASCII"; flow:established,to_server; content:"/artreplydelete.asp?"; nocase; http_uri; content:"username="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0632; reference:url,www.frsirt.com/english/advisories/2007/0341; reference:url,doc.emergingthreats.net/2005109; classtype:web-application-attack; sid:2005109; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username UPDATE"; flow:established,to_server; content:"/artreplydelete.asp?"; nocase; http_uri; content:"username="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0632; reference:url,www.frsirt.com/english/advisories/2007/0341; reference:url,doc.emergingthreats.net/2005110; classtype:web-application-attack; sid:2005110; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id SELECT"; flow:established,to_server; content:"/news_detail.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0566; reference:url,www.milw0rm.com/exploits/3187; reference:url,doc.emergingthreats.net/2005164; classtype:web-application-attack; sid:2005164; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id UNION SELECT"; flow:established,to_server; content:"/news_detail.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0566; reference:url,www.milw0rm.com/exploits/3187; reference:url,doc.emergingthreats.net/2005165; classtype:web-application-attack; sid:2005165; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id INSERT"; flow:established,to_server; content:"/news_detail.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0566; reference:url,www.milw0rm.com/exploits/3187; reference:url,doc.emergingthreats.net/2005166; classtype:web-application-attack; sid:2005166; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id DELETE"; flow:established,to_server; content:"/news_detail.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0566; reference:url,www.milw0rm.com/exploits/3187; reference:url,doc.emergingthreats.net/2005167; classtype:web-application-attack; sid:2005167; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id ASCII"; flow:established,to_server; content:"/news_detail.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0566; reference:url,www.milw0rm.com/exploits/3187; reference:url,doc.emergingthreats.net/2005168; classtype:web-application-attack; sid:2005168; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id UPDATE"; flow:established,to_server; content:"/news_detail.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0566; reference:url,www.milw0rm.com/exploits/3187; reference:url,doc.emergingthreats.net/2005169; classtype:web-application-attack; sid:2005169; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user SELECT"; flow:established,to_server; content:"/user.asp?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0560; reference:url,www.milw0rm.com/exploits/3186; reference:url,doc.emergingthreats.net/2005170; classtype:web-application-attack; sid:2005170; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user UNION SELECT"; flow:established,to_server; content:"/user.asp?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0560; reference:url,www.milw0rm.com/exploits/3186; reference:url,doc.emergingthreats.net/2005171; classtype:web-application-attack; sid:2005171; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user INSERT"; flow:established,to_server; content:"/user.asp?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0560; reference:url,www.milw0rm.com/exploits/3186; reference:url,doc.emergingthreats.net/2005172; classtype:web-application-attack; sid:2005172; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user DELETE"; flow:established,to_server; content:"/user.asp?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0560; reference:url,www.milw0rm.com/exploits/3186; reference:url,doc.emergingthreats.net/2005173; classtype:web-application-attack; sid:2005173; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user ASCII"; flow:established,to_server; content:"/user.asp?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0560; reference:url,www.milw0rm.com/exploits/3186; reference:url,doc.emergingthreats.net/2005174; classtype:web-application-attack; sid:2005174; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user UPDATE"; flow:established,to_server; content:"/user.asp?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0560; reference:url,www.milw0rm.com/exploits/3186; reference:url,doc.emergingthreats.net/2005175; classtype:web-application-attack; sid:2005175; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iPro="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0053; reference:url,www.milw0rm.com/exploits/3062; reference:url,doc.emergingthreats.net/2005883; classtype:web-application-attack; sid:2005883; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro UNION SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iPro="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0053; reference:url,www.milw0rm.com/exploits/3062; reference:url,doc.emergingthreats.net/2005884; classtype:web-application-attack; sid:2005884; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro INSERT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iPro="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0053; reference:url,www.milw0rm.com/exploits/3062; reference:url,doc.emergingthreats.net/2005885; classtype:web-application-attack; sid:2005885; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro DELETE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iPro="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0053; reference:url,www.milw0rm.com/exploits/3062; reference:url,doc.emergingthreats.net/2005886; classtype:web-application-attack; sid:2005886; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro ASCII"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iPro="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0053; reference:url,www.milw0rm.com/exploits/3062; reference:url,doc.emergingthreats.net/2005887; classtype:web-application-attack; sid:2005887; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro UPDATE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iPro="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0053; reference:url,www.milw0rm.com/exploits/3062; reference:url,doc.emergingthreats.net/2005888; classtype:web-application-attack; sid:2005888; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID SELECT"; flow:established,to_server; content:"/listpics.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6210; reference:url,www.securityfocus.com/bid/21279; reference:url,doc.emergingthreats.net/2007000; classtype:web-application-attack; sid:2007000; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID UNION SELECT"; flow:established,to_server; content:"/listpics.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6210; reference:url,www.securityfocus.com/bid/21279; reference:url,doc.emergingthreats.net/2007001; classtype:web-application-attack; sid:2007001; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID INSERT"; flow:established,to_server; content:"/listpics.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6210; reference:url,www.securityfocus.com/bid/21279; reference:url,doc.emergingthreats.net/2007002; classtype:web-application-attack; sid:2007002; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID DELETE"; flow:established,to_server; content:"/listpics.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6210; reference:url,www.securityfocus.com/bid/21279; reference:url,doc.emergingthreats.net/2007003; classtype:web-application-attack; sid:2007003; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID ASCII"; flow:established,to_server; content:"/listpics.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6210; reference:url,www.securityfocus.com/bid/21279; reference:url,doc.emergingthreats.net/2007004; classtype:web-application-attack; sid:2007004; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID UPDATE"; flow:established,to_server; content:"/listpics.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6210; reference:url,www.securityfocus.com/bid/21279; reference:url,doc.emergingthreats.net/2007005; classtype:web-application-attack; sid:2007005; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS A Better Member-Based ASP Photo Gallery view.asp entry parameter SQL injection"; flow:established,to_server; content:"GET"; http_method; content:"/view.asp?"; nocase; http_uri; content:"entry="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,33693; reference:url,milw0rm.com/exploits/8012; reference:url,doc.emergingthreats.net/2009185; classtype:web-application-attack; sid:2009185; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Aardvark Topsites PHP CONFIG PATH Remote File Include Attempt"; flow:established,to_server; content:"CONFIG[PATH]="; nocase; http_uri; pcre:"/(join|lostpw)\.php\?/Ui"; pcre:"/&CONFIG\x5bpath\x5d=(https?|ftps?|php)\:/Ui"; reference:cve,CVE-2006-2149; reference:url,www.osvdb.org/25158; reference:url,doc.emergingthreats.net/2002901; classtype:web-application-attack; sid:2002901; rev:7; metadata:affected_product Any, attack_target Server, deployment Datacenter, tag Remote_File_Include, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid SELECT"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"categoryid="; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1469; reference:url,www.securityfocus.com/bid/22988; reference:url,doc.emergingthreats.net/2004319; classtype:web-application-attack; sid:2004319; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid UNION SELECT"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"categoryid="; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1469; reference:url,www.securityfocus.com/bid/22988; reference:url,doc.emergingthreats.net/2004320; classtype:web-application-attack; sid:2004320; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid INSERT"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"categoryid="; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1469; reference:url,www.securityfocus.com/bid/22988; reference:url,doc.emergingthreats.net/2004321; classtype:web-application-attack; sid:2004321; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid DELETE"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"categoryid="; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1469; reference:url,www.securityfocus.com/bid/22988; reference:url,doc.emergingthreats.net/2004322; classtype:web-application-attack; sid:2004322; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid ASCII"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"categoryid="; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1469; reference:url,www.securityfocus.com/bid/22988; reference:url,doc.emergingthreats.net/2004323; classtype:web-application-attack; sid:2004323; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid UPDATE"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"categoryid="; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1469; reference:url,www.securityfocus.com/bid/22988; reference:url,doc.emergingthreats.net/2004324; classtype:web-application-attack; sid:2004324; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid SELECT"; flow:established,to_server; content:"/product.asp?"; nocase; http_uri; content:"productid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007392; classtype:web-application-attack; sid:2007392; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid UNION SELECT"; flow:established,to_server; content:"/product.asp?"; nocase; http_uri; content:"productid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007393; classtype:web-application-attack; sid:2007393; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid INSERT"; flow:established,to_server; content:"/product.asp?"; nocase; http_uri; content:"productid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007394; classtype:web-application-attack; sid:2007394; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid DELETE"; flow:established,to_server; content:"/product.asp?"; nocase; http_uri; content:"productid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007395; classtype:web-application-attack; sid:2007395; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid ASCII"; flow:established,to_server; content:"/product.asp?"; nocase; http_uri; content:"productid="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007396; classtype:web-application-attack; sid:2007396; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid UPDATE"; flow:established,to_server; content:"/product.asp?"; nocase; http_uri; content:"productid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007397; classtype:web-application-attack; sid:2007397; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search SELECT"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"search="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007398; classtype:web-application-attack; sid:2007398; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search UNION SELECT"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"search="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007399; classtype:web-application-attack; sid:2007399; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search INSERT"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"search="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007400; classtype:web-application-attack; sid:2007400; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search DELETE"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"search="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007401; classtype:web-application-attack; sid:2007401; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search ASCII"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"search="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007402; classtype:web-application-attack; sid:2007402; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search UPDATE"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"search="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007403; classtype:web-application-attack; sid:2007403; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"/dispatch.php?atknodetype=reports.weekreport"; nocase; http_uri; content:"userid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,securitytracker.com/alerts/2009/Oct/1023017.html; reference:url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt; reference:url,www.securityfocus.com/bid/36660/info; reference:cve,2009-2734; reference:url,doc.emergingthreats.net/2010131; classtype:web-application-attack; sid:2010131; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"/dispatch.php?atknodetype=reports.weekreport"; nocase; http_uri; content:"userid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,securitytracker.com/alerts/2009/Oct/1023017.html; reference:url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt; reference:url,www.securityfocus.com/bid/36660/info; reference:cve,2009-2734; reference:url,doc.emergingthreats.net/2010132; classtype:web-application-attack; sid:2010132; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"/dispatch.php?atknodetype=reports.weekreport"; nocase; http_uri; content:"userid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,securitytracker.com/alerts/2009/Oct/1023017.html; reference:url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt; reference:url,www.securityfocus.com/bid/36660/info; reference:cve,2009-2734; reference:url,doc.emergingthreats.net/2010133; classtype:web-application-attack; sid:2010133; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"/dispatch.php?atknodetype=reports.weekreport"; nocase; http_uri; content:"userid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,securitytracker.com/alerts/2009/Oct/1023017.html; reference:url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt; reference:url,www.securityfocus.com/bid/36660/info; reference:cve,2009-2734; reference:url,doc.emergingthreats.net/2010134; classtype:web-application-attack; sid:2010134; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"/dispatch.php?atknodetype=reports.weekreport"; nocase; http_uri; content:"userid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,securitytracker.com/alerts/2009/Oct/1023017.html; reference:url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt; reference:url,www.securityfocus.com/bid/36660/info; reference:cve,2009-2734; reference:url,doc.emergingthreats.net/2010135; classtype:web-application-attack; sid:2010135; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Achievo debugger.php config_atkroot parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"/debugger.php?"; nocase; http_uri; content:"config_atkroot="; nocase; http_uri; pcre:"/config_atkroot\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,36822; reference:url,doc.emergingthreats.net/2010354; classtype:web-application-attack; sid:2010354; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID SELECT"; flow:established,to_server; content:"/activenews_view.asp?"; nocase; http_uri; content:"articleID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007476; classtype:web-application-attack; sid:2007476; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID UNION SELECT"; flow:established,to_server; content:"/activenews_view.asp?"; nocase; http_uri; content:"articleID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007477; classtype:web-application-attack; sid:2007477; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID INSERT"; flow:established,to_server; content:"/activenews_view.asp?"; nocase; http_uri; content:"articleID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007478; classtype:web-application-attack; sid:2007478; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID DELETE"; flow:established,to_server; content:"/activenews_view.asp?"; nocase; http_uri; content:"articleID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007479; classtype:web-application-attack; sid:2007479; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID ASCII"; flow:established,to_server; content:"/activenews_view.asp?"; nocase; http_uri; content:"articleID="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007480; classtype:web-application-attack; sid:2007480; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID UPDATE"; flow:established,to_server; content:"/activenews_view.asp?"; nocase; http_uri;content:"articleID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007481; classtype:web-application-attack; sid:2007481; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007482; classtype:web-application-attack; sid:2007482; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page UNION SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007483; classtype:web-application-attack; sid:2007483; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page INSERT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007564; classtype:web-application-attack; sid:2007564; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page DELETE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007484; classtype:web-application-attack; sid:2007484; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page ASCII"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007485; classtype:web-application-attack; sid:2007485; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page UPDATE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007486; classtype:web-application-attack; sid:2007486; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID SELECT"; flow:established,to_server; content:"/activeNews_categories.asp?"; nocase; http_uri; content:"catID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007487; classtype:web-application-attack; sid:2007487; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID UNION SELECT"; flow:established,to_server; content:"/activeNews_categories.asp?"; nocase; http_uri; content:"catID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007488; classtype:web-application-attack; sid:2007488; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID INSERT"; flow:established,to_server; content:"/activeNews_categories.asp?"; nocase; http_uri; content:"catID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007489; classtype:web-application-attack; sid:2007489; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID DELETE"; flow:established,to_server; content:"/activeNews_categories.asp?"; nocase; http_uri; content:"catID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007490; classtype:web-application-attack; sid:2007490; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID ASCII"; flow:established,to_server; content:"/activeNews_categories.asp?"; nocase; http_uri;content:"catID="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007491; classtype:web-application-attack; sid:2007491; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID UPDATE"; flow:established,to_server; content:"/activeNews_categories.asp?"; nocase; http_uri; content:"catID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007492; classtype:web-application-attack; sid:2007492; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID SELECT"; flow:established,to_server; content:"/activeNews_comments.asp?"; nocase; http_uri; content:"articleID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007493; classtype:web-application-attack; sid:2007493; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID UNION SELECT"; flow:established,to_server; content:"/activeNews_comments.asp?"; nocase; http_uri; content:"articleID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007494; classtype:web-application-attack; sid:2007494; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID INSERT"; flow:established,to_server; content:"/activeNews_comments.asp?"; nocase; http_uri; content:"articleID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007495; classtype:web-application-attack; sid:2007495; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID DELETE"; flow:established,to_server; content:"/activeNews_comments.asp?"; nocase; http_uri; content:"articleID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007496; classtype:web-application-attack; sid:2007496; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID ASCII"; flow:established,to_server; content:"/activeNews_comments.asp?"; nocase; http_uri; content:"articleID="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007497; classtype:web-application-attack; sid:2007497; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID UPDATE"; flow:established,to_server; content:"/activeNews_comments.asp?"; nocase; http_uri; content:"articleID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007498; classtype:web-application-attack; sid:2007498; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query SELECT"; flow:established,to_server; content:"/activenews_search.asp?"; nocase; http_uri; content:"query="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007499; classtype:web-application-attack; sid:2007499; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query UNION SELECT"; flow:established,to_server; content:"/activenews_search.asp?"; nocase; http_uri; content:"query="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007500; classtype:web-application-attack; sid:2007500; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query INSERT"; flow:established,to_server; content:"/activenews_search.asp?"; nocase; http_uri; content:"query="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007501; classtype:web-application-attack; sid:2007501; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query DELETE"; flow:established,to_server; content:"/activenews_search.asp?"; nocase; http_uri; content:"query="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007502; classtype:web-application-attack; sid:2007502; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query ASCII"; flow:established,to_server; content:"/activenews_search.asp?"; nocase; http_uri; content:"query="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007503; classtype:web-application-attack; sid:2007503; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query UPDATE"; flow:established,to_server; content:"/activenews_search.asp?"; nocase; http_uri; content:"query="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007565; classtype:web-application-attack; sid:2007565; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter local file inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/container.php?"; nocase; http_uri; content:"theme_directory="; nocase; http_uri; content:"../"; reference:url,secunia.com/advisories/34485/; reference:bugtraq,34265; reference:url,milw0rm.com/exploits/8291; reference:url,doc.emergingthreats.net/2009377; classtype:web-application-attack; sid:2009377; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter remote file inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/container.php?"; nocase; http_uri; content:"theme_directory="; nocase; http_uri; pcre:"/theme_directory=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/34485/; reference:bugtraq,34265; reference:url,milw0rm.com/exploits/8291; reference:url,doc.emergingthreats.net/2009378; classtype:web-application-attack; sid:2009378; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter remote file inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/header.php?"; nocase; http_uri; content:"theme_directory="; nocase; http_uri; pcre:"/theme_directory=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/34485/; reference:bugtraq,34265; reference:url,milw0rm.com/exploits/8291; reference:url,doc.emergingthreats.net/2009379; classtype:web-application-attack; sid:2009379; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter local file inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/header.php?"; nocase; http_uri; content:"theme_directory="; nocase; http_uri; content:"../"; depth:200; reference:url,secunia.com/advisories/34485/; reference:bugtraq,34265; reference:url,milw0rm.com/exploits/8291; reference:url,doc.emergingthreats.net/2009380; classtype:web-application-attack; sid:2009380; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/latestposts.php?"; nocase; http_uri; content:"forumspath="; nocase; http_uri; pcre:"/forumspath=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/35315/; reference:url,milw0rm.com/exploits/8851; reference:url,doc.emergingthreats.net/2009903; classtype:web-application-attack; sid:2009903; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/latestposts.php?"; nocase; http_uri; content:"forumspath="; nocase; http_uri; content:"../"; depth:200; reference:url,secunia.com/advisories/35315/; reference:url,milw0rm.com/exploits/8851; reference:url,doc.emergingthreats.net/2009904; classtype:web-application-attack; sid:2009904; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AdaptCMS Lite rss_importer_functions.php sitepath Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/rss_importer_functions.php?"; nocase; http_uri; content:"sitepath="; nocase; http_uri; pcre:"/sitepath=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8016; reference:bugtraq,33698; reference:url,doc.emergingthreats.net/2009167; classtype:web-application-attack; sid:2009167; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AdaptWeb a_index.php CodigoDisciplina Parameter Remote SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/a_index.php?"; nocase; http_uri; content:"CodigoDisciplina="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:cve,CVE-2009-2152; reference:url,en.securitylab.ru/nvd/381723.php; reference:url,milw0rm.com/exploits/8954; reference:url,doc.emergingthreats.net/2010022; classtype:web-application-attack; sid:2010022; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Adobe JRun Directory Traversal"; flow:to_server,established; content:"GET"; http_method; content:"/logging/logviewer.jsp?"; nocase; http_uri; content:"logfile="; nocase; http_uri; content:"../"; depth:200; reference:url,www.dsecrg.ru/pages/vul/show.php?id=152; reference:url,www.vupen.com/english/advisories/2009/2285; reference:url,doc.emergingthreats.net/2010194; classtype:web-application-attack; sid:2010194; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Adobe Flex SDK index.template.html Cross Site Scripting Attempt"; flow:established,to_server; content:"/Flex/index.template.html"; nocase; http_uri; pcre:"/index.template.html.+(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:cve,2009-1879; reference:url,securitytracker.com/alerts/2009/Aug/1022748.html; reference:url,doc.emergingthreats.net/2010214; classtype:web-application-attack; sid:2010214; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Adobe RoboHelp XSS Attempt whstart.js"; flow:established,to_server; content:"/whstart.js?"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-1280; reference:url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded; reference:url,doc.emergingthreats.net/2003897; classtype:web-application-attack; sid:2003897; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Adobe RoboHelp XSS Attempt whcsh_home.htm"; flow:established,to_server; content:"/whcsh_home.htm?"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-1280; reference:url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded; reference:url,doc.emergingthreats.net/2003898; classtype:web-application-attack; sid:2003898; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Adobe RoboHelp XSS Attempt wf_startpage.js"; flow:established,to_server; content:"/wf_startpage.js?"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-1280; reference:url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded; reference:url,doc.emergingthreats.net/2003899; classtype:web-application-attack; sid:2003899; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Adobe RoboHelp XSS Attempt wf_startqs.htm"; flow:established,to_server; content:"/wf_startqs.htm?"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-1280; reference:url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded; reference:url,doc.emergingthreats.net/2003900; classtype:web-application-attack; sid:2003900; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Adobe RoboHelp XSS Attempt WindowManager.dll"; flow:established,to_server; content:"/WindowManager.dll?"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-1280; reference:url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded; reference:url,doc.emergingthreats.net/2003901; classtype:web-application-attack; sid:2003901; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Advanced Guestbook XSS Attempt -- picture.php picture"; flow:established,to_server; content:"/picture.php?"; nocase; http_uri; content:"picture="; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-0605; reference:url,www.securityfocus.com/bid/23873; reference:url,doc.emergingthreats.net/2003915; classtype:web-application-attack; sid:2003915; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Agares Media ThemeSiteScript frontpage_right.php Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/admin/frontpage_right.php?"; nocase; http_uri; content:"loadadminpage="; nocase; http_uri; pcre:"/loadadminpage=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,31959; reference:url,milw0rm.com/exploits/6859; reference:url,vupen.com/english/advisories/2008/2959; reference:url,doc.emergingthreats.net/2009382; classtype:web-application-attack; sid:2009382; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aj Square RSS Reader url SQL Injection"; flow:established,to_server; content:"GET"; http_method; content:"/EditUrl.php?"; nocase; http_uri;content:"url="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/32413/; reference:url,milw0rm.com/exploits/6856; reference:url,doc.emergingthreats.net/2008785; classtype:web-application-attack; sid:2008785; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AjaxPortal ajaxp_backend.php page Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/ajaxp_backend.php?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,milw0rm.com/exploits/8341; reference:bugtraq,34338; reference:url,doc.emergingthreats.net/2009424; classtype:web-application-attack; sid:2009424; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AjaxPortal di.php pathtoserverdata Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"/install/di.php?"; nocase; http_uri; content:"pathtoserverdata="; nocase; http_uri; pcre:"/pathtoserverdata\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/55485; reference:url,doc.emergingthreats.net/2010362; classtype:web-application-attack; sid:2010362; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id SELECT"; flow:established,to_server; content:"/HaberDetay.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004887; classtype:web-application-attack; sid:2004887; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id UNION SELECT"; flow:established,to_server; content:"/HaberDetay.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004888; classtype:web-application-attack; sid:2004888; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id INSERT"; flow:established,to_server; content:"/HaberDetay.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004889; classtype:web-application-attack; sid:2004889; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id DELETE"; flow:established,to_server; content:"/HaberDetay.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004890; classtype:web-application-attack; sid:2004890; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id ASCII"; flow:established,to_server; content:"/HaberDetay.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004891; classtype:web-application-attack; sid:2004891; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id UPDATE"; flow:established,to_server; content:"/HaberDetay.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004892; classtype:web-application-attack; sid:2004892; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid SELECT"; flow:established,to_server; content:"/rss.asp?"; nocase; http_uri; content:"kid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004893; classtype:web-application-attack; sid:2004893; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid UNION SELECT"; flow:established,to_server; content:"/rss.asp?"; nocase; http_uri; content:"kid="; nocase; http_uri;content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004894; classtype:web-application-attack; sid:2004894; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid INSERT"; flow:established,to_server; content:"/rss.asp?"; nocase; http_uri; content:"kid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004895; classtype:web-application-attack; sid:2004895; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid DELETE"; flow:established,to_server; content:"/rss.asp?"; nocase; http_uri; content:"kid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004896; classtype:web-application-attack; sid:2004896; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid ASCII"; flow:established,to_server; content:"/rss.asp?"; nocase; http_uri; content:"kid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004897; classtype:web-application-attack; sid:2004897; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid UPDATE"; flow:established,to_server; content:"/rss.asp?"; nocase; http_uri; content:"kid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004898; classtype:web-application-attack; sid:2004898; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0202; reference:url,www.milw0rm.com/exploits/3103; reference:url,doc.emergingthreats.net/2005772; classtype:web-application-attack; sid:2005772; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0202; reference:url,www.milw0rm.com/exploits/3103; reference:url,doc.emergingthreats.net/2005773; classtype:web-application-attack; sid:2005773; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0202; reference:url,www.milw0rm.com/exploits/3103; reference:url,doc.emergingthreats.net/2005774; classtype:web-application-attack; sid:2005774; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0202; reference:url,www.milw0rm.com/exploits/3103; reference:url,doc.emergingthreats.net/2005775; classtype:web-application-attack; sid:2005775; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0202; reference:url,www.milw0rm.com/exploits/3103; reference:url,doc.emergingthreats.net/2005776; classtype:web-application-attack; sid:2005776; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0202; reference:url,www.milw0rm.com/exploits/3103; reference:url,doc.emergingthreats.net/2005777; classtype:web-application-attack; sid:2005777; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel poll_id parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/cp_polls_results.php?"; nocase; http_uri; content:"poll_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,milw0rm.com/exploits/6854; reference:url,secunia.com/advisories/32431; reference:url,doc.emergingthreats.net/2008787; classtype:web-application-attack; sid:2008787; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AlstraSoft E-Friends SQL Injection Attempt -- index.php pack UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"pack="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2824; reference:url,www.milw0rm.com/exploits/3956; reference:url,doc.emergingthreats.net/2004022; classtype:web-application-attack; sid:2004022; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AlstraSoft Affiliate Network Pro (pgm) Parameter SQL Injection"; flow:to_server,established; content:"/index.php?"; nocase; http_uri; content:"Act="; nocase; http_uri; content:"&pgm"; nocase; http_uri; pcre:"/\+UNION\+SELECT/Ui"; reference:bugtraq,30259; reference:url,milw0rm.com/exploits/6087; reference:url,doc.emergingthreats.net/2008439; classtype:web-application-attack; sid:2008439; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AlstraSoft Video Share Enterprise album.php UID Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/album.php?"; nocase; http_uri; content:"UID="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:cve,CVE-2008-3386; reference:url,www.milw0rm.com/exploits/6092; reference:url,secunia.com/advisories/31134/; reference:url,doc.emergingthreats.net/2009228; classtype:web-application-attack; sid:2009228; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id SELECT"; flow:established,to_server; content:"/section/default.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1250; reference:url,www.milw0rm.com/exploits/3390; reference:url,doc.emergingthreats.net/2004717; classtype:web-application-attack; sid:2004717; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id UNION SELECT"; flow:established,to_server; content:"/section/default.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1250; reference:url,www.milw0rm.com/exploits/3390; reference:url,doc.emergingthreats.net/2004718; classtype:web-application-attack; sid:2004718; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id INSERT"; flow:established,to_server; content:"/section/default.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1250; reference:url,www.milw0rm.com/exploits/3390; reference:url,doc.emergingthreats.net/2004719; classtype:web-application-attack; sid:2004719; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id DELETE"; flow:established,to_server; content:"/section/default.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1250; reference:url,www.milw0rm.com/exploits/3390; reference:url,doc.emergingthreats.net/2004720; classtype:web-application-attack; sid:2004720; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id ASCII"; flow:established,to_server; content:"/section/default.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1250; reference:url,www.milw0rm.com/exploits/3390; reference:url,doc.emergingthreats.net/2004721; classtype:web-application-attack; sid:2004721; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id UPDATE"; flow:established,to_server; content:"/section/default.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1250; reference:url,www.milw0rm.com/exploits/3390; reference:url,doc.emergingthreats.net/2004723; classtype:web-application-attack; sid:2004723; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id SELECT"; flow:established,to_server; content:"/email.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006560; classtype:web-application-attack; sid:2006560; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id UNION SELECT"; flow:established,to_server; content:"/email.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006561; classtype:web-application-attack; sid:2006561; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id INSERT"; flow:established,to_server; content:"/email.php?"; nocase; http_uri; content:"id="; nocase; http_uri;content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006562; classtype:web-application-attack; sid:2006562; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id DELETE"; flow:established,to_server; content:"/email.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006564; classtype:web-application-attack; sid:2006564; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id ASCII"; flow:established,to_server; content:"/email.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006565; classtype:web-application-attack; sid:2006565; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id UPDATE"; flow:established,to_server; content:"/email.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006566; classtype:web-application-attack; sid:2006566; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no SELECT"; flow:established,to_server; content:"/voirannonce.php?"; nocase; http_uri; content:"no="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006567; classtype:web-application-attack; sid:2006567; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no UNION SELECT"; flow:established,to_server; content:"/voirannonce.php?"; nocase; http_uri; content:"no="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006568; classtype:web-application-attack; sid:2006568; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no INSERT"; flow:established,to_server; content:"/voirannonce.php?"; nocase; http_uri; content:"no="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006569; classtype:web-application-attack; sid:2006569; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no DELETE"; flow:established,to_server; content:"/voirannonce.php?"; nocase; http_uri; content:"no="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006570; classtype:web-application-attack; sid:2006570; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no ASCII"; flow:established,to_server; content:"/voirannonce.php?"; nocase; http_uri; content:"no="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006571; classtype:web-application-attack; sid:2006571; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no UPDATE"; flow:established,to_server; content:"/voirannonce.php?"; nocase; http_uri; content:"no="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006572; classtype:web-application-attack; sid:2006572; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre SELECT"; flow:established,to_server; content:"/admin/admin_membre/fiche_membre.php?"; nocase; http_uri; content:"idmembre="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006573; classtype:web-application-attack; sid:2006573; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre UNION SELECT"; flow:established,to_server; content:"/admin/admin_membre/fiche_membre.php?"; nocase; http_uri; content:"idmembre="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006574; classtype:web-application-attack; sid:2006574; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre INSERT"; flow:established,to_server; content:"/admin/admin_membre/fiche_membre.php?"; nocase; http_uri; content:"idmembre="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006575; classtype:web-application-attack; sid:2006575; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre DELETE"; flow:established,to_server; content:"/admin/admin_membre/fiche_membre.php?"; nocase; http_uri; content:"idmembre="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006576; classtype:web-application-attack; sid:2006576; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre ASCII"; flow:established,to_server; content:"/admin/admin_membre/fiche_membre.php?"; nocase; http_uri; content:"idmembre="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006577; classtype:web-application-attack; sid:2006577; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre UPDATE"; flow:established,to_server; content:"/admin/admin_membre/fiche_membre.php?"; nocase; http_uri; content:"idmembre="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006578; classtype:web-application-attack; sid:2006578; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce SELECT"; flow:established,to_server; content:"/admin/admin_annonce/okvalannonce.php?"; nocase; http_uri; content:"idannonce="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006579; classtype:web-application-attack; sid:2006579; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce UNION SELECT"; flow:established,to_server; content:"/admin/admin_annonce/okvalannonce.php?"; nocase; http_uri; content:"idannonce="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006580; classtype:web-application-attack; sid:2006580; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce INSERT"; flow:established,to_server; content:"/admin/admin_annonce/okvalannonce.php?"; nocase; http_uri; content:"idannonce="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006581; classtype:web-application-attack; sid:2006581; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce DELETE"; flow:established,to_server; content:"/admin/admin_annonce/okvalannonce.php?"; nocase; http_uri; content:"idannonce="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006582; classtype:web-application-attack; sid:2006582; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce ASCII"; flow:established,to_server; content:"/admin/admin_annonce/okvalannonce.php?"; nocase; http_uri; content:"idannonce="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006583; classtype:web-application-attack; sid:2006583; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce UPDATE"; flow:established,to_server; content:"/admin/admin_annonce/okvalannonce.php?"; nocase; http_uri; content:"idannonce="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006584; classtype:web-application-attack; sid:2006584; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce SELECT"; flow:established,to_server; content:"/admin/admin_annonce/changeannonce.php?"; nocase; http_uri; content:"idannonce="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006585; classtype:web-application-attack; sid:2006585; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce UNION SELECT"; flow:established,to_server; content:"/admin/admin_annonce/changeannonce.php?"; nocase; http_uri; content:"idannonce="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006586; classtype:web-application-attack; sid:2006586; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce INSERT"; flow:established,to_server; content:"/admin/admin_annonce/changeannonce.php?"; nocase; http_uri; content:"idannonce="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006587; classtype:web-application-attack; sid:2006587; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce DELETE"; flow:established,to_server; content:"/admin/admin_annonce/changeannonce.php?"; nocase; http_uri; content:"idannonce="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006588; classtype:web-application-attack; sid:2006588; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce ASCII"; flow:established,to_server; content:"/admin/admin_annonce/changeannonce.php?"; nocase; http_uri; content:"idannonce="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006589; classtype:web-application-attack; sid:2006589; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce UPDATE"; flow:established,to_server; content:"/admin/admin_annonce/changeannonce.php?"; nocase; http_uri; content:"idannonce="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006590; classtype:web-application-attack; sid:2006590; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Apache Tomcat Host Manager Cross Site Scripting Attempt"; flow:established,to_server; content:"/host-manager/html/add"; nocase; http_uri; content:"method="; nocase; http_uri; pcre:"/(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/29502/info; reference:cve,2008-1947; reference:url,doc.emergingthreats.net/2010146; classtype:web-application-attack; sid:2010146; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ARISg errmsg Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/Aris/wflogin.jsp?"; nocase; http_uri; content:"errmsg="; nocase; http_uri; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,38441; reference:url,secunia.com/advisories/38793; reference:url,doc.emergingthreats.net/2011114; classtype:web-application-attack; sid:2011114; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPApps.com Template Creature media_level.asp mcatid parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/media_level.asp?"; nocase; http_uri; content:"mcatid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,www.milw0rm.com/exploits/7339; reference:bugtraq,32641; reference:url,doc.emergingthreats.net/2008936; classtype:web-application-attack; sid:2008936; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici SELECT"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"kullanici="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006783; classtype:web-application-attack; sid:2006783; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici UNION SELECT"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"kullanici="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006784; classtype:web-application-attack; sid:2006784; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici INSERT"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"kullanici="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006785; classtype:web-application-attack; sid:2006785; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici DELETE"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"kullanici="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006786; classtype:web-application-attack; sid:2006786; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici ASCII"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"kullanici="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006787; classtype:web-application-attack; sid:2006787; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici UPDATE"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"kullanici="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006788; classtype:web-application-attack; sid:2006788; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola SELECT"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"parola="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006789; classtype:web-application-attack; sid:2006789; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola UNION SELECT"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"parola="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006790; classtype:web-application-attack; sid:2006790; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola INSERT"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"parola="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006791; classtype:web-application-attack; sid:2006791; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola DELETE"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"parola="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006792; classtype:web-application-attack; sid:2006792; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola ASCII"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"parola="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006793; classtype:web-application-attack; sid:2006793; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola UPDATE"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"parola="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006794; classtype:web-application-attack; sid:2006794; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AstroSPACES profile.php SQL Injection"; flow:established,to_server; content:"GET"; http_method; content:"/profile.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:bugtraq,31771; reference:url,www.milw0rm.com/exploits/6758; reference:url,doc.emergingthreats.net/2008669; classtype:web-application-attack; sid:2008669; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Athena Web Registration Remote Command Execution Attempt"; flow: to_server,established; content:"/athenareg.php?pass= |3b|"; nocase; http_uri; reference:cve,CAN-2004-1782; reference:bugtraq,9349; reference:url,doc.emergingthreats.net/2001949; classtype:web-application-attack; sid:2001949; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID SELECT"; flow:established,to_server; content:"/system/index.php?"; nocase; http_uri; content:"PHPSESSID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1242; reference:url,www.securityfocus.com/bid/22728; reference:url,doc.emergingthreats.net/2004724; classtype:web-application-attack; sid:2004724; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID UNION SELECT"; flow:established,to_server; content:"/system/index.php?"; nocase; http_uri; content:"PHPSESSID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1242; reference:url,www.securityfocus.com/bid/22728; reference:url,doc.emergingthreats.net/2004725; classtype:web-application-attack; sid:2004725; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID INSERT"; flow:established,to_server; content:"/system/index.php?"; nocase; http_uri; content:"PHPSESSID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1242; reference:url,www.securityfocus.com/bid/22728; reference:url,doc.emergingthreats.net/2004726; classtype:web-application-attack; sid:2004726; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID DELETE"; flow:established,to_server; content:"/system/index.php?"; nocase; http_uri; content:"PHPSESSID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1242; reference:url,www.securityfocus.com/bid/22728; reference:url,doc.emergingthreats.net/2004727; classtype:web-application-attack; sid:2004727; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID ASCII"; flow:established,to_server; content:"/system/index.php?"; nocase; http_uri; content:"PHPSESSID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1242; reference:url,www.securityfocus.com/bid/22728; reference:url,doc.emergingthreats.net/2004728; classtype:web-application-attack; sid:2004728; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID UPDATE"; flow:established,to_server; content:"/system/index.php?"; nocase; http_uri; content:"PHPSESSID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1242; reference:url,www.securityfocus.com/bid/22728; reference:url,doc.emergingthreats.net/2004729; classtype:web-application-attack; sid:2004729; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Auto Listings Script moreinfo.php itemno Parameter SQL Injection"; flow:established,to_server; content:"GET"; http_method; content:"/moreinfo.php?"; nocase; http_uri; content:"itemno="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,32131; reference:url,milw0rm.com/exploits/7003; reference:url,doc.emergingthreats.net/2009186; classtype:web-application-attack; sid:2009186; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Autonomous LAN Party _bot.php master Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/include/_bot.php?"; nocase; http_uri; content:"master[currentskin]="; nocase; http_uri; pcre:"/master\[currentskin\]\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/36354; reference:url,packetstormsecurity.nl/0908-exploits/autonomouslan-rfi.txt; reference:url,doc.emergingthreats.net/2010198; classtype:web-application-attack; sid:2010198; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Autos catid SQL Injection"; flow:established,to_server; content:"GET"; http_method; content:"/searchresults.php?catid="; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,www.milw0rm.com/exploits/6696; reference:url,secunia.com/advisories/32139/; reference:url,doc.emergingthreats.net/2008650; classtype:web-application-attack; sid:2008650; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AvailScript Photo Album Script pics.php sid Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/pics.php?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,31085; reference:url,milw0rm.com/exploits/6411; reference:url,doc.emergingthreats.net/2009718; classtype:web-application-attack; sid:2009718; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AvailScript Article Script articles.php aIDS Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/articles.php?"; nocase; http_uri; content:"aIDS="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:cve,CVE-2008-4371; reference:url,secunia.com/advisories/31816/; reference:url,milw0rm.com/exploits/6409; reference:url,doc.emergingthreats.net/2009747; classtype:web-application-attack; sid:2009747; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible AWStats awstats.pl Cross-Site Scripting Attempt"; flow:established,to_server; content:"/awstats/awstats.pl?config="; nocase; http_uri; pcre:"/(onmouse|onkey|onload=|onblur=|ondragdrop=|onclick=|alert|<script|<img|<src)/Ui"; reference:url,www.securityfocus.com/bid/30730/info; reference:url,bugzilla.redhat.com/show_bug.cgi?id=474396; reference:url,sourceforge.net/tracker/index.php?func=detail&aid=2001151&group_id=13764&atid=113764; reference:cve,2008-3714; reference:url,doc.emergingthreats.net/2010082; classtype:web-application-attack; sid:2010082; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Awstats Remote Code Execution Attempt"; flow: established,from_client; content:"/awstats.pl?"; nocase; http_uri; pcre:"/(configdir|update|pluginmode)=.*(\|.+\||system)/Ui"; reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference:url,www.k-otik.com/exploits/20050302.awstats_shell.c.php; reference:url,awstats.sourceforge.net; reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; reference:bugtraq,12298; reference:cve,CAN-2005-0116; reference:url,doc.emergingthreats.net/2001686; classtype:web-application-attack; sid:2001686; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob SELECT"; flow:established,to_server; content:"/publications_list.asp?"; nocase; http_uri; content:"vjob="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007452; classtype:web-application-attack; sid:2007452; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob UNION SELECT"; flow:established,to_server; content:"/publications_list.asp?"; nocase; http_uri; content:"vjob="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007453; classtype:web-application-attack; sid:2007453; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob INSERT"; flow:established,to_server; content:"/publications_list.asp?"; nocase; http_uri; content:"vjob="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007454; classtype:web-application-attack; sid:2007454; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob DELETE"; flow:established,to_server; content:"/publications_list.asp?"; nocase; http_uri; content:"vjob="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007455; classtype:web-application-attack; sid:2007455; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob ASCII"; flow:established,to_server; content:"/publications_list.asp?"; nocase; http_uri; content:"vjob="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007456; classtype:web-application-attack; sid:2007456; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob UPDATE"; flow:established,to_server; content:"/publications_list.asp?"; nocase; http_uri; content:"vjob="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007457; classtype:web-application-attack; sid:2007457; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID SELECT"; flow:established,to_server; content:"/publication_view.asp?"; nocase; http_uri; content:"InfoID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007458; classtype:web-application-attack; sid:2007458; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID UNION SELECT"; flow:established,to_server; content:"/publication_view.asp?"; nocase; http_uri; content:"InfoID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007459; classtype:web-application-attack; sid:2007459; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID INSERT"; flow:established,to_server; content:"/publication_view.asp?"; nocase; http_uri; content:"InfoID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007460; classtype:web-application-attack; sid:2007460; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID DELETE"; flow:established,to_server; content:"/publication_view.asp?"; nocase; http_uri; content:"InfoID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007461; classtype:web-application-attack; sid:2007461; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID ASCII"; flow:established,to_server; content:"/publication_view.asp?"; nocase; http_uri; content:"InfoID="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007462; classtype:web-application-attack; sid:2007462; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID UPDATE"; flow:established,to_server; content:"/publication_view.asp?"; nocase; http_uri; content:"InfoID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007463; classtype:web-application-attack; sid:2007463; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"layout="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1445; reference:url,www.milw0rm.com/exploits/3466; reference:url,doc.emergingthreats.net/2004331; classtype:web-application-attack; sid:2004331; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout UNION SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"layout="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1445; reference:url,www.milw0rm.com/exploits/3466; reference:url,doc.emergingthreats.net/2004332; classtype:web-application-attack; sid:2004332; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout INSERT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"layout="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1445; reference:url,www.milw0rm.com/exploits/3466; reference:url,doc.emergingthreats.net/2004333; classtype:web-application-attack; sid:2004333; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout DELETE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"layout="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1445; reference:url,www.milw0rm.com/exploits/3466; reference:url,doc.emergingthreats.net/2004334; classtype:web-application-attack; sid:2004334; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout ASCII"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"layout="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1445; reference:url,www.milw0rm.com/exploits/3466; reference:url,doc.emergingthreats.net/2004335; classtype:web-application-attack; sid:2004335; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout UPDATE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"layout="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1445; reference:url,www.milw0rm.com/exploits/3466; reference:url,doc.emergingthreats.net/2004336; classtype:web-application-attack; sid:2004336; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bahar Download Script aspkat.asp SQL Injection"; flow:established,to_server; content:"GET"; http_method; content:"/aspkat.asp?kid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:bugtraq,31852; reference:url,doc.emergingthreats.net/2008724; classtype:web-application-attack; sid:2008724; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bandwebsite lyrics.php id parameter Sql Injection"; flow:to_server,established; content:"GET"; http_method; content:"/lyrics.php?"; nocase; http_uri; content:"section=full"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,www.milw0rm.com/exploits/7215; reference:bugtraq,32454; reference:url,doc.emergingthreats.net/2008896; classtype:web-application-attack; sid:2008896; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Barcode Generator LSTable.php class_dir parameter Remote File Inclusion"; flow:established,to_server; content:"GET"; http_method; content:"/LSTable.php?"; nocase; http_uri; content:"class_dir="; nocase; http_uri; pcre:"/class_dir=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,31419; reference:url,milw0rm.com/exploits/6575; reference:url,doc.emergingthreats.net/2009165; classtype:web-application-attack; sid:2009165; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Barracuda Web Application Firewall 600 XSS attempt (backup_username)"; flow:established,to_server; content:"/cgi-mod/index.cgi?"; nocase; http_uri; content:"backup_username="; nocase; http_uri; pcre:"/\/cgi-mod\/index\.cgi\?.*backup_username=[^&\;]*[>\"]/iU"; reference:url,packetstormsecurity.org/0912-exploits/barracuda-inject.txt; reference:url,doc.emergingthreats.net/2010547; classtype:web-application-attack; sid:2010547; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Barracuda Web Application Firewall 600 XSS attempt (backup_server)"; flow:established,to_server; content:"/cgi-mod/index.cgi?"; nocase; http_uri; content:"backup_server="; nocase; http_uri; pcre:"/\/cgi-mod\/index\.cgi\?.*backup_server=[^&\;]*[>\"]/iU"; reference:url,packetstormsecurity.org/0912-exploits/barracuda-inject.txt; reference:url,doc.emergingthreats.net/2010548; classtype:web-application-attack; sid:2010548; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Barracuda Web Application Firewall 600 XSS attempt (backup_path)"; flow:established,to_server; content:"/cgi-mod/index.cgi?"; nocase; http_uri; content:"backup_path="; nocase; http_uri; pcre:"/\/cgi-mod\/index\.cgi\?.*backup_path=[^&\;]*[>\"]/iU"; reference:url,packetstormsecurity.org/0912-exploits/barracuda-inject.txt; reference:url,doc.emergingthreats.net/2010549; classtype:web-application-attack; sid:2010549; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Barracuda Web Application Firewall 600 XSS attempt (backup_password)"; flow:established,to_server; content:"/cgi-mod/index.cgi?"; nocase; http_uri; content:"backup_password="; nocase; http_uri; pcre:"/\/cgi-mod\/index\.cgi\?.*backup_password=[^&\;]*[>\"]/iU"; reference:url,packetstormsecurity.org/0912-exploits/barracuda-inject.txt; reference:url,doc.emergingthreats.net/2010550; classtype:web-application-attack; sid:2010550; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/main.inc.php?"; nocase; http_uri; content:"mj_config[src_path]="; nocase; http_uri; content:"../"; reference:url,secunia.com/advisories/31947/; reference:url,milw0rm.com/exploits/6533; reference:url,doc.emergingthreats.net/2009195; classtype:web-application-attack; sid:2009195; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Remote File inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/main.inc.php?"; nocase; http_uri; content:"mj_config[src_path]="; nocase; http_uri; pcre:"/mj_config\[src_path\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/31947/; reference:url,milw0rm.com/exploits/6533; reference:url,doc.emergingthreats.net/2009196; classtype:web-application-attack; sid:2009196; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id SELECT"; flow:established,to_server; content:"/edit.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6193; reference:url,www.milw0rm.com/exploits/2848; reference:url,doc.emergingthreats.net/2007211; classtype:web-application-attack; sid:2007211; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id UNION SELECT"; flow:established,to_server; content:"/edit.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6193; reference:url,www.milw0rm.com/exploits/2848; reference:url,doc.emergingthreats.net/2007212; classtype:web-application-attack; sid:2007212; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id INSERT"; flow:established,to_server; content:"/edit.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6193; reference:url,www.milw0rm.com/exploits/2848; reference:url,doc.emergingthreats.net/2007213; classtype:web-application-attack; sid:2007213; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id DELETE"; flow:established,to_server; content:"/edit.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6193; reference:url,www.milw0rm.com/exploits/2848; reference:url,doc.emergingthreats.net/2007214; classtype:web-application-attack; sid:2007214; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id ASCII"; flow:established,to_server; content:"/edit.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6193; reference:url,www.milw0rm.com/exploits/2848; reference:url,doc.emergingthreats.net/2007215; classtype:web-application-attack; sid:2007215; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id UPDATE"; flow:established,to_server; content:"/edit.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6193; reference:url,www.milw0rm.com/exploits/2848; reference:url,doc.emergingthreats.net/2007216; classtype:web-application-attack; sid:2007216; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Beacon Remote Inclusion Attempt -- splash.lang.php languagePath"; flow:established,to_server; content:"/language/1/splash.lang.php?"; nocase; http_uri; content:"languagePath="; nocase; http_uri; reference:cve,CVE-2007-2663; reference:url,www.milw0rm.com/exploits/3909; reference:url,doc.emergingthreats.net/2003738; classtype:web-application-attack; sid:2003738; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Beerwins PHPLinkAdmin linkadmin.php page Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/linkadmin.php?"; nocase; http_uri; content:"page="; nocase; http_uri; pcre:"/page=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8216; reference:bugtraq,34129; reference:url,doc.emergingthreats.net/2009364; classtype:web-application-attack; sid:2009364; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Beerwins PHPLinkAdmin edlink.php linkid Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/edlink.php?"; nocase; http_uri; content:"linkid"; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,milw0rm.com/exploits/8216; reference:bugtraq,34129; reference:url,doc.emergingthreats.net/2009365; classtype:web-application-attack; sid:2009365; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Berylium2 Remote Inclusion Attempt -- berylium-classes.php beryliumroot"; flow:established,to_server; content:"/berylium-classes.php?"; nocase; http_uri; content:"beryliumroot="; nocase; http_uri; reference:cve,CVE-2007-2531; reference:url,www.milw0rm.com/exploits/3869; reference:url,doc.emergingthreats.net/2003677; classtype:web-application-attack; sid:2003677; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BibCiter projects.php idp Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/reports/projects.php?"; nocase; http_uri; content:"idp="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/33555; reference:bugtraq,33329; reference:url,milw0rm.com/exploits/7814; reference:url,doc.emergingthreats.net/2009740; classtype:web-application-attack; sid:2009740; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BibCiter contacts.php idc Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/reports/contacts.php?"; nocase; http_uri; content:"idc="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/33555; reference:bugtraq,33329; reference:url,milw0rm.com/exploits/7814; reference:url,doc.emergingthreats.net/2009741; classtype:web-application-attack; sid:2009741; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BibCiter users.php idu Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/reports/users.php?"; nocase; http_uri; content:"idu="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/33555; reference:bugtraq,33329; reference:url,milw0rm.com/exploits/7814; reference:url,doc.emergingthreats.net/2009742; classtype:web-application-attack; sid:2009742; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Blogplus block_center_down.php Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/block_center_down.php?"; nocase; http_uri; content:"row_mysql_blocks_center_down[file]="; nocase; http_uri; content:"../"; reference:url,milw0rm.com/exploits/8290; reference:bugtraq,34261; reference:url,secunia.com/advisories/34480/; reference:url,doc.emergingthreats.net/2009417; classtype:web-application-attack; sid:2009417; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Blogplus block_center_top.php Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/block_center_top.php?"; nocase; http_uri; content:"row_mysql_blocks_center_top[file]="; nocase; http_uri; content:"../"; reference:url,milw0rm.com/exploits/8290; reference:bugtraq,34261; reference:url,secunia.com/advisories/34480/; reference:url,doc.emergingthreats.net/2009418; classtype:web-application-attack; sid:2009418; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Blogplus block_left.php Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/block_left.php?"; nocase; http_uri; content:"row_mysql_blocks_left[file]="; nocase; http_uri; content:"../"; reference:url,milw0rm.com/exploits/8290; reference:bugtraq,34261; reference:url,secunia.com/advisories/34480/; reference:url,doc.emergingthreats.net/2009420; classtype:web-application-attack; sid:2009420; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Blogplus block_right.php Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/block_right.php?"; nocase; http_uri; content:"row_mysql_blocks_right[file]="; nocase; http_uri; content:"../"; reference:url,milw0rm.com/exploits/8290; reference:bugtraq,34261; reference:url,secunia.com/advisories/34480/; reference:url,doc.emergingthreats.net/2009421; classtype:web-application-attack; sid:2009421; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Blogplus window_down.php Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/window_down.php?"; nocase; http_uri; content:"row_mysql_bloginfo[theme]="; nocase; http_uri; content:"../"; reference:url,milw0rm.com/exploits/8290; reference:bugtraq,34261; reference:url,secunia.com/advisories/34480/; reference:url,doc.emergingthreats.net/2009422; classtype:web-application-attack; sid:2009422; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Blogplus window_top.php Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/window_top.php?"; nocase; http_uri; content:"row_mysql_bloginfo[theme]="; nocase; http_uri; content:"../"; reference:url,milw0rm.com/exploits/8290; reference:bugtraq,34261; reference:url,secunia.com/advisories/34480/; reference:url,doc.emergingthreats.net/2009423; classtype:web-application-attack; sid:2009423; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Blog Spam Insert Attempt"; flow:to_server,established; content:"|0D 0A|x-aaaaaaaaa"; nocase; reference:url,spamhuntress.com/2005/05/14/new-block-for-bulgarians/; reference:url,lists.geeklog.net/pipermail/geeklog-spam/2005-June/000020.html; reference:url,www.webmasterworld.com/forum92/3683.htm; reference:url,doc.emergingthreats.net/2002069; classtype:web-application-attack; sid:2002069; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible bloofoxCMS 'search' Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/search.5.html?search="; nocase; http_uri; pcre:"/(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36700/info; reference:url,doc.emergingthreats.net/2010147; classtype:web-application-attack; sid:2010147; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php SELECT"; flow:established,to_server; content:"/bt-trackback.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6540; reference:url,www.secunia.com/advisories/23316; reference:url,doc.emergingthreats.net/2006333; classtype:web-application-attack; sid:2006333; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php UNION SELECT"; flow:established,to_server; content:"/bt-trackback.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6540; reference:url,www.secunia.com/advisories/23316; reference:url,doc.emergingthreats.net/2006334; classtype:web-application-attack; sid:2006334; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php INSERT"; flow:established,to_server; content:"/bt-trackback.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6540; reference:url,www.secunia.com/advisories/23316; reference:url,doc.emergingthreats.net/2006335; classtype:web-application-attack; sid:2006335; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php DELETE"; flow:established,to_server; content:"/bt-trackback.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6540; reference:url,www.secunia.com/advisories/23316; reference:url,doc.emergingthreats.net/2006336; classtype:web-application-attack; sid:2006336; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php ASCII"; flow:established,to_server; content:"/bt-trackback.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6540; reference:url,www.secunia.com/advisories/23316; reference:url,doc.emergingthreats.net/2006337; classtype:web-application-attack; sid:2006337; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php UPDATE"; flow:established,to_server; content:"/bt-trackback.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6540; reference:url,www.secunia.com/advisories/23316; reference:url,doc.emergingthreats.net/2006338; classtype:web-application-attack; sid:2006338; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BoastMachine XSS Attempt -- index.php blog"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"blog="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2932; reference:url,www.securityfocus.com/bid/24156; reference:url,doc.emergingthreats.net/2004583; classtype:web-application-attack; sid:2004583; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd SELECT"; flow:established,to_server; content:"/admin/config.php?"; nocase; http_uri; content:"sqlcmd="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7025; reference:url,www.secunia.com/advisories/19758; reference:url,doc.emergingthreats.net/2004828; classtype:web-application-attack; sid:2004828; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd UNION SELECT"; flow:established,to_server; content:"/admin/config.php?"; nocase; http_uri; content:"sqlcmd="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7025; reference:url,www.secunia.com/advisories/19758; reference:url,doc.emergingthreats.net/2004829; classtype:web-application-attack; sid:2004829; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd INSERT"; flow:established,to_server; content:"/admin/config.php?"; nocase; http_uri; content:"sqlcmd="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7025; reference:url,www.secunia.com/advisories/19758; reference:url,doc.emergingthreats.net/2004830; classtype:web-application-attack; sid:2004830; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd DELETE"; flow:established,to_server; content:"/admin/config.php?"; nocase; http_uri; content:"sqlcmd="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7025; reference:url,www.secunia.com/advisories/19758; reference:url,doc.emergingthreats.net/2004831; classtype:web-application-attack; sid:2004831; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd ASCII"; flow:established,to_server; content:"/admin/config.php?"; nocase; http_uri; content:"sqlcmd="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7025; reference:url,www.secunia.com/advisories/19758; reference:url,doc.emergingthreats.net/2004832; classtype:web-application-attack; sid:2004832; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd UPDATE"; flow:established,to_server; content:"/admin/config.php?"; nocase; http_uri; content:"sqlcmd="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7025; reference:url,www.secunia.com/advisories/19758; reference:url,doc.emergingthreats.net/2004833; classtype:web-application-attack; sid:2004833; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Boonex Dolphin HTMLSax3.php Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/HTMLSax3.php?"; nocase; http_uri; content:"dir[plugins]="; nocase; http_uri; pcre:"/dir\[plugins\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/6024; reference:bugtraq,30136; reference:url,doc.emergingthreats.net/2009370; classtype:web-application-attack; sid:2009370; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Boonex Dolphin safehtml.php Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/safehtml.php?"; nocase; http_uri; content:"dir[plugins]="; nocase; http_uri; pcre:"/dir\[plugins\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/6024; reference:bugtraq,30136; reference:url,doc.emergingthreats.net/2009371; classtype:web-application-attack; sid:2009371; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Boonex Dolphin content.inc.php Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/inc/content.inc.php?"; nocase; http_uri; content:"sIncPath="; nocase; http_uri; pcre:"/sIncPath=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/6024; reference:bugtraq,30136; reference:url,doc.emergingthreats.net/2009372; classtype:web-application-attack; sid:2009372; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style SELECT"; flow:established,to_server; content:"/account_change.php?"; nocase; http_uri; content:"style="; nocase; http_uri; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004023; classtype:web-application-attack; sid:2004023; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style UNION SELECT"; flow:established,to_server; content:"/account_change.php?"; nocase; http_uri; content:"style="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004024; classtype:web-application-attack; sid:2004024; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style INSERT"; flow:established,to_server; content:"/account_change.php?"; nocase; http_uri; content:"style="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004025; classtype:web-application-attack; sid:2004025; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style DELETE"; flow:established,to_server; content:"/account_change.php?"; nocase; http_uri; content:"style="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004026; classtype:web-application-attack; sid:2004026; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style ASCII"; flow:established,to_server; content:"/account_change.php?"; nocase; http_uri; content:"style="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004027; classtype:web-application-attack; sid:2004027; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style UPDATE"; flow:established,to_server; content:"/account_change.php?"; nocase; http_uri; content:"style="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004028; classtype:web-application-attack; sid:2004028; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue SELECT"; flow:established,to_server; content:"/account_change.php?"; nocase; http_uri; content:"langue="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004029; classtype:web-application-attack; sid:2004029; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue UNION SELECT"; flow:established,to_server; content:"/account_change.php?"; nocase; http_uri; content:"langue="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004030; classtype:web-application-attack; sid:2004030; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue INSERT"; flow:established,to_server; content:"/account_change.php?"; nocase; http_uri; content:"langue="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004031; classtype:web-application-attack; sid:2004031; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue DELETE"; flow:established,to_server; content:"/account_change.php?"; nocase; http_uri; content:"langue="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004032; classtype:web-application-attack; sid:2004032; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue ASCII"; flow:established,to_server; content:"/account_change.php?"; nocase; http_uri; content:"langue="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004033; classtype:web-application-attack; sid:2004033; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue UPDATE"; flow:established,to_server; content:"/account_change.php?"; nocase; http_uri; content:"langue="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004034; classtype:web-application-attack; sid:2004034; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by SELECT"; flow:established,to_server; content:"/torrents.php?"; nocase; http_uri; content:"by="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004985; classtype:web-application-attack; sid:2004985; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by UNION SELECT"; flow:established,to_server; content:"/torrents.php?"; nocase; http_uri; content:"by="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004986; classtype:web-application-attack; sid:2004986; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by INSERT"; flow:established,to_server; content:"/torrents.php?"; nocase; http_uri; content:"by="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004987; classtype:web-application-attack; sid:2004987; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by DELETE"; flow:established,to_server; content:"/torrents.php?"; nocase; http_uri; content:"by="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004988; classtype:web-application-attack; sid:2004988; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by ASCII"; flow:established,to_server; content:"/torrents.php?"; nocase; http_uri; content:"by="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004989; classtype:web-application-attack; sid:2004989; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by UPDATE"; flow:established,to_server; content:"/torrents.php?"; nocase; http_uri; content:"by="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004990; classtype:web-application-attack; sid:2004990; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order SELECT"; flow:established,to_server; content:"/torrents.php?"; nocase; http_uri; content:"order="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004991; classtype:web-application-attack; sid:2004991; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order UNION SELECT"; flow:established,to_server; content:"/torrents.php?"; nocase; http_uri; content:"order="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004992; classtype:web-application-attack; sid:2004992; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order INSERT"; flow:established,to_server; content:"/torrents.php?"; nocase; http_uri; content:"order="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004993; classtype:web-application-attack; sid:2004993; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order DELETE"; flow:established,to_server; content:"/torrents.php?"; nocase; http_uri; content:"order="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004994; classtype:web-application-attack; sid:2004994; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order ASCII"; flow:established,to_server; content:"/torrents.php?"; nocase; http_uri; content:"order="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004995; classtype:web-application-attack; sid:2004995; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order UPDATE"; flow:established,to_server; content:"/torrents.php?"; nocase; http_uri; content:"order="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004996; classtype:web-application-attack; sid:2004996; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Built2go Real Estate Listings event_id SQL Injection"; flow:established,to_server; content:"GET"; http_method; content:"/event_detail.php?event_id="; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,www.milw0rm.com/exploits/6697; reference:url,secunia.com/Advisories/32129/; reference:url,doc.emergingthreats.net/2008653; classtype:web-application-attack; sid:2008653; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id SELECT"; flow:established,to_server; content:"/bry.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2420; reference:url,www.securityfocus.com/bid/23678; reference:url,doc.emergingthreats.net/2003776; classtype:web-application-attack; sid:2003776; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id UNION SELECT"; flow:established,to_server; content:"/bry.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2420; reference:url,www.securityfocus.com/bid/23678; reference:url,doc.emergingthreats.net/2003777; classtype:web-application-attack; sid:2003777; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id INSERT"; flow:established,to_server; content:"/bry.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2420; reference:url,www.securityfocus.com/bid/23678; reference:url,doc.emergingthreats.net/2003778; classtype:web-application-attack; sid:2003778; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id DELETE"; flow:established,to_server; content:"/bry.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2420; reference:url,www.securityfocus.com/bid/23678; reference:url,doc.emergingthreats.net/2003779; classtype:web-application-attack; sid:2003779; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id ASCII"; flow:established,to_server; content:"/bry.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2420; reference:url,www.securityfocus.com/bid/23678; reference:url,doc.emergingthreats.net/2003780; classtype:web-application-attack; sid:2003780; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id UPDATE"; flow:established,to_server; content:"/bry.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2420; reference:url,www.securityfocus.com/bid/23678; reference:url,doc.emergingthreats.net/2003781; classtype:web-application-attack; sid:2003781; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid SELECT"; flow:established,to_server; content:"/HABERLER.ASP?"; nocase; http_uri; content:"kid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006249; classtype:web-application-attack; sid:2006249; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid UNION SELECT"; flow:established,to_server; content:"/HABERLER.ASP?"; nocase; http_uri; content:"kid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006250; classtype:web-application-attack; sid:2006250; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid INSERT"; flow:established,to_server; content:"/HABERLER.ASP?"; nocase; http_uri; content:"kid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006251; classtype:web-application-attack; sid:2006251; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid DELETE"; flow:established,to_server; content:"/HABERLER.ASP?"; nocase; http_uri; content:"kid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006252; classtype:web-application-attack; sid:2006252; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid ASCII"; flow:established,to_server; content:"/HABERLER.ASP?"; nocase; http_uri; content:"kid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006253; classtype:web-application-attack; sid:2006253; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid UPDATE"; flow:established,to_server; content:"/HABERLER.ASP?"; nocase; http_uri; content:"kid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006254; classtype:web-application-attack; sid:2006254; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id SELECT"; flow:established,to_server; content:"/HABERLER.ASP?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006255; classtype:web-application-attack; sid:2006255; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id UNION SELECT"; flow:established,to_server; content:"/HABERLER.ASP?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006256; classtype:web-application-attack; sid:2006256; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id INSERT"; flow:established,to_server; content:"/HABERLER.ASP?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006257; classtype:web-application-attack; sid:2006257; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id DELETE"; flow:established,to_server; content:"/HABERLER.ASP?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006258; classtype:web-application-attack; sid:2006258; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id ASCII"; flow:established,to_server; content:"/HABERLER.ASP?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006259; classtype:web-application-attack; sid:2006259; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id UPDATE"; flow:established,to_server; content:"/HABERLER.ASP?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006260; classtype:web-application-attack; sid:2006260; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id SELECT"; flow:established,to_server; content:"/ASPKAT.ASP?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006261; classtype:web-application-attack; sid:2006261; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id UNION SELECT"; flow:established,to_server; content:"/ASPKAT.ASP?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006262; classtype:web-application-attack; sid:2006262; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id INSERT"; flow:established,to_server; content:"/ASPKAT.ASP?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006263; classtype:web-application-attack; sid:2006263; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id DELETE"; flow:established,to_server; content:"/ASPKAT.ASP?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006264; classtype:web-application-attack; sid:2006264; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id ASCII"; flow:established,to_server; content:"/ASPKAT.ASP?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006265; classtype:web-application-attack; sid:2006265; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id UPDATE"; flow:established,to_server; content:"/ASPKAT.ASP?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006266; classtype:web-application-attack; sid:2006266; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid SELECT"; flow:established,to_server; content:"/ASPKAT.ASP?"; nocase; http_uri; content:"kid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006267; classtype:web-application-attack; sid:2006267; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid UNION SELECT"; flow:established,to_server; content:"/ASPKAT.ASP?"; nocase; http_uri; content:"kid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006268; classtype:web-application-attack; sid:2006268; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid INSERT"; flow:established,to_server; content:"/ASPKAT.ASP?"; nocase; http_uri; content:"kid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006269; classtype:web-application-attack; sid:2006269; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid DELETE"; flow:established,to_server; content:"/ASPKAT.ASP?"; nocase; http_uri; content:"kid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006270; classtype:web-application-attack; sid:2006270; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid ASCII"; flow:established,to_server; content:"/ASPKAT.ASP?"; nocase; http_uri; content:"kid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006271; classtype:web-application-attack; sid:2006271; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid UPDATE"; flow:established,to_server; content:"/ASPKAT.ASP?"; nocase; http_uri; content:"kid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006272; classtype:web-application-attack; sid:2006272; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id SELECT"; flow:established,to_server; content:"/down.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6671; reference:url,www.securityfocus.com/bid/21676; reference:url,doc.emergingthreats.net/2006273; classtype:web-application-attack; sid:2006273; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id UNION SELECT"; flow:established,to_server; content:"/down.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6671; reference:url,www.securityfocus.com/bid/21676; reference:url,doc.emergingthreats.net/2006274; classtype:web-application-attack; sid:2006274; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id INSERT"; flow:established,to_server; content:"/down.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6671; reference:url,www.securityfocus.com/bid/21676; reference:url,doc.emergingthreats.net/2006275; classtype:web-application-attack; sid:2006275; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id DELETE"; flow:established,to_server; content:"/down.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6671; reference:url,www.securityfocus.com/bid/21676; reference:url,doc.emergingthreats.net/2006276; classtype:web-application-attack; sid:2006276; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id ASCII"; flow:established,to_server; content:"/down.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6671; reference:url,www.securityfocus.com/bid/21676; reference:url,doc.emergingthreats.net/2006277; classtype:web-application-attack; sid:2006277; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id UPDATE"; flow:established,to_server; content:"/down.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6671; reference:url,www.securityfocus.com/bid/21676; reference:url,doc.emergingthreats.net/2006278; classtype:web-application-attack; sid:2006278; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CAT2 spaw_control.class.php spaw_root Parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/spaw_control.class.php?"; nocase; http_uri; content:"spaw_root="; nocase; http_uri; content:"../"; reference:url,xforce.iss.net/xforce/xfdb/43536; reference:bugtraq,30042; reference:url,milw0rm.com/exploits/5983; reference:url,doc.emergingthreats.net/2009429; classtype:web-application-attack; sid:2009429; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CF_Calendar calid parameter SQL Injection"; flow:established,to_server; content:"GET"; http_method; content:"/calendarevent.cfm?"; nocase; http_uri; content:"calid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/33074/; reference:url,milw0rm.com/exploits/7413; reference:url,doc.emergingthreats.net/2008995; classtype:web-application-attack; sid:2008995; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- mtdialogo.php pathCGX"; flow:established,to_server; content:"/mtdialogo.php?"; nocase; http_uri; content:"pathCGX="; nocase; http_uri; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2611; reference:url,www.milw0rm.com/exploits/3874; reference:url,doc.emergingthreats.net/2003726; classtype:web-application-attack; sid:2003726; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- ltdialogo.php pathCGX"; flow:established,to_server; content:"/ltdialogo.php?"; nocase; http_uri; content:"pathCGX="; nocase; http_uri; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2611; reference:url,www.milw0rm.com/exploits/3874; reference:url,doc.emergingthreats.net/2003727; classtype:web-application-attack; sid:2003727; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- login.php pathCGX"; flow:established,to_server; content:"/login.php?"; nocase; http_uri; content:"pathCGX="; nocase; http_uri; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2611; reference:url,www.milw0rm.com/exploits/3874; reference:url,doc.emergingthreats.net/2003729; classtype:web-application-attack; sid:2003729; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- logingecon.php pathCGX"; flow:established,to_server; content:"/inc/logingecon.php?"; nocase; http_uri; content:"pathCGX="; nocase; http_uri; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2611; reference:url,www.milw0rm.com/exploits/3874; reference:url,doc.emergingthreats.net/2003728; classtype:web-application-attack; sid:2003728; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CJG Explorer Remote Inclusion Attempt -- pcltrace.lib.php g_pcltar_lib_dir"; flow:established,to_server; content:"/pcltrace.lib.php?"; nocase; http_uri; content:"g_pcltar_lib_dir="; nocase; http_uri; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2660; reference:url,www.milw0rm.com/exploits/3915; reference:url,doc.emergingthreats.net/2003737; classtype:web-application-attack; sid:2003737; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMS Faethon info.php item Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/info.php?"; nocase; http_uri; content:"item="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,33775; reference:url,milw0rm.com/exploits/8054; reference:url,doc.emergingthreats.net/2009192; classtype:web-application-attack; sid:2009192; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid SELECT"; flow:established,to_server; content:"/stylesheet.php?"; nocase; http_uri; content:"templateid="; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2473; reference:url,www.securityfocus.com/bid/23753; reference:url,doc.emergingthreats.net/2003794; classtype:web-application-attack; sid:2003794; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid UNION SELECT"; flow:established,to_server; content:"/stylesheet.php?"; nocase; http_uri; content:"templateid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2473; reference:url,www.securityfocus.com/bid/23753; reference:url,doc.emergingthreats.net/2003795; classtype:web-application-attack; sid:2003795; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid INSERT"; flow:established,to_server; content:"/stylesheet.php?"; nocase; http_uri; content:"templateid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2473; reference:url,www.securityfocus.com/bid/23753; reference:url,doc.emergingthreats.net/2003796; classtype:web-application-attack; sid:2003796; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid DELETE"; flow:established,to_server; content:"/stylesheet.php?"; nocase; http_uri; content:"templateid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2473; reference:url,www.securityfocus.com/bid/23753; reference:url,doc.emergingthreats.net/2003865; classtype:web-application-attack; sid:2003865; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid ASCII"; flow:established,to_server; content:"/stylesheet.php?"; nocase; http_uri; content:"templateid="; nocase; http_uri; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2473; reference:url,www.securityfocus.com/bid/23753; reference:url,doc.emergingthreats.net/2003797; classtype:web-application-attack; sid:2003797; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid UPDATE"; flow:established,to_server; content:"/stylesheet.php?"; nocase; http_uri; content:"templateid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2473; reference:url,www.securityfocus.com/bid/23753; reference:url,doc.emergingthreats.net/2003798; classtype:web-application-attack; sid:2003798; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"id_menu="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/id_menu\x3d.+DELETE.+FROM/Ui"; reference:cve,CVE-2009-3326; reference:url,www.milw0rm.com/exploits/9727; reference:url,doc.emergingthreats.net/2009977; classtype:web-application-attack; sid:2009977; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"id_menu="; fast_pattern; distance:0; nocase; http_uri; content:"INSERT"; distance:0; nocase; http_uri; content:"INTO"; distance:0; nocase; http_uri; reference:cve,CVE-2009-3326; reference:url,www.milw0rm.com/exploits/9727; reference:url,doc.emergingthreats.net/2009978; classtype:web-application-attack; sid:2009978; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"id_menu="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/id_menu\x3d.+UPDATE.+SET/Ui"; reference:cve,CVE-2009-3326; reference:url,www.milw0rm.com/exploits/9727; reference:url,doc.emergingthreats.net/2009979; classtype:web-application-attack; sid:2009979; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"id_menu="; fast_pattern; nocase; http_uri; distance:0; content:"SELECT"; nocase; http_uri; distance:0; content:"FROM"; nocase; http_uri; distance:0; reference:cve,CVE-2009-3326; reference:url,www.milw0rm.com/exploits/9727; reference:url,doc.emergingthreats.net/2009980; classtype:web-application-attack; sid:2009980; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CSV-DB CSV_DB.CGI Remote Command Execution Attempt"; flow:to_server,established; content:"/cgi-bin/csv_db.cgi?"; nocase; http_uri; pcre:"/(file=\|.+\|)/"; reference:bugtraq,14059; reference:url,doc.emergingthreats.net/2002066; classtype:web-application-attack; sid:2002066; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti Input Validation Attack"; flow:established,to_server; content:"GET"; http_method; content:"top_graph_header.php"; http_uri; pcre:"/top_graph_header\.php\?.*=(http|https)\x3a\//Ui"; reference:url,www.cacti.net; reference:url,www.idefense.com/application/poi/display?id=265&type=vulnerabilities; reference:url,www.idefense.com/application/poi/display?id=266&type=vulnerabilities; reference:url,doc.emergingthreats.net/2002129; classtype:web-application-activity; sid:2002129; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti graph_image.php Remote Command Execution Attempt"; flow:to_server,established; content:"/graph_image.php?"; nocase; http_uri; pcre:"/(graph_start=%0a.+%0a)/i"; reference:cve,CAN-2005-1524; reference:bugtraq,14129; reference:bugtraq,14042; reference:url,doc.emergingthreats.net/2002313; classtype:web-application-attack; sid:2002313; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti cmd.php Remote Arbitrary SQL Command Execution Attempt"; flow:to_server,established; content:"/cmd.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; reference:cve,CVE-2006-6799; reference:bugtraq,21799; reference:url,doc.emergingthreats.net/2003334; classtype:web-application-attack; sid:2003334; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability graph_view graph_list UNION SELECT"; flow:established,to_server; content:"graph_view.php?"; nocase; http_uri; content:"graph_list="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007889; classtype:web-application-attack; sid:2007889; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability graph_view graph_list INSERT"; flow:established,to_server; content:"graph_view.php?"; nocase; http_uri; content:"graph_list="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007890; classtype:web-application-attack; sid:2007890; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability graph_view graph_list DELETE"; flow:established,to_server; content:"graph_view.php?"; nocase; http_uri; content:"graph_list="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007891; classtype:web-application-attack; sid:2007891; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability graph_view graph_list UPDATE"; flow:established,to_server; content:"graph_view.php?"; nocase; http_uri; content:"graph_list="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007892; classtype:web-application-attack; sid:2007892; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id SELECT"; flow:established,to_server; content:"tree.php?"; nocase; http_uri; content:"leaf_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007893; classtype:web-application-attack; sid:2007893; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id UNION SELECT"; flow:established,to_server; content:"tree.php?"; nocase; http_uri; content:"leaf_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007894; classtype:web-application-attack; sid:2007894; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id INSERT"; flow:established,to_server; content:"tree.php?"; nocase; http_uri; content:"leaf_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007895; classtype:web-application-attack; sid:2007895; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id DELETE"; flow:established,to_server; content:"tree.php?"; nocase; http_uri; content:"leaf_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007896; classtype:web-application-attack; sid:2007896; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id UPDATE"; flow:established,to_server; content:"tree.php?"; nocase; http_uri; content:"leaf_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007897; classtype:web-application-attack; sid:2007897; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CactuSoft Parodia XSS Attempt -- cand_login.asp strJobIDs"; flow:established,to_server; content:"/cand_login.asp?"; nocase; http_uri; content:"strJobIDs="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.*script/iU"; reference:cve,CVE-2007-2818; reference:url,www.securityfocus.com/bid/24078; reference:url,doc.emergingthreats.net/2004559; classtype:web-application-attack; sid:2004559; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible CactuShop User Invoices Persistent XSS Attempt"; flow:established,to_server; content:"_invoice.asp"; nocase; http_uri; content:"script>"; nocase; http_uri; pcre:"/(alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,www.coresecurity.com/content/cactushop-xss-persistent-vulnerability; reference:cve,2010-1486; reference:url,doc.emergingthreats.net/2011054; classtype:web-application-attack; sid:2011054; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CafeEngine id Remote SQL Injection (dish.php)"; flow:established,to_server; content:"GET"; http_method; content:"/dish.php"; nocase; http_uri; content:"?id="; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/32308/; reference:url,milw0rm.com/exploits/6762; reference:url,doc.emergingthreats.net/2008679; classtype:web-application-attack; sid:2008679; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CafeEngine id Remote SQL Injection (menu.php)"; flow:established,to_server; content:"GET"; http_method; content:"/menu.php"; nocase; http_uri; content:"?id="; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/32308/; reference:url,milw0rm.com/exploits/6762; reference:url,doc.emergingthreats.net/2008680; classtype:web-application-attack; sid:2008680; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID SELECT"; flow:established,to_server; content:"/calendar_detail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6792; reference:url,www.milw0rm.com/exploits/2993; reference:url,doc.emergingthreats.net/2006165; classtype:web-application-attack; sid:2006165; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID UNION SELECT"; flow:established,to_server; content:"/calendar_detail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6792; reference:url,www.milw0rm.com/exploits/2993; reference:url,doc.emergingthreats.net/2006166; classtype:web-application-attack; sid:2006166; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID INSERT"; flow:established,to_server; content:"/calendar_detail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6792; reference:url,www.milw0rm.com/exploits/2993; reference:url,doc.emergingthreats.net/2006167; classtype:web-application-attack; sid:2006167; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID DELETE"; flow:established,to_server; content:"/calendar_detail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6792; reference:url,www.milw0rm.com/exploits/2993; reference:url,doc.emergingthreats.net/2006168; classtype:web-application-attack; sid:2006168; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID ASCII"; flow:established,to_server; content:"/calendar_detail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6792; reference:url,www.milw0rm.com/exploits/2993; reference:url,doc.emergingthreats.net/2006169; classtype:web-application-attack; sid:2006169; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID UPDATE"; flow:established,to_server; content:"/calendar_detail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6792; reference:url,www.milw0rm.com/exploits/2993; reference:url,doc.emergingthreats.net/2006170; classtype:web-application-attack; sid:2006170; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID SELECT"; flow:established,to_server; content:"/admin/admin_mail_adressee.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6787; reference:url,www.milw0rm.com/exploits/2998; reference:url,doc.emergingthreats.net/2006183; classtype:web-application-attack; sid:2006183; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID UNION SELECT"; flow:established,to_server; content:"/admin/admin_mail_adressee.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6787; reference:url,www.milw0rm.com/exploits/2998; reference:url,doc.emergingthreats.net/2006184; classtype:web-application-attack; sid:2006184; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID INSERT"; flow:established,to_server; content:"/admin/admin_mail_adressee.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6787; reference:url,www.milw0rm.com/exploits/2998; reference:url,doc.emergingthreats.net/2006185; classtype:web-application-attack; sid:2006185; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID DELETE"; flow:established,to_server; content:"/admin/admin_mail_adressee.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6787; reference:url,www.milw0rm.com/exploits/2998; reference:url,doc.emergingthreats.net/2006186; classtype:web-application-attack; sid:2006186; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID ASCII"; flow:established,to_server; content:"/admin/admin_mail_adressee.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6787; reference:url,www.milw0rm.com/exploits/2998; reference:url,doc.emergingthreats.net/2006187; classtype:web-application-attack; sid:2006187; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID UPDATE"; flow:established,to_server; content:"/admin/admin_mail_adressee.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6787; reference:url,www.milw0rm.com/exploits/2998; reference:url,doc.emergingthreats.net/2006188; classtype:web-application-attack; sid:2006188; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store XSS Attempt -- prodList.asp brand"; flow:established,to_server; content:"/scripts/prodList.asp?"; nocase; http_uri; content:"brand="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2804; reference:url,www.secunia.com/advisories/25370; reference:url,doc.emergingthreats.net/2004569; classtype:web-application-attack; sid:2004569; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store XSS Attempt -- prodList.asp Msg"; flow:established,to_server; content:"/scripts/prodList.asp?"; nocase; http_uri; content:"Msg="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2804; reference:url,www.secunia.com/advisories/25370; reference:url,doc.emergingthreats.net/2004570; classtype:web-application-attack; sid:2004570; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy SELECT"; flow:established,to_server; content:"/openPolicy.asp?"; nocase; http_uri; content:"policy="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007464; classtype:web-application-attack; sid:2007464; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy UNION SELECT"; flow:established,to_server; content:"/openPolicy.asp?"; nocase; http_uri; content:"policy="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007465; classtype:web-application-attack; sid:2007465; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy INSERT"; flow:established,to_server; content:"/openPolicy.asp?"; nocase; http_uri; content:"policy="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007466; classtype:web-application-attack; sid:2007466; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy DELETE"; flow:established,to_server; content:"/openPolicy.asp?"; nocase; http_uri; content:"policy="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007467; classtype:web-application-attack; sid:2007467; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy ASCII"; flow:established,to_server; content:"/openPolicy.asp?"; nocase; http_uri; content:"policy="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007468; classtype:web-application-attack; sid:2007468; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy UPDATE"; flow:established,to_server; content:"/openPolicy.asp?"; nocase; http_uri; content:"policy="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007469; classtype:web-application-attack; sid:2007469; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand SELECT"; flow:established,to_server; content:"/prodList.asp?"; nocase; http_uri; content:"brand="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007470; classtype:web-application-attack; sid:2007470; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand UNION SELECT"; flow:established,to_server; content:"/prodList.asp?"; nocase; http_uri; content:"brand="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007471; classtype:web-application-attack; sid:2007471; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand INSERT"; flow:established,to_server; content:"/prodList.asp?"; nocase; http_uri; content:"brand="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007472; classtype:web-application-attack; sid:2007472; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand DELETE"; flow:established,to_server; content:"/prodList.asp?"; nocase; http_uri; content:"brand="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007473; classtype:web-application-attack; sid:2007473; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand ASCII"; flow:established,to_server; content:"/prodList.asp?"; nocase; http_uri; content:"brand="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007474; classtype:web-application-attack; sid:2007474; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand UPDATE"; flow:established,to_server; content:"/prodList.asp?"; nocase; http_uri; content:"brand="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007475; classtype:web-application-attack; sid:2007475; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Check New findoffice.php search parameter Remote SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/findoffice.php?"; nocase; http_uri; content:"search="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,www.milw0rm.com/exploits/7328; reference:bugtraq,32590; reference:url,doc.emergingthreats.net/2008933; classtype:web-application-attack; sid:2008933; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cisco Adaptive Security Appliance WebVPN Cross Site Scripting Attempt"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/+webvpn+/index.html"; nocase; http_uri; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/34307/info; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=17950; reference:cve,2009-1220; reference:url,doc.emergingthreats.net/2010505; classtype:attempted-user; sid:2010505; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting Attempt"; flow:established,to_server; content:"/ekgnkm/AccessCodeStart.asp"; nocase; http_uri; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/29191/info; reference:cve,2008-2165; reference:url,doc.emergingthreats.net/2010506; classtype:attempted-user; sid:2010506; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cisco Collaboration Server LoginPage.jhtml Cross Site Scripting Attempt"; flow:established,to_server; content:"/webline/html/admin/wcs/LoginPage.jhtml"; nocase; http_uri; content:"dest="; nocase; http_uri; pcre:"/dest\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,www.exploit-db.com/exploits/11403/; reference:cve,2010-0641; reference:url,doc.emergingthreats.net/2011676; classtype:web-application-attack; sid:2011676; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Cisco IOS HTTP Server Cross Site Scripting Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/ping?"; nocase; http_uri; fast_pattern:only; pcre:"/\/ping\?.+(script|alert|on(mouse[a-z]+|key[a-z]+|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=17364; reference:url,www.cisco.com/en/US/products/products_security_response09186a0080a5c501.html; reference:cve,2008-3821; reference:url,doc.emergingthreats.net/2011189; classtype:web-application-attack; sid:2011189; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Citrix XenCenterWeb edituser.php XSS attempt"; flow:to_server,established; content:"GET"; http_method; content:"/config/edituser.php?"; nocase; http_uri; content:"username="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/Ui"; reference:url,milw0rm.com/exploits/9106; reference:url,doc.emergingthreats.net/2009590; classtype:web-application-attack; sid:2009590; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Citrix XenCenterWeb console.php XSS attempt"; flow:to_server,established; content:"GET"; http_method; content:"/console.php?"; nocase; http_uri; content:"location="; nocase; http_uri; content:"vmname="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/Ui"; reference:url,milw0rm.com/exploits/9106; reference:url,doc.emergingthreats.net/2009591; classtype:web-application-attack; sid:2009591; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Citrix XenCenterWeb forcesd.php XSS attempt"; flow:to_server,established; content:"GET"; http_method; content:"/forcesd.php?"; nocase; http_uri; content:"vmrefid="; nocase; http_uri; content:"vmname="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/Ui"; reference:url,milw0rm.com/exploits/9106; reference:url,doc.emergingthreats.net/2009592; classtype:web-application-attack; sid:2009592; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Citrix XenCenterWeb forcerestart.php XSS attempt"; flow:to_server,established; content:"GET"; http_method; content:"/forcerestart.php?"; nocase; http_uri; content:"vmrefid="; nocase; http_uri; content:"vmname="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/Ui"; reference:url,milw0rm.com/exploits/9106; reference:url,doc.emergingthreats.net/2009593; classtype:web-application-attack; sid:2009593; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Citrix XenCenterWeb changepw.php CSRF attempt"; flow:to_server,established; content:"GET"; http_method; content:"/config/changepw.php?"; nocase; http_uri; content:"username="; nocase; http_uri; content:"&newpass="; nocase; http_uri; reference:url,milw0rm.com/exploits/9106; reference:url,doc.emergingthreats.net/2009594; classtype:web-application-attack; sid:2009594; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Citrix XenCenterWeb hardstopvm.php CSRF attempt"; flow:to_server,established; content:"GET"; http_method; content:"hardstopvm.php?"; nocase; http_uri; content:"stop_vmref="; nocase; http_uri; content:"&stop_vmname="; nocase; http_uri; reference:url,milw0rm.com/exploits/9106; reference:url,doc.emergingthreats.net/2009595; classtype:web-application-attack; sid:2009595; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Citrix XenCenterWeb writeconfig.php Remote Command Execution attempt"; flow:to_server,established; content:"GET"; http_method; content:"writeconfig.php?"; nocase; http_uri; content:"pool1="; nocase; http_uri; reference:url,milw0rm.com/exploits/9106; reference:url,doc.emergingthreats.net/2009596; classtype:web-application-attack; sid:2009596; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClaSS export.php ftype parameter Information Disclosure"; flow:to_server,established; content:"GET"; http_method; content:"/scripts/export.php?"; nocase; http_uri; content:"ftype="; nocase; pcre:"/(\.\.\/){1,}/U"; reference:url,secunia.com/advisories/33222; reference:bugtraq,32929; reference:url,doc.emergingthreats.net/2009009; classtype:web-application-attack; sid:2009009; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 82 (msg:"ET WEB_SPECIFIC_APPS ClarkConnect Linux proxy.php XSS Attempt"; flow:established,to_server; content:"GET"; content:"script"; nocase; content:"/proxy.php?"; nocase; content:"url="; nocase; pcre:"/\/proxy\.php(\?|.*[\x26\x3B])url=[^&\;\x0D\x0A]*[<>\"\']/i"; reference:url,www.securityfocus.com/bid/37446/info; reference:url,doc.emergingthreats.net/2010602; classtype:web-application-attack; sid:2010602; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Clickheat install.clickheat.php mosConfig_absolute_path Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/install.clickheat.php?"; nocase; http_uri; content:"GLOBALS[mosConfig_absolute_path]="; nocase; http_uri; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/7038; reference:bugtraq,32190; reference:url,doc.emergingthreats.net/2009754; classtype:web-application-attack; sid:2009754; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Clickheat _main.php mosConfig_absolute_path Parameter Remote File Inclusion - 1"; flow:to_server,established; content:"GET"; http_method; content:"/heatmap/_main.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/7038; reference:bugtraq,32190; reference:url,doc.emergingthreats.net/2009755; classtype:web-application-attack; sid:2009755; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Clickheat main.php mosConfig_absolute_path Parameter Remote File Inclusion - 2"; flow:to_server,established; content:"GET"; http_method; content:"/heatmap/main.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/7038; reference:bugtraq,32190; reference:url,doc.emergingthreats.net/2009756; classtype:web-application-attack; sid:2009756; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Clickheat Cache.php mosConfig_absolute_path Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/Clickheat/Cache.php?"; nocase; http_uri; content:"GLOBALS[mosConfig_absolute_path]="; nocase; http_uri; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/7038; reference:bugtraq,32190; reference:url,doc.emergingthreats.net/2009757; classtype:web-application-attack; sid:2009757; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Clickheat Clickheat_Heatmap.php mosConfig_absolute_path Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/Clickheat_Heatmap.php?"; nocase; http_uri; content:"GLOBALS[mosConfig_absolute_path]="; nocase; http_uri; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/7038; reference:bugtraq,32190; reference:url,doc.emergingthreats.net/2009758; classtype:web-application-attack; sid:2009758; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Clickheat GlobalVariables.php mosConfig_absolute_path Remote File Inclusion - 1"; flow:to_server,established; content:"GET"; http_method; content:"/GlobalVariables.php?"; nocase; http_uri; content:"GLOBALS[mosConfig_absolute_path]="; nocase; http_uri; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/7038; reference:bugtraq,32190; reference:url,doc.emergingthreats.net/2009759; classtype:web-application-attack; sid:2009759; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Clickheat main.php mosConfig_absolute_path Parameter Remote File Inclusion -2"; flow:to_server,established; content:"GET"; http_method; content:"/overview/main.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/7038; reference:bugtraq,32190; reference:url,doc.emergingthreats.net/2009760; classtype:web-application-attack; sid:2009760; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date SELECT"; flow:established,to_server; content:"/displayCalendar.asp?"; nocase; http_uri; content:"date="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6189; reference:url,www.securityfocus.com/bid/21310; reference:url,doc.emergingthreats.net/2007223; classtype:web-application-attack; sid:2007223; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date UNION SELECT"; flow:established,to_server; content:"/displayCalendar.asp?"; nocase; http_uri; content:"date="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6189; reference:url,www.securityfocus.com/bid/21310; reference:url,doc.emergingthreats.net/2007224; classtype:web-application-attack; sid:2007224; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date INSERT"; flow:established,to_server; content:"/displayCalendar.asp?"; nocase; http_uri; content:"date="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6189; reference:url,www.securityfocus.com/bid/21310; reference:url,doc.emergingthreats.net/2007225; classtype:web-application-attack; sid:2007225; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date DELETE"; flow:established,to_server; content:"/displayCalendar.asp?"; nocase; http_uri; content:"date="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6189; reference:url,www.securityfocus.com/bid/21310; reference:url,doc.emergingthreats.net/2007226; classtype:web-application-attack; sid:2007226; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date ASCII"; flow:established,to_server; content:"/displayCalendar.asp?"; nocase; http_uri; content:"date="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6189; reference:url,www.securityfocus.com/bid/21310; reference:url,doc.emergingthreats.net/2007227; classtype:web-application-attack; sid:2007227; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date UPDATE"; flow:established,to_server; content:"/displayCalendar.asp?"; nocase; http_uri; content:"date="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6189; reference:url,www.securityfocus.com/bid/21310; reference:url,doc.emergingthreats.net/2007228; classtype:web-application-attack; sid:2007228; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage SELECT"; flow:established,to_server; content:"/view_gallery.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007229; classtype:web-application-attack; sid:2007229; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage UNION SELECT"; flow:established,to_server; content:"/view_gallery.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007230; classtype:web-application-attack; sid:2007230; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage INSERT"; flow:established,to_server; content:"/view_gallery.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007231; classtype:web-application-attack; sid:2007231; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage DELETE"; flow:established,to_server; content:"/view_gallery.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007232; classtype:web-application-attack; sid:2007232; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage ASCII"; flow:established,to_server; content:"/view_gallery.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007233; classtype:web-application-attack; sid:2007233; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage UPDATE"; flow:established,to_server; content:"/view_gallery.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007234; classtype:web-application-attack; sid:2007234; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id SELECT"; flow:established,to_server; content:"/view_gallery.asp?"; nocase; http_uri; content:"gallery_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007235; classtype:web-application-attack; sid:2007235; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id UNION SELECT"; flow:established,to_server; content:"/view_gallery.asp?"; nocase; http_uri; content:"gallery_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007236; classtype:web-application-attack; sid:2007236; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id INSERT"; flow:established,to_server; content:"/view_gallery.asp?"; nocase; http_uri; content:"gallery_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007237; classtype:web-application-attack; sid:2007237; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id DELETE"; flow:established,to_server; content:"/view_gallery.asp?"; nocase; http_uri; content:"gallery_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007238; classtype:web-application-attack; sid:2007238; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id ASCII"; flow:established,to_server; content:"/view_gallery.asp?"; nocase; http_uri; content:"gallery_id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007239; classtype:web-application-attack; sid:2007239; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id UPDATE"; flow:established,to_server; content:"/view_gallery.asp?"; nocase; http_uri; content:"gallery_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007240; classtype:web-application-attack; sid:2007240; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id SELECT"; flow:established,to_server; content:"/download_image.asp?"; nocase; http_uri; content:"image_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007241; classtype:web-application-attack; sid:2007241; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id UNION SELECT"; flow:established,to_server; content:"/download_image.asp?"; nocase; http_uri; content:"image_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007242; classtype:web-application-attack; sid:2007242; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id INSERT"; flow:established,to_server; content:"/download_image.asp?"; nocase; http_uri; content:"image_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007243; classtype:web-application-attack; sid:2007243; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id DELETE"; flow:established,to_server; content:"/download_image.asp?"; nocase; http_uri; content:"image_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007244; classtype:web-application-attack; sid:2007244; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id ASCII"; flow:established,to_server; content:"/download_image.asp?"; nocase; http_uri; content:"image_id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007245; classtype:web-application-attack; sid:2007245; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id UPDATE"; flow:established,to_server; content:"/download_image.asp?"; nocase; http_uri; content:"image_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007246; classtype:web-application-attack; sid:2007246; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage SELECT"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007247; classtype:web-application-attack; sid:2007247; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage UNION SELECT"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007248; classtype:web-application-attack; sid:2007248; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage INSERT"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007249; classtype:web-application-attack; sid:2007249; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage DELETE"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007250; classtype:web-application-attack; sid:2007250; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage ASCII"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007251; classtype:web-application-attack; sid:2007251; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage UPDATE"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007252; classtype:web-application-attack; sid:2007252; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby SELECT"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"orderby="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007253; classtype:web-application-attack; sid:2007253; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby UNION SELECT"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"orderby="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007254; classtype:web-application-attack; sid:2007254; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby INSERT"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"orderby="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007255; classtype:web-application-attack; sid:2007255; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby DELETE"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"orderby="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007256; classtype:web-application-attack; sid:2007256; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby ASCII"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"orderby="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007257; classtype:web-application-attack; sid:2007257; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby UPDATE"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"orderby="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007258; classtype:web-application-attack; sid:2007258; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage SELECT"; flow:established,to_server; content:"/view_recent.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007259; classtype:web-application-attack; sid:2007259; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage UNION SELECT"; flow:established,to_server; content:"/view_recent.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007260; classtype:web-application-attack; sid:2007260; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage INSERT"; flow:established,to_server; content:"/view_recent.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007261; classtype:web-application-attack; sid:2007261; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage DELETE"; flow:established,to_server; content:"/view_recent.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007262; classtype:web-application-attack; sid:2007262; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage ASCII"; flow:established,to_server; content:"/view_recent.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007263; classtype:web-application-attack; sid:2007263; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage UPDATE"; flow:established,to_server; content:"/view_recent.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007264; classtype:web-application-attack; sid:2007264; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"AlphaSort="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007265; classtype:web-application-attack; sid:2007265; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort UNION SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"AlphaSort="; fast_pattern; distance:0; nocase; http_uri; content:"UNION"; nocase; http_uri; distance:0; content:"SELECT"; nocase; http_uri; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007266; classtype:web-application-attack; sid:2007266; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort INSERT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"AlphaSort="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007267; classtype:web-application-attack; sid:2007267; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort DELETE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"AlphaSort="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007268; classtype:web-application-attack; sid:2007268; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort ASCII"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"AlphaSort="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007269; classtype:web-application-attack; sid:2007269; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort UPDATE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"AlphaSort="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007270; classtype:web-application-attack; sid:2007270; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"In="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007271; classtype:web-application-attack; sid:2007271; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In UNION SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"In="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007272; classtype:web-application-attack; sid:2007272; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In INSERT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"In="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007273; classtype:web-application-attack; sid:2007273; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In DELETE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"In="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007274; classtype:web-application-attack; sid:2007274; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In ASCII"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"In="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007275; classtype:web-application-attack; sid:2007275; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In UPDATE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"In="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007276; classtype:web-application-attack; sid:2007276; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby SELECT"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"orderby="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007277; classtype:web-application-attack; sid:2007277; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby UNION SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"orderby="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007278; classtype:web-application-attack; sid:2007278; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby INSERT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"orderby="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007279; classtype:web-application-attack; sid:2007279; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby DELETE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"orderby="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007280; classtype:web-application-attack; sid:2007280; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby ASCII"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"orderby="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007281; classtype:web-application-attack; sid:2007281; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby UPDATE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"orderby="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007282; classtype:web-application-attack; sid:2007282; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php ticketID"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"ticketID="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2805; reference:url,www.securityfocus.com/bid/24061; reference:url,doc.emergingthreats.net/2004566; classtype:web-application-attack; sid:2004566; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php view"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"view="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2805; reference:url,www.securityfocus.com/bid/24061; reference:url,doc.emergingthreats.net/2004567; classtype:web-application-attack; sid:2004567; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php fuse"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"fuse="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2805; reference:url,www.securityfocus.com/bid/24061; reference:url,doc.emergingthreats.net/2004568; classtype:web-application-attack; sid:2004568; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClipShare Pro channel_detail.php chid Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/channel_detail.php?"; nocase; http_uri; content:"chid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,32311; reference:url,milw0rm.com/exploits/7128; reference:url,doc.emergingthreats.net/2008866; classtype:web-application-attack; sid:2008866; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClonusWiki XSS Attempt -- index.php query"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"query="; nocase; fast_pattern; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2913; reference:url,www.securityfocus.com/archive/1/archive/1/469230/100/0/threaded; reference:url,doc.emergingthreats.net/2004591; classtype:web-application-attack; sid:2004591; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID SELECT"; flow:established,to_server; content:"/inc_listnews.asp?"; nocase; http_uri; content:"CAT_ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1021; reference:url,www.milw0rm.com/exploits/3317; reference:url,doc.emergingthreats.net/2004875; classtype:web-application-attack; sid:2004875; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID UNION SELECT"; flow:established,to_server; content:"/inc_listnews.asp?"; nocase; http_uri; content:"CAT_ID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1021; reference:url,www.milw0rm.com/exploits/3317; reference:url,doc.emergingthreats.net/2004876; classtype:web-application-attack; sid:2004876; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID INSERT"; flow:established,to_server; content:"/inc_listnews.asp?"; nocase; http_uri; content:"CAT_ID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1021; reference:url,www.milw0rm.com/exploits/3317; reference:url,doc.emergingthreats.net/2004877; classtype:web-application-attack; sid:2004877; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID DELETE"; flow:established,to_server; content:"/inc_listnews.asp?"; nocase; http_uri; content:"CAT_ID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1021; reference:url,www.milw0rm.com/exploits/3317; reference:url,doc.emergingthreats.net/2004878; classtype:web-application-attack; sid:2004878; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID ASCII"; flow:established,to_server; content:"/inc_listnews.asp?"; nocase; http_uri; content:"CAT_ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1021; reference:url,www.milw0rm.com/exploits/3317; reference:url,doc.emergingthreats.net/2004879; classtype:web-application-attack; sid:2004879; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID UPDATE"; flow:established,to_server; content:"/inc_listnews.asp?"; nocase; http_uri; content:"CAT_ID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1021; reference:url,www.milw0rm.com/exploits/3317; reference:url,doc.emergingthreats.net/2004880; classtype:web-application-attack; sid:2004880; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct SELECT"; flow:established,to_server; content:"/comersus_optReviewReadExec.asp?"; nocase; http_uri; content:"idProduct="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3323; reference:url,www.securityfocus.com/bid/24562; reference:url,doc.emergingthreats.net/2006504; classtype:web-application-attack; sid:2006504; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct UNION SELECT"; flow:established,to_server; content:"/comersus_optReviewReadExec.asp?"; nocase; http_uri; content:"idProduct="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3323; reference:url,www.securityfocus.com/bid/24562; reference:url,doc.emergingthreats.net/2006505; classtype:web-application-attack; sid:2006505; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct INSERT"; flow:established,to_server; content:"/comersus_optReviewReadExec.asp?"; nocase; http_uri; content:"idProduct="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3323; reference:url,www.securityfocus.com/bid/24562; reference:url,doc.emergingthreats.net/2006506; classtype:web-application-attack; sid:2006506; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct DELETE"; flow:established,to_server; content:"/comersus_optReviewReadExec.asp?"; nocase; http_uri; content:"idProduct="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3323; reference:url,www.securityfocus.com/bid/24562; reference:url,doc.emergingthreats.net/2006507; classtype:web-application-attack; sid:2006507; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct ASCII"; flow:established,to_server; content:"/comersus_optReviewReadExec.asp?"; nocase; http_uri; content:"idProduct="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3323; reference:url,www.securityfocus.com/bid/24562; reference:url,doc.emergingthreats.net/2006508; classtype:web-application-attack; sid:2006508; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct UPDATE"; flow:established,to_server; content:"/comersus_optReviewReadExec.asp?"; nocase; http_uri; content:"idProduct="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3323; reference:url,www.securityfocus.com/bid/24562; reference:url,doc.emergingthreats.net/2006509; classtype:web-application-attack; sid:2006509; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"epi="; nocase; http_uri; fast_pattern; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3088; reference:url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded; reference:url,doc.emergingthreats.net/2004635; classtype:web-application-attack; sid:2004635; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"epi="; nocase; http_uri; fast_pattern; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3088; reference:url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded; reference:url,doc.emergingthreats.net/2004636; classtype:web-application-attack; sid:2004636; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"epi="; nocase; http_uri; fast_pattern; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3088; reference:url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded; reference:url,doc.emergingthreats.net/2004637; classtype:web-application-attack; sid:2004637; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"epi="; nocase; http_uri; fast_pattern; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3088; reference:url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded; reference:url,doc.emergingthreats.net/2004638; classtype:web-application-attack; sid:2004638; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"epi="; nocase; http_uri; fast_pattern; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3088; reference:url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded; reference:url,doc.emergingthreats.net/2004639; classtype:web-application-attack; sid:2004639; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"epi="; nocase; http_uri; fast_pattern; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3088; reference:url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded; reference:url,doc.emergingthreats.net/2004640; classtype:web-application-attack; sid:2004640; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CommonSpot Server longproc.cfm Cross Site Scripting Attempt"; flow:to_server,established; content:"/commonspot/utilities/longproc.cfm?"; nocase; http_uri; content:"onlyurlvars="; nocase; http_uri; content:"url="; nocase; http_uri; pcre:"/(onmouse|onkey|onload=|onblur=|ondragdrop=|onclick=|alert|<script|<img|<src)/Ui"; reference:bugtraq,37986; reference:url,doc.emergingthreats.net/2010988; classtype:web-application-attack; sid:2010988; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Community CMS view.php article_id Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/view.php?"; nocase; http_uri; content:"article_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,34303; reference:url,milw0rm.com/exploits/8323; reference:url,doc.emergingthreats.net/2009787; classtype:web-application-attack; sid:2009787; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Computer Associates SiteMinder Web Agent Smpwservices.FCC Cross Site Scripting Attempt"; flow:established,to_server; content:"/siteminderagent/forms/smpwservices.fcc"; nocase; http_uri; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:cve,2007-5923; reference:url,www.securityfocus.com/bid/26375/info; reference:url,doc.emergingthreats.net/2010200; classtype:web-application-attack; sid:2010200; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comtrend ADSL Router srvName parameter XSS attempt"; flow:established,to_server; content:"GET"; http_method; content:"/scvrtsrv.cmd?"; nocase; http_uri; content:"srvName="; nocase; http_uri; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,packetstorm.foofus.com/1001-exploits/comtrend-xss.txt; reference:url,xforce.iss.net/xforce/xfdb/47765; reference:url,doc.emergingthreats.net/2011019; classtype:web-application-attack; sid:2011019; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Concord Consortium CoAST header.php sections_file parameter remote file inclusion"; flow:established,to_server; content:"GET"; http_method; content:"/header.php?"; nocase; http_uri; content:"sections_file="; nocase; http_uri; pcre:"/sections_file=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,31461; reference:url,milw0rm.com/exploits/6598; reference:url,doc.emergingthreats.net/2009166; classtype:web-application-attack; sid:2009166; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage SELECT"; flow:established,to_server; content:"/admin.php?"; nocase; http_uri; content:"uploadimage="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004705; classtype:web-application-attack; sid:2004705; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage UNION SELECT"; flow:established,to_server; content:"/admin.php?"; nocase; http_uri; content:"uploadimage="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004706; classtype:web-application-attack; sid:2004706; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage INSERT"; flow:established,to_server; content:"/admin.php?"; nocase; http_uri; content:"uploadimage="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004707; classtype:web-application-attack; sid:2004707; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage DELETE"; flow:established,to_server; content:"/admin.php?"; nocase; http_uri; content:"uploadimage="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004708; classtype:web-application-attack; sid:2004708; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage ASCII"; flow:established,to_server; content:"/admin.php?"; nocase; http_uri; content:"uploadimage="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004709; classtype:web-application-attack; sid:2004709; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage UPDATE"; flow:established,to_server; content:"/admin.php?"; nocase; http_uri; content:"uploadimage="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004710; classtype:web-application-attack; sid:2004710; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"p_skin="; nocase; http_uri; fast_pattern; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1254; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004711; classtype:web-application-attack; sid:2004711; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"p_skin="; nocase; http_uri; fast_pattern; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1254; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004712; classtype:web-application-attack; sid:2004712; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"p_skin="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1254; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004713; classtype:web-application-attack; sid:2004713; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"p_skin="; nocase; http_uri; fast_pattern; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1254; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004714; classtype:web-application-attack; sid:2004714; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"p_skin="; nocase; http_uri; fast_pattern; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1254; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004715; classtype:web-application-attack; sid:2004715; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"p_skin="; nocase; http_uri; fast_pattern; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1254; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004716; classtype:web-application-attack; sid:2004716; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Consona Products n6plugindestructor.asp Cross Site Scripting Attempt"; flow:established,to_server; content:"/verify/asp/n6plugindestructor.asp?"; nocase; http_uri; content:"backurl="; nocase; http_uri; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,39999; reference:url,juniper.net/security/auto/vulnerabilities/vuln39999.html; reference:url,doc.emergingthreats.net/2011152; classtype:web-application-attack; sid:2011152; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"pageid="; nocase; http_uri; fast_pattern; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6157; reference:url,www.milw0rm.com/exploits/2822; reference:url,doc.emergingthreats.net/2007336; classtype:web-application-attack; sid:2007336; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"pageid="; nocase; http_uri; fast_pattern; content:"UNION"; nocase; http_uri; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6157; reference:url,www.milw0rm.com/exploits/2822; reference:url,doc.emergingthreats.net/2007337; classtype:web-application-attack; sid:2007337; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"pageid="; nocase; http_uri; fast_pattern; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6157; reference:url,www.milw0rm.com/exploits/2822; reference:url,doc.emergingthreats.net/2007338; classtype:web-application-attack; sid:2007338; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"pageid="; nocase; http_uri; fast_pattern; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6157; reference:url,www.milw0rm.com/exploits/2822; reference:url,doc.emergingthreats.net/2007339; classtype:web-application-attack; sid:2007339; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"pageid="; nocase; http_uri; fast_pattern; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6157; reference:url,www.milw0rm.com/exploits/2822; reference:url,doc.emergingthreats.net/2007340; classtype:web-application-attack; sid:2007340; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"pageid="; nocase; http_uri; fast_pattern; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6157; reference:url,www.milw0rm.com/exploits/2822; reference:url,doc.emergingthreats.net/2007341; classtype:web-application-attack; sid:2007341; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id SELECT"; flow:established,to_server; content:"/haber.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6642; reference:url,www.securityfocus.com/bid/21626; reference:url,doc.emergingthreats.net/2006303; classtype:web-application-attack; sid:2006303; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id UNION SELECT"; flow:established,to_server; content:"/haber.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6642; reference:url,www.securityfocus.com/bid/21626; reference:url,doc.emergingthreats.net/2006304; classtype:web-application-attack; sid:2006304; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id INSERT"; flow:established,to_server; content:"/haber.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6642; reference:url,www.securityfocus.com/bid/21626; reference:url,doc.emergingthreats.net/2006305; classtype:web-application-attack; sid:2006305; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id DELETE"; flow:established,to_server; content:"/haber.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6642; reference:url,www.securityfocus.com/bid/21626; reference:url,doc.emergingthreats.net/2006306; classtype:web-application-attack; sid:2006306; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id ASCII"; flow:established,to_server; content:"/haber.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6642; reference:url,www.securityfocus.com/bid/21626; reference:url,doc.emergingthreats.net/2006307; classtype:web-application-attack; sid:2006307; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id UPDATE"; flow:established,to_server; content:"/haber.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6642; reference:url,www.securityfocus.com/bid/21626; reference:url,doc.emergingthreats.net/2006308; classtype:web-application-attack; sid:2006308; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav SELECT"; flow:established,to_server; content:"/thumbnails.php?"; nocase; http_uri; content:"cpg131_fav="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1107; reference:url,www.milw0rm.com/exploits/3371; reference:url,doc.emergingthreats.net/2004809; classtype:web-application-attack; sid:2004809; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav UNION SELECT"; flow:established,to_server; content:"/thumbnails.php?"; nocase; http_uri; content:"cpg131_fav="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1107; reference:url,www.milw0rm.com/exploits/3371; reference:url,doc.emergingthreats.net/2004810; classtype:web-application-attack; sid:2004810; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav INSERT"; flow:established,to_server; content:"/thumbnails.php?"; nocase; http_uri; content:"cpg131_fav="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1107; reference:url,www.milw0rm.com/exploits/3371; reference:url,doc.emergingthreats.net/2004811; classtype:web-application-attack; sid:2004811; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav DELETE"; flow:established,to_server; content:"/thumbnails.php?"; nocase; http_uri; content:"cpg131_fav="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1107; reference:url,www.milw0rm.com/exploits/3371; reference:url,doc.emergingthreats.net/2004812; classtype:web-application-attack; sid:2004812; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav ASCII"; flow:established,to_server; content:"/thumbnails.php?"; nocase; http_uri; content:"cpg131_fav="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1107; reference:url,www.milw0rm.com/exploits/3371; reference:url,doc.emergingthreats.net/2004813; classtype:web-application-attack; sid:2004813; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav UPDATE"; flow:established,to_server; content:"/thumbnails.php?"; nocase; http_uri; content:"cpg131_fav="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1107; reference:url,www.milw0rm.com/exploits/3371; reference:url,doc.emergingthreats.net/2004815; classtype:web-application-attack; sid:2004815; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat SELECT"; flow:established,to_server; content:"/albmgr.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005841; classtype:web-application-attack; sid:2005841; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat UNION SELECT"; flow:established,to_server; content:"/albmgr.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005842; classtype:web-application-attack; sid:2005842; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat INSERT"; flow:established,to_server; content:"/albmgr.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005843; classtype:web-application-attack; sid:2005843; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat DELETE"; flow:established,to_server; content:"/albmgr.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005844; classtype:web-application-attack; sid:2005844; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat ASCII"; flow:established,to_server; content:"/albmgr.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005845; classtype:web-application-attack; sid:2005845; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat UPDATE"; flow:established,to_server; content:"/albmgr.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005846; classtype:web-application-attack; sid:2005846; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid SELECT"; flow:established,to_server; content:"/usermgr.php?"; nocase; http_uri; content:"gid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005847; classtype:web-application-attack; sid:2005847; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid UNION SELECT"; flow:established,to_server; content:"/usermgr.php?"; nocase; http_uri; content:"gid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005848; classtype:web-application-attack; sid:2005848; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid INSERT"; flow:established,to_server; content:"/usermgr.php?"; nocase; http_uri; content:"gid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005849; classtype:web-application-attack; sid:2005849; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid DELETE"; flow:established,to_server; content:"/usermgr.php?"; nocase; http_uri; content:"gid="; nocase; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005850; classtype:web-application-attack; sid:2005850; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid ASCII"; flow:established,to_server; content:"/usermgr.php?"; nocase; http_uri; content:"gid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005851; classtype:web-application-attack; sid:2005851; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid UPDATE"; flow:established,to_server; content:"/usermgr.php?"; nocase; http_uri; content:"gid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005852; classtype:web-application-attack; sid:2005852; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start SELECT"; flow:established,to_server; content:"/db_ecard.php?"; nocase; http_uri; content:"start="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005853; classtype:web-application-attack; sid:2005853; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start UNION SELECT"; flow:established,to_server; content:"/db_ecard.php?"; nocase; http_uri; content:"start="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005854; classtype:web-application-attack; sid:2005854; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start INSERT"; flow:established,to_server; content:"/db_ecard.php?"; nocase; http_uri; content:"start="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005855; classtype:web-application-attack; sid:2005855; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start DELETE"; flow:established,to_server; content:"/db_ecard.php?"; nocase; http_uri; content:"start="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005856; classtype:web-application-attack; sid:2005856; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start ASCII"; flow:established,to_server; content:"/db_ecard.php?"; nocase; http_uri; content:"start="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005857; classtype:web-application-attack; sid:2005857; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start UPDATE"; flow:established,to_server; content:"/db_ecard.php?"; nocase; http_uri; content:"start="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005858; classtype:web-application-attack; sid:2005858; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Crawler footer.php footer_file Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/footer.php?"; nocase; http_uri; content:"footer_file="; nocase; http_uri; pcre:"/footer_file=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,31217; reference:url,milw0rm.com/exploits/6475; reference:url,doc.emergingthreats.net/2009793; classtype:web-application-attack; sid:2009793; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id SELECT"; flow:established,to_server; content:"/error.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2342; reference:url,www.milw0rm.com/exploits/3767; reference:url,doc.emergingthreats.net/2003752; classtype:web-application-attack; sid:2003752; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id UNION SELECT"; flow:established,to_server; content:"/error.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2342; reference:url,www.milw0rm.com/exploits/3767; reference:url,doc.emergingthreats.net/2003753; classtype:web-application-attack; sid:2003753; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id INSERT"; flow:established,to_server; content:"/error.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2342; reference:url,www.milw0rm.com/exploits/3767; reference:url,doc.emergingthreats.net/2003754; classtype:web-application-attack; sid:2003754; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id DELETE"; flow:established,to_server; content:"/error.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2342; reference:url,www.milw0rm.com/exploits/3767; reference:url,doc.emergingthreats.net/2003755; classtype:web-application-attack; sid:2003755; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id ASCII"; flow:established,to_server; content:"/error.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2342; reference:url,www.milw0rm.com/exploits/3767; reference:url,doc.emergingthreats.net/2003756; classtype:web-application-attack; sid:2003756; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id UPDATE"; flow:established,to_server; content:"/error.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2342; reference:url,www.milw0rm.com/exploits/3767; reference:url,doc.emergingthreats.net/2003757; classtype:web-application-attack; sid:2003757; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid SELECT"; flow:established,to_server; content:"/cats.asp?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0112; reference:url,www.securityfocus.com/bid/21929; reference:url,doc.emergingthreats.net/2005859; classtype:web-application-attack; sid:2005859; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid UNION SELECT"; flow:established,to_server; content:"/cats.asp?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0112; reference:url,www.securityfocus.com/bid/21929; reference:url,doc.emergingthreats.net/2005860; classtype:web-application-attack; sid:2005860; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid INSERT"; flow:established,to_server; content:"/cats.asp?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0112; reference:url,www.securityfocus.com/bid/21929; reference:url,doc.emergingthreats.net/2005861; classtype:web-application-attack; sid:2005861; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid DELETE"; flow:established,to_server; content:"/cats.asp?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0112; reference:url,www.securityfocus.com/bid/21929; reference:url,doc.emergingthreats.net/2005862; classtype:web-application-attack; sid:2005862; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid ASCII"; flow:established,to_server; content:"/cats.asp?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0112; reference:url,www.securityfocus.com/bid/21929; reference:url,doc.emergingthreats.net/2005863; classtype:web-application-attack; sid:2005863; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid UPDATE"; flow:established,to_server; content:"/cats.asp?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0112; reference:url,www.securityfocus.com/bid/21929; reference:url,doc.emergingthreats.net/2005864; classtype:web-application-attack; sid:2005864; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Business Objects Crystal Reports Web Form Viewer Directory Traversal Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/crystalreportviewers/crystalimagehandler.aspx?"; nocase; http_uri; content:"dynamicimage="; nocase; http_uri; content:"../"; depth:200; reference:url,secunia.com/advisories/11803/; reference:bugtraq,10260; reference:url,doc.emergingthreats.net/2011113; classtype:web-application-attack; sid:2011113; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php SELECT"; flow:established,to_server; content:"/cart.inc.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2862; reference:url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded; reference:url,doc.emergingthreats.net/2004035; classtype:web-application-attack; sid:2004035; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php UNION SELECT"; flow:established,to_server; content:"/cart.inc.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2862; reference:url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded; reference:url,doc.emergingthreats.net/2004036; classtype:web-application-attack; sid:2004036; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php INSERT"; flow:established,to_server; content:"/cart.inc.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2862; reference:url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded; reference:url,doc.emergingthreats.net/2004037; classtype:web-application-attack; sid:2004037; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php DELETE"; flow:established,to_server; content:"/cart.inc.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2862; reference:url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded; reference:url,doc.emergingthreats.net/2004038; classtype:web-application-attack; sid:2004038; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php ASCII"; flow:established,to_server; content:"/cart.inc.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2862; reference:url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded; reference:url,doc.emergingthreats.net/2004039; classtype:web-application-attack; sid:2004039; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php UPDATE"; flow:established,to_server; content:"/cart.inc.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2862; reference:url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded; reference:url,doc.emergingthreats.net/2004040; classtype:web-application-attack; sid:2004040; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CutePHP CuteNews directory traversal vulnerability - show_news"; flow:to_server,established; content:"/show_news.php"; nocase; http_uri; content:"template="; nocase; http_uri; pcre:"/template=[./]/Ui"; reference:bugtraq,15295; reference:url,doc.emergingthreats.net/2002668; classtype:misc-activity; sid:2002668; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CutePHP CuteNews directory traversal vulnerability - show_archives"; flow:to_server,established; content:"/show_archives.php"; nocase; http_uri; content:"template="; nocase; http_uri; pcre:"/template=[./]/Ui"; reference:bugtraq,15295; reference:url,doc.emergingthreats.net/2003152; classtype:misc-activity; sid:2003152; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cyberfolio css.php theme Parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/portfolio/css.php?"; nocase; http_uri; content:"theme="; nocase; http_uri; content:"../"; reference:cve,CVE-2008-6265; reference:bugtraq,32218; reference:url,vupen.com/english/advisories/2008/3070; reference:url,milw0rm.com/exploits/7065; reference:url,doc.emergingthreats.net/2009764; classtype:web-application-attack; sid:2009764; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cyphor show.php SQL injection attempt"; flow:to_server,established; content:"/show.php?"; nocase; http_uri; pcre:"/id=-?\d+\s+UNION\s/Ui"; reference:bugtraq,15418; reference:url,doc.emergingthreats.net/2002678; classtype:web-application-attack; sid:2002678; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/plus/feedback_js.php?"; nocase; http_uri; content:"arcurl="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,osvdb.org/show/osvdb/59406; reference:url,www.packetstormsecurity.org/0910-exploits/dedecms-sql.txt; reference:url,doc.emergingthreats.net/2010271; classtype:web-application-attack; sid:2010271; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/plus/feedback_js.php?"; nocase; http_uri; content:"arcurl="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,osvdb.org/show/osvdb/59406; reference:url,www.packetstormsecurity.org/0910-exploits/dedecms-sql.txt; reference:url,doc.emergingthreats.net/2010272; classtype:web-application-attack; sid:2010272; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/plus/feedback_js.php?"; nocase; http_uri; content:"arcurl="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,osvdb.org/show/osvdb/59406; reference:url,www.packetstormsecurity.org/0910-exploits/dedecms-sql.txt; reference:url,doc.emergingthreats.net/2010273; classtype:web-application-attack; sid:2010273; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/plus/feedback_js.php?"; nocase; http_uri; content:"arcurl="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,osvdb.org/show/osvdb/59406; reference:url,www.packetstormsecurity.org/0910-exploits/dedecms-sql.txt; reference:url,doc.emergingthreats.net/2010274; classtype:web-application-attack; sid:2010274; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/plus/feedback_js.php?"; nocase; http_uri; content:"arcurl="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,osvdb.org/show/osvdb/59406; reference:url,www.packetstormsecurity.org/0910-exploits/dedecms-sql.txt; reference:url,doc.emergingthreats.net/2010275; classtype:web-application-attack; sid:2010275; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid SELECT"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004083; classtype:web-application-attack; sid:2004083; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid UNION SELECT"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004084; classtype:web-application-attack; sid:2004084; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid INSERT"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004085; classtype:web-application-attack; sid:2004085; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid DELETE"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004086; classtype:web-application-attack; sid:2004086; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid ASCII"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004087; classtype:web-application-attack; sid:2004087; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid UPDATE"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004088; classtype:web-application-attack; sid:2004088; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid SELECT"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"newsid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2994; reference:url,www.securityfocus.com/bid/24212; reference:url,doc.emergingthreats.net/2004456; classtype:web-application-attack; sid:2004456; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid UNION SELECT"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"newsid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2994; reference:url,www.securityfocus.com/bid/24212; reference:url,doc.emergingthreats.net/2004457; classtype:web-application-attack; sid:2004457; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid INSERT"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"newsid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2994; reference:url,www.securityfocus.com/bid/24212; reference:url,doc.emergingthreats.net/2004458; classtype:web-application-attack; sid:2004458; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid DELETE"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"newsid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2994; reference:url,www.securityfocus.com/bid/24212; reference:url,doc.emergingthreats.net/2004459; classtype:web-application-attack; sid:2004459; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid ASCII"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"newsid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2994; reference:url,www.securityfocus.com/bid/24212; reference:url,doc.emergingthreats.net/2004460; classtype:web-application-attack; sid:2004460; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid UPDATE"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"newsid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2994; reference:url,www.securityfocus.com/bid/24212; reference:url,doc.emergingthreats.net/2004461; classtype:web-application-attack; sid:2004461; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews XSS Attempt -- footer.php copyright"; flow:established,to_server; content:"/footer.php?"; nocase; http_uri; content:"copyright="; nocase; http_uri; fast_pattern; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-0694; reference:url,www.securityfocus.com/bid/24200; reference:url,doc.emergingthreats.net/2004584; classtype:web-application-attack; sid:2004584; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews XSS Attempt -- news.php catid"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"catid="; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004585; classtype:web-application-attack; sid:2004585; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/dm-albums/template/album.php?"; nocase; uricontent:"SECURITY_FILE="; nocase; content:"../"; depth:200; reference:url,secunia.com/advisories/35622/; reference:bugtraq,35521; reference:url,milw0rm.com/exploits/9044; reference:url,doc.emergingthreats.net/2010025; classtype:web-application-attack; sid:2010025; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/dm-albums/template/album.php?"; nocase; http_uri; content:"SECURITY_FILE="; nocase; http_uri; pcre:"/SECURITY_FILE=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/35622/; reference:bugtraq,35521; reference:url,milw0rm.com/exploits/9044; reference:url,doc.emergingthreats.net/2010027; classtype:web-application-attack; sid:2010027; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid SELECT"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"mid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7118; reference:url,www.securityfocus.com/bid/21064; reference:url,doc.emergingthreats.net/2004683; classtype:web-application-attack; sid:2004683; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid UNION SELECT"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"mid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7118; reference:url,www.securityfocus.com/bid/21064; reference:url,doc.emergingthreats.net/2004684; classtype:web-application-attack; sid:2004684; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid INSERT"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"mid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7118; reference:url,www.securityfocus.com/bid/21064; reference:url,doc.emergingthreats.net/2004685; classtype:web-application-attack; sid:2004685; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid DELETE"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"mid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7118; reference:url,www.securityfocus.com/bid/21064; reference:url,doc.emergingthreats.net/2004686; classtype:web-application-attack; sid:2004686; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid ASCII"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"mid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7118; reference:url,www.securityfocus.com/bid/21064; reference:url,doc.emergingthreats.net/2004687; classtype:web-application-attack; sid:2004687; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid UPDATE"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"mid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7118; reference:url,www.securityfocus.com/bid/21064; reference:url,doc.emergingthreats.net/2004688; classtype:web-application-attack; sid:2004688; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp SELECT"; flow:established,to_server; content:"/set_preferences.asp?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006081; classtype:web-application-attack; sid:2006081; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp UNION SELECT"; flow:established,to_server; content:"/set_preferences.asp?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006082; classtype:web-application-attack; sid:2006082; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp INSERT"; flow:established,to_server; content:"/set_preferences.asp?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006083; classtype:web-application-attack; sid:2006083; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp DELETE"; flow:established,to_server; content:"/set_preferences.asp?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006084; classtype:web-application-attack; sid:2006084; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp ASCII"; flow:established,to_server; content:"/set_preferences.asp?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006085; classtype:web-application-attack; sid:2006085; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp UPDATE"; flow:established,to_server; content:"/set_preferences.asp?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006086; classtype:web-application-attack; sid:2006086; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp SELECT"; flow:established,to_server; content:"/send_password_preferences.asp?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006087; classtype:web-application-attack; sid:2006087; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp UNION SELECT"; flow:established,to_server; content:"/send_password_preferences.asp?"; nocase; http_uri;content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006088; classtype:web-application-attack; sid:2006088; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp INSERT"; flow:established,to_server; content:"/send_password_preferences.asp?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006089; classtype:web-application-attack; sid:2006089; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp DELETE"; flow:established,to_server; content:"/send_password_preferences.asp?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006090; classtype:web-application-attack; sid:2006090; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp ASCII"; flow:established,to_server; content:"/send_password_preferences.asp?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006091; classtype:web-application-attack; sid:2006091; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp UPDATE"; flow:established,to_server; content:"/send_password_preferences.asp?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006092; classtype:web-application-attack; sid:2006092; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp SELECT"; flow:established,to_server; content:"/SecureLoginManager/list.asp?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006093; classtype:web-application-attack; sid:2006093; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp UNION SELECT"; flow:established,to_server; content:"/SecureLoginManager/list.asp?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006094; classtype:web-application-attack; sid:2006094; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp INSERT"; flow:established,to_server; content:"/SecureLoginManager/list.asp?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006095; classtype:web-application-attack; sid:2006095; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp DELETE"; flow:established,to_server; content:"/SecureLoginManager/list.asp?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006096; classtype:web-application-attack; sid:2006096; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp ASCII"; flow:established,to_server; content:"/SecureLoginManager/list.asp?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006097; classtype:web-application-attack; sid:2006097; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp UPDATE"; flow:established,to_server; content:"/SecureLoginManager/list.asp?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006098; classtype:web-application-attack; sid:2006098; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent SELECT"; flow:established,to_server; content:"/login.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006099; classtype:web-application-attack; sid:2006099; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent UNION SELECT"; flow:established,to_server; content:"/login.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006100; classtype:web-application-attack; sid:2006100; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent INSERT"; flow:established,to_server; content:"/login.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006101; classtype:web-application-attack; sid:2006101; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent DELETE"; flow:established,to_server; content:"/login.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006102; classtype:web-application-attack; sid:2006102; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent ASCII"; flow:established,to_server; content:"/login.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006103; classtype:web-application-attack; sid:2006103; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent UPDATE"; flow:established,to_server; content:"/login.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006104; classtype:web-application-attack; sid:2006104; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent SELECT"; flow:established,to_server; content:"/content.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006105; classtype:web-application-attack; sid:2006105; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent UNION SELECT"; flow:established,to_server; content:"/content.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006106; classtype:web-application-attack; sid:2006106; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent INSERT"; flow:established,to_server; content:"/content.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006107; classtype:web-application-attack; sid:2006107; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent DELETE"; flow:established,to_server; content:"/content.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006108; classtype:web-application-attack; sid:2006108; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent ASCII"; flow:established,to_server; content:"/content.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006109; classtype:web-application-attack; sid:2006109; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent UPDATE"; flow:established,to_server; content:"/content.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006110; classtype:web-application-attack; sid:2006110; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent SELECT"; flow:established,to_server; content:"/members.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006111; classtype:web-application-attack; sid:2006111; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent UNION SELECT"; flow:established,to_server; content:"/members.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006112; classtype:web-application-attack; sid:2006112; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent INSERT"; flow:established,to_server; content:"/members.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006113; classtype:web-application-attack; sid:2006113; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent DELETE"; flow:established,to_server; content:"/members.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006114; classtype:web-application-attack; sid:2006114; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent ASCII"; flow:established,to_server; content:"/members.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006115; classtype:web-application-attack; sid:2006115; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent UPDATE"; flow:established,to_server; content:"/members.asp?"; nocase; http_uri; content:"sent="; nocase; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006116; classtype:web-application-attack; sid:2006116; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent SELECT"; flow:established,to_server; content:"/applications/SecureLoginManager/inc_secureloginmanager.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006117; classtype:web-application-attack; sid:2006117; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent UNION SELECT"; flow:established,to_server; content:"/applications/SecureLoginManager/inc_secureloginmanager.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006118; classtype:web-application-attack; sid:2006118; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent INSERT"; flow:established,to_server; content:"/applications/SecureLoginManager/inc_secureloginmanager.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006119; classtype:web-application-attack; sid:2006119; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent DELETE"; flow:established,to_server; content:"/applications/SecureLoginManager/inc_secureloginmanager.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006120; classtype:web-application-attack; sid:2006120; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent ASCII"; flow:established,to_server; content:"/applications/SecureLoginManager/inc_secureloginmanager.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006121; classtype:web-application-attack; sid:2006121; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent UPDATE"; flow:established,to_server; content:"/applications/SecureLoginManager/inc_secureloginmanager.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006122; classtype:web-application-attack; sid:2006122; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Multiple Products upload_image_category.asp cid Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/upload_image_category.asp?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,33253; reference:url,xforce.iss.net/xforce/xfdb/47959; reference:url,milw0rm.com/exploits/7767; reference:url,doc.emergingthreats.net/2009739; classtype:web-application-attack; sid:2009739; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum SELECT"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"ordernum="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6911; reference:url,www.milw0rm.com/exploits/3089; reference:url,doc.emergingthreats.net/2005895; classtype:web-application-attack; sid:2005895; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum UNION SELECT"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"ordernum="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6911; reference:url,www.milw0rm.com/exploits/3089; reference:url,doc.emergingthreats.net/2005896; classtype:web-application-attack; sid:2005896; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum INSERT"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"ordernum="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6911; reference:url,www.milw0rm.com/exploits/3089; reference:url,doc.emergingthreats.net/2005897; classtype:web-application-attack; sid:2005897; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum DELETE"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"ordernum="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6911; reference:url,www.milw0rm.com/exploits/3089; reference:url,doc.emergingthreats.net/2005898; classtype:web-application-attack; sid:2005898; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum ASCII"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"ordernum="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6911; reference:url,www.milw0rm.com/exploits/3089; reference:url,doc.emergingthreats.net/2005899; classtype:web-application-attack; sid:2005899; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum UPDATE"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"ordernum="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6911; reference:url,www.milw0rm.com/exploits/3089; reference:url,doc.emergingthreats.net/2005900; classtype:web-application-attack; sid:2005900; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DvBBS boardrule.php groupboardid Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/boardrule.php?"; nocase; http_uri; content:"groupboardid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,36282; reference:url,doc.emergingthreats.net/2010259; classtype:web-application-attack; sid:2010259; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DVDdb XSS Attempt -- loan.php movieid"; flow:established,to_server; content:"/loan.php?"; nocase; http_uri; content:"movieid="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2499; reference:url,www.securityfocus.com/bid/23764; reference:url,doc.emergingthreats.net/2003920; classtype:web-application-attack; sid:2003920; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DVDdb XSS Attempt -- listmovies.php s"; flow:established,to_server; content:"/listmovies.php?"; nocase; http_uri; content:"s="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2499; reference:url,www.securityfocus.com/bid/23764; reference:url,doc.emergingthreats.net/2003921; classtype:web-application-attack; sid:2003921; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DaFun Spirit lgsl_players.php lgsl_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/modules/dfss/lgsl/lgsl_players.php?"; nocase; http_uri; content:"lgsl_path="; nocase; http_uri; pcre:"/lgsl_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/11888; reference:url,doc.emergingthreats.net/2011099; classtype:web-application-attack; sid:2011099; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DaFun Spirit lgsl_settings.php lgsl_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/modules/dfss/lgsl/lgsl_settings.php?"; nocase; http_uri; content:"lgsl_path="; nocase; http_uri; pcre:"/lgsl_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/11888; reference:url,doc.emergingthreats.net/2011100; classtype:web-application-attack; sid:2011100; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Datalife Engine api.class.php dle_config_api Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/engine/api/api.class.php?"; nocase; http_uri; content:"dle_config_api="; nocase; http_uri; pcre:"/dle_config_api\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.juniper.net/security/auto/vulnerabilities/vuln36212.html; reference:url,milw0rm.com/exploits/9572; reference:url,doc.emergingthreats.net/2010252; classtype:web-application-attack; sid:2010252; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DeZine DZcms products.php pcat parameter SQL injection"; flow:to_server,established; content:"GET"; http_method; content:"/products.php?"; nocase; http_uri; content:"pcat="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,33194; reference:url,milw0rm.com/exploits/7722; reference:url,doc.emergingthreats.net/2009319; classtype:web-application-attack; sid:2009319; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DeltaScripts PHP Classifieds siteid parameter Remote SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/detail.php?"; nocase; http_uri; content:"siteid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,frsirt.com/english/advisories/2008/3079; reference:bugtraq,32191; reference:url,doc.emergingthreats.net/2008838; classtype:web-application-attack; sid:2008838; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DeluxeBB misc.php qorder Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/misc.php?"; nocase; http_uri; content:"sub=memberlist"; nocase; http_uri; content:"qorder="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,34174; reference:url,milw0rm.com/exploits/8240; reference:url,doc.emergingthreats.net/2009368; classtype:web-application-attack; sid:2009368; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Demium CMS tracking.php follow_kat Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/tracking.php?"; nocase; http_uri; content:"follow_kat="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,33933; reference:url,milw0rm.com/exploits/8124; reference:url,doc.emergingthreats.net/2009323; classtype:web-application-attack; sid:2009323; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Demium CMS urheber.php name Parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/urheber.php?"; nocase; http_uri; content:"name="; nocase; http_uri; content:"../"; reference:bugtraq,33933; reference:url,milw0rm.com/exploits/8124; reference:url,doc.emergingthreats.net/2009324; classtype:web-application-attack; sid:2009324; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id SELECT"; flow:established,to_server; content:"/page.asp?"; nocase; http_uri; content:"art_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1077; reference:url,www.securityfocus.com/bid/22636; reference:url,doc.emergingthreats.net/2004834; classtype:web-application-attack; sid:2004834; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id UNION SELECT"; flow:established,to_server; content:"/page.asp?"; nocase; http_uri; content:"art_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1077; reference:url,www.securityfocus.com/bid/22636; reference:url,doc.emergingthreats.net/2004835; classtype:web-application-attack; sid:2004835; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id INSERT"; flow:established,to_server; content:"/page.asp?"; nocase; http_uri; content:"art_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1077; reference:url,www.securityfocus.com/bid/22636; reference:url,doc.emergingthreats.net/2004836; classtype:web-application-attack; sid:2004836; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id DELETE"; flow:established,to_server; content:"/page.asp?"; nocase; http_uri; content:"art_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1077; reference:url,www.securityfocus.com/bid/22636; reference:url,doc.emergingthreats.net/2004837; classtype:web-application-attack; sid:2004837; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id ASCII"; flow:established,to_server; content:"/page.asp?"; nocase; http_uri; content:"art_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1077; reference:url,www.securityfocus.com/bid/22636; reference:url,doc.emergingthreats.net/2004838; classtype:web-application-attack; sid:2004838; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id UPDATE"; flow:established,to_server; content:"/page.asp?"; nocase; http_uri; content:"art_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1077; reference:url,www.securityfocus.com/bid/22636; reference:url,doc.emergingthreats.net/2004839; classtype:web-application-attack; sid:2004839; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DesktopOnNet don3_requiem.php app_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/don3_requiem.php?"; nocase; http_uri; content:"app_path="; nocase; http_uri; pcre:"/app_path=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,2008-2649; reference:url,xforce.iss.net/xforce/xfdb/42790; reference:url,milw0rm.com/exploits/5715; reference:url,doc.emergingthreats.net/2009317; classtype:web-application-attack; sid:2009317; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DesktopOnNet frontpage.php app_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/frontpage.php?"; nocase; http_uri; content:"app_path="; nocase; http_uri; pcre:"/app_path=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,2008-2649; reference:url,xforce.iss.net/xforce/xfdb/42790; reference:url,milw0rm.com/exploits/5715; reference:url,doc.emergingthreats.net/2009318; classtype:web-application-attack; sid:2009318; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DevelopItEasy Photo Gallery cat_id parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/gallery_category.php?"; nocase; http_uri; content:"cat_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; metadata: former_category WEB_SPECIFIC_APPS; reference:url,secunia.com/advisories/32593/; reference:url,milw0rm.com/exploits/7016; reference:url,doc.emergingthreats.net/2008830; classtype:web-application-attack; sid:2008830; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2017_05_08;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DevelopItEasy Photo Gallery photo_id parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/gallery_photo.php?"; nocase; http_uri; content:"photo_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; metadata: former_category WEB_SPECIFIC_APPS; reference:url,secunia.com/advisories/32593/; reference:url,milw0rm.com/exploits/7016; reference:url,doc.emergingthreats.net/2008831; classtype:web-application-attack; sid:2008831; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2017_05_08;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DevelopItEasy News And Article aid parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/article_details.php?"; nocase; http_uri; content:"aid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,milw0rm.com/exploits/7014; reference:url,secunia.com/Advisories/32595/; reference:url,doc.emergingthreats.net/2008834; classtype:web-application-attack; sid:2008834; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id SELECT"; flow:established,to_server; content:"/visu_user.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0306; reference:url,www.milw0rm.com/exploits/3122; reference:url,doc.emergingthreats.net/2005591; classtype:web-application-attack; sid:2005591; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id UNION SELECT"; flow:established,to_server; content:"/visu_user.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0306; reference:url,www.milw0rm.com/exploits/3122; reference:url,doc.emergingthreats.net/2005592; classtype:web-application-attack; sid:2005592; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id INSERT"; flow:established,to_server; content:"/visu_user.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0306; reference:url,www.milw0rm.com/exploits/3122; reference:url,doc.emergingthreats.net/2005593; classtype:web-application-attack; sid:2005593; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id DELETE"; flow:established,to_server; content:"/visu_user.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0306; reference:url,www.milw0rm.com/exploits/3122; reference:url,doc.emergingthreats.net/2005594; classtype:web-application-attack; sid:2005594; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id ASCII"; flow:established,to_server; content:"/visu_user.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0306; reference:url,www.milw0rm.com/exploits/3122; reference:url,doc.emergingthreats.net/2005595; classtype:web-application-attack; sid:2005595; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id UPDATE"; flow:established,to_server; content:"/visu_user.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0306; reference:url,www.milw0rm.com/exploits/3122; reference:url,doc.emergingthreats.net/2005596; classtype:web-application-attack; sid:2005596; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digirez XSS Attempt -- info_book.asp Room_name"; flow:established,to_server; content:"/room/info_book.asp?"; nocase; http_uri; content:"Room_name="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2880; reference:url,www.securityfocus.com/archive/1/archive/1/469589/100/0/threaded; reference:url,doc.emergingthreats.net/2004595; classtype:web-application-attack; sid:2004595; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digirez XSS Attempt -- week.asp curYear"; flow:established,to_server; content:"/room/week.asp?"; nocase; http_uri; content:"curYear="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2880; reference:url,www.securityfocus.com/archive/1/archive/1/469589/100/0/threaded; reference:url,doc.emergingthreats.net/2004596; classtype:web-application-attack; sid:2004596; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id SELECT"; flow:established,to_server; content:"/info_book.asp?"; nocase; http_uri; content:"book_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0128; reference:url,www.milw0rm.com/exploits/3081; reference:url,doc.emergingthreats.net/2005835; classtype:web-application-attack; sid:2005835; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id UNION SELECT"; flow:established,to_server; content:"/info_book.asp?"; nocase; http_uri; content:"book_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0128; reference:url,www.milw0rm.com/exploits/3081; reference:url,doc.emergingthreats.net/2005836; classtype:web-application-attack; sid:2005836; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id INSERT"; flow:established,to_server; content:"/info_book.asp?"; nocase; http_uri; content:"book_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0128; reference:url,www.milw0rm.com/exploits/3081; reference:url,doc.emergingthreats.net/2005837; classtype:web-application-attack; sid:2005837; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id DELETE"; flow:established,to_server; content:"/info_book.asp?"; nocase; http_uri; content:"book_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0128; reference:url,www.milw0rm.com/exploits/3081; reference:url,doc.emergingthreats.net/2005838; classtype:web-application-attack; sid:2005838; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id ASCII"; flow:established,to_server; content:"/info_book.asp?"; nocase; http_uri; content:"book_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0128; reference:url,www.milw0rm.com/exploits/3081; reference:url,doc.emergingthreats.net/2005839; classtype:web-application-attack; sid:2005839; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id UPDATE"; flow:established,to_server; content:"/info_book.asp?"; nocase; http_uri; content:"book_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0128; reference:url,www.milw0rm.com/exploits/3081; reference:url,doc.emergingthreats.net/2005840; classtype:web-application-attack; sid:2005840; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DS CMS DetailFile.php nFileId Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/DetailFile.php?"; nocase; http_uri; content:"nFileId="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/0908-exploits/dscms-sql.txt; reference:url,doc.emergingthreats.net/2010195; classtype:web-application-attack; sid:2010195; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Docebo UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"/docebo/docebo"; nocase; http_uri; content:"/index.php?modname="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/(modname=meta_certificate|modname=certificate|modname=link).+UPTDATE.+SET/Ui"; reference:url,www.securityfocus.com/bid/36654/info; reference:url,www.securityfocus.com/archive/1/507072; reference:url,doc.emergingthreats.net/2010073; classtype:web-application-attack; sid:2010073; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Docebo UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"/docebo/docebo"; nocase; http_uri; content:"/index.php?modname="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/(modname=meta_certificate|modname=certificate|modname=link).+UNION.+SELECT/Ui"; reference:url,www.securityfocus.com/bid/36654/info; reference:url,www.securityfocus.com/archive/1/507072; reference:url,doc.emergingthreats.net/2010074; classtype:web-application-attack; sid:2010074; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Docebo SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"/docebo/docebo"; nocase; http_uri; content:"/index.php?modname="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/(modname=meta_certificate|modname=certificate|modname=link).+SELECT.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36654/info; reference:url,www.securityfocus.com/archive/1/507072; reference:url,doc.emergingthreats.net/2010075; classtype:web-application-attack; sid:2010075; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Docebo DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"/docebo/docebo"; nocase; http_uri; content:"/index.php?modname="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/(modname=meta_certificate|modname=certificate|modname=link).+DELETE.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36654/info; reference:url,www.securityfocus.com/archive/1/507072; reference:url,doc.emergingthreats.net/2010076; classtype:web-application-attack; sid:2010076; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Docebo INSERT INTO Injection Attempt"; flow:established,to_server; content:"/docebo/docebo"; nocase; http_uri; content:"/index.php?modname="; nocase; http_uri; content:"INSERT"; nocase; http_uri; distance:0; content:"INTO"; distance:0; nocase; http_uri; pcre:"/modname=(?:(?:meta_)?certificate|link).+?\bINSERT\b.*?INTO\b/Ui"; reference:url,www.securityfocus.com/bid/36654/info; reference:url,www.securityfocus.com/archive/1/507072; reference:url,doc.emergingthreats.net/2010077; classtype:web-application-attack; sid:2010077; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Docebo UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"/docebo/docebo"; nocase; http_uri; content:"/index.php?modname="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; distance:0; content:"SET"; distance:0; nocase; http_uri; pcre:"/modname=(?:(?:meta_)?certificate|link).+?\bUPDATE\b.*?SET\b/Ui"; reference:url,www.securityfocus.com/bid/36654/info; reference:url,www.securityfocus.com/archive/1/507072; reference:url,doc.emergingthreats.net/2010078; classtype:web-application-attack; sid:2010078; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dokuwiki doku.php config_cascade Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/doku.php?"; nocase; http_uri; content:"config_cascade[main][default][]="; nocase; http_uri; content:"../"; reference:bugtraq,35095; reference:url,milw0rm.com/exploits/8781; reference:url,doc.emergingthreats.net/2009876; classtype:web-application-attack; sid:2009876; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dog Pedigree Online Database managePerson.php personId Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/managePerson.php?"; nocase; http_uri; content:"personId="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,35032; reference:url,milw0rm.com/exploits/8738; reference:url,doc.emergingthreats.net/2009795; classtype:web-application-attack; sid:2009795; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen SELECT"; flow:established,to_server; content:"/tracking/courseLog.php?"; nocase; http_uri; content:"scormcontopen="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2889; reference:url,www.milw0rm.com/exploits/3980; reference:url,doc.emergingthreats.net/2004047; classtype:web-application-attack; sid:2004047; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen UNION SELECT"; flow:established,to_server; content:"/tracking/courseLog.php?"; nocase; http_uri; content:"scormcontopen="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2889; reference:url,www.milw0rm.com/exploits/3980; reference:url,doc.emergingthreats.net/2004048; classtype:web-application-attack; sid:2004048; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen INSERT"; flow:established,to_server; content:"/tracking/courseLog.php?"; nocase; http_uri; content:"scormcontopen="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2889; reference:url,www.milw0rm.com/exploits/3980; reference:url,doc.emergingthreats.net/2004049; classtype:web-application-attack; sid:2004049; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen DELETE"; flow:established,to_server; content:"/tracking/courseLog.php?"; nocase; http_uri; content:"scormcontopen="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2889; reference:url,www.milw0rm.com/exploits/3980; reference:url,doc.emergingthreats.net/2004050; classtype:web-application-attack; sid:2004050; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen ASCII"; flow:established,to_server; content:"/tracking/courseLog.php?"; nocase; http_uri; content:"scormcontopen="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2889; reference:url,www.milw0rm.com/exploits/3980; reference:url,doc.emergingthreats.net/2004051; classtype:web-application-attack; sid:2004051; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen UPDATE"; flow:established,to_server; content:"/tracking/courseLog.php?"; nocase; http_uri; content:"scormcontopen="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2889; reference:url,www.milw0rm.com/exploits/3980; reference:url,doc.emergingthreats.net/2004052; classtype:web-application-attack; sid:2004052; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course SELECT"; flow:established,to_server; content:"/main/auth/my_progress.php?"; nocase; http_uri; content:"course="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2902; reference:url,www.milw0rm.com/exploits/3974; reference:url,doc.emergingthreats.net/2004065; classtype:web-application-attack; sid:2004065; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course UNION SELECT"; flow:established,to_server; content:"/main/auth/my_progress.php?"; nocase; http_uri; content:"course="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2902; reference:url,www.milw0rm.com/exploits/3974; reference:url,doc.emergingthreats.net/2004066; classtype:web-application-attack; sid:2004066; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course INSERT"; flow:established,to_server; content:"/main/auth/my_progress.php?"; nocase; http_uri; content:"course="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2902; reference:url,www.milw0rm.com/exploits/3974; reference:url,doc.emergingthreats.net/2004067; classtype:web-application-attack; sid:2004067; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course DELETE"; flow:established,to_server; content:"/main/auth/my_progress.php?"; nocase; http_uri; content:"course="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2902; reference:url,www.milw0rm.com/exploits/3974; reference:url,doc.emergingthreats.net/2004068; classtype:web-application-attack; sid:2004068; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course ASCII"; flow:established,to_server; content:"/main/auth/my_progress.php?"; nocase; http_uri; content:"course="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2902; reference:url,www.milw0rm.com/exploits/3974; reference:url,doc.emergingthreats.net/2004069; classtype:web-application-attack; sid:2004069; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course UPDATE"; flow:established,to_server; content:"/main/auth/my_progress.php?"; nocase; http_uri; content:"course="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2902; reference:url,www.milw0rm.com/exploits/3974; reference:url,doc.emergingthreats.net/2004070; classtype:web-application-attack; sid:2004070; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dokeos XSS Attempt -- editor.php img"; flow:established,to_server; content:"/main/inc/lib/fckeditor/editor/plugins/ImageManager/editor.php?"; nocase; http_uri; content:"img="; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2901; reference:url,www.milw0rm.com/exploits/3974; reference:url,doc.emergingthreats.net/2004593; classtype:web-application-attack; sid:2004593; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID SELECT"; flow:established,to_server; content:"/bus_details.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6804; reference:url,www.milw0rm.com/exploits/2992; reference:url,doc.emergingthreats.net/2006141; classtype:web-application-attack; sid:2006141; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID UNION SELECT"; flow:established,to_server; content:"/bus_details.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6804; reference:url,www.milw0rm.com/exploits/2992; reference:url,doc.emergingthreats.net/2006142; classtype:web-application-attack; sid:2006142; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID INSERT"; flow:established,to_server; content:"/bus_details.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6804; reference:url,www.milw0rm.com/exploits/2992; reference:url,doc.emergingthreats.net/2006143; classtype:web-application-attack; sid:2006143; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID DELETE"; flow:established,to_server; content:"/bus_details.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6804; reference:url,www.milw0rm.com/exploits/2992; reference:url,doc.emergingthreats.net/2006144; classtype:web-application-attack; sid:2006144; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID ASCII"; flow:established,to_server; content:"/bus_details.asp?"; nocase; http_uri; content:"ID="; nocase; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6804; reference:url,www.milw0rm.com/exploits/2992; reference:url,doc.emergingthreats.net/2006145; classtype:web-application-attack; sid:2006145; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID UPDATE"; flow:established,to_server; content:"/bus_details.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6804; reference:url,www.milw0rm.com/exploits/2992; reference:url,doc.emergingthreats.net/2006146; classtype:web-application-attack; sid:2006146; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dragoon header.inc.php root Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/includes/header.inc.php?"; nocase; http_uri; content:"root="; nocase; http_uri; pcre:"/root=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/5393; reference:bugtraq,28660; reference:url,doc.emergingthreats.net/2009848; classtype:web-application-attack; sid:2009848; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dros core.write_compiled_include.php smarty Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/include/libs/internals/core.write_compiled_include.php?"; nocase; http_uri; content:"smarty="; nocase; http_uri; pcre:"/smarty\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.exploit-db.com/exploits/10682; reference:url,doc.emergingthreats.net/2010707; classtype:web-application-attack; sid:2010707; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dros core.process_compiled_include.php smarty Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/include/libs/internals/core.process_compiled_include.php?"; nocase; http_uri; content:"smarty="; nocase; http_uri; pcre:"/smarty\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.exploit-db.com/exploits/10682; reference:url,doc.emergingthreats.net/2010708; classtype:web-application-attack; sid:2010708; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dros function.config_load.php _compile_file Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/include/libs/plugins/function.config_load.php?"; nocase; http_uri; content:"_compile_file="; nocase; http_uri; pcre:"/_compile_file\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.exploit-db.com/exploits/10682; reference:url,doc.emergingthreats.net/2010709; classtype:web-application-attack; sid:2010709; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id SELECT"; flow:established,to_server; content:"/goster.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1422; reference:url,www.securityfocus.com/bid/22910; reference:url,doc.emergingthreats.net/2004385; classtype:web-application-attack; sid:2004385; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id UNION SELECT"; flow:established,to_server; content:"/goster.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1422; reference:url,www.securityfocus.com/bid/22910; reference:url,doc.emergingthreats.net/2004386; classtype:web-application-attack; sid:2004386; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id INSERT"; flow:established,to_server; content:"/goster.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1422; reference:url,www.securityfocus.com/bid/22910; reference:url,doc.emergingthreats.net/2004387; classtype:web-application-attack; sid:2004387; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id DELETE"; flow:established,to_server; content:"/goster.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1422; reference:url,www.securityfocus.com/bid/22910; reference:url,doc.emergingthreats.net/2004388; classtype:web-application-attack; sid:2004388; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id ASCII"; flow:established,to_server; content:"/goster.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1422; reference:url,www.securityfocus.com/bid/22910; reference:url,doc.emergingthreats.net/2004389; classtype:web-application-attack; sid:2004389; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id UPDATE"; flow:established,to_server; content:"/goster.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1422; reference:url,www.securityfocus.com/bid/22910; reference:url,doc.emergingthreats.net/2004390; classtype:web-application-attack; sid:2004390; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iFile="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006687; classtype:web-application-attack; sid:2006687; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile UNION SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iFile="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006688; classtype:web-application-attack; sid:2006688; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile INSERT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iFile="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006689; classtype:web-application-attack; sid:2006689; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile DELETE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iFile="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006690; classtype:web-application-attack; sid:2006690; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile ASCII"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iFile="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006691; classtype:web-application-attack; sid:2006691; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile UPDATE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iFile="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006692; classtype:web-application-attack; sid:2006692; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006694; classtype:web-application-attack; sid:2006694; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action UNION SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006695; classtype:web-application-attack; sid:2006695; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action INSERT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006696; classtype:web-application-attack; sid:2006696; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action DELETE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006697; classtype:web-application-attack; sid:2006697; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action ASCII"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006698; classtype:web-application-attack; sid:2006698; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action UPDATE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006699; classtype:web-application-attack; sid:2006699; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iType="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6365; reference:url,www.securityfocus.com/bid/14034; reference:url,doc.emergingthreats.net/2006700; classtype:web-application-attack; sid:2006700; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType UNION SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iType="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6365; reference:url,www.securityfocus.com/bid/14034; reference:url,doc.emergingthreats.net/2006701; classtype:web-application-attack; sid:2006701; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType INSERT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iType="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6365; reference:url,www.securityfocus.com/bid/14034; reference:url,doc.emergingthreats.net/2006702; classtype:web-application-attack; sid:2006702; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType DELETE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iType="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6365; reference:url,www.securityfocus.com/bid/14034; reference:url,doc.emergingthreats.net/2006703; classtype:web-application-attack; sid:2006703; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType ASCII"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iType="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6365; reference:url,www.securityfocus.com/bid/14034; reference:url,doc.emergingthreats.net/2006704; classtype:web-application-attack; sid:2006704; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType UPDATE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iType="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6365; reference:url,www.securityfocus.com/bid/14034; reference:url,doc.emergingthreats.net/2006705; classtype:web-application-attack; sid:2006705; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"iCity="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6355; reference:url,www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded; reference:url,doc.emergingthreats.net/2006706; classtype:web-application-attack; sid:2006706; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity UNION SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"iCity="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6355; reference:url,www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded; reference:url,doc.emergingthreats.net/2006707; classtype:web-application-attack; sid:2006707; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity INSERT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"iCity="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6355; reference:url,www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded; reference:url,doc.emergingthreats.net/2006708; classtype:web-application-attack; sid:2006708; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity DELETE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"iCity="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6355; reference:url,www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded; reference:url,doc.emergingthreats.net/2006709; classtype:web-application-attack; sid:2006709; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity ASCII"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"iCity="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6355; reference:url,www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded; reference:url,doc.emergingthreats.net/2006710; classtype:web-application-attack; sid:2006710; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity UPDATE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"iCity="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6355; reference:url,www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded; reference:url,doc.emergingthreats.net/2006711; classtype:web-application-attack; sid:2006711; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iNews="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006712; classtype:web-application-attack; sid:2006712; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews UNION SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iNews="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006713; classtype:web-application-attack; sid:2006713; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews INSERT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iNews="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006714; classtype:web-application-attack; sid:2006714; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews DELETE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iNews="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006715; classtype:web-application-attack; sid:2006715; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews ASCII"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iNews="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006716; classtype:web-application-attack; sid:2006716; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews UPDATE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iNews="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006717; classtype:web-application-attack; sid:2006717; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DynamicPAD Remote Inclusion Attempt -- dp_logs.php HomeDir"; flow:established,to_server; content:"/dp_logs.php?"; nocase; http_uri; content:"HomeDir="; nocase; http_uri; pcre:"/=\s*(https?|ftps|php)\:\//Ui"; reference:cve,CVE-2007-2527; reference:url,milw0rm.com/exploits/3868; reference:url,doc.emergingthreats.net/2003679; classtype:web-application-attack; sid:2003679; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DynamicPAD Remote Inclusion Attempt -- index.php HomeDir"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"HomeDir="; nocase; http_uri; fast_pattern; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2527; reference:url,milw0rm.com/exploits/3868; reference:url,doc.emergingthreats.net/2003680; classtype:web-application-attack; sid:2003680; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-Annu SQL Injection Attempt -- home.php a SELECT"; flow:established,to_server; content:"/home.php?"; nocase; http_uri; content:"a="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2416; reference:url,www.securityfocus.com/bid/23727; reference:url,doc.emergingthreats.net/2003770; classtype:web-application-attack; sid:2003770; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-Annu SQL Injection Attempt -- home.php a UNION SELECT"; flow:established,to_server; content:"/home.php?"; nocase; http_uri; content:"a="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2416; reference:url,www.securityfocus.com/bid/23727; reference:url,doc.emergingthreats.net/2003771; classtype:web-application-attack; sid:2003771; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-Annu SQL Injection Attempt -- home.php a INSERT"; flow:established,to_server; content:"/home.php?"; nocase; http_uri; content:"a="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2416; reference:url,www.securityfocus.com/bid/23727; reference:url,doc.emergingthreats.net/2003772; classtype:web-application-attack; sid:2003772; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-Annu SQL Injection Attempt -- home.php a DELETE"; flow:established,to_server; content:"/home.php?"; nocase; http_uri; content:"a="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2416; reference:url,www.securityfocus.com/bid/23727; reference:url,doc.emergingthreats.net/2003773; classtype:web-application-attack; sid:2003773; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-Annu SQL Injection Attempt -- home.php a ASCII"; flow:established,to_server; content:"/home.php?"; nocase; http_uri; content:"a="; nocase; http_uri; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2416; reference:url,www.securityfocus.com/bid/23727; reference:url,doc.emergingthreats.net/2003774; classtype:web-application-attack; sid:2003774; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-Annu SQL Injection Attempt -- home.php a UPDATE"; flow:established,to_server; content:"/home.php?"; nocase; http_uri; content:"a="; nocase; http_uri; content:"UPDATE"; nocase; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2416; reference:url,www.securityfocus.com/bid/23727; reference:url,doc.emergingthreats.net/2003775; classtype:web-application-attack; sid:2003775; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-Gads Remote Inclusion Attempt -- common.php locale"; flow:established,to_server; content:"/common.php?"; nocase; http_uri; content:"locale="; nocase; http_uri; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2521; reference:url,www.milw0rm.com/exploits/3846; reference:url,doc.emergingthreats.net/2003682; classtype:web-application-attack; sid:2003682; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-Shop Shopping Cart Script search_results.php SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/search_results.php?cid="; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,30692; reference:url,doc.emergingthreats.net/2008684; classtype:web-application-attack; sid:2008684; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ECShop user.php order_sn Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/user.php?"; nocase; uricontent:"act=order_query"; nocase; uricontent:"order_sn="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,34733; reference:url,milw0rm.com/exploits/8548; reference:url,doc.emergingthreats.net/2009716; classtype:web-application-attack; sid:2009716; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EQdkp XSS Attempt -- listmembers.php show"; flow:established,to_server; content:"/listmembers.php?"; nocase; http_uri; content:"show="; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2716; reference:url,www.securityfocus.com/bid/23951; reference:url,doc.emergingthreats.net/2003876; classtype:web-application-attack; sid:2003876; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EQdkp XSS Attempt -- stats.php show"; flow:established,to_server; content:"/stats.php?"; nocase; http_uri; content:"show="; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2716; reference:url,www.securityfocus.com/bid/23951; reference:url,doc.emergingthreats.net/2003877; classtype:web-application-attack; sid:2003877; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank SELECT"; flow:established,to_server; content:"/listmembers.php?"; nocase; http_uri; content:"rank="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3077; reference:url,www.milw0rm.com/exploits/4030; reference:url,doc.emergingthreats.net/2004624; classtype:web-application-attack; sid:2004624; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank UNION SELECT"; flow:established,to_server; content:"/listmembers.php?"; nocase; http_uri; content:"rank="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3077; reference:url,www.milw0rm.com/exploits/4030; reference:url,doc.emergingthreats.net/2004625; classtype:web-application-attack; sid:2004625; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank INSERT"; flow:established,to_server; content:"/listmembers.php?"; nocase; http_uri; content:"rank="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3077; reference:url,www.milw0rm.com/exploits/4030; reference:url,doc.emergingthreats.net/2004626; classtype:web-application-attack; sid:2004626; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank DELETE"; flow:established,to_server; content:"/listmembers.php?"; nocase; http_uri; content:"rank="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3077; reference:url,www.milw0rm.com/exploits/4030; reference:url,doc.emergingthreats.net/2004627; classtype:web-application-attack; sid:2004627; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank ASCII"; flow:established,to_server; content:"/listmembers.php?"; nocase; http_uri; content:"rank="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3077; reference:url,www.milw0rm.com/exploits/4030; reference:url,doc.emergingthreats.net/2004628; classtype:web-application-attack; sid:2004628; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank UPDATE"; flow:established,to_server; content:"/listmembers.php?"; nocase; http_uri; content:"rank="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3077; reference:url,www.milw0rm.com/exploits/4030; reference:url,doc.emergingthreats.net/2004629; classtype:web-application-attack; sid:2004629; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EZPX photoblog tpl_base_dir Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/application/views/public/commentform.php?"; nocase; http_uri; content:"tpl_base_dir="; nocase; http_uri; pcre:"/tpl_base_dir=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/13890/; reference:url,vupen.com/english/advisories/2010/1497; reference:bugtraq,40881; reference:url,doc.emergingthreats.net/2011725; classtype:web-application-attack; sid:2011725; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword SELECT"; flow:established,to_server; content:"/admin/memberlist.php?"; nocase; http_uri; content:"keyword="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0403; reference:url,www.securityfocus.com/archive/1/archive/1/457506/100/0/threaded; reference:url,doc.emergingthreats.net/2005268; classtype:web-application-attack; sid:2005268; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword UNION SELECT"; flow:established,to_server; content:"/admin/memberlist.php?"; nocase; http_uri; content:"keyword="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0403; reference:url,www.securityfocus.com/archive/1/archive/1/457506/100/0/threaded; reference:url,doc.emergingthreats.net/2005269; classtype:web-application-attack; sid:2005269; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword INSERT"; flow:established,to_server; content:"/admin/memberlist.php?"; nocase; http_uri; content:"keyword="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0403; reference:url,www.securityfocus.com/archive/1/archive/1/457506/100/0/threaded; reference:url,doc.emergingthreats.net/2005270; classtype:web-application-attack; sid:2005270; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword DELETE"; flow:established,to_server; content:"/admin/memberlist.php?"; nocase; http_uri; content:"keyword="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0403; reference:url,www.securityfocus.com/archive/1/archive/1/457506/100/0/threaded; reference:url,doc.emergingthreats.net/2005271; classtype:web-application-attack; sid:2005271; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword ASCII"; flow:established,to_server; content:"/admin/memberlist.php?"; nocase; http_uri; content:"keyword="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0403; reference:url,www.securityfocus.com/archive/1/archive/1/457506/100/0/threaded; reference:url,doc.emergingthreats.net/2005272; classtype:web-application-attack; sid:2005272; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword UPDATE"; flow:established,to_server; content:"/admin/memberlist.php?"; nocase; http_uri; content:"keyword="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0403; reference:url,www.securityfocus.com/archive/1/archive/1/457506/100/0/threaded; reference:url,doc.emergingthreats.net/2005273; classtype:web-application-attack; sid:2005273; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row SELECT"; flow:established,to_server; content:"/admin/memberlist.php?"; nocase; http_uri; content:"init_row="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0401; reference:url,www.securityfocus.com/archive/1/archive/1/457505/100/0/threaded; reference:url,doc.emergingthreats.net/2005274; classtype:web-application-attack; sid:2005274; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row UNION SELECT"; flow:established,to_server; content:"/admin/memberlist.php?"; nocase; http_uri; content:"init_row="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0401; reference:url,www.securityfocus.com/archive/1/archive/1/457505/100/0/threaded; reference:url,doc.emergingthreats.net/2005275; classtype:web-application-attack; sid:2005275; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row INSERT"; flow:established,to_server; content:"/admin/memberlist.php?"; nocase; http_uri; content:"init_row="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0401; reference:url,www.securityfocus.com/archive/1/archive/1/457505/100/0/threaded; reference:url,doc.emergingthreats.net/2005276; classtype:web-application-attack; sid:2005276; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row DELETE"; flow:established,to_server; content:"/admin/memberlist.php?"; nocase; http_uri; content:"init_row="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0401; reference:url,www.securityfocus.com/archive/1/archive/1/457505/100/0/threaded; reference:url,doc.emergingthreats.net/2005277; classtype:web-application-attack; sid:2005277; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row ASCII"; flow:established,to_server; content:"/admin/memberlist.php?"; nocase; http_uri; content:"init_row="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0401; reference:url,www.securityfocus.com/archive/1/archive/1/457505/100/0/threaded; reference:url,doc.emergingthreats.net/2005278; classtype:web-application-attack; sid:2005278; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row UPDATE"; flow:established,to_server; content:"/admin/memberlist.php?"; nocase; http_uri; content:"init_row="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0401; reference:url,www.securityfocus.com/archive/1/archive/1/457505/100/0/threaded; reference:url,doc.emergingthreats.net/2005279; classtype:web-application-attack; sid:2005279; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Easyedit CMS page.php intpageID parameter sql injection"; flow:to_server,established; content:"GET"; http_method; content:"/page.php?"; nocase; http_uri; content:"intPageID="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/32822/; reference:url,packetstormsecurity.org/0811-exploits/easyeditcms-sql.txt; reference:url,doc.emergingthreats.net/2008883; classtype:web-application-attack; sid:2008883; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Easyedit CMS subcategory.php intSubCategoryID parameter sql injection"; flow:to_server,established; content:"GET"; http_method; content:"subcategory.php?"; nocase; http_uri; content:"intSubCategoryID="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/32822/; reference:url,packetstormsecurity.org/0811-exploits/easyeditcms-sql.txt; reference:url,doc.emergingthreats.net/2008884; classtype:web-application-attack; sid:2008884; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Easyedit CMS news.php intPageID parameter sql injection"; flow:to_server,established; content:"GET"; http_method; content:"news.php?"; nocase; http_uri; content:"intPageID="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/32822/; reference:url,packetstormsecurity.org/0811-exploits/easyeditcms-sql.txt; reference:url,doc.emergingthreats.net/2008885; classtype:web-application-attack; sid:2008885; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i SELECT"; flow:established,to_server; content:"/add_comment.php?"; nocase; http_uri; content:"i="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005039; classtype:web-application-attack; sid:2005039; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i UNION SELECT"; flow:established,to_server; content:"/add_comment.php?"; nocase; http_uri; content:"i="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005040; classtype:web-application-attack; sid:2005040; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i INSERT"; flow:established,to_server; content:"/add_comment.php?"; nocase; http_uri; content:"i="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005041; classtype:web-application-attack; sid:2005041; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i DELETE"; flow:established,to_server; content:"/add_comment.php?"; nocase; http_uri; content:"i="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005042; classtype:web-application-attack; sid:2005042; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i ASCII"; flow:established,to_server; content:"/add_comment.php?"; nocase; http_uri; content:"i="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005043; classtype:web-application-attack; sid:2005043; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i UPDATE"; flow:established,to_server; content:"/add_comment.php?"; nocase; http_uri; content:"i="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005045; classtype:web-application-attack; sid:2005045; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id SELECT"; flow:established,to_server; content:"/add_comment.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005044; classtype:web-application-attack; sid:2005044; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id UNION SELECT"; flow:established,to_server; content:"/add_comment.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005046; classtype:web-application-attack; sid:2005046; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id INSERT"; flow:established,to_server; content:"/add_comment.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005047; classtype:web-application-attack; sid:2005047; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id DELETE"; flow:established,to_server; content:"/add_comment.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005048; classtype:web-application-attack; sid:2005048; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id ASCII"; flow:established,to_server; content:"/add_comment.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005049; classtype:web-application-attack; sid:2005049; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id UPDATE"; flow:established,to_server; content:"/add_comment.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005050; classtype:web-application-attack; sid:2005050; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i SELECT"; flow:established,to_server; content:"/list_comments.php?"; nocase; http_uri; content:"i="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005051; classtype:web-application-attack; sid:2005051; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i UNION SELECT"; flow:established,to_server; content:"/list_comments.php?"; nocase; http_uri; content:"i="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005052; classtype:web-application-attack; sid:2005052; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i INSERT"; flow:established,to_server; content:"/list_comments.php?"; nocase; http_uri; content:"i="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005053; classtype:web-application-attack; sid:2005053; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i DELETE"; flow:established,to_server; content:"/list_comments.php?"; nocase; http_uri; content:"i="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005054; classtype:web-application-attack; sid:2005054; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i ASCII"; flow:established,to_server; content:"/list_comments.php?"; nocase; http_uri; content:"i="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005055; classtype:web-application-attack; sid:2005055; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i UPDATE"; flow:established,to_server; content:"/list_comments.php?"; nocase; http_uri; content:"i="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005056; classtype:web-application-attack; sid:2005056; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId SELECT"; flow:established,to_server; content:"/sptrees/default.aspx?"; nocase; http_uri; content:"docId="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6486; reference:url,www.securityfocus.com/archive/1/archive/1/453586/100/100/threaded; reference:url,doc.emergingthreats.net/2006554; classtype:web-application-attack; sid:2006554; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId UNION SELECT"; flow:established,to_server; content:"/sptrees/default.aspx?"; nocase; http_uri; content:"docId="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6486; reference:url,www.securityfocus.com/archive/1/archive/1/453586/100/100/threaded; reference:url,doc.emergingthreats.net/2006555; classtype:web-application-attack; sid:2006555; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId INSERT"; flow:established,to_server; content:"/sptrees/default.aspx?"; nocase; http_uri; content:"docId="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6486; reference:url,www.securityfocus.com/archive/1/archive/1/453586/100/100/threaded; reference:url,doc.emergingthreats.net/2006556; classtype:web-application-attack; sid:2006556; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId DELETE"; flow:established,to_server; content:"/sptrees/default.aspx?"; nocase; http_uri; content:"docId="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6486; reference:url,www.securityfocus.com/archive/1/archive/1/453586/100/100/threaded; reference:url,doc.emergingthreats.net/2006557; classtype:web-application-attack; sid:2006557; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId ASCII"; flow:established,to_server; content:"/sptrees/default.aspx?"; nocase; http_uri; content:"docId="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6486; reference:url,www.securityfocus.com/archive/1/archive/1/453586/100/100/threaded; reference:url,doc.emergingthreats.net/2006558; classtype:web-application-attack; sid:2006558; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId UPDATE"; flow:established,to_server; content:"/sptrees/default.aspx?"; nocase; http_uri; content:"docId="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6486; reference:url,www.securityfocus.com/archive/1/archive/1/453586/100/100/threaded; reference:url,doc.emergingthreats.net/2006559; classtype:web-application-attack; sid:2006559; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasySiteNetwork Riddles Complete Website riddle.php riddleid Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/riddle.php?"; nocase; http_uri; content:"riddleid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,29966; reference:url,milw0rm.com/exploits/5946; reference:url,doc.emergingthreats.net/2009366; classtype:web-application-attack; sid:2009366; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Easynet4u Link Host directory.php cat_id parameter SQL Injection"; flow:established,to_server; content:"GET"; http_method; content:"/directory.php?"; nocase; http_uri; content:"ax=list"; nocase; http_uri; content:"cat_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,31717; reference:url,www.milw0rm.com/exploits/6728; reference:url,doc.emergingthreats.net/2009117; classtype:web-application-attack; sid:2009117; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"qid="; nocase; http_uri; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0663; reference:url,www.frsirt.com/english/advisories/2007/0424; reference:url,doc.emergingthreats.net/2005087; classtype:web-application-attack; sid:2005087; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"qid="; nocase; http_uri; fast_pattern; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0663; reference:url,www.frsirt.com/english/advisories/2007/0424; reference:url,doc.emergingthreats.net/2005088; classtype:web-application-attack; sid:2005088; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"qid="; nocase; http_uri; fast_pattern; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0663; reference:url,www.frsirt.com/english/advisories/2007/0424; reference:url,doc.emergingthreats.net/2005089; classtype:web-application-attack; sid:2005089; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"qid="; nocase; http_uri; fast_pattern; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0663; reference:url,www.frsirt.com/english/advisories/2007/0424; reference:url,doc.emergingthreats.net/2005090; classtype:web-application-attack; sid:2005090; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"qid="; nocase; http_uri; fast_pattern; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0663; reference:url,www.frsirt.com/english/advisories/2007/0424; reference:url,doc.emergingthreats.net/2005091; classtype:web-application-attack; sid:2005091; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"qid="; nocase; http_uri; fast_pattern; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0663; reference:url,www.frsirt.com/english/advisories/2007/0424; reference:url,doc.emergingthreats.net/2005092; classtype:web-application-attack; sid:2005092; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0631; reference:url,www.milw0rm.com/exploits/3227; reference:url,doc.emergingthreats.net/2005111; classtype:web-application-attack; sid:2005111; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; fast_pattern; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0631; reference:url,www.milw0rm.com/exploits/3227; reference:url,doc.emergingthreats.net/2005112; classtype:web-application-attack; sid:2005112; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; fast_pattern; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0631; reference:url,www.milw0rm.com/exploits/3227; reference:url,doc.emergingthreats.net/2005113; classtype:web-application-attack; sid:2005113; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; fast_pattern; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0631; reference:url,www.milw0rm.com/exploits/3227; reference:url,doc.emergingthreats.net/2005114; classtype:web-application-attack; sid:2005114; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; fast_pattern; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0631; reference:url,www.milw0rm.com/exploits/3227; reference:url,doc.emergingthreats.net/2005115; classtype:web-application-attack; sid:2005115; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; fast_pattern; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0631; reference:url,www.milw0rm.com/exploits/3227; reference:url,doc.emergingthreats.net/2005116; classtype:web-application-attack; sid:2005116; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup SELECT"; flow:established,to_server; content:"/admin.asp?"; nocase; http_uri; content:"grup="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005985; classtype:web-application-attack; sid:2005985; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup UNION SELECT"; flow:established,to_server; content:"/admin.asp?"; nocase; http_uri; content:"grup="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005986; classtype:web-application-attack; sid:2005986; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup INSERT"; flow:established,to_server; content:"/admin.asp?"; nocase; http_uri; content:"grup="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005987; classtype:web-application-attack; sid:2005987; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup DELETE"; flow:established,to_server; content:"/admin.asp?"; nocase; http_uri; content:"grup="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005988; classtype:web-application-attack; sid:2005988; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup ASCII"; flow:established,to_server; content:"/admin.asp?"; nocase; http_uri; content:"grup="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005989; classtype:web-application-attack; sid:2005989; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup UPDATE"; flow:established,to_server; content:"/admin.asp?"; nocase; http_uri; content:"grup="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005990; classtype:web-application-attack; sid:2005990; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005991; classtype:web-application-attack; sid:2005991; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id UNION SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005992; classtype:web-application-attack; sid:2005992; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id INSERT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005993; classtype:web-application-attack; sid:2005993; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id DELETE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005994; classtype:web-application-attack; sid:2005994; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id ASCII"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005995; classtype:web-application-attack; sid:2005995; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id UPDATE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005996; classtype:web-application-attack; sid:2005996; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id SELECT"; flow:established,to_server; content:"/admin.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005997; classtype:web-application-attack; sid:2005997; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id UNION SELECT"; flow:established,to_server; content:"/admin.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005998; classtype:web-application-attack; sid:2005998; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id INSERT"; flow:established,to_server; content:"/admin.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005999; classtype:web-application-attack; sid:2005999; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id DELETE"; flow:established,to_server; content:"/admin.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2006000; classtype:web-application-attack; sid:2006000; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id ASCII"; flow:established,to_server; content:"/admin.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2006001; classtype:web-application-attack; sid:2006001; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id UPDATE"; flow:established,to_server; content:"/admin.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2006002; classtype:web-application-attack; sid:2006002; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"grup="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6794; reference:url,www.securityfocus.com/bid/21726; reference:url,doc.emergingthreats.net/2006159; classtype:web-application-attack; sid:2006159; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup UNION SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"grup="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6794; reference:url,www.securityfocus.com/bid/21726; reference:url,doc.emergingthreats.net/2006160; classtype:web-application-attack; sid:2006160; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup INSERT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"grup="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6794; reference:url,www.securityfocus.com/bid/21726; reference:url,doc.emergingthreats.net/2006161; classtype:web-application-attack; sid:2006161; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup DELETE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"grup="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6794; reference:url,www.securityfocus.com/bid/21726; reference:url,doc.emergingthreats.net/2006162; classtype:web-application-attack; sid:2006162; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup ASCII"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"grup="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6794; reference:url,www.securityfocus.com/bid/21726; reference:url,doc.emergingthreats.net/2006163; classtype:web-application-attack; sid:2006163; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup UPDATE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"grup="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6794; reference:url,www.securityfocus.com/bid/21726; reference:url,doc.emergingthreats.net/2006164; classtype:web-application-attack; sid:2006164; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ektron CMS400.NET reterror.aspx info Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/WorkArea/reterror.aspx?"; nocase; http_uri; content:"info="; nocase; http_uri; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,39679; reference:url,secunia.com/advisories/39547/; reference:url,doc.emergingthreats.net/2011153; classtype:web-application-attack; sid:2011153; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ektron CMS400.NET medialist.aspx selectids Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/workarea/medialist.aspx?"; nocase; http_uri; content:"selectids="; nocase; http_uri; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,39679; reference:url,secunia.com/advisories/39547/; reference:url,doc.emergingthreats.net/2011154; classtype:web-application-attack; sid:2011154; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php SELECT"; flow:established,to_server; content:"/mod_banners.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3250; reference:url,www.securityfocus.com/bid/24478; reference:url,doc.emergingthreats.net/2006449; classtype:web-application-attack; sid:2006449; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php UNION SELECT"; flow:established,to_server; content:"/mod_banners.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3250; reference:url,www.securityfocus.com/bid/24478; reference:url,doc.emergingthreats.net/2006450; classtype:web-application-attack; sid:2006450; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php INSERT"; flow:established,to_server; content:"/mod_banners.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3250; reference:url,www.securityfocus.com/bid/24478; reference:url,doc.emergingthreats.net/2006451; classtype:web-application-attack; sid:2006451; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php DELETE"; flow:established,to_server; content:"/mod_banners.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3250; reference:url,www.securityfocus.com/bid/24478; reference:url,doc.emergingthreats.net/2006452; classtype:web-application-attack; sid:2006452; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php ASCII"; flow:established,to_server; content:"/mod_banners.php?"; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3250; reference:url,www.securityfocus.com/bid/24478; reference:url,doc.emergingthreats.net/2006453; classtype:web-application-attack; sid:2006453; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php UPDATE"; flow:established,to_server; content:"/mod_banners.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3250; reference:url,www.securityfocus.com/bid/24478; reference:url,doc.emergingthreats.net/2006454; classtype:web-application-attack; sid:2006454; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID SELECT"; flow:established,to_server; content:"/newsdetail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6806; reference:url,www.milw0rm.com/exploits/2990; reference:url,doc.emergingthreats.net/2006135; classtype:web-application-attack; sid:2006135; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID UNION SELECT"; flow:established,to_server; content:"/newsdetail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6806; reference:url,www.milw0rm.com/exploits/2990; reference:url,doc.emergingthreats.net/2006136; classtype:web-application-attack; sid:2006136; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID INSERT"; flow:established,to_server; content:"/newsdetail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6806; reference:url,www.milw0rm.com/exploits/2990; reference:url,doc.emergingthreats.net/2006137; classtype:web-application-attack; sid:2006137; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID DELETE"; flow:established,to_server; content:"/newsdetail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6806; reference:url,www.milw0rm.com/exploits/2990; reference:url,doc.emergingthreats.net/2006138; classtype:web-application-attack; sid:2006138; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID ASCII"; flow:established,to_server; content:"/newsdetail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6806; reference:url,www.milw0rm.com/exploits/2990; reference:url,doc.emergingthreats.net/2006139; classtype:web-application-attack; sid:2006139; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID UPDATE"; flow:established,to_server; content:"/newsdetail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6806; reference:url,www.milw0rm.com/exploits/2990; reference:url,doc.emergingthreats.net/2006140; classtype:web-application-attack; sid:2006140; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id SELECT"; flow:established,to_server; content:"/Types.asp?"; nocase; http_uri; content:"Type_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6803; reference:url,www.milw0rm.com/exploits/2989; reference:url,doc.emergingthreats.net/2006147; classtype:web-application-attack; sid:2006147; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id UNION SELECT"; flow:established,to_server; content:"/Types.asp?"; nocase; http_uri; content:"Type_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6803; reference:url,www.milw0rm.com/exploits/2989; reference:url,doc.emergingthreats.net/2006148; classtype:web-application-attack; sid:2006148; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id INSERT"; flow:established,to_server; content:"/Types.asp?"; nocase; http_uri; content:"Type_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6803; reference:url,www.milw0rm.com/exploits/2989; reference:url,doc.emergingthreats.net/2006149; classtype:web-application-attack; sid:2006149; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id DELETE"; flow:established,to_server; content:"/Types.asp?"; nocase; http_uri; content:"Type_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6803; reference:url,www.milw0rm.com/exploits/2989; reference:url,doc.emergingthreats.net/2006150; classtype:web-application-attack; sid:2006150; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id ASCII"; flow:established,to_server; content:"/Types.asp?"; nocase; http_uri; content:"Type_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6803; reference:url,www.milw0rm.com/exploits/2989; reference:url,doc.emergingthreats.net/2006151; classtype:web-application-attack; sid:2006151; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id UPDATE"; flow:established,to_server; content:"/Types.asp?"; nocase; http_uri; content:"Type_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6803; reference:url,www.milw0rm.com/exploits/2989; reference:url,doc.emergingthreats.net/2006152; classtype:web-application-attack; sid:2006152; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID SELECT"; flow:established,to_server; content:"/actualpic.asp?"; nocase; http_uri; content:"Biz_ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6802; reference:url,www.milw0rm.com/exploits/2991; reference:url,doc.emergingthreats.net/2006153; classtype:web-application-attack; sid:2006153; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID UNION SELECT"; flow:established,to_server; content:"/actualpic.asp?"; nocase; http_uri; content:"Biz_ID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6802; reference:url,www.milw0rm.com/exploits/2991; reference:url,doc.emergingthreats.net/2006154; classtype:web-application-attack; sid:2006154; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID INSERT"; flow:established,to_server; content:"/actualpic.asp?"; nocase; http_uri; content:"Biz_ID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6802; reference:url,www.milw0rm.com/exploits/2991; reference:url,doc.emergingthreats.net/2006155; classtype:web-application-attack; sid:2006155; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID DELETE"; flow:established,to_server; content:"/actualpic.asp?"; nocase; http_uri; content:"Biz_ID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6802; reference:url,www.milw0rm.com/exploits/2991; reference:url,doc.emergingthreats.net/2006156; classtype:web-application-attack; sid:2006156; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID ASCII"; flow:established,to_server; content:"/actualpic.asp?"; nocase; http_uri; content:"Biz_ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6802; reference:url,www.milw0rm.com/exploits/2991; reference:url,doc.emergingthreats.net/2006157; classtype:web-application-attack; sid:2006157; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID UPDATE"; flow:established,to_server; content:"/actualpic.asp?"; nocase; http_uri; content:"Biz_ID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6802; reference:url,www.milw0rm.com/exploits/2991; reference:url,doc.emergingthreats.net/2006158; classtype:web-application-attack; sid:2006158; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID SELECT"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"AD_ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007042; classtype:web-application-attack; sid:2007042; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID UNION SELECT"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"AD_ID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007043; classtype:web-application-attack; sid:2007043; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID INSERT"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"AD_ID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007044; classtype:web-application-attack; sid:2007044; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID DELETE"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"AD_ID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007045; classtype:web-application-attack; sid:2007045; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID ASCII"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"AD_ID="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007046; classtype:web-application-attack; sid:2007046; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID UPDATE"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"AD_ID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007047; classtype:web-application-attack; sid:2007047; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id SELECT"; flow:established,to_server; uricontent:"/ad.asp?"; nocase; uricontent:"cat_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007048; classtype:web-application-attack; sid:2007048; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id UNION SELECT"; flow:established,to_server; uricontent:"/ad.asp?"; nocase; uricontent:"cat_id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007059; classtype:web-application-attack; sid:2007059; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id INSERT"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"cat_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007050; classtype:web-application-attack; sid:2007050; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id DELETE"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"cat_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007051; classtype:web-application-attack; sid:2007051; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id ASCII"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"cat_id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007052; classtype:web-application-attack; sid:2007052; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id UPDATE"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"cat_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007053; classtype:web-application-attack; sid:2007053; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id SELECT"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"sub_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007054; classtype:web-application-attack; sid:2007054; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id UNION SELECT"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"sub_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007055; classtype:web-application-attack; sid:2007055; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id INSERT"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"sub_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007056; classtype:web-application-attack; sid:2007056; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id DELETE"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"sub_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007057; classtype:web-application-attack; sid:2007057; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id ASCII"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"sub_id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007058; classtype:web-application-attack; sid:2007058; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id UPDATE"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"sub_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007049; classtype:web-application-attack; sid:2007049; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid SELECT"; flow:established,to_server; content:"/dircat.asp?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007030; classtype:web-application-attack; sid:2007030; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid UNION SELECT"; flow:established,to_server; content:"/dircat.asp?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007031; classtype:web-application-attack; sid:2007031; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid INSERT"; flow:established,to_server; content:"/dircat.asp?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007032; classtype:web-application-attack; sid:2007032; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid DELETE"; flow:established,to_server; content:"/dircat.asp?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007033; classtype:web-application-attack; sid:2007033; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid ASCII"; flow:established,to_server; content:"/dircat.asp?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007034; classtype:web-application-attack; sid:2007034; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid UPDATE"; flow:established,to_server; content:"/dircat.asp?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007035; classtype:web-application-attack; sid:2007035; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid SELECT"; flow:established,to_server; content:"/dirSub.asp?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007036; classtype:web-application-attack; sid:2007036; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid UNION SELECT"; flow:established,to_server; content:"/dirSub.asp?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007037; classtype:web-application-attack; sid:2007037; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid INSERT"; flow:established,to_server; content:"/dirSub.asp?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007038; classtype:web-application-attack; sid:2007038; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid DELETE"; flow:established,to_server; content:"/dirSub.asp?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007039; classtype:web-application-attack; sid:2007039; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid ASCII"; flow:established,to_server; content:"/dirSub.asp?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007040; classtype:web-application-attack; sid:2007040; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid UPDATE"; flow:established,to_server; content:"/dirSub.asp?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007041; classtype:web-application-attack; sid:2007041; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid SELECT"; flow:established,to_server; content:"/dircat.asp?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007076; classtype:web-application-attack; sid:2007076; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid UNION SELECT"; flow:established,to_server; content:"/dircat.asp?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007077; classtype:web-application-attack; sid:2007077; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid INSERT"; flow:established,to_server; content:"/dircat.asp?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007078; classtype:web-application-attack; sid:2007078; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid DELETE"; flow:established,to_server; content:"/dircat.asp?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007079; classtype:web-application-attack; sid:2007079; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid ASCII"; flow:established,to_server; content:"/dircat.asp?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007080; classtype:web-application-attack; sid:2007080; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid UPDATE"; flow:established,to_server; content:"/dircat.asp?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007081; classtype:web-application-attack; sid:2007081; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid SELECT"; flow:established,to_server; content:"/dirSub.asp?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007082; classtype:web-application-attack; sid:2007082; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid UNION SELECT"; flow:established,to_server; content:"/dirSub.asp?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007083; classtype:web-application-attack; sid:2007083; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid INSERT"; flow:established,to_server; content:"/dirSub.asp?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007084; classtype:web-application-attack; sid:2007084; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid DELETE"; flow:established,to_server; content:"/dirSub.asp?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007085; classtype:web-application-attack; sid:2007085; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid ASCII"; flow:established,to_server; content:"/dirSub.asp?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007086; classtype:web-application-attack; sid:2007086; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid UPDATE"; flow:established,to_server; content:"/dirSub.asp?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007087; classtype:web-application-attack; sid:2007087; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID SELECT"; flow:established,to_server; content:"/types.asp?"; nocase; http_uri; content:"TYPE_ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007088; classtype:web-application-attack; sid:2007088; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID UNION SELECT"; flow:established,to_server; content:"/types.asp?"; nocase; http_uri; content:"TYPE_ID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007089; classtype:web-application-attack; sid:2007089; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID INSERT"; flow:established,to_server; content:"/types.asp?"; nocase; http_uri; content:"TYPE_ID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007090; classtype:web-application-attack; sid:2007090; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID DELETE"; flow:established,to_server; content:"/types.asp?"; nocase; http_uri; content:"TYPE_ID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007091; classtype:web-application-attack; sid:2007091; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID ASCII"; flow:established,to_server; content:"/types.asp?"; nocase; http_uri; content:"TYPE_ID="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007092; classtype:web-application-attack; sid:2007092; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID UPDATE"; flow:established,to_server; content:"/types.asp?"; nocase; http_uri; content:"TYPE_ID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007093; classtype:web-application-attack; sid:2007093; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID SELECT"; flow:established,to_server; content:"/homeDetail.asp?"; nocase; http_uri; content:"AD_ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007094; classtype:web-application-attack; sid:2007094; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID UNION SELECT"; flow:established,to_server; content:"/homeDetail.asp?"; nocase; http_uri; content:"AD_ID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007095; classtype:web-application-attack; sid:2007095; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID INSERT"; flow:established,to_server; content:"/homeDetail.asp?"; nocase; http_uri; content:"AD_ID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007096; classtype:web-application-attack; sid:2007096; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID DELETE"; flow:established,to_server; content:"/homeDetail.asp?"; nocase; http_uri; content:"AD_ID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007097; classtype:web-application-attack; sid:2007097; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID ASCII"; flow:established,to_server; content:"/homeDetail.asp?"; nocase; http_uri; content:"AD_ID="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007098; classtype:web-application-attack; sid:2007098; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID UPDATE"; flow:established,to_server; content:"/homeDetail.asp?"; nocase; http_uri; content:"AD_ID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007099; classtype:web-application-attack; sid:2007099; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat SELECT"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007100; classtype:web-application-attack; sid:2007100; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat UNION SELECT"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007101; classtype:web-application-attack; sid:2007101; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat INSERT"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007102; classtype:web-application-attack; sid:2007102; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat DELETE"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007103; classtype:web-application-attack; sid:2007103; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat ASCII"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007104; classtype:web-application-attack; sid:2007104; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat UPDATE"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007105; classtype:web-application-attack; sid:2007105; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare SELECT"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"compare="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007106; classtype:web-application-attack; sid:2007106; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare UNION SELECT"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"compare="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007107; classtype:web-application-attack; sid:2007107; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare INSERT"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"compare="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007108; classtype:web-application-attack; sid:2007108; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare DELETE"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"compare="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007109; classtype:web-application-attack; sid:2007109; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare ASCII"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"compare="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007110; classtype:web-application-attack; sid:2007110; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare UPDATE"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"compare="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007111; classtype:web-application-attack; sid:2007111; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear SELECT"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"clear="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007112; classtype:web-application-attack; sid:2007112; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear UNION SELECT"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"clear="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007113; classtype:web-application-attack; sid:2007113; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear INSERT"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"clear="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007114; classtype:web-application-attack; sid:2007114; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear DELETE"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"clear="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007115; classtype:web-application-attack; sid:2007115; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear ASCII"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"clear="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007116; classtype:web-application-attack; sid:2007116; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear UPDATE"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"clear="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007117; classtype:web-application-attack; sid:2007117; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID SELECT"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"adID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007118; classtype:web-application-attack; sid:2007118; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID UNION SELECT"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"adID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007119; classtype:web-application-attack; sid:2007119; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID INSERT"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"adID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007120; classtype:web-application-attack; sid:2007120; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID DELETE"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"adID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007121; classtype:web-application-attack; sid:2007121; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID ASCII"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"adID="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007122; classtype:web-application-attack; sid:2007122; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID UPDATE"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"adID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007123; classtype:web-application-attack; sid:2007123; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice SELECT"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"aminprice="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007124; classtype:web-application-attack; sid:2007124; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice UNION SELECT"; flow:established,to_server; uricontent:"/result.asp?"; nocase; uricontent:"aminprice="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007125; classtype:web-application-attack; sid:2007125; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice INSERT"; flow:established,to_server; uricontent:"/result.asp?"; nocase; uricontent:"aminprice="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007126; classtype:web-application-attack; sid:2007126; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice DELETE"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"aminprice="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007127; classtype:web-application-attack; sid:2007127; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice ASCII"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"aminprice="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007128; classtype:web-application-attack; sid:2007128; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice UPDATE"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"aminprice="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007129; classtype:web-application-attack; sid:2007129; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice SELECT"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"amaxprice="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007130; classtype:web-application-attack; sid:2007130; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice UNION SELECT"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"amaxprice="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007131; classtype:web-application-attack; sid:2007131; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice INSERT"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"amaxprice="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007132; classtype:web-application-attack; sid:2007132; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice DELETE"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"amaxprice="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007133; classtype:web-application-attack; sid:2007133; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice ASCII"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"amaxprice="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007134; classtype:web-application-attack; sid:2007134; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice UPDATE"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"amaxprice="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007135; classtype:web-application-attack; sid:2007135; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms SELECT"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"abedrooms="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007136; classtype:web-application-attack; sid:2007136; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms UNION SELECT"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"abedrooms="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007137; classtype:web-application-attack; sid:2007137; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms INSERT"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"abedrooms="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007138; classtype:web-application-attack; sid:2007138; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms DELETE"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"abedrooms="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007139; classtype:web-application-attack; sid:2007139; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms ASCII"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"abedrooms="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007140; classtype:web-application-attack; sid:2007140; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms UPDATE"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"abedrooms="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007141; classtype:web-application-attack; sid:2007141; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat SELECT"; flow:established,to_server; content:"/show_owned.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005256; classtype:web-application-attack; sid:2005256; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat UNION SELECT"; flow:established,to_server; content:"/show_owned.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005257; classtype:web-application-attack; sid:2005257; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat INSERT"; flow:established,to_server; content:"/show_owned.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005258; classtype:web-application-attack; sid:2005258; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat DELETE"; flow:established,to_server; content:"/show_owned.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005259; classtype:web-application-attack; sid:2005259; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat ASCII"; flow:established,to_server; content:"/show_owned.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005260; classtype:web-application-attack; sid:2005260; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat UPDATE"; flow:established,to_server; content:"/show_owned.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005261; classtype:web-application-attack; sid:2005261; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat SELECT"; flow:established,to_server; content:"/show_joined.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005262; classtype:web-application-attack; sid:2005262; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat UNION SELECT"; flow:established,to_server; content:"/show_joined.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005263; classtype:web-application-attack; sid:2005263; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat INSERT"; flow:established,to_server; content:"/show_joined.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005264; classtype:web-application-attack; sid:2005264; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat DELETE"; flow:established,to_server; content:"/show_joined.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005265; classtype:web-application-attack; sid:2005265; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat ASCII"; flow:established,to_server; content:"/show_joined.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005266; classtype:web-application-attack; sid:2005266; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat UPDATE"; flow:established,to_server; content:"/show_joined.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005267; classtype:web-application-attack; sid:2005267; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthusiast path parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/show_joined.php?"; nocase; http_uri; content:"path="; nocase; http_uri; pcre:"/(\.\.\/){1,}/U"; reference:url,secunia.com/advisories/32628/; reference:url,bugreport.ir/index_57.htm; reference:url,doc.emergingthreats.net/2008832; classtype:web-application-attack; sid:2008832; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthusiast path parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/show_joined.php?"; nocase; http_uri; content:"path="; nocase; http_uri; pcre:"/path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/32628/; reference:url,bugreport.ir/index_57.htm; reference:url,doc.emergingthreats.net/2008833; classtype:web-application-attack; sid:2008833; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user SELECT"; flow:established,to_server; content:"/administration/administre2.php?"; nocase; http_uri; content:"id_user="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6716; reference:url,www.milw0rm.com/exploits/2945; reference:url,doc.emergingthreats.net/2006219; classtype:web-application-attack; sid:2006219; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user UNION SELECT"; flow:established,to_server; content:"/administration/administre2.php?"; nocase; http_uri; content:"id_user="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6716; reference:url,www.milw0rm.com/exploits/2945; reference:url,doc.emergingthreats.net/2006220; classtype:web-application-attack; sid:2006220; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user INSERT"; flow:established,to_server; content:"/administration/administre2.php?"; nocase; http_uri; content:"id_user="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6716; reference:url,www.milw0rm.com/exploits/2945; reference:url,doc.emergingthreats.net/2006221; classtype:web-application-attack; sid:2006221; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user DELETE"; flow:established,to_server; content:"/administration/administre2.php?"; nocase; http_uri; content:"id_user="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6716; reference:url,www.milw0rm.com/exploits/2945; reference:url,doc.emergingthreats.net/2006222; classtype:web-application-attack; sid:2006222; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user ASCII"; flow:established,to_server; content:"/administration/administre2.php?"; nocase; http_uri; content:"id_user="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6716; reference:url,www.milw0rm.com/exploits/2945; reference:url,doc.emergingthreats.net/2006223; classtype:web-application-attack; sid:2006223; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user UPDATE"; flow:established,to_server; content:"/administration/administre2.php?"; nocase; http_uri; content:"id_user="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6716; reference:url,www.milw0rm.com/exploits/2945; reference:url,doc.emergingthreats.net/2006224; classtype:web-application-attack; sid:2006224; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id SELECT"; flow:established,to_server; content:"/productdetail.asp?"; nocase; http_uri; content:"product_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0092; reference:url,www.milw0rm.com/exploits/3074; reference:url,doc.emergingthreats.net/2005877; classtype:web-application-attack; sid:2005877; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id UNION SELECT"; flow:established,to_server; content:"/productdetail.asp?"; nocase; http_uri; content:"product_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0092; reference:url,www.milw0rm.com/exploits/3074; reference:url,doc.emergingthreats.net/2005878; classtype:web-application-attack; sid:2005878; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id INSERT"; flow:established,to_server; content:"/productdetail.asp?"; nocase; http_uri; content:"product_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0092; reference:url,www.milw0rm.com/exploits/3074; reference:url,doc.emergingthreats.net/2005879; classtype:web-application-attack; sid:2005879; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id DELETE"; flow:established,to_server; content:"/productdetail.asp?"; nocase; http_uri; content:"product_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0092; reference:url,www.milw0rm.com/exploits/3074; reference:url,doc.emergingthreats.net/2005880; classtype:web-application-attack; sid:2005880; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id ASCII"; flow:established,to_server; content:"/productdetail.asp?"; nocase; http_uri; content:"product_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0092; reference:url,www.milw0rm.com/exploits/3074; reference:url,doc.emergingthreats.net/2005881; classtype:web-application-attack; sid:2005881; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id UPDATE"; flow:established,to_server; content:"/productdetail.asp?"; nocase; http_uri; content:"product_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0092; reference:url,www.milw0rm.com/exploits/3074; reference:url,doc.emergingthreats.net/2005882; classtype:web-application-attack; sid:2005882; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EvimGibi Pro Resim Galerisi kat_id parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/resim.asp?"; nocase; http_uri; content:"islem=altkat"; nocase; http_uri; content:"kat_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/33199/; reference:url,packetstorm.linuxsecurity.com/0812-exploits/evimgibi-sql.txt; reference:url,doc.emergingthreats.net/2008998; classtype:web-application-attack; sid:2008998; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template SELECT"; flow:established,to_server; content:"/style.php?"; nocase; http_uri; content:"template="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3214; reference:url,www.milw0rm.com/exploits/4054; reference:url,doc.emergingthreats.net/2005336; classtype:web-application-attack; sid:2005336; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template UNION SELECT"; flow:established,to_server; content:"/style.php?"; nocase; http_uri; content:"template="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3214; reference:url,www.milw0rm.com/exploits/4054; reference:url,doc.emergingthreats.net/2005337; classtype:web-application-attack; sid:2005337; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template INSERT"; flow:established,to_server; content:"/style.php?"; nocase; http_uri; content:"template="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3214; reference:url,www.milw0rm.com/exploits/4054; reference:url,doc.emergingthreats.net/2005338; classtype:web-application-attack; sid:2005338; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template DELETE"; flow:established,to_server; content:"/style.php?"; nocase; http_uri; content:"template="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3214; reference:url,www.milw0rm.com/exploits/4054; reference:url,doc.emergingthreats.net/2005339; classtype:web-application-attack; sid:2005339; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template ASCII"; flow:established,to_server; content:"/style.php?"; nocase; http_uri; content:"template="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3214; reference:url,www.milw0rm.com/exploits/4054; reference:url,doc.emergingthreats.net/2005340; classtype:web-application-attack; sid:2005340; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template UPDATE"; flow:established,to_server; content:"/style.php?"; nocase; http_uri; content:"template="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3214; reference:url,www.milw0rm.com/exploits/4054; reference:url,doc.emergingthreats.net/2005341; classtype:web-application-attack; sid:2005341; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno SELECT"; flow:established,to_server; content:"/products.asp?"; nocase; http_uri; content:"partno="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6207; reference:url,www.securityfocus.com/bid/21323; reference:url,doc.emergingthreats.net/2007060; classtype:web-application-attack; sid:2007060; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno UNION SELECT"; flow:established,to_server; content:"/products.asp?"; nocase; http_uri; content:"partno="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6207; reference:url,www.securityfocus.com/bid/21323; reference:url,doc.emergingthreats.net/2007061; classtype:web-application-attack; sid:2007061; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno INSERT"; flow:established,to_server; content:"/products.asp?"; nocase; http_uri; content:"partno="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6207; reference:url,www.securityfocus.com/bid/21323; reference:url,doc.emergingthreats.net/2007062; classtype:web-application-attack; sid:2007062; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno DELETE"; flow:established,to_server; content:"/products.asp?"; nocase; http_uri; content:"partno="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6207; reference:url,www.securityfocus.com/bid/21323; reference:url,doc.emergingthreats.net/2007063; classtype:web-application-attack; sid:2007063; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno ASCII"; flow:established,to_server; content:"/products.asp?"; nocase; http_uri; content:"partno="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6207; reference:url,www.securityfocus.com/bid/21323; reference:url,doc.emergingthreats.net/2007064; classtype:web-application-attack; sid:2007064; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno UPDATE"; flow:established,to_server; content:"/products.asp?"; nocase; http_uri; content:"partno="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6207; reference:url,www.securityfocus.com/bid/21323; reference:url,doc.emergingthreats.net/2007065; classtype:web-application-attack; sid:2007065; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ExBB threadstop.php exbb Parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/threadstop/threadstop.php?"; nocase; http_uri; content:"exbb[default_lang]="; nocase; http_uri; content:"../"; reference:bugtraq,28686; reference:url,milw0rm.com/exploits/5405; reference:url,doc.emergingthreats.net/2009428; classtype:web-application-attack; sid:2009428; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id SELECT"; flow:established,to_server; content:"/faq.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0676; reference:url,www.milw0rm.com/exploits/3234; reference:url,doc.emergingthreats.net/2005081; classtype:web-application-attack; sid:2005081; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id UNION SELECT"; flow:established,to_server; content:"/faq.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0676; reference:url,www.milw0rm.com/exploits/3234; reference:url,doc.emergingthreats.net/2005082; classtype:web-application-attack; sid:2005082; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id INSERT"; flow:established,to_server; content:"/faq.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0676; reference:url,www.milw0rm.com/exploits/3234; reference:url,doc.emergingthreats.net/2005083; classtype:web-application-attack; sid:2005083; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id DELETE"; flow:established,to_server; content:"/faq.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0676; reference:url,www.milw0rm.com/exploits/3234; reference:url,doc.emergingthreats.net/2005084; classtype:web-application-attack; sid:2005084; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id ASCII"; flow:established,to_server; content:"/faq.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0676; reference:url,www.milw0rm.com/exploits/3234; reference:url,doc.emergingthreats.net/2005085; classtype:web-application-attack; sid:2005085; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id UPDATE"; flow:established,to_server; content:"/faq.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0676; reference:url,www.milw0rm.com/exploits/3234; reference:url,doc.emergingthreats.net/2005086; classtype:web-application-attack; sid:2005086; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Experts answer.php question_id parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/answer.php?"; nocase; http_uri; content:"question_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:cve,2008-5267; reference:url,milw0rm.com/exploits/5776; reference:bugtraq,29642; reference:url,doc.emergingthreats.net/2008931; classtype:web-application-attack; sid:2008931; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex SELECT"; flow:established,to_server; content:"/articles.asp?"; nocase; http_uri; content:"ex="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6274; reference:url,www.securityfocus.com/bid/21296; reference:url,doc.emergingthreats.net/2006813; classtype:web-application-attack; sid:2006813; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex UNION SELECT"; flow:established,to_server; content:"/articles.asp?"; nocase; http_uri; content:"ex="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6274; reference:url,www.securityfocus.com/bid/21296; reference:url,doc.emergingthreats.net/2006814; classtype:web-application-attack; sid:2006814; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex INSERT"; flow:established,to_server; content:"/articles.asp?"; nocase; http_uri; content:"ex="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6274; reference:url,www.securityfocus.com/bid/21296; reference:url,doc.emergingthreats.net/2006815; classtype:web-application-attack; sid:2006815; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex DELETE"; flow:established,to_server; content:"/articles.asp?"; nocase; http_uri; content:"ex="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6274; reference:url,www.securityfocus.com/bid/21296; reference:url,doc.emergingthreats.net/2006816; classtype:web-application-attack; sid:2006816; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex ASCII"; flow:established,to_server; content:"/articles.asp?"; nocase; http_uri; content:"ex="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6274; reference:url,www.securityfocus.com/bid/21296; reference:url,doc.emergingthreats.net/2006817; classtype:web-application-attack; sid:2006817; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex UPDATE"; flow:established,to_server; content:"/articles.asp?"; nocase; http_uri; content:"ex="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6274; reference:url,www.securityfocus.com/bid/21296; reference:url,doc.emergingthreats.net/2006818; classtype:web-application-attack; sid:2006818; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp SELECT"; flow:established,to_server; content:"/vdateUsr.asp?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6525; reference:url,www.secunia.com/advisories/23304; reference:url,doc.emergingthreats.net/2006339; classtype:web-application-attack; sid:2006339; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp UNION SELECT"; flow:established,to_server; content:"/vdateUsr.asp?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6525; reference:url,www.secunia.com/advisories/23304; reference:url,doc.emergingthreats.net/2006340; classtype:web-application-attack; sid:2006340; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp INSERT"; flow:established,to_server; content:"/vdateUsr.asp?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6525; reference:url,www.secunia.com/advisories/23304; reference:url,doc.emergingthreats.net/2006341; classtype:web-application-attack; sid:2006341; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp DELETE"; flow:established,to_server; content:"/vdateUsr.asp?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6525; reference:url,www.secunia.com/advisories/23304; reference:url,doc.emergingthreats.net/2006342; classtype:web-application-attack; sid:2006342; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp ASCII"; flow:established,to_server; content:"/vdateUsr.asp?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6525; reference:url,www.secunia.com/advisories/23304; reference:url,doc.emergingthreats.net/2006343; classtype:web-application-attack; sid:2006343; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp UPDATE"; flow:established,to_server; content:"/vdateUsr.asp?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6525; reference:url,www.secunia.com/advisories/23304; reference:url,doc.emergingthreats.net/2006344; classtype:web-application-attack; sid:2006344; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid SELECT"; flow:established,to_server; content:"/boxx/ShowAppendix.asp?"; nocase; http_uri; content:"iid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0266; reference:url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded; reference:url,doc.emergingthreats.net/2005615; classtype:web-application-attack; sid:2005615; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid UNION SELECT"; flow:established,to_server; content:"/boxx/ShowAppendix.asp?"; nocase; http_uri; content:"iid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0266; reference:url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded; reference:url,doc.emergingthreats.net/2005616; classtype:web-application-attack; sid:2005616; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid INSERT"; flow:established,to_server; content:"/boxx/ShowAppendix.asp?"; nocase; http_uri; content:"iid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0266; reference:url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded; reference:url,doc.emergingthreats.net/2005617; classtype:web-application-attack; sid:2005617; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid DELETE"; flow:established,to_server; content:"/boxx/ShowAppendix.asp?"; nocase; http_uri; content:"iid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0266; reference:url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded; reference:url,doc.emergingthreats.net/2005618; classtype:web-application-attack; sid:2005618; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid ASCII"; flow:established,to_server; content:"/boxx/ShowAppendix.asp?"; nocase; http_uri; content:"iid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0266; reference:url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded; reference:url,doc.emergingthreats.net/2005619; classtype:web-application-attack; sid:2005619; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid UPDATE"; flow:established,to_server; content:"/boxx/ShowAppendix.asp?"; nocase; http_uri; content:"iid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0266; reference:url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded; reference:url,doc.emergingthreats.net/2005620; classtype:web-application-attack; sid:2005620; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS F3Site2009 LFI Exploit Attempt (poll.php)"; flow:established,to_server; content:"/mod/poll.php?"; nocase; http_uri; content:"GLOBALS[nlang]="; nocase; http_uri; pcre:"/(\?|&)GLOBALS\[nlang\]=[^\x26\x3B\x2f\x5c]*[\x2f\x5c]/iU"; reference:url,packetstormsecurity.org/0912-exploits/f3site2009-lfi.txt; reference:url,doc.emergingthreats.net/2010543; classtype:web-application-attack; sid:2010543; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS F3Site2009 LFI Exploit Attempt (new.php)"; flow:established,to_server; content:"/mod/new.php?"; nocase; http_uri; content:"GLOBALS[nlang]="; nocase; http_uri; pcre:"/(\?|&)GLOBALS\[nlang\]=[^\x26\x3B\x2f\x5c]*[\x2f\x5c]/iU"; reference:url,packetstormsecurity.org/0912-exploits/f3site2009-lfi.txt; reference:url,doc.emergingthreats.net/2010544; classtype:web-application-attack; sid:2010544; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS F5 Data Manager DiagLogListActionBody.do Local File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/acopia/manager/DiagLogListActionBody.do?"; nocase; http_uri; content:"logFile="; nocase; http_uri; content:"../"; depth:200; reference:url,secunia.com/advisories/38113/; reference:url,doc.emergingthreats.net/2010800; classtype:web-application-attack; sid:2010800; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do Local File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/acopia/manager/DiagCaptureFileListActionBody.do?"; nocase; http_uri; content:"captureFile="; nocase; http_uri; content:"../"; depth:200; reference:url,secunia.com/advisories/38113/; reference:url,doc.emergingthreats.net/2010801; classtype:web-application-attack; sid:2010801; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS F5 Data Manager ViewSatReport.do Local File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/acopia/sat/ViewSatReport.do?"; nocase; http_uri; content:"fileName="; nocase; http_uri; content:"../"; depth:200; reference:url,secunia.com/advisories/38113/; reference:url,doc.emergingthreats.net/2010802; classtype:web-application-attack; sid:2010802; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do capture parameter LFI Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/acopia/manager/DiagCaptureFileListActionBody.do?"; nocase; http_uri; content:"capture="; nocase; http_uri; content:"../"; depth:200; reference:url,secunia.com/advisories/38113/; reference:url,doc.emergingthreats.net/2010803; classtype:web-application-attack; sid:2010803; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS F5 Data Manager ViewInventoryErrorReport.do Local File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/acopia/sat/ViewInventoryErrorReport.do?"; nocase; http_uri; content:"fileName="; nocase; http_uri; content:"../"; depth:200; reference:url,secunia.com/advisories/38113/; reference:url,doc.emergingthreats.net/2010804; classtype:web-application-attack; sid:2010804; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FAQEngine SQL Injection Attempt -- question.php questionref SELECT"; flow:established,to_server; content:"/question.php?"; nocase; http_uri; content:"questionref="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2749; reference:url,www.milw0rm.com/exploits/3943; reference:url,doc.emergingthreats.net/2003846; classtype:web-application-attack; sid:2003846; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FAQEngine SQL Injection Attempt -- question.php questionref UNION SELECT"; flow:established,to_server; content:"/question.php?"; nocase; http_uri; content:"questionref="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2749; reference:url,www.milw0rm.com/exploits/3943; reference:url,doc.emergingthreats.net/2003847; classtype:web-application-attack; sid:2003847; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FAQEngine SQL Injection Attempt -- question.php questionref INSERT"; flow:established,to_server; content:"/question.php?"; nocase; http_uri; content:"questionref="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2749; reference:url,www.milw0rm.com/exploits/3943; reference:url,doc.emergingthreats.net/2003848; classtype:web-application-attack; sid:2003848; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FAQEngine SQL Injection Attempt -- question.php questionref DELETE"; flow:established,to_server; content:"/question.php?"; nocase; http_uri; content:"questionref="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2749; reference:url,www.milw0rm.com/exploits/3943; reference:url,doc.emergingthreats.net/2003849; classtype:web-application-attack; sid:2003849; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FAQEngine SQL Injection Attempt -- question.php questionref ASCII"; flow:established,to_server; content:"/question.php?"; nocase; http_uri; content:"questionref="; nocase; http_uri; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2749; reference:url,www.milw0rm.com/exploits/3943; reference:url,doc.emergingthreats.net/2003850; classtype:web-application-attack; sid:2003850; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FAQEngine SQL Injection Attempt -- question.php questionref UPDATE"; flow:established,to_server; content:"/question.php?"; nocase; http_uri; content:"questionref="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2749; reference:url,www.milw0rm.com/exploits/3943; reference:url,doc.emergingthreats.net/2003851; classtype:web-application-attack; sid:2003851; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FSphp FSphp.php FSPHP_LIB Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"/lib/FSphp.php?"; nocase; http_uri; content:"FSPHP_LIB="; nocase; http_uri; pcre:"/FSPHP_LIB\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/58315; reference:url,www.milw0rm.com/exploits/9720; reference:url,doc.emergingthreats.net/2010359; classtype:web-application-attack; sid:2010359; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FSphp navigation.php FSPHP_LIB Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"/lib/navigation.php?"; nocase; http_uri; content:"FSPHP_LIB="; nocase; http_uri; pcre:"/FSPHP_LIB\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/58316; reference:url,www.milw0rm.com/exploits/9720; reference:url,doc.emergingthreats.net/2010360; classtype:web-application-attack; sid:2010360; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FSphp pathwirte.php FSPHP_LIB Parameter Remote File Inclusion Attempt"; flow:to_server,established; uricontent:"/lib/pathwirte.php?"; nocase; uricontent:"FSPHP_LIB="; nocase; pcre:"/FSPHP_LIB\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/58317; reference:url,www.milw0rm.com/exploits/9720; reference:url,doc.emergingthreats.net/2010361; classtype:web-application-attack; sid:2010361; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6813; reference:url,www.milw0rm.com/exploits/2997; reference:url,doc.emergingthreats.net/2006123; classtype:web-application-attack; sid:2006123; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID UNION SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6813; reference:url,www.milw0rm.com/exploits/2997; reference:url,doc.emergingthreats.net/2006124; classtype:web-application-attack; sid:2006124; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID INSERT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6813; reference:url,www.milw0rm.com/exploits/2997; reference:url,doc.emergingthreats.net/2006125; classtype:web-application-attack; sid:2006125; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID DELETE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6813; reference:url,www.milw0rm.com/exploits/2997; reference:url,doc.emergingthreats.net/2006126; classtype:web-application-attack; sid:2006126; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID ASCII"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6813; reference:url,www.milw0rm.com/exploits/2997; reference:url,doc.emergingthreats.net/2006127; classtype:web-application-attack; sid:2006127; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID UPDATE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6813; reference:url,www.milw0rm.com/exploits/2997; reference:url,doc.emergingthreats.net/2006128; classtype:web-application-attack; sid:2006128; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php dir Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/sitemap.xml.php?"; nocase; http_uri; content:"dir[classes]="; nocase; http_uri; pcre:"/dir\[classes\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/28047; reference:url,milw0rm.com/exploits/4712; reference:url,doc.emergingthreats.net/2009506; classtype:web-application-attack; sid:2009506; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php dir Parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/sitemap.xml.php?"; nocase; http_uri; content:"dir[classes]="; nocase; http_uri; content:"../"; reference:url,secunia.com/advisories/28047; reference:url,milw0rm.com/exploits/4712; reference:url,doc.emergingthreats.net/2009507; classtype:web-application-attack; sid:2009507; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id SELECT"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6542; reference:url,www.milw0rm.com/exploits/2906; reference:url,doc.emergingthreats.net/2006327; classtype:web-application-attack; sid:2006327; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id UNION SELECT"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6542; reference:url,www.milw0rm.com/exploits/2906; reference:url,doc.emergingthreats.net/2006328; classtype:web-application-attack; sid:2006328; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id INSERT"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6542; reference:url,www.milw0rm.com/exploits/2906; reference:url,doc.emergingthreats.net/2006329; classtype:web-application-attack; sid:2006329; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id DELETE"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6542; reference:url,www.milw0rm.com/exploits/2906; reference:url,doc.emergingthreats.net/2006330; classtype:web-application-attack; sid:2006330; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id ASCII"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6542; reference:url,www.milw0rm.com/exploits/2906; reference:url,doc.emergingthreats.net/2006331; classtype:web-application-attack; sid:2006331; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id UPDATE"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6542; reference:url,www.milw0rm.com/exploits/2906; reference:url,doc.emergingthreats.net/2006332; classtype:web-application-attack; sid:2006332; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fatwiki datumscalc.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/datumscalc.php?"; nocase; http_uri; content:"kal_class_path="; nocase; http_uri; pcre:"/kal_class_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/11188; reference:url,doc.emergingthreats.net/2011096; classtype:web-application-attack; sid:2011096; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fatwiki monatsblatt.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/monatsblatt.php?"; nocase; http_uri; content:"kal_class_path="; nocase; http_uri; pcre:"/kal_class_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/11188; reference:url,doc.emergingthreats.net/2011097; classtype:web-application-attack; sid:2011097; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FileRun SQL Injection Attempt -- index.php fid SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"fid="; nocase; http_uri; fast_pattern; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2469; reference:url,www.securityfocus.com/bid/23752; reference:url,doc.emergingthreats.net/2003788; classtype:web-application-attack; sid:2003788; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FileRun SQL Injection Attempt -- index.php fid UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"fid="; nocase; http_uri; fast_pattern; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2469; reference:url,www.securityfocus.com/bid/23752; reference:url,doc.emergingthreats.net/2003789; classtype:web-application-attack; sid:2003789; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FileRun SQL Injection Attempt -- index.php fid INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"fid="; nocase; http_uri; fast_pattern; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2469; reference:url,www.securityfocus.com/bid/23752; reference:url,doc.emergingthreats.net/2003790; classtype:web-application-attack; sid:2003790; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FileRun SQL Injection Attempt -- index.php fid DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"fid="; nocase; http_uri; fast_pattern; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2469; reference:url,www.securityfocus.com/bid/23752; reference:url,doc.emergingthreats.net/2003791; classtype:web-application-attack; sid:2003791; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FileRun SQL Injection Attempt -- index.php fid ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"fid="; nocase; http_uri; fast_pattern; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2469; reference:url,www.securityfocus.com/bid/23752; reference:url,doc.emergingthreats.net/2003792; classtype:web-application-attack; sid:2003792; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FileRun SQL Injection Attempt -- index.php fid UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"fid="; nocase; http_uri; fast_pattern; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2469; reference:url,www.securityfocus.com/bid/23752; reference:url,doc.emergingthreats.net/2003793; classtype:web-application-attack; sid:2003793; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat SELECT"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006898; classtype:web-application-attack; sid:2006898; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat UNION SELECT"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006899; classtype:web-application-attack; sid:2006899; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat INSERT"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006900; classtype:web-application-attack; sid:2006900; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat DELETE"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006901; classtype:web-application-attack; sid:2006901; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat ASCII"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006902; classtype:web-application-attack; sid:2006902; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat UPDATE"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006903; classtype:web-application-attack; sid:2006903; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did SELECT"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"did="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006904; classtype:web-application-attack; sid:2006904; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did UNION SELECT"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"did="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006905; classtype:web-application-attack; sid:2006905; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did INSERT"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"did="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006906; classtype:web-application-attack; sid:2006906; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did DELETE"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"did="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006907; classtype:web-application-attack; sid:2006907; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did ASCII"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"did="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006908; classtype:web-application-attack; sid:2006908; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did UPDATE"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"did="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006909; classtype:web-application-attack; sid:2006909; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FireStats window-add-excluded-ip.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/firestats/php/window-add-excluded-ip.php?"; nocase; http_uri; content:"edit="; nocase; http_uri; pcre:"/edit\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/40569/; reference:url,h.ackack.net/more-0day-wordpress-security-leaks-in-firestats.html; reference:url,doc.emergingthreats.net/2011256; classtype:web-application-attack; sid:2011256; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/firestats/php/window-add-excluded-url.php?"; nocase; http_uri; content:"edit="; nocase; http_uri; pcre:"/edit\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/40569/; reference:url,h.ackack.net/more-0day-wordpress-security-leaks-in-firestats.html; reference:url,doc.emergingthreats.net/2011257; classtype:web-application-attack; sid:2011257; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FireStats window-new-edit-site.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/firestats/php/window-new-edit-site.php?"; nocase; http_uri; content:"site_id="; nocase; http_uri; pcre:"/site_id\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/40569/; reference:url,h.ackack.net/more-0day-wordpress-security-leaks-in-firestats.html; reference:url,doc.emergingthreats.net/2011258; classtype:web-application-attack; sid:2011258; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Firefly Remote Inclusion Attempt -- config.php DOCUMENT_ROOT"; flow:established,to_server; content:"/modules/admin/include/config.php?"; nocase; http_uri; content:"DOCUMENT_ROOT="; nocase; http_uri; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2460; reference:url,www.frsirt.com/english/advisories/2007/1554; reference:url,doc.emergingthreats.net/2003690; classtype:web-application-attack; sid:2003690; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id SELECT"; flow:established,to_server; content:"/filelist.asp?"; nocase; http_uri; content:"show_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007182; classtype:web-application-attack; sid:2007182; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id UNION SELECT"; flow:established,to_server; content:"/filelist.asp?"; nocase; http_uri; content:"show_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007183; classtype:web-application-attack; sid:2007183; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id INSERT"; flow:established,to_server; content:"/filelist.asp?"; nocase; http_uri; content:"show_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007184; classtype:web-application-attack; sid:2007184; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id DELETE"; flow:established,to_server; content:"/filelist.asp?"; nocase; http_uri; content:"show_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007185; classtype:web-application-attack; sid:2007185; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id ASCII"; flow:established,to_server; content:"/filelist.asp?"; nocase; http_uri; content:"show_id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007186; classtype:web-application-attack; sid:2007186; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id UPDATE"; flow:established,to_server; content:"/filelist.asp?"; nocase; http_uri; content:"show_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007187; classtype:web-application-attack; sid:2007187; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid SELECT"; flow:established,to_server; content:"/filelist.asp?"; nocase; http_uri; content:"parentid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007188; classtype:web-application-attack; sid:2007188; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid UNION SELECT"; flow:established,to_server; content:"/filelist.asp?"; nocase; http_uri; content:"parentid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007189; classtype:web-application-attack; sid:2007189; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid INSERT"; flow:established,to_server; content:"/filelist.asp?"; nocase; http_uri; content:"parentid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007190; classtype:web-application-attack; sid:2007190; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid DELETE"; flow:established,to_server; content:"/filelist.asp?"; nocase; http_uri; content:"parentid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007191; classtype:web-application-attack; sid:2007191; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid ASCII"; flow:established,to_server; content:"/filelist.asp?"; nocase; http_uri; content:"parentid="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007192; classtype:web-application-attack; sid:2007192; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid UPDATE"; flow:established,to_server; content:"/filelist.asp?"; nocase; http_uri; content:"parentid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007193; classtype:web-application-attack; sid:2007193; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid SELECT"; flow:established,to_server; content:"/showfile.asp?"; nocase; http_uri; content:"fid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007194; classtype:web-application-attack; sid:2007194; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid UNION SELECT"; flow:established,to_server; content:"/showfile.asp?"; nocase; http_uri; content:"fid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007195; classtype:web-application-attack; sid:2007195; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid INSERT"; flow:established,to_server; content:"/showfile.asp?"; nocase; http_uri; content:"fid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007196; classtype:web-application-attack; sid:2007196; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid DELETE"; flow:established,to_server; content:"/showfile.asp?"; nocase; http_uri; content:"fid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007197; classtype:web-application-attack; sid:2007197; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid ASCII"; flow:established,to_server; content:"/showfile.asp?"; nocase; http_uri; content:"fid="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007198; classtype:web-application-attack; sid:2007198; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid UPDATE"; flow:established,to_server; content:"/showfile.asp?"; nocase; http_uri; content:"fid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007199; classtype:web-application-attack; sid:2007199; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Quiz num_questions.php quiz Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/num_questions.php?"; nocase; http_uri; content:"quiz="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759; reference:url,doc.emergingthreats.net/2009849; classtype:web-application-attack; sid:2009849; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Quiz answers.php quiz Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/answers.php?"; nocase; http_uri; content:"quiz="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759; reference:url,doc.emergingthreats.net/2009850; classtype:web-application-attack; sid:2009850; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Quiz answers.php order_number Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/answers.php?"; nocase; http_uri; content:"order_number="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759; reference:url,doc.emergingthreats.net/2009851; classtype:web-application-attack; sid:2009851; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Quiz high_score_web.php quiz Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/high_score_web.php?"; nocase; http_uri; content:"quiz="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759; reference:url,doc.emergingthreats.net/2009852; classtype:web-application-attack; sid:2009852; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Quiz results_table_web.php quiz Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/results_table_web.php?"; nocase; http_uri; content:"quiz="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759; reference:url,doc.emergingthreats.net/2009853; classtype:web-application-attack; sid:2009853; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Quiz question.php quiz Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/question.php?"; nocase; http_uri; content:"quiz="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759; reference:url,doc.emergingthreats.net/2009854; classtype:web-application-attack; sid:2009854; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Quiz question.php order_number Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/question.php?"; nocase; http_uri; content:"order_number="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759; reference:url,doc.emergingthreats.net/2009855; classtype:web-application-attack; sid:2009855; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Quiz high_score.php quiz Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/high_score.php?"; nocase; http_uri; content:"quiz="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759; reference:url,doc.emergingthreats.net/2009856; classtype:web-application-attack; sid:2009856; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flashgames SQL Injection Attempt -- game.php lid SELECT"; flow:established,to_server; content:"/game.php?"; nocase; http_uri; content:"lid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2543; reference:url,www.milw0rm.com/exploits/3849; reference:url,doc.emergingthreats.net/2003823; classtype:web-application-attack; sid:2003823; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flashgames SQL Injection Attempt -- game.php lid UNION SELECT"; flow:established,to_server; content:"/game.php?"; nocase; http_uri; content:"lid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2543; reference:url,www.milw0rm.com/exploits/3849; reference:url,doc.emergingthreats.net/2003824; classtype:web-application-attack; sid:2003824; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flashgames SQL Injection Attempt -- game.php lid INSERT"; flow:established,to_server; content:"/game.php?"; nocase; http_uri; content:"lid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2543; reference:url,www.milw0rm.com/exploits/3849; reference:url,doc.emergingthreats.net/2003825; classtype:web-application-attack; sid:2003825; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flashgames SQL Injection Attempt -- game.php lid DELETE"; flow:established,to_server; content:"/game.php?"; nocase; http_uri; content:"lid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2543; reference:url,www.milw0rm.com/exploits/3849; reference:url,doc.emergingthreats.net/2003826; classtype:web-application-attack; sid:2003826; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flashgames SQL Injection Attempt -- game.php lid ASCII"; flow:established,to_server; content:"/game.php?"; nocase; http_uri; content:"lid="; nocase; http_uri; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2543; reference:url,www.milw0rm.com/exploits/3849; reference:url,doc.emergingthreats.net/2003827; classtype:web-application-attack; sid:2003827; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flashgames SQL Injection Attempt -- game.php lid UPDATE"; flow:established,to_server; content:"/game.php?"; nocase; http_uri; content:"lid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2543; reference:url,www.milw0rm.com/exploits/3849; reference:url,doc.emergingthreats.net/2003828; classtype:web-application-attack; sid:2003828; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flatchat pmscript.php with Parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/pmscript.php?"; nocase; http_uri; content:"with="; nocase; http_uri; content:"../"; reference:url,milw0rm.com/exploits/8549; reference:bugtraq,34734; reference:url,doc.emergingthreats.net/2009745; classtype:web-application-attack; sid:2009745; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FormMailer formmailer.admin.inc.php BASE_DIR Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/modules/formmailer/formmailer.admin.inc.php?"; nocase; http_uri; content:"BASE_DIR[jax_formmailer]="; nocase; http_uri; pcre:"/BASE_DIR\[jax_formmailer\]\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/55751; reference:url,doc.emergingthreats.net/2010484; classtype:web-application-attack; sid:2010484; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user SELECT"; flow:established,to_server; content:"/info_user.asp?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0589; reference:url,www.milw0rm.com/exploits/3197; reference:url,doc.emergingthreats.net/2005176; classtype:web-application-attack; sid:2005176; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user UNION SELECT"; flow:established,to_server; content:"/info_user.asp?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0589; reference:url,www.milw0rm.com/exploits/3197; reference:url,doc.emergingthreats.net/2005147; classtype:web-application-attack; sid:2005147; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user INSERT"; flow:established,to_server; content:"/info_user.asp?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0589; reference:url,www.milw0rm.com/exploits/3197; reference:url,doc.emergingthreats.net/2005148; classtype:web-application-attack; sid:2005148; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user DELETE"; flow:established,to_server; content:"/info_user.asp?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0589; reference:url,www.milw0rm.com/exploits/3197; reference:url,doc.emergingthreats.net/2005149; classtype:web-application-attack; sid:2005149; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user ASCII"; flow:established,to_server; content:"/info_user.asp?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0589; reference:url,www.milw0rm.com/exploits/3197; reference:url,doc.emergingthreats.net/2005150; classtype:web-application-attack; sid:2005150; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user UPDATE"; flow:established,to_server; content:"/info_user.asp?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0589; reference:url,www.milw0rm.com/exploits/3197; reference:url,doc.emergingthreats.net/2005151; classtype:web-application-attack; sid:2005151; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Free Bible Search readbible.php SQL Injection"; flow:established,to_server; content:"GET"; http_method; content:"/readbible.php?"; nocase; http_uri; content:"version="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,33301; reference:url,milw0rm.com/exploits/7798; reference:url,doc.emergingthreats.net/2009103; classtype:web-application-attack; sid:2009103; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/init.php?"; nocase; http_uri; content:"API_HOME_DIR="; nocase; http_uri; pcre:"/(\.\.\/){1,}/U"; reference:url,secunia.com/advisories/32745/; reference:url,milw0rm.com/exploits/7155; reference:url,doc.emergingthreats.net/2008878; classtype:web-application-attack; sid:2008878; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/init.php?"; nocase; http_uri; content:"API_HOME_DIR="; nocase; http_uri; pcre:"/API_HOME_DIR=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/32745/; reference:url,milw0rm.com/exploits/7155; reference:url,doc.emergingthreats.net/2008879; classtype:web-application-attack; sid:2008879; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FreeWebShop startmodules.inc.php lang_file Parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/includes/startmodules.inc.php?"; nocase; http_uri; content:"lang_file="; nocase; http_uri; content:"../"; reference:bugtraq,34538; reference:url,milw0rm.com/exploits/8446; reference:url,doc.emergingthreats.net/2009652; classtype:web-application-attack; sid:2009652; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Frontis aps_browse_sources.php source_class Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/bin/aps_browse_sources.php?"; nocase; http_uri; content:"source_class="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/35369/; reference:url,milw0rm.com/exploits/8900; reference:url,doc.emergingthreats.net/2009935; classtype:web-application-attack; sid:2009935; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat SELECT"; flow:established,to_server; content:"/listmain.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0951; reference:url,www.securityfocus.com/bid/22545; reference:url,doc.emergingthreats.net/2004917; classtype:web-application-attack; sid:2004917; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat UNION SELECT"; flow:established,to_server; content:"/listmain.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0951; reference:url,www.securityfocus.com/bid/22545; reference:url,doc.emergingthreats.net/2004918; classtype:web-application-attack; sid:2004918; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat INSERT"; flow:established,to_server; content:"/listmain.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0951; reference:url,www.securityfocus.com/bid/22545; reference:url,doc.emergingthreats.net/2004919; classtype:web-application-attack; sid:2004919; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat DELETE"; flow:established,to_server; content:"/listmain.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0951; reference:url,www.securityfocus.com/bid/22545; reference:url,doc.emergingthreats.net/2004920; classtype:web-application-attack; sid:2004920; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat ASCII"; flow:established,to_server; content:"/listmain.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0951; reference:url,www.securityfocus.com/bid/22545; reference:url,doc.emergingthreats.net/2004921; classtype:web-application-attack; sid:2004921; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat UPDATE"; flow:established,to_server; content:"/listmain.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0951; reference:url,www.securityfocus.com/bid/22545; reference:url,doc.emergingthreats.net/2004923; classtype:web-application-attack; sid:2004923; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id SELECT"; flow:established,to_server; content:"/windows.asp?"; nocase; http_uri; content:"kategori_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0678; reference:url,www.milw0rm.com/exploits/3233; reference:url,doc.emergingthreats.net/2005075; classtype:web-application-attack; sid:2005075; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id UNION SELECT"; flow:established,to_server; content:"/windows.asp?"; nocase; http_uri; content:"kategori_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0678; reference:url,www.milw0rm.com/exploits/3233; reference:url,doc.emergingthreats.net/2005076; classtype:web-application-attack; sid:2005076; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id INSERT"; flow:established,to_server; content:"/windows.asp?"; nocase; http_uri; content:"kategori_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0678; reference:url,www.milw0rm.com/exploits/3233; reference:url,doc.emergingthreats.net/2005077; classtype:web-application-attack; sid:2005077; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id DELETE"; flow:established,to_server; content:"/windows.asp?"; nocase; http_uri; content:"kategori_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0678; reference:url,www.milw0rm.com/exploits/3233; reference:url,doc.emergingthreats.net/2005078; classtype:web-application-attack; sid:2005078; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id ASCII"; flow:established,to_server; content:"/windows.asp?"; nocase; http_uri; content:"kategori_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0678; reference:url,www.milw0rm.com/exploits/3233; reference:url,doc.emergingthreats.net/2005079; classtype:web-application-attack; sid:2005079; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id UPDATE"; flow:established,to_server; content:"/windows.asp?"; nocase; http_uri; content:"kategori_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0678; reference:url,www.milw0rm.com/exploits/3233; reference:url,doc.emergingthreats.net/2005080; classtype:web-application-attack; sid:2005080; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id SELECT"; flow:established,to_server; content:"/down_indir.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3188; reference:url,www.milw0rm.com/exploits/4057; reference:url,doc.emergingthreats.net/2005372; classtype:web-application-attack; sid:2005372; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id UNION SELECT"; flow:established,to_server; content:"/down_indir.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3188; reference:url,www.milw0rm.com/exploits/4057; reference:url,doc.emergingthreats.net/2005373; classtype:web-application-attack; sid:2005373; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id INSERT"; flow:established,to_server; content:"/down_indir.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3188; reference:url,www.milw0rm.com/exploits/4057; reference:url,doc.emergingthreats.net/2005374; classtype:web-application-attack; sid:2005374; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id DELETE"; flow:established,to_server; content:"/down_indir.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3188; reference:url,www.milw0rm.com/exploits/4057; reference:url,doc.emergingthreats.net/2005375; classtype:web-application-attack; sid:2005375; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id ASCII"; flow:established,to_server; content:"/down_indir.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3188; reference:url,www.milw0rm.com/exploits/4057; reference:url,doc.emergingthreats.net/2005376; classtype:web-application-attack; sid:2005376; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id UPDATE"; flow:established,to_server; content:"/down_indir.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3188; reference:url,www.milw0rm.com/exploits/4057; reference:url,doc.emergingthreats.net/2005377; classtype:web-application-attack; sid:2005377; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm SELECT"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3273; reference:url,www.securityfocus.com/bid/24498; reference:url,doc.emergingthreats.net/2006461; classtype:web-application-attack; sid:2006461; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm UNION SELECT"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3273; reference:url,www.securityfocus.com/bid/24498; reference:url,doc.emergingthreats.net/2006462; classtype:web-application-attack; sid:2006462; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm INSERT"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3273; reference:url,www.securityfocus.com/bid/24498; reference:url,doc.emergingthreats.net/2006463; classtype:web-application-attack; sid:2006463; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm DELETE"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3273; reference:url,www.securityfocus.com/bid/24498; reference:url,doc.emergingthreats.net/2006464; classtype:web-application-attack; sid:2006464; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm ASCII"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3273; reference:url,www.securityfocus.com/bid/24498; reference:url,doc.emergingthreats.net/2006465; classtype:web-application-attack; sid:2006465; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm UPDATE"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3273; reference:url,www.securityfocus.com/bid/24498; reference:url,doc.emergingthreats.net/2006466; classtype:web-application-attack; sid:2006466; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode SELECT"; flow:established,to_server; content:"/forum/include/error/autherror.cfm?"; nocase; http_uri; content:"errorcode="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3301; reference:url,www.securityfocus.com/bid/24528; reference:url,doc.emergingthreats.net/2006467; classtype:web-application-attack; sid:2006467; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode UNION SELECT"; flow:established,to_server; content:"/forum/include/error/autherror.cfm?"; nocase; http_uri; content:"errorcode="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3301; reference:url,www.securityfocus.com/bid/24528; reference:url,doc.emergingthreats.net/2006468; classtype:web-application-attack; sid:2006468; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode INSERT"; flow:established,to_server; content:"/forum/include/error/autherror.cfm?"; nocase; http_uri; content:"errorcode="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3301; reference:url,www.securityfocus.com/bid/24528; reference:url,doc.emergingthreats.net/2006469; classtype:web-application-attack; sid:2006469; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode DELETE"; flow:established,to_server; content:"/forum/include/error/autherror.cfm?"; nocase; http_uri; content:"errorcode="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3301; reference:url,www.securityfocus.com/bid/24528; reference:url,doc.emergingthreats.net/2006470; classtype:web-application-attack; sid:2006470; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode ASCII"; flow:established,to_server; content:"/forum/include/error/autherror.cfm?"; nocase; http_uri; content:"errorcode="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3301; reference:url,www.securityfocus.com/bid/24528; reference:url,doc.emergingthreats.net/2006471; classtype:web-application-attack; sid:2006471; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode UPDATE"; flow:established,to_server; content:"/forum/include/error/autherror.cfm?"; nocase; http_uri; content:"errorcode="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3301; reference:url,www.securityfocus.com/bid/24528; reference:url,doc.emergingthreats.net/2006472; classtype:web-application-attack; sid:2006472; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId SELECT"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"newsId="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006189; classtype:web-application-attack; sid:2006189; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId UNION SELECT"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"newsId="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006190; classtype:web-application-attack; sid:2006190; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId INSERT"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"newsId="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006191; classtype:web-application-attack; sid:2006191; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId DELETE"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"newsId="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006192; classtype:web-application-attack; sid:2006192; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId ASCII"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"newsId="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006193; classtype:web-application-attack; sid:2006193; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId UPDATE"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"newsId="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006194; classtype:web-application-attack; sid:2006194; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid SELECT"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"categoryid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006195; classtype:web-application-attack; sid:2006195; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid UNION SELECT"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"categoryid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006196; classtype:web-application-attack; sid:2006196; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid INSERT"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"categoryid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006197; classtype:web-application-attack; sid:2006197; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid DELETE"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"categoryid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006198; classtype:web-application-attack; sid:2006198; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid ASCII"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"categoryid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006199; classtype:web-application-attack; sid:2006199; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid UPDATE"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"categoryid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006200; classtype:web-application-attack; sid:2006200; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId SELECT"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"langId="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006201; classtype:web-application-attack; sid:2006201; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId UNION SELECT"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"langId="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006202; classtype:web-application-attack; sid:2006202; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId INSERT"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"langId="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006203; classtype:web-application-attack; sid:2006203; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId DELETE"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"langId="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006204; classtype:web-application-attack; sid:2006204; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId ASCII"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"langId="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006205; classtype:web-application-attack; sid:2006205; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId UPDATE"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"langId="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006206; classtype:web-application-attack; sid:2006206; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic SELECT"; flow:established,to_server; content:"/low.php?"; nocase; http_uri; content:"topic="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3235; reference:url,www.milw0rm.com/exploits/4062; reference:url,doc.emergingthreats.net/2005330; classtype:web-application-attack; sid:2005330; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic UNION SELECT"; flow:established,to_server; content:"/low.php?"; nocase; http_uri; content:"topic="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3235; reference:url,www.milw0rm.com/exploits/4062; reference:url,doc.emergingthreats.net/2005331; classtype:web-application-attack; sid:2005331; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic INSERT"; flow:established,to_server; content:"/low.php?"; nocase; http_uri; content:"topic="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3235; reference:url,www.milw0rm.com/exploits/4062; reference:url,doc.emergingthreats.net/2005332; classtype:web-application-attack; sid:2005332; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic DELETE"; flow:established,to_server; content:"/low.php?"; nocase; http_uri; content:"topic="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3235; reference:url,www.milw0rm.com/exploits/4062; reference:url,doc.emergingthreats.net/2005333; classtype:web-application-attack; sid:2005333; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic ASCII"; flow:established,to_server; content:"/low.php?"; nocase; http_uri; content:"topic="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3235; reference:url,www.milw0rm.com/exploits/4062; reference:url,doc.emergingthreats.net/2005334; classtype:web-application-attack; sid:2005334; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic UPDATE"; flow:established,to_server; content:"/low.php?"; nocase; http_uri; content:"topic="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3235; reference:url,www.milw0rm.com/exploits/4062; reference:url,doc.emergingthreats.net/2005335; classtype:web-application-attack; sid:2005335; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GBook header.php abspath Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/includes/header.php?"; nocase; http_uri; content:"abspath="; nocase; http_uri; pcre:"/abspath=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/33768/; reference:url,milw0rm.com/exploits/7955; reference:url,doc.emergingthreats.net/2009163; classtype:web-application-attack; sid:2009163; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GDL gdl.php node Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/gdl.php?"; nocase; http_uri; content:"mod=browse"; nocase; http_uri; content:"node="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,34144; reference:url,milw0rm.com/exploits/8228; reference:url,doc.emergingthreats.net/2009394; classtype:web-application-attack; sid:2009394; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GMTT Music Distro XSS Attempt -- showown.php st"; flow:established,to_server; content:"/showown.php?"; nocase; http_uri; content:"st="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2916; reference:url,www.securityfocus.com/archive/1/archive/1/469269/100/0/threaded; reference:url,doc.emergingthreats.net/2004586; classtype:web-application-attack; sid:2004586; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GROUP-E head_auth.php CFG Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/www/lib/head_auth.php?"; nocase; http_uri; content:"CFG[PREPEND_FILE]="; nocase; http_uri; pcre:"/CFG\[PREPEND_FILE\]=\s*(ftps?|https?|php)\:\//Ui"; reference:url,juniper.net/security/auto/vulnerabilities/vuln28024.html; reference:bugtraq,28024; reference:url,milw0rm.com/exploits/5197; reference:url,doc.emergingthreats.net/2010096; classtype:web-application-attack; sid:2010096; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GS Real Estate Portal email.php AgentID Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/email.php?"; nocase; http_uri; content:"AgentID="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,juniper.net/security/auto/vulnerabilities/vuln32307.html; reference:url,xforce.iss.net/xforce/xfdb/46638; reference:url,milw0rm.com/exploits/7117; reference:url,doc.emergingthreats.net/2009791; classtype:web-application-attack; sid:2009791; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_cat_detail"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"galix_cat_detail="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2806; reference:url,www.securityfocus.com/bid/24066; reference:url,doc.emergingthreats.net/2004563; classtype:web-application-attack; sid:2004563; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_gal_detail"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"galix_gal_detail="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2806; reference:url,www.securityfocus.com/bid/24066; reference:url,doc.emergingthreats.net/2004564; classtype:web-application-attack; sid:2004564; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_cat_detail_sort"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"galix_cat_detail_sort="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2806; reference:url,www.securityfocus.com/bid/24066; reference:url,doc.emergingthreats.net/2004565; classtype:web-application-attack; sid:2004565; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Galerie ShowGallery.php SQL Injection attempt"; flow:to_server,established; content:"/showGallery.php"; nocase; http_uri; content:"galid="; nocase; http_uri; pcre:"/galid=-?\d+ /Ui"; reference:bugtraq,15313; reference:url,doc.emergingthreats.net/2002671; classtype:web-application-attack; sid:2002671; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Gallery2 adodb-error.inc.php ADODB_LANG Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/gallery2/lib/adodb/adodb-error.inc.php?"; nocase; http_uri; content:"ADODB_LANG="; nocase; http_uri; pcre:"/ADODB_LANG\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.exploit-db.com/exploits/10705; reference:url,doc.emergingthreats.net/2011018; classtype:web-application-attack; sid:2011018; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Gallo gfw_smarty.php gfwroot Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/core/includes/gfw_smarty.php?"; nocase; http_uri; content:"config[gfwroot]="; nocase; http_uri; pcre:"/config\[gfwroot\]=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/12488; reference:bugtraq,39890; reference:url,doc.emergingthreats.net/2011116; classtype:web-application-attack; sid:2011116; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id SELECT"; flow:established,to_server; content:"/down_indir.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2810; reference:url,www.securityfocus.com/bid/23714; reference:url,doc.emergingthreats.net/2003999; classtype:web-application-attack; sid:2003999; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id UNION SELECT"; flow:established,to_server; content:"/down_indir.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2810; reference:url,www.securityfocus.com/bid/23714; reference:url,doc.emergingthreats.net/2004000; classtype:web-application-attack; sid:2004000; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id INSERT"; flow:established,to_server; content:"/down_indir.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2810; reference:url,www.securityfocus.com/bid/23714; reference:url,doc.emergingthreats.net/2004001; classtype:web-application-attack; sid:2004001; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id DELETE"; flow:established,to_server; content:"/down_indir.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2810; reference:url,www.securityfocus.com/bid/23714; reference:url,doc.emergingthreats.net/2004002; classtype:web-application-attack; sid:2004002; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id ASCII"; flow:established,to_server; content:"/down_indir.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2810; reference:url,www.securityfocus.com/bid/23714; reference:url,doc.emergingthreats.net/2004003; classtype:web-application-attack; sid:2004003; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id UPDATE"; flow:established,to_server; content:"/down_indir.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2810; reference:url,www.securityfocus.com/bid/23714; reference:url,doc.emergingthreats.net/2004004; classtype:web-application-attack; sid:2004004; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori SELECT"; flow:established,to_server; content:"/kategori.asp?"; nocase; http_uri; content:"kategori="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1410; reference:url,www.milw0rm.com/exploits/3437; reference:url,doc.emergingthreats.net/2004397; classtype:web-application-attack; sid:2004397; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori UNION SELECT"; flow:established,to_server; content:"/kategori.asp?"; nocase; http_uri; content:"kategori="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1410; reference:url,www.milw0rm.com/exploits/3437; reference:url,doc.emergingthreats.net/2004398; classtype:web-application-attack; sid:2004398; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori INSERT"; flow:established,to_server; content:"/kategori.asp?"; nocase; http_uri; content:"kategori="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1410; reference:url,www.milw0rm.com/exploits/3437; reference:url,doc.emergingthreats.net/2004399; classtype:web-application-attack; sid:2004399; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori DELETE"; flow:established,to_server; content:"/kategori.asp?"; nocase; http_uri; content:"kategori="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1410; reference:url,www.milw0rm.com/exploits/3437; reference:url,doc.emergingthreats.net/2004400; classtype:web-application-attack; sid:2004400; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori ASCII"; flow:established,to_server; content:"/kategori.asp?"; nocase; http_uri; content:"kategori="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1410; reference:url,www.milw0rm.com/exploits/3437; reference:url,doc.emergingthreats.net/2004401; classtype:web-application-attack; sid:2004401; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori UPDATE"; flow:established,to_server; content:"/kategori.asp?"; nocase; http_uri; content:"kategori="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1410; reference:url,www.milw0rm.com/exploits/3437; reference:url,doc.emergingthreats.net/2004402; classtype:web-application-attack; sid:2004402; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GeekLog Remote File Include Vulnerability"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"_CONF"; nocase; http_uri; pcre:"/_CONF\[.*\]=(data|https?|ftps?|php)\:\//Ui"; reference:url,securitydot.net/xpl/exploits/vulnerabilities/articles/1122/exploit.html; reference:url,doc.emergingthreats.net/2002996; classtype:web-application-attack; sid:2002996; rev:8; metadata:affected_product Any, attack_target Server, deployment Datacenter, tag Remote_File_Include, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user SELECT"; flow:established,to_server; content:"/inc/common.php?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0794; reference:url,www.securityfocus.com/archive/1/archive/1/459151/100/0/threaded; reference:url,doc.emergingthreats.net/2005009; classtype:web-application-attack; sid:2005009; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user UNION SELECT"; flow:established,to_server; content:"/inc/common.php?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0794; reference:url,www.securityfocus.com/archive/1/archive/1/459151/100/0/threaded; reference:url,doc.emergingthreats.net/2005010; classtype:web-application-attack; sid:2005010; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user INSERT"; flow:established,to_server; content:"/inc/common.php?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0794; reference:url,www.securityfocus.com/archive/1/archive/1/459151/100/0/threaded; reference:url,doc.emergingthreats.net/2005011; classtype:web-application-attack; sid:2005011; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user DELETE"; flow:established,to_server; content:"/inc/common.php?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0794; reference:url,www.securityfocus.com/archive/1/archive/1/459151/100/0/threaded; reference:url,doc.emergingthreats.net/2005012; classtype:web-application-attack; sid:2005012; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user ASCII"; flow:established,to_server; content:"/inc/common.php?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0794; reference:url,www.securityfocus.com/archive/1/archive/1/459151/100/0/threaded; reference:url,doc.emergingthreats.net/2005013; classtype:web-application-attack; sid:2005013; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user UPDATE"; flow:established,to_server; content:"/inc/common.php?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0794; reference:url,www.securityfocus.com/archive/1/archive/1/459151/100/0/threaded; reference:url,doc.emergingthreats.net/2005014; classtype:web-application-attack; sid:2005014; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Glossaire SQL Injection Attempt -- glossaire-p-f.php sid SELECT"; flow:established,to_server; content:"/glossaire-p-f.php?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2738; reference:url,www.milw0rm.com/exploits/3932; reference:url,doc.emergingthreats.net/2003866; classtype:web-application-attack; sid:2003866; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Glossaire SQL Injection Attempt -- glossaire-p-f.php sid UNION SELECT"; flow:established,to_server; content:"/glossaire-p-f.php?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2738; reference:url,www.milw0rm.com/exploits/3932; reference:url,doc.emergingthreats.net/2003841; classtype:web-application-attack; sid:2003841; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Glossaire SQL Injection Attempt -- glossaire-p-f.php sid INSERT"; flow:established,to_server; content:"/glossaire-p-f.php?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2738; reference:url,www.milw0rm.com/exploits/3932; reference:url,doc.emergingthreats.net/2003842; classtype:web-application-attack; sid:2003842; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Glossaire SQL Injection Attempt -- glossaire-p-f.php sid DELETE"; flow:established,to_server; content:"/glossaire-p-f.php?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2738; reference:url,www.milw0rm.com/exploits/3932; reference:url,doc.emergingthreats.net/2003843; classtype:web-application-attack; sid:2003843; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Glossaire SQL Injection Attempt -- glossaire-p-f.php sid ASCII"; flow:established,to_server; content:"/glossaire-p-f.php?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2738; reference:url,www.milw0rm.com/exploits/3932; reference:url,doc.emergingthreats.net/2003844; classtype:web-application-attack; sid:2003844; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Glossaire SQL Injection Attempt -- glossaire-p-f.php sid UPDATE"; flow:established,to_server; content:"/glossaire-p-f.php?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2738; reference:url,www.milw0rm.com/exploits/3932; reference:url,doc.emergingthreats.net/2003845; classtype:web-application-attack; sid:2003845; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Gnatsweb and Gnats XSS Attempt -- gnatsweb.pl database"; flow:established,to_server; content:"/gnatsweb.pl?"; nocase; http_uri; content:"database="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2808; reference:url,www.secunia.com/advisories/25333; reference:url,doc.emergingthreats.net/2004562; classtype:web-application-attack; sid:2004562; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Gnopaster Common.php remote file include"; flow:established,to_server; content:"/includes/common.php"; nocase; http_uri; pcre:"/root_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,18180; reference:url,doc.emergingthreats.net/2003333; classtype:web-application-attack; sid:2003333; rev:6; metadata:affected_product Any, attack_target Server, deployment Datacenter, tag Remote_File_Include, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Golabi index_logged.php cur_module Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/index_logged.php?"; nocase; http_uri; content:"main_loaded="; nocase; http_uri; content:"cur_module="; nocase; http_uri; pcre:"/cur_module=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8112; reference:url,vupen.com/english/advisories/2009/0553; reference:bugtraq,33916; reference:url,doc.emergingthreats.net/2009733; classtype:web-application-attack; sid:2009733; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Google Appliance External Proxy Stylesheet"; flow:established,to_server; content:"/search?"; http_uri; content:"proxystylesheet="; http_uri; pcre:"/proxystylesheet=\s*(https?|ftps?|php)/Ui"; reference:bugtraq,15509; reference:cve,2005-3758; reference:url,doc.emergingthreats.net/2002849; classtype:web-application-attack; sid:2002849; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grape Web Statistics functions.php location Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/functions.php?"; nocase; http_uri; content:"location="; nocase; http_uri; pcre:"/location=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,28838; reference:url,juniper.net/security/auto/vulnerabilities/vuln28838.html; reference:url,milw0rm.com/exploits/5463; reference:url,doc.emergingthreats.net/2009427; classtype:web-application-attack; sid:2009427; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gravity-gtd rpc.php objectname parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/library/setup/rpc.php?"; nocase; http_uri; content:"objectname="; nocase; http_uri; pcre:"/(\.\.\/){1,}/U"; reference:url,www.milw0rm.com/exploits/7344; reference:url,secunia.com/advisories/32982/; reference:url,doc.emergingthreats.net/2008937; classtype:web-application-attack; sid:2008937; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id SELECT"; flow:established,to_server; content:"/userdetail.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004349; classtype:web-application-attack; sid:2004349; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id UNION SELECT"; flow:established,to_server; content:"/userdetail.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004350; classtype:web-application-attack; sid:2004350; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id INSERT"; flow:established,to_server; content:"/userdetail.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004351; classtype:web-application-attack; sid:2004351; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id DELETE"; flow:established,to_server; content:"/userdetail.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004352; classtype:web-application-attack; sid:2004352; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id ASCII"; flow:established,to_server; content:"/userdetail.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004353; classtype:web-application-attack; sid:2004353; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id UPDATE"; flow:established,to_server; content:"/userdetail.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004354; classtype:web-application-attack; sid:2004354; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id SELECT"; flow:established,to_server; content:"/jump.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004355; classtype:web-application-attack; sid:2004355; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id UNION SELECT"; flow:established,to_server; content:"/jump.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004356; classtype:web-application-attack; sid:2004356; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id INSERT"; flow:established,to_server; content:"/jump.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004357; classtype:web-application-attack; sid:2004357; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id DELETE"; flow:established,to_server; content:"/jump.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004358; classtype:web-application-attack; sid:2004358; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id ASCII"; flow:established,to_server; content:"/jump.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004359; classtype:web-application-attack; sid:2004359; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id UPDATE"; flow:established,to_server; content:"/jump.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004360; classtype:web-application-attack; sid:2004360; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id SELECT"; flow:established,to_server; content:"/detail.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004361; classtype:web-application-attack; sid:2004361; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id UNION SELECT"; flow:established,to_server; content:"/detail.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004362; classtype:web-application-attack; sid:2004362; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id INSERT"; flow:established,to_server; content:"/detail.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004363; classtype:web-application-attack; sid:2004363; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id DELETE"; flow:established,to_server; content:"/detail.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004364; classtype:web-application-attack; sid:2004364; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id ASCII"; flow:established,to_server; content:"/detail.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004365; classtype:web-application-attack; sid:2004365; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id UPDATE"; flow:established,to_server; content:"/detail.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004366; classtype:web-application-attack; sid:2004366; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url SELECT"; flow:established,to_server; content:"/jump.php?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004367; classtype:web-application-attack; sid:2004367; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url UNION SELECT"; flow:established,to_server; content:"/jump.php?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004368; classtype:web-application-attack; sid:2004368; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url INSERT"; flow:established,to_server; content:"/jump.php?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004369; classtype:web-application-attack; sid:2004369; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url DELETE"; flow:established,to_server; content:"/jump.php?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004370; classtype:web-application-attack; sid:2004370; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url ASCII"; flow:established,to_server; content:"/jump.php?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004371; classtype:web-application-attack; sid:2004371; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url UPDATE"; flow:established,to_server; content:"/jump.php?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004372; classtype:web-application-attack; sid:2004372; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/comments/json.php?"; nocase; http_uri; content:"task=comment"; nocase; http_uri; content:"comment_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,secunia.com/advisories/40665/; reference:url,packetstormsecurity.org/1007-exploits/groupoffice-sql.txt; reference:url,doc.emergingthreats.net/2011262; classtype:web-application-attack; sid:2011262; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/comments/json.php?"; nocase; http_uri; content:"task=comment"; nocase; http_uri; content:"comment_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,secunia.com/advisories/40665/; reference:url,packetstormsecurity.org/1007-exploits/groupoffice-sql.txt; reference:url,doc.emergingthreats.net/2011263; classtype:web-application-attack; sid:2011263; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/comments/json.php?"; nocase; http_uri; content:"task=comment"; nocase; http_uri; content:"comment_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/40665/; reference:url,packetstormsecurity.org/1007-exploits/groupoffice-sql.txt; reference:url,doc.emergingthreats.net/2011264; classtype:web-application-attack; sid:2011264; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/comments/json.php?"; nocase; http_uri; content:"task=comment"; nocase; http_uri; content:"comment_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,secunia.com/advisories/40665/; reference:url,packetstormsecurity.org/1007-exploits/groupoffice-sql.txt; reference:url,doc.emergingthreats.net/2011265; classtype:web-application-attack; sid:2011265; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/comments/json.php?"; nocase; http_uri; content:"task=comment"; nocase; http_uri; content:"comment_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,secunia.com/advisories/40665/; reference:url,packetstormsecurity.org/1007-exploits/groupoffice-sql.txt; reference:url,doc.emergingthreats.net/2011266; classtype:web-application-attack; sid:2011266; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Guestbook guestbook.php mes_id SQL Injection attempt"; flow:to_server,established; content:"GET"; http_method; content:"/guestbook.php?"; nocase; http_uri; content:"mes_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,www.milw0rm.com/exploits/9197; reference:url,doc.emergingthreats.net/2009674; classtype:web-application-attack; sid:2009674; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id SELECT"; flow:established,to_server; content:"/print.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0554; reference:url,www.milw0rm.com/exploits/3195; reference:url,doc.emergingthreats.net/2005222; classtype:web-application-attack; sid:2005222; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id UNION SELECT"; flow:established,to_server; content:"/print.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0554; reference:url,www.milw0rm.com/exploits/3195; reference:url,doc.emergingthreats.net/2005223; classtype:web-application-attack; sid:2005223; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id INSERT"; flow:established,to_server; content:"/print.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0554; reference:url,www.milw0rm.com/exploits/3195; reference:url,doc.emergingthreats.net/2005224; classtype:web-application-attack; sid:2005224; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id DELETE"; flow:established,to_server; content:"/print.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0554; reference:url,www.milw0rm.com/exploits/3195; reference:url,doc.emergingthreats.net/2005225; classtype:web-application-attack; sid:2005225; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id ASCII"; flow:established,to_server; content:"/print.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0554; reference:url,www.milw0rm.com/exploits/3195; reference:url,doc.emergingthreats.net/2005311; classtype:web-application-attack; sid:2005311; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id UPDATE"; flow:established,to_server; content:"/print.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0554; reference:url,www.milw0rm.com/exploits/3195; reference:url,doc.emergingthreats.net/2005226; classtype:web-application-attack; sid:2005226; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd SELECT"; flow:established,to_server; content:"/addrating.php?"; nocase; http_uri; content:"ipadd="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007404; classtype:web-application-attack; sid:2007404; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd UNION SELECT"; flow:established,to_server; content:"/addrating.php?"; nocase; http_uri; content:"ipadd="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007405; classtype:web-application-attack; sid:2007405; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd INSERT"; flow:established,to_server; content:"/addrating.php?"; nocase; http_uri; content:"ipadd="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007406; classtype:web-application-attack; sid:2007406; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd DELETE"; flow:established,to_server; content:"/addrating.php?"; nocase; http_uri; content:"ipadd="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007407; classtype:web-application-attack; sid:2007407; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd ASCII"; flow:established,to_server; content:"/addrating.php?"; nocase; http_uri; content:"ipadd="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007408; classtype:web-application-attack; sid:2007408; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd UPDATE"; flow:established,to_server; content:"/addrating.php?"; nocase; http_uri; content:"ipadd="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007409; classtype:web-application-attack; sid:2007409; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url SELECT"; flow:established,to_server; content:"/addrating.php?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007410; classtype:web-application-attack; sid:2007410; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url UNION SELECT"; flow:established,to_server; content:"/addrating.php?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007411; classtype:web-application-attack; sid:2007411; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url INSERT"; flow:established,to_server; content:"/addrating.php?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007412; classtype:web-application-attack; sid:2007412; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url DELETE"; flow:established,to_server; content:"/addrating.php?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007413; classtype:web-application-attack; sid:2007413; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url ASCII"; flow:established,to_server; content:"/addrating.php?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007414; classtype:web-application-attack; sid:2007414; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url UPDATE"; flow:established,to_server; content:"/addrating.php?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007415; classtype:web-application-attack; sid:2007415; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php authusername"; flow:established,to_server; content:"/hlstats.php?"; nocase; http_uri; content:"authusername="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2847; reference:url,www.securityfocus.com/bid/24102; reference:url,doc.emergingthreats.net/2004554; classtype:web-application-attack; sid:2004554; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php authpassword"; flow:established,to_server; content:"/hlstats.php?"; nocase; http_uri; content:"authpassword="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2847; reference:url,www.securityfocus.com/bid/24102; reference:url,doc.emergingthreats.net/2004555; classtype:web-application-attack; sid:2004555; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php"; flow:established,to_server; content:"/hlstats.php?"; nocase; http_uri; content:"| 3C |"; content:"SCRIPT"; nocase; http_uri; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2812; reference:url,www.securityfocus.com/bid/24063; reference:url,doc.emergingthreats.net/2004560; classtype:web-application-attack; sid:2004560; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php action"; flow:established,to_server; content:"/hlstats.php?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2812; reference:url,www.securityfocus.com/bid/24063; reference:url,doc.emergingthreats.net/2004561; classtype:web-application-attack; sid:2004561; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible HP OpenView Network Node Manager Getnnmdata.exe Invalid ICount Remote Code Execution Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/OvCgi/getnnmdata.exe"; nocase; http_uri; content:"ICount="; nocase; isdataat:100,relative; content:!"|0A|"; within:100; reference:url,www.zerodayinitiative.com/advisories/ZDI-10-085/; reference:cve,2010-1554; reference:url,doc.emergingthreats.net/2011196; classtype:web-application-attack; sid:2011196; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible HP OpenView Network Node Manager Getnnmdata.exe Invalid MaxAge Remote Code Execution Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/OvCgi/getnnmdata.exe"; nocase; http_uri; content:"MaxAge="; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,www.zerodayinitiative.com/advisories/ZDI-10-084/; reference:cve,2010-1553; reference:url,doc.emergingthreats.net/2011197; classtype:web-application-attack; sid:2011197; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible HP OpenView Network Node Manager Getnnmdata.exe Invalid Hostname Remote Code Execution Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/OvCgi/getnnmdata.exe"; nocase; http_uri; content:"Hostname="; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,www.zerodayinitiative.com/advisories/ZDI-10-086/; reference:cve,2010-1555; reference:url,doc.emergingthreats.net/2011198; classtype:web-application-attack; sid:2011198; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible HP Power Manager Management Web Server Login Remote Buffer Overflow Attempt"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/goform/formLogin"; nocase; http_uri; content:"Login="; nocase; http_client_body; content:!"|0A|"; http_client_body; within:300; isdataat:300,relative; pcre:"/Login=[^\r\n]{300}/Pi"; reference:url,www.securityfocus.com/bid/36933; reference:cve,2009-2685; reference:url,doc.emergingthreats.net/2010699; classtype:web-application-attack; sid:2010699; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HP System Management Homepage Input Validation Cross Site Scripting Attempt"; flow:established,to_server; content:"/smhui/getuiinfo"; nocase; http_uri; content:"JS"; nocase; http_uri; content:"servercert="; nocase; http_uri; pcre:"/servercert\x3D.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02000727; reference:cve,2009-4185; reference:url,doc.emergingthreats.net/2010770; classtype:web-application-attack; sid:2010770; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Harlandscripts Pro Traffic One mypage.php trg Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/mypage.php?"; nocase; http_uri; content:"trg="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/32467; reference:bugtraq,31986; reference:url,milw0rm.com/exploits/6874; reference:url,doc.emergingthreats.net/2009878; classtype:web-application-attack; sid:2009878; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre SELECT"; flow:established,to_server; content:"/giris_yap.asp?"; nocase; http_uri; content:"sifre="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7161; reference:url,www.securityfocus.com/bid/20375; reference:url,doc.emergingthreats.net/2004421; classtype:web-application-attack; sid:2004421; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre UNION SELECT"; flow:established,to_server; content:"/giris_yap.asp?"; nocase; http_uri; content:"sifre="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7161; reference:url,www.securityfocus.com/bid/20375; reference:url,doc.emergingthreats.net/2004422; classtype:web-application-attack; sid:2004422; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre INSERT"; flow:established,to_server; content:"/giris_yap.asp?"; nocase; http_uri; content:"sifre="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7161; reference:url,www.securityfocus.com/bid/20375; reference:url,doc.emergingthreats.net/2004423; classtype:web-application-attack; sid:2004423; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre DELETE"; flow:established,to_server; content:"/giris_yap.asp?"; nocase; http_uri; content:"sifre="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7161; reference:url,www.securityfocus.com/bid/20375; reference:url,doc.emergingthreats.net/2004424; classtype:web-application-attack; sid:2004424; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre ASCII"; flow:established,to_server; content:"/giris_yap.asp?"; nocase; http_uri; content:"sifre="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7161; reference:url,www.securityfocus.com/bid/20375; reference:url,doc.emergingthreats.net/2004425; classtype:web-application-attack; sid:2004425; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre UPDATE"; flow:established,to_server; content:"/giris_yap.asp?"; nocase; http_uri; content:"sifre="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7161; reference:url,www.securityfocus.com/bid/20375; reference:url,doc.emergingthreats.net/2004426; classtype:web-application-attack; sid:2004426; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hedgehog CMS header.php c_temp_path Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/includes/header.php?"; nocase; http_uri; content:"c_temp_path="; nocase; http_uri; content:"../"; reference:cve,CVE-2008-2898; reference:url,secunia.com/advisories/30778/; reference:url,milw0rm.com/exploits/5904; reference:url,doc.emergingthreats.net/2009231; classtype:web-application-attack; sid:2009231; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hedgehog CMS footer.php c_temp_path Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/includes/footer.php?"; nocase; http_uri; content:"c_temp_path"; nocase; http_uri; pcre:"/c_temp_path=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2008-2898; reference:url,secunia.com/advisories/30778/; reference:url,milw0rm.com/exploits/8028; reference:url,doc.emergingthreats.net/2009232; classtype:web-application-attack; sid:2009232; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hedgehog CMS header.php c_temp_path Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/includes/header.php?"; nocase; http_uri; content:"c_temp_path"; nocase; http_uri; pcre:"/c_temp_path=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2008-2898; reference:url,secunia.com/advisories/30778/; reference:url,milw0rm.com/exploits/5904; reference:url,doc.emergingthreats.net/2009233; classtype:web-application-attack; sid:2009233; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Helpdesk Pilot Knowledge Base SQL Injection Attempt"; flow:established,to_server; content:"/knowledgebase.php?"; nocase; http_uri; content:"act=art"; nocase; http_uri; content:"article_id="; nocase; http_uri; pcre:"/(\?|&)article_id=[^\x26\x3B]*[^\d\x2D]/iU"; reference:url,www.www.packetstormsecurity.org/0912-exploits/helpdesk-sql.txt; reference:url,doc.emergingthreats.net/2010609; classtype:web-application-attack; sid:2010609; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HoMaP plugin_admin.php _settings Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/plugin_admin.php?"; nocase; http_uri; content:"_settings[pluginpath]="; nocase; http_uri; pcre:"/_settings\[pluginpath\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/5902; reference:bugtraq,29877; reference:url,doc.emergingthreats.net/2009398; classtype:web-application-attack; sid:2009398; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Horde 3.0.9-3.1.0 Help Viewer Remote PHP Exploit"; flow:established,to_server; content:"/services/help/"; nocase; http_uri; pcre:"/module=[^\;]*\;.*\"/UGi"; reference:url,www.exploit-db.com/exploits/1660; reference:cve,2006-1491; reference:bugtraq,17292; classtype:web-application-attack; sid:2002867; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Horde Web Mail Help Access"; flow:established,to_server; content:"/horde/services/help/"; nocase; http_uri; reference:cve,2006-1491; reference:bugtraq,17292; reference:url,doc.emergingthreats.net/2002868; classtype:web-application-activity; sid:2002868; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Horde README access probe"; flow:to_server,established; content:"/horde"; nocase; http_uri; pcre:"/\/horde((2|3|-3\.(0\.[1-9]|1\.0)))?\/{1,2}README/Ui"; reference:cve,CVE-2006-1491; reference:url,csirt.terradon.com/postarchive.php?month=4&year=2006#article28; reference:url,doc.emergingthreats.net/2002897; classtype:web-application-activity; sid:2002897; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Horde XSS attempt colorpicker.php"; flow:to_server,established; content:"/horde/services/images/colorpicker.php?"; nocase; http_uri; pcre:"/colorpicker\x2Ephp\x3F[^\x0A\x0D]*(form|target)\x3D[^\x0A\x0D\x26]*[\x3E\x3C\x29\x22\x27\x3B]/iU"; reference:url,bugs.horde.org/ticket/8399; reference:url,doc.emergingthreats.net/2009494; classtype:web-application-attack; sid:2009494; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Horde XSS attempt test.php"; flow:to_server,established; content:"/horde/test.php?"; nocase; http_uri; pcre:"/test\x2Ephp\x3F[^\x0A\x0D]*ext\x3D[^\x0A\x0D\x26]*[\x3E\x3C\x22\x27]/iU"; reference:url,bugs.horde.org/ticket/8399; reference:url,doc.emergingthreats.net/2009495; classtype:web-application-attack; sid:2009495; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Horde XSS attempt passwd/main.php"; flow:to_server,established; content:"/horde/passwd/main.php?"; nocase; http_uri; pcre:"/passwd/main\x2Ephp\x3F[^\x0A\x0D]*backend\x3D[^\x0A\x0D\x26]*\x22/iU"; reference:url,bugs.horde.org/ticket/8398; reference:url,doc.emergingthreats.net/2009496; classtype:web-application-attack; sid:2009496; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Horde XSS attempt colorpicker.php (2)"; flow:to_server,established; content:"/horde/services/images/colorpicker.php?"; nocase; http_uri; pcre:"/colorpicker\x2Ephp\x3F[^\x0A\x0D]*(form|target)\x3D[^\x0A\x0D\x26]*[\x3E\x3C\x29\x22\x27\x3B]/iU"; reference:url,bugs.horde.org/ticket/8399; reference:url,doc.emergingthreats.net/2009497; classtype:web-application-attack; sid:2009497; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Horde XSS attempt test.php (2)"; flow:to_server,established; content:"/horde/test.php?"; nocase; http_uri; pcre:"/test\x2Ephp\x3F[^\x0A\x0D]*ext\x3D[^\x0A\x0D\x26]*[\x3E\x3C\x22\x27]/iU"; reference:url,bugs.horde.org/ticket/8399; reference:url,doc.emergingthreats.net/2009498; classtype:web-application-attack; sid:2009498; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Horde XSS attempt passwd/main.php (2)"; flow:to_server,established; content:"/horde/passwd/main.php?"; nocase; http_uri; pcre:"/passwd/main\x2Ephp\x3F[^\x0A\x0D]*backend\x3D[^\x0A\x0D\x26]*\x22/iU"; reference:url,bugs.horde.org/ticket/8398; reference:url,doc.emergingthreats.net/2009499; classtype:web-application-attack; sid:2009499; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HotNews hnmain.inc.php3 incdir Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/includes/hnmain.inc.php3?"; nocase; http_uri; content:"config[incdir]="; nocase; http_uri; pcre:"/config\[incdir\]=\s*(ftps?|https?|php)\:\//Ui"; reference:url,inj3ct0r.com/exploits/11731; reference:url,exploit-db.com/exploits/12160; reference:url,doc.emergingthreats.net/2011161; classtype:web-application-attack; sid:2011161; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hubscript XSS Attempt"; flow:to_server,established; content:"/patch/single_winner1.php?bid_id="; nocase; http_uri; content:"<script>"; nocase; http_uri; content:"</script>"; nocase; http_uri; reference:url,www.packetstormsecurity.com/0907-exploits/hubscript-xssphpinfo.txt; reference:url,doc.emergingthreats.net/2009647; classtype:web-application-attack; sid:2009647; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hubscript PHPInfo Attempt"; flow:to_server,established; content:"/patch/manage/phpinfo.php"; nocase; http_uri; reference:url,www.packetstormsecurity.com/0907-exploits/hubscript-xssphpinfo.txt; reference:url,doc.emergingthreats.net/2009650; classtype:web-application-attack; sid:2009650; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id SELECT"; flow:established,to_server; content:"/haberoku.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3080; reference:url,www.securityfocus.com/bid/24288; reference:url,doc.emergingthreats.net/2005179; classtype:web-application-attack; sid:2005179; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id UNION SELECT"; flow:established,to_server; content:"/haberoku.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3080; reference:url,www.securityfocus.com/bid/24288; reference:url,doc.emergingthreats.net/2004630; classtype:web-application-attack; sid:2004630; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id INSERT"; flow:established,to_server; content:"/haberoku.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3080; reference:url,www.securityfocus.com/bid/24288; reference:url,doc.emergingthreats.net/2004631; classtype:web-application-attack; sid:2004631; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id DELETE"; flow:established,to_server; content:"/haberoku.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3080; reference:url,www.securityfocus.com/bid/24288; reference:url,doc.emergingthreats.net/2004632; classtype:web-application-attack; sid:2004632; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id ASCII"; flow:established,to_server; content:"/haberoku.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3080; reference:url,www.securityfocus.com/bid/24288; reference:url,doc.emergingthreats.net/2004633; classtype:web-application-attack; sid:2004633; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id UPDATE"; flow:established,to_server; content:"/haberoku.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3080; reference:url,www.securityfocus.com/bid/24288; reference:url,doc.emergingthreats.net/2004634; classtype:web-application-attack; sid:2004634; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id SELECT"; flow:established,to_server; content:"/oku.asp?"; nocase; http_uri; content:"id="; nocase; http_uri;content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0688; reference:url,www.milw0rm.com/exploits/3241; reference:url,doc.emergingthreats.net/2005063; classtype:web-application-attack; sid:2005063; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id UNION SELECT"; flow:established,to_server; content:"/oku.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0688; reference:url,www.milw0rm.com/exploits/3241; reference:url,doc.emergingthreats.net/2005064; classtype:web-application-attack; sid:2005064; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id INSERT"; flow:established,to_server; content:"/oku.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0688; reference:url,www.milw0rm.com/exploits/3241; reference:url,doc.emergingthreats.net/2005065; classtype:web-application-attack; sid:2005065; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id DELETE"; flow:established,to_server; content:"/oku.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0688; reference:url,www.milw0rm.com/exploits/3241; reference:url,doc.emergingthreats.net/2005066; classtype:web-application-attack; sid:2005066; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id ASCII"; flow:established,to_server; content:"/oku.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0688; reference:url,www.milw0rm.com/exploits/3241; reference:url,doc.emergingthreats.net/2005067; classtype:web-application-attack; sid:2005067; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id UPDATE"; flow:established,to_server; content:"/oku.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0688; reference:url,www.milw0rm.com/exploits/3241; reference:url,doc.emergingthreats.net/2005068; classtype:web-application-attack; sid:2005068; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible IBM Rational RequisitePro ReqWebHelp Cross Site Scripting Attempt"; flow:established,to_server; content:"/ReqWebHelp/advanced/workingSet.jsp"; nocase; http_uri; content:"operation=add"; nocase; http_uri; pcre:"/(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36721/info; reference:url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895; reference:url,doc.emergingthreats.net/2010145; classtype:web-application-attack; sid:2010145; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp searchWord Cross Site Scripting Attempt"; flow:established,to_server; content:"/ReqWebHelp/basic/searchView.jsp?"; nocase; http_uri; content:"searchWord="; nocase; http_uri; pcre:"/searchWord\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36721/info; reference:url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895; reference:url,doc.emergingthreats.net/2010181; classtype:web-application-attack; sid:2010181; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp maxHits Cross Site Scripting Attempt"; flow:established,to_server; content:"/ReqWebHelp/basic/searchView.jsp?"; nocase; http_uri; content:"maxHits="; nocase; http_uri; pcre:"/maxHits\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36721/info; reference:url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895; reference:url,doc.emergingthreats.net/2010182; classtype:web-application-attack; sid:2010182; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scopedSearch Cross Site Scripting Attempt"; flow:established,to_server; content:"/ReqWebHelp/basic/searchView.jsp?"; nocase; http_uri; content:"scopedSearch="; nocase; http_uri; pcre:"/scopedSearch\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36721/info; reference:url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895; reference:url,doc.emergingthreats.net/2010183; classtype:web-application-attack; sid:2010183; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scope Cross Site Scripting Attempt"; flow:established,to_server; content:"/ReqWebHelp/basic/searchView.jsp?"; nocase; http_uri; content:"scope="; nocase; http_uri; pcre:"/scope\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36721/info; reference:url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895; reference:url,doc.emergingthreats.net/2010184; classtype:web-application-attack; sid:2010184; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IBM Possible Lotus Domino readme.nsf Cross Site Scripting Attempt"; flow:established,to_server; content:"/help/readme.nsf/Header"; nocase; http_uri; content:"OpenPage="; nocase; http_uri; content:"BaseTarget="; nocase; http_uri; pcre:"/BaseTarget\x3D.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,www.securityfocus.com/bid/38481; reference:url,doc.emergingthreats.net/2010865; classtype:web-application-attack; sid:2010865; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IBM ENOVIA SmarTeam v5 LoginPage.aspx Cross Site Scripting Attempt"; flow:established,to_server; content:"/WebEditor/Authentication/LoginPage.aspx?"; nocase; http_uri; content:"ReturnUrl="; nocase; http_uri; content:"errMsg="; nocase; http_uri; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstorm.foofus.com/1003-exploits/ibmenovia-xss.txt; reference:url,doc.emergingthreats.net/2010980; classtype:web-application-attack; sid:2010980; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module cindefn.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/private/cindefn.php"; nocase; http_uri; content:"INDEX="; nocase; http_uri; pcre:"/INDEX\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,dsecrg.com/pages/vul/show.php?id=154; reference:url,doc.emergingthreats.net/2011190; classtype:web-application-attack; sid:2011190; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module power_management_policy_options.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/private/power_management_policy_options.php"; nocase; http_uri; content:"domain="; nocase; http_uri; pcre:"/domain\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,dsecrg.com/pages/vul/show.php?id=154; reference:url,doc.emergingthreats.net/2011191; classtype:web-application-attack; sid:2011191; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module pm_temp.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/private/pm_temp.php"; nocase; http_uri; content:"view="; nocase; http_uri; content:"mod_type="; nocase; http_uri; content:"slot="; nocase; http_uri; pcre:"/slot\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,dsecrg.com/pages/vul/show.php?id=154; reference:url,doc.emergingthreats.net/2011192; classtype:web-application-attack; sid:2011192; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module power_module.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/private/power_module.php"; nocase; http_uri; content:"view="; nocase; http_uri; content:"mod_type="; nocase; http_uri; content:"slot="; nocase; http_uri; pcre:"/slot\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,dsecrg.com/pages/vul/show.php?id=154; reference:url,doc.emergingthreats.net/2011193; classtype:web-application-attack; sid:2011193; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module blade_leds.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/private/blade_leds.php"; nocase; http_uri; content:"WEBINDEX="; nocase; http_uri; pcre:"/WEBINDEX\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,dsecrg.com/pages/vul/show.php?id=154; reference:url,doc.emergingthreats.net/2011194; classtype:web-application-attack; sid:2011194; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module ipmi_bladestatus.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/private/ipmi_bladestatus.php"; nocase; http_uri; content:"SLOT="; nocase; http_uri; pcre:"/SLOT\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,dsecrg.com/pages/vul/show.php?id=154; reference:url,doc.emergingthreats.net/2011195; classtype:web-application-attack; sid:2011195; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion"; flow:established,to_server; content:"GET"; http_method; content:"/portal_block.php?"; nocase; http_uri; content:"phpbb_root_path="; nocase; http_uri; pcre:"/phpbb_root_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/7341; reference:bugtraq,32647; reference:url,doc.emergingthreats.net/2008964; classtype:web-application-attack; sid:2008964; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion"; flow:established,to_server; content:"GET"; http_method; content:"/acp_lcxbbportal.php?"; nocase; http_uri; content:"phpbb_root_path="; nocase; http_uri; pcre:"/phpbb_root_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/7341; reference:bugtraq,32647; reference:url,doc.emergingthreats.net/2008965; classtype:web-application-attack; sid:2008965; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id SELECT"; flow:established,to_server; content:"/dispimage.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005639; classtype:web-application-attack; sid:2005639; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id UNION SELECT"; flow:established,to_server; content:"/dispimage.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005640; classtype:web-application-attack; sid:2005640; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id INSERT"; flow:established,to_server; content:"/dispimage.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005641; classtype:web-application-attack; sid:2005641; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id DELETE"; flow:established,to_server; content:"/dispimage.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005642; classtype:web-application-attack; sid:2005642; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id ASCII"; flow:established,to_server; content:"/dispimage.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005643; classtype:web-application-attack; sid:2005643; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id UPDATE"; flow:established,to_server; content:"/dispimage.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005644; classtype:web-application-attack; sid:2005644; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"order="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005645; classtype:web-application-attack; sid:2005645; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order UNION SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"order="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005646; classtype:web-application-attack; sid:2005646; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order INSERT"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"order="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005647; classtype:web-application-attack; sid:2005647; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order DELETE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"order="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005648; classtype:web-application-attack; sid:2005648; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order ASCII"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"order="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005649; classtype:web-application-attack; sid:2005649; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order UPDATE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"order="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005650; classtype:web-application-attack; sid:2005650; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005651; classtype:web-application-attack; sid:2005651; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page UNION SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005652; classtype:web-application-attack; sid:2005652; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page INSERT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005653; classtype:web-application-attack; sid:2005653; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page DELETE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005654; classtype:web-application-attack; sid:2005654; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page ASCII"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005655; classtype:web-application-attack; sid:2005655; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page UPDATE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005656; classtype:web-application-attack; sid:2005656; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id SELECT"; flow:established,to_server; content:"/rating.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006862; classtype:web-application-attack; sid:2006862; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id UNION SELECT"; flow:established,to_server; content:"/rating.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006863; classtype:web-application-attack; sid:2006863; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id INSERT"; flow:established,to_server; content:"/rating.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006864; classtype:web-application-attack; sid:2006864; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id DELETE"; flow:established,to_server; content:"/rating.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006865; classtype:web-application-attack; sid:2006865; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id ASCII"; flow:established,to_server; content:"/rating.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006866; classtype:web-application-attack; sid:2006866; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id UPDATE"; flow:established,to_server; content:"/rating.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006867; classtype:web-application-attack; sid:2006867; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid SELECT"; flow:established,to_server; content:"/meal_rest.asp?"; nocase; http_uri; content:"mealid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006868; classtype:web-application-attack; sid:2006868; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid UNION SELECT"; flow:established,to_server; content:"/meal_rest.asp?"; nocase; http_uri; content:"mealid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006869; classtype:web-application-attack; sid:2006869; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid INSERT"; flow:established,to_server; content:"/meal_rest.asp?"; nocase; http_uri; content:"mealid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006870; classtype:web-application-attack; sid:2006870; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid DELETE"; flow:established,to_server; content:"/meal_rest.asp?"; nocase; http_uri; content:"mealid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006871; classtype:web-application-attack; sid:2006871; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid ASCII"; flow:established,to_server; content:"/meal_rest.asp?"; nocase; http_uri; content:"mealid="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006872; classtype:web-application-attack; sid:2006872; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid UPDATE"; flow:established,to_server; content:"/meal_rest.asp?"; nocase; http_uri; content:"mealid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006873; classtype:web-application-attack; sid:2006873; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid SELECT"; flow:established,to_server; content:"/res_details.asp?"; nocase; http_uri; content:"resid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006874; classtype:web-application-attack; sid:2006874; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid UNION SELECT"; flow:established,to_server; content:"/res_details.asp?"; nocase; http_uri; content:"resid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006875; classtype:web-application-attack; sid:2006875; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid INSERT"; flow:established,to_server; content:"/res_details.asp?"; nocase; http_uri; content:"resid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006876; classtype:web-application-attack; sid:2006876; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid DELETE"; flow:established,to_server; content:"/res_details.asp?"; nocase; http_uri; content:"resid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006877; classtype:web-application-attack; sid:2006877; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid ASCII"; flow:established,to_server; content:"/res_details.asp?"; nocase; http_uri; content:"resid="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006878; classtype:web-application-attack; sid:2006878; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid UPDATE"; flow:established,to_server; content:"/res_details.asp?"; nocase; http_uri; content:"resid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006879; classtype:web-application-attack; sid:2006879; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Interact embedforum.php Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/embedforum.php?"; nocase; http_uri; content:"CONFIG[LANGUAGE_CPATH]="; nocase; http_uri; pcre:"/CONFIG\[LANGUAGE_CPATH\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/5526; reference:bugtraq,28996; reference:url,doc.emergingthreats.net/2009381; classtype:web-application-attack; sid:2009381; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Interact lib.inc.php Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/scorm/lib.inc.php?"; nocase; http_uri; content:"CONFIG[BASE_PATH]="; nocase; http_uri; pcre:"/CONFIG\[BASE_PATH\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/5526; reference:bugtraq,28996; reference:url,doc.emergingthreats.net/2009386; classtype:web-application-attack; sid:2009386; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_bbcodeloader.php"; flow:established,to_server; content:"/module_bbcodeloader.php?"; nocase; http_uri; content:"| 3C |"; http_uri; content:"SCRIPT"; nocase; http_uri; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2963; reference:url,www.securityfocus.com/bid/24244; reference:url,doc.emergingthreats.net/2004576; classtype:web-application-attack; sid:2004576; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_div.php"; flow:established,to_server; content:"/module_div.php?"; nocase; http_uri; content:"| 3C |"; http_uri; content:"SCRIPT"; nocase; http_uri; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2963; reference:url,www.securityfocus.com/bid/24244; reference:url,doc.emergingthreats.net/2004577; classtype:web-application-attack; sid:2004577; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_email.php"; flow:established,to_server; content:"/module_email.php?"; nocase; http_uri; content:"| 3C |"; http_uri; content:"SCRIPT"; nocase; http_uri; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2963; reference:url,www.securityfocus.com/bid/24244; reference:url,doc.emergingthreats.net/2004578; classtype:web-application-attack; sid:2004578; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_image.php"; flow:established,to_server; content:"/module_image.php?"; nocase; http_uri; content:"| 3C |"; http_uri; content:"SCRIPT"; nocase; http_uri; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2963; reference:url,www.securityfocus.com/bid/24244; reference:url,doc.emergingthreats.net/2004579; classtype:web-application-attack; sid:2004579; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_link.php"; flow:established,to_server; content:"/module_link.php?"; nocase; http_uri; content:"| 3C |"; http_uri; content:"SCRIPT"; nocase; http_uri; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2963; reference:url,www.securityfocus.com/bid/24244; reference:url,doc.emergingthreats.net/2004580; classtype:web-application-attack; sid:2004580; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_table.php editorid"; flow:established,to_server; content:"/jscripts/folder_rte_files/module_table.php?"; nocase; http_uri; content:"editorid="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2963; reference:url,www.securityfocus.com/bid/24244; reference:url,doc.emergingthreats.net/2004581; classtype:web-application-attack; sid:2004581; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP SELECT"; flow:established,to_server; content:"/classes/class_session.php?"; nocase; http_uri; content:"CLIENT_IP="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7071; reference:url,www.milw0rm.com/exploits/2010; reference:url,doc.emergingthreats.net/2004797; classtype:web-application-attack; sid:2004797; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP UNION SELECT"; flow:established,to_server; content:"/classes/class_session.php?"; nocase; http_uri; content:"CLIENT_IP="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7071; reference:url,www.milw0rm.com/exploits/2010; reference:url,doc.emergingthreats.net/2004798; classtype:web-application-attack; sid:2004798; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP INSERT"; flow:established,to_server; content:"/classes/class_session.php?"; nocase; http_uri; content:"CLIENT_IP="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7071; reference:url,www.milw0rm.com/exploits/2010; reference:url,doc.emergingthreats.net/2004799; classtype:web-application-attack; sid:2004799; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP DELETE"; flow:established,to_server; content:"/classes/class_session.php?"; nocase; http_uri; content:"CLIENT_IP="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7071; reference:url,www.milw0rm.com/exploits/2010; reference:url,doc.emergingthreats.net/2004800; classtype:web-application-attack; sid:2004800; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP ASCII"; flow:established,to_server; content:"/classes/class_session.php?"; nocase; http_uri; content:"CLIENT_IP="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7071; reference:url,www.milw0rm.com/exploits/2010; reference:url,doc.emergingthreats.net/2004801; classtype:web-application-attack; sid:2004801; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP UPDATE"; flow:established,to_server; content:"/classes/class_session.php?"; nocase; http_uri; content:"CLIENT_IP="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7071; reference:url,www.milw0rm.com/exploits/2010; reference:url,doc.emergingthreats.net/2004802; classtype:web-application-attack; sid:2004802; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img SELECT"; flow:established,to_server; content:"/forum/modules/gallery/post.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006669; classtype:web-application-attack; sid:2006669; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img UNION SELECT"; flow:established,to_server; content:"/forum/modules/gallery/post.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006670; classtype:web-application-attack; sid:2006670; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img INSERT"; flow:established,to_server; content:"/forum/modules/gallery/post.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006671; classtype:web-application-attack; sid:2006671; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img DELETE"; flow:established,to_server; content:"/forum/modules/gallery/post.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006672; classtype:web-application-attack; sid:2006672; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img ASCII"; flow:established,to_server; content:"/forum/modules/gallery/post.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006673; classtype:web-application-attack; sid:2006673; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img UPDATE"; flow:established,to_server; content:"/forum/modules/gallery/post.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006674; classtype:web-application-attack; sid:2006674; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006675; classtype:web-application-attack; sid:2006675; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006676; classtype:web-application-attack; sid:2006676; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006677; classtype:web-application-attack; sid:2006677; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006678; classtype:web-application-attack; sid:2006678; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006679; classtype:web-application-attack; sid:2006679; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006680; classtype:web-application-attack; sid:2006680; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid SELECT"; flow:established,to_server; content:"/lib/entry_reply_entry.php?"; nocase; http_uri; content:"eid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6369; reference:url,www.securityfocus.com/archive/1/archive/1/453159/100/100/threaded; reference:url,doc.emergingthreats.net/2006681; classtype:web-application-attack; sid:2006681; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid UNION SELECT"; flow:established,to_server; content:"/lib/entry_reply_entry.php?"; nocase; http_uri; content:"eid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6369; reference:url,www.securityfocus.com/archive/1/archive/1/453159/100/100/threaded; reference:url,doc.emergingthreats.net/2006682; classtype:web-application-attack; sid:2006682; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid INSERT"; flow:established,to_server; content:"/lib/entry_reply_entry.php?"; nocase; http_uri; content:"eid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6369; reference:url,www.securityfocus.com/archive/1/archive/1/453159/100/100/threaded; reference:url,doc.emergingthreats.net/2006683; classtype:web-application-attack; sid:2006683; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid DELETE"; flow:established,to_server; content:"/lib/entry_reply_entry.php?"; nocase; http_uri; content:"eid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6369; reference:url,www.securityfocus.com/archive/1/archive/1/453159/100/100/threaded; reference:url,doc.emergingthreats.net/2006684; classtype:web-application-attack; sid:2006684; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid ASCII"; flow:established,to_server; content:"/lib/entry_reply_entry.php?"; nocase; http_uri; content:"eid="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6369; reference:url,www.securityfocus.com/archive/1/archive/1/453159/100/100/threaded; reference:url,doc.emergingthreats.net/2006685; classtype:web-application-attack; sid:2006685; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid UPDATE"; flow:established,to_server; content:"/lib/entry_reply_entry.php?"; nocase; http_uri; content:"eid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6369; reference:url,www.securityfocus.com/archive/1/archive/1/453159/100/100/threaded; reference:url,doc.emergingthreats.net/2006686; classtype:web-application-attack; sid:2006686; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id SELECT"; flow:established,to_server; content:"/ixm_ixpnews.php?"; nocase; http_uri; content:"story_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6754; reference:url,www.securityfocus.com/bid/21710; reference:url,doc.emergingthreats.net/2006207; classtype:web-application-attack; sid:2006207; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id UNION SELECT"; flow:established,to_server; content:"/ixm_ixpnews.php?"; nocase; http_uri; content:"story_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6754; reference:url,www.securityfocus.com/bid/21710; reference:url,doc.emergingthreats.net/2006208; classtype:web-application-attack; sid:2006208; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id INSERT"; flow:established,to_server; content:"/ixm_ixpnews.php?"; nocase; http_uri; content:"story_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6754; reference:url,www.securityfocus.com/bid/21710; reference:url,doc.emergingthreats.net/2006209; classtype:web-application-attack; sid:2006209; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id DELETE"; flow:established,to_server; content:"/ixm_ixpnews.php?"; nocase; http_uri; content:"story_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6754; reference:url,www.securityfocus.com/bid/21710; reference:url,doc.emergingthreats.net/2006210; classtype:web-application-attack; sid:2006210; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id ASCII"; flow:established,to_server; content:"/ixm_ixpnews.php?"; nocase; http_uri; content:"story_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6754; reference:url,www.securityfocus.com/bid/21710; reference:url,doc.emergingthreats.net/2006211; classtype:web-application-attack; sid:2006211; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id UPDATE"; flow:established,to_server; content:"/ixm_ixpnews.php?"; nocase; http_uri; content:"story_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6754; reference:url,www.securityfocus.com/bid/21710; reference:url,doc.emergingthreats.net/2006212; classtype:web-application-attack; sid:2006212; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JE Ajax Event Calendar view Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_jeajaxeventcalendar&"; nocase; http_uri; content:"view="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/12598; reference:url,doc.emergingthreats.net/2011140; classtype:web-application-attack; sid:2011140; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass SELECT"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3204; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005342; classtype:web-application-attack; sid:2005342; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UNION SELECT"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3204; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005343; classtype:web-application-attack; sid:2005343; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass INSERT"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3204; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005344; classtype:web-application-attack; sid:2005344; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass DELETE"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3204; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005345; classtype:web-application-attack; sid:2005345; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass ASCII"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3204; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005346; classtype:web-application-attack; sid:2005346; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UPDATE"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3204; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005347; classtype:web-application-attack; sid:2005347; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user SELECT"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005360; classtype:web-application-attack; sid:2005360; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user UNION SELECT"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005361; classtype:web-application-attack; sid:2005361; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user INSERT"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005362; classtype:web-application-attack; sid:2005362; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user DELETE"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005363; classtype:web-application-attack; sid:2005363; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user ASCII"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005364; classtype:web-application-attack; sid:2005364; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user UPDATE"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005365; classtype:web-application-attack; sid:2005365; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title SELECT"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"title="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1572; reference:url,www.frsirt.com/english/advisories/2007/0940; reference:url,doc.emergingthreats.net/2004152; classtype:web-application-attack; sid:2004152; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title UNION SELECT"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"title="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1572; reference:url,www.frsirt.com/english/advisories/2007/0940; reference:url,doc.emergingthreats.net/2004153; classtype:web-application-attack; sid:2004153; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title INSERT"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"title="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1572; reference:url,www.frsirt.com/english/advisories/2007/0940; reference:url,doc.emergingthreats.net/2004154; classtype:web-application-attack; sid:2004154; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title DELETE"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"title="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1572; reference:url,www.frsirt.com/english/advisories/2007/0940; reference:url,doc.emergingthreats.net/2004155; classtype:web-application-attack; sid:2004155; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title ASCII"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"title="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1572; reference:url,www.frsirt.com/english/advisories/2007/0940; reference:url,doc.emergingthreats.net/2004156; classtype:web-application-attack; sid:2004156; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title UPDATE"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"title="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1572; reference:url,www.frsirt.com/english/advisories/2007/0940; reference:url,doc.emergingthreats.net/2004157; classtype:web-application-attack; sid:2004157; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author SELECT"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"author="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1440; reference:url,www.milw0rm.com/exploits/3470; reference:url,doc.emergingthreats.net/2004337; classtype:web-application-attack; sid:2004337; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author UNION SELECT"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"author="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1440; reference:url,www.milw0rm.com/exploits/3470; reference:url,doc.emergingthreats.net/2004338; classtype:web-application-attack; sid:2004338; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author INSERT"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"author="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1440; reference:url,www.milw0rm.com/exploits/3470; reference:url,doc.emergingthreats.net/2004339; classtype:web-application-attack; sid:2004339; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author DELETE"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"author="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1440; reference:url,www.milw0rm.com/exploits/3470; reference:url,doc.emergingthreats.net/2004340; classtype:web-application-attack; sid:2004340; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author ASCII"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"author="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1440; reference:url,www.milw0rm.com/exploits/3470; reference:url,doc.emergingthreats.net/2004341; classtype:web-application-attack; sid:2004341; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author UPDATE"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"author="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1440; reference:url,www.milw0rm.com/exploits/3470; reference:url,doc.emergingthreats.net/2004342; classtype:web-application-attack; sid:2004342; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq SELECT"; flow:established,to_server; content:"/G_Display.php?"; nocase; http_uri; content:"iCategoryUnq="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004480; classtype:web-application-attack; sid:2004480; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq UNION SELECT"; flow:established,to_server; uricontent:"/G_Display.php?"; nocase; uricontent:"iCategoryUnq="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004481; classtype:web-application-attack; sid:2004481; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq INSERT"; flow:established,to_server; content:"/G_Display.php?"; nocase; http_uri; content:"iCategoryUnq="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004482; classtype:web-application-attack; sid:2004482; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq DELETE"; flow:established,to_server; content:"/G_Display.php?"; nocase; http_uri; content:"iCategoryUnq="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004483; classtype:web-application-attack; sid:2004483; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq ASCII"; flow:established,to_server; content:"/G_Display.php?"; nocase; http_uri; content:"iCategoryUnq="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004484; classtype:web-application-attack; sid:2004484; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq UPDATE"; flow:established,to_server; content:"/G_Display.php?"; nocase; http_uri; content:"iCategoryUnq="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004485; classtype:web-application-attack; sid:2004485; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID SELECT"; flow:established,to_server; content:"/Search/DisplayResults.php?"; nocase; http_uri; content:"iSearchID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004486; classtype:web-application-attack; sid:2004486; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID UNION SELECT"; flow:established,to_server; content:"/Search/DisplayResults.php?"; nocase; http_uri; content:"iSearchID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004487; classtype:web-application-attack; sid:2004487; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID INSERT"; flow:established,to_server; content:"/Search/DisplayResults.php?"; nocase; http_uri; content:"iSearchID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004488; classtype:web-application-attack; sid:2004488; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID DELETE"; flow:established,to_server; content:"/Search/DisplayResults.php?"; nocase; http_uri; content:"iSearchID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004489; classtype:web-application-attack; sid:2004489; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID ASCII"; flow:established,to_server; content:"/Search/DisplayResults.php?"; nocase; http_uri; content:"iSearchID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004490; classtype:web-application-attack; sid:2004490; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID UPDATE"; flow:established,to_server; content:"/Search/DisplayResults.php?"; nocase; http_uri; content:"iSearchID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004491; classtype:web-application-attack; sid:2004491; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username SELECT"; flow:established,to_server; content:"/login.php?"; nocase; http_uri; content:"login_username="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006492; classtype:web-application-attack; sid:2006492; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username UNION SELECT"; flow:established,to_server; content:"/login.php?"; nocase; http_uri; content:"login_username="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006493; classtype:web-application-attack; sid:2006493; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username INSERT"; flow:established,to_server; content:"/login.php?"; nocase; http_uri; content:"login_username="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006494; classtype:web-application-attack; sid:2006494; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username DELETE"; flow:established,to_server; content:"/login.php?"; nocase; http_uri; content:"login_username="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006495; classtype:web-application-attack; sid:2006495; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username ASCII"; flow:established,to_server; content:"/login.php?"; nocase; http_uri; content:"login_username="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006496; classtype:web-application-attack; sid:2006496; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username UPDATE"; flow:established,to_server; content:"/login.php?"; nocase; http_uri; content:"login_username="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006497; classtype:web-application-attack; sid:2006497; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item SELECT"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"item="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006498; classtype:web-application-attack; sid:2006498; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item UNION SELECT"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"item="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006499; classtype:web-application-attack; sid:2006499; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item INSERT"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"item="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006500; classtype:web-application-attack; sid:2006500; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item DELETE"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"item="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006501; classtype:web-application-attack; sid:2006501; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item ASCII"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"item="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006502; classtype:web-application-attack; sid:2006502; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item UPDATE"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"item="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006503; classtype:web-application-attack; sid:2006503; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible JBoss JMX Console Beanshell Deployer WAR Upload and Deployment Exploit Attempt"; flow:established,to_server; content:"/HtmlAdaptor"; nocase; http_uri; content:"action=inspect"; nocase; http_uri; content:"bean"; nocase; http_uri; content:"name="; http_uri; reference:url,www.redteam-pentesting.de/en/publications/jboss/-bridging-the-gap-between-the-enterprise-and-you-or-whos-the-jboss-now; reference:cve,2010-0738; reference:url,doc.emergingthreats.net/2011696; classtype:web-application-attack; sid:2011696; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS JBoss JMX Console Beanshell Deployer .WAR File Upload and Deployment Cross Site Request Forgery Attempt"; flow:established,to_client; content:"/HtmlAdaptor"; nocase; content:"action=invokeOpByName"; nocase; within:25; content:"DeploymentFileRepository"; nocase; within:80; content:"methodName="; nocase; within:25; content:".war"; nocase; distance:0; content:".jsp"; nocase; distance:0; reference:url,www.redteam-pentesting.de/en/publications/jboss/-bridging-the-gap-between-the-enterprise-and-you-or-whos-the-jboss-now; reference:cve,2010-0738; reference:url,doc.emergingthreats.net/2011697; classtype:web-application-attack; sid:2011697; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS JcomBand toolbar ActiveX Control isRegistered Property Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"clsid"; nocase; distance:0; content:"952E3F80-0C34-48CD-829B-A45913B29670"; nocase; distance:0; content:"isRegistered"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*952E3F80-0C34-48CD-829B-A45913B29670/si"; reference:url,www.exploit-db.com/exploits/11059; reference:url,secunia.com/advisories/38081/; reference:url,doc.emergingthreats.net/2010976; classtype:attempted-user; sid:2010976; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php SELECT"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2911; reference:url,www.vbulletin.com/forum/project.php?issueid=21615; reference:url,doc.emergingthreats.net/2004077; classtype:web-application-attack; sid:2004077; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php UNION SELECT"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2911; reference:url,www.vbulletin.com/forum/project.php?issueid=21615; reference:url,doc.emergingthreats.net/2004078; classtype:web-application-attack; sid:2004078; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php INSERT"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2911; reference:url,www.vbulletin.com/forum/project.php?issueid=21615; reference:url,doc.emergingthreats.net/2004079; classtype:web-application-attack; sid:2004079; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php DELETE"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2911; reference:url,www.vbulletin.com/forum/project.php?issueid=21615; reference:url,doc.emergingthreats.net/2004080; classtype:web-application-attack; sid:2004080; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php ASCII"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2911; reference:url,www.vbulletin.com/forum/project.php?issueid=21615; reference:url,doc.emergingthreats.net/2004081; classtype:web-application-attack; sid:2004081; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php UPDATE"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2911; reference:url,www.vbulletin.com/forum/project.php?issueid=21615; reference:url,doc.emergingthreats.net/2004082; classtype:web-application-attack; sid:2004082; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php UNION SELECT"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004147; classtype:web-application-attack; sid:2004147; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin XSS Attempt -- calendar.php"; flow:established,to_server; content:"/calendar.php?"; nocase; http_uri; content:"| 3C |"; http_uri; content:"SCRIPT"; nocase; http_uri; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2909; reference:url,www.vbulletin.com/forum/showthread.php?postid=1355012; reference:url,doc.emergingthreats.net/2004592; classtype:web-application-attack; sid:2004592; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids SELECT"; flow:established,to_server; content:"/inlinemod.php?"; nocase; http_uri; content:"postids="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1292; reference:url,www.milw0rm.com/exploits/3387; reference:url,doc.emergingthreats.net/2004666; classtype:web-application-attack; sid:2004666; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids UNION SELECT"; flow:established,to_server; content:"/inlinemod.php?"; nocase; http_uri; content:"postids="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1292; reference:url,www.milw0rm.com/exploits/3387; reference:url,doc.emergingthreats.net/2004667; classtype:web-application-attack; sid:2004667; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids INSERT"; flow:established,to_server; content:"/inlinemod.php?"; nocase; http_uri; content:"postids="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1292; reference:url,www.milw0rm.com/exploits/3387; reference:url,doc.emergingthreats.net/2004668; classtype:web-application-attack; sid:2004668; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids DELETE"; flow:established,to_server; content:"/inlinemod.php?"; nocase; http_uri; content:"postids="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1292; reference:url,www.milw0rm.com/exploits/3387; reference:url,doc.emergingthreats.net/2004669; classtype:web-application-attack; sid:2004669; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids ASCII"; flow:established,to_server; content:"/inlinemod.php?"; nocase; http_uri; content:"postids="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1292; reference:url,www.milw0rm.com/exploits/3387; reference:url,doc.emergingthreats.net/2004670; classtype:web-application-attack; sid:2004670; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids UPDATE"; flow:established,to_server; content:"/inlinemod.php?"; nocase; http_uri; content:"postids="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1292; reference:url,www.milw0rm.com/exploits/3387; reference:url,doc.emergingthreats.net/2004671; classtype:web-application-attack; sid:2004671; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- main_page.php SELECT"; flow:established,to_server; content:"/main_page.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003939; classtype:web-application-attack; sid:2003939; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- main_page.php UNION SELECT"; flow:established,to_server; content:"/main_page.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003940; classtype:web-application-attack; sid:2003940; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- main_page.php INSERT"; flow:established,to_server; content:"/main_page.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003941; classtype:web-application-attack; sid:2003941; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- main_page.php DELETE"; flow:established,to_server; content:"/main_page.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003942; classtype:web-application-attack; sid:2003942; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- main_page.php ASCII"; flow:established,to_server; content:"/main_page.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003943; classtype:web-application-attack; sid:2003943; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- main_page.php UPDATE"; flow:established,to_server; content:"/main_page.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003944; classtype:web-application-attack; sid:2003944; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- open_tree.php SELECT"; flow:established,to_server; content:"/open_tree.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003945; classtype:web-application-attack; sid:2003945; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- open_tree.php UNION SELECT"; flow:established,to_server; content:"/open_tree.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003946; classtype:web-application-attack; sid:2003946; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- open_tree.php INSERT"; flow:established,to_server; content:"/open_tree.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003947; classtype:web-application-attack; sid:2003947; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- open_tree.php DELETE"; flow:established,to_server; content:"/open_tree.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003948; classtype:web-application-attack; sid:2003948; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- open_tree.php ASCII"; flow:established,to_server; content:"/open_tree.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003949; classtype:web-application-attack; sid:2003949; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- open_tree.php UPDATE"; flow:established,to_server; content:"/open_tree.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003950; classtype:web-application-attack; sid:2003950; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- outputs.php SELECT"; flow:established,to_server; content:"/outputs.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003951; classtype:web-application-attack; sid:2003951; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- outputs.php UNION SELECT"; flow:established,to_server; content:"/outputs.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003952; classtype:web-application-attack; sid:2003952; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- outputs.php INSERT"; flow:established,to_server; content:"/outputs.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003953; classtype:web-application-attack; sid:2003953; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- outputs.php DELETE"; flow:established,to_server; content:"/outputs.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003954; classtype:web-application-attack; sid:2003954; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- outputs.php ASCII"; flow:established,to_server; content:"/outputs.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003955; classtype:web-application-attack; sid:2003955; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- outputs.php UPDATE"; flow:established,to_server; content:"/outputs.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003956; classtype:web-application-attack; sid:2003956; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php view SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"view="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003957; classtype:web-application-attack; sid:2003957; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php view UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"view="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003958; classtype:web-application-attack; sid:2003958; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php view INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"view="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003959; classtype:web-application-attack; sid:2003959; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php view DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"view="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003960; classtype:web-application-attack; sid:2003960; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php view ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"view="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003961; classtype:web-application-attack; sid:2003961; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php view UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"view="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003962; classtype:web-application-attack; sid:2003962; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- opentree.php id SELECT"; flow:established,to_server; content:"/admin/cms/opentree.php?"; nocase; http_uri; content:"id["; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003963; classtype:web-application-attack; sid:2003963; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- opentree.php id UNION SELECT"; flow:established,to_server; content:"/admin/cms/opentree.php?"; nocase; http_uri; content:"id["; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003964; classtype:web-application-attack; sid:2003964; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- opentree.php id INSERT"; flow:established,to_server; content:"/admin/cms/opentree.php?"; nocase; http_uri; content:"id["; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003965; classtype:web-application-attack; sid:2003965; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- opentree.php id DELETE"; flow:established,to_server; content:"/admin/cms/opentree.php?"; nocase; http_uri; content:"id["; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003966; classtype:web-application-attack; sid:2003966; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- opentree.php id ASCII"; flow:established,to_server; content:"/admin/cms/opentree.php?"; nocase; http_uri; content:"id["; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003967; classtype:web-application-attack; sid:2003967; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- opentree.php id UPDATE"; flow:established,to_server; content:"/admin/cms/opentree.php?"; nocase; http_uri; content:"id["; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003968; classtype:web-application-attack; sid:2003968; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php login SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"login="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2685; reference:url,www.netvigilance.com/advisory0028; reference:url,doc.emergingthreats.net/2003969; classtype:web-application-attack; sid:2003969; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php login UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"login="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2685; reference:url,www.netvigilance.com/advisory0028; reference:url,doc.emergingthreats.net/2003970; classtype:web-application-attack; sid:2003970; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php login INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"login="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2685; reference:url,www.netvigilance.com/advisory0028; reference:url,doc.emergingthreats.net/2003971; classtype:web-application-attack; sid:2003971; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php login DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"login="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2685; reference:url,www.netvigilance.com/advisory0028; reference:url,doc.emergingthreats.net/2003972; classtype:web-application-attack; sid:2003972; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php login ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"login="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2685; reference:url,www.netvigilance.com/advisory0028; reference:url,doc.emergingthreats.net/2003973; classtype:web-application-attack; sid:2003973; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php login UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"login="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2685; reference:url,www.netvigilance.com/advisory0028; reference:url,doc.emergingthreats.net/2003974; classtype:web-application-attack; sid:2003974; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS XSS Attempt -- index.php login"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"login="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2686; reference:url,www.osvdb.org/34791; reference:url,doc.emergingthreats.net/2004572; classtype:web-application-attack; sid:2004572; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetik.net ESA sayfalar.php KayitNo Parameter SQL Injection"; flow:established,to_server; content:"GET"; http_method; content:"/sayfalar.php?"; nocase; http_uri; content:"KayitNo="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,31352; reference:url,www.milw0rm.com/exploits/6549; reference:url,doc.emergingthreats.net/2009118; classtype:web-application-attack; sid:2009118; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetik.net ESA diger.php KayitNo Parameter SQL Injection"; flow:established,to_server; content:"GET"; http_method; content:"/diger.php?"; nocase; http_uri; content:"KayitNo="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,31352; reference:url,www.milw0rm.com/exploits/6549; reference:url,doc.emergingthreats.net/2009119; classtype:web-application-attack; sid:2009119; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID SELECT"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"tID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6149; reference:url,www.milw0rm.com/exploits/2836; reference:url,doc.emergingthreats.net/2007344; classtype:web-application-attack; sid:2007344; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID UNION SELECT"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"tID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6149; reference:url,www.milw0rm.com/exploits/2836; reference:url,doc.emergingthreats.net/2007345; classtype:web-application-attack; sid:2007345; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID INSERT"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"tID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6149; reference:url,www.milw0rm.com/exploits/2836; reference:url,doc.emergingthreats.net/2007346; classtype:web-application-attack; sid:2007346; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID DELETE"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"tID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6149; reference:url,www.milw0rm.com/exploits/2836; reference:url,doc.emergingthreats.net/2007347; classtype:web-application-attack; sid:2007347; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID ASCII"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"tID="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6149; reference:url,www.milw0rm.com/exploits/2836; reference:url,doc.emergingthreats.net/2007348; classtype:web-application-attack; sid:2007348; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID UPDATE"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"tID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6149; reference:url,www.milw0rm.com/exploits/2836; reference:url,doc.emergingthreats.net/2007349; classtype:web-application-attack; sid:2007349; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID SELECT"; flow:established,to_server; content:"/openlink.asp?"; nocase; http_uri; content:"LinkID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007350; classtype:web-application-attack; sid:2007350; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID UNION SELECT"; flow:established,to_server; content:"/openlink.asp?"; nocase; http_uri; content:"LinkID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007351; classtype:web-application-attack; sid:2007351; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID INSERT"; flow:established,to_server; content:"/openlink.asp?"; nocase; http_uri; content:"LinkID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007352; classtype:web-application-attack; sid:2007352; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID DELETE"; flow:established,to_server; content:"/openlink.asp?"; nocase; http_uri; content:"LinkID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007353; classtype:web-application-attack; sid:2007353; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID ASCII"; flow:established,to_server; content:"/openlink.asp?"; nocase; http_uri; content:"LinkID="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007354; classtype:web-application-attack; sid:2007354; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID UPDATE"; flow:established,to_server; content:"/openlink.asp?"; nocase; http_uri; content:"LinkID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007355; classtype:web-application-attack; sid:2007355; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID SELECT"; flow:established,to_server; content:"/viewlinks.asp?"; nocase; http_uri; content:"CategoryID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007356; classtype:web-application-attack; sid:2007356; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID UNION SELECT"; flow:established,to_server; content:"/viewlinks.asp?"; nocase; http_uri; content:"CategoryID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007357; classtype:web-application-attack; sid:2007357; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID INSERT"; flow:established,to_server; content:"/viewlinks.asp?"; nocase; http_uri; content:"CategoryID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007358; classtype:web-application-attack; sid:2007358; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID DELETE"; flow:established,to_server; content:"/viewlinks.asp?"; nocase; http_uri; content:"CategoryID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007359; classtype:web-application-attack; sid:2007359; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID ASCII"; flow:established,to_server; content:"/viewlinks.asp?"; nocase; http_uri; content:"CategoryID="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007360; classtype:web-application-attack; sid:2007360; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID UPDATE"; flow:established,to_server; content:"/viewlinks.asp?"; nocase; http_uri; content:"CategoryID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007361; classtype:web-application-attack; sid:2007361; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JMweb MP3 src Multiple Local File Inclusion"; flow:established,to_server; content:"GET"; http_method; pcre:"/(listen.php|download.php)/Ui"; content:"?src="; nocase; http_uri; pcre:"/(\.\.\/){1}/"; reference:url,www.exploit-db.com/exploits/6669/; reference:url,doc.emergingthreats.net/2008651; classtype:web-application-attack; sid:2008651; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Job2C windetail.php adtype Parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/windetail.php?"; nocase; http_uri; content:"adtype="; nocase; http_uri; content:"../"; reference:bugtraq,34537; reference:url,milw0rm.com/exploits/8443; reference:url,doc.emergingthreats.net/2009508; classtype:web-application-attack; sid:2009508; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Job2C detail.php adtype Parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/detail.php?"; nocase; http_uri; content:"adtype="; nocase; http_uri; content:"../"; reference:bugtraq,34537; reference:url,milw0rm.com/exploits/8443; reference:url,doc.emergingthreats.net/2009509; classtype:web-application-attack; sid:2009509; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JobHut browse.php pk Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/browse.php?"; nocase; http_uri; content:"pk="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,34300; reference:url,milw0rm.com/exploits/8318; reference:url,doc.emergingthreats.net/2009730; classtype:web-application-attack; sid:2009730; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary SELECT"; flow:established,to_server; content:"/search.php?"; nocase; http_uri; content:"salary="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1428; reference:url,www.exploit-db.com/exploits/3455/; reference:url,doc.emergingthreats.net/2004373; classtype:web-application-attack; sid:2004373; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary UNION SELECT"; flow:established,to_server; content:"/search.php?"; nocase; http_uri; content:"salary="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1428; reference:url,www.exploit-db.com/exploits/3455/; reference:url,doc.emergingthreats.net/2004374; classtype:web-application-attack; sid:2004374; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary INSERT"; flow:established,to_server; content:"/search.php?"; nocase; http_uri; content:"salary="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1428; reference:url,www.exploit-db.com/exploits/3455/; reference:url,doc.emergingthreats.net/2004375; classtype:web-application-attack; sid:2004375; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary DELETE"; flow:established,to_server; content:"/search.php?"; nocase; http_uri; content:"salary="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1428; reference:url,www.exploit-db.com/exploits/3455/; reference:url,doc.emergingthreats.net/2004376; classtype:web-application-attack; sid:2004376; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary ASCII"; flow:established,to_server; content:"/search.php?"; nocase; http_uri; content:"salary="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1428; reference:url,www.exploit-db.com/exploits/3455/; reference:url,doc.emergingthreats.net/2004377; classtype:web-application-attack; sid:2004377; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary UPDATE"; flow:established,to_server; content:"/search.php?"; nocase; http_uri; content:"salary="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1428; reference:url,www.exploit-db.com/exploits/3455/; reference:url,doc.emergingthreats.net/2004378; classtype:web-application-attack; sid:2004378; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS John Mordo Jobs SQL Injection Attempt -- index.php cid SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; fast_pattern; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2370; reference:url,www.milw0rm.com/exploits/3672; reference:url,doc.emergingthreats.net/2003758; classtype:web-application-attack; sid:2003758; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS John Mordo Jobs SQL Injection Attempt -- index.php cid UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; fast_pattern; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2370; reference:url,www.milw0rm.com/exploits/3672; reference:url,doc.emergingthreats.net/2003759; classtype:web-application-attack; sid:2003759; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS John Mordo Jobs SQL Injection Attempt -- index.php cid INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; fast_pattern; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2370; reference:url,www.milw0rm.com/exploits/3672; reference:url,doc.emergingthreats.net/2003760; classtype:web-application-attack; sid:2003760; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS John Mordo Jobs SQL Injection Attempt -- index.php cid DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; fast_pattern; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2370; reference:url,www.milw0rm.com/exploits/3672; reference:url,doc.emergingthreats.net/2003761; classtype:web-application-attack; sid:2003761; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS John Mordo Jobs SQL Injection Attempt -- index.php cid ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; fast_pattern; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2370; reference:url,www.milw0rm.com/exploits/3672; reference:url,doc.emergingthreats.net/2003762; classtype:web-application-attack; sid:2003762; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS John Mordo Jobs SQL Injection Attempt -- index.php cid UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; fast_pattern; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2370; reference:url,www.milw0rm.com/exploits/3672; reference:url,doc.emergingthreats.net/2003763; classtype:web-application-attack; sid:2003763; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid SELECT"; flow:established,to_server; content:"/models/category.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0387; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005292; classtype:web-application-attack; sid:2005292; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid UNION SELECT"; flow:established,to_server; content:"/models/category.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0387; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005293; classtype:web-application-attack; sid:2005293; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid INSERT"; flow:established,to_server; content:"/models/category.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0387; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005294; classtype:web-application-attack; sid:2005294; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid DELETE"; flow:established,to_server; content:"/models/category.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0387; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005295; classtype:web-application-attack; sid:2005295; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid ASCII"; flow:established,to_server; content:"/models/category.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0387; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005296; classtype:web-application-attack; sid:2005296; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid UPDATE"; flow:established,to_server; content:"/models/category.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0387; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005297; classtype:web-application-attack; sid:2005297; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id SELECT"; flow:established,to_server; content:"/letterman.class.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0382; reference:url,www.securityfocus.com/bid/22117; reference:url,doc.emergingthreats.net/2005298; classtype:web-application-attack; sid:2005298; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UNION SELECT"; flow:established,to_server; content:"/letterman.class.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0382; reference:url,www.securityfocus.com/bid/22117; reference:url,doc.emergingthreats.net/2005299; classtype:web-application-attack; sid:2005299; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id INSERT"; flow:established,to_server; content:"/letterman.class.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0382; reference:url,www.securityfocus.com/bid/22117; reference:url,doc.emergingthreats.net/2005300; classtype:web-application-attack; sid:2005300; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id DELETE"; flow:established,to_server; content:"/letterman.class.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0382; reference:url,www.securityfocus.com/bid/22117; reference:url,doc.emergingthreats.net/2005301; classtype:web-application-attack; sid:2005301; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id ASCII"; flow:established,to_server; content:"/letterman.class.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0382; reference:url,www.securityfocus.com/bid/22117; reference:url,doc.emergingthreats.net/2005302; classtype:web-application-attack; sid:2005302; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UPDATE"; flow:established,to_server; content:"/letterman.class.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0382; reference:url,www.securityfocus.com/bid/22117; reference:url,doc.emergingthreats.net/2005303; classtype:web-application-attack; sid:2005303; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php SELECT"; flow:established,to_server; content:"/plugins/user/example.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005390; classtype:web-application-attack; sid:2005390; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UNION SELECT"; flow:established,to_server; content:"/plugins/user/example.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005391; classtype:web-application-attack; sid:2005391; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php INSERT"; flow:established,to_server; content:"/plugins/user/example.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005802; classtype:web-application-attack; sid:2005802; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php DELETE"; flow:established,to_server; content:"/plugins/user/example.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005392; classtype:web-application-attack; sid:2005392; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php ASCII"; flow:established,to_server; content:"/plugins/user/example.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005394; classtype:web-application-attack; sid:2005394; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE"; flow:established,to_server; content:"/plugins/user/example.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005395; classtype:web-application-attack; sid:2005395; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php SELECT"; flow:established,to_server; content:"/gmail.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005396; classtype:web-application-attack; sid:2005396; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UNION SELECT"; flow:established,to_server; content:"/gmail.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005397; classtype:web-application-attack; sid:2005397; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php INSERT"; flow:established,to_server; content:"/gmail.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005398; classtype:web-application-attack; sid:2005398; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php DELETE"; flow:established,to_server; content:"/gmail.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005399; classtype:web-application-attack; sid:2005399; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php ASCII"; flow:established,to_server; content:"/gmail.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005400; classtype:web-application-attack; sid:2005400; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UPDATE"; flow:established,to_server; content:"/gmail.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005401; classtype:web-application-attack; sid:2005401; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php SELECT"; flow:established,to_server; content:"/example.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005402; classtype:web-application-attack; sid:2005402; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UNION SELECT"; flow:established,to_server; content:"/example.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005403; classtype:web-application-attack; sid:2005403; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php INSERT"; flow:established,to_server; content:"/example.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005404; classtype:web-application-attack; sid:2005404; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php DELETE"; flow:established,to_server; content:"/example.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005405; classtype:web-application-attack; sid:2005405; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php ASCII"; flow:established,to_server; content:"/example.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005406; classtype:web-application-attack; sid:2005406; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE"; flow:established,to_server; content:"/example.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005407; classtype:web-application-attack; sid:2005407; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php SELECT"; flow:established,to_server; content:"/plugins/authentication/ldap.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005408; classtype:web-application-attack; sid:2005408; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php UNION SELECT"; flow:established,to_server; content:"/plugins/authentication/ldap.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005409; classtype:web-application-attack; sid:2005409; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php INSERT"; flow:established,to_server; content:"/plugins/authentication/ldap.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005410; classtype:web-application-attack; sid:2005410; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php DELETE"; flow:established,to_server; content:"/plugins/authentication/ldap.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005411; classtype:web-application-attack; sid:2005411; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php ASCII"; flow:established,to_server; content:"/plugins/authentication/ldap.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005412; classtype:web-application-attack; sid:2005412; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php UPDATE"; flow:established,to_server; content:"/plugins/authentication/ldap.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005413; classtype:web-application-attack; sid:2005413; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php SELECT"; flow:established,to_server; content:"/modules/mod_mainmenu/menu.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005414; classtype:web-application-attack; sid:2005414; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php UNION SELECT"; flow:established,to_server; content:"/modules/mod_mainmenu/menu.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005415; classtype:web-application-attack; sid:2005415; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php INSERT"; flow:established,to_server; content:"/modules/mod_mainmenu/menu.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005416; classtype:web-application-attack; sid:2005416; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php DELETE"; flow:established,to_server; content:"/modules/mod_mainmenu/menu.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005417; classtype:web-application-attack; sid:2005417; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php ASCII"; flow:established,to_server; content:"/modules/mod_mainmenu/menu.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005418; classtype:web-application-attack; sid:2005418; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php UPDATE"; flow:established,to_server; content:"/modules/mod_mainmenu/menu.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005419; classtype:web-application-attack; sid:2005419; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where SELECT"; flow:established,to_server; content:"/plugins/search/content.php?"; nocase; http_uri; content:"where="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005420; classtype:web-application-attack; sid:2005420; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UNION SELECT"; flow:established,to_server; content:"/plugins/search/content.php?"; nocase; http_uri; content:"where="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005421; classtype:web-application-attack; sid:2005421; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where INSERT"; flow:established,to_server; content:"/plugins/search/content.php?"; nocase; http_uri; content:"where="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005422; classtype:web-application-attack; sid:2005422; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where DELETE"; flow:established,to_server; content:"/plugins/search/content.php?"; nocase; http_uri; content:"where="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005423; classtype:web-application-attack; sid:2005423; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where ASCII"; flow:established,to_server; content:"/plugins/search/content.php?"; nocase; http_uri; content:"where="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005424; classtype:web-application-attack; sid:2005424; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UPDATE"; flow:established,to_server; content:"/plugins/search/content.php?"; nocase; http_uri;content:"where="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005425; classtype:web-application-attack; sid:2005425; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where SELECT"; flow:established,to_server; content:"/plugins/search/weblinks.php?"; nocase; http_uri; content:"where="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005426; classtype:web-application-attack; sid:2005426; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UNION SELECT"; flow:established,to_server; content:"/plugins/search/weblinks.php?"; nocase; http_uri; content:"where="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005427; classtype:web-application-attack; sid:2005427; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where INSERT"; flow:established,to_server; content:"/plugins/search/weblinks.php?"; nocase; http_uri; content:"where="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005428; classtype:web-application-attack; sid:2005428; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where DELETE"; flow:established,to_server; content:"/plugins/search/weblinks.php?"; nocase; http_uri; content:"where="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005429; classtype:web-application-attack; sid:2005429; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where ASCII"; flow:established,to_server; content:"/plugins/search/weblinks.php?"; nocase; http_uri; content:"where="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005430; classtype:web-application-attack; sid:2005430; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UPDATE"; flow:established,to_server; content:"/plugins/search/weblinks.php?"; nocase; http_uri; content:"where="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005431; classtype:web-application-attack; sid:2005431; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text SELECT"; flow:established,to_server; content:"/plugins/search/contacts.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005432; classtype:web-application-attack; sid:2005432; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text UNION SELECT"; flow:established,to_server; content:"/plugins/search/contacts.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005433; classtype:web-application-attack; sid:2005433; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text INSERT"; flow:established,to_server; content:"/plugins/search/contacts.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005434; classtype:web-application-attack; sid:2005434; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text DELETE"; flow:established,to_server; content:"/plugins/search/contacts.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005435; classtype:web-application-attack; sid:2005435; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text ASCII"; flow:established,to_server; content:"/plugins/search/contacts.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005436; classtype:web-application-attack; sid:2005436; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text UPDATE"; flow:established,to_server; content:"/plugins/search/contacts.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005437; classtype:web-application-attack; sid:2005437; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text SELECT"; flow:established,to_server; content:"/plugins/search/categories.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005438; classtype:web-application-attack; sid:2005438; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UNION SELECT"; flow:established,to_server; content:"/plugins/search/categories.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005439; classtype:web-application-attack; sid:2005439; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text INSERT"; flow:established,to_server; content:"/plugins/search/categories.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005440; classtype:web-application-attack; sid:2005440; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text DELETE"; flow:established,to_server; content:"/plugins/search/categories.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005441; classtype:web-application-attack; sid:2005441; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text ASCII"; flow:established,to_server; content:"/plugins/search/categories.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005442; classtype:web-application-attack; sid:2005442; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UPDATE"; flow:established,to_server; content:"/plugins/search/categories.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005443; classtype:web-application-attack; sid:2005443; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text SELECT"; flow:established,to_server; content:"/plugins/search/sections.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005444; classtype:web-application-attack; sid:2005444; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text UNION SELECT"; flow:established,to_server; content:"/plugins/search/sections.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005445; classtype:web-application-attack; sid:2005445; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text INSERT"; flow:established,to_server; content:"/plugins/search/sections.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005446; classtype:web-application-attack; sid:2005446; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text DELETE"; flow:established,to_server; content:"/plugins/search/sections.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005447; classtype:web-application-attack; sid:2005447; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text ASCII"; flow:established,to_server; content:"/plugins/search/sections.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005448; classtype:web-application-attack; sid:2005448; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text UPDATE"; flow:established,to_server; content:"/plugins/search/sections.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005449; classtype:web-application-attack; sid:2005449; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email SELECT"; flow:established,to_server; content:"/database/table/user.php?"; nocase; http_uri; content:"email="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005450; classtype:web-application-attack; sid:2005450; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email UNION SELECT"; flow:established,to_server; content:"/database/table/user.php?"; nocase; http_uri; content:"email="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005451; classtype:web-application-attack; sid:2005451; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email INSERT"; flow:established,to_server; content:"/database/table/user.php?"; nocase; http_uri; content:"email="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005452; classtype:web-application-attack; sid:2005452; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email DELETE"; flow:established,to_server; content:"/database/table/user.php?"; nocase; http_uri; content:"email="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005453; classtype:web-application-attack; sid:2005453; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email ASCII"; flow:established,to_server; content:"/database/table/user.php?"; nocase; http_uri; content:"email="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005454; classtype:web-application-attack; sid:2005454; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email UPDATE"; flow:established,to_server; content:"/database/table/user.php?"; nocase; http_uri; content:"email="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005455; classtype:web-application-attack; sid:2005455; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla DS-Syndicate Component feed_id SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/index2.php?option=ds-syndicate"; nocase; http_uri; content:"version=1"; nocase; http_uri; content:"feed_id="; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,www.secunia.com/advisories/32321; reference:url,www.exploit-db.com/exploits/6792/; reference:url,doc.emergingthreats.net/2008685; classtype:web-application-attack; sid:2008685; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_pro_desk"; nocase; http_uri; content:"include_file="; nocase; http_uri; pcre:"/(\.\.\/){1}/U"; reference:url,secunia.com/advisories/32523/; reference:url,www.exploit-db.com/exploits/6980/; reference:url,doc.emergingthreats.net/2008822; classtype:web-application-attack; sid:2008822; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Simple RSS Reader admin.rssreader.php mosConfig_live_site Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/admin.rssreader.php?"; nocase; http_uri; content:"mosConfig_live_site="; nocase; http_uri; pcre:"/mosConfig_live_site=\s*(https?|ftps?|php)\:\//Ui"; reference:url,vupen.com/english/advisories/2008/3119; reference:bugtraq,32265; reference:url,www.exploit-db.com/exploits/7096/; reference:url,doc.emergingthreats.net/2009369; classtype:web-application-attack; sid:2009369; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Full Path Disclosure -- php5x.php"; flow:to_server,established; content:"GET"; http_method; content:"/libraries/joomla/utilities/compat/php50x.php"; nocase; http_uri; reference:bugtraq,35780; reference:url,www.securityfocus.com/archive/1/505231; reference:url,doc.emergingthreats.net/2009778; classtype:attempted-recon; sid:2009778; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Full Path Disclosure -- ldap.php"; flow:to_server,established; content:"GET"; http_method; content:"/libraries/joomla/client/ldap.php"; nocase; http_uri; reference:bugtraq,35780; reference:url,www.securityfocus.com/archive/1/505231; reference:url,doc.emergingthreats.net/2009779; classtype:attempted-recon; sid:2009779; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Full Path Disclosure -- content.php"; flow:to_server,established; content:"GET"; http_method; content:"/libraries/joomla/html/html/content.php"; nocase; http_uri; reference:bugtraq,35780; reference:url,www.securityfocus.com/archive/1/505231; reference:url,doc.emergingthreats.net/2009780; classtype:attempted-recon; sid:2009780; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla portalid Component UNION SELECT SQL Injection"; flow:established,to_server; content:"/index.php?option=com_artportal&portalid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,www.exploit-db.com/exploits/9563/; reference:url,www.securityfocus.com/bid/36206/info; reference:url,doc.emergingthreats.net/2009834; classtype:web-application-attack; sid:2009834; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla portalid Component SELECT FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_artportal&portalid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,www.exploit-db.com/exploits/9563/; reference:url,www.securityfocus.com/bid/36206/info; reference:url,doc.emergingthreats.net/2009835; classtype:web-application-attack; sid:2009835; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla portalid Component DELETE FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_artportal&portalid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,www.exploit-db.com/exploits/9563/; reference:url,www.securityfocus.com/bid/36206/info; reference:url,doc.emergingthreats.net/2009836; classtype:web-application-attack; sid:2009836; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Joomla Com_joomlub Component Union Select SQL Injection"; flow:to_server,established; content:"/index.php?option=com_joomlub&controller=auction&view=auction&task=edit&aid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,www.exploit-db.com/exploits/9593/; reference:url,doc.emergingthreats.net/2009881; classtype:web-application-attack; sid:2009881; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS joomla com_djcatalog component SELECT FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_djcatalog&view=showItem&id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,www.exploit-db.com/exploits/9693/; reference:url,doc.emergingthreats.net/2009913; classtype:web-application-attack; sid:2009913; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS joomla com_djcatalog component DELETE FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_djcatalog&view=showItem&id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,www.exploit-db.com/exploits/9693/; reference:url,doc.emergingthreats.net/2009914; classtype:web-application-attack; sid:2009914; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS joomla com_djcatalog component INSERT INTO SQL Injection"; flow:established,to_server; content:"/index.php?option=com_djcatalog&view=showItem&id="; nocase; http_uri; content:"INSER"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,www.exploit-db.com/exploits/9693/; reference:url,doc.emergingthreats.net/2009915; classtype:web-application-attack; sid:2009915; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS joomla com_djcatalog component UNION SELECT SQL Injection"; flow:established,to_server; content:"/index.php?option=com_djcatalog&view=showItem&id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,www.exploit-db.com/exploits/9693/; reference:url,doc.emergingthreats.net/2009916; classtype:web-application-attack; sid:2009916; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS joomla com_djcatalog component UPDATE SET SQL Injection"; flow:established,to_server; content:"/index.php?option=com_djcatalog&view=showItem&id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,www.exploit-db.com/exploits/9693/; reference:url,doc.emergingthreats.net/2009917; classtype:web-application-attack; sid:2009917; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter SELECT FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_jlord_rss&task=feed&id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36427/info; reference:url,doc.emergingthreats.net/2009919; classtype:web-application-attack; sid:2009919; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter DELETE FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_jlord_rss&task=feed&id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36427/info; reference:url,doc.emergingthreats.net/2009920; classtype:web-application-attack; sid:2009920; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter UNION SELECT SQL Injection"; flow:established,to_server; content:"/index.php?option=com_jlord_rss&task=feed&id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,www.securityfocus.com/bid/36427/info; reference:url,doc.emergingthreats.net/2009921; classtype:web-application-attack; sid:2009921; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter INSERT INTO SQL Injection"; flow:established,to_server; content:"/index.php?option=com_jlord_rss&task=feed&id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,www.securityfocus.com/bid/36427/info; reference:url,doc.emergingthreats.net/2009924; classtype:web-application-attack; sid:2009924; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter UPDATE SET SQL Injection"; flow:established,to_server; content:"/index.php?option=com_jlord_rss&task=feed&id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,www.securityfocus.com/bid/36427/info; reference:url,doc.emergingthreats.net/2009922; classtype:web-application-attack; sid:2009922; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Joomla! com_album Component Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?option=com_album&"; nocase; http_uri; content:"Itemid=128&"; nocase; http_uri; content:"target="; nocase; http_uri; reference:url,www.securityfocus.com/bid/36441/info; reference:url,www.exploit-db.com/exploits/9706/; reference:url,doc.emergingthreats.net/2009929; classtype:web-application-attack; sid:2009929; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Mambo/Joomla! com_koesubmit Component 'koesubmit.php' Remote File Inclusion Attempt"; flow:established,to_server; content:"/com_koesubmit/koesubmit.php?"; nocase; http_uri; content:"="; http_uri; pcre:"/\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A)/Ui"; reference:url,www.securityfocus.com/bid/36447/info; reference:url,www.owasp.org/index.php/PHP_File_Inclusion; reference:url,doc.emergingthreats.net/2009933; classtype:web-application-attack; sid:2009933; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ideal MooFAQ Joomla Component file_includer.php file Parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/components/com_moofaq/includes/file_includer.php?"; nocase; http_uri; content:"file="; nocase; http_uri; content:"../"; depth:200; reference:bugtraq,35259; reference:url,www.exploit-db.com/exploits/8898/; reference:url,doc.emergingthreats.net/2009934; classtype:web-application-attack; sid:2009934; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component SELECT FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_surveymanager"; nocase; http_uri; content:"task=editsurvey&"; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36464/info; reference:url,doc.emergingthreats.net/2009938; classtype:web-application-attack; sid:2009938; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component DELETE FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_surveymanager"; nocase; http_uri; content:"task=editsurvey&"; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36464/info; reference:url,doc.emergingthreats.net/2009939; classtype:web-application-attack; sid:2009939; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component UNION SELECT SQL Injection"; flow:established,to_server; content:"/index.php?option=com_surveymanager"; nocase; http_uri; content:"task=editsurvey&"; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,www.securityfocus.com/bid/36464/info; reference:url,doc.emergingthreats.net/2009940; classtype:web-application-attack; sid:2009940; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component INSERT INTO SQL Injection"; flow:established,to_server; content:"/index.php?option=com_surveymanager"; nocase; http_uri; content:"task=editsurvey&"; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,www.securityfocus.com/bid/36464/info; reference:url,doc.emergingthreats.net/2009941; classtype:web-application-attack; sid:2009941; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component UPDATE SET SQL Injection"; flow:established,to_server; content:"/index.php?option=com_surveymanager"; nocase; http_uri; content:"task=editsurvey&"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,www.securityfocus.com/bid/36464/info; reference:url,doc.emergingthreats.net/2009942; classtype:web-application-attack; sid:2009942; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter SELECT FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_jbudgetsmagic"; nocase; http_uri; content:"view=mybudget&"; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36461/info; reference:url,doc.emergingthreats.net/2009943; classtype:web-application-attack; sid:2009943; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter DELETE FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_jbudgetsmagic"; nocase; http_uri; content:"view=mybudget&"; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36461/info; reference:url,doc.emergingthreats.net/2009944; classtype:web-application-attack; sid:2009944; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter UNION SELECT SQL Injection"; flow:established,to_server; content:"/index.php?option=com_jbudgetsmagic"; nocase; http_uri; content:"view=mybudget&"; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,www.securityfocus.com/bid/36461/info; reference:url,doc.emergingthreats.net/2009945; classtype:web-application-attack; sid:2009945; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter INSERT INTO SQL Injection"; flow:established,to_server; content:"/index.php?option=com_jbudgetsmagic"; nocase; http_uri; content:"view=mybudget&"; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,www.securityfocus.com/bid/36461/info; reference:url,doc.emergingthreats.net/2009946; classtype:web-application-attack; sid:2009946; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter UPDATE SET SQL Injection"; flow:established,to_server; content:"/index.php?option=com_jbudgetsmagic"; nocase; http_uri; content:"view=mybudget&"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,www.securityfocus.com/bid/36461/info; reference:url,doc.emergingthreats.net/2009947; classtype:web-application-attack; sid:2009947; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component SELECT FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_facebook"; nocase; http_uri; content:"view=student"; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36484/info; reference:url,doc.emergingthreats.net/2009956; classtype:web-application-attack; sid:2009956; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component DELETE FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_facebook"; nocase; http_uri; content:"view=student"; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36484/info; reference:url,doc.emergingthreats.net/2009957; classtype:web-application-attack; sid:2009957; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component UNION SELECT SQL Injection"; flow:established,to_server; content:"/index.php?option=com_facebook"; nocase; http_uri; content:"view=student"; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,www.securityfocus.com/bid/36484/info; reference:url,doc.emergingthreats.net/2009958; classtype:web-application-attack; sid:2009958; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component INSERT INTO SQL Injection"; flow:established,to_server; content:"/index.php?option=com_facebook"; nocase; http_uri; content:"view=student"; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,www.securityfocus.com/bid/36484/info; reference:url,doc.emergingthreats.net/2009959; classtype:web-application-attack; sid:2009959; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component UPDATE SET SQL Injection"; flow:established,to_server; content:"/index.php?option=com_facebook"; nocase; http_uri; content:"view=student"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,www.securityfocus.com/bid/36484/info; reference:url,doc.emergingthreats.net/2009960; classtype:web-application-attack; sid:2009960; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SportFusion Component SELECT FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_sportfusion"; nocase; http_uri; content:"view=teamdetail"; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36481/info; reference:url,doc.emergingthreats.net/2009961; classtype:web-application-attack; sid:2009961; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SportFusion Component DELETE FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_sportfusion"; nocase; http_uri; content:"view=teamdetail"; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36481/info; reference:url,doc.emergingthreats.net/2009962; classtype:web-application-attack; sid:2009962; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SportFusion Component UNION SELECT SQL Injection"; flow:established,to_server; content:"/index.php?option=com_sportfusion"; nocase; http_uri; content:"view=teamdetail"; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,www.securityfocus.com/bid/36481/info; reference:url,doc.emergingthreats.net/2009963; classtype:web-application-attack; sid:2009963; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SportFusion Component INSERT INTO SQL Injection"; flow:established,to_server; content:"/index.php?option=com_sportfusion"; nocase; http_uri; content:"view=teamdetail"; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,www.securityfocus.com/bid/36481/info; reference:url,doc.emergingthreats.net/2009964; classtype:web-application-attack; sid:2009964; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SportFusion Component UPDATE SET SQL Injection"; flow:established,to_server; content:"/index.php?option=com_sportfusion"; nocase; http_uri; content:"view=teamdetail"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,www.securityfocus.com/bid/36481/info; reference:url,doc.emergingthreats.net/2009965; classtype:web-application-attack; sid:2009965; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component 'id' Parameter UNION SELECT SQL Injection"; flow:established,to_server; content:"/index.php?option=com_gameserver"; nocase; http_uri; content:"view=gamepanel"; nocase; http_uri; content:"id="; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,www.securityfocus.com/bid/36213/info; reference:url,doc.emergingthreats.net/2010014; classtype:web-application-attack; sid:2010014; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component 'id' Parameter SELECT FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_gameserver"; nocase; http_uri; content:"view=gamepanel"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36213/info; reference:url,doc.emergingthreats.net/2010015; classtype:web-application-attack; sid:2010015; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component 'id' Parameter DELETE FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_gameserver"; nocase; http_uri; content:"view=gamepanel"; nocase; http_uri; content:"id="; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36213/info; reference:url,doc.emergingthreats.net/2010016; classtype:web-application-attack; sid:2010016; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component 'id' Parameter UPDATE SET SQL Injection"; flow:established,to_server; content:"/index.php?option=com_gameserver"; nocase; http_uri; content:"view=gamepanel"; nocase; http_uri; content:"id="; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,www.securityfocus.com/bid/36213/info; reference:url,doc.emergingthreats.net/2010017; classtype:web-application-attack; sid:2010017; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Joomla Game Server Component id Parameter INSERT INTO SQL Injection"; flow:established,to_server; content:"/index.php?option=com_gameserver"; nocase; http_uri; content:"view=gamepanel"; nocase; http_uri; content:"id="; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,www.securityfocus.com/bid/36213/info; reference:url,doc.emergingthreats.net/2010018; classtype:web-application-attack; sid:2010018; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter SELECT FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_cbresumebuilder"; nocase; http_uri; content:"task=group_members"; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36598/info; reference:url,doc.emergingthreats.net/2010040; classtype:web-application-attack; sid:2010040; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter DELETE FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_cbresumebuilder"; nocase; http_uri; content:"task=group_members"; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36598/info; reference:url,doc.emergingthreats.net/2010041; classtype:web-application-attack; sid:2010041; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter UNION SELECT SQL Injection"; flow:established,to_server; content:"/index.php?option=com_cbresumebuilder"; nocase; http_uri; content:"task=group_members"; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,www.securityfocus.com/bid/36598/info; reference:url,doc.emergingthreats.net/2010042; classtype:web-application-attack; sid:2010042; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter INSERT INTO SQL Injection"; flow:established,to_server; content:"/index.php?option=com_cbresumebuilder"; nocase; http_uri; content:"task=group_members"; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,www.securityfocus.com/bid/36598/info; reference:url,doc.emergingthreats.net/2010043; classtype:web-application-attack; sid:2010043; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter UPDATE SET SQL Injection"; flow:established,to_server; content:"/index.php?option=com_cbresumebuilder"; nocase; http_uri; content:"task=group_members"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,www.securityfocus.com/bid/36598/info; reference:url,doc.emergingthreats.net/2010044; classtype:web-application-attack; sid:2010044; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! Soundset Component 'cat_id' Parameter SELECT FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_soundset"; nocase; http_uri; content:"showcategory"; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36597/info; reference:url,doc.emergingthreats.net/2010045; classtype:web-application-attack; sid:2010045; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! Soundset Component 'cat_id' Parameter DELETE FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_soundset"; nocase; http_uri; content:"showcategory"; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36597/info; reference:url,doc.emergingthreats.net/2010046; classtype:web-application-attack; sid:2010046; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! Soundset Component 'cat_id' Parameter UNION SELECT SQL Injection"; flow:established,to_server; content:"/index.php?option=com_soundset"; nocase; http_uri; content:"showcategory"; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,www.securityfocus.com/bid/36597/info; reference:url,doc.emergingthreats.net/2010047; classtype:web-application-attack; sid:2010047; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! Soundset Component 'cat_id' Parameter INSERT INTO SQL Injection"; flow:established,to_server; content:"/index.php?option=com_soundset"; nocase; http_uri; content:"showcategory"; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,www.securityfocus.com/bid/36597/info; reference:url,doc.emergingthreats.net/2010048; classtype:web-application-attack; sid:2010048; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla AjaxChat Component ajcuser.php GLOBALS Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"/components/com_ajaxchat/tests/ajcuser.php?"; nocase; http_uri; content:"GLOBALS[mosConfig_absolute_path]="; nocase; http_uri; pcre:"/GLOBALS\[mosConfig_absolute_path\]\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/59056; reference:url,packetstormsecurity.org/0910-exploits/joomlaajaxchat-rfi.txt; reference:url,doc.emergingthreats.net/2010260; classtype:web-application-attack; sid:2010260; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"index.php?option=com_photoblog&"; nocase; http_uri; content:"&category="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,36809; reference:url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt; reference:url,doc.emergingthreats.net/2010349; classtype:web-application-attack; sid:2010349; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"index.php?option=com_photoblog&"; nocase; http_uri; content:"&category="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,36809; reference:url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt; reference:url,doc.emergingthreats.net/2010350; classtype:web-application-attack; sid:2010350; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"index.php?option=com_photoblog&"; nocase; http_uri; content:"&category="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,36809; reference:url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt; reference:url,doc.emergingthreats.net/2010351; classtype:web-application-attack; sid:2010351; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"index.php?option=com_photoblog&"; nocase; http_uri; content:"&category="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,36809; reference:url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt; reference:url,doc.emergingthreats.net/2010352; classtype:web-application-attack; sid:2010352; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"index.php?option=com_photoblog&"; nocase; http_uri; content:"&category="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,36809; reference:url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt; reference:url,doc.emergingthreats.net/2010353; classtype:web-application-attack; sid:2010353; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla eZine Component d4m_ajax_pagenav.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/components/com_ezine/class/php/d4m_ajax_pagenav.php?"; nocase; http_uri; content:"GLOBALS[mosConfig_absolute_path]="; nocase; http_uri; pcre:"/GLOBALS\[mosConfig_absolute_path\]\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,37043; reference:url,doc.emergingthreats.net/2010474; classtype:web-application-attack; sid:2010474; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"index.php?option=com_jshop&"; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,36808; reference:url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt; reference:url,doc.emergingthreats.net/2010476; classtype:web-application-attack; sid:2010476; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"index.php?option=com_jshop&"; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,36808; reference:url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt; reference:url,doc.emergingthreats.net/2010477; classtype:web-application-attack; sid:2010477; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"index.php?option=com_jshop&"; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,36808; reference:url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt; reference:url,doc.emergingthreats.net/2010478; classtype:web-application-attack; sid:2010478; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"index.php?option=com_jshop&"; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,36808; reference:url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt; reference:url,doc.emergingthreats.net/2010479; classtype:web-application-attack; sid:2010479; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"index.php?option=com_jshop&"; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,36808; reference:url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt; reference:url,doc.emergingthreats.net/2010480; classtype:web-application-attack; sid:2010480; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla MyRemote Video Gallery (user_id) Blind SQL Injection Attempt"; flow:established,to_server; content:"user_id="; http_uri; content:"option=com_mytube"; nocase; http_uri; content:"index.php?"; nocase; http_uri; pcre:"/user_id=[^\s\x26\x3B\x2f]*[\s\x2f]/iU"; reference:url,milw0rm.org/exploits/9733; reference:url,doc.emergingthreats.net/2010528; classtype:web-application-attack; sid:2010528; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla component com_jinc (newsid) Blind SQL Injection Attempt"; flow:established,to_server; content:"option=com_jinc"; nocase; http_uri; content:"newsid="; nocase; http_uri; content:"index.php?"; nocase; http_uri; pcre:"/newsid=[^\s\x26\x3B\x2f]*[\s\x2f]/iU"; reference:url,milw0rm.org/exploits/9732; reference:url,doc.emergingthreats.net/2010529; classtype:web-application-attack; sid:2010529; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component City Portal (Itemid) Blind SQL Injection Attempt"; flow:established,to_server; content:"/city_portal/index.php?"; nocase; http_uri; content:"Itemid="; nocase; http_uri; pcre:"/(\?|&)Itemid=[^\s\x26\x3B\x2f]*[\s\x2f]/iU"; reference:url,packetstormsecurity.org/0912-exploits/joomlacp-sql.txt; reference:url,doc.emergingthreats.net/2010535; classtype:web-application-attack; sid:2010535; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component Event Manager 1.5 (id) Blind SQL Injection Attempt"; flow:established,to_server; content:"/eventmanager/index.php?"; nocase; http_uri; content:"id="; nocase; http_uri; pcre:"/(\?|&)id=[^\s\x26\x3B\x2f]*[\s\x2f]/iU"; reference:url,packetstormsecurity.org/0912-exploits/joomlacp-sql.txt; reference:url,doc.emergingthreats.net/2010536; classtype:web-application-attack; sid:2010536; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_zcalendar (eid) Blind SQL Injection Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_zcalendar"; nocase; http_uri; content:"eid="; nocase; http_uri; pcre:"/(\?|&)eid=[^\s\x26\x3B\x2f]*[\s\x2f]/iU"; reference:url,packetstormsecurity.org/0912-exploits/joomlazal-sql.txt; reference:url,doc.emergingthreats.net/2010537; classtype:web-application-attack; sid:2010537; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_acmis (Itemid) SQL Injection Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_acmisc"; nocase; http_uri; content:"Itemid="; nocase; http_uri; pcre:"/(\?|&)Itemid=[^\s\x26\x3B\x2f]*[\s\x2f]/iU"; reference:url,packetstormsecurity.org/0912-exploits/joomlazal-sql.txt; reference:url,doc.emergingthreats.net/2010538; classtype:web-application-attack; sid:2010538; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_digistore (pid) Blind SQL Injection Attempt"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"option=com_digistore"; nocase; uricontent:"pid="; nocase; pcre:"/(\?|&)pid=[^\s\x26\x3B\x2f]*[\s\x2f]/iU"; reference:url,packetstormsecurity.org/0903-exploits/joomladigistore-sql.txt; reference:url,doc.emergingthreats.net/2010539; classtype:web-application-attack; sid:2010539; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_jbook (Itemid) Blind SQL Injection Attempt"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"option=com_jbook"; nocase; uricontent:"Itemid="; nocase; pcre:"/(\?|&)Itemid=[^\s\x26\x3B\x2f]*[\s\x2f]/iU"; reference:url,packetstormsecurity.org/filedesc/joomlajbook-sql.txt.html; reference:url,doc.emergingthreats.net/2010540; classtype:web-application-attack; sid:2010540; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_personel (id) Blind SQL Injection Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_personel"; nocase; http_uri; content:"id="; nocase; http_uri; pcre:"/(\?|&)id=[^\s\x26\x3B\x2f]*[\s\x2f]/iU"; reference:url,packetstormsecurity.org/0912-exploits/joomlapersonel-sql.txt; reference:url,doc.emergingthreats.net/2010541; classtype:web-application-attack; sid:2010541; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_joomportfolio (secid) Blind SQL Injection Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_joomportfolio"; nocase; http_uri; content:"secid="; nocase; http_uri; pcre:"/(\?|&)secid=[^\s\x26\x3B\x2f]*[\s\x2f]/iU"; reference:url,packetstormsecurity.org/0912-exploits/joomlaportfolio-sql.txt; reference:url,doc.emergingthreats.net/2010542; classtype:web-application-attack; sid:2010542; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_joaktree&"; nocase; http_uri; content:"&view=joaktree"; nocase; http_uri; content:"treeId="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,37178; reference:url,secunia.com/advisories/37535/; reference:url,doc.emergingthreats.net/2010555; classtype:web-application-attack; sid:2010555; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_joaktree&"; nocase; http_uri; content:"&view=joaktree"; nocase; http_uri; content:"treeId="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,37178; reference:url,secunia.com/advisories/37535/; reference:url,doc.emergingthreats.net/2010556; classtype:web-application-attack; sid:2010556; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_joaktree&"; nocase; http_uri; content:"&view=joaktree"; nocase; http_uri; content:"treeId="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,37178; reference:url,secunia.com/advisories/37535/; reference:url,doc.emergingthreats.net/2010557; classtype:web-application-attack; sid:2010557; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_joaktree&"; nocase; http_uri; content:"&view=joaktree"; nocase; http_uri; content:"treeId="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,37178; reference:url,secunia.com/advisories/37535/; reference:url,doc.emergingthreats.net/2010558; classtype:web-application-attack; sid:2010558; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_joaktree&"; nocase; http_uri; content:"&view=joaktree"; nocase; http_uri; content:"treeId="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,37178; reference:url,secunia.com/advisories/37535/; reference:url,doc.emergingthreats.net/2010559; classtype:web-application-attack; sid:2010559; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_kkcontent Blind SQL Injection Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_kkcontent"; nocase; http_uri; content:"catID="; nocase; http_uri; pcre:"/(\?|&)catID=[^\x26\x3B]*[^\d\x2D]/iU"; reference:url,www.packetstormsecurity.org/0912-exploits/joomlakkcontent-sql.txt; reference:url,doc.emergingthreats.net/2010606; classtype:web-application-attack; sid:2010606; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mamboleto Joomla component mamboleto.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/acomponents/com_mamboleto/mamboleto.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,xforce.iss.net/xforce/xfdb/54662; reference:url,www.exploit-db.com/exploits/10369; reference:url,doc.emergingthreats.net/2010620; classtype:web-application-attack; sid:2010620; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_jphoto&"; nocase; http_uri; content:"view=category&"; nocase; http_uri; content:"Id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,37279; reference:url,doc.emergingthreats.net/2010636; classtype:web-application-attack; sid:2010636; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_jphoto&"; nocase; http_uri; content:"view=category&"; nocase; http_uri; content:"Id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,37279; reference:url,doc.emergingthreats.net/2010637; classtype:web-application-attack; sid:2010637; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_jphoto&"; nocase; http_uri; content:"view=category&"; nocase; http_uri; content:"Id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,37279; reference:url,doc.emergingthreats.net/2010638; classtype:web-application-attack; sid:2010638; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_jphoto&"; nocase; http_uri; content:"view=category&"; nocase; http_uri; content:"Id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,37279; reference:url,doc.emergingthreats.net/2010639; classtype:web-application-attack; sid:2010639; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_jphoto&"; nocase; http_uri; content:"view=category&"; nocase; http_uri; content:"Id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,37279; reference:url,doc.emergingthreats.net/2010640; classtype:web-application-attack; sid:2010640; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-comments-post.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/components/com_mojo/wp-comments-post.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.packetstormsecurity.nl/0912-exploits/joomlamojoblog-rfi.txt; reference:bugtraq,37179; reference:url,doc.emergingthreats.net/2010659; classtype:web-application-attack; sid:2010659; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-trackback.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/components/com_mojo/wp-trackback.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.packetstormsecurity.nl/0912-exploits/joomlamojoblog-rfi.txt; reference:bugtraq,37179; reference:url,doc.emergingthreats.net/2010660; classtype:web-application-attack; sid:2010660; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_foobla_suggestions&"; nocase; http_uri; content:"idea_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,36425; reference:url,doc.emergingthreats.net/2010710; classtype:web-application-attack; sid:2010710; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_foobla_suggestions&"; nocase; http_uri; content:"idea_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,36425; reference:url,doc.emergingthreats.net/2010711; classtype:web-application-attack; sid:2010711; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_foobla_suggestions&"; nocase; http_uri; content:"idea_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,36425; reference:url,doc.emergingthreats.net/2010712; classtype:web-application-attack; sid:2010712; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_foobla_suggestions&"; nocase; http_uri; content:"idea_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,36425; reference:url,doc.emergingthreats.net/2010713; classtype:web-application-attack; sid:2010713; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_foobla_suggestions&"; nocase; http_uri; content:"idea_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,36425; reference:url,doc.emergingthreats.net/2010714; classtype:web-application-attack; sid:2010714; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_musicgallery&"; nocase; http_uri; content:"&task=itempage"; nocase; http_uri; content:"Id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,37146; reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; reference:url,doc.emergingthreats.net/2010750; classtype:web-application-attack; sid:2010750; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_musicgallery&"; nocase; http_uri; content:"&task=itempage"; nocase; http_uri; content:"Id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,37146; reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; reference:url,doc.emergingthreats.net/2010751; classtype:web-application-attack; sid:2010751; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_musicgallery&"; nocase; http_uri; content:"&task=itempage"; nocase; http_uri; content:"Id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,37146; reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; reference:url,doc.emergingthreats.net/2010752; classtype:web-application-attack; sid:2010752; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_musicgallery&"; nocase; http_uri; content:"&task=itempage"; nocase; http_uri; content:"Id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,37146; reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; reference:url,doc.emergingthreats.net/2010753; classtype:web-application-attack; sid:2010753; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_musicgallery&"; nocase; http_uri; content:"&task=itempage"; nocase; http_uri; content:"Id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,37146; reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; reference:url,doc.emergingthreats.net/2010754; classtype:web-application-attack; sid:2010754; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/components/com_mediaslide/viewer.php?"; nocase; http_uri; content:"path="; nocase; http_uri; content:"../"; depth:200; reference:bugtraq,37440; reference:url,doc.emergingthreats.net/2010780; classtype:web-application-attack; sid:2010780; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_yelp&"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,38022; reference:url,doc.emergingthreats.net/2010805; classtype:web-application-attack; sid:2010805; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_yelp&"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,38022; reference:url,doc.emergingthreats.net/2010806; classtype:web-application-attack; sid:2010806; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_yelp&"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,38022; reference:url,doc.emergingthreats.net/2010807; classtype:web-application-attack; sid:2010807; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_yelp&"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,38022; reference:url,doc.emergingthreats.net/2010808; classtype:web-application-attack; sid:2010808; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_yelp&"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,38022; reference:url,doc.emergingthreats.net/2010809; classtype:web-application-attack; sid:2010809; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla intuit component intuit.php approval Local File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/components/com_intuit/models/intuit.php?"; nocase; http_uri; content:"approval="; nocase; http_uri; content:"../"; depth:200; reference:url,www.exploit-db.com/exploits/10730; reference:url,doc.emergingthreats.net/2010833; classtype:web-application-attack; sid:2010833; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_avosbilletsy Component id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_avosbillets&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,37576; reference:url,doc.emergingthreats.net/2010843; classtype:web-application-attack; sid:2010843; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_avosbillets&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,37576; reference:url,doc.emergingthreats.net/2010844; classtype:web-application-attack; sid:2010844; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_avosbillets&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,37576; reference:url,doc.emergingthreats.net/2010845; classtype:web-application-attack; sid:2010845; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_avosbillets&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,37576; reference:url,doc.emergingthreats.net/2010846; classtype:web-application-attack; sid:2010846; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_avosbillets&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,37576; reference:url,doc.emergingthreats.net/2010842; classtype:web-application-attack; sid:2010842; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla morfeoshow morfeoshow.html.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/components/com_morfeoshow/morfeoshow.html.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; pcre:"/user_id\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secdb.4sec.org/?s1=exp&sid=18773; reference:url,doc.emergingthreats.net/2010848; classtype:web-application-attack; sid:2010848; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_job&"; nocase; http_uri; content:"id_job="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt; reference:url,doc.emergingthreats.net/2010853; classtype:web-application-attack; sid:2010853; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_job&"; nocase; http_uri; content:"id_job="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt; reference:url,doc.emergingthreats.net/2010854; classtype:web-application-attack; sid:2010854; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_job&"; nocase; http_uri; content:"id_job="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt; reference:url,doc.emergingthreats.net/2010855; classtype:web-application-attack; sid:2010855; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_job&"; nocase; http_uri; content:"id_job="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt; reference:url,doc.emergingthreats.net/2010856; classtype:web-application-attack; sid:2010856; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_job&"; nocase; http_uri; content:"id_job="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt; reference:url,doc.emergingthreats.net/2010857; classtype:web-application-attack; sid:2010857; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_perchagallery&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,www.exploit-db.com/exploits/11103; reference:url,doc.emergingthreats.net/2010924; classtype:web-application-attack; sid:2010924; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_perchagallery&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,www.exploit-db.com/exploits/11103; reference:url,doc.emergingthreats.net/2010925; classtype:web-application-attack; sid:2010925; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_perchagallery&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,www.exploit-db.com/exploits/11103; reference:url,doc.emergingthreats.net/2010926; classtype:web-application-attack; sid:2010926; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_perchagallery&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,www.exploit-db.com/exploits/11103; reference:url,doc.emergingthreats.net/2010927; classtype:web-application-attack; sid:2010927; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_perchagallery&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,www.exploit-db.com/exploits/11103; reference:url,doc.emergingthreats.net/2010928; classtype:web-application-attack; sid:2010928; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_hdflvplayer&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,secunia.com/advisories/38691/; reference:url,doc.emergingthreats.net/2010947; classtype:web-application-attack; sid:2010947; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_hdflvplayer&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,secunia.com/advisories/38691/; reference:url,doc.emergingthreats.net/2010948; classtype:web-application-attack; sid:2010948; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_hdflvplayer&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/38691/; reference:url,doc.emergingthreats.net/2010949; classtype:web-application-attack; sid:2010949; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_hdflvplayer&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,secunia.com/advisories/38691/; reference:url,doc.emergingthreats.net/2010950; classtype:web-application-attack; sid:2010950; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_hdflvplayer&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,secunia.com/advisories/38691/; reference:url,doc.emergingthreats.net/2010951; classtype:web-application-attack; sid:2010951; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_jcollection controller Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_jcollection&"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"../"; depth:200; reference:url,www.exploit-db.com/exploits/11088; reference:url,doc.emergingthreats.net/2010942; classtype:web-application-attack; sid:2010942; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_ccnewsletter controller Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?option=com_ccnewsletter&"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"../"; depth:200; reference:bugtraq,37987; reference:url,doc.emergingthreats.net/2010989; classtype:web-application-attack; sid:2010989; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/administrator/components/com_sqlreport/ajax/print.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,secunia.com/advisories/38678/; reference:url,doc.emergingthreats.net/2010990; classtype:web-application-attack; sid:2010990; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/administrator/components/com_sqlreport/ajax/print.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,secunia.com/advisories/38678/; reference:url,doc.emergingthreats.net/2010991; classtype:web-application-attack; sid:2010991; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/administrator/components/com_sqlreport/ajax/print.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/38678/; reference:url,doc.emergingthreats.net/2010992; classtype:web-application-attack; sid:2010992; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/administrator/components/com_sqlreport/ajax/print.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,secunia.com/advisories/38678/; reference:url,doc.emergingthreats.net/2010993; classtype:web-application-attack; sid:2010993; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/administrator/components/com_sqlreport/ajax/print.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,secunia.com/advisories/38678/; reference:url,doc.emergingthreats.net/2010994; classtype:web-application-attack; sid:2010994; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_quicknews&"; nocase; http_uri; content:"&task=view_item"; nocase; http_uri; content:"newsid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,37161; reference:url,doc.emergingthreats.net/2010981; classtype:web-application-attack; sid:2010981; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_quicknews&"; nocase; http_uri; content:"&task=view_item"; nocase; http_uri; content:"newsid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,37161; reference:url,doc.emergingthreats.net/2010982; classtype:web-application-attack; sid:2010982; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_quicknews&"; nocase; http_uri; content:"&task=view_item"; nocase; http_uri; content:"newsid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,37161; reference:url,doc.emergingthreats.net/2010983; classtype:web-application-attack; sid:2010983; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_quicknews&"; nocase; http_uri; content:"&task=view_item"; nocase; http_uri; content:"newsid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,37161; reference:url,doc.emergingthreats.net/2010984; classtype:web-application-attack; sid:2010984; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_quicknews&"; nocase; http_uri; content:"&task=view_item"; nocase; http_uri; content:"newsid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,37161; reference:url,doc.emergingthreats.net/2010985; classtype:web-application-attack; sid:2010985; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_communitypolls controller Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_communitypolls&"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"../"; depth:200; reference:url,www.exploit-db.com/exploits/11511; reference:url,doc.emergingthreats.net/2010996; classtype:web-application-attack; sid:2010996; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_rsgallery2&"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,38009; reference:url,doc.emergingthreats.net/2011001; classtype:web-application-attack; sid:2011001; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_rsgallery2&"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,38009; reference:url,doc.emergingthreats.net/2011002; classtype:web-application-attack; sid:2011002; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_rsgallery2&"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,38009; reference:url,doc.emergingthreats.net/2011003; classtype:web-application-attack; sid:2011003; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_rsgallery2&"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,38009; reference:url,doc.emergingthreats.net/2011004; classtype:web-application-attack; sid:2011004; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_rsgallery2&"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,38009; reference:url,doc.emergingthreats.net/2011005; classtype:web-application-attack; sid:2011005; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_blog&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,38668; reference:url,exploit-db.com/exploits/11688; reference:url,doc.emergingthreats.net/2011022; classtype:web-application-attack; sid:2011022; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_blog&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,38668; reference:url,exploit-db.com/exploits/11688; reference:url,doc.emergingthreats.net/2011023; classtype:web-application-attack; sid:2011023; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_blog&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,38668; reference:url,exploit-db.com/exploits/11688; reference:url,doc.emergingthreats.net/2011024; classtype:web-application-attack; sid:2011024; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_blog&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,38668; reference:url,exploit-db.com/exploits/11688; reference:url,doc.emergingthreats.net/2011025; classtype:web-application-attack; sid:2011025; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_blog&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,38668; reference:url,exploit-db.com/exploits/11688; reference:url,doc.emergingthreats.net/2011026; classtype:web-application-attack; sid:2011026; rev:12; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jcalpro cal_popup.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/components/com_jcalpro/cal_popup.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.packetstormsecurity.org/0912-exploits/joomlajcalpro-rfi.txt; reference:url,doc.emergingthreats.net/2011017; classtype:web-application-attack; sid:2011017; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla wgPicasa Component controller Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_wgpicasa&"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"../"; depth:200; reference:url,secunia.com/advisories/39467; reference:url,exploit-db.com/exploits/12230; reference:url,doc.emergingthreats.net/2011067; classtype:web-application-attack; sid:2011067; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_gbufacebook&"; nocase; http_uri; content:"face_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/12299; reference:url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt; reference:url,doc.emergingthreats.net/2011077; classtype:web-application-attack; sid:2011077; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_gbufacebook&"; nocase; http_uri; content:"face_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,exploit-db.com/exploits/12299; reference:url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt; reference:url,doc.emergingthreats.net/2011078; classtype:web-application-attack; sid:2011078; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_gbufacebook&"; nocase; http_uri; content:"face_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,exploit-db.com/exploits/12299; reference:url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt; reference:url,doc.emergingthreats.net/2011079; classtype:web-application-attack; sid:2011079; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_gbufacebook&"; nocase; http_uri; content:"face_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,exploit-db.com/exploits/12299; reference:url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt; reference:url,doc.emergingthreats.net/2011080; classtype:web-application-attack; sid:2011080; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_gbufacebook&"; nocase; http_uri; content:"face_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/12299; reference:url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt; reference:url,doc.emergingthreats.net/2011081; classtype:web-application-attack; sid:2011081; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla jwmmxtd Component mosConfig_absolute_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/administrator/components/com_jwmmxtd/admin.jwmmxtd.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/11845; reference:url,doc.emergingthreats.net/2011131; classtype:web-application-attack; sid:2011131; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_universal Component Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/administrator/components/com_universal/includes/config/config.html.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/11865; reference:bugtraq,38949; reference:url,doc.emergingthreats.net/2011132; classtype:web-application-attack; sid:2011132; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/config.dadamail.php?"; nocase; http_uri; content:"GLOBALS[mosConfig_absolute_path]="; nocase; http_uri; content:"../"; reference:url,secunia.com/advisories/32551; reference:bugtraq,32135; reference:url,www.exploit-db.com/exploits/7002/; reference:url,doc.emergingthreats.net/2009383; classtype:web-application-attack; sid:2009383; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/config.dadamail.php?"; nocase; http_uri; content:"GLOBALS[mosConfig_absolute_path]="; nocase; http_uri; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/32551; reference:bugtraq,32135; reference:url,www.exploit-db.com/exploits/7002/; reference:url,doc.emergingthreats.net/2009384; classtype:web-application-attack; sid:2009384; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Onguma Time Sheet Component onguma.class.php mosConfig_absolute_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/com_ongumatimesheet20/lib/onguma.class.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,32095; reference:cve,CVE-2008-6347; reference:url,www.exploit-db.com/exploits/6976/; reference:url,doc.emergingthreats.net/2009391; classtype:web-application-attack; sid:2009391; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category SELECT"; flow:established,to_server; content:"/search_listing.asp?"; nocase; http_uri; content:"category="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006760; classtype:web-application-attack; sid:2006760; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category UNION SELECT"; flow:established,to_server; content:"/search_listing.asp?"; nocase; http_uri; content:"category="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006761; classtype:web-application-attack; sid:2006761; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category INSERT"; flow:established,to_server; content:"/search_listing.asp?"; nocase; http_uri; content:"category="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006762; classtype:web-application-attack; sid:2006762; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category DELETE"; flow:established,to_server; content:"/search_listing.asp?"; nocase; http_uri; content:"category="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006763; classtype:web-application-attack; sid:2006763; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category ASCII"; flow:established,to_server; content:"/search_listing.asp?"; nocase; http_uri; content:"category="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006764; classtype:web-application-attack; sid:2006764; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category UPDATE"; flow:established,to_server; content:"/search_listing.asp?"; nocase; http_uri; content:"category="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006765; classtype:web-application-attack; sid:2006765; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent SELECT"; flow:established,to_server; content:"/search_listing.asp?"; nocase; http_uri; content:"agent="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006766; classtype:web-application-attack; sid:2006766; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent UNION SELECT"; flow:established,to_server; content:"/search_listing.asp?"; nocase; http_uri; content:"agent="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006767; classtype:web-application-attack; sid:2006767; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent INSERT"; flow:established,to_server; content:"/search_listing.asp?"; nocase; http_uri; content:"agent="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006768; classtype:web-application-attack; sid:2006768; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent DELETE"; flow:established,to_server; content:"/search_listing.asp?"; nocase; http_uri; content:"agent="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006769; classtype:web-application-attack; sid:2006769; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent ASCII"; flow:established,to_server; content:"/search_listing.asp?"; nocase; http_uri; content:"agent="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006770; classtype:web-application-attack; sid:2006770; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent UPDATE"; flow:established,to_server; content:"/search_listing.asp?"; nocase; http_uri; content:"agent="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006771; classtype:web-application-attack; sid:2006771; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"property_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006772; classtype:web-application-attack; sid:2006772; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id UNION SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"property_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006773; classtype:web-application-attack; sid:2006773; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id INSERT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"property_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006774; classtype:web-application-attack; sid:2006774; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id DELETE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"property_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006775; classtype:web-application-attack; sid:2006775; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id ASCII"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"property_id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006776; classtype:web-application-attack; sid:2006776; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id UPDATE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"property_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006777; classtype:web-application-attack; sid:2006777; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KR-Web krgourl.php DOCUMENT_ROOT Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/adm/krgourl.php?"; nocase; http_uri; content:"DOCUMENT_ROOT="; nocase; http_uri; pcre:"/DOCUMENT_ROOT\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.packetstormsecurity.nl/0911-exploits/krweb-rfi.txt; reference:url,doc.emergingthreats.net/2010475; classtype:web-application-attack; sid:2010475; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kalptaru Infotech Product Sale Framework customer.forumtopic.php forum_topic_id parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/customer.forumtopic.php?"; nocase; http_uri; content:"forum_topic_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:cve,2008-5590; reference:bugtraq,32672; reference:url,www.exploit-db.com/exploits/7368/; reference:url,doc.emergingthreats.net/2009198; classtype:web-application-attack; sid:2009198; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kalptaru Infotech Automated Link Exchange Portal cat_id Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/linking.page.php?"; nocase; http_uri; content:"cat_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,29205; reference:url,milw0rm.com/exploits/5611; reference:url,doc.emergingthreats.net/2009658; classtype:web-application-attack; sid:2009658; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id SELECT"; flow:established,to_server; content:"/news.asp?"; nocase; http_uri; content:"news_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004641; classtype:web-application-attack; sid:2004641; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id UNION SELECT"; flow:established,to_server; content:"/news.asp?"; nocase; http_uri; content:"news_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004642; classtype:web-application-attack; sid:2004642; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id INSERT"; flow:established,to_server; content:"/news.asp?"; nocase; http_uri; content:"news_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004643; classtype:web-application-attack; sid:2004643; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id DELETE"; flow:established,to_server; content:"/news.asp?"; nocase; http_uri; content:"news_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004644; classtype:web-application-attack; sid:2004644; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id ASCII"; flow:established,to_server; content:"/news.asp?"; nocase; http_uri; content:"news_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004645; classtype:web-application-attack; sid:2004645; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id UPDATE"; flow:established,to_server; content:"/news.asp?"; nocase; http_uri; content:"news_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004646; classtype:web-application-attack; sid:2004646; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"kolumna="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1612; reference:url,www.exploit-db.com/exploits/3513/; reference:url,doc.emergingthreats.net/2004122; classtype:web-application-attack; sid:2004122; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"kolumna="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1612; reference:url,www.exploit-db.com/exploits/3513/; reference:url,doc.emergingthreats.net/2004123; classtype:web-application-attack; sid:2004123; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"kolumna="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1612; reference:url,www.exploit-db.com/exploits/3513/; reference:url,doc.emergingthreats.net/2004124; classtype:web-application-attack; sid:2004124; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"kolumna="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1612; reference:url,www.exploit-db.com/exploits/3513/; reference:url,doc.emergingthreats.net/2004125; classtype:web-application-attack; sid:2004125; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"kolumna="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1612; reference:url,www.exploit-db.com/exploits/3513/; reference:url,doc.emergingthreats.net/2004126; classtype:web-application-attack; sid:2004126; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"kolumna="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1612; reference:url,www.exploit-db.com/exploits/3513/; reference:url,doc.emergingthreats.net/2004127; classtype:web-application-attack; sid:2004127; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kayako eSupport XSS Attempt -- index.php _m"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"_m="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2562; reference:url,www.securityfocus.com/archive/1/archive/1/467832/100/0/threaded; reference:url,doc.emergingthreats.net/2003913; classtype:web-application-attack; sid:2003913; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KingCMS menu.php CONFIG Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/include/engine/content/elements/menu.php?"; nocase; http_uri; content:"CONFIG[AdminPath]="; nocase; http_uri; pcre:"/CONFIG\[AdminPath\]\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/57688; reference:url,doc.emergingthreats.net/2010197; classtype:web-application-attack; sid:2010197; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid SELECT"; flow:established,to_server; content:"/forum.asp?"; nocase; http_uri; content:"forumid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004979; classtype:web-application-attack; sid:2004979; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid UNION SELECT"; flow:established,to_server; content:"/forum.asp?"; nocase; http_uri; content:"forumid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004980; classtype:web-application-attack; sid:2004980; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid INSERT"; flow:established,to_server; content:"/forum.asp?"; nocase; http_uri; content:"forumid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004981; classtype:web-application-attack; sid:2004981; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid DELETE"; flow:established,to_server; content:"/forum.asp?"; nocase; http_uri; content:"forumid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004982; classtype:web-application-attack; sid:2004982; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid ASCII"; flow:established,to_server; content:"/forum.asp?"; nocase; http_uri; content:"forumid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004983; classtype:web-application-attack; sid:2004983; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid UPDATE"; flow:established,to_server; content:"/forum.asp?"; nocase; http_uri; content:"forumid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004984; classtype:web-application-attack; sid:2004984; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id SELECT"; flow:established,to_server; content:"/down.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005796; classtype:web-application-attack; sid:2005796; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id UNION SELECT"; flow:established,to_server; content:"/down.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005797; classtype:web-application-attack; sid:2005797; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id INSERT"; flow:established,to_server; content:"/down.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005798; classtype:web-application-attack; sid:2005798; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id DELETE"; flow:established,to_server; content:"/down.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005799; classtype:web-application-attack; sid:2005799; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id ASCII"; flow:established,to_server; content:"/down.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005800; classtype:web-application-attack; sid:2005800; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id UPDATE"; flow:established,to_server; content:"/down.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005801; classtype:web-application-attack; sid:2005801; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"member_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7116; reference:url,www.exploit-db.com/exploits/2863/; reference:url,doc.emergingthreats.net/2004689; classtype:web-application-attack; sid:2004689; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"member_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7116; reference:url,www.exploit-db.com/exploits/2863/; reference:url,doc.emergingthreats.net/2004690; classtype:web-application-attack; sid:2004690; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"member_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7116; reference:url,www.exploit-db.com/exploits/2863/; reference:url,doc.emergingthreats.net/2004691; classtype:web-application-attack; sid:2004691; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"member_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7116; reference:url,www.exploit-db.com/exploits/2863/; reference:url,doc.emergingthreats.net/2004692; classtype:web-application-attack; sid:2004692; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"member_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7116; reference:url,www.exploit-db.com/exploits/2863/; reference:url,doc.emergingthreats.net/2004693; classtype:web-application-attack; sid:2004693; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"member_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7116; reference:url,www.exploit-db.com/exploits/2863/; reference:url,doc.emergingthreats.net/2004694; classtype:web-application-attack; sid:2004694; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid SELECT"; flow:established,to_server; content:"/i-search.php?"; nocase; http_uri; content:"itemid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005069; classtype:web-application-attack; sid:2005069; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid UNION SELECT"; flow:established,to_server; content:"/i-search.php?"; nocase; http_uri; content:"itemid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005070; classtype:web-application-attack; sid:2005070; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid INSERT"; flow:established,to_server; content:"/i-search.php?"; nocase; http_uri; content:"itemid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005071; classtype:web-application-attack; sid:2005071; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid DELETE"; flow:established,to_server; content:"/i-search.php?"; nocase; http_uri; content:"itemid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005072; classtype:web-application-attack; sid:2005072; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid ASCII"; flow:established,to_server; content:"/i-search.php?"; nocase; http_uri; content:"itemid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005073; classtype:web-application-attack; sid:2005073; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid UPDATE"; flow:established,to_server; content:"/i-search.php?"; nocase; http_uri; content:"itemid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005074; classtype:web-application-attack; sid:2005074; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w SELECT"; flow:established,to_server; content:"/journal.php?"; nocase; http_uri; content:"w="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005973; classtype:web-application-attack; sid:2005973; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w UNION SELECT"; flow:established,to_server; content:"/journal.php?"; nocase; http_uri; content:"w="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005974; classtype:web-application-attack; sid:2005974; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w INSERT"; flow:established,to_server; content:"/journal.php?"; nocase; http_uri; content:"w="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005975; classtype:web-application-attack; sid:2005975; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w DELETE"; flow:established,to_server; content:"/journal.php?"; nocase; http_uri; content:"w="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005976; classtype:web-application-attack; sid:2005976; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w ASCII"; flow:established,to_server; content:"/journal.php?"; nocase; http_uri; content:"w="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005977; classtype:web-application-attack; sid:2005977; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w UPDATE"; flow:established,to_server; content:"/journal.php?"; nocase; http_uri; content:"w="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005978; classtype:web-application-attack; sid:2005978; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id SELECT"; flow:established,to_server; content:"/polls.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006315; classtype:web-application-attack; sid:2006315; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id UNION SELECT"; flow:established,to_server; content:"/polls.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006316; classtype:web-application-attack; sid:2006316; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id INSERT"; flow:established,to_server; content:"/polls.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006317; classtype:web-application-attack; sid:2006317; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id DELETE"; flow:established,to_server; content:"/polls.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006318; classtype:web-application-attack; sid:2006318; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id ASCII"; flow:established,to_server; content:"/polls.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006319; classtype:web-application-attack; sid:2006319; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id UPDATE"; flow:established,to_server; content:"/polls.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006320; classtype:web-application-attack; sid:2006320; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country SELECT"; flow:established,to_server; content:"/guestbook.php?"; nocase; http_uri; content:"country="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004523; classtype:web-application-attack; sid:2004523; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country UNION SELECT"; flow:established,to_server; content:"/guestbook.php?"; nocase; http_uri; content:"country="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004524; classtype:web-application-attack; sid:2004524; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country INSERT"; flow:established,to_server; content:"/guestbook.php?"; nocase; http_uri; content:"country="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004525; classtype:web-application-attack; sid:2004525; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country DELETE"; flow:established,to_server; content:"/guestbook.php?"; nocase; http_uri; content:"country="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004526; classtype:web-application-attack; sid:2004526; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country ASCII"; flow:established,to_server; content:"/guestbook.php?"; nocase; http_uri; content:"country="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004527; classtype:web-application-attack; sid:2004527; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country UPDATE"; flow:established,to_server; content:"/guestbook.php?"; nocase; http_uri; content:"country="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004528; classtype:web-application-attack; sid:2004528; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LWS php User Base unverified.inc.php template Parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/include/unverified.inc.php?"; nocase; http_uri; content:"template="; nocase; http_uri; content:"../"; reference:bugtraq,27964; reference:url,juniper.net/security/auto/vulnerabilities/vuln27964.html; reference:url,www.exploit-db.com/exploits/5179/; reference:url,doc.emergingthreats.net/2009761; classtype:web-application-attack; sid:2009761; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LaVague Remote Inclusion Attempt -- printbar.php views_path"; flow:established,to_server; content:"/views/print/printbar.php?"; nocase; http_uri; content:"views_path="; nocase; http_uri; pcre:"/=\s*(https?|ftps|php)\:\//Ui"; reference:cve,CVE-2007-2607; reference:url,www.exploit-db.com/exploits/3870/; reference:url,doc.emergingthreats.net/2003716; classtype:web-application-attack; sid:2003716; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id SELECT"; flow:established,to_server; content:"/inout/status.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007294; classtype:web-application-attack; sid:2007294; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id UNION SELECT"; flow:established,to_server; content:"/inout/status.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007295; classtype:web-application-attack; sid:2007295; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id INSERT"; flow:established,to_server; content:"/inout/status.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007296; classtype:web-application-attack; sid:2007296; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id DELETE"; flow:established,to_server; content:"/inout/status.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007297; classtype:web-application-attack; sid:2007297; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id ASCII"; flow:established,to_server; content:"/inout/status.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007298; classtype:web-application-attack; sid:2007298; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id UPDATE"; flow:established,to_server; content:"/inout/status.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007299; classtype:web-application-attack; sid:2007299; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id SELECT"; flow:established,to_server; content:"/inout/update.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007300; classtype:web-application-attack; sid:2007300; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id UNION SELECT"; flow:established,to_server; content:"/inout/update.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007301; classtype:web-application-attack; sid:2007301; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id INSERT"; flow:established,to_server; content:"/inout/update.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007302; classtype:web-application-attack; sid:2007302; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id DELETE"; flow:established,to_server; content:"/inout/update.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007303; classtype:web-application-attack; sid:2007303; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id ASCII"; flow:established,to_server; content:"/inout/update.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007304; classtype:web-application-attack; sid:2007304; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id UPDATE"; flow:established,to_server; content:"/inout/update.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007305; classtype:web-application-attack; sid:2007305; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id SELECT"; flow:established,to_server; content:"/forgotpass.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007306; classtype:web-application-attack; sid:2007306; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id UNION SELECT"; flow:established,to_server; content:"/forgotpass.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007307; classtype:web-application-attack; sid:2007307; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id INSERT"; flow:established,to_server; content:"/forgotpass.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007308; classtype:web-application-attack; sid:2007308; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id DELETE"; flow:established,to_server; content:"/forgotpass.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007309; classtype:web-application-attack; sid:2007309; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id ASCII"; flow:established,to_server; content:"/forgotpass.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007310; classtype:web-application-attack; sid:2007310; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id UPDATE"; flow:established,to_server; content:"/forgotpass.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007311; classtype:web-application-attack; sid:2007311; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid SELECT"; flow:established,to_server; content:"/forgotpass.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007312; classtype:web-application-attack; sid:2007312; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid UNION SELECT"; flow:established,to_server; content:"/forgotpass.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007313; classtype:web-application-attack; sid:2007313; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid INSERT"; flow:established,to_server; content:"/forgotpass.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007314; classtype:web-application-attack; sid:2007314; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid DELETE"; flow:established,to_server; content:"/forgotpass.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007315; classtype:web-application-attack; sid:2007315; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid ASCII"; flow:established,to_server; content:"/forgotpass.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007316; classtype:web-application-attack; sid:2007316; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid UPDATE"; flow:established,to_server; content:"/forgotpass.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007317; classtype:web-application-attack; sid:2007317; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid SELECT"; flow:established,to_server; content:"/inout/update.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007318; classtype:web-application-attack; sid:2007318; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid UNION SELECT"; flow:established,to_server; content:"/inout/update.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007319; classtype:web-application-attack; sid:2007319; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid INSERT"; flow:established,to_server; content:"/inout/update.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007320; classtype:web-application-attack; sid:2007320; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid DELETE"; flow:established,to_server; content:"/inout/update.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007321; classtype:web-application-attack; sid:2007321; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid ASCII"; flow:established,to_server; content:"/inout/update.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007322; classtype:web-application-attack; sid:2007322; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid UPDATE"; flow:established,to_server; content:"/inout/update.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007323; classtype:web-application-attack; sid:2007323; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid SELECT"; flow:established,to_server; content:"/inout/status.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007324; classtype:web-application-attack; sid:2007324; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid UNION SELECT"; flow:established,to_server; content:"/inout/status.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007325; classtype:web-application-attack; sid:2007325; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid INSERT"; flow:established,to_server; content:"/inout/status.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007326; classtype:web-application-attack; sid:2007326; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid DELETE"; flow:established,to_server; content:"/inout/status.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007327; classtype:web-application-attack; sid:2007327; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid ASCII"; flow:established,to_server; content:"/inout/status.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007328; classtype:web-application-attack; sid:2007328; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid UPDATE"; flow:established,to_server; content:"/inout/status.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007329; classtype:web-application-attack; sid:2007329; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id SELECT"; flow:established,to_server; content:"/details.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007330; classtype:web-application-attack; sid:2007330; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id UNION SELECT"; flow:established,to_server; content:"/details.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007331; classtype:web-application-attack; sid:2007331; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id INSERT"; flow:established,to_server; content:"/details.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007332; classtype:web-application-attack; sid:2007332; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id DELETE"; flow:established,to_server; content:"/details.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007333; classtype:web-application-attack; sid:2007333; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id ASCII"; flow:established,to_server; content:"/details.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007334; classtype:web-application-attack; sid:2007334; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id UPDATE"; flow:established,to_server; content:"/details.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007335; classtype:web-application-attack; sid:2007335; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/locms/smarty.php?"; nocase; http_uri; content:"cwd="; nocase; http_uri; content:"../"; depth:200; reference:url,www.exploit-db.com/exploits/9015/; reference:url,en.securitylab.ru/nvd/381880.php; reference:url,doc.emergingthreats.net/2010023; classtype:web-application-attack; sid:2010023; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/locms/smarty.php?"; nocase; http_uri; content:"cwd="; nocase; http_uri; pcre:"/cwd=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.exploit-db.com/exploits/9015/; reference:url,en.securitylab.ru/nvd/381880.php; reference:url,doc.emergingthreats.net/2010024; classtype:web-application-attack; sid:2010024; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni SELECT"; flow:established,to_server; content:"/navigacija.php?"; nocase; http_uri; content:"IDMeniGlavni="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006657; classtype:web-application-attack; sid:2006657; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni UNION SELECT"; flow:established,to_server; content:"/navigacija.php?"; nocase; http_uri; content:"IDMeniGlavni="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006658; classtype:web-application-attack; sid:2006658; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni INSERT"; flow:established,to_server; content:"/navigacija.php?"; nocase; http_uri; content:"IDMeniGlavni="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006659; classtype:web-application-attack; sid:2006659; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni DELETE"; flow:established,to_server; content:"/navigacija.php?"; nocase; http_uri; content:"IDMeniGlavni="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006660; classtype:web-application-attack; sid:2006660; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni ASCII"; flow:established,to_server; content:"/navigacija.php?"; nocase; http_uri; content:"IDMeniGlavni="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006661; classtype:web-application-attack; sid:2006661; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni UPDATE"; flow:established,to_server; content:"/navigacija.php?"; nocase; http_uri; content:"IDMeniGlavni="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006662; classtype:web-application-attack; sid:2006662; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci SELECT"; flow:established,to_server; content:"/prikazInformacije.php?"; nocase; http_uri; content:"IDStranicaPodaci="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006663; classtype:web-application-attack; sid:2006663; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci UNION SELECT"; flow:established,to_server; content:"/prikazInformacije.php?"; nocase; http_uri; content:"IDStranicaPodaci="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006664; classtype:web-application-attack; sid:2006664; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci INSERT"; flow:established,to_server; content:"/prikazInformacije.php?"; nocase; http_uri; content:"IDStranicaPodaci="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006665; classtype:web-application-attack; sid:2006665; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci DELETE"; flow:established,to_server; content:"/prikazInformacije.php?"; nocase; http_uri; content:"IDStranicaPodaci="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006666; classtype:web-application-attack; sid:2006666; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci ASCII"; flow:established,to_server; content:"/prikazInformacije.php?"; nocase; http_uri; content:"IDStranicaPodaci="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006667; classtype:web-application-attack; sid:2006667; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci UPDATE"; flow:established,to_server; content:"/prikazInformacije.php?"; nocase; http_uri; content:"IDStranicaPodaci="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006668; classtype:web-application-attack; sid:2006668; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch SELECT"; flow:established,to_server; content:"/linkslist.asp?"; nocase; http_uri; content:"psearch="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007362; classtype:web-application-attack; sid:2007362; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch UNION SELECT"; flow:established,to_server; content:"/linkslist.asp?"; nocase; http_uri; content:"psearch="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007364; classtype:web-application-attack; sid:2007364; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch INSERT"; flow:established,to_server; content:"/linkslist.asp?"; nocase; http_uri; content:"psearch="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007363; classtype:web-application-attack; sid:2007363; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch DELETE"; flow:established,to_server; content:"/linkslist.asp?"; nocase; http_uri; content:"psearch="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007365; classtype:web-application-attack; sid:2007365; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch ASCII"; flow:established,to_server; content:"/linkslist.asp?"; nocase; http_uri; content:"psearch="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007366; classtype:web-application-attack; sid:2007366; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch UPDATE"; flow:established,to_server; content:"/linkslist.asp?"; nocase; http_uri; content:"psearch="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007367; classtype:web-application-attack; sid:2007367; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp SELECT"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007368; classtype:web-application-attack; sid:2007368; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp UNION SELECT"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007369; classtype:web-application-attack; sid:2007369; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp INSERT"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007370; classtype:web-application-attack; sid:2007370; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp DELETE"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007371; classtype:web-application-attack; sid:2007371; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp ASCII"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007372; classtype:web-application-attack; sid:2007372; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp UPDATE"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007373; classtype:web-application-attack; sid:2007373; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lcnt="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1339; reference:url,www.exploit-db.com/exploits/3416/; reference:url,doc.emergingthreats.net/2004409; classtype:web-application-attack; sid:2004409; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lcnt="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1339; reference:url,www.exploit-db.com/exploits/3416/; reference:url,doc.emergingthreats.net/2004410; classtype:web-application-attack; sid:2004410; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lcnt="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1339; reference:url,www.exploit-db.com/exploits/3416/; reference:url,doc.emergingthreats.net/2004411; classtype:web-application-attack; sid:2004411; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lcnt="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1339; reference:url,www.exploit-db.com/exploits/3416/; reference:url,doc.emergingthreats.net/2004412; classtype:web-application-attack; sid:2004412; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lcnt="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1339; reference:url,www.exploit-db.com/exploits/3416/; reference:url,doc.emergingthreats.net/2004413; classtype:web-application-attack; sid:2004413; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lcnt="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1339; reference:url,www.exploit-db.com/exploits/3416/; reference:url,doc.emergingthreats.net/2004414; classtype:web-application-attack; sid:2004414; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Worksystems linkbar.php cfile Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/smallaxe-0.3.1/inc/linkbar.php?"; nocase; http_uri; content:"cfile="; nocase; http_uri; pcre:"/cfile\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.exploit-db.com/exploits/10676; reference:url,doc.emergingthreats.net/2011000; classtype:web-application-attack; sid:2011000; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Lito Lite CMS cate.php cid parameter Remote SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/cate.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,www.exploit-db.com/exploits/7294/; reference:url,secunia.com/advisories/32910/; reference:url,doc.emergingthreats.net/2008927; classtype:web-application-attack; sid:2008927; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid SELECT"; flow:established,to_server; content:"/categoria.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006473; classtype:web-application-attack; sid:2006473; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid UNION SELECT"; flow:established,to_server; content:"/categoria.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006474; classtype:web-application-attack; sid:2006474; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid INSERT"; flow:established,to_server; content:"/categoria.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006475; classtype:web-application-attack; sid:2006475; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid DELETE"; flow:established,to_server; content:"/categoria.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006476; classtype:web-application-attack; sid:2006476; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid ASCII"; flow:established,to_server; content:"/categoria.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006477; classtype:web-application-attack; sid:2006477; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid UPDATE"; flow:established,to_server; content:"/categoria.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006478; classtype:web-application-attack; sid:2006478; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID SELECT"; flow:established,to_server; content:"/main.asp?"; nocase; http_uri; content:"subcatID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005829; classtype:web-application-attack; sid:2005829; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID UNION SELECT"; flow:established,to_server; content:"/main.asp?"; nocase; http_uri; content:"subcatID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005830; classtype:web-application-attack; sid:2005830; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID INSERT"; flow:established,to_server; content:"/main.asp?"; nocase; http_uri; content:"subcatID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005831; classtype:web-application-attack; sid:2005831; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID DELETE"; flow:established,to_server; content:"/main.asp?"; nocase; http_uri; content:"subcatID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005832; classtype:web-application-attack; sid:2005832; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID ASCII"; flow:established,to_server; content:"/main.asp?"; nocase; http_uri; content:"subcatID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005833; classtype:web-application-attack; sid:2005833; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID UPDATE"; flow:established,to_server; uricontent:"/main.asp?"; nocase; uricontent:"subcatID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005834; classtype:web-application-attack; sid:2005834; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Loggix Project RFI Attempt"; flow:established,to_server; content:"pathToIndex="; nocase; http_uri; content:".php?"; nocase; http_uri; pcre:"/\.php(\?|.*\x26)pathToIndex=(https?|ftps?)\:\/\/[^\x26\x3B]+\?\?/iU"; reference:url,www.exploit-db.com/exploits/9729/; reference:url,doc.emergingthreats.net/2010530; classtype:web-application-attack; sid:2010530; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID SELECT"; flow:established,to_server; content:"/ProductDetails.asp?"; nocase; http_uri; content:"PID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006321; classtype:web-application-attack; sid:2006321; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID UNION SELECT"; flow:established,to_server; content:"/ProductDetails.asp?"; nocase; http_uri; content:"PID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006322; classtype:web-application-attack; sid:2006322; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID INSERT"; flow:established,to_server; content:"/ProductDetails.asp?"; nocase; http_uri; content:"PID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006323; classtype:web-application-attack; sid:2006323; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID DELETE"; flow:established,to_server; content:"/ProductDetails.asp?"; nocase; http_uri; content:"PID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006324; classtype:web-application-attack; sid:2006324; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID ASCII"; flow:established,to_server; content:"/ProductDetails.asp?"; nocase; http_uri; content:"PID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006325; classtype:web-application-attack; sid:2006325; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID UPDATE"; flow:established,to_server; content:"/ProductDetails.asp?"; nocase; http_uri; content:"PID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006326; classtype:web-application-attack; sid:2006326; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible IBM Lotus Connections simpleSearch.do Cross-Site Scripting Attempt"; flow:established,to_server; content:"/profiles/html/simpleSearch.do?name="; nocase; http_uri; pcre:"/name=.+(IMG|SCRIPT|SRC|onkey|onmouse|onload)/Ui"; reference:url,www.securitytracker.com/alerts/2009/Sep/1022945.html; reference:url,doc.emergingthreats.net/2009990; classtype:web-application-attack; sid:2009990; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id SELECT"; flow:established,to_server; content:"/comments.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004961; classtype:web-application-attack; sid:2004961; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id UNION SELECT"; flow:established,to_server; content:"/comments.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004962; classtype:web-application-attack; sid:2004962; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id INSERT"; flow:established,to_server; content:"/comments.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004963; classtype:web-application-attack; sid:2004963; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id DELETE"; flow:established,to_server; content:"/comments.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004964; classtype:web-application-attack; sid:2004964; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id ASCII"; flow:established,to_server; content:"/comments.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004965; classtype:web-application-attack; sid:2004965; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id UPDATE"; flow:established,to_server; content:"/comments.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004966; classtype:web-application-attack; sid:2004966; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id SELECT"; flow:established,to_server; content:"/register.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0864; reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004967; classtype:web-application-attack; sid:2004967; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id UNION SELECT"; flow:established,to_server; content:"/register.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0864; reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004968; classtype:web-application-attack; sid:2004968; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id INSERT"; flow:established,to_server; content:"/register.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0864; reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004969; classtype:web-application-attack; sid:2004969; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id DELETE"; flow:established,to_server; content:"/register.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0864; reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004970; classtype:web-application-attack; sid:2004970; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id ASCII"; flow:established,to_server; content:"/register.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0864; reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004971; classtype:web-application-attack; sid:2004971; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id UPDATE"; flow:established,to_server; content:"/register.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0864; reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004972; classtype:web-application-attack; sid:2004972; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"startrow="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0623; reference:url,www.securityfocus.com/bid/22293; reference:url,doc.emergingthreats.net/2005135; classtype:web-application-attack; sid:2005135; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"startrow="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0623; reference:url,www.securityfocus.com/bid/22293; reference:url,doc.emergingthreats.net/2005136; classtype:web-application-attack; sid:2005136; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"startrow="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0623; reference:url,www.securityfocus.com/bid/22293; reference:url,doc.emergingthreats.net/2005137; classtype:web-application-attack; sid:2005137; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"startrow="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0623; reference:url,www.securityfocus.com/bid/22293; reference:url,doc.emergingthreats.net/2005138; classtype:web-application-attack; sid:2005138; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"startrow="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0623; reference:url,www.securityfocus.com/bid/22293; reference:url,doc.emergingthreats.net/2005139; classtype:web-application-attack; sid:2005139; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"startrow="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0623; reference:url,www.securityfocus.com/bid/22293; reference:url,doc.emergingthreats.net/2005140; classtype:web-application-attack; sid:2005140; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id SELECT"; flow:established,to_server; content:"/email.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005511; classtype:web-application-attack; sid:2005511; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id UNION SELECT"; flow:established,to_server; content:"/email.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005512; classtype:web-application-attack; sid:2005512; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id INSERT"; flow:established,to_server; content:"/email.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005514; classtype:web-application-attack; sid:2005514; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id DELETE"; flow:established,to_server; content:"/email.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005515; classtype:web-application-attack; sid:2005515; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id ASCII"; flow:established,to_server; content:"/email.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005516; classtype:web-application-attack; sid:2005516; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id UPDATE"; flow:established,to_server; content:"/email.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005517; classtype:web-application-attack; sid:2005517; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"p="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006225; classtype:web-application-attack; sid:2006225; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p UNION SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"p="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006226; classtype:web-application-attack; sid:2006226; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p INSERT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"p="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006227; classtype:web-application-attack; sid:2006227; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p DELETE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"p="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006228; classtype:web-application-attack; sid:2006228; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p ASCII"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"p="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006229; classtype:web-application-attack; sid:2006229; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p UPDATE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"p="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006230; classtype:web-application-attack; sid:2006230; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l SELECT"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"l="; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006231; classtype:web-application-attack; sid:2006231; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l UNION SELECT"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"l="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006232; classtype:web-application-attack; sid:2006232; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l INSERT"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"l="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006233; classtype:web-application-attack; sid:2006233; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l DELETE"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"l="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006234; classtype:web-application-attack; sid:2006234; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l ASCII"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"l="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006235; classtype:web-application-attack; sid:2006235; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l UPDATE"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"l="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006236; classtype:web-application-attack; sid:2006236; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ SELECT"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"typ="; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006237; classtype:web-application-attack; sid:2006237; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ UNION SELECT"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"typ="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006238; classtype:web-application-attack; sid:2006238; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ INSERT"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"typ="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006239; classtype:web-application-attack; sid:2006239; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ DELETE"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"typ="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006240; classtype:web-application-attack; sid:2006240; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ ASCII"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"typ="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006241; classtype:web-application-attack; sid:2006241; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ UPDATE"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"typ="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006242; classtype:web-application-attack; sid:2006242; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc SELECT"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"loc="; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006243; classtype:web-application-attack; sid:2006243; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc UNION SELECT"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"loc="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006244; classtype:web-application-attack; sid:2006244; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc INSERT"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"loc="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006245; classtype:web-application-attack; sid:2006245; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc DELETE"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"loc="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006246; classtype:web-application-attack; sid:2006246; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc ASCII"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"loc="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006247; classtype:web-application-attack; sid:2006247; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc UPDATE"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"loc="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006248; classtype:web-application-attack; sid:2006248; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Minh Nguyen Duong Obie Website Mini Web Shop XSS Attempt -- sendmail.php"; flow:established,to_server; content:"/sendmail.php?"; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2532; reference:url,www.securityfocus.com/bid/23847; reference:url,doc.emergingthreats.net/2003918; classtype:web-application-attack; sid:2003918; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Minh Nguyen Duong Obie Website Mini Web Shop XSS Attempt -- order_form.php"; flow:established,to_server; content:"/order_form.php?"; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2532; reference:url,www.securityfocus.com/bid/23847; reference:url,doc.emergingthreats.net/2003919; classtype:web-application-attack; sid:2003919; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/snippet.reflect.php?"; nocase; http_uri; content:"reflect_base="; nocase; http_uri; pcre:"/reflect_base=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.exploit-db.com/exploits/7204/; reference:url,secunia.com/advisories/32824/; reference:url,doc.emergingthreats.net/2008897; classtype:web-application-attack; sid:2008897; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/snippet.reflect.php?"; nocase; http_uri; content:"reflect_base="; nocase; http_uri; pcre:"/(\.\.\/){1,}/U"; reference:url,www.exploit-db.com/exploits/7204/; reference:url,secunia.com/advisories/32824/; reference:url,doc.emergingthreats.net/2008898; classtype:web-application-attack; sid:2008898; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mp3 Online Id Tag Editor getid3.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/velid3/getid3.php?"; nocase; http_uri; content:"determined_format[include]="; nocase; http_uri; pcre:"/determined_format\[include\]=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/12219; reference:url,doc.emergingthreats.net/2011062; classtype:web-application-attack; sid:2011062; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mp3 Online Id Tag Editor module.archive.gzip.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/velid3/module.archive.gzip.php?"; nocase; http_uri; content:"determined_format[include]="; nocase; http_uri; pcre:"/determined_format\[include\]=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/12219; reference:url,doc.emergingthreats.net/2011063; classtype:web-application-attack; sid:2011063; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- configure_plugin.tpl.php edit_plugin"; flow:established,to_server; content:"/configure_plugin.tpl.php?"; nocase; http_uri; content:"edit_plugin="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2632; reference:url,www.securityfocus.com/bid/23917; reference:url,doc.emergingthreats.net/2003882; classtype:web-application-attack; sid:2003882; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- phpinfo.php 1"; flow:established,to_server; content:"/web/phpinfo.php?"; nocase; http_uri; content:"1["; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2632; reference:url,www.securityfocus.com/bid/23917; reference:url,doc.emergingthreats.net/2003883; classtype:web-application-attack; sid:2003883; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- phpinfo.php a"; flow:established,to_server; content:"/web/phpinfo.php?"; nocase; http_uri; content:"a["; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2632; reference:url,www.securityfocus.com/bid/23917; reference:url,doc.emergingthreats.net/2003884; classtype:web-application-attack; sid:2003884; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo Exploit"; flow:established,to_server; content:"mosConfig_absolute_path="; http_uri; content:".php"; nocase; http_uri; pcre:"/mosConfig_absolute_path=(https?|ftps?|php)\:\//Ui"; reference:url,seclists.org/lists/fulldisclosure/2005/Nov/0528.html; reference:url,isc.sans.org/diary.php?storyid=869; reference:url,www.us-cert.gov/cas/bulletins/SB07-106.html; reference:url,doc.emergingthreats.net/2002681; classtype:web-application-attack; sid:2002681; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- index.php listid SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"listid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2792; reference:url,www.exploit-db.com/exploits/3944/; reference:url,doc.emergingthreats.net/2003987; classtype:web-application-attack; sid:2003987; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- index.php listid UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"listid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2792; reference:url,www.exploit-db.com/exploits/3944/; reference:url,doc.emergingthreats.net/2003988; classtype:web-application-attack; sid:2003988; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- index.php listid INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"listid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2792; reference:url,www.exploit-db.com/exploits/3944/; reference:url,doc.emergingthreats.net/2003989; classtype:web-application-attack; sid:2003989; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- index.php listid DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"listid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2792; reference:url,www.exploit-db.com/exploits/3944/; reference:url,doc.emergingthreats.net/2003990; classtype:web-application-attack; sid:2003990; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- index.php listid ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"listid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2792; reference:url,www.exploit-db.com/exploits/3944/; reference:url,doc.emergingthreats.net/2003991; classtype:web-application-attack; sid:2003991; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- index.php listid UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"listid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2792; reference:url,www.exploit-db.com/exploits/3944/; reference:url,doc.emergingthreats.net/2003992; classtype:web-application-attack; sid:2003992; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname SELECT"; flow:established,to_server; content:"/moscomment.php?"; nocase; http_uri; content:"mcname="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004427; classtype:web-application-attack; sid:2004427; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname UNION SELECT"; flow:established,to_server; content:"/moscomment.php?"; nocase; http_uri; content:"mcname="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004428; classtype:web-application-attack; sid:2004428; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname INSERT"; flow:established,to_server; content:"/moscomment.php?"; nocase; http_uri; content:"mcname="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004429; classtype:web-application-attack; sid:2004429; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname DELETE"; flow:established,to_server; content:"/moscomment.php?"; nocase; http_uri; content:"mcname="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004430; classtype:web-application-attack; sid:2004430; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname ASCII"; flow:established,to_server; content:"/moscomment.php?"; nocase; http_uri; content:"mcname="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004431; classtype:web-application-attack; sid:2004431; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname UPDATE"; flow:established,to_server; content:"/moscomment.php?"; nocase; http_uri; content:"mcname="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004432; classtype:web-application-attack; sid:2004432; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname SELECT"; flow:established,to_server; content:"/com_comment.php?"; nocase; http_uri; content:"mcname="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004433; classtype:web-application-attack; sid:2004433; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname UNION SELECT"; flow:established,to_server; content:"/com_comment.php?"; nocase; http_uri; content:"mcname="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004434; classtype:web-application-attack; sid:2004434; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname INSERT"; flow:established,to_server; content:"/com_comment.php?"; nocase; http_uri; content:"mcname="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004435; classtype:web-application-attack; sid:2004435; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname DELETE"; flow:established,to_server; content:"/com_comment.php?"; nocase; http_uri; content:"mcname="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004436; classtype:web-application-attack; sid:2004436; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname ASCII"; flow:established,to_server; content:"/com_comment.php?"; nocase; http_uri; content:"mcname="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004437; classtype:web-application-attack; sid:2004437; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname UPDATE"; flow:established,to_server; content:"/com_comment.php?"; nocase; http_uri; content:"mcname="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004438; classtype:web-application-attack; sid:2004438; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php SELECT"; flow:established,to_server; content:"/includes/mambo.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004766; classtype:web-application-attack; sid:2004766; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php UNION SELECT"; flow:established,to_server; content:"/includes/mambo.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004767; classtype:web-application-attack; sid:2004767; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php INSERT"; flow:established,to_server; content:"/includes/mambo.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004768; classtype:web-application-attack; sid:2004768; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php DELETE"; flow:established,to_server; content:"/includes/mambo.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004769; classtype:web-application-attack; sid:2004769; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php ASCII"; flow:established,to_server; content:"/includes/mambo.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004770; classtype:web-application-attack; sid:2004770; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php UPDATE"; flow:established,to_server; content:"/includes/mambo.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004771; classtype:web-application-attack; sid:2004771; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Mambo MOStlyCE Module Image Manager Utility Arbitrary File Upload Attempt"; flow:established,to_server; content:"/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?"; nocase; http_uri; content:"Command=FileUpload"; nocase; http_uri; content:"/configuration.php"; nocase; http_uri; content:"CurrentFolder="; nocase; http_uri; reference:url,www.securityfocus.com/bid/27472/info; reference:url,doc.emergingthreats.net/2009937; classtype:web-application-attack; sid:2009937; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion Attempt"; flow:established,to_server; content:"/includes/Cache/Lite/Output.php?mosConfig_absolute_path="; nocase; http_uri; pcre:"/=\s*(https|ftps|php|http|ftp)\x3A\x2F/Ui"; reference:url,www.securityfocus.com/bid/29716/info; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/29716.rb; reference:url,doc.emergingthreats.net/2010223; classtype:web-application-attack; sid:2010223; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo Component com_viewfulllisting SQL Injection Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_viewfulllisting"; nocase; http_uri; content:"listing_id="; nocase; http_uri; pcre:"/(\?|&)listing_id=[^\x26\x3B]*[^\d\x2D]/iU"; reference:url,www.packetstormsecurity.org/0912-exploits/mambovfl-sql.txt; reference:url,doc.emergingthreats.net/2010605; classtype:web-application-attack; sid:2010605; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/WorkOrder.do?"; nocase; http_uri; content:"woID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,secunia.com/advisories/39032/; reference:url,exploit-db.com/exploits/11793; reference:url,doc.emergingthreats.net/2011091; classtype:web-application-attack; sid:2011091; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/WorkOrder.do?"; nocase; http_uri; content:"woID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,secunia.com/advisories/39032/; reference:url,exploit-db.com/exploits/11793; reference:url,doc.emergingthreats.net/2011092; classtype:web-application-attack; sid:2011092; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/WorkOrder.do?"; nocase; http_uri; content:"woID="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/39032/; reference:url,exploit-db.com/exploits/11793; reference:url,doc.emergingthreats.net/2011093; classtype:web-application-attack; sid:2011093; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/WorkOrder.do?"; nocase; http_uri; content:"woID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,secunia.com/advisories/39032/; reference:url,exploit-db.com/exploits/11793; reference:url,doc.emergingthreats.net/2011094; classtype:web-application-attack; sid:2011094; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/WorkOrder.do?"; nocase; http_uri; content:"woID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,secunia.com/advisories/39032/; reference:url,exploit-db.com/exploits/11793; reference:url,doc.emergingthreats.net/2011095; classtype:web-application-attack; sid:2011095; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Maran PHP Shop id Parameter Remote SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/prodshow.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,32043; reference:url,frsirt.com/english/advisories/2008/2976; reference:url,doc.emergingthreats.net/2008837; classtype:web-application-attack; sid:2008837; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid SELECT"; flow:established,to_server; content:"/news_page.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005141; classtype:web-application-attack; sid:2005141; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid UNION SELECT"; flow:established,to_server; content:"/news_page.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005142; classtype:web-application-attack; sid:2005142; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid INSERT"; flow:established,to_server; content:"/news_page.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005143; classtype:web-application-attack; sid:2005143; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid DELETE"; flow:established,to_server; content:"/news_page.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005144; classtype:web-application-attack; sid:2005144; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid ASCII"; flow:established,to_server; content:"/news_page.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005145; classtype:web-application-attack; sid:2005145; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid UPDATE"; flow:established,to_server; content:"/news_page.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005146; classtype:web-application-attack; sid:2005146; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXcms fm_includes_special Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/includes/file_manager/special.php?"; nocase; http_uri; content:"fm_includes_special="; nocase; http_uri; pcre:"/fm_includes_special=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.exploit-db.com/exploits/9350/; reference:url,vupen.com/english/advisories/2009/2136; reference:url,doc.emergingthreats.net/2011259; classtype:web-application-attack; sid:2011259; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXcms RFI attempt (1) "; flow:established,to_server; content:"/includes/InstantSite/inc.is_root.php?is_projectPath=http|3a|"; nocase; http_uri; reference:url,www.sans.org/top20/; reference:url,packetstormsecurity.org/0908-exploits/maxcms-rfi.txt; reference:url,doc.emergingthreats.net/2009888; classtype:web-application-attack; sid:2009888; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXcms RFI attempt (2) "; flow:established,to_server; content:"/classes/class.Tree.php?GLOBALS[thCMS_root]=http|3a|"; nocase; http_uri; reference:url,www.sans.org/top20/; reference:url,packetstormsecurity.org/0908-exploits/maxcms-rfi.txt; reference:url,doc.emergingthreats.net/2009889; classtype:web-application-attack; sid:2009889; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXcms RFI attempt (3) "; flow:established,to_server; content:"/classes/class.thcsm_user.php?is_path=http|3a|"; nocase; http_uri; reference:url,www.sans.org/top20/; reference:url,packetstormsecurity.org/0908-exploits/maxcms-rfi.txt; reference:url,doc.emergingthreats.net/2009890; classtype:web-application-attack; sid:2009890; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXcms RFI attempt (4) "; flow:established,to_server; content:"/modul/mod.users.php?thCMS_root=http|3a|"; nocase; http_uri; reference:url,www.sans.org/top20/; reference:url,packetstormsecurity.org/0908-exploits/maxcms-rfi.txt; reference:url,doc.emergingthreats.net/2009891; classtype:web-application-attack; sid:2009891; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS McAfee Email Gateway queueMsgType Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/admin/queuedMessage.do?"; nocase; http_uri; content:"method=getQueueMessages&"; nocase; http_uri; content:"queueMsgType="; nocase; http_uri; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,exploit-db.com/sploits/cybsec_advisory_2010_0402.pdf; reference:url,doc.emergingthreats.net/2011082; classtype:web-application-attack; sid:2011082; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS McAfee Email Gateway QtnType Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/admin/queuedMessage.do?"; nocase; http_uri; content:"method=getQueueMessages&"; nocase; http_uri; content:"QtnType="; nocase; http_uri; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,exploit-db.com/sploits/cybsec_advisory_2010_0402.pdf; reference:url,doc.emergingthreats.net/2011083; classtype:web-application-attack; sid:2011083; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x SELECT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"x["; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004265; classtype:web-application-attack; sid:2004265; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UNION SELECT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"x["; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004266; classtype:web-application-attack; sid:2004266; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x INSERT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"x["; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004267; classtype:web-application-attack; sid:2004267; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x DELETE"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"x["; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004268; classtype:web-application-attack; sid:2004268; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x ASCII"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"x["; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004269; classtype:web-application-attack; sid:2004269; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UPDATE"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"x["; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004270; classtype:web-application-attack; sid:2004270; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t SELECT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"t="; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004271; classtype:web-application-attack; sid:2004271; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t UNION SELECT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"t="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004272; classtype:web-application-attack; sid:2004272; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t INSERT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"t="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004273; classtype:web-application-attack; sid:2004273; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t DELETE"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"t="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004274; classtype:web-application-attack; sid:2004274; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t ASCII"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"t="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004275; classtype:web-application-attack; sid:2004275; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t UPDATE"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"t="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004276; classtype:web-application-attack; sid:2004276; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId SELECT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"productId="; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004277; classtype:web-application-attack; sid:2004277; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId UNION SELECT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"productId="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004278; classtype:web-application-attack; sid:2004278; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId INSERT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"productId="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004279; classtype:web-application-attack; sid:2004279; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId DELETE"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"productId="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004280; classtype:web-application-attack; sid:2004280; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId ASCII"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"productId="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004281; classtype:web-application-attack; sid:2004281; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId UPDATE"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"productId="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004282; classtype:web-application-attack; sid:2004282; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk SELECT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"sk="; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004283; classtype:web-application-attack; sid:2004283; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk UNION SELECT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"sk="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004284; classtype:web-application-attack; sid:2004284; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk INSERT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"sk="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004285; classtype:web-application-attack; sid:2004285; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk DELETE"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"sk="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004286; classtype:web-application-attack; sid:2004286; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk ASCII"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"sk="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004287; classtype:web-application-attack; sid:2004287; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk UPDATE"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"sk="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004288; classtype:web-application-attack; sid:2004288; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x SELECT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"x="; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004289; classtype:web-application-attack; sid:2004289; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UNION SELECT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"x="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004290; classtype:web-application-attack; sid:2004290; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x INSERT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"x="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004291; classtype:web-application-attack; sid:2004291; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x DELETE"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"x="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004292; classtype:web-application-attack; sid:2004292; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x ASCII"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"x="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004293; classtype:web-application-attack; sid:2004293; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UPDATE"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"x="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004294; classtype:web-application-attack; sid:2004294; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so SELECT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"so="; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004295; classtype:web-application-attack; sid:2004295; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so UNION SELECT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"so="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004296; classtype:web-application-attack; sid:2004296; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so INSERT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"so="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004297; classtype:web-application-attack; sid:2004297; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so DELETE"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"so="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004298; classtype:web-application-attack; sid:2004298; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so ASCII"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"so="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004299; classtype:web-application-attack; sid:2004299; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so UPDATE"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"so="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004300; classtype:web-application-attack; sid:2004300; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo SELECT"; flow:established,to_server; content:"/order-track.php?"; nocase; http_uri; content:"orderNo="; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004301; classtype:web-application-attack; sid:2004301; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo UNION SELECT"; flow:established,to_server; content:"/order-track.php?"; nocase; http_uri; content:"orderNo="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004302; classtype:web-application-attack; sid:2004302; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo INSERT"; flow:established,to_server; content:"/order-track.php?"; nocase; http_uri; content:"orderNo="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004303; classtype:web-application-attack; sid:2004303; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo DELETE"; flow:established,to_server; content:"/order-track.php?"; nocase; http_uri; content:"orderNo="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004304; classtype:web-application-attack; sid:2004304; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo ASCII"; flow:established,to_server; content:"/order-track.php?"; nocase; http_uri; content:"orderNo="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004305; classtype:web-application-attack; sid:2004305; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo UPDATE"; flow:established,to_server; content:"/order-track.php?"; nocase; http_uri; content:"orderNo="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004306; classtype:web-application-attack; sid:2004306; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Generic membreManager.php remote file include"; flow:established,to_server; content:"/membres/membreManager.php"; nocase; http_uri; pcre:"/include_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,22287; reference:url,doc.emergingthreats.net/2003331; classtype:web-application-attack; sid:2003331; rev:6; metadata:affected_product Any, attack_target Server, deployment Datacenter, tag Remote_File_Include, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa SELECT"; flow:established,to_server; content:"/lire-avis.php?"; http_uri; nocase; content:"aa="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6521; reference:url,www.securityfocus.com/bid/21513; reference:url,doc.emergingthreats.net/2006345; classtype:web-application-attack; sid:2006345; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa UNION SELECT"; flow:established,to_server; content:"/lire-avis.php?"; http_uri; nocase; content:"aa="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6521; reference:url,www.securityfocus.com/bid/21513; reference:url,doc.emergingthreats.net/2006346; classtype:web-application-attack; sid:2006346; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa INSERT"; flow:established,to_server; content:"/lire-avis.php?"; nocase; http_uri; content:"aa="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6521; reference:url,www.securityfocus.com/bid/21513; reference:url,doc.emergingthreats.net/2006347; classtype:web-application-attack; sid:2006347; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa DELETE"; flow:established,to_server; content:"/lire-avis.php?"; nocase; http_uri; content:"aa="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6521; reference:url,www.securityfocus.com/bid/21513; reference:url,doc.emergingthreats.net/2006348; classtype:web-application-attack; sid:2006348; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa ASCII"; flow:established,to_server; content:"/lire-avis.php?"; nocase; http_uri; content:"aa="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6521; reference:url,www.securityfocus.com/bid/21513; reference:url,doc.emergingthreats.net/2006349; classtype:web-application-attack; sid:2006349; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa UPDATE"; flow:established,to_server; content:"/lire-avis.php?"; nocase; http_uri; content:"aa="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6521; reference:url,www.securityfocus.com/bid/21513; reference:url,doc.emergingthreats.net/2006350; classtype:web-application-attack; sid:2006350; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi SELECT"; flow:established,to_server; content:"/uye_giris_islem.asp?"; nocase; http_uri; content:"kullanici_ismi="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006795; classtype:web-application-attack; sid:2006795; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi UNION SELECT"; flow:established,to_server; content:"/uye_giris_islem.asp?"; nocase; http_uri; content:"kullanici_ismi="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006796; classtype:web-application-attack; sid:2006796; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi INSERT"; flow:established,to_server; content:"/uye_giris_islem.asp?"; nocase; http_uri; content:"kullanici_ismi="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006797; classtype:web-application-attack; sid:2006797; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi DELETE"; flow:established,to_server; content:"/uye_giris_islem.asp?"; nocase; http_uri; content:"kullanici_ismi="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006798; classtype:web-application-attack; sid:2006798; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi ASCII"; flow:established,to_server; content:"/uye_giris_islem.asp?"; nocase; http_uri; content:"kullanici_ismi="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006799; classtype:web-application-attack; sid:2006799; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi UPDATE"; flow:established,to_server; content:"/uye_giris_islem.asp?"; nocase; http_uri; content:"kullanici_ismi="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006800; classtype:web-application-attack; sid:2006800; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre SELECT"; flow:established,to_server; content:"/uye_giris_islem.asp?"; nocase; http_uri; content:"sifre="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006801; classtype:web-application-attack; sid:2006801; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre UNION SELECT"; flow:established,to_server; content:"/uye_giris_islem.asp?"; nocase; http_uri; content:"sifre="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006802; classtype:web-application-attack; sid:2006802; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre INSERT"; flow:established,to_server; content:"/uye_giris_islem.asp?"; nocase; http_uri; content:"sifre="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006803; classtype:web-application-attack; sid:2006803; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre DELETE"; flow:established,to_server; content:"/uye_giris_islem.asp?"; nocase; http_uri; content:"sifre="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006804; classtype:web-application-attack; sid:2006804; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre ASCII"; flow:established,to_server; content:"/uye_giris_islem.asp?"; nocase; http_uri; content:"sifre="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006805; classtype:web-application-attack; sid:2006805; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre UPDATE"; flow:established,to_server; content:"/uye_giris_islem.asp?"; nocase; http_uri; content:"sifre="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006806; classtype:web-application-attack; sid:2006806; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id SELECT"; flow:established,to_server; content:"/duyuru.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0304; reference:url,www.milw0rm.com/exploits/3120; reference:url,doc.emergingthreats.net/2005603; classtype:web-application-attack; sid:2005603; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id UNION SELECT"; flow:established,to_server; content:"/duyuru.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0304; reference:url,www.milw0rm.com/exploits/3120; reference:url,doc.emergingthreats.net/2005604; classtype:web-application-attack; sid:2005604; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id INSERT"; flow:established,to_server; content:"/duyuru.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0304; reference:url,www.milw0rm.com/exploits/3120; reference:url,doc.emergingthreats.net/2005605; classtype:web-application-attack; sid:2005605; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id DELETE"; flow:established,to_server; content:"/duyuru.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0304; reference:url,www.milw0rm.com/exploits/3120; reference:url,doc.emergingthreats.net/2005606; classtype:web-application-attack; sid:2005606; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id ASCII"; flow:established,to_server; content:"/duyuru.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0304; reference:url,www.milw0rm.com/exploits/3120; reference:url,doc.emergingthreats.net/2005607; classtype:web-application-attack; sid:2005607; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id UPDATE"; flow:established,to_server; content:"/duyuru.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0304; reference:url,www.milw0rm.com/exploits/3120; reference:url,doc.emergingthreats.net/2005608; classtype:web-application-attack; sid:2005608; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant SELECT"; flow:established,to_server; content:"/item_show.asp?"; nocase; http_uri; content:"id2006quant="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007006; classtype:web-application-attack; sid:2007006; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant UNION SELECT"; flow:established,to_server; content:"/item_show.asp?"; nocase; http_uri; content:"id2006quant="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007007; classtype:web-application-attack; sid:2007007; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant INSERT"; flow:established,to_server; content:"/item_show.asp?"; nocase; http_uri; content:"id2006quant="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007008; classtype:web-application-attack; sid:2007008; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant DELETE"; flow:established,to_server; content:"/item_show.asp?"; nocase; http_uri; content:"id2006quant="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007009; classtype:web-application-attack; sid:2007009; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant ASCII"; flow:established,to_server; content:"/item_show.asp?"; nocase; http_uri; content:"id2006quant="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007010; classtype:web-application-attack; sid:2007010; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant UPDATE"; flow:established,to_server; content:"/item_show.asp?"; nocase; http_uri; content:"id2006quant="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007011; classtype:web-application-attack; sid:2007011; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup SELECT"; flow:established,to_server; content:"/item_list.asp?"; nocase; http_uri; content:"maingroup="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007012; classtype:web-application-attack; sid:2007012; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup UNION SELECT"; flow:established,to_server; content:"/item_list.asp?"; nocase; http_uri; content:"maingroup="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007013; classtype:web-application-attack; sid:2007013; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup INSERT"; flow:established,to_server; content:"/item_list.asp?"; nocase; http_uri; content:"maingroup="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007014; classtype:web-application-attack; sid:2007014; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup DELETE"; flow:established,to_server; content:"/item_list.asp?"; nocase; http_uri; content:"maingroup="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007015; classtype:web-application-attack; sid:2007015; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup ASCII"; flow:established,to_server; content:"/item_list.asp?"; nocase; http_uri; content:"maingroup="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007016; classtype:web-application-attack; sid:2007016; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup UPDATE"; flow:established,to_server; content:"/item_list.asp?"; nocase; http_uri; content:"maingroup="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007017; classtype:web-application-attack; sid:2007017; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup SELECT"; flow:established,to_server; content:"/item_list.asp?"; nocase; http_uri; content:"secondgroup="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007018; classtype:web-application-attack; sid:2007018; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup UNION SELECT"; flow:established,to_server; content:"/item_list.asp?"; nocase; http_uri; content:"secondgroup="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007019; classtype:web-application-attack; sid:2007019; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup INSERT"; flow:established,to_server; content:"/item_list.asp?"; nocase; http_uri; content:"secondgroup="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007020; classtype:web-application-attack; sid:2007020; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup DELETE"; flow:established,to_server; content:"/item_list.asp?"; nocase; http_uri; content:"secondgroup="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007021; classtype:web-application-attack; sid:2007021; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup ASCII"; flow:established,to_server; content:"/item_list.asp?"; nocase; http_uri; content:"secondgroup="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007022; classtype:web-application-attack; sid:2007022; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup UPDATE"; flow:established,to_server; content:"/item_list.asp?"; nocase; http_uri; content:"secondgroup="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007023; classtype:web-application-attack; sid:2007023; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MiNBank utdb_access.php minsoft_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/utdb_access.php?"; nocase; http_uri; content:"minsoft_path="; nocase; http_uri; pcre:"/minsoft_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,31492; reference:url,milw0rm.com/exploits/6632; reference:url,doc.emergingthreats.net/2009141; classtype:web-application-attack; sid:2009141; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MiNBank utgn_message.php minsoft_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/utgn_message.php?"; nocase; http_uri; content:"minsoft_path="; nocase; http_uri; pcre:"/minsoft_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,31492; reference:url,milw0rm.com/exploits/6632; reference:url,doc.emergingthreats.net/2009142; classtype:web-application-attack; sid:2009142; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c SELECT"; flow:established,to_server; content:"/forum.php?"; nocase; http_uri; content:"c="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1555; reference:url,www.milw0rm.com/exploits/3519; reference:url,doc.emergingthreats.net/2004164; classtype:web-application-attack; sid:2004164; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c UNION SELECT"; flow:established,to_server; content:"/forum.php?"; nocase; http_uri; content:"c="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1555; reference:url,www.milw0rm.com/exploits/3519; reference:url,doc.emergingthreats.net/2004165; classtype:web-application-attack; sid:2004165; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c INSERT"; flow:established,to_server; content:"/forum.php?"; nocase; http_uri; content:"c="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1555; reference:url,www.milw0rm.com/exploits/3519; reference:url,doc.emergingthreats.net/2004166; classtype:web-application-attack; sid:2004166; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c DELETE"; flow:established,to_server; content:"/forum.php?"; nocase; http_uri; content:"c="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1555; reference:url,www.milw0rm.com/exploits/3519; reference:url,doc.emergingthreats.net/2004167; classtype:web-application-attack; sid:2004167; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c ASCII"; flow:established,to_server; content:"/forum.php?"; nocase; http_uri; content:"c="; nocase; http_uri; content:"SELECT"; nocase; http_uri;  pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1555; reference:url,www.milw0rm.com/exploits/3519; reference:url,doc.emergingthreats.net/2004168; classtype:web-application-attack; sid:2004168; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c UPDATE"; flow:established,to_server; content:"/forum.php?"; nocase; http_uri; content:"c="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1555; reference:url,www.milw0rm.com/exploits/3519; reference:url,doc.emergingthreats.net/2004169; classtype:web-application-attack; sid:2004169; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS miplex2 Remote Inclusion SmartyFU.class.php system"; flow:established,to_server; content:"/lib/smarty/SmartyFU.class.php?"; nocase; http_uri; content:"system["; nocase; http_uri; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2608; reference:url,www.milw0rm.com/exploits/3878; reference:url,doc.emergingthreats.net/2003717; classtype:web-application-attack; sid:2003717; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Miva Merchant Cross Site Scripting Attack"; flow:to_server,established; content:"merchant.mv"; nocase; http_uri; content:"customer_login"; nocase; http_uri; pcre:"/customer_login.*\">/Ui"; reference:bugtraq,14828; reference:url,smallbusiness.miva.com/products/mia/; reference:url,www.frsirt.com/english/advisories/2005/1758; reference:url,doc.emergingthreats.net/2002371; classtype:web-application-activity; sid:2002371; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ModernBill export_batch.inc.php DIR Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/export_batch.inc.php?"; nocase; http_uri; content:"DIR="; nocase; http_uri; pcre:"/DIR=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/32529/; reference:url,milw0rm.com/exploits/6916; reference:url,doc.emergingthreats.net/2008900; classtype:web-application-attack; sid:2008900; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ModernBill run_auto_suspend.cron.php DIR Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/run_auto_suspend.cron.php?"; nocase; http_uri; content:"DIR="; nocase; http_uri; pcre:"/DIR=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/32529/; reference:url,milw0rm.com/exploits/6916; reference:url,doc.emergingthreats.net/2008901; classtype:web-application-attack; sid:2008901; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ModernBill send_email_cache.php DIR Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/send_email_cache.php?"; nocase; http_uri; content:"DIR="; nocase; http_uri; pcre:"/DIR=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/32529/; reference:url,milw0rm.com/exploits/6916; reference:url,doc.emergingthreats.net/2008902; classtype:web-application-attack; sid:2008902; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ModernBill 2checkout_return.inc.php DIR Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/2checkout_return.inc.php?"; nocase; http_uri; content:"DIR="; nocase; http_uri; pcre:"/DIR=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/32529/; reference:url,milw0rm.com/exploits/6916; reference:url,doc.emergingthreats.net/2008903; classtype:web-application-attack; sid:2008903; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ModernBill nettools.popup.php DIR Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/nettools.popup.php?"; nocase; http_uri; content:"DIR="; nocase; http_uri; pcre:"/DIR=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/32529/; reference:url,milw0rm.com/exploits/6916; reference:url,doc.emergingthreats.net/2008904; classtype:web-application-attack; sid:2008904; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mole viewsource.php dirn Parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/viewsource.php?"; nocase; http_uri; content:"dirn="; nocase; http_uri; content:"../"; reference:url,milw0rm.com/exploits/5394; reference:url,secunia.com/advisories/29685; reference:bugtraq,28659; reference:url,doc.emergingthreats.net/2009437; classtype:web-application-attack; sid:2009437; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mole viewsource.php fname Parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/viewsource.php?"; nocase; http_uri; content:"fname="; nocase; http_uri; content:"../"; reference:url,milw0rm.com/exploits/5394; reference:url,secunia.com/advisories/29685; reference:bugtraq,28659; reference:url,doc.emergingthreats.net/2009430; classtype:web-application-attack; sid:2009430; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName SELECT"; flow:established,to_server; content:"/admin_check_user.asp?"; nocase; http_uri; content:"txtUserName="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0196; reference:url,www.milw0rm.com/exploits/3105; reference:url,doc.emergingthreats.net/2005778; classtype:web-application-attack; sid:2005778; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName UNION SELECT"; flow:established,to_server; content:"/admin_check_user.asp?"; nocase; http_uri; content:"txtUserName="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0196; reference:url,www.milw0rm.com/exploits/3105; reference:url,doc.emergingthreats.net/2005779; classtype:web-application-attack; sid:2005779; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName INSERT"; flow:established,to_server; content:"/admin_check_user.asp?"; nocase; http_uri; content:"txtUserName="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0196; reference:url,www.milw0rm.com/exploits/3105; reference:url,doc.emergingthreats.net/2005780; classtype:web-application-attack; sid:2005780; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName DELETE"; flow:established,to_server; content:"/admin_check_user.asp?"; nocase; http_uri; content:"txtUserName="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0196; reference:url,www.milw0rm.com/exploits/3105; reference:url,doc.emergingthreats.net/2005781; classtype:web-application-attack; sid:2005781; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName ASCII"; flow:established,to_server; content:"/admin_check_user.asp?"; nocase; http_uri; content:"txtUserName="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0196; reference:url,www.milw0rm.com/exploits/3105; reference:url,doc.emergingthreats.net/2005782; classtype:web-application-attack; sid:2005782; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName UPDATE"; flow:established,to_server; content:"/admin_check_user.asp?"; nocase; http_uri; content:"txtUserName="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0196; reference:url,www.milw0rm.com/exploits/3105; reference:url,doc.emergingthreats.net/2005783; classtype:web-application-attack; sid:2005783; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion"; flow:established,to_server; content:"GET"; http_method; content:"/include/global.php?"; nocase; http_uri; content:"pfad="; nocase; http_uri; pcre:"/(\.\.\/){1,}/U"; reference:url,secunia.com/advisories/32986/; reference:url,milw0rm.com/exploits/7335; reference:url,doc.emergingthreats.net/2008938; classtype:web-application-attack; sid:2008938; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Multiple Membership Script id parameter SQL injection"; flow:to_server,established; content:"GET"; http_method; content:"/sitepage.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/33019/; reference:url,milw0rm.com/exploits/7346; reference:url,doc.emergingthreats.net/2008994; classtype:web-application-attack; sid:2008994; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"SELECT"; nocase; fast_pattern; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2737; reference:url,www.frsirt.com/english/advisories/2007/1830; reference:url,doc.emergingthreats.net/2003835; classtype:web-application-attack; sid:2003835; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; fast_pattern; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2737; reference:url,www.frsirt.com/english/advisories/2007/1830; reference:url,doc.emergingthreats.net/2003836; classtype:web-application-attack; sid:2003836; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; fast_pattern; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2737; reference:url,www.frsirt.com/english/advisories/2007/1830; reference:url,doc.emergingthreats.net/2003837; classtype:web-application-attack; sid:2003837; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; fast_pattern; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2737; reference:url,www.frsirt.com/english/advisories/2007/1830; reference:url,doc.emergingthreats.net/2003838; classtype:web-application-attack; sid:2003838; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; fast_pattern; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2737; reference:url,www.frsirt.com/english/advisories/2007/1830; reference:url,doc.emergingthreats.net/2003839; classtype:web-application-attack; sid:2003839; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; fast_pattern; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2737; reference:url,www.frsirt.com/english/advisories/2007/1830; reference:url,doc.emergingthreats.net/2003840; classtype:web-application-attack; sid:2003840; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyForum centre.php padmin Parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/centre.php?"; nocase; http_uri; content:"padmin="; nocase; http_uri; content:"../"; reference:url,vupen.com/english/advisories/2008/2938; reference:url,www.exploit-db.com/exploits/6846/; reference:url,doc.emergingthreats.net/2009330; classtype:web-application-attack; sid:2009330; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/infusions/last_seen_users_panel/last_seen_users_panel.php?"; nocase; http_uri; content:"settings[locale]="; nocase; http_uri; content:"../"; depth:200; reference:url,osvdb.org/show/osvdb/56583; reference:url,www.exploit-db.com/exploits/9018/; reference:url,doc.emergingthreats.net/2010631; classtype:web-application-attack; sid:2010631; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyioSoft EasyBookMarker Parent parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/bookmarker_backend.php?"; nocase; http_uri; content:"Parent="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/32636/; reference:url,www.exploit-db.com/exploits/7053/; reference:url,doc.emergingthreats.net/2008835; classtype:web-application-attack; sid:2008835; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS My PHP Dating id parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/success_story.php?id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:url,secunia.com/advisories/32268; reference:url,www.exploit-db.com/exploits/6754/; reference:url,doc.emergingthreats.net/2008672; classtype:web-application-attack; sid:2008672; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details SELECT"; flow:established,to_server; content:"/mystats.php?"; nocase; http_uri; content:"details="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006627; classtype:web-application-attack; sid:2006627; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details UNION SELECT"; flow:established,to_server; content:"/mystats.php?"; nocase; http_uri; content:"details="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006628; classtype:web-application-attack; sid:2006628; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details INSERT"; flow:established,to_server; content:"/mystats.php?"; nocase; http_uri; content:"details="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006629; classtype:web-application-attack; sid:2006629; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details DELETE"; flow:established,to_server; content:"/mystats.php?"; nocase; http_uri; content:"details="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006630; classtype:web-application-attack; sid:2006630; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details ASCII"; flow:established,to_server; content:"/mystats.php?"; nocase; http_uri; content:"details="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006631; classtype:web-application-attack; sid:2006631; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details UPDATE"; flow:established,to_server; content:"/mystats.php?"; nocase; http_uri; content:"details="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006632; classtype:web-application-attack; sid:2006632; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete SELECT"; flow:established,to_server; content:"/diary.php?"; nocase; http_uri; content:"delete="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004612; classtype:web-application-attack; sid:2004612; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete UNION SELECT"; flow:established,to_server; content:"/diary.php?"; nocase; http_uri; content:"delete="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004613; classtype:web-application-attack; sid:2004613; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete INSERT"; flow:established,to_server; content:"/diary.php?"; nocase; http_uri; content:"delete="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004614; classtype:web-application-attack; sid:2004614; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete DELETE"; flow:established,to_server; content:"/diary.php?"; nocase; http_uri; content:"delete="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004615; classtype:web-application-attack; sid:2004615; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete ASCII"; flow:established,to_server; content:"/diary.php?"; nocase; http_uri; content:"delete="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004616; classtype:web-application-attack; sid:2004616; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete UPDATE"; flow:established,to_server; content:"/diary.php?"; nocase; http_uri; content:"delete="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004617; classtype:web-application-attack; sid:2004617; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id SELECT"; flow:established,to_server; content:"/user.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004095; classtype:web-application-attack; sid:2004095; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id UNION SELECT"; flow:established,to_server; content:"/user.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004096; classtype:web-application-attack; sid:2004096; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id INSERT"; flow:established,to_server; content:"/user.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004097; classtype:web-application-attack; sid:2004097; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id DELETE"; flow:established,to_server; content:"/user.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004098; classtype:web-application-attack; sid:2004098; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id ASCII"; flow:established,to_server; content:"/user.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004099; classtype:web-application-attack; sid:2004099; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id UPDATE"; flow:established,to_server; content:"/user.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004100; classtype:web-application-attack; sid:2004100; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv SELECT"; flow:established,to_server; content:"/result.php?"; nocase; http_uri; content:"surv="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; reference:url,doc.emergingthreats.net/2004742; classtype:web-application-attack; sid:2004742; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv UNION SELECT"; flow:established,to_server; content:"/result.php?"; nocase; http_uri; content:"surv="; nocase; http_uri; content:"UNION"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; reference:url,doc.emergingthreats.net/2004743; classtype:web-application-attack; sid:2004743; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv INSERT"; flow:established,to_server; content:"/result.php?"; nocase; http_uri; content:"surv="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; reference:url,doc.emergingthreats.net/2004744; classtype:web-application-attack; sid:2004744; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv DELETE"; flow:established,to_server; content:"/result.php?"; nocase; http_uri; content:"surv="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; reference:url,doc.emergingthreats.net/2004745; classtype:web-application-attack; sid:2004745; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv ASCII"; flow:established,to_server; content:"/result.php?"; nocase; http_uri; content:"surv="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; reference:url,doc.emergingthreats.net/2004746; classtype:web-application-attack; sid:2004746; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv UPDATE"; flow:established,to_server; content:"/result.php?"; nocase; http_uri; content:"surv="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; reference:url,doc.emergingthreats.net/2004747; classtype:web-application-attack; sid:2004747; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id SELECT"; flow:established,to_server; content:"/users.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006880; classtype:web-application-attack; sid:2006880; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id UNION SELECT"; flow:established,to_server; content:"/users.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006881; classtype:web-application-attack; sid:2006881; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id INSERT"; flow:established,to_server; content:"/users.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006882; classtype:web-application-attack; sid:2006882; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id DELETE"; flow:established,to_server; content:"/users.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006883; classtype:web-application-attack; sid:2006883; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id ASCII"; flow:established,to_server; content:"/users.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006884; classtype:web-application-attack; sid:2006884; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id UPDATE"; flow:established,to_server; content:"/users.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006885; classtype:web-application-attack; sid:2006885; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php SELECT"; flow:established,to_server; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006736; classtype:web-application-attack; sid:2006736; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php UNION SELECT"; flow:established,to_server; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006737; classtype:web-application-attack; sid:2006737; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php INSERT"; flow:established,to_server; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006738; classtype:web-application-attack; sid:2006738; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php DELETE"; flow:established,to_server; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006739; classtype:web-application-attack; sid:2006739; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php ASCII"; flow:established,to_server; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006740; classtype:web-application-attack; sid:2006740; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php UPDATE"; flow:established,to_server; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006741; classtype:web-application-attack; sid:2006741; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php SELECT"; flow:established,to_server; content:"/pfs/pfs.edit.inc.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006742; classtype:web-application-attack; sid:2006742; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php UNION SELECT"; flow:established,to_server; content:"/pfs/pfs.edit.inc.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006743; classtype:web-application-attack; sid:2006743; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php INSERT"; flow:established,to_server; content:"/pfs/pfs.edit.inc.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006744; classtype:web-application-attack; sid:2006744; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php DELETE"; flow:established,to_server; content:"/pfs/pfs.edit.inc.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006745; classtype:web-application-attack; sid:2006745; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php ASCII"; flow:established,to_server; content:"/pfs/pfs.edit.inc.php?"; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006746; classtype:web-application-attack; sid:2006746; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php UPDATE"; flow:established,to_server; content:"/pfs/pfs.edit.inc.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006747; classtype:web-application-attack; sid:2006747; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php SELECT"; flow:established,to_server; content:"/system/core/users/users.register.inc.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006748; classtype:web-application-attack; sid:2006748; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php UNION SELECT"; flow:established,to_server; content:"/system/core/users/users.register.inc.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006749; classtype:web-application-attack; sid:2006749; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php INSERT"; flow:established,to_server; content:"/system/core/users/users.register.inc.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006750; classtype:web-application-attack; sid:2006750; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php DELETE"; flow:established,to_server; content:"/system/core/users/users.register.inc.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006751; classtype:web-application-attack; sid:2006751; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php ASCII"; flow:established,to_server; content:"/system/core/users/users.register.inc.php?"; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006752; classtype:web-application-attack; sid:2006752; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php UPDATE"; flow:established,to_server; content:"/system/core/users/users.register.inc.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006753; classtype:web-application-attack; sid:2006753; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id SELECT"; flow:established,to_server; content:"/polls.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006754; classtype:web-application-attack; sid:2006754; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id UNION SELECT"; flow:established,to_server; content:"/polls.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006755; classtype:web-application-attack; sid:2006755; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id INSERT"; flow:established,to_server; content:"/polls.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006756; classtype:web-application-attack; sid:2006756; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id DELETE"; flow:established,to_server; content:"/polls.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006757; classtype:web-application-attack; sid:2006757; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id ASCII"; flow:established,to_server; content:"/polls.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006758; classtype:web-application-attack; sid:2006758; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id UPDATE"; flow:established,to_server; content:"/polls.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006759; classtype:web-application-attack; sid:2006759; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id SELECT"; flow:established,to_server; content:"/users.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007288; classtype:web-application-attack; sid:2007288; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id UNION SELECT"; flow:established,to_server; content:"/users.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007289; classtype:web-application-attack; sid:2007289; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id INSERT"; flow:established,to_server; content:"/users.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007290; classtype:web-application-attack; sid:2007290; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id DELETE"; flow:established,to_server; content:"/users.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007291; classtype:web-application-attack; sid:2007291; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id ASCII"; flow:established,to_server; content:"/users.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007292; classtype:web-application-attack; sid:2007292; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id UPDATE"; flow:established,to_server; content:"/users.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007293; classtype:web-application-attack; sid:2007293; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id SELECT"; flow:established,to_server; content:"/ViewCat.php?"; nocase; http_uri; content:"s_user_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3354; reference:url,www.securityfocus.com/bid/24584; reference:url,doc.emergingthreats.net/2006547; classtype:web-application-attack; sid:2006547; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id UNION SELECT"; flow:established,to_server; content:"/ViewCat.php?"; nocase; http_uri; content:"s_user_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3354; reference:url,www.securityfocus.com/bid/24584; reference:url,doc.emergingthreats.net/2006548; classtype:web-application-attack; sid:2006548; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id INSERT"; flow:established,to_server; content:"/ViewCat.php?"; nocase; http_uri; content:"s_user_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3354; reference:url,www.securityfocus.com/bid/24584; reference:url,doc.emergingthreats.net/2006549; classtype:web-application-attack; sid:2006549; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id DELETE"; flow:established,to_server; content:"/ViewCat.php?"; nocase; http_uri; content:"s_user_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3354; reference:url,www.securityfocus.com/bid/24584; reference:url,doc.emergingthreats.net/2006550; classtype:web-application-attack; sid:2006550; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id ASCII"; flow:established,to_server; content:"/ViewCat.php?"; nocase; http_uri; content:"s_user_id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3354; reference:url,www.securityfocus.com/bid/24584; reference:url,doc.emergingthreats.net/2006551; classtype:web-application-attack; sid:2006551; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id UPDATE"; flow:established,to_server; content:"/ViewCat.php?"; nocase; http_uri; content:"s_user_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3354; reference:url,www.securityfocus.com/bid/24584; reference:url,doc.emergingthreats.net/2006552; classtype:web-application-attack; sid:2006552; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID SELECT"; flow:established,to_server; content:"/News/page.asp?"; nocase; http_uri; content:"NewsID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1566; reference:url,www.exploit-db.com/exploits/3520/; reference:url,doc.emergingthreats.net/2004158; classtype:web-application-attack; sid:2004158; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID UNION SELECT"; flow:established,to_server; content:"/News/page.asp?"; nocase; http_uri; content:"NewsID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1566; reference:url,www.exploit-db.com/exploits/3520/; reference:url,doc.emergingthreats.net/2004159; classtype:web-application-attack; sid:2004159; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID INSERT"; flow:established,to_server; content:"/News/page.asp?"; nocase; http_uri; content:"NewsID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1566; reference:url,www.exploit-db.com/exploits/3520/; reference:url,doc.emergingthreats.net/2004160; classtype:web-application-attack; sid:2004160; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID DELETE"; flow:established,to_server; content:"/News/page.asp?"; nocase; http_uri; content:"NewsID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1566; reference:url,www.exploit-db.com/exploits/3520/; reference:url,doc.emergingthreats.net/2004161; classtype:web-application-attack; sid:2004161; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID ASCII"; flow:established,to_server; content:"/News/page.asp?"; nocase; http_uri; content:"NewsID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1566; reference:url,www.exploit-db.com/exploits/3520/; reference:url,doc.emergingthreats.net/2004162; classtype:web-application-attack; sid:2004162; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID UPDATE"; flow:established,to_server; content:"/News/page.asp?"; nocase; http_uri; content:"NewsID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1566; reference:url,www.exploit-db.com/exploits/3520/; reference:url,doc.emergingthreats.net/2004163; classtype:web-application-attack; sid:2004163; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname SELECT"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentname="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004936; classtype:web-application-attack; sid:2004936; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname UNION SELECT"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentname="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004937; classtype:web-application-attack; sid:2004937; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname INSERT"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentname="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004938; classtype:web-application-attack; sid:2004938; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname DELETE"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentname="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004939; classtype:web-application-attack; sid:2004939; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname ASCII"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentname="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004940; classtype:web-application-attack; sid:2004940; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname UPDATE"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentname="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004941; classtype:web-application-attack; sid:2004941; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail SELECT"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentmail="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004942; classtype:web-application-attack; sid:2004942; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail UNION SELECT"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentmail="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004943; classtype:web-application-attack; sid:2004943; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail INSERT"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentmail="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004945; classtype:web-application-attack; sid:2004945; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail DELETE"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentmail="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004946; classtype:web-application-attack; sid:2004946; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail ASCII"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentmail="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004947; classtype:web-application-attack; sid:2004947; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail UPDATE"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentmail="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004948; classtype:web-application-attack; sid:2004948; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite SELECT"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentwebsite="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004949; classtype:web-application-attack; sid:2004949; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite UNION SELECT"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentwebsite="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004950; classtype:web-application-attack; sid:2004950; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite INSERT"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentwebsite="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004951; classtype:web-application-attack; sid:2004951; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite DELETE"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentwebsite="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004952; classtype:web-application-attack; sid:2004952; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite ASCII"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentwebsite="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004953; classtype:web-application-attack; sid:2004953; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite UPDATE"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentwebsite="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004954; classtype:web-application-attack; sid:2004954; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment SELECT"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"comment="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004955; classtype:web-application-attack; sid:2004955; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment UNION SELECT"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"comment="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004956; classtype:web-application-attack; sid:2004956; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment INSERT"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"comment="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004957; classtype:web-application-attack; sid:2004957; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment DELETE"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"comment="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004958; classtype:web-application-attack; sid:2004958; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment ASCII"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"comment="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004959; classtype:web-application-attack; sid:2004959; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment UPDATE"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"comment="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004960; classtype:web-application-attack; sid:2004960; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NewSolved newsscript.php jahr Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/newsscript.php?"; nocase; http_uri; content:"m=archive"; nocase; http_uri; content:"jahr="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/35611/; reference:url,www.exploit-db.com/exploits/9042/; reference:url,doc.emergingthreats.net/7741; classtype:web-application-attack; sid:2010028; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NewSolved newsscript.php idneu Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/newsscript.php?"; nocase; http_uri; content:"m=archive"; nocase; http_uri; content:"idneu="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/35611/; reference:url,www.exploit-db.com/exploits/9042/; reference:url,doc.emergingthreats.net/2010122; classtype:web-application-attack; sid:2010122; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NewSolved newsscript.php newsid Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/newsscript.php?"; nocase; http_uri; content:"mailto=ok"; nocase; http_uri; content:"newsid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/35611/; reference:url,www.exploit-db.com/exploits/9042/; reference:url,doc.emergingthreats.net/2010123; classtype:web-application-attack; sid:2010123; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Unclassified NewsBoard forum.php __tplCollection Parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/forum.php?"; nocase; http_uri; content:"GLOBALS[UTE][__tplCollection][a][file]="; nocase; http_uri; content:"../"; reference:url,www.exploit-db.com/exploits/8841/; reference:url,secunia.com/advisories/35299/; reference:url,doc.emergingthreats.net/2009905; classtype:web-application-attack; sid:2009905; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NewsOffice news_show.php newsoffice_directory Parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/news_show.php?"; nocase; http_uri; content:"newsoffice_directory="; nocase; http_uri; content:"../"; reference:url,secunia.com/advisories/29797; reference:bugtraq,28748; reference:url,www.exploit-db.com/exploits/5429/; reference:url,doc.emergingthreats.net/2009431; classtype:web-application-attack; sid:2009431; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NewsOffice news_show.php newsoffice_directory Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/news_show.php?"; nocase; http_uri; content:"newsoffice_directory="; nocase; http_uri; pcre:"/newsoffice_directory=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/29797; reference:bugtraq,28748; reference:url,www.exploit-db.com/exploits/5429/; reference:url,doc.emergingthreats.net/2009432; classtype:web-application-attack; sid:2009432; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS News Manager ch_readalso.php read_xml_include Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/ch_readalso.php?"; nocase; uricontent:"read_xml_include="; nocase; pcre:"/read_xml_include=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,29251; reference:url,xforce.iss.net/xforce/xfdb/42459; reference:url,milw0rm.com/exploits/5624; reference:url,doc.emergingthreats.net/2010099; classtype:web-application-attack; sid:2010099; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS nicLOR CMS-School showarticle.php aID Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/showarticle.php?"; nocase; uricontent:"aID="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,32112; reference:url,milw0rm.com/exploits/6982; reference:url,xforce.iss.net/xforce/xfdb/46330; reference:url,doc.emergingthreats.net/2009335; classtype:web-application-attack; sid:2009335; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category SELECT"; flow:established,to_server; uricontent:"/shared/code/cp_functions_downloads.php?"; nocase; uricontent:"download_category="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0223; reference:url,www.secunia.com/advisories/23726; reference:url,doc.emergingthreats.net/2005675; classtype:web-application-attack; sid:2005675; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category UNION SELECT"; flow:established,to_server; uricontent:"/shared/code/cp_functions_downloads.php?"; nocase; uricontent:"download_category="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0223; reference:url,www.secunia.com/advisories/23726; reference:url,doc.emergingthreats.net/2005676; classtype:web-application-attack; sid:2005676; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category INSERT"; flow:established,to_server; uricontent:"/shared/code/cp_functions_downloads.php?"; nocase; uricontent:"download_category="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0223; reference:url,www.secunia.com/advisories/23726; reference:url,doc.emergingthreats.net/2005677; classtype:web-application-attack; sid:2005677; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category DELETE"; flow:established,to_server; uricontent:"/shared/code/cp_functions_downloads.php?"; nocase; uricontent:"download_category="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0223; reference:url,www.secunia.com/advisories/23726; reference:url,doc.emergingthreats.net/2005678; classtype:web-application-attack; sid:2005678; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category ASCII"; flow:established,to_server; uricontent:"/shared/code/cp_functions_downloads.php?"; nocase; uricontent:"download_category="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0223; reference:url,www.secunia.com/advisories/23726; reference:url,doc.emergingthreats.net/2005679; classtype:web-application-attack; sid:2005679; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category UPDATE"; flow:established,to_server; uricontent:"/shared/code/cp_functions_downloads.php?"; nocase; uricontent:"download_category="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0223; reference:url,www.secunia.com/advisories/23726; reference:url,doc.emergingthreats.net/2005680; classtype:web-application-attack; sid:2005680; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nitrotech members.php id Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/members.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,32458; reference:url,doc.emergingthreats.net/2008921; classtype:web-application-attack; sid:2008921; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nitrotech common.php root Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/common.php?"; nocase; uricontent:"root="; nocase; pcre:"/root=\s*(ftps?|https?|php)\:\//Ui"; reference:url,xforce.iss.net/xforce/xfdb/29904; reference:url,milw0rm.com/exploits/7218; reference:url,doc.emergingthreats.net/2008922; classtype:web-application-attack; sid:2008922; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NoAH Remote Inclusion Attempt -- mfa_theme.php tpls"; flow:established,to_server; uricontent:"/modules/noevents/templates/mfa_theme.php?"; nocase; uricontent:"tpls["; nocase; reference:cve,CVE-2007-2572; reference:url,www.milw0rm.com/exploits/3861; reference:url,doc.emergingthreats.net/2003694; classtype:web-application-attack; sid:2003694; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- dev_logon.asp username"; flow:established,to_server; uricontent:"/de/pda/dev_logon.asp?"; nocase; uricontent:"username="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2592; reference:url,www.securityfocus.com/archive/1/archive/1/468048/100/0/threaded; reference:url,doc.emergingthreats.net/2003894; classtype:web-application-attack; sid:2003894; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- registerAccount.asp"; flow:established,to_server; uricontent:"/usrmgr/registerAccount.asp?"; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2592; reference:url,www.securityfocus.com/archive/1/archive/1/468048/100/0/threaded; reference:url,doc.emergingthreats.net/2003895; classtype:web-application-attack; sid:2003895; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- create_account.asp"; flow:established,to_server; uricontent:"/de/create_account.asp?"; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2592; reference:url,www.securityfocus.com/archive/1/archive/1/468048/100/0/threaded; reference:url,doc.emergingthreats.net/2003896; classtype:web-application-attack; sid:2003896; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id SELECT"; flow:established,to_server; uricontent:"/view.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0786; reference:url,www.milw0rm.com/exploits/3261; reference:url,doc.emergingthreats.net/2005015; classtype:web-application-attack; sid:2005015; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id UNION SELECT"; flow:established,to_server; uricontent:"/view.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0786; reference:url,www.milw0rm.com/exploits/3261; reference:url,doc.emergingthreats.net/2005016; classtype:web-application-attack; sid:2005016; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id INSERT"; flow:established,to_server; uricontent:"/view.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0786; reference:url,www.milw0rm.com/exploits/3261; reference:url,doc.emergingthreats.net/2005017; classtype:web-application-attack; sid:2005017; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id DELETE"; flow:established,to_server; uricontent:"/view.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0786; reference:url,www.milw0rm.com/exploits/3261; reference:url,doc.emergingthreats.net/2005018; classtype:web-application-attack; sid:2005018; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id ASCII"; flow:established,to_server; uricontent:"/view.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0786; reference:url,www.milw0rm.com/exploits/3261; reference:url,doc.emergingthreats.net/2005019; classtype:web-application-attack; sid:2005019; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id UPDATE"; flow:established,to_server; uricontent:"/view.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0786; reference:url,www.milw0rm.com/exploits/3261; reference:url,doc.emergingthreats.net/2005020; classtype:web-application-attack; sid:2005020; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NotFTP config.php languages Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/config.php?"; nocase; uricontent:"newlang=kacper"; nocase; uricontent:"languages[kacper][file]="; nocase; content:"../"; reference:url,milw0rm.com/exploits/8504; reference:bugtraq,34636; reference:url,doc.emergingthreats.net/2009728; classtype:web-application-attack; sid:2009728; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Novell eDirectory 'dconserv.dlm' Cross-Site Scripting Attempt"; flow:established,to_server; uricontent:"/dhost/modules"; nocase; uricontent:"dconserv.dlm="; nocase; pcre:"/(script|img|src|onmouse|onkey|onload)/Ui"; reference:url,www.securityfocus.com/bid/36567/info; reference:url,doc.emergingthreats.net/2010031; classtype:web-application-attack; sid:2010031; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid SELECT"; flow:established,to_server; uricontent:"/dagent/downloadreport.asp?"; nocase; uricontent:"agentid="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006591; classtype:web-application-attack; sid:2006591; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid UNION SELECT"; flow:established,to_server; uricontent:"/dagent/downloadreport.asp?"; nocase; uricontent:"agentid="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006592; classtype:web-application-attack; sid:2006592; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid INSERT"; flow:established,to_server; uricontent:"/dagent/downloadreport.asp?"; nocase; uricontent:"agentid="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006593; classtype:web-application-attack; sid:2006593; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid DELETE"; flow:established,to_server; uricontent:"/dagent/downloadreport.asp?"; nocase; uricontent:"agentid="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006594; classtype:web-application-attack; sid:2006594; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid ASCII"; flow:established,to_server; uricontent:"/dagent/downloadreport.asp?"; nocase; uricontent:"agentid="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006595; classtype:web-application-attack; sid:2006595; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid UPDATE"; flow:established,to_server; uricontent:"/dagent/downloadreport.asp?"; nocase; uricontent:"agentid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006596; classtype:web-application-attack; sid:2006596; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass SELECT"; flow:established,to_server; uricontent:"/dagent/downloadreport.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006597; classtype:web-application-attack; sid:2006597; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass UNION SELECT"; flow:established,to_server; uricontent:"/dagent/downloadreport.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006598; classtype:web-application-attack; sid:2006598; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass INSERT"; flow:established,to_server; uricontent:"/dagent/downloadreport.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006599; classtype:web-application-attack; sid:2006599; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass DELETE"; flow:established,to_server; uricontent:"/dagent/downloadreport.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006600; classtype:web-application-attack; sid:2006600; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass ASCII"; flow:established,to_server; uricontent:"/dagent/downloadreport.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006601; classtype:web-application-attack; sid:2006601; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass UPDATE"; flow:established,to_server; uricontent:"/dagent/downloadreport.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006602; classtype:web-application-attack; sid:2006602; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php SELECT"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1493; reference:url,www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded; reference:url,doc.emergingthreats.net/2004307; classtype:web-application-attack; sid:2004307; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php UNION SELECT"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1493; reference:url,www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded; reference:url,doc.emergingthreats.net/2004308; classtype:web-application-attack; sid:2004308; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php INSERT"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1493; reference:url,www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded; reference:url,doc.emergingthreats.net/2004309; classtype:web-application-attack; sid:2004309; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php DELETE"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1493; reference:url,www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded; reference:url,doc.emergingthreats.net/2004310; classtype:web-application-attack; sid:2004310; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php ASCII"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1493; reference:url,www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded; reference:url,doc.emergingthreats.net/2004311; classtype:web-application-attack; sid:2004311; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php UPDATE"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1493; reference:url,www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded; reference:url,doc.emergingthreats.net/2004312; classtype:web-application-attack; sid:2004312; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php SELECT"; flow:established,to_server; uricontent:"/includes/nsbypass.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1171; reference:url,www.milw0rm.com/exploits/3337; reference:url,doc.emergingthreats.net/2004736; classtype:web-application-attack; sid:2004736; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php UNION SELECT"; flow:established,to_server; uricontent:"/includes/nsbypass.php?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1171; reference:url,www.milw0rm.com/exploits/3337; reference:url,doc.emergingthreats.net/2004737; classtype:web-application-attack; sid:2004737; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php INSERT"; flow:established,to_server; uricontent:"/includes/nsbypass.php?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1171; reference:url,www.milw0rm.com/exploits/3337; reference:url,doc.emergingthreats.net/2004738; classtype:web-application-attack; sid:2004738; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php DELETE"; flow:established,to_server; uricontent:"/includes/nsbypass.php?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1171; reference:url,www.milw0rm.com/exploits/3337; reference:url,doc.emergingthreats.net/2004739; classtype:web-application-attack; sid:2004739; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php ASCII"; flow:established,to_server; uricontent:"/includes/nsbypass.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1171; reference:url,www.milw0rm.com/exploits/3337; reference:url,doc.emergingthreats.net/2004740; classtype:web-application-attack; sid:2004740; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php UPDATE"; flow:established,to_server; uricontent:"/includes/nsbypass.php?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1171; reference:url,www.milw0rm.com/exploits/3337; reference:url,doc.emergingthreats.net/2004741; classtype:web-application-attack; sid:2004741; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid SELECT"; flow:established,to_server; uricontent:"/viewthread.php?"; nocase; uricontent:"pid="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6280; reference:url,www.securityfocus.com/bid/21172; reference:url,doc.emergingthreats.net/2006807; classtype:web-application-attack; sid:2006807; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid UNION SELECT"; flow:established,to_server; uricontent:"/viewthread.php?"; nocase; uricontent:"pid="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6280; reference:url,www.securityfocus.com/bid/21172; reference:url,doc.emergingthreats.net/2006808; classtype:web-application-attack; sid:2006808; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid INSERT"; flow:established,to_server; uricontent:"/viewthread.php?"; nocase; uricontent:"pid="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6280; reference:url,www.securityfocus.com/bid/21172; reference:url,doc.emergingthreats.net/2006809; classtype:web-application-attack; sid:2006809; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid DELETE"; flow:established,to_server; uricontent:"/viewthread.php?"; nocase; uricontent:"pid="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6280; reference:url,www.securityfocus.com/bid/21172; reference:url,doc.emergingthreats.net/2006810; classtype:web-application-attack; sid:2006810; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid ASCII"; flow:established,to_server; uricontent:"/viewthread.php?"; nocase; uricontent:"pid="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6280; reference:url,www.securityfocus.com/bid/21172; reference:url,doc.emergingthreats.net/2006811; classtype:web-application-attack; sid:2006811; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid UPDATE"; flow:established,to_server; uricontent:"/viewthread.php?"; nocase; uricontent:"pid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6280; reference:url,www.securityfocus.com/bid/21172; reference:url,doc.emergingthreats.net/2006812; classtype:web-application-attack; sid:2006812; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OBOphiX fonctions_racine.php chemin_lib parameter Remote File Inclusion Attempt"; flow:to_server,established; uricontent:"/fonctions_racine.php?"; nocase; uricontent:"chemin_lib="; nocase; pcre:"/chemin_lib\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/57869; reference:url,secunia.com/advisories/36658/; reference:url,doc.emergingthreats.net/2010355; classtype:web-application-attack; sid:2010355; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter local file inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/resource_categories_view.php?"; nocase; uricontent:"CLASSES_ROOT="; nocase; content:"../"; reference:url,secunia.com/advisories/30784/; reference:url,milw0rm.com/exploits/5906; reference:url,doc.emergingthreats.net/2009332; classtype:web-application-attack; sid:2009332; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter Remote file inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/resource_categories_view.php?"; nocase; uricontent:"CLASSES_ROOT="; nocase; pcre:"/CLASSES_ROOT=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/30784/; reference:url,milw0rm.com/exploits/5906; reference:url,doc.emergingthreats.net/2009333; classtype:web-application-attack; sid:2009333; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OS Commerce 2.2 RC2 Potential Anonymous Remote Code Execution"; flow:established,to_server; content:"POST "; depth:5; uricontent:".php/"; pcre:"/\/[a-z_]+\.php\/[a-z_]+\.php/U"; reference:url,seclists.org/fulldisclosure/2009/Nov/169; reference:url,seclists.org/fulldisclosure/2009/Nov/170; reference:url,doc.emergingthreats.net/2010341; classtype:web-application-attack; sid:2010341; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible OSSIM uniqueid Parameter Remote Command Execution Attempt"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"/sem/"; nocase; uricontent:".php"; nocase; uricontent:"uniqueid="; nocase; uricontent:"|3B|"; pcre:"/\/sem\/\w+\.php.*(\?|&)uniqueid=\d*\;/Ui"; reference:url, www.securityfocus.com/bid/37375/info; reference:url,doc.emergingthreats.net/2010510; classtype:web-application-attack; sid:2010510; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OSSIM repository_attachment.php SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/ossim/repository/repository_attachment.php?"; nocase; uricontent:"id_document="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,www.exploit-db.com/exploits/10479; reference:url,doc.emergingthreats.net/2010652; classtype:web-application-attack; sid:2010652; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OSSIM repository_attachment.php DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/ossim/repository/repository_attachment.php?"; nocase; uricontent:"id_document="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,www.exploit-db.com/exploits/10479; reference:url,doc.emergingthreats.net/2010653; classtype:web-application-attack; sid:2010653; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OSSIM repository_attachment.php UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/ossim/repository/repository_attachment.php?"; nocase; uricontent:"id_document="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,www.exploit-db.com/exploits/10479; reference:url,doc.emergingthreats.net/2010654; classtype:web-application-attack; sid:2010654; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OSSIM repository_attachment.php INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/ossim/repository/repository_attachment.php?"; nocase; uricontent:"id_document="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,www.exploit-db.com/exploits/10479; reference:url,doc.emergingthreats.net/2010655; classtype:web-application-attack; sid:2010655; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OSSIM repository_attachment.php UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/ossim/repository/repository_attachment.php?"; nocase; uricontent:"id_document="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:url,www.exploit-db.com/exploits/10479; reference:url,doc.emergingthreats.net/2010656; classtype:web-application-attack; sid:2010656; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OSTicket Remote Code Execution Attempt"; flow: established,from_client; uricontent:"/osticket/include"; nocase; pcre:"/.*\[.*\].*\;/U"; reference:url,secunia.com/advisories/15216; reference:url,www.gulftech.org/?node=research&article_id=00071-05022005; reference:cve,CAN-2005-1438; reference:cve,CAN-2005-1439; reference:url,doc.emergingthreats.net/bin/view/Main/2002702; classtype:web-application-attack; sid:2002702; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Open Translation Engine Remote Inclusion Attempt -- header.php ote_home"; flow:established,to_server; uricontent:"/skins/header.php?"; nocase; uricontent:"ote_home="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2676; reference:url,www.milw0rm.com/exploits/3838; reference:url,doc.emergingthreats.net/2003741; classtype:web-application-attack; sid:2003741; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Open Translation Engine (OTE) XSS Attempt -- header.php ote_home"; flow:established,to_server; uricontent:"/skins/header.php?"; nocase; uricontent:"ote_home="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2676; reference:url,www.milw0rm.com/exploits/3838; reference:url,doc.emergingthreats.net/2003878; classtype:web-application-attack; sid:2003878; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/ADM_Pagina.php?"; nocase; uricontent:"Tipo="; nocase; pcre:"/Tipo=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2008-5063; reference:url,vupen.com/english/advisories/2008/3093; reference:url,secunia.com/advisories/32645; reference:url,doc.emergingthreats.net/2009395; classtype:web-application-attack; sid:2009395; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/ADM_Pagina.php?"; nocase; uricontent:"Tipo="; content:"../"; reference:cve,CVE-2008-5063; reference:url,vupen.com/english/advisories/2008/3093; reference:url,secunia.com/advisories/32645; reference:url,doc.emergingthreats.net/2009396; classtype:web-application-attack; sid:2009396; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id SELECT"; flow:established,to_server; uricontent:"/etkinlikbak.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0305; reference:url,www.milw0rm.com/exploits/3135; reference:url,doc.emergingthreats.net/2005597; classtype:web-application-attack; sid:2005597; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id UNION SELECT"; flow:established,to_server; uricontent:"/etkinlikbak.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0305; reference:url,www.milw0rm.com/exploits/3135; reference:url,doc.emergingthreats.net/2005598; classtype:web-application-attack; sid:2005598; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id INSERT"; flow:established,to_server; uricontent:"/etkinlikbak.asp?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0305; reference:url,www.milw0rm.com/exploits/3135; reference:url,doc.emergingthreats.net/2005599; classtype:web-application-attack; sid:2005599; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id DELETE"; flow:established,to_server; uricontent:"/etkinlikbak.asp?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0305; reference:url,www.milw0rm.com/exploits/3135; reference:url,doc.emergingthreats.net/2005600; classtype:web-application-attack; sid:2005600; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id ASCII"; flow:established,to_server; uricontent:"/etkinlikbak.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0305; reference:url,www.milw0rm.com/exploits/3135; reference:url,doc.emergingthreats.net/2005601; classtype:web-application-attack; sid:2005601; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id UPDATE"; flow:established,to_server; uricontent:"/etkinlikbak.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0305; reference:url,www.milw0rm.com/exploits/3135; reference:url,doc.emergingthreats.net/2005602; classtype:web-application-attack; sid:2005602; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp SELECT"; flow:established,to_server; uricontent:"/OmegaMw7.asp?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2992; reference:url,www.securityfocus.com/bid/24275; reference:url,doc.emergingthreats.net/2004450; classtype:web-application-attack; sid:2004450; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp UNION SELECT"; flow:established,to_server; uricontent:"/OmegaMw7.asp?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2992; reference:url,www.securityfocus.com/bid/24275; reference:url,doc.emergingthreats.net/2004451; classtype:web-application-attack; sid:2004451; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp INSERT"; flow:established,to_server; uricontent:"/OmegaMw7.asp?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2992; reference:url,www.securityfocus.com/bid/24275; reference:url,doc.emergingthreats.net/2004452; classtype:web-application-attack; sid:2004452; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp DELETE"; flow:established,to_server; uricontent:"/OmegaMw7.asp?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2992; reference:url,www.securityfocus.com/bid/24275; reference:url,doc.emergingthreats.net/2004453; classtype:web-application-attack; sid:2004453; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp ASCII"; flow:established,to_server; uricontent:"/OmegaMw7.asp?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2992; reference:url,www.securityfocus.com/bid/24275; reference:url,doc.emergingthreats.net/2004454; classtype:web-application-attack; sid:2004454; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp UPDATE"; flow:established,to_server; uricontent:"/OmegaMw7.asp?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2992; reference:url,www.securityfocus.com/bid/24275; reference:url,doc.emergingthreats.net/2004455; classtype:web-application-attack; sid:2004455; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Online Grades parents.php ADD Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/parents/parents.php?"; nocase; uricontent:"func=mailto"; nocase; uricontent:"ADD="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/35304/; reference:url,milw0rm.com/exploits/8844; reference:url,doc.emergingthreats.net/2009906; classtype:web-application-attack; sid:2009906; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id SELECT"; flow:established,to_server; uricontent:"/user_pages/page.asp?"; nocase; uricontent:"art_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1058; reference:url,www.milw0rm.com/exploits/3339; reference:url,doc.emergingthreats.net/2005186; classtype:web-application-attack; sid:2005186; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id UNION SELECT"; flow:established,to_server; uricontent:"/user_pages/page.asp?"; nocase; uricontent:"art_id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1058; reference:url,www.milw0rm.com/exploits/3339; reference:url,doc.emergingthreats.net/2004846; classtype:web-application-attack; sid:2004846; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id INSERT"; flow:established,to_server; uricontent:"/user_pages/page.asp?"; nocase; uricontent:"art_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1058; reference:url,www.milw0rm.com/exploits/3339; reference:url,doc.emergingthreats.net/2004847; classtype:web-application-attack; sid:2004847; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id DELETE"; flow:established,to_server; uricontent:"/user_pages/page.asp?"; nocase; uricontent:"art_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1058; reference:url,www.milw0rm.com/exploits/3339; reference:url,doc.emergingthreats.net/2004848; classtype:web-application-attack; sid:2004848; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id ASCII"; flow:established,to_server; uricontent:"/user_pages/page.asp?"; nocase; uricontent:"art_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1058; reference:url,www.milw0rm.com/exploits/3339; reference:url,doc.emergingthreats.net/2004849; classtype:web-application-attack; sid:2004849; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id UPDATE"; flow:established,to_server; uricontent:"/user_pages/page.asp?"; nocase; uricontent:"art_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1058; reference:url,www.milw0rm.com/exploits/3339; reference:url,doc.emergingthreats.net/2004850; classtype:web-application-attack; sid:2004850; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS openEngine filepool.php oe_classpath parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/filepool.php?"; nocase; uricontent:"oe_classpath="; nocase; pcre:"/oe_classpath=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,31423; reference:url,milw0rm.com/exploits/6585; reference:url,doc.emergingthreats.net/2009164; classtype:web-application-attack; sid:2009164; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible OpenSiteAdmin pageHeader.php Remote File Inclusion Attempt"; flow:established,to_server; content:"/OpenSiteAdmin/pages/pageHeader.php?"; http_uri; nocase; content:"="; http_uri; pcre:"/\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A)/Ui"; reference:url,www.securityfocus.com/bid/36445/info; reference:url,www.owasp.org/index.php/PHP_File_Inclusion; reference:url,doc.emergingthreats.net/2009931; classtype:web-application-attack; sid:2009931; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OpenX phpAdsNew phpAds_geoPlugin Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/libraries/lib-remotehost.inc.php?"; nocase; uricontent:"phpAds_geoPlugin="; nocase; pcre:"/phpAds_geoPlugin=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/14432/; reference:url,inj3ct0r.com/exploits/13426; reference:url,doc.emergingthreats.net/2011274; classtype:web-application-attack; sid:2011274; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 9090 (msg:"ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; content:"/plugins/sip/sipark-log-summary.jsp?"; within:100; nocase; content:"type="; within:50; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,www.securiteam.com/securitynews/6T00C0AN5G.html; reference:url,doc.emergingthreats.net/2011108; classtype:web-application-attack; sid:2011108; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 9090 (msg:"ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; content:"/plugins/sip/sipark-log-summary.jsp?"; within:100; nocase; content:"type="; within:50; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,www.securiteam.com/securitynews/6T00C0AN5G.html; reference:url,doc.emergingthreats.net/2011109; classtype:web-application-attack; sid:2011109; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 9090 (msg:"ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; content:"/plugins/sip/sipark-log-summary.jsp?"; within:100; nocase; content:"type="; within:50; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,www.securiteam.com/securitynews/6T00C0AN5G.html; reference:url,doc.emergingthreats.net/2011110; classtype:web-application-attack; sid:2011110; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 9090 (msg:"ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; content:"/plugins/sip/sipark-log-summary.jsp?"; within:100; nocase; content:"type="; within:50; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,www.securiteam.com/securitynews/6T00C0AN5G.html; reference:url,doc.emergingthreats.net/2011111; classtype:web-application-attack; sid:2011111; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 9090 (msg:"ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; content:"/plugins/sip/sipark-log-summary.jsp?"; within:100; nocase; content:"type="; within:50; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:url,www.securiteam.com/securitynews/6T00C0AN5G.html; reference:url,doc.emergingthreats.net/2011112; classtype:web-application-attack; sid:2011112; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Oracle E-Business Suite Financials jtfwcpnt.jsp SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/jtfwcpnt.jsp?"; nocase; uricontent:"query="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,39510; reference:url,doc.emergingthreats.net/2011057; classtype:web-application-attack; sid:2011057; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Oracle E-Business Suite Financials jtfwcpnt.jsp DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/jtfwcpnt.jsp?"; nocase; uricontent:"query="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,39510; reference:url,doc.emergingthreats.net/2011058; classtype:web-application-attack; sid:2011058; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Oracle E-Business Suite Financials jtfwcpnt.jsp UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/jtfwcpnt.jsp?"; nocase; uricontent:"query="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,39510; reference:url,doc.emergingthreats.net/2011059; classtype:web-application-attack; sid:2011059; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Oracle E-Business Suite Financials jtfwcpnt.jsp INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/jtfwcpnt.jsp?"; nocase; uricontent:"query="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,39510; reference:url,doc.emergingthreats.net/2011060; classtype:web-application-attack; sid:2011060; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Oracle E-Business Suite Financials jtfwcpnt.jsp UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/jtfwcpnt.jsp?"; nocase; uricontent:"query="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,39510; reference:url,doc.emergingthreats.net/2011061; classtype:web-application-attack; sid:2011061; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Oracle Business Process Management context Parameter Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/faces/jsf/tips.jsp?"; nocase; uricontent:"context="; nocase; pcre:"/context\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,exploit-db.com/exploits/14369/; reference:url,secunia.com/advisories/40605; reference:url,doc.emergingthreats.net/2011268; classtype:web-application-attack; sid:2011268; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Orlando CMS classes init.php GLOBALS Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/core/logger/init.php?"; nocase; uricontent:"GLOBALS[preloc]="; nocase; pcre:"/GLOBALS\[preloc\]=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,29820; reference:url,milw0rm.com/exploits/5864; reference:url,doc.emergingthreats.net/2009459; classtype:web-application-attack; sid:2009459; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Orlando CMS newscat.php GLOBALS Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/newscat.php?"; nocase; uricontent:"GLOBALS[preloc]="; nocase; pcre:"/GLOBALS\[preloc\]=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,29820; reference:url,milw0rm.com/exploits/5864; reference:url,doc.emergingthreats.net/2009460; classtype:web-application-attack; sid:2009460; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Orlando CMS init.php GLOBALS Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/core/security/init.php?"; nocase; uricontent:"GLOBALS[preloc]="; nocase; content:"../"; reference:bugtraq,29820; reference:url,milw0rm.com/exploits/5864; reference:url,doc.emergingthreats.net/2009461; classtype:web-application-attack; sid:2009461; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Orlando CMS stage1.php GLOBALS Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/stage1.php"; nocase; uricontent:"GLOBALS[preloc]="; nocase; content:"../"; reference:bugtraq,29820; reference:url,milw0rm.com/exploits/5864; reference:url,doc.emergingthreats.net/2009462; classtype:web-application-attack; sid:2009462; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Orlando CMS stage4.php GLOBALS Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/stage4.php?"; nocase; uricontent:"GLOBALS[preloc]="; nocase; content:"../"; reference:bugtraq,29820; reference:url,milw0rm.com/exploits/5864; reference:url,doc.emergingthreats.net/2009463; classtype:web-application-attack; sid:2009463; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Orlando CMS stage6.php GLOBALS Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/stage6.php?"; nocase; uricontent:"GLOBALS[preloc]="; nocase; content:"../"; reference:bugtraq,29820; reference:url,milw0rm.com/exploits/5864; reference:url,doc.emergingthreats.net/2009464; classtype:web-application-attack; sid:2009464; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate SELECT"; flow:established,to_server; uricontent:"/login/register.asp?"; nocase; uricontent:"UserUpdate="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005937; classtype:web-application-attack; sid:2005937; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate UNION SELECT"; flow:established,to_server; uricontent:"/login/register.asp?"; nocase; uricontent:"UserUpdate="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005938; classtype:web-application-attack; sid:2005938; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate INSERT"; flow:established,to_server; uricontent:"/login/register.asp?"; nocase; uricontent:"UserUpdate="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005939; classtype:web-application-attack; sid:2005939; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate DELETE"; flow:established,to_server; uricontent:"/login/register.asp?"; nocase; uricontent:"UserUpdate="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005940; classtype:web-application-attack; sid:2005940; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate ASCII"; flow:established,to_server; uricontent:"/login/register.asp?"; nocase; uricontent:"UserUpdate="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005941; classtype:web-application-attack; sid:2005941; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate UPDATE"; flow:established,to_server; uricontent:"/login/register.asp?"; nocase; uricontent:"UserUpdate="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005942; classtype:web-application-attack; sid:2005942; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp SELECT"; flow:established,to_server; uricontent:"/includes/a_register.asp?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005943; classtype:web-application-attack; sid:2005943; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp UNION SELECT"; flow:established,to_server; uricontent:"/includes/a_register.asp?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005944; classtype:web-application-attack; sid:2005944; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp INSERT"; flow:established,to_server; uricontent:"/includes/a_register.asp?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005945; classtype:web-application-attack; sid:2005945; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp DELETE"; flow:established,to_server; uricontent:"/includes/a_register.asp?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005946; classtype:web-application-attack; sid:2005946; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp ASCII"; flow:established,to_server; uricontent:"/includes/a_register.asp?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005947; classtype:web-application-attack; sid:2005947; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp UPDATE"; flow:established,to_server; uricontent:"/includes/a_register.asp?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005948; classtype:web-application-attack; sid:2005948; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Daily add_postit.php id Parameter SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/add_postit.php?"; nocase; uricontent:"mode=rep"; nocase; uricontent:"id="; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/Advisories/32408; reference:url,milw0rm.com/exploits/6833; reference:url,doc.emergingthreats.net/2009065; classtype:web-application-attack; sid:2009065; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Daily delete.php id Parameter SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/delete.php?"; nocase; uricontent:"mode=postit"; nocase; uricontent:"id="; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/Advisories/32/32408; reference:url,milw0rm.com/exploits/6833; reference:url,doc.emergingthreats.net/2009066; classtype:web-application-attack; sid:2009066; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion Members CV(job) Module members.php sortby parameter SQL injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/members.php?"; nocase; uricontent:"sortby="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,33156; reference:url,milw0rm.com/exploits/7697; reference:url,doc.emergingthreats.net/2009067; classtype:web-application-attack; sid:2009067; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip SELECT"; flow:established,to_server; uricontent:"/php-stats.recphp.php?"; nocase; uricontent:"ip="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7172; reference:url,www.milw0rm.com/exploits/3497; reference:url,doc.emergingthreats.net/2004241; classtype:web-application-attack; sid:2004241; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip UNION SELECT"; flow:established,to_server; uricontent:"/php-stats.recphp.php?"; nocase; uricontent:"ip="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7172; reference:url,www.milw0rm.com/exploits/3497; reference:url,doc.emergingthreats.net/2004242; classtype:web-application-attack; sid:2004242; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip INSERT"; flow:established,to_server; uricontent:"/php-stats.recphp.php?"; nocase; uricontent:"ip="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7172; reference:url,www.milw0rm.com/exploits/3497; reference:url,doc.emergingthreats.net/2004243; classtype:web-application-attack; sid:2004243; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip DELETE"; flow:established,to_server; uricontent:"/php-stats.recphp.php?"; nocase; uricontent:"ip="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7172; reference:url,www.milw0rm.com/exploits/3497; reference:url,doc.emergingthreats.net/2004244; classtype:web-application-attack; sid:2004244; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip ASCII"; flow:established,to_server; uricontent:"/php-stats.recphp.php?"; nocase; uricontent:"ip="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7172; reference:url,www.milw0rm.com/exploits/3497; reference:url,doc.emergingthreats.net/2004245; classtype:web-application-attack; sid:2004245; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip UPDATE"; flow:established,to_server; uricontent:"/php-stats.recphp.php?"; nocase; uricontent:"ip="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7172; reference:url,www.milw0rm.com/exploits/3497; reference:url,doc.emergingthreats.net/2004246; classtype:web-application-attack; sid:2004246; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGaming CMS previews.php browse parameter SQL injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/previews.php?"; nocase; uricontent:"browse="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:cve,2008-5841; reference:bugtraq,31340; reference:url,milw0rm.com/exploits/6540; reference:url,doc.emergingthreats.net/2009068; classtype:web-application-attack; sid:2009068; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGaming CMS reviews.php browse parameter SQL injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/reviews.php?"; nocase; uricontent:"browse="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:cve,2008-5841; reference:bugtraq,31340; reference:url,milw0rm.com/exploits/6540; reference:url,doc.emergingthreats.net/2009069; classtype:web-application-attack; sid:2009069; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Outgoing_Type_ID="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006510; classtype:web-application-attack; sid:2006510; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Outgoing_Type_ID="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006511; classtype:web-application-attack; sid:2006511; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Outgoing_Type_ID="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006512; classtype:web-application-attack; sid:2006512; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Outgoing_Type_ID="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006513; classtype:web-application-attack; sid:2006513; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Outgoing_Type_ID="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006514; classtype:web-application-attack; sid:2006514; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Outgoing_Type_ID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006515; classtype:web-application-attack; sid:2006515; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Outgoing_ID="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006516; classtype:web-application-attack; sid:2006516; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Outgoing_ID="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006517; classtype:web-application-attack; sid:2006517; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Outgoing_ID="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006518; classtype:web-application-attack; sid:2006518; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Outgoing_ID="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006519; classtype:web-application-attack; sid:2006519; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Outgoing_ID="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006520; classtype:web-application-attack; sid:2006520; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Outgoing_ID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006521; classtype:web-application-attack; sid:2006521; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Project_ID="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006522; classtype:web-application-attack; sid:2006522; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Project_ID="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006523; classtype:web-application-attack; sid:2006523; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Project_ID="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006524; classtype:web-application-attack; sid:2006524; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Project_ID="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006525; classtype:web-application-attack; sid:2006525; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Project_ID="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006526; classtype:web-application-attack; sid:2006526; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Project_ID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006527; classtype:web-application-attack; sid:2006527; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Client_ID="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006528; classtype:web-application-attack; sid:2006528; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Client_ID="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006529; classtype:web-application-attack; sid:2006529; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Client_ID="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006530; classtype:web-application-attack; sid:2006530; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Client_ID="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006531; classtype:web-application-attack; sid:2006531; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Client_ID="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006532; classtype:web-application-attack; sid:2006532; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Client_ID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006533; classtype:web-application-attack; sid:2006533; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Invoice_ID="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006534; classtype:web-application-attack; sid:2006534; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Invoice_ID="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006535; classtype:web-application-attack; sid:2006535; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Invoice_ID="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006536; classtype:web-application-attack; sid:2006536; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Invoice_ID="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006537; classtype:web-application-attack; sid:2006537; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Invoice_ID="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006538; classtype:web-application-attack; sid:2006538; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Invoice_ID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006539; classtype:web-application-attack; sid:2006539; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Vendor_ID="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006540; classtype:web-application-attack; sid:2006540; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Vendor_ID="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006541; classtype:web-application-attack; sid:2006541; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Vendor_ID="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006542; classtype:web-application-attack; sid:2006542; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Vendor_ID="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006543; classtype:web-application-attack; sid:2006543; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Vendor_ID="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006544; classtype:web-application-attack; sid:2006544; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Vendor_ID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006545; classtype:web-application-attack; sid:2006545; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPauction GPL converter.inc.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/converter.inc.php?"; nocase; uricontent:"include_path="; nocase; pcre:"/include_path=\s*(ftps?|https?|php)\://Ui"; reference:url,vupen.com/english/advisories/2008/0908; reference:bugtraq,28284; reference:url,milw0rm.com/exploits/5266; reference:url,doc.emergingthreats.net/2009871; classtype:web-application-attack; sid:2009871; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPauction GPL messages.inc.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/messages.inc.php?"; nocase; uricontent:"include_path="; nocase; pcre:"/include_path=\s*(ftps?|https?|php)\://Ui"; reference:url,vupen.com/english/advisories/2008/0908; reference:bugtraq,28284; reference:url,milw0rm.com/exploits/5266; reference:url,doc.emergingthreats.net/2009872; classtype:web-application-attack; sid:2009872; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPauction GPL settings.inc.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/settings.inc.php?"; nocase; uricontent:"include_path="; nocase; pcre:"/include_path=\s*(ftps?|https?|php)\://Ui"; reference:url,vupen.com/english/advisories/2008/0908; reference:bugtraq,28284; reference:url,milw0rm.com/exploits/5266; reference:url,doc.emergingthreats.net/2009873; classtype:web-application-attack; sid:2009873; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS XSS Possible Arbitrary Scripting Code Attack in phpBB (private message)"; flow: established,from_server; content:"privmsg.php"; pcre:"/\<a href="[^"]*(script|about|applet|activex|chrome)\s*\:/i"; reference:url,www.securitytracker.com/alerts/2005/May/1013918.html; reference:url,doc.emergingthreats.net/2001928; classtype:web-application-attack; sid:2001928; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS XSS Possible Arbitrary Scripting Code Attack in phpBB (signature)"; flow: established,from_server; content:"_________________"; pcre:"/\<br \/\>_________________\<br \/\>\<a href="[^"]*(script|about|applet|activex|chrome)\s*\:/i"; reference:url,www.securitytracker.com/alerts/2005/May/1013918.html; reference:url,doc.emergingthreats.net/2001929; classtype:web-application-attack; sid:2001929; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB Remote Code Execution Attempt"; flow:established,to_server; uricontent:"/viewtopic.php?"; pcre:"/highlight=.*?(\'|\%[a-f0-9]{4})(\.|\/|\\|\%[a-f0-9]{4}).+?(\'|\%[a-f0-9]{4})/Ui"; reference:url,secunia.com/advisories/15845/; reference:bugtraq,14086; reference:url,www.securiteam.com/unixfocus/6Z00R2ABPY.html; reference:url,doc.emergingthreats.net/2002070; classtype:web-application-attack; sid:2002070; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Generic phpbb arbitrary command attempt"; flow:established,to_server; uricontent:".php?"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(ftps?|https?|php)/Ui"; reference:url,cve.mitre.org/cgi-bin/cvekey.cgi?keyword=phpbb_root_path; reference:url,doc.emergingthreats.net/2002731; classtype:web-application-attack; sid:2002731; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id SELECT"; flow:established,to_server; uricontent:"/admin/admin_acronyms.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6842; reference:url,www.milw0rm.com/exploits/3033; reference:url,doc.emergingthreats.net/2005967; classtype:web-application-attack; sid:2005967; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UNION SELECT"; flow:established,to_server; uricontent:"/admin/admin_acronyms.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6842; reference:url,www.milw0rm.com/exploits/3033; reference:url,doc.emergingthreats.net/2005968; classtype:web-application-attack; sid:2005968; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id INSERT"; flow:established,to_server; uricontent:"/admin/admin_acronyms.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6842; reference:url,www.milw0rm.com/exploits/3033; reference:url,doc.emergingthreats.net/2005969; classtype:web-application-attack; sid:2005969; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id DELETE"; flow:established,to_server; uricontent:"/admin/admin_acronyms.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6842; reference:url,www.milw0rm.com/exploits/3033; reference:url,doc.emergingthreats.net/2005970; classtype:web-application-attack; sid:2005970; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id ASCII"; flow:established,to_server; uricontent:"/admin/admin_acronyms.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6842; reference:url,www.milw0rm.com/exploits/3033; reference:url,doc.emergingthreats.net/2005971; classtype:web-application-attack; sid:2005971; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UPDATE"; flow:established,to_server; uricontent:"/admin/admin_acronyms.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6842; reference:url,www.milw0rm.com/exploits/3033; reference:url,doc.emergingthreats.net/2005972; classtype:web-application-attack; sid:2005972; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id SELECT"; flow:established,to_server; uricontent:"/admin_hacks_list.php?"; nocase; uricontent:"hack_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6216; reference:url,www.milw0rm.com/exploits/2851; reference:url,doc.emergingthreats.net/2006969; classtype:web-application-attack; sid:2006969; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UNION SELECT"; flow:established,to_server; uricontent:"/admin_hacks_list.php?"; nocase; uricontent:"hack_id="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6216; reference:url,www.milw0rm.com/exploits/2851; reference:url,doc.emergingthreats.net/2006970; classtype:web-application-attack; sid:2006970; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id INSERT"; flow:established,to_server; uricontent:"/admin_hacks_list.php?"; nocase; uricontent:"hack_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6216; reference:url,www.milw0rm.com/exploits/2851; reference:url,doc.emergingthreats.net/2006971; classtype:web-application-attack; sid:2006971; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id DELETE"; flow:established,to_server; uricontent:"/admin_hacks_list.php?"; nocase; uricontent:"hack_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6216; reference:url,www.milw0rm.com/exploits/2851; reference:url,doc.emergingthreats.net/2006972; classtype:web-application-attack; sid:2006972; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id ASCII"; flow:established,to_server; uricontent:"/admin_hacks_list.php?"; nocase; uricontent:"hack_id="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6216; reference:url,www.milw0rm.com/exploits/2851; reference:url,doc.emergingthreats.net/2006973; classtype:web-application-attack; sid:2006973; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UPDATE"; flow:established,to_server; uricontent:"/admin_hacks_list.php?"; nocase; uricontent:"hack_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6216; reference:url,www.milw0rm.com/exploits/2851; reference:url,doc.emergingthreats.net/2006974; classtype:web-application-attack; sid:2006974; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 registration (Step1 GET)"; flow:to_server,established; content:"GET "; depth:4; nocase; uricontent:"/ucp.php"; nocase; uricontent:"mode=register"; flowbits:set,ET.phpBB3_test; flowbits:set,ET.phpBB3_register_stage1; flowbits:noalert; reference:url,doc.emergingthreats.net/2010890; classtype:attempted-user; sid:2010890; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 registration (Step2 POST)"; flow:to_server,established; content:"POST "; depth:5; nocase; uricontent:"/ucp.php"; nocase; uricontent:"mode=register"; content:"agreed=I+agree+to+these+terms"; content:"change_lang="; content:"creation_time"; content:"form_token"; flowbits:set,ET.phpBB3_test; flowbits:isset,ET.phpBB3_register_stage1; flowbits:set,ET.phpBB3_register_stage2; flowbits:noalert; reference:url,doc.emergingthreats.net/2010891; classtype:attempted-user; sid:2010891; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 registration (Step3 GET)"; flow:to_server,established; content:"GET "; depth:4; nocase; uricontent:"/ucp.php"; nocase; uricontent:"mode=confirm"; uricontent:"confirm_id="; uricontent:"type="; flowbits:set,ET.phpBB3_test; flowbits:set,ET.phpBB3_register_stage3; flowbits:noalert; reference:url,doc.emergingthreats.net/2010892; classtype:attempted-user; sid:2010892; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 registration (Step4 POST)"; flow:to_server,established; content:"POST "; depth:5; nocase; uricontent:"/ucp.php"; nocase; uricontent:"mode=register"; content:"username="; content:"email="; content:"email_confirm="; content:"new_password"; content:"password_confirm"; content:"lang="; content:"tz="; content:"confirm_code="; content:"refresh_vc="; content:"confirm_id="; content:"agreed="; content:"change_lang="; content:"confirm_id="; content:"creation_time="; content:"form_token="; flowbits:set,ET.phpBB3_test; flowbits:isset,ET.phpBB3_register_stage3; flowbits:set,ET.phpBB3_register_stage4; flowbits:noalert; reference:url,doc.emergingthreats.net/2010893; classtype:attempted-user; sid:2010893; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 Brute-Force reg attempt (Bad pf_XXXXX)"; flowbits:isset,ET.phpBB3_test; flow:to_server,established; content:"POST "; depth:5; nocase; uricontent:"/ucp.php"; nocase; uricontent:"mode=register"; content:"username="; content:"email="; content:"pf_XXXXX="; pcre:!"/^Y$/R"; flowbits:unset,ET.phpBB3_test; reference:url,doc.emergingthreats.net/2010894; classtype:web-application-attack; sid:2010894; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 Brute-Force reg attempt (Bad pf_XXXXX)"; flowbits:isset,ET.phpBB3_test; flow:to_server,established; content:"POST "; depth:5; nocase; uricontent:"/ucp.php"; nocase; uricontent:"mode=register"; content:"username="; content:"email="; content:"pf_XXXXX="; pcre:!"/^YYY$/R"; flowbits:unset,ET.phpBB3_test; reference:url,doc.emergingthreats.net/2010895; classtype:web-application-attack; sid:2010895; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 Brute-Force reg attempt (Bad flow 2)"; flow:established,to_server; flowbits:isnotset,ET.phpBB3_register_stage1; flowbits:isset,ET.phpBB3_register_stage2; flowbits:isset,ET.phpBB3_test; reference:url,doc.emergingthreats.net/2010896; classtype:web-application-attack; sid:2010896; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 Brute-Force reg attempt (Bad flow 2)"; flow:established,to_server; flowbits:isset,ET.phpBB3_test; flowbits:isnotset,ET.phpBB3_register_stage3; flowbits:isset,ET.phpBB3_register_stage4; reference:url,doc.emergingthreats.net/2010897; classtype:web-application-attack; sid:2010897; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 registration (Bogus Stage3 GET)"; flow:to_server,established; content:"GET "; depth:4; nocase; uricontent:"/ucp.php"; nocase; uricontent:"mode=confirm"; uricontent:"id="; pcre:"/(\?|&)id=/Ui"; uricontent:"type="; reference:url,doc.emergingthreats.net/2010898; classtype:web-application-attack; sid:2010898; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 multiple login attempts"; flow:to_server,established; content:"POST "; depth:5; nocase; uricontent:"/ucp.php"; nocase; uricontent:"mode=login"; threshold: type threshold, track by_src, count 2, seconds 60; reference:url,doc.emergingthreats.net/2010899; classtype:attempted-user; sid:2010899; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 possible spammer posting attempts"; flow:to_server,established; content:"POST "; depth:5; nocase; uricontent:"/posting.php"; nocase; uricontent:"mode=post"; threshold: type threshold, track by_src, count 2, seconds 30; reference:url,doc.emergingthreats.net/2010900; classtype:web-application-attack; sid:2010900; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPChain XSS Attempt -- settings.php catid"; flow:established,to_server; uricontent:"/settings.php?"; nocase; uricontent:"catid="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2670; reference:url,www.securityfocus.com/bid/23761; reference:url,doc.emergingthreats.net/2003879; classtype:web-application-attack; sid:2003879; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPChain XSS Attempt -- cat.php catid"; flow:established,to_server; uricontent:"/cat.php?"; nocase; uricontent:"catid="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2670; reference:url,www.securityfocus.com/bid/23761; reference:url,doc.emergingthreats.net/2003880; classtype:web-application-attack; sid:2003880; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- language.php config"; flow:established,to_server; uricontent:"/includes/language.php?"; nocase; uricontent:"config="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2677; reference:url,www.milw0rm.com/exploits/3837; reference:url,doc.emergingthreats.net/2003742; classtype:web-application-attack; sid:2003742; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_admin_cfg.php Root_Path"; flow:established,to_server; uricontent:"/layout_admin_cfg.php?"; nocase; uricontent:"Root_Path="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2677; reference:url,www.milw0rm.com/exploits/3837; reference:url,doc.emergingthreats.net/2003743; classtype:web-application-attack; sid:2003743; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_cfg.php Root_Path"; flow:established,to_server; uricontent:"/layout_cfg.php?"; nocase; uricontent:"Root_Path="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2677; reference:url,www.milw0rm.com/exploits/3837; reference:url,doc.emergingthreats.net/2003744; classtype:web-application-attack; sid:2003744; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_t_top.php Root_Path"; flow:established,to_server; uricontent:"/skins/phpchess/layout_t_top.php?"; nocase; uricontent:"Root_Path="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2677; reference:url,www.milw0rm.com/exploits/3837; reference:url,doc.emergingthreats.net/2003745; classtype:web-application-attack; sid:2003745; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpDatingClub website.php page Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/website.php?"; nocase; uricontent:"page="; nocase; content:"../"; reference:bugtraq,30176; reference:url,milw0rm.com/exploits/6037; reference:url,doc.emergingthreats.net/2009743; classtype:web-application-attack; sid:2009743; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id SELECT"; flow:established,to_server; uricontent:"/modules/admin/modules/gallery.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2866; reference:url,www.frsirt.com/english/advisories/2007/1937; reference:url,doc.emergingthreats.net/2004041; classtype:web-application-attack; sid:2004041; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id UNION SELECT"; flow:established,to_server; uricontent:"/modules/admin/modules/gallery.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2866; reference:url,www.frsirt.com/english/advisories/2007/1937; reference:url,doc.emergingthreats.net/2004042; classtype:web-application-attack; sid:2004042; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id INSERT"; flow:established,to_server; uricontent:"/modules/admin/modules/gallery.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2866; reference:url,www.frsirt.com/english/advisories/2007/1937; reference:url,doc.emergingthreats.net/2004043; classtype:web-application-attack; sid:2004043; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id DELETE"; flow:established,to_server; uricontent:"/modules/admin/modules/gallery.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2866; reference:url,www.frsirt.com/english/advisories/2007/1937; reference:url,doc.emergingthreats.net/2004044; classtype:web-application-attack; sid:2004044; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id ASCII"; flow:established,to_server; uricontent:"/modules/admin/modules/gallery.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2866; reference:url,www.frsirt.com/english/advisories/2007/1937; reference:url,doc.emergingthreats.net/2004045; classtype:web-application-attack; sid:2004045; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id UPDATE"; flow:established,to_server; uricontent:"/modules/admin/modules/gallery.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2866; reference:url,www.frsirt.com/english/advisories/2007/1937; reference:url,doc.emergingthreats.net/2004046; classtype:web-application-attack; sid:2004046; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPEventMan remote file include"; flow:established,to_server; uricontent:"/controller/"; nocase; pcre:"/(text\.ctrl\.php|common\.function\.php)\?level=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,22358; reference:url,doc.emergingthreats.net/2003372; classtype:web-application-attack; sid:2003372; rev:5; metadata:affected_product Any, attack_target Server, deployment Datacenter, tag Remote_File_Include, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPFirstPost Remote Inclusion Attempt block.php Include"; flow:established,to_server; uricontent:"/block.php?"; nocase; uricontent:"Include="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2665; reference:url,www.milw0rm.com/exploits/3906; reference:url,doc.emergingthreats.net/2003740; classtype:web-application-attack; sid:2003740; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPGenealogy CoupleDB.php DataDirectory Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/CoupleDB.php?"; nocase; uricontent:"DataDirectory="; nocase; pcre:"/DataDirectory=\s*(ftps?|https?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/9155; reference:url,packetstormsecurity.org/0907-exploits/phpgenealogy-rfi.txt; reference:url,doc.emergingthreats.net/2010095; classtype:web-application-attack; sid:2010095; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER SELECT"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"ADMIN_USER="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003805; classtype:web-application-attack; sid:2003805; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER UNION SELECT"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"ADMIN_USER="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003806; classtype:web-application-attack; sid:2003806; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER INSERT"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"ADMIN_USER="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003807; classtype:web-application-attack; sid:2003807; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER DELETE"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"ADMIN_USER="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003808; classtype:web-application-attack; sid:2003808; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER ASCII"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"ADMIN_USER="; nocase; uricontent:"ASCII("; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003809; classtype:web-application-attack; sid:2003809; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER UPDATE"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"ADMIN_USER="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003810; classtype:web-application-attack; sid:2003810; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS SELECT"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"ADMIN_PASS="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003811; classtype:web-application-attack; sid:2003811; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS UNION SELECT"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"ADMIN_PASS="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003812; classtype:web-application-attack; sid:2003812; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS INSERT"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"ADMIN_PASS="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003813; classtype:web-application-attack; sid:2003813; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS DELETE"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"ADMIN_PASS="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003814; classtype:web-application-attack; sid:2003814; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS ASCII"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"ADMIN_PASS="; nocase; uricontent:"ASCII("; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003815; classtype:web-application-attack; sid:2003815; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS UPDATE"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"ADMIN_PASS="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003816; classtype:web-application-attack; sid:2003816; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPHtmlLib Remote Inclusion Attempt -- widget8.php phphtmllib"; flow:established,to_server; uricontent:"/examples/widget8.php?"; nocase; uricontent:"phphtmllib="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2614; reference:url,www.securityfocus.com/archive/1/archive/1/467837/100/0/threaded; reference:url,doc.emergingthreats.net/2003730; classtype:web-application-attack; sid:2003730; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid SELECT"; flow:established,to_server; uricontent:"/include.php?"; nocase; uricontent:"catid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7115; reference:url,www.securityfocus.com/bid/21002; reference:url,doc.emergingthreats.net/2004695; classtype:web-application-attack; sid:2004695; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid UNION SELECT"; flow:established,to_server; uricontent:"/include.php?"; nocase; uricontent:"catid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7115; reference:url,www.securityfocus.com/bid/21002; reference:url,doc.emergingthreats.net/2004696; classtype:web-application-attack; sid:2004696; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid INSERT"; flow:established,to_server; uricontent:"/include.php?"; nocase; uricontent:"catid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7115; reference:url,www.securityfocus.com/bid/21002; reference:url,doc.emergingthreats.net/2004697; classtype:web-application-attack; sid:2004697; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid DELETE"; flow:established,to_server; uricontent:"/include.php?"; nocase; uricontent:"catid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7115; reference:url,www.securityfocus.com/bid/21002; reference:url,doc.emergingthreats.net/2004698; classtype:web-application-attack; sid:2004698; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid ASCII"; flow:established,to_server; uricontent:"/include.php?"; nocase; uricontent:"catid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7115; reference:url,www.securityfocus.com/bid/21002; reference:url,doc.emergingthreats.net/2004699; classtype:web-application-attack; sid:2004699; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid UPDATE"; flow:established,to_server; uricontent:"/include.php?"; nocase; uricontent:"catid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7115; reference:url,www.securityfocus.com/bid/21002; reference:url,doc.emergingthreats.net/2004700; classtype:web-application-attack; sid:2004700; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid SELECT"; flow:established,to_server; uricontent:"/comment.php?"; nocase; uricontent:"subid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0179; reference:url,www.securityfocus.com/bid/21962; reference:url,doc.emergingthreats.net/2005784; classtype:web-application-attack; sid:2005784; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid UNION SELECT"; flow:established,to_server; uricontent:"/comment.php?"; nocase; uricontent:"subid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0179; reference:url,www.securityfocus.com/bid/21962; reference:url,doc.emergingthreats.net/2005785; classtype:web-application-attack; sid:2005785; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid INSERT"; flow:established,to_server; uricontent:"/comment.php?"; nocase; uricontent:"subid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0179; reference:url,www.securityfocus.com/bid/21962; reference:url,doc.emergingthreats.net/2005786; classtype:web-application-attack; sid:2005786; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid DELETE"; flow:established,to_server; uricontent:"/comment.php?"; nocase; uricontent:"subid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0179; reference:url,www.securityfocus.com/bid/21962; reference:url,doc.emergingthreats.net/2005787; classtype:web-application-attack; sid:2005787; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid ASCII"; flow:established,to_server; uricontent:"/comment.php?"; nocase; uricontent:"subid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0179; reference:url,www.securityfocus.com/bid/21962; reference:url,doc.emergingthreats.net/2005788; classtype:web-application-attack; sid:2005788; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid UPDATE"; flow:established,to_server; uricontent:"/comment.php?"; nocase; uricontent:"subid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0179; reference:url,www.securityfocus.com/bid/21962; reference:url,doc.emergingthreats.net/2005789; classtype:web-application-attack; sid:2005789; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- ftp.php path_local"; flow:established,to_server; uricontent:"/ftp.php?"; nocase; uricontent:"path_local="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2615; reference:url,www.milw0rm.com/exploits/3875; reference:url,doc.emergingthreats.net/2003731; classtype:web-application-attack; sid:2003731; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- db.php path_local"; flow:established,to_server; uricontent:"/libs/db.php?"; nocase; uricontent:"path_local="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2615; reference:url,www.milw0rm.com/exploits/3875; reference:url,doc.emergingthreats.net/2003732; classtype:web-application-attack; sid:2003732; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- libs_ftp.php path_local"; flow:established,to_server; uricontent:"/libs/ftp.php?"; nocase; uricontent:"path_local="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2615; reference:url,www.milw0rm.com/exploits/3875; reference:url,doc.emergingthreats.net/2003733; classtype:web-application-attack; sid:2003733; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Million Pixel Ad Script tops_top.php id_cat parameter SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/tops_top.php?"; nocase; uricontent:"id_cat="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/31626/; reference:url,milw0rm.com/exploits/6044; reference:url,doc.emergingthreats.net/2009139; classtype:web-application-attack; sid:2009139; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPmyGallery lang parameter Local File Inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/_conf/core/common-tpl-vars.php?"; nocase; uricontent:"lang="; nocase; pcre:"/(\.\.\/){1,}/U"; reference:url,milw0rm.com/exploits/7392; reference:bugtraq,32705; reference:url,doc.emergingthreats.net/2008961; classtype:web-application-attack; sid:2008961; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPmyGallery confdir parameter Remote File Inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/_conf/core/common-tpl-vars.php?"; nocase; uricontent:"confdir="; nocase; pcre:"/confdir=\s*(ftps?|https?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/7392; reference:bugtraq,32705; reference:url,doc.emergingthreats.net/2008962; classtype:web-application-attack; sid:2008962; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpMyPortal Remote Inclusion Attempt -- articles.inc.php GLOBALS CHEMINMODULES"; flow:established,to_server; uricontent:"/inc/articles.inc.php?"; nocase; uricontent:"GLOBALS[CHEMINMODULES]="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2594; reference:url,www.milw0rm.com/exploits/3879; reference:url,doc.emergingthreats.net/2003703; classtype:web-application-attack; sid:2003703; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPOF DB_AdoDB.Class.PHP PHPOF_INCLUDE_PATH parameter Remote File Inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/DB_adodb.class.php?"; nocase; uricontent:"PHPOF_INCLUDE_PATH="; nocase; pcre:"/PHPOF_INCLUDE_PATH=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,25541; reference:url,doc.emergingthreats.net/2009051; classtype:web-application-attack; sid:2009051; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPOutsourcing Zorum prod.php Remote Command Execution Attempt"; flow:to_server,established; uricontent:"/prod.php?"; nocase; pcre:"/(argv[1]=\|.+)/"; reference:bugtraq,14601; reference:url,doc.emergingthreats.net/2002314; classtype:web-application-attack; sid:2002314; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Realty dpage.php docID parameter SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/dpage.php?"; nocase; uricontent:"docID="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/31484/; reference:url,packetstorm.linuxsecurity.com/0808-exploits/phprealty-sql.txt; reference:url,doc.emergingthreats.net/2009137; classtype:web-application-attack; sid:2009137; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPSecurityAdmin Remote Inclusion Attempt -- logout.php PSA_PATH"; flow:established,to_server; uricontent:"/include/logout.php?"; nocase; uricontent:"PSA_PATH="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2628; reference:url,www.securityfocus.com/bid/23801; reference:url,doc.emergingthreats.net/2003735; classtype:web-application-attack; sid:2003735; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPStore Wholesales id Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/track.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/32741/; reference:url,packetstorm.linuxsecurity.com/0811-exploits/wholesale-sql.txt; reference:url,doc.emergingthreats.net/2008873; classtype:web-application-attack; sid:2008873; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPStore Yahoo Answers id parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"cmd=4"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/32717/; reference:url,milw0rm.com/exploits/7131; reference:url,doc.emergingthreats.net/2008874; classtype:web-application-attack; sid:2008874; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php SELECT"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7101; reference:url,www.milw0rm.com/exploits/2759; reference:url,doc.emergingthreats.net/2004701; classtype:web-application-attack; sid:2004701; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php UNION SELECT"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7101; reference:url,www.milw0rm.com/exploits/2759; reference:url,doc.emergingthreats.net/2004702; classtype:web-application-attack; sid:2004702; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php INSERT"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7101; reference:url,www.milw0rm.com/exploits/2759; reference:url,doc.emergingthreats.net/2005180; classtype:web-application-attack; sid:2005180; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php DELETE"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7101; reference:url,www.milw0rm.com/exploits/2759; reference:url,doc.emergingthreats.net/2004703; classtype:web-application-attack; sid:2004703; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php ASCII"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7101; reference:url,www.milw0rm.com/exploits/2759; reference:url,doc.emergingthreats.net/2004704; classtype:web-application-attack; sid:2004704; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php UPDATE"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7101; reference:url,www.milw0rm.com/exploits/2759; reference:url,doc.emergingthreats.net/2005181; classtype:web-application-attack; sid:2005181; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Lance show.php catid SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/show.php?catid="; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/Advisories/32027/; reference:url,www.milw0rm.com/exploits/6605; reference:url,doc.emergingthreats.net/2008614; classtype:web-application-attack; sid:2008614; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPNuke SQL injection attempt"; flow: to_server,established; uricontent:"/modules.php?"; uricontent:"name=Search"; uricontent:"instory="; reference:url,www.waraxe.us/index.php?modname=sa&id=35; reference:url,doc.emergingthreats.net/2001197; classtype:web-application-attack; sid:2001197; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPNuke general SQL injection attempt"; flow: to_server,established; uricontent:"/modules.php?"; content:"name="; content:"UNION"; nocase; content:"SELECT"; nocase; reference:url,www.waraxe.us/?modname=sa&id=030; reference:url,www.waraxe.us/?modname=sa&id=036; reference:url,doc.emergingthreats.net/2001202; classtype:web-application-attack; sid:2001202; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPNuke general XSS attempt"; flow: to_server,established; uricontent:"/modules.php?"; uricontent:"name="; uricontent:"SCRIPT"; nocase; pcre:"/<\s*SCRIPT\s*>/iU"; reference:url,www.waraxe.us/?modname=sa&id=030; reference:url,doc.emergingthreats.net/2001218; classtype:web-application-attack; sid:2001218; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang SELECT"; flow:established,to_server; uricontent:"/mainfile.php?"; nocase; uricontent:"lang="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1450; reference:url,www.securityfocus.com/bid/22909; reference:url,doc.emergingthreats.net/2004325; classtype:web-application-attack; sid:2004325; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang UNION SELECT"; flow:established,to_server; uricontent:"/mainfile.php?"; nocase; uricontent:"lang="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1450; reference:url,www.securityfocus.com/bid/22909; reference:url,doc.emergingthreats.net/2004326; classtype:web-application-attack; sid:2004326; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang INSERT"; flow:established,to_server; uricontent:"/mainfile.php?"; nocase; uricontent:"lang="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1450; reference:url,www.securityfocus.com/bid/22909; reference:url,doc.emergingthreats.net/2004327; classtype:web-application-attack; sid:2004327; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang DELETE"; flow:established,to_server; uricontent:"/mainfile.php?"; nocase; uricontent:"lang="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1450; reference:url,www.securityfocus.com/bid/22909; reference:url,doc.emergingthreats.net/2004328; classtype:web-application-attack; sid:2004328; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang ASCII"; flow:established,to_server; uricontent:"/mainfile.php?"; nocase; uricontent:"lang="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1450; reference:url,www.securityfocus.com/bid/22909; reference:url,doc.emergingthreats.net/2004329; classtype:web-application-attack; sid:2004329; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang UPDATE"; flow:established,to_server; uricontent:"/mainfile.php?"; nocase; uricontent:"lang="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1450; reference:url,www.securityfocus.com/bid/22909; reference:url,doc.emergingthreats.net/2004330; classtype:web-application-attack; sid:2004330; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id SELECT"; flow:established,to_server; uricontent:"/modules.php?"; nocase; uricontent:"category_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1034; reference:url,www.milw0rm.com/exploits/3334; reference:url,doc.emergingthreats.net/2004851; classtype:web-application-attack; sid:2004851; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id UNION SELECT"; flow:established,to_server; uricontent:"/modules.php?"; nocase; uricontent:"category_id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1034; reference:url,www.milw0rm.com/exploits/3334; reference:url,doc.emergingthreats.net/2004852; classtype:web-application-attack; sid:2004852; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id INSERT"; flow:established,to_server; uricontent:"/modules.php?"; nocase; uricontent:"category_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1034; reference:url,www.milw0rm.com/exploits/3334; reference:url,doc.emergingthreats.net/2004853; classtype:web-application-attack; sid:2004853; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id DELETE"; flow:established,to_server; uricontent:"/modules.php?"; nocase; uricontent:"category_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1034; reference:url,www.milw0rm.com/exploits/3334; reference:url,doc.emergingthreats.net/2004854; classtype:web-application-attack; sid:2004854; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id ASCII"; flow:established,to_server; uricontent:"/modules.php?"; nocase; uricontent:"category_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1034; reference:url,www.milw0rm.com/exploits/3334; reference:url,doc.emergingthreats.net/2004855; classtype:web-application-attack; sid:2004855; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id UPDATE"; flow:established,to_server; uricontent:"/modules.php?"; nocase; uricontent:"category_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1034; reference:url,www.milw0rm.com/exploits/3334; reference:url,doc.emergingthreats.net/2004856; classtype:web-application-attack; sid:2004856; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active SELECT"; flow:established,to_server; uricontent:"/admin/modules/modules.php?"; nocase; uricontent:"active="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005456; classtype:web-application-attack; sid:2005456; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active UNION SELECT"; flow:established,to_server; uricontent:"/admin/modules/modules.php?"; nocase; uricontent:"active="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005457; classtype:web-application-attack; sid:2005457; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active INSERT"; flow:established,to_server; uricontent:"/admin/modules/modules.php?"; nocase; uricontent:"active="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005458; classtype:web-application-attack; sid:2005458; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active DELETE"; flow:established,to_server; uricontent:"/admin/modules/modules.php?"; nocase; uricontent:"active="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005459; classtype:web-application-attack; sid:2005459; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active ASCII"; flow:established,to_server; uricontent:"/admin/modules/modules.php?"; nocase; uricontent:"active="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005460; classtype:web-application-attack; sid:2005460; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active UPDATE"; flow:established,to_server; uricontent:"/admin/modules/modules.php?"; nocase; uricontent:"active="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005461; classtype:web-application-attack; sid:2005461; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class SELECT"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"ad_class="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005462; classtype:web-application-attack; sid:2005462; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class UNION SELECT"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"ad_class="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005463; classtype:web-application-attack; sid:2005463; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class INSERT"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"ad_class="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005464; classtype:web-application-attack; sid:2005464; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class DELETE"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"ad_class="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005465; classtype:web-application-attack; sid:2005465; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class ASCII"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"ad_class="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005466; classtype:web-application-attack; sid:2005466; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class UPDATE"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"ad_class="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005467; classtype:web-application-attack; sid:2005467; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl SELECT"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"imageurl="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005468; classtype:web-application-attack; sid:2005468; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl UNION SELECT"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"imageurl="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005469; classtype:web-application-attack; sid:2005469; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl INSERT"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"imageurl="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005470; classtype:web-application-attack; sid:2005470; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl DELETE"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"imageurl="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005471; classtype:web-application-attack; sid:2005471; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl ASCII"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"imageurl="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005472; classtype:web-application-attack; sid:2005472; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl UPDATE"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"imageurl="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005473; classtype:web-application-attack; sid:2005473; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl SELECT"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"clickurl="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005474; classtype:web-application-attack; sid:2005474; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl UNION SELECT"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"clickurl="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005475; classtype:web-application-attack; sid:2005475; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl INSERT"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"clickurl="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005476; classtype:web-application-attack; sid:2005476; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl DELETE"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"clickurl="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005477; classtype:web-application-attack; sid:2005477; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl ASCII"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"clickurl="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005478; classtype:web-application-attack; sid:2005478; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl UPDATE"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"clickurl="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005479; classtype:web-application-attack; sid:2005479; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code SELECT"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"ad_code="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005480; classtype:web-application-attack; sid:2005480; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code UNION SELECT"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"ad_code="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005481; classtype:web-application-attack; sid:2005481; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code INSERT"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"ad_code="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005482; classtype:web-application-attack; sid:2005482; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code DELETE"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"ad_code="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005483; classtype:web-application-attack; sid:2005483; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code ASCII"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"ad_code="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005484; classtype:web-application-attack; sid:2005484; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code UPDATE"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"ad_code="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005485; classtype:web-application-attack; sid:2005485; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position SELECT"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"position="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005486; classtype:web-application-attack; sid:2005486; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position UNION SELECT"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"position="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005487; classtype:web-application-attack; sid:2005487; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position INSERT"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"position="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005489; classtype:web-application-attack; sid:2005489; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position DELETE"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"position="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005490; classtype:web-application-attack; sid:2005490; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position ASCII"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"position="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005491; classtype:web-application-attack; sid:2005491; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position UPDATE"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"position="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005492; classtype:web-application-attack; sid:2005492; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat SELECT"; flow:established,to_server; uricontent:"/blocks/block-Old_Articles.php?"; nocase; uricontent:"cat="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0309; reference:url,www.securityfocus.com/bid/22037; reference:url,doc.emergingthreats.net/2005585; classtype:web-application-attack; sid:2005585; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat UNION SELECT"; flow:established,to_server; uricontent:"/blocks/block-Old_Articles.php?"; nocase; uricontent:"cat="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0309; reference:url,www.securityfocus.com/bid/22037; reference:url,doc.emergingthreats.net/2005586; classtype:web-application-attack; sid:2005586; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat INSERT"; flow:established,to_server; uricontent:"/blocks/block-Old_Articles.php?"; nocase; uricontent:"cat="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0309; reference:url,www.securityfocus.com/bid/22037; reference:url,doc.emergingthreats.net/2005587; classtype:web-application-attack; sid:2005587; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat DELETE"; flow:established,to_server; uricontent:"/blocks/block-Old_Articles.php?"; nocase; uricontent:"cat="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0309; reference:url,www.securityfocus.com/bid/22037; reference:url,doc.emergingthreats.net/2005588; classtype:web-application-attack; sid:2005588; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat ASCII"; flow:established,to_server; uricontent:"/blocks/block-Old_Articles.php?"; nocase; uricontent:"cat="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0309; reference:url,www.securityfocus.com/bid/22037; reference:url,doc.emergingthreats.net/2005589; classtype:web-application-attack; sid:2005589; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat UPDATE"; flow:established,to_server; uricontent:"/blocks/block-Old_Articles.php?"; nocase; uricontent:"cat="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0309; reference:url,www.securityfocus.com/bid/22037; reference:url,doc.emergingthreats.net/2005590; classtype:web-application-attack; sid:2005590; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid SELECT"; flow:established,to_server; uricontent:"/modules.php?"; nocase; uricontent:"cid="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006927; classtype:web-application-attack; sid:2006927; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid UNION SELECT"; flow:established,to_server; uricontent:"/modules.php?"; nocase; uricontent:"cid="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006928; classtype:web-application-attack; sid:2006928; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid INSERT"; flow:established,to_server; uricontent:"/modules.php?"; nocase; uricontent:"cid="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006929; classtype:web-application-attack; sid:2006929; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid DELETE"; flow:established,to_server; uricontent:"/modules.php?"; nocase; uricontent:"cid="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006930; classtype:web-application-attack; sid:2006930; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid ASCII"; flow:established,to_server; uricontent:"/modules.php?"; nocase; uricontent:"cid="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006931; classtype:web-application-attack; sid:2006931; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid UPDATE"; flow:established,to_server; content:"/modules.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006932; classtype:web-application-attack; sid:2006932; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid SELECT"; flow:established,to_server; content:"/modules.php?"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006933; classtype:web-application-attack; sid:2006933; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid UNION SELECT"; flow:established,to_server; uricontent:"/modules.php?"; nocase; uricontent:"pid="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006934; classtype:web-application-attack; sid:2006934; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid INSERT"; flow:established,to_server; content:"/modules.php?"; nocase; http_uri; content:"pid="; http_uri; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006935; classtype:web-application-attack; sid:2006935; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid DELETE"; flow:established,to_server; uricontent:"/modules.php?"; nocase; uricontent:"pid="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006936; classtype:web-application-attack; sid:2006936; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid ASCII"; flow:established,to_server; uricontent:"/modules.php?"; nocase; uricontent:"pid="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006937; classtype:web-application-attack; sid:2006937; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid UPDATE"; flow:established,to_server; uricontent:"/modules.php?"; nocase; uricontent:"pid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006938; classtype:web-application-attack; sid:2006938; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid SELECT"; flow:established,to_server; uricontent:"/modules/News/index.php?"; nocase; uricontent:"sid="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6200; reference:url,www.securityfocus.com/archive/1/archive/1/452553/100/0/threaded; reference:url,doc.emergingthreats.net/2007176; classtype:web-application-attack; sid:2007176; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid UNION SELECT"; flow:established,to_server; uricontent:"/modules/News/index.php?"; nocase; uricontent:"sid="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6200; reference:url,www.securityfocus.com/archive/1/archive/1/452553/100/0/threaded; reference:url,doc.emergingthreats.net/2007177; classtype:web-application-attack; sid:2007177; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid INSERT"; flow:established,to_server; uricontent:"/modules/News/index.php?"; nocase; uricontent:"sid="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6200; reference:url,www.securityfocus.com/archive/1/archive/1/452553/100/0/threaded; reference:url,doc.emergingthreats.net/2007178; classtype:web-application-attack; sid:2007178; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid DELETE"; flow:established,to_server; uricontent:"/modules/News/index.php?"; nocase; uricontent:"sid="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6200; reference:url,www.securityfocus.com/archive/1/archive/1/452553/100/0/threaded; reference:url,doc.emergingthreats.net/2007179; classtype:web-application-attack; sid:2007179; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid ASCII"; flow:established,to_server; uricontent:"/modules/News/index.php?"; nocase; uricontent:"sid="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6200; reference:url,www.securityfocus.com/archive/1/archive/1/452553/100/0/threaded; reference:url,doc.emergingthreats.net/2007180; classtype:web-application-attack; sid:2007180; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid UPDATE"; flow:established,to_server; uricontent:"/modules/News/index.php?"; nocase; uricontent:"sid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6200; reference:url,www.securityfocus.com/archive/1/archive/1/452553/100/0/threaded; reference:url,doc.emergingthreats.net/2007181; classtype:web-application-attack; sid:2007181; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke Module Emporium SQL Injection Attempt"; flow:established,to_server; uricontent:"/modules.php?"; nocase; uricontent:"name=Shopping_Cart"; nocase; uricontent:"category_id="; nocase; pcre:"/(\?|&)category_id=[^\s\x26\x3B\x2f]*[\s\x2f]/iU"; reference:url,milw0rm.com/exploits/3334; reference:url,packetstormsecurity.org/0912-exploits/phpnukeemporium-sql.txt; reference:url,doc.emergingthreats.net/2010553; classtype:web-application-attack; sid:2010553; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP PHPNuke Remote File Inclusion Attempt"; flow:established,to_server; uricontent:"/iframe.php"; nocase; uricontent:"file="; nocase; pcre:"/file=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.zone-h.org/en/advisories/read/id=8694/; reference:url,doc.emergingthreats.net/2002800; classtype:web-application-attack; sid:2002800; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke viewslink module sid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/links.php?"; nocase; uricontent:"op=viewslink&"; nocase; uricontent:"sid="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/12514; reference:bugtraq,39925; reference:url,doc.emergingthreats.net/2011133; classtype:web-application-attack; sid:2011133; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke viewslink module sid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/links.php?"; nocase; uricontent:"op=viewslink&"; nocase; uricontent:"sid="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,exploit-db.com/exploits/12514; reference:bugtraq,39925; reference:url,doc.emergingthreats.net/2011134; classtype:web-application-attack; sid:2011134; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke viewslink module sid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/links.php?"; nocase; uricontent:"op=viewslink&"; nocase; uricontent:"sid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,exploit-db.com/exploits/12514; reference:bugtraq,39925; reference:url,doc.emergingthreats.net/2011135; classtype:web-application-attack; sid:2011135; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke viewslink module sid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/links.php?"; nocase; uricontent:"op=viewslink&"; nocase; uricontent:"sid="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,exploit-db.com/exploits/12514; reference:bugtraq,39925; reference:url,doc.emergingthreats.net/2011136; classtype:web-application-attack; sid:2011136; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke viewslink module sid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/links.php?"; nocase; uricontent:"op=viewslink&"; nocase; uricontent:"sid="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/12514; reference:bugtraq,39925; reference:url,doc.emergingthreats.net/2011137; classtype:web-application-attack; sid:2011137; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke FriendSend module sid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/friend.php?"; nocase; uricontent:"op=FriendSend&"; nocase; uricontent:"sid="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/1005-exploits/phpnukefriend-sql.txt; reference:bugtraq,39992; reference:url,doc.emergingthreats.net/2011168; classtype:web-application-attack; sid:2011168; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke FriendSend module sid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/friend.php?"; nocase; uricontent:"op=FriendSend&"; nocase; uricontent:"sid="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/1005-exploits/phpnukefriend-sql.txt; reference:bugtraq,39992; reference:url,doc.emergingthreats.net/2011169; classtype:web-application-attack; sid:2011169; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke FriendSend module sid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/friend.php?"; nocase; uricontent:"op=FriendSend&"; nocase; uricontent:"sid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/1005-exploits/phpnukefriend-sql.txt; reference:bugtraq,39992; reference:url,doc.emergingthreats.net/2011170; classtype:web-application-attack; sid:2011170; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke FriendSend module sid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/friend.php?"; nocase; uricontent:"op=FriendSend&"; nocase; uricontent:"sid="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/1005-exploits/phpnukefriend-sql.txt; reference:bugtraq,39992; reference:url,doc.emergingthreats.net/2011171; classtype:web-application-attack; sid:2011171; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke FriendSend module sid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/friend.php?"; nocase; uricontent:"op=FriendSend&"; nocase; uricontent:"sid="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/1005-exploits/phpnukefriend-sql.txt; reference:bugtraq,39992; reference:url,doc.emergingthreats.net/2011172; classtype:web-application-attack; sid:2011172; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Realtor v_cat SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/view_cat.php?v_cat="; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,www.milw0rm.com/exploits/6694; reference:url,secunia.com/advisories/32149/; reference:url,doc.emergingthreats.net/2008649; classtype:web-application-attack; sid:2008649; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ReVou Micro Blogging user_updates.php user Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/user_updates.php?"; nocase; uricontent:"user="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,milw0rm.com/exploits/7925; reference:bugtraq,33540; reference:url,doc.emergingthreats.net/2009140; classtype:web-application-attack; sid:2009140; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Turbulence Remote Inclusion Attempt -- turbulence.php GLOBALS tcore"; flow:established,to_server; uricontent:"/user/turbulence.php?"; nocase; uricontent:"GLOBALS[tcore]="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2504; reference:url,www.securityfocus.com/bid/23580; reference:url,doc.emergingthreats.net/2003683; classtype:web-application-attack; sid:2003683; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage SELECT"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newmessage="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005901; classtype:web-application-attack; sid:2005901; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage UNION SELECT"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newmessage="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005902; classtype:web-application-attack; sid:2005902; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage INSERT"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newmessage="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005903; classtype:web-application-attack; sid:2005903; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage DELETE"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newmessage="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005904; classtype:web-application-attack; sid:2005904; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage ASCII"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newmessage="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005905; classtype:web-application-attack; sid:2005905; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage UPDATE"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newmessage="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005906; classtype:web-application-attack; sid:2005906; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname SELECT"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newname="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005907; classtype:web-application-attack; sid:2005907; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname UNION SELECT"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newname="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005908; classtype:web-application-attack; sid:2005908; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname INSERT"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newname="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005909; classtype:web-application-attack; sid:2005909; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname DELETE"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newname="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005910; classtype:web-application-attack; sid:2005910; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname ASCII"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newname="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005911; classtype:web-application-attack; sid:2005911; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname UPDATE"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newname="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005912; classtype:web-application-attack; sid:2005912; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite SELECT"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newwebsite="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005913; classtype:web-application-attack; sid:2005913; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite UNION SELECT"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newwebsite="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005914; classtype:web-application-attack; sid:2005914; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite INSERT"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newwebsite="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005915; classtype:web-application-attack; sid:2005915; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite DELETE"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newwebsite="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005916; classtype:web-application-attack; sid:2005916; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite ASCII"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newwebsite="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005917; classtype:web-application-attack; sid:2005917; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite UPDATE"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newwebsite="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005918; classtype:web-application-attack; sid:2005918; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail SELECT"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newemail="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005919; classtype:web-application-attack; sid:2005919; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail UNION SELECT"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newemail="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005920; classtype:web-application-attack; sid:2005920; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail INSERT"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newemail="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005921; classtype:web-application-attack; sid:2005921; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail DELETE"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newemail="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005922; classtype:web-application-attack; sid:2005922; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail ASCII"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newemail="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005923; classtype:web-application-attack; sid:2005923; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail UPDATE"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newemail="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005924; classtype:web-application-attack; sid:2005924; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Web Calendar Remote File Inclusion Attempt"; flow:established,to_server; uricontent:"/send_reminders.php"; nocase; pcre:"/includedir=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,14651; reference:cve,2005-2717; reference:url,doc.emergingthreats.net/2002898; classtype:web-application-attack; sid:2002898; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPizabi dac.php sendChatData Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/chat/dac.php?"; nocase; uricontent:"sendChatData="; nocase; content:"../"; reference:url,milw0rm.com/exploits/8268; reference:bugtraq,34213; reference:url,doc.emergingthreats.net/2009390; classtype:web-application-attack; sid:2009390; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Paid4Mail RFI attempt "; flow:established,to_server; uricontent:"/home.php?page=http\:"; nocase; reference:url,packetstormsecurity.org/0907-exploits/paid4mail-rfi.txt; reference:url,doc.emergingthreats.net/2009892; classtype:web-application-attack; sid:2009892; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPtree Remote Inclusion Attempt -- cms2.php s_dir"; flow:established,to_server; uricontent:"/plugin/HP_DEV/cms2.php?"; nocase; uricontent:"s_dir="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2573; reference:url,www.milw0rm.com/exploits/3860; reference:url,doc.emergingthreats.net/2003693; classtype:web-application-attack; sid:2003693; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_image_index.php config pathMod"; flow:established,to_server; uricontent:"/mod/image/index.php?"; nocase; uricontent:"config[pathMod]="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2540; reference:url,www.milw0rm.com/exploits/3852; reference:url,doc.emergingthreats.net/2003672; classtype:web-application-attack; sid:2003672; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_liens_index.php config pathMod"; flow:established,to_server; uricontent:"/mod/liens/index.php?"; nocase; uricontent:"config[pathMod]="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2540; reference:url,www.milw0rm.com/exploits/3852; reference:url,doc.emergingthreats.net/2003673; classtype:web-application-attack; sid:2003673; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_liste_index.php config pathMod"; flow:established,to_server; uricontent:"/mod/liste/index.php?"; nocase; uricontent:"config[pathMod]="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2540; reference:url,www.milw0rm.com/exploits/3852; reference:url,doc.emergingthreats.net/2003674; classtype:web-application-attack; sid:2003674; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_special_index.php config pathMod"; flow:established,to_server; uricontent:"/mod/special/index.php?"; nocase; uricontent:"config[pathMod]="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2540; reference:url,www.milw0rm.com/exploits/3852; reference:url,doc.emergingthreats.net/2003675; classtype:web-application-attack; sid:2003675; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_texte_index.php config pathMod"; flow:established,to_server; uricontent:"/mod/texte/index.php?"; nocase; uricontent:"config[pathMod]="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2540; reference:url,www.milw0rm.com/exploits/3852; reference:url,doc.emergingthreats.net/2003676; classtype:web-application-attack; sid:2003676; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PmWiki Globals Variables Overwrite Attempt"; flow:to_server,established; uricontent:"/pmwiki.php"; nocase; content:"GLOBALS[FarmD]="; nocase; pcre:"/GLOBALS\x5bFarmD\x5d\x3d/i"; reference:cve,CVE-2006-0479; reference:bugtraq,16421; reference:nessus,20891; reference:url,doc.emergingthreats.net/2002837; classtype:web-application-attack; sid:2002837; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"c="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004606; classtype:web-application-attack; sid:2004606; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"c="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004607; classtype:web-application-attack; sid:2004607; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"c="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004608; classtype:web-application-attack; sid:2004608; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"c="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004609; classtype:web-application-attack; sid:2004609; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"c="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004610; classtype:web-application-attack; sid:2004610; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"c="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004611; classtype:web-application-attack; sid:2004611; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/admin/admin_words.php?"; nocase; uricontent:"ModName="; nocase; content:"../"; reference:bugtraq,33103; reference:url,doc.emergingthreats.net/2009073; classtype:web-application-attack; sid:2009073; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/admin/admin_groups_reapir.php?"; nocase; uricontent:"ModName="; nocase; content:"../"; reference:bugtraq,33103; reference:url,doc.emergingthreats.net/2009074; classtype:web-application-attack; sid:2009074; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/admin/admin_smilies.php?"; nocase; uricontent:"ModName="; nocase; content:"../"; reference:bugtraq,33103; reference:url,doc.emergingthreats.net/2009075; classtype:web-application-attack; sid:2009075; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id SELECT"; flow:established,to_server; uricontent:"/item.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7005; reference:url,www.securityfocus.com/bid/17974; reference:url,doc.emergingthreats.net/2004930; classtype:web-application-attack; sid:2004930; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id UNION SELECT"; flow:established,to_server; uricontent:"/item.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7005; reference:url,www.securityfocus.com/bid/17974; reference:url,doc.emergingthreats.net/2004931; classtype:web-application-attack; sid:2004931; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id INSERT"; flow:established,to_server; uricontent:"/item.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7005; reference:url,www.securityfocus.com/bid/17974; reference:url,doc.emergingthreats.net/2004932; classtype:web-application-attack; sid:2004932; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id DELETE"; flow:established,to_server; uricontent:"/item.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7005; reference:url,www.securityfocus.com/bid/17974; reference:url,doc.emergingthreats.net/2004933; classtype:web-application-attack; sid:2004933; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id ASCII"; flow:established,to_server; uricontent:"/item.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7005; reference:url,www.securityfocus.com/bid/17974; reference:url,doc.emergingthreats.net/2004934; classtype:web-application-attack; sid:2004934; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id UPDATE"; flow:established,to_server; uricontent:"/item.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7005; reference:url,www.securityfocus.com/bid/17974; reference:url,doc.emergingthreats.net/2004935; classtype:web-application-attack; sid:2004935; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main SELECT"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"main="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6349; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/21758.pl; reference:url,doc.emergingthreats.net/2006730; classtype:web-application-attack; sid:2006730; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main UNION SELECT"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"main="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6349; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/21758.pl; reference:url,doc.emergingthreats.net/2006731; classtype:web-application-attack; sid:2006731; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main INSERT"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"main="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6349; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/21758.pl; reference:url,doc.emergingthreats.net/2006732; classtype:web-application-attack; sid:2006732; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main DELETE"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"main="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6349; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/21758.pl; reference:url,doc.emergingthreats.net/2006733; classtype:web-application-attack; sid:2006733; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main ASCII"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"main="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6349; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/21758.pl; reference:url,doc.emergingthreats.net/2006734; classtype:web-application-attack; sid:2006734; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main UPDATE"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"main="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6349; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/21758.pl; reference:url,doc.emergingthreats.net/2006735; classtype:web-application-attack; sid:2006735; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Papoo CMS message_class.php pfadhier Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/message_class.php?"; nocase; uricontent:"pfadhier="; nocase; content:"../"; reference:bugtraq,33718; reference:url,milw0rm.com/exploits/8030; reference:url,doc.emergingthreats.net/2009168; classtype:web-application-attack; sid:2009168; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ParsBlogger blog.asp wr parameter Remote SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/blog.asp?"; nocase; uricontent:"wr="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,milw0rm.com/exploits/7239; reference:bugtraq,32488; reference:url,doc.emergingthreats.net/2008930; classtype:web-application-attack; sid:2008930; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid SELECT"; flow:established,to_server; uricontent:"/post.php?"; nocase; uricontent:"postid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1510; reference:url,www.milw0rm.com/exploits/3500; reference:url,doc.emergingthreats.net/2004259; classtype:web-application-attack; sid:2004259; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid UNION SELECT"; flow:established,to_server; uricontent:"/post.php?"; nocase; uricontent:"postid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1510; reference:url,www.milw0rm.com/exploits/3500; reference:url,doc.emergingthreats.net/2004260; classtype:web-application-attack; sid:2004260; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid INSERT"; flow:established,to_server; uricontent:"/post.php?"; nocase; uricontent:"postid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1510; reference:url,www.milw0rm.com/exploits/3500; reference:url,doc.emergingthreats.net/2004261; classtype:web-application-attack; sid:2004261; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid DELETE"; flow:established,to_server; uricontent:"/post.php?"; nocase; uricontent:"postid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1510; reference:url,www.milw0rm.com/exploits/3500; reference:url,doc.emergingthreats.net/2004262; classtype:web-application-attack; sid:2004262; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid ASCII"; flow:established,to_server; uricontent:"/post.php?"; nocase; uricontent:"postid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1510; reference:url,www.milw0rm.com/exploits/3500; reference:url,doc.emergingthreats.net/2004263; classtype:web-application-attack; sid:2004263; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid UPDATE"; flow:established,to_server; uricontent:"/post.php?"; nocase; uricontent:"postid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1510; reference:url,www.milw0rm.com/exploits/3500; reference:url,doc.emergingthreats.net/2004264; classtype:web-application-attack; sid:2004264; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month SELECT"; flow:established,to_server; uricontent:"/archives.php?"; nocase; uricontent:"month="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3179; reference:url,www.securityfocus.com/archive/1/archive/1/469984/100/0/threaded; reference:url,doc.emergingthreats.net/2005216; classtype:web-application-attack; sid:2005216; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month UNION SELECT"; flow:established,to_server; uricontent:"/archives.php?"; nocase; uricontent:"month="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3179; reference:url,www.securityfocus.com/archive/1/archive/1/469984/100/0/threaded; reference:url,doc.emergingthreats.net/2005217; classtype:web-application-attack; sid:2005217; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month INSERT"; flow:established,to_server; uricontent:"/archives.php?"; nocase; uricontent:"month="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3179; reference:url,www.securityfocus.com/archive/1/archive/1/469984/100/0/threaded; reference:url,doc.emergingthreats.net/2005218; classtype:web-application-attack; sid:2005218; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month DELETE"; flow:established,to_server; uricontent:"/archives.php?"; nocase; uricontent:"month="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3179; reference:url,www.securityfocus.com/archive/1/archive/1/469984/100/0/threaded; reference:url,doc.emergingthreats.net/2005219; classtype:web-application-attack; sid:2005219; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month ASCII"; flow:established,to_server; uricontent:"/archives.php?"; nocase; uricontent:"month="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3179; reference:url,www.securityfocus.com/archive/1/archive/1/469984/100/0/threaded; reference:url,doc.emergingthreats.net/2005220; classtype:web-application-attack; sid:2005220; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month UPDATE"; flow:established,to_server; uricontent:"/archives.php?"; nocase; uricontent:"month="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3179; reference:url,www.securityfocus.com/archive/1/archive/1/469984/100/0/threaded; reference:url,doc.emergingthreats.net/2005221; classtype:web-application-attack; sid:2005221; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Gallery XSS Attempt -- search.php order"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"order="; nocase; uricontent:"script"; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2962; reference:url,www.securityfocus.com/archive/1/archive/1/469985/100/0/threaded; reference:url,doc.emergingthreats.net/2004582; classtype:web-application-attack; sid:2004582; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment SELECT"; flow:established,to_server; uricontent:"/viewimage.php?"; nocase; uricontent:"editcomment="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3065; reference:url,www.milw0rm.com/exploits/4019; reference:url,doc.emergingthreats.net/2004618; classtype:web-application-attack; sid:2004618; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment UNION SELECT"; flow:established,to_server; uricontent:"/viewimage.php?"; nocase; uricontent:"editcomment="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3065; reference:url,www.milw0rm.com/exploits/4019; reference:url,doc.emergingthreats.net/2004619; classtype:web-application-attack; sid:2004619; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment INSERT"; flow:established,to_server; uricontent:"/viewimage.php?"; nocase; uricontent:"editcomment="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3065; reference:url,www.milw0rm.com/exploits/4019; reference:url,doc.emergingthreats.net/2004620; classtype:web-application-attack; sid:2004620; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment DELETE"; flow:established,to_server; uricontent:"/viewimage.php?"; nocase; uricontent:"editcomment="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3065; reference:url,www.milw0rm.com/exploits/4019; reference:url,doc.emergingthreats.net/2004621; classtype:web-application-attack; sid:2004621; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment ASCII"; flow:established,to_server; uricontent:"/viewimage.php?"; nocase; uricontent:"editcomment="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3065; reference:url,www.milw0rm.com/exploits/4019; reference:url,doc.emergingthreats.net/2004622; classtype:web-application-attack; sid:2004622; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment UPDATE"; flow:established,to_server; uricontent:"/viewimage.php?"; nocase; uricontent:"editcomment="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3065; reference:url,www.milw0rm.com/exploits/4019; reference:url,doc.emergingthreats.net/2004623; classtype:web-application-attack; sid:2004623; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PassWiki site_id Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/passwiki.php?site_id="; nocase; pcre:"/(\.\.\/){1}/U"; reference:bugtraq,29455; reference:url,doc.emergingthreats.net/2008687; classtype:web-application-attack; sid:2008687; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt - Headerfile.php System"; flow:established,to_server; uricontent:"/blocks/headerfile.php?"; nocase; uricontent:"system["; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003660; classtype:web-application-attack; sid:2003660; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_files.php System"; flow:established,to_server; uricontent:"/files/blocks/latest_files.php?"; nocase; uricontent:"system["; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003661; classtype:web-application-attack; sid:2003661; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_posts.php System"; flow:established,to_server; uricontent:"/forums/blocks/latest_posts.php?"; nocase; uricontent:"system["; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003662; classtype:web-application-attack; sid:2003662; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- groups_headerfile.php System"; flow:established,to_server; uricontent:"/groups/headerfile.php?"; nocase; uricontent:"system["; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003663; classtype:web-application-attack; sid:2003663; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- filters_headerfile.php System"; flow:established,to_server; uricontent:"/filters/headerfile.php?"; nocase; uricontent:"system["; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003664; classtype:web-application-attack; sid:2003664; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- links.php System"; flow:established,to_server; uricontent:"/links/blocks/links.php?"; nocase; uricontent:"system["; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003665; classtype:web-application-attack; sid:2003665; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- menu_headerfile.php System"; flow:established,to_server; uricontent:"/menu/headerfile.php?"; nocase; uricontent:"system["; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003666; classtype:web-application-attack; sid:2003666; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_news.php System"; flow:established,to_server; uricontent:"/news/blocks/latest_news.php?"; nocase; uricontent:"system["; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003667; classtype:web-application-attack; sid:2003667; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- settings_headerfile.php System"; flow:established,to_server; uricontent:"/settings/headerfile.php?"; nocase; uricontent:"system["; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003668; classtype:web-application-attack; sid:2003668; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- users_headerfile.php System"; flow:established,to_server; uricontent:"/modules/users/headerfile.php?"; nocase; uricontent:"system["; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003681; classtype:web-application-attack; sid:2003681; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"form_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004089; classtype:web-application-attack; sid:2004089; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"form_id="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004090; classtype:web-application-attack; sid:2004090; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"form_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004091; classtype:web-application-attack; sid:2004091; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"form_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004092; classtype:web-application-attack; sid:2004092; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"form_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004093; classtype:web-application-attack; sid:2004093; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"form_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004094; classtype:web-application-attack; sid:2004094; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid SELECT"; flow:established,to_server; uricontent:"/philboard_forum.asp?"; nocase; uricontent:"forumid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0920; reference:url,www.milw0rm.com/exploits/3295; reference:url,doc.emergingthreats.net/2004924; classtype:web-application-attack; sid:2004924; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid UNION SELECT"; flow:established,to_server; uricontent:"/philboard_forum.asp?"; nocase; uricontent:"forumid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0920; reference:url,www.milw0rm.com/exploits/3295; reference:url,doc.emergingthreats.net/2004925; classtype:web-application-attack; sid:2004925; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid INSERT"; flow:established,to_server; uricontent:"/philboard_forum.asp?"; nocase; uricontent:"forumid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0920; reference:url,www.milw0rm.com/exploits/3295; reference:url,doc.emergingthreats.net/2004926; classtype:web-application-attack; sid:2004926; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid DELETE"; flow:established,to_server; uricontent:"/philboard_forum.asp?"; nocase; uricontent:"forumid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0920; reference:url,www.milw0rm.com/exploits/3295; reference:url,doc.emergingthreats.net/2004927; classtype:web-application-attack; sid:2004927; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid ASCII"; flow:established,to_server; uricontent:"/philboard_forum.asp?"; nocase; uricontent:"forumid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0920; reference:url,www.milw0rm.com/exploits/3295; reference:url,doc.emergingthreats.net/2004928; classtype:web-application-attack; sid:2004928; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid UPDATE"; flow:established,to_server; uricontent:"/philboard_forum.asp?"; nocase; uricontent:"forumid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0920; reference:url,www.milw0rm.com/exploits/3295; reference:url,doc.emergingthreats.net/2004929; classtype:web-application-attack; sid:2004929; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PhpBlock basicfogfactory.class.php PATH_TO_CODE Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/basicfogfactory.class.php?"; nocase; uricontent:"PATH_TO_CODE="; nocase; pcre:"/PATH_TO_CODE=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,28588; reference:url,milw0rm.com/exploits/5348; reference:url,doc.emergingthreats.net/2009415; classtype:web-application-attack; sid:2009415; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpFan init.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/init.php?"; nocase; uricontent:"includepath="; nocase; pcre:"/includepath=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32335; reference:url,milw0rm.com/exploits/7143; reference:url,doc.emergingthreats.net/2008871; classtype:web-application-attack; sid:2008871; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pie RSS module lib parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/lib/action/rss.php?"; nocase; uricontent:"lib="; nocase; pcre:"/lib=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32465; reference:url,milw0rm.com/exploits/7225; reference:url,doc.emergingthreats.net/2008899; classtype:web-application-attack; sid:2008899; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pilot Online Training Solution news_read.php id SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/news_read.php?id="; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/Advisories/31969/; reference:url,www.milw0rm.com/exploits/6613; reference:url,doc.emergingthreats.net/2008616; classtype:web-application-attack; sid:2008616; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Piranha default passwd attempt"; flow:to_server,established; uricontent:"/piranha/secure/control.php3"; content:"Authorization\: Basic cGlyYW5oYTp"; reference:bugtraq,1148; reference:cve,2000-0248; reference:nessus,10381; reference:url,doc.emergingthreats.net/2002331; classtype:attempted-recon; sid:2002331; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pixaria Gallery Remote Inclusion Attempt -- psg.smarty.lib.php cfg sys base_path"; flow:established,to_server; uricontent:"/psg.smarty.lib.php?"; nocase; uricontent:"cfg[sys][base_path]="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2458; reference:url,www.frsirt.com/english/advisories/2007/1390; reference:url,doc.emergingthreats.net/2003691; classtype:web-application-attack; sid:2003691; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pixaria Gallery Remote Inclusion class.Smarty.php cfg sys base_path"; flow:established,to_server; uricontent:"/resources/includes/class.Smarty.php?"; nocase; uricontent:"cfg[sys][base_path]="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2457; reference:url,www.milw0rm.com/exploits/3733; reference:url,doc.emergingthreats.net/2003702; classtype:web-application-attack; sid:2003702; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pixel8 Web Photo Album AlbumID SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/Photo.asp?"; nocase; uricontent:"AlbumID="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/33373/; reference:url,milw0rm.com/exploits/7627; reference:url,doc.emergingthreats.net/2009056; classtype:web-application-attack; sid:2009056; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pligg check_url.php url parameter SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/evb/check_url.php?"; nocase; uricontent:"url="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,milw0rm.com/exploits/7544; reference:bugtraq,32970; reference:url,doc.emergingthreats.net/2009055; classtype:web-application-attack; sid:2009055; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Plogger plog-download.php checked Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/plog-download.php?"; nocase; uricontent:"checked[]="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,30547; reference:url,xforce.iss.net/xforce/xfdb/44233; reference:url,milw0rm.com/exploits/6204; reference:url,doc.emergingthreats.net/2009936; classtype:web-application-attack; sid:2009936; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Plume CMS prepend.php Remote File Inclusion attempt"; flow:to_server,established; uricontent:"/prepend.php"; nocase; content:"_px_config[manager_path]="; nocase; pcre:"/_px_config\x5bmanager_path\x5d=(https?|ftps?|php)\:/i"; reference:cve,CVE-2006-0725; reference:bugtraq,16662; reference:nessus,20972; reference:url,doc.emergingthreats.net/2002815; classtype:web-application-attack; sid:2002815; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Podium CMS XSS Attempt -- Default.aspx id"; flow:established,to_server; uricontent:"/Default.aspx?"; nocase; uricontent:"id="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2555; reference:url,www.securityfocus.com/archive/1/archive/1/467823/100/0/threaded; reference:url,doc.emergingthreats.net/2003914; classtype:web-application-attack; sid:2003914; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PointComma pctemplate.php pcConfig Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/classes/pctemplate.php?"; nocase; uricontent:"pcConfig[smartyPath]="; nocase; pcre:"/pcConfig\[smartyPath\]\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.packetstormsecurity.nl/0911-exploits/pointcomma-rfi.txt; reference:url,doc.emergingthreats.net/2010466; classtype:web-application-attack; sid:2010466; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id SELECT"; flow:established,to_server; uricontent:"/pollmentorres.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0984; reference:url,www.milw0rm.com/exploits/3301; reference:url,doc.emergingthreats.net/2004905; classtype:web-application-attack; sid:2004905; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id UNION SELECT"; flow:established,to_server; uricontent:"/pollmentorres.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0984; reference:url,www.milw0rm.com/exploits/3301; reference:url,doc.emergingthreats.net/2004906; classtype:web-application-attack; sid:2004906; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id INSERT"; flow:established,to_server; uricontent:"/pollmentorres.asp?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0984; reference:url,www.milw0rm.com/exploits/3301; reference:url,doc.emergingthreats.net/2004907; classtype:web-application-attack; sid:2004907; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id DELETE"; flow:established,to_server; uricontent:"/pollmentorres.asp?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0984; reference:url,www.milw0rm.com/exploits/3301; reference:url,doc.emergingthreats.net/2004908; classtype:web-application-attack; sid:2004908; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id ASCII"; flow:established,to_server; uricontent:"/pollmentorres.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0984; reference:url,www.milw0rm.com/exploits/3301; reference:url,doc.emergingthreats.net/2004909; classtype:web-application-attack; sid:2004909; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id UPDATE"; flow:established,to_server; uricontent:"/pollmentorres.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0984; reference:url,www.milw0rm.com/exploits/3301; reference:url,doc.emergingthreats.net/2004910; classtype:web-application-attack; sid:2004910; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Portail Includes.php remote file include"; flow:established,to_server; uricontent:"/includes/includes.php"; uricontent:"site_path"; nocase; pcre:"/site_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,22361; reference:url,doc.emergingthreats.net/2003371; classtype:web-application-attack; sid:2003371; rev:7; metadata:affected_product Any, attack_target Server, deployment Datacenter, tag Remote_File_Include, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid SELECT"; flow:established,to_server; uricontent:"/simplog/archive.php?"; nocase; uricontent:"blogid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005621; classtype:web-application-attack; sid:2005621; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid UNION SELECT"; flow:established,to_server; uricontent:"/simplog/archive.php?"; nocase; uricontent:"blogid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005622; classtype:web-application-attack; sid:2005622; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid INSERT"; flow:established,to_server; uricontent:"/simplog/archive.php?"; nocase; uricontent:"blogid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005623; classtype:web-application-attack; sid:2005623; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid DELETE"; flow:established,to_server; uricontent:"/simplog/archive.php?"; nocase; uricontent:"blogid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005624; classtype:web-application-attack; sid:2005624; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid ASCII"; flow:established,to_server; uricontent:"/simplog/archive.php?"; nocase; uricontent:"blogid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005625; classtype:web-application-attack; sid:2005625; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid UPDATE"; flow:established,to_server; uricontent:"/simplog/archive.php?"; nocase; uricontent:"blogid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005626; classtype:web-application-attack; sid:2005626; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid SELECT"; flow:established,to_server; uricontent:"/simplog/archive.php?"; nocase; uricontent:"pid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005627; classtype:web-application-attack; sid:2005627; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid UNION SELECT"; flow:established,to_server; uricontent:"/simplog/archive.php?"; nocase; uricontent:"pid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005628; classtype:web-application-attack; sid:2005628; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid INSERT"; flow:established,to_server; uricontent:"/simplog/archive.php?"; nocase; uricontent:"pid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005629; classtype:web-application-attack; sid:2005629; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid DELETE"; flow:established,to_server; uricontent:"/simplog/archive.php?"; nocase; uricontent:"pid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005630; classtype:web-application-attack; sid:2005630; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid ASCII"; flow:established,to_server; uricontent:"/simplog/archive.php?"; nocase; uricontent:"pid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005631; classtype:web-application-attack; sid:2005631; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid UPDATE"; flow:established,to_server; uricontent:"/simplog/archive.php?"; nocase; uricontent:"pid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005632; classtype:web-application-attack; sid:2005632; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid SELECT"; flow:established,to_server; uricontent:"/simplog/index.php?"; nocase; uricontent:"blogid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005633; classtype:web-application-attack; sid:2005633; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid UNION SELECT"; flow:established,to_server; uricontent:"/simplog/index.php?"; nocase; uricontent:"blogid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005634; classtype:web-application-attack; sid:2005634; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid INSERT"; flow:established,to_server; uricontent:"/simplog/index.php?"; nocase; uricontent:"blogid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005635; classtype:web-application-attack; sid:2005635; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid DELETE"; flow:established,to_server; uricontent:"/simplog/index.php?"; nocase; uricontent:"blogid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005636; classtype:web-application-attack; sid:2005636; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid ASCII"; flow:established,to_server; uricontent:"/simplog/index.php?"; nocase; uricontent:"blogid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005637; classtype:web-application-attack; sid:2005637; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid UPDATE"; flow:established,to_server; uricontent:"/simplog/index.php?"; nocase; uricontent:"blogid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005638; classtype:web-application-attack; sid:2005638; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PowerEasy ComeUrl Parameter Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/user/User_ChkLogin.asp?"; nocase; uricontent:"ComeUrl="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,39696; reference:url,secunia.com/advisories/39627; reference:url,doc.emergingthreats.net/2011117; classtype:web-application-attack; sid:2011117; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PowerNews news.php newsid parameter SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/news.php?"; nocase; uricontent:"newsid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/33363/; reference:url,milw0rm.com/exploits/7641; reference:url,doc.emergingthreats.net/2009057; classtype:web-application-attack; sid:2009057; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PowerPHPBoard footer.inc.php settings Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/footer.inc.php?"; nocase; uricontent:"settings[footer]="; nocase; content:"../"; reference:cve,CVE-2008-1534; reference:url,juniper.net/security/auto/vulnerabilities/vuln28421.html; reference:bugtraq,28421; reference:url,milw0rm.com/exploits/5303; reference:url,doc.emergingthreats.net/2009659; classtype:web-application-attack; sid:2009659; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PowerPHPBoard header.inc.php settings Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/header.inc.php?"; nocase; uricontent:"settings[header]="; nocase; content:"../"; reference:cve,CVE-2008-1534; reference:url,juniper.net/security/auto/vulnerabilities/vuln28421.html; reference:bugtraq,28421; reference:url,milw0rm.com/exploits/5303; reference:url,doc.emergingthreats.net/2009660; classtype:web-application-attack; sid:2009660; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PozScripts Classified Auctions id parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/gotourl.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,milw0rm.com/exploits/6839; reference:url,secunia.com/advisories/32373; reference:url,doc.emergingthreats.net/2008786; classtype:web-application-attack; sid:2008786; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PozScripts Classified Ads 'store_info.php' SQL Injection Attempt"; flow:established,to_server; uricontent:"/Script/store_info.php?"; nocase; uricontent:"id="; nocase; pcre:"/(\?|&)id=[^\x26\x3B]*[^\d\x2D]/iU"; reference:url,www.securityfocus.com/bid/37541/info; reference:url,doc.emergingthreats.net/2010604; classtype:web-application-attack; sid:2010604; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pragyan CMS form.lib.php sourceFolder Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/cms/modules/form.lib.php?"; nocase; uricontent:"sourceFolder="; nocase; pcre:"/sourceFolder=\s*(ftps?|https?|php)\://Ui"; reference:bugtraq,30235; reference:url,juniper.net/security/auto/vulnerabilities/vuln30235.html; reference:url,milw0rm.com/exploits/6078; reference:url,doc.emergingthreats.net/2009898; classtype:web-application-attack; sid:2009898; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pre Podcast Portal tour.php id SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/Tour.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/32563/; reference:url,milw0rm.com/exploits/6997; reference:url,doc.emergingthreats.net/2008823; classtype:web-application-attack; sid:2008823; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa SELECT"; flow:established,to_server; content:"/lire-avis.php?"; nocase; http_uri; content:"aa="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6519; reference:url,www.securityfocus.com/bid/21516; reference:url,doc.emergingthreats.net/2006351; classtype:web-application-attack; sid:2006351; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa UNION SELECT"; flow:established,to_server; content:"/lire-avis.php?"; nocase; http_uri; content:"aa="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6519; reference:url,www.securityfocus.com/bid/21516; reference:url,doc.emergingthreats.net/2006352; classtype:web-application-attack; sid:2006352; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa INSERT"; flow:established,to_server; content:"/lire-avis.php?"; nocase; http_uri; content:"aa="; nocase; http_uri; content:"INSERT"; nocase;  http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6519; reference:url,www.securityfocus.com/bid/21516; reference:url,doc.emergingthreats.net/2006353; classtype:web-application-attack; sid:2006353; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa DELETE"; flow:established,to_server; uricontent:"/lire-avis.php?"; nocase; uricontent:"aa="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6519; reference:url,www.securityfocus.com/bid/21516; reference:url,doc.emergingthreats.net/2006354; classtype:web-application-attack; sid:2006354; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa ASCII"; flow:established,to_server; uricontent:"/lire-avis.php?"; nocase; uricontent:"aa="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6519; reference:url,www.securityfocus.com/bid/21516; reference:url,doc.emergingthreats.net/2006355; classtype:web-application-attack; sid:2006355; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa UPDATE"; flow:established,to_server; uricontent:"/lire-avis.php?"; nocase; uricontent:"aa="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6519; reference:url,www.securityfocus.com/bid/21516; reference:url,doc.emergingthreats.net/2006356; classtype:web-application-attack; sid:2006356; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ProdLer prodler.class.php sPath Parameter Remote File Inclusion Attempt"; flow:to_server,established; uricontent:"/include/prodler.class.php?"; nocase; uricontent:"sPath="; nocase; pcre:"/sPath\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/58298; reference:url,doc.emergingthreats.net/2010276; classtype:web-application-attack; sid:2010276; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS programsrating rate.php id XSS attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/rating/rate.php?"; nocase; uricontent:"id="; nocase; uricontent:"<script>"; nocase; uricontent:"</script>"; nocase; reference:url,www.packetstormsecurity.org/0907-exploits/programsrating-xss.txt; reference:url,doc.emergingthreats.net/2009672; classtype:web-application-attack; sid:2009672; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS programsrating postcomments.php id XSS attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/rating/postcomments.php?"; nocase; uricontent:"id="; nocase; uricontent:"<script>"; nocase; uricontent:"</script>"; nocase; reference:url,www.packetstormsecurity.org/0907-exploits/programsrating-xss.txt; reference:url,doc.emergingthreats.net/2009673; classtype:web-application-attack; sid:2009673; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ProjectCMS select_image.php dir Parameter Directory Traversal"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/imagelibrary/select_image.php?"; nocase; uricontent:"dir="; nocase; content:"../"; reference:url,milw0rm.com/exploits/8608; reference:bugtraq,34816; reference:url,doc.emergingthreats.net/2009736; classtype:web-application-attack; sid:2009736; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ProjectCMS admin_theme_remove.php file Parameter Remote Directory Delete"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/admin_includes/admin_theme_remove.php?"; nocase; uricontent:"file="; nocase; content:"../"; reference:url,milw0rm.com/exploits/8608; reference:bugtraq,34816; reference:url,doc.emergingthreats.net/2009737; classtype:web-application-attack; sid:2009737; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PozScripts Business Directory Script cid parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/showcategory.php?"; nocase; uricontent:"cid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,frsirt.com/english/advisories/2008/3118; reference:url,milw0rm.com/exploits/7098; reference:url,doc.emergingthreats.net/2008865; classtype:web-application-attack; sid:2008865; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- awards.php"; flow:established,to_server; uricontent:"/awards.php?"; nocase; uricontent:"| 3C |"; uricontent:"SCRIPT"; nocase; uricontent:"| 3E |"; reference:cve,CVE-2007-2914; reference:url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded; reference:url,doc.emergingthreats.net/2004587; classtype:web-application-attack; sid:2004587; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- login.php"; flow:established,to_server; uricontent:"/login.php?"; nocase; uricontent:"| 3C |"; uricontent:"SCRIPT"; nocase; uricontent:"| 3E |"; reference:cve,CVE-2007-2914; reference:url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded; reference:url,doc.emergingthreats.net/2004588; classtype:web-application-attack; sid:2004588; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- register.php"; flow:established,to_server; uricontent:"/register.php?"; nocase; uricontent:"| 3C |"; uricontent:"SCRIPT"; nocase; uricontent:"| 3E |"; reference:cve,CVE-2007-2914; reference:url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded; reference:url,doc.emergingthreats.net/2004589; classtype:web-application-attack; sid:2004589; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- weapons.php"; flow:established,to_server; uricontent:"/weapons.php?"; nocase; uricontent:"| 3C |"; uricontent:"SCRIPT"; nocase; uricontent:"| 3E |"; reference:cve,CVE-2007-2914; reference:url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded; reference:url,doc.emergingthreats.net/2004590; classtype:web-application-attack; sid:2004590; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PunBB Functions_navlinks.php pun_user language Parameter Local File Inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"functions_navlinks.php?"; nocase; uricontent:"pun_user[language]="; nocase; pcre:"/(\.\.\/){1,}/U"; reference:bugtraq,32360; reference:url,milw0rm.com/exploits/7159; reference:url,doc.emergingthreats.net/2008880; classtype:web-application-attack; sid:2008880; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PunBB profile_send.php pun_user language Parameter Local File Inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"profile_send.php?"; nocase; uricontent:"pun_user[language]="; nocase; pcre:"/(\.\.\/){1,}/U"; reference:bugtraq,32360; reference:url,milw0rm.com/exploits/7159; reference:url,doc.emergingthreats.net/2008881; classtype:web-application-attack; sid:2008881; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PunBB viewtopic_PM-link.php pun_user language Parameter Local File Inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"viewtopic_PM-link.php?"; nocase; uricontent:"pun_user[language]="; nocase; pcre:"/(\.\.\/){1,}/U"; reference:bugtraq,32360; reference:url,milw0rm.com/exploits/7159; reference:url,doc.emergingthreats.net/2008882; classtype:web-application-attack; sid:2008882; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/server_request.php?"; nocase; uricontent:"CONFIG[gameroot]="; nocase; pcre:"/CONFIG\[gameroot\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,27945; reference:url,secunia.com/advisories/29077; reference:url,milw0rm.com/exploits/5174; reference:url,doc.emergingthreats.net/2009502; classtype:web-application-attack; sid:2009502; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/server_request.php?"; nocase; uricontent:"CONFIG[gameroot]="; nocase; content:"../"; reference:bugtraq,27945; reference:url,secunia.com/advisories/29077; reference:url,milw0rm.com/exploits/5174; reference:url,doc.emergingthreats.net/2009503; classtype:web-application-attack; sid:2009503; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/qlib/smarty.inc.php?"; nocase; uricontent:"CONFIG[gameroot]="; nocase; pcre:"/CONFIG\[gameroot\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,27945; reference:url,secunia.com/advisories/29077; reference:url,milw0rm.com/exploits/5174; reference:url,doc.emergingthreats.net/2009504; classtype:web-application-attack; sid:2009504; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/qlib/smarty.inc.php?"; nocase; uricontent:"CONFIG[gameroot]="; nocase; content:"../"; reference:bugtraq,27945; reference:url,secunia.com/advisories/29077; reference:url,milw0rm.com/exploits/5174; reference:url,doc.emergingthreats.net/2009505; classtype:web-application-attack; sid:2009505; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/qte_web.php?"; nocase; uricontent:"qte_web_path="; nocase; content:"../"; reference:url,secunia.com/advisories/34997/; reference:url,milw0rm.com/exploits/8602; reference:url,doc.emergingthreats.net/2009746; classtype:web-application-attack; sid:2009746; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/qte_web.php?"; nocase; uricontent:"qte_web_path="; nocase; pcre:"/qte_web_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/34997/; reference:url,milw0rm.com/exploits/8602; reference:url,doc.emergingthreats.net/2009723; classtype:web-application-attack; sid:2009723; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS QuickTeam qte_init.php qte_root Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/bin/qte_init.php?"; nocase; uricontent:"qte_root="; nocase; content:"../"; reference:url,secunia.com/advisories/34997/; reference:url,milw0rm.com/exploits/8602; reference:url,doc.emergingthreats.net/2009724; classtype:web-application-attack; sid:2009724; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/qte_result.php?"; nocase; uricontent:"title="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt; reference:url,doc.emergingthreats.net/2010185; classtype:web-application-attack; sid:2010185; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/qte_result.php?"; nocase; uricontent:"title="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt; reference:url,doc.emergingthreats.net/2010186; classtype:web-application-attack; sid:2010186; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/qte_result.php?"; nocase; uricontent:"title="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt; reference:url,doc.emergingthreats.net/2010187; classtype:web-application-attack; sid:2010187; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/qte_result.php?"; nocase; uricontent:"title="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt; reference:url,doc.emergingthreats.net/2010188; classtype:web-application-attack; sid:2010188; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/qte_result.php?"; nocase; uricontent:"title="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt; reference:url,doc.emergingthreats.net/2010189; classtype:web-application-attack; sid:2010189; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RM EasyMail Plus XSS Attempt -- Login d"; flow:established,to_server; uricontent:"cp/ps/Main/login/Login"; nocase; uricontent:"d="; nocase; uricontent:"script"; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2802; reference:url,www.secunia.com/advisories/25326; reference:url,doc.emergingthreats.net/2004571; classtype:web-application-attack; sid:2004571; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RS-CMS rscms_mod_newsview.php key Parameter Processing Remote SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/rscms_mod_newsview.php?"; nocase; uricontent:"key="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,milw0rm.com/exploits/9000; reference:url,vupen.com/english/advisories/2009/1658; reference:url,doc.emergingthreats.net/2010021; classtype:web-application-attack; sid:2010021; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RSS-aggregator display.php path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/display.php?"; nocase; uricontent:"path="; nocase; pcre:"/path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,29873; reference:url,milw0rm.com/exploits/5900; reference:url,doc.emergingthreats.net/2009788; classtype:web-application-attack; sid:2009788; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RaXnet Cacti top_graph_header.php config Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/include/top_graph_header.php?"; nocase; uricontent:"config[library_path]="; nocase; pcre:"/config\[library_path\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,14030; reference:url,doc.emergingthreats.net/2010097; classtype:web-application-attack; sid:2010097; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rakhi Software Price Comparison Script product.php subcategory_id SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/product.php?"; nocase; uricontent:"subcategory_id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,32504; reference:url,milw0rm.com/exploits/7250; reference:url,doc.emergingthreats.net/2008924; classtype:web-application-attack; sid:2008924; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id SELECT"; flow:established,to_server; uricontent:"/viewad.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6930; reference:url,www.securityfocus.com/bid/21197; reference:url,doc.emergingthreats.net/2005681; classtype:web-application-attack; sid:2005681; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id UNION SELECT"; flow:established,to_server; uricontent:"/viewad.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6930; reference:url,www.securityfocus.com/bid/21197; reference:url,doc.emergingthreats.net/2005682; classtype:web-application-attack; sid:2005682; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id INSERT"; flow:established,to_server; uricontent:"/viewad.asp?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6930; reference:url,www.securityfocus.com/bid/21197; reference:url,doc.emergingthreats.net/2005683; classtype:web-application-attack; sid:2005683; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id DELETE"; flow:established,to_server; uricontent:"/viewad.asp?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6930; reference:url,www.securityfocus.com/bid/21197; reference:url,doc.emergingthreats.net/2005684; classtype:web-application-attack; sid:2005684; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id ASCII"; flow:established,to_server; uricontent:"/viewad.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6930; reference:url,www.securityfocus.com/bid/21197; reference:url,doc.emergingthreats.net/2005685; classtype:web-application-attack; sid:2005685; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id UPDATE"; flow:established,to_server; uricontent:"/viewad.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6930; reference:url,www.securityfocus.com/bid/21197; reference:url,doc.emergingthreats.net/2005686; classtype:web-application-attack; sid:2005686; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user SELECT"; flow:established,to_server; uricontent:"/login.asp?"; nocase; uricontent:"user="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005021; classtype:web-application-attack; sid:2005021; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user UNION SELECT"; flow:established,to_server; uricontent:"/login.asp?"; nocase; uricontent:"user="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005022; classtype:web-application-attack; sid:2005022; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user INSERT"; flow:established,to_server; uricontent:"/login.asp?"; nocase; uricontent:"user="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005023; classtype:web-application-attack; sid:2005023; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user DELETE"; flow:established,to_server; uricontent:"/login.asp?"; nocase; uricontent:"user="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005024; classtype:web-application-attack; sid:2005024; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user ASCII"; flow:established,to_server; uricontent:"/login.asp?"; nocase; uricontent:"user="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005025; classtype:web-application-attack; sid:2005025; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user UPDATE"; flow:established,to_server; uricontent:"/login.asp?"; nocase; uricontent:"user="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005026; classtype:web-application-attack; sid:2005026; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password SELECT"; flow:established,to_server; uricontent:"/login.asp?"; nocase; uricontent:"password="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005027; classtype:web-application-attack; sid:2005027; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password UNION SELECT"; flow:established,to_server; uricontent:"/login.asp?"; nocase; uricontent:"password="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005028; classtype:web-application-attack; sid:2005028; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password INSERT"; flow:established,to_server; uricontent:"/login.asp?"; nocase; uricontent:"password="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005029; classtype:web-application-attack; sid:2005029; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password DELETE"; flow:established,to_server; uricontent:"/login.asp?"; nocase; uricontent:"password="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005030; classtype:web-application-attack; sid:2005030; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password ASCII"; flow:established,to_server; uricontent:"/login.asp?"; nocase; uricontent:"password="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005031; classtype:web-application-attack; sid:2005031; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password UPDATE"; flow:established,to_server; uricontent:"/login.asp?"; nocase; uricontent:"password="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005032; classtype:web-application-attack; sid:2005032; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id SELECT"; flow:established,to_server; uricontent:"/user_confirm.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005093; classtype:web-application-attack; sid:2005093; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id UNION SELECT"; flow:established,to_server; uricontent:"/user_confirm.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005094; classtype:web-application-attack; sid:2005094; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id INSERT"; flow:established,to_server; uricontent:"/user_confirm.asp?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005095; classtype:web-application-attack; sid:2005095; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id DELETE"; flow:established,to_server; uricontent:"/user_confirm.asp?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005096; classtype:web-application-attack; sid:2005096; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id ASCII"; flow:established,to_server; uricontent:"/user_confirm.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005097; classtype:web-application-attack; sid:2005097; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id UPDATE"; flow:established,to_server; uricontent:"/user_confirm.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005098; classtype:web-application-attack; sid:2005098; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass SELECT"; flow:established,to_server; uricontent:"/user_confirm.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005099; classtype:web-application-attack; sid:2005099; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass UNION SELECT"; flow:established,to_server; uricontent:"/user_confirm.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005100; classtype:web-application-attack; sid:2005100; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass INSERT"; flow:established,to_server; uricontent:"/user_confirm.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005101; classtype:web-application-attack; sid:2005101; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass DELETE"; flow:established,to_server; uricontent:"/user_confirm.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005102; classtype:web-application-attack; sid:2005102; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass ASCII"; flow:established,to_server; uricontent:"/user_confirm.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005103; classtype:web-application-attack; sid:2005103; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass UPDATE"; flow:established,to_server; uricontent:"/user_confirm.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005104; classtype:web-application-attack; sid:2005104; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Real Estate Manager realestate-index.php cat_id SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"realestate-index.php?"; nocase; uricontent:"&cat_id="; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/Advisories/32049/; reference:url,www.milw0rm.com/exploits/6599; reference:url,doc.emergingthreats.net/2008615; classtype:web-application-attack; sid:2008615; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS REALTOR define.php Remote File Inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/define.php?"; nocase; uricontent:"INC_DIR="; nocase; pcre:"/INC_DIR=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,33227; reference:url,milw0rm.com/exploits/7743; reference:url,doc.emergingthreats.net/2009101; classtype:web-application-attack; sid:2009101; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RealtyListings type.asp iType Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/type.asp?"; nocase; uricontent:"iType="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/33167/; reference:url,milw0rm.com/exploits/7464; reference:url,doc.emergingthreats.net/2009049; classtype:web-application-attack; sid:2009049; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RealtyListings detail.asp iPro Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/detail.asp?"; nocase; uricontent:"iPro="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/33167/; reference:url,milw0rm.com/exploits/7464; reference:url,doc.emergingthreats.net/2009050; classtype:web-application-attack; sid:2009050; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid SELECT"; flow:established,to_server; uricontent:"/recipe.php?"; nocase; uricontent:"recipeid="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006939; classtype:web-application-attack; sid:2006939; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid UNION SELECT"; flow:established,to_server; uricontent:"/recipe.php?"; nocase; uricontent:"recipeid="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006940; classtype:web-application-attack; sid:2006940; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid INSERT"; flow:established,to_server; uricontent:"/recipe.php?"; nocase; uricontent:"recipeid="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006941; classtype:web-application-attack; sid:2006941; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid DELETE"; flow:established,to_server; uricontent:"/recipe.php?"; nocase; uricontent:"recipeid="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006942; classtype:web-application-attack; sid:2006942; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid ASCII"; flow:established,to_server; uricontent:"/recipe.php?"; nocase; uricontent:"recipeid="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006943; classtype:web-application-attack; sid:2006943; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid UPDATE"; flow:established,to_server; uricontent:"/recipe.php?"; nocase; uricontent:"recipeid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006944; classtype:web-application-attack; sid:2006944; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid SELECT"; flow:established,to_server; uricontent:"/list.php?"; nocase; uricontent:"categoryid="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006945; classtype:web-application-attack; sid:2006945; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid UNION SELECT"; flow:established,to_server; uricontent:"/list.php?"; nocase; uricontent:"categoryid="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006946; classtype:web-application-attack; sid:2006946; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid INSERT"; flow:established,to_server; uricontent:"/list.php?"; nocase; uricontent:"categoryid="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006947; classtype:web-application-attack; sid:2006947; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid DELETE"; flow:established,to_server; uricontent:"/list.php?"; nocase; uricontent:"categoryid="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006948; classtype:web-application-attack; sid:2006948; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid ASCII"; flow:established,to_server; uricontent:"/list.php?"; nocase; uricontent:"categoryid="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006949; classtype:web-application-attack; sid:2006949; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid UPDATE"; flow:established,to_server; uricontent:"/list.php?"; nocase; uricontent:"categoryid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006950; classtype:web-application-attack; sid:2006950; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Feederator add_tmsp.php mosConfig_absolute_path parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/tmsp/add_tmsp.php?"; nocase; uricontent:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32194; reference:url,milw0rm.com/exploits/7040; reference:url,doc.emergingthreats.net/2009059; classtype:web-application-attack; sid:2009059; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Feederator edit_tmsp.php mosConfig_absolute_path parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/tmsp/edit_tmsp.php?"; nocase; uricontent:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32194; reference:url,milw0rm.com/exploits/7040; reference:url,doc.emergingthreats.net/2009060; classtype:web-application-attack; sid:2009060; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Feederator subscription.php GLOBALS mosConfig_absolute_path parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/tmsp/subscription.php?"; nocase; uricontent:"GLOBALS[mosConfig_absolute_path]="; nocase; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32194; reference:url,milw0rm.com/exploits/7040; reference:url,doc.emergingthreats.net/2009061; classtype:web-application-attack; sid:2009061; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Feederator tmsp.php mosConfig_absolute_path parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/tmsp/tmsp.php?"; nocase; uricontent:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32194; reference:url,milw0rm.com/exploits/7040; reference:url,doc.emergingthreats.net/2009062; classtype:web-application-attack; sid:2009062; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Competitions Component add.php GLOBALS Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/competitions/add.php?"; nocase; uricontent:"GLOBALS[mosConfig_absolute_path]="; nocase; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32192; reference:url,milw0rm.com/exploits/7039; reference:url,doc.emergingthreats.net/2009466; classtype:web-application-attack; sid:2009466; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Competitions Component competitions.php GLOBALS Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/competitions/competitions.php?"; nocase; uricontent:"GLOBALS[mosConfig_absolute_path]="; nocase; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32192; reference:url,milw0rm.com/exploits/7039; reference:url,doc.emergingthreats.net/2009467; classtype:web-application-attack; sid:2009467; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Competitions Component settings.php mosConfig_absolute_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/settings/settings.php?"; nocase; uricontent:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32192; reference:url,milw0rm.com/exploits/7039; reference:url,doc.emergingthreats.net/2009468; classtype:web-application-attack; sid:2009468; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Redaxo CMS index.inc.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/include/addons/version/pages/index.inc.php?"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX\[INCLUDE_PATH\]=\s*(ftps?|https?|php)\:\//Ui"; reference:url,vupen.com/english/advisories/2010/0942; reference:url,exploit-db.com/exploits/12276; reference:url,doc.emergingthreats.net/2011254; classtype:web-application-attack; sid:2011254; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Redaxo CMS specials.inc.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/include/pages/specials.inc.php?"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX\[INCLUDE_PATH\]=\s*(ftps?|https?|php)\:\//Ui"; reference:url,vupen.com/english/advisories/2010/0942; reference:url,exploit-db.com/exploits/12276; reference:url,doc.emergingthreats.net/2011255; classtype:web-application-attack; sid:2011255; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Redoable XSS Attempt -- searchloop.php s"; flow:established,to_server; uricontent:"/wp-content/themes/redoable/searchloop.php?"; nocase; uricontent:"s="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2757; reference:url,www.securityfocus.com/archive/1/archive/1/468892/100/0/threaded; reference:url,doc.emergingthreats.net/2003872; classtype:web-application-attack; sid:2003872; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Redoable XSS Attempt -- header.php s"; flow:established,to_server; uricontent:"/wp-content/themes/redoable/header.php?"; nocase; uricontent:"s="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2757; reference:url,www.securityfocus.com/archive/1/archive/1/468892/100/0/threaded; reference:url,doc.emergingthreats.net/2003873; classtype:web-application-attack; sid:2003873; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rematic CMS referenzdetail.php id parameter SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/referenzdetail.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/33208/; reference:url,milw0rm.com/exploits/7502; reference:url,doc.emergingthreats.net/2009011; classtype:web-application-attack; sid:2009011; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rematic CMS produkte.php id parameter SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/produkte.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/33208/; reference:url,milw0rm.com/exploits/7502; reference:url,doc.emergingthreats.net/2009012; classtype:web-application-attack; sid:2009012; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Rentventory SQL Injection Attempt"; flow:to_server,established; content:"/patch/?product="; nocase; http_uri; content:"&panel=rent/select_time"; http_uri; nocase; reference:url,www.milw0rm.com/exploits/9081; reference:url,doc.emergingthreats.net/2009513; classtype:web-application-attack; sid:2009513; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv SELECT"; flow:established,to_server; uricontent:"/edit_day.php?"; nocase; uricontent:"id_reserv="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2735; reference:url,www.milw0rm.com/exploits/3931; reference:url,doc.emergingthreats.net/2003829; classtype:web-application-attack; sid:2003829; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv UNION SELECT"; flow:established,to_server; uricontent:"/edit_day.php?"; nocase; uricontent:"id_reserv="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2735; reference:url,www.milw0rm.com/exploits/3931; reference:url,doc.emergingthreats.net/2003830; classtype:web-application-attack; sid:2003830; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv INSERT"; flow:established,to_server; uricontent:"/edit_day.php?"; nocase; uricontent:"id_reserv="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2735; reference:url,www.milw0rm.com/exploits/3931; reference:url,doc.emergingthreats.net/2003831; classtype:web-application-attack; sid:2003831; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv DELETE"; flow:established,to_server; uricontent:"/edit_day.php?"; nocase; uricontent:"id_reserv="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2735; reference:url,www.milw0rm.com/exploits/3931; reference:url,doc.emergingthreats.net/2003832; classtype:web-application-attack; sid:2003832; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv ASCII"; flow:established,to_server; uricontent:"/edit_day.php?"; nocase; uricontent:"id_reserv="; nocase; uricontent:"ASCII("; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2735; reference:url,www.milw0rm.com/exploits/3931; reference:url,doc.emergingthreats.net/2003833; classtype:web-application-attack; sid:2003833; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv UPDATE"; flow:established,to_server; uricontent:"/edit_day.php?"; nocase; uricontent:"id_reserv="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2735; reference:url,www.milw0rm.com/exploits/3931; reference:url,doc.emergingthreats.net/2003834; classtype:web-application-attack; sid:2003834; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php SELECT"; flow:established,to_server; uricontent:"/inc/class_users.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3051; reference:url,www.milw0rm.com/exploits/4020; reference:url,doc.emergingthreats.net/2004600; classtype:web-application-attack; sid:2004600; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php UNION SELECT"; flow:established,to_server; uricontent:"/inc/class_users.php?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3051; reference:url,www.milw0rm.com/exploits/4020; reference:url,doc.emergingthreats.net/2004601; classtype:web-application-attack; sid:2004601; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php INSERT"; flow:established,to_server; uricontent:"/inc/class_users.php?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3051; reference:url,www.milw0rm.com/exploits/4020; reference:url,doc.emergingthreats.net/2004602; classtype:web-application-attack; sid:2004602; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php DELETE"; flow:established,to_server; uricontent:"/inc/class_users.php?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3051; reference:url,www.milw0rm.com/exploits/4020; reference:url,doc.emergingthreats.net/2004603; classtype:web-application-attack; sid:2004603; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php ASCII"; flow:established,to_server; uricontent:"/inc/class_users.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3051; reference:url,www.milw0rm.com/exploits/4020; reference:url,doc.emergingthreats.net/2004604; classtype:web-application-attack; sid:2004604; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php UPDATE"; flow:established,to_server; uricontent:"/inc/class_users.php?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3051; reference:url,www.milw0rm.com/exploits/4020; reference:url,doc.emergingthreats.net/2004605; classtype:web-application-attack; sid:2004605; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID SELECT"; flow:established,to_server; uricontent:"/listfull.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005687; classtype:web-application-attack; sid:2005687; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID UNION SELECT"; flow:established,to_server; uricontent:"/listfull.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005688; classtype:web-application-attack; sid:2005688; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID INSERT"; flow:established,to_server; uricontent:"/listfull.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005689; classtype:web-application-attack; sid:2005689; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID DELETE"; flow:established,to_server; uricontent:"/listfull.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005690; classtype:web-application-attack; sid:2005690; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID ASCII"; flow:established,to_server; uricontent:"/listfull.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005691; classtype:web-application-attack; sid:2005691; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID UPDATE"; flow:established,to_server; uricontent:"/listfull.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005692; classtype:web-application-attack; sid:2005692; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID SELECT"; flow:established,to_server; uricontent:"/printmain.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005693; classtype:web-application-attack; sid:2005693; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID UNION SELECT"; flow:established,to_server; uricontent:"/printmain.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005694; classtype:web-application-attack; sid:2005694; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID INSERT"; flow:established,to_server; uricontent:"/printmain.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005695; classtype:web-application-attack; sid:2005695; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID DELETE"; flow:established,to_server; uricontent:"/printmain.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005696; classtype:web-application-attack; sid:2005696; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID ASCII"; flow:established,to_server; uricontent:"/printmain.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005697; classtype:web-application-attack; sid:2005697; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID UPDATE"; flow:established,to_server; uricontent:"/printmain.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005698; classtype:web-application-attack; sid:2005698; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat SELECT"; flow:established,to_server; uricontent:"/listmain.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005699; classtype:web-application-attack; sid:2005699; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat UNION SELECT"; flow:established,to_server; uricontent:"/listmain.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005700; classtype:web-application-attack; sid:2005700; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat INSERT"; flow:established,to_server; uricontent:"/listmain.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005701; classtype:web-application-attack; sid:2005701; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat DELETE"; flow:established,to_server; uricontent:"/listmain.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005702; classtype:web-application-attack; sid:2005702; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat ASCII"; flow:established,to_server; uricontent:"/listmain.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005703; classtype:web-application-attack; sid:2005703; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat UPDATE"; flow:established,to_server; uricontent:"/listmain.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005704; classtype:web-application-attack; sid:2005704; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat SELECT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005705; classtype:web-application-attack; sid:2005705; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat UNION SELECT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005706; classtype:web-application-attack; sid:2005706; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat INSERT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005707; classtype:web-application-attack; sid:2005707; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat DELETE"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005708; classtype:web-application-attack; sid:2005708; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat ASCII"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005709; classtype:web-application-attack; sid:2005709; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat UPDATE"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005710; classtype:web-application-attack; sid:2005710; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat SELECT"; flow:established,to_server; uricontent:"/searchmain.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005711; classtype:web-application-attack; sid:2005711; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat UNION SELECT"; flow:established,to_server; uricontent:"/searchmain.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005712; classtype:web-application-attack; sid:2005712; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat INSERT"; flow:established,to_server; uricontent:"/searchmain.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005713; classtype:web-application-attack; sid:2005713; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat DELETE"; flow:established,to_server; uricontent:"/searchmain.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005714; classtype:web-application-attack; sid:2005714; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat ASCII"; flow:established,to_server; uricontent:"/searchmain.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005715; classtype:web-application-attack; sid:2005715; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat UPDATE"; flow:established,to_server; uricontent:"/searchmain.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005716; classtype:web-application-attack; sid:2005716; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword SELECT"; flow:established,to_server; uricontent:"/searchkey.asp?"; nocase; uricontent:"Keyword="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005717; classtype:web-application-attack; sid:2005717; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword UNION SELECT"; flow:established,to_server; uricontent:"/searchkey.asp?"; nocase; uricontent:"Keyword="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005718; classtype:web-application-attack; sid:2005718; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword INSERT"; flow:established,to_server; uricontent:"/searchkey.asp?"; nocase; uricontent:"Keyword="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005719; classtype:web-application-attack; sid:2005719; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword DELETE"; flow:established,to_server; uricontent:"/searchkey.asp?"; nocase; uricontent:"Keyword="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005720; classtype:web-application-attack; sid:2005720; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword ASCII"; flow:established,to_server; uricontent:"/searchkey.asp?"; nocase; uricontent:"Keyword="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005721; classtype:web-application-attack; sid:2005721; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword UPDATE"; flow:established,to_server; uricontent:"/searchkey.asp?"; nocase; uricontent:"Keyword="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005722; classtype:web-application-attack; sid:2005722; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area SELECT"; flow:established,to_server; uricontent:"/searchmain.asp?"; nocase; uricontent:"area="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005723; classtype:web-application-attack; sid:2005723; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area UNION SELECT"; flow:established,to_server; uricontent:"/searchmain.asp?"; nocase; uricontent:"area="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005724; classtype:web-application-attack; sid:2005724; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area INSERT"; flow:established,to_server; uricontent:"/searchmain.asp?"; nocase; uricontent:"area="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005725; classtype:web-application-attack; sid:2005725; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area DELETE"; flow:established,to_server; uricontent:"/searchmain.asp?"; nocase; uricontent:"area="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005726; classtype:web-application-attack; sid:2005726; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area ASCII"; flow:established,to_server; uricontent:"/searchmain.asp?"; nocase; uricontent:"area="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005727; classtype:web-application-attack; sid:2005727; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area UPDATE"; flow:established,to_server; uricontent:"/searchmain.asp?"; nocase; uricontent:"area="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005728; classtype:web-application-attack; sid:2005728; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area SELECT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"area="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005729; classtype:web-application-attack; sid:2005729; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area UNION SELECT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"area="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005730; classtype:web-application-attack; sid:2005730; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area INSERT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"area="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005731; classtype:web-application-attack; sid:2005731; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area DELETE"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"area="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005732; classtype:web-application-attack; sid:2005732; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area ASCII"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"area="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005733; classtype:web-application-attack; sid:2005733; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area UPDATE"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"area="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005734; classtype:web-application-attack; sid:2005734; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin SELECT"; flow:established,to_server; uricontent:"/searchkey.asp?"; nocase; uricontent:"searchin="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005735; classtype:web-application-attack; sid:2005735; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin UNION SELECT"; flow:established,to_server; uricontent:"/searchkey.asp?"; nocase; uricontent:"searchin="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005736; classtype:web-application-attack; sid:2005736; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin INSERT"; flow:established,to_server; uricontent:"/searchkey.asp?"; nocase; uricontent:"searchin="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005738; classtype:web-application-attack; sid:2005738; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin DELETE"; flow:established,to_server; uricontent:"/searchkey.asp?"; nocase; uricontent:"searchin="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005739; classtype:web-application-attack; sid:2005739; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin ASCII"; flow:established,to_server; uricontent:"/searchkey.asp?"; nocase; uricontent:"searchin="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005740; classtype:web-application-attack; sid:2005740; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin UPDATE"; flow:established,to_server; uricontent:"/searchkey.asp?"; nocase; uricontent:"searchin="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005741; classtype:web-application-attack; sid:2005741; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 SELECT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cost1="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005742; classtype:web-application-attack; sid:2005742; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 UNION SELECT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cost1="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005743; classtype:web-application-attack; sid:2005743; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 INSERT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cost1="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005744; classtype:web-application-attack; sid:2005744; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 DELETE"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cost1="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005745; classtype:web-application-attack; sid:2005745; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 ASCII"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cost1="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005746; classtype:web-application-attack; sid:2005746; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 UPDATE"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cost1="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005747; classtype:web-application-attack; sid:2005747; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 SELECT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cost2="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005748; classtype:web-application-attack; sid:2005748; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 UNION SELECT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cost2="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005749; classtype:web-application-attack; sid:2005749; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 INSERT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cost2="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005750; classtype:web-application-attack; sid:2005750; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 DELETE"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cost2="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005751; classtype:web-application-attack; sid:2005751; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 ASCII"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cost2="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005752; classtype:web-application-attack; sid:2005752; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 UPDATE"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cost2="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005753; classtype:web-application-attack; sid:2005753; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 SELECT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"acreage1="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005754; classtype:web-application-attack; sid:2005754; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 UNION SELECT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"acreage1="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005755; classtype:web-application-attack; sid:2005755; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 INSERT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"acreage1="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005756; classtype:web-application-attack; sid:2005756; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 DELETE"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"acreage1="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005757; classtype:web-application-attack; sid:2005757; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 ASCII"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"acreage1="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005758; classtype:web-application-attack; sid:2005758; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 UPDATE"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"acreage1="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005759; classtype:web-application-attack; sid:2005759; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 SELECT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"squarefeet1="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005760; classtype:web-application-attack; sid:2005760; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 UNION SELECT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"squarefeet1="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005761; classtype:web-application-attack; sid:2005761; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 INSERT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"squarefeet1="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005762; classtype:web-application-attack; sid:2005762; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 DELETE"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"squarefeet1="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005763; classtype:web-application-attack; sid:2005763; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 ASCII"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"squarefeet1="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005764; classtype:web-application-attack; sid:2005764; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 UPDATE"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"squarefeet1="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005765; classtype:web-application-attack; sid:2005765; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Text Lines Rearrange Script filename parameter File Disclosure"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/download.php?"; nocase; uricontent:"filename="; nocase; pcre:"/(\.\.\/){1,}/U"; reference:url,securityfocus.com/bid/32968; reference:url,milw0rm.com/exploits/7542; reference:url,doc.emergingthreats.net/2009018; classtype:web-application-attack; sid:2009018; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"categoria="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004660; classtype:web-application-attack; sid:2004660; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"categoria="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004661; classtype:web-application-attack; sid:2004661; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"categoria="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004662; classtype:web-application-attack; sid:2004662; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"categoria="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004663; classtype:web-application-attack; sid:2004663; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"categoria="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004664; classtype:web-application-attack; sid:2004664; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"categoria="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004665; classtype:web-application-attack; sid:2004665; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ripe Website Manager XSS Attempt -- index.php ripeformpost"; flow:established,to_server; uricontent:"/contact/index.php?"; nocase; uricontent:"ripeformpost="; nocase; uricontent:"script"; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2206; reference:url,www.securityfocus.com/bid/23597; reference:url,doc.emergingthreats.net/2003871; classtype:web-application-attack; sid:2003871; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RJ-iTop Network Vulnerabilities Scan System id SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/roleManager.jsp?"; nocase; uricontent:"type=query&"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,secunia.com/advisories/39404/; reference:url,doc.emergingthreats.net/2011155; classtype:web-application-attack; sid:2011155; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RJ-iTop Network Vulnerabilities Scan System id DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/roleManager.jsp?"; nocase; uricontent:"type=query&"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,secunia.com/advisories/39404/; reference:url,doc.emergingthreats.net/2011156; classtype:web-application-attack; sid:2011156; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RJ-iTop Network Vulnerabilities Scan System id UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/roleManager.jsp?"; nocase; uricontent:"type=query&"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/39404/; reference:url,doc.emergingthreats.net/2011157; classtype:web-application-attack; sid:2011157; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RJ-iTop Network Vulnerabilities Scan System id INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/roleManager.jsp?"; nocase; http_uri; content:"type=query&"; http_uri; nocase; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,secunia.com/advisories/39404/; reference:url,doc.emergingthreats.net/2011158; classtype:web-application-attack; sid:2011158; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RJ-iTop Network Vulnerabilities Scan System id UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/roleManager.jsp?"; nocase; http_uri; content:"type=query&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,secunia.com/advisories/39404/; reference:url,doc.emergingthreats.net/2011159; classtype:web-application-attack; sid:2011159; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RoseOnline CMS LFI Attempt"; flow:established,to_server; uricontent:"/modules/admincp.php?"; nocase; uricontent:"admin="; nocase; pcre:"/(\?|&)admin=[^\x26\x3B]*([\x2F\x5C\x00]|\x2E\x2E)/iU"; reference:url,www.packetstormsecurity.org/0912-exploits/roseonlinecms-lfi.txt; reference:url,doc.emergingthreats.net/2010610; classtype:web-application-attack; sid:2010610; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries SELECT"; flow:established,to_server; uricontent:"/class/debug/debug_show.php?"; nocase; uricontent:"executed_queries="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2538; reference:url,www.milw0rm.com/exploits/3850; reference:url,doc.emergingthreats.net/2003817; classtype:web-application-attack; sid:2003817; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries UNION SELECT"; flow:established,to_server; uricontent:"/class/debug/debug_show.php?"; nocase; uricontent:"executed_queries="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2538; reference:url,www.milw0rm.com/exploits/3850; reference:url,doc.emergingthreats.net/2003818; classtype:web-application-attack; sid:2003818; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries INSERT"; flow:established,to_server; uricontent:"/class/debug/debug_show.php?"; nocase; uricontent:"executed_queries="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2538; reference:url,www.milw0rm.com/exploits/3850; reference:url,doc.emergingthreats.net/2003819; classtype:web-application-attack; sid:2003819; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries DELETE"; flow:established,to_server; uricontent:"/class/debug/debug_show.php?"; nocase; uricontent:"executed_queries="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2538; reference:url,www.milw0rm.com/exploits/3850; reference:url,doc.emergingthreats.net/2003820; classtype:web-application-attack; sid:2003820; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries ASCII"; flow:established,to_server; uricontent:"/class/debug/debug_show.php?"; nocase; uricontent:"executed_queries="; nocase; uricontent:"ASCII("; nocase; uricontent:"SELECT"; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2538; reference:url,www.milw0rm.com/exploits/3850; reference:url,doc.emergingthreats.net/2003821; classtype:web-application-attack; sid:2003821; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries UPDATE"; flow:established,to_server; uricontent:"/class/debug/debug_show.php?"; nocase; uricontent:"executed_queries="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2538; reference:url,www.milw0rm.com/exploits/3850; reference:url,doc.emergingthreats.net/2003822; classtype:web-application-attack; sid:2003822; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id SELECT"; flow:established,to_server; uricontent:"/devami.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2752; reference:url,www.milw0rm.com/exploits/3936; reference:url,doc.emergingthreats.net/2003858; classtype:web-application-attack; sid:2003858; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id UNION SELECT"; flow:established,to_server; uricontent:"/devami.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2752; reference:url,www.milw0rm.com/exploits/3936; reference:url,doc.emergingthreats.net/2003859; classtype:web-application-attack; sid:2003859; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id INSERT"; flow:established,to_server; uricontent:"/devami.asp?"; nocase; uricontent:"id="; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2752; reference:url,www.milw0rm.com/exploits/3936; reference:url,doc.emergingthreats.net/2003860; classtype:web-application-attack; sid:2003860; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id DELETE"; flow:established,to_server; uricontent:"/devami.asp?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2752; reference:url,www.milw0rm.com/exploits/3936; reference:url,doc.emergingthreats.net/2003861; classtype:web-application-attack; sid:2003861; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id ASCII"; flow:established,to_server; uricontent:"/devami.asp?"; nocase; uricontent:"id="; nocase; uricontent:"ASCII("; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2752; reference:url,www.milw0rm.com/exploits/3936; reference:url,doc.emergingthreats.net/2003862; classtype:web-application-attack; sid:2003862; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id UPDATE"; flow:established,to_server; uricontent:"/devami.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2752; reference:url,www.milw0rm.com/exploits/3936; reference:url,doc.emergingthreats.net/2003863; classtype:web-application-attack; sid:2003863; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SERWeb load_lang.php configdir Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/load_lang.php?"; nocase; uricontent:"_SERWEB[configdir]="; nocase; pcre:"/_SERWEB\[configdir\]=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,26747; reference:url,milworm.com/exploits/9284; reference:url,doc.emergingthreats.net/2010124; classtype:web-application-attack; sid:2010124; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SERWeb main_prepend.php functionsdir Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/main_prepend.php?"; nocase; uricontent:"_SERWEB[functionsdir]="; nocase; pcre:"/_SERWEB\[functionsdir\]=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,26747; reference:url,milworm.com/exploits/9284; reference:url,doc.emergingthreats.net/2010125; classtype:web-application-attack; sid:2010125; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SFS EZ Hotscripts-like Site showcategory.php cid Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/showcategory.php?"; nocase; uricontent:"cid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/32536/; reference:url,milw0rm.com/exploits/6903; reference:url,doc.emergingthreats.net/2008815; classtype:web-application-attack; sid:2008815; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SFS EZ Hotscripts-like Site software-description.php id Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/software-description.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/32536/; reference:url,milw0rm.com/exploits/6915; reference:url,doc.emergingthreats.net/2008816; classtype:web-application-attack; sid:2008816; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SFS EZ BIZ PRO track.php id Parameter Remote SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/track.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; reference:url,secunia.com/advisories/32552/; reference:url,milw0rm.com/exploits/6910; reference:url,doc.emergingthreats.net/2008793; classtype:web-application-attack; sid:2008793; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SMA-DB format.php _page_css Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/theme/format.php?"; nocase; uricontent:"_page_css="; nocase; pcre:"/_page_css=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,34569; reference:url,milw0rm.com/exploits/8460; reference:url,doc.emergingthreats.net/2009653; classtype:web-application-attack; sid:2009653; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SMA-DB format.php _page_javascript Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/theme/format.php?"; nocase; uricontent:"_page_javascript="; nocase; pcre:"/_page_javascript=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,34569; reference:url,milw0rm.com/exploits/8460; reference:url,doc.emergingthreats.net/2009654; classtype:web-application-attack; sid:2009654; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SMA-DB format.php _page_content Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/theme/format.php?"; nocase; uricontent:"_page_content="; nocase; pcre:"/_page_content=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,34569; reference:url,milw0rm.com/exploits/8460; reference:url,doc.emergingthreats.net/2009656; classtype:web-application-attack; sid:2009656; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SaschArt SasCam Webcam Server ActiveX Buffer Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"XHTTP.HTTP"; fast_pattern; nocase; distance:0; content:"Head"; nocase; reference:url,exploit-db.com/exploits/14215/; reference:bugtraq,41343; reference:url,doc.emergingthreats.net/2011208; classtype:attempted-user; sid:2011208; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClearSite device_admin.php cs_base_path Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/include/admin/device_admin.php?"; nocase; uricontent:"cs_base_path="; nocase; pcre:"/cs_base_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/65117; reference:cve,CVE-2010-2145; reference:url,doc.emergingthreats.net/2011209; classtype:web-application-attack; sid:2011209; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp SELECT"; flow:established,to_server; uricontent:"/cgi-bin/reorder2.asp?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2997; reference:url,www.securityfocus.com/bid/24226; reference:url,doc.emergingthreats.net/2004463; classtype:web-application-attack; sid:2004463; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp UNION SELECT"; flow:established,to_server; uricontent:"/cgi-bin/reorder2.asp?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2997; reference:url,www.securityfocus.com/bid/24226; reference:url,doc.emergingthreats.net/2004464; classtype:web-application-attack; sid:2004464; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp INSERT"; flow:established,to_server; uricontent:"/cgi-bin/reorder2.asp?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2997; reference:url,www.securityfocus.com/bid/24226; reference:url,doc.emergingthreats.net/2004465; classtype:web-application-attack; sid:2004465; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp DELETE"; flow:established,to_server; uricontent:"/cgi-bin/reorder2.asp?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2997; reference:url,www.securityfocus.com/bid/24226; reference:url,doc.emergingthreats.net/2004466; classtype:web-application-attack; sid:2004466; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp ASCII"; flow:established,to_server; uricontent:"/cgi-bin/reorder2.asp?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2997; reference:url,www.securityfocus.com/bid/24226; reference:url,doc.emergingthreats.net/2004467; classtype:web-application-attack; sid:2004467; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp UPDATE"; flow:established,to_server; uricontent:"/cgi-bin/reorder2.asp?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2997; reference:url,www.securityfocus.com/bid/24226; reference:url,doc.emergingthreats.net/2004468; classtype:web-application-attack; sid:2004468; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SaurusCMS class.writeexcel_workbook.inc.php class_path Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/classes/excel/class.writeexcel_workbook.inc.php?"; nocase; uricontent:"class_path="; nocase; pcre:"/class_path\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.packetstormsecurity.org/0912-exploits/saurus-rfi.txt; reference:url,doc.emergingthreats.net/2010922; classtype:web-application-attack; sid:2010922; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SaurusCMS class.writeexcel_worksheet.inc.php class_path Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/classes/excel/class.writeexcel_worksheet.inc.php?"; nocase; uricontent:"class_path="; nocase; pcre:"/class_path\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.packetstormsecurity.org/0912-exploits/saurus-rfi.txt; reference:url,doc.emergingthreats.net/2010923; classtype:web-application-attack; sid:2010923; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name SELECT"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"name="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004493; classtype:web-application-attack; sid:2004493; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name UNION SELECT"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"name="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004494; classtype:web-application-attack; sid:2004494; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name INSERT"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"name="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004495; classtype:web-application-attack; sid:2004495; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name DELETE"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"name="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004496; classtype:web-application-attack; sid:2004496; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name ASCII"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"name="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004497; classtype:web-application-attack; sid:2004497; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name UPDATE"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"name="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004498; classtype:web-application-attack; sid:2004498; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country SELECT"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"country="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004499; classtype:web-application-attack; sid:2004499; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country UNION SELECT"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"country="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004500; classtype:web-application-attack; sid:2004500; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country INSERT"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"country="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004501; classtype:web-application-attack; sid:2004501; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country DELETE"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"country="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004502; classtype:web-application-attack; sid:2004502; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country ASCII"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"country="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004503; classtype:web-application-attack; sid:2004503; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country UPDATE"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"country="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004504; classtype:web-application-attack; sid:2004504; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email SELECT"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"email="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004505; classtype:web-application-attack; sid:2004505; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email UNION SELECT"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"email="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004506; classtype:web-application-attack; sid:2004506; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email INSERT"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"email="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004507; classtype:web-application-attack; sid:2004507; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email DELETE"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"email="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004508; classtype:web-application-attack; sid:2004508; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email ASCII"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"email="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004509; classtype:web-application-attack; sid:2004509; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email UPDATE"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"email="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004510; classtype:web-application-attack; sid:2004510; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website SELECT"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"website="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004511; classtype:web-application-attack; sid:2004511; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website UNION SELECT"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"website="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004512; classtype:web-application-attack; sid:2004512; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website INSERT"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"website="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004513; classtype:web-application-attack; sid:2004513; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website DELETE"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"website="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004514; classtype:web-application-attack; sid:2004514; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website ASCII"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"website="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004515; classtype:web-application-attack; sid:2004515; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website UPDATE"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"website="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004516; classtype:web-application-attack; sid:2004516; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message SELECT"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"message="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004517; classtype:web-application-attack; sid:2004517; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message UNION SELECT"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"message="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004518; classtype:web-application-attack; sid:2004518; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message INSERT"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"message="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004519; classtype:web-application-attack; sid:2004519; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message DELETE"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"message="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004520; classtype:web-application-attack; sid:2004520; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message ASCII"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"message="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004521; classtype:web-application-attack; sid:2004521; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message UPDATE"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"message="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004522; classtype:web-application-attack; sid:2004522; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/html/studentmain.php?"; nocase; uricontent:"session="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,40737; reference:url,exploit-db.com/exploits/13812/; reference:url,doc.emergingthreats.net/2011726; classtype:web-application-attack; sid:2011726; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/html/studentmain.php?"; nocase; uricontent:"session="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,40737; reference:url,exploit-db.com/exploits/13812/; reference:url,doc.emergingthreats.net/2011727; classtype:web-application-attack; sid:2011727; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/html/studentmain.php?"; nocase; uricontent:"session="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,40737; reference:url,exploit-db.com/exploits/13812/; reference:url,doc.emergingthreats.net/2011728; classtype:web-application-attack; sid:2011728; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/html/studentmain.php?"; nocase; uricontent:"session="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,40737; reference:url,exploit-db.com/exploits/13812/; reference:url,doc.emergingthreats.net/2011729; classtype:web-application-attack; sid:2011729; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/html/studentmain.php?"; nocase; uricontent:"session="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,40737; reference:url,exploit-db.com/exploits/13812/; reference:url,doc.emergingthreats.net/2011730; classtype:web-application-attack; sid:2011730; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/html/studentmain.php?"; nocase; uricontent:"session="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,40737; reference:url,exploit-db.com/exploits/13812/; reference:url,doc.emergingthreats.net/2011731; classtype:web-application-attack; sid:2011731; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"catid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004116; classtype:web-application-attack; sid:2004116; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"catid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004117; classtype:web-application-attack; sid:2004117; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"catid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004118; classtype:web-application-attack; sid:2004118; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"catid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004119; classtype:web-application-attack; sid:2004119; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"catid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004120; classtype:web-application-attack; sid:2004120; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"catid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004121; classtype:web-application-attack; sid:2004121; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid SELECT"; flow:established,to_server; uricontent:"/utilities/usermessages.asp?"; nocase; uricontent:"mesid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6594; reference:url,www.secunia.com/advisories/23372; reference:url,doc.emergingthreats.net/2006309; classtype:web-application-attack; sid:2006309; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid UNION SELECT"; flow:established,to_server; uricontent:"/utilities/usermessages.asp?"; nocase; uricontent:"mesid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6594; reference:url,www.secunia.com/advisories/23372; reference:url,doc.emergingthreats.net/2006310; classtype:web-application-attack; sid:2006310; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid INSERT"; flow:established,to_server; uricontent:"/utilities/usermessages.asp?"; nocase; uricontent:"mesid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6594; reference:url,www.secunia.com/advisories/23372; reference:url,doc.emergingthreats.net/2006311; classtype:web-application-attack; sid:2006311; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid DELETE"; flow:established,to_server; uricontent:"/utilities/usermessages.asp?"; nocase; uricontent:"mesid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6594; reference:url,www.secunia.com/advisories/23372; reference:url,doc.emergingthreats.net/2006312; classtype:web-application-attack; sid:2006312; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid ASCII"; flow:established,to_server; uricontent:"/utilities/usermessages.asp?"; nocase; uricontent:"mesid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6594; reference:url,www.secunia.com/advisories/23372; reference:url,doc.emergingthreats.net/2006313; classtype:web-application-attack; sid:2006313; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid UPDATE"; flow:established,to_server; uricontent:"/utilities/usermessages.asp?"; nocase; uricontent:"mesid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6594; reference:url,www.secunia.com/advisories/23372; reference:url,doc.emergingthreats.net/2006314; classtype:web-application-attack; sid:2006314; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptsEz Easy Image Downloader id File Disclosure"; flow:established,to_server; content:"GET "; depth:4; uricontent:"main.php?action=download"; nocase; uricontent:"&id="; nocase; pcre:"/(\.\.\/){1}/"; reference:url,www.milw0rm.com/exploits/6715; reference:url,secunia.com/Advisories/32210/; reference:url,doc.emergingthreats.net/2008652; classtype:web-application-attack; sid:2008652; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Scripts For Sites EZ e-store searchresults.php where Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/SearchResults.php?"; nocase; uricontent:"where="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:cve,CVE-2008-6242; reference:bugtraq,32039; reference:url,milw0rm.com/exploits/6922; reference:url,doc.emergingthreats.net/2009727; classtype:web-application-attack; sid:2009727; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Sendcard XSS Attempt -- sendcard.php form"; flow:established,to_server; uricontent:"/sendcard.php?"; nocase; uricontent:"form="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2472; reference:url,www.secunia.com/advisories/25085; reference:url,doc.emergingthreats.net/2003922; classtype:web-application-attack; sid:2003922; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Sepcity Lawyer Portal deptdisplay.asp ID parameter SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/deptdisplay.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,milw0rm.com/exploits/7610; reference:bugtraq,33040; reference:url,doc.emergingthreats.net/2009048; classtype:web-application-attack; sid:2009048; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"serendipity[multiCat]["; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1326; reference:url,www.securityfocus.com/archive/1/archive/1/461671/100/0/threaded; reference:url,doc.emergingthreats.net/2004415; classtype:web-application-attack; sid:2004415; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"serendipity[multiCat]["; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1326; reference:url,www.securityfocus.com/archive/1/archive/1/461671/100/0/threaded; reference:url,doc.emergingthreats.net/2004416; classtype:web-application-attack; sid:2004416; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"serendipity[multiCat]["; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1326; reference:url,www.securityfocus.com/archive/1/archive/1/461671/100/0/threaded; reference:url,doc.emergingthreats.net/2004417; classtype:web-application-attack; sid:2004417; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"serendipity[multiCat]["; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1326; reference:url,www.securityfocus.com/archive/1/archive/1/461671/100/0/threaded; reference:url,doc.emergingthreats.net/2004418; classtype:web-application-attack; sid:2004418; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"serendipity[multiCat]["; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1326; reference:url,www.securityfocus.com/archive/1/archive/1/461671/100/0/threaded; reference:url,doc.emergingthreats.net/2004419; classtype:web-application-attack; sid:2004419; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"serendipity[multiCat]["; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1326; reference:url,www.securityfocus.com/archive/1/archive/1/461671/100/0/threaded; reference:url,doc.emergingthreats.net/2004420; classtype:web-application-attack; sid:2004420; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SezHoo SezHooTabsAndActions.php IP Parameter Remote File Inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/SezHooTabsAndActions.php?"; nocase; uricontent:"IP="; nocase; pcre:"/IP=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,31756; reference:url,www.milw0rm.com/exploits/6751; reference:url,doc.emergingthreats.net/2009123; classtype:web-application-attack; sid:2009123; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SHOP-INET show_cat2.php grid Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/show_cat2.php?"; nocase; uricontent:"grid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,33471; reference:url,milw0rm.com/exploits/7874; reference:url,secunia.com/advisories/33660/; reference:url,doc.emergingthreats.net/2010020; classtype:web-application-attack; sid:2010020; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ShopMaker product.php id Parameter Remote SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/product.php?id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:url,www.milw0rm.com/exploits/6799; reference:bugtraq,31854; reference:url,doc.emergingthreats.net/2008723; classtype:web-application-attack; sid:2008723; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID SELECT"; flow:established,to_server; uricontent:"/orange.asp?"; nocase; uricontent:"CatID="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0142; reference:url,www.securityfocus.com/bid/21905; reference:url,doc.emergingthreats.net/2005790; classtype:web-application-attack; sid:2005790; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID UNION SELECT"; flow:established,to_server; uricontent:"/orange.asp?"; nocase; uricontent:"CatID="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0142; reference:url,www.securityfocus.com/bid/21905; reference:url,doc.emergingthreats.net/2005791; classtype:web-application-attack; sid:2005791; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID INSERT"; flow:established,to_server; uricontent:"/orange.asp?"; nocase; uricontent:"CatID="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0142; reference:url,www.securityfocus.com/bid/21905; reference:url,doc.emergingthreats.net/2005792; classtype:web-application-attack; sid:2005792; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID DELETE"; flow:established,to_server; uricontent:"/orange.asp?"; nocase; uricontent:"CatID="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0142; reference:url,www.securityfocus.com/bid/21905; reference:url,doc.emergingthreats.net/2005793; classtype:web-application-attack; sid:2005793; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID ASCII"; flow:established,to_server; uricontent:"/orange.asp?"; nocase; uricontent:"CatID="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0142; reference:url,www.securityfocus.com/bid/21905; reference:url,doc.emergingthreats.net/2005794; classtype:web-application-attack; sid:2005794; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID UPDATE"; flow:established,to_server; uricontent:"/orange.asp?"; nocase; uricontent:"CatID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0142; reference:url,www.securityfocus.com/bid/21905; reference:url,doc.emergingthreats.net/2005795; classtype:web-application-attack; sid:2005795; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple Customer contact.php SQL injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/contact.php?id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:bugtraq,28852; reference:url,doc.emergingthreats.net/2008722; classtype:web-application-attack; sid:2008722; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr SELECT"; flow:established,to_server; uricontent:"/print.php?"; nocase; uricontent:"newsnr="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2750; reference:url,www.milw0rm.com/exploits/3942; reference:url,doc.emergingthreats.net/2003852; classtype:web-application-attack; sid:2003852; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr UNION SELECT"; flow:established,to_server; uricontent:"/print.php?"; nocase; uricontent:"newsnr="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2750; reference:url,www.milw0rm.com/exploits/3942; reference:url,doc.emergingthreats.net/2003853; classtype:web-application-attack; sid:2003853; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr INSERT"; flow:established,to_server; uricontent:"/print.php?"; nocase; uricontent:"newsnr="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2750; reference:url,www.milw0rm.com/exploits/3942; reference:url,doc.emergingthreats.net/2003854; classtype:web-application-attack; sid:2003854; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr DELETE"; flow:established,to_server; uricontent:"/print.php?"; nocase; uricontent:"newsnr="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2750; reference:url,www.milw0rm.com/exploits/3942; reference:url,doc.emergingthreats.net/2003855; classtype:web-application-attack; sid:2003855; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr ASCII"; flow:established,to_server; uricontent:"/print.php?"; nocase; uricontent:"newsnr="; nocase; uricontent:"ASCII("; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2750; reference:url,www.milw0rm.com/exploits/3942; reference:url,doc.emergingthreats.net/2003856; classtype:web-application-attack; sid:2003856; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr UPDATE"; flow:established,to_server; uricontent:"/print.php?"; nocase; uricontent:"newsnr="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2750; reference:url,www.milw0rm.com/exploits/3942; reference:url,doc.emergingthreats.net/2003857; classtype:web-application-attack; sid:2003857; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple PHP Script Gallery Remote Inclusion index.php gallery"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"gallery="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2679; reference:url,www.securityfocus.com/bid/23534; reference:url,doc.emergingthreats.net/2003746; classtype:web-application-attack; sid:2003746; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple Text-File Login script slogin_path parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/slogin_lib.inc.php?"; nocase; uricontent:"slogin_path="; nocase; pcre:"/slogin_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32811; reference:url,milw0rm.com/exploits/7444; reference:url,doc.emergingthreats.net/2008996; classtype:web-application-attack; sid:2008996; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RSS Simple News news.php pid parameter Remote SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/news.php?"; nocase; content:"pid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,www.milw0rm.com/exploits/7541; reference:bugtraq,32962; reference:url,doc.emergingthreats.net/2009000; classtype:web-application-attack; sid:2009000; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username SELECT"; flow:established,to_server; uricontent:"/logon_user.php?"; nocase; uricontent:"username="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004779; classtype:web-application-attack; sid:2004779; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username UNION SELECT"; flow:established,to_server; uricontent:"/logon_user.php?"; nocase; uricontent:"username="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004780; classtype:web-application-attack; sid:2004780; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username INSERT"; flow:established,to_server; uricontent:"/logon_user.php?"; nocase; uricontent:"username="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004781; classtype:web-application-attack; sid:2004781; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username DELETE"; flow:established,to_server; uricontent:"/logon_user.php?"; nocase; uricontent:"username="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004782; classtype:web-application-attack; sid:2004782; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username ASCII"; flow:established,to_server; uricontent:"/logon_user.php?"; nocase; uricontent:"username="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004783; classtype:web-application-attack; sid:2004783; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username UPDATE"; flow:established,to_server; uricontent:"/logon_user.php?"; nocase; uricontent:"username="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004784; classtype:web-application-attack; sid:2004784; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username SELECT"; flow:established,to_server; uricontent:"/update_profile.php?"; nocase; uricontent:"username="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004785; classtype:web-application-attack; sid:2004785; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username UNION SELECT"; flow:established,to_server; uricontent:"/update_profile.php?"; nocase; uricontent:"username="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004786; classtype:web-application-attack; sid:2004786; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username INSERT"; flow:established,to_server; uricontent:"/update_profile.php?"; nocase; uricontent:"username="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004787; classtype:web-application-attack; sid:2004787; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username DELETE"; flow:established,to_server; uricontent:"/update_profile.php?"; nocase; uricontent:"username="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004788; classtype:web-application-attack; sid:2004788; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username ASCII"; flow:established,to_server; uricontent:"/update_profile.php?"; nocase; uricontent:"username="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004789; classtype:web-application-attack; sid:2004789; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username UPDATE"; flow:established,to_server; uricontent:"/update_profile.php?"; nocase; uricontent:"username="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004790; classtype:web-application-attack; sid:2004790; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id SELECT"; flow:established,to_server; uricontent:"/page.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0093; reference:url,www.milw0rm.com/exploits/3076; reference:url,doc.emergingthreats.net/2005871; classtype:web-application-attack; sid:2005871; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id UNION SELECT"; flow:established,to_server; uricontent:"/page.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0093; reference:url,www.milw0rm.com/exploits/3076; reference:url,doc.emergingthreats.net/2005872; classtype:web-application-attack; sid:2005872; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id INSERT"; flow:established,to_server; uricontent:"/page.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0093; reference:url,www.milw0rm.com/exploits/3076; reference:url,doc.emergingthreats.net/2005873; classtype:web-application-attack; sid:2005873; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id DELETE"; flow:established,to_server; uricontent:"/page.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0093; reference:url,www.milw0rm.com/exploits/3076; reference:url,doc.emergingthreats.net/2005874; classtype:web-application-attack; sid:2005874; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id ASCII"; flow:established,to_server; uricontent:"/page.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0093; reference:url,www.milw0rm.com/exploits/3076; reference:url,doc.emergingthreats.net/2005875; classtype:web-application-attack; sid:2005875; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id UPDATE"; flow:established,to_server; uricontent:"/page.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0093; reference:url,www.milw0rm.com/exploits/3076; reference:url,doc.emergingthreats.net/2005876; classtype:web-application-attack; sid:2005876; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Sisplet CMS komentar.php site_path Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/main/forum/komentar.php?"; nocase; uricontent:"site_path="; nocase; pcre:"/site_path\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,23334; reference:url,doc.emergingthreats.net/2010564; classtype:web-application-attack; sid:2010564; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpSkelSite TplSuffix parameter local file inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/login.tpl.php?"; nocase; uricontent:"TplSuffix="; nocase; content:"../"; reference:bugtraq,33092; reference:url,doc.emergingthreats.net/2009070; classtype:web-application-attack; sid:2009070; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpSkelSite theme parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/login.tpl.php?"; nocase; uricontent:"theme="; nocase; pcre:"/theme=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,33092; reference:url,doc.emergingthreats.net/2009071; classtype:web-application-attack; sid:2009071; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SlimCMS edit.php pageid Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/edit.php?"; nocase; uricontent:"pageID="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,32300; reference:url,doc.emergingthreats.net/2008867; classtype:web-application-attack; sid:2008867; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"ps="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005518; classtype:web-application-attack; sid:2005518; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"ps="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005519; classtype:web-application-attack; sid:2005519; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"ps="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005520; classtype:web-application-attack; sid:2005520; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"ps="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005521; classtype:web-application-attack; sid:2005521; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"ps="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005522; classtype:web-application-attack; sid:2005522; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"ps="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005523; classtype:web-application-attack; sid:2005523; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"us="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005524; classtype:web-application-attack; sid:2005524; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"us="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005525; classtype:web-application-attack; sid:2005525; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"us="; distance:0; nocase; http_uri; content:"INSERT"; nocase; http_uri; distance:0; content:"INTO"; nocase; http_uri; distance:0; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005526; classtype:web-application-attack; sid:2005526; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"us="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005527; classtype:web-application-attack; sid:2005527; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"us="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005528; classtype:web-application-attack; sid:2005528; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"us="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005529; classtype:web-application-attack; sid:2005529; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"f="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005530; classtype:web-application-attack; sid:2005530; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"f="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005531; classtype:web-application-attack; sid:2005531; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"f="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005532; classtype:web-application-attack; sid:2005532; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"f="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005533; classtype:web-application-attack; sid:2005533; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"f="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005534; classtype:web-application-attack; sid:2005534; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"f="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005535; classtype:web-application-attack; sid:2005535; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"code="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005536; classtype:web-application-attack; sid:2005536; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"code="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005537; classtype:web-application-attack; sid:2005537; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"code="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005538; classtype:web-application-attack; sid:2005538; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"code="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005539; classtype:web-application-attack; sid:2005539; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"code="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005540; classtype:web-application-attack; sid:2005540; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"code="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005541; classtype:web-application-attack; sid:2005541; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code SELECT"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"code="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005542; classtype:web-application-attack; sid:2005542; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code UNION SELECT"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"code="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005543; classtype:web-application-attack; sid:2005543; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code INSERT"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"code="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005544; classtype:web-application-attack; sid:2005544; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code DELETE"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"code="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005545; classtype:web-application-attack; sid:2005545; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code ASCII"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"code="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005546; classtype:web-application-attack; sid:2005546; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code UPDATE"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"code="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005547; classtype:web-application-attack; sid:2005547; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f SELECT"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"f="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005548; classtype:web-application-attack; sid:2005548; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f UNION SELECT"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"f="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005549; classtype:web-application-attack; sid:2005549; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f INSERT"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"f="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005550; classtype:web-application-attack; sid:2005550; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f DELETE"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"f="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005551; classtype:web-application-attack; sid:2005551; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f ASCII"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"f="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005552; classtype:web-application-attack; sid:2005552; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f UPDATE"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"f="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005553; classtype:web-application-attack; sid:2005553; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us SELECT"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"us="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005554; classtype:web-application-attack; sid:2005554; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us UNION SELECT"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"us="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005555; classtype:web-application-attack; sid:2005555; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us INSERT"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"us="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005556; classtype:web-application-attack; sid:2005556; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us DELETE"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"us="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005557; classtype:web-application-attack; sid:2005557; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us ASCII"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"us="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005558; classtype:web-application-attack; sid:2005558; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us UPDATE"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"us="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005559; classtype:web-application-attack; sid:2005559; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps SELECT"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"ps="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005560; classtype:web-application-attack; sid:2005560; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps UNION SELECT"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"ps="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005561; classtype:web-application-attack; sid:2005561; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps INSERT"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"ps="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005562; classtype:web-application-attack; sid:2005562; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps DELETE"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"ps="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005563; classtype:web-application-attack; sid:2005563; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps ASCII"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"ps="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005564; classtype:web-application-attack; sid:2005564; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps UPDATE"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"ps="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005566; classtype:web-application-attack; sid:2005566; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/vars.inc.php?"; http_uri; nocase; content:"_SESSION[SCRIPT_PATH]="; http_uri; pcre:"/_SESSION\[SCRIPT_PATH\]=\s*(https?|ftps?|php)\x3a\//Ui"; reference:url,secunia.com/advisories/33865/; reference:url,milw0rm.com/exploits/8017; reference:url,doc.emergingthreats.net/2009179; classtype:web-application-attack; sid:2009179; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/pcltar.lib.php?"; nocase; uricontent:"g_pcltar_lib_dir="; pcre:"/g_pcltar_lib_dir=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/33865/; reference:url,milw0rm.com/exploits/8017; reference:url,doc.emergingthreats.net/2009180; classtype:web-application-attack; sid:2009180; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/vars.inc.php?"; http_uri; nocase; content:"_SESSION[SCRIPT_PATH]="; http_uri; content:"../"; reference:url,secunia.com/advisories/33865/; reference:url,milw0rm.com/exploits/8017; reference:url,doc.emergingthreats.net/2009181; classtype:web-application-attack; sid:2009181; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/pcltar.lib.php?"; nocase; uricontent:"g_pcltar_lib_dir="; content:"../"; reference:url,secunia.com/advisories/33865/; reference:url,milw0rm.com/exploits/8017; reference:url,doc.emergingthreats.net/2009182; classtype:web-application-attack; sid:2009182; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id SELECT"; flow:established,to_server; uricontent:"/pop_profile.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1023; reference:url,www.milw0rm.com/exploits/3321; reference:url,doc.emergingthreats.net/2004863; classtype:web-application-attack; sid:2004863; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id UNION SELECT"; flow:established,to_server; uricontent:"/pop_profile.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1023; reference:url,www.milw0rm.com/exploits/3321; reference:url,doc.emergingthreats.net/2004864; classtype:web-application-attack; sid:2004864; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id INSERT"; flow:established,to_server; uricontent:"/pop_profile.asp?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1023; reference:url,www.milw0rm.com/exploits/3321; reference:url,doc.emergingthreats.net/2004865; classtype:web-application-attack; sid:2004865; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id DELETE"; flow:established,to_server; uricontent:"/pop_profile.asp?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1023; reference:url,www.milw0rm.com/exploits/3321; reference:url,doc.emergingthreats.net/2004866; classtype:web-application-attack; sid:2004866; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id ASCII"; flow:established,to_server; uricontent:"/pop_profile.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1023; reference:url,www.milw0rm.com/exploits/3321; reference:url,doc.emergingthreats.net/2004867; classtype:web-application-attack; sid:2004867; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id UPDATE"; flow:established,to_server; uricontent:"/pop_profile.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1023; reference:url,www.milw0rm.com/exploits/3321; reference:url,doc.emergingthreats.net/2004868; classtype:web-application-attack; sid:2004868; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SocialEngine browse_classifieds.php Remote SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/browse_classifieds.php?"; nocase; uricontent:"classifiedcat_id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/33474/; reference:url,milw0rm.com/exploits/7730; reference:url,doc.emergingthreats.net/2009100; classtype:web-application-attack; sid:2009100; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Softsaurus CMS subHeader.php objects_path Parameter Remote File Inclusion -1"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/content/themes/softsaurus_default/pages/subHeader.php?"; nocase; uricontent:"objects_path="; nocase; pcre:"/objects_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,38842; reference:url,exploit-db.com/exploits/11807; reference:url,doc.emergingthreats.net/2011051; classtype:web-application-attack; sid:2011051; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Softsaurus CMS subHeader.php objects_path Parameter Remote File Inclusion -2"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/content/themes/softsaurus_stretched/pages/subHeader.php?"; nocase; uricontent:"objects_path="; nocase; pcre:"/objects_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,38842; reference:url,exploit-db.com/exploits/11807; reference:url,doc.emergingthreats.net/2011052; classtype:web-application-attack; sid:2011052; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent SELECT"; flow:established,to_server; uricontent:"/list.asp?"; nocase; uricontent:"agent="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6807; reference:url,www.milw0rm.com/exploits/3001; reference:url,doc.emergingthreats.net/2006129; classtype:web-application-attack; sid:2006129; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent UNION SELECT"; flow:established,to_server; uricontent:"/list.asp?"; nocase; uricontent:"agent="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6807; reference:url,www.milw0rm.com/exploits/3001; reference:url,doc.emergingthreats.net/2006130; classtype:web-application-attack; sid:2006130; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent INSERT"; flow:established,to_server; uricontent:"/list.asp?"; nocase; uricontent:"agent="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6807; reference:url,www.milw0rm.com/exploits/3001; reference:url,doc.emergingthreats.net/2006131; classtype:web-application-attack; sid:2006131; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent DELETE"; flow:established,to_server; uricontent:"/list.asp?"; nocase; uricontent:"agent="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6807; reference:url,www.milw0rm.com/exploits/3001; reference:url,doc.emergingthreats.net/2006132; classtype:web-application-attack; sid:2006132; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent ASCII"; flow:established,to_server; uricontent:"/list.asp?"; nocase; uricontent:"agent="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6807; reference:url,www.milw0rm.com/exploits/3001; reference:url,doc.emergingthreats.net/2006133; classtype:web-application-attack; sid:2006133; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent UPDATE"; flow:established,to_server; uricontent:"/list.asp?"; nocase; uricontent:"agent="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6807; reference:url,www.milw0rm.com/exploits/3001; reference:url,doc.emergingthreats.net/2006134; classtype:web-application-attack; sid:2006134; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php SELECT"; flow:established,to_server; uricontent:"/game_listing.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-3307; reference:url,www.milw0rm.com/exploits/4078; reference:url,doc.emergingthreats.net/2006479; classtype:web-application-attack; sid:2006479; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php UNION SELECT"; flow:established,to_server; uricontent:"/game_listing.php?"; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3307; reference:url,www.milw0rm.com/exploits/4078; reference:url,doc.emergingthreats.net/2006480; classtype:web-application-attack; sid:2006480; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php INSERT"; flow:established,to_server; uricontent:"/game_listing.php?"; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-3307; reference:url,www.milw0rm.com/exploits/4078; reference:url,doc.emergingthreats.net/2006481; classtype:web-application-attack; sid:2006481; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php DELETE"; flow:established,to_server; uricontent:"/game_listing.php?"; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-3307; reference:url,www.milw0rm.com/exploits/4078; reference:url,doc.emergingthreats.net/2006482; classtype:web-application-attack; sid:2006482; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php ASCII"; flow:established,to_server; uricontent:"/game_listing.php?"; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3307; reference:url,www.milw0rm.com/exploits/4078; reference:url,doc.emergingthreats.net/2006484; classtype:web-application-attack; sid:2006484; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php UPDATE"; flow:established,to_server; uricontent:"/game_listing.php?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-3307; reference:url,www.milw0rm.com/exploits/4078; reference:url,doc.emergingthreats.net/2006485; classtype:web-application-attack; sid:2006485; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SonicBB XSS Attempt -- search.php part"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"part="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-1903; reference:url,www.netvigilance.com/advisory0020; reference:url,doc.emergingthreats.net/2003881; classtype:web-application-attack; sid:2003881; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"list="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004379; classtype:web-application-attack; sid:2004379; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"list="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004380; classtype:web-application-attack; sid:2004380; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"list="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004381; classtype:web-application-attack; sid:2004381; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"list="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004382; classtype:web-application-attack; sid:2004382; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"list="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004383; classtype:web-application-attack; sid:2004383; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"list="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004384; classtype:web-application-attack; sid:2004384; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Sonicwall NSA E7500 XSS attempt (fwReg parameter)"; flow:established,to_server; uricontent:"/servlet/dea/register?"; nocase; uricontent:"pwd="; nocase; uricontent:"fwReg="; nocase; uricontent:"sn="; nocase; pcre:"/\/servlet\/dea\/register\?fwReg=[>\"]/iU"; reference:url,securiteam.com/exploits/6O00C1FQAS.html; reference:url,doc.emergingthreats.net/2010509; classtype:web-application-attack; sid:2010509; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Sonicwall Global Management System XSS attempt (scrn_name parameter)"; flow:established,to_server; uricontent:"/sgms/caption.jsp?"; nocase; uricontent:"scrn_name="; nocase; pcre:"/\/sgms\/caption\.jsp\?.*scrn_name=.*[>\"]/iU"; reference:url,securiteam.com/exploits/6P00D1FQAG.html; reference:url,doc.emergingthreats.net/2010511; classtype:web-application-attack; sid:2010511; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Sourdough neededFiles Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/example_clientside_javascript.php?"; nocase; uricontent:"neededFiles[patForms]="; nocase; pcre:"/neededFiles\[patForms\]=\s*(ftps?|https?|php)\:\//Ui"; reference:url,doc.emergingthreats.net/2009144; classtype:web-application-attack; sid:2009144; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category SELECT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"category="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7057; reference:url,www.secunia.com/advisories/20131; reference:url,doc.emergingthreats.net/2004816; classtype:web-application-attack; sid:2004816; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category UNION SELECT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"category="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7057; reference:url,www.secunia.com/advisories/20131; reference:url,doc.emergingthreats.net/2004817; classtype:web-application-attack; sid:2004817; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category INSERT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"category="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7057; reference:url,www.secunia.com/advisories/20131; reference:url,doc.emergingthreats.net/2004818; classtype:web-application-attack; sid:2004818; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category DELETE"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"category="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7057; reference:url,www.secunia.com/advisories/20131; reference:url,doc.emergingthreats.net/2004819; classtype:web-application-attack; sid:2004819; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category ASCII"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"category="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7057; reference:url,www.secunia.com/advisories/20131; reference:url,doc.emergingthreats.net/2004820; classtype:web-application-attack; sid:2004820; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category UPDATE"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"category="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7057; reference:url,www.secunia.com/advisories/20131; reference:url,doc.emergingthreats.net/2004821; classtype:web-application-attack; sid:2004821; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines SELECT"; flow:established,to_server; uricontent:"/rss/show_webfeed.php?"; nocase; uricontent:"wcHeadlines="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0574; reference:url,www.securityfocus.com/bid/22282; reference:url,doc.emergingthreats.net/2005152; classtype:web-application-attack; sid:2005152; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UNION SELECT"; flow:established,to_server; uricontent:"/rss/show_webfeed.php?"; nocase; uricontent:"wcHeadlines="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0574; reference:url,www.securityfocus.com/bid/22282; reference:url,doc.emergingthreats.net/2005153; classtype:web-application-attack; sid:2005153; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines INSERT"; flow:established,to_server; uricontent:"/rss/show_webfeed.php?"; nocase; uricontent:"wcHeadlines="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0574; reference:url,www.securityfocus.com/bid/22282; reference:url,doc.emergingthreats.net/2005155; classtype:web-application-attack; sid:2005155; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines DELETE"; flow:established,to_server; uricontent:"/rss/show_webfeed.php?"; nocase; uricontent:"wcHeadlines="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0574; reference:url,www.securityfocus.com/bid/22282; reference:url,doc.emergingthreats.net/2005154; classtype:web-application-attack; sid:2005154; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines ASCII"; flow:established,to_server; uricontent:"/rss/show_webfeed.php?"; nocase; uricontent:"wcHeadlines="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0574; reference:url,www.securityfocus.com/bid/22282; reference:url,doc.emergingthreats.net/2005156; classtype:web-application-attack; sid:2005156; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UPDATE"; flow:established,to_server; uricontent:"/rss/show_webfeed.php?"; nocase; uricontent:"wcHeadlines="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0574; reference:url,www.securityfocus.com/bid/22282; reference:url,doc.emergingthreats.net/2005157; classtype:web-application-attack; sid:2005157; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SunByte e-Flower popupproduct.php id Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/popupproduct.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,www.milw0rm.com/exploits/7323; reference:bugtraq,32589; reference:url,doc.emergingthreats.net/2008932; classtype:web-application-attack; sid:2008932; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SuperNews valor.php noticia Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/valor.php?"; nocase; uricontent:"noticia="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,milw0rm.com/exploits/8255; reference:bugtraq,34195; reference:url,doc.emergingthreats.net/2009744; classtype:web-application-attack; sid:2009744; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat SELECT"; flow:established,to_server; uricontent:"/directory.php?"; nocase; uricontent:"cat="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7034; reference:url,www.securityfocus.com/archive/1/archive/1/435166/30/4680/threaded; reference:url,doc.emergingthreats.net/2004822; classtype:web-application-attack; sid:2004822; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat UNION SELECT"; flow:established,to_server; uricontent:"/directory.php?"; nocase; uricontent:"cat="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7034; reference:url,www.securityfocus.com/archive/1/archive/1/435166/30/4680/threaded; reference:url,doc.emergingthreats.net/2004823; classtype:web-application-attack; sid:2004823; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat INSERT"; flow:established,to_server; uricontent:"/directory.php?"; nocase; uricontent:"cat="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7034; reference:url,www.securityfocus.com/archive/1/archive/1/435166/30/4680/threaded; reference:url,doc.emergingthreats.net/2004824; classtype:web-application-attack; sid:2004824; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat DELETE"; flow:established,to_server; uricontent:"/directory.php?"; nocase; uricontent:"cat="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7034; reference:url,www.securityfocus.com/archive/1/archive/1/435166/30/4680/threaded; reference:url,doc.emergingthreats.net/2004825; classtype:web-application-attack; sid:2004825; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat ASCII"; flow:established,to_server; uricontent:"/directory.php?"; nocase; uricontent:"cat="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7034; reference:url,www.securityfocus.com/archive/1/archive/1/435166/30/4680/threaded; reference:url,doc.emergingthreats.net/2004826; classtype:web-application-attack; sid:2004826; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat UPDATE"; flow:established,to_server; uricontent:"/directory.php?"; nocase; uricontent:"cat="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7034; reference:url,www.securityfocus.com/archive/1/archive/1/435166/30/4680/threaded; reference:url,doc.emergingthreats.net/2004827; classtype:web-application-attack; sid:2004827; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp SELECT"; flow:established,to_server; uricontent:"/sendarticle.asp?"; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006633; classtype:web-application-attack; sid:2006633; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp UNION SELECT"; flow:established,to_server; uricontent:"/sendarticle.asp?"; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006634; classtype:web-application-attack; sid:2006634; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp INSERT"; flow:established,to_server; uricontent:"/sendarticle.asp?"; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006635; classtype:web-application-attack; sid:2006635; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp DELETE"; flow:established,to_server; uricontent:"/sendarticle.asp?"; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006636; classtype:web-application-attack; sid:2006636; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp ASCII"; flow:established,to_server; uricontent:"/sendarticle.asp?"; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006637; classtype:web-application-attack; sid:2006637; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp UPDATE"; flow:established,to_server; uricontent:"/sendarticle.asp?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006638; classtype:web-application-attack; sid:2006638; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp SELECT"; flow:established,to_server; uricontent:"/printarticle.asp?"; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006639; classtype:web-application-attack; sid:2006639; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp UNION SELECT"; flow:established,to_server; uricontent:"/printarticle.asp?"; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006640; classtype:web-application-attack; sid:2006640; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp INSERT"; flow:established,to_server; uricontent:"/printarticle.asp?"; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006641; classtype:web-application-attack; sid:2006641; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp DELETE"; flow:established,to_server; uricontent:"/printarticle.asp?"; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006642; classtype:web-application-attack; sid:2006642; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp ASCII"; flow:established,to_server; uricontent:"/printarticle.asp?"; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006643; classtype:web-application-attack; sid:2006643; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp UPDATE"; flow:established,to_server; uricontent:"/printarticle.asp?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006644; classtype:web-application-attack; sid:2006644; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID SELECT"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006645; classtype:web-application-attack; sid:2006645; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID UNION SELECT"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006646; classtype:web-application-attack; sid:2006646; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID INSERT"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006647; classtype:web-application-attack; sid:2006647; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID DELETE"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006648; classtype:web-application-attack; sid:2006648; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID ASCII"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006649; classtype:web-application-attack; sid:2006649; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID UPDATE"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006650; classtype:web-application-attack; sid:2006650; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID SELECT"; flow:established,to_server; uricontent:"/preferences.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006651; classtype:web-application-attack; sid:2006651; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID UNION SELECT"; flow:established,to_server; uricontent:"/preferences.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006652; classtype:web-application-attack; sid:2006652; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID INSERT"; flow:established,to_server; uricontent:"/preferences.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006653; classtype:web-application-attack; sid:2006653; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID DELETE"; flow:established,to_server; uricontent:"/preferences.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006654; classtype:web-application-attack; sid:2006654; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID ASCII"; flow:established,to_server; uricontent:"/preferences.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006655; classtype:web-application-attack; sid:2006655; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID UPDATE"; flow:established,to_server; uricontent:"/preferences.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006656; classtype:web-application-attack; sid:2006656; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SurgeFTP surgeftpmgr.cgi classid Parameter Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/cgi/surgeftpmgr.cgi?"; nocase; uricontent:"cmd=class&"; nocase; uricontent:"classid="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/38097; reference:url,packetstormsecurity.org/1001-exploits/surgeftp-xss.txt; reference:url,doc.emergingthreats.net/2011065; classtype:web-application-attack; sid:2011065; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Synactis All_IN_THE_BOX ActiveX SaveDoc Method Arbitrary File Overwrite"; flow:to_client,established; content:"clsid"; nocase; content:"B5576893-F948-4E0F-9BE1-A37CB56D66FF"; nocase; distance:0; content:"SaveDoc"; nocase; reference:url,milw0rm.com/exploits/7928; reference:bugtraq,33535; reference:url,doc.emergingthreats.net/2009138; classtype:web-application-attack; sid:2009138; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Syntax Desktop preview.php synTarget Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/preview.php?"; nocase; uricontent:"synTarget="; nocase; content:"../"; reference:url,www.milw0rm.com/exploits/7977; reference:bugtraq,33601; reference:url,doc.emergingthreats.net/2009145; classtype:web-application-attack; sid:2009145; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/body_default.php?"; nocase; uricontent:"GOODS[no]="; nocase; uricontent:"GOODS[gs_input]="; nocase; uricontent:"shop_this_skin_path="; nocase; pcre:"/shop_this_skin_path=\s*(https?|ftps?|php)\:\//Ui"; metadata: former_category WEB_SPECIFIC_APPS; reference:url,secunia.com/advisories/33732/; reference:cve,CVE-2009-0441; reference:url,milw0rm.com/exploits/7965; reference:url,doc.emergingthreats.net/2009229; classtype:web-application-attack; sid:2009229; rev:4; metadata:created_at 2010_07_30, updated_at 2017_05_08;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/body_default.php?"; nocase; uricontent:"GOODS[no]="; nocase; uricontent:"GOODS[gs_input]="; nocase; uricontent:"shop_this_skin_path="; nocase; content:"../"; metadata: former_category WEB_SPECIFIC_APPS; reference:url,secunia.com/advisories/33732/; reference:cve,CVE-2009-0441; reference:url,milw0rm.com/exploits/7965; reference:url,doc.emergingthreats.net/2009230; classtype:web-application-attack; sid:2009230; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2017_05_08;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Telephone Directory 2008 edit1.php code Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/edit1.php?"; nocase; uricontent:"action=confirm_data"; nocase; uricontent:"code="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,29614; reference:url,xforce.iss.net/xforce/xfdb/42972; reference:url,milw0rm.com/exploits/5764; reference:url,doc.emergingthreats.net/2010098; classtype:web-application-attack; sid:2010098; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion site_conf.php ordnertiefe"; flow:established,to_server; uricontent:"/site_conf.php?"; nocase; uricontent:"ordnertiefe="; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003705; classtype:web-application-attack; sid:2003705; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion class.csv.php tt_docroot"; flow:established,to_server; uricontent:"/class.csv.php?"; nocase; uricontent:"tt_docroot="; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003706; classtype:web-application-attack; sid:2003706; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion produkte_nach_serie.php tt_docroot"; flow:established,to_server; uricontent:"/produkte_nach_serie.php?"; nocase; uricontent:"tt_docroot="; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003707; classtype:web-application-attack; sid:2003707; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot"; flow:established,to_server; uricontent:"/functionen/ref_kd_rubrik.php?"; nocase; uricontent:"tt_docroot="; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003708; classtype:web-application-attack; sid:2003708; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion hg_referenz_jobgalerie.php tt_docroot"; flow:established,to_server; uricontent:"/hg_referenz_jobgalerie.php?"; nocase; uricontent:"tt_docroot="; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003709; classtype:web-application-attack; sid:2003709; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion surfer_anmeldung_NWL.php tt_docroot"; flow:established,to_server; uricontent:"/surfer_anmeldung_NWL.php?"; nocase; uricontent:"tt_docroot="; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003710; classtype:web-application-attack; sid:2003710; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion produkte_nach_serie_alle.php tt_docroot"; flow:established,to_server; uricontent:"/produkte_nach_serie_alle.php?"; nocase; uricontent:"tt_docroot="; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003711; classtype:web-application-attack; sid:2003711; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion surfer_aendern.php tt_docroot"; flow:established,to_server; uricontent:"/surfer_aendern.php?"; nocase; uricontent:"tt_docroot="; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003712; classtype:web-application-attack; sid:2003712; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot"; flow:established,to_server; uricontent:"/ref_kd_rubrik.php?"; nocase; uricontent:"tt_docroot="; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003715; classtype:web-application-attack; sid:2003715; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion referenz.php tt_docroot"; flow:established,to_server; uricontent:"/module/referenz.php?"; nocase; uricontent:"tt_docroot="; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003713; classtype:web-application-attack; sid:2003713; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion lay.php tt_docroot"; flow:established,to_server; uricontent:"/standard/1/lay.php?"; nocase; uricontent:"tt_docroot="; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003714; classtype:web-application-attack; sid:2003714; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion 3_lay.php tt_docroot"; flow:established,to_server; uricontent:"/standard/3/lay.php?"; nocase; uricontent:"tt_docroot="; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003867; classtype:web-application-attack; sid:2003867; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"board["; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005567; classtype:web-application-attack; sid:2005567; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"board["; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005568; classtype:web-application-attack; sid:2005568; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"board["; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005569; classtype:web-application-attack; sid:2005569; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board DELETE"; flow:established,to_server;  content:"/index.php?"; http_uri; nocase;  content:"board["; fast_pattern; http_uri; nocase;  content:"DELETE"; http_uri; nocase; content:"FROM"; http_uri; nocase; distance:0; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005570; classtype:web-application-attack; sid:2005570; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"board["; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005571; classtype:web-application-attack; sid:2005571; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"board["; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005572; classtype:web-application-attack; sid:2005572; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"lastname="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006003; classtype:web-application-attack; sid:2006003; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname UNION SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"lastname="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006004; classtype:web-application-attack; sid:2006004; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname INSERT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"lastname="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006005; classtype:web-application-attack; sid:2006005; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname DELETE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"lastname="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006006; classtype:web-application-attack; sid:2006006; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname ASCII"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"lastname="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006007; classtype:web-application-attack; sid:2006007; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname UPDATE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"lastname="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006008; classtype:web-application-attack; sid:2006008; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"firstname="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006009; classtype:web-application-attack; sid:2006009; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname UNION SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"firstname="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006010; classtype:web-application-attack; sid:2006010; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname INSERT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"firstname="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006011; classtype:web-application-attack; sid:2006011; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname DELETE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"firstname="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006012; classtype:web-application-attack; sid:2006012; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname ASCII"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"firstname="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006013; classtype:web-application-attack; sid:2006013; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname UPDATE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"firstname="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006014; classtype:web-application-attack; sid:2006014; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"passwordOld="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006015; classtype:web-application-attack; sid:2006015; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld UNION SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"passwordOld="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006016; classtype:web-application-attack; sid:2006016; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld INSERT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"passwordOld="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006017; classtype:web-application-attack; sid:2006017; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld DELETE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"passwordOld="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006018; classtype:web-application-attack; sid:2006018; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld ASCII"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"passwordOld="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006019; classtype:web-application-attack; sid:2006019; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld UPDATE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"passwordOld="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006020; classtype:web-application-attack; sid:2006020; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"passwordNew="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006021; classtype:web-application-attack; sid:2006021; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew UNION SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; content:"passwordNew="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006022; classtype:web-application-attack; sid:2006022; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew INSERT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"passwordNew="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006023; classtype:web-application-attack; sid:2006023; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew DELETE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"passwordNew="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006024; classtype:web-application-attack; sid:2006024; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew ASCII"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"passwordNew="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006025; classtype:web-application-attack; sid:2006025; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew UPDATE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"passwordNew="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006026; classtype:web-application-attack; sid:2006026; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006027; classtype:web-application-attack; sid:2006027; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id UNION SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006028; classtype:web-application-attack; sid:2006028; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id INSERT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006029; classtype:web-application-attack; sid:2006029; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id DELETE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006030; classtype:web-application-attack; sid:2006030; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id ASCII"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006031; classtype:web-application-attack; sid:2006031; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id UPDATE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006032; classtype:web-application-attack; sid:2006032; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"language="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006033; classtype:web-application-attack; sid:2006033; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language UNION SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"language="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006034; classtype:web-application-attack; sid:2006034; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language INSERT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"language="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006035; classtype:web-application-attack; sid:2006035; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language DELETE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"language="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006036; classtype:web-application-attack; sid:2006036; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language ASCII"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"language="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006037; classtype:web-application-attack; sid:2006037; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language UPDATE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"language="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006038; classtype:web-application-attack; sid:2006038; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"defaultLetter="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006039; classtype:web-application-attack; sid:2006039; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter UNION SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"defaultLetter="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006040; classtype:web-application-attack; sid:2006040; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter INSERT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"defaultLetter="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006041; classtype:web-application-attack; sid:2006041; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter DELETE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"defaultLetter="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006042; classtype:web-application-attack; sid:2006042; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter ASCII"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"defaultLetter="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006043; classtype:web-application-attack; sid:2006043; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter UPDATE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"defaultLetter="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006044; classtype:web-application-attack; sid:2006044; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserPass="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006045; classtype:web-application-attack; sid:2006045; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass UNION SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserPass="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006046; classtype:web-application-attack; sid:2006046; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass INSERT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserPass="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006047; classtype:web-application-attack; sid:2006047; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass DELETE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserPass="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006048; classtype:web-application-attack; sid:2006048; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass ASCII"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserPass="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006049; classtype:web-application-attack; sid:2006049; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass UPDATE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserPass="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006050; classtype:web-application-attack; sid:2006050; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserType="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006051; classtype:web-application-attack; sid:2006051; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType UNION SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserType="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006052; classtype:web-application-attack; sid:2006052; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType INSERT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserType="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006053; classtype:web-application-attack; sid:2006053; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType DELETE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserType="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006054; classtype:web-application-attack; sid:2006054; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType ASCII"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserType="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006055; classtype:web-application-attack; sid:2006055; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType UPDATE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserType="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006056; classtype:web-application-attack; sid:2006056; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserEmail="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006057; classtype:web-application-attack; sid:2006057; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail UNION SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserEmail="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006058; classtype:web-application-attack; sid:2006058; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail INSERT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserEmail="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006059; classtype:web-application-attack; sid:2006059; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail DELETE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserEmail="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006060; classtype:web-application-attack; sid:2006060; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail ASCII"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserEmail="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006061; classtype:web-application-attack; sid:2006061; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail UPDATE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserEmail="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006062; classtype:web-application-attack; sid:2006062; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo SELECT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"goTo="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006063; classtype:web-application-attack; sid:2006063; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo UNION SELECT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"goTo="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006064; classtype:web-application-attack; sid:2006064; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo INSERT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"goTo="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006065; classtype:web-application-attack; sid:2006065; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo DELETE"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"goTo="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006066; classtype:web-application-attack; sid:2006066; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo ASCII"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"goTo="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006067; classtype:web-application-attack; sid:2006067; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo UPDATE"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"goTo="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006068; classtype:web-application-attack; sid:2006068; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search SELECT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"search="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006069; classtype:web-application-attack; sid:2006069; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search UNION SELECT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"search="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006070; classtype:web-application-attack; sid:2006070; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search INSERT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"search="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006071; classtype:web-application-attack; sid:2006071; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search DELETE"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"search="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006072; classtype:web-application-attack; sid:2006072; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search ASCII"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"search="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006073; classtype:web-application-attack; sid:2006073; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search UPDATE"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"search="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006074; classtype:web-application-attack; sid:2006074; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName SELECT"; flow:established,to_server; uricontent:"/save.php?"; nocase; uricontent:"groupAddName="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006075; classtype:web-application-attack; sid:2006075; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName UNION SELECT"; flow:established,to_server; uricontent:"/save.php?"; nocase; uricontent:"groupAddName="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006076; classtype:web-application-attack; sid:2006076; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName INSERT"; flow:established,to_server; uricontent:"/save.php?"; nocase; uricontent:"groupAddName="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006077; classtype:web-application-attack; sid:2006077; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName DELETE"; flow:established,to_server; uricontent:"/save.php?"; nocase; uricontent:"groupAddName="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006078; classtype:web-application-attack; sid:2006078; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName ASCII"; flow:established,to_server; uricontent:"/save.php?"; nocase; uricontent:"groupAddName="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006079; classtype:web-application-attack; sid:2006079; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName UPDATE"; flow:established,to_server; uricontent:"/save.php?"; nocase; uricontent:"groupAddName="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006080; classtype:web-application-attack; sid:2006080; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Thyme export.php export_to Parameter Local File Inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/export.php?"; nocase; uricontent:"export_to="; nocase; content:"../"; reference:bugtraq,33731; reference:url,milw0rm.com/exploits/8029; reference:url,doc.emergingthreats.net/2009169; classtype:web-application-attack; sid:2009169; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TinyButStrong bs_us_examples_0view.php script Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/examples/tbs_us_examples_0view.php?"; nocase; uricontent:"script="; nocase; content:"../"; reference:url,milw0rm.com/exploits/8667; reference:url,vupen.com/english/advisories/2009/1304; reference:url,doc.emergingthreats.net/2009789; classtype:web-application-attack; sid:2009789; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Script Toko Online shop_display_products.php cat_id Parameter SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/shop_display_products.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:cve,CVE-2009-0296; reference:url,secunia.com/advisories/33661/; reference:url,milw0rm.com/exploits/7873; reference:url,doc.emergingthreats.net/2009199; classtype:web-application-attack; sid:2009199; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat XSS Attempt -- implicit-objects.jsp"; flow:established,to_server; uricontent:"/implicit-objects.jsp?"; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2006-7195; reference:url,www.frsirt.com/english/advisories/2007/1729; reference:url,doc.emergingthreats.net/2003902; classtype:web-application-attack; sid:2003902; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tomcat XSS Attempt -- hello.jsp test"; flow:established,to_server; uricontent:"/appdev/sample/web/hello.jsp?"; nocase; uricontent:"test="; nocase; uricontent:"script"; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-1355; reference:url,www.securityfocus.com/bid/24058; reference:url,doc.emergingthreats.net/2004575; classtype:web-application-attack; sid:2004575; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TopTree Remote Inclusion Attempt -- tpl_message.php right_file"; flow:established,to_server; uricontent:"/templates/default/tpl_message.php?"; nocase; uricontent:"right_file="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2544; reference:url,www.milw0rm.com/exploits/3854; reference:url,doc.emergingthreats.net/2003669; classtype:web-application-attack; sid:2003669; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TorrentTrader Classic delreq.php categ Parameter Sql Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/torrenttrader109/delreq.php?"; nocase; uricontent:"categ="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,milw0rm.com/exploits/8958; reference:bugtraq,35369; reference:url,doc.emergingthreats.net/2010026; classtype:web-application-attack; sid:2010026; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/config.php?"; nocase; uricontent:"inc_dir="; nocase; pcre:"/inc_dir=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,34617; reference:url,milw0rm.com/exploits/8494; reference:url,doc.emergingthreats.net/2009663; classtype:web-application-attack; sid:2009663; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/config.php?"; nocase; uricontent:"inc_dir="; nocase; content:"../"; reference:bugtraq,34617; reference:url,milw0rm.com/exploits/8494; reference:url,doc.emergingthreats.net/2009726; classtype:web-application-attack; sid:2009726; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TotalCalendar cms_detect.php include Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/cms_detect.php?"; nocase; uricontent:"include="; nocase; content:"../"; reference:url,milw0rm.com/exploits/8503; reference:bugtraq,34634; reference:url,doc.emergingthreats.net/2009729; classtype:web-application-attack; sid:2009729; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tours Manager cityview.php cityid Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/cityview.php?"; nocase; uricontent:"cityid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/32503/; reference:url,milw0rm.com/exploits/6988; reference:url,doc.emergingthreats.net/2008821; classtype:web-application-attack; sid:2008821; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS trac q variable open redirect"; flow:to_server,established; content:"/search?q"; nocase; http_uri; pcre:"/search\?q=(ht|f)tp?\:\//iU"; reference:cve,CVE-2008-2951; reference:url,doc.emergingthreats.net/2008648; classtype:web-application-attack; sid:2008648; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Track+ XSS Attempt -- reportItem.do projId"; flow:established,to_server; uricontent:"/reportItem.do?"; nocase; uricontent:"projId="; nocase; uricontent:"script"; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2819; reference:url,www.securityfocus.com/bid/24060; reference:url,doc.emergingthreats.net/2004558; classtype:web-application-attack; sid:2004558; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tropicalm Remote Inclusion Attempt -- dosearch.php RESPATH"; flow:established,to_server; uricontent:"/dosearch.php?"; nocase; uricontent:"RESPATH="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2530; reference:url,www.milw0rm.com/exploits/3865; reference:url,doc.emergingthreats.net/2003678; classtype:web-application-attack; sid:2003678; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Turnkey Arcade Script id parameter SQL injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"action=play"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/32890/; reference:url,milw0rm.com/exploits/7256; reference:url,doc.emergingthreats.net/2008934; classtype:web-application-attack; sid:2008934; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- payflow_pro.php abs_path"; flow:established,to_server; uricontent:"/include/payment/payflow_pro.php?"; nocase; uricontent:"abs_path="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2474; reference:url,www.securityfocus.com/bid/23662; reference:url,doc.emergingthreats.net/2003687; classtype:web-application-attack; sid:2003687; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- global.php abs_path"; flow:established,to_server; uricontent:"/global.php?"; nocase; uricontent:"abs_path="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2474; reference:url,www.securityfocus.com/bid/23662; reference:url,doc.emergingthreats.net/2003688; classtype:web-application-attack; sid:2003688; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- libsecure.php abs_path"; flow:established,to_server; uricontent:"/libsecure.php?"; nocase; uricontent:"abs_path="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2474; reference:url,www.securityfocus.com/bid/23662; reference:url,doc.emergingthreats.net/2003689; classtype:web-application-attack; sid:2003689; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TurnkeyWebTools SunShop Shopping Cart XSS Attempt -- index.php l"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"l="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2547; reference:url,www.securityfocus.com/bid/23856; reference:url,doc.emergingthreats.net/2003917; classtype:web-application-attack; sid:2003917; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TurnkeyForms Business Survey Pro id parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/survey_results_text.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/32561/; reference:url,milw0rm.com/exploits/7029; reference:url,doc.emergingthreats.net/2008827; classtype:web-application-attack; sid:2008827; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Turnkeyforms Software Directory showcategory.php cid parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/showcategory.php?"; nocase; uricontent:"cid="; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/32568/; reference:url,milw0rm.com/exploits/7027; reference:url,doc.emergingthreats.net/2008828; classtype:web-application-attack; sid:2008828; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TurnkeyForms Local Classifieds listtest.php r parameter SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/listtest.php?"; nocase; uricontent:"r="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/32591/; reference:url,milw0rm.com/exploits/7035; reference:url,doc.emergingthreats.net/2008829; classtype:web-application-attack; sid:2008829; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id SELECT"; flow:established,to_server; uricontent:"/h_goster.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1022; reference:url,www.securityfocus.com/bid/22591; reference:url,doc.emergingthreats.net/2004869; classtype:web-application-attack; sid:2004869; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id UNION SELECT"; flow:established,to_server; uricontent:"/h_goster.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1022; reference:url,www.securityfocus.com/bid/22591; reference:url,doc.emergingthreats.net/2004870; classtype:web-application-attack; sid:2004870; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id INSERT"; flow:established,to_server; uricontent:"/h_goster.asp?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1022; reference:url,www.securityfocus.com/bid/22591; reference:url,doc.emergingthreats.net/2004871; classtype:web-application-attack; sid:2004871; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id DELETE"; flow:established,to_server; uricontent:"/h_goster.asp?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1022; reference:url,www.securityfocus.com/bid/22591; reference:url,doc.emergingthreats.net/2004872; classtype:web-application-attack; sid:2004872; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id ASCII"; flow:established,to_server; uricontent:"/h_goster.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1022; reference:url,www.securityfocus.com/bid/22591; reference:url,doc.emergingthreats.net/2004873; classtype:web-application-attack; sid:2004873; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id UPDATE"; flow:established,to_server; uricontent:"/h_goster.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1022; reference:url,www.securityfocus.com/bid/22591; reference:url,doc.emergingthreats.net/2004874; classtype:web-application-attack; sid:2004874; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- browseCat.php catFile"; flow:established,to_server; uricontent:"/browseCat.php?"; nocase; uricontent:"catFile="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2600; reference:url,www.milw0rm.com/exploits/3887; reference:url,doc.emergingthreats.net/2003888; classtype:web-application-attack; sid:2003888; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- browseSubCat.php catFile"; flow:established,to_server; uricontent:"/browseSubCat.php?"; nocase; uricontent:"catFile="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2600; reference:url,www.milw0rm.com/exploits/3887; reference:url,doc.emergingthreats.net/2003889; classtype:web-application-attack; sid:2003889; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- openTutorial.php id"; flow:established,to_server; uricontent:"/openTutorial.php?"; nocase; uricontent:"id="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2600; reference:url,www.milw0rm.com/exploits/3887; reference:url,doc.emergingthreats.net/2003890; classtype:web-application-attack; sid:2003890; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- topFrame.php id"; flow:established,to_server; uricontent:"/topFrame.php?"; nocase; uricontent:"id="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2600; reference:url,www.milw0rm.com/exploits/3887; reference:url,doc.emergingthreats.net/2003891; classtype:web-application-attack; sid:2003891; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- editListing.php id"; flow:established,to_server; uricontent:"/admin/editListing.php?"; nocase; uricontent:"id="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2600; reference:url,www.milw0rm.com/exploits/3887; reference:url,doc.emergingthreats.net/2003892; classtype:web-application-attack; sid:2003892; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- search.php search"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"search="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2600; reference:url,www.milw0rm.com/exploits/3887; reference:url,doc.emergingthreats.net/2003893; classtype:web-application-attack; sid:2003893; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TWiki INCLUDE remote command execution attempt"; flow:to_server,established; uricontent:"INCLUDE"; nocase; pcre:"/%INCLUDE\s*{.*rev=\"\d+\|.+\".*}\s*%/i"; reference:bugtraq,14960; reference:url,doc.emergingthreats.net/2002662; classtype:web-application-attack; sid:2002662; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TWiki Configure Script TYPEOF Remote Command Execution Attempt"; flow:to_server,established; content:"|26|TYPEOF"; http_uri; nocase; pcre:"/&TYPEOF\:.+system\s*\(/Ui"; reference:cve,CVE-2006-3819; reference:bugtraq,19188; reference:url,doc.emergingthreats.net/2003085; classtype:web-application-attack; sid:2003085; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug SELECT"; flow:established,to_server; uricontent:"/ViewReport.php?"; nocase; uricontent:"bug="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1290; reference:url,www.secunia.com/advisories/24385; reference:url,doc.emergingthreats.net/2004672; classtype:web-application-attack; sid:2004672; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug UNION SELECT"; flow:established,to_server; uricontent:"/ViewReport.php?"; nocase; uricontent:"bug="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1290; reference:url,www.secunia.com/advisories/24385; reference:url,doc.emergingthreats.net/2004673; classtype:web-application-attack; sid:2004673; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug INSERT"; flow:established,to_server; uricontent:"/ViewReport.php?"; nocase; uricontent:"bug="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1290; reference:url,www.secunia.com/advisories/24385; reference:url,doc.emergingthreats.net/2004674; classtype:web-application-attack; sid:2004674; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug DELETE"; flow:established,to_server; uricontent:"/ViewReport.php?"; nocase; uricontent:"bug="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1290; reference:url,www.secunia.com/advisories/24385; reference:url,doc.emergingthreats.net/2004675; classtype:web-application-attack; sid:2004675; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug ASCII"; flow:established,to_server; uricontent:"/ViewReport.php?"; nocase; uricontent:"bug="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1290; reference:url,www.secunia.com/advisories/24385; reference:url,doc.emergingthreats.net/2004676; classtype:web-application-attack; sid:2004676; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug UPDATE"; flow:established,to_server; uricontent:"/ViewReport.php?"; nocase; uricontent:"bug="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1290; reference:url,www.secunia.com/advisories/24385; reference:url,doc.emergingthreats.net/2004677; classtype:web-application-attack; sid:2004677; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s SELECT"; flow:established,to_server; uricontent:"/ViewBugs.php?"; nocase; uricontent:"s="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1289; reference:url,www.securityfocus.com/bid/22799; reference:url,doc.emergingthreats.net/2004678; classtype:web-application-attack; sid:2004678; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s UNION SELECT"; flow:established,to_server; uricontent:"/ViewBugs.php?"; nocase; uricontent:"s="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1289; reference:url,www.securityfocus.com/bid/22799; reference:url,doc.emergingthreats.net/2005185; classtype:web-application-attack; sid:2005185; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s INSERT"; flow:established,to_server; uricontent:"/ViewBugs.php?"; nocase; uricontent:"s="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1289; reference:url,www.securityfocus.com/bid/22799; reference:url,doc.emergingthreats.net/2004679; classtype:web-application-attack; sid:2004679; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s DELETE"; flow:established,to_server; uricontent:"/ViewBugs.php?"; nocase; uricontent:"s="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1289; reference:url,www.securityfocus.com/bid/22799; reference:url,doc.emergingthreats.net/2004680; classtype:web-application-attack; sid:2004680; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s ASCII"; flow:established,to_server; uricontent:"/ViewBugs.php?"; nocase; uricontent:"s="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1289; reference:url,www.securityfocus.com/bid/22799; reference:url,doc.emergingthreats.net/2004681; classtype:web-application-attack; sid:2004681; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s UPDATE"; flow:established,to_server; uricontent:"/ViewBugs.php?"; nocase; uricontent:"s="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1289; reference:url,www.securityfocus.com/bid/22799; reference:url,doc.emergingthreats.net/2004682; classtype:web-application-attack; sid:2004682; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid SELECT"; flow:established,to_server; uricontent:"/banner.php?"; nocase; uricontent:"bid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0520; reference:url,www.securityfocus.com/archive/1/archive/1/457667/100/0/threaded; reference:url,doc.emergingthreats.net/2005233; classtype:web-application-attack; sid:2005233; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid UNION SELECT"; flow:established,to_server; uricontent:"/banner.php?"; nocase; uricontent:"bid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0520; reference:url,www.securityfocus.com/archive/1/archive/1/457667/100/0/threaded; reference:url,doc.emergingthreats.net/2005234; classtype:web-application-attack; sid:2005234; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid INSERT"; flow:established,to_server; uricontent:"/banner.php?"; nocase; uricontent:"bid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0520; reference:url,www.securityfocus.com/archive/1/archive/1/457667/100/0/threaded; reference:url,doc.emergingthreats.net/2005235; classtype:web-application-attack; sid:2005235; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid DELETE"; flow:established,to_server; uricontent:"/banner.php?"; nocase; uricontent:"bid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0520; reference:url,www.securityfocus.com/archive/1/archive/1/457667/100/0/threaded; reference:url,doc.emergingthreats.net/2005236; classtype:web-application-attack; sid:2005236; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid ASCII"; flow:established,to_server; uricontent:"/banner.php?"; nocase; uricontent:"bid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0520; reference:url,www.securityfocus.com/archive/1/archive/1/457667/100/0/threaded; reference:url,doc.emergingthreats.net/2005237; classtype:web-application-attack; sid:2005237; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid UPDATE"; flow:established,to_server; uricontent:"/banner.php?"; nocase; uricontent:"bid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0520; reference:url,www.securityfocus.com/archive/1/archive/1/457667/100/0/threaded; reference:url,doc.emergingthreats.net/2005238; classtype:web-application-attack; sid:2005238; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci SELECT"; flow:established,to_server; uricontent:"/slideshow.asp?"; nocase; uricontent:"ci="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006886; classtype:web-application-attack; sid:2006886; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci UNION SELECT"; flow:established,to_server; uricontent:"/slideshow.asp?"; nocase; uricontent:"ci="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006887; classtype:web-application-attack; sid:2006887; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci INSERT"; flow:established,to_server; uricontent:"/slideshow.asp?"; nocase; uricontent:"ci="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006888; classtype:web-application-attack; sid:2006888; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci DELETE"; flow:established,to_server; uricontent:"/slideshow.asp?"; nocase; uricontent:"ci="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006889; classtype:web-application-attack; sid:2006889; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci ASCII"; flow:established,to_server; uricontent:"/slideshow.asp?"; nocase; uricontent:"ci="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006890; classtype:web-application-attack; sid:2006890; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci UPDATE"; flow:established,to_server; uricontent:"/slideshow.asp?"; nocase; uricontent:"ci="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006891; classtype:web-application-attack; sid:2006891; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci SELECT"; flow:established,to_server; uricontent:"/thumbnails.asp?"; nocase; uricontent:"ci="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006892; classtype:web-application-attack; sid:2006892; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci UNION SELECT"; flow:established,to_server; uricontent:"/thumbnails.asp?"; nocase; uricontent:"ci="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006893; classtype:web-application-attack; sid:2006893; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci INSERT"; flow:established,to_server; uricontent:"/thumbnails.asp?"; nocase; uricontent:"ci="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006894; classtype:web-application-attack; sid:2006894; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci DELETE"; flow:established,to_server; uricontent:"/thumbnails.asp?"; nocase; uricontent:"ci="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006895; classtype:web-application-attack; sid:2006895; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci ASCII"; flow:established,to_server; uricontent:"/thumbnails.asp?"; nocase; uricontent:"ci="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006896; classtype:web-application-attack; sid:2006896; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci UPDATE"; flow:established,to_server; uricontent:"/thumbnails.asp?"; nocase; uricontent:"ci="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006897; classtype:web-application-attack; sid:2006897; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp SELECT"; flow:established,to_server; uricontent:"/badword.asp?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0799; reference:url,www.securityfocus.com/bid/22382; reference:url,doc.emergingthreats.net/2005003; classtype:web-application-attack; sid:2005003; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp UNION SELECT"; flow:established,to_server; uricontent:"/badword.asp?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0799; reference:url,www.securityfocus.com/bid/22382; reference:url,doc.emergingthreats.net/2005004; classtype:web-application-attack; sid:2005004; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp INSERT"; flow:established,to_server; uricontent:"/badword.asp?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0799; reference:url,www.securityfocus.com/bid/22382; reference:url,doc.emergingthreats.net/2005005; classtype:web-application-attack; sid:2005005; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp DELETE"; flow:established,to_server; uricontent:"/badword.asp?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0799; reference:url,www.securityfocus.com/bid/22382; reference:url,doc.emergingthreats.net/2005006; classtype:web-application-attack; sid:2005006; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp ASCII"; flow:established,to_server; uricontent:"/badword.asp?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0799; reference:url,www.securityfocus.com/bid/22382; reference:url,doc.emergingthreats.net/2005007; classtype:web-application-attack; sid:2005007; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp UPDATE"; flow:established,to_server; uricontent:"/badword.asp?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0799; reference:url,www.securityfocus.com/bid/22382; reference:url,doc.emergingthreats.net/2005008; classtype:web-application-attack; sid:2005008; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat SELECT"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007283; classtype:web-application-attack; sid:2007283; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat UNION SELECT"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007200; classtype:web-application-attack; sid:2007200; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat INSERT"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007201; classtype:web-application-attack; sid:2007201; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat DELETE"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007202; classtype:web-application-attack; sid:2007202; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat ASCII"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007203; classtype:web-application-attack; sid:2007203; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat UPDATE"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007204; classtype:web-application-attack; sid:2007204; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did SELECT"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"did="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007205; classtype:web-application-attack; sid:2007205; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did UNION SELECT"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"did="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007206; classtype:web-application-attack; sid:2007206; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did INSERT"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"did="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007207; classtype:web-application-attack; sid:2007207; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did DELETE"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"did="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007208; classtype:web-application-attack; sid:2007208; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did ASCII"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"did="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007209; classtype:web-application-attack; sid:2007209; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did UPDATE"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"did="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007210; classtype:web-application-attack; sid:2007210; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultrastats serverid parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"serverid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,32340; reference:url,milw0rm.com/exploits/7148; reference:url,doc.emergingthreats.net/2008872; classtype:web-application-attack; sid:2008872; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/include/timesheet.php?"; nocase; uricontent:"config[include_dir]="; pcre:"/config\[include_dir\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/9297; reference:url,secunia.com/advisories/36033/; reference:url,doc.emergingthreats.net/2010126; classtype:web-application-attack; sid:2010126; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/include/timesheet.php?"; nocase; uricontent:"config[include_dir]="; content:"../"; depth:200; reference:url,milw0rm.com/exploits/9297; reference:url,secunia.com/advisories/36033/; reference:url,doc.emergingthreats.net/2010127; classtype:web-application-attack; sid:2010127; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VM Watermark Remote Inclusion Attempt -- watermark.php GALLERY_BASEDIR"; flow:established,to_server; uricontent:"/watermark.php?"; nocase; uricontent:"GALLERY_BASEDIR="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2575; reference:url,www.milw0rm.com/exploits/3857; reference:url,doc.emergingthreats.net/2003692; classtype:web-application-attack; sid:2003692; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart XSS Attempt -- shopcontent.asp type"; flow:established,to_server; uricontent:"/shopcontent.asp?"; nocase; uricontent:"type="; nocase; uricontent:"script"; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2790; reference:url,www.securityfocus.com/archive/1/archive/1/468834/100/0/threaded; reference:url,doc.emergingthreats.net/2004573; classtype:web-application-attack; sid:2004573; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname SELECT"; flow:established,to_server; uricontent:"/shopgiftregsearch.asp?"; nocase; uricontent:"LoginLastname="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0224; reference:url,www.milw0rm.com/exploits/3115; reference:url,doc.emergingthreats.net/2005669; classtype:web-application-attack; sid:2005669; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname UNION SELECT"; flow:established,to_server; uricontent:"/shopgiftregsearch.asp?"; nocase; uricontent:"LoginLastname="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0224; reference:url,www.milw0rm.com/exploits/3115; reference:url,doc.emergingthreats.net/2005670; classtype:web-application-attack; sid:2005670; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname INSERT"; flow:established,to_server; uricontent:"/shopgiftregsearch.asp?"; nocase; uricontent:"LoginLastname="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0224; reference:url,www.milw0rm.com/exploits/3115; reference:url,doc.emergingthreats.net/2005671; classtype:web-application-attack; sid:2005671; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname DELETE"; flow:established,to_server; uricontent:"/shopgiftregsearch.asp?"; nocase; uricontent:"LoginLastname="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0224; reference:url,www.milw0rm.com/exploits/3115; reference:url,doc.emergingthreats.net/2005672; classtype:web-application-attack; sid:2005672; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname ASCII"; flow:established,to_server; uricontent:"/shopgiftregsearch.asp?"; nocase; uricontent:"LoginLastname="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0224; reference:url,www.milw0rm.com/exploits/3115; reference:url,doc.emergingthreats.net/2005673; classtype:web-application-attack; sid:2005673; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname UPDATE"; flow:established,to_server; uricontent:"/shopgiftregsearch.asp?"; nocase; uricontent:"LoginLastname="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0224; reference:url,www.milw0rm.com/exploits/3115; reference:url,doc.emergingthreats.net/2005674; classtype:web-application-attack; sid:2005674; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VS Panel showcat.php Cat_ID Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/showcat.php?"; nocase; uricontent:"Cat_ID="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,34648; reference:url,milw0rm.com/exploits/8506; reference:url,doc.emergingthreats.net/2009731; classtype:web-application-attack; sid:2009731; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user SELECT"; flow:established,to_server; uricontent:"/vf_memberdetail.asp?"; nocase; uricontent:"user="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6448; reference:url,www.frsirt.com/english/advisories/2006/4850; reference:url,doc.emergingthreats.net/2006603; classtype:web-application-attack; sid:2006603; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user UNION SELECT"; flow:established,to_server; uricontent:"/vf_memberdetail.asp?"; nocase; uricontent:"user="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6448; reference:url,www.frsirt.com/english/advisories/2006/4850; reference:url,doc.emergingthreats.net/2006604; classtype:web-application-attack; sid:2006604; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user INSERT"; flow:established,to_server; uricontent:"/vf_memberdetail.asp?"; nocase; uricontent:"user="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6448; reference:url,www.frsirt.com/english/advisories/2006/4850; reference:url,doc.emergingthreats.net/2006605; classtype:web-application-attack; sid:2006605; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user DELETE"; flow:established,to_server; uricontent:"/vf_memberdetail.asp?"; nocase; uricontent:"user="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6448; reference:url,www.frsirt.com/english/advisories/2006/4850; reference:url,doc.emergingthreats.net/2006606; classtype:web-application-attack; sid:2006606; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user ASCII"; flow:established,to_server; uricontent:"/vf_memberdetail.asp?"; nocase; uricontent:"user="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6448; reference:url,www.frsirt.com/english/advisories/2006/4850; reference:url,doc.emergingthreats.net/2006607; classtype:web-application-attack; sid:2006607; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user UPDATE"; flow:established,to_server; uricontent:"/vf_memberdetail.asp?"; nocase; uricontent:"user="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6448; reference:url,www.frsirt.com/english/advisories/2006/4850; reference:url,doc.emergingthreats.net/2006608; classtype:web-application-attack; sid:2006608; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP VWar Remote File Inclusion get_header.php"; flow:established,to_server; uricontent:"/get_header.php"; nocase; pcre:"/vwar_root=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.milw0rm.com/exploits/1632; reference:cve,2006-1636; reference:bugtraq,17358; reference:url,doc.emergingthreats.net/2002899; classtype:web-application-attack; sid:2002899; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP VWar Remote File Inclusion functions_install.php"; flow:established,to_server; uricontent:"/functions_install.php"; nocase; pcre:"/vwar_root=\s*(ftps?|https?|php)\:\//Ui"; reference:cve,2006-1503; reference:bugtraq,17290; reference:url,doc.emergingthreats.net/2002902; classtype:web-application-attack; sid:2002902; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ve-EDIT edit_htmlarea.php highlighter Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/editor/edit_htmlarea.php?"; nocase; uricontent:"highlighter="; nocase; pcre:"/highlighter\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/57679; reference:url,doc.emergingthreats.net/2010254; classtype:web-application-attack; sid:2010254; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ve-EDIT debug_php.php _GET Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/debugger/debug_php.php?"; nocase; uricontent:"_GET[filename]="; nocase; content:"../"; depth:200; reference:url,osvdb.org/show/osvdb/57680; reference:url,doc.emergingthreats.net/2010255; classtype:web-application-attack; sid:2010255; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Venalsur Booking Centre HotelID Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/hotel_habitaciones.php?"; nocase; uricontent:"HotelID="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,www.milw0rm.com/exploits/7253; reference:bugtraq,32512; reference:url,doc.emergingthreats.net/2008926; classtype:web-application-attack; sid:2008926; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod SELECT"; flow:established,to_server; uricontent:"/repass.php?"; nocase; uricontent:"nick_mod="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006279; classtype:web-application-attack; sid:2006279; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod UNION SELECT"; flow:established,to_server; uricontent:"/repass.php?"; nocase; uricontent:"nick_mod="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006280; classtype:web-application-attack; sid:2006280; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod INSERT"; flow:established,to_server; uricontent:"/repass.php?"; nocase; uricontent:"nick_mod="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006281; classtype:web-application-attack; sid:2006281; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod DELETE"; flow:established,to_server; uricontent:"/repass.php?"; nocase; uricontent:"nick_mod="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006282; classtype:web-application-attack; sid:2006282; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod ASCII"; flow:established,to_server; uricontent:"/repass.php?"; nocase; uricontent:"nick_mod="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006283; classtype:web-application-attack; sid:2006283; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod UPDATE"; flow:established,to_server; uricontent:"/repass.php?"; nocase; uricontent:"nick_mod="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006284; classtype:web-application-attack; sid:2006284; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick SELECT"; flow:established,to_server; uricontent:"/repass.php?"; nocase; uricontent:"nick="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006285; classtype:web-application-attack; sid:2006285; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick UNION SELECT"; flow:established,to_server; uricontent:"/repass.php?"; nocase; uricontent:"nick="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006286; classtype:web-application-attack; sid:2006286; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick INSERT"; flow:established,to_server; uricontent:"/repass.php?"; nocase; uricontent:"nick="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006287; classtype:web-application-attack; sid:2006287; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick DELETE"; flow:established,to_server; uricontent:"/repass.php?"; nocase; uricontent:"nick="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006288; classtype:web-application-attack; sid:2006288; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick ASCII"; flow:established,to_server; uricontent:"/repass.php?"; nocase; uricontent:"nick="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006289; classtype:web-application-attack; sid:2006289; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick UPDATE"; flow:established,to_server; uricontent:"/repass.php?"; nocase; uricontent:"nick="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006290; classtype:web-application-attack; sid:2006290; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick SELECT"; flow:established,to_server; uricontent:"/verify.php?"; nocase; uricontent:"nick="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006291; classtype:web-application-attack; sid:2006291; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick UNION SELECT"; flow:established,to_server; uricontent:"/verify.php?"; nocase; uricontent:"nick="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006292; classtype:web-application-attack; sid:2006292; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick INSERT"; flow:established,to_server; uricontent:"/verify.php?"; nocase; uricontent:"nick="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006293; classtype:web-application-attack; sid:2006293; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick DELETE"; flow:established,to_server; uricontent:"/verify.php?"; nocase; uricontent:"nick="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006294; classtype:web-application-attack; sid:2006294; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick ASCII"; flow:established,to_server; uricontent:"/verify.php?"; nocase; uricontent:"nick="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006295; classtype:web-application-attack; sid:2006295; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick UPDATE"; flow:established,to_server; uricontent:"/verify.php?"; nocase; uricontent:"nick="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006296; classtype:web-application-attack; sid:2006296; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod SELECT"; flow:established,to_server; uricontent:"/verify.php?"; nocase; uricontent:"nick_mod="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006297; classtype:web-application-attack; sid:2006297; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod UNION SELECT"; flow:established,to_server; uricontent:"/verify.php?"; nocase; uricontent:"nick_mod="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006298; classtype:web-application-attack; sid:2006298; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod INSERT"; flow:established,to_server; uricontent:"/verify.php?"; nocase; uricontent:"nick_mod="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006299; classtype:web-application-attack; sid:2006299; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod DELETE"; flow:established,to_server; uricontent:"/verify.php?"; nocase; uricontent:"nick_mod="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006300; classtype:web-application-attack; sid:2006300; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod ASCII"; flow:established,to_server; uricontent:"/verify.php?"; nocase; uricontent:"nick_mod="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006301; classtype:web-application-attack; sid:2006301; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod UPDATE"; flow:established,to_server; uricontent:"/verify.php?"; nocase; uricontent:"nick_mod="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006302; classtype:web-application-attack; sid:2006302; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Versado CMS Remote Inclusion Attempt -- ajax_listado.php urlModulo"; flow:established,to_server; uricontent:"/includes/ajax_listado.php?"; nocase; uricontent:"urlModulo="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2541; reference:url,www.milw0rm.com/exploits/3847; reference:url,doc.emergingthreats.net/2003671; classtype:web-application-attack; sid:2003671; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Versatile Bulletin Board SQL Injection Attack"; flow:to_server,established; content:"/index.php?"; http_uri; nocase; content:"select="; nocase; http_uri; fast_pattern; pcre:"/UNION\s+SELECT/Ui"; reference:bugtraq,15068; reference:url,doc.emergingthreats.net/2002494; classtype:web-application-attack; sid:2002494; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VidShare Pro listing_video.php catid Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/listing_video.php?"; nocase; uricontent:"catid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; pcre:"/UNION.+SELECT/Ui"; reference:url,milw0rm.com/exploits/8737; reference:bugtraq,35033; reference:url,doc.emergingthreats.net/2009794; classtype:web-application-attack; sid:2009794; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 10000 (msg:"ET WEB_SPECIFIC_APPS Virtualmin left.cgi XSS attempt "; flow:to_server,established; content:"GET "; depth:4; content:"/left.cgi?"; nocase; content:"dom="; nocase; content:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/i"; reference:url,milw0rm.com/exploits/9143; reference:url,doc.emergingthreats.net/2009587; classtype:web-application-attack; sid:2009587; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 10000 (msg:"ET WEB_SPECIFIC_APPS Virtualmin link.cgi XSS attempt "; flow:to_server,established; content:"GET "; depth:4; content:"/link.cgi/"; nocase; content:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:url,milw0rm.com/exploits/9143; reference:url,doc.emergingthreats.net/2009588; classtype:web-application-attack; sid:2009588; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 10000 (msg:"ET WEB_SPECIFIC_APPS Virtualmin Anonymous Proxy attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/virtual-server/link.cgi/"; nocase; content:"/http\://"; nocase; reference:url,milw0rm.com/exploits/9143; reference:url,doc.emergingthreats.net/2009589; classtype:web-application-attack; sid:2009589; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid SELECT"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"Itemid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005493; classtype:web-application-attack; sid:2005493; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid UNION SELECT"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"Itemid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005494; classtype:web-application-attack; sid:2005494; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid INSERT"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"Itemid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005495; classtype:web-application-attack; sid:2005495; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid DELETE"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"Itemid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005496; classtype:web-application-attack; sid:2005496; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid ASCII"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"Itemid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005497; classtype:web-application-attack; sid:2005497; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid UPDATE"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"Itemid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005498; classtype:web-application-attack; sid:2005498; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id SELECT"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"product_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005499; classtype:web-application-attack; sid:2005499; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id UNION SELECT"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"product_id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005500; classtype:web-application-attack; sid:2005500; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id INSERT"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"product_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005501; classtype:web-application-attack; sid:2005501; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id DELETE"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"product_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005502; classtype:web-application-attack; sid:2005502; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id ASCII"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"product_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005503; classtype:web-application-attack; sid:2005503; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id UPDATE"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"product_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005504; classtype:web-application-attack; sid:2005504; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id SELECT"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"category_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005505; classtype:web-application-attack; sid:2005505; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id UNION SELECT"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"category_id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005506; classtype:web-application-attack; sid:2005506; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id INSERT"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"category_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005507; classtype:web-application-attack; sid:2005507; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id DELETE"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"category_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005508; classtype:web-application-attack; sid:2005508; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id ASCII"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"category_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005509; classtype:web-application-attack; sid:2005509; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id UPDATE"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"category_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005510; classtype:web-application-attack; sid:2005510; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VirtueMart Google Base Component admin.googlebase.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/admin.googlebase.php?"; nocase; uricontent:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32098; reference:url,milw0rm.com/exploits/6975; reference:url,doc.emergingthreats.net/2009877; classtype:web-application-attack; sid:2009877; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id SELECT"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2803; reference:url,www.secunia.com/advisories/25348; reference:url,doc.emergingthreats.net/2003993; classtype:web-application-attack; sid:2003993; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id UNION SELECT"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2803; reference:url,www.secunia.com/advisories/25348; reference:url,doc.emergingthreats.net/2003994; classtype:web-application-attack; sid:2003994; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id INSERT"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2803; reference:url,www.secunia.com/advisories/25348; reference:url,doc.emergingthreats.net/2003995; classtype:web-application-attack; sid:2003995; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id DELETE"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2803; reference:url,www.secunia.com/advisories/25348; reference:url,doc.emergingthreats.net/2003996; classtype:web-application-attack; sid:2003996; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id ASCII"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2803; reference:url,www.secunia.com/advisories/25348; reference:url,doc.emergingthreats.net/2003997; classtype:web-application-attack; sid:2003997; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id UPDATE"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase;  uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2803; reference:url,www.secunia.com/advisories/25348; reference:url,doc.emergingthreats.net/2003998; classtype:web-application-attack; sid:2003998; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id SELECT"; flow:established,to_server; uricontent:"/haberdetay.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0052; reference:url,www.milw0rm.com/exploits/3061; reference:url,doc.emergingthreats.net/2005889; classtype:web-application-attack; sid:2005889; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id UNION SELECT"; flow:established,to_server; uricontent:"/haberdetay.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0052; reference:url,www.milw0rm.com/exploits/3061; reference:url,doc.emergingthreats.net/2005890; classtype:web-application-attack; sid:2005890; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id INSERT"; flow:established,to_server; uricontent:"/haberdetay.asp?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0052; reference:url,www.milw0rm.com/exploits/3061; reference:url,doc.emergingthreats.net/2005891; classtype:web-application-attack; sid:2005891; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id DELETE"; flow:established,to_server; uricontent:"/haberdetay.asp?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0052; reference:url,www.milw0rm.com/exploits/3061; reference:url,doc.emergingthreats.net/2005892; classtype:web-application-attack; sid:2005892; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id ASCII"; flow:established,to_server; uricontent:"/haberdetay.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0052; reference:url,www.milw0rm.com/exploits/3061; reference:url,doc.emergingthreats.net/2005893; classtype:web-application-attack; sid:2005893; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id UPDATE"; flow:established,to_server; uricontent:"/haberdetay.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0052; reference:url,www.milw0rm.com/exploits/3061; reference:url,doc.emergingthreats.net/2005894; classtype:web-application-attack; sid:2005894; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vlog System note parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/blog.php?"; nocase; uricontent:"user="; nocase; uricontent:"note="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/32784/; reference:url,www.milw0rm.com/exploits/7186; reference:url,doc.emergingthreats.net/2008875; classtype:web-application-attack; sid:2008875; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat SELECT"; flow:established,to_server; uricontent:"/cat.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007416; classtype:web-application-attack; sid:2007416; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat UNION SELECT"; flow:established,to_server; uricontent:"/cat.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007417; classtype:web-application-attack; sid:2007417; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat INSERT"; flow:established,to_server; uricontent:"/cat.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007418; classtype:web-application-attack; sid:2007418; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat DELETE"; flow:established,to_server; uricontent:"/cat.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007419; classtype:web-application-attack; sid:2007419; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat ASCII"; flow:established,to_server; uricontent:"/cat.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007420; classtype:web-application-attack; sid:2007420; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat UPDATE"; flow:established,to_server; uricontent:"/cat.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007421; classtype:web-application-attack; sid:2007421; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword SELECT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"keyword="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007422; classtype:web-application-attack; sid:2007422; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword UNION SELECT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"keyword="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007423; classtype:web-application-attack; sid:2007423; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword INSERT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"keyword="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007424; classtype:web-application-attack; sid:2007424; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword DELETE"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"keyword="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007425; classtype:web-application-attack; sid:2007425; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword ASCII"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"keyword="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007426; classtype:web-application-attack; sid:2007426; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword UPDATE"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"keyword="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007427; classtype:web-application-attack; sid:2007427; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order SELECT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"order="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007428; classtype:web-application-attack; sid:2007428; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order UNION SELECT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"order="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007429; classtype:web-application-attack; sid:2007429; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order INSERT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"order="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007430; classtype:web-application-attack; sid:2007430; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order DELETE"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"order="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007431; classtype:web-application-attack; sid:2007431; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order ASCII"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"order="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007432; classtype:web-application-attack; sid:2007432; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order UPDATE"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"order="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007433; classtype:web-application-attack; sid:2007433; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort SELECT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"sort="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007434; classtype:web-application-attack; sid:2007434; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort UNION SELECT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"sort="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007435; classtype:web-application-attack; sid:2007435; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort INSERT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"sort="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007436; classtype:web-application-attack; sid:2007436; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort DELETE"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"sort="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007437; classtype:web-application-attack; sid:2007437; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort ASCII"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"sort="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007438; classtype:web-application-attack; sid:2007438; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort UPDATE"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"sort="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007439; classtype:web-application-attack; sid:2007439; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect SELECT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"menuSelect="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007440; classtype:web-application-attack; sid:2007440; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect UNION SELECT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"menuSelect="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007441; classtype:web-application-attack; sid:2007441; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect INSERT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"menuSelect="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007442; classtype:web-application-attack; sid:2007442; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect DELETE"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"menuSelect="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007443; classtype:web-application-attack; sid:2007443; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect ASCII"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"menuSelect="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007444; classtype:web-application-attack; sid:2007444; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect UPDATE"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"menuSelect="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007445; classtype:web-application-attack; sid:2007445; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state SELECT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"state="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007446; classtype:web-application-attack; sid:2007446; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state UNION SELECT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"state="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007447; classtype:web-application-attack; sid:2007447; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state INSERT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"state="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007448; classtype:web-application-attack; sid:2007448; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state DELETE"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"state="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007449; classtype:web-application-attack; sid:2007449; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state ASCII"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"state="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007450; classtype:web-application-attack; sid:2007450; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state UPDATE"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"state="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007451; classtype:web-application-attack; sid:2007451; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum SELECT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"search_forum="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004128; classtype:web-application-attack; sid:2004128; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum UNION SELECT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"search_forum="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004129; classtype:web-application-attack; sid:2004129; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum INSERT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"search_forum="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004130; classtype:web-application-attack; sid:2004130; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum DELETE"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"search_forum="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004131; classtype:web-application-attack; sid:2004131; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum ASCII"; flow:established,to_server; content:"/search.php?"; http_uri; nocase; content:"search_forum="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004132; classtype:web-application-attack; sid:2004132; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum UPDATE"; flow:established,to_server; content:"/search.php?"; http_uri; nocase; content:"search_forum="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004133; classtype:web-application-attack; sid:2004133; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user SELECT"; flow:established,to_server; content:"/search.php?"; http_uri; nocase; content:"search_user="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004134; classtype:web-application-attack; sid:2004134; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user UNION SELECT"; flow:established,to_server; content:"/search.php?"; http_uri; nocase; content:"search_user="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004135; classtype:web-application-attack; sid:2004135; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user INSERT"; flow:established,to_server; content:"/search.php?"; http_uri; nocase; content:"search_user="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004136; classtype:web-application-attack; sid:2004136; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user DELETE"; flow:established,to_server; content:"/search.php?"; http_uri; nocase; content:"search_user="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004137; classtype:web-application-attack; sid:2004137; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user ASCII"; flow:established,to_server; content:"/search.php?"; http_uri; nocase; content:"search_user="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004138; classtype:web-application-attack; sid:2004138; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user UPDATE"; flow:established,to_server; content:"/search.php?"; http_uri; nocase; content:"search_user="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004139; classtype:web-application-attack; sid:2004139; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id SELECT"; flow:established,to_server; content:"/urunbak.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3133; reference:url,www.securityfocus.com/bid/24364; reference:url,doc.emergingthreats.net/2004647; classtype:web-application-attack; sid:2004647; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id UNION SELECT"; flow:established,to_server; content:"/urunbak.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3133; reference:url,www.securityfocus.com/bid/24364; reference:url,doc.emergingthreats.net/2004648; classtype:web-application-attack; sid:2004648; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id INSERT"; flow:established,to_server; content:"/urunbak.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3133; reference:url,www.securityfocus.com/bid/24364; reference:url,doc.emergingthreats.net/2004649; classtype:web-application-attack; sid:2004649; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id DELETE"; flow:established,to_server; content:"/urunbak.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3133; reference:url,www.securityfocus.com/bid/24364; reference:url,doc.emergingthreats.net/2004650; classtype:web-application-attack; sid:2004650; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id ASCII"; flow:established,to_server; content:"/urunbak.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3133; reference:url,www.securityfocus.com/bid/24364; reference:url,doc.emergingthreats.net/2004651; classtype:web-application-attack; sid:2004651; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id UPDATE"; flow:established,to_server; content:"/urunbak.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3133; reference:url,www.securityfocus.com/bid/24364; reference:url,doc.emergingthreats.net/2004652; classtype:web-application-attack; sid:2004652; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft SELECT"; flow:established,to_server; content:"/mailer.w2b?"; http_uri; nocase; content:"draft="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005304; classtype:web-application-attack; sid:2005304; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft UNION SELECT"; flow:established,to_server; content:"/mailer.w2b?"; http_uri; nocase; content:"draft="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005305; classtype:web-application-attack; sid:2005305; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft INSERT"; flow:established,to_server; content:"/mailer.w2b?"; http_uri; nocase; content:"draft="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005306; classtype:web-application-attack; sid:2005306; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft DELETE"; flow:established,to_server; content:"/mailer.w2b?"; http_uri; nocase; content:"draft="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005307; classtype:web-application-attack; sid:2005307; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft ASCII"; flow:established,to_server; content:"/mailer.w2b?"; http_uri; nocase; content:"draft="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005308; classtype:web-application-attack; sid:2005308; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft UPDATE"; flow:established,to_server; content:"/mailer.w2b?"; http_uri; nocase; content:"draft="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005309; classtype:web-application-attack; sid:2005309; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay SELECT"; flow:established,to_server; content:"/DocPay.w2b?"; http_uri; nocase; content:"listDocPay="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005310; classtype:web-application-attack; sid:2005310; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay UNION SELECT"; flow:established,to_server; content:"/DocPay.w2b?"; http_uri; nocase; content:"listDocPay="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005187; classtype:web-application-attack; sid:2005187; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay INSERT"; flow:established,to_server; content:"/DocPay.w2b?"; http_uri; nocase; content:"listDocPay="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005188; classtype:web-application-attack; sid:2005188; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay DELETE"; flow:established,to_server; content:"/DocPay.w2b?"; http_uri; nocase; content:"listDocPay="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005189; classtype:web-application-attack; sid:2005189; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay ASCII"; flow:established,to_server; content:"/DocPay.w2b?"; http_uri; nocase; content:"listDocPay="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005190; classtype:web-application-attack; sid:2005190; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay UPDATE"; flow:established,to_server; content:"/DocPay.w2b?"; http_uri; nocase; content:"listDocPay="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005191; classtype:web-application-attack; sid:2005191; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"e_id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1481; reference:url,www.milw0rm.com/exploits/3490; reference:url,doc.emergingthreats.net/2004313; classtype:web-application-attack; sid:2004313; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"e_id="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1481; reference:url,www.milw0rm.com/exploits/3490; reference:url,doc.emergingthreats.net/2004314; classtype:web-application-attack; sid:2004314; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"e_id="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1481; reference:url,www.milw0rm.com/exploits/3490; reference:url,doc.emergingthreats.net/2004315; classtype:web-application-attack; sid:2004315; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"e_id="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1481; reference:url,www.milw0rm.com/exploits/3490; reference:url,doc.emergingthreats.net/2004316; classtype:web-application-attack; sid:2004316; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"e_id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1481; reference:url,www.milw0rm.com/exploits/3490; reference:url,doc.emergingthreats.net/2004318; classtype:web-application-attack; sid:2004318; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"e_id="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1481; reference:url,www.milw0rm.com/exploits/3490; reference:url,doc.emergingthreats.net/2004317; classtype:web-application-attack; sid:2004317; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WB News search.php config Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/search.php?"; http_uri; nocase; content:"config[installdir]="; http_uri; nocase; pcre:"/config\[installdir\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,33434; reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html; reference:url,doc.emergingthreats.net/2009838; classtype:web-application-attack; sid:2009838; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WB News archive.php config Parameter Remote File Inclusion -1"; flow:to_server,established; content:"GET"; http_method; content:"/archive.php?"; http_uri; nocase; content:"config[installdir]="; http_uri; nocase; pcre:"/config\[installdir\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,33434; reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html; reference:url,doc.emergingthreats.net/2009839; classtype:web-application-attack; sid:2009839; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WB News Archive.php config Parameter Remote File Inclusion -2"; flow:to_server,established; content:"GET"; http_method; content:"/base/Archive.php?"; http_uri; nocase; content:"config[installdir]="; http_uri; nocase; pcre:"/config\[installdir\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,33434; reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html; reference:url,doc.emergingthreats.net/2009840; classtype:web-application-attack; sid:2009840; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WB News comments.php config Parameter Remote File Inclusion -1"; flow:to_server,established; content:"GET"; http_method; content:"/comments.php?"; http_uri; nocase; content:"config[installdir]="; http_uri; nocase; pcre:"/config\[installdir\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,33434; reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html; reference:url,doc.emergingthreats.net/2009841; classtype:web-application-attack; sid:2009841; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WB News Comments.php config Parameter Remote File Inclusion -2"; flow:to_server,established; content:"GET"; http_method; content:"/base/Comments.php?"; http_uri; nocase; content:"config[installdir]="; http_uri; nocase; pcre:"/config\[installdir\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,33434; reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html; reference:url,doc.emergingthreats.net/2009842; classtype:web-application-attack; sid:2009842; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WB News news.php config Parameter Remote File Inclusion -1"; flow:to_server,established; content:"GET"; http_method; content:"/news.php?"; http_uri; nocase; content:"config[installdir]="; http_uri; nocase; pcre:"/config\[installdir\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,33434; reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html; reference:url,doc.emergingthreats.net/2009843; classtype:web-application-attack; sid:2009843; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WB News News.php config Parameter Remote File Inclusion -2"; flow:to_server,established; content:"GET"; http_method; content:"/base/News.php?"; http_uri; nocase; content:"config[installdir]="; http_uri; nocase; pcre:"/config\[installdir\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,33434; reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html; reference:url,doc.emergingthreats.net/2009844; classtype:web-application-attack; sid:2009844; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WB News SendFriend.php config Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/base/SendFriend.php?"; http_uri; nocase; content:"config[installdir]="; http_uri; nocase; pcre:"/config\[installdir\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,33434; reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html; reference:url,doc.emergingthreats.net/2009845; classtype:web-application-attack; sid:2009845; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WB News global.php config Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/admin/global.php?"; http_uri; nocase; content:"config[installdir]="; http_uri; nocase; pcre:"/config\[installdir\]=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/33691; reference:url,milw0rm.com/exploits/8026; reference:url,doc.emergingthreats.net/2009846; classtype:web-application-attack; sid:2009846; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key SELECT"; flow:established,to_server; content:"/coupon_detail.asp?"; http_uri; nocase; content:"key="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6859; reference:url,www.securityfocus.com/bid/21824; reference:url,doc.emergingthreats.net/2005949; classtype:web-application-attack; sid:2005949; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key UNION SELECT"; flow:established,to_server; content:"/coupon_detail.asp?"; http_uri; nocase; content:"key="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6859; reference:url,www.securityfocus.com/bid/21824; reference:url,doc.emergingthreats.net/2005950; classtype:web-application-attack; sid:2005950; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key INSERT"; flow:established,to_server; content:"/coupon_detail.asp?"; http_uri; nocase; content:"key="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6859; reference:url,www.securityfocus.com/bid/21824; reference:url,doc.emergingthreats.net/2005951; classtype:web-application-attack; sid:2005951; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key DELETE"; flow:established,to_server; content:"/coupon_detail.asp?"; http_uri; nocase; content:"key="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6859; reference:url,www.securityfocus.com/bid/21824; reference:url,doc.emergingthreats.net/2005952; classtype:web-application-attack; sid:2005952; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key ASCII"; flow:established,to_server; content:"/coupon_detail.asp?"; http_uri; nocase; content:"key="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6859; reference:url,www.securityfocus.com/bid/21824; reference:url,doc.emergingthreats.net/2005953; classtype:web-application-attack; sid:2005953; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key UPDATE"; flow:established,to_server; content:"/coupon_detail.asp?"; http_uri; nocase; content:"key="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6859; reference:url,www.securityfocus.com/bid/21824; reference:url,doc.emergingthreats.net/2005954; classtype:web-application-attack; sid:2005954; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid SELECT"; flow:established,to_server; content:"/viewcat.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"SELECT"; http_uri; nocase; uricontent:"FROM"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2373; reference:url,www.milw0rm.com/exploits/3670; reference:url,doc.emergingthreats.net/2003764; classtype:web-application-attack; sid:2003764; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid UNION SELECT"; flow:established,to_server; content:"/viewcat.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"UNION"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2373; reference:url,www.milw0rm.com/exploits/3670; reference:url,doc.emergingthreats.net/2003765; classtype:web-application-attack; sid:2003765; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid INSERT"; flow:established,to_server; content:"/viewcat.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"INSERT"; http_uri; nocase; content:"INTO"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2373; reference:url,www.milw0rm.com/exploits/3670; reference:url,doc.emergingthreats.net/2003766; classtype:web-application-attack; sid:2003766; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid DELETE"; flow:established,to_server; content:"/viewcat.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"DELETE"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2373; reference:url,www.milw0rm.com/exploits/3670; reference:url,doc.emergingthreats.net/2003767; classtype:web-application-attack; sid:2003767; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid ASCII"; flow:established,to_server; content:"/viewcat.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"ASCII("; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2373; reference:url,www.milw0rm.com/exploits/3670; reference:url,doc.emergingthreats.net/2003768; classtype:web-application-attack; sid:2003768; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid UPDATE"; flow:established,to_server; content:"/viewcat.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; content:"SET"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2373; reference:url,www.milw0rm.com/exploits/3670; reference:url,doc.emergingthreats.net/2003769; classtype:web-application-attack; sid:2003769; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WPS wps_shop.cgi Remote Command Execution Attempt"; flow: to_server,established; content:"/wps_shop.cgi?"; http_uri; nocase; pcre:"/(art=\|.+\|)/"; reference:bugtraq,14245; reference:url,doc.emergingthreats.net/2002100; classtype:web-application-attack; sid:2002100; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id SELECT"; flow:established,to_server; content:"/comments.php?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1517; reference:url,www.milw0rm.com/exploits/3477; reference:url,doc.emergingthreats.net/2004253; classtype:web-application-attack; sid:2004253; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id UNION SELECT"; flow:established,to_server; content:"/comments.php?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1517; reference:url,www.milw0rm.com/exploits/3477; reference:url,doc.emergingthreats.net/2004254; classtype:web-application-attack; sid:2004254; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id INSERT"; flow:established,to_server; content:"/comments.php?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1517; reference:url,www.milw0rm.com/exploits/3477; reference:url,doc.emergingthreats.net/2004255; classtype:web-application-attack; sid:2004255; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id DELETE"; flow:established,to_server; content:"/comments.php?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1517; reference:url,www.milw0rm.com/exploits/3477; reference:url,doc.emergingthreats.net/2004256; classtype:web-application-attack; sid:2004256; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id ASCII"; flow:established,to_server; content:"/comments.php?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1517; reference:url,www.milw0rm.com/exploits/3477; reference:url,doc.emergingthreats.net/2004257; classtype:web-application-attack; sid:2004257; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id UPDATE"; flow:established,to_server; content:"/comments.php?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1517; reference:url,www.milw0rm.com/exploits/3477; reference:url,doc.emergingthreats.net/2004258; classtype:web-application-attack; sid:2004258; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WSN Guest search.php search parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/search.php?"; http_uri; nocase; content:"searchfields[0]=ownerid"; http_uri; nocase; content:"search="; http_uri; nocase; content:"UNION"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,33097; reference:url,milw0rm.com/exploits/7659; reference:url,doc.emergingthreats.net/2009058; classtype:web-application-attack; sid:2009058; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page SELECT"; flow:established,to_server; content:"/content.php?"; http_uri; nocase; content:"page="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-3128; reference:url,www.osvdb.org/34164; reference:url,doc.emergingthreats.net/2006455; classtype:web-application-attack; sid:2006455; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page UNION SELECT"; flow:established,to_server; content:"/content.php?"; http_uri; nocase; content:"page="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3128; reference:url,www.osvdb.org/34164; reference:url,doc.emergingthreats.net/2006456; classtype:web-application-attack; sid:2006456; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page INSERT"; flow:established,to_server; content:"/content.php?"; http_uri; nocase; content:"page="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-3128; reference:url,www.osvdb.org/34164; reference:url,doc.emergingthreats.net/2006457; classtype:web-application-attack; sid:2006457; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page DELETE"; flow:established,to_server; content:"/content.php?"; http_uri; nocase; content:"page="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-3128; reference:url,www.osvdb.org/34164; reference:url,doc.emergingthreats.net/2006458; classtype:web-application-attack; sid:2006458; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page ASCII"; flow:established,to_server; content:"/content.php?"; http_uri; nocase; content:"page="; http_uri; nocase; content:"ASCII"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3128; reference:url,www.osvdb.org/34164; reference:url,doc.emergingthreats.net/2006459; classtype:web-application-attack; sid:2006459; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page UPDATE"; flow:established,to_server; content:"/content.php?"; http_uri; nocase; content:"page="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-3128; reference:url,www.osvdb.org/34164; reference:url,doc.emergingthreats.net/2006460; classtype:web-application-attack; sid:2006460; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num SELECT"; flow:established,to_server; content:"/phonemessage.asp?"; http_uri; nocase; content:"num="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005955; classtype:web-application-attack; sid:2005955; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num UNION SELECT"; flow:established,to_server; content:"/phonemessage.asp?"; http_uri; nocase; content:"num="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005956; classtype:web-application-attack; sid:2005956; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num INSERT"; flow:established,to_server; content:"/phonemessage.asp?"; http_uri; nocase; content:"num="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005957; classtype:web-application-attack; sid:2005957; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num DELETE"; flow:established,to_server; content:"/phonemessage.asp?"; http_uri; nocase; content:"num="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005958; classtype:web-application-attack; sid:2005958; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num ASCII"; flow:established,to_server; content:"/phonemessage.asp?"; http_uri; nocase; content:"num="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005959; classtype:web-application-attack; sid:2005959; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num UPDATE"; flow:established,to_server; content:"/phonemessage.asp?"; http_uri; nocase; content:"num="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005960; classtype:web-application-attack; sid:2005960; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode SELECT"; flow:established,to_server; content:"/faqDsp.asp?"; http_uri; nocase; content:"catcode="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005961; classtype:web-application-attack; sid:2005961; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode UNION SELECT"; flow:established,to_server; content:"/faqDsp.asp?"; http_uri; nocase; content:"catcode="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005962; classtype:web-application-attack; sid:2005962; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode INSERT"; flow:established,to_server; content:"/faqDsp.asp?"; http_uri; nocase; content:"catcode="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005963; classtype:web-application-attack; sid:2005963; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode DELETE"; flow:established,to_server; content:"/faqDsp.asp?"; http_uri; nocase; content:"catcode="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005964; classtype:web-application-attack; sid:2005964; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode ASCII"; flow:established,to_server; content:"/faqDsp.asp?"; http_uri; nocase; content:"catcode="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005965; classtype:web-application-attack; sid:2005965; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode UPDATE"; flow:established,to_server; content:"/faqDsp.asp?"; http_uri; nocase; content:"catcode="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005966; classtype:web-application-attack; sid:2005966; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login SELECT"; flow:established,to_server; uricontent:"/process.php?"; nocase; uricontent:"login="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006975; classtype:web-application-attack; sid:2006975; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login UNION SELECT"; flow:established,to_server; uricontent:"/process.php?"; nocase; uricontent:"login="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006976; classtype:web-application-attack; sid:2006976; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login INSERT"; flow:established,to_server; uricontent:"/process.php?"; nocase; uricontent:"login="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006977; classtype:web-application-attack; sid:2006977; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login DELETE"; flow:established,to_server; content:"/process.php?"; nocase; http_uri; content:"login="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006978; classtype:web-application-attack; sid:2006978; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login ASCII"; flow:established,to_server; uricontent:"/process.php?"; nocase; uricontent:"login="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006979; classtype:web-application-attack; sid:2006979; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login UPDATE"; flow:established,to_server; uricontent:"/process.php?"; nocase; uricontent:"login="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006980; classtype:web-application-attack; sid:2006980; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password SELECT"; flow:established,to_server; uricontent:"/process.php?"; nocase; uricontent:"password="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006981; classtype:web-application-attack; sid:2006981; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password UNION SELECT"; flow:established,to_server; uricontent:"/process.php?"; nocase; uricontent:"password="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006982; classtype:web-application-attack; sid:2006982; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password INSERT"; flow:established,to_server; uricontent:"/process.php?"; nocase; uricontent:"password="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006983; classtype:web-application-attack; sid:2006983; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password DELETE"; flow:established,to_server; uricontent:"/process.php?"; nocase; uricontent:"password="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006984; classtype:web-application-attack; sid:2006984; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password ASCII"; flow:established,to_server; uricontent:"/process.php?"; nocase; uricontent:"password="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006985; classtype:web-application-attack; sid:2006985; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password UPDATE"; flow:established,to_server; uricontent:"/process.php?"; nocase; uricontent:"password="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006986; classtype:web-application-attack; sid:2006986; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid SELECT"; flow:established,to_server; uricontent:"/dlwallpaper.php?"; nocase; uricontent:"wallpaperid="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006987; classtype:web-application-attack; sid:2006987; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid UNION SELECT"; flow:established,to_server; uricontent:"/dlwallpaper.php?"; nocase; uricontent:"wallpaperid="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006988; classtype:web-application-attack; sid:2006988; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid INSERT"; flow:established,to_server; uricontent:"/dlwallpaper.php?"; nocase; uricontent:"wallpaperid="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006989; classtype:web-application-attack; sid:2006989; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid DELETE"; flow:established,to_server; uricontent:"/dlwallpaper.php?"; nocase; uricontent:"wallpaperid="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006990; classtype:web-application-attack; sid:2006990; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid ASCII"; flow:established,to_server; uricontent:"/dlwallpaper.php?"; nocase; uricontent:"wallpaperid="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006991; classtype:web-application-attack; sid:2006991; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid UPDATE"; flow:established,to_server; uricontent:"/dlwallpaper.php?"; nocase; uricontent:"wallpaperid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006992; classtype:web-application-attack; sid:2006992; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid SELECT"; flow:established,to_server; uricontent:"/wallpaper.php?"; nocase; uricontent:"wallpaperid="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6214; reference:url,www.milw0rm.com/exploits/2835; reference:url,doc.emergingthreats.net/2006993; classtype:web-application-attack; sid:2006993; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid UNION SELECT"; flow:established,to_server; uricontent:"/wallpaper.php?"; nocase; uricontent:"wallpaperid="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6214; reference:url,www.milw0rm.com/exploits/2835; reference:url,doc.emergingthreats.net/2006994; classtype:web-application-attack; sid:2006994; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid INSERT"; flow:established,to_server; uricontent:"/wallpaper.php?"; nocase; uricontent:"wallpaperid="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6214; reference:url,www.milw0rm.com/exploits/2835; reference:url,doc.emergingthreats.net/2006995; classtype:web-application-attack; sid:2006995; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid DELETE"; flow:established,to_server; uricontent:"/wallpaper.php?"; nocase; uricontent:"wallpaperid="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6214; reference:url,www.milw0rm.com/exploits/2835; reference:url,doc.emergingthreats.net/2006996; classtype:web-application-attack; sid:2006996; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid ASCII"; flow:established,to_server; uricontent:"/wallpaper.php?"; nocase; uricontent:"wallpaperid="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6214; reference:url,www.milw0rm.com/exploits/2835; reference:url,doc.emergingthreats.net/2006997; classtype:web-application-attack; sid:2006997; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid UPDATE"; flow:established,to_server; uricontent:"/wallpaper.php?"; nocase; uricontent:"wallpaperid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6214; reference:url,www.milw0rm.com/exploits/2835; reference:url,doc.emergingthreats.net/2006998; classtype:web-application-attack; sid:2006998; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID SELECT"; flow:established,to_server; uricontent:"/item.asp?"; nocase; uricontent:"ItemID="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6206; reference:url,www.securityfocus.com/bid/21324; reference:url,doc.emergingthreats.net/2007070; classtype:web-application-attack; sid:2007070; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID UNION SELECT"; flow:established,to_server; uricontent:"/item.asp?"; nocase; uricontent:"ItemID="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6206; reference:url,www.securityfocus.com/bid/21324; reference:url,doc.emergingthreats.net/2007071; classtype:web-application-attack; sid:2007071; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID INSERT"; flow:established,to_server; uricontent:"/item.asp?"; nocase; uricontent:"ItemID="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6206; reference:url,www.securityfocus.com/bid/21324; reference:url,doc.emergingthreats.net/2007072; classtype:web-application-attack; sid:2007072; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID DELETE"; flow:established,to_server; uricontent:"/item.asp?"; nocase; uricontent:"ItemID="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6206; reference:url,www.securityfocus.com/bid/21324; reference:url,doc.emergingthreats.net/2007073; classtype:web-application-attack; sid:2007073; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID ASCII"; flow:established,to_server; uricontent:"/item.asp?"; nocase; uricontent:"ItemID="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6206; reference:url,www.securityfocus.com/bid/21324; reference:url,doc.emergingthreats.net/2007074; classtype:web-application-attack; sid:2007074; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID UPDATE"; flow:established,to_server; uricontent:"/item.asp?"; nocase; uricontent:"ItemID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6206; reference:url,www.securityfocus.com/bid/21324; reference:url,doc.emergingthreats.net/2007075; classtype:web-application-attack; sid:2007075; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Way Of The Warrior crea.php plancia Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"crea.php?"; nocase; uricontent:"plancia="; nocase; pcre:"/plancia=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/32515/; reference:url,milw0rm.com/exploits/6992; reference:url,doc.emergingthreats.net/2008826; classtype:web-application-attack; sid:2008826; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wazzum Dating Software profile_view.php userid Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"profile_view.php"; nocase; uricontent:"userid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,www.milw0rm.com/exploits/7877; reference:url,secunia.com/Advisories/33654/; reference:url,doc.emergingthreats.net/2009122; classtype:web-application-attack; sid:2009122; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wbstreet show.php id parameter Remote SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/show.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,www.milw0rm.com/exploits/7337; reference:bugtraq,32635; reference:url,doc.emergingthreats.net/2008939; classtype:web-application-attack; sid:2008939; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/cron.php?"; nocase; uricontent:"include_path="; nocase; content:"../"; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; reference:url,doc.emergingthreats.net/2009306; classtype:web-application-attack; sid:2009306; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/cron.php?"; nocase; uricontent:"include_path="; nocase; pcre:"/include_path=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; reference:url,doc.emergingthreats.net/2009307; classtype:web-application-attack; sid:2009307; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/ST_browsers.php?"; nocase; uricontent:"include_path="; nocase; content:"../"; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; reference:url,doc.emergingthreats.net/2009308; classtype:web-application-attack; sid:2009308; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/ST_browsers.php?"; nocase; uricontent:"include_path="; nocase; pcre:"/include_path=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; reference:url,doc.emergingthreats.net/2009309; classtype:web-application-attack; sid:2009309; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/ST_countries.php?"; nocase; uricontent:"include_path="; nocase; content:"../"; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; reference:url,doc.emergingthreats.net/2009310; classtype:web-application-attack; sid:2009310; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/ST_countries.php?"; nocase; uricontent:"include_path="; nocase; pcre:"/include_path=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; reference:url,doc.emergingthreats.net/2009311; classtype:web-application-attack; sid:2009311; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/ST_platforms.php?"; nocase; uricontent:"include_path="; nocase; content:"../"; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; reference:url,doc.emergingthreats.net/2009312; classtype:web-application-attack; sid:2009312; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/ST_platforms.php?"; nocase; uricontent:"include_path="; nocase; pcre:"/include_path=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; reference:url,doc.emergingthreats.net/2009313; classtype:web-application-attack; sid:2009313; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webCalendar Remote File include"; flow: to_server,established; uricontent:"includedir="; pcre:"/\/ws\/(login|get_reminders|get_events)\.php/"; reference:url,www.securityfocus.com/archive/1/462957; reference:url,doc.emergingthreats.net/2003520; classtype:web-application-attack; sid:2003520; rev:8; metadata:affected_product Any, attack_target Server, deployment Datacenter, tag Remote_File_Include, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Webmoney Advisor ActiveX Redirect Method Remote DoS Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; content:"3AFFD7F7-FD3D-4C9D-8F83-03296A1A8840"; nocase; distance:0; content:"Redirect"; nocase; reference:url,exploit-db.com/exploits/12431; reference:url,doc.emergingthreats.net/2011723; classtype:attempted-user; sid:2011723; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Webmoney Advisor ActiveX Control DoS Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TOOLBAR3Lib.ToolbarObj"; nocase; distance:0; content:"Redirect"; nocase; reference:url,exploit-db.com/exploits/12431; reference:url,doc.emergingthreats.net/2011724; classtype:attempted-user; sid:2011724; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"strid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004754; classtype:web-application-attack; sid:2004754; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"strid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004755; classtype:web-application-attack; sid:2004755; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"strid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004756; classtype:web-application-attack; sid:2004756; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"strid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004757; classtype:web-application-attack; sid:2004757; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"strid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004758; classtype:web-application-attack; sid:2004758; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"strid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004759; classtype:web-application-attack; sid:2004759; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id SELECT"; flow:established,to_server; uricontent:"/filecheck.php?"; nocase; uricontent:"id["; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004760; classtype:web-application-attack; sid:2004760; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id UNION SELECT"; flow:established,to_server; uricontent:"/filecheck.php?"; nocase; uricontent:"id["; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004761; classtype:web-application-attack; sid:2004761; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id INSERT"; flow:established,to_server; uricontent:"/filecheck.php?"; nocase; uricontent:"id["; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004762; classtype:web-application-attack; sid:2004762; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id DELETE"; flow:established,to_server; uricontent:"/filecheck.php?"; nocase; uricontent:"id["; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004763; classtype:web-application-attack; sid:2004763; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id ASCII"; flow:established,to_server; uricontent:"/filecheck.php?"; nocase; uricontent:"id["; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004764; classtype:web-application-attack; sid:2004764; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id UPDATE"; flow:established,to_server; uricontent:"/filecheck.php?"; nocase; uricontent:"id["; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004765; classtype:web-application-attack; sid:2004765; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebPhotoPro art.php idm Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/art.php"; nocase; uricontent:"idm="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,32829; reference:url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt; reference:url,doc.emergingthreats.net/2009013; classtype:web-application-attack; sid:2009013; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebPhotoPro rub.php idr Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/rub.php"; nocase; uricontent:"idr="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,32829; reference:url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt; reference:url,doc.emergingthreats.net/2009014; classtype:web-application-attack; sid:2009014; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebPhotoPro galeri_info.php ida Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/galeri_info.php?"; nocase; uricontent:"ida="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,32829; reference:url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt; reference:url,doc.emergingthreats.net/2009015; classtype:web-application-attack; sid:2009015; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebPhotoPro galeri_info.php lang Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/galeri_info.php?"; nocase; uricontent:"lang="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,32829; reference:url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt; reference:url,doc.emergingthreats.net/2009016; classtype:web-application-attack; sid:2009016; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebPhotoPro rubrika.php idr Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/rubrika.php?"; nocase; uricontent:"idr="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,32829; reference:url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt; reference:url,doc.emergingthreats.net/2009017; classtype:web-application-attack; sid:2009017; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Webradev Download Protect EmailTemplates.class.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/Framework/EmailTemplates.class.php?"; nocase; uricontent:"GLOBALS[RootPath]="; nocase; pcre:"/GLOBALS\[RootPath\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8792; reference:url,doc.emergingthreats.net/2010092; classtype:web-application-attack; sid:2010092; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Webradev Download Protect PDPEmailReplaceConstants.class.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/Customers/PDPEmailReplaceConstants.class.php?"; nocase; uricontent:"GLOBALS[RootPath]="; nocase; pcre:"/GLOBALS\[RootPath\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8792; reference:url,doc.emergingthreats.net/2010093; classtype:web-application-attack; sid:2010093; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Webradev Download Protect ResellersManager.class.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/Admin/ResellersManager.class.php?"; nocase; uricontent:"GLOBALS[RootPath]="; nocase; pcre:"/GLOBALS\[RootPath\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8792; reference:url,doc.emergingthreats.net/2010094; classtype:web-application-attack; sid:2010094; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID SELECT"; flow:established,to_server; uricontent:"/directions.php?"; nocase; uricontent:"testID="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0970; reference:url,www.securityfocus.com/bid/22559; reference:url,doc.emergingthreats.net/2004911; classtype:web-application-attack; sid:2004911; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID UNION SELECT"; flow:established,to_server; uricontent:"/directions.php?"; nocase; uricontent:"testID="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0970; reference:url,www.securityfocus.com/bid/22559; reference:url,doc.emergingthreats.net/2004912; classtype:web-application-attack; sid:2004912; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID INSERT"; flow:established,to_server; uricontent:"/directions.php?"; nocase; uricontent:"testID="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0970; reference:url,www.securityfocus.com/bid/22559; reference:url,doc.emergingthreats.net/2004913; classtype:web-application-attack; sid:2004913; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID DELETE"; flow:established,to_server; uricontent:"/directions.php?"; nocase; uricontent:"testID="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0970; reference:url,www.securityfocus.com/bid/22559; reference:url,doc.emergingthreats.net/2004914; classtype:web-application-attack; sid:2004914; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID ASCII"; flow:established,to_server; uricontent:"/directions.php?"; nocase; uricontent:"testID="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0970; reference:url,www.securityfocus.com/bid/22559; reference:url,doc.emergingthreats.net/2004915; classtype:web-application-attack; sid:2004915; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID UPDATE"; flow:established,to_server; uricontent:"/directions.php?"; nocase; uricontent:"testID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0970; reference:url,www.securityfocus.com/bid/22559; reference:url,doc.emergingthreats.net/2004916; classtype:web-application-attack; sid:2004916; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id SELECT"; flow:established,to_server; uricontent:"/connexion.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7089; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116205673106780&w=2; reference:url,doc.emergingthreats.net/2004772; classtype:web-application-attack; sid:2004772; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id UNION SELECT"; flow:established,to_server; uricontent:"/connexion.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7089; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116205673106780&w=2; reference:url,doc.emergingthreats.net/2004773; classtype:web-application-attack; sid:2004773; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id INSERT"; flow:established,to_server; uricontent:"/connexion.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7089; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116205673106780&w=2; reference:url,doc.emergingthreats.net/2004774; classtype:web-application-attack; sid:2004774; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id DELETE"; flow:established,to_server; uricontent:"/connexion.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7089; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116205673106780&w=2; reference:url,doc.emergingthreats.net/2004775; classtype:web-application-attack; sid:2004775; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id ASCII"; flow:established,to_server; uricontent:"/connexion.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7089; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116205673106780&w=2; reference:url,doc.emergingthreats.net/2004776; classtype:web-application-attack; sid:2004776; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id UPDATE"; flow:established,to_server; uricontent:"/connexion.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7089; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116205673106780&w=2; reference:url,doc.emergingthreats.net/2004778; classtype:web-application-attack; sid:2004778; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp SELECT"; flow:established,to_server; uricontent:"/functions/functions_filters.asp?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004224; classtype:web-application-attack; sid:2004224; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp UNION SELECT"; flow:established,to_server; uricontent:"/functions/functions_filters.asp?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004225; classtype:web-application-attack; sid:2004225; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp INSERT"; flow:established,to_server; uricontent:"/functions/functions_filters.asp?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004226; classtype:web-application-attack; sid:2004226; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp DELETE"; flow:established,to_server; uricontent:"/functions/functions_filters.asp?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004227; classtype:web-application-attack; sid:2004227; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp ASCII"; flow:established,to_server; uricontent:"/functions/functions_filters.asp?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004228; classtype:web-application-attack; sid:2004228; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp UPDATE"; flow:established,to_server; uricontent:"/functions/functions_filters.asp?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004229; classtype:web-application-attack; sid:2004229; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name SELECT"; flow:established,to_server; uricontent:"/forum/pop_up_member_search.asp?"; nocase; uricontent:"name="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004230; classtype:web-application-attack; sid:2004230; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name UNION SELECT"; flow:established,to_server; uricontent:"/forum/pop_up_member_search.asp?"; nocase; uricontent:"name="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004231; classtype:web-application-attack; sid:2004231; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name INSERT"; flow:established,to_server; uricontent:"/forum/pop_up_member_search.asp?"; nocase; uricontent:"name="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004232; classtype:web-application-attack; sid:2004232; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name DELETE"; flow:established,to_server; uricontent:"/forum/pop_up_member_search.asp?"; nocase; uricontent:"name="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004233; classtype:web-application-attack; sid:2004233; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name ASCII"; flow:established,to_server; uricontent:"/forum/pop_up_member_search.asp?"; nocase; uricontent:"name="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004439; classtype:web-application-attack; sid:2004439; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name UPDATE"; flow:established,to_server; uricontent:"/forum/pop_up_member_search.asp?"; nocase; uricontent:"name="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004234; classtype:web-application-attack; sid:2004234; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID SELECT"; flow:established,to_server; uricontent:"/News/page.asp?"; nocase; uricontent:"NewsID="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004235; classtype:web-application-attack; sid:2004235; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID UNION SELECT"; flow:established,to_server; uricontent:"/News/page.asp?"; nocase; uricontent:"NewsID="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004236; classtype:web-application-attack; sid:2004236; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID INSERT"; flow:established,to_server; uricontent:"/News/page.asp?"; nocase; uricontent:"NewsID="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004237; classtype:web-application-attack; sid:2004237; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID DELETE"; flow:established,to_server; uricontent:"/News/page.asp?"; nocase; uricontent:"NewsID="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004238; classtype:web-application-attack; sid:2004238; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID ASCII"; flow:established,to_server; uricontent:"/News/page.asp?"; nocase; uricontent:"NewsID="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004239; classtype:web-application-attack; sid:2004239; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID UPDATE"; flow:established,to_server; uricontent:"/News/page.asp?"; nocase; uricontent:"NewsID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004240; classtype:web-application-attack; sid:2004240; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Webmin Pre-1.290 Compromise Attempt"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/unathenticated/"; content:"/unauthenticated//..%01/..%01/..%01/"; reference:url,bliki.rimuhosting.com/comments/knowledgebase/linux/miscapplications/webmin; reference:url,doc.emergingthreats.net/2010009; classtype:web-application-attack; sid:2010009; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMoney html.php page Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/html.php?"; nocase; uricontent:"page="; nocase; pcre:"/page=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.packetstormsecurity.org/0907-exploits/3awebmoney-rfi.txt; reference:url,doc.emergingthreats.net/2009690; classtype:web-application-attack; sid:2009690; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMoney html2.php page Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/html2.php?"; nocase; uricontent:"page="; nocase; pcre:"/page=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.packetstormsecurity.org/0907-exploits/3awebmoney-rfi.txt; reference:url,doc.emergingthreats.net/2009691; classtype:web-application-attack; sid:2009691; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp Queue XSS Attempt"; flow:established,to_server; uricontent:"/web/msgList/viewmsg/viewHeaders.asp?"; nocase; uricontent:"Queue="; nocase; pcre:"/Queue\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010167; classtype:web-application-attack; sid:2010167; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp FileName XSS Attempt"; flow:established,to_server; uricontent:"/web/msgList/viewmsg/viewHeaders.asp?"; nocase; uricontent:"FileName="; nocase; pcre:"/Filename\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010168; classtype:web-application-attack; sid:2010168; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp IsolatedMessageID XSS Attempt"; flow:established,to_server; uricontent:"/web/msgList/viewmsg/viewHeaders.asp?"; nocase; uricontent:"IsolatedMessageID="; nocase; pcre:"/IsolatedMessageID\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010169; classtype:web-application-attack; sid:2010169; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp ServerName XSS Attempt"; flow:established,to_server; uricontent:"/web/msgList/viewmsg/viewHeaders.asp?"; nocase; uricontent:"ServerName="; nocase; pcre:"/ServerName\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010170; classtype:web-application-attack; sid:2010170; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp FileName XSS Attempt"; flow:established,to_server; uricontent:"/web/msgList/viewmsg/actions/msgAnalyse.asp?"; nocase; uricontent:"FileName="; nocase; pcre:"/FileName\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010171; classtype:web-application-attack; sid:2010171; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp IsolatedMessageID XSS Attempt"; flow:established,to_server; uricontent:"/web/msgList/viewmsg/actions/msgAnalyse.asp?"; nocase; uricontent:"IsolatedMessageID="; nocase; pcre:"/IsolatedMessageID\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010172; classtype:web-application-attack; sid:2010172; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp ServerName XSS Attempt"; flow:established,to_server; uricontent:"/web/msgList/viewmsg/actions/msgAnalyse.asp?"; nocase; uricontent:"ServerName="; nocase; pcre:"/ServerName\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010173; classtype:web-application-attack; sid:2010173; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Dictionary XSS Attempt"; flow:established,to_server; uricontent:"/web/msgList/viewmsg/actions/msgAnalyse.asp?"; nocase; uricontent:"Dictionary="; nocase; pcre:"/Dictionary\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010174; classtype:web-application-attack; sid:2010174; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Scoring XSS Attempt"; flow:established,to_server; uricontent:"/web/msgList/viewmsg/actions/msgAnalyse.asp?"; nocase; uricontent:"Scoring="; nocase; pcre:"/Scoring\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010175; classtype:web-application-attack; sid:2010175; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp MessagePart XSS Attempt"; flow:established,to_server; uricontent:"/web/msgList/viewmsg/actions/msgAnalyse.asp?"; nocase; uricontent:"MessagePart="; nocase; pcre:"/MessagePart\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010176; classtype:web-application-attack; sid:2010176; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp Queue XSS Attempt"; flow:established,to_server; uricontent:"/web/msgList/viewmsg/actions/msgForwardToRiskFilter.asp?"; nocase; uricontent:"Queue="; nocase; pcre:"/Queue\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010177; classtype:web-application-attack; sid:2010177; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp FileName XSS Attempt"; flow:established,to_server; uricontent:"/web/msgList/viewmsg/actions/msgForwardToRiskFilter.asp?"; nocase; uricontent:"FileName="; nocase; pcre:"/FileName\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010178; classtype:web-application-attack; sid:2010178; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp IsolatedMessageID XSS Attempt"; flow:established,to_server; uricontent:"/web/msgList/viewmsg/actions/msgForwardToRiskFilter.asp?"; nocase; uricontent:"IsolatedMessageID="; nocase; pcre:"/IsolatedMessageID\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010179; classtype:web-application-attack; sid:2010179; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp ServerName XSS Attempt"; flow:established,to_server; uricontent:"/web/msgList/viewmsg/actions/msgForwardToRiskFilter.asp?"; nocase; uricontent:"ServerName="; nocase; pcre:"/ServerName\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010180; classtype:web-application-attack; sid:2010180; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID SELECT"; flow:established,to_server; uricontent:"/eWebQuiz.asp?"; nocase; uricontent:"QuizID="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0527; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/22176.html; reference:url,doc.emergingthreats.net/2005227; classtype:web-application-attack; sid:2005227; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID UNION SELECT"; flow:established,to_server; uricontent:"/eWebQuiz.asp?"; nocase; uricontent:"QuizID="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0527; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/22176.html; reference:url,doc.emergingthreats.net/2005228; classtype:web-application-attack; sid:2005228; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID INSERT"; flow:established,to_server; uricontent:"/eWebQuiz.asp?"; nocase; uricontent:"QuizID="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0527; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/22176.html; reference:url,doc.emergingthreats.net/2005229; classtype:web-application-attack; sid:2005229; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID DELETE"; flow:established,to_server; uricontent:"/eWebQuiz.asp?"; nocase; uricontent:"QuizID="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0527; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/22176.html; reference:url,doc.emergingthreats.net/2005230; classtype:web-application-attack; sid:2005230; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID ASCII"; flow:established,to_server; uricontent:"/eWebQuiz.asp?"; nocase; uricontent:"QuizID="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0527; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/22176.html; reference:url,doc.emergingthreats.net/2005231; classtype:web-application-attack; sid:2005231; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID UPDATE"; flow:established,to_server; uricontent:"/eWebQuiz.asp?"; nocase; uricontent:"QuizID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0527; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/22176.html; reference:url,doc.emergingthreats.net/2005232; classtype:web-application-attack; sid:2005232; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order SELECT"; flow:established,to_server; uricontent:"/check_vote.php?"; nocase; uricontent:"order="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1602; reference:url,www.securityfocus.com/archive/1/archive/1/462702/100/100/threaded; reference:url,doc.emergingthreats.net/2004140; classtype:web-application-attack; sid:2004140; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order UNION SELECT"; flow:established,to_server; uricontent:"/check_vote.php?"; nocase; uricontent:"order="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1602; reference:url,www.securityfocus.com/archive/1/archive/1/462702/100/100/threaded; reference:url,doc.emergingthreats.net/2004141; classtype:web-application-attack; sid:2004141; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order INSERT"; flow:established,to_server; uricontent:"/check_vote.php?"; nocase; uricontent:"order="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1602; reference:url,www.securityfocus.com/archive/1/archive/1/462702/100/100/threaded; reference:url,doc.emergingthreats.net/2004142; classtype:web-application-attack; sid:2004142; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order DELETE"; flow:established,to_server; uricontent:"/check_vote.php?"; nocase; uricontent:"order="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1602; reference:url,www.securityfocus.com/archive/1/archive/1/462702/100/100/threaded; reference:url,doc.emergingthreats.net/2004143; classtype:web-application-attack; sid:2004143; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order ASCII"; flow:established,to_server; uricontent:"/check_vote.php?"; nocase; uricontent:"order="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1602; reference:url,www.securityfocus.com/archive/1/archive/1/462702/100/100/threaded; reference:url,doc.emergingthreats.net/2004144; classtype:web-application-attack; sid:2004144; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order UPDATE"; flow:established,to_server; uricontent:"/check_vote.php?"; nocase; uricontent:"order="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1602; reference:url,www.securityfocus.com/archive/1/archive/1/462702/100/100/threaded; reference:url,doc.emergingthreats.net/2004145; classtype:web-application-attack; sid:2004145; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Werner Hilversum FAQ Manager header.php config_path parameter Remote File Inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/include/header.php?"; nocase; uricontent:"config_path="; nocase; pcre:"/config_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32472; reference:url,milw0rm.com/exploits/7229; reference:url,doc.emergingthreats.net/2008935; classtype:web-application-attack; sid:2008935; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wikivi5 Remote Inclusion Attempt -- show.php sous_rep"; flow:established,to_server; uricontent:"/handlers/page/show.php?"; nocase; uricontent:"sous_rep="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2570; reference:url,www.milw0rm.com/exploits/3863; reference:url,doc.emergingthreats.net/2003696; classtype:web-application-attack; sid:2003696; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WikkaWiki (Wikka Wiki) XSS Attempt -- usersettings.php name"; flow:established,to_server; uricontent:"/usersettings.php?"; nocase; uricontent:"name="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2551; reference:url,www.securityfocus.com/bid/23894; reference:url,doc.emergingthreats.net/2003916; classtype:web-application-attack; sid:2003916; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WikyBlog XSS Attempt sessionRegister.php"; flow:established,to_server; uricontent:"/include/sessionRegister.php?"; nocase; uricontent:"| 3C |"; uricontent:"SCRIPT"; nocase; uricontent:"| 3E |"; reference:cve,CVE-2007-2781; reference:url,www.secunia.com/advisories/25308; reference:url,doc.emergingthreats.net/2004574; classtype:web-application-attack; sid:2004574; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php SELECT"; flow:established,to_server; uricontent:"/usergroups.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1518; reference:url,www.securityfocus.com/bid/22970; reference:url,doc.emergingthreats.net/2004247; classtype:web-application-attack; sid:2004247; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php UNION SELECT"; flow:established,to_server; uricontent:"/usergroups.php?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1518; reference:url,www.securityfocus.com/bid/22970; reference:url,doc.emergingthreats.net/2004248; classtype:web-application-attack; sid:2004248; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php INSERT"; flow:established,to_server; uricontent:"/usergroups.php?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1518; reference:url,www.securityfocus.com/bid/22970; reference:url,doc.emergingthreats.net/2004249; classtype:web-application-attack; sid:2004249; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php DELETE"; flow:established,to_server; uricontent:"/usergroups.php?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1518; reference:url,www.securityfocus.com/bid/22970; reference:url,doc.emergingthreats.net/2004250; classtype:web-application-attack; sid:2004250; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php ASCII"; flow:established,to_server; uricontent:"/usergroups.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1518; reference:url,www.securityfocus.com/bid/22970; reference:url,doc.emergingthreats.net/2004251; classtype:web-application-attack; sid:2004251; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php UPDATE"; flow:established,to_server; uricontent:"/usergroups.php?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1518; reference:url,www.securityfocus.com/bid/22970; reference:url,doc.emergingthreats.net/2004252; classtype:web-application-attack; sid:2004252; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid SELECT"; flow:established,to_server; uricontent:"/pms.php?"; nocase; uricontent:"pmid["; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0812; reference:url,www.milw0rm.com/exploits/3262; reference:url,doc.emergingthreats.net/2004997; classtype:web-application-attack; sid:2004997; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid UNION SELECT"; flow:established,to_server; uricontent:"/pms.php?"; nocase; uricontent:"pmid["; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0812; reference:url,www.milw0rm.com/exploits/3262; reference:url,doc.emergingthreats.net/2004998; classtype:web-application-attack; sid:2004998; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid INSERT"; flow:established,to_server; uricontent:"/pms.php?"; nocase; uricontent:"pmid["; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0812; reference:url,www.milw0rm.com/exploits/3262; reference:url,doc.emergingthreats.net/2004999; classtype:web-application-attack; sid:2004999; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid DELETE"; flow:established,to_server; uricontent:"/pms.php?"; nocase; uricontent:"pmid["; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0812; reference:url,www.milw0rm.com/exploits/3262; reference:url,doc.emergingthreats.net/2005000; classtype:web-application-attack; sid:2005000; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid ASCII"; flow:established,to_server; uricontent:"/pms.php?"; nocase; uricontent:"pmid["; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0812; reference:url,www.milw0rm.com/exploits/3262; reference:url,doc.emergingthreats.net/2005001; classtype:web-application-attack; sid:2005001; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid UPDATE"; flow:established,to_server; uricontent:"/pms.php?"; nocase; uricontent:"pmid["; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0812; reference:url,www.milw0rm.com/exploits/3262; reference:url,doc.emergingthreats.net/2005002; classtype:web-application-attack; sid:2005002; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids SELECT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"boardids["; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005280; classtype:web-application-attack; sid:2005280; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids UNION SELECT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"boardids["; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005281; classtype:web-application-attack; sid:2005281; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids INSERT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"boardids["; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005282; classtype:web-application-attack; sid:2005282; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids DELETE"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"boardids["; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005283; classtype:web-application-attack; sid:2005283; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids ASCII"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"boardids["; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005284; classtype:web-application-attack; sid:2005284; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids UPDATE"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"boardids["; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005285; classtype:web-application-attack; sid:2005285; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board SELECT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"board["; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005286; classtype:web-application-attack; sid:2005286; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board UNION SELECT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"board["; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005287; classtype:web-application-attack; sid:2005287; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board INSERT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"board["; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005288; classtype:web-application-attack; sid:2005288; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board DELETE"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"board["; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005289; classtype:web-application-attack; sid:2005289; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board ASCII"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"board["; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005290; classtype:web-application-attack; sid:2005290; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board UPDATE"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"board["; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005291; classtype:web-application-attack; sid:2005291; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit SELECT"; flow:established,to_server; uricontent:"/thread.php?"; nocase; uricontent:"threadvisit="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6237; reference:url,www.milw0rm.com/exploits/2841; reference:url,doc.emergingthreats.net/2006921; classtype:web-application-attack; sid:2006921; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit UNION SELECT"; flow:established,to_server; uricontent:"/thread.php?"; nocase; uricontent:"threadvisit="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6237; reference:url,www.milw0rm.com/exploits/2841; reference:url,doc.emergingthreats.net/2006922; classtype:web-application-attack; sid:2006922; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit INSERT"; flow:established,to_server; uricontent:"/thread.php?"; nocase; uricontent:"threadvisit="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6237; reference:url,www.milw0rm.com/exploits/2841; reference:url,doc.emergingthreats.net/2006923; classtype:web-application-attack; sid:2006923; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit DELETE"; flow:established,to_server; uricontent:"/thread.php?"; nocase; uricontent:"threadvisit="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6237; reference:url,www.milw0rm.com/exploits/2841; reference:url,doc.emergingthreats.net/2006924; classtype:web-application-attack; sid:2006924; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit ASCII"; flow:established,to_server; uricontent:"/thread.php?"; nocase; uricontent:"threadvisit="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6237; reference:url,www.milw0rm.com/exploits/2841; reference:url,doc.emergingthreats.net/2006925; classtype:web-application-attack; sid:2006925; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit UPDATE"; flow:established,to_server; uricontent:"/thread.php?"; nocase; uricontent:"threadvisit="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6237; reference:url,www.milw0rm.com/exploits/2841; reference:url,doc.emergingthreats.net/2006926; classtype:web-application-attack; sid:2006926; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt"; flow:to_server,established; uricontent:"/wp-login.php"; nocase; uricontent:"redirect_to"; pcre:"/redirect_to=(ht|f)tps?\:\//iU"; reference:url,www.inliniac.net/blog/?p=71; reference:url,doc.emergingthreats.net/2003508; classtype:web-application-attack; sid:2003508; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wptable-button.php wpPATH"; flow:established,to_server; uricontent:"/js/wptable-button.php?"; nocase; uricontent:"wpPATH="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2484; reference:url,www.milw0rm.com/exploits/3824; reference:url,doc.emergingthreats.net/2003685; classtype:web-application-attack; sid:2003685; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wordtube-button.php wpPATH"; flow:established,to_server; uricontent:"/wordtube-button.php?"; nocase; uricontent:"wpPATH="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2481; reference:url,www.milw0rm.com/exploits/3825; reference:url,doc.emergingthreats.net/2003686; classtype:web-application-attack; sid:2003686; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress XSS Attempt -- sidebar.php"; flow:established,to_server; uricontent:"/sidebar.php?"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2627; reference:url,www.securityfocus.com/archive/1/archive/1/467360/100/0/threaded; reference:url,doc.emergingthreats.net/2003885; classtype:web-application-attack; sid:2003885; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie SELECT"; flow:established,to_server; uricontent:"/wp-admin/admin-ajax.php?"; nocase; uricontent:"cookie="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2821; reference:url,www.securityfocus.com/bid/24076; reference:url,doc.emergingthreats.net/2004011; classtype:web-application-attack; sid:2004011; rev:6; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UNION SELECT"; flow:established,to_server; uricontent:"/wp-admin/admin-ajax.php?"; nocase; uricontent:"cookie="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2821; reference:url,www.securityfocus.com/bid/24076; reference:url,doc.emergingthreats.net/2004012; classtype:web-application-attack; sid:2004012; rev:6; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie INSERT"; flow:established,to_server; uricontent:"/wp-admin/admin-ajax.php?"; nocase; uricontent:"cookie="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2821; reference:url,www.securityfocus.com/bid/24076; reference:url,doc.emergingthreats.net/2004013; classtype:web-application-attack; sid:2004013; rev:6; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie DELETE"; flow:established,to_server; uricontent:"/wp-admin/admin-ajax.php?"; nocase; uricontent:"cookie="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2821; reference:url,www.securityfocus.com/bid/24076; reference:url,doc.emergingthreats.net/2004014; classtype:web-application-attack; sid:2004014; rev:6; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie ASCII"; flow:established,to_server; uricontent:"/wp-admin/admin-ajax.php?"; nocase; uricontent:"cookie="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2821; reference:url,www.securityfocus.com/bid/24076; reference:url,doc.emergingthreats.net/2004015; classtype:web-application-attack; sid:2004015; rev:6; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UPDATE"; flow:established,to_server; uricontent:"/wp-admin/admin-ajax.php?"; nocase; uricontent:"cookie="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2821; reference:url,www.securityfocus.com/bid/24076; reference:url,doc.emergingthreats.net/2004016; classtype:web-application-attack; sid:2004016; rev:6; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php SELECT"; flow:established,to_server; uricontent:"/wp-admin/admin-functions.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1409; reference:url,www.secunia.com/advisories/24566; reference:url,doc.emergingthreats.net/2004403; classtype:web-application-attack; sid:2004403; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UNION SELECT"; flow:established,to_server; uricontent:"/wp-admin/admin-functions.php?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1409; reference:url,www.secunia.com/advisories/24566; reference:url,doc.emergingthreats.net/2004404; classtype:web-application-attack; sid:2004404; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php INSERT"; flow:established,to_server; uricontent:"/wp-admin/admin-functions.php?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1409; reference:url,www.secunia.com/advisories/24566; reference:url,doc.emergingthreats.net/2004405; classtype:web-application-attack; sid:2004405; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php DELETE"; flow:established,to_server; uricontent:"/wp-admin/admin-functions.php?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1409; reference:url,www.secunia.com/advisories/24566; reference:url,doc.emergingthreats.net/2004406; classtype:web-application-attack; sid:2004406; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php ASCII"; flow:established,to_server; uricontent:"/wp-admin/admin-functions.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1409; reference:url,www.secunia.com/advisories/24566; reference:url,doc.emergingthreats.net/2004407; classtype:web-application-attack; sid:2004407; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UPDATE"; flow:established,to_server; uricontent:"/wp-admin/admin-functions.php?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1409; reference:url,www.secunia.com/advisories/24566; reference:url,doc.emergingthreats.net/2004408; classtype:web-application-attack; sid:2004408; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php SELECT"; flow:established,to_server; uricontent:"/xmlrpc.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3140; reference:url,www.milw0rm.com/exploits/4039; reference:url,doc.emergingthreats.net/2004654; classtype:web-application-attack; sid:2004654; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UNION SELECT"; flow:established,to_server; uricontent:"/xmlrpc.php?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3140; reference:url,www.milw0rm.com/exploits/4039; reference:url,doc.emergingthreats.net/2004655; classtype:web-application-attack; sid:2004655; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php INSERT"; flow:established,to_server; uricontent:"/xmlrpc.php?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3140; reference:url,www.milw0rm.com/exploits/4039; reference:url,doc.emergingthreats.net/2004656; classtype:web-application-attack; sid:2004656; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php DELETE"; flow:established,to_server; uricontent:"/xmlrpc.php?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3140; reference:url,www.milw0rm.com/exploits/4039; reference:url,doc.emergingthreats.net/2004657; classtype:web-application-attack; sid:2004657; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php ASCII"; flow:established,to_server; uricontent:"/xmlrpc.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3140; reference:url,www.milw0rm.com/exploits/4039; reference:url,doc.emergingthreats.net/2004658; classtype:web-application-attack; sid:2004658; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UPDATE"; flow:established,to_server; uricontent:"/xmlrpc.php?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3140; reference:url,www.milw0rm.com/exploits/4039; reference:url,doc.emergingthreats.net/2004659; classtype:web-application-attack; sid:2004659; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php SELECT"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0233; reference:url,www.milw0rm.com/exploits/3109; reference:url,doc.emergingthreats.net/2005657; classtype:web-application-attack; sid:2005657; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0233; reference:url,www.milw0rm.com/exploits/3109; reference:url,doc.emergingthreats.net/2005658; classtype:web-application-attack; sid:2005658; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php INSERT"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0233; reference:url,www.milw0rm.com/exploits/3109; reference:url,doc.emergingthreats.net/2005659; classtype:web-application-attack; sid:2005659; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php DELETE"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0233; reference:url,www.milw0rm.com/exploits/3109; reference:url,doc.emergingthreats.net/2005660; classtype:web-application-attack; sid:2005660; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php ASCII"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0233; reference:url,www.milw0rm.com/exploits/3109; reference:url,doc.emergingthreats.net/2005661; classtype:web-application-attack; sid:2005661; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0233; reference:url,www.milw0rm.com/exploits/3109; reference:url,doc.emergingthreats.net/2005662; classtype:web-application-attack; sid:2005662; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Newsletter Plugin newsletter Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/st_newsletter/stnl_iframe.php"; nocase; uricontent:"?newsletter="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:url,milw0rm.com/exploits/6777; reference:url,secunia.com/advisories/32336; reference:url,doc.emergingthreats.net/2008725; classtype:web-application-attack; sid:2008725; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/books/getConfig.php?"; nocase; content:"book_id="; nocase; pcre:"/(\.\.\/){1,}/U"; reference:url,www.milw0rm.com/exploits/7543; reference:bugtraq,32966; reference:url,doc.emergingthreats.net/2009010; classtype:web-application-attack; sid:2009010; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS p-Table for WordPress wptable-tinymce.php ABSPATH Parameter RFI Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/js/wptable-tinymce.php?"; nocase; uricontent:"ABSPATH="; nocase; pcre:"/ABSPATH\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/56763; reference:url,doc.emergingthreats.net/2010473; classtype:web-application-attack; sid:2010473; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress wp-admin/admin.php Module Configuration Security Bypass Attempt"; flow:established,to_server; uricontent:"/wp-admin/admin.php"; nocase; content:"page="; nocase; pcre:"/\x2Fwp\x2Dadmin\x2Fadmin\x2Ephp.+page\x3D(\x2Fcollapsing\x2Darchives\x2Foptions\x2Etxt|akismet\x2Freadme\x2Etxt|related\x2Dways\x2Dto\x2Dtake\x2Daction\x2Foptions\x2Ephp|wp\x2Dsecurity\x2Dscan\x2Fsecurityscan\x2Ephp)/Ui"; reference:url,www.securityfocus.com/bid/35584; reference:cve,2009-2334; reference:url,doc.emergingthreats.net/2010728; classtype:web-application-attack; sid:2010728; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress NextGEN Gallery Plugin Cross Site Scripting Attempt"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/wp-content/plugins/nextgen-gallery/xml/media-rss.php"; nocase; uricontent:"mode="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,www.coresecurity.com/content/nextgen-gallery-xss-vulnerability; reference:cve,2010-1186; reference:url,doc.emergingthreats.net/2011006; classtype:web-application-attack; sid:2011006; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/wp-content/plugins/cpl/cplphoto.php?"; nocase; uricontent:"postid="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,www.exploit-db.com/exploits/11458; reference:url,doc.emergingthreats.net/2011044; classtype:web-application-attack; sid:2011044; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/wp-content/plugins/cpl/cplphoto.php?"; nocase; uricontent:"postid="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,www.exploit-db.com/exploits/11458; reference:url,doc.emergingthreats.net/2011045; classtype:web-application-attack; sid:2011045; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/wp-content/plugins/cpl/cplphoto.php?"; nocase; uricontent:"postid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,www.exploit-db.com/exploits/11458; reference:url,doc.emergingthreats.net/2011071; classtype:web-application-attack; sid:2011071; rev:1; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/wp-content/plugins/cpl/cplphoto.php?"; nocase; uricontent:"postid="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,www.exploit-db.com/exploits/11458; reference:url,doc.emergingthreats.net/2011046; classtype:web-application-attack; sid:2011046; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/wp-content/plugins/cpl/cplphoto.php?"; nocase; uricontent:"postid="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:url,www.exploit-db.com/exploits/11458; reference:url,doc.emergingthreats.net/2011047; classtype:web-application-attack; sid:2011047; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress WP-Cumulus Plugin tagcloud.swf Cross-Site Scripting Attempt"; flow:established,to_server; uricontent:"/wp-content/plugins/wp-cumulus/tagcloud.swf"; nocase; uricontent:"mode=tags"; nocase; uricontent:"tagcloud="; nocase; pcre:"/tagcloud\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,doc.emergingthreats.net/2011107; classtype:web-application-attack; sid:2011107; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id SELECT"; flow:established,to_server; uricontent:"/devami.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1438; reference:url,www.milw0rm.com/exploits/3469; reference:url,doc.emergingthreats.net/2004343; classtype:web-application-attack; sid:2004343; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id UNION SELECT"; flow:established,to_server; uricontent:"/devami.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1438; reference:url,www.milw0rm.com/exploits/3469; reference:url,doc.emergingthreats.net/2004344; classtype:web-application-attack; sid:2004344; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id INSERT"; flow:established,to_server; uricontent:"/devami.asp?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1438; reference:url,www.milw0rm.com/exploits/3469; reference:url,doc.emergingthreats.net/2004345; classtype:web-application-attack; sid:2004345; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id DELETE"; flow:established,to_server; uricontent:"/devami.asp?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1438; reference:url,www.milw0rm.com/exploits/3469; reference:url,doc.emergingthreats.net/2004346; classtype:web-application-attack; sid:2004346; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id ASCII"; flow:established,to_server; uricontent:"/devami.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1438; reference:url,www.milw0rm.com/exploits/3469; reference:url,doc.emergingthreats.net/2004347; classtype:web-application-attack; sid:2004347; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id UPDATE"; flow:established,to_server; uricontent:"/devami.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1438; reference:url,www.milw0rm.com/exploits/3469; reference:url,doc.emergingthreats.net/2004348; classtype:web-application-attack; sid:2004348; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id SELECT"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005117; classtype:web-application-attack; sid:2005117; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id UNION SELECT"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005118; classtype:web-application-attack; sid:2005118; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id INSERT"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005119; classtype:web-application-attack; sid:2005119; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id DELETE"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005120; classtype:web-application-attack; sid:2005120; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id ASCII"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005121; classtype:web-application-attack; sid:2005121; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id UPDATE"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005122; classtype:web-application-attack; sid:2005122; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from SELECT"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"from="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005123; classtype:web-application-attack; sid:2005123; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from UNION SELECT"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"from="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005124; classtype:web-application-attack; sid:2005124; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from INSERT"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"from="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005125; classtype:web-application-attack; sid:2005125; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from DELETE"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"from="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005126; classtype:web-application-attack; sid:2005126; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from ASCII"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"from="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005127; classtype:web-application-attack; sid:2005127; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from UPDATE"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"from="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005128; classtype:web-application-attack; sid:2005128; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q SELECT"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"q="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005129; classtype:web-application-attack; sid:2005129; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q UNION SELECT"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"q="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005130; classtype:web-application-attack; sid:2005130; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q INSERT"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"q="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005131; classtype:web-application-attack; sid:2005131; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q DELETE"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"q="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005132; classtype:web-application-attack; sid:2005132; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q ASCII"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"q="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005133; classtype:web-application-attack; sid:2005133; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q UPDATE"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"q="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005134; classtype:web-application-attack; sid:2005134; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/function_core.php?"; nocase; uricontent:"web_root="; nocase; pcre:"/web_root=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/31920; reference:bugtraq,31225; reference:url,milw0rm.com/exploits/6480; reference:url,doc.emergingthreats.net/2009925; classtype:web-application-attack; sid:2009925; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Local File Inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/includes/function_core.php?"; nocase; uricontent:"web_root="; nocase; content:"../"; reference:url,secunia.com/advisories/31920; reference:bugtraq,31225; reference:url,milw0rm.com/exploits/6480; reference:url,doc.emergingthreats.net/2009926; classtype:web-application-attack; sid:2009926; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/templates/layout_lyrics.php?"; nocase; uricontent:"web_root="; nocase; pcre:"/web_root=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/31920; reference:bugtraq,31225; reference:url,milw0rm.com/exploits/6480; reference:url,doc.emergingthreats.net/2009927; classtype:web-application-attack; sid:2009927; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Local file Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/templates/layout_lyrics.php?"; nocase; uricontent:"web_root="; nocase; content:"../"; reference:url,secunia.com/advisories/31920; reference:bugtraq,31225; reference:url,milw0rm.com/exploits/6480; reference:url,doc.emergingthreats.net/2009928; classtype:web-application-attack; sid:2009928; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X7 Chat mini.php help_file Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/mini.php?"; nocase; uricontent:"help_file="; nocase; content:"../"; reference:url,milw0rm.com/exploits/6592; reference:bugtraq,31460; reference:url,doc.emergingthreats.net/2009194; classtype:web-application-attack; sid:2009194; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS XAMPP showcode.php TEXT Parameter Cross Site Scripting Attempt"; flow:to_server,established; uricontent:"/xampp/showcode.php?"; nocase; uricontent:"TEXT[global-showcode]="; nocase; pcre:"/(onmouse|onkey|onload=|onblur=|ondragdrop=|onclick=|alert|<script|<img|<src)/Ui"; reference:bugtraq,37997; reference:url,doc.emergingthreats.net/2011138; classtype:web-application-attack; sid:2011138; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS XAMPP xamppsecurity.phpp TEXT Parameter Cross Site Scripting Attempt"; flow:to_server,established; uricontent:"/xampp/xamppsecurity.php?"; nocase; uricontent:"TEXT[global-showcode]="; nocase; pcre:"/(onmouse|onkey|onload=|onblur=|ondragdrop=|onclick=|alert|<script|<img|<src)/Ui"; reference:bugtraq,37997; reference:url,doc.emergingthreats.net/2011139; classtype:web-application-attack; sid:2011139; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-BLC get_read.php section Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/include/get_read.php?"; nocase; uricontent:"section="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,milw0rm.com/exploits/8258; reference:bugtraq,34197; reference:url,doc.emergingthreats.net/2009738; classtype:web-application-attack; sid:2009738; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album SELECT"; flow:established,to_server; uricontent:"/view.php?"; nocase; uricontent:"album="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1026; reference:url,www.milw0rm.com/exploits/3327; reference:url,doc.emergingthreats.net/2004857; classtype:web-application-attack; sid:2004857; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album UNION SELECT"; flow:established,to_server; uricontent:"/view.php?"; nocase; uricontent:"album="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1026; reference:url,www.milw0rm.com/exploits/3327; reference:url,doc.emergingthreats.net/2004858; classtype:web-application-attack; sid:2004858; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album INSERT"; flow:established,to_server; uricontent:"/view.php?"; nocase; uricontent:"album="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1026; reference:url,www.milw0rm.com/exploits/3327; reference:url,doc.emergingthreats.net/2004859; classtype:web-application-attack; sid:2004859; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album DELETE"; flow:established,to_server; uricontent:"/view.php?"; nocase; uricontent:"album="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1026; reference:url,www.milw0rm.com/exploits/3327; reference:url,doc.emergingthreats.net/2004860; classtype:web-application-attack; sid:2004860; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album ASCII"; flow:established,to_server; uricontent:"/view.php?"; nocase; uricontent:"album="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1026; reference:url,www.milw0rm.com/exploits/3327; reference:url,doc.emergingthreats.net/2004861; classtype:web-application-attack; sid:2004861; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album UPDATE"; flow:established,to_server; uricontent:"/view.php?"; nocase; uricontent:"album="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1026; reference:url,www.milw0rm.com/exploits/3327; reference:url,doc.emergingthreats.net/2004862; classtype:web-application-attack; sid:2004862; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS XRMS CRM workflow-activities.php include_directory Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/activities/workflow-activities.php?"; nocase; uricontent:"include_directory="; nocase; pcre:"/include_directory=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2008-3399; reference:url,milw0rm.com/exploits/6131; reference:url,xforce.iss.net/xforce/xfdb/43992; reference:url,doc.emergingthreats.net/2009870; classtype:web-application-attack; sid:2009870; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops Articles modules print.php SQL injection attempt"; flow:to_server,established; uricontent:"/print.php?"; nocase; uricontent:"id="; nocase; pcre:"/id=-?\d+.+UNION.+SELECT/Ui"; reference:bugtraq,23160; reference:url,doc.emergingthreats.net/2003516; classtype:web-application-attack; sid:2003516; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iPhotoAlbum header.php remote file include"; flow:established,to_server; uricontent:"/header.php?"; nocase; uricontent:"set_menu="; nocase; pcre:"/set_menu=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,23189; reference:url,doc.emergingthreats.net/2003517; classtype:web-application-attack; sid:2003517; rev:6; metadata:affected_product Any, attack_target Server, deployment Datacenter, tag Remote_File_Include, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id SELECT"; flow:established,to_server; uricontent:"/kernel/group.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005378; classtype:web-application-attack; sid:2005378; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id UNION SELECT"; flow:established,to_server; uricontent:"/kernel/group.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005379; classtype:web-application-attack; sid:2005379; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id INSERT"; flow:established,to_server; uricontent:"/kernel/group.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005380; classtype:web-application-attack; sid:2005380; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id DELETE"; flow:established,to_server; uricontent:"/kernel/group.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005381; classtype:web-application-attack; sid:2005381; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id ASCII"; flow:established,to_server; uricontent:"/kernel/group.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005382; classtype:web-application-attack; sid:2005382; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id UPDATE"; flow:established,to_server; uricontent:"/kernel/group.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005383; classtype:web-application-attack; sid:2005383; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid SELECT"; flow:established,to_server; uricontent:"/class/table_broken.php?"; nocase; uricontent:"lid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005384; classtype:web-application-attack; sid:2005384; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid UNION SELECT"; flow:established,to_server; uricontent:"/class/table_broken.php?"; nocase; uricontent:"lid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005385; classtype:web-application-attack; sid:2005385; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid INSERT"; flow:established,to_server; uricontent:"/class/table_broken.php?"; nocase; uricontent:"lid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005386; classtype:web-application-attack; sid:2005386; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid DELETE"; flow:established,to_server; uricontent:"/class/table_broken.php?"; nocase; uricontent:"lid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005387; classtype:web-application-attack; sid:2005387; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid ASCII"; flow:established,to_server; uricontent:"/class/table_broken.php?"; nocase; uricontent:"lid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005388; classtype:web-application-attack; sid:2005388; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid UPDATE"; flow:established,to_server; uricontent:"/class/table_broken.php?"; nocase; uricontent:"lid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005389; classtype:web-application-attack; sid:2005389; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id SELECT"; flow:established,to_server; uricontent:"/print.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-3311; reference:url,www.milw0rm.com/exploits/3588; reference:url,doc.emergingthreats.net/2006486; classtype:web-application-attack; sid:2006486; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id UNION SELECT"; flow:established,to_server; uricontent:"/print.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3311; reference:url,www.milw0rm.com/exploits/3588; reference:url,doc.emergingthreats.net/2006487; classtype:web-application-attack; sid:2006487; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id INSERT"; flow:established,to_server; uricontent:"/print.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-3311; reference:url,www.milw0rm.com/exploits/3588; reference:url,doc.emergingthreats.net/2006488; classtype:web-application-attack; sid:2006488; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id DELETE"; flow:established,to_server; uricontent:"/print.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-3311; reference:url,www.milw0rm.com/exploits/3588; reference:url,doc.emergingthreats.net/2006489; classtype:web-application-attack; sid:2006489; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id ASCII"; flow:established,to_server; uricontent:"/print.php?"; nocase; uricontent:"id="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3311; reference:url,www.milw0rm.com/exploits/3588; reference:url,doc.emergingthreats.net/2006490; classtype:web-application-attack; sid:2006490; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id UPDATE"; flow:established,to_server; uricontent:"/print.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-3311; reference:url,www.milw0rm.com/exploits/3588; reference:url,doc.emergingthreats.net/2006491; classtype:web-application-attack; sid:2006491; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS XOOPS Makale Module id SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/makale.php?id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:url,secunia.com/advisories/32347/; reference:url,www.milw0rm.com/exploits/6795; reference:url,doc.emergingthreats.net/2008688; classtype:web-application-attack; sid:2008688; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Celepar module for Xoops aviso.php codigo SQL injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/qas/aviso.php?"; nocase; uricontent:"codigo="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,milw0rm.com/exploits/9249; reference:url,xforce.iss.net/xforce/xfdb/51985; reference:url,doc.emergingthreats.net/2010121; classtype:web-application-attack; sid:2010121; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS XOOPS Module dictionary 2.0.18 (detail.php) SQL Injection Attempt"; flow:established,to_server; uricontent:"/dictionary/detail.php?"; nocase; uricontent:"id="; nocase; pcre:"/(\?|&)id=[^\x26\x3B]*[^\d\x2D]/iU"; reference:url,www.packetstormsecurity.org/0912-exploits/xoopsdictionary-sql.txt; reference:url,doc.emergingthreats.net/2010607; classtype:web-application-attack; sid:2010607; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news SELECT"; flow:established,to_server; uricontent:"/show_news.php?"; nocase; uricontent:"id_news="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6747; reference:url,www.securityfocus.com/bid/21719; reference:url,doc.emergingthreats.net/2006213; classtype:web-application-attack; sid:2006213; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news UNION SELECT"; flow:established,to_server; uricontent:"/show_news.php?"; nocase; uricontent:"id_news="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6747; reference:url,www.securityfocus.com/bid/21719; reference:url,doc.emergingthreats.net/2006214; classtype:web-application-attack; sid:2006214; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news INSERT"; flow:established,to_server; uricontent:"/show_news.php?"; nocase; uricontent:"id_news="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6747; reference:url,www.securityfocus.com/bid/21719; reference:url,doc.emergingthreats.net/2006215; classtype:web-application-attack; sid:2006215; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news DELETE"; flow:established,to_server; uricontent:"/show_news.php?"; nocase; uricontent:"id_news="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6747; reference:url,www.securityfocus.com/bid/21719; reference:url,doc.emergingthreats.net/2006216; classtype:web-application-attack; sid:2006216; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news ASCII"; flow:established,to_server; uricontent:"/show_news.php?"; nocase; uricontent:"id_news="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6747; reference:url,www.securityfocus.com/bid/21719; reference:url,doc.emergingthreats.net/2006217; classtype:web-application-attack; sid:2006217; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news UPDATE"; flow:established,to_server; uricontent:"/show_news.php?"; nocase; uricontent:"id_news="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6747; reference:url,www.securityfocus.com/bid/21719; reference:url,doc.emergingthreats.net/2006218; classtype:web-application-attack; sid:2006218; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder SELECT"; flow:established,to_server; uricontent:"/displaypic.asp?"; nocase; uricontent:"sortorder="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6937; reference:url,www.securityfocus.com/bid/21138; reference:url,doc.emergingthreats.net/2005609; classtype:web-application-attack; sid:2005609; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder UNION SELECT"; flow:established,to_server; uricontent:"/displaypic.asp?"; nocase; uricontent:"sortorder="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6937; reference:url,www.securityfocus.com/bid/21138; reference:url,doc.emergingthreats.net/2005610; classtype:web-application-attack; sid:2005610; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder INSERT"; flow:established,to_server; uricontent:"/displaypic.asp?"; nocase; uricontent:"sortorder="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6937; reference:url,www.securityfocus.com/bid/21138; reference:url,doc.emergingthreats.net/2005611; classtype:web-application-attack; sid:2005611; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder DELETE"; flow:established,to_server; uricontent:"/displaypic.asp?"; nocase; uricontent:"sortorder="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6937; reference:url,www.securityfocus.com/bid/21138; reference:url,doc.emergingthreats.net/2005612; classtype:web-application-attack; sid:2005612; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder ASCII"; flow:established,to_server; uricontent:"/displaypic.asp?"; nocase; uricontent:"sortorder="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6937; reference:url,www.securityfocus.com/bid/21138; reference:url,doc.emergingthreats.net/2005613; classtype:web-application-attack; sid:2005613; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder UPDATE"; flow:established,to_server; uricontent:"/displaypic.asp?"; nocase; uricontent:"sortorder="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6937; reference:url,www.securityfocus.com/bid/21138; reference:url,doc.emergingthreats.net/2005614; classtype:web-application-attack; sid:2005614; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/update_trailer.php?"; nocase; uricontent:"context[path_to_root]="; nocase; pcre:"/context\[path_to_root\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8066; reference:url,secunia.com/advisories/33959/; reference:url,doc.emergingthreats.net/2009190; classtype:web-application-attack; sid:2009190; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/update_trailer.php?"; nocase; uricontent:"context[path_to_root]="; nocase; content:"../"; reference:url,milw0rm.com/exploits/8066; reference:url,secunia.com/advisories/33959/; reference:url,doc.emergingthreats.net/2009191; classtype:web-application-attack; sid:2009191; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS YaPig last_gallery.php YAPIG_PATH Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/last_gallery.php?"; nocase; uricontent:"YAPIG_PATH="; nocase; pcre:"/YAPIG_PATH=\s*(ftps?|https?|php)\:\//Ui"; reference:url,inj3ct0r.com/exploits/11708; reference:url,doc.emergingthreats.net/2011098; classtype:web-application-attack; sid:2011098; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Yaap Remote Inclusion Attempt -- common.php root_path"; flow:established,to_server; uricontent:"/includes/common.php?"; nocase; uricontent:"root_path="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2664; reference:url,www.milw0rm.com/exploits/3908; reference:url,doc.emergingthreats.net/2003739; classtype:web-application-attack; sid:2003739; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Yahoo CD Player ActiveX Open Stack Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"5622772D-6C27-11D3-95E5-006008D14F3B"; nocase; distance:0; content:"Open"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5622772D-6C27-11D3-95E5-006008D14F3B/si"; reference:url,www.shinnai.net/exploits/pD9YWswsoR3EIcE9bf3N.txt; reference:url,doc.emergingthreats.net/2010945; classtype:attempted-user; sid:2010945; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Yahoo CD Player ActiveX Open Stack Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"YoPlayer.YoPlyCd.1"; nocase; distance:0; content:"open"; nocase; reference:url,www.shinnai.net/exploits/pD9YWswsoR3EIcE9bf3N.txt; reference:url,doc.emergingthreats.net/2010946; classtype:attempted-user; sid:2010946; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS YapBB class_yapbbcooker.php cfgIncludeDirectory Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/class_yapbbcooker.php?"; nocase; uricontent:"cfgIncludeDirectory="; nocase; pcre:"/cfgIncludeDirectory=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,30686; reference:url,doc.emergingthreats.net/2009316; classtype:web-application-attack; sid:2009316; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS YourFreeWorld Autoresponder hosting tr.php id Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/autoresponderhosting/tr.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/32504/; reference:url,milw0rm.com/exploits/6938; reference:url,doc.emergingthreats.net/2008817; classtype:web-application-attack; sid:2008817; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS YourFreeWorld Reminder Service tr.php id Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/reminderservice/tr.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/32504/; reference:url,milw0rm.com/exploits/6943; reference:url,doc.emergingthreats.net/2008818; classtype:web-application-attack; sid:2008818; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS YourFreeWorld Classifieds Blaster tr.php id Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/classifiedsblaster/tr.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/32504/; reference:url,milw0rm.com/exploits/6944; reference:url,doc.emergingthreats.net/2008819; classtype:web-application-attack; sid:2008819; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS YouTube Blog cuerpo.php base_archivo Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/cuenta/cuerpo.php?"; nocase; uricontent:"base_archivo="; nocase; content:"../"; reference:url,milw0rm.com/exploits/6117; reference:bugtraq,30345; reference:url,secunia.com/advisories/31161; reference:url,doc.emergingthreats.net/2009393; classtype:web-application-attack; sid:2009393; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ZABBIX locales.php srclang Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/locales.php?"; nocase; uricontent:"next="; nocase; uricontent:"srclang="; nocase; content:"../"; reference:url,secunia.com/advisories/34091/; reference:url,milw0rm.com/exploits/8140; reference:bugtraq,33965; reference:url,doc.emergingthreats.net/2009329; classtype:web-application-attack; sid:2009329; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 4274 (msg:"ET WEB_SPECIFIC_APPS Possible Xedus Webserver Directory Traversal Attempt"; flow: to_server,established; content:"/../data/log.txt"; content:"/../WINNT/"; nocase; reference:url,www.gulftech.org/?node=research&article_id=00047-08302004; reference:url,doc.emergingthreats.net/2001238; classtype:web-application-activity; sid:2001238; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS zeeproperty adid Parameter Remote SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/bannerclick.php?adid="; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/Advisories/32333/; reference:url,milw0rm.com/exploits/6780; reference:url,doc.emergingthreats.net/2008686; classtype:web-application-attack; sid:2008686; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Zen Cart Remote Code Execution "; flow:to_server,established; content:"POST "; depth:5; nocase; content:"admin/record_company.php/password_forgotten.php"; content:"action=insert"; nocase; depth:100; reference:url,www.securityfocus.com/bid/35467; reference:url,www.milw0rm.com/exploits/9004; reference:url,doc.emergingthreats.net/2009663; classtype:web-application-activity; sid:2009693; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application INTO OUTFILE SQL Injection Attempt"; flow:established,to_server; uricontent:"/zport/dmd/Events/getJSONEventsInfo"; nocase; uricontent:"severity="; nocase; content:"INTO"; nocase; content:"OUTFILE"; nocase; pcre:"/INTO.+OUTFILE/Ui"; reference:url,www.securityfocus.com/bid/37802/info; reference:url,doc.emergingthreats.net/2010669; classtype:web-application-attack; sid:2010669; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application SELECT FROM SQL Injection Attempt"; flow:established,to_server; uricontent:"/zport/dmd/Events/getJSONEventsInfo"; nocase; uricontent:"severity="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,www.securityfocus.com/bid/37802/info; reference:url,doc.emergingthreats.net/2010670; classtype:web-application-attack; sid:2010670; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application INSERT INTO SQL Injection Attempt"; flow:established,to_server; uricontent:"/zport/dmd/Events/getJSONEventsInfo"; nocase; uricontent:"severity="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,www.securityfocus.com/bid/37802/info; reference:url,doc.emergingthreats.net/2010672; classtype:web-application-attack; sid:2010672; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application UNTION SELECT SQL Injection Attempt"; flow:established,to_server; uricontent:"/zport/dmd/Events/getJSONEventsInfo"; nocase; uricontent:"severity="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,www.securityfocus.com/bid/37802/info; reference:url,doc.emergingthreats.net/2010673; classtype:web-application-attack; sid:2010673; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery Attempt"; flow:established,to_server; uricontent:"/zport/dmd/ZenUsers/admin"; nocase; uricontent:"defaultAdminLevel"; nocase; uricontent:"manage_editUserSettings"; nocase; uricontent:"method=Save"; nocase; uricontent:"password="; nocase; uricontent:"zenScreenName=editUserSettings"; nocase; reference:url,www.securityfocus.com/bid/37843; reference:url,doc.emergingthreats.net/2010761; classtype:web-application-attack; sid:2010761; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery UserCommand Attempt"; flow:established,to_server; content:"/zport/dmd/Devices/devices/localhost/manage_doUserCommand"; nocase; http_uri; content:"commandId="; http_uri; nocase; distance:0; pcre:"/commandId\x3D[a-z]/Ui"; reference:url,www.securityfocus.com/bid/37843; reference:url,doc.emergingthreats.net/2010762; classtype:web-application-attack; sid:2010762; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery Ping UserCommand Attempt"; flow:established,to_server; uricontent:"/zport/dmd/userCommands/ping"; nocase; uricontent:"commandId=ping"; nocase; uricontent:"manage_editUserCommand"; nocase; uricontent:"ScreenName=userCommandDetail"; nocase; reference:url,www.securityfocus.com/bid/37843; reference:url,doc.emergingthreats.net/2010763; classtype:web-application-attack; sid:2010763; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id SELECT"; flow:established,to_server; uricontent:"/functions.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1122; reference:url,www.securityfocus.com/bid/22685; reference:url,doc.emergingthreats.net/2004803; classtype:web-application-attack; sid:2004803; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id UNION SELECT"; flow:established,to_server; uricontent:"/functions.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1122; reference:url,www.securityfocus.com/bid/22685; reference:url,doc.emergingthreats.net/2004804; classtype:web-application-attack; sid:2004804; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id INSERT"; flow:established,to_server; uricontent:"/functions.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1122; reference:url,www.securityfocus.com/bid/22685; reference:url,doc.emergingthreats.net/2004805; classtype:web-application-attack; sid:2004805; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id DELETE"; flow:established,to_server; uricontent:"/functions.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1122; reference:url,www.securityfocus.com/bid/22685; reference:url,doc.emergingthreats.net/2004806; classtype:web-application-attack; sid:2004806; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id ASCII"; flow:established,to_server; uricontent:"/functions.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1122; reference:url,www.securityfocus.com/bid/22685; reference:url,doc.emergingthreats.net/2004807; classtype:web-application-attack; sid:2004807; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id UPDATE"; flow:established,to_server; uricontent:"/functions.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1122; reference:url,www.securityfocus.com/bid/22685; reference:url,doc.emergingthreats.net/2004808; classtype:web-application-attack; sid:2004808; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id SELECT"; flow:established,to_server; uricontent:"/mezungiris.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005192; classtype:web-application-attack; sid:2005192; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id UNION SELECT"; flow:established,to_server; uricontent:"/mezungiris.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005193; classtype:web-application-attack; sid:2005193; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id INSERT"; flow:established,to_server; uricontent:"/mezungiris.asp?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005194; classtype:web-application-attack; sid:2005194; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id DELETE"; flow:established,to_server; uricontent:"/mezungiris.asp?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005195; classtype:web-application-attack; sid:2005195; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id ASCII"; flow:established,to_server; uricontent:"/mezungiris.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005196; classtype:web-application-attack; sid:2005196; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id UPDATE"; flow:established,to_server; uricontent:"/mezungiris.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005197; classtype:web-application-attack; sid:2005197; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass SELECT"; flow:established,to_server; uricontent:"/mezungiris.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005198; classtype:web-application-attack; sid:2005198; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass UNION SELECT"; flow:established,to_server; uricontent:"/mezungiris.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005199; classtype:web-application-attack; sid:2005199; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass INSERT"; flow:established,to_server; uricontent:"/mezungiris.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005200; classtype:web-application-attack; sid:2005200; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass DELETE"; flow:established,to_server; uricontent:"/mezungiris.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005201; classtype:web-application-attack; sid:2005201; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass ASCII"; flow:established,to_server; uricontent:"/mezungiris.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005202; classtype:web-application-attack; sid:2005202; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass UPDATE"; flow:established,to_server; uricontent:"/mezungiris.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005203; classtype:web-application-attack; sid:2005203; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass SELECT"; flow:established,to_server; uricontent:"/ogretmenkontrol.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005204; classtype:web-application-attack; sid:2005204; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass UNION SELECT"; flow:established,to_server; uricontent:"/ogretmenkontrol.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005205; classtype:web-application-attack; sid:2005205; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass INSERT"; flow:established,to_server; uricontent:"/ogretmenkontrol.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005206; classtype:web-application-attack; sid:2005206; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass DELETE"; flow:established,to_server; uricontent:"/ogretmenkontrol.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005207; classtype:web-application-attack; sid:2005207; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass ASCII"; flow:established,to_server; uricontent:"/ogretmenkontrol.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005208; classtype:web-application-attack; sid:2005208; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass UPDATE"; flow:established,to_server; uricontent:"/ogretmenkontrol.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005209; classtype:web-application-attack; sid:2005209; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id SELECT"; flow:established,to_server; uricontent:"/ogretmenkontrol.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005210; classtype:web-application-attack; sid:2005210; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id UNION SELECT"; flow:established,to_server; uricontent:"/ogretmenkontrol.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005211; classtype:web-application-attack; sid:2005211; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id INSERT"; flow:established,to_server; uricontent:"/ogretmenkontrol.asp?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005212; classtype:web-application-attack; sid:2005212; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id DELETE"; flow:established,to_server; uricontent:"/ogretmenkontrol.asp?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005213; classtype:web-application-attack; sid:2005213; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id ASCII"; flow:established,to_server; uricontent:"/ogretmenkontrol.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005214; classtype:web-application-attack; sid:2005214; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id UPDATE"; flow:established,to_server; uricontent:"/ogretmenkontrol.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005215; classtype:web-application-attack; sid:2005215; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler SELECT"; flow:established,to_server; uricontent:"/plugins/mp3playlist/mp3playlist.php?"; nocase; uricontent:"speler="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2773; reference:url,www.milw0rm.com/exploits/3955; reference:url,doc.emergingthreats.net/2003981; classtype:web-application-attack; sid:2003981; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler UNION SELECT"; flow:established,to_server; uricontent:"/plugins/mp3playlist/mp3playlist.php?"; nocase; uricontent:"speler="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2773; reference:url,www.milw0rm.com/exploits/3955; reference:url,doc.emergingthreats.net/2003982; classtype:web-application-attack; sid:2003982; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler INSERT"; flow:established,to_server; uricontent:"/plugins/mp3playlist/mp3playlist.php?"; nocase; uricontent:"speler="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2773; reference:url,www.milw0rm.com/exploits/3955; reference:url,doc.emergingthreats.net/2003983; classtype:web-application-attack; sid:2003983; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler DELETE"; flow:established,to_server; uricontent:"/plugins/mp3playlist/mp3playlist.php?"; nocase; uricontent:"speler="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2773; reference:url,www.milw0rm.com/exploits/3955; reference:url,doc.emergingthreats.net/2003984; classtype:web-application-attack; sid:2003984; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler ASCII"; flow:established,to_server; uricontent:"/plugins/mp3playlist/mp3playlist.php?"; nocase; uricontent:"speler="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2773; reference:url,www.milw0rm.com/exploits/3955; reference:url,doc.emergingthreats.net/2003985; classtype:web-application-attack; sid:2003985; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler UPDATE"; flow:established,to_server; uricontent:"/plugins/mp3playlist/mp3playlist.php?"; nocase; uricontent:"speler="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2773; reference:url,www.milw0rm.com/exploits/3955; reference:url,doc.emergingthreats.net/2003986; classtype:web-application-attack; sid:2003986; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode SELECT"; flow:established,to_server; uricontent:"/faqDsp.asp?"; nocase; uricontent:"catcode="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6831; reference:url,www.milw0rm.com/exploits/3031; reference:url,doc.emergingthreats.net/2005979; classtype:web-application-attack; sid:2005979; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode UNION SELECT"; flow:established,to_server; uricontent:"/faqDsp.asp?"; nocase; uricontent:"catcode="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6831; reference:url,www.milw0rm.com/exploits/3031; reference:url,doc.emergingthreats.net/2005980; classtype:web-application-attack; sid:2005980; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode INSERT"; flow:established,to_server; uricontent:"/faqDsp.asp?"; nocase; uricontent:"catcode="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6831; reference:url,www.milw0rm.com/exploits/3031; reference:url,doc.emergingthreats.net/2005981; classtype:web-application-attack; sid:2005981; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode DELETE"; flow:established,to_server; uricontent:"/faqDsp.asp?"; nocase; uricontent:"catcode="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6831; reference:url,www.milw0rm.com/exploits/3031; reference:url,doc.emergingthreats.net/2005982; classtype:web-application-attack; sid:2005982; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode ASCII"; flow:established,to_server; uricontent:"/faqDsp.asp?"; nocase; uricontent:"catcode="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6831; reference:url,www.milw0rm.com/exploits/3031; reference:url,doc.emergingthreats.net/2005983; classtype:web-application-attack; sid:2005983; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode UPDATE"; flow:established,to_server; uricontent:"/faqDsp.asp?"; nocase; uricontent:"catcode="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6831; reference:url,www.milw0rm.com/exploits/3031; reference:url,doc.emergingthreats.net/2005984; classtype:web-application-attack; sid:2005984; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS artmedic weblog artmedic_print.php date Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/artmedic_print.php?"; nocase; uricontent:"date="; nocase; content:"../"; reference:url,secunia.com/advisories/28927/; reference:url,milw0rm.com/exploits/5116; reference:url,doc.emergingthreats.net/2009661; classtype:web-application-attack; sid:2009661; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS asaher pro view_messages.php row_y5_site_configuration Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/view_messages.php?"; nocase; uricontent:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; reference:url,doc.emergingthreats.net/2010771; classtype:web-application-attack; sid:2010771; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS asaher pro view_blog_comments.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/view_blog_comments.php?"; nocase; uricontent:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; reference:url,doc.emergingthreats.net/2010772; classtype:web-application-attack; sid:2010772; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS asaher pro view_blog_archives.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/view_blog_archives.php?"; nocase; uricontent:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; reference:url,doc.emergingthreats.net/2010773; classtype:web-application-attack; sid:2010773; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS asaher pro add_comments.php row_y5_site_configuration Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/add_comments.php?"; nocase; uricontent:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; reference:url,doc.emergingthreats.net/2010774; classtype:web-application-attack; sid:2010774; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS asaher pro downloads.php row_y5_site_configuration Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/downloads.php?"; nocase; uricontent:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; reference:url,doc.emergingthreats.net/2010775; classtype:web-application-attack; sid:2010775; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS asaher pro emailsender.php row_y5_site_configuration Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/emailsender.php?"; nocase; uricontent:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; reference:url,doc.emergingthreats.net/2010776; classtype:web-application-attack; sid:2010776; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS asaher pro left_menu.php row_y5_site_configuration Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/left_menu.php?"; nocase; uricontent:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; reference:url,doc.emergingthreats.net/2010777; classtype:web-application-attack; sid:2010777; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @Mail XSS Attempt -- ReadMsg.php"; flow:established,to_server; uricontent:"/ReadMsg.php?"; nocase; uricontent:"| 3C |"; uricontent:"SCRIPT"; nocase; uricontent:"| 3E |"; reference:cve,CVE-2007-2825; reference:url,xforce.iss.net/xforce/xfdb/34376; reference:url,doc.emergingthreats.net/2004557; classtype:web-application-attack; sid:2004557; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php SELECT"; flow:established,to_server; uricontent:"/bb-includes/formatting-functions.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3244; reference:url,trac.bbpress.org/ticket/592; reference:url,doc.emergingthreats.net/2005324; classtype:web-application-attack; sid:2005324; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php UNION SELECT"; flow:established,to_server; uricontent:"/bb-includes/formatting-functions.php?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3244; reference:url,trac.bbpress.org/ticket/592; reference:url,doc.emergingthreats.net/2005325; classtype:web-application-attack; sid:2005325; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php INSERT"; flow:established,to_server; uricontent:"/bb-includes/formatting-functions.php?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3244; reference:url,trac.bbpress.org/ticket/592; reference:url,doc.emergingthreats.net/2005326; classtype:web-application-attack; sid:2005326; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php DELETE"; flow:established,to_server; uricontent:"/bb-includes/formatting-functions.php?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3244; reference:url,trac.bbpress.org/ticket/592; reference:url,doc.emergingthreats.net/2005327; classtype:web-application-attack; sid:2005327; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php ASCII"; flow:established,to_server; uricontent:"/bb-includes/formatting-functions.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3244; reference:url,trac.bbpress.org/ticket/592; reference:url,doc.emergingthreats.net/2005328; classtype:web-application-attack; sid:2005328; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php UPDATE"; flow:established,to_server; uricontent:"/bb-includes/formatting-functions.php?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3244; reference:url,trac.bbpress.org/ticket/592; reference:url,doc.emergingthreats.net/2005329; classtype:web-application-attack; sid:2005329; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS bcoos adresses module viewcat.php cid Parameter SQL injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/modules/adresses/viewcat.php?"; nocase; uricontent:"cid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/Advisories/32870/; reference:url,milw0rm.com/exploits/7317; reference:url,doc.emergingthreats.net/2008929; classtype:web-application-attack; sid:2008929; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS beLive arch.php arch Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/arch.php?"; nocase; uricontent:"arch="; nocase; content:"../"; reference:url,milw0rm.com/exploits/8680; reference:bugtraq,34968; reference:url,secunia.com/advisories/35059/; reference:url,doc.emergingthreats.net/2009790; classtype:web-application-attack; sid:2009790; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk SELECT"; flow:established,to_server; uricontent:"/newsletters/edition.php?"; nocase; uricontent:"tk="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6923; reference:url,www.securityfocus.com/bid/20996; reference:url,doc.emergingthreats.net/2005766; classtype:web-application-attack; sid:2005766; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk UNION SELECT"; flow:established,to_server; uricontent:"/newsletters/edition.php?"; nocase; uricontent:"tk="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6923; reference:url,www.securityfocus.com/bid/20996; reference:url,doc.emergingthreats.net/2005767; classtype:web-application-attack; sid:2005767; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk INSERT"; flow:established,to_server; uricontent:"/newsletters/edition.php?"; nocase; uricontent:"tk="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6923; reference:url,www.securityfocus.com/bid/20996; reference:url,doc.emergingthreats.net/2005768; classtype:web-application-attack; sid:2005768; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk DELETE"; flow:established,to_server; uricontent:"/newsletters/edition.php?"; nocase; uricontent:"tk="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6923; reference:url,www.securityfocus.com/bid/20996; reference:url,doc.emergingthreats.net/2005769; classtype:web-application-attack; sid:2005769; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk ASCII"; flow:established,to_server; uricontent:"/newsletters/edition.php?"; nocase; uricontent:"tk="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6923; reference:url,www.securityfocus.com/bid/20996; reference:url,doc.emergingthreats.net/2005770; classtype:web-application-attack; sid:2005770; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk UPDATE"; flow:established,to_server; uricontent:"/newsletters/edition.php?"; nocase; uricontent:"tk="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6923; reference:url,www.securityfocus.com/bid/20996; reference:url,doc.emergingthreats.net/2005771; classtype:web-application-attack; sid:2005771; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cPanel fileop Parameter Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/frontend/x3/files/fileop.html?"; nocase; uricontent:"fileop="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,37394; reference:url,vupen.com/english/advisories/2009/3608; reference:url,doc.emergingthreats.net/2011115; classtype:web-application-attack; sid:2011115; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ccTiddly index.php cct_base parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"cct_base="; nocase; pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.milw0rm.com/exploits/7336; reference:url,secunia.com/Advisories/32995/; reference:url,doc.emergingthreats.net/2008966; classtype:web-application-attack; sid:2008966; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ccTiddly proxy.php cct_base parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/handle/proxy.php?"; nocase; uricontent:"cct_base="; nocase; pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.milw0rm.com/exploits/7336; reference:url,secunia.com/Advisories/32995/; reference:url,doc.emergingthreats.net/2008967; classtype:web-application-attack; sid:2008967; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ccTiddly header.php cct_base parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/header.php?"; nocase; uricontent:"cct_base="; nocase; pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.milw0rm.com/exploits/7336; reference:url,secunia.com/Advisories/32995/; reference:url,doc.emergingthreats.net/2008968; classtype:web-application-attack; sid:2008968; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ccTiddly include.php cct_base parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/include.php?"; nocase; uricontent:"cct_base="; nocase; pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.milw0rm.com/exploits/7336; reference:url,secunia.com/Advisories/32995/; reference:url,doc.emergingthreats.net/2008969; classtype:web-application-attack; sid:2008969; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ccTiddly workspace.php cct_base parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/workspace.php?"; nocase; uricontent:"cct_base="; nocase; pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.milw0rm.com/exploits/7336; reference:url,secunia.com/Advisories/32995/; reference:url,doc.emergingthreats.net/2008970; classtype:web-application-attack; sid:2008970; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cfagcms right.php title Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/right.php"; nocase; uricontent:"title="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,32851; reference:url,milw0rm.com/exploits/7483; reference:url,doc.emergingthreats.net/2009045; classtype:web-application-attack; sid:2009045; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse SELECT"; flow:established,to_server; uricontent:"/SelGruFra.asp?"; nocase; uricontent:"txtUse="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006171; classtype:web-application-attack; sid:2006171; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse UNION SELECT"; flow:established,to_server; uricontent:"/SelGruFra.asp?"; nocase; uricontent:"txtUse="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006172; classtype:web-application-attack; sid:2006172; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse INSERT"; flow:established,to_server; uricontent:"/SelGruFra.asp?"; nocase; uricontent:"txtUse="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006173; classtype:web-application-attack; sid:2006173; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse DELETE"; flow:established,to_server; uricontent:"/SelGruFra.asp?"; nocase; uricontent:"txtUse="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006174; classtype:web-application-attack; sid:2006174; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse ASCII"; flow:established,to_server; uricontent:"/SelGruFra.asp?"; nocase; uricontent:"txtUse="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006175; classtype:web-application-attack; sid:2006175; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse UPDATE"; flow:established,to_server; uricontent:"/SelGruFra.asp?"; nocase; uricontent:"txtUse="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006176; classtype:web-application-attack; sid:2006176; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas SELECT"; flow:established,to_server; uricontent:"/SelGruFra.asp?"; nocase; uricontent:"txtPas="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006177; classtype:web-application-attack; sid:2006177; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas UNION SELECT"; flow:established,to_server; uricontent:"/SelGruFra.asp?"; nocase; uricontent:"txtPas="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006178; classtype:web-application-attack; sid:2006178; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas INSERT"; flow:established,to_server; uricontent:"/SelGruFra.asp?"; nocase; uricontent:"txtPas="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006179; classtype:web-application-attack; sid:2006179; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas DELETE"; flow:established,to_server; uricontent:"/SelGruFra.asp?"; nocase; uricontent:"txtPas="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006180; classtype:web-application-attack; sid:2006180; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas ASCII"; flow:established,to_server; uricontent:"/SelGruFra.asp?"; nocase; uricontent:"txtPas="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006181; classtype:web-application-attack; sid:2006181; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas UPDATE"; flow:established,to_server; uricontent:"/SelGruFra.asp?"; nocase; uricontent:"txtPas="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006182; classtype:web-application-attack; sid:2006182; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cmsWorks lib.module.php mod_root Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/lib.module.php?"; nocase; uricontent:"mod_root"; nocase; pcre:"/mod_root=\s*(https?|ftps?|php)/Ui"; reference:url,milw0rm.com/exploits/5921; reference:bugtraq,29914; reference:url,doc.emergingthreats.net/2009367; classtype:web-application-attack; sid:2009367; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS com_if_nexus controller Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_if_nexus&"; nocase; uricontent:"controller="; nocase; pcre:"/controller\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.exploit-db.com/exploits/10754; reference:url,doc.emergingthreats.net/2010847; classtype:web-application-attack; sid:2010847; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category SELECT"; flow:established,to_server; uricontent:"/category.php?"; nocase; uricontent:"id_category="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2890; reference:url,www.milw0rm.com/exploits/3981; reference:url,doc.emergingthreats.net/2004053; classtype:web-application-attack; sid:2004053; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category UNION SELECT"; flow:established,to_server; uricontent:"/category.php?"; nocase; uricontent:"id_category="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2890; reference:url,www.milw0rm.com/exploits/3981; reference:url,doc.emergingthreats.net/2004054; classtype:web-application-attack; sid:2004054; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category INSERT"; flow:established,to_server; uricontent:"/category.php?"; nocase; uricontent:"id_category="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2890; reference:url,www.milw0rm.com/exploits/3981; reference:url,doc.emergingthreats.net/2004055; classtype:web-application-attack; sid:2004055; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category DELETE"; flow:established,to_server; uricontent:"/category.php?"; nocase; uricontent:"id_category="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2890; reference:url,www.milw0rm.com/exploits/3981; reference:url,doc.emergingthreats.net/2004056; classtype:web-application-attack; sid:2004056; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category ASCII"; flow:established,to_server; uricontent:"/category.php?"; nocase; uricontent:"id_category="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2890; reference:url,www.milw0rm.com/exploits/3981; reference:url,doc.emergingthreats.net/2004057; classtype:web-application-attack; sid:2004057; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category UPDATE"; flow:established,to_server; uricontent:"/category.php?"; nocase; uricontent:"id_category="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2890; reference:url,www.milw0rm.com/exploits/3981; reference:url,doc.emergingthreats.net/2004058; classtype:web-application-attack; sid:2004058; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer SELECT"; flow:established,to_server; uricontent:"/manufacturer.php?"; nocase; uricontent:"id_manufacturer="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2959; reference:url,www.securityfocus.com/bid/24223; reference:url,doc.emergingthreats.net/2004101; classtype:web-application-attack; sid:2004101; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer UNION SELECT"; flow:established,to_server; uricontent:"/manufacturer.php?"; nocase; uricontent:"id_manufacturer="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2959; reference:url,www.securityfocus.com/bid/24223; reference:url,doc.emergingthreats.net/2004102; classtype:web-application-attack; sid:2004102; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer INSERT"; flow:established,to_server; uricontent:"/manufacturer.php?"; nocase; uricontent:"id_manufacturer="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2959; reference:url,www.securityfocus.com/bid/24223; reference:url,doc.emergingthreats.net/2004103; classtype:web-application-attack; sid:2004103; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer DELETE"; flow:established,to_server; uricontent:"/manufacturer.php?"; nocase; uricontent:"id_manufacturer="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2959; reference:url,www.securityfocus.com/bid/24223; reference:url,doc.emergingthreats.net/2004104; classtype:web-application-attack; sid:2004104; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer ASCII"; flow:established,to_server; uricontent:"/manufacturer.php?"; nocase; uricontent:"id_manufacturer="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2959; reference:url,www.securityfocus.com/bid/24223; reference:url,doc.emergingthreats.net/2004105; classtype:web-application-attack; sid:2004105; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer UPDATE"; flow:established,to_server; uricontent:"/manufacturer.php?"; nocase; uricontent:"id_manufacturer="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2959; reference:url,www.securityfocus.com/bid/24223; reference:url,doc.emergingthreats.net/2004106; classtype:web-application-attack; sid:2004106; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/_functions.php?"; nocase; uricontent:"GLOBALS[prefix]="; nocase; pcre:"/GLOBALS\[prefix\]=\s*(ftps?|https?|php)\://Ui"; reference:bugtraq,35103; reference:url,milw0rm.com/exploits/8790; reference:url,doc.emergingthreats.net/2009874; classtype:web-application-attack; sid:2009874; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/_functions.php?"; nocase; uricontent:"GLOBALS[prefix]="; nocase; content:"../"; reference:bugtraq,35103; reference:url,milw0rm.com/exploits/8790; reference:url,doc.emergingthreats.net/2009875; classtype:web-application-attack; sid:2009875; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id SELECT"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"c_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0765; reference:url,www.milw0rm.com/exploits/3256; reference:url,doc.emergingthreats.net/2005033; classtype:web-application-attack; sid:2005033; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id UNION SELECT"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"c_id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0765; reference:url,www.milw0rm.com/exploits/3256; reference:url,doc.emergingthreats.net/2005034; classtype:web-application-attack; sid:2005034; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id INSERT"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"c_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0765; reference:url,www.milw0rm.com/exploits/3256; reference:url,doc.emergingthreats.net/2005035; classtype:web-application-attack; sid:2005035; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id DELETE"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"c_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0765; reference:url,www.milw0rm.com/exploits/3256; reference:url,doc.emergingthreats.net/2005036; classtype:web-application-attack; sid:2005036; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id ASCII"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"c_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0765; reference:url,www.milw0rm.com/exploits/3256; reference:url,doc.emergingthreats.net/2005037; classtype:web-application-attack; sid:2005037; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id UPDATE"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"c_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0765; reference:url,www.milw0rm.com/exploits/3256; reference:url,doc.emergingthreats.net/2005038; classtype:web-application-attack; sid:2005038; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"seite_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006951; classtype:web-application-attack; sid:2006951; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"seite_id="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006952; classtype:web-application-attack; sid:2006952; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"seite_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006953; classtype:web-application-attack; sid:2006953; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"seite_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006954; classtype:web-application-attack; sid:2006954; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"seite_id="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006955; classtype:web-application-attack; sid:2006955; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"seite_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006956; classtype:web-application-attack; sid:2006956; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"gruppe_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006957; classtype:web-application-attack; sid:2006957; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"gruppe_id="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006958; classtype:web-application-attack; sid:2006958; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"gruppe_id="; http_uri; fast_pattern; distance:0; nocase; content:"INSERT"; http_uri; distance:0; nocase;  content:"INTO"; http_uri; distance:0; nocase; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006959; classtype:web-application-attack; sid:2006959; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"gruppe_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006960; classtype:web-application-attack; sid:2006960; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"gruppe_id="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006961; classtype:web-application-attack; sid:2006961; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"gruppe_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006962; classtype:web-application-attack; sid:2006962; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"go_target="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006963; classtype:web-application-attack; sid:2006963; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"go_target="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006964; classtype:web-application-attack; sid:2006964; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"go_target="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006965; classtype:web-application-attack; sid:2006965; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"go_target="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006966; classtype:web-application-attack; sid:2006966; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"go_target="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006967; classtype:web-application-attack; sid:2006967; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"go_target="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006968; classtype:web-application-attack; sid:2006968; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc SELECT"; flow:established,to_server; uricontent:"/dettaglio.asp?"; nocase; uricontent:"id_doc="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006615; classtype:web-application-attack; sid:2006615; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc UNION SELECT"; flow:established,to_server; uricontent:"/dettaglio.asp?"; nocase; uricontent:"id_doc="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006616; classtype:web-application-attack; sid:2006616; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc INSERT"; flow:established,to_server; uricontent:"/dettaglio.asp?"; nocase; uricontent:"id_doc="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006617; classtype:web-application-attack; sid:2006617; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc DELETE"; flow:established,to_server; uricontent:"/dettaglio.asp?"; nocase; uricontent:"id_doc="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006618; classtype:web-application-attack; sid:2006618; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc ASCII"; flow:established,to_server; uricontent:"/dettaglio.asp?"; nocase; uricontent:"id_doc="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006619; classtype:web-application-attack; sid:2006619; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc UPDATE"; flow:established,to_server; uricontent:"/dettaglio.asp?"; nocase; uricontent:"id_doc="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006620; classtype:web-application-attack; sid:2006620; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut SELECT"; flow:established,to_server; uricontent:"/dettaglio.asp?"; nocase; uricontent:"id_aut="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006621; classtype:web-application-attack; sid:2006621; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut UNION SELECT"; flow:established,to_server; uricontent:"/dettaglio.asp?"; nocase; uricontent:"id_aut="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006622; classtype:web-application-attack; sid:2006622; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut INSERT"; flow:established,to_server; uricontent:"/dettaglio.asp?"; nocase; uricontent:"id_aut="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006623; classtype:web-application-attack; sid:2006623; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut DELETE"; flow:established,to_server; uricontent:"/dettaglio.asp?"; nocase; uricontent:"id_aut="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006624; classtype:web-application-attack; sid:2006624; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut ASCII"; flow:established,to_server; uricontent:"/dettaglio.asp?"; nocase; uricontent:"id_aut="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006625; classtype:web-application-attack; sid:2006625; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut UPDATE"; flow:established,to_server; uricontent:"/dettaglio.asp?"; nocase; uricontent:"id_aut="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006626; classtype:web-application-attack; sid:2006626; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e107 CMS backdoor access admin-access cookie and HTTP POST"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"|0d 0a|Cookie\: "; nocase; content:"admin-access="; content:"e107language_"; pcre:"/Cookie: .*admin-access=/i"; metadata: former_category WEB_SPECIFIC_APPS; reference:url,seclists.org/fulldisclosure/2010/Jan/480; reference:url,www.e107.org/news.php; reference:url,doc.emergingthreats.net/2010719; classtype:attempted-admin; sid:2010719; rev:3; metadata:created_at 2010_07_30, updated_at 2017_05_11;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e107 resetcore.php SQL Injection attempt"; flow:to_server,established; uricontent:"/resetcore.php?"; nocase; pcre:"/a_name='/Ui"; reference:bugtraq,15125; reference:url,doc.emergingthreats.net/2002663; classtype:web-application-attack; sid:2002663; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e107 BLOG Engine macgurublog.php uid Parameter SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/macgurublog.php?"; nocase; uricontent:"uid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,29344; reference:url,milw0rm.com/exploits/6856; reference:url,doc.emergingthreats.net/2008788; classtype:web-application-attack; sid:2008788; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e107 Plugin lyrics_menu lyrics_song.php l_id Parameter Remote SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/lyrics_song.php?"; nocase; uricontent:"l_id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/32477/; reference:url,milw0rm.com/exploits/6885; reference:url,doc.emergingthreats.net/2008813; classtype:web-application-attack; sid:2008813; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/123flashchat.php?"; nocase; uricontent:"e107path="; nocase; pcre:"/e107path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,xforce.iss.net/xforce/xfdb/41867; reference:url,secunia.com/advisories/29870; reference:url,milw0rm.com/exploits/5459; reference:url,doc.emergingthreats.net/2009435; classtype:web-application-attack; sid:2009435; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/123flashchat.php?"; nocase; uricontent:"e107path="; nocase; content:"../"; reference:url,xforce.iss.net/xforce/xfdb/41867; reference:url,secunia.com/advisories/29870; reference:url,milw0rm.com/exploits/5459; reference:url,doc.emergingthreats.net/2009436; classtype:web-application-attack; sid:2009436; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eFiction toplists.php list Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/toplists.php?"; nocase; uricontent:"list="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/30606/; reference:url,milw0rm.com/exploits/5785; reference:url,doc.emergingthreats.net/2009227; classtype:web-application-attack; sid:2009227; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible eFront database.php Remote File Inclusion Attempt"; flow:established,to_server; uricontent:"/libraries/database.php?"; nocase; uricontent:"="; pcre:"/\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A)/Ui"; reference:url,www.securityfocus.com/bid/36411/info; reference:url,www.owasp.org/index.php/PHP_File_Inclusion; reference:url,doc.emergingthreats.net/2009932; classtype:web-application-attack; sid:2009932; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 10616 (msg:"ET WEB_SPECIFIC_APPS EiQNetworks Security Analyzer Buffer Overflow"; flow:established,to_server; content:"LICMGR_ADDLICENSE&"; nocase; depth:18; isdataat:450,relative; pcre:"/LICMGR_ADDLICENSE&[^\x00\n\r@&]{450}/i"; reference:cve,2006-3838; reference:url,secunia.com/advisories/21211/; reference:url,doc.emergingthreats.net/2003056; classtype:attempted-admin; sid:2003056; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did SELECT"; flow:established,to_server; uricontent:"/mod.php?"; nocase; uricontent:"did="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005925; classtype:web-application-attack; sid:2005925; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did UNION SELECT"; flow:established,to_server; uricontent:"/mod.php?"; nocase; uricontent:"did="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005926; classtype:web-application-attack; sid:2005926; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did INSERT"; flow:established,to_server; uricontent:"/mod.php?"; nocase; uricontent:"did="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005927; classtype:web-application-attack; sid:2005927; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did DELETE"; flow:established,to_server; uricontent:"/mod.php?"; nocase; uricontent:"did="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005928; classtype:web-application-attack; sid:2005928; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did ASCII"; flow:established,to_server; uricontent:"/mod.php?"; nocase; uricontent:"did="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005929; classtype:web-application-attack; sid:2005929; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did UPDATE"; flow:established,to_server; uricontent:"/mod.php?"; nocase; uricontent:"did="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005930; classtype:web-application-attack; sid:2005930; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid SELECT"; flow:established,to_server; uricontent:"/mod.php?"; nocase; uricontent:"cid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005931; classtype:web-application-attack; sid:2005931; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid UNION SELECT"; flow:established,to_server; uricontent:"/mod.php?"; nocase; uricontent:"cid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005932; classtype:web-application-attack; sid:2005932; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid INSERT"; flow:established,to_server; uricontent:"/mod.php?"; nocase; uricontent:"cid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005933; classtype:web-application-attack; sid:2005933; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid DELETE"; flow:established,to_server; uricontent:"/mod.php?"; nocase; uricontent:"cid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005934; classtype:web-application-attack; sid:2005934; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid ASCII"; flow:established,to_server; uricontent:"/mod.php?"; nocase; uricontent:"cid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005935; classtype:web-application-attack; sid:2005935; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid UPDATE"; flow:established,to_server; uricontent:"/mod.php?"; nocase; uricontent:"cid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005936; classtype:web-application-attack; sid:2005936; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter local file inclusion"; flow:to_server,established; uricontent:"/index_inc.php?"; nocase; uricontent:"inc_ordner="; nocase; content:"../"; reference:url,secunia.com/advisories/33927/; reference:bugtraq,33774; reference:url,milw0rm.com/exploits/8052; reference:url,doc.emergingthreats.net/2009224; classtype:web-application-attack; sid:2009224; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter remote file inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index_inc.php?"; nocase; uricontent:"inc_ordner="; nocase; pcre:"/inc_ordner=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/33927/; reference:bugtraq,33774; reference:url,milw0rm.com/exploits/8052; reference:url,doc.emergingthreats.net/2009225; classtype:web-application-attack; sid:2009225; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS evision cms add3rdparty.php module parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/3rdparty/adminpart/add3rdparty.php?"; nocase; uricontent:"module="; nocase; pcre:"/(\.\.\/){1,}/U"; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; reference:url,doc.emergingthreats.net/2008849; classtype:web-application-attack; sid:2008849; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS evision cms addpolling.php module parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/polling/adminpart/addpolling.php?"; nocase; uricontent:"module="; nocase; pcre:"/(\.\.\/){1,}/U"; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; reference:url,doc.emergingthreats.net/2008850; classtype:web-application-attack; sid:2008850; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS evision cms addcontact.php module parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/contact/adminpart/addcontact.php?"; nocase; uricontent:"module="; nocase; pcre:"/(\.\.\/){1,}/U"; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; reference:url,doc.emergingthreats.net/2008851; classtype:web-application-attack; sid:2008851; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS evision cms addbrandnews.php module parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/brandnews/adminpart/addbrandnews.php?"; nocase; uricontent:"module="; nocase; pcre:"/(\.\.\/){1,}/U"; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; reference:url,doc.emergingthreats.net/2008852; classtype:web-application-attack; sid:2008852; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS evision cms addnewsletter.php module parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/newsletter/adminpart/addnewsletter.php?"; nocase; uricontent:"module="; nocase; pcre:"/(\.\.\/){1,}/U"; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; reference:url,doc.emergingthreats.net/2008853; classtype:web-application-attack; sid:2008853; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS evision cms addgame.php module parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/game/adminpart/addgame.php?"; nocase; uricontent:"module="; nocase; pcre:"/(\.\.\/){1,}/U"; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; reference:url,doc.emergingthreats.net/2008854; classtype:web-application-attack; sid:2008854; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS evision cms addtour.php module parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/tour/adminpart/addtour.php?"; nocase; uricontent:"module="; nocase; pcre:"/(\.\.\/){1,}/U"; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; reference:url,doc.emergingthreats.net/2008855; classtype:web-application-attack; sid:2008855; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS evision cms addarticles.php module parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/articles/adminpart/addarticles.php?"; nocase; uricontent:"module="; nocase; pcre:"/(\.\.\/){1,}/U"; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; reference:url,doc.emergingthreats.net/2008856; classtype:web-application-attack; sid:2008856; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS evision cms addproduct.php module parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/product/adminpart/addproduct.php?"; nocase; uricontent:"module="; nocase; pcre:"/(\.\.\/){1,}/U"; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; reference:url,doc.emergingthreats.net/2008857; classtype:web-application-attack; sid:2008857; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS evision cms addplain.php module parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/plain/adminpart/addplain.php?"; nocase; uricontent:"module="; nocase; pcre:"/(\.\.\/){1,}/U"; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; reference:url,doc.emergingthreats.net/2008858; classtype:web-application-attack; sid:2008858; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS epay a_affil.php _REQUEST Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/e-pay/src/a_affil.php?"; nocase; uricontent:"_REQUEST[read]="; nocase; pcre:"/_REQUEST\[read\]\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.exploit-db.com/exploits/10697; reference:url,doc.emergingthreats.net/2010661; classtype:web-application-attack; sid:2010661; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which SELECT"; flow:established,to_server; uricontent:"/index1.asp?"; nocase; uricontent:"which="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6117; reference:url,www.milw0rm.com/exploits/2829; reference:url,doc.emergingthreats.net/2007374; classtype:web-application-attack; sid:2007374; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which UNION SELECT"; flow:established,to_server; uricontent:"/index1.asp?"; nocase; uricontent:"which="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6117; reference:url,www.milw0rm.com/exploits/2829; reference:url,doc.emergingthreats.net/2007375; classtype:web-application-attack; sid:2007375; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which INSERT"; flow:established,to_server; uricontent:"/index1.asp?"; nocase; uricontent:"which="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6117; reference:url,www.milw0rm.com/exploits/2829; reference:url,doc.emergingthreats.net/2007376; classtype:web-application-attack; sid:2007376; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which DELETE"; flow:established,to_server; uricontent:"/index1.asp?"; nocase; uricontent:"which="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6117; reference:url,www.milw0rm.com/exploits/2829; reference:url,doc.emergingthreats.net/2007377; classtype:web-application-attack; sid:2007377; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which ASCII"; flow:established,to_server; uricontent:"/index1.asp?"; nocase; uricontent:"which="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6117; reference:url,www.milw0rm.com/exploits/2829; reference:url,doc.emergingthreats.net/2007378; classtype:web-application-attack; sid:2007378; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which UPDATE"; flow:established,to_server; uricontent:"/index1.asp?"; nocase; uricontent:"which="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6117; reference:url,www.milw0rm.com/exploits/2829; reference:url,doc.emergingthreats.net/2007379; classtype:web-application-attack; sid:2007379; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat SELECT"; flow:established,to_server; uricontent:"/default2.asp?"; nocase; uricontent:"kat="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6116; reference:url,www.milw0rm.com/exploits/2830; reference:url,doc.emergingthreats.net/2007380; classtype:web-application-attack; sid:2007380; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat UNION SELECT"; flow:established,to_server; uricontent:"/default2.asp?"; nocase; uricontent:"kat="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6116; reference:url,www.milw0rm.com/exploits/2830; reference:url,doc.emergingthreats.net/2007381; classtype:web-application-attack; sid:2007381; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat INSERT"; flow:established,to_server; uricontent:"/default2.asp?"; nocase; uricontent:"kat="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6116; reference:url,www.milw0rm.com/exploits/2830; reference:url,doc.emergingthreats.net/2007382; classtype:web-application-attack; sid:2007382; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat DELETE"; flow:established,to_server; uricontent:"/default2.asp?"; nocase; uricontent:"kat="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6116; reference:url,www.milw0rm.com/exploits/2830; reference:url,doc.emergingthreats.net/2007383; classtype:web-application-attack; sid:2007383; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat ASCII"; flow:established,to_server; uricontent:"/default2.asp?"; nocase; uricontent:"kat="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6116; reference:url,www.milw0rm.com/exploits/2830; reference:url,doc.emergingthreats.net/2007384; classtype:web-application-attack; sid:2007384; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat UPDATE"; flow:established,to_server; uricontent:"/default2.asp?"; nocase; uricontent:"kat="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6116; reference:url,www.milw0rm.com/exploits/2830; reference:url,doc.emergingthreats.net/2007385; classtype:web-application-attack; sid:2007385; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid SELECT"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"fid="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6115; reference:url,www.milw0rm.com/exploits/2828; reference:url,doc.emergingthreats.net/2007386; classtype:web-application-attack; sid:2007386; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid UNION SELECT"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"fid="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6115; reference:url,www.milw0rm.com/exploits/2828; reference:url,doc.emergingthreats.net/2007387; classtype:web-application-attack; sid:2007387; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid INSERT"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"fid="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6115; reference:url,www.milw0rm.com/exploits/2828; reference:url,doc.emergingthreats.net/2007388; classtype:web-application-attack; sid:2007388; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid DELETE"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"fid="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6115; reference:url,www.milw0rm.com/exploits/2828; reference:url,doc.emergingthreats.net/2007389; classtype:web-application-attack; sid:2007389; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid ASCII"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"fid="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6115; reference:url,www.milw0rm.com/exploits/2828; reference:url,doc.emergingthreats.net/2007390; classtype:web-application-attack; sid:2007390; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid UPDATE"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"fid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6115; reference:url,www.milw0rm.com/exploits/2828; reference:url,doc.emergingthreats.net/2007391; classtype:web-application-attack; sid:2007391; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fotolog XSS Attempt -- all_photos.html user"; flow:established,to_server; uricontent:"/all_photos.html?"; nocase; uricontent:"user="; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2724; reference:url,www.securityfocus.com/archive/1/archive/1/468316/100/0/threaded; reference:url,doc.emergingthreats.net/2003875; classtype:web-application-attack; sid:2003875; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid SELECT"; flow:established,to_server; uricontent:"/getnewsitem.php?"; nocase; uricontent:"newsid="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2971; reference:url,www.milw0rm.com/exploits/3988; reference:url,doc.emergingthreats.net/2004108; classtype:web-application-attack; sid:2004108; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid UNION SELECT"; flow:established,to_server; uricontent:"/getnewsitem.php?"; nocase; uricontent:"newsid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2971; reference:url,www.milw0rm.com/exploits/3988; reference:url,doc.emergingthreats.net/2004109; classtype:web-application-attack; sid:2004109; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid INSERT"; flow:established,to_server; uricontent:"/getnewsitem.php?"; nocase; uricontent:"newsid="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2971; reference:url,www.milw0rm.com/exploits/3988; reference:url,doc.emergingthreats.net/2004110; classtype:web-application-attack; sid:2004110; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid DELETE"; flow:established,to_server; uricontent:"/getnewsitem.php?"; nocase; uricontent:"newsid="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2971; reference:url,www.milw0rm.com/exploits/3988; reference:url,doc.emergingthreats.net/2004111; classtype:web-application-attack; sid:2004111; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid ASCII"; flow:established,to_server; uricontent:"/getnewsitem.php?"; nocase; uricontent:"newsid="; nocase; uricontent:"ASCII"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2971; reference:url,www.milw0rm.com/exploits/3988; reference:url,doc.emergingthreats.net/2004112; classtype:web-application-attack; sid:2004112; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid UPDATE"; flow:established,to_server; uricontent:"/getnewsitem.php?"; nocase; uricontent:"newsid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2971; reference:url,www.milw0rm.com/exploits/3988; reference:url,doc.emergingthreats.net/2004113; classtype:web-application-attack; sid:2004113; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gapicms toolbar.php dirDepth Parameter Remote File Inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/toolbar.php?"; nocase; uricontent:"dirDepth="; nocase; pcre:"/dirDepth=\s*(https?|ftps?|php)\:\//Ui"; reference:url,vupen.com/english/advisories/2008/2059; reference:url,milw0rm.com/exploits/6036; reference:url,doc.emergingthreats.net/2009188; classtype:web-application-attack; sid:2009188; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom.php ETCDIR"; flow:established,to_server; uricontent:"/libs/lom.php?"; nocase; uricontent:"ETCDIR="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003718; classtype:web-application-attack; sid:2003718; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom_update.php ETCDIR"; flow:established,to_server; uricontent:"/lom_update.php?"; nocase; uricontent:"ETCDIR="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003719; classtype:web-application-attack; sid:2003719; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- check-lom.php ETCDIR"; flow:established,to_server; uricontent:"/scripts/check-lom.php?"; nocase; uricontent:"ETCDIR="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003720; classtype:web-application-attack; sid:2003720; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- weigh_keywords.php ETCDIR"; flow:established,to_server; uricontent:"/scripts/weigh_keywords.php?"; nocase; uricontent:"ETCDIR="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003721; classtype:web-application-attack; sid:2003721; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- logout.php ETCDIR"; flow:established,to_server; uricontent:"/logout.php?"; nocase; uricontent:"ETCDIR="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003722; classtype:web-application-attack; sid:2003722; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- help.php ETCDIR"; flow:established,to_server; uricontent:"/help.php?"; nocase; uricontent:"ETCDIR="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003723; classtype:web-application-attack; sid:2003723; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- index.php ETCDIR"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"ETCDIR="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003724; classtype:web-application-attack; sid:2003724; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- login.php ETCDIR"; flow:established,to_server; uricontent:"/login.php?"; nocase; uricontent:"ETCDIR="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003725; classtype:web-application-attack; sid:2003725; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom.php ETCDIR"; flow:established,to_server; uricontent:"/web/lom.php?"; nocase; uricontent:"ETCDIR="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003747; classtype:web-application-attack; sid:2003747; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id SELECT"; flow:established,to_server; uricontent:"/display_review.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005807; classtype:web-application-attack; sid:2005807; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id UNION SELECT"; flow:established,to_server; uricontent:"/display_review.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005808; classtype:web-application-attack; sid:2005808; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id INSERT"; flow:established,to_server; uricontent:"/display_review.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005804; classtype:web-application-attack; sid:2005804; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id DELETE"; flow:established,to_server; uricontent:"/display_review.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005806; classtype:web-application-attack; sid:2005806; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id ASCII"; flow:established,to_server; uricontent:"/display_review.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005809; classtype:web-application-attack; sid:2005809; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id UPDATE"; flow:established,to_server; uricontent:"/display_review.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005810; classtype:web-application-attack; sid:2005810; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie SELECT"; flow:established,to_server; uricontent:"/display_review.php?"; nocase; uricontent:"user_login_cookie="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005811; classtype:web-application-attack; sid:2005811; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie UNION SELECT"; flow:established,to_server; uricontent:"/display_review.php?"; nocase; uricontent:"user_login_cookie="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005812; classtype:web-application-attack; sid:2005812; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie INSERT"; flow:established,to_server; uricontent:"/display_review.php?"; nocase; uricontent:"user_login_cookie="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005813; classtype:web-application-attack; sid:2005813; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie DELETE"; flow:established,to_server; uricontent:"/display_review.php?"; nocase; uricontent:"user_login_cookie="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005814; classtype:web-application-attack; sid:2005814; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie ASCII"; flow:established,to_server; uricontent:"/display_review.php?"; nocase; uricontent:"user_login_cookie="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005815; classtype:web-application-attack; sid:2005815; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie UPDATE"; flow:established,to_server; uricontent:"/display_review.php?"; nocase; uricontent:"user_login_cookie="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005816; classtype:web-application-attack; sid:2005816; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id SELECT"; flow:established,to_server; uricontent:"/compare_product.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0132; reference:url,www.milw0rm.com/exploits/3083; reference:url,doc.emergingthreats.net/2005817; classtype:web-application-attack; sid:2005817; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id UNION SELECT"; flow:established,to_server; uricontent:"/compare_product.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0132; reference:url,www.milw0rm.com/exploits/3083; reference:url,doc.emergingthreats.net/2005818; classtype:web-application-attack; sid:2005818; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id INSERT"; flow:established,to_server; uricontent:"/compare_product.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0132; reference:url,www.milw0rm.com/exploits/3083; reference:url,doc.emergingthreats.net/2005819; classtype:web-application-attack; sid:2005819; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id DELETE"; flow:established,to_server; uricontent:"/compare_product.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0132; reference:url,www.milw0rm.com/exploits/3083; reference:url,doc.emergingthreats.net/2005820; classtype:web-application-attack; sid:2005820; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id ASCII"; flow:established,to_server; uricontent:"/compare_product.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0132; reference:url,www.milw0rm.com/exploits/3083; reference:url,doc.emergingthreats.net/2005821; classtype:web-application-attack; sid:2005821; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id UPDATE"; flow:established,to_server; uricontent:"/compare_product.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0132; reference:url,www.milw0rm.com/exploits/3083; reference:url,doc.emergingthreats.net/2005822; classtype:web-application-attack; sid:2005822; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0130; reference:url,www.milw0rm.com/exploits/3082; reference:url,doc.emergingthreats.net/2005823; classtype:web-application-attack; sid:2005823; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id UNION SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0130; reference:url,www.milw0rm.com/exploits/3082; reference:url,doc.emergingthreats.net/2005824; classtype:web-application-attack; sid:2005824; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id INSERT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0130; reference:url,www.milw0rm.com/exploits/3082; reference:url,doc.emergingthreats.net/2005825; classtype:web-application-attack; sid:2005825; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id DELETE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0130; reference:url,www.milw0rm.com/exploits/3082; reference:url,doc.emergingthreats.net/2005826; classtype:web-application-attack; sid:2005826; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id ASCII"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0130; reference:url,www.milw0rm.com/exploits/3082; reference:url,doc.emergingthreats.net/2005827; classtype:web-application-attack; sid:2005827; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id UPDATE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0130; reference:url,www.milw0rm.com/exploits/3082; reference:url,doc.emergingthreats.net/2005828; classtype:web-application-attack; sid:2005828; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iPortal X gallery_show.asp GID parameter Blind SQL Injection Attempt"; flow:established,to_server; uricontent:"/gallery_show.asp?"; nocase; uricontent:"GID="; nocase; pcre:"/(\?|&)GID=[^\x26\x3B]*[^\d\x2D]/iU"; reference:url,www.packetstormsecurity.org/0912-exploits/galleryshow-sql.txt; reference:url,doc.emergingthreats.net/2010608; classtype:web-application-attack; sid:2010608; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"D="; nocase; uricontent:"SELECT"; fast_pattern:only; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006609; classtype:web-application-attack; sid:2006609; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"D="; nocase; http_uri; content:"UNION"; fast_pattern:only; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui";  reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006610; classtype:web-application-attack; sid:2006610; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"D="; nocase; uricontent:"INSERT"; fast_pattern:only; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006611; classtype:web-application-attack; sid:2006611; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"D="; nocase; uricontent:"DELETE"; fast_pattern:only; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006612; classtype:web-application-attack; sid:2006612; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; content:"D="; http_uri; content:"ASCII("; fast_pattern:only; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006613; classtype:web-application-attack; sid:2006613; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D UPDATE"; flow:established,to_server;uricontent:"/index.php?"; nocase; uricontent:"D="; nocase; uricontent:"UPDATE";  fast_pattern:only; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006614; classtype:web-application-attack; sid:2006614; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS icash Click&BaneX user_menu.asp ID parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/user_menu.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,milw0rm.com/exploits/7484; reference:bugtraq,32856; reference:url,doc.emergingthreats.net/2008997; classtype:web-application-attack; sid:2008997; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ispCP Omega admin1.template.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/tools/filemanager/skins/mobile/admin1.template.php?"; nocase; uricontent:"net2ftp_globals[application_skinsdir]="; nocase; pcre:"/net2ftp_globals\[application_skinsdir\]\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,packetstorm.foofus.com/1003-exploits/ispcp-rfi.txt; reference:bugtraq,38644; reference:url,doc.emergingthreats.net/2010979; classtype:web-application-attack; sid:2010979; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS justVisual contact.php fs_jVroot Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/test/pages/contact.php?"; nocase; uricontent:"fs_jVroot="; nocase; pcre:"/fs_jVroot\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/36072/; reference:url,milw0rm.com/exploits/9308; reference:url,doc.emergingthreats.net/2010191; classtype:web-application-attack; sid:2010191; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS justVisual pageTemplate.php fs_jVroot Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/system/pageTemplate.php?"; nocase; uricontent:"fs_jVroot="; nocase; pcre:"/fs_jVroot\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/36072/; reference:url,milw0rm.com/exploits/9308; reference:url,doc.emergingthreats.net/2010192; classtype:web-application-attack; sid:2010192; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS justVisual utilities.php fs_jVroot Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/system/utilities.php?"; nocase; uricontent:"fs_jVroot="; nocase; pcre:"/fs_jVroot\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/36072/; reference:url,milw0rm.com/exploits/9308; reference:url,doc.emergingthreats.net/2010193; classtype:web-application-attack; sid:2010193; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor SELECT"; flow:established,to_server; uricontent:"/install.php?"; nocase; uricontent:"bgcolor="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1073; reference:url,www.securityfocus.com/archive/1/archive/1/459796/100/200/threaded; reference:url,doc.emergingthreats.net/2004840; classtype:web-application-attack; sid:2004840; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor UNION SELECT"; flow:established,to_server; uricontent:"/install.php?"; nocase; uricontent:"bgcolor="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1073; reference:url,www.securityfocus.com/archive/1/archive/1/459796/100/200/threaded; reference:url,doc.emergingthreats.net/2004841; classtype:web-application-attack; sid:2004841; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor INSERT"; flow:established,to_server; uricontent:"/install.php?"; nocase; uricontent:"bgcolor="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1073; reference:url,www.securityfocus.com/archive/1/archive/1/459796/100/200/threaded; reference:url,doc.emergingthreats.net/2004842; classtype:web-application-attack; sid:2004842; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor DELETE"; flow:established,to_server; uricontent:"/install.php?"; nocase; uricontent:"bgcolor="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1073; reference:url,www.securityfocus.com/archive/1/archive/1/459796/100/200/threaded; reference:url,doc.emergingthreats.net/2004843; classtype:web-application-attack; sid:2004843; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor ASCII"; flow:established,to_server; uricontent:"/install.php?"; nocase; uricontent:"bgcolor="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1073; reference:url,www.securityfocus.com/archive/1/archive/1/459796/100/200/threaded; reference:url,doc.emergingthreats.net/2004844; classtype:web-application-attack; sid:2004844; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor UPDATE"; flow:established,to_server; uricontent:"/install.php?"; nocase; uricontent:"bgcolor="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1073; reference:url,www.securityfocus.com/archive/1/archive/1/459796/100/200/threaded; reference:url,doc.emergingthreats.net/2004845; classtype:web-application-attack; sid:2004845; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS millionpixel payment.php order_id XSS attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/users/payment.php?"; nocase; uricontent:"order_id="; nocase; uricontent:"<script>"; nocase; uricontent:"</script>"; nocase; reference:url,www.packetstormsecurity.org/0907-exploits/millionpixel-xss.txt; reference:url,doc.emergingthreats.net/2009671; classtype:web-application-attack; sid:2009671; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MODx CMS Thumbnail.php base_path Remote File Inclusion"; flow:to_server,established; content:"GET "; uricontent:"/Thumbnail.php?"; nocase; uricontent:"base_path="; nocase; pcre:"/base_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,securityvulns.com/Odocument913.html; reference:url,doc.emergingthreats.net/2009053; classtype:web-application-attack; sid:2009053; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MXBB Remote Inclusion Attempt -- faq.php module_root_path"; flow:established,to_server; uricontent:"/faq.php?"; nocase; uricontent:"module_root_path="; nocase; uricontent:"cmd="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2493; reference:url,www.milw0rm.com/exploits/3833; reference:url,doc.emergingthreats.net/2003684; classtype:web-application-attack; sid:2003684; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE\s+SELECT/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004469; classtype:web-application-attack; sid:2004469; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004470; classtype:web-application-attack; sid:2004470; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004471; classtype:web-application-attack; sid:2004471; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004472; classtype:web-application-attack; sid:2004472; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004473; classtype:web-application-attack; sid:2004473; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"year="; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004474; classtype:web-application-attack; sid:2004474; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"year="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004475; classtype:web-application-attack; sid:2004475; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"year="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004476; classtype:web-application-attack; sid:2004476; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"year="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004477; classtype:web-application-attack; sid:2004477; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"year="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004478; classtype:web-application-attack; sid:2004478; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"year="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004479; classtype:web-application-attack; sid:2004479; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cat_id="; nocase; distance:0; http_uri; content:"SELECT"; http_uri; nocase; distance:0; content:"FROM"; http_uri; nocase; distance:0; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004492; classtype:web-application-attack; sid:2004492; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myEvent viewevent.php SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/viewevent.php?eventdate="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:bugtraq,31773; reference:url,www.milw0rm.com/exploits/6760; reference:url,doc.emergingthreats.net/2008668; classtype:web-application-attack; sid:2008668; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS nweb2fax viewrq.php var_filename Parameter Directory Traversal"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/viewrq.php?"; nocase; uricontent:"format=ps"; nocase; uricontent:"var_filename="; content:"../"; reference:bugtraq,29804; reference:url,milw0rm.com/exploits/5856; reference:url,doc.emergingthreats.net/2009501; classtype:web-application-attack; sid:2009501; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id SELECT"; flow:established,to_server; uricontent:"/read/index.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2817; reference:url,www.milw0rm.com/exploits/3964; reference:url,doc.emergingthreats.net/2004005; classtype:web-application-attack; sid:2004005; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id UNION SELECT"; flow:established,to_server; uricontent:"/read/index.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2817; reference:url,www.milw0rm.com/exploits/3964; reference:url,doc.emergingthreats.net/2004006; classtype:web-application-attack; sid:2004006; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id INSERT"; flow:established,to_server; uricontent:"/read/index.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2817; reference:url,www.milw0rm.com/exploits/3964; reference:url,doc.emergingthreats.net/2004007; classtype:web-application-attack; sid:2004007; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id DELETE"; flow:established,to_server; uricontent:"/read/index.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2817; reference:url,www.milw0rm.com/exploits/3964; reference:url,doc.emergingthreats.net/2004008; classtype:web-application-attack; sid:2004008; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id ASCII"; flow:established,to_server; uricontent:"/read/index.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2817; reference:url,www.milw0rm.com/exploits/3964; reference:url,doc.emergingthreats.net/2004009; classtype:web-application-attack; sid:2004009; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id UPDATE"; flow:established,to_server; uricontent:"/read/index.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2817; reference:url,www.milw0rm.com/exploits/3964; reference:url,doc.emergingthreats.net/2004010; classtype:web-application-attack; sid:2004010; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pHNews comments.php templates_dir Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/comments.php?"; nocase; uricontent:"templates_dir="; nocase; content:"../"; reference:url,milw0rm.com/exploits/6000; reference:bugtraq,19838; reference:url,doc.emergingthreats.net/2009719; classtype:web-application-attack; sid:2009719; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pHNews comments.php template Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/comments.php?"; nocase; uricontent:"template="; nocase; content:"../"; reference:url,milw0rm.com/exploits/6000; reference:bugtraq,19838; reference:url,doc.emergingthreats.net/2009720; classtype:web-application-attack; sid:2009720; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion index.php abs_path"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"abs_path="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2559; reference:url,www.securityfocus.com/archive/1/archive/1/467840/100/0/threaded; reference:url,doc.emergingthreats.net/2003698; classtype:web-application-attack; sid:2003698; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion checkout.php abs_path"; flow:established,to_server; uricontent:"/checkout.php?"; nocase; uricontent:"abs_path="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2559; reference:url,www.securityfocus.com/archive/1/archive/1/467840/100/0/threaded; reference:url,doc.emergingthreats.net/2003699; classtype:web-application-attack; sid:2003699; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion libsecure.php abs_path"; flow:established,to_server; uricontent:"/libsecure.php?"; nocase; uricontent:"abs_path="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2559; reference:url,www.securityfocus.com/archive/1/archive/1/467840/100/0/threaded; reference:url,doc.emergingthreats.net/2003700; classtype:web-application-attack; sid:2003700; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion index.php repinc"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"repinc="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2558; reference:url,www.securityfocus.com/archive/1/archive/1/467827/100/0/threaded; reference:url,doc.emergingthreats.net/2003701; classtype:web-application-attack; sid:2003701; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phPortal gunaysoft.php icerikyolu Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/gunaysoft.php?"; nocase; uricontent:"icerikyolu="; nocase; pcre:"/icerikyolu=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,30064; reference:cve,CVE-2008-3022; reference:url,xforce.iss.net/xforce/xfdb/43569; reference:url,doc.emergingthreats.net/2009325; classtype:web-application-attack; sid:2009325; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phPortal gunaysoft.php sayfaid Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/gunaysoft.php?"; nocase; uricontent:"sayfaid="; nocase; pcre:"/sayfaid=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,30064; reference:cve,CVE-2008-3022; reference:url,xforce.iss.net/xforce/xfdb/43569; reference:url,doc.emergingthreats.net/2009326; classtype:web-application-attack; sid:2009326; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phPortal gunaysoft.php uzanti Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/gunaysoft.php?"; nocase; uricontent:"uzanti="; nocase; pcre:"/uzanti=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,30064; reference:cve,CVE-2008-3022; reference:url,xforce.iss.net/xforce/xfdb/43569; reference:url,doc.emergingthreats.net/2009327; classtype:web-application-attack; sid:2009327; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/modules/bms/invoices_discount_ajax.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,osvdb.org/show/osvdb/59194; reference:url,xforce.iss.net/xforce/xfdb/51650; reference:url,doc.emergingthreats.net/2010615; classtype:web-application-attack; sid:2010615; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/modules/bms/invoices_discount_ajax.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,osvdb.org/show/osvdb/59194; reference:url,xforce.iss.net/xforce/xfdb/51650; reference:url,doc.emergingthreats.net/2010616; classtype:web-application-attack; sid:2010616; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/modules/bms/invoices_discount_ajax.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,osvdb.org/show/osvdb/59194; reference:url,xforce.iss.net/xforce/xfdb/51650; reference:url,doc.emergingthreats.net/2010617; classtype:web-application-attack; sid:2010617; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/modules/bms/invoices_discount_ajax.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,osvdb.org/show/osvdb/59194; reference:url,xforce.iss.net/xforce/xfdb/51650; reference:url,doc.emergingthreats.net/2010618; classtype:web-application-attack; sid:2010618; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/modules/bms/invoices_discount_ajax.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:url,osvdb.org/show/osvdb/59194; reference:url,xforce.iss.net/xforce/xfdb/51650; reference:url,doc.emergingthreats.net/2010619; classtype:web-application-attack; sid:2010619; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid SELECT"; flow:established,to_server; uricontent:"/nickpage.php?"; nocase; uricontent:"npid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0985; reference:url,www.milw0rm.com/exploits/3299; reference:url,doc.emergingthreats.net/2004899; classtype:web-application-attack; sid:2004899; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid UNION SELECT"; flow:established,to_server; uricontent:"/nickpage.php?"; nocase; uricontent:"npid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0985; reference:url,www.milw0rm.com/exploits/3299; reference:url,doc.emergingthreats.net/2004900; classtype:web-application-attack; sid:2004900; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid INSERT"; flow:established,to_server; uricontent:"/nickpage.php?"; nocase; uricontent:"npid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0985; reference:url,www.milw0rm.com/exploits/3299; reference:url,doc.emergingthreats.net/2004901; classtype:web-application-attack; sid:2004901; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid DELETE"; flow:established,to_server; uricontent:"/nickpage.php?"; nocase; uricontent:"npid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0985; reference:url,www.milw0rm.com/exploits/3299; reference:url,doc.emergingthreats.net/2004902; classtype:web-application-attack; sid:2004902; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid ASCII"; flow:established,to_server; uricontent:"/nickpage.php?"; nocase; uricontent:"npid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0985; reference:url,www.milw0rm.com/exploits/3299; reference:url,doc.emergingthreats.net/2004903; classtype:web-application-attack; sid:2004903; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid UPDATE"; flow:established,to_server; uricontent:"/nickpage.php?"; nocase; uricontent:"npid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0985; reference:url,www.milw0rm.com/exploits/3299; reference:url,doc.emergingthreats.net/2004904; classtype:web-application-attack; sid:2004904; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpMyAdmin Setup Code Injection (phpinfo)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/scripts/setup.php"; nocase; content:"|0D 0A 0D 0A|token="; content:"host"; content:"phpinfo|25|28|25|29|25|3b"; nocase; within:64; reference:cve,CVE-2009-1151; reference:url,www.securityfocus.com/bid/34236; reference:url,labs.neohapsis.com/2009/04/06/about-cve-2009-1151/; reference:url,doc.emergingthreats.net/2009709; classtype:web-application-attack; sid:2009709; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpMyAdmin Setup Code Injection (system)"; flow:established,to_server; content:"POST"; http_method; uricontent:"/scripts/setup.php"; nocase; content:"token="; http_client_body; depth:6; content:"host"; http_client_body; content:"system|28 24 5F|"; nocase; http_client_body; reference:cve,CVE-2009-1151; reference:url,www.securityfocus.com/bid/34236; reference:url,labs.neohapsis.com/2009/04/06/about-cve-2009-1151/; reference:url,doc.emergingthreats.net/2009710; classtype:web-application-attack; sid:2009710; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpMyAdmin Remote Code Execution Proof of Concept (p=)"; flow:established,to_server; uricontent:"/config/config.inc.php"; uricontent:"p=phpinfo()"; reference:url,www.gnucitizen.org/blog/cve-2009-1151-phpmyadmin-remote-code-execution-proof-of-concept/; reference:url,doc.emergingthreats.net/2010902; classtype:web-application-attack; sid:2010902; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpMyAdmin Remote Code Execution Proof of Concept (c=)"; flow:established,to_server; uricontent:"/config/config.inc.php"; uricontent:"c="; reference:url,www.gnucitizen.org/blog/cve-2009-1151-phpmyadmin-remote-code-execution-proof-of-concept/; reference:url,doc.emergingthreats.net/2010903; classtype:web-application-attack; sid:2010903; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP phpMyAgenda rootagenda Remote File Include Attempt"; flow:to_server,established; uricontent:"rootagenda="; nocase; pcre:"/(agendaplace(2?)|infoevent|agenda(2?))\.php3\?/Ui"; pcre:"/rootagenda=(https?|ftps?|php)/Ui"; reference:cve,2006-2009; reference:bugtraq,17670; reference:url,doc.emergingthreats.net/2002879; classtype:web-application-attack; sid:2002879; rev:6; metadata:affected_product Any, attack_target Server, deployment Datacenter, tag Remote_File_Include, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpPgAdmin XSS Attempt -- sqledit.php server"; flow:established,to_server; uricontent:"/sqledit.php?"; nocase; uricontent:"server="; nocase; uricontent:"script"; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2865; reference:url,www.securityfocus.com/bid/24115; reference:url,doc.emergingthreats.net/2004552; classtype:web-application-attack; sid:2004552; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpProfiles body_comm.inc.php content parameter remote file inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/body_comm.inc.php?"; nocase; uricontent:"content="; nocase; pcre:"/content=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,27952; reference:url,milw0rm.com/exploits/5175; reference:url,doc.emergingthreats.net/2009397; classtype:web-application-attack; sid:2009397; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpAddEdit editform parameter Local File Inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/addedit-render.php?"; nocase; uricontent:"editform="; nocase; pcre:"/(\.\.\/){1,}/U"; reference:url,milw0rm.com/exploits/7417; reference:bugtraq,32774; reference:url,doc.emergingthreats.net/2008992; classtype:web-application-attack; sid:2008992; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phptraverse mp3_id.php GLOBALS Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/assets/plugins/mp3_id/mp3_id.php?"; nocase; uricontent:"GLOBALS[BASE]="; nocase; pcre:"/GLOBALS\[BASE\]\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.packetstormsecurity.nl/0911-exploits/phptraverse-rfi.txt; reference:url,doc.emergingthreats.net/2010485; classtype:web-application-attack; sid:2010485; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id SELECT"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"image_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004170; classtype:web-application-attack; sid:2004170; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id UNION SELECT"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"image_id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004171; classtype:web-application-attack; sid:2004171; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id INSERT"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"image_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004172; classtype:web-application-attack; sid:2004172; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id DELETE"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"image_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004173; classtype:web-application-attack; sid:2004173; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id ASCII"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"image_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004174; classtype:web-application-attack; sid:2004174; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id UPDATE"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"image_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004175; classtype:web-application-attack; sid:2004175; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id SELECT"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004176; classtype:web-application-attack; sid:2004176; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id UNION SELECT"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004177; classtype:web-application-attack; sid:2004177; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id INSERT"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004178; classtype:web-application-attack; sid:2004178; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id DELETE"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004179; classtype:web-application-attack; sid:2004179; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id ASCII"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004180; classtype:web-application-attack; sid:2004180; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id UPDATE"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004181; classtype:web-application-attack; sid:2004181; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id SELECT"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"news_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004182; classtype:web-application-attack; sid:2004182; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id UNION SELECT"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"news_id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004183; classtype:web-application-attack; sid:2004183; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id INSERT"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"news_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004184; classtype:web-application-attack; sid:2004184; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id DELETE"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"news_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004185; classtype:web-application-attack; sid:2004185; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id ASCII"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"news_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004186; classtype:web-application-attack; sid:2004186; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id UPDATE"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"news_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004187; classtype:web-application-attack; sid:2004187; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id SELECT"; flow:established,to_server; uricontent:"/print.php?"; nocase; uricontent:"news_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004188; classtype:web-application-attack; sid:2004188; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id UNION SELECT"; flow:established,to_server; uricontent:"/print.php?"; nocase; uricontent:"news_id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004189; classtype:web-application-attack; sid:2004189; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id INSERT"; flow:established,to_server; uricontent:"/print.php?"; nocase; uricontent:"news_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004190; classtype:web-application-attack; sid:2004190; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id DELETE"; flow:established,to_server; uricontent:"/print.php?"; nocase; uricontent:"news_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004191; classtype:web-application-attack; sid:2004191; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id ASCII"; flow:established,to_server; uricontent:"/print.php?"; nocase; uricontent:"news_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004192; classtype:web-application-attack; sid:2004192; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id UPDATE"; flow:established,to_server; uricontent:"/print.php?"; nocase; uricontent:"news_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004193; classtype:web-application-attack; sid:2004193; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id SELECT"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"news_cat_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004194; classtype:web-application-attack; sid:2004194; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id UNION SELECT"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"news_cat_id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004195; classtype:web-application-attack; sid:2004195; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id INSERT"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"news_cat_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004196; classtype:web-application-attack; sid:2004196; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id DELETE"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"news_cat_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004197; classtype:web-application-attack; sid:2004197; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id ASCII"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"news_cat_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004198; classtype:web-application-attack; sid:2004198; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id UPDATE"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"news_cat_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004199; classtype:web-application-attack; sid:2004199; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id SELECT"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004200; classtype:web-application-attack; sid:2004200; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id UNION SELECT"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004201; classtype:web-application-attack; sid:2004201; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id INSERT"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004202; classtype:web-application-attack; sid:2004202; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id DELETE"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004203; classtype:web-application-attack; sid:2004203; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id ASCII"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004204; classtype:web-application-attack; sid:2004204; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id UPDATE"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004205; classtype:web-application-attack; sid:2004205; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id SELECT"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"topic_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004206; classtype:web-application-attack; sid:2004206; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id UNION SELECT"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"topic_id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004207; classtype:web-application-attack; sid:2004207; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id INSERT"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"topic_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004208; classtype:web-application-attack; sid:2004208; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id DELETE"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"topic_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004209; classtype:web-application-attack; sid:2004209; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id ASCII"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"topic_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004210; classtype:web-application-attack; sid:2004210; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id UPDATE"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"topic_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004211; classtype:web-application-attack; sid:2004211; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id SELECT"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"post_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004212; classtype:web-application-attack; sid:2004212; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id UNION SELECT"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"post_id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004213; classtype:web-application-attack; sid:2004213; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id INSERT"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"post_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004214; classtype:web-application-attack; sid:2004214; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id DELETE"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"post_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004215; classtype:web-application-attack; sid:2004215; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id ASCII"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"post_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004216; classtype:web-application-attack; sid:2004216; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id UPDATE"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"post_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004217; classtype:web-application-attack; sid:2004217; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id SELECT"; flow:established,to_server; uricontent:"/users.php?"; nocase; uricontent:"user_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004218; classtype:web-application-attack; sid:2004218; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id UNION SELECT"; flow:established,to_server; uricontent:"/users.php?"; nocase; uricontent:"user_id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004219; classtype:web-application-attack; sid:2004219; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id INSERT"; flow:established,to_server; uricontent:"/users.php?"; nocase; uricontent:"user_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004220; classtype:web-application-attack; sid:2004220; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id DELETE"; flow:established,to_server; uricontent:"/users.php?"; nocase; uricontent:"user_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004221; classtype:web-application-attack; sid:2004221; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id ASCII"; flow:established,to_server; uricontent:"/users.php?"; nocase; uricontent:"user_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004222; classtype:web-application-attack; sid:2004222; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id UPDATE"; flow:established,to_server; uricontent:"/users.php?"; nocase; uricontent:"user_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004223; classtype:web-application-attack; sid:2004223; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS playSMS init.php apps_path plug parameter local file inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/plugin/gateway/gnokii/init.php?"; nocase; uricontent:"apps_path[plug]="; nocase; content:"../"; reference:url,secunia.com/advisories/33386/; reference:url,milw0rm.com/exploits/7687; reference:url,doc.emergingthreats.net/2009085; classtype:web-application-attack; sid:2009085; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/plugin/themes/default/init.php?"; nocase; uricontent:"apps_path[themes]="; nocase; pcre:"/apps_path\[themes\]=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/33386/; reference:url,milw0rm.com/exploits/7687; reference:url,doc.emergingthreats.net/2009086; classtype:web-application-attack; sid:2009086; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter local file inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/plugin/themes/default/init.php?"; nocase; uricontent:"apps_path[themes]="; nocase; content:"../"; reference:url,secunia.com/advisories/33386/; reference:url,milw0rm.com/exploits/7687; reference:url,doc.emergingthreats.net/2009087; classtype:web-application-attack; sid:2009087; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/lib/function.php?"; nocase; uricontent:"apps_path[libs]="; nocase; pcre:"/apps_path\[libs\]=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/33386/; reference:url,milw0rm.com/exploits/7687; reference:url,doc.emergingthreats.net/2009088; classtype:web-application-attack; sid:2009088; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter local file inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/lib/function.php?"; nocase; uricontent:"apps_path[libs]="; nocase; content:"../"; reference:url,secunia.com/advisories/33386/; reference:url,milw0rm.com/exploits/7687; reference:url,doc.emergingthreats.net/2009089; classtype:web-application-attack; sid:2009089; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"cid="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2427; reference:url,www.milw0rm.com/exploits/3813; reference:url,doc.emergingthreats.net/2003782; classtype:web-application-attack; sid:2003782; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"cid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2427; reference:url,www.milw0rm.com/exploits/3813; reference:url,doc.emergingthreats.net/2003783; classtype:web-application-attack; sid:2003783; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"cid="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2427; reference:url,www.milw0rm.com/exploits/3813; reference:url,doc.emergingthreats.net/2003784; classtype:web-application-attack; sid:2003784; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"cid="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2427; reference:url,www.milw0rm.com/exploits/3813; reference:url,doc.emergingthreats.net/2003785; classtype:web-application-attack; sid:2003785; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"cid="; nocase; uricontent:"ASCII("; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2427; reference:url,www.milw0rm.com/exploits/3813; reference:url,doc.emergingthreats.net/2003786; classtype:web-application-attack; sid:2003786; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"cid="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2427; reference:url,www.milw0rm.com/exploits/3813; reference:url,doc.emergingthreats.net/2003787; classtype:web-application-attack; sid:2003787; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ProjectButler RFI attempt "; flow:established,to_server; uricontent:"/pda_projects.php?offset=http\:"; nocase; reference:url,www.sans.org/top20/; reference:url,www.packetstormsecurity.org/0908-exploits/projectbutler-rfi.txt; reference:url,doc.emergingthreats.net/2009887; classtype:web-application-attack; sid:2009887; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS rgboard _footer.php skin_path parameter local file inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/_footer.php?"; nocase; uricontent:"skin_path="; nocase; content:"../"; reference:bugtraq,33621; reference:url,milw0rm.com/exploits/7978; reference:url,doc.emergingthreats.net/2009320; classtype:web-application-attack; sid:2009320; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS rgboard footer.php _path parameter remote file inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/footer.php?"; nocase; uricontent:"_path[counter]="; nocase; pcre:"/_path\[counter\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,33621; reference:url,milw0rm.com/exploits/7978; reference:url,doc.emergingthreats.net/2009321; classtype:web-application-attack; sid:2009321; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS tikiwiki featured link XSS attempt"; flow:to_server,established; uricontent:"/tiki-featured_link.php?type="; nocase; uricontent:"/iframe>"; nocase; reference:url,www.securityfocus.com/archive/1/450268/30/0; reference:url,doc.emergingthreats.net/2003167; classtype:web-application-attack; sid:2003167; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS tinyCMS templater.php Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/templater.php?"; nocase; uricontent:"config[template]="; content:"../"; reference:url,milw0rm.com/exploits/6287; reference:bugtraq,30785; reference:url,doc.emergingthreats.net/2009331; classtype:web-application-attack; sid:2009331; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS txtSQL startup.php CFG Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/startup.php?"; nocase; uricontent:"CFG[txtsql][class]="; nocase; pcre:"/CFG\[txtsql\]\[class\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,30625; reference:url,milw0rm.com/exploits/6224; reference:url,doc.emergingthreats.net/2009416; classtype:web-application-attack; sid:2009416; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx SELECT"; flow:established,to_server; uricontent:"/wbsearch.aspx?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; reference:url,doc.emergingthreats.net/2005663; classtype:web-application-attack; sid:2005663; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx UNION SELECT"; flow:established,to_server; uricontent:"/wbsearch.aspx?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; reference:url,doc.emergingthreats.net/2005664; classtype:web-application-attack; sid:2005664; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx INSERT"; flow:established,to_server; uricontent:"/wbsearch.aspx?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; reference:url,doc.emergingthreats.net/2005665; classtype:web-application-attack; sid:2005665; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx DELETE"; flow:established,to_server; uricontent:"/wbsearch.aspx?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; reference:url,doc.emergingthreats.net/2005666; classtype:web-application-attack; sid:2005666; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx ASCII"; flow:established,to_server; uricontent:"/wbsearch.aspx?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; reference:url,doc.emergingthreats.net/2005667; classtype:web-application-attack; sid:2005667; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx UPDATE"; flow:established,to_server; uricontent:"/wbsearch.aspx?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; reference:url,doc.emergingthreats.net/2005668; classtype:web-application-attack; sid:2005668; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php SELECT"; flow:established,to_server; uricontent:"/vBSupport.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3197; reference:url,www.vbulletin.org/forum/showthread.php?t=94023&page=38; reference:url,doc.emergingthreats.net/2005348; classtype:web-application-attack; sid:2005348; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php UNION SELECT"; flow:established,to_server; uricontent:"/vBSupport.php?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3197; reference:url,www.vbulletin.org/forum/showthread.php?t=94023&page=38; reference:url,doc.emergingthreats.net/2005349; classtype:web-application-attack; sid:2005349; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php INSERT"; flow:established,to_server; uricontent:"/vBSupport.php?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3197; reference:url,www.vbulletin.org/forum/showthread.php?t=94023&page=38; reference:url,doc.emergingthreats.net/2005350; classtype:web-application-attack; sid:2005350; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php DELETE"; flow:established,to_server; uricontent:"/vBSupport.php?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3197; reference:url,www.vbulletin.org/forum/showthread.php?t=94023&page=38; reference:url,doc.emergingthreats.net/2005351; classtype:web-application-attack; sid:2005351; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php ASCII"; flow:established,to_server; uricontent:"/vBSupport.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3197; reference:url,www.vbulletin.org/forum/showthread.php?t=94023&page=38; reference:url,doc.emergingthreats.net/2005352; classtype:web-application-attack; sid:2005352; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php UPDATE"; flow:established,to_server; uricontent:"/vBSupport.php?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3197; reference:url,www.vbulletin.org/forum/showthread.php?t=94023&page=38; reference:url,doc.emergingthreats.net/2005353; classtype:web-application-attack; sid:2005353; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VBulletin 4.0.1 SQL Injection Attempt"; flow:established,to_server; uricontent:"/misc.php?"; uricontent:"sub=profilename"; uricontent:"name="; nocase; uricontent:"|27|"; pcre:"/[\?&]name=[^&\;\?]+\x27/Ui"; reference:url,www.packetstormsecurity.org/1001-exploits/vbulletin401-sql.txt; reference:url,doc.emergingthreats.net/2010701; classtype:web-application-attack; sid:2010701; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vDesk Webmail XSS Attempt -- printcal.pl"; flow:established,to_server; uricontent:"/printcal.pl?"; nocase; uricontent:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2745; reference:url,www.securityfocus.com/bid/24022; reference:url,doc.emergingthreats.net/2003874; classtype:web-application-attack; sid:2003874; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid SELECT"; flow:established,to_server; uricontent:"/vBSupport.php?"; nocase; uricontent:"ticketid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3196; reference:url,www.securityfocus.com/bid/24397; reference:url,doc.emergingthreats.net/2005354; classtype:web-application-attack; sid:2005354; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid UNION SELECT"; flow:established,to_server; uricontent:"/vBSupport.php?"; nocase; uricontent:"ticketid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3196; reference:url,www.securityfocus.com/bid/24397; reference:url,doc.emergingthreats.net/2005355; classtype:web-application-attack; sid:2005355; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid INSERT"; flow:established,to_server; uricontent:"/vBSupport.php?"; nocase; uricontent:"ticketid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3196; reference:url,www.securityfocus.com/bid/24397; reference:url,doc.emergingthreats.net/2005356; classtype:web-application-attack; sid:2005356; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid DELETE"; flow:established,to_server; uricontent:"/vBSupport.php?"; nocase; uricontent:"ticketid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3196; reference:url,www.securityfocus.com/bid/24397; reference:url,doc.emergingthreats.net/2005357; classtype:web-application-attack; sid:2005357; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid ASCII"; flow:established,to_server; uricontent:"/vBSupport.php?"; nocase; uricontent:"ticketid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3196; reference:url,www.securityfocus.com/bid/24397; reference:url,doc.emergingthreats.net/2005358; classtype:web-application-attack; sid:2005358; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid UPDATE"; flow:established,to_server; uricontent:"/vBSupport.php?"; nocase; uricontent:"ticketid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3196; reference:url,www.securityfocus.com/bid/24397; reference:url,doc.emergingthreats.net/2005359; classtype:web-application-attack; sid:2005359; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic SELECT"; flow:established,to_server; uricontent:"/printview.php?"; nocase; uricontent:"topic="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1163; reference:url,www.milw0rm.com/exploits/3351; reference:url,doc.emergingthreats.net/2004748; classtype:web-application-attack; sid:2004748; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic UNION SELECT"; flow:established,to_server; uricontent:"/printview.php?"; nocase; uricontent:"topic="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1163; reference:url,www.milw0rm.com/exploits/3351; reference:url,doc.emergingthreats.net/2004749; classtype:web-application-attack; sid:2004749; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic INSERT"; flow:established,to_server; uricontent:"/printview.php?"; nocase; uricontent:"topic="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1163; reference:url,www.milw0rm.com/exploits/3351; reference:url,doc.emergingthreats.net/2004750; classtype:web-application-attack; sid:2004750; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic DELETE"; flow:established,to_server; uricontent:"/printview.php?"; nocase; uricontent:"topic="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1163; reference:url,www.milw0rm.com/exploits/3351; reference:url,doc.emergingthreats.net/2004751; classtype:web-application-attack; sid:2004751; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic ASCII"; flow:established,to_server; uricontent:"/printview.php?"; nocase; uricontent:"topic="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1163; reference:url,www.milw0rm.com/exploits/3351; reference:url,doc.emergingthreats.net/2004752; classtype:web-application-attack; sid:2004752; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic UPDATE"; flow:established,to_server; uricontent:"/printview.php?"; nocase; uricontent:"topic="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1163; reference:url,www.milw0rm.com/exploits/3351; reference:url,doc.emergingthreats.net/2004753; classtype:web-application-attack; sid:2004753; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"showonly="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004881; classtype:web-application-attack; sid:2004881; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"showonly="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004882; classtype:web-application-attack; sid:2004882; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"showonly="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004883; classtype:web-application-attack; sid:2004883; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"showonly="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004884; classtype:web-application-attack; sid:2004884; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"showonly="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004885; classtype:web-application-attack; sid:2004885; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"showonly="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004886; classtype:web-application-attack; sid:2004886; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID SELECT"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"picID="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0520; reference:url,www.milw0rm.com/exploits/3172; reference:url,doc.emergingthreats.net/2005239; classtype:web-application-attack; sid:2005239; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID UNION SELECT"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"picID="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0520; reference:url,www.milw0rm.com/exploits/3172; reference:url,doc.emergingthreats.net/2005240; classtype:web-application-attack; sid:2005240; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID INSERT"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"picID="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0520; reference:url,www.milw0rm.com/exploits/3172; reference:url,doc.emergingthreats.net/2005241; classtype:web-application-attack; sid:2005241; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID DELETE"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"picID="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0520; reference:url,www.milw0rm.com/exploits/3172; reference:url,doc.emergingthreats.net/2005242; classtype:web-application-attack; sid:2005242; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID ASCII"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"picID="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0520; reference:url,www.milw0rm.com/exploits/3172; reference:url,doc.emergingthreats.net/2005243; classtype:web-application-attack; sid:2005243; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID UPDATE"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"picID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0520; reference:url,www.milw0rm.com/exploits/3172; reference:url,doc.emergingthreats.net/2005244; classtype:web-application-attack; sid:2005244; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id SELECT"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005245; classtype:web-application-attack; sid:2005245; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id UNION SELECT"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005246; classtype:web-application-attack; sid:2005246; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id INSERT"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005247; classtype:web-application-attack; sid:2005247; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id DELETE"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005248; classtype:web-application-attack; sid:2005248; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id ASCII"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005249; classtype:web-application-attack; sid:2005249; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id UPDATE"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005250; classtype:web-application-attack; sid:2005250; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID SELECT"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"galleryID="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005251; classtype:web-application-attack; sid:2005251; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID UNION SELECT"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"galleryID="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005312; classtype:web-application-attack; sid:2005312; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID INSERT"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"galleryID="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005252; classtype:web-application-attack; sid:2005252; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID DELETE"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"galleryID="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005253; classtype:web-application-attack; sid:2005253; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID ASCII"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"galleryID="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005254; classtype:web-application-attack; sid:2005254; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID UPDATE"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"galleryID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005255; classtype:web-application-attack; sid:2005255; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Workbench Survival Guide Remote Inclusion Attempt -- headerfile.php path"; flow:established,to_server; uricontent:"/header.php?"; nocase; uricontent:"path="; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2542; reference:url,www.milw0rm.com/exploits/3848; reference:url,doc.emergingthreats.net/2003670; classtype:web-application-attack; sid:2003670; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id SELECT"; flow:established,to_server; uricontent:"/xNews.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0569; reference:url,www.milw0rm.com/exploits/3216; reference:url,doc.emergingthreats.net/2005158; classtype:web-application-attack; sid:2005158; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id UNION SELECT"; flow:established,to_server; uricontent:"/xNews.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0569; reference:url,www.milw0rm.com/exploits/3216; reference:url,doc.emergingthreats.net/2005159; classtype:web-application-attack; sid:2005159; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id INSERT"; flow:established,to_server; uricontent:"/xNews.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0569; reference:url,www.milw0rm.com/exploits/3216; reference:url,doc.emergingthreats.net/2005160; classtype:web-application-attack; sid:2005160; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id DELETE"; flow:established,to_server; uricontent:"/xNews.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0569; reference:url,www.milw0rm.com/exploits/3216; reference:url,doc.emergingthreats.net/2005161; classtype:web-application-attack; sid:2005161; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id ASCII"; flow:established,to_server; uricontent:"/xNews.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0569; reference:url,www.milw0rm.com/exploits/3216; reference:url,doc.emergingthreats.net/2005162; classtype:web-application-attack; sid:2005162; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id UPDATE"; flow:established,to_server; uricontent:"/xNews.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0569; reference:url,www.milw0rm.com/exploits/3216; reference:url,doc.emergingthreats.net/2005163; classtype:web-application-attack; sid:2005163; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS z1exchange edit.php site parameter SQL injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/edit.php?"; nocase; uricontent:"site="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,32556; reference:url,milw0rm.com/exploits/7311; reference:url,doc.emergingthreats.net/2008928; classtype:web-application-attack; sid:2008928; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS PHPNuke Forum viewtopic SQL insertion attempt"; flow:to_server,established; uricontent:"/modules.php"; nocase; content:"name=Forums"; content:"file=viewtopic"; pcre:"/forum=.*'/"; reference:bugtraq,7193; classtype:web-application-attack; sid:2102654; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BASE base_stat_common.php remote file include"; flow:to_server,established; content:"/base_stat_common.php"; nocase; http_uri; content:"BASE_path="; http_uri; nocase; pcre:"/BASE_path=(?:(?:ht|f)tps?|data|php)/Ui"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:2019524; rev:5; metadata:affected_product Any, attack_target Server, deployment Datacenter, tag Remote_File_Include, signature_severity Major, created_at 2010_09_23, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS NetScreen SA 5000 delhomepage.cgi access"; flow:to_server,established; content:"/delhomepage.cgi"; http_uri; fast_pattern:only; reference:bugtraq,9791; classtype:web-application-activity; sid:2103062; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS oracle web arbitrary command execution attempt"; flow:to_server,established; content:"/ows-bin/"; nocase; http_uri; content:"?&"; http_uri; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-attack; sid:2101193; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Euchia CMS catalogo.php id_livello Parameter Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/catalogo.php?"; nocase; uricontent:"id_livello="; nocase; pcre:"/id_livello\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,inj3ct0r.com/exploits/13028; classtype:web-application-attack; sid:2011571; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Plogger phpThumb.php src Parameter Remote File Disclosure Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/plog-includes/lib/phpthumb/phpThumb.php?"; nocase; uricontent:"src="; nocase; content:"../"; depth:200; reference:url,exploit-db.com/exploits/14636/; classtype:web-application-attack; sid:2011573; rev:1; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Plogger phpThumb.php w Parameter Remote File Disclosure Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/plog-includes/lib/phpthumb/phpThumb.php?"; nocase; uricontent:"w="; nocase; content:"../"; depth:200; reference:url,exploit-db.com/exploits/14636/; classtype:web-application-attack; sid:2011574; rev:1; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Plogger phpThumb.php h Parameter Remote File Disclosure Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/plog-includes/lib/phpthumb/phpThumb.php?"; nocase; uricontent:"h="; nocase; content:"../"; depth:200; reference:url,exploit-db.com/exploits/14636/; classtype:web-application-attack; sid:2011572; rev:1; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Easypush Server Manager addressbook.cgi page Parameter Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/addressbook.cgi?"; nocase; uricontent:"show=search"; nocase; uricontent:"page="; nocase; pcre:"/page\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,inj3ct0r.com/exploits/13944; classtype:web-application-attack; sid:2011566; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dompdf dompdf.php input_file Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/dompdf.php?"; nocase; uricontent:"input_file="; nocase; pcre:"/input_file=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/14851/; classtype:web-application-attack; sid:2011565; rev:1; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Classifieds class.phpmailer.php lang_path Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/class.phpmailer.php?"; nocase; uricontent:"lang_path="; nocase; pcre:"/lang_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/14893/; classtype:web-application-attack; sid:2011564; rev:1; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DynPage dynpage_load.php file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/content/dynpage_load.php?"; nocase; uricontent:"file="; nocase; content:"../"; depth:200; reference:url,secunia.com/advisories/41317/; classtype:web-application-attack; sid:2011563; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PithCMS oldnews_reader.php lang Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/oldnews_reader.php?"; nocase; uricontent:"lang="; nocase; content:"../"; depth:200; reference:url,exploit-db.com/exploits/13899/; classtype:web-application-attack; sid:2011562; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_zoomportfolio"; nocase; uricontent:"view=portfolio"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/41047/; reference:url,exploit-db.com/exploits/14718/; classtype:web-application-attack; sid:2011557; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_zoomportfolio"; nocase; uricontent:"view=portfolio"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,secunia.com/advisories/41047/; reference:url,exploit-db.com/exploits/14718/; classtype:web-application-attack; sid:2011558; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_zoomportfolio"; nocase; uricontent:"view=portfolio"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:url,secunia.com/advisories/41047/; reference:url,exploit-db.com/exploits/14718/; classtype:web-application-attack; sid:2011559; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_zoomportfolio"; nocase; uricontent:"view=portfolio"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,secunia.com/advisories/41047/; reference:url,exploit-db.com/exploits/14718/; classtype:web-application-attack; sid:2011560; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_zoomportfolio"; nocase; uricontent:"view=portfolio"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,secunia.com/advisories/41047/; reference:url,exploit-db.com/exploits/14718/; classtype:web-application-attack; sid:2011561; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_jphone Local File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_jphone"; nocase; uricontent:"controller="; nocase; content:"../"; depth:200; reference:url,exploit-db.com/exploits/14964/; classtype:web-application-attack; sid:2011554; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SnortReport nmap.php target Parameter Arbitrary Command Execution Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/nmap.php?"; nocase; uricontent:"target="; nocase; pcre:"/target=\w*\;/Ui"; reference:url,osvdb.org/show/osvdb/67739; classtype:web-application-attack; sid:2011555; rev:1; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FCMS familynews.php current_user_id Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/familynews.php?"; nocase; uricontent:"current_user_id="; nocase; pcre:"/current_user_id=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/14965/; classtype:web-application-attack; sid:2011552; rev:1; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FCMS settings.php current_user_id Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/settings.php?"; nocase; uricontent:"current_user_id="; nocase; pcre:"/current_user_id=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/14965/; classtype:web-application-attack; sid:2011553; rev:1; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AlstraSoft AskMe que_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/forum_answer.php?"; nocase; uricontent:"que_id="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/14979/; classtype:web-application-attack; sid:2011547; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Group Office json.php fingerprint Parameter Remote Command Execution Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/modules/gnupg/json.php?"; nocase; uricontent:"task=send_key"; nocase; uricontent:"fingerprint="; nocase; pcre:"/fingerprint=\w*\;/Ui"; reference:url,inj3ct0r.com/exploits/13365; classtype:web-application-attack; sid:2011413; rev:1; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SaurusCMS com_del.php class_path Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/com_del.php?"; nocase; uricontent:"class_path="; nocase; pcre:"/class_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,inj3ct0r.com/exploits/13665; classtype:web-application-attack; sid:2011377; rev:1; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/refund_request.php?"; nocase; http_uri; content:"orderid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,41377; classtype:web-application-attack; sid:2011378; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/refund_request.php?"; nocase; http_uri; content:"orderid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,41377; classtype:web-application-attack; sid:2011794; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/refund_request.php?"; http_uri; nocase; content:"orderid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,41377; classtype:web-application-attack; sid:2011380; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/refund_request.php?"; nocase; http_uri; content:"orderid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,41377; classtype:web-application-attack; sid:2011381; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/refund_request.php?"; nocase; http_uri; content:"orderid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,41377; classtype:web-application-attack; sid:2011382; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CSSTidy css_optimiser.php url Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/plugins/csstidy/css_optimiser.php?"; nocase; http_uri; content:"url="; nocase; http_uri; pcre:"/url\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/40515/; reference:url,cross-site-scripting.blogspot.com/2010/07/impresscms-121-final-reflected-cross.html; classtype:web-application-attack; sid:2011383; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXcms fm_includes_special Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/includes/file_manager/special.php?"; nocase; http_uri; content:"fm_includes_special="; http_uri; nocase; pcre:"/fm_includes_special=\s*(ftps?|https?|php)\:\//Ui"; reference:url,inj3ct0r.com/exploits/5609; reference:url,vupen.com/english/advisories/2009/2136; classtype:web-application-attack; sid:2011384; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla NoticeBoard Component controller Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_noticeboard"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/12427; classtype:web-application-attack; sid:2011385; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti cacti/utilities.php Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/cacti/utilities.php"; nocase; uricontent:"tail_lines="; nocase; uricontent:"message_type="; nocase; uricontent:"filter="; nocase; pcre:"/filter\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:bid,42575; reference:cve,2010-2544; reference:cve,2010-2545; classtype:web-application-attack; sid:2011423; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/classified_img.php?"; nocase; uricontent:"clsid="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,41204; classtype:web-application-attack; sid:2011426; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/classified_img.php?"; nocase; uricontent:"clsid="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,41204; classtype:web-application-attack; sid:2011427; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/classified_img.php?"; nocase; uricontent:"clsid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,41204; classtype:web-application-attack; sid:2011428; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/classified_img.php?"; nocase; uricontent:"clsid="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,41204; classtype:web-application-attack; sid:2011429; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/classified_img.php?"; nocase; uricontent:"clsid="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,41204; classtype:web-application-attack; sid:2011450; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla JGrid Component File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_jgrid"; nocase; uricontent:"controller="; nocase; content:"../"; depth:200; reference:url,secunia.com/advisories/40987/; reference:url,exploit-db.com/exploits/14656/; classtype:web-application-attack; sid:2011451; rev:1; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dance Studio Manager dailyview.php date Parameter Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/dailyview.php?"; nocase; uricontent:"date="; nocase; pcre:"/date\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,inj3ct0r.com/exploits/13770; classtype:web-application-attack; sid:2011452; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion maincore.php folder_level Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/maincore.php?"; nocase; uricontent:"folder_level="; nocase; content:"../"; depth:200; reference:url,inj3ct0r.com/exploits/13709; classtype:web-application-attack; sid:2011453; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 4images global.php db_servertype Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/global.php?"; nocase; uricontent:"db_servertype="; nocase; pcre:"/db_servertype=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/14712/; classtype:web-application-attack; sid:2011454; rev:1; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OpenX OpenFlashChart Remote Exploit Attempt"; flow:established,to_server; uricontent:"/admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php"; nocase; reference:url,www.afterdawn.com/news/article.cfm/2010/09/12/vulnerability_in_openx_advertisement_server_afterdawn_s_ads_affected_as_well; reference:url,www.esarcasm.com/17960/no-esarcasm-is-not-a-tool-of-satan-or-malware-authors/; reference:url,www.thinq.co.uk/2010/9/13/pirate-bay-cracked-spread-malware/; reference:url,www.kreativrauschen.com/blog/2010/09/09/critical-vulnerability-in-openx-286-open-flash-chart-2/; reference:url,www.heise.de/newsticker/meldung/Ein-Jahr-alte-Luecke-gefaehrdet-OpenX-Ad-Server-1077941.html; reference:url,www.kreativrauschen.de/blog/2010/09/09/kritische-sicherheitsluecke-in-openx-2-8-6-open-flash-chart-2/; reference:url,doc.emergingthreats.net/2011493; classtype:web-application-attack; sid:2011493; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OpenX OpenFlashChart Remote Exploit - possible Access to uploaded Files "; flow:established,to_server; uricontent:"/admin/plugins/videoReport/lib/tmp-upload-images"; nocase; reference:url,www.afterdawn.com/news/article.cfm/2010/09/12/vulnerability_in_openx_advertisement_server_afterdawn_s_ads_affected_as_well; reference:url,www.esarcasm.com/17960/no-esarcasm-is-not-a-tool-of-satan-or-malware-authors/; reference:url,www.thinq.co.uk/2010/9/13/pirate-bay-cracked-spread-malware/; reference:url,www.kreativrauschen.com/blog/2010/09/09/critical-vulnerability-in-openx-286-open-flash-chart-2/; reference:url,www.heise.de/newsticker/meldung/Ein-Jahr-alte-Luecke-gefaehrdet-OpenX-Ad-Server-1077941.html; reference:url,www.kreativrauschen.de/blog/2010/09/09/kritische-sicherheitsluecke-in-openx-2-8-6-open-flash-chart-2/; reference:url,doc.emergingthreats.net/2011494; classtype:web-application-attack; sid:2011494; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 724CMS section.php Module Parameter Local File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/section.php?"; nocase; http_uri; content:"Module_Text="; nocase; http_uri; content:"ID="; nocase; http_uri; content:"Lang="; nocase; http_uri; content:"Nav="; nocase; http_uri; content:"Module="; nocase; http_uri; content:"../"; depth:200; reference:url,packetstormsecurity.org/1005-exploits/724cms459-lfi.txt; classtype:web-application-attack; sid:2011828; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_10_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(1)"; flow:established,to_server; content:"GET"; http_method; content:"/classes/flash_mp3_player/extras/external_feeds/getfeed.php?"; nocase; http_uri; content:"file="; http_uri; nocase; content:"../"; depth:200; reference:url,inj3ct0r.com/exploits/12674; classtype:web-application-attack; sid:2011829; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_10_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(2)"; flow:established,to_server; content:"GET"; http_method; content:"/classes/flash_mp3_player.23/extras/external_feeds/getfeed.php?"; nocase; http_uri; content:"file="; http_uri; nocase; content:"../"; depth:200; reference:url,inj3ct0r.com/exploits/12674; classtype:web-application-attack; sid:2011830; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_10_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMS Board site_path Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/include/admin.lib.inc.php?"; nocase; http_uri; content:"site_path="; http_uri; nocase; pcre:"/site_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/1010-exploits/cmsboard-rfi.txt; classtype:web-application-attack; sid:2011831; rev:2; metadata:created_at 2010_10_25, updated_at 2010_10_25;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OvBB admincp.php smilieid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/admincp.php?"; nocase; http_uri; content:"section=smilies"; nocase; http_uri; content:"action=edit"; http_uri; nocase; content:"smilieid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,inj3ct0r.com/exploits/14205; classtype:web-application-attack; sid:2011832; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_10_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OvBB admincp.php smilieid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/admincp.php?"; nocase; http_uri; content:"section=smilies"; nocase; http_uri; content:"action=edit"; nocase; http_uri; content:"smilieid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,inj3ct0r.com/exploits/14205; classtype:web-application-attack; sid:2011833; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_10_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OvBB admincp.php smilieid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/admincp.php?"; nocase; http_uri; content:"section=smilies"; nocase; http_uri; content:"action=edit"; nocase; http_uri; content:"smilieid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,inj3ct0r.com/exploits/14205; classtype:web-application-attack; sid:2011834; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_10_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OvBB admincp.php smilieid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/admincp.php?"; nocase; http_uri; content:"section=smilies"; nocase; http_uri; content:"action=edit"; nocase; http_uri; content:"smilieid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,inj3ct0r.com/exploits/14205; classtype:web-application-attack; sid:2011835; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_10_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OvBB admincp.php smilieid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/admincp.php?"; nocase; http_uri; content:"section=smilies"; nocase; http_uri; content:"action=edit"; nocase; http_uri; content:"smilieid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,inj3ct0r.com/exploits/14205; classtype:web-application-attack; sid:2011836; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_10_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS A6MamboHelpDesk Admin.a6mambohelpdesk.php Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php?"; nocase; http_uri; content:"mosConfig_live_site="; http_uri; nocase; pcre:"/mosConfig_live_site=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,19198; reference:cve,CVE-2006-3930; classtype:web-application-attack; sid:2011837; rev:2; metadata:created_at 2010_10_25, updated_at 2010_10_25;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; http_uri; content:"album_user_id="; nocase; http_uri; content:"album_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt; classtype:web-application-attack; sid:2011838; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_10_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; http_uri; content:"album_user_id="; nocase; content:"album_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt; classtype:web-application-attack; sid:2011839; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_10_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; http_uri; content:"album_user_id="; nocase; http_uri; content:"album_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt; classtype:web-application-attack; sid:2011840; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_10_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; http_uri; content:"album_user_id="; nocase; http_uri; content:"album_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt; classtype:web-application-attack; sid:2011841; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_10_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; http_uri; content:"album_user_id="; nocase; http_uri; content:"album_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt; classtype:web-application-attack; sid:2011842; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_10_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BaconMap updatelist.php filepath Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/baconmap/admin/updatelist.php?"; nocase; http_uri; content:"filepath="; http_uri; nocase; content:"../"; depth:200; reference:url,packetstormsecurity.com/1010-exploits/baconmap10-lfi.txt; classtype:web-application-attack; sid:2011843; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_10_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_rwcards mosConfig_absolute_path Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/com_rwcards/rwcards.advancedate.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.com/1010-exploits/joomlarwcards-rfi.txt; classtype:web-application-attack; sid:2011844; rev:2; metadata:created_at 2010_10_25, updated_at 2010_10_25;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Lantern CMS intPassedLocationID Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/html/11-login.asp?"; nocase; http_uri; content:"intPassedLocationID="; nocase; http_uri; pcre:"/intPassedLocationID\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,43865; classtype:web-application-attack; sid:2011845; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_10_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OrangeHRM uri Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"uniqcode=KPI"; nocase; http_uri; content:"menu_no_top=performance"; nocase; http_uri; content:"uri="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/15232; classtype:web-application-attack; sid:2011846; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_10_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jomestate Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/real_estate/index.php?"; nocase; http_uri; content:"option=com_jomestate"; nocase; http_uri; content:"task="; nocase; http_uri; pcre:"/task=\s*(ftps?|https?|php)\:\//Ui"; reference:url,inj3ct0r.com/exploits/12835; classtype:web-application-attack; sid:2011847; rev:2; metadata:created_at 2010_10_25, updated_at 2010_10_25;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Cross Site Scripting Attempt"; flow:to_server,established; content:"/news/search.php3?"; nocase; http_uri; content:"bn="; nocase; http_uri; pcre:"/bn\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,44370; classtype:web-application-attack; sid:2011852; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_10_25, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/news/search.php3?"; nocase; http_uri; content:"bn="; nocase; http_uri; pcre:"/(..\\)/i"; reference:bugtraq,44370; classtype:web-application-attack; sid:2011853; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_10_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET WEB_SPECIFIC_APPS Oracle Fusion Middleware BPEL Console Cross Site Scripting"; flow:established,to_server; content:"/BPELConsole/default/processLog.jsp"; nocase; depth:50; content:"processName="; nocase; within:100; pcre:"/processName\x3D.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:bid,43954; reference:cve,2010-3581; classtype:attempted-admin; sid:2011860; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_10_28, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"dbhcms_pid="; nocase; http_uri; content:"editmenu="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/15309/; classtype:web-application-attack; sid:2011875; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_10_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"dbhcms_pid="; nocase; http_uri; fast_pattern; content:"editmenu="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,exploit-db.com/exploits/15309/; classtype:web-application-attack; sid:2011876; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_10_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"dbhcms_pid="; nocase; http_uri; fast_pattern; content:"editmenu="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,exploit-db.com/exploits/15309/; classtype:web-application-attack; sid:2011877; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_10_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"dbhcms_pid="; nocase; http_uri; fast_pattern; content:"editmenu="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,exploit-db.com/exploits/15309/; classtype:web-application-attack; sid:2011878; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_10_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"dbhcms_pid="; nocase; http_uri; fast_pattern; content:"editmenu="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/15309/; classtype:web-application-attack; sid:2011879; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_10_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBazar picturelib.php Remote File inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/bazar/picturelib.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; pcre:"/cat=\s*(ftps?|https?|php)\x3a\//Ui"; reference:cve,CVE-2010-2315; reference:url,exploit-db.com/exploits/12855/; classtype:web-application-attack; sid:2011880; rev:2; metadata:created_at 2010_10_29, updated_at 2010_10_29;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Open Web Analytics mw_plugin.php IP Parameter Remote File inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/mw_plugin.php?"; nocase; http_uri; content:"IP="; nocase; http_uri; pcre:"/IP=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/11903/; classtype:web-application-attack; sid:2011881; rev:5; metadata:created_at 2010_10_29, updated_at 2010_10_29;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Open Web Analytics owa_action Parameter Local File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"owa_action="; nocase; http_uri; fast_pattern; content:"../"; depth:200; reference:url,exploit-db.com/exploits/11903/; classtype:web-application-attack; sid:2011882; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_10_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Open Web Analytics owa_do Parameter Local File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"owa_do="; http_uri; nocase; fast_pattern; content:"../"; depth:200; reference:url,exploit-db.com/exploits/11903/; classtype:web-application-attack; sid:2011883; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_10_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGaming CMS loadplugin.php load Parameter Local File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/admin/loadplugin.php?"; nocase; http_uri; content:"load="; nocase; http_uri; content:"../"; depth:200; reference:url,packetstormsecurity.org/1010-exploits/igamingcms-lfi.txt; classtype:web-application-attack; sid:2011884; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_10_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Webspell wCMS-Clanscript staticID Parameter SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"site=static"; nocase; http_uri; fast_pattern; content:"staticID="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:url,exploit-db.com/exploits/15152/; classtype:web-application-attack; sid:2011886; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_10_31, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component joomlaXplorer admin.joomlaxplorer.php File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/administrator/components/com_joomlaxplorer/admin.joomlaxplorer.php?"; nocase; uricontent:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,packetstormsecurity.org/1011-exploits/joomlaxplorer-rfi.txt; classtype:web-application-attack; sid:2011935; rev:3; metadata:created_at 2010_11_19, updated_at 2010_11_19;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dolphin BxDolGzip.php file Disclosure Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/classes/BxDolGzip.php?"; nocase; http_uri; content:"file="; nocase; http_uri; content:"../"; depth:200; reference:url,secunia.com/advisories/42108; reference:url,exploit-db.com/exploits/15400/; classtype:web-application-attack; sid:2011936; rev:2; metadata:created_at 2010_11_19, updated_at 2010_11_19;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SiteloomCMS mailform_1 variable Cross Site Scripting Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"pageid="; nocase; http_uri; content:"mailform_send="; nocase; http_uri; content:"confirm_value="; nocase; http_uri; content:"mailform_1="; nocase; pcre:"/mailform_1\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/1008-exploits/siteloomcms-xss.txt; classtype:web-application-attack; sid:2011927; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_11_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TFTgallery adminlangfile Parameter Local File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/admin/thumbnailformpost.inc.php?"; nocase; http_uri; content:"adminlangfile="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/15345/; classtype:web-application-attack; sid:2011928; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_11_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_banners banners.class.php Remote File inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/components/com_banners/banners.class.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,packetstormsecurity.org/1010-exploits/joomlabanners-rfi.txt; classtype:web-application-attack; sid:2011929; rev:2; metadata:created_at 2010_11_19, updated_at 2010_11_19;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/site_info.php?"; nocase; http_uri; content:"siid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,inj3ct0r.com/exploits/14090; classtype:web-application-attack; sid:2011930; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_11_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/site_info.php?"; nocase; http_uri; content:"siid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,inj3ct0r.com/exploits/14090; classtype:web-application-attack; sid:2011931; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_11_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/site_info.php?"; nocase; http_uri; content:"siid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,inj3ct0r.com/exploits/14090; classtype:web-application-attack; sid:2011932; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_11_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/site_info.php?"; nocase; http_uri; content:"siid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,inj3ct0r.com/exploits/14090; classtype:web-application-attack; sid:2011933; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_11_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/site_info.php?"; nocase; http_uri; content:"siid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:url,inj3ct0r.com/exploits/14090; classtype:web-application-attack; sid:2011934; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_11_19, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PossibleFreeNAS exec_raw.php Arbitrary Command Execution Attempt"; flow:established,to_server; content:"/exec_raw.php"; http_uri; fast_pattern; nocase; content:"cmd="; http_uri; nocase; reference:bid,44974; classtype:web-application-attack; sid:2011940; rev:2; metadata:created_at 2010_11_19, updated_at 2010_11_19;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Open Source Support Ticket System module.php Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/module.php?module=osTicket&file=../"; http_uri; fast_pattern; reference:url,packetstormsecurity.org/files/view/95646/osticket-lfi.txt; classtype:web-application-attack; sid:2011941; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_11_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Vodpod Video Gallery Plugin gid Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/vodpod-video-gallery/vodpod_gallery_thumbs.php?"; nocase; http_uri; content:"gid="; http_uri; nocase; pcre:"/gid\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/42195; classtype:web-application-attack; sid:2011942; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2010_11_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GeekLog filemgt SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/filemgmt/singlefile.php?"; nocase; http_uri; content:"lid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,securityreason.com/exploitalert/9145; classtype:web-application-attack; sid:2011943; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_11_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GeekLog filemgt DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/filemgmt/singlefile.php?"; nocase; http_uri; content:"lid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,securityreason.com/exploitalert/9145; classtype:web-application-attack; sid:2011944; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_11_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GeekLog filemgt UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/filemgmt/singlefile.php?"; nocase; http_uri; content:"lid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,securityreason.com/exploitalert/9145; classtype:web-application-attack; sid:2011945; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_11_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GeekLog filemgt INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/filemgmt/singlefile.php?"; nocase; http_uri; content:"lid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,securityreason.com/exploitalert/9145; classtype:web-application-attack; sid:2011946; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_11_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GeekLog filemgt UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/filemgmt/singlefile.php?"; nocase; http_uri; content:"lid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:url,securityreason.com/exploitalert/9145; classtype:web-application-attack; sid:2011947; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_11_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AWCM window_top.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/awcm/includes/window_top.php?"; nocase; http_uri; content:"theme_file="; nocase; http_uri; pcre:"/theme_file=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/15510/; classtype:web-application-attack; sid:2011948; rev:2; metadata:created_at 2010_11_19, updated_at 2010_11_19;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AWCM common.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/awcm/control/common.php?"; nocase; http_uri; content:"lang_file="; http_uri; nocase; pcre:"/lang_file=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/15510/; classtype:web-application-attack; sid:2011949; rev:2; metadata:created_at 2010_11_19, updated_at 2010_11_19;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AWCM header.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/awcm/header.php?"; nocase; http_uri; content:"theme_file="; nocase; http_uri; pcre:"/theme_file=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/15510/; classtype:web-application-attack; sid:2011950; rev:2; metadata:created_at 2010_11_19, updated_at 2010_11_19;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Softbiz Article Directory Script sbiz_id Parameter Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/server/article_details.php?"; nocase; http_uri; content:"sbiz_id="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; http_uri; nocase; pcre:"/and.*substring\(/Ui"; reference:url,exploit-db.com/exploits/14910/; classtype:web-application-attack; sid:2011987; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_11_26, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS digiSHOP cart.php SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/cart.php?"; nocase; http_uri; content:"m=features"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/15405/; classtype:web-application-attack; sid:2012001; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS digiSHOP cart.php DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/cart.php?"; nocase; http_uri; content:"m=features"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,exploit-db.com/exploits/15405/; classtype:web-application-attack; sid:2012002; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS digiSHOP cart.php UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/cart.php?"; nocase; http_uri; content:"m=features"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,exploit-db.com/exploits/15405/; classtype:web-application-attack; sid:2012003; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS digiSHOP cart.php INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/cart.php?"; nocase; http_uri; content:"m=features"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,exploit-db.com/exploits/15405/; classtype:web-application-attack; sid:2012004; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS digiSHOP cart.php UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/cart.php?"; nocase; http_uri; content:"m=features"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/15405/; classtype:web-application-attack; sid:2012005; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MassMirror Uploader example_1.php Remote File Inclusion attempt"; flow:to_server,established; content:"GET"; http_method; content:"/Base/example_1.php?"; nocase; http_uri; content:"GLOBALS[MM_ROOT_DIRECTORY]="; http_uri; nocase; pcre:"/GLOBALS\[MM_ROOT_DIRECTORY\]=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/15441/; classtype:web-application-attack; sid:2012006; rev:2; metadata:created_at 2010_12_10, updated_at 2010_12_10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/plugins/templateie/lib/templateie_install.class.php?"; nocase; http_uri; content:"skin_file="; http_uri; nocase; pcre:"/skin_file=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,packetstormsecurity.org/1011-exploits/phpcow-rfilfi.txt; classtype:web-application-attack; sid:2012007; rev:2; metadata:created_at 2010_12_10, updated_at 2010_12_10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/plugins/templateie/lib/templateie_install.class.php?"; nocase; http_uri; content:"skin_file="; nocase; http_uri; content:"../"; depth:200; reference:url,packetstormsecurity.org/1011-exploits/phpcow-rfilfi.txt; classtype:web-application-attack; sid:2012008; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress FeedList Plugin i Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/plugins/feedlist/handler_image.php?"; nocase; http_uri; content:"i="; nocase; http_uri; pcre:"/i\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/42197/; reference:url,johnleitch.net/Vulnerabilities/WordPress.Feed.List.2.61.01.Reflected.Cross-site.Scripting/56; classtype:web-application-attack; sid:2012009; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, tag Wordpress, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zen Cart loader_file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/includes/initsystem.php?"; nocase; http_uri; content:"loader_file="; nocase; http_uri; content:"../"; depth:200; reference:url,secunia.com/advisories/42101/; classtype:web-application-attack; sid:2012010; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Horde IMP fetchmailprefs.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/fetchmailprefs.php?"; nocase; http_uri; content:"actionID=fetchmail_prefs_save"; nocase; http_uri; content:"fm_driver=imap"; nocase; http_uri; content:"fm_id="; http_uri; nocase; pcre:"/fm_id\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/94299/hordeimp-xss.txt; classtype:web-application-attack; sid:2012011; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Uploader download_launch.php Remote File Disclosure Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/api/download_launch.php?"; nocase; http_uri; content:"filename="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/13966/; classtype:web-application-attack; sid:2012012; rev:2; metadata:created_at 2010_12_10, updated_at 2010_12_10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo Component com_smf smf.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/components/com_smf/smf.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; http_uri; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,packetstormsecurity.org/files/view/95510/mambosmf-rfi.txt; classtype:web-application-attack; sid:2012013; rev:2; metadata:created_at 2010_12_10, updated_at 2010_12_10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Jimtawl Component task Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_jimtawl"; nocase; http_uri; content:"Itemid="; nocase; http_uri; content:"task="; http_uri; nocase; content:"../"; depth:200; reference:url,expbase.com/WebApps/13388.html; reference:url,secunia.com/advisories/42324/; classtype:web-application-attack; sid:2012014; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebRCSdiff viewver.php File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/viewver.php?"; http_uri; nocase; content:"doc_root="; http_uri; nocase; pcre:"/doc_root=\s*(ftps?|https?|php)\:\//Ui"; reference:url,expbase.com/WebApps/13387.html; reference:url,xforce.iss.net/xforce/xfdb/63343; classtype:web-application-attack; sid:2012015; rev:2; metadata:created_at 2010_12_10, updated_at 2010_12_10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"view=catalog"; nocase; http_uri; content:"item_type=M"; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,expbase.com/WebApps/13391.html; reference:url,secunia.com/advisories/42330/; classtype:web-application-attack; sid:2012016; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"view=catalog"; nocase; http_uri; content:"item_type=M"; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,expbase.com/WebApps/13391.html; reference:url,secunia.com/advisories/42330/; classtype:web-application-attack; sid:2012017; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"view=catalog"; nocase; http_uri; content:"item_type=M"; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,expbase.com/WebApps/13391.html; reference:url,secunia.com/advisories/42330/; classtype:web-application-attack; sid:2012018; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"view=catalog"; nocase; http_uri; content:"item_type=M"; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,expbase.com/WebApps/13391.html; reference:url,secunia.com/advisories/42330/; classtype:web-application-attack; sid:2012019; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"view=catalog"; nocase; http_uri; content:"item_type=M"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:url,expbase.com/WebApps/13391.html; reference:url,secunia.com/advisories/42330/; classtype:web-application-attack; sid:2012020; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS jSchool Advanced id_gallery Parameter SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"action=gallery.list"; nocase; http_uri; content:"id_gallery="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/and.*substring\(/Ui"; reference:url,exploit-db.com/exploits/15595/; reference:url,secunia.com/advisories/42334/; classtype:web-application-attack; sid:2012021; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Community Builder Enhenced Component Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_cbe"; nocase; http_uri; content:"task=userProfile"; nocase; http_uri; content:"user="; nocase; http_uri; content:"ajaxdirekt="; nocase; http_uri; content:"tabname="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/15222/; classtype:web-application-attack; sid:2012022; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ZyXEL P-660R-T1 HomeCurrent_Date Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/Forms/home_1?"; nocase; http_uri; content:"HomeCurrent_Date="; nocase; http_uri; pcre:"/HomeCurrent_Date\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/42344/; reference:url,archives.neohapsis.com/archives/bugtraq/2010-11/0190.html; classtype:web-application-attack; sid:2012023; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Gbook MX newlangsel Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/gbookmx/gbook.php?"; nocase; http_uri; content:"newlangsel="; nocase; http_uri; pcre:"/newlangsel=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/10986/; classtype:web-application-attack; sid:2012024; rev:2; metadata:created_at 2010_12_10, updated_at 2010_12_10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Seo Panel file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/download.php?"; nocase; http_uri; content:"filesec=sitemap"; nocase; http_uri; content:"filetype=text"; nocase; http_uri; content:"file="; nocase; http_uri; content:"..//"; depth:200; reference:url,packetstormsecurity.org/files/view/95644/seopanel-disclose.txt; classtype:web-application-attack; sid:2012025; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/takefreestart.php?"; nocase; http_uri; content:"tid="; nocase; http_uri; content:"tid2="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/15526/; classtype:web-application-attack; sid:2012026; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/takefreestart.php?"; nocase; http_uri; content:"tid="; nocase; http_uri; content:"tid2="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,exploit-db.com/exploits/15526/; classtype:web-application-attack; sid:2012027; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/takefreestart.php?"; nocase; http_uri; content:"tid="; nocase; http_uri; content:"tid2="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,exploit-db.com/exploits/15526/; classtype:web-application-attack; sid:2012028; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/takefreestart.php?"; nocase; http_uri; content:"tid="; nocase; http_uri; content:"tid2="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,exploit-db.com/exploits/15526/; classtype:web-application-attack; sid:2012029; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/takefreestart.php?"; nocase; http_uri; content:"tid="; nocase; http_uri; content:"tid2="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/15526/; classtype:web-application-attack; sid:2012030; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Remote File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/includes/esqueletos/skel_null.php?"; nocase; uricontent:"ABTPV_BLOQUE_CENTRAL="; nocase; pcre:"/ABTPV_BLOQUE_CENTRAL=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/15711/; classtype:web-application-attack; sid:2012031; rev:1; metadata:created_at 2010_12_10, updated_at 2010_12_10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/includes/esqueletos/skel_null.php?"; nocase; http_uri; content:"ABTPV_BLOQUE_CENTRAL="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/15711/; classtype:web-application-attack; sid:2012032; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS N-13 News default_login_language Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/login.php?"; nocase; http_uri; content:"default_login_language="; http_uri; nocase; content:"../"; depth:200; reference:url,secunia.com/advisories/39144/; reference:url,1337db.com/exploits/11446; classtype:web-application-attack; sid:2012033; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eNdonesia artid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/mod.php?"; nocase; http_uri; content:"mod=publisher"; nocase; http_uri; content:"op=printarticle"; nocase; http_uri; content:"artid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/15006/; classtype:web-application-attack; sid:2012034; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eNdonesia artid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/mod.php?"; nocase; http_uri; content:"mod=publisher"; nocase; http_uri; content:"op=printarticle"; nocase; http_uri; content:"artid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,exploit-db.com/exploits/15006/; classtype:web-application-attack; sid:2012035; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eNdonesia artid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/mod.php?"; nocase; http_uri; content:"mod=publisher"; nocase; http_uri; content:"op=printarticle"; nocase; http_uri; content:"artid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,exploit-db.com/exploits/15006/; classtype:web-application-attack; sid:2012036; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eNdonesia artid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/mod.php?"; nocase; http_uri; content:"mod=publisher"; nocase; http_uri; content:"op=printarticle"; nocase; http_uri; content:"artid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,exploit-db.com/exploits/15006/; classtype:web-application-attack; sid:2012037; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eNdonesia artid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/mod.php?"; nocase; http_uri; content:"mod=publisher"; nocase; http_uri; content:"op=printarticle"; nocase; http_uri; content:"artid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/15006/; classtype:web-application-attack; sid:2012038; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Car Portal car Parameter Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"page=en_Home"; nocase; http_uri; content:"car="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/and.*substring\(/Ui"; reference:url,exploit-db.com/exploits/15135/; classtype:web-application-attack; sid:2012039; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Contenido idart Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/en/front_content.php?"; nocase; http_uri; content:"idart="; nocase; http_uri; pcre:"/idart\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/42440/; classtype:web-application-attack; sid:2012040; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_12_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aigaion ID Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/indexlight.php?"; nocase; http_uri; content:"page=export"; nocase; http_uri; content:"type=single"; nocase; http_uri; content:"format=RIS"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,secunia.com/advisories/42463/; reference:url,securityreason.com/securityalert/7955; classtype:web-application-attack; sid:2012073; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_12_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aigaion ID Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/indexlight.php?"; nocase; http_uri; content:"page=export"; nocase; http_uri; content:"type=single"; nocase; http_uri; content:"format=RIS"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,secunia.com/advisories/42463/; reference:url,securityreason.com/securityalert/7955; classtype:web-application-attack; sid:2012074; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_12_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aigaion ID Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/indexlight.php?"; nocase; http_uri; content:"page=export"; nocase; http_uri; content:"type=single"; nocase; http_uri; content:"format=RIS"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/42463/; reference:url,securityreason.com/securityalert/7955; classtype:web-application-attack; sid:2012065; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_12_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aigaion ID Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/indexlight.php?"; nocase; http_uri; content:"page=export"; nocase; http_uri; content:"type=single"; nocase; http_uri; content:"format=RIS"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,secunia.com/advisories/42463/; reference:url,securityreason.com/securityalert/7955; classtype:web-application-attack; sid:2012066; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_12_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Profi Einzelgebots Auktions System auktion_text.php Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/auktion/auktion_text.php?"; nocase; http_uri; content:"id_auk="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:url,exploit-db.com/exploits/12005/; classtype:web-application-attack; sid:2012068; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_12_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/admin/upgrade_unattended.php?"; nocase; http_uri; content:"db_type="; nocase; http_uri; content:"..%2f"; depth:200; reference:url,exploit-db.com/exploits/15736/; reference:url,secunia.com/advisories/42597/; classtype:web-application-attack; sid:2012069; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_12_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/admin/upgrade_unattended.php?"; nocase; http_uri; content:"db_type="; nocase; http_uri; pcre:"/db_type\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,exploit-db.com/exploits/15735/; reference:url,secunia.com/advisories/42597/; classtype:web-application-attack; sid:2012070; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_12_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Google Urchin session.cgi Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/session.cgi?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"app=urchin.cgi"; nocase; http_uri; content:"action=prop"; nocase; http_uri; content:"rid="; nocase; http_uri; content:"n="; nocase; http_uri; content:"vid="; nocase; http_uri; content:"dtc="; nocase; http_uri; content:"cmd="; nocase; http_uri; content:"gfid="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/15737/; classtype:web-application-attack; sid:2012071; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_12_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Safe Search Plugin v1 Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/wp-safe-search/wp-safe-search-jx.php?"; nocase; http_uri; content:"v1="; nocase; http_uri; pcre:"/v1\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/42544; classtype:web-application-attack; sid:2012072; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, tag Wordpress, signature_severity Major, created_at 2010_12_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component Billy Portfolio catid Parameter Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; http_uri; nocase; content:"option=com_billyportfolio"; nocase; http_uri; content:"view=billyportfolio"; nocase; http_uri; content:"catid="; nocase; http_uri; pcre:"/and.*if\(/Ui"; reference:url,exploit-db.com/exploits/15721/; classtype:web-application-attack; sid:2012099; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_12_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-1"; flow:established,to_server; content:"GET"; http_method; content:"/modules/maticmarket/deco/blanc/haut.php?"; nocase; http_uri; content:"modulename="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012122; classtype:web-application-attack; sid:2012122; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_12_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-2"; flow:established,to_server; content:"GET"; http_method; content:"/modules/maticmarket/deco/blanc/bas.php?"; nocase; http_uri; content:"modulename="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012123; classtype:web-application-attack; sid:2012123; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_12_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-3"; flow:established,to_server; content:"GET"; http_method; content:"/modules/maticmarket/bleu/blanc/haut.php?"; nocase; http_uri; content:"modulename="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012124; classtype:web-application-attack; sid:2012124; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_12_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-4"; flow:established,to_server; content:"GET"; http_method; content:"/modules/maticmarket/bleu/blanc/bas.php?"; nocase; http_uri; content:"modulename="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012125; classtype:web-application-attack; sid:2012125; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_12_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-5"; flow:established,to_server; content:"GET"; http_method; content:"/modules/maticmarket/bleu/default/haut.php?"; nocase; http_uri; content:"modulename="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012126; classtype:web-application-attack; sid:2012126; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_12_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-6"; flow:established,to_server; content:"GET"; http_method; content:"/modules/maticmarket/bleu/default/bas.php?"; nocase; http_uri; content:"modulename="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012127; classtype:web-application-attack; sid:2012127; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_12_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-7"; flow:established,to_server; content:"GET"; http_method; content:"/modules/maticmarket/bleu/gold/haut.php?"; nocase; http_uri; content:"modulename="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012128; classtype:web-application-attack; sid:2012128; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_12_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-8"; flow:established,to_server; content:"GET"; http_method; content:"/modules/maticmarket/bleu/gold/bas.php?"; nocase; http_uri; content:"modulename="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012129; classtype:web-application-attack; sid:2012129; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_12_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie mybloggie_root_path Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/pingsvr.php?"; nocase; http_uri; content:"mybloggie_root_path="; nocase; http_uri; pcre:"/mybloggie_root_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/96805/mybloggie216-rfi.txt; reference:url,doc.emergingthreats.net/2012130; classtype:web-application-attack; sid:2012130; rev:3; metadata:created_at 2011_12_30, updated_at 2011_12_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Seyret Video com_seyret Component Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_seyret"; nocase; http_uri; content:"task=videodirectlink"; nocase; http_uri; content:"id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:url,exploit-db.com/exploits/14172/; reference:url,doc.emergingthreats.net/2012131; classtype:web-application-attack; sid:2012131; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_12_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Informacion General informacion_general.php SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/informacion_general.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/97188/phpig-sql.txt; classtype:web-application-attack; sid:2012159; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_01_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Informacion General informacion_general.php DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/informacion_general.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/97188/phpig-sql.txt; classtype:web-application-attack; sid:2012160; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_01_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Informacion General informacion_general.php UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/informacion_general.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/97188/phpig-sql.txt; classtype:web-application-attack; sid:2012161; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_01_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Informacion General informacion_general.php INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/informacion_general.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/97188/phpig-sql.txt; classtype:web-application-attack; sid:2012162; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_01_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Informacion General informacion_general.php UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/informacion_general.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/97188/phpig-sql.txt; classtype:web-application-attack; sid:2012163; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_01_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WORDPRESS Plugin Accept Signups email Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/plugins/accept-signups/accept-signups_submit.php?"; nocase; http_uri; content:"email="; nocase; http_uri; pcre:"/email\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/96928/wpsignups-xss.txt; classtype:web-application-attack; sid:2012164; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, tag Wordpress, signature_severity Major, created_at 2011_01_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Concrete DIR_FILES_BLOCK_TYPES_CORE Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/blocks/file/controller.php?"; nocase; http_uri; content:"DIR_FILES_BLOCK_TYPES_CORE="; nocase; http_uri; pcre:"/DIR_FILES_BLOCK_TYPES_CORE=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,45669; classtype:web-application-attack; sid:2012165; rev:3; metadata:created_at 2011_01_07, updated_at 2011_01_07;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/com_xmovie/helpers/img.php?"; nocase; http_uri; content:"file="; nocase; http_uri; content:"../"; depth:200; reference:url,packetstormsecurity.org/files/view/96996/xmovie-fli.txt; classtype:web-application-attack; sid:2012166; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_01_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ndCMS editor.aspx index Parameter SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/express_edit/editor.aspx?"; nocase; http_uri; content:"index="; nocase; http_uri; content:"AND"; nocase; http_uri; content:"IF"; nocase; http_uri; pcre:"/AND.*IF\(/Ui"; reference:url,exploit-db.com/exploits/15124/; classtype:web-application-attack; sid:2012167; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_01_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tiki Wiki CMS Groupware language Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/tiki-jsplugin.php?"; nocase; http_uri; content:"plugin="; nocase; http_uri; content:"language="; nocase; http_uri; content:"../"; depth:200; reference:url,johnleitch.net/Vulnerabilities/Tiki.Wiki.CMS.Groupware.5.2.Local.File.Inclusion/46; classtype:web-application-attack; sid:2012168; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_01_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nucleus action.php Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/action.php?"; http_uri; nocase; content:"DIR_LIBS="; http_uri; nocase; pcre:"/DIR_LIBS=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/15907/; classtype:web-application-attack; sid:2012181; rev:2; metadata:created_at 2011_01_14, updated_at 2011_01_14;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nucleus media.php Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/nucleus/media.php?"; http_uri; nocase; content:"DIR_LIBS="; http_uri; nocase; pcre:"/DIR_LIBS=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/15907/; classtype:web-application-attack; sid:2012182; rev:3; metadata:created_at 2011_01_14, updated_at 2011_01_14;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nucleus server.php Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/nucleus/xmlrpc/server.php?"; nocase; http_uri; content:"DIR_LIBS="; nocase; http_uri; pcre:"/DIR_LIBS=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/15907/; classtype:web-application-attack; sid:2012184; rev:2; metadata:created_at 2011_01_15, updated_at 2011_01_15;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nucleus PLUGINADMIN.php Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/nucleus/libs/PLUGINADMIN.php?"; nocase; http_uri; content:"DIR_LIBS="; nocase; http_uri; pcre:"/DIR_LIBS=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/15907/; classtype:web-application-attack; sid:2012185; rev:2; metadata:created_at 2011_01_15, updated_at 2011_01_15;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS axdcms aXconf Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/profile/user.php?"; nocase; http_uri; content:"aXconf[default_language]="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/15938/; classtype:web-application-attack; sid:2012186; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_01_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS bizdir.cgi f_srch Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/bizdir/bizdir.cgi?"; nocase; http_uri; content:"f_srch="; nocase; http_uri; pcre:"/f_srch\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/96613/bizdir510-xss.txt; classtype:web-application-attack; sid:2012187; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_01_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpscripte24 Vor und Ruckwarts Auktions System Blind SQL Injection Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/auktion.php?"; nocase; uricontent:"id_auk="; nocase; uricontent:"ASCII"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:url,exploit-db.com/exploits/12026/; classtype:web-application-attack; sid:2012189; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_01_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zimplit CMS client Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/English_manual_version_2.php?"; nocase; http_uri; content:"client="; nocase; http_uri; pcre:"/client\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/96466/zimplit-xss.txt; classtype:web-application-attack; sid:2012190; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_01_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zimplit CMS file Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/zimplit.php?"; nocase; http_uri; content:"action=load"; nocase; http_uri; content:"file="; nocase; http_uri; pcre:"/file\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/96466/zimplit-xss.txt; classtype:web-application-attack; sid:2012191; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_01_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/program/moduler_banner_aabn.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt; classtype:web-application-attack; sid:2012211; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_01_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/program/moduler_banner_aabn.php?"; nocase; http_uri; content:"id="; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt; classtype:web-application-attack; sid:2012212; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_01_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/program/moduler_banner_aabn.php?"; nocase; http_uri; content:"id="; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt; classtype:web-application-attack; sid:2012213; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_01_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/program/moduler_banner_aabn.php?"; nocase; http_uri; content:"id="; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt; classtype:web-application-attack; sid:2012214; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_01_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/program/moduler_banner_aabn.php?"; nocase; http_uri; content:"id="; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt; classtype:web-application-attack; sid:2012215; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_01_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS B-Cumulus tagcloud.swf Cross Site Scripting Attempt"; flow:established,to_server; content:"/tagcloud.swf?"; nocase; http_uri; content:"mode=tags"; nocase; http_uri; content:"tagcloud="; nocase; http_uri; pcre:"/tagcloud\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/97618/bcumulus-xss.txt; classtype:web-application-attack; sid:2012216; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_01_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS B-Cumulus tagcloud-ru.swf Cross Site Scripting Attempt"; flow:established,to_server; content:"/tagcloud-ru.swf"; nocase; http_uri; content:"mode=tags"; nocase; http_uri; content:"tagcloud="; nocase; http_uri; pcre:"/tagcloud\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/97618/bcumulus-xss.txt; classtype:web-application-attack; sid:2012220; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_01_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LetoDMS lang Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/op/op.Login.php?"; http_uri; nocase; content:"login="; nocase; http_uri; content:"sesstheme="; nocase; http_uri; content:"lang="; nocase; http_uri; content:"../"; depth:200; reference:bugtraq,37828; classtype:web-application-attack; sid:2012217; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_01_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BetMore Site Suite mainx_a.php bid Parameter Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/mainx_a.php?"; nocase; http_uri; content:"x="; nocase; http_uri; content:"xid="; nocase; http_uri; content:"bid="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; http_uri; nocase; pcre:"/and.*substring\(/Ui"; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploit-db.com/exploits/15999/; classtype:web-application-attack; sid:2012219; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_01_21, updated_at 2017_05_08;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Froxlor customer_ftp.php id Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/customer_ftp.php?"; nocase; http_uri; content:"id="; nocase; http_uri; pcre:"/id=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/16051/; classtype:web-application-attack; sid:2012334; rev:2; metadata:created_at 2011_02_24, updated_at 2011_02_24;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coupon Script bus parameter Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"page=viewbus"; nocase; http_uri; content:"bus="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/and.*substring\(/Ui"; reference:url,exploit-db.com/exploits/16034/; classtype:web-application-attack; sid:2012335; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CultBooking lang parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/cultbooking.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/16028/; classtype:web-application-attack; sid:2012336; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CultBooking lang Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/cultbooking.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; pcre:"/lang\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,exploit-db.com/exploits/16028/; classtype:web-application-attack; sid:2012337; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/infusions/teams_structure/team.php?"; nocase; http_uri; content:"team_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt; classtype:web-application-attack; sid:2012338; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/infusions/teams_structure/team.php?"; nocase; http_uri; content:"team_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt; classtype:web-application-attack; sid:2012339; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/infusions/teams_structure/team.php?"; nocase; http_uri; content:"team_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt; classtype:web-application-attack; sid:2012340; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/infusions/teams_structure/team.php?"; nocase; http_uri; content:"team_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt; classtype:web-application-attack; sid:2012341; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/infusions/teams_structure/team.php?"; nocase; http_uri; content:"team_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt; classtype:web-application-attack; sid:2012342; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WeBid active_auctions.php lan Parameter Local File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/active_auctions.php?"; nocase; http_uri; content:"lan="; nocase; http_uri; content:"../"; depth:200; reference:url,johnleitch.net/Vulnerabilities/WeBid.0.8.5P1.Local.File.Inclusion/63; classtype:web-application-attack; sid:2012343; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Madirish Webmail basedir Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/lib/addressbook.php?"; nocase; http_uri; content:"basedir="; nocase; http_uri; pcre:"/basedir=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/12369/; classtype:web-application-attack; sid:2012344; rev:2; metadata:created_at 2011_02_24, updated_at 2011_02_24;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_frontenduseraccess"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"../"; depth:200; reference:url,secunia.com/advisories/43137/; reference:url,securityhome.eu/exploits/exploit.php?eid=17879866924d479451d88fa8.02873909; classtype:web-application-attack; sid:2012345; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PMB Services id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"lvl=coll_see"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/16087/; classtype:web-application-attack; sid:2012346; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PMB Services id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"lvl=coll_see"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,exploit-db.com/exploits/16087/; classtype:web-application-attack; sid:2012347; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Services id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"lvl=coll_see"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,exploit-db.com/exploits/16087/; classtype:web-application-attack; sid:2012348; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PMB Services id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"lvl=coll_see"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,exploit-db.com/exploits/16087/; classtype:web-application-attack; sid:2012349; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PMB Services id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"lvl=coll_see"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/16087/; classtype:web-application-attack; sid:2012350; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Emerson Network AllResults.aspx Cross Site Scripting Attempt"; flow:established,to_server; content:"/SearchCenter/Pages/AllResults.aspx?"; nocase; http_uri; content:"k="; nocase; http_uri; pcre:"/k\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/98029/enp-xss.txt; classtype:web-application-attack; sid:2012351; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Classified ads software cid parameter Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/browsecats.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/and.*substring\(/Ui"; reference:url,exploit-db.com/exploits/16062/; classtype:web-application-attack; sid:2012352; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Audio showfile Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/audio/getid3/demos/demo.browse.php?"; nocase; http_uri; content:"showfile="; nocase; http_uri; pcre:"/showfile\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/97834/WordPressAudio0.5.1-xss.txt; classtype:web-application-attack; sid:2012353; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, tag Wordpress, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dokeos and Chamilo open_document.php file Parameter File Disclosure Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/gradebook/open_document.php?"; nocase; http_uri; content:"file="; http_uri; content:"../"; depth:200; reference:bugtraq,46173; classtype:web-application-attack; sid:2012354; rev:2; metadata:created_at 2011_02_24, updated_at 2011_02_24;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Moodle PHPCOVERAGE_HOME Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/lib/spikephpcoverage/src/phpcoverage.remote.top.inc.php?"; nocase; http_uri; content:"PHPCOVERAGE_HOME"; nocase; http_uri; pcre:"/PHPCOVERAGE_HOME\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/98053/Moodle2.0.1-xss.txt; classtype:web-application-attack; sid:2012355; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Featured Content param Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/js/modalbox/tests/functional/_ajax_method_get.php?"; nocase; http_uri; content:"param="; nocase; http_uri; pcre:"/param\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/97826/WordPressFeaturedContent0.0.1-xss.txt; classtype:web-application-attack; sid:2012356; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, tag Wordpress, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla XGallery com_xgallery Component Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/components/com_xgallery/helpers/img.php?"; nocase; http_uri; content:"file="; nocase; http_uri; content:"../"; depth:200; reference:url,packetstormsecurity.org/files/view/96864/joomlaxgallery-lfi.txt; classtype:web-application-attack; sid:2012357; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPCMS modelid Parameter SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/flash_upload.php?"; nocase; http_uri; content:"modelid="; nocase; http_uri; content:"ORDER"; nocase; http_uri; content:"BY"; nocase; http_uri; pcre:"/ORDER.+BY/Ui"; reference:bugtraq,45933; classtype:web-application-attack; sid:2012358; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/notaevento.php?"; nocase; http_uri; content:"id_novedad="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/98190/tcms-sql.txt; classtype:web-application-attack; sid:2012359; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/notaevento.php?"; nocase; http_uri; content:"id_novedad="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/98190/tcms-sql.txt; classtype:web-application-attack; sid:2012360; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/notaevento.php?"; nocase; http_uri; content:"id_novedad="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/98190/tcms-sql.txt; classtype:web-application-attack; sid:2012361; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/notaevento.php?"; nocase; http_uri; content:"id_novedad="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/98190/tcms-sql.txt; classtype:web-application-attack; sid:2012362; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/notaevento.php?"; nocase; http_uri; content:"id_novedad="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/98190/tcms-sql.txt; classtype:web-application-attack; sid:2012363; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bexfront sid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/bexfront.php"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt; classtype:web-application-attack; sid:2012364; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bexfront sid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/bexfront.php"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt; classtype:web-application-attack; sid:2012365; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bexfront sid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/bexfront.php"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt; classtype:web-application-attack; sid:2012366; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bexfront sid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/bexfront.php"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt; classtype:web-application-attack; sid:2012367; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bexfront sid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/bexfront.php"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt; classtype:web-application-attack; sid:2012368; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla swMenuPro ImageManager.php Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/com_swmenupro/ImageManager/Classes/ImageManager.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/95505/joomlaswmenupro-rfi.txt; classtype:web-application-attack; sid:2012369; rev:2; metadata:created_at 2011_02_24, updated_at 2011_02_24;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Boonex Dolphin explain Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/explanation.php?"; nocase; http_uri; content:"explain"; nocase; http_uri; pcre:"/explain\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/98408/Dolphin7.0.4-xss.txt; reference:bugtraq,46337; classtype:web-application-attack; sid:2012370; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Boonex Dolphin relocate Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/modules/boonex/custom_rss/post_mod_crss.php?"; nocase; http_uri; content:"relocate"; nocase; http_uri; pcre:"/relocate\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/98408/Dolphin7.0.4-xss.txt; reference:bugtraq,46337; classtype:web-application-attack; sid:2012371; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ColdUserGroup LibraryID Parameter Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.cfm?"; nocase; http_uri; content:"actcfug=LibraryView"; nocase; http_uri; content:"LibraryID="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:url,exploit-db.com/exploits/14935/; classtype:web-application-attack; sid:2012372; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Horde type Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/util/barcode.php?"; nocase; http_uri; content:"type="; nocase; http_uri; content:"../"; depth:200; reference:url,packetstormsecurity.org/files/view/98424/horde-lfi.txt; classtype:web-application-attack; sid:2012373; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_02_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/hilfsmittel.php"; nocase; http_uri; content:"action=read"; nocase; http_uri; content:"katid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/16202/; classtype:web-application-attack; sid:2012374; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_02_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/hilfsmittel.php"; nocase; http_uri; content:"action=read"; nocase; http_uri; content:"katid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,exploit-db.com/exploits/16202/; classtype:web-application-attack; sid:2012375; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_02_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/hilfsmittel.php"; nocase; http_uri; content:"action=read"; nocase; http_uri; content:"katid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,exploit-db.com/exploits/16202/; classtype:web-application-attack; sid:2012376; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_02_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/hilfsmittel.php"; nocase; http_uri; content:"action=read"; nocase; http_uri; content:"katid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,exploit-db.com/exploits/16202/; classtype:web-application-attack; sid:2012377; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_02_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/hilfsmittel.php"; nocase; http_uri; content:"action=read"; nocase; http_uri; content:"katid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/16202/; classtype:web-application-attack; sid:2012378; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_02_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TelebidAuctionScript aid Parameter Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/allauctions.php?"; nocase; http_uri; content:"aid="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/and.*substring\(/Ui"; reference:url,packetstormsecurity.org/files/view/82724/telebidauction-sql.txt; classtype:web-application-attack; sid:2012379; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_02_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Podcast Generator themes.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/core/themes.php?"; nocase; http_uri; content:"L_failedopentheme="; nocase; http_uri; pcre:"/L_failedopentheme\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/98143/podcastgenerator-xss.txt; classtype:web-application-attack; sid:2012380; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_02_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ITechBids productid Parameter Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/itechd.php?"; nocase; http_uri; content:"productid="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/and.*substring\(/Ui"; reference:url,exploit-db.com/exploits/9497; classtype:web-application-attack; sid:2012381; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_02_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery output Parameter Remote Command Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/include/picmgmt.inc.php?"; nocase; http_uri; content:"output="; nocase; http_uri; pcre:"/output=\w/Ui"; reference:url,packetstormsecurity.org/files/view/98347/cpg15x-exec.txt; classtype:web-application-attack; sid:2012382; rev:3; metadata:created_at 2011_02_25, updated_at 2011_02_25;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery retva Parameter Remote Command Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/include/picmgmt.inc.php?"; nocase; http_uri; content:"retva="; nocase; http_uri; pcre:"/retva=\w/Ui"; reference:url,packetstormsecurity.org/files/view/98347/cpg15x-exec.txt; classtype:web-application-attack; sid:2012383; rev:3; metadata:created_at 2011_02_25, updated_at 2011_02_25;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Awstats Apache Tomcat Configuration File Remote Arbitrary Command Execution Attempt"; flow:established,to_server; content:"awstats.cgi"; nocase; http_uri; content:"config="; nocase; http_uri; content:"pluginmode=rawlog"; nocase; http_uri; content:"configdir=|5C 5C|"; nocase; http_uri; fast_pattern; reference:bid,45123; reference:cve,2010-4367; classtype:web-application-attack; sid:2012393; rev:1; metadata:created_at 2011_02_28, updated_at 2011_02_28;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt"; flow:established,to_server; content:"stconf.nsf/WebMessage"; nocase; http_uri; content:"OpenView"; nocase; http_uri; content:"messageString="; nocase; http_uri; pcre:"/messageString\x3D.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bid,46471; reference:cve,2011-1038; classtype:web-application-attack; sid:2012394; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_02_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt"; flow:established,to_server; content:"stconf.nsf"; nocase; http_uri; content:"unescape"; nocase; fast_pattern; http_uri; pcre:"/stconf.nsf.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D).+unescape/Ui"; reference:bid,46471; reference:cve,2011-1038; classtype:web-application-attack; sid:2012395; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_02_28, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclipse IDE Help Component Cross Site Scripting Attempt"; flow:established,to_server; content:"/help/index.jsp"; nocase; http_uri; pcre:"/help\x2Findex\x2Ejsp.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bid,44883; reference:cve,2010-4647; classtype:web-application-attack; sid:2012396; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_02_28, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclipse IDE Help Component Cross Site Scripting Attempt"; flow:established,to_server; content:"/help/advanced/content.jsp"; nocase; http_uri; pcre:"/content\x2Ejsp.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bid,44883; reference:cve,2010-4647; classtype:web-application-attack; sid:2012397; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_02_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Potential Cewolf DOS attempt"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/Cewolf?"; nocase; http_uri; pcre:"/\&(width|height)\=([2-9][0-9][0-9][0-9]*)/Ui"; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2011-February/079547.html; classtype:web-application-attack; sid:2012406; rev:3; metadata:created_at 2011_03_01, updated_at 2011_03_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/options-runnow-iframe.php?wpabs=/"; nocase; http_uri; content:"%00&"; depth:250; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2011-February/079568.html; classtype:web-application-attack; sid:2012407; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_03_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/options-view_log-iframe.php?wpabs=/"; nocase; http_uri; content:"%00&logfile=/"; depth:250; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2011-February/079568.html; classtype:web-application-attack; sid:2012408; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_03_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress updateAJAX.php post_id Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; pcre:"/post_id\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012411; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, tag Wordpress, signature_severity Major, created_at 2011_03_03, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt  updateAJAX.php post_id SELECT"; flow:established,to_server; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012412; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2011_03_03, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UNION SELECT"; flow:established,to_server; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012413; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2011_03_03, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id INSERT"; flow:established,to_server; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012414; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2011_03_03, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id DELETE"; flow:established,to_server; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012415; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2011_03_03, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id ASCII"; flow:established,to_server; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012416; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2011_03_03, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UPDATE"; flow:established,to_server; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012417; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2011_03_03, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PhreeBooks js_include.php form Parameter Cross Site Scripting Attempt 1"; flow:established,to_server; content:"/shipping/methods/fedex_v7/label_mgr/js_include.php?"; nocase; http_uri; content:"form="; nocase; http_uri; pcre:"/form\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/98756/PhreeBooksR30RC4-xss.txt; reference:url,exploit-db.com/exploits/16249/; classtype:web-application-attack; sid:2012418; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_03_03, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PhreeBooks js_include.php form Parameter Cross Site Scripting Attempt 2"; flow:established,to_server; content:"/shipping/pages/popup_shipping/js_include.php?"; nocase; http_uri; content:"form="; http_uri; nocase; pcre:"/form\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/98756/PhreeBooksR30RC4-xss.txt; reference:url,exploit-db.com/exploits/16249/; classtype:web-application-attack; sid:2012419; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_03_03, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt dsp_page.cfm pageid SELECT"; flow:established,to_server; content:"/dsp_page.cfm?"; nocase; http_uri; content:"pageid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/16225/; reference:url,securelist.com/en/advisories/43460; reference:url,secunia.com/advisories/43460; classtype:web-application-attack; sid:2012420; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid UNION SELECT"; flow:established,to_server; content:"/dsp_page.cfm?"; nocase; http_uri; content:"pageid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,exploit-db.com/exploits/16225/; reference:url,securelist.com/en/advisories/43460; reference:url,secunia.com/advisories/43460; classtype:web-application-attack; sid:2012421; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid INSERT"; flow:established,to_server; content:"/dsp_page.cfm?"; nocase; http_uri; content:"pageid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,exploit-db.com/exploits/16225/; reference:url,securelist.com/en/advisories/43460; reference:url,secunia.com/advisories/43460; classtype:web-application-attack; sid:2012422; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid DELETE"; flow:established,to_server; content:"/dsp_page.cfm?"; nocase; http_uri; content:"pageid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,exploit-db.com/exploits/16225/; reference:url,securelist.com/en/advisories/43460; reference:url,secunia.com/advisories/43460; classtype:web-application-attack; sid:2012423; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid ASCII"; flow:established,to_server; content:"/dsp_page.cfm?"; nocase; http_uri; content:"pageid="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:url,exploit-db.com/exploits/16225/; reference:url,securelist.com/en/advisories/43460; reference:url,secunia.com/advisories/43460; classtype:web-application-attack; sid:2012424; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid UPDATE"; flow:established,to_server; content:"/dsp_page.cfm?"; nocase; http_uri; content:"pageid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/16225/; reference:url,securelist.com/en/advisories/43460; reference:url,secunia.com/advisories/43460; classtype:web-application-attack; sid:2012425; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/xcloner-backup-and-restore/cloner.cron.php?"; nocase; http_uri; content:"config="; nocase; http_uri; content:"../"; depth:200; reference:bugtraq,46582; reference:url,exploit-db.com/exploits/16246/; classtype:web-application-attack; sid:2012426; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Local_File_Inclusion, tag Wordpress, signature_severity Major, created_at 2011_03_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla XCloner Component cloner.cron.php config Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/administrator/components/com_xcloner-backupandrestore/cloner.cron.php?"; nocase; http_uri; content:"config="; nocase; http_uri; content:"../"; depth:200; reference:bugtraq,46582; reference:url,exploit-db.com/exploits/16246/; classtype:web-application-attack; sid:2012427; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_03_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php option Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/xcloner-backup-and-restore/index2.php?"; nocase; http_uri; content:"task=dologin"; nocase; http_uri; content:"option="; nocase; http_uri; pcre:"/option\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,46582; reference:url,exploit-db.com/exploits/16246/; classtype:web-application-attack; sid:2012428; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, tag Wordpress, signature_severity Major, created_at 2011_03_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php mosmsg Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/xcloner-backup-and-restore/index2.php?"; nocase; http_uri; content:"mosmsg="; nocase; http_uri; pcre:"/mosmsg\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,46582; reference:url,exploit-db.com/exploits/16246/; classtype:web-application-attack; sid:2012429; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, tag Wordpress, signature_severity Major, created_at 2011_03_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla XCloner Component index2.php mosmsg Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/administrator/components/com_xcloner-backupandrestore/index2.php?"; nocase; http_uri; content:"mosmsg="; nocase; http_uri; pcre:"/mosmsg\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,46582; reference:url,exploit-db.com/exploits/16246/; classtype:web-application-attack; sid:2012430; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_03_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic SELECT"; flow:established,to_server; content:"/wp-content/plugins/forum-server/feed.php?"; nocase; http_uri; content:"topic="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/16235/; classtype:web-application-attack; sid:2012431; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2011_03_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UNION SELECT"; flow:established,to_server; content:"/wp-content/plugins/forum-server/feed.php?"; nocase; http_uri; content:"topic="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,exploit-db.com/exploits/16235/; classtype:web-application-attack; sid:2012432; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2011_03_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic INSERT"; flow:established,to_server; content:"/wp-content/plugins/forum-server/feed.php?"; nocase; http_uri; content:"topic="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,exploit-db.com/exploits/16235/; classtype:web-application-attack; sid:2012433; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2011_03_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic DELETE"; flow:established,to_server; content:"/wp-content/plugins/forum-server/feed.php?"; nocase; http_uri; content:"topic="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,exploit-db.com/exploits/16235/; classtype:web-application-attack; sid:2012434; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2011_03_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic ASCII"; flow:established,to_server; content:"/wp-content/plugins/forum-server/feed.php?"; nocase; http_uri; content:"topic="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:url,exploit-db.com/exploits/16235/; classtype:web-application-attack; sid:2012435; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2011_03_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UPDATE"; flow:established,to_server; content:"/wp-content/plugins/forum-server/feed.php?"; nocase; http_uri; content:"topic="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/16235/; classtype:web-application-attack; sid:2012436; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2011_03_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Zotpress citation Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/zotpress/zotpress.image.php?"; nocase; http_uri; content:"citation="; nocase; http_uri; pcre:"/citation\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/98746/WordPressZotpress2.6-xss.txt; classtype:web-application-attack; sid:2012437; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, tag Wordpress, signature_severity Major, created_at 2011_03_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu SELECT"; flow:established,to_server; content:"/public/code/cp_menu_data_file.php?"; nocase; http_uri; content:"menu="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,securityreason.com/wlb_show/WLB-2011020009; classtype:web-application-attack; sid:2012468; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu UNION SELECT"; flow:established,to_server; content:"/public/code/cp_menu_data_file.php?"; nocase; http_uri; content:"menu="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,securityreason.com/wlb_show/WLB-2011020009; classtype:web-application-attack; sid:2012469; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu INSERT"; flow:established,to_server; content:"/public/code/cp_menu_data_file.php?"; nocase; http_uri; content:"menu="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,securityreason.com/wlb_show/WLB-2011020009; classtype:web-application-attack; sid:2012470; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu DELETE"; flow:established,to_server; content:"/public/code/cp_menu_data_file.php?"; nocase; http_uri; content:"menu="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,securityreason.com/wlb_show/WLB-2011020009; classtype:web-application-attack; sid:2012471; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu ASCII"; flow:established,to_server; content:"/public/code/cp_menu_data_file.php?"; nocase; http_uri; content:"menu="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:url,securityreason.com/wlb_show/WLB-2011020009; classtype:web-application-attack; sid:2012472; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu UPDATE"; flow:established,to_server; content:"/public/code/cp_menu_data_file.php?"; nocase; http_uri; content:"menu="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,securityreason.com/wlb_show/WLB-2011020009; classtype:web-application-attack; sid:2012473; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RecordPress rp-menu.php sess_user Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/admin/rp-menu.php?"; nocase; http_uri; content:"_SESSION[sess_user]="; nocase; http_uri; pcre:"/_SESSION\[sess_user\]\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,46798; reference:url,exploit-db.com/exploits/16950/; classtype:web-application-attack; sid:2012474; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_03_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RecordPress header.php titledesc Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/header.php?"; nocase; http_uri; content:"row[titledesc]="; nocase; http_uri; pcre:"/row\[titledesc\]\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,46798; reference:url,exploit-db.com/exploits/16950/; classtype:web-application-attack; sid:2012475; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_03_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin folder.php type Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/1-flash-gallery/folder.php?"; nocase; http_uri; content:"type="; nocase; http_uri; pcre:"/type\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,htbridge.ch/advisory/xss_in_1_flash_gallery_wordpress_plugin.html; reference:url,packetstormsecurity.org/files/view/99086/1flashgal-sqlxss.txt; classtype:web-application-attack; sid:2012476; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, tag Wordpress, signature_severity Major, created_at 2011_03_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id SELECT"; flow:established,to_server; content:"/wp-content/plugins/1-flash-gallery/massedit_album.php?"; fast_pattern:35,20; nocase; http_uri; content:"gall_id="; distance:0; nocase; http_uri; content:"SELECT"; nocase; http_uri; distance:0; content:"FROM"; nocase; http_uri; distance:0; reference:url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2012477; rev:6; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2011_03_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UNION SELECT"; flow:established,to_server; content:"/wp-content/plugins/1-flash-gallery/massedit_album.php?"; nocase; http_uri; content:"gall_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2012478; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2011_03_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id INSERT"; flow:established,to_server; content:"/wp-content/plugins/1-flash-gallery/massedit_album.php?"; nocase; http_uri; content:"gall_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2012479; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2011_03_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id DELETE"; flow:established,to_server; content:"/wp-content/plugins/1-flash-gallery/massedit_album.php?"; nocase; http_uri; content:"gall_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2012480; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2011_03_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id ASCII"; flow:established,to_server; content:"/wp-content/plugins/1-flash-gallery/massedit_album.php?"; nocase; http_uri; content:"gall_id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2012481; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2011_03_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UPDATE"; flow:established,to_server; content:"/wp-content/plugins/1-flash-gallery/massedit_album.php?"; nocase; http_uri; content:"gall_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2012482; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2011_03_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wikiwig spell-check-savedicts.php to_p_dict Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/_wk/Xinha/plugins/SpellChecker/spell-check-savedicts.php?"; nocase; http_uri; content:"to_p_dict="; nocase; http_uri; pcre:"/to_p_dict\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/43709; classtype:web-application-attack; sid:2012483; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_03_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wikiwig spell-check-savedicts.php to_r_list Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/_wk/Xinha/plugins/SpellChecker/spell-check-savedicts.php?"; nocase; http_uri; content:"to_r_list="; nocase; http_uri; pcre:"/to_r_list\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/43709; classtype:web-application-attack; sid:2012484; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_03_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf SELECT"; flow:established,to_server; content:"/products.php?"; nocase; http_uri; content:"ctf="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/16954/; classtype:web-application-attack; sid:2012485; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf UNION SELECT"; flow:established,to_server; content:"/products.php?"; nocase; http_uri; content:"ctf="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,exploit-db.com/exploits/16954/; classtype:web-application-attack; sid:2012486; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf INSERT"; flow:established,to_server; content:"/products.php?"; nocase; http_uri; content:"ctf="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,exploit-db.com/exploits/16954/; classtype:web-application-attack; sid:2012487; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf DELETE"; flow:established,to_server; content:"/products.php?"; nocase; http_uri; content:"ctf="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,exploit-db.com/exploits/16954/; classtype:web-application-attack; sid:2012488; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf ASCII"; flow:established,to_server; content:"/products.php?"; nocase; http_uri; content:"ctf="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:url,exploit-db.com/exploits/16954/; classtype:web-application-attack; sid:2012489; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf UPDATE"; flow:established,to_server; content:"/products.php?"; nocase; http_uri; content:"ctf="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/16954/; classtype:web-application-attack; sid:2012490; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Sahana Agasti AccessController.php approot Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/mod/vm/controller/AccessController.php?"; nocase; http_uri; content:"global[approot]="; nocase; http_uri; pcre:"/global\[approot\]=\s*(ftps?|https?|php)\x3a\//Ui"; reference:bugtraq,45656; reference:url,exploit-db.com/exploits/15896/; reference:url,xforce.iss.net/xforce/xfdb/64442; classtype:web-application-attack; sid:2012496; rev:2; metadata:created_at 2011_03_14, updated_at 2011_03_14;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Sahana Agasti dao.php approot Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/mod/vm/model/dao.php?"; nocase; http_uri; content:"global[approot]="; http_uri; nocase; pcre:"/global\[approot\]=\s*(ftps?|https?|php)\x3a\//Ui"; reference:bugtraq,45656; reference:url,exploit-db.com/exploits/15896/; reference:url,xforce.iss.net/xforce/xfdb/64442; classtype:web-application-attack; sid:2012497; rev:2; metadata:created_at 2011_03_14, updated_at 2011_03_14;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Constructr CMS SQL Injection Attempt -- constructrXmlOutput.content.xml.php page_id SELECT"; flow:established,to_server; content:"/xmlOutput/constructrXmlOutput.content.xml.php?"; nocase; http_uri; content:"page_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,46842; reference:url,packetstormsecurity.org/files/99204; reference:url,exploit-db.com/exploits/16963/; classtype:web-application-attack; sid:2012498; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Constructr CMS SQL Injection Attempt -- constructrXmlOutput.content.xml.php page_id UNION SELECT"; flow:established,to_server; content:"/xmlOutput/constructrXmlOutput.content.xml.php?"; nocase; http_uri; content:"page_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,46842; reference:url,packetstormsecurity.org/files/99204; reference:url,exploit-db.com/exploits/16963/; classtype:web-application-attack; sid:2012499; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Constructr CMS SQL Injection Attempt -- constructrXmlOutput.content.xml.php page_id INSERT"; flow:established,to_server; content:"/xmlOutput/constructrXmlOutput.content.xml.php?"; nocase; http_uri; content:"page_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,46842; reference:url,packetstormsecurity.org/files/99204; reference:url,exploit-db.com/exploits/16963/; classtype:web-application-attack; sid:2012500; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Constructr CMS Injection Attempt -- constructrXmlOutput.content.xml.php page_id DELETE"; flow:established,to_server; content:"/xmlOutput/constructrXmlOutput.content.xml.php?"; nocase; http_uri; content:"page_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,46842; reference:url,packetstormsecurity.org/files/99204; reference:url,exploit-db.com/exploits/16963/; classtype:web-application-attack; sid:2012501; rev:2; metadata:created_at 2011_03_14, updated_at 2011_03_14;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Constructr CMS SQL Injection Attempt -- constructrXmlOutput.content.xml.php page_id ASCII"; flow:established,to_server; content:"/xmlOutput/constructrXmlOutput.content.xml.php?"; nocase; http_uri; content:"page_id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:bugtraq,46842; reference:url,packetstormsecurity.org/files/99204; reference:url,exploit-db.com/exploits/16963/; classtype:web-application-attack; sid:2012502; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/imprimir.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/99467/shapewebsolutions-sql.txt; classtype:web-application-attack; sid:2012556; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/imprimir.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/99467/shapewebsolutions-sql.txt; classtype:web-application-attack; sid:2012557; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/imprimir.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/99467/shapewebsolutions-sql.txt; classtype:web-application-attack; sid:2012558; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/imprimir.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/99467/shapewebsolutions-sql.txt; classtype:web-application-attack; sid:2012559; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/imprimir.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/99467/shapewebsolutions-sql.txt; classtype:web-application-attack; sid:2012560; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Openfoncier action.class.php script Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/obj/action.class.php?"; nocase; http_uri; content:"path_om="; http_uri; nocase; pcre:"/path_om=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/12366; classtype:web-application-attack; sid:2012561; rev:2; metadata:created_at 2011_03_25, updated_at 2011_03_25;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Openfoncier architecte.class.php script Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/obj/architecte.class.php?"; nocase; http_uri; content:"path_om="; nocase; http_uri; pcre:"/path_om=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/12366; classtype:web-application-attack; sid:2012562; rev:2; metadata:created_at 2011_03_25, updated_at 2011_03_25;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Openfoncier avis.class.php script Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/obj/avis.class.php?"; nocase; http_uri; content:"path_om="; nocase; http_uri; pcre:"/path_om=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/12366; classtype:web-application-attack; sid:2012563; rev:2; metadata:created_at 2011_03_25, updated_at 2011_03_25;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Openfoncier bible.class.php script Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/obj/bible.class.php?"; nocase; http_uri; content:"path_om="; http_uri; nocase; pcre:"/path_om=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/12366; classtype:web-application-attack; sid:2012564; rev:2; metadata:created_at 2011_03_25, updated_at 2011_03_25;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Openfoncier blocnote.class.php script Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/obj/blocnote.class.php?"; nocase; http_uri; content:"path_om="; http_uri; nocase; pcre:"/path_om=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/12366; classtype:web-application-attack; sid:2012565; rev:2; metadata:created_at 2011_03_25, updated_at 2011_03_25;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vBulletin vbBux vbplaza.php Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/vbplaza.php?"; nocase; http_uri; content:"do="; nocase; http_uri; content:"name="; nocase; http_uri; content:"and"; http_uri; nocase; content:"substring"; http_uri; nocase; pcre:"/and.*substring\(/Ui"; reference:url,exploit-db.com/exploits/8784/; classtype:web-application-attack; sid:2012566; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET";http_method; content:"/content/rubric/index.php?"; nocase; http_uri; content:"rubID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/98769/coredcms-sql.txt; classtype:web-application-attack; sid:2012567; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/content/rubric/index.php?"; nocase; http_uri; content:"rubID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/98769/coredcms-sql.txt; classtype:web-application-attack; sid:2012585; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/content/rubric/index.php?"; nocase; http_uri; content:"rubID="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/98769/coredcms-sql.txt; classtype:web-application-attack; sid:2012568; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/content/rubric/index.php?"; nocase; http_uri; content:"rubID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/98769/coredcms-sql.txt; classtype:web-application-attack; sid:2012569; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/content/rubric/index.php?"; nocase; http_uri; content:"rubID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/98769/coredcms-sql.txt; classtype:web-application-attack; sid:2012570; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS jQuery Mega Menu Wordpress Plugin Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/jquery-mega-menu/skin.php?"; nocase; http_uri; content:"skin="; nocase; http_uri; content:"..%2f"; depth:200; reference:url,exploit-db.com/exploits/16250; classtype:web-application-attack; sid:2012571; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Local_File_Inclusion, tag Wordpress, signature_severity Major, created_at 2011_03_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo Cache_Lite Class mosConfig_absolute_path Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/includes/Cache/Lite/Output.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; http_uri; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/16912; classtype:web-application-attack; sid:2012572; rev:2; metadata:created_at 2011_03_25, updated_at 2011_03_25;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RecordPress header.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/header.php?"; nocase; http_uri; content:"row[titledesc]="; nocase; http_uri; pcre:"/row\[titledesc\]\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/99118/recordpress-xsrfxss.txt; classtype:web-application-attack; sid:2012573; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_03_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RecordPress header.php rp-menu.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/admin/rp-menu.php?"; nocase; http_uri; content:"_SESSION[sess_user]="; nocase; http_uri; pcre:"/_SESSION\[sess_user\]\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/99118/recordpress-xsrfxss.txt; classtype:web-application-attack; sid:2012574; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_03_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field SELECT"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"SELECT"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012575; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field INSERT"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012577; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field ASCII"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012579; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/lazyest-gallery/lazyest-popup.php?"; nocase; http_uri; content:"image="; http_uri; nocase; pcre:"/image\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,htbridge.ch/advisory/xss_in_lazyest_gallery_wordpress_plugin.html; reference:url,secunia.com/advisories/43661/; classtype:web-application-attack; sid:2012581; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, tag Wordpress, signature_severity Major, created_at 2011_03_25, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ardeaCore PHP Framework appMVCPath Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/ardeaCore/lib/core/mvc/ardeaMVC.php?"; nocase; http_uri; content:"appMVCPath="; http_uri; nocase; pcre:"/appMVCPath=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/15840/; reference:url,securityreason.com/wlb_show/WLB-2011010005; classtype:web-application-attack; sid:2012583; rev:2; metadata:created_at 2011_03_25, updated_at 2011_03_25;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ardeaCore PHP Framework CURRENT_BLOG_PATH Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/ardeaCore/lib/core/ardeaBlog.php?"; nocase; http_uri; content:"CURRENT_BLOG_PATH="; nocase; http_uri; pcre:"/CURRENT_BLOG_PATH=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/15840/; reference:url,securityreason.com/wlb_show/WLB-2011010005; classtype:web-application-attack; sid:2012584; rev:3; metadata:created_at 2011_03_25, updated_at 2011_03_25;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field SELECT"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012595; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field UNION SELECT"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012596; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field INSERT"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012597; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field DELETE"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012598; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field ASCII"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012599; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field UPDATE"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012600; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/lazyest-gallery/lazyest-popup.php?"; nocase; http_uri; content:"image="; nocase; http_uri; pcre:"/image\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,htbridge.ch/advisory/xss_in_lazyest_gallery_wordpress_plugin.html; reference:url,secunia.com/advisories/43661/; classtype:web-application-attack; sid:2012601; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, tag Wordpress, signature_severity Major, created_at 2011_03_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Interleave basicstats.php AjaxHandler Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/basicstats.php?"; nocase; http_uri; content:"AjaxHandler="; nocase; http_uri; pcre:"/AjaxHandler\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,46771; reference:url,xforce.iss.net/xforce/xfdb/65942; reference:url,packetstorm.linuxsecurity.com/1103-exploits/Interleave5.5.0.2-xss.txt; classtype:web-application-attack; sid:2012603; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_03_29, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ardeaCore PHP Framework appMVCPath Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/ardeaCore/lib/core/mvc/ardeaMVC.php?"; http_uri; nocase; content:"appMVCPath="; nocase; http_uri; pcre:"/appMVCPath=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/15840/; reference:url,securityreason.com/wlb_show/WLB-2011010005; classtype:web-application-attack; sid:2012604; rev:3; metadata:created_at 2011_03_29, updated_at 2011_03_29;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ardeaCore PHP Framework CURRENT_BLOG_PATH Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/ardeaCore/lib/core/ardeaBlog.php?"; nocase; http_uri; content:"CURRENT_BLOG_PATH="; http_uri; nocase; pcre:"/CURRENT_BLOG_PATH=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/15840/; reference:url,securityreason.com/wlb_show/WLB-2011010005; classtype:web-application-attack; sid:2012605; rev:2; metadata:created_at 2011_03_29, updated_at 2011_03_29;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa SELECT"; flow:established,to_server; content:"/plugins/pdfClasses/pdfgen.php?"; nocase; http_uri; content:"pdfa="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/17061/; reference:url,vupen.com/english/advisories/2011/0823; classtype:web-application-attack; sid:2012672; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa UNION SELECT"; flow:established,to_server; content:"/plugins/pdfClasses/pdfgen.php?"; nocase; http_uri; content:"pdfa="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,exploit-db.com/exploits/17061/; reference:url,vupen.com/english/advisories/2011/0823; classtype:web-application-attack; sid:2012673; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa INSERT"; flow:established,to_server; content:"/plugins/pdfClasses/pdfgen.php?"; nocase; http_uri; content:"pdfa="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,exploit-db.com/exploits/17061/; reference:url,vupen.com/english/advisories/2011/0823; classtype:web-application-attack; sid:2012674; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa DELETE"; flow:established,to_server; content:"/plugins/pdfClasses/pdfgen.php?"; nocase; http_uri; content:"pdfa="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,exploit-db.com/exploits/17061/; reference:url,vupen.com/english/advisories/2011/0823; classtype:web-application-attack; sid:2012675; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa ASCII"; flow:established,to_server; content:"/plugins/pdfClasses/pdfgen.php?"; nocase; http_uri; content:"pdfa="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:url,exploit-db.com/exploits/17061/; reference:url,vupen.com/english/advisories/2011/0823; classtype:web-application-attack; sid:2012676; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa UPDATE"; flow:established,to_server; content:"/plugins/pdfClasses/pdfgen.php?"; nocase; http_uri; content:"pdfa="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/17061/; reference:url,vupen.com/english/advisories/2011/0823; classtype:web-application-attack; sid:2012677; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webEdition CMS openBrowser.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/openBrowser.php?"; nocase; http_uri; content:"onload="; nocase; http_uri; pcre:"/onload\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,47047; reference:url,packetstormsecurity.org/files/99790; reference:url,exploit-db.com/exploits/17054/; classtype:web-application-attack; sid:2012678; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_04_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webEdition CMS edit_shop_editorFrameset.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/we/include/we_modules/shop/edit_shop_editorFrameset.php?"; nocase; http_uri; content:"onload="; http_uri; nocase; pcre:"/onload\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,47047; reference:url,packetstormsecurity.org/files/99790; reference:url,exploit-db.com/exploits/17054/; classtype:web-application-attack; sid:2012679; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_04_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webEdition CMS we_transaction Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/we/include/we_modules/messaging/messaging_show_folder_content.php?"; nocase; http_uri; content:"we_transaction="; nocase; http_uri; pcre:"/we_transaction\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,47047; reference:url,packetstormsecurity.org/files/99790; reference:url,exploit-db.com/exploits/17054/; classtype:web-application-attack; sid:2012680; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_04_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webEdition CMS shop_artikelid Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/we/include/weTracking/econda/weEcondaImplement.inc.php?"; http_uri; nocase; content:"shop_artikelid="; http_uri; nocase; pcre:"/shop_artikelid\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,47047; reference:url,packetstormsecurity.org/files/99790; reference:url,exploit-db.com/exploits/17054/; classtype:web-application-attack; sid:2012681; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_04_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/Surveys/modules.php?"; nocase; http_uri; content:"name=Surveys"; nocase; http_uri; content:"op="; nocase; http_uri; content:"pollID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/100119/phpnukesurveys-sql.txt; classtype:web-application-attack; sid:2012651; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/Surveys/modules.php?"; nocase; http_uri; content:"name=Surveys"; nocase; http_uri; content:"op="; nocase; http_uri; content:"pollID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/100119/phpnukesurveys-sql.txt; classtype:web-application-attack; sid:2012652; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/Surveys/modules.php?"; nocase; http_uri; content:"name=Surveys"; nocase; http_uri; content:"op="; nocase; http_uri; content:"pollID="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/100119/phpnukesurveys-sql.txt; classtype:web-application-attack; sid:2012653; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/Surveys/modules.php?"; nocase; http_uri; content:"name=Surveys"; nocase; http_uri; content:"op="; nocase; http_uri; content:"pollID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/100119/phpnukesurveys-sql.txt; classtype:web-application-attack; sid:2012654; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/Surveys/modules.php?"; nocase; http_uri; content:"name=Surveys"; nocase; http_uri; content:"op="; nocase; http_uri; content:"pollID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/100119/phpnukesurveys-sql.txt; classtype:web-application-attack; sid:2012655; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eyeOS callback parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/devtools/qooxdoo-sdk/framework/source/resource/qx/test/jsonp_primitive.php?"; nocase; http_uri; content:"callback="; nocase; http_uri; pcre:"/callback\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/43818; classtype:web-application-attack; sid:2012656; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_04_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eyeOS file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/devtools/qooxdoo-sdk/framework/source/resource/qx/test/part/delay.php?"; nocase; http_uri; content:"sleep="; nocase; http_uri; content:"file="; nocase; content:"..%2f"; depth:200; reference:url,secunia.com/advisories/43818; classtype:web-application-attack; sid:2012657; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_04_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OrangeHRM recruitcode parameter Cross Site Script Attempt"; flow:established,to_server; content:"/templates/recruitment/jobVacancy.php?"; nocase; http_uri; content:"recruitcode="; nocase; http_uri; pcre:"/recruitcode\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,47046; classtype:web-application-attack; sid:2012658; rev:2; metadata:created_at 2011_04_11, updated_at 2011_04_11;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_doqment Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_doqment"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"admin.ponygallery.html.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/99278/joomladoqment-rfilfisql.txt; classtype:web-application-attack; sid:2012659; rev:2; metadata:created_at 2011_04_11, updated_at 2011_04_11;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portel patron Parameter Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/portel/libreria/php/decide.php?"; nocase; http_uri; content:"patron="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/and.*substring\(/Ui"; reference:url,packetstormsecurity.org/files/view/80053/portel-sql.txt; classtype:web-application-attack; sid:2012660; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/cchatbox.php?"; nocase; http_uri; content:"do="; nocase; http_uri; content:"messageid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,46635; classtype:web-application-attack; sid:2012661; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/cchatbox.php?"; nocase; http_uri; content:"do="; nocase; http_uri; content:"messageid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,46635; classtype:web-application-attack; sid:2012662; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/cchatbox.php?"; nocase; http_uri; content:"do="; nocase; http_uri; content:"messageid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,46635; classtype:web-application-attack; sid:2012663; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/cchatbox.php?"; nocase; http_uri; content:"do="; nocase; http_uri; content:"messageid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,46635; classtype:web-application-attack; sid:2012664; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/cchatbox.php?"; nocase; http_uri; content:"do="; nocase; http_uri; content:"messageid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,46635; classtype:web-application-attack; sid:2012665; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla component smartformer Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/components/com_smartformer/smartformer.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/95477/joomlasmartformer-rfi.txt; classtype:web-application-attack; sid:2012666; rev:2; metadata:created_at 2011_04_11, updated_at 2011_04_11;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component Media Mall Factory Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_mediamall"; nocase; http_uri; content:"category="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/and.*substring\(/Ui"; reference:url,packetstormsecurity.org/files/view/88439/joomlamediamallfactory-bsql.txt; classtype:web-application-attack; sid:2012667; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LoCal Calendar System LIBDIR Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/lib/lcUser.php?"; nocase; http_uri; content:"LIBDIR="; nocase; http_uri; content:"../"; depth:200; reference:url,secunia.com/advisories/22484; classtype:web-application-attack; sid:2012668; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_04_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClanSphere 'CKEditorFuncNum' parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/mods/ckeditor/filemanager/connectors/php/upload.php?"; nocase; http_uri; content:"CKEditorFuncNum="; nocase; http_uri; pcre:"/CKEditorFuncNum\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/99698/ClanSphere2010.3CKEditor-xss.txt; classtype:web-application-attack; sid:2012669; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_04_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PhotoSmash action Parameter Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/plugins/photosmash-galleries/index.php?"; nocase; content:"action="; nocase; http_uri; pcre:"/action\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/99089/photosmash-xss.txt; classtype:web-application-attack; sid:2012670; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_04_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla virtuemart Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_virtuemart"; http_uri; content:"page="; http_uri; content:"substring"; http_uri; reference:url,exploit-db.com/exploits/17132; classtype:web-application-attack; sid:2012697; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eGroupware loaddetails.php script SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/samples/with_db/loaddetails.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,securityreason.com/wlb_show/WLB-2011040052; classtype:web-application-attack; sid:2012698; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eGroupware loaddetails.php script DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/samples/with_db/loaddetails.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,securityreason.com/wlb_show/WLB-2011040052; classtype:web-application-attack; sid:2012699; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eGroupware loaddetails.php script UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/samples/with_db/loaddetails.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,securityreason.com/wlb_show/WLB-2011040052; classtype:web-application-attack; sid:2012700; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eGroupware loaddetails.php script INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/samples/with_db/loaddetails.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,securityreason.com/wlb_show/WLB-2011040052; classtype:web-application-attack; sid:2012701; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eGroupware loaddetails.php script UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/samples/with_db/loaddetails.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,securityreason.com/wlb_show/WLB-2011040052; classtype:web-application-attack; sid:2012702; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla mod_virtuemart_latestprod module Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/mod_virtuemart_latestprod/mod_virtuemart_latestprod.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/100324; classtype:web-application-attack; sid:2012703; rev:2; metadata:created_at 2011_04_21, updated_at 2011_04_21;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla mod_virtuemart_featureprod module Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/mod_virtuemart_featureprod/mod_virtuemart_featureprod.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/100325; classtype:web-application-attack; sid:2012704; rev:2; metadata:created_at 2011_04_21, updated_at 2011_04_21;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress WP Publication file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/wp-publication-archive/includes/openfile.php?"; nocase; http_uri; content:"file="; nocase; http_uri; content:"../"; depth:200; reference:url,secunia.com/advisories/43067; reference:url,securelist.com/en/advisories/43067; classtype:web-application-attack; sid:2012705; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Local_File_Inclusion, tag Wordpress, signature_severity Major, created_at 2011_04_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vtiger CRM service parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/vtigerservice.php?"; nocase; http_uri; content:"service="; nocase; http_uri; pcre:"/service\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/100183/vtigerCRM5.2.1-XSS.txt; classtype:web-application-attack; sid:2012706; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_04_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/country_escorts.php?"; nocase; http_uri; content:"country_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/10809; classtype:web-application-attack; sid:2012715; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/country_escorts.php?"; nocase; http_uri; content:"country_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,exploit-db.com/exploits/10809; classtype:web-application-attack; sid:2012716; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/country_escorts.php?"; http_uri; content:"country_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,exploit-db.com/exploits/10809; classtype:web-application-attack; sid:2012717; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/country_escorts.php?"; nocase; http_uri; content:"country_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,exploit-db.com/exploits/10809; classtype:web-application-attack; sid:2012718; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/country_escorts.php?"; nocase; http_uri; content:"country_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/10809; classtype:web-application-attack; sid:2012719; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simploo CMS x parameter Remote PHP Code Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/config/custom/base.ini.php?"; nocase; http_uri; content:"x="; nocase; http_uri; pcre:"/x=\w/Ui"; reference:url,exploit-db.com/exploits/16016; classtype:web-application-attack; sid:2012720; rev:3; metadata:created_at 2011_04_22, updated_at 2011_04_22;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LightNEasy File Manager language Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/plugins/filemanager/get_file.php?"; nocase; http_uri; content:"language="; nocase; http_uri; content:"../"; depth:200; reference:url,secunia.com/advisories/39517; classtype:web-application-attack; sid:2012721; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_04_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SocialGrid Plugin default_services Cross-Site Scripting Vulnerability"; flow:established,to_server; content:"/plugins/socialgrid/static/js/inline-admin.js.php?"; nocase; http_uri; content:"default_services="; nocase; http_uri; pcre:"/default_services\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/44256; reference:url,htbridge.ch/advisory/xss_in_socialgrid_wordpress_plugin.html; classtype:web-application-attack; sid:2012722; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_04_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo component com_zoom Blind SQL Injection Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_zoom"; nocase; http_uri; content:"Itemid="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/and.*substring\(/Ui"; reference:url,packetstormsecurity.org/files/view/80992/mambozoom-sql.txt; classtype:web-application-attack; sid:2012723; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CitusCMS filePath Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/include/classes/file.class.php?"; nocase; http_uri; content:"filePath="; nocase; http_uri; pcre:"/filePath=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/100525/cituscms-rfi.txt; classtype:web-application-attack; sid:2012724; rev:2; metadata:created_at 2011_04_22, updated_at 2011_04_22;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SaurusCMS captcha_image.php script Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/extensions/saurus4/captcha_image.php?"; nocase; http_uri; content:"class_path="; nocase; http_uri; pcre:"/class_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/100461/sauruscms-rfi.txt; classtype:web-application-attack; sid:2012743; rev:2; metadata:created_at 2011_04_29, updated_at 2011_04_29;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Publishing Technology id Parameter Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/CollectionContent.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/and.*substring\(/Ui"; reference:url,packetstormsecurity.org/files/view/100822/publishingtechnology-sql.txt; classtype:web-application-attack; sid:2012744; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpRS id parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/model-kits.php?"; nocase; http_uri; content:"akce="; nocase; http_uri; content:"nazev="; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/96760/phprsmk-sql.txt; classtype:web-application-attack; sid:2012745; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpRS id parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/model-kits.php?"; nocase; http_uri; content:"akce="; nocase; http_uri; content:"nazev="; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/96760/phprsmk-sql.txt; classtype:web-application-attack; sid:2012746; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpRS id parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/model-kits.php?"; nocase; http_uri; content:"akce="; nocase; http_uri; content:"nazev="; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/96760/phprsmk-sql.txt; classtype:web-application-attack; sid:2012747; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpRS id parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/model-kits.php?"; nocase; http_uri; content:"akce="; nocase; http_uri; content:"nazev="; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/96760/phprsmk-sql.txt; classtype:web-application-attack; sid:2012748; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpRS id parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/model-kits.php?"; nocase; http_uri; content:"akce="; nocase; http_uri; content:"nazev="; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/96760/phprsmk-sql.txt; classtype:web-application-attack; sid:2012749; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OrangeHRM path Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/plugins/PluginController.php?"; nocase; http_uri; content:"path="; nocase; http_uri; content:"..%2f"; depth:200; reference:url,packetstormsecurity.org/files/view/100823/OrangeHRM2.6.3-lfi.txt; classtype:web-application-attack; sid:2012750; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_04_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Unified Communications Manager xmldirectorylist.jsp SQL Injection Attempt"; flow:established,to_server; content:"/ccmcip/xmldirectorylist.jsp?f=vsr|27 7C 7C|"; nocase; http_uri; pcre:"/f\x3Dvsr\x27\x7C\x7C.+(or|and|select|delete|union|delete|update|insert)/Ui"; reference:url,www.cisco.com/en/US/products/products_security_advisory09186a0080b79904.shtml; reference:bid,47607; reference:cve,2011-1609; classtype:web-application-attack; sid:2012760; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_05_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLINK txtCodiInfo parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/interna.php?"; nocase; http_uri; content:"txtCodiInfo="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/97186/klink-sql.txt; classtype:web-application-attack; sid:2012788; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_05_09, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLINK txtCodiInfo parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/interna.php?"; nocase; http_uri; content:"txtCodiInfo="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/97186/klink-sql.txt; classtype:web-application-attack; sid:2012789; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_05_09, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLINK txtCodiInfo parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/interna.php?"; nocase; http_uri; content:"txtCodiInfo="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/97186/klink-sql.txt; classtype:web-application-attack; sid:2012790; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_05_09, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLINK txtCodiInfo parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/interna.php?"; nocase; http_uri; content:"txtCodiInfo="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/97186/klink-sql.txt; classtype:web-application-attack; sid:2012791; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_05_09, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLINK txtCodiInfo parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/interna.php?"; nocase; http_uri; content:"txtCodiInfo="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/97186/klink-sql.txt; classtype:web-application-attack; sid:2012792; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_05_09, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-Xoopport Samsara Sections module secid Parameter Blind SQL Injection Exploit"; flow:established,to_server; content:"POST"; http_method; content:"/modules/sections/index.php?"; nocase; http_uri; content:"op="; nocase; http_uri; content:"secid="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:url,exploit-db.com/exploits/15004; classtype:web-application-attack; sid:2012793; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_05_09, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClanSphere CurrentFolder Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/mods/ckeditor/filemanager/connectors/php/connector.php?"; http_uri; nocase; content:"Command="; nocase; http_uri; content:"Type="; nocase; http_uri; content:"CurrentFolder="; nocase; http_uri; content:"../"; depth:200; reference:bugtraq,47636; classtype:web-application-attack; sid:2012794; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_05_09, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Golem Gaming Portal root_path Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/admin/admin_news_bot.php?"; nocase; http_uri; content:"root_path="; nocase; http_uri; pcre:"/root_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,securityreason.com/exploitalert/7180; classtype:web-application-attack; sid:2012795; rev:2; metadata:created_at 2011_05_09, updated_at 2011_05_09;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebAuction lang parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/lib/jscalendar/test.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; pcre:"/lang\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/101056/WebAuction0.3.6-XSS.txt; classtype:web-application-attack; sid:2012797; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_05_09, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Automne upload-controler.php Arbitrary File Upload Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/admin/upload-controler.php?"; nocase; http_uri; content:"atm-regen="; nocase; http_uri; content:"../"; depth:200; reference:url,securelist.com/en/advisories/43589; classtype:web-application-attack; sid:2012805; rev:3; metadata:created_at 2011_05_13, updated_at 2011_05_13;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress DB XML dump attempted access"; flow:established,to_server; content:"/uploads/"; http_uri; content:".wordpress.20"; http_uri; distance:0; content:".xml_.txt"; http_uri; distance:0; fast_pattern; reference:url,seclists.org/fulldisclosure/2011/May/322; classtype:attempted-recon; sid:2012808; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_05_15, updated_at 2016_07_01;)

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS WordPress DB XML dump successful leakage"; flow:established,from_server; content:"|0d 0a|<!-- This is a WordPress eXtended RSS file generated by WordPress as an export of your site. -->|0d 0a|"; content:"|0d 0a|Content-Type|3a 20|text/plain|0d 0a|"; http_header; reference:url,seclists.org/fulldisclosure/2011/May/322; classtype:successful-recon-largescale; sid:2012809; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_05_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager Blind SQL Injection Attempt"; flow:established,to_server; content:"/iptm/PRTestCreation.do?RequestSource=dashboard&MACs=&CCMs=|27|waitfor"; nocase; http_uri; content:"delay|27|"; nocase; http_uri; reference:url,www.exploit-db.com/exploits/17304/; reference:cve,2011-0960; classtype:web-application-attack; sid:2012818; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_05_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager advancedfind.do Reflective XSS Attempt"; flow:established,to_server; content:"/iptm/advancedfind.do?extn="; http_uri; nocase; pcre:"/extn\x3D.+(alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,www.exploit-db.com/exploits/17304/; reference:cve,2011-0959; classtype:web-application-attack; sid:2012819; rev:1; metadata:created_at 2011_05_18, updated_at 2011_05_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager deviceInstanceName Reflective XSS Attempt"; flow:established,to_server; content:"/iptm/ddv.do?deviceInstanceName="; http_uri; nocase; content:"deviceCapability=deviceCap"; http_uri; nocase; pcre:"/deviceInstanceName\x3D.+(alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,www.exploit-db.com/exploits/17304/; reference:cve,2011-0959; classtype:web-application-attack; sid:2012820; rev:1; metadata:created_at 2011_05_18, updated_at 2011_05_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager eventmon Reflective XSS Attempt"; flow:established,to_server; content:"/iptm/eventmon?cmd="; http_uri; nocase; content:"&dojo.preventCache="; http_uri; nocase; pcre:"/cmd\x3D(filterHelper|getDeviceData\x26group\x3D).+(alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,www.exploit-db.com/exploits/17304/; reference:cve,2011-0959; classtype:web-application-attack; sid:2012821; rev:1; metadata:created_at 2011_05_18, updated_at 2011_05_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager eventmon_wrapper.jsp Reflective XSS Attempt"; flow:established,to_server; content:"/iptm/faultmon/ui/dojo/Main/eventmon_wrapper.jsp?"; http_uri; nocase; content:"Name="; http_uri; nocase; pcre:"/\x2Ejsp\x3F(clusterName|deviceName)\x3D.+(alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,www.exploit-db.com/exploits/17304/; reference:cve,2011-0959; classtype:web-application-attack; sid:2012822; rev:1; metadata:created_at 2011_05_18, updated_at 2011_05_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager clusterName Reflective XSS Attempt"; flow:established,to_server; content:"/iptm/logicalTopo.do?clusterName="; http_uri; nocase; pcre:"/clusterName\x3D.+(alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,www.exploit-db.com/exploits/17304/; reference:cve,2011-0959; classtype:web-application-attack; sid:2012823; rev:1; metadata:created_at 2011_05_18, updated_at 2011_05_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cisco Common Services Framework Reflective XSS Attempt"; flow:established,to_server; content:"/CSCOnm/servlet/com.cisco.nm.help.ServerHelpEngine?tag=Portal_introductionhomepage"; http_uri; nocase; pcre:"/introductionhomepage.+(alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,www.exploit-db.com/exploits/17304/; reference:cve,2011-0962; classtype:web-application-attack; sid:2012824; rev:1; metadata:created_at 2011_05_18, updated_at 2011_05_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CiscoWorks Help Servlet Reflective XSS Attempt"; flow:established,to_server; content:"/cwhp/device.center.do?device="; http_uri; nocase; pcre:"/device\x3D.+(alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,www.exploit-db.com/exploits/17304/; reference:cve,2011-0961; classtype:web-application-attack; sid:2012825; rev:2; metadata:created_at 2011_05_18, updated_at 2011_05_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_hello SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_hello"; nocase; http_uri; content:"view="; nocase; http_uri; content:"catid="; nocase; http_uri; content:"secid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/101251/joomlahelo-sql.txt; classtype:web-application-attack; sid:2012829; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_05_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_hello DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_hello"; nocase; http_uri; content:"view="; nocase; http_uri; content:"catid="; nocase; http_uri; content:"secid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/101251/joomlahelo-sql.txt; classtype:web-application-attack; sid:2012830; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_05_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_hello UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_hello"; nocase; http_uri; content:"view="; nocase; http_uri; content:"catid="; nocase; http_uri; content:"secid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/101251/joomlahelo-sql.txt; classtype:web-application-attack; sid:2012831; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_05_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_hello INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_hello"; nocase; http_uri; content:"view="; nocase; http_uri; content:"catid="; nocase; http_uri; content:"secid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/101251/joomlahelo-sql.txt; classtype:web-application-attack; sid:2012832; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_05_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_hello UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_hello"; nocase; http_uri; content:"view="; nocase; http_uri; content:"catid="; nocase; http_uri; content:"secid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/101251/joomlahelo-sql.txt; classtype:web-application-attack; sid:2012833; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_05_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ChillyCMS mod Parameter Blind SQL Injection Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/core/show.site.php?"; nocase; http_uri; content:"editprofile"; nocase; http_uri; content:"mod="; nocase; http_uri; content:"AND"; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/select.+substring/Ui"; reference:url,packetstormsecurity.org/files/view/89665/chillycms-sql.txt; reference:url,exploit-db.com/exploits/12643; classtype:web-application-attack; sid:2012834; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_05_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS f-fileman direkt Parameter Directory Traversal Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/ffileman.cgi?"; nocase; http_uri; content:"direkt="; nocase; http_uri; content:"../"; depth:200; reference:url,packetstormsecurity.org/files/view/101212/ffileman-traversal.txt; classtype:web-application-attack; sid:2012835; rev:1; metadata:created_at 2011_05_20, updated_at 2011_05_20;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Slooze Web Photo Album file Parameter Command Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/src/slooz.php?"; nocase; http_uri; content:"file="; nocase; http_uri; pcre:"/file=\w/Ui"; reference:url,1337day.com/exploits/12148; classtype:web-application-attack; sid:2012836; rev:2; metadata:created_at 2011_05_20, updated_at 2011_05_20;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_mgm Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/components/com_mgm/help.mgm.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/94593/joomlamgm-rfi.txt; reference:url,securityreason.com/wlb_show/WLB-2010100045; classtype:web-application-attack; sid:2012837; rev:1; metadata:created_at 2011_05_20, updated_at 2011_05_20;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Plugin Is-human type Parameter Remote Code Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/plugins/is-human/engine.php?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"type="; nocase; http_uri; pcre:"/type=\w/Ui"; reference:url,exploit-db.com/exploits/17299; classtype:web-application-attack; sid:2012838; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_05_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TCExam tce_xml_user_results.php script SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/admin/code/tce_xml_user_results.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"startdate="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,autosectools.com/Advisory/TCExam-11.1.029-SQL-Injection-201; classtype:web-application-attack; sid:2012872; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_05_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TCExam tce_xml_user_results.php script DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/admin/code/tce_xml_user_results.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"startdate="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,autosectools.com/Advisory/TCExam-11.1.029-SQL-Injection-201; classtype:web-application-attack; sid:2012873; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_05_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TCExam tce_xml_user_results.php script UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/admin/code/tce_xml_user_results.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"startdate="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,autosectools.com/Advisory/TCExam-11.1.029-SQL-Injection-201; classtype:web-application-attack; sid:2012874; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_05_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TCExam tce_xml_user_results.php script INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/admin/code/tce_xml_user_results.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"startdate="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,autosectools.com/Advisory/TCExam-11.1.029-SQL-Injection-201; classtype:web-application-attack; sid:2012875; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_05_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TCExam tce_xml_user_results.php script UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/admin/code/tce_xml_user_results.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"startdate="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,autosectools.com/Advisory/TCExam-11.1.029-SQL-Injection-201; classtype:web-application-attack; sid:2012876; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_05_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e107 HANDLERS_DIRECTORY Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/e107_handlers/secure_img_handler.php?"; nocase; http_uri; content:"HANDLERS_DIRECTORY="; nocase; http_uri; pcre:"/HANDLERS_DIRECTORY=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/100565/e1070725-xssrfi.txt; classtype:web-application-attack; sid:2012877; rev:1; metadata:created_at 2011_05_27, updated_at 2011_05_27;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e107 IMAGES_DIRECTORY Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/e107_handlers/secure_img_handler.php?"; nocase; http_uri; content:"IMAGES_DIRECTORY="; nocase; http_uri; pcre:"/IMAGES_DIRECTORY=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/100565/e1070725-xssrfi.txt; classtype:web-application-attack; sid:2012878; rev:1; metadata:created_at 2011_05_27, updated_at 2011_05_27;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e107 imgp Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/e107_handlers/secure_img_handler.php?"; nocase; http_uri; content:"imgp="; nocase; http_uri; pcre:"/imgp=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/100565/e1070725-xssrfi.txt; classtype:web-application-attack; sid:2012879; rev:2; metadata:created_at 2011_05_27, updated_at 2011_05_27;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e107 trackback_url Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/e107_plugins/trackback/trackbackClass.php?"; nocase; http_uri; content:"trackback_url="; nocase; http_uri; pcre:"/trackback_url=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/100565/e1070725-xssrfi.txt; classtype:web-application-attack; sid:2012880; rev:1; metadata:created_at 2011_05_27, updated_at 2011_05_27;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e107 permLink Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/e107_plugins/trackback/trackbackClass.php?"; nocase; http_uri; content:"permLink="; nocase; http_uri; pcre:"/permLink=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/100565/e1070725-xssrfi.txt; classtype:web-application-attack; sid:2012881; rev:1; metadata:created_at 2011_05_27, updated_at 2011_05_27;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nagios Expand Parameter XSS Attempt"; flow:established,to_server; content:"/cgi-bin/config.cgi"; nocase; http_uri; content:"type=command&expand="; nocase; http_uri; pcre:"/expand\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:bid,48087; classtype:web-application-attack; sid:2012919; rev:1; metadata:created_at 2011_06_02, updated_at 2011_06_02;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS nvisionix Roaming System sessions.php script Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/authenticate/sessions.php?"; nocase; http_uri; content:"globalIncludeFilePath="; nocase; http_uri; content:"../"; depth:200; reference:url,packetstormsecurity.org/files/view/101786/nvisionix-lfi.txt; classtype:web-application-attack; sid:2012945; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_06_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress inline-gallery do parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/plugins/inline-gallery/browser/browser.php?"; nocase; http_uri; content:"do="; nocase; http_uri; pcre:"/do\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,46781; classtype:web-application-attack; sid:2012946; rev:1; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, tag Wordpress, signature_severity Major, created_at 2011_06_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebC.be Fichier_a_telecharger Parameter Local File Disclosure Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/telecharger.php?"; nocase; http_uri; content:"Fichier_a_telecharger="; nocase; http_uri; pcre:"/Fichier_a_telecharger=\w/Ui"; reference:url,1337day.com/exploits/16237; classtype:web-application-attack; sid:2012947; rev:2; metadata:created_at 2011_06_07, updated_at 2011_06_07;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_jmsfileseller view Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_jmsfileseller"; nocase; http_uri; content:"view="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/17338; classtype:web-application-attack; sid:2012948; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_06_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Opencadastre soustab.php script Local File Inclusion Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/scr/soustab.php?"; nocase; http_uri; content:"dsn[phptype]="; nocase; http_uri; content:"../"; depth:200; reference:url,hack0wn.com/view.php?xroot=1440.0&cat=exploits; classtype:web-application-attack; sid:2012949; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_06_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Openscrutin droit.class.php path_om  Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"droit.class.php?"; nocase; http_uri; content:"path_om="; nocase; http_uri; pcre:"/path_om=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/88613/openscrutin-rfilfi.txt; classtype:web-application-attack; sid:2012950; rev:1; metadata:created_at 2011_06_07, updated_at 2011_06_07;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Openscrutin collectivite.class.php path_om Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/collectivite.class.php?"; nocase; http_uri; content:"path_om="; nocase; http_uri; pcre:"/path_om=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/88613/openscrutin-rfilfi.txt; classtype:web-application-attack; sid:2012951; rev:1; metadata:created_at 2011_06_07, updated_at 2011_06_07;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Openscrutin utilisateur.class.php path_om Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/utilisateur.class.php?"; nocase; http_uri; content:"path_om="; nocase; http_uri; pcre:"/path_om=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/88613/openscrutin-rfilfi.txt; classtype:web-application-attack; sid:2012952; rev:1; metadata:created_at 2011_06_07, updated_at 2011_06_07;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Openscrutin courrier.class.php path_om Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/courrier.class.php?"; nocase; http_uri; content:"path_om="; nocase; http_uri; pcre:"/path_om=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/88613/openscrutin-rfilfi.txt; classtype:web-application-attack; sid:2012953; rev:1; metadata:created_at 2011_06_07, updated_at 2011_06_07;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Openscrutin profil.class.php path_om Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/profil.class.php?"; nocase; http_uri; content:"path_om="; nocase; http_uri; pcre:"/path_om=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/88613/openscrutin-rfilfi.txt; classtype:web-application-attack; sid:2012954; rev:1; metadata:created_at 2011_06_07, updated_at 2011_06_07;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HP Insight Diagnostics Online Edition search.php XSS Attempt"; flow:established,to_server; content:"/hpdiags/frontend2/help/search.php?query="; http_uri; nocase; pcre:"/query\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:bid,45420; reference:cve,2010-4111; classtype:web-application-attack; sid:2012976; rev:1; metadata:created_at 2011_06_08, updated_at 2011_06_08;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 4848 (msg:"ET WEB_SPECIFIC_APPS Possible Oracle GlassFish Server Administration Console Authentication Bypass Attempt"; flow:established,to_server; content:"TRACE "; nocase; depth:6; content:".jsf"; nocase; distance:0; reference:url,www.coresecurity.com/content/oracle-glassfish-server-administration-console-authentication-bypass; reference:bid,47818; reference:cve,2011-1511; classtype:attempted-recon; sid:2012977; rev:1; metadata:created_at 2011_06_08, updated_at 2011_06_08;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible ZOHO ManageEngine ADSelfService Captcha Bypass Attempt"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/accounts/ValidateAnswers?methodToCall=validateAll"; nocase; http_uri; content:"&Hide_Captcha=0"; nocase; content:"&LOGIN_NAME="; nocase; distance:0; content:"&quesList="; nocase; distance:0; reference:url,www.coresecurity.com/content/zoho-manageengine-vulnerabilities; reference:cve,2010-3272; classtype:web-application-attack; sid:2012979; rev:1; metadata:created_at 2011_06_08, updated_at 2011_06_08;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ZOHO ManageEngine ADSelfService Employee Search XSS Attempt"; flow:established,to_server; content:"/EmployeeSearch"; nocase; http_uri; fast_pattern; content:"actionId="; nocase; http_uri; content:"searchString="; http_uri; nocase; pcre:"/searchString\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,www.coresecurity.com/content/zoho-manageengine-vulnerabilities; reference:cve,2010-3274; classtype:web-application-attack; sid:2012980; rev:1; metadata:created_at 2011_06_08, updated_at 2011_06_08;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TEDE Simplificado processaPesquisa.php script INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/tde_busca/processaPesquisa.php?"; nocase; http_uri; content:"pesqExecutada="; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/101876/tedesimplificado-sql.txt; classtype:web-application-attack; sid:2012990; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_06_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TEDE Simplificado processaPesquisa.php script SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/tde_busca/processaPesquisa.php?"; nocase; http_uri; content:"pesqExecutada="; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/101876/tedesimplificado-sql.txt; classtype:web-application-attack; sid:2012987; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_06_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TEDE Simplificado processaPesquisa.php script DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/tde_busca/processaPesquisa.php?"; nocase; http_uri; content:"pesqExecutada="; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/101876/tedesimplificado-sql.txt; classtype:web-application-attack; sid:2012988; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_06_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TEDE Simplificado processaPesquisa.php script UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/tde_busca/processaPesquisa.php?"; nocase; http_uri; content:"pesqExecutada="; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/101876/tedesimplificado-sql.txt; classtype:web-application-attack; sid:2012989; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_06_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TEDE Simplificado processaPesquisa.php script UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/tde_busca/processaPesquisa.php?"; nocase; http_uri; content:"pesqExecutada="; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/101876/tedesimplificado-sql.txt; classtype:web-application-attack; sid:2012991; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_06_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nakid CMS CKEditorFuncNum parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/addons/kcfinder/browse.php?"; nocase; http_uri; content:"CKEditorFuncNum="; nocase; http_uri; pcre:"/CKEditorFuncNum\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,autosectools.com/Advisory/Nakid-CMS-1.0.2-Reflected-Cross-site-Scripting-230; classtype:web-application-attack; sid:2012992; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_06_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PEAR include_path Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/pear.php?"; nocase; http_uri; content:"include_path="; nocase; http_uri; pcre:"/include_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/86292/pear-rfi.txt; classtype:web-application-attack; sid:2012993; rev:1; metadata:created_at 2011_06_10, updated_at 2011_06_10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PEAR_PHPDIR Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/pear.php?"; nocase; http_uri; content:"_PEAR_PHPDIR="; nocase; http_uri; pcre:"/_PEAR_PHPDIR=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/86292/pear-rfi.txt; classtype:web-application-attack; sid:2012994; rev:1; metadata:created_at 2011_06_10, updated_at 2011_06_10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS People Joomla Component controller Parameter Local File Inclusion Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_people"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/16001; classtype:web-application-attack; sid:2012995; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_06_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AWStats Totals sort parameter Remote Code Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/awstatstotals.php?"; nocase; http_uri; content:"sort="; nocase; http_uri; pcre:"/sort=\w/Ui"; reference:url,packetstormsecurity.org/files/view/101698/awstatstotals_multisort.rb.txt; classtype:web-application-attack; sid:2012996; rev:2; metadata:created_at 2011_06_10, updated_at 2011_06_10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/showcats.php?"; nocase; http_uri; content:"sbcat_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,46048; classtype:web-application-attack; sid:2013080; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_06_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/showcats.php?"; nocase; http_uri; content:"sbcat_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,46048; classtype:web-application-attack; sid:2013081; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_06_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/showcats.php?"; nocase; http_uri; content:"sbcat_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,46048; classtype:web-application-attack; sid:2013082; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_06_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/showcats.php?"; nocase; http_uri; content:"sbcat_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,46048; classtype:web-application-attack; sid:2013083; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_06_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/showcats.php?"; nocase; http_uri; content:"sbcat_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,46048; classtype:web-application-attack; sid:2013084; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_06_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BLOG CMS nsextt parameter Cross Site Scripting Vulnerability"; flow:established,to_server; content:"/templates/admin_default/confirm.tpl.php?"; nocase; http_uri; content:"nsextt="; nocase; http_uri; pcre:"/nsextt\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,seclists.org/bugtraq/2011/Jun/59; classtype:web-application-attack; sid:2013085; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_06_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vBulletin sortorder parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/xperience.php?"; nocase; http_uri; content:"sortfield="; nocase; http_uri; content:"sortorder="; nocase; http_uri; pcre:"/sortorder\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/102001/xperience-xss.txt; classtype:web-application-attack; sid:2013086; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_06_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS impressCMS FCKeditor root_path Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/editors/FCKeditor/editor_registry.php?"; nocase; http_uri; content:"root_path="; nocase; http_uri; pcre:"/root_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,1337day.com/exploits/16001; classtype:web-application-attack; sid:2013087; rev:1; metadata:created_at 2011_06_21, updated_at 2011_06_21;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS impressCMS tinymce root_path Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/editors/tinymce/editor_registry.php?"; nocase; http_uri; content:"root_path="; nocase; http_uri; pcre:"/root_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,1337day.com/exploits/16001; classtype:web-application-attack; sid:2013088; rev:1; metadata:created_at 2011_06_21, updated_at 2011_06_21;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS impressCMS dhtmltextarea root_path Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/editors/dhtmltextarea/editor_registry.php?"; nocase; http_uri; content:"root_path="; nocase; http_uri; pcre:"/root_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,1337day.com/exploits/16001; classtype:web-application-attack; sid:2013089; rev:1; metadata:created_at 2011_06_21, updated_at 2011_06_21;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nagios Expand Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/nagios/cgi-bin/config.cgi"; nocase; http_uri; content:"type=command&expand="; fast_pattern; http_uri; nocase; pcre:"/expand\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:bid,48087; reference:cve,2011-2179; classtype:web-application-attack; sid:2013095; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_06_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Archive useredit script Cross Site Scripting Attempt"; flow:established,to_server; content:"/archiva/security/useredit.action?"; nocase; http_uri; content:"username="; nocase; http_uri; pcre:"/username\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013099; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_06_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Archive roleedit script Cross Site Scripting Attempt"; flow:established,to_server; content:"/archiva/security/roleedit.action?"; nocase; http_uri; content:"name="; nocase; http_uri; pcre:"/name\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013100; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_06_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Archive userlist script Cross Site Scripting Attempt"; flow:established,to_server; content:"/archiva/security/userlist!show.action?"; nocase; http_uri; content:"roleName="; nocase; http_uri; pcre:"/roleName\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013101; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_06_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Archive deleteArtifact script Cross Site Scripting Attempt"; flow:established,to_server; content:"/archiva/deleteArtifact!doDelete.action?"; nocase; http_uri; content:"groupId="; nocase; http_uri; pcre:"/groupId\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013102; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_06_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Archive addLegacyArtifactPath script Cross Site Scripting Attempt"; flow:established,to_server; content:"/archiva/admin/addLegacyArtifactPath!commit.action?"; nocase; http_uri; content:"legacyArtifactPath.path="; nocase; http_uri; pcre:"/legacyArtifactPath.path\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013103; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_06_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Archive deleteNetworkProxy script Cross Site Scripting Attempt"; flow:established,to_server; content:"/archiva/admin/deleteNetworkProxy!confirm.action?"; nocase; http_uri; content:"proxyid="; nocase; http_uri; pcre:"/proxyid\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013104; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_06_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Archive addRepository script Cross Site Scripting Attempt"; flow:established,to_server; content:"/archiva/admin/addRepository.action"; nocase; http_uri; content:"repository.id="; nocase; http_uri; pcre:"/repository.id\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc xss.txt; classtype:web-application-attack; sid:2013105; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_06_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Archive confirmDeleteRepository script Cross Site Scripting Attempt"; flow:established,to_server; content:"/archiva/admin/confirmDeleteRepository.action?"; nocase; http_uri; content:"repoid="; nocase; http_uri; pcre:"/repoid\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc xss.txt; classtype:web-application-attack; sid:2013106; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_06_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Archive editAppearance script Cross Site Scripting Attempt"; flow:established,to_server; content:"/archiva/admin/editAppearance.action"; nocase; http_uri; content:"organisationName="; nocase; http_uri; pcre:"/organisationName\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013107; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_06_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Archive addLegacyArtifactPath.action Cross Site Scripting Attempt"; flow:established,to_server; content:"/archiva/admin/addLegacyArtifactPath.action"; nocase; http_uri; content:"legacyArtifactPath.path="; nocase; http_uri; pcre:"/legacyArtifactPath.path\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013108; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_06_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Archive addNetworkProxy script Cross Site Scripting Attempt"; flow:established,to_server; content:"/archiva/admin/addNetworkProxy.action"; nocase; http_uri; content:"proxy.id="; nocase; http_uri; pcre:"/proxy.id\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013109; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_06_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Archive networkProxies script Cross Site Scripting Attempt"; flow:established,to_server; content:"/archiva/admin/networkProxies.action"; nocase; http_uri; content:"proxy.id="; nocase; http_uri; pcre:"/proxy.id\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013110; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_06_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Archive legacyArtifactPath script Cross Site Scripting Attempt"; flow:established,to_server; content:"/archiva/admin/legacyArtifactPath.action"; nocase; http_uri; content:"legacyArtifactPath.path="; nocase; http_uri; pcre:"/legacyArtifactPath.path\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013111; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_06_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Archive configureAppearance script Cross Site Scripting Attempt"; flow:established,to_server; content:"/archiva/admin/configureAppearance.action"; nocase; http_uri; content:"organisationName="; nocase; http_uri; pcre:"/organisationName\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013112; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_06_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Sort Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/sessions?path="; nocase; http_uri; content:"sort="; nocase; http_uri; pcre:"/sort\x3D.+(alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; metadata: former_category WEB_SPECIFIC_APPS; reference:bid,45015; reference:cve,2010-4172; classtype:web-application-attack; sid:2013117; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_06_24, updated_at 2017_05_08;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Orderby Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/sessions?path="; nocase; http_uri; content:"orderby="; nocase; http_uri; pcre:"/orderby\x3D.+(alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; metadata: former_category WEB_SPECIFIC_APPS; reference:bid,45015; reference:cve,2010-4172; classtype:web-application-attack; sid:2013118; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_06_24, updated_at 2017_05_08;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SoftMP3 search Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/minbrowse.php?"; nocase; http_uri; content:"search="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/17209; classtype:web-application-attack; sid:2013125; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_06_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SoftMP3 search Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/minbrowse.php?"; nocase; http_uri; content:"search="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,exploit-db.com/exploits/17209; classtype:web-application-attack; sid:2013126; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_06_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SoftMP3 search Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/minbrowse.php?"; nocase; http_uri; content:"search="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,exploit-db.com/exploits/17209; classtype:web-application-attack; sid:2013127; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_06_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SoftMP3 search Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/minbrowse.php?"; nocase; http_uri; content:"search="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,exploit-db.com/exploits/17209; classtype:web-application-attack; sid:2013128; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_06_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SoftMP3 search Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/minbrowse.php?"; nocase; http_uri; content:"search="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/17209; classtype:web-application-attack; sid:2013129; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_06_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vBulletin vBTube vidid Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/vBTube.php?"; nocase; http_uri; content:"do="; nocase; http_uri; content:"vidid="; nocase; http_uri; pcre:"/vidid\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/102238/vbtube129-xss.txt; classtype:web-application-attack; sid:2013133; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_06_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vBulletin vBTube uname Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/vBTube.php?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"do="; nocase; http_uri; content:"uname="; nocase; http_uri; pcre:"/uname\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/102238/vbtube129-xss.txt; classtype:web-application-attack; sid:2013134; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_06_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ZyXEL ZyWALL LoginPassword/HiddenPassword Cross Site Scripting Attempt"; flow:established,to_server; content:"/Forms/rpAuth"; nocase; http_uri; content:"nPassword="; nocase; http_uri; pcre:"/(Loging|Hidden)Password\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:cve,2011-2466; classtype:web-application-attack; sid:2013150; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_06_30, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/flash-album-gallery/lib/hitcounter.php?"; nocase; http_uri; fast_pattern:19,20; content:"pid="; distance:0; nocase; http_uri; content:"SELECT"; nocase; http_uri; distance:0; content:"FROM"; nocase; http_uri; distance:0; reference:url,htbridge.ch/advisory/sql_injection_in_grand_flash_album_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2013155; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2011_07_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/flash-album-gallery/lib/hitcounter.php?"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,htbridge.ch/advisory/sql_injection_in_grand_flash_album_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2013156; rev:1; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2011_07_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/flash-album-gallery/lib/hitcounter.php?"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,htbridge.ch/advisory/sql_injection_in_grand_flash_album_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2013157; rev:1; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2011_07_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/flash-album-gallery/lib/hitcounter.php?"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,htbridge.ch/advisory/sql_injection_in_grand_flash_album_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2013158; rev:1; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2011_07_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/flash-album-gallery/lib/hitcounter.php?"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,htbridge.ch/advisory/sql_injection_in_grand_flash_album_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2013159; rev:1; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2011_07_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Webcat web_id Parameter Blind SQL Injection Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/ecat/cms_view.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"web_id="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/and.*substring\(/Ui"; reference:url,exploit-db.com/exploits/17444; classtype:web-application-attack; sid:2013164; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_07_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Immophp secteur parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/annonce.php?"; nocase; http_uri; content:"secteur="; nocase; http_uri; pcre:"/secteur\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,48341; classtype:web-application-attack; sid:2013226; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_07_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Immophp annonce parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/annonce_detail.php?"; nocase; http_uri; content:"annonce="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,48341; classtype:web-application-attack; sid:2013227; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_07_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Immophp annonce parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/annonce_detail.php?"; nocase; http_uri; content:"annonce="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,48341; classtype:web-application-attack; sid:2013228; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_07_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Immophp annonce parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/annonce_detail.php?"; nocase; http_uri; content:"annonce="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,48341; classtype:web-application-attack; sid:2013229; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_07_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Immophp annonce parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/annonce_detail.php?"; nocase; http_uri; content:"annonce="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,48341; classtype:web-application-attack; sid:2013230; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_07_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Immophp annonce parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/annonce_detail.php?"; nocase; http_uri; content:"annonce="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,48341; classtype:web-application-attack; sid:2013231; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_07_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActivDesk cid Parameter Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/kbcat.cgi?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"or"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/or.*substring\(/Ui"; reference:url,packetstormsecurity.org/files/view/102537/activdesk-sqlxss.txt; classtype:web-application-attack; sid:2013234; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_07_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nuke Evolution Xtreme pid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules.php?"; nocase; http_uri; content:"name=Tutorials"; nocase; http_uri; content:"t_op=showtutorial"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/101249/nukeevolution-sql.txt; classtype:web-application-attack; sid:2013303; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_07_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nuke Evolution Xtreme pid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules.php?"; nocase; http_uri; content:"name=Tutorials"; nocase; http_uri; content:"t_op=showtutorial"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/101249/nukeevolution-sql.txt; classtype:web-application-attack; sid:2013304; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_07_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nuke Evolution Xtreme pid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules.php?"; nocase; http_uri; content:"name=Tutorials"; nocase; http_uri; content:"t_op=showtutorial"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/101249/nukeevolution-sql.txt; classtype:web-application-attack; sid:2013305; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_07_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nuke Evolution Xtreme pid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules.php?"; nocase; http_uri; content:"name=Tutorials"; nocase; http_uri; content:"t_op=showtutorial"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/101249/nukeevolution-sql.txt; classtype:web-application-attack; sid:2013306; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_07_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nuke Evolution Xtreme pid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules.php?"; nocase; http_uri; content:"name=Tutorials"; nocase; http_uri; content:"t_op=showtutorial"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/101249/nukeevolution-sql.txt; classtype:web-application-attack; sid:2013307; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_07_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin page Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php?"; nocase; http_uri; content:"page="; nocase; http_uri; pcre:"/page=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/43652; classtype:web-application-attack; sid:2013308; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_07_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin page Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"../"; depth:200; reference:url,secunia.com/advisories/43652; classtype:web-application-attack; sid:2013309; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Local_File_Inclusion, tag Wordpress, signature_severity Major, created_at 2011_07_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin title parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php?"; fast_pattern:55,20; nocase; http_uri; content:"title="; nocase; http_uri; pcre:"/title\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/43652; classtype:web-application-attack; sid:2013310; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, tag Wordpress, signature_severity Major, created_at 2011_07_23, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress eShop plugin eshoptemplate parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=eshop-templates.php"; nocase; http_uri; content:"eshoptemplate="; nocase; http_uri; pcre:"/eshoptemplate\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/45553; classtype:web-application-attack; sid:2013425; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, tag Wordpress, signature_severity Major, created_at 2011_08_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress eShop plugin action parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=eshop-orders.php"; nocase; http_uri; content:"action="; nocase; http_uri; pcre:"/action\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/45553; classtype:web-application-attack; sid:2013426; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, tag Wordpress, signature_severity Major, created_at 2011_08_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress eShop plugin viewemail parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=eshop-orders.php"; nocase; http_uri; content:"viewemail="; nocase; http_uri; pcre:"/viewemail\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/45553; classtype:web-application-attack; sid:2013427; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, tag Wordpress, signature_severity Major, created_at 2011_08_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla jfeedback Component controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_jfeedback"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,xforce.iss.net/xforce/xfdb/57654; classtype:web-application-attack; sid:2013433; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_08_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tiki Wiki CMS ajax parameter XSS Vulnerability"; flow:established,to_server; content:"/snarf_ajax.php?"; nocase; http_uri; content:"url="; http_uri; content:"ajax="; nocase; http_uri; pcre:"/ajax\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/103179/tikiwiki7-xss.txt; classtype:web-application-attack; sid:2013434; rev:2; metadata:created_at 2011_08_19, updated_at 2011_08_19;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress UnGallery pic Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/ungallery/source_vuln.php?"; http_uri; nocase; content:"pic="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/view/99004/RhinOS3.0r1113-lfi.txt; classtype:web-application-attack; sid:2013464; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Local_File_Inclusion, tag Wordpress, signature_severity Major, created_at 2011_08_26, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasySiteEdit langval Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/sublink.php?"; nocase; http_uri; content:"langval="; nocase; http_uri; pcre:"/langval=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/104292/easysiteedit-rfi.txt; classtype:web-application-attack; sid:2013465; rev:2; metadata:created_at 2011_08_26, updated_at 2011_08_26;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DiY-CMS lang Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/guestbook/blocks/control.block.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; pcre:"/lang=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/93285/diycms-rfi.txt; classtype:web-application-attack; sid:2013466; rev:2; metadata:created_at 2011_08_26, updated_at 2011_08_26;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Community component userid parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_community"; nocase; http_uri; content:"userid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/103680/joomlacommunity-sql.txt; classtype:web-application-attack; sid:2013467; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_08_26, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Community component userid parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_community"; nocase; http_uri; content:"userid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,exploit-db.com/exploits/12644; classtype:web-application-attack; sid:2013468; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_08_26, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Community component userid parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_community"; nocase; http_uri; content:"userid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,exploit-db.com/exploits/12644; classtype:web-application-attack; sid:2013469; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_08_26, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Community component userid parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_community"; nocase; http_uri; content:"userid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,exploit-db.com/exploits/12644; classtype:web-application-attack; sid:2013470; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_08_26, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Community component userid parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_community"; nocase; http_uri; content:"userid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/12644; classtype:web-application-attack; sid:2013471; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_08_26, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Openads row Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/libraries/lib-view-main.inc.php?"; nocase; http_uri; content:"row="; nocase; http_uri; pcre:"/basedir_save=\s*(ftps?|https?|php)\x3a\//Ui"; classtype:web-application-attack; sid:2013562; rev:4; metadata:created_at 2011_09_12, updated_at 2011_09_12;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS bug_actiongroup_ext_page.php script Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/bug_actiongroup_ext_page.php?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; classtype:web-application-attack; sid:2013563; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_09_12, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS bug_actiongroup_page.php script Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/bug_actiongroup_page.php?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; classtype:web-application-attack; sid:2013564; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_09_12, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pranian Group e107 page Parameter Cross Site Scripting Vulnerability Attempt"; flow:established,to_server; content:"/plugins/pviewgallery/pviewgallery.php?"; nocase; http_uri; content:"album="; nocase; http_uri; content:"page="; nocase; http_uri; pcre:"/page\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; classtype:web-application-attack; sid:2013567; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_09_12, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OneFileCMS p parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/onefilecms.php?"; nocase; http_uri; content:"p="; nocase; http_uri; pcre:"/p\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; classtype:web-application-attack; sid:2013568; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_09_12, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS University Of Vermont intro Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/magicscript.php?"; nocase; http_uri; content:"Page="; nocase; http_uri; content:"intro="; nocase; http_uri; pcre:"/intro=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; sid:2013569; rev:3; metadata:created_at 2011_09_12, updated_at 2011_09_12;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Tune Library Plugin letter parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/tune-library/tune-library-ajax.php?"; nocase; http_uri; content:"letter="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,49553; classtype:web-application-attack; sid:2013673; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2011_09_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Tune Library Plugin letter parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/tune-library/tune-library-ajax.php?"; nocase; http_uri; content:"letter="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,49553; classtype:web-application-attack; sid:2013674; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2011_09_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Tune Library Plugin letter parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/tune-library/tune-library-ajax.php?"; nocase; http_uri; content:"letter="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,49553; classtype:web-application-attack; sid:2013675; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2011_09_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Tune Library Plugin letter parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/tune-library/tune-library-ajax.php?"; nocase; http_uri; content:"letter="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,49553; classtype:web-application-attack; sid:2013676; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2011_09_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Tune Library Plugin letter parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/tune-library/tune-library-ajax.php?"; nocase; http_uri; content:"letter="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,49553; classtype:web-application-attack; sid:2013677; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2011_09_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_jr_questionnaire Directory Traversal Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_jr_questionnaire"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/view/102784/joomlajrqn-traversal.txt; classtype:web-application-attack; sid:2013678; rev:2; metadata:created_at 2011_09_19, updated_at 2011_09_19;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BbZL.PhP lien_2 Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"type="; http_uri; content:"lien_2="; fast_pattern:only; nocase; http_uri; pcre:"/lien_2=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/17495; classtype:web-application-attack; sid:2013679; rev:4; metadata:created_at 2011_09_19, updated_at 2011_09_19;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla EZ Realty id Parameter Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_ezrealty"; nocase; http_uri; content:"task="; nocase; http_uri; content:"id="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/and.*substring\(/Ui"; reference:url,packetstormsecurity.org/files/view/104017/joomlarealestate-sql.txt; classtype:web-application-attack; sid:2013680; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_09_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS American Bankers Association Cross Site Scripting Attempt"; flow:established,to_server; content:"/Search2/searchaba.aspx?"; nocase; http_uri; content:"SearchPhrase="; nocase; http_uri; pcre:"/SearchPhrase\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/103855/aba-xss.txt; classtype:web-application-attack; sid:2013681; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_09_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simplis CMS download_file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"action=do_download"; nocase; http_uri; content:"download_file="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/view/99797/simpliscms-disclose.txt; classtype:web-application-attack; sid:2013682; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_09_19, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo N-Myndir SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_n-myndir"; nocase; http_uri; content:"flokkur="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/104706/mambonmyndir-sql.txt; classtype:web-application-attack; sid:2013704; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_09_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo N-Myndir DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_n-myndir"; nocase; http_uri; content:"flokkur="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/104706/mambonmyndir-sql.txt; classtype:web-application-attack; sid:2013705; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_09_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo N-Myndir UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_n-myndir"; nocase; http_uri; content:"flokkur="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/104706/mambonmyndir-sql.txt; classtype:web-application-attack; sid:2013706; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_09_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo N-Myndir INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_n-myndir"; nocase; http_uri; content:"flokkur="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/104706/mambonmyndir-sql.txt; classtype:web-application-attack; sid:2013707; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_09_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo N-Myndir UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_n-myndir"; nocase; http_uri; content:"flokkur="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/104706/mambonmyndir-sql.txt; classtype:web-application-attack; sid:2013708; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_09_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Annonces Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/annonces/includes/lib/photo/uploadPhoto.php?"; nocase; http_uri; content:"abspath="; nocase; http_uri; pcre:"/abspath=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/105224/wpannonces-rfi.txt; classtype:web-application-attack; sid:2013709; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_09_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TinyWebGallery workaround_dir parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/admin/upload/tfu_upload.php?"; nocase; http_uri; content:"workaround_dir="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/view/104631/tinywebgallery-lfishellsql.txt; classtype:web-application-attack; sid:2013711; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_09_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TinyWebGallery install_path parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/admin/tfu_login.php?"; nocase; http_uri; content:"install_path="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/view/104631/tinywebgallery-lfishellsql.txt; classtype:web-application-attack; sid:2013712; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_09_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joostina CMS users component Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_users"; nocase; http_uri; content:"user="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/and.*substring\(/Ui"; reference:url,packetstormsecurity.org/files/view/100853/joostinausers-sql.txt; classtype:web-application-attack; sid:2013713; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_09_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla RokQuickCart view Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_rokquickcart"; nocase; http_uri; content:"view="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/view/96804/joomlarokquickcart-lfi.txt; classtype:web-application-attack; sid:2013738; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_10_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iBrowser Plugin dir Parameter Cross Site Scripting Attempt-1"; flow:established,to_server; content:"/ibrowser/scripts/random.php?"; nocase; http_uri; content:"dir="; nocase; pcre:"/dir\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/105196; classtype:web-application-attack; sid:2013757; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_10_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Zingiri webshop plugin Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/zingiri-web-shop/fws/ajax/init.inc.php?"; nocase; http_uri; content:"wpabspath="; nocase; http_uri; pcre:"/wpabspath=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/105237/wpzingiri-rfi.txt; classtype:web-application-attack; sid:2013758; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_10_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo AHS Shop component SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_ahsshop"; nocase; http_uri; content:"flokkur="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/104695/mamboahsshopf-sql.txt; classtype:web-application-attack; sid:2013759; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_10_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo AHS Shop component DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_ahsshop"; nocase; http_uri; content:"flokkur="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/104695/mamboahsshopf-sql.txt; classtype:web-application-attack; sid:2013760; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_10_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo AHS Shop component UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_ahsshop"; nocase; uricontent:"flokkur="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/104695/mamboahsshopf-sql.txt; classtype:web-application-attack; sid:2013761; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_10_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo AHS Shop component INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_ahsshop"; nocase; http_uri; content:"flokkur="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/104695/mamboahsshopf-sql.txt; classtype:web-application-attack; sid:2013762; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_10_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo AHS Shop component UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_ahsshop"; nocase; http_uri; content:"flokkur="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/104695/mamboahsshopf-sql.txt; classtype:web-application-attack; sid:2013763; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_10_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Redirect Component view Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_redirect"; http_uri; content:"view="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/view/96608/joomlaredirect-lfi.txt; classtype:web-application-attack; sid:2013764; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_10_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iBrowser Plugin dir Parameter Cross Site Scripting Attempt-2"; flow:established,to_server; uricontent:"/phpThumb.demo.random.php?"; nocase; uricontent:"dir="; nocase; pcre:"/dir\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/105196; classtype:web-application-attack; sid:2013765; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_10_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHool mainnav Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/includes/layout/plain.footer.php?"; nocase; http_uri; content:"mainnav="; nocase; http_uri; pcre:"/mainnav=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/106073/sportsphool-rfi.txt; classtype:web-application-attack; sid:2013815; rev:2; metadata:created_at 2011_10_31, updated_at 2011_10_31;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla YJ Contact Local File Inclusion Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_yjcontactus"; http_uri; content:"view="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/106222/joomlayjcontact-lfi.txt; classtype:web-application-attack; sid:2013816; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_10_31, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Easy Stats plugin homep Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/wpeasystats/export.php?"; nocase; http_uri; content:"homep="; nocase; http_uri; pcre:"/homep=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/46069; reference:url,spareclockcycles.org/2011/09/18/exploitring-the-wordpress-extension-repos; classtype:web-application-attack; sid:2013817; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_10_31, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WHMCompleteSolution templatefile Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/cart.php?"; nocase; http_uri; content:"a="; nocase; http_uri; content:"templatefile="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,dl.packetstormsecurity.net/1110-exploits/whmcompletesolution-disclose.txt; classtype:web-application-attack; sid:2013818; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_10_31, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla component Simple File Lister sflDir Parameter directory traversal attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_content"; http_uri; content:"sflDir="; nocase; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,exploit-db.com/exploits/17736; classtype:web-application-attack; sid:2013870; rev:2; metadata:created_at 2011_11_08, updated_at 2011_11_08;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IBSng str Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/util/show_multistr.php?"; nocase; http_uri; content:"str="; nocase; http_uri; pcre:"/str\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,50468; classtype:web-application-attack; sid:2013871; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_11_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mole Group Vacation Estate Listing Script Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/properties_view.php?"; nocase; http_uri; content:"editid1="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/and.*substring\(/Ui"; reference:url,exploit-db.com/exploits/7626; classtype:web-application-attack; sid:2013872; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_11_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla techfolio component SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_techfolio"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,1337day.com/exploits/17138; classtype:web-application-attack; sid:2013873; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_11_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla techfolio component DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_techfolio"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,1337day.com/exploits/17138; classtype:web-application-attack; sid:2013874; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_11_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla techfolio component UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_techfolio"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,1337day.com/exploits/17138; classtype:web-application-attack; sid:2013875; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_11_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla techfolio component INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_techfolio"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,1337day.com/exploits/17138; classtype:web-application-attack; sid:2013876; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_11_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla techfolio component UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_techfolio"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,1337day.com/exploits/17138; classtype:web-application-attack; sid:2013877; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_11_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 1024 CMS filename Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/forcedownload/force_download.php?"; nocase; http_uri; content:"filename="; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,exploit-db.com/exploits/18000; classtype:web-application-attack; sid:2013885; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_11_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress disclosure policy plugin Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/wp-content/plugins/disclosure-policy-plugin/functions/action.php?"; nocase; http_uri; pcre:"/abspath=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/17865; classtype:web-application-attack; sid:2013886; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_11_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tinderbox.mozilla.org showbuilds.cgi Cross Site Scripting Attempt"; flow:established,to_server; content:"/showbuilds.cgi?"; nocase; http_uri; content:"tree=SeaMonkey"; nocase; http_uri; content:"hours="; nocase; http_uri; pcre:"/hours\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstorm.codar.com.br/1111-exploits/tinderbox-xss.txt; classtype:web-application-attack; sid:2013980; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_12_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Orbis editor-body.php script Cross Site Scripting Attempt"; flow:established,to_server; content:"/admin/editors/text/editor-body.php?"; nocase; http_uri; content:"s="; nocase; http_uri; pcre:"/s\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,autosectools.com/Advisory/Orbis-1.0.2-Reflected-Cross-site-Scripting-4; classtype:web-application-attack; sid:2013981; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_12_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web File Browser file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/webFileBrowser.php?"; nocase; http_uri; content:"act=download"; nocase; http_uri; content:"sortby=name"; nocase; http_uri; content:"file="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,exploit-db.com/exploits/18070/; classtype:web-application-attack; sid:2013982; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_12_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zabbix popup.php  SELECT FROM SQL Injection Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/popup.php?"; nocase; http_uri; content:"dstfrm="; nocase; http_uri; content:"dstfld1="; nocase; http_uri; content:"srctbl="; nocase; http_uri; content:"srcfld1="; nocase; http_uri; content:"only_hostid="; nocase; http_uri; content:"SELECT"; nocase; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,1337day.com/exploits/17081; classtype:web-application-attack; sid:2013984; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_12_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zabbix popup.php DELETE FROM SQL Injection Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/popup.php?"; nocase; http_uri; content:"dstfrm="; nocase; http_uri; content:"dstfld1="; nocase; http_uri; content:"srctbl="; nocase; http_uri; content:"srcfld1="; nocase; http_uri; content:"only_hostid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,1337day.com/exploits/17081; classtype:web-application-attack; sid:2013985; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_12_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zabbix popup.php UNION SELECT SQL Injection Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/popup.php?"; nocase; http_uri; content:"dstfrm="; nocase; http_uri; content:"dstfld1="; nocase; http_uri; content:"srctbl="; nocase; http_uri; content:"srcfld1="; nocase; http_uri; content:"only_hostid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,1337day.com/exploits/17081; classtype:web-application-attack; sid:2013986; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_12_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zabbix popup.php UPDATE SET SQL Injection Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/popup.php?"; nocase; http_uri; content:"dstfrm="; nocase; http_uri; content:"dstfld1="; nocase; http_uri; content:"srctbl="; nocase; http_uri; content:"srcfld1="; nocase; http_uri; content:"only_hostid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,1337day.com/exploits/17081; classtype:web-application-attack; sid:2013987; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_12_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zabbix popup.php INSERT INTO  SQL Injection Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/popup.php?"; nocase; http_uri; content:"dstfrm="; nocase; http_uri; content:"dstfld1="; nocase; http_uri; content:"srctbl="; nocase; http_uri; content:"srcfld1="; nocase; http_uri; content:"only_hostid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,1337day.com/exploits/17081; classtype:web-application-attack; sid:2013988; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_12_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla component img Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_img"; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/95683/joomlaimg-lfi.txt; classtype:web-application-attack; sid:2013989; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2011_12_02, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti Input Validation Attack 2"; flow:established,to_server; content:"GET"; http_method; content:"config_settings.php"; http_uri; pcre:"/config_settings\.php\?.*=(http|https)\x3a\//Ui"; reference:url,www.cacti.net; reference:url,www.idefense.com/application/poi/display?id=265&type=vulnerabilities; reference:url,www.idefense.com/application/poi/display?id=266&type=vulnerabilities; classtype:web-application-activity; sid:2013993; rev:1; metadata:created_at 2011_12_06, updated_at 2011_12_06;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_dshop Component SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"index.php?"; nocase; http_uri; content:"option=com_dshop"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"task="; nocase; http_uri; content:"idofitem="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,51116; classtype:web-application-attack; sid:2014061; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2012_01_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_dshop Component DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"index.php?"; nocase; http_uri; content:"option=com_dshop"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"task="; nocase; http_uri; content:"idofitem="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,51116; classtype:web-application-attack; sid:2014062; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2012_01_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_dshop Component UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"index.php?"; nocase; http_uri; content:"option=com_dshop"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"task="; nocase; http_uri; content:"idofitem="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,51116; classtype:web-application-attack; sid:2014063; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2012_01_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_dshop Component INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"index.php?"; nocase; http_uri; content:"option=com_dshop"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"task="; nocase; http_uri; content:"idofitem="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,51116; classtype:web-application-attack; sid:2014064; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2012_01_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_dshop Component UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"index.php?"; nocase; http_uri; content:"option=com_dshop"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"task="; nocase; http_uri; content:"idofitem="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,51116; classtype:web-application-attack; sid:2014065; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2012_01_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Plone and Zope cmd Parameter Remote Command Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/xmltools/minidom/xml/sax/saxutils/os/popen2?"; nocase; http_uri; content:"cmd="; nocase; http_uri; pcre:"/cmd=\w/Ui"; reference:url,exploit-db.com/exploits/18262; classtype:web-application-attack; sid:2014068; rev:4; metadata:created_at 2012_01_02, updated_at 2012_01_02;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Booking Calendar page_info_message parameter Cross-Site Scripting Vulnerability "; flow:established,to_server; content:"/details_view.php?"; nocase; http_uri; content:"event_id="; nocase; http_uri; content:"date="; nocase; http_uri; content:"view="; nocase; http_uri; content:"loc="; nocase; http_uri; content:"page_info_message="; nocase; http_uri; pcre:"/page_info_message\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/107995; classtype:web-application-attack; sid:2014067; rev:2; metadata:created_at 2012_01_02, updated_at 2012_01_02;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pet Listing Script type_id Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/preview.php?"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"action=search"; nocase; http_uri; content:"type_id="; nocase; http_uri; content:"bedrooms_from="; nocase; http_uri; pcre:"/bedrooms_from\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstorm.foofus.com/1112-exploits/petlisting-xss.txt; classtype:web-application-attack; sid:2014072; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2012_01_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress The-Welcomizer plugin page parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/plugins/the-welcomizer/twiz-index.php?"; nocase; http_uri; content:"page="; nocase; http_uri; pcre:"/page\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,dl.packetstormsecurity.net/1112-exploits/wpthewelcomizer-xss.txt; classtype:web-application-attack; sid:2014073; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, tag Wordpress, signature_severity Major, created_at 2012_01_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS jbShop e107 CMS plugin item_id parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/jbshop/jbshop.php?"; nocase; http_uri; content:"item_details="; nocase; http_uri; content:"item_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/18056/; classtype:web-application-attack; sid:2014074; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2012_01_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS jbShop e107 CMS plugin item_id parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/jbshop/jbshop.php?"; nocase; http_uri; content:"item_details="; nocase; http_uri; content:"item_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,exploit-db.com/exploits/18056/; classtype:web-application-attack; sid:2014075; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2012_01_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS jbShop e107 CMS plugin item_id parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/jbshop/jbshop.php?"; nocase; http_uri; content:"item_details="; nocase; http_uri; content:"item_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,exploit-db.com/exploits/18056/; classtype:web-application-attack; sid:2014076; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2012_01_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS jbShop e107 CMS plugin item_id parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/jbshop/jbshop.php?"; nocase; http_uri; content:"item_details="; nocase;  http_uri; content:"item_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,exploit-db.com/exploits/18056/; classtype:web-application-attack; sid:2014077; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2012_01_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS jbShop e107 CMS plugin item_id parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/jbshop/jbshop.php?"; nocase; http_uri; content:"item_details="; nocase; http_uri; content:"item_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/18056/; classtype:web-application-attack; sid:2014078; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2012_01_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Planex Mini-300PU & Mini100s Cross-site Scripting Attempt"; flow:established,to_server; content:"/RESTART.HTM?"; nocase; http_uri; content:"NDSContext="; nocase; http_uri; pcre:"/NDSContext\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,exploit-db.com/exploits/17114; classtype:web-application-attack; sid:2014086; rev:3; metadata:created_at 2012_01_02, updated_at 2012_01_02;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter SELECT FROM SQL Injection Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/administrator/index2.php?"; nocase; http_uri; content:"limit="; nocase; http_uri; content:"limitstart="; nocase; http_uri; content:"zorder="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014087; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2012_01_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter DELETE FROM SQL Injection Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/administrator/index2.php?"; nocase; http_uri; content:"limit="; nocase; http_uri; content:"limitstart="; nocase; http_uri; content:"zorder="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014088; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2012_01_02, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter UNION SELECT SQL Injection Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/administrator/index2.php?"; nocase; http_uri; content:"limit="; nocase; http_uri; content:"limitstart="; nocase; http_uri; content:"zorder="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014079; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2012_01_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter UPDATE SET SQL Injection Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/administrator/index2.php?"; nocase; http_uri; content:"limit="; nocase; http_uri; content:"limitstart="; nocase; http_uri; content:"zorder="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014080; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2012_01_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter INSERT INTO SQL Injection Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/administrator/index2.php?"; nocase; http_uri; content:"limit="; nocase; content:"limitstart="; nocase; http_uri; content:"zorder="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014081; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2012_01_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SourceBans ajaxargs Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"xajax=SelTheme"; nocase; http_uri; content:"ajaxargs[]="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,dl.packetstormsecurity.net/1112-exploits/sourcebans-lfisql.txt; classtype:web-application-attack; sid:2014082; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_01_02, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla mod_currencyconverter from Cross Site Scripting Attempt"; flow:established,to_server; content:"/modules/mod_currencyconverter/includes/convert.php?"; nocase; http_uri; content:"from="; nocase; http_uri; pcre:"/from\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|marquee|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/109337/Joomla-Currency-Converter-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014179; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2012_02_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SAPID get_infochannel.inc.php Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/usr/extensions/get_infochannel.inc.php?"; nocase; http_uri; content:"root_path="; nocase; http_uri; pcre:"/root_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/108488/sapidstable-rfi.txt; classtype:web-application-attack; sid:2014180; rev:2; metadata:created_at 2012_02_06, updated_at 2012_02_06;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IBBY nouvelles.php id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/nouvelles.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/109169/IBBY-SQL-Injection.html; classtype:web-application-attack; sid:2014184; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2012_02_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IBBY nouvelles.php id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/nouvelles.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/109169/IBBY-SQL-Injection.html; classtype:web-application-attack; sid:2014185; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2012_02_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IBBY nouvelles.php id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/nouvelles.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/109169/IBBY-SQL-Injection.html; classtype:web-application-attack; sid:2014186; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2012_02_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IBBY nouvelles.php id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/nouvelles.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/109169/IBBY-SQL-Injection.html; classtype:web-application-attack; sid:2014187; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2012_02_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IBBY nouvelles.php id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/nouvelles.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/109169/IBBY-SQL-Injection.html; classtype:web-application-attack; sid:2014188; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2012_02_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jreactions mosConfig_absolute_path Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_jreactions"; nocase; http_uri; content:"Itemid="; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/95431/Joomla-Jreactions-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014250; rev:2; metadata:created_at 2012_02_21, updated_at 2012_02_21;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grady Levkov id Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/view-search.php?"; nocase; http_uri; content:"id="; nocase; http_uri; pcre:"/id\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/109814/Grady-Levkov-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014251; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2012_02_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Membership Site Manager Script key Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/scripts/membershipsite/manager/index.php?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"key="; nocase; http_uri; pcre:"/key\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/108687/PHP-Membership-Site-Manager-Script-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014252; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2012_02_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pfile file.php id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/file.php?"; nocase; http_uri; content:"eintrag="; nocase; http_uri; content:"filecat="; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/109670/Pfile-1.02-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2014253; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2012_02_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pfile file.php id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/file.php?"; nocase; http_uri; content:"eintrag="; nocase; http_uri; content:"filecat="; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/109670/Pfile-1.02-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2014254; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2012_02_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pfile file.php id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/file.php?"; nocase; http_uri; content:"eintrag="; nocase; http_uri; content:"filecat="; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/109670/Pfile-1.02-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2014255; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2012_02_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pfile file.php id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/file.php?"; nocase; http_uri; content:"eintrag="; nocase; http_uri; content:"filecat="; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/109670/Pfile-1.02-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2014256; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2012_02_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pfile file.php id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/file.php?"; nocase; http_uri; content:"eintrag="; nocase; http_uri; content:"filecat="; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/109670/Pfile-1.02-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2014257; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2012_02_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_visa controller Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_visa"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"../"; depth:200; reference:url,packetstormsecurity.org/files/109214/Joomla-Visa-SQL-Injection-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014258; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_02_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_eventcal mosConfig_absolute_path Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_eventcal"; nocase; http_uri; content:"Itemid="; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/94983/Joomla-Eventcal-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014259; rev:2; metadata:created_at 2012_02_21, updated_at 2012_02_21;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Horde 3.3.12 Backdoor Attempt"; flow:established,to_server; content:"/services/javascript.php"; http_uri; content:"href"; http_cookie; content:"file=open_calendar.js"; http_client_body; reference:cve,2012-0209; classtype:web-application-attack; sid:2014260; rev:2; metadata:created_at 2012_02_21, updated_at 2012_02_21;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ButorWiki service Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/sso/signin?"; nocase; http_uri; content:"service="; nocase; http_uri; pcre:"/service\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/109852/ButorWiki-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014320; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2012_03_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS b2evolution inc_path Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"/blogs/default.php?"; nocase; http_uri; content:"inc_path="; nocase; http_uri; pcre:"/inc_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/100798/b2evolution-4.0.5-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014321; rev:2; metadata:created_at 2012_03_06, updated_at 2012_03_06;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS b2evolution skins_path Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"/blogs/default.php?"; nocase; http_uri; content:"skins_path="; nocase; http_uri; pcre:"/skins_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/100798/b2evolution-4.0.5-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014322; rev:2; metadata:created_at 2012_03_06, updated_at 2012_03_06;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_bch controller Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_bch"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"../"; depth:200; reference:url,packetstormsecurity.org/files/109025/Joomla-BCH-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014323; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_03_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fork-CMS js.php module parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/frontend/js.php?"; nocase; http_uri; content:"file="; nocase; http_uri; content:"language="; nocase; http_uri; content:"module="; nocase; http_uri; content:"../"; depth:200; reference:url,packetstormsecurity.org/files/109709/Fork-CMS-3.2.4-Cross-Site-Scripting-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014324; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_03_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS starCMS q parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"r="; nocase; http_uri; content:"lang="; nocase; http_uri; content:"actionsuche="; nocase; http_uri; content:"q="; nocase; http_uri; pcre:"/q\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/110376/starCMS-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014327; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2012_03_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_boss controller Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_boss"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"../"; depth:200; reference:url,packetstormsecurity.org/files/108905/Joomla-Boss-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014328; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_03_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Snipsnap search Cross Site Scripting Attempt"; flow:established,to_server; content:"/space/snipsnap-search?"; nocase; http_uri; content:"query="; nocase; http_uri; pcre:"/query\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/109543/Snipsnap-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014329; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2012_03_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_phocadownload folder Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_phocadownload"; nocase; http_uri; content:"view="; nocase; http_uri; content:"manager="; nocase; http_uri; content:"tmpl="; nocase; http_uri; content:"folder="; nocase; http_uri; pcre:"/folder=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/100406/Joomla-Phocadownload-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014388; rev:2; metadata:created_at 2012_03_17, updated_at 2012_03_17;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_adsmanager mosConfig_absolute_path Remote File inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_adsmanager"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstorm.foofus.com/1012-exploits/joomlaadsmanager-rfi.txt; classtype:web-application-attack; sid:2014389; rev:2; metadata:created_at 2012_03_17, updated_at 2012_03_17;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_fundhelp controller Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_fundhelp"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"../"; depth:200; reference:url,packetstormsecurity.org/files/109023/Joomla-Fundhelp-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014392; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_03_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_rule controller Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_rule"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"../"; depth:200; reference:url,packetstormsecurity.org/files/109026/Joomla-Rule-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014393; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_03_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_kp controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_kp"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"../"; depth:200; reference:url,packetstormsecurity.org/files/108917/Joomla-KP-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014394; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_03_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Address Book from Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/preferences.php?"; nocase; http_uri; content:"from="; nocase; http_uri; pcre:"/from\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/110667/PHP-Address-Book-6.2.12-SQL-Injection-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014395; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2012_03_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Volusion Chat ID Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/livechat.aspx?"; nocase; http_uri; content:"location="; nocase; http_uri; content:"auto="; nocase; http_uri; content:"cookieGuid="; nocase; http_uri; content:"ID="; nocase; http_uri; pcre:"/ID\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/110811/Volusion-Chat-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014396; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2012_03_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EJBCA issuer Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/publicweb/webdist/certdist?"; nocase; http_uri; content:"cmd="; nocase; http_uri; content:"serno="; nocase; http_uri; content:"issuer="; nocase; http_uri; pcre:"/issuer\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/110683/EJBCA-4.0.7-Cross-Site-Scripting-User-Enumeration.html; classtype:web-application-attack; sid:2014397; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2012_03_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VTiger CRM module_name parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/modules/com_vtiger_workflow/sortfieldsjson.php?"; nocase; http_uri; content:"module_name="; nocase; http_uri; content:"../"; depth:200; reference:url,packetstormsecurity.org/files/111075/Vtiger-5.1.0-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014424; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_03_26, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OneFileCMS f parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/onefilecms.php?"; nocase; http_uri; content:"f="; nocase; http_uri; content:"../"; depth:200; reference:url,packetstormsecurity.org/files/110906/OneFileCMS-1.1.5-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014425; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_03_26, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WikyBlog which Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/index.php/Special/Main/Templates?"; nocase; http_uri; content:"cmd="; nocase; http_uri; content:"which="; nocase; http_uri; pcre:"/which\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/110863/WikyBlog-1.7.3RC2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014426; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2012_03_26, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Greenpeace.fr filter_dpt Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/incinerateurs/list.php?"; nocase; http_uri; content:"list_name="; nocase; http_uri; content:"filter_dpt="; nocase; http_uri; pcre:"/filter_dpt\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/110989/Greenpeace.fr-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014427; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2012_03_26, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WEB-PHP Wordpress enable-latex plugin url Remote File inclusion Attempt"; flow:established,to_server; content:"/wp-content/plugins/enable-latex/core.php?"; http_uri; fast_pattern:19,20; nocase; content:"url="; http_uri; distance:0; nocase; pcre:"/url=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/107260/WordPress-Enable-Latex-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014448; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_03_31, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Event Calendar PHP cal_year Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/demo_eventcalendar.php?"; http_uri; nocase;  content:"cal_id="; nocase;  http_uri; content:"cal_month="; nocase; http_uri; content:"cal_year="; nocase; http_uri; pcre:"/cal_year\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui";  reference:url,packetstormsecurity.org/files/111161/Event-Calendar-PHP-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014449; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2012_03_31, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Mini Mail Dashboard Widget abspath Remote File inclusion Attempt"; flow:established,to_server; content:"/wp-content/plugins/mini-mail-dashboard-widgetwp-mini-mail.php?";  http_uri; nocase; fast_pattern:42,20;  content:"abspath="; http_uri; distance:0; nocase; pcre:"/abspath=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/105238/WordPress-Mini-Mail-Dashboard-Widget-1.36-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014450; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_03_31, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Pretty Link plugin url Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/pretty-link/pretty-bar.php?"; nocase; http_uri; content:"url="; nocase; http_uri; pcre:"/url\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/107551/WordPress-Pretty-Link-1.5.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014554; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, tag Wordpress, signature_severity Major, created_at 2012_04_13, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress flash-album-gallery plugin i Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/flash-album-gallery/facebook.php?"; http_uri; nocase; content:"i="; nocase; http_uri; pcre:"/i\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/107424/WordPress-Flash-Album-Gallery-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014555; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, tag Wordpress, signature_severity Major, created_at 2012_04_13, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS wordpress thecartpress plugin loop parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/wp-content/plugins/thecartpress/widgets/CustomPostTypeListWidget.class.php?"; nocase; http_uri; content:"loop="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,1337day.com/exploits/18018; classtype:web-application-attack; sid:2014556; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Local_File_Inclusion, tag Wordpress, signature_severity Major, created_at 2012_04_13, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_bulkenquery controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_bulkenquery"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/108913/Joomla-Bulkenquery-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014557; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_04_13, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_br controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_br"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/108948/Joomla-BR-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014558; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_04_13, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Free PHP photo gallery script path parameter Remote File inclusion Attempt"; flow:established,to_server; content:"/jadro/libs/adodb/adodb.inc.php?"; nocase; http_uri; content:"path="; nocase; http_uri; pcre:"/path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/92079/Free-PHP-Photo-Gallery-Script-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014559; rev:2; metadata:created_at 2012_04_13, updated_at 2012_04_13;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress yousaytoo-auto-publishing plugin submit Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/yousaytoo-auto-publishing-plugin/yousaytoo.php?"; nocase; http_uri; content:"submit="; nocase; http_uri; pcre:"/submit\x3d +(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/108470/wpystap-xss.txt; classtype:web-application-attack; sid:2014589; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_04_16, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_pinboard option Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"/components/com_pinboard/popup/popup.php?"; nocase; http_uri; content:"option="; nocase; http_uri; pcre:"/option=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/94991/Joomla-Pinboard-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014590; rev:2; metadata:created_at 2012_04_16, updated_at 2012_04_16;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress whois search domain Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/wp-whois/wp-whois-ajax.php?"; nocase; http_uri; content:"cmd="; nocase; http_uri; content:"ms="; nocase; http_uri; content:"domain="; nocase; http_uri; pcre:"/domain\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/108271/WordPress-Whois-Search-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014591; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, tag Wordpress, signature_severity Major, created_at 2012_04_16, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Facebook-Page-Promoter-Lightbox settings-updated Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/facebook-page-promoter-lightbox/arevico_options.php?"; nocase; http_uri; content:"settings-updated="; nocase; http_uri; pcre:"/settings\-updated\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/108238/WordPress-Facebook-Page-Promoter-Lightbox-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014592; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, tag Wordpress, signature_severity Major, created_at 2012_04_16, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DokuWiki target parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/doku.php?"; nocase; http_uri; content:"do="; nocase; http_uri; content:"id="; nocase; http_uri; content:"target="; nocase; http_uri; pcre:"/target\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/111939/DocuWiki-2012-01-25-Cross-Site-Request-Forgery-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014621; rev:2; metadata:created_at 2012_04_20, updated_at 2012_04_20;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress 1-jquery-photo-gallery-slideshow-flash plugin page Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/1-jquery-photo-gallery-slideshow-flash/wp-1pluginjquery.php?"; http_uri; nocase; content:"page="; nocase; http_uri; pcre:"/page\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/107423/WordPress-1-JQuery-Photo-Gallery-Slideshow-Flash-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014622; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_04_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DirectNews rootpath parameter Remote File inclusion Attempt"; flow:established,to_server; content:"/modules/plan/index.php?"; nocase; http_uri; content:"rootpath="; nocase; http_uri; pcre:"/rootpath=\s*(ftps?|https?|php)\:\//Ui"; reference:url,1337day.com/exploits/15795; classtype:web-application-attack; sid:2014623; rev:2; metadata:created_at 2012_04_20, updated_at 2012_04_20;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DirectNews uploadBigFiles.php Remote File inclusion Attempt"; flow:established,to_server; content:"/modules/upload/uploadBigFiles.php?"; nocase; http_uri; content:"rootpath="; nocase; http_uri; pcre:"/rootpath=\s*(ftps?|https?|php)\:\//Ui"; reference:url,1337day.com/exploits/15795; classtype:web-application-attack; sid:2014624; rev:2; metadata:created_at 2012_04_20, updated_at 2012_04_20;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DirectNews remote.php Remote File inclusion Attempt"; flow:established,to_server; content:"/modules/ajax/remote.php?"; nocase; http_uri; content:"rootpath="; nocase; http_uri; pcre:"/rootpath=\s*(ftps?|https?|php)\:\//Ui"; reference:url,1337day.com/exploits/15795; classtype:web-application-attack; sid:2014625; rev:2; metadata:created_at 2012_04_20, updated_at 2012_04_20;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DirectNews class.panier_article.php Remote File inclusion Attempt"; flow:established,to_server; content:"/modules/panier/class.panier_article.php?"; nocase; http_uri; content:"rootpath="; nocase; http_uri; pcre:"/rootpath=\s*(ftps?|https?|php)\:\//Ui"; reference:url,1337day.com/exploits/15795; classtype:web-application-attack; sid:2014626; rev:2; metadata:created_at 2012_04_20, updated_at 2012_04_20;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DirectNews menu_layers.php Remote File inclusion Attempt"; flow:established,to_server; content:"/modules/menu/menu_layers.php?"; nocase; http_uri; content:"rootpath="; nocase; http_uri; pcre:"/rootpath=\s*(ftps?|https?|php)\:\//Ui"; reference:url,1337day.com/exploits/15795; classtype:web-application-attack; sid:2014627; rev:2; metadata:created_at 2012_04_20, updated_at 2012_04_20;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DirectNews lib.panier.php Remote File inclusion Attempt"; flow:established,to_server; content:"/modules/panier/lib.panier.php?"; nocase; http_uri; content:"rootpath="; nocase; http_uri; pcre:"/rootpath=\s*(ftps?|https?|php)\:\//Ui"; reference:url,1337day.com/exploits/15795; classtype:web-application-attack; sid:2014628; rev:2; metadata:created_at 2012_04_20, updated_at 2012_04_20;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpMyAdmin setup.php Remote File inclusion Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/setup.php"; nocase; http_uri; content:"action="; http_client_body; nocase; content:"&configuration="; distance:0; http_client_body; content:"PMA"; distance:0; http_client_body; content:"Config"; within:11; http_client_body; pcre:"/source(\x22\x3b\w\x3a|%22%3b\w%3a)\d+(\x3a\x22|%3a%22)((ftps?|%66%74%70(%73)?)|(https?|%68%74%74%70(%73)?)|(php|%70%68%70))(\x3a|%3A)(\x2f|%2f)/Pi"; reference:url,blog.spiderlabs.com/2012/04/honeypot-alert-phpmyadmin-setupphp-rfi-attacks-detected.html; reference:url,phpmyadmin.net/home_page/security/PMASA-2010-4.php; reference:cve,CVE-2010-3055; classtype:web-application-attack; sid:2014633; rev:2; metadata:created_at 2012_04_23, updated_at 2012_04_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Volunteer Management id parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/mods/hours/data/get_hours.php?"; http_uri; nocase;  content:"take="; http_uri; nocase; content:"skip="; http_uri; nocase;  content:"pageSize="; http_uri; nocase;  content:"id="; http_uri;  nocase; pcre:"/id\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112219/PHP-Volunteer-Management-1.0.2-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2014647; rev:2; metadata:created_at 2012_04_27, updated_at 2012_04_27;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_videogallery controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"option=com_videogallery"; http_uri; nocase; content:"controller="; http_uri; nocase; content:"|2e 2e 2f|";  http_raw_uri; reference:url,packetstormsecurity.org/files/112161/Joomla-Video-Gallery-Local-File-Inclusion-SQL-Injection.html; classtype:web-application-attack; sid:2014654; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_04_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_some controller Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"option=com_some"; http_uri; nocase; content:"controller="; http_uri; nocase; content:"|2e 2e 2f|"; http_raw_uri; reference:url,packetstormsecurity.org/files/108906/Joomla-Some-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014655; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_04_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Skysa Official submit parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/skysa-official/skysa.php?"; http_uri; nocase; content:"submit="; http_uri; nocase; pcre:"/submit\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/107342/WordPress-Skysa-Official-1.01-1.02-1.03-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014656; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_04_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-CGI query string parameter vulnerability"; flow:to_server,established; content:"?"; http_uri; content:"-"; fast_pattern; http_uri; distance:0; content:!"="; http_raw_uri; pcre:"/(?:\/(?:php)?|\.php)\?[\s\+]*\-[A-Za-z]/Ui"; reference:cve,2012-1823; reference:url,eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/; reference:url,varanoid.com/research-alerts/us-cert/vu520827-php-cgi-query-string-parameter-vulnerability/; classtype:web-application-attack; sid:2014704; rev:6; metadata:created_at 2012_05_03, updated_at 2012_05_03;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS maxxweb Cms kategorie parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/anzeigen_neu.php?"; nocase; http_uri; content:"bereich="; nocase; http_uri; content:"kat_id="; nocase; http_uri; content:"kategorie="; nocase; http_uri; pcre:"/kategorie\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112289/Maxxweb-CMS-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014711; rev:2; metadata:created_at 2012_05_04, updated_at 2012_05_04;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress WPsc-MijnPress plugin rwflush parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/wpsc-mijnpress/mijnpress_plugin_framework.php?"; nocase; http_uri; content:"rwflush="; nocase; http_uri; pcre:"/rwflush\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112324/WordPress-WPsc-MijnPress-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014712; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_05_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_obsuggest controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_obsuggest"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/103598/Joomla-obSuggest-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014715; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_05_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_joomtouch controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_joomtouch"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/104112/Joomla-JoomTouch-1.0.2-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014716; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_05_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress WP Custom Pages url parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/wp-content/plugins/wp-custom-pages/wp-download.php?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/100047/WordPress-WP-Custom-Pages-0.5.0.1-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014717; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Local_File_Inclusion, tag Wordpress, signature_severity Major, created_at 2012_05_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Andromeda Streaming MP3 Server andromeda.php Cross-Site Scripting Attempt"; flow:established,to_server; content:"/andromeda.php?"; http_uri; nocase; content:"q="; nocase; http_uri; content:"s="; nocase; http_uri; pcre:"/s\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112549/Andromeda-Streaming-MP3-Server-1.9.3.6-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014736; rev:2; metadata:created_at 2012_05_11, updated_at 2012_05_11;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress WP Survey and Quiz Tool plugin rowcount Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/wp-survey-and-quiz-tool/javascript/survey_section.php?"; nocase; http_uri; content:"rowcount="; nocase; http_uri; pcre:"/rowcount\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112685/WordPress-WP-Survey-And-Quiz-Tool-2.9.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014768; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_05_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress CataBlog plugin category Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=catablog-gallery"; nocase; http_uri; content:"category="; nocase; http_uri; pcre:"/category\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112710/WordPress-CataBlog-1.6-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014769; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_05_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Download Monitor plugin uploader.php Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/download-monitor/uploader.php?"; nocase; http_uri; content:"tab="; nocase; http_uri; content:"s="; nocase; http_uri; pcre:"/s\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112707/WordPress-Download-Monitor-3.3.5.4-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014770; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_05_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Appointment Booking Pro view parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_rsappt_pro2"; nocase; http_uri; content:"view="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/103172/Joomla-Appointment-Booking-Pro-Arbitrary-File-Reading.html; classtype:web-application-attack; sid:2014771; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_05_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_media file parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/components/com_media/helpers/media.php?"; nocase; http_uri; content:"file="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/99775/Joomla-Media-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014772; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_05_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Dynamic Widgets plugin id parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/themes.php?"; nocase; http_uri; content:"page=dynwid-config"; nocase; http_uri; content:"action="; nocase; http_uri; content:"id="; nocase; http_uri; pcre:"/id\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112706/WordPress-Dynamic-Widgets-1.5.1-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014811; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_05_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress LeagueManager plugin group parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=leaguemanager"; nocase; http_uri; content:"subpage="; nocase; http_uri; content:"league_id="; nocase; http_uri; content:"group="; nocase; http_uri; pcre:"/group\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112698/WordPress-LeagueManager-3.7-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014812; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_05_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress LeagueManager plugin season parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=leaguemanager"; nocase; http_uri;  content:"subpage="; nocase; http_uri; content:"edit="; nocase; http_uri; content:"season="; nocase; http_uri; pcre:"/season\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112698/WordPress-LeagueManager-3.7-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014813; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_05_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component JE Story Submit view parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_jesubmit"; nocase; http_uri; content:"view="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/103214/Joomla-JE-K2-Story-Submit-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014814; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_05_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_acooldebate controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_acooldebate"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/102422/Joomla-A-Cool-Debate-1.0.3-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014815; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_05_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DynPG CMS PathToRoot Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"/plugins/DPGguestbook/guestbookaction.php?"; nocase; http_uri; content:"PathToRoot="; nocase; http_uri; pcre:"/PathToRoot=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/87907/DynPG-CMS-4.1.0-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014836; rev:2; metadata:created_at 2012_06_01, updated_at 2012_06_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Jotloader component section parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_jotloader"; nocase; http_uri; content:"section="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/96812/Joomla-Jotloader-2.2.1-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014837; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_06_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress PDF and Print Button Joliprint plugin type parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/joliprint/joliprint_options_upload.php?"; nocase; http_uri; content:"type="; nocase; http_uri; pcre:"/type\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112700/WordPress-PDF-And-Print-Button-Joliprint-1.3.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014838; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_06_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress PDF and Print Button Joliprint plugin opt parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/options-general.php?"; nocase; http_uri; content:"page=joliprint/joliprint_admin_options.php"; nocase; http_uri; content:"opt="; nocase; http_uri; pcre:"/opt\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112700/WordPress-PDF-And-Print-Button-Joliprint-1.3.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014839; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_06_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Exponent file parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/framework/modules/pixidou/download.php?"; nocase; http_uri; content:"file="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/101230/Exponent-2.0.0-Beta-1.1-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014840; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_06_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jeauto view parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_jeauto"; nocase; http_uri; content:"view="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/96803/Joomla-JE-Auto-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014878; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_06_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jradio controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_jradio"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/96751/Joomla-JRadio-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014879; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_06_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress wp-livephp plugin wp-live.php Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/wp-livephp/wp-live.php?"; nocase; http_uri; content:"s="; nocase; http_uri; pcre:"/s\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/108282/WordPress-LivePHP-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014880; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_06_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Mingle Forum groupid parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=mfstructure"; nocase; http_uri; content:"mingleforum_action="; nocase; http_uri; content:"groupid="; nocase; http_uri; pcre:"/groupid\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112696/WordPress-Mingle-Forum-1.0.33-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014881; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_06_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_catalogue controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_catalogue"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/96190/Joomla-Catalogue-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014882; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_06_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jvb_bridge Itemid Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_jvb_bridge"; nocase; http_uri; content:"Itemid="; nocase; http_uri; pcre:"/Itemid=(.+)?(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/90844/Joomla-JVB-Bridge-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014883; rev:2; metadata:created_at 2012_06_08, updated_at 2012_06_08;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jmsfileseller view parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_jmsfileseller"; nocase; http_uri; content:"cat_id="; nocase; http_uri; content:"view="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/101770/Joomla-JMSFileSeller-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014897; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_06_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_mscomment controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_mscomment"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,1337day.com/exploits/12246; classtype:web-application-attack; sid:2014898; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_06_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Plugin Tinymce Thumbnail Gallery href parameter Remote File Disclosure Attempt"; flow:established,to_server; content:"/wp-content/plugins/tinymce-thumbnail-gallery/php/download-image.php?"; nocase; http_uri; fast_pattern:19,20; content:"href="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/113417/WordPress-Tinymce-Thumbnail-Gallery-1.0.7-File-Disclosure.html; classtype:web-application-attack; sid:2014899; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_06_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress 2 Click Social Media Buttons plugin pinterest-url parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/2-click-socialmedia-buttons/libs/pinterest.php?"; nocase; http_uri; fast_pattern:19,20; content:"pinterest-url="; nocase; http_uri; pcre:"/pinterest-url\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112711/WordPress-2-Click-Social-Media-Buttons-0.32.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014900; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_06_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress 2 Click Social Media Buttons plugin xing-url parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/2-click-socialmedia-buttons/libs/xing.php?"; nocase; http_uri; fast_pattern:19,20; content:"xing-url="; nocase; http_uri; pcre:"/xing-url\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112711/WordPress-2-Click-Social-Media-Buttons-0.32.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014901; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_06_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Sharebar plugin status parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/sharebar/sharebar-admin.php?"; nocase; http_uri; fast_pattern:19,20; content:"status="; nocase; http_uri; pcre:"/status\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112690/WordPress-Sharebar-1.2.1-SQL-Injection-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014904; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_06_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_ckforms controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_ckforms"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/95623/Joomla-CKForms-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014905; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_06_15, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WHCMS smarty Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"/includes/smarty/internals/core.write_compiled_include.php?"; nocase; http_uri; fast_pattern:26,20; content:"smarty="; nocase; http_uri; pcre:"/smarty=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/113912/WHCMS-5.0.3-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014944; rev:3; metadata:created_at 2012_06_22, updated_at 2012_06_22;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WHCMS banco Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"/modules/gateways/boleto/boleto.php?"; nocase; fast_pattern:17,19; http_uri; content:"banco="; nocase; http_uri; pcre:"/banco=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/113912/WHCMS-5.0.3-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014945; rev:3; metadata:created_at 2012_06_22, updated_at 2012_06_22;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WHCMS smarty Parameter Remote File inclusion Attempt 2"; flow:established,to_server; content:"/includes/smarty/internals/core.process_compiled_include.php?"; nocase; http_uri; fast_pattern:26,20; content:"smarty="; nocase; http_uri; pcre:"/smarty=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/113912/WHCMS-5.0.3-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014946; rev:3; metadata:created_at 2012_06_22, updated_at 2012_06_22;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Thinkun Remind Plugin dirPath Remote File Disclosure Vulnerability"; flow:established,to_server; content:"/wp-content/plugins/thinkun-remind/exportData.php?"; nocase; http_uri; fast_pattern:19,20; content:"dirPath="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,secunia.com/advisories/49461; classtype:web-application-attack; sid:2014947; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_06_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Simple Download Button Shortcode Plugin Arbitrary File Disclosure Vulnerability"; flow:established,to_server; content:"/wp-content/plugins/simple-download-button-shortcode/simple-download-button_dl.php?"; nocase; http_uri; fast_pattern:52,20; content:"file="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,secunia.com/advisories/49462; classtype:web-application-attack; sid:2014948; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_06_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Plugins Wp-ImageZoom file parameter Remote File Disclosure Vulnerability"; flow:established,to_server; content:"/wp-content/plugins/wp-imagezoom/download.php?"; nocase; http_uri; fast_pattern:19,20; content:"file="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,1337day.com/exploits/18685; classtype:web-application-attack; sid:2014949; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_06_22, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nagios XI div parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/includes/components/graphexplorer/visApi.php?"; nocase; http_uri; fast_pattern:20,20; content:"type="; nocase; http_uri; content:"div="; nocase; http_uri; pcre:"/div\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,secunia.com/advisories/49544; classtype:web-application-attack; sid:2014950; rev:3; metadata:created_at 2012_06_22, updated_at 2012_06_22;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nagios XI view parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/perfgraphs/index.php?"; nocase; http_uri; content:"start="; nocase; http_uri; content:"end="; nocase; http_uri; content:"view="; nocase; http_uri; pcre:"/view\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,secunia.com/advisories/49544; classtype:web-application-attack; sid:2014951; rev:1; metadata:created_at 2012_06_22, updated_at 2012_06_22;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pliggCMS src parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"/modules/thumbnail_plus/thumbs/grab.php?"; nocase; http_uri; content:"src="; nocase; http_uri; pcre:"/src=\s*(ftps?|https?|php)\:\//Ui"; reference:url,1337day.com/exploits/18854; classtype:web-application-attack; sid:2014988; rev:2; metadata:created_at 2012_06_29, updated_at 2012_06_29;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Download Monitor thumbnail parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/download-monitor/uploader.php?"; nocase; http_uri; fast_pattern:19,20; content:"tab="; nocase; http_uri; content:"thumbnail="; nocase; http_uri; pcre:"/thumbnail\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112707/WordPress-Download-Monitor-3.3.5.4-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014989; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_06_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Download Monitor tags parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/download-monitor/uploader.php?"; nocase; http_uri; fast_pattern:19,20; content:"tab="; nocase; http_uri; content:"tags="; nocase; http_uri; pcre:"/tags\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112707/WordPress-Download-Monitor-3.3.5.4-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014990; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_06_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AdaptCMS sitepath parameter Remote File Inclusion Vulnerability"; flow:established,to_server; content:"/inc/smarty/libs/init.php?"; nocase; http_uri; content:"sitepath="; nocase; http_uri; pcre:"/sitepath=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/91022/AdaptCMS-2.0.0-Beta-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014993; rev:1; metadata:created_at 2012_06_29, updated_at 2012_06_29;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_profile controller parameter Local File Inclusion Vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_profile"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/95609/Joomla-Profile-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014994; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_06_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress jRSS Widget url parameter Local File Inclusion Vulnerability"; flow:established,to_server; content:"/wp-content/plugins/jrss-widget/proxy.php?"; nocase; http_uri; fast_pattern:19,12; content:"url="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/95638/WordPress-jRSS-Widget-1.1.1-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014995; rev:2; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Local_File_Inclusion, tag Wordpress, signature_severity Major, created_at 2012_06_29, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Concrete CMS approveImmediately parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/index.php/tools/required/edit_collection_popup.php?"; nocase; http_uri; content:"ctask="; nocase; http_uri; content:"approveImmediately="; nocase; http_uri; pcre:"/approveImmediately\x3d.+?(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change|error))/Ui"; reference:url,www.securityfocus.com/bid/53268/info; classtype:web-application-attack; sid:2015033; rev:3; metadata:created_at 2012_07_06, updated_at 2012_07_06;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Concrete CMS btask parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"arHandle="; nocase; http_uri; fast_pattern; content:"method="; nocase; http_uri; content:"btask="; nocase; http_uri; pcre:"/btask\x3d.+?(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change|error))/Ui"; reference:url,www.securityfocus.com/bid/53268/info; classtype:web-application-attack; sid:2015034; rev:3; metadata:created_at 2012_07_06, updated_at 2012_07_06;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Count Per Day Plugin page parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/count-per-day/userperspan.php?"; nocase; http_uri; fast_pattern:19,15; content:"page="; nocase; http_uri; pcre:"/page\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,secunia.com/advisories/49692/; classtype:web-application-attack; sid:2015038; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_07_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_wisroyq controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_wisroyq"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/95508/Joomla-Wisroyq-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015039; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_07_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_rssreader controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_rssreader"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/95430/Joomla-RSSReader-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015040; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_07_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Custom Contact Forms options-general.php Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/options-general.php?"; nocase; http_uri; content:"page=bb2_options"; nocase; http_uri; content:"x="; nocase; http_uri; pcre:"/x\x3d.+?(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112616/WordPress-Custom-Contact-Forms-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015041; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_07_06, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Leaflet plugin(leaflet_marker) id parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=leaflet_marker"; nocase; http_uri; content:"id="; nocase; http_uri; pcre:"/id\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112699/WordPress-Leaflet-0.0.1-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015466; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_07_13, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Leaflet plugin(leaflet_layer) id parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=leaflet_layer"; nocase; http_uri; content:"id="; nocase; http_uri; pcre:"/id\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112699/WordPress-Leaflet-0.0.1-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015467; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_07_13, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS joomla com_jstore controller parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_jstore"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/94689/Joomla-JStore-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015468; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_07_13, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Help Center Live file parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"/module.php?"; nocase; http_uri; content:"module=helpcenter"; nocase; http_uri; content:"file="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/88998/Help-Center-Live-2.0.6-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015469; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_07_13, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpPollScript include_class Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"/php/init.poll.php?"; nocase; http_uri; content:"include_class="; nocase; http_uri; pcre:"/include_class=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/81376/phpPollScript-1.3-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015470; rev:1; metadata:created_at 2012_07_13, updated_at 2012_07_13;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS joomla com_edir controller parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_edir"; nocase; http_uri; content:"view="; nocase; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/95604/Joomla-eDir-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015471; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_07_13, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS joomla com_connect controller parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_connect"; nocase; http_uri; content:"view="; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/95590/Joomla-Connect-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015472; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_07_13, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress CataBlog plugin category parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=catablog-gallery"; nocase; http_uri; content:"category="; nocase; http_uri; pcre:"/category\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112710/WordPress-CataBlog-1.6-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015473; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_07_13, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Plugin PICA Photo Gallery imgname parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/wp-content/plugins/pica-photo-gallery/picadownload.php?"; nocase; http_uri; fast_pattern:19,20; content:"imgname="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/113404/WordPress-PICA-Photo-Gallery-1.0-File-Disclosure.html; classtype:web-application-attack; sid:2015494; rev:1; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Local_File_Inclusion, tag Wordpress, signature_severity Major, created_at 2012_07_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Edition mod parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"/include/we_modules/show.php?"; nocase; http_uri; content:"mod="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/99789/Web-Edition-6.1.0.2-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015495; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_07_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress church_admin Plugin id parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/church-admin/includes/validate.php?"; nocase; http_uri; fast_pattern:19,14; content:"id="; nocase; http_uri; pcre:"/id\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,securityfocus.com/bid/54329; classtype:web-application-attack; sid:2015496; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_07_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Download Manager cid parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=file-manager/categories"; nocase; http_uri; content:"cid="; nocase; http_uri; pcre:"/cid\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112708/WordPress-Download-Manager-2.2.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015497; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_07_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla  com_hello controller parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_hello"; fast_pattern:only; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/114893/Joomla-Hello-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015498; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_07_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Plugin Newsletter data parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"/wp-content/plugins/plugin-newsletter/preview.php?"; nocase; http_uri; fast_pattern:19,19; content:"data="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/113413/WordPress-Newsletter-1.5-File-Disclosure.html; classtype:web-application-attack; sid:2015499; rev:1; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Local_File_Inclusion, tag Wordpress, signature_severity Major, created_at 2012_07_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress featurific-for-wordpress plugin snum parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/featurific-for-wordpress/cached_image.php?"; nocase; http_uri; fast_pattern:19,20; content:"snum="; nocase; http_uri; pcre:"/snum\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/107256/WordPress-Featurific-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015536; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_07_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_picasa2gallery controller parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_picasa2gallery"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/90915/Joomla-Picasa2Gallery-1.2.8-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015540; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_07_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Commentics id parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/comments/admin/index.php?"; nocase; http_uri; content:"page=edit_page"; nocase; http_uri; content:"id="; nocase; http_uri; pcre:"/id\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/113996/Commentics-2.0-Cross-Site-Request-Forgery-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015541; rev:1; metadata:created_at 2012_07_27, updated_at 2012_07_27;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress clickdesk-live-support-chat plugin cdwidgetid parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/clickdesk-live-support-chat/clickdesk.php?"; nocase; http_uri; fast_pattern:19,20; content:"cdwidgetid="; nocase; http_uri; pcre:"/cdwidgetid\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/107255/WordPress-Clickdesk-Live-Support-Chat-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015542; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_07_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpProfiles menu Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"/Full_Release/include/body_admin.inc.php?"; nocase; http_uri; content:"menu="; nocase; http_uri; pcre:"/menu=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/114971/phpProfiles-4.5.4-Beta-XSS-RFI-SQL-Injection.html; classtype:web-application-attack; sid:2015543; rev:1; metadata:created_at 2012_07_27, updated_at 2012_07_27;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpProfiles topic_title parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/full_release/community.php?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"comm_id="; nocase; http_uri; content:"topic_title="; nocase; http_uri; pcre:"/topic\_title\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/114971/phpProfiles-4.5.4-Beta-XSS-RFI-SQL-Injection.html; classtype:web-application-attack; sid:2015544; rev:1; metadata:created_at 2012_07_27, updated_at 2012_07_27;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla PollXT component Itemid parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_pollxt"; nocase; http_uri; content:"Itemid="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/94681/Joomla-PollXT-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015545; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_07_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ManageEngine Applications Manager attributeToSelect parameter Cross-Site Script Attempt"; flow:established,to_server; content:"/jsp/ThresholdActionConfiguration.jsp?"; nocase; http_uri; content:"resourceid="; nocase; http_uri; content:"attributeIDs="; nocase; http_uri; content:"attributeToSelect="; nocase; http_uri; pcre:"/attributeToSelect\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,securityfocus.com/bid/54759/; classtype:web-application-attack; sid:2015565; rev:1; metadata:created_at 2012_08_03, updated_at 2012_08_03;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jeformcr view parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_jeformcr"; fast_pattern:only; nocase; http_uri; content:"view="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/94549/Joomla-Jeformcr-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015568; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_08_03, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Bsadv controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_bsadv"; fast_pattern:only; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/94540/Joomla-Basdv-Local-File-Inclusion-Directory-Traversal.html; classtype:web-application-attack; sid:2015569; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_08_03, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_mailchimpccnewsletter controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_mailchimpccnewsletter"; fast_pattern:only; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/95332/Joomla-MailChimpCCNewsletter-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015570; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_08_03, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pragmaMx img_url parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/plugins/imgpopup/img_popup.php?"; nocase; http_uri; content:"img_url="; nocase; http_uri; pcre:"/img\_url\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/113035/pragmaMx-1.12.1-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015571; rev:1; metadata:created_at 2012_08_03, updated_at 2012_08_03;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TEMENOS T24 skin parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/genrequest.jsp?"; nocase; http_uri; content:"routineName="; nocase; http_uri; content:"routineArgs="; nocase; http_uri; content:"compId="; nocase; http_uri; content:"skin="; nocase; http_uri; pcre:"/skin\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/115126/Temenos-T24-R07.03-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015572; rev:1; metadata:created_at 2012_08_03, updated_at 2012_08_03;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Advanced Text Widget plugin  page parameter Cross-Site Script Attempt"; flow:established,to_server; content:"/wp-content/plugins/advanced-text-widget/advancedtext.php?"; nocase; http_uri; fast_pattern:19,22; content:"page="; nocase; http_uri; pcre:"/page\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/107192/WordPress-Advanced-Text-Widget-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015609; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_08_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Lanoba Social plugin action parameter Cross-Site Script Attempt"; flow:established,to_server; content:"/wp-content/plugins/lanoba-social-plugin/index.php?"; nocase; http_uri; fast_pattern:19,22; content:"action="; nocase; http_uri; pcre:"/action\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/107191/WordPress-Lanoba-Social-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015610; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_08_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla je-media-player view parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/components/je-media-player.html?"; nocase; http_uri; content:"view="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/91171/Joomla-JE-Media-Player-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015611; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_08_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dirLIST show_scaled_image.php Local File Inclusion Attempt"; flow:established,to_server; content:"/dirLIST_files/gallery_files/show_scaled_image.php?"; nocase; http_uri; content:"image_path="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/115381/dirLIST-0.3.0-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015612; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_08_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dirLIST thumb_gen.php Local File Inclusion Attempt"; flow:established,to_server; content:"/dirLIST_files/thumb_gen.php?"; nocase; http_uri; content:"image_path="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/115381/dirLIST-0.3.0-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015613; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_08_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BaglerCMS articleID parameter Cross-Site Script Attempt"; flow:established,to_server; content:"/baglercms.php?"; nocase; http_uri; content:"articleID="; nocase; http_uri; pcre:"/articleID\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,1337day.com/exploits/18221; classtype:web-application-attack; sid:2015614; rev:1; metadata:created_at 2012_08_10, updated_at 2012_08_10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress LiveGrounds plugin uid parameter Cross-Site Script Attempt"; flow:established,to_server; content:"/wp-content/plugins/livegrounds/lg_crop.php?"; nocase; http_uri; fast_pattern:19,13; content:"uid="; nocase; http_uri; pcre:"/uid\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,1337day.com/exploits/18932; classtype:web-application-attack; sid:2015615; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_08_10, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MindTouch Deki Wiki link.php Remote File Inclusion Attempt"; flow:established,to_server; content:"/web/deki/gui/link.php?"; nocase; http_uri; content:"IP="; nocase; http_uri; pcre:"/IP=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015637; rev:2; metadata:created_at 2012_08_17, updated_at 2012_08_17;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MindTouch Deki Wiki deki_plugin.php Remote File Inclusion Attempt"; flow:established,to_server; content:"/web/deki/plugins/deki_plugin.php?"; nocase; http_uri; content:"IP="; nocase; http_uri; pcre:"/IP=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015638; rev:2; metadata:created_at 2012_08_17, updated_at 2012_08_17;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MindTouch Deki Wiki wgDekiPluginPath parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"/web/deki/plugins/deki_plugin.php?"; nocase; http_uri; content:"wgDekiPluginPath="; nocase; http_uri; pcre:"/wgDekiPluginPath=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015639; rev:2; metadata:created_at 2012_08_17, updated_at 2012_08_17;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MindTouch Deki Wiki link.php Local File Inclusion Attempt"; flow:established,to_server; content:"/web/deki/gui/link.php?"; nocase; http_uri; content:"IP="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015640; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_08_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MindTouch Deki Wiki deki_plugin.php Local File Inclusion Attempt"; flow:established,to_server; content:"/web/deki/plugins/deki_plugin.php?"; nocase; http_uri; content:"IP="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015641; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_08_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MindTouch Deki Wiki wgDekiPluginPath parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/web/deki/plugins/deki_plugin.php?"; nocase; http_uri; content:"wgDekiPluginPath="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015642; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_08_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_g2bridge controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_g2bridge"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/90150/Joomla-G2Bridge-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015645; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_08_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible JBoss/JMX InvokerServlet Auth Bypass Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/invoker/JMXInvokerServlet/"; http_uri; nocase; reference:cve,CVE-2007-1036; reference:url,exploit-db.com/exploits/21080/; classtype:web-application-attack; sid:2015747; rev:2; metadata:created_at 2012_09_28, updated_at 2012_09_28;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PhpTax Possible Remote Code Exec"; flow:established,to_server; content:"/phptax/"; http_uri; fast_pattern:only; content:"&pfilez="; http_uri; nocase; classtype:web-application-attack; sid:2015794; rev:2; metadata:created_at 2012_10_11, updated_at 2012_10_11;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Piwik Backdoor Access"; flow:established,to_server; content:"/core/Loader.php?"; fast_pattern:only; http_uri; nocase; content:"g="; http_uri; content:"s="; http_uri; reference:url,blog.sucuri.net/2012/11/piwik-org-webserver-hacked-and-backdoor-added-to-piwik.html; classtype:web-application-attack; sid:2015947; rev:2; metadata:created_at 2012_11_27, updated_at 2012_11_27;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Piwik Backdoor Access 2"; flow:established,to_server; content:"/core/DataTable/Filter/Megre.php"; http_uri; nocase; reference:url,blog.sucuri.net/2012/11/piwik-org-webserver-hacked-and-backdoor-added-to-piwik.html; classtype:web-application-attack; sid:2015948; rev:1; metadata:created_at 2012_11_27, updated_at 2012_11_27;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nagios XI Network Monitor - OS Command Injection"; flow:to_server,established; content:"/nagiosxi/includes/components/graphexplorer/visApi.php?"; http_uri; pcre:"/(\?|&)(host|service|opt|end|start)=[^&]+?\x60.+?\x60/Ui"; reference:url,exchange.nagios.org/directory/Addons/Components/Graph-Explorer-Component/details; classtype:attempted-user; sid:2016015; rev:2; metadata:created_at 2012_12_03, updated_at 2012_12_03;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 41080 (msg:"ET WEB_SPECIFIC_APPS Symantec Messaging Gateway 9.5.3-3 - Arbitrary file download 2"; flow:to_server,established; content:"/brightmail/admin/restore/download.do?"; http_uri; content:"&localBackupFileSelection="; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120827_00; classtype:attempted-user; sid:2016119; rev:2; metadata:created_at 2012_12_03, updated_at 2012_12_03;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ViArt Shop Evaluation admin_header.php Remote File Inclusion Attempt"; flow:established,to_server; content:"/admin/admin_header.php?"; nocase; http_uri; content:"root_folder_path="; fast_pattern:only; nocase; http_uri; pcre:"/root\_folder\_path=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,packetstormsecurity.org/files/116871/ViArt-Shop-Evaluation-4.1-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016002; rev:1; metadata:created_at 2012_12_07, updated_at 2012_12_07;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ViArt Shop Evaluation ajax_list_tree.php Remote File Inclusion Attempt"; flow:established,to_server; content:"/includes/ajax_list_tree.php?"; nocase; http_uri; content:"root_folder_path="; fast_pattern:only; nocase; http_uri; pcre:"/root\_folder\_path=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,packetstormsecurity.org/files/116871/ViArt-Shop-Evaluation-4.1-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016003; rev:1; metadata:created_at 2012_12_07, updated_at 2012_12_07;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ViArt Shop Evaluation previews_functions.php Remote File Inclusion Attempt"; flow:established,to_server; content:"/includes/previews_functions.php?"; nocase; http_uri; content:"root_folder_path="; fast_pattern:only; nocase; http_uri; pcre:"/root\_folder\_path=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,packetstormsecurity.org/files/116871/ViArt-Shop-Evaluation-4.1-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016004; rev:1; metadata:created_at 2012_12_07, updated_at 2012_12_07;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Achievo atknodetype parameter Local File Inclusion Vulnerability"; flow:established,to_server; content:"/dispatch.php?"; nocase; http_uri; content:"atkaction=search"; fast_pattern:only; nocase; http_uri; content:"atknodetype="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/117822/Achievo-1.4.5-XSS-LFI-SQL-Injection.html; classtype:web-application-attack; sid:2016005; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_12_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PRADO PHP Framework functional_tests.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/tests/test_tools/functional_tests.php?"; nocase; http_uri; content:"sr="; nocase; http_uri; content:"|2e 2e 2f|";  depth:200; reference:url,packetstormsecurity.org/files/118348/PRADO-PHP-Framework-3.2.0-File-Read.html; classtype:web-application-attack; sid:2016006; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_12_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PRADO PHP Framework functional.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/demos/time-tracker/tests/functional.php?"; nocase; http_uri; content:"sr="; nocase; http_uri; content:"|2e 2e 2f|";  depth:200; reference:url,packetstormsecurity.org/files/118348/PRADO-PHP-Framework-3.2.0-File-Read.html; classtype:web-application-attack; sid:2016007; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_12_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Inventory consulta_fact.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/consulta_fact.php?"; nocase; http_uri; fast_pattern:only; content:"fact_num="; nocase; http_uri; pcre:"/fact_num\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/117683/Inventory-1.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016008; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2012_12_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Inventory newinventario.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/newinventario.php?"; nocase; http_uri; fast_pattern:only; content:"sn="; nocase; http_uri; pcre:"/sn\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/117683/Inventory-1.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016009; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2012_12_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Inventory newtransact.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/newtransact.php?"; nocase; http_uri; fast_pattern:only; content:"ref="; nocase; http_uri; pcre:"/ref\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/117683/Inventory-1.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016010; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2012_12_07, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress FSML Plugin fsml-admin.js.php Remote File Inclusion Attempt"; flow:established,to_server; content:"/wp-content/plugins/floating-social-media-links/fsml-admin.js.php?"; nocase; http_uri; fast_pattern:47,18; content:"wpp="; nocase; http_uri; pcre:"/wpp=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,secunia.com/advisories/51346; classtype:web-application-attack; sid:2016037; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_12_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress FSML Plugin fsml-hideshow.js.php Remote File Inclusion Attempt"; flow:established,to_server; content:"/wp-content/plugins/floating-social-media-links/fsml-hideshow.js.php?"; nocase; http_uri; fast_pattern:47,21; content:"wpp="; nocase; http_uri; pcre:"/wpp=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,secunia.com/advisories/51346; classtype:web-application-attack; sid:2016038; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_12_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Havalite userId parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/hava_user.php?"; nocase; http_uri; fast_pattern:only; content:"userId="; nocase; http_uri; pcre:"/userId\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/118714/Havalite-1.1.7-Cross-Site-Scripting-Shell-Upload.html; classtype:web-application-attack; sid:2016039; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2012_12_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SimpleInvoices having parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"module="; nocase; http_uri; content:"view="; nocase; http_uri; content:"having="; nocase; http_uri; fast_pattern:only; pcre:"/having\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/118737/SimpleInvoices-2011.1-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016040; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2012_12_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Manhali download.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/includes/download.php?"; nocase; http_uri; content:"f="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/116724/Manhali-1.8-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016042; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_12_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RIPS code.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/windows/code.php?"; nocase; http_uri; content:"file="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/111164/RIPS-0.53-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016043; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_12_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RIPS function.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/windows/function.php?"; nocase; http_uri; content:"file="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/111164/RIPS-0.53-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016044; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_12_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Admidio headline parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/adm_program/modules/guestbook/guestbook_new.php?"; nocase; http_uri; fast_pattern:30,18; content:"headline="; nocase; http_uri; pcre:"/headline\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/116155/Admidio-2.3.5-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2016045; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2012_12_14, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simplemachines view parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/ssi_examples.php?"; nocase; http_uri; fast_pattern:only; content:"view="; nocase; http_uri; pcre:"/view\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/117618/SMF-2.0.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016036; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2012_12_14, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible WordpressPingbackPortScanner detected "; flow:established,to_server; content:"POST"; http_method; nocase; content:"/xmlrpc.php"; http_uri; content:"pingback.ping"; http_client_body; nocase; threshold: type both, track by_src, seconds 60, count 5; reference:url,seclists.org/bugtraq/2012/Dec/101; reference:url,github.com/FireFart/WordpressPingbackPortScanner/; reference:url,www.acunetix.com/blog/web-security-zone/wordpress-pingback-vulnerability/; classtype:web-application-attack; sid:2016061; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_12_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Video Lead Form plugin errMsg parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=video-lead-form"; nocase; http_uri; fast_pattern:5,15; content:"errMsg="; nocase; http_uri; pcre:"/errMsg\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/118466/WordPress-Video-Lead-Form-0.5-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016076; rev:1; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, tag Wordpress, signature_severity Major, created_at 2012_12_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Amateur Photographer Image Gallery albumid parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/plist.php?albumid="; nocase; http_uri; pcre:"/albumid\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/117463/Amateur-Photographers-Image-Gallery-0.9a-XSS-SQL-Injection.html; classtype:web-application-attack; sid:2016077; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2012_12_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Amateur Photographer Image Gallery file parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/force-download.php?file="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/117463/Amateur-Photographers-Image-Gallery-0.9a-XSS-SQL-Injection.html; classtype:web-application-attack; sid:2016078; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_12_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS simple machines forum include parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"action=admin"; nocase; http_uri; content:"include="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/116709/SMF-2.0.2-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016079; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_12_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Cloudsafe365 file parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/wp-content/plugins/cloudsafe365-for-wp/admin/editor/cs365_edit.php?"; nocase; http_uri; fast_pattern:19,20; content:"file="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/115972/WordPress-Cloudsafe365-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016080; rev:1; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Local_File_Inclusion, tag Wordpress, signature_severity Major, created_at 2012_12_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zenphoto date parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/zp-core/zp-extensions/zenpage/admin-news-articles.php?"; nocase; http_uri; content:"date="; nocase; http_uri; pcre:"/date\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/117067/Zenphoto-1.4.3.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016081; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2012_12_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Token Manager Plugin tokenmanageredit page XSS Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=tokenmanageredit"; nocase; http_uri; fast_pattern:5,16; content:"tid="; nocase; http_uri; pcre:"/tid\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/116837/Wordpress-Plugin-Token-Manager-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016082; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_12_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Token Manager Plugin tokenmanagertypeedit page XSS Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=tokenmanagertypeedit"; nocase; http_uri; fast_pattern:5,20; content:"tid="; nocase; http_uri; pcre:"/tid\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/116837/Wordpress-Plugin-Token-Manager-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016083; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_12_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SonicWALL SonicOS searchStr XML Tag Script Insertion Attempt"; flow:established,to_server; content:"POST"; http_method; content:"dbInfo"; nocase; http_client_body; content:"dbInfoRequest"; nocase; http_client_body; content:"searchStr"; nocase; http_client_body; pcre:"/(\x3c|\x253c)dbInfo(\x3e|\x253e)[\r\n\s]*?(\x3c|\x253c)dbInfoRequest(\x3e|\x253e).+?(\x3c|\x253c)searchStr(\x3e|\x253e)((?!(\x3c|\x253c)(\/|\x252f)searchStr(\x3e|\x253e)).)+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=)).+?(\x3c|\x253c)(\/|\x252f)searchStr(\x3e|\x253e)/Psi"; reference:url,securelist.com/en/advisories/51615; reference:url,seclists.org/bugtraq/2012/Dec/110; classtype:web-application-attack; sid:2016086; rev:1; metadata:created_at 2012_12_21, updated_at 2012_12_21;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Request to Wordpress W3TC Plug-in dbcache Directory"; flow:established,to_server; content:"/wp-content/w3tc/dbcache"; http_uri; nocase; reference:url,seclists.org/fulldisclosure/2012/Dec/242; classtype:trojan-activity; sid:2016100; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_12_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress WP-Property Plugin uploadify.php Arbitrary File Upload Vulnerability"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/wp-property/third-party/uploadify/uploadify.php"; http_uri; nocase; content:"Filedata"; nocase; http_client_body; reference:url,www.securityfocus.com/bid/53787/info; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/53787.php; classtype:web-application-attack; sid:2016109; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_12_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gpEasy CMS section parameter XSS Attempt"; flow:established,to_server; content:"/?cmd=new_section"; nocase; http_uri; fast_pattern; content:"section="; nocase; http_uri; pcre:"/section\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,1337day.com/exploit/19949; classtype:web-application-attack; sid:2016114; rev:1; metadata:created_at 2012_12_28, updated_at 2012_12_28;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gpEasy CMS index.php file XSS Attempt"; flow:established,to_server; content:"/index.php/Child_Page?"; nocase; http_uri; content:"cmd=new_section"; nocase; http_uri; fast_pattern; content:"section="; nocase; http_uri; pcre:"/section\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,1337day.com/exploit/19949; classtype:web-application-attack; sid:2016115; rev:1; metadata:created_at 2012_12_28, updated_at 2012_12_28;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gpEasy CMS key parameter XSS Attempt"; flow:established,to_server; content:"/index.php/Admin_Theme_Content?"; nocase; http_uri; content:"cmd=edittext"; nocase; http_uri; fast_pattern; content:"key="; nocase; http_uri; pcre:"/key\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,1337day.com/exploit/19949; classtype:web-application-attack; sid:2016116; rev:1; metadata:created_at 2012_12_28, updated_at 2012_12_28;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Mailing List plugin wpabspath parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"/wp-content/plugins/mailz/lists/config/config.php?"; fast_pattern:20,20; nocase; http_uri; content:"wpabspath="; nocase; http_uri; pcre:"/wpabspath=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,packetstormsecurity.org/files/105236/WordPress-Mailing-List-1.3.2-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016117; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_12_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wiki Web Help configpath parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"/pages/links.php?"; nocase; http_uri; content:"configpath="; nocase; http_uri; pcre:"/configpath=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,packetstormsecurity.org/files/116202/Wiki-Web-Help-0.3.11-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016120; rev:1; metadata:created_at 2012_12_28, updated_at 2012_12_28;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Relocate Upload plugin abspath parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"/wp-content/plugins/relocate-upload/relocate-upload.php?"; nocase; http_uri; fast_pattern:19,17; content:"ru_folder="; nocase; http_uri; content:"abspath="; nocase; http_uri; pcre:"/abspath=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,packetstormsecurity.org/files/105239/WordPress-Relocate-Upload-0.14-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016121; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2012_12_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LogAnalyzer asktheoracle.php file XSS Attempt"; flow:established,to_server; content:"/asktheoracle.php?"; nocase; http_uri; fast_pattern; content:"type="; nocase; http_uri; content:"oracle_query="; nocase; http_uri; pcre:"/oracle\_query\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/119015/Loganalyzer-3.6.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016122; rev:1; metadata:created_at 2012_12_28, updated_at 2012_12_28;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Myflash path parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/wp-content/plugins/myflash/myextractXML.php"; nocase; http_uri; fast_pattern:19,9; content:"path="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/118400/WordPress-Myflash-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016123; rev:1; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Local_File_Inclusion, tag Wordpress, signature_severity Major, created_at 2012_12_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Plugin Advanced Custom Fields Remote File Inclusion"; flow:established,to_server; content:"/wp-content/plugins/advanced-custom-fields/core/actions/export.php"; nocase; http_uri; fast_pattern:20,20; content:"abspath="; nocase; http_client_body; pcre:"/abspath=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Pi"; classtype:attempted-user; sid:2016148; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2013_01_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mahara query Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/group/members.php?"; nocase; http_uri; fast_pattern:only; content:"id="; nocase; http_uri; content:"query="; nocase; http_uri; pcre:"/query\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,securityfocus.com/bid/56718; classtype:web-application-attack; sid:2016156; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2013_01_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WHM filtername Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/mail/filters/editfilter.html?"; nocase; http_uri; content:"account="; nocase; http_uri; content:"filtername="; nocase; http_uri; pcre:"/filtername\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|error|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,securityfocus.com/bid/57061; classtype:web-application-attack; sid:2016157; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2013_01_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Google Doc Embedder plugin file parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/wp-content/plugins/google-document-embedder/libs/pdf.php?"; nocase; http_uri; fast_pattern:20,20; content:"file="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,secunia.com/advisories/50832; classtype:web-application-attack; sid:2016158; rev:1; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Local_File_Inclusion, tag Wordpress, signature_severity Major, created_at 2013_01_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple Machines Forum ssi_function parameter path disclosure vulnerability"; flow:established,to_server; content:"/SSI.php?ssi_function="; nocase; http_uri; reference:url,packetstormsecurity.com/files/119240/Simple-Machines-Forum-2.0.3-Path-Disclosure.html; classtype:web-application-attack; sid:2016159; rev:1; metadata:created_at 2013_01_04, updated_at 2013_01_04;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SiteGo get_templet.php of green Remote File Inclusion Attempt"; flow:established,to_server; content:"/style/green/get_templet.php?"; nocase; http_uri; content:"MyStyle[StylePath]="; nocase; http_uri; pcre:"/MyStyle\[StylePath\]=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,packetstormsecurity.com/files/116412/SiteGo-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016163; rev:1; metadata:created_at 2013_01_04, updated_at 2013_01_04;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SiteGo get_templet.php of blue Remote File Inclusion Attempt"; flow:established,to_server; content:"/style/blue/get_templet.php?"; nocase; http_uri; content:"MyStyle[StylePath]="; nocase; http_uri; pcre:"/MyStyle\[StylePath\]=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,packetstormsecurity.com/files/116412/SiteGo-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016164; rev:1; metadata:created_at 2013_01_04, updated_at 2013_01_04;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cPanel dir Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/x3/files/dir.html?"; nocase; http_uri; fast_pattern; content:"showhidden="; nocase; http_uri; content:"dir="; nocase; http_uri; pcre:"/dir\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|error|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,securityfocus.com/bid/57064; classtype:web-application-attack; sid:2016165; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2013_01_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress NextGEN Gallery plugin test-head parameter XSS Attempt"; flow:established,to_server; content:"/wp-content/plugins/nextgen-gallery/nggallery.php?"; nocase; http_uri; fast_pattern:19,20; content:"test-head="; nocase; http_uri; pcre:"/test\-head\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.com/files/119360/WordPress-NextGEN-Gallery-1.9.10-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016194; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2013_01_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Browser Rejector Plugin wppath Remote File Inclusion Attempt"; flow:established,to_server; content:"/wp-content/plugins/browser-rejector/rejectr.js.php?"; nocase; http_uri; fast_pattern:19,20; content:"wppath="; nocase; http_uri; pcre:"/wppath=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,secunia.com/advisories/51739/; classtype:web-application-attack; sid:2016195; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2013_01_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dell OpenManage Server Administrator topic parameter XSS Attempt"; flow:established,to_server; content:"/help/sm/en/Output/wwhelp/wwhimpl/js/html/index_main.htm?"; nocase; http_uri; content:"topic="; nocase; http_uri; pcre:"/topic\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,kb.cert.org/vuls/id/950172; classtype:web-application-attack; sid:2016196; rev:2; metadata:created_at 2013_01_11, updated_at 2013_01_11;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Free Blog Arbitrary File Deletion Attempt"; flow:established,to_server; content:"/up.php?del="; nocase; http_uri; fast_pattern:only; content:"del="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.com/files/119385/Free-Blog-1.0-Shell-Upload-Arbitrary-File-Deletion.html; classtype:web-application-attack; sid:2016198; rev:2; metadata:created_at 2013_01_11, updated_at 2013_01_11;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Adiscon LogAnalyzer viewid Cross-Site Scripting Attempt"; flow:established,to_server; content:"/src/userchange.php?"; nocase; http_uri; content:"op=changeview"; nocase; http_uri; fast_pattern; content:"viewid="; nocase; http_uri; pcre:"/viewid\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,secunia.com/advisories/51816/; classtype:web-application-attack; sid:2016199; rev:1; metadata:created_at 2013_01_11, updated_at 2013_01_11;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TinyBrowser tinybrowser.php file Script Execution Attempt"; flow:established,to_server; content:"/js/tiny_mce/plugins/tinybrowser/tinybrowser.php?"; nocase; http_uri; content:"type="; nocase; http_uri; reference:url,securityfocus.com/bid/57230/; classtype:web-application-attack; sid:2016200; rev:2; metadata:created_at 2013_01_11, updated_at 2013_01_11;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TinyBrowser edit.php file Script Execution Attempt"; flow:established,to_server; content:"/js/tiny_mce/plugins/tinybrowser/edit.php?"; nocase; http_uri; content:"type="; nocase; http_uri; reference:url,securityfocus.com/bid/57230/; classtype:web-application-attack; sid:2016201; rev:1; metadata:created_at 2013_01_11, updated_at 2013_01_11;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TinyBrowser upload.php file Script Execution Attempt"; flow:established,to_server; content:"/js/tiny_mce/plugins/tinybrowser/upload.php?"; nocase; http_uri; content:"type="; nocase; http_uri; reference:url,securityfocus.com/bid/57230/; classtype:web-application-attack; sid:2016202; rev:1; metadata:created_at 2013_01_11, updated_at 2013_01_11;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Gallery Plugin filename_1 Parameter Remote File Access Attempt"; flow:established,to_server; content:"/wp-content/plugins/gallery-plugin/gallery-plugin.php?"; nocase; http_uri; fast_pattern:33,20; content:"filename_1="; nocase; http_uri; pcre:"/filename\_1=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,securityfocus.com/bid/57256/; classtype:web-application-attack; sid:2016203; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2013_01_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Age Verification plugin redirect_to Parameter URI Redirection"; flow:established,to_server; content:"/wp-content/plugins/age-verification/age-verification.php?"; nocase; fast_pattern:20,20; http_uri; content:"redirect_to="; nocase; http_uri; pcre:"/redirect\_to=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,securityfocus.com/bid/51357/; classtype:web-application-attack; sid:2016230; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2013_01_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cartweaver 3 Local File Inclusion Attempt"; flow:established,to_server; content:"/admin/helpfiles/AdminHelp.php?"; nocase; http_uri; content:"helpFileName="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.com/files/117370/Cartweaver-3-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016231; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2013_01_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_bit controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_bit"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.com/files/118943/Joomla-Bit-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016232; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2013_01_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_ztautolink controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_ztautolink"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.com/files/118944/Joomla-ZtAutoLink-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016233; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2013_01_18, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mu Perspectives Cms id parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/site_news.php?id="; nocase; http_uri; pcre:"/id\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.com/files/116148/Mu-Perspectives-CMS-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016234; rev:2; metadata:created_at 2013_01_18, updated_at 2013_01_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Incapsula component Security.php XSS Attempt"; flow:established,to_server; content:"/com_incapsula/assets/tips/en/Security.php?"; nocase; http_uri; fast_pattern; content:"token="; nocase; http_uri; pcre:"/token\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.com/files/119364/Joomla-Incapsula-1.4.6_b-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016238; rev:1; metadata:created_at 2013_01_18, updated_at 2013_01_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Incapsula component Performance.php file XSS Attempt"; flow:established,to_server; content:"/com_incapsula/assets/tips/en/Performance.php?"; nocase; http_uri; fast_pattern; content:"token="; nocase; http_uri; pcre:"/token\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.com/files/119364/Joomla-Incapsula-1.4.6_b-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016239; rev:1; metadata:created_at 2013_01_18, updated_at 2013_01_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jenkins Script Console Usage (Can be Used to Spawn Shell)"; flow:established,to_server; content:"POST"; http_method; content:"/script"; http_uri; nocase; pcre:"/\/script\/?$/Ui"; content:"script"; http_client_body; nocase; content:"Submit"; nocase; http_client_body; content:"Runtime"; http_client_body; nocase; content:"getRuntime"; nocase; http_client_body; distance:0; content:".exec"; nocase; http_client_body; classtype:attempted-user; sid:2016294; rev:9; metadata:created_at 2013_01_24, updated_at 2013_01_24;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jenkins Script Console Usage (Metasploit Windows CMD Shell)"; content:"POST"; http_method; nocase; content:"/script"; http_uri; nocase; pcre:"/\/script\/?$/Ui"; content:"sun.misc.BASE64Decoder"; nocase; http_client_body; content:".decodeBuffer"; nocase; http_client_body; content:"cmd.exe"; http_client_body; fast_pattern; classtype:attempted-user; sid:2016295; rev:6; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_01_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jenkins Script Console Usage (Metasploit Unix Shell)"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/script"; http_uri; nocase; pcre:"/\/script\/?$/Ui"; content:"sun.misc.BASE64Decoder"; nocase; http_client_body; content:".decodeBuffer"; nocase; http_client_body; content:"/bin/sh"; http_client_body; fast_pattern; classtype:attempted-user; sid:2016296; rev:6; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_01_24, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Openconstructor CMS result Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/data/file/edit.php?"; nocase; http_uri; content:"hybridid="; nocase; http_uri; content:"result="; nocase; http_uri; pcre:"/keyword\x3d.+(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|c(?:hange|lick)|(?:un)?load|focus|mouse|blur|key)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.com/files/115284/Openconstructor-CMS-3.12.0-Reflected-XSS.html; classtype:web-application-attack; sid:2016282; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2013_01_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Openconstructor CMS keyword Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/users/users.php?"; nocase; http_uri; content:"type="; nocase; http_uri; content:"keyword="; nocase; http_uri;pcre:"/keyword\x3d.+(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|c(?:hange|lick)|(?:un)?load|focus|mouse|blur|key)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.com/files/115284/Openconstructor-CMS-3.12.0-Reflected-XSS.html; classtype:web-application-attack; sid:2016283; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2013_01_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CubeCart loc parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/admin.php?_g=filemanager/language"; nocase; http_uri; fast_pattern; content:"loc="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.com/files/119082/CubeCart-4.4.6-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016284; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2013_01_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GetSimple CMS path parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/admin/filebrowser.php?"; nocase; http_uri; fast_pattern; content:"path="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.com/files/115302/GetSimple-CMS-3.1.2-Local-File-Inclusion-Path-Disclosure.html; classtype:web-application-attack; sid:2016285; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2013_01_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Banana Dance name Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/functions/ajax.php?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"name="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.com/files/118964/Banana-Dance-B.2.6-Inclusion-Access-Control-SQL-Injection.html; classtype:web-application-attack; sid:2016287; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2013_01_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_collector Component Arbitrary File Upload Vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_collector"; nocase; http_uri; fast_pattern:only; content:"view="; nocase; http_uri; reference:url,exploit-db.com/exploits/24228/; classtype:web-application-attack; sid:2016288; rev:2; metadata:created_at 2013_01_25, updated_at 2013_01_25;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS web wiz forums ForumID Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/forum_members.asp?"; nocase; http_uri; content:"find="; nocase; http_uri; content:"ForumID="; nocase; http_uri; pcre:"/ForumID\x3d.+(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|c(?:hange|lick)|(?:un)?load|focus|mouse|blur|key)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.com/files/115886/Web-Wiz-Forums-10.03-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016289; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2013_01_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS web wiz forums ThreadPage Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/post_message_form.asp?"; nocase; http_uri; content:"ForumID="; nocase; http_uri; content:"ThreadPage="; nocase; http_uri; pcre:"/ThreadPage\x3d.+(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|c(?:hange|lick)|(?:un)?load|focus|mouse|blur|key)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.com/files/115886/Web-Wiz-Forums-10.03-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016290; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2013_01_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpMiniAdmin db Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/phpminiadmin.php?"; nocase; http_uri; fast_pattern; content:"XSS="; nocase; http_uri; content:"db="; nocase; http_uri; pcre:"/db\x3d.+(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|c(?:hange|lick)|(?:un)?load|focus|mouse|blur|key)|s(?:cript|tyle=))/Ui"; reference:url,cxsecurity.com/issue/WLB-2013010179; classtype:web-application-attack; sid:2016291; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2013_01_25, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OSClass file Parameter Remote File Access Attempt"; flow:established,to_server; content:"/oc-admin/index.php?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"action=upgrade"; nocase; http_uri; content:"file="; nocase; http_uri; pcre:"/file=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,securityfocus.com/bid/51721/; classtype:web-application-attack; sid:2016334; rev:1; metadata:created_at 2013_02_01, updated_at 2013_02_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OSClass id parameter data access Attempt 1"; flow:established,to_server; content:"/oc-admin/index.php?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"action=enable_category"; nocase; http_uri; fast_pattern; content:"id="; nocase; http_uri; reference:url,securityfocus.com/bid/51721/; classtype:web-application-attack; sid:2016335; rev:1; metadata:created_at 2013_02_01, updated_at 2013_02_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OSClass id parameter data access Attempt 2"; flow:established,to_server; content:"/oc-admin/index.php?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"action=edit_category_post"; nocase; http_uri; fast_pattern; content:"id="; nocase; http_uri; reference:url,securityfocus.com/bid/51721/; classtype:web-application-attack; sid:2016336; rev:1; metadata:created_at 2013_02_01, updated_at 2013_02_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Chocolate WP Theme src Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/themes/dt-chocolate/thumb.php?"; fast_pattern:12,20; nocase; http_uri; content:"src="; nocase; http_uri; pcre:"/src\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,securityfocus.com/bid/57541/; classtype:web-application-attack; sid:2016337; rev:1; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, tag Wordpress, signature_severity Major, created_at 2013_02_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Chocolate WP Theme src Remote File Inclusion Attempt"; flow:established,to_server; content:"/wp-content/themes/dt-chocolate/thumb.php?"; fast_pattern:12,20; nocase; http_uri; content:"h="; nocase; http_uri; content:"src="; nocase; http_uri; pcre:"/src=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,securityfocus.com/bid/57541/; classtype:web-application-attack; sid:2016338; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2013_02_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMSQLITE id parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/admin/mediaAdmin.php?"; nocase; http_uri; content:"id="; nocase; http_uri; pcre:"/id\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,securityfocus.com/bid/56132/; classtype:web-application-attack; sid:2016339; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2013_02_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMSQLITE mediaAdmin.php file Local File Inclusion Attempt"; flow:established,to_server; content:"/admin/mediaAdmin.php?"; nocase; http_uri; content:"d="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,securityfocus.com/bid/56132/; classtype:web-application-attack; sid:2016340; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2013_02_01, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress WP ecommerce Shop Styling Plugin dompdf RFI Attempt"; flow:established,to_server; content:"/wp-content/plugins/wp-ecommerce-shop-styling/includes/generate-pdf.php?"; nocase; fast_pattern:20,20; http_uri; content:"dompdf="; nocase; http_uri; pcre:"/dompdf=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,secunia.com/advisories/51707/; classtype:web-application-attack; sid:2016381; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2013_02_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Audio Player Plugin playerID parameter XSS attempt in swf"; flow:established,to_server; content:"/wp-content/plugins/audio-player/assets/player.swf?"; nocase; http_uri; fast_pattern:20,20; content:"playerID="; nocase; http_uri; pcre:"/playerID\x3d.+\)\)\}catch\(.+\)\{/Ui"; reference:url,packetstormsecurity.com/files/120129/WordPress-Audio-Player-SWF-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016383; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2013_02_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress CommentLuv Plugin _ajax_nonce Parameter XSS Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/wp-admin/admin-ajax.php"; nocase; http_uri; content:"_ajax_nonce="; nocase; http_client_body; pcre:"/\_ajax\_nonce\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Pi"; reference:url,securityfocus.com/bid/57771/; classtype:web-application-attack; sid:2016384; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2013_02_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SiteGo file parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/admin/extra/contacts/DownloadMailAttach.php?"; nocase; http_uri; content:"file="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,securityfocus.com/bid/57845/; classtype:web-application-attack; sid:2016388; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2013_02_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SiteGo OpenFolder parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/admin/extra/StyleManager/EditFile.php?"; nocase; http_uri; content:"OpenFolder="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,securityfocus.com/bid/57845/; classtype:web-application-attack; sid:2016389; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2013_02_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Glossword gw_admin.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/1.8/gw_admin.php?a="; nocase; http_uri; content:"t="; nocase; http_uri; pcre:"/a\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.com/files/120045/Glossword-1.8.12-XSS-CSRF-Shell-Upload-Database-Disclosure.html; classtype:web-application-attack; sid:2016390; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2013_02_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MoinMoin twikidraw Action Traversal File Upload"; flow:to_server,established; content:"POST"; http_method; content:"?action=twikidraw"; http_uri; content:"&target="; http_uri; content:"|2e 2e 2f|moin.wsgi"; reference:bugtraq,57082; reference:cve,2012-6081; reference:url,packetstormsecurity.com/files/122079/moinmoin_twikidraw.rb.txt; reference:url,exploit-db.com/exploits/25304/; classtype:web-application-attack; sid:2017074; rev:1; metadata:created_at 2013_06_27, updated_at 2013_06_27;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible WHMCS SQLi AES_ENCRYPT at start of value"; flow:to_server,established; content:".php?"; http_uri; nocase; content:"=AES_ENCRYPT("; http_uri; nocase; distance:0; reference:url,localhost.re/p/whmcs-527-vulnerability; classtype:attempted-admin; sid:2017560; rev:4; metadata:created_at 2013_10_04, updated_at 2013_10_04;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible JBoss/JMX InvokerServlet RCE Using Marshalled Object"; flow:established,to_server; content:"POST"; http_method; content:"/invoker/JMXInvokerServlet/"; http_uri; nocase; fast_pattern:only; content:"invocation.MarshalledInvocation"; nocase; reference:url,www.exploit-db.com/exploits/28713/; classtype:web-application-attack; sid:2017573; rev:2; metadata:created_at 2013_10_09, updated_at 2013_10_09;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible JBoss/JMX EJBInvokerServlet RCE Using Marshalled Object"; flow:established,to_server; content:"POST"; http_method; content:"/invoker/EJBInvokerServlet/"; http_uri; nocase; fast_pattern:only; content:"invocation.MarshalledInvocation"; nocase; reference:url,www.exploit-db.com/exploits/28713/; classtype:web-application-attack; sid:2017574; rev:2; metadata:created_at 2013_10_09, updated_at 2013_10_09;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible VBulletin Unauthorized Admin Account Creation"; flow:established,to_server; content:"POST"; http_method; content:"/upgrade.php"; http_uri; nocase; fast_pattern:only; content:"Origin|3a|"; http_header; content:"&customerid="; nocase; http_client_body; content:"&htmlsubmit="; http_client_body; content:"username"; nocase; http_client_body; content:"confirmpassword"; http_client_body; nocase; reference:url,blog.imperva.com/2013/10/threat-advisory-a-vbulletin-exploit-administrator-injection.html; classtype:web-application-attack; sid:2017575; rev:1; metadata:created_at 2013_10_09, updated_at 2013_10_09;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Oracle JSF2 Path Traversal Attempt"; flow:established,to_server; content:"/WEB-INF/web.xml"; nocase; http_uri; fast_pattern:only; content:"|2e 2e 2f|"; http_raw_uri; reference:url,security.coverity.com/advisory/2013/Oct/two-path-traversal-defects-in-oracles-jsf2-implementation.html; reference:cve,2013-3815; classtype:web-application-attack; sid:2017611; rev:1; metadata:created_at 2013_10_17, updated_at 2013_10_17;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WHMCS lt 5.2.8 SQL Injection"; flow:established,to_server; content:"[sqltype]="; http_uri; nocase; content:"[value]="; http_uri; nocase; content:".php?"; http_uri; nocase; reference:url,localhost.re/res/whmcs2.py; classtype:attempted-admin; sid:2017622; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2013_10_21, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PeopleSoft Portal Command with Default Creds"; flow:to_server,established; content:"cmd="; http_uri; nocase; content:"pwd=dayoff"; http_uri; nocase; fast_pattern:only; pcre:"/[&?]pwd=dayoff(?:&|$)/Ui"; pcre:"/[&?]cmd=/Ui"; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-admin; sid:2017801; rev:2; metadata:created_at 2013_12_06, updated_at 2013_12_06;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SAP Possible CTC Auth/HTTP Verb Bypass Attempt"; flow:to_server,established; content:"HEAD"; nocase; http_method; content:"/ctc/"; http_uri; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-admin; sid:2017802; rev:2; metadata:created_at 2013_12_06, updated_at 2013_12_06;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress OptimizePress Arbitratry File Upload"; flow:to_server,established; content:"POST"; http_method; content:"/lib/admin/media-upload"; http_uri; pcre:"/\/lib\/admin\/media-upload(?:-lncthumb|-sq_button)?\.php/Ui"; content:"<?"; http_client_body; content:".php"; http_client_body; reference:url,blog.sucuri.net/2013/12/wordpress-optimizepress-theme-file-upload-vulnerability.html; classtype:attempted-admin; sid:2017853; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2013_12_13, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JoomSocial AvatarUpload RCE"; flow:established,to_server; content:"func="; nocase; content:"photo"; nocase; distance:0; content:"ajaxUploadAvatar"; nocase; fast_pattern:only; content:"CStringHelper"; nocase; content:"escape"; nocase; distance:0; reference:url,blog.sucuri.net/2014/02/joomla-jomsocial-remote-code-execution-vulnerability.html; classtype:web-application-attack; sid:2018107; rev:8; metadata:created_at 2014_02_10, updated_at 2014_02_10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MediaWiki thumb.php RCE"; flow:to_server,established; content:"/thumb.php?"; http_uri; fast_pattern:only; nocase; pcre:"/[&?](?:w(?:idth)|p(?:age))=\d+\s*?[\x3b&]/Ui"; pcre:"/[&?]f=/Ui"; pcre:"/[&?](?:(?:p|%[57]0)(?:(?:a|%[46]1)(?:g|%[46]7)(?:e|%[46]5))?|(?:w|%[57]7)(?:(?:i|%[46]9)(?:d|%[64]4)(?:t|%[57]4)(?:h|%[64]8))?)(?:\s|%20)*?(?:%3d|=)(?:\s|%20)*?(?:\d|%3[0-9])+?(?:\x3b|%3[bB]|%26)/Ii"; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/mediawiki_thumb.rb; reference:cve,2014-1610; classtype:attempted-admin; sid:2018168; rev:2; metadata:created_at 2014_02_21, updated_at 2014_02_21;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [8443,9090] (msg:"ET WEB_SPECIFIC_APPS Symantec Endpoint Manager XXE RCE Attempt"; flow:established,to_server; content:"POST "; depth:5; content:"/servlet/ConsoleServlet?ActionType=ConsoleLog"; content:"Content-Type|3a| text/xml|0d 0a|"; nocase; content:"|3c 21|DOCTYPE"; nocase; content:"http|3a|//127.0.0.1|3a|9090/servlet/ConsoleServlet?ActionType=ConfigServer&action=test_av&SequenceNum="; nocase; content:"&Parameter="; nocase; reference:cve,2013-5014; reference:cve,2013-5015; reference:url,cxsecurity.com/issue/WLB-2014020199; classtype:web-application-attack; sid:2018176; rev:3; metadata:created_at 2014_02_25, updated_at 2014_02_25;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JCE Joomla Extension"; flow:to_server,established; content:".php"; http_uri; content:"option="; http_uri; content:"&task="; http_uri; content:"&plugin=imgmanager"; http_uri; content:"&file="; http_uri; content:"&version="; http_uri; content:"&cid="; http_uri; content:"folderRename"; fast_pattern:only; http_client_body; reference:url,exploit-db.com/exploits/17734/; reference:url,blog.spiderlabs.com/2014/03/honeypot-alert-jce-joomla-extension-attacks.html; classtype:web-application-attack; sid:2018326; rev:2; metadata:created_at 2014_03_26, updated_at 2014_03_26;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TimThumb Remote Command Execution"; flow:established,to_server; content:".php"; http_uri; content:"webshot="; fast_pattern:only; http_uri; content:"src="; http_uri; content:"|24 28|"; http_uri; pcre:"/[&?]src=https?[^&]+\x24\x28/U"; reference:url,cxsecurity.com/issue/WLB-2014060134; classtype:attempted-user; sid:2018605; rev:1; metadata:created_at 2014_06_25, updated_at 2014_06_25;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti Superlinks Plugin SQL Injection"; flow:established,to_server; content:"/superlinks.php?"; http_uri; nocase; fast_pattern:only; pcre:"/[?&]id=\d*?[^\d]\d*?(?:&|$)/Ui"; reference:url,www.exploit-db.com/exploits/33809/; classtype:attempted-user; sid:2018612; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2014_06_27, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible WP Plug-in MailPoet  Arbitrary File Upload/Auth Bypass Vulnerability"; flow:established,to_server; content:"/wp-admin/admin-post.php"; http_uri; content:"page=wysija_campaigns"; http_uri; content:"action=themes"; http_uri; content:"|0d 0a|PK"; http_client_body; content:"style.css"; http_client_body; reference:url,www.exploit-db.com/exploits/33991/; classtype:web-application-attack; sid:2018648; rev:2; metadata:created_at 2014_07_08, updated_at 2014_07_08;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 9002 (msg:"ET WEB_SPECIFIC_APPS Oracle Event Processing FileUploadServlet Arbitrary File Upload"; flow:established,to_server; content:"POST "; depth:5; content:"/wlevs/visualizer/upload"; content:"filename"; pcre:"/^\s*?=\s*?[\x22\x27]?[^&]*?(?:%(?:25)?2e(?:%(?:(?:25)?2e(?:%(?:25)?5c|\/|\\)|2e(?:25)?%(?:25)?2f)|\.(?:%(?:25)?(?:2f|5c)|\/|\\))|\.(?:%(?:25)?2e(?:%(?:25)?(?:2f|5c)|\/|\\)|\.(?:%(?:25)?(?:2f|5c)|\/|\\)))/Ri"; reference:url,www.exploit-db.com/exploits/33989/; reference:cve,2014-2424; classtype:web-application-attack; sid:2018652; rev:1; metadata:created_at 2014_07_08, updated_at 2014_07_08;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Custom Contact Forms DB Upload/Download Auth Bypass"; flow:established,to_server; content:"POST"; http_method; content:"/wp-admin/admin-post.php?"; http_uri; nocase; content:"page=ccf_settings"; http_uri; nocase; fast_pattern; pcre:"/ccf_(?:(?:clear|merge)_im|ex)port/Pi"; reference:url,blog.sucuri.net/2014/08/database-takeover-in-custom-contact-forms.html; classtype:web-application-attack; sid:2018975; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2014_08_20, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible WP CuckooTap Arbitrary File Download"; flow:established,to_server; content:"/wp-admin/admin-ajax.php"; http_uri; content:"action=revslider_show_image"; http_uri; content:"img=|2e 2e 2f|"; http_raw_uri; reference:url,exploit-db.com/exploits/34511/; classtype:web-application-attack; sid:2019137; rev:1; metadata:created_at 2014_09_08, updated_at 2014_09_08;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Huge IT Image Gallery 1.0.0 SQL Injection"; flow:established,to_server; content:"wp-admin/admin.php"; http_uri; content:"page=gallerys_huge_it_gallery"; http_uri; fast_pattern:only; content:"task=edit_cat"; http_uri; content:"removeslide="; http_uri; reference:url,packetstormsecurity.com/files/128118/wphugeitig-sql.txt; classtype:web-application-attack; sid:2019139; rev:1; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, tag Wordpress, signature_severity Major, created_at 2014_09_08, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Webmin Directory Traversal"; flow:to_server,established; content:"POST"; http_method; content:"/save_env.cgi"; http_uri; fast_pattern:only; content:"&user="; http_client_body; content:"|2e 2e 2f|"; distance:0; http_client_body; reference:url,sites.utexas.edu/iso/2014/09/09/arbitrary-file-deletion-as-root-in-webmin/; classtype:misc-attack; sid:2019157; rev:2; metadata:created_at 2014_09_10, updated_at 2014_09_10;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bugzilla token.cgi HPP e-mail validation bypass Attempt URI"; flow:to_server,established; content:"/token.cgi"; http_uri; nocase; content:"&realname=login_name"; http_uri; nocase; fast_pattern:only; reference:url,blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/; classtype:web-application-attack; sid:2019364; rev:1; metadata:created_at 2014_10_08, updated_at 2014_10_08;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bugzilla token.cgi HPP e-mail validation bypass Attempt Client Body"; flow:to_server,established; content:"/token.cgi"; http_uri; nocase; content:"&realname=login_name"; http_client_body; nocase; fast_pattern:only; reference:url,blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/; classtype:web-application-attack; sid:2019365; rev:4; metadata:created_at 2014_10_08, updated_at 2014_10_08;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Slideshow Gallery 1.4.6 - Shell Upload"; flow:established,to_server; content:"POST"; http_method; content:"application/x-httpd-php"; http_client_body; fast_pattern:only; content:"Content-Disposition|3a 20|form-data|3b 20|"; http_client_body; pcre:"/^[^\r]*?name=[\x22\x27]image_file"\x3b[^(?>\r\n|\n|\r)]*?(?>\r\n|\n|\r)(?>\r\n|\n|\r)?Content-Type: application/x-httpd-php/Rsi"; reference:url,www.exploit-db.com/exploits/34681/; reference:cve,2014-5460; classtype:trojan-activity; sid:2019728; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2014_11_17, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pandora FMS SQLi"; flow:to_server,established; content:"POST"; http_method; content:"/pandora_console/mobile/index.php"; http_uri; content:"action=login"; http_client_body; fast_pattern; content:"user="; http_client_body; distance:0; pcre:"/[^&]*(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/|EXEC)/Ri"; reference:url,www.rapid7.com/db/modules/exploit/linux/http/pandora_fms_sqli; classtype:attempted-admin; sid:2019903; rev:1; metadata:created_at 2014_12_09, updated_at 2014_12_09;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8020 (msg:"ET WEB_SPECIFIC_APPS ManageEngine Desktop Central Administrator Account Creation"; flow:established,to_server; content:"/servlets/DCPluginServelet?"; nocase; content:"action=addPlugInUser"; nocase; content:"role="; nocase; content:"userName="; nocase; content:"email="; nocase; content:"password="; nocase; content:"salt="; nocase; content:"HTTP/1"; distance:0; reference:cve,CVE-2014-7862; reference:url,seclists.org/fulldisclosure/2015/Jan/2; classtype:trojan-activity; sid:2020092; rev:1; metadata:created_at 2015_01_05, updated_at 2015_01_05;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WP Generic revslider Arbitrary File Download"; flow:established,to_server; content:"/admin-ajax.php?"; http_uri; fast_pattern:only; content:"slider_show_image"; http_uri; pcre:"/slider_show_image[^\r\n]*(?:%2(?:52e(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|e(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)))|\.(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)))/Uim"; reference:url,blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html; classtype:web-application-attack; sid:2020221; rev:2; metadata:created_at 2015_01_20, updated_at 2015_01_20;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress PingBack Possible GHOST attempt"; flow:established,to_server; content:"/xmlrpc.php"; http_uri; nocase; content:"pingback.ping"; nocase; http_client_body; fast_pattern:only; content:"<string>"; pcre:"/^\s*?https?\x3a\/\//Rs"; isdataat:1024,relative; content:!"|2f|"; within:1024; content:!"</string>"; within:1033; pcre:"/^\d[\d\x2e]{255}/R"; classtype:web-application-attack; sid:2020327; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2015_01_28, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FancyBox Remote Code Inclusion POST Request"; flow:to_server,established; content:"POST"; http_method; content:"/admin-post.php?page=fancybox-for-wordpress"; http_uri; fast_pattern:only; content:"INPUTBODY|3a|"; http_client_body; content:"action=update"; http_client_body; content:"mfbfw"; http_client_body; content:"extraCalls"; http_client_body; nocase; reference:url,blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.html; classtype:attempted-admin; sid:2020368; rev:2; metadata:created_at 2015_02_05, updated_at 2015_02_05;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Netscaler SQLi bypass (URI data)"; flow:established,to_server; content:"Content-Type|3a 20|application"; http_header; content:"Content-Type|3a 20|"; distance:0; http_header; pcre:"/(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO)/Ui"; reference:url,seclists.org/fulldisclosure/2015/Mar/95; classtype:attempted-dos; sid:2020731; rev:1; metadata:created_at 2015_03_23, updated_at 2015_03_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Netscaler SQLi bypass (POST data)"; flow:established,to_server; content:"POST"; http_method; content:"Content-Type|3a 20|application"; http_header; content:"Content-Type|3a 20|"; http_header; distance:0; pcre:"/(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO)/Pmi"; reference:url,seclists.org/fulldisclosure/2015/Mar/95; classtype:attempted-dos; sid:2020732; rev:1; metadata:created_at 2015_03_23, updated_at 2015_03_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Netscaler SQLi bypass (cookie)"; flow:established,to_server; content:"Content-Type|3a 20|application"; http_header; content:"Content-Type|3a 20|"; distance:0; http_header; pcre:"/(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO)/Cmi"; reference:url,seclists.org/fulldisclosure/2015/Mar/95; classtype:attempted-dos; sid:2020733; rev:1; metadata:created_at 2015_03_23, updated_at 2015_03_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vulnerable Magento Adminhtml Access"; flow:established,to_server; content:"Adminhtml"; http_uri; nocase; content:!"|2f|admin|2f|"; nocase; http_uri; reference:url,blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability; classtype:attempted-admin; sid:2021005; rev:1; metadata:created_at 2015_04_24, updated_at 2015_04_24;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WP Jetpack/Twentyfifteen Possible XSS Request"; flow:to_server,established; content:"/genericons/example.html"; http_uri; fast_pattern:only; pcre:"/\/genericons\/example\.html$/U"; reference:url,blog.sucuri.net/2015/05/jetpack-and-twentyfifteen-vulnerable-to-dom-based-xss.html; classtype:web-application-attack; sid:2021062; rev:1; metadata:created_at 2015_05_06, updated_at 2015_05_06;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WEB-PHP RCE PHPBB 2004-1315"; flow:established,to_server; content:"viewtopic.php"; http_uri; nocase; content:"highlight="; nocase; http_uri; pcre:"/[&?]highlight=[^&]*?\x2525[a-f0-9]{2}/Ii"; reference:cve,2004-1315; classtype:web-application-attack; sid:2021390; rev:1; metadata:created_at 2015_07_07, updated_at 2015_07_07;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Joomla SQLi Attempt"; flow:established,to_server; content:"GET"; http_method; content:"option="; http_uri; nocase; content:"view="; http_uri; nocase; content:"list[select]="; http_uri; nocase; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/&list\[select\]=[^\r\n&]*(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/)?/Ui"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access; classtype:trojan-activity; sid:2021992; rev:1; metadata:created_at 2015_10_22, updated_at 2015_10_22;)

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Reversed Pastebin Injection in Magento DB"; flow:established,from_server; file_data; content:"<script"; content:"=i?php.war/moc.nibetsap"; fast_pattern:only; content:".reverse("; reference:url,labs.sucuri.net/?note=2015-11-02; classtype:web-application-attack; sid:2022014; rev:1; metadata:created_at 2015_11_02, updated_at 2015_11_02;)

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Reversed Pastebin Injection in Magento DB 2"; flow:established,from_server; file_data; content:"<script"; content:"ptth|22|=crs tpircs"; fast_pattern:only; content:".reverse("; reference:url,labs.sucuri.net/?note=2015-11-02; classtype:web-application-attack; sid:2022015; rev:2; metadata:created_at 2015_11_02, updated_at 2015_11_02;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invalid/Suspicious User-Agent (PHP)"; flow:to_server,established; content:"User-Agent|3a 20|PHP/5."; nocase; fast_pattern; pcre:"/^\{\d(\|\d){1,}\}\.\{\d(\|\d){1,}\}\{\d(\|\d){1,}\}/R"; classtype:web-application-attack; sid:2022350; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2016_01_11, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Magento Shoplift Exploit Inbound"; flow:to_server,established; content:"POST"; http_method; content:"/admin/Cms_Wysiwyg/directive/index/"; http_uri; content:"filter=cG9wdWxhcml0eVtmcm9tXT0wJnBvcHVsYXJpdHlbdG9dPTMmcG9wdWxhcml0eVtmaWVsZF9leHByXT0w"; http_client_body; fast_pattern; depth:100; reference:url,blog.sucuri.net/2015/04/magento-shoplift-supee-5344-exploits-in-the-wild.html; reference:url,packetstormsecurity.com/files/133327/Magento-Add-Administrator-Account.html; classtype:web-application-attack; sid:2022776; rev:1; metadata:created_at 2016_05_03, updated_at 2016_05_03;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS User Agent (SQLi Injection / Scanning)"; flow:established,to_server; content:"User-Agent|3a 20|testitest"; http_header; fast_pattern; reference:url,en.wikipedia.org/wiki/SQL_injection; classtype:web-application-attack; sid:2023351; rev:1; metadata:attack_target SQL_Server, deployment Datacenter, signature_severity Major, created_at 2016_10_19, performance_impact Low, updated_at 2016_10_19;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla GoogleMaps Plugin Open Proxy Access"; flow:established,to_server; content:"/plugins/system/plugin_googlemap2_proxy.php?url="; http_uri; fast_pattern:28,20; content:!"Referer|3a 20|"; http_header; reference:url,bnshosting.net/googlemap-proxy-vulnerability; classtype:web-application-attack; sid:2023574; rev:1; metadata:affected_product Joomla, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2016_12_02, performance_impact Low, updated_at 2016_12_02;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Netgear WNR2000v5 Possible Serial Number Leak"; flow:to_server,established; content:"/BRS_netgear_success.html"; nocase; http_uri; reference:cve,2016-10175; reference:url,cve.circl.lu/cve/CVE-2016-10175; classtype:attempted-recon; sid:2023830; rev:1; metadata:affected_product Netgear_Router, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_02, performance_impact Low, updated_at 2017_02_02;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638)"; flow:to_server,established; content:"ProcessBuilder"; http_header; content:"apache"; http_header; nocase; content:"struts"; http_header; pcre:"/^Content-Type\x3a\x20(?=[^\r\n]*?ProcessBuilder)[^\r\n]*?\.struts/Hmi"; metadata: former_category WEB_SPECIFIC_APPS; reference:cve,2017-5638; reference:url,github.com/rapid7/metasploit-framework/issues/8064; classtype:web-application-attack; sid:2024038; rev:2; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2017_03_08, performance_impact Low, updated_at 2017_03_08;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Drupal Object Unserialize Exploit Attempt"; flow:to_server,established; content:"POST"; http_method; content:"/user/login"; http_uri; content:"Content-Type|3a 20|application/vnd.php.serialized|0d 0a|"; http_header; content:"username"; http_client_body; content:"SelectQuery"; http_client_body; fast_pattern:only; metadata: former_category WEB_SPECIFIC_APPS; reference:url,www.ambionics.io/blog/drupal-services-module-rce; classtype:web-application-attack; sid:2024039; rev:1; metadata:affected_product Drupal_Server, attack_target Server, deployment Datacenter, signature_severity Minor, created_at 2017_03_08, performance_impact Moderate, updated_at 2017_03_08;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) M2"; flow:to_server,established; content:"Content-Type|3a|"; http_header; nocase; content:"multipart/form-data"; http_header; content:"{"; http_header; nocase; content:"}"; http_header; pcre:"/^Content-Type\x3a(?=[^\r\n]*?multipart\/form-data)[^\r\n]*?\{[^\r\n]{15,}\}/Hmi"; metadata: former_category WEB_SPECIFIC_APPS; classtype:web-application-attack; sid:2024044; rev:2; metadata:affected_product Apache_Struts2, attack_target Server, deployment Datacenter, signature_severity Major, created_at 2017_03_10, performance_impact Low, updated_at 2017_03_10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) M3"; flow:to_server,established; content:"Content-Type|3a| %{(#"; http_header; nocase; fast_pattern; content:"multipart/form-data"; http_header; metadata: former_category WEB_SPECIFIC_APPS; classtype:web-application-attack; sid:2024045; rev:1; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2017_03_13, performance_impact Low, updated_at 2017_03_13;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (Content-Disposition) M1"; flow:to_server,established; content:"Content-Disposition|3a|"; nocase; http_client_body; content:"filename"; nocase; http_client_body; pcre:"/^[^\r\n]*filename\s*=\s*[^\x3b\x3a\r\n]*[\x25\x24]\s*\{[^\r\n]{20,}\}/Pmi"; content:"multipart/form-data"; http_header; nocase; metadata: former_category WEB_SPECIFIC_APPS; reference:url,community.hpe.com/t5/Security-Research/Struts2-046-A-new-vector/ba-p/6949723#.WNF-_kcpDUJ; classtype:web-application-attack; sid:2024096; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2017_03_20, updated_at 2017_03_21;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Host Header Injection (CVE-2016-10033) M1"; flow:to_server,established; content:"Host|3a|"; http_header; nocase; content:"("; http_header; nocase; content:")"; http_header; pcre:"/^Host\x3a[^\r\n]+?[\x28\x29\x27\x22\x7b\x7d]/Hmi"; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html; classtype:web-application-attack; sid:2024277; rev:1; metadata:affected_product Wordpress, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2017_05_05, updated_at 2017_05_08;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Host Header Injection (CVE-2016-10033) M2"; flow:to_server,established; content:"action=lostpassword"; http_uri; nocase; fast_pattern; pcre:"/^Host\x3a[^\r\n]+?[\x28\x29\x27\x22\x7b\x7d]/Hmi"; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html; classtype:web-application-attack; sid:2024278; rev:1; metadata:affected_product Wordpress, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2017_05_05, updated_at 2017_05_05;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Host Header Injection (CVE-2016-10033) M3"; flow:to_server,established; content:"substr{"; http_header; nocase; fast_pattern; pcre:"/^Host\x3a[^\r\n]+?[\x28\x29\x27\x22\x7b\x7d]/Hmi"; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html; classtype:web-application-attack; sid:2024279; rev:1; metadata:affected_product Wordpress, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2017_05_05, updated_at 2017_05_05;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla 3.7.0 - Sql Injection (CVE-2017-8917)"; flow:to_server,established; content:".php?"; http_uri; content:"option="; http_uri; content:"view="; http_uri; content:"layout="; http_uri; content:"&list[fullordering]="; http_uri; fast_pattern:only; pcre:"/&list\[fullordering\]=(?:[a-zA-Z0-9])*[\x22\x27\x28]/Ui"; metadata: former_category WEB_SPECIFIC_APPS; reference:url,blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html; reference:cve,2017-8917; classtype:web-application-attack; sid:2024342; rev:2; metadata:affected_product Joomla, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2017_06_01, performance_impact Low, updated_at 2017_06_02;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OTRS Installation Dialog (after auth) attempt"; flow:to_server,established; content:"/otrs/index.pl?Action=Installer"; nocase; http_uri; metadata: former_category WEB_SPECIFIC_APPS; reference:cve,2017-9324; classtype:web-application-attack; sid:2024368; rev:1; metadata:affected_product OTRS, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2017_06_08, performance_impact Low, updated_at 2017_06_08;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OGNL Expression Injection (CVE-2017-9791)"; flow:established,to_server; content:"POST"; http_method; nocase; content:"multipart"; http_client_body; content:"form-data"; http_client_body; distance:1; within:11; content:"ognl.OgnlContext"; http_client_body; distance:1; fast_pattern; content:"DEFAULT_MEMBER_ACCESS"; http_client_body; distance:1; within:23; content:"java.lang.ProcessBuilder"; http_client_body; distance:1; content:".start"; http_client_body; distance:1; metadata: former_category WEB_SPECIFIC_APPS; reference:url,securityonline.info/tutorial-cve-2017-9791-apache-struts2-s2-048-remote-code-execution-vulnerability/; reference:cve,2017-9791; classtype:attempted-user; sid:2024468; rev:1; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2017_07_14, performance_impact Low, updated_at 2017_07_14;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt"; flow:to_server,established; content:"PUT"; http_method; content:".jsp/"; http_uri; nocase; fast_pattern:only; pcre:"/\.jsp\/[^\x2f]*$/Ui"; metadata: former_category WEB_SPECIFIC_APPS; reference:cve,2017-12617; reference:cve,2017-12615; classtype:web-application-attack; sid:2024808; rev:4; metadata:affected_product Apache_Tomcat, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2017_10_05, updated_at 2017_11_29;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt"; flow:to_server,established; content:"PUT"; http_method; content:".jspx/"; http_uri; nocase; fast_pattern:only; pcre:"/\.jspx\/[^\x2f]*$/Ui"; metadata: former_category WEB_SPECIFIC_APPS; reference:cve,2017-12617; reference:cve,2017-12615; classtype:web-application-attack; sid:2024809; rev:4; metadata:affected_product Apache_Tomcat, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2017_10_05, updated_at 2017_11_29;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt"; flow:to_server,established; content:"PUT"; http_method; content:".shtml/"; http_uri; nocase; fast_pattern:only; pcre:"/\.shtml\/[^\x2f]*$/Ui"; metadata: former_category WEB_SPECIFIC_APPS; reference:cve,2017-12617; reference:cve,2017-12615; classtype:web-application-attack; sid:2024810; rev:3; metadata:affected_product Apache_Tomcat, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2017_10_05, updated_at 2017_11_29;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt"; flow:to_server,established; content:"DELETE"; http_method; content:".jsp/"; http_uri; nocase; fast_pattern:only; pcre:"/\.jsp\/[^\x2f]*$/Ui"; metadata: former_category WEB_SPECIFIC_APPS; reference:cve,2017-12617; reference:cve,2017-12615; classtype:web-application-attack; sid:2024811; rev:3; metadata:affected_product Apache_Tomcat, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2017_10_05, updated_at 2017_11_29;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt"; flow:to_server,established; content:"DELETE"; http_method; content:".jspx/"; http_uri; nocase; fast_pattern:only; pcre:"/\.jspx\/[^\x2f]*$/Ui"; metadata: former_category WEB_SPECIFIC_APPS; reference:cve,2017-12617; reference:cve,2017-12615; classtype:web-application-attack; sid:2024812; rev:3; metadata:affected_product Apache_Tomcat, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2017_10_05, updated_at 2017_11_29;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt"; flow:to_server,established; content:"DELETE"; http_method; content:".shtml/"; http_uri; nocase; fast_pattern:only; pcre:"/\.shtml\/[^\x2f]*$/Ui"; metadata: former_category WEB_SPECIFIC_APPS; reference:cve,2017-12617; reference:cve,2017-12615; classtype:web-application-attack; sid:2024813; rev:3; metadata:affected_product Apache_Tomcat, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2017_10_05, updated_at 2017_11_29;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Jenkins CLI RCE (CVE-2017-1000353)"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/cli"; http_uri; depth:4; content:"Side|3a 20|upload"; http_header; content:"JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJ"; http_client_body; fast_pattern; metadata: former_category WEB_SPECIFIC_APPS; reference:url,blogs.securiteam.com/index.php/archives/3171; reference:cve,2017-1000353; reference:url,research.checkpoint.com/jenkins-miner-one-biggest-mining-operations-ever-discovered/; classtype:attempted-user; sid:2025376; rev:1; metadata:created_at 2018_02_21, updated_at 2018_02_21;)

alert tcp $EXTERNAL_NET any -> any $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible CVE-2013-2618 Attempt (PHP Weathermap Persistent XSS)"; flow:established,to_server; content:"POST"; http_method; content:"/editor.php"; http_uri; content:"&map_title="; nocase; content:"&map_legend="; nocase; content:"&editorsettings_showrelative="; fast_pattern:0,20; nocase; content:"="; pcre:"/.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/R"; metadata: former_category WEB_SPECIFIC_APPS; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-distributed-via-php-weathermap-vulnerability-targets-linux-servers/; reference:cve,2013-2618; classtype:attempted-admin; sid:2025459; rev:2; metadata:affected_product Linux, attack_target Server, deployment Perimeter, signature_severity Major, created_at 2018_04_03, performance_impact Low, updated_at 2018_04_03;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS [PT OPEN] Drupalgeddon2 <8.3.9 <8.4.6 <8.5.1 RCE Through Registration Form (CVE-2018-7600)"; flow:established,to_server; content:"/user/register"; http_uri; content:"POST"; http_method; content:"drupal"; http_client_body; pcre:"/(%23|#)(access_callback|pre_render|post_render|lazy_builder)/Pi"; metadata: former_category WEB_SPECIFIC_APPS; reference:cve,2018-7600; reference:url,research.checkpoint.com/uncovering-drupalgeddon-2; classtype:attempted-admin; sid:2025494; rev:1; metadata:affected_product Drupal_Server, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_04_13, updated_at 2018_04_13;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Drupal RCE (CVE-2018-7602)"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/?q=node"; http_uri; content:"delete&destination="; http_uri; content:"#"; http_uri; content:"form_id=node_delete_confirm"; http_client_body; fast_pattern; metadata: former_category WEB_SPECIFIC_APPS; reference:url,www.bleepingcomputer.com/news/security/hackers-dont-give-site-owners-time-to-patch-start-exploiting-new-drupal-flaw-within-hours; reference:cve,2018-7602; classtype:attempted-user; sid:2025533; rev:2; metadata:affected_product Drupal_Server, attack_target Web_Server, deployment Datacenter, tag drupalgeddon, signature_severity Minor, created_at 2018_04_26, updated_at 2018_04_26;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Drupalgeddon2 <8.3.9 <8.4.6 <8.5.1 RCE Through Registration Form (CVE-2018-7600)"; flow:established,to_server; content:"user/password"; http_uri; content:"POST"; http_method; content:"_triggering_element_name"; http_client_body; pcre:"/(?:%(?:25)?23|#)\s*(access_callback|pre_render|post_render|lazy_builder)/U"; metadata: former_category WEB_SPECIFIC_APPS; reference:cve,2018-7600; reference:url,research.checkpoint.com/uncovering-drupalgeddon-2; classtype:attempted-admin; sid:2025534; rev:2; metadata:affected_product Drupal_Server, attack_target Web_Server, deployment Datacenter, tag drupalgeddon, signature_severity Minor, created_at 2018_04_26, updated_at 2018_04_26;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DNN DNNPersonalization Cookie RCE Attempt (CVE-2017-9822)"; flow:established,to_server; content:"DNNPersonalization="; fast_pattern; content:"DNNPersonalization="; http_cookie; content:"ObjectStateFormatter"; http_cookie; content:"ObjectDataProvider"; http_cookie; metadata: former_category WEB_SPECIFIC_APPS; reference:cve,2017-9822; reference:url,f5.com/labs/articles/threat-intelligence/cyber-security/zealot-new-apache-struts-campaign-uses-eternalblue-and-eternalsynergy-to-mine-monero-on-internal-networks?sf176487178; classtype:attempted-admin; sid:2025545; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, signature_severity Minor, created_at 2018_04_27, updated_at 2018_04_27;)

alert tcp any any -> $HTTP_SERVERS 8161 (msg:"ET WEB_SPECIFIC_APPS Apache ActiveMQ File Upload RCE (CVE-2016-3088)"; flow:established,to_server; content:"MOVE /"; depth:6; content:"|0d 0a|Destination|3a 20|"; distance:0; metadata: former_category WEB_SPECIFIC_APPS; reference:cve,2016-3088; reference:url,www.exploit-db.com/exploits/42283/; classtype:attempted-admin; sid:2025574; rev:1; metadata:attack_target Web_Server, deployment Datacenter, signature_severity Minor, created_at 2018_05_10, updated_at 2018_05_10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Plugin iThemes Security SQL Injection"; flow:established,to_server; content:"/wp-admin/admin.php"; http_uri; content:"&orderby="; http_uri; fast_pattern; pcre:"/&orderby=(?:[a-zA-Z0-9_])*[\x2c\x22\x27\x28]/Ui"; metadata: former_category WEB_SPECIFIC_APPS; classtype:web-application-attack; sid:2025738; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, deployment Perimeter, cve cve_2018_12636, signature_severity Major, created_at 2018_06_25, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache CouchDB Remote Code Execution 1"; flow:established,to_server; content:"/_users/org.couchdb.user|3a|"; http_uri; content:"|22|roles|22 3a 20 5b 22 5f|admin|22 5d 2c|"; http_client_body; fast_pattern; content:"password";  http_client_body; metadata: former_category WEB_SPECIFIC_APPS; reference:cve,2017-12635; classtype:attempted-user; sid:2025740; rev:2; metadata:attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_06_25, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache CouchDB Remote Code Execution 2"; flow:established,to_server; content:"/_config/query_servers/cmd"; http_uri; metadata: former_category WEB_SPECIFIC_APPS; reference:cve,2017-12636; classtype:attempted-user; sid:2025741; rev:2; metadata:attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_06_25, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache CouchDB Remote Code Execution 3"; flow:established,to_server; content:"/_temp_view?limit="; http_uri; content:"|22|cmd|22|"; http_client_body; fast_pattern; metadata: former_category WEB_SPECIFIC_APPS; reference:cve,2017-12636; classtype:attempted-user; sid:2025742; rev:2; metadata:attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_06_25, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache CouchDB Remote Code Execution 4"; flow:established,to_server; content:"DELETE"; http_method; content:"/_config/query_servers/cmd"; http_uri; fast_pattern; metadata: former_category WEB_SPECIFIC_APPS; reference:cve,2017-12636; classtype:attempted-user; sid:2025743; rev:2; metadata:attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_06_25, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component Ek rishta 2.10 - SQL Injection 1"; flow:established,to_server; content:"home/requested_user/Sent interest/"; http_uri; nocase; fast_pattern:14,20; pcre:"/\/Sent\x20interest\/(?:[a-zA-Z0-9_])*[\x2c\x22\x27\x28]/Ui"; metadata: former_category WEB_SPECIFIC_APPS; reference:cve,2018-12254; reference:url,www.exploit-db.com/exploits/44869/; classtype:web-application-attack; sid:2025744; rev:3; metadata:affected_product Joomla, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2018_06_26, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component Ek rishta 2.10 - SQL Injection 2"; flow:established,to_server; content:"/ekrishta/index.php/login/sign-in"; http_uri; nocase; fast_pattern; pcre:"/username=(?:[a-zA-Z0-9_])*[\x2c\x22\x27\x28]/Pi"; metadata: former_category WEB_SPECIFIC_APPS; reference:url,www.exploit-db.com/exploits/44869/; classtype:web-application-attack; sid:2025745; rev:2; metadata:affected_product Joomla, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2018_06_26, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component Ek rishta 2.10 - SQL Injection 3"; flow:established,to_server; content:"/index.php?option=com_ekrishta&view="; http_uri; nocase; fast_pattern:16,20; content:"&cid="; nocase; http_uri;  pcre:"/&cid=(?:[a-zA-Z0-9_])*[\x2c\x22\x27\x28]/Ui"; metadata: former_category WEB_SPECIFIC_APPS; reference:url,www.exploit-db.com/exploits/44869/; classtype:web-application-attack; sid:2025746; rev:2; metadata:affected_product Joomla, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_06_26, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Plugin Pie Register SQL Injection"; flow:established,to_server; content:"/wp-admin/admin.php?page=pie-invitation-codes&orderby="; nocase; http_uri; content:"&order="; nocase; distance:0; pcre:"/&order=(?:[a-zA-Z0-9_])*[\x2c\x22\x27\x28]/Ui"; metadata: former_category WEB_SPECIFIC_APPS; reference:url,www.exploit-db.com/exploits/44867/; classtype:web-application-attack; sid:2025747; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Client_Endpoint, deployment Perimeter, cve cve_2018_10969, signature_severity Major, created_at 2018_06_26, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Contact Form Maker Plugin - SQL Injection 1"; flow:established,to_server; content:"/wp-admin/admin-ajax.php?action=FormMakerSQLMapping_fmc"; nocase; http_uri; fast_pattern:35,20; content:"name="; http_client_body; nocase; distance:0; pcre:"/name=(?:[a-zA-Z0-9_%+])*(?:[\x2c\x22\x27\x28]|\x252[c278])/Pi"; metadata: former_category WEB_SPECIFIC_APPS; reference:url,www.exploit-db.com/exploits/44854/; classtype:web-application-attack; sid:2025748; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_06_26, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Contact Form Maker Plugin - SQL Injection 2"; flow:established,to_server; content:"/wp-admin/admin-ajax.php?form_id="; nocase; http_uri; content:"&send_header="; nocase; http_uri; distance:0; content:"&action="; http_uri; nocase; distance:0; content:"search_labels="; http_client_body; nocase; fast_pattern; pcre:"/search_labels=(?:[a-zA-Z0-9_%+])*(?:[\x2c\x22\x27\x28]|\x252[c278])/Pi"; metadata: former_category WEB_SPECIFIC_APPS; reference:url,www.exploit-db.com/exploits/44854/; classtype:web-application-attack; sid:2025749; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_06_26, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Arbitrary File Deletion 1"; flow:established,to_server; content:"/wp-admin/post.php?post="; http_uri; content:"action=editattachment&_wpnonce="; fast_pattern; http_client_body; content:"&thumb=../../"; http_client_body; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploit-db.com/exploits/44949/; classtype:attempted-user; sid:2025757; rev:2; metadata:affected_product Wordpress, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_06_27, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Arbitrary File Deletion 2"; flow:established,to_server; content:"/wp-admin/post.php?post="; http_uri; content:"action=delete&_wpnonce="; http_client_body; fast_pattern; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploit-db.com/exploits/44949/; classtype:attempted-user; sid:2025758; rev:2; metadata:affected_product Wordpress, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_06_27, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Blind Server-Side Request Forgery"; flow:established,to_server; content:"/xmlrpc/pingback"; http_uri; isdataat:!1,relative; content:"<methodCall>"; http_client_body; content:"<methodName>pingback.ping</methodName>"; http_client_body; fast_pattern; content:"<value>http://"; http_client_body; content:"<value>http://"; http_client_body; distance:0; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploit-db.com/raw/44945/; classtype:attempted-user; sid:2025759; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_06_27, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dolibarr ERP CRM PHP Code Injection"; flow:established,to_server; content:".php"; http_uri; content:"&db_name="; http_client_body; content:"%5C%27%3Bsystem(%24_GET%5B"; fast_pattern; http_client_body; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploit-db.com/exploits/44964/; classtype:web-application-attack; sid:2025770; rev:2; metadata:affected_product PHP, attack_target Web_Server, deployment Perimeter, signature_severity Critical, created_at 2018_07_02, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS DAMICMS Cross-Site Request Forgery (Add Admin)"; flow:from_server,established; file_data; content:"history.pushState"; content:"/admin.php?s=/Admin/doadd|22| method=|22|POST|22|>"; nocase; fast_pattern; content:"name=|22|username|22|"; content:"name=|22|password|22|"; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploit-db.com/exploits/44960/; classtype:web-application-attack; sid:2025771; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_02, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMS Made Simple Remote Code Execution"; flow:established,to_server; content:"/admin/moduleinterface.php"; http_uri; fast_pattern; isdataat:!1,relative; content:"<?php system($_GET["; http_client_body; metadata: former_category WEB_SPECIFIC_APPS; reference:cve,2018-1000094; reference:url,exploit-db.com/exploits/44977/; classtype:attempted-user; sid:2025782; rev:2; metadata:attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_07_05, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Online Trade - Information Disclosure"; flow:established,to_server; content:"/dashboard/deposit"; http_uri; fast_pattern; isdataat:!1,relative; metadata: former_category WEB_SPECIFIC_APPS; reference:cve,2018-12905; reference:url,exploit-db.com/exploits/44977/; classtype:attempted-recon; sid:2025783; rev:2; metadata:attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_07_05, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ShopNx - Arbitrary File Upload"; flow:established,to_server; content:"/api/media"; http_uri; fast_pattern; isdataat:!1,relative; content:"<script"; http_client_body; metadata: former_category WEB_SPECIFIC_APPS; reference:cve,2018-12519; reference:url,exploit-db.com/exploits/44978/; classtype:web-application-attack; sid:2025784; rev:2; metadata:attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_07_05, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SoftExpert Excellence Suite 2.0 SQL Injection"; flow:established,to_server; content:"/view_eletronic_download.php?class_name="; http_uri; fast_pattern; content:"&cddocument="; http_uri; pcre:"/&cddocument=[a-z0-9A-Z]+[^&]+[\x27\x22]/Ui"; metadata: former_category WEB_SPECIFIC_APPS; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44981/; classtype:web-application-attack; sid:2025786; rev:2; metadata:attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_07_05, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ManageEngine Exchange Reporter Plus Remote Code Execution"; flow:established,to_server; content:"/servlet/ADSHACluster"; http_uri; fast_pattern; content:"MTCALL=nativeClient"; http_client_body; content:"&BCP_RLL=0102"; http_client_body; content:"&BCP_EXE=4d5a"; http_client_body; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploit-db.com/exploits/44975/; classtype:attempted-user; sid:2025787; rev:2; metadata:attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2018_07_05, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Airties AIR5444TT - Cross-Site Scripting"; flow:established,to_server; content:"/top.html?page=main&productboardtype="; http_uri; fast_pattern; pcre:"/&productboardtype=[^&]+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploit-db.com/exploits/44986/; reference:cve,2018-8738; classtype:attempted-user; sid:2025789; rev:2; metadata:attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_07_06, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Elektronischer Leitz-Ordner 10 - SQL Injection"; flow:established,to_server; content:"/social/api/feed/aggregation"; http_uri; fast_pattern; content:"ticket="; http_uri; pcre:"/ticket=[^&]*[\x22\x27\x28]/Ui"; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploit-db.com/exploits/44999/; classtype:attempted-user; sid:2025819; rev:2; metadata:attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_07_10, performance_impact Low, updated_at 2018_07_18;)

alert tcp any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS [eSentire] Drupalgeddon2 <8.3.9 <8.4.6 <8.5.1 RCE Through Registration Form (CVE-2018-7600)"; flow:established,to_server; content:"GET"; http_method; content:"user/password&name"; http_uri; nocase; fast_pattern; pcre:"/\[(?:%(?:25)?23|#)\s*(?:access_callback|pre_render|post_render|lazy_builder)/Ui"; content:"markup|5d 3d|"; nocase; http_uri; distance:0; metadata: former_category WEB_SPECIFIC_APPS; reference:cve,2018-7600; reference:url,research.checkpoint.com/uncovering-drupalgeddon-2; classtype:attempted-admin; sid:2025646; rev:2; metadata:affected_product Drupal_Server, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_10, performance_impact Moderate, updated_at 2018_07_10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GitList Argument Injection"; flow:established,to_server; content:"query=--open-files-in-pager"; fast_pattern; http_client_body; content:"php%20"; http_client_body; content:"%22eval"; content:"base64_decode"; http_client_body; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploit-db.com/exploits/44993/; classtype:attempted-user; sid:2025820; rev:2; metadata:affected_product PHP, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_07_10, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dicoogle PACS 2.5.0 - Directory Traversal"; flow:established,to_server; content:"/exportFile?UID="; http_uri; fast_pattern; content:"|2e 2e 5c|"; http_uri; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploit-db.com/exploits/45007/; classtype:attempted-user; sid:2025825; rev:2; metadata:attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2018_07_11, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cmd powershell base64 encoded to Web Server 1"; flow:established,to_server; content:"Y21kIC9jIHBvd2Vyc2hlbGwuZXhl"; metadata: former_category WEB_SPECIFIC_APPS; classtype:attempted-user; sid:2025827; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_07_12, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cmd powershell base64 encoded to Web Server 2"; flow:established,to_server; content:"NtZCAvYyBwb3dlcnNoZWxsLmV4Z"; metadata: former_category WEB_SPECIFIC_APPS; classtype:attempted-user; sid:2025828; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_07_12, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cmd powershell base64 encoded to Web Server 3"; flow:established,to_server; content:"jbWQgL2MgcG93ZXJzaGVsbC5leG"; metadata: former_category WEB_SPECIFIC_APPS; classtype:attempted-user; sid:2025829; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_07_12, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GitStack - Unsanitized Argument Remote Code Execution"; flow:established,to_server; content:"p="; http_uri; content:".git&a="; fast_pattern; http_uri; content:"Authorization|3a| Basic"; http_header; pcre:"/Authorization\x3a Basic.*(?:Y21kIC9jIHBvd2Vyc2hlbGwuZXhl|NtZCAvYyBwb3dlcnNoZWxsLmV4Z|jbWQgL2MgcG93ZXJzaGVsbC5leG)/Hi"; metadata: former_category WEB_SPECIFIC_APPS; reference:cve,2018-5955; reference:url,exploit-db.com/exploits/44356/; classtype:attempted-user; sid:2025830; rev:2; metadata:attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_07_12, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 1"; flow:established,to_server; content:"/fm-ws/services"; http_uri; fast_pattern; isdataat:!1,relative; content:"<?xml"; http_client_body; content:".dtd|22|>"; http_client_body; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploit-db.com/exploits/45027/; reference:cve,2018-12463; classtype:attempted-user; sid:2025841; rev:2; metadata:attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_07_16, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 2"; flow:established,to_server; content:"/fm-ws/services"; http_uri; fast_pattern; isdataat:!1,relative; content:"<?xml"; http_client_body; content:"<!DOCTYPE html PUBLIC |22|-//W3C//DTD XHTML 1.0 Transitional//EN|22|"; http_client_body; pcre:"/<\x21DOCTYPE html PUBLIC \x22-\/\/W3C\/\/DTD XHTML 1\.0 Transitional\/\/EN\x22[^>]+\x22\s*http\x3a\x2f\x2f.+\.dtd/Pi"; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploit-db.com/exploits/45027/; reference:cve,2018-12463; classtype:attempted-user; sid:2025842; rev:2; metadata:attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_07_16, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 3"; flow:established,to_server; content:"/fm-ws/services"; http_uri; fast_pattern; isdataat:!1,relative; content:"<?xml"; http_client_body; content:"<!DOCTYPE data SYSTEM"; http_client_body; pcre:"/<\x21DOCTYPE data SYSTEM[^>]+\x22\s*ftp\x3a\x2f\x2f/Pi"; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploit-db.com/exploits/45027/; reference:cve,2018-12463; classtype:attempted-user; sid:2025843; rev:2; metadata:attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_07_16, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 4"; flow:established,to_server; content:"/fm-ws/services"; http_uri; fast_pattern; isdataat:!1,relative; content:"<?xml"; http_client_body; content:"<!DOCTYPE data SYSTEM"; http_client_body; pcre:"/<\x21DOCTYPE data SYSTEM[^>]+\x22\s*http\x3a\x2f\x2f.+\.dtd/Pi"; content:"<data>&send|3b|</data>"; http_client_body; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploit-db.com/exploits/45027/; reference:cve,2018-12463; classtype:attempted-user; sid:2025844; rev:2; metadata:attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_07_16, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Plugin Job Manager Stored Cross-Site Scripting"; flow:established,to_server; content:"/?step=|00|"; http_uri; content:"submit-job-form"; http_uri; fast_pattern; content:"enctype=|22|multipart/form-data|22|"; http_uri; pcre:"/enctype=\x22multipart/form-data\x22[^&]+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploit-db.com/exploits/45031/; classtype:attempted-user; sid:2025839; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_07_16, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hadoop YARN ResourceManager Unauthenticated Command Execution"; flow:established,to_server; content:"/ws/v1/cluster/apps"; fast_pattern; http_uri; content:"|22|application-type|22 3a 22|YARN|22|"; http_client_body; content:"|22 3a 7b 22|commands|22 3a 7b 22|command|22 3a 22|"; http_client_body; pcre:"/(?:f0VM|9FT|\/RU)/P"; content:"base64"; http_client_body; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploit-db.com/exploits/45025/; classtype:attempted-user; sid:2025840; rev:2; metadata:attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_07_16, performance_impact Low, updated_at 2018_07_18;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Inbound Web Servers Likely Command Execution 1"; flow:established,to_server; content:"base64"; fast_pattern; content:"f0VM"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; metadata: former_category WEB_SPECIFIC_APPS; classtype:attempted-user; sid:2025716; rev:2; metadata:affected_product Linux, attack_target Web_Server, deployment Datacenter, created_at 2018_07_16, updated_at 2018_07_16;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Inbound Web Servers Likely Command Execution 2"; flow:established,to_server; content:"base64"; fast_pattern; content:"9FT"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; metadata: former_category WEB_SPECIFIC_APPS; classtype:attempted-user; sid:2025717; rev:2; metadata:affected_product Linux, attack_target Web_Server, deployment Datacenter, created_at 2018_07_16, updated_at 2018_07_16;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Inbound Web Servers Likely Command Execution 3"; flow:established,to_server; content:"base64"; fast_pattern; content:"/RU"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; metadata: former_category WEB_SPECIFIC_APPS; classtype:attempted-user; sid:2025718; rev:2; metadata:affected_product Linux, attack_target Web_Server, deployment Datacenter, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Configuration Download"; flow:established,to_server; content:"/download.sh?script=/cgi-bin/"; http_uri; content:"/system-editor.sh&path=/etc/"; http_uri; fast_pattern; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-recon; sid:2025845; rev:2; metadata:attack_target Server, deployment Datacenter, signature_severity Major, created_at 2018_07_17, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Configuration Download"; flow:established,to_server; content:"/IPn4G.config"; http_uri; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-recon; sid:2025847; rev:2; metadata:attack_target Server, deployment Datacenter, signature_severity Major, created_at 2018_07_17, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Configuration Download"; flow:established,to_server; content:"/cgi-bin/system.conf"; http_uri; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-recon; sid:2025846; rev:2; metadata:attack_target Server, deployment Datacenter, signature_severity Major, created_at 2018_07_17, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Service Stop"; flow:established,to_server; content:"/system-services.sh?service="; http_uri; fast_pattern; content:"&action=stop"; http_uri; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-dos; sid:2025848; rev:2; metadata:attack_target Server, deployment Datacenter, signature_severity Major, created_at 2018_07_17, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Process Kill"; flow:established,to_server; content:"/status-processes.sh"; http_uri; content:"signal=SIGILL&pid="; fast_pattern; http_client_body; content:"&kill=+Send+"; http_client_body; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-dos; sid:2025849; rev:2; metadata:attack_target Server, deployment Datacenter, signature_severity Major, created_at 2018_07_17, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Service start"; flow:established,to_server; content:"/system-services.sh?service="; http_uri; fast_pattern; content:"&action=start"; http_uri; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-user; sid:2025850; rev:2; metadata:created_at 2018_07_17, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Service Enable"; flow:established,to_server; content:"/system-services.sh?service="; http_uri; fast_pattern; content:"&action=enable"; http_uri; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-user; sid:2025851; rev:2; metadata:created_at 2018_07_17, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Change Admin Passwd"; flow:established,to_server; content:"/system-acl.sh"; http_uri; fast_pattern; content:"pw1"; http_client_body; content:"pw2"; http_client_body; content:"passwdchange"; http_client_body; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-user; sid:2025852; rev:2; metadata:created_at 2018_07_17, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Add Admin Passwd"; flow:established,to_server; content:"/system-acl.sh"; http_uri; fast_pattern; content:"pw1"; http_client_body; content:"pw2"; http_client_body; content:"user_add"; http_client_body; content:"password_add"; http_client_body; content:"mhadd_user"; http_client_body; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-user; sid:2025853; rev:2; metadata:attack_target Server, deployment Datacenter, signature_severity Major, created_at 2018_07_17, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Add Root Htpasswd"; flow:established,to_server; content:"/system-editor.sh"; http_uri; fast_pattern; content:"pw1"; http_client_body; content:"/etc"; http_client_body; content:"htpasswd"; http_client_body; content:"root:"; http_client_body; content:"Save Changes"; http_client_body; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-user; sid:2025854; rev:2; metadata:attack_target Server, deployment Datacenter, signature_severity Major, created_at 2018_07_17, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Crontab"; flow:established,to_server; content:"/system-crontabs.sh"; http_uri; fast_pattern; content:"Save Changes"; http_client_body; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-user; sid:2025856; rev:2; metadata:created_at 2018_07_17, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Startup Script"; flow:established,to_server; content:"/system-startup.sh"; http_uri; fast_pattern; content:"/etc/init.d"; http_client_body; content:"#!/bin/sh"; http_client_body; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-user; sid:2025857; rev:2; metadata:attack_target Server, deployment Datacenter, signature_severity Major, created_at 2018_07_17, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Disable Firewall"; flow:established,to_server; content:"/system-crontabs.sh"; http_uri; fast_pattern; content:"/etc/init.d/firewall stop"; http_client_body; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-user; sid:2025858; rev:2; metadata:attack_target Server, deployment Datacenter, signature_severity Major, created_at 2018_07_17, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Start the Microhard Sh (msshc) service"; flow:established,to_server; content:"/system-services.sh?service=msshc&action=start"; http_uri; fast_pattern; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-user; sid:2025859; rev:2; metadata:attack_target Server, deployment Datacenter, signature_severity Major, created_at 2018_07_17, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Auto-enable the Microhard Sh (msshc) service"; flow:established,to_server; content:"/system-services.sh?service=msshc&action=enable"; http_uri; fast_pattern; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-user; sid:2025860; rev:2; metadata:attack_target Server, deployment Datacenter, signature_severity Major, created_at 2018_07_17, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded ASCII Inbound Web Servers Likely Command Execution 4"; flow:established,to_server; content:"5c5c7837665c5c7834355c5c7834635c5c783436"; metadata: former_category WEB_SPECIFIC_APPS; classtype:attempted-user; sid:2025732; rev:2; metadata:affected_product Linux, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_07_17, performance_impact Low, updated_at 2018_07_17;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Default Credentials"; flow:established,to_server; content:"Authorization|3a| Basic YWRtaW46YWRtaW4="; http_header; fast_pattern:21,16; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-recon; sid:2025855; rev:2; metadata:attack_target Server, deployment Datacenter, signature_severity Major, created_at 2018_07_17, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 UTF-8 Inbound Web Servers Likely Command Execution 5"; flow:established,to_server; content:"XDE3N1wxMDVcMTE0XDEwN"; metadata: former_category WEB_SPECIFIC_APPS; classtype:attempted-user; sid:2025832; rev:1; metadata:affected_product Linux, attack_target Web_Server, deployment Datacenter, created_at 2018_07_18, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 UTF-8 Inbound Web Servers Likely Command Execution 6"; flow:established,to_server; content:"wxNzdcMTA1XDExNFwxMD"; metadata: former_category WEB_SPECIFIC_APPS; classtype:attempted-user; sid:2025833; rev:1; metadata:affected_product Linux, attack_target Web_Server, deployment Datacenter, created_at 2018_07_18, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 UTF-8 Inbound Web Servers Likely Command Execution 7"; flow:established,to_server; content:"cMTc3XDEwNVwxMTRcMTA2"; metadata: former_category WEB_SPECIFIC_APPS; classtype:attempted-user; sid:2025834; rev:1; metadata:affected_product Linux, attack_target Web_Server, deployment Datacenter, created_at 2018_07_18, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Hex Escape Inbound Web Servers Likely Command Execution 8"; flow:established,to_server; content:"XFx4N2ZcXHg0NVxceDRjXFx4ND"; metadata: former_category WEB_SPECIFIC_APPS; classtype:attempted-user; sid:2025865; rev:1; metadata:affected_product Linux, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_07_19, updated_at 2018_07_19;)

alert tcp $EXTERNAL_NET any -> any any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Hex Escape Inbound Web Servers Likely Command Execution 9"; flow:established,to_server; content:"xceDdmXFx4NDVcXHg0Y1xceDQ2"; metadata: former_category WEB_SPECIFIC_APPS; classtype:attempted-user; sid:2025866; rev:1; metadata:affected_product Linux, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_07_19, updated_at 2018_07_19;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Hex Escape Inbound Web Servers Likely Command Execution 10"; flow:established,to_server; content:"cXHg3ZlxceDQ1XFx4NGNcXHg0N"; metadata: former_category WEB_SPECIFIC_APPS; classtype:attempted-user; sid:2025867; rev:1; metadata:affected_product Linux, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_07_19, updated_at 2018_07_19;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic plain Inbound Web Servers Likely Command Execution 11"; flow:established,to_server; content:"|5c|177|5c|105|5c|114|5c|106|5c|"; fast_pattern; metadata: former_category WEB_SPECIFIC_APPS; classtype:attempted-user; sid:2025868; rev:2; metadata:affected_product Linux, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_07_19, updated_at 2018_07_19;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic plain Inbound Web Servers Likely Command Execution 12"; flow:established,to_server; content:"|5c 5c|x7f|5c 5c|x45|5c 5c|x4c|5c 5c|x46|5c 5c|"; metadata: former_category WEB_SPECIFIC_APPS; classtype:attempted-user; sid:2025869; rev:2; metadata:affected_product Linux, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_07_19, updated_at 2018_07_19;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS XML External Entity Information Disclosure"; flow:established,to_server; content:"POST"; http_method; content:"<?xml version=|22|1.0|22| encoding="; http_client_body; content:"<!DOCTYPE"; http_client_body; content:"<!ENTITY"; http_client_body; content:"SYSTEM |22|file|3a|///etc/"; http_client_body; fast_pattern; metadata: former_category WEB_SPECIFIC_APPS; reference:url,owasp.org/index.php/XML_External_Entity_(XXE)_Processing; classtype:attempted-recon; sid:2025877; rev:2; metadata:affected_product Linux, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_07_20, performance_impact Low, updated_at 2018_07_20;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS XML External Entity Remote Code Execution"; flow:established,to_server; content:"POST"; http_method; content:"<?xml version=|22|1.0|22| encoding="; http_client_body; content:"<!DOCTYPE"; http_client_body; content:"<!ENTITY"; http_client_body; content:"SYSTEM |22|php|3a|//"; http_client_body; fast_pattern; metadata: former_category WEB_SPECIFIC_APPS; reference:url,owasp.org/index.php/XML_External_Entity_(XXE)_Processing; classtype:attempted-user; sid:2025878; rev:2; metadata:attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_07_20, performance_impact Low, updated_at 2018_07_20;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Modx Revolution < 2.6.4 phpthumb.php RCE Attempt"; flow:established,to_server; urilen:31; content:"POST"; http_method; content:"/connectors/system/phpthumb.php"; http_uri; fast_pattern; content:"<?php"; http_client_body; nocase; content:"($_SERVER"; nocase; distance:0; http_client_body; metadata: former_category WEB_SPECIFIC_APPS; reference:url,exploit-db.com/exploits/45055/; classtype:web-application-attack; sid:2025917; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Minor, created_at 2018_07_27, updated_at 2018_07_27;)

#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM Allaple ICMP Sweep Ping Outbound"; icode:0; itype:8; content:"Babcdefghijklmnopqrstuvwabcdefghi"; fast_pattern:only; threshold: type both, count 1, seconds 60, track by_src; reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html; reference:url,isc.sans.org/diary.html?storyid=2451; reference:url,doc.emergingthreats.net/2003292; classtype:trojan-activity; sid:2003292; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM Allaple ICMP Sweep Reply Inbound"; icode:0; itype:0; content:"Babcdefghijklmnopqrstuvwabcdefghi"; fast_pattern:only; threshold: type both, count 1, seconds 60, track by_dst; reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html; reference:url,isc.sans.org/diary.html?storyid=2451; reference:url,doc.emergingthreats.net/2003293; classtype:trojan-activity; sid:2003293; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM Allaple ICMP Sweep Ping Inbound"; icode:0; itype:8; content:"Babcdefghijklmnopqrstuvwabcdefghi"; threshold: type both, count 1, seconds 60, track by_src; reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html; reference:url,isc.sans.org/diary.html?storyid=2451; reference:url,doc.emergingthreats.net/2003294; classtype:trojan-activity; sid:2003294; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM Allaple ICMP Sweep Reply Outbound"; icode:0; itype:0; content:"Babcdefghijklmnopqrstuvwabcdefghi"; fast_pattern:only; threshold: type both, count 1, seconds 60, track by_dst; reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html; reference:url,isc.sans.org/diary.html?storyid=2451; reference:url,doc.emergingthreats.net/2003295; classtype:trojan-activity; sid:2003295; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> !$SQL_SERVERS 3306 (msg:"ET WORM Potential MySQL bot scanning for SQL server"; flags:S,12; reference:url,isc.sans.org/diary.php?date=2005-01-27; reference:url,doc.emergingthreats.net/2001689; classtype:trojan-activity; sid:2001689; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WORM SDBot HTTP Checkin"; flow:established,to_server; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a|"; http_header; content:"quem=dodoi&tit="; depth:15; http_client_body; fast_pattern; content:"&txt="; http_client_body; offset:15; depth:40;  reference:url,doc.emergingthreats.net/2007914; classtype:trojan-activity; sid:2007914; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WORM Win32.Socks.s HTTP Post Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"proc=[System Process]|0a|"; http_client_body; reference:url,doc.emergingthreats.net/2008020; classtype:trojan-activity; sid:2008020; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WORM shell bot perl code download"; flow:to_client,established; content:"# ShellBOT"; nocase; reference:url,doc.emergingthreats.net/2002683; classtype:trojan-activity; sid:2002683; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WORM Shell Bot Code Download"; flow:to_client,established; content:"##################### IRC #######################"; nocase; fast_pattern; reference:url,doc.emergingthreats.net/2002684; classtype:trojan-activity; sid:2002684; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3198 (msg:"GPL WORM mydoom.a backdoor upload/execute attempt"; flow:to_server,established; content:"|85 13|<|9E A2|"; depth:5; classtype:trojan-activity; sid:2103272; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"GPL WORM Slammer Worm propagation attempt OUTBOUND"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1|"; content:"sock"; content:"send"; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2102004; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WORM Possible Worm Sohanad.Z or Other Infection Request for setting.nql"; flow:established,to_server; content:"/setting.nql"; nocase; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=a70aad8f27957702febfa162556dc5b5; classtype:trojan-activity; sid:2012201; rev:1; metadata:created_at 2011_01_17, updated_at 2011_01_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WORM Rimecud Worm checkin"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"/taskx.txt"; http_uri; fast_pattern; reference:url,www.threatexpert.com/report.aspx?md5=9623efa133415d19c941ef92a4f921fc; classtype:trojan-activity; sid:2012739; rev:1; metadata:created_at 2011_04_29, updated_at 2011_04_29;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 15000:30000 (msg:"ET WORM W32/Rimecud /qvod/ff.txt Checkin"; flow:established,to_server; content:"GET /qvod/ff.txt"; depth:16; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FRimecud; reference:md5,f97e1c4aefbd2595fcfeb0f482c47517; reference:md5,f96a29bcf6cba870efd8f7dd9344c39e; reference:md5,fae8675502d909d6b546c111625bcfba; classtype:trojan-activity; sid:2014401; rev:1; metadata:created_at 2012_03_19, updated_at 2012_03_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 15000:30000 (msg:"ET WORM W32/Rimecud wg.txt Checkin"; flow:established,to_server; content:"GET /wg.txt"; depth:11; reference:md5,a89f7289d5cce821a194542e90026082; reference:md5,fd56ce176889d4fbe588760a1da6462b; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FRimecud; classtype:trojan-activity; sid:2014402; rev:1; metadata:created_at 2012_03_19, updated_at 2012_03_19;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM W32/Njw0rm CnC Beacon"; flow:established,to_server; content:"lv0njxq80"; depth:9; content:"njxq80"; distance:0; reference:url,www.fireeye.com/blog/technical/malware-research/2013/08/njw0rm-brother-from-the-same-mother.html; reference:md5,4c60493b14c666c56db163203e819272; reference:md5,b0e1d20accd9a2ed29cdacb803e4a89d; classtype:trojan-activity; sid:2017404; rev:3; metadata:created_at 2013_08_30, updated_at 2013_08_30;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET WORM TheMoon.linksys.router 1"; flow:to_server,established; urilen:7; content:"GET"; http_method; content:"/HNAP1/"; http_uri; pcre:"/Host\x3a (?:[0-9]{1,3}\.){3}[0-9]{1,3}/H"; reference:url,isc.sans.edu/forums/diary/Linksys+Worm+Captured/17630; classtype:trojan-activity; sid:2018131; rev:4; metadata:created_at 2014_02_13, updated_at 2014_02_13;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET WORM TheMoon.linksys.router 2"; flow:to_server,established; content:"POST"; http_method; content:"/tmUnblock.cgi"; http_uri; reference:url,isc.sans.edu/forums/diary/Linksys+Worm+Captured/17630; reference:url,devttys0.com/2014/02/wrt120n-fprintf-stack-overflow/; classtype:trojan-activity; sid:2018132; rev:4; metadata:created_at 2014_02_13, updated_at 2014_02_13;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET WORM TheMoon.linksys.router 3"; flow:to_server,established; content:"POST"; http_method; content:"/hndUnblock.cgi"; http_uri; reference:url,isc.sans.edu/forums/diary/Linksys+Worm+Captured/17630; reference:url,exploit-db.com/exploits/31683/; reference:url,devttys0.com/2014/02/wrt120n-fprintf-stack-overflow/; classtype:trojan-activity; sid:2018155; rev:3; metadata:created_at 2014_02_18, updated_at 2014_02_18;)